Free Wifi and Liability
In Case C-484/14 McFadden v Sony Music Entertainment Germany the Court of Justice of the European Union had to consider a claim brought against the provider of a free wifi network for copyright infringements (downloading) by persons using his network.
Facts and background
Tobias Mc Fadden runs a lighting and sound system shop in which he offers access to a wi-fi network to the general public free of charge in order to draw the attention of potential customers to his goods and services. In 2010, a musical work was unlawfully offered for downloading via that internet connection. The Landgericht München I (Regional Court, Munich I, Germany), before which the proceedings between Sony and Mc Fadden were brought, takes the view that he was not the actual party who infringed the copyright, but is minded to reach a finding of indirect liability on the ground that his wi-fi network had not been made secure. Given its doubts about whether the E-commerce Directive precludes such indirect liability, the Landgericht referred a series of questions to the CJEU.
The E-commerce Directive exempts intermediate providers of mere conduit services from liability for unlawful acts committed by a third party with respect to the information transmitted. That exemption of liability takes effect provided that three cumulative conditions are satisfied: (i) the provider of the mere conduit service must not have initiated the transmission; (ii) it must not have selected the recipient of the transmission; and (iii) it must neither have selected nor modified the information contained in the transmission.
Judgment
The CJEU held that making a wi-fi network available to the general public free of charge in order to draw the attention of potential customers to the goods and services of a shop constitutes an ‘information society service’ under the Directive. The Court went on to confirm that, where the above three conditions are satisfied, a service provider such as McFadden, who providers access to a communication network, may not be held liable. Consequently, the copyright holder is not entitled to claim compensation on the ground that the network was used by third parties to infringe its rights. Since such a claim cannot be successful, the copyright holder is also precluded from claiming the reimbursement of the costs of giving formal notice or court costs incurred in relation to that claim.
However, the CJEU went on to decide that the E-commerce Directive does not preclude a copyright holder from seeking to have such a service provider ordered to end, or prevent, any infringement of copyright committed by its customers.
The Court took the view that an injunction ordering the internet connection to be secured by means of a password is capable of ensuring a balance between, on the one hand, the intellectual property rights of rightholders and, on the other hand, the freedom to conduct a business of access providers and the freedom of information of the network users. The Court notes, in particular, that such a measure is capable of deterring network users from infringing intellectual property rights. In that regard, the Court nevertheless underlines that, in order to ensure that deterrent effect, it is necessary to require users to reveal their identity to be prevented from acting anonymously before obtaining the required password.
Hyperlinking
In Case C-160/15 GS Media BV v Sanoma Media Netherlands BV, Playboy Enterprises International Inc., Britt Geertruida Dekker the CJEU makes it clear that the posting of a hyperlink on a website to works protected by copyright and published without the author’s consent on another website does not constitute a ‘communication to the public’ when the person who posts that link does not seek financial gain and acts without knowledge that those works have been published illegally. In contrast, if those hyperlinks are provided for profit, knowledge of the illegality of the publication on the other website must be presumed. If there is actual knowledge of copyright infringement by the destination site then liability will follow whatever the status of the poster of the link to it.
The judgment has been widely criticised as placing a burden on posters that many acting for very limited financial gain cannot hope to carry effectively.
Background
GS Media operated a website (GeenStijl ) offering ‘news, scandalous revelations and investigative journalism with light-hearted items and wacky nonsense’. It is one of the ten most visited news websites in the Netherlands.
In 2011, GS Media published an article and a hyperlink directing viewers to an Australian website where photos of Britt Dekker were made available. Those photos were published on the Australian website without the consent of the copyright holder. Despite Sanoma’s demands, GS Media refused to remove the hyperlink. When the Australian website removed the photos at Sanoma’s request, a hyperlink to another website was substituted by GeenStijl. When that site complied with Sanoma’s request to remove the photos, Internet users visiting the GeenStijl forum posted new links to sites where the photos could be viewed.
The Hoge Raad der Nederlanden (Supreme Court of the Netherlands) sought a preliminary ruling. Under the Copyright Directive (Directive 2001/29/EC), every act of communication of a work to the public has to be authorised by the copyright holder but the Hoge Raad notes that the internet is overflowing with works published without the rightholder’s consent and that it will not always be easy for the operator of a website to check that the rightholder has given his consent.
