Is Sharing Torrents on Online Platforms a Communication to the Public? – CJEU’s Judgment in Stichting Brein

On June 14 the CJEU delivered its judgment in the Stichting Brein case (not to be confused with the C-527/15 Stichting Brein, which is also about ‘communication to the public’ and in which the CJEU ruled that the sale of multimedia players with pre-installed add-ons is communication to the public).

The present case concerns Stichting Brein, the rights holders’ association from the Netherlands, and Ziggo and XS4ALL, internet service providers. The latter had a number of customers who availed themselves of the services of online sharing platform TPB, an indexing service for BitTorrent files. It was established as a fact that the majority of works indexed through TPB were protected by copyright and shared without the rightholders’ consent. Stichting Brein applied to courts requesting that Ziggo and XS4ALL be ordered to block access to TPB. The question then concentrated on whether the individual posters, the TPB or the intermediaries were engaged in communicating the works to the public. The Hoge Raad referred the case to the CJEU, asking, essentially, if TPB’s actions amount to communication to the public at all.

The questions referred to the Court were:

Is there a communication to the public within the meaning of Article 3(1) of the Copyright Directive by the operator of a website, if no protected works are available on that website, but a system exist … by means of which metadata on protected works which is present on the users’ computers is indexed and categorised for users, so that the users can trace and upload and download the protected works on the basis thereof?

If the answer to Question (1) is negative:

Do Article 8(3) of the Copyright Directive and Article 11 of the Enforcement Directive 2 offer any scope for obtaining an injunction against an intermediary as referred to in those provisions, if that intermediary facilitates the infringing acts of third parties in the way referred to in Question 1?

The two groups of questions are conceptually unrelated. By the first, the Court is asking if TPB’s actions amount to communication to the public as per Article 3(1) of the Copyright Directive. By the second, the Court is asking if the facilitating intermediaries (Ziggo and XS4ALL) can nevertheless be subject to an injunction (even where their activity is not communicating to the public).

Advocate General Szpunar, in his opinion, emphasises the lack of a proper definition of ‘communication to the public’ and refers to the Court’s case law which had so far helped clarify the concept. In particular, the acts of communication and the presence of a public need to exist.1 The player makes an act of communication “when it intervenes, in full knowledge of the consequences of its action, to give its customers access to a protected work, and does so in particular where without that intervention its customers would not, in principle, be able to enjoy the broadcast work.” The second criterion requires two separate conditions to be fulfilled: the communication must be directed at an indeterminate but fairly large number of recipients2 and it must target a new audience. The second condition is not fulfilled where the work has already been made available on another website. As will immediately be clear, all sorts of difficulties may arise as to what qualifies as a work already made available. In the Advocate General’s summary (paragraphs 41 and 42) of the Court’s cases, two situations can be discerned in which a new public clearly exists:

  • a work made available without the consent of the copyright holder amounts to communication to the public since the original holder did not envisage the new public gained through the act
  • communication through technical means different than the initial communication3

(It is worth noting here that it is not entirely clear whether the Court’s case law amounts to the first conclusion and it is questionable whether the second one should apply.) AG Szpunar takes the position that TPB’s actions are a communication to the public and gives three reasons. First, the fact that files are cut up in the process of transmission and downloaded from multiple sources simultaneously is irrelevant for the fact that complete works are enjoyed at the final destination. Second, potential users of peer-to-peer networks fulfil the first criterion of an indeterminate number of users. Third, the ‘new public’ criterion is also satisfied since not only is the rightholder’s consent absent but the new technical means had been used for transmission. Finally, the AG says that, although it is the users who willingly upload the files and leave the computers connected to the network, it is the indexing site that makes the ultimate transmission possible. While active knowledge (and refusal to rectify) remains a condition for an intermediary’s liability, the “necessary and deliberate” actions of operators demonstrate the possession of full knowledge and are, therefore, “simultaneously and jointly” making the works available.

