Privacy, Data Protection and Copyright in Mc Fadden

Essay Subject

In holding that a
national court might impose an injunction on the operator of a public Wi-Fi
service, compelling them to require users to register before getting Internet
access, the Court of Justice of the European Union in Mc Fadden afforded undue
weight to the protection of intellectual property and failed to protect
sufficiently the privacy rights of would-be Internet users. Discuss. 

Introduction 

Proponents of copyright minimisation reacted to the decision
of the Court of Justice (CJEU) in Mc Fadden v Sony Music Entertainment
Germany GmbH[1]
with cautious optimism.[2]
It appeared that the content industry’s latest bid to water down immunity
provisions for online intermediaries had failed. In holding that providers of
free public Wi-Fi networks fell within the definition of ‘information society
services’ in Directive 98/34/EC,[3]
the Court allowed such persons to avail themselves of the ‘mere conduit’
defence to copyright liability under art 12(1) of the E-Commerce Directive.[4]
To the extent that the caffeine allowed it, imbibers of flat whites across Europe
relaxed, confident that their favourite cafes were now sufficiently protected
from intermediate liability as to be likely to continue to provide free Wi-Fi. 

On closer inspection, however, it is apparent that Mc
Fadden is not an unalloyed victory for internet users’ rights. In giving
effect to the right of copyright holders to have their intellectual property
protected, the CJEU held that national courts can enjoin public Wi-Fi providers
to protect their networks with passwords, and to require users to enter contact
details in order to access the internet. While the CJEU recognised that
mandatory passwords may affect Wi-Fi users’ right to freedom of information, it
failed to acknowledge that users’ rights to privacy and data protection are implicated
when contact information is divulged. 

In this essay I argue that the Court in Mc Fadden erred
in neglecting to balance the right to intellectual property protection against
users’ privacy concerns. Part 2 will outline the facts and findings of Mc
Fadden. Part 3 will show that the right to data protection, as contained in
the Charter of Fundamental Rights of the European Union,[5]
is enlivened when data such as names and email addresses are surrendered to
internet intermediaries. In Part 4, I argue that the amount of personal
information collected, and the people to whom it is subsequently sent, are
relevant considerations when evaluating whether preventative measures strike a
fair balance between intellectual property protection and users’ information
rights. The essay concludes that the failure of the CJEU to recognise the privacy
and data protection dimensions of password-protected Wi-Fi bespeaks a broader trend
in which the harvesting of personal data is condoned when it takes place in the
context of copyright enforcement. 

1 Privacy and data protection 

But first, some housekeeping. Privacy is a multifaceted
right: it guards against several different types of invasive conduct. It has a
physical component to it, in that it includes the right not to be subject to
intrusion upon one’s seclusion or solitude.[6]
It also has an informational element, concerned less with maintaining one’s spatial
integrity and more with the prevention of facts about one’s personal life from
being unscrupulously dealt with.[7]
It is this informational dimension of privacy which is at stake when personal details
are lodged with a Wi-Fi provider, and with which this essay is concerned. It is
also this aspect of privacy that data protection legislation is, to a large
extent, designed to regulate. Therefore, while acknowledging that important differences
exist between the rights to information privacy and data protection, this essay
will use the EU data protection legal framework as a yardstick[8]
against which to evaluate the degree to which Mc Fadden gives due weight
to the personal information of Wi-Fi users. 

2 The CJEU’s decision in Mc Fadden 

2.1 Scope of ‘mere conduit’ exception 

Mr Mc Fadden was
the proprietor of a sound system and lighting shop in Germany. In an effort to
attract passers-by to his business, he provided a free wireless local area
network (WLAN) in the vicinity of his premises. A person used the network to upload
a song to a website, making it available to the general public without the
authorisation of Sony, the rights holder. Sony sued Mr McFadden for damages for
direct copyright infringement. It also sought an injunction against Mr McFadden
to prevent further infringement, as well as the court and notice fees of
seeking the injunction. The main issues for the CJEU were: 

1.    
whether
Mr Mc Fadden could rely on art 12(1) of the E-Commerce Directive to avoid
liability for his customer’s infringing conduct; and

2.    
what
steps Mr Mc Fadden could be required to take, pursuant to an injunction, in
order to prevent third parties from using his WLAN to infringe Sony’s
copyright. 