Judgment
The CJEU noted that Case C-466/12 Svensson concerned only the posting of hyperlinks to works that have been made freely available on another website with the consent of the rightholder, and that it cannot, therefore, be inferred from that case-law that the posting of such hyperlinks would be excluded, as a matter of principle, from the concept of ‘communication to the public’ when the works at issue have been published on the other website without the rightholder’s consent.
The CJEU acknowledged the importance of freedom of expression and the role that links play in that and accepted that it was difficult, in particular for individuals, to ascertain whether works are protected and, if necessary, whether the copyright holders of those works have consented to their publication on the internet.
When assessing whether there is a ‘communication to the public’ where a link is posted to a work freely available on another website by a person who does not post the link for profit, account must be taken of the fact that people cannot reasonably know that the work was published on the internet without the consent of the copyright holder.
In contrast, where it is established that such a person knew or ought to have known that the hyperlink he posted provides access to a work illegally published, the provision of that link constitutes a ‘communication to the public’. The same applies if that link allows users to circumvent the restrictive measures taken by the site where the protected work is posted in order to restrict the public’s access to its own subscribers.
Furthermore, when hyperlinks are posted for profit, it may be expected that the person who posted such a link should carry out the checks necessary to ensure that the work concerned is not illegally published. It must then be presumed that such a posting has been done with the full knowledge of the protected nature of the work and of the possible lack of consent to publication on the internet. If that presumption is not rebutted, the act of posting a clickable link to a work illegally published on the internet constitutes a ‘communication to the public’.
Since GS Media provided the hyperlinks to the files containing the photos for profit and Sanoma had not authorised the publication of those photos on the internet. It seems clear that GS Media was aware of the illegal nature of that publication and that it cannot, therefore, rebut the presumption that it posted those links in full knowledge of the illegal nature of that publication. Subject to the checks to be made by the Hoge Raad, by posting those links, GS Media therefore effected a ‘communication to the public’.
Pre-installed Software
In Case-310/15 Vincent Deroo-Blanquart v Sony Europe Limited the CJEU has broadly endorsed the common practice of supplying pre-installed software with new computers and charging for it indirectly.
In 2008, Vincent Deroo-Blanquart acquired a Sony laptop in France equipped with pre-installed software (namely Windows Vista Home Premium operating system and various other software applications). When using that computer for the first time, Mr Deroo-Blanquart refused to subscribe to the operating system’s ‘end-user licence agreement’ (EULA) and asked to be reimbursed by Sony for the part of the purchase price of the computer corresponding to the cost of the preinstalled software. Sony refused to process that reimbursement but offered to cancel the sale and to reimburse Mr Deroo-Blanquart the entirety of the sale price, namely €549, subject to the return of the equipment purchased.
Mr Deroo-Blanquart declined that offer and brought legal proceedings against Sony for €450 as a lump sum for the pre-installed software and for €2,500 for the damage suffered as a result of unfair commercial practices. The Unfair Commercial Practices Directive (Directive 2005/29/EC) prohibits unfair commercial practices which distort the economic behaviour of consumers and which are contrary to the requirements of professional diligence, including, in particular, misleading commercial practices and aggressive commercial practices.
The French Cour de cassation referred questions to the CJEU.
The CJEU found that the sale of a computer equipped with pre-installed software does not in itself constitute an unfair commercial practice within the meaning of the Unfair Commercial Practices Directive when such an offer is not contrary to the requirements of professional diligence and does not distort the economic behaviour of consumers. It will be for the national court to determine this issue by taking into account the specific circumstances of the case.
The CJEU restate the view that a commercial practice is to be regarded as misleading if it omits material information that the average consumer needs in order to make an informed transactional decision and thereby causes, or is likely to cause, the average consumer to make a transactional decision that he would not have taken otherwise. In the context of a combined offer consisting of the sale of a computer equipped with pre-installed software, the CJEU takes the view that the failure to indicate the price of each item of software is not such as to prevent the consumer from taking an informed transactional decision, or likely to cause the average consumer to make a transactional decision that he would not have taken otherwise. Since the price of each of those items of software therefore does not constitute material information, the failure to indicate the price of each of those items of software does not constitute a misleading commercial practice.