The Court’s judgment repeats the basic premises on which Article 3(1) of the Copyright Directive works, in particular the absence of consent and the new technical means. The Court adds that the for-profit nature “is not irrelevant” without offering further explanation as to how and why it might become relevant. The key point is made in paragraph 36:

[…] the fact remains that those operators, by making available and managing an online sharing platform such as that at issue in the main proceedings, intervene, with full knowledge of the consequences of their conduct, to provide access to protected works, by indexing on that platform torrent files which allow users of the platform to locate those works and to share them within the context of a peer-to-peer network. […] without the aforementioned operators making such a platform available and managing it, the works could not be shared by the users or, at the very least, sharing them on the internet would prove to be more complex.

The Court downplays the subjective element which, both in the AG’s opinion and in the Court’s own previous case law, features somewhat more prominently. Whereas the AG’s opinion suggests that the operator must have been aware that the work had been available (thus exempting bona fide intermediaries), the final judgment puts focus on the fact that the indexing site is essentially a co-infringer. The final ruling is, therefore:

The concept of ‘communication to the public’, within the meaning of Article 3(1) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, must be interpreted as covering, in circumstances such as those at issue in the main proceedings, the making available and management, on the internet, of a sharing platform which, by means of indexation of metadata relating to protected works and the provision of a search engine, allows users of that platform to locate those works and to share them in the context of a peer-to-peer network. (emphasis added)

In spite of the somewhat unsurprising conclusion of the Court, some doubts remain.

First, a significant number of cases in which the CJEU interpreted communication to the public relate to hyperlinks and not to peer-to-peer setups. It is not clear to what extent the conclusions made in those cases can be translated to the present ones. Although the Court does refer to its well-known Svensson and GS Media judgments, both of these were criticised at the time. Neither the Court nor the Advocate General attempts to develop a new approach to P2P platforms.

Second, some aspects of the previous case-law are questionable. The fact that it is not necessary to establish the existence of the new public where new technical means are used is, in the view of this author, problematic and may not be applicable to a range of situations. Likewise, the role of the extent of the rightholder’s consent is not properly explored. It seems that the CJEU believes that a rightholder who consented for something to be posted would be precluded from suing for infringement where that work gets linked to from elsewhere. While it is possible to defend that position, it is not clear that the drafters of Article 3 had intended that effect at all.

Third, while it may be clear that TPB is in full knowledge of the infringing nature of the traffic that it facilitates, this will not always be the case. The Court’s present case-law concerning the relevance of knowledge is confusing. The Court’s hyperlinking line of cases (GS Media) establishes the presumption of knowledge for commercial sites, saying that commercial providers who hyperlink are simply presumed to be knowledgeable about the infringing nature of the activity. Paragraph 47 of that judgment makes the subjective element part of the equation. The Advocate General suggests (paragraph 52) that the platform’s actual knowledge must exist. The AG suggests that the GS Media approach is not appropriate here. The Court mostly disregards the knowledge factor in the present case and does not go into the applicability of its presumption system to P2P cases, leaving the subjective factor open for further confusion and interpretation. Finally, while the existence of intermediaries’ liability in light of Articles 12-15 of the E-Commerce Directive does depend on the subjective factor, these articles do not apply in cases where platforms are primary infringers or co-infringers.

Fourth, the Court’s judgment emphasises indexation, metadata and the provision of a search engine as decisive elements which make TPB a communicator but these exact elements can also be ascribed to search engines such as Google or instant messaging services. The judgment does not offer many clues which can be used to distinguish infringing P2P sites from other sites in the future.

Fifth, the intermittent reliance on profit as a criterion (also featuring in GS Media) is puzzling, especially in the absence of a longer explanation from the Court concerning the possible roles it may play. While the existence of commercial interests may play a role in highlighting the poster’s intentions regarding the public it wants to reach and possible lack of good faith, it cannot and should not play a role in determining whether a work has or has not been communicated to the public. Particularly damaging might be an attempt to conclude that an undertaking operating without profit should not be considered to be making a communication to the public – a possibility which still exists in the present setup. A possible interpretation would be that a for-profit shortcut would simply exempt the court from looking at other factors but this interpretation is not supported by Article 3(1).

In summary, while the Court’s judgment is not surprising and can easily be defended on the basis of the facts presented to it, it does little to clarify the increasingly muddled situation surrounding communication to the public in the digital world.

In light of the fact that the first question was answered positively, the second question had not been answered. Nothing is lost here since the Court’s position on injunctions against intermediaries is relatively well-established.

