In its judgment, the Court of Justice of the European Union departed from the Advocate General's opinion and gave national courts guidance that is not very appropriate: on the pretext of password-protecting a Wi-Fi network, it opens the way to limiting anonymous access to the Internet. The reasoning of the judgment may also limit undertakings that let visitors to their establishments use an Internet connection free of charge.

On 15 September 2016, the Court of Justice of the European Union ("CJEU") rendered a judgment in case C-484/14 Tobias Mc Fadden v Sony Music ("Sony Music") on a request for a preliminary ruling referred by the Regional Court in Munich, concerning the imposition of a measure under Article 12(3) of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market ('Directive on electronic commerce') (the "Directive" and the "Judgment"). As we already informed you in EU Legal News 7/2016, in his opinion of March 2016, CJEU Advocate General Maciej Szpunar considered a measure imposing an obligation to password-protect a Wi-Fi network, including identification of its users, to be clearly inadequate. In its judgment, the CJEU departed from the Advocate General's opinion without giving more specific grounds: it recognised as adequate an injunction imposing an obligation to password-protect a Wi-Fi network and to identify all of its users, irrespective of the specific circumstances in which such a Wi-Fi network is operated.

As part of his business, Mr Mc Fadden let his customers access his Wi-Fi network, with access to the Internet, free of charge, and left the network unsecured and accessible to the public. However, Sony Music learned of an infringement of its rights when one of his visitors downloaded a musical work from the Internet.

The main proceedings concern, inter alia, the question of whether Mr Mc Fadden may be found liable under the indirect (secondary) liability derived in German case law for allowing the infringement of third-party rights by not securing a Wi-Fi network with a password, and thus not acting with due care.

The main subject of the judgment is the form that injunctions ordering a provider of such a service to terminate an infringement of rights, or to prevent such an infringement (Article 12(3) of the Directive), may take, provided of course that the conditions laid down in Article 12(1) of the Directive are met, i.e. that the provider (i) does not initiate the transmission; (ii) does not select the receiver of the transmission; and (iii) does not select or modify the information contained in the transmission. Once these conditions are met (similar conditions must also be met by caching service providers, e.g. proxy server operators, and by hosting service providers, including Internet storage service providers, under Articles 13 and 14 of the Directive), the service provider falls within a so-called 'safe harbour', meaning that its liability for the activities of users of its service is excluded.

In the Judgment, the CJEU departed from the Advocate General's arguments and entirely failed to address in detail the question of proportionality and of striking a fair balance among fundamental rights (mainly as regards the right to free access to information), especially given the significant differences among mere conduit information society service providers within this single category (Article 12 of the Directive). The CJEU concluded that Article 12(3) and Article 15(1) of the Directive did not preclude the issuing of an injunction imposing on a person who operates a public Wi-Fi network as an adjunct to his principal economic activity an obligation to make access to that network secure (point 150 of the Advocate General's opinion). However, the CJEU did little to assess the adequacy of its conclusions, for example in the context of undertakings operating a Wi-Fi network as part of their non-core activities. Yet the degree of adequacy obviously differs between a professional provider of Internet access, which pursues this activity as its core business, and an entrepreneur who has equipped an establishment with a Wi-Fi access point so that customers can access the Internet; the latter is basically a marketing activity, with a totally different level of technical means for operating such a network.

The CJEU considers that the proposed injunction does not interfere with the essence of the freedom to conduct a business of a communication network access provider, because the injunction only marginally adjusts one of the technical options for pursuing the activities of that information society service provider (point 91 of the Judgment). However, password-protecting a Wi-Fi network and efficient identification of its users need not be merely a marginal technical solution; it may be a technically quite complex measure with significant legal and financial consequences (such as personal data processing or procuring a relevant authentication mechanism). In the Judgment, the CJEU addresses neither these consequences nor the actual effectiveness of the proposed injunctions. If the CJEU's conclusions were also applied to the Czech legal environment, such an approach could significantly limit the availability of Internet connections for public use in restaurants and other establishments.

As for the obligation to identify users, according to the CJEU, anonymity encourages infringement of intellectual property rights, whereas preventing anonymous use of a communication network with access to the Internet aims at discouraging users from infringing copyright; irrespective of this, the Internet connection in Mr Mc Fadden's establishment is only one of the alternatives via which users can access the Internet (the CJEU thereby restricts the impact of its conclusions on the right to free access to information). Apart from password-protecting a Wi-Fi network, the CJEU also considers the mandatory identification of all users of that network appropriate. However, the CJEU fails to reflect the actual state of technology: users never act anonymously on the Internet in the strict sense, because it is often technically possible (though not particularly simple) to track down a specific person, or at least the technical means used in such conduct.

For the time being, the Czech legal environment can stay calm, as the German doctrine of indirect (secondary) liability is based on a breach of the standard of due care and is defined by the German courts. That doctrine should not apply in the Czech Republic, mainly due to the absence of a legal basis for establishing such liability, particularly in relation to information society service providers; therefore, when applying the Judgment in national cases, the Czech courts should take a very reserved approach. Such reservations are legitimate, among other reasons, because, except for Section 40(1)(f) of Act No. 121/2000 Coll., on Copyright, Rights Related to Copyright and on Amendment to Certain Acts (Copyright Act), as amended, the possibility for courts to impose specific injunctions under Article 12(3) of the Directive has not been duly reflected in Czech law.

Please also note that, in addition to the form that court injunctions should take, the CJEU also assessed and confirmed that the safe harbour regime applies only in relation to illegal conduct by a given service user. Claims ensuing from non-compliance with a court injunction (i.e., a failure to terminate an infringement of rights or to prevent such infringement) under Article 129(3) of the Directive are not in any way affected by the provisions of the Directive or of national legislation (such as Czech Act No. 480/2004 Coll.). The CJEU thus follows the logical and ideological bases of the Directive as regards the nature of the safe harbour regime: where the safe harbour regime is observed, no claims arising from the conduct of users can be brought against an information society service provider. However, the CJEU has also addressed non-compliance with an imposed court injunction. Such non-compliance gives rise to liability of the service provider for its own actions, namely the breach of its obligation to comply with the court injunction.