
Decision on potential liability of free Wi-Fi providers

Chris Eastham and Marina Khawaja comment on the CJEU's recent judgment on an issue that has kept many free Wi-Fi network providers and digital rights campaigners in eager anticipation...

On 15th September, the Court of Justice of the European Union (CJEU) gave its judgment on an issue that has kept many free Wi-Fi network providers and digital rights campaigners in eager anticipation. The question for the court was whether providers of open Wi-Fi access are liable for copyright infringement by users of their free services. More specifically, the case was to decide whether technology giant Sony was entitled to compensation from a shop owner, Tobias McFadden, whose open Wi-Fi hotspot was used to download music illegally.

The answer was, to McFadden's relief, no. Open Wi-Fi operators will not be liable for infringement by users of their networks, subject to certain conditions. However, the ruling left the door open for copyright owners to seek injunctions requiring Wi-Fi providers to password-protect the connection and obtain information regarding the identity of their users. The ruling did not address the implications of mandatory provision of a user's identity from a data privacy perspective.


Tobias McFadden was the owner of a lighting shop in Munich who offered free access to the internet via an open Wi-Fi hotspot for his customers. In 2010, the connection was used for the illegal upload of copyrighted music of which Sony was the rights holder. Sony sought an injunction, and brought a damages claim against McFadden. The injunction was initially granted, and McFadden was ordered to pay damages. On appeal to the CJEU, it was argued that Article 12(1) of the e-Commerce Directive would shield him from liability for third party infringements. The Article provides that where an Information Society Service provider merely transmits information for a user of the service, or provides access to a communications network, it cannot be held liable for the information that is transmitted. This is known as the 'mere conduit' defence.


For McFadden to benefit from the 'mere conduit' defence, he would need to have provided a Wi-Fi service which was normally for remuneration for it to fall within the definition of Information Society Service. The CJEU reasoned that, although the network was provided for free, it should be considered part of the shop's economic activity because it was offered for the purpose of attracting potential customers. This meant that the Wi-Fi service was considered to be provided for remuneration and, therefore, constituted an Information Society Service under the Directive.

A provider of an Information Society Service will only be protected where it meets three conditions: it did not initiate the transmission; it did not select the recipient of the transaction; and it did not select or modify the information contained in the transaction.

The court ruled in McFadden's favour, meaning that Sony was unable to recover damages or its costs associated with the claim. In the light of its ruling, the CJEU considered the best way of protecting the rights of copyright holders. Monitoring all information which is transmitted via a connection is not permissible (and would be extremely burdensome); and being forced to terminate a connection was considered much too restrictive on the freedom to conduct business. The CJEU therefore determined that the best means of balancing the competing rights of copyright holders, the freedom to conduct business, and the right to freedom of information of the users of Wi-Fi, was to permit copyright holders to apply for an injunction requiring a Wi-Fi provider to secure access to the connection using a password.

It suggested that an injunction could require that the password is only given to people who reveal their identity. The court's intent was that this would be a deterrent to potential infringers of copyright by making it more difficult to act anonymously, and by making it easier for any infringements to be traced back to an identifiable user. It was left open for national courts to decide the precise nature of any such injunctive relief, including who will bear the costs of implementing any such injunction.


The ruling means that small businesses and coffee shops offering free Wi-Fi are capable of being protected by the 'mere conduit' defence under the e-Commerce Directive. However, there remain questions as to how a Wi-Fi provider will be able to get the true identity of its users. Less scrupulous users could quite easily submit false details, making the requirement to obtain identity information redundant unless the ID checks are more thorough – and intrusive. There are potential issues with the practicalities of obtaining personal information, and Wi-Fi operators will need to consider how they comply with legal requirements pertaining to data privacy.

Many will recall the recent announcement by Jean-Claude Juncker, the President of the European Union's executive body, that the European Commission wants to see more free Wi-Fi in public spaces across member states within the next four years (the Wifi4EU plan). It remains to be seen what the implications of the ruling might be on the implementation of that plan.

by Chris Eastham and Marina Khawaja.
