Free public Wi-Fi is not a rarity, especially among shops that try to draw the attention of potential customers to their goods and services. However, what happens when a user commits a copyright infringement while using that Wi-Fi network? Would the person who runs the shop be held liable for the crime? This is according to the Court of Justice of the European Union (CJEU) in the long-running German case of Tobias McFadden v Sony Music Entertainment Germany GmbH .The circumstances of the case were that a shop owner was providing free Wi-Fi via a connection named “”.

The CJEU found that the provider may be able to rely on the ‘mere conduit’ defense against liability in the E-commerce Directive. In contrast to an internet website host, a Wi-Fi-provider normally doesn’t store any information of a more permanent nature. For example, the downloading of a film is not normally continued for any length of time and, after having transmitted the information, the Wi-Fi-provider no longer has any control over that information. A Wi-Fi-provider is simply not in a position to take action to remove certain information or disable access to it at a later time. In addition, the CJEU concluded that a national court could order a provider of free Wi-Fi to take steps to prevent the infringement through password protected accounts and obtaining user identity information. In this decision the CJEU has struck a balance between the interests of copyright holders and other fundamental rights, especially in relation to the right of freedom to conduct a business and the right of others to information. As pointed out by the CJEU, when several fundamental rights protected under EU law are at stake, it is for the national authorities or courts concerned to ensure that a fair balance is struck between those rights. One controversial aspect is that a court may issue an injunction requiring a Wi-Fi provider to password protect its network, but the CJEU has stated that password protection is an effective measure only if the user is required to provide identity details to the Wi-Fi provider so that the user cannot act anonymously. However, a provider may not try to obtain users’ identity details by mandatory means. That would interfere with users’ right to privacy and potentially the right to protect personal data (Art. 8 EU Charter of Fundamental Rights). Germany’s Regional Court referred this question to the Court of Justice of the European Union (CJEU) in the case Tobias Mc Fadden v Sony Music Entertainment Germany GmbH, which gave a preliminary ruling in September. In this case, the appellant ran a lighting and sound system shop, where he offered free Wi-Fi access to the public. In 2010, a person used the internet connection in this shop in order to download music illegally. The German Court was of the opinion that, even though he was not the actual party who infringed the copyright, he was still indirectly liable on ground that his Wi-Fi network was not secure. Therefore, it referred the case to the CJEU for its interpretation of EU law.

The CJEU began by noting that the EU’s directive on electronic commerce is applicable, as it said that offering free Wi-Fi to the public with the intention of attracting potential customers constitutes an “information society service” This directive exempts the information society service provider from indirect liability, in that the intermediate provider providing such conduit services is excluded from the liability of illegal acts committed by third parties. However, the court said that this exemption only held where the following three conditions were all satisfied, these being that

(1) The provider of the service has not initiated the transmission;

(2) He has not selected the recipient of the transmission; and

(3) He has neither selected nor modified the information contained in the transmission.

Thus, where these three conditions are satisfied, the service provider offering free Wi-Fi may not be held liable and consequently, the copyright holder may not claim compensation from him for copyright infringement. Nevertheless, the court also said that under the directive, the copyright holder has the option of seeking to have the service provider ordered to end or prevent infringement of copyright committed by its customers. Such copyright holder may do so either before a national authority or before a court. The court also held that a measure which can deter users from infringing intellectual property rights is an injunction which orders the internet connection to be secured with a password. This would ensure that a certain balance is reached between the intellectual property rights of the right holder and the freedom to conduct business of access and information. In this case, users would be required to reveal their identity, in order to ensure that they do not act anonymously before obtaining the required password.