  1. C-160/15 GS Media.
  2. A condition usually satisfied by a website: C-466/12 Svensson.
  3. C-607/11 ITV.

The US Congress Repealed FCC Broadband Privacy Rules – What does EU Law Say and are Europeans affected?

On January 27, representatives of many ISP providers in the United States filed a petition with the Federal Communications Commission (FCC) requesting a stay of the rules adopted on October 27, 2016 (under the Obama administration). The rules the ISPs wanted removed were the FCC privacy, data breach, and data security rules for broadband Internet access service (BIAS) providers. These rules, which had not yet come into effect, had been labelled as unduly restrictive. The House voted this Tuesday on S.J. 34, repealing the FCC BIAS rules. This has prompted a wave of negative comments. Are they justified and are Europeans affected?

The essence of the rules was to require ISPs to obtain individual consent from each individual before collecting and using information for any purpose, including targeted advertising. The harvesting of data is already under control of the Federal Trade Commission (FTC) and this control extends to ISPs. The new rules – a bolt-on to the FTC’s existing control – would have created a new regime only for ISPs, subjecting them to a more stringent control, probably guided by the idea that ISPs have unique insight into users’ browsing habits (almost certainly not correct, since a lot of traffic is encrypted or anonymised). The FTC regime is, in essence, an opt-out regime – users can withdraw their assumed consent. The FCC regime would have been an opt-in regime.

As already pointed out, in spite of an outcry from privacy advocates, the repeal would have little impact. This is because a) the FCC regime that it repeals had not yet come into force at the time of repeal, b) many ISPs have already pledged to protect existing levels of consumer privacy and c) the repeal simply leaves data collection in the state in which it has been up until now. The internet advertising market, which is dominated by Google, remains now open to a degree of competition, although all the criticism which could be levelled at data collection practices in the US prior to FCC attempt from October 2016 (which are now in place again) is still valid. In other words, whereas it is certainly true that EU Internet privacy is not ideal, this is not for the reasons stated in most public comments.

But, what is the situation in the EU and do American rules affect users in the EU?

It is easier to dispense with the second question first. The FCC rules would have targeted ISPs in the United States only, not those located abroad, including in the EU. Since EU users do not avail themselves of American ISP services (except when they travel to the US), all remains as it has been. On the other hand, EU consumers are subject to American data collection practices in as much as they use websites located1 in the United States. The legal status of these practices is somewhat murky, since they are subject to two sets of laws plus the collector’s terms of use and privacy policy. First, the general data collection is under US FTC rules. Second, they are under EU data protection law. At present this is the 1995 Data Protection Directive; from May 2018 it will be the General Data Protection Regulation. The former applies to entities established in the EU or those who process with the use of the equipment in the EU. If neither is satisfied, the Directive does not apply. This is an oversight which had been corrected in the GDPR which demands application to all situations where EU individuals are targeted irrespective of the establishment or the equipment. Finally, privacy policies and terms of use will be interpreted in light of both these sets of rules and national contract and consumer protection laws. Unfair clauses in such policies are likely to be invalid under EU and national contract and consumer laws and under privacy law. Whereas all this may be of interest to EU users (and their lawyers), it has nothing to do with data that ISPs collect. The conclusion must, therefore, be that the repeal has no effect whatsoever on EU consumers.

The second question, concerning the extent to which EU broadband providers in their own right are subject to privacy oversight, is split between regulation affecting the content and carrier layers of the Internet. The carrier layer is subject to telecommunications laws2 and covers wired and wireless infrastructure carrying the signal (rules on setting up operations, access to other providers’ networks, obligations towards consumers, spectrum management, etc.). These rules do not regulate content itself. The latter is subject to a different set of disciplines – electronic commerce laws3 and audio video media services laws.4 These do not affect the carrier layer but do regulate the content (contracts, consumer laws, protection of minors, advertising, copyright, etc.). The division between the content and carrier layers is important because the EU regulates privacy on both and ISPs do operate on both layers. Privacy on the content layer is largely subject to the 1995 EU Data Protection Directive (soon GDPR). Privacy on the carrier layer is subject to a special directive, the 2002 ePrivacy Directive (which itself is under a proposed change tabled in 2017 and currently under review). An activity in the digital world may be regulated under both regimes if it moves across the content and carrier layers, or it may be regulated under one only.5

