Essay Subject
In holding that a
national court might impose an injunction on the operator of a public Wi-Fi service,
compelling them to require users to register before getting Internet access,
the Court of Justice of the European Union in Mc Fadden afforded undue weight
to the protection of intellectual property and failed to protect sufficiently
the privacy rights of would-be Internet users. Discuss.
Introduction
As is so often the case in an increasingly online world,
the questions referred to the Court of Justice of the European Union (‘CJEU’)
in the Mc Fadden case[1]
demanded an assessment of how competing fundamental rights and freedoms ought
to be fairly balanced. The rights, guaranteed by the Charter of Fundamental
Rights of the European Union (‘Charter’),[2]
which weighed into the CJEU’s ‘fair balance’ in Mc Fadden were, most notably: the right to protection of intellectual
property; freedom to conduct business; freedom of expression; and freedom of
information.[3]
However, the right to privacy[4]
was absent from the CJEU’s judgment and, on first look, privacy appears to have
been overlooked by the Court in favour of, arguably ineffective, protection of
intellectual property. On second look, this may not be the only issue to have
been overlooked by the Court as restrictions on open networks could present a
threat to business and global development.
Background
Mr Mc Fadden provided a free Wi-Fi connection for customers
of his lighting and sound business as a way of enabling them to access his
website and encourage sales. This Wi-Fi connection was provided without the
need for the user to register or enter a password; it was an ‘open network’. In
2010, a user downloaded a song from a ‘peer-to-peer’ platform where the musical
work had been made available without the consent of the right holder (Sony).
When Sony Music gave Mr Mc Fadden formal notice of its rights in the musical
work, Mr Mc Fadden made a claim against Sony Music in the Munich Regional Court
to seek a ‘negative declaration’ of his liability. Sony Music’s counterclaims,
notably for direct liability for infringement of the musical work, were upheld
by the Court and, on Mr Mc Fadden’s appeal of that judgment, questions were
referred to the CJEU.
CJEU Judgment
Protection of Intellectual Property Rights
The CJEU found that, because Mr Mc Fadden was providing the
internet access as part of the economic activity of his business, he could
benefit from the ‘mere conduit’ defence under Article 12 of the E-Commerce
Directive. Consequently, Mr Mc Fadden would not be liable for the information
transmitted over his network by users provided he had not initiated the
transmission, selected the receiver of the transmission or selected or modified
the information contained in the transmission.
Rightsholders therefore have no right of compensation
against the operator (the ‘conduit’) for infringement of intellectual property
rights conducted via its network. Had the CJEU stopped there, rightsholders
would justifiably have been concerned for the protection of their intellectual
property. By absolving network operators of responsibility for infringement,
the fight for protection of works would be directed against individual
infringers who are far harder to identify and invariably have far shallower
pockets. The problem of illegal downloading is particularly acute in the music
industry: in 2014 it was estimated that the recorded music industry lost
approximately €170 million of sales revenue within the EU due to illegal
sources.[5]
Against that background, it is unsurprising that progress is being made towards
the prevention of illegal downloads.
However, the CJEU did not stop there. The CJEU went on to
find that network operators such as Mr Mc Fadden could be required, by
injunctions sought by rightsholders, to secure their networks by way of
password protection and user registration. The Court concluded that, whilst
such requirements would restrict the network operator’s freedom to conduct
business and the end-user’s freedom of information, this was fairly balanced
with the need to protect rightsholders’ works. The Court determined that the ‘essence’
of the right to conduct business would not be impeded given that users would
still be able to access the internet. Furthermore, the Court considered that
users’ freedom of information would not be unduly inhibited as no content would
be ‘blocked’ by such measures.
The CJEU makes this finding by reference to the need to
protect rightsholders’ intellectual property rights. Insofar as intellectual
property protection is the goal, will these measures achieve that goal?
The CJEU found that password-protecting may dissuade
network users from infringing copyright provided the user has been required to
reveal their identity to obtain the password and so may not act anonymously.
However, without clearer guidance on the necessary form of password protection,
it is easily possible to imagine that users will register for the network under
false details or details that fail to correctly identify the user. Without the
ability to identify the end-user it is not clear that this measure serves to
further the protection of intellectual property rights at all. There would be
no deterrent to the user and there could be no recompense against an infringing
user as they could not necessarily be identified.
Even assuming that network operators implement systems
capable of identifying users, this heavily places the onus of supervision of
infringement on the network operators. In circumstances where a system is
implemented pursuant to an injunction, the operator may be able to identify an
infringing user. But if operators were to pre-emptively password-protect their
network, they would have no incentive to constantly monitor their network for
infringing users. It seems unlikely that operators would therefore
substantially contribute to identifying infringement of intellectual property.
The CJEU stated that the assessment of the system of
password-protecting would fall to be ascertained by the referring court which
leaves scope for national courts to assess such measures by reference to the
specific circumstances of a case. Nevertheless, it seems possible that this
finding fails to achieve the level of intellectual property protection it
strives for.
Privacy Rights of End-users
Having considered above that the measures the CJEU
envisages could be imposed by injunction of the national court, it is clear
this would demand more than mere password protection and requires sufficient
information to identify the end-user. A consideration of the practical
consequences of this conclusion reveals the absence of consideration the CJEU
gave to end users’ fundamental rights to privacy. A sufficient system
essentially demands that users provide personal information on registration
which entirely removes any anonymity an internet user may previously have
benefitted from and exposes users’ personal information.[6]
It has been suggested that this issue may yet require further judicial
elucidation.[7]
Individual users would not be able to use the network
without providing personal information to the network operator of which it may
be unfamiliar and have been provided with minimal information relating to the
use, storage and protection of that personal information. In the context of
increasing scrutiny of the use of personal information and a heightened
awareness across the EU of the importance of online privacy, this presents
fresh challenges for individuals, policymakers and lawyers.