The Court noted
that Article 12(1) applies only to ‘information society services’ (ISS), and explained
that this term is limited to those services which are normally provided for
remuneration.[9]
However, it found that a service ‘does not need to be paid for by those for
whom it is performed’.[10] Therefore,
businesses using free Wi-Fi in order to attract customers may avail themselves
of the ‘mere conduit’ exception to copyright liability where the cost of the
network is borne indirectly by those who purchase the businesses’ products. Accordingly,
Sony was precluded from claiming compensation from Mr Mc Fadden on the ground
that his network was used by third parties to infringe its rights.[11] 

This aspect of the Mc Fadden judgment has been rightly applauded. It extends the E-Commerce Directive’s
safe harbour protections to those who may not be in the business of providing
internet access for a fee. But the Directive does not allow ISSs to shed
responsibility entirely for the infringing behaviour of their users. It goes on
to state that Article 12 ‘shall not affect the possibility … of requiring the
service provider to terminate or prevent infringement.’[12]
Therefore, while a Wi-Fi provider is immune from claims for compensation, a
person harmed by infringement may still claim injunctive relief against the
service provider, including the costs of obtaining such a remedy.[13] 

2.2 What can injunction require of service provider? 

Having affirmed
that ISSs may still be subject to injunctions, the CJEU considered the types of
measures a national court can legitimately require a Wi-Fi provider to take in
order to prevent recurrent infringement on their network. It identified three
rights affected by the making of such an order. Firstly, the right of the
copyright holder to protection of intellectual property as enshrined in Article
17(2) of the Charter.[14]
Secondly, the Wi-Fi provider’s right of freedom to conduct a business as
contained in Article 16 of the Charter.[15] Thirdly,
to the extent an injunction restricts Wi-Fi users from lawfully accessing the
internet, the right to freedom of information under Article 11 of the Charter
is affected.[16] 

The Court outlined several
courses of action which might feasibly be taken by a Wi-Fi provider to prevent
infringement, before concluding that password-protecting the network strikes an
appropriate balance between the relevant stakeholders’ rights. Such a measure
was deemed not to violate ‘the essence’ of the freedom to conduct a business, as
it consists merely in ‘marginally adjusting one of the technical options’ open
to the provider.[17]
It similarly does little to undermine internet users’ right to freedom of
information, given that the Wi-Fi network presumably ‘constitutes only one of
several means of accessing the internet’.[18]
Finally, the Court held that password-protection is ‘sufficiently effective to
ensure genuine protection’ of intellectual property rights. This is because,
‘provided that those users are required to reveal their identity in order to
obtain the required password and may not therefore act anonymously’,[19] the
measure has the effect, at the very least, of ‘seriously discouraging internet
users’ who are using the Wi-Fi provider’s network from accessing infringing
subject matter.[20] 

3 The right to
data protection 

It takes little
more than a cursory reading of the Mc
Fadden judgment to note the absence
of any references to the rights to privacy and data protection for internet
users. Yet the EU data protection regime is clearly at play when one enters
personal information in order to access Wi-Fi. Names and email addresses plainly
constitute ‘personal data’ under the Data Protection Directive (DPD) and the
impending General Data Protection Regulation (GDPR), given that users can
readily be identified on the basis of these details.[21] Indeed,
the Article 29 Working Party has acknowledged that information even less
probative of identity, such as IP addresses, can constitute personal data in many
circumstances.[22] 

Users of free Wi-Fi
are therefore within the scope of the DPD and GDPR. Consequently, data
controllers must have a legal basis for any processing and abide by various
procedural safeguards. To be sure, there is a legitimate basis for the collection
of internet users’ details, given that users consent to its collection when joining
the network.[23]
After all, there was nothing forcing Mr Mc Fadden’s customers to use his Wi-Fi.
Moreover, where collection takes place pursuant to an injunction, the
processing is necessary for compliance with a legal obligation to which the Wi-Fi
provider is subject.[24] Nevertheless,
providers of the network must still comply with important precautionary
measures when dealing with the data, including that it be processed fairly and
lawfully,[25]
that it be collected for specified, explicit and legitimate purposes[26] and
that the amount of data collected is not excessive in light of its purpose.[27] The
CJEU did not advert to these safeguards. Yet the next part of this essay will
show that they have a material effect on what can reasonably be required of a Wi-Fi
provider. 

