AG Speaks Out On Accountability For Third Party Infringements Committed Via One’s Open WiFi
- Is an open WiFi that is provided for free still an information society service covered under the E-Commerce Directive?
- Can an operator of an open WiFi benefit from a mere conduit safe harbour enshrined in Art. 12 of the E-Commerce Directive?
- Does the safe harbour limit pre-trial costs, injunctions and penalties for non-compliance with injunctions?
- Provided that injunctions are allowed in principle, is an injunction prescribing a) the termination of the Internet connection, b) the password-protection of the Internet connection and c) the examination of all communications passing through that connection compatible with the EU law?
41. In my view, where, in the course of his business, an economic operator offers Internet access to the public, even if not against payment, he is providing a service of an economic nature, even if it is merely ancillary to his principal activity.
42. The very operation of a Wi-Fi network that is accessible to the public, in connection with another economic activity, necessarily takes place in an economic context.
43. Access to the Internet may constitute a form of marketing designed to attract customers and gain their loyalty. In so far as it contributes to the carrying on of the principal activity, the fact that the service provider may not be directly remunerated by recipients of the service is not decisive. In accordance with consistent case-law, the requirement for pecuniary consideration laid down in Article 57 TFEU does not mean that the service must be paid for directly by those who benefit from it. (13)
48. In my opinion, the provision of Internet access in such circumstances takes place in an economic context, even if it is offered free of charge.
65. In accordance with Article 12(1)(a) to (c), this limitation of liability takes effect provided that three cumulative conditions are fulfilled: the provider of the mere conduit service must not have initiated the transmission, must not have selected the recipient of the transmission and must not have selected or modified the information contained in the transmission.
66. According to recital 42 of Directive 2000/31, the exemptions from liability solely cover activities of a merely technical, automatic and passive nature, which implies that the service provider has neither knowledge of nor control over the information that is transmitted or stored.
67. The questions referred by the national court are based on the assumption that those conditions are fulfilled in the present case.
97. Article 12(1)(a) to (c) of Directive 2000/31 makes the limitation of the liability of a provider of mere conduit services subject to certain conditions that are cumulative and also exhaustive. (24) The addition of further conditions for the application of that provision seems to me to be ruled out by its express terms.
64. As is apparent from the preparatory work for that legislative act, the limitation of liability in question extends, horizontally, to all forms of liability for unlawful acts of any kind, and thus to liability under criminal law, administrative law and civil law, and also to direct liability and secondary liability for acts committed by third parties. (19)
68. I would observe that it is clear from a combined reading of paragraphs 1 and 3 of Article 12 of Directive 2000/31 that the provisions in question limit the liability of an intermediary service provider with respect to the information transmitted, but do not shield him from injunctions.
69. Equally, according to recital 45 of Directive 2000/31, the limitations of the liability of intermediary service providers do not affect the possibility of injunctive relief, which may, in particular, consist of orders by courts or administrative authorities requiring the termination or prevention of any infringement.
73. I would recall that Article 12(1) of Directive 2000/31 limits the civil liability of intermediary service providers and precludes actions for damages based on any form of civil liability. (20)
74. In my opinion, that limitation of liability extends not only to claims for compensation, but also to any other pecuniary claim that entails a finding of liability for copyright infringement with respect to the information transmitted, such as a claim for the reimbursement of pre-litigation costs or court costs.
76. Pursuant to Article 12 of Directive 2000/31, a provider of mere conduit services cannot be held liable for a copyright infringement committed as a result of the information transmitted. Therefore, he may not be ordered to pay pre-litigation costs or court costs incurred in connection with that infringement, which cannot be imputed to him.
77. I would also observe that the making of an order to pay the pre-litigation costs or court costs relating to such an infringement could compromise the objective pursued by Article 12 of Directive 2000/31 of ensuring that no undue restrictions are imposed on the activities to which it relates. An order to pay pre-litigation costs or court costs could potentially have the same punitive effect as an order to pay damages and could in the same way hinder the development of the intermediary services in question.
78. Admittedly, Article 12(3) of Directive 2000/31 provides for the possibility of a court or administrative authority imposing certain obligations upon an intermediary service provider following the commission of an infringement, in particular by means of an injunction.
