Free WiFi? ECJ assesses liability for copyright infringement

The Court of Justice of the European Union (ECJ) has ruled that a provider of a WiFi network which is freely open to the public cannot be held liable for copyright infringement carried out by users of the network. However, the ruling in McFadden v Sony also confirmed that a right holder can seek an injunction against a business providing access to its WiFi connection to prevent further infringement of its Intellectual Property (IP) rights. The Court also said that such an injunction could include a requirement that the internet connection is password-protected, provided that users are required to confirm their identity in order to obtain the password.

Whilst in practice, most businesses require passwords to access their connection – although it may not be feasible always to police easily the information given by a user to obtain the password – this decision may have significant implications for those businesses that allow unrestricted access such as, for example, cafes and bars.


Tobias McFadden operates a business in Germany renting and selling sound and lighting systems. In a bid to attract more customers he ran an open WiFi network which allowed users to log in anonymously without the need for a password. One of those users illegally downloaded music owned by record label Sony.

In 2010, Sony issued a formal notice to Mr McFadden and, in response, Mr McFadden sought a negative declaration before a German court. Sony counterclaimed on the grounds that he was directly liable for the infringement and sought damages, an injunction and reimbursement of its legal costs – both in giving the formal notice and in relation to the proceedings. Mr McFadden appealed the German court’s finding of liability against him, arguing that Article 12(1) of the E-Commerce Directive provided him with a safe harbour as a ‘mere conduit’ of information. The ECJ was asked to consider whether the mere conduit exemption applied.

The decision

To rely on the safe harbour, the service provided by Mr McFadden first had to fall under the definition of an “information society service” under the E-Commerce Directive. Even though access to the WiFi service was free, the ECJ said it was provided for an economic purpose, i.e., to attract customers to Mr McFadden’s business. Next, Mr McFadden’s provision of access to his WiFi network had to be as a “mere conduit” of information. This required that the provision of access did not go beyond the boundaries of a technical, automatic and passive process for the transmission of the required information but no other conditions, such as a contractual relationship, had to be imposed.

Where those conditions were satisfied, a business providing access to its WiFi network could rely on the safe harbour from liability, and the copyright holder would not be able to claim compensation against it where third parties used the internet connection to infringe the copyright or other IP rights.

However, the right holder could, in such a situation, seek an injunction to prevent the infringement occurring in the future. The ECJ noted that several fundamental rights protected under EU law were at stake – the national court deciding whether to grant an injunction had to ensure a fair balance between those rights. This would not be achieved by a requirement to monitor all information transmitted over a WiFi network, or by termination of the connection. However, the ECJ suggested that the national court could require the provider to choose which technical measures to comply with the injunction, even if limited to password-protecting the internet connection, provided that users were required to disclose their identity to obtain the required password.

Wider implications

In practice, most businesses protect access to their WiFi network through password requirements and users must give their details in order to access the network; those that don’t should now consider taking this step to avoid an injunction (and related costs) against them. However, it is difficult to police the details that are actually provided by users in terms of their accuracy.

It will be interesting to see if the ECJ’s decision impacts on the President of the European Commission’s WiFi4EU proposal to provide public access to free WiFi across major European cities (e.g., in or around public buildings, health centres, parks or squares), as announced in the annual State of the Union address this year. This stated that local authorities offering these services to their citizens would not be liable for the content that they transmit, but now the implications of the ECJ’s decision will have to be borne in mind.