It is worth
emphasising at this point that my argument is not that a Wi-Fi provider necessarily
breaches a customer’s right to data protection by collecting their password and
contact details. The collection of this data has a legitimate basis if it is undertaken
in response to an injunction, because it will have been conducted in order to
comply with a legal obligation. My argument is that the CJEU should have
stipulated that national courts, in
formulating this legal obligation in the first place, must always consider the impact of the
injunction on users’ information rights. 

4 An appropriate
balance 

As indicated above,
the Court’s judgment in Mc Fadden did not simply give insufficient weight to
internet users’ rights to data protection and privacy. It neglected to consider
these rights altogether. The CJEU found that national courts may feasibly come
to the conclusion that password-protection strikes a fair balance between the
interests of affected parties when free Wi-Fi is used to infringe copyright.
But the calculus outlined by the Court is defective to the extent that the
rights to data protection and privacy are not included among users’ interests. How
are national courts to arrive at an appropriate balance between the concerns of
copyright owners, businesses and internet users when two of the fundamental
rights at stake are excluded from consideration? 

The CJEU should
have instructed national courts that whether a fair balance is struck depends
on the type of arrangement established between Wi-Fi providers and users.
Usually, the more information that a user is required to divulge in order to
access the network, the less likely it is that password-protection
appropriately mediates between the interests of copyright holders and users. One
could envisage a scenario in which gratuitous information is requested, for
example the user’s gender or credit card details. The garnering of such data is
surely excessive in light of the purpose for it was collected – namely the
protection of intellectual property – and therefore falls foul of the data
minimisation principle in the DPD and GDPR. Yet national courts, in following Mc
Fadden, can claim (and not without reason) that the nature and
extent of information requested by Wi-Fi providers is ancillary to their
assessment of whether a fair balance has been struck.   

The Court should
also have instructed national courts that whether a preventative measure
constitutes a fair balance depends on who has access to the information that Wi-Fi
users enter. Does the data remain with the ISS providing free Wi-Fi, or is it
also transferred to the internet service provider (ISP) through which the
wireless is purchased? And what can the ISP do with the data in the event that
it is able to access it? If the purpose of collection is to prevent users from
breaching copyright with impunity, then it is surely a breach of the purpose
limitation principle in the DPD and GDPR for ISPs to use the information for
marketing or to sell it to data brokers. In failing to issue guidance to this
effect, the Court unduly prioritised the protection of intellectual property at
the expense of user privacy. 

5 Conclusion 

Safe harbour
provisions for internet intermediaries exist in almost all copyright regimes. Yet
as long ago as 2009, Jeremy de Beer and Christopher Clemmer registered a gradual
policy shift in which ‘entertainment industries, government legislators, and
regulatory agencies increasingly are pressuring online intermediaries to play a
more active role in preventing copyright infringement ex ante.’[28]
The story is well-known: as it dawned on governments that ISPs and Wi-Fi
providers were technically and commercially better-positioned than regulators
to reduce infringement,[29]
responsibility for copyright enforcement shifted to the private sector. 

The adoption of
this strategy was perhaps only a matter of time, given the outsized influence
of the copyright maximalist lobby (representing the content industry) on
copyright laws worldwide.[30] Against
this backdrop, the CJEU’s finding in Mc
Fadden that providers of free Wi-Fi
fall within the ‘mere conduit’ exception to indirect liability is by no means
insignificant. Yet the failure of the CJEU to acknowledge internet users’
rights to information privacy and data protection is alarming, because it
implies that these rights are, at best, marginal concerns when it comes to the
protection and enforcement of intellectual property. 

One is reminded, when reading the Mc Fadden judgment,
of other instances in which the protection of intellectual property is seen to
obviate the need for scrutiny of data protection practices. ISPs provide to
copyright owners the names and contact details of customers linked to IP
addresses which are suspected to have downloaded infringing content.[31]
Telecommunications companies continue to engage in Deep Packet Inspection,
examining the content of data packets in order to identify and block
peer-to-peer file sharing.[32]
The protection of intellectual property is undoubtedly important. But companies
cannot be allowed to play fast and loose with user data simply because it is
collected for the purposes of copyright enforcement.

Daniel Zwi is an LLM candidate at the London
School of Economics specialising in intellectual property. He is a qualified
Australian solicitor with an interest in ICT law and digital rights. His
twitter handle is @dan_zwi