Competition in Data Feeds
In Case T-76/14 Morningstar, Inc. v Commission the General Court of the EU has confirmed the Commission’s decision to accept the commitments of Thomson Reuters intended to remedy its abuse of a dominant position in the market for consolidated real-time data feeds. The Court refused an application by a rival to the Thomson Reuters group which claimed that the Commission had not gone far enough in seeking changes in the Thomson Reuter’s business practice, with the effect that competing providers were unable to offer a comparable service.
The General Court notes that Thomson Reuters’ commitments focus, essentially, on the opportunities available to customers to switch providers, either on their own or by collaborating with a third-party developer. They can thus collaborate and mutually assist each other in the development of mapping tables on the basis of the licences proposed by Thomson Reuters. The Commission thus took the view that Thomson Reuters did not necessarily have to include its competitors in the licence terms in order to remedy the abuse of a dominant position. The Commission also correctly found that granting Thomson Reuters’ competitors access to Reuters’ Instrument Codes (RICs) would go beyond what was necessary to address the Commission’s concerns relating to the abuse of a dominant position.
Furthermore, the General Court observes that Thomson Reuters offered to allow its customers and third-party developers to set up mapping tables between the RIC codes and the symbol system used by the new provider, with the result that the modifications to be made to the applications are not excessively costly. Those commitments therefore represent a genuine improvement for Thomson Reuters’ customers since, in the absence of the need extensively to modify IT applications, they do not face prohibitive costs during a possible switch of providers.
The commitments are therefore capable of resolving the concerns raised by the Commission and it did not commit a manifest error of assessment in accepting those commitments.
Social Media Control: Criminal Trial
The Court of Appeal in R (British Broadcasting Corporation & Eight Other Media Organisations) v F & D [2016] EWCA Crim 12 was faced with an appeal against an order under the Contempt of Court Act 1981, s. 4(2) which was directed at the press and intended to control vile social media comment posted on the Facebook pages of media organisations in a high profile and extremely difficult trial in which two young teenage girls are charged with murder. The judgment confronts ‘the issue of how critical fair trial protections can be extended to prevent or control communications on social media’.
The proceedings concerned the brutal murder of Angela Wrightson by two young teenage girls from Hartlepool. Cleveland Police produced a document to the court containing over 500 comments to the links to reports of trial posted on the Facebook pages of the Hartlepool Mail, the Daily Mirror, the Sunderland Echo, Breaking News Teesside and Sky News. The news reports themselves were fair, accurate, and reasonable reporting: the problem was the extreme comments to these posts left by members of the public.
Globe J made an order, under s. 45(4) of the Senior Courts Act 1981, addressed at media organisations reporting the trial which greatly restricted their reporting and laid a heavy duty upon them as regards comments. Globe J admitted that he had not foreseen the avalanche of public outrage recorded on social media in reaction to media reports. He agreed with counsel for prosecution and defence that it was impossible to continue with the trial because there was a real risk of injustice to the defendants and, accordingly, discharged the jury.
Nine media organisations then made representations to Globe J and argued that the court had no jurisdiction to make the order, it was disproportionate and it was unworkable. The prosecution and defence responded that since no practical solution to the risk of prejudice created by the provision of a platform for public comment during the trial had been offered and if the initial order was unworkable then that must lead to an order completely restricting reporting under the Contempt of Court Act 1981, s. 4. That was the order made.
On the media’s appeal, Sir Brian Leveson, who knows a thing or two about the press, gave the lead judgment. The media’s case that the robustness of the jury process should be given great weight, referring to past cases and research that suggest that a jury can focus on the evidence in court, and that jury trials had proceeded following clearly prejudicial press coverage in notorious cases (such as that involving Fred West) was not successful. Sir Brian Leveson said that comparison with the West case was misleading because there was no ‘fade factor’ as modern social media comments are immediately available at the click of a mouse. The Court did not accept that those trawling the internet would not go beyond the first page but saw a real risk that they would scroll down or even seek out offensive comments.
The Court was wary of making broad policy statements that would influence future trials but saw it as appropriate for the Attorney-General to consult and issue guidance. The judgment includes a reminder that anyone posting a comment on a publicly available website which creates a substantial risk of causing serious prejudice faces the potential prospect of proceedings for contempt of court.
