Copyright update: provider of public WiFi network not liable for copyright infringement

Written on 7 Oct 2016

The CJEU handed down a decision on 15 September 2016, in Tobias McFadden v Sony Music Entertainment Germany GmbH, that the operator of a shop, hotel or bar who offers the public free access to an internet network is not liable for damages flowing from the infringement carried out by a user of that internet connection.

The Court held that operators could be injuncted to cease the infringement by having to secure the connection by password-protection and also obtaining the identity of the users prior to providing the password to the user. However, operators will not be required to terminate the internet connection, nor monitor all communications passing through the network provided by the provider via the internet connection as part of any injunction.

This decision somewhat departs from the opinion of Advocate General Szpunar discussed here in July 2016, who suggested that none of those three types of measures in relation to an injunction should be permissible.


In Tobias McFadden v Sony Music Entertainment Germany GmbH, the German court made a reference for a preliminary ruling to the CJEU asking for clarification on the extent to which a person, who in the course of a business operates a wireless internet network and provides this free of charge to the public, is liable for copyright infringement committed by users of that network.

Mr McFadden runs a business selling and renting lighting and sound systems for events. He owns an internet connection which he provided to his customers, password free and free of charge. In 2010, a user of that internet connection unlawfully downloaded a musical work owned by Sony Music. Sony Music sent a formal notice concerning the infringement of its rights. Mr McFadden asked the German court for a declaration of non-infringement and Sony counterclaimed by asking the court for an injunction and damages.

The German court granted an injunction and ordered Mr McFadden to pay damages and costs. He then appealed the decision. The appellate court made a request to the CJEU for a preliminary ruling, stating that it believed Mr McFadden was indirectly liable on the ground that his Wi-Fi network had not been made secure.

What questions did the referring court ask?

The referring court asked whether:

  • Mr McFadden could be exempt from liability to pay damages in relation to the copyright infringement, by relying on the ‘mere conduit’ defence under article 12(1) of the InfoSoc Directive;
  • an injunction requiring measures such as terminating or password-protecting the internet connection or examining all communications passing through it would be permitted, based on interpretation of the E-Commerce Directive, InfoSoc Directive and the Enforcement Directive, in order to prevent infringement of a copyright protected work available to the general public from an online peer-to-peer platform.

The decision

As AG Szpunar had suggested, the CJEU held that an operator, such as Mr Mcfadden, will not be liable for damages following a finding of copyright infringement by its users under an internet connection provided by it, if it fell under Article 12 of the E-Commerce Directive. Article 12 is the ‘mere conduit’ defence which gives protection to the provider if it does not:

  • initiate the transmission;
  • select the receiver of the transmission; or
  • select or modify the information contained in the transmission.

The CJEU held that a rights holder may, however, seek an injunction at a relevant national court or authority to prevent a continuation of an infringement, in the form of an injunction. The the rights holder may also claim for the costs of giving a formal notice and court costs in relation to an injunction from the operator.

What steps can a WiFi provider be required to take?

In relation to the possible measures associated with an injunction, the CJEU held that:

  • imposing an obligation to a provider to monitor all of the information transmitted would be contrary to the E-Commerce Directive, which excluded a general obligation on operators to monitor the information they transmit;
  • a requirement to terminate the internet connection would cause a serious infringement of the freedom to conduct a business of a person who pursues an economic activity – this measure does not, therefore, comply with the requirements of ensuring a fair balance is struck between the fundamental rights;
  • a requirement to password-protect an internet connection is capable of restricting freedom to conduct a business and the freedom of information of the recipients of that service, but it does not damage the right of freedom to conduct business, nor undermine the essence of the right to freedom of information of the recipient of an internet network.

The CJEU also considered that password-protecting an internet connection “may dissuade” users from infringing copyright, provided they are required to reveal their identity prior to obtaining the password from the operator.


Despite AG Szpunar suggesting that password-protecting an internet connection could undermine the business model of companies who offer internet access in addition to another service and thereby considering it impermissible, the CJEU decision provided more clarity on the liabilities faced by operators who provide access to an internet network to their potential customers in an economic context. This clarity will be welcomed by business owners.

The decision leaves open the possibility for rights owners to apply at their national court, for an injunction against an operator who provides an internet network to the public in order to prevent a copyright infringement from continuing. The form of that injunction will include a requirement that the connection is password protected and that the users reveal themselves prior to obtaining the password.

It is certainly true that asking users for their identity will have a chilling impact on a user considering carrying out an infringing act. Whether this is an effective means of controlling potential infringements will remain to be seen.

The exchange of private data for certain goods and services (such as a free internet connection) in this day and age is not uncommon by any means. It will, however, place an onus on all providers to gather identity data of its internet users prior to providing a password. The collection of that data will have consequences on rights such as the protection of personal data and respect for private and family life under the EU Charter of Fundamental Rights. Unlike its decision in UPC Telekabel Wien, C-314/12, this decision did not emphasise the importance of the balance of rights between the parties, proportionality, and the rights under the Charter of Fundamental Rights. It is therefore likely, that the question will come up again and the answer will be refined.

For the moment though, as providers are potentially liable to an injunction and costs in relation to an injunction, providers may come under increasing pressure from rights holders to password protect their internet network and also request its users to reveal their identities, if it transpires that users of a particular network are infringing rights holders’ copyright.