79. However, given the provisions of Article 12(1) of that directive, a judicial or administrative decision imposing certain obligations on a service provider may not be based on a finding of the latter’s liability. An intermediary service provider cannot be held liable for failing to take the initiative to prevent a possible infringement or for failing to act as a bonus pater familias. He may incur liability only after a specific obligation contemplated by Article 12(3) of Directive 2000/31 has been imposed on him.
80. In the present case, in my view, Article 12(1) of Directive 2000/31 therefore precludes the making of orders against intermediary service providers not only for the payment of damages, but also for the payment of the costs of giving formal notice or other costs relating to copyright infringements committed by third parties as a result of the information transmitted.
115. In the light of those considerations, national courts must, when issuing an injunction against an intermediary service provider, ensure:
– that the measures in question comply with Article 3 of Directive 2004/48 and, in particular, are effective, proportionate and dissuasive,
– that, in accordance with Articles 12(3) and 15(1) of Directive 2000/31, they are aimed at bringing a specific infringement to an end or preventing a specific infringement and do not entail a general obligation to monitor,
– that the application of the provisions mentioned, and of other detailed procedures laid down in national law, achieves a fair balance between the relevant fundamental rights, in particular, those protected by Articles 11 and 16 and by Article 17(2) of the Charter.
116. The national court asks whether Article 12 of Directive 2000/31 precludes injunctions which contain prohibitions formulated in general terms and leave it to the addressee of the injunction to determine what specific measures should be adopted.
117. The measure envisaged in the main proceedings consists in an order requiring the intermediary service provider to refrain in the future from enabling third parties to make a particular protected work available for electronic retrieval from an online exchange platform via a specific Internet connection. The question of what technical measures are to be taken remains open.
118. I would observe that a prohibitory injunction that is formulated in general terms and does not prescribe specific measures is potentially a source of significant legal uncertainty for the addressee thereof. The fact that the addressee will be entitled, in any proceedings concerning alleged failure to comply with such an injunction, to show that he has taken all reasonable measures does not entirely remove that uncertainty.
119. Moreover, given that determining what measures it is appropriate to adopt entails striking a fair balance between the various fundamental rights involved, that task ought to be undertaken by a court, rather than left entirely to the addressee of an injunction. (33)
120. Admittedly, the Court has already held that an injunction addressed to a provider of Internet access which leaves it to the addressee to determine what specific measures should be taken is, in principle, consistent with EU law. (34)
121. That solution was based, in particular, on the consideration that an injunction formulated in general terms had the advantage of enabling the addressee to decide which measures were best adapted to his resources and abilities and compatible with his other legal obligations. (35)
122. However, it does not seem to me that that reasoning can be applied in a case, such as the case in the main proceedings, in which the very existence of appropriate measures is the subject of debate.
123. The possibility of choosing which measures are most appropriate can, in certain situations, be compatible with the interests of the addressee of an injunction, but it is not so where that choice is the source of legal uncertainty. In such circumstances, leaving it entirely to the addressee to choose the most appropriate measures would upset the balance between the rights and interests involved.
124. I therefore consider that, whilst Article 12(3) of Directive 2000/31 and Article 8(3) of Directive 2001/29 do not, in principle, preclude the issuing of an injunction which leaves it to the addressee thereof to decide what specific measures should be taken, it nevertheless falls to the national court hearing an application for an injunction to ensure that appropriate measures do indeed exist that are consistent with the restrictions imposed by EU law.
130. I consider that, in the present case, the inconsistency with EU law of the first and third hypothetical measures mentioned by the national court is immediately evident.
131. Indeed, a measure which requires an Internet connection to be terminated is manifestly incompatible with the need for a fair balance to be struck between the fundamental rights involved, since it compromises the essence of the freedom to conduct business of persons who, if only in ancillary fashion, pursue the economic activity of providing Internet access. (39) Moreover, such a measure would be contrary to Article 3 of Directive 2004/48, pursuant to which a court issuing an injunction must ensure that the measures imposed do not create a barrier to legitimate trade. (40)
132. In so far as concerns a measure requiring the owner of an Internet connection to examine all communications transmitted through that connection, that would clearly conflict with the prohibition on imposing a general monitoring obligation laid down in Article 15(1) of Directive 2000/31. Indeed, in order to constitute a monitoring obligation ‘in a specific case’, (41) such as is permitted under Article 15(1), the measure in question must be limited in terms of the subject and duration of the monitoring, and that would not be the case with a measure that entailed the examination of all communications passing through a network. (42)
d) The compatibility of an obligation to make Wi-Fi networks secure (..)