The CJEU did not factor these issues into its analysis. Whilst
Advocate General Szpunar also primarily focused on the rights of the network
operators to conduct their business in his Opinion,[8]
he did not fail to identify the privacy implications of these measures. AG
Szpunar’s Opinion, delivered six months ahead of the Judgment, considered that
all potential measures of protecting intellectual property that had been
proposed by the referring Court, including the introduction of
password-protection, would not strike a fair balance between the competing
rights and freedoms at issue. Crucially, in AG Szpunar’s assessment, these
competing rights include the right to privacy. AG Szpunar considered that not
only would adequate systems of registration be costly for network operators,
but that there would be ‘serious reservations’ concerning the protection of the
right to privacy and the confidentiality of communications. The Court, by
contrast, appeared to have no such serious reservations.
Setting aside the privacy risk for individual users, the
legal and regulatory implications of retaining personal information will be
burdensome for the network operators. The CJEU, whilst overlooking the privacy
rights of end-users, considered the network operators’ freedom to conduct
business at length. This increased burden and cost should surely therefore have
weighed into the Court’ balancing exercise.
Regarding the increased burden on network operators, it is
not clear from the judgment in Mc Fadden who should properly bear the
costs of the injunctions proposed. AG Szpunar considered that imposing the
costs of claims or orders on the network operator could be tantamount to
requiring the network to pay damages; indeed, it is clear from the judgment
that a right holder cannot claim for reimbursement of the costs of claiming
damages against a network operator. Nevertheless, there is no clear indication of
who should fund an injunction requiring a network operator to secure their
network.[9]
If it falls to the network operator, this adds yet further to the costs they
will incur in implementing a password system, complying with data protection
law and regulation.
It is hard therefore, not to conclude that the protection
of intellectual property rights may have been afforded undue weight as compared
with, not only the protection of end-users’ privacy rights, but the necessary
costs of protecting end users’ privacy rights which will fall, along with other
costs, on the network operator.
Other Considerations
Attributing excessive weight to the protection of
intellectual property rights rendered the Court blind to the competing
fundamental rights of would-be internet users and network operators. Therefore,
in noting issues, the CJEU failed to take into consideration that there is yet
more to add.
AG Szpunar noted in his Opinion that there is a risk that
making Wi-Fi networks secure could be a disadvantage for society as a whole.
Interestingly, the importance of open Wi-Fi networks is also acknowledged by
the Commission who, just one day prior to the publication of the Mc Fadden judgment, announced its
support for open networks in public places by way of its ‘WiFi4EU’ scheme.[10]
Open WiFi offers free internet connection for the public.
This is of particular importance to those who may not otherwise be able to
afford or access the wealth of information, educational resources and social
benefits available online. By restricting access or requiring registration,
users may be deterred from accessing the internet and operators may be deterred
from providing that access for free (owing to the costs and regulatory burden
that such measures will cause)[11].
This risks increasing what has been termed the ‘digital divide’ and could have
major socioeconomic implications. This argument was put before the CJEU in Mc Fadden in an open letter signed by
numerous companies and organisations committed to and reliant on open WiFi.[12]
Furthermore, there are commercial benefits to maintaining
and encouraging open WiFi. The system allows for development of new devices and
systems which rely upon access to the internet but would not be compatible with
password protected networks and it enables users to access WiFi quickly whilst
moving through an area.
Conclusion
Generally speaking, where privacy is compromised, the
advocates of compromise are those that stand to profit. Undoubtedly,
intellectual property rights holders will welcome the finding that a national
court might impose an injunction on a network operator but there are indicators
that these measures will not sufficiently protect intellectual property. If
that is the case, and given the compromise made to individuals’ privacy,
network operators’ business and global development, it is not clear who does stand to profit, and therefore who would advocate such compromise.
Ella Castle is now a first year trainee in the London
office of DLA Piper. She recently completed a degree in law at Cambridge.
[1]
C484/14 Tobias Mc Fadden v Sony Music
Entertainment Germany GmbH
[2]
2000/C 364/01 Charter of Fundamental Rights of the European Union (Articles
17(2), 16 and 11 respectively)
[3]
Articles 17(2), 16 and 11 of the Charter respectively
[4]
Article 7 of the Charter
[5]
See European Union Intellectual Property Office press release, 24 May 2016: https://euipo.europa.eu/tunnel-web/secure/webdav/guest/document_library/observatory/resources/research-and-studies/ip_infringement/study7/Press_release-Music_industry_en.pdf
[6]
Professor Lorna Woods, University of Essex, Public Wi-Fi and liability for
illegal downloads, 17 September 2016
[7]
Graham Smith, Open Wi-Fi and copyright – the CJEU Mc Fadden decision, 15
September 2016
[8]
Opinion of Advocate General Szpunar delivered on 16 March 2016 in Case C-484/14
[9]
http://ipkitten.blogspot.co.uk/search?q=Mc Fadden
[10]
Commission paves the way for more and better internet connectivity for all
citizens and businesses: European Commission Press Release, Strasbourg, 14
September 2016
[11]
CJEU sheds light on liability for operators of open Wi-Fi networks, Bernd
Justin Jütte, European Law Blog, 28 September 2016
[12]
Prohibiting WiFi is an Obstacle to Legitimate Trade (an open letter): https://www.eff.org/files/2015/07/20/closedwifiasanobstacletolegitimatetrade-4.pdf