Notifying Data Breach
TalkTalk Telecom Group PLC v Information Commissioner (Appeal No. EA/2016/0110) was an appeal against the imposition of a monetary penalty notice imposed under the Privacy and Electronic Communication Regulations 2003. It raises a simple point: when does time start to run on the duty to notify a personal data breach within 24 hours after detection of that breach? The TalkTalk view was that the duty arose only after it had completed its investigation of the alleged breach. The ICO view was that, on the facts, the duty arose within hours, and certainly no more than a few days, from the TalkTalk customer giving TalkTalk details of the breach.
Facts
On 16 November 2015, one TalkTalk customer (A) accidentally obtained unauthorised access to the personal data of another customer (B) and was able to see online B’s name, address, telephone numbers, email addresses and date of birth. This occurred due to a problem with one of TalkTalk’s password mechanism. This was a personal data breach under the PECR. A told B about this and B notified TalkTalk of the personal data breach by telephone immediately and then, on 18 November, wrote a detailed letter to TalkTalk and raised the matter with the Information Commissioner.
On 20 November, the Commissioner wrote to TalkTalk about the personal data breach, enclosing B’s letter of 18 November. TalkTalk acknowledged that letter by email on 20 November, via its Information Security Officer, Mike Rabbitt. On 27 November, Mr Rabbitt emailed the Commissioner to say that the incident was being investigated and that the Commissioner would be notified if TalkTalk concluded that a personal data breach had occurred. TalkTalk provided the requisite notification to the Commissioner on 1 December 2015.
The Commissioner then asked TalkTalk to explain why the personal data breach had not been reported within the 24-hour period stipulated by the Notification Regulation. The Commissioner took the view that the personal data breach should have been notified within 24 hours of the receipt of the customer’s letter of 18 November or, at the latest, within 24 hours of the Commissioner’s letter of 20 November. In an email on 3 December, Mr Rabbitt explained on behalf of TalkTalk that this was because ‘the incident had not been reported to either the Information Security or Fraud team’.
Law
The key issue in dispute turns on the interpretation of Commission Regulation 611/2013 (the Notification Regulation), Article 2(2), which addresses the timing of the obligation to notify the Commissioner. As the judgment puts it: ‘The sole issue in dispute in this case is when TalkTalk could rightly be said to have ‘detected’ the personal data breach or to have acquired ‘sufficient awareness’ of the breach.’
Submissions
TalkTalk’s principal contention in the case was that they only ‘detected’ or acquired sufficient awareness of the personal data breach after they had concluded their own investigation into the issues raised by the customer. TalkTalk also submitted that it was standard industry practice for a customer’s complaint of a possible personal data breach to be investigated and confirmed before the Commissioner was notified and suggested that the Commissioner condoned this practice.
The ICO countered by pointing out that customer’s original notification was detailed and gave rise to sufficient awareness – ‘detection’ was not ‘conclusive confirmation’. The Notification Regulation specifically provided for multi-stage reporting in Article 2(3) and the basic information required for a notification could have been provided following the customer’s letter.
Conclusions
The Tribunal dismissed the appeal for the following reasons:
· The level of detail in the customer’s letter of 18 November led to the inevitable conclusion that there was no other explanation for what had occurred other than that there had been a personal data breach.
· TalkTalk’s representatives were not able to suggest any credible alternative scenario apart from a personal data breach that would explain the contents of the customer’s letter.
· TalkTalk therefore had sufficient awareness of the breach and that a personal data breach had been detected upon receipt of the customer’s letter (and possibly had sufficient awareness of the breach when the customer telephoned on 16 November).
· The Regulations made no specific provision for time to conduct an investigation by a service provider beyond permitting a strictly time-limited staged notification process in certain circumstances. The Tribunal considered that to ‘read in’ the requirement that there should always be a period of investigation before notification risked undermining the strict time-limits in the Regulations as there was no specific provision for investigations and consequently no express time limit on the conduct of such an investigation.
· The Tribunal agreed with the Commissioner’s submissions that all the initial information that had to be provided was available to the company from the customer’s letter and that none of the provided information appeared to derive from any subsequent investigation. ·
· The Tribunal distinguished the facts of this case from the situation where a customer made a generalised complaint of a suspected personal data breach when an investigation may well be required before a personal data breach was ‘detected’.
· The Tribunal did not accept that the Commissioner had allowed a practice to arise whereby service providers only notified after an investigation.