137. I would observe that an obligation to make access to such a network secure would potentially meet with a number of objections of a legal nature.
138. First of all, the introduction of a security obligation could potentially undermine the business model of undertakings that offer Internet access as an adjunct to their other services.
139. Indeed, some such undertakings would no longer be inclined to offer that additional service if it necessitated investment and attracted regulatory constraints relating to the securing of the network and the management of users. Furthermore, some users of the service, such as customers of fast-food restaurants or other businesses, would give up using the service if it involved a systematic obligation to identify themselves and enter a password.
140. Secondly, I would observe that imposing an obligation to make a Wi-Fi network secure entails, for persons who operate that network in order to provide Internet access to their customers and to the public, a need to identify users and to retain their data.
141. In this connection, Sony Music states in its written observations, that, in order to be able to impute an infringement to a ‘registered user’, the operator of a Wi-Fi network would need to store the IP addresses and the external ports through which registered users have established an Internet connection. Identifying users of a Wi-Fi network essentially corresponds to the allocation of IP addresses by an access provider. The operator of the Wi-Fi network could therefore use a computer system, which would not be very costly, according to Sony Music, to enable it to register and identify users.
142. I would observe that obligations to register users and to retain their private data fall within the scope of the regulations governing the activities of telecoms operators and other Internet service providers. The imposition of such administrative constraints seems to me to be clearly disproportionate, however, in the case of persons who offer their customers and potential customers access to the Internet via a Wi-Fi network as an adjunct to their principal activity.
143. Thirdly, although an obligation to make a Wi-Fi network secure that is imposed in a particular injunction is not the same as a general obligation to monitor information or actively to seek facts or circumstances indicating illegal activities, such as is prohibited by Article 15 of Directive 2000/31, any general obligation to identify and register users could nevertheless lead to a system of liability applicable to intermediary service providers that would no longer be consistent with that provision.
144. Indeed, in the context of prosecuting copyright infringements, network security is not an end in itself, but merely a preliminary measure that enables an operator to have a certain degree of control over network activity. However, conferring an active, preventative role on intermediary service providers would be inconsistent with their particular status, which is protected under Directive 2000/31. (47)
145. Fourthly, and lastly, I would observe that the measure at issue would not in itself be effective, and thus its appropriateness and proportionality remain open to question.
146. It must also be observed that, given the ease with which they may be circumvented, security measures are not effective in preventing specific infringements of protected works. As the Commission states, the use of passwords can potentially limit the circle of users, but does not necessarily prevent infringements of protected works. Moreover, as the Polish Government observes, providers of mere conduit services have limited means with which to follow exchanges of peer-to-peer traffic, the monitoring of which calls for the implementation of technically advanced and costly solutions about which there could be serious reservations concerning the protection of the right to privacy and the confidentiality of communications.
147. Having regard to all of the foregoing considerations, I am of the opinion that the imposition of an obligation to make access to a Wi-Fi network secure, as a means of protecting copyright on the Internet, would not be consistent with the requirement for a fair balance to be struck between, on the one hand, the protection of the intellectual property rights enjoyed by copyright holders and, on the other, that of the freedom to conduct business enjoyed by providers of the services in question. (48) By restricting access to lawful communications, the measure would also entail a restriction on freedom of expression and information. (49)
148. More generally, I would observe that any general obligation to make access to a Wi-Fi network secure, as a means of protecting copyright on the Internet, could be a disadvantage for society as a whole and one that could outweigh the potential benefits for rightholders.
149. First, public Wi-Fi networks used by a large number of people have relatively limited bandwidth and are therefore not particularly susceptible to the risk of infringement of copyright protected works and objects. (50) Secondly, Wi-Fi access points indisputably offer great potential for innovation. Any measures that could hinder the development of that activity should therefore be very carefully examined with reference to their potential benefits.