An EU ISP provider in its role as a broadband provider is subject to DPD (which covers all situations where private data relating to identified or identifiable customers is gathered with the aid of automation). It will also be subject to the ePrivacy Directive in its role as telecommunications provider and in respect of data that consumers demand from third parties through the ISP’s infrastructure. In other words, if the data moves through the ISP provider’s wires only, and it is not the ISP itself that purveys data, the transaction is subject to the ePrivacy Directive. Content providers such as Google or Facebook or a local newspaper, are not telecommunications providers and are, as a rule, only subject to DPD and those elements of the ePrivacy Directive which do apply to the content layer (cookies and spam).

Having said all this, what does ePrivacy Directive actually say about ISPs and will that change in the ePrivacy proposal?

The ePrivacy Directive applies to all telecommunications providers.6 Two general obligations imposed on providers7 are the obligation to secure the processing of data8 and to maintain confidentiality.9 A general rule on traffic data, Article 6(1), demands that this data be erased or anonymised “when it is no longer needed for the purpose of the transmission of a communication.” Exceptions exist for billing purposes, marketing and value added services as well as for reasons of national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication systems.10 In Article 15(3), the exception relating to marketing is introduced in the form of explicit opt-in:

For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data […] to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time. [emphasis added]

This is the level of protection consistent with the one that would have come into place in the US after the now moribund October 2016 intervention. Location data, other than traffic data11, as per Article 9, may only be processed when “made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.” In such cases, the users are informed of the collection and can withdraw their consent. Furthermore, Article 9(2) also requires that, where consent had been given, users be allowed to temporarily suspend collection in an easy and free-of-charge manner.

The 2017 proposal for an ePrivacy regulation is at this stage only a proposal (unlike GDPR which has been adopted). It is a more complex and more confusing document than its predecessor. New Article 6 proposes to allow the processing of telecommunications metadata,12 among others when

the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.

The wording is different from DPD. Whereas DPD Article 6 allowed collection for marketing purposes or for the provision of value-added services, the new proposal is more permissive in terms of types of services for which collection is possible. This includes all situations where the user gives consent for a purpose which is “specified” and which includes (but is not limited to) the provision of “specific services”. The only limitation comes in the form of a demand that the purpose could not have been achieved through anonymised processing. Content itself (rather than metadata) can be processed if and only if the provision of a consumer-demanded electronic service could not be achieved without such processing. Although the article no longer specifies that it is “prior” consent, this is clear from Article 9’s reference to GDPR’s conditions for consent.

Overall, the new article is slightly more permissive in terms of purposes for which metadata could be collected but it does not relax the conditions (prior consent, possibility for withdrawal, etc.) for their collection. On the contrary, it underlines that such collection is possible only when anonymization does not fulfill the purpose and under the user’s consent.

In conclusion, the EU opt-in regime (both under the present and proposed ePrivacy) provides a somewhat better (on paper at least) protection than its American opt-out counterpart. Overall, ISP data collection practices are regulated on both sides of the Atlantic and the demise of the October 2016 proposal is likely to be of little consequence. On the other hand, data collection practices on the service and application layer (not ISPs) remain an issue both in the USA and in the EU but are legally and logically not part of this debate. Finally, the fact that the EU regime is more robust on paper is not in itself a testimony to EU users being better protected in real life.


  1. “Location” in this context means a company with a corporate seat in the United States and subject to US laws, irrespective of where the equipment (i.e. servers) used to collect data is located.
  2. Officially referred to in the EU as electronic communications law.
  3. See EU E-commerce Directive which is the framework instrument for this area.
  4. See AVMS Directive and the 2016 proposal for its reform.
  5. To make things even more complicated, the ePrivacy Directive does regulate certain issues on the content layer such as cookies and spam.
  6. Articles 1 and 3.
  7. This is not only ISP but all providers of telecoms services.
  8. Article 4. This is general security against outside breaches.
  9. Article 5. This relates to surveillance, tapping, etc.
  10. See Article 15.
  11. Traffic data refers to ordinary data about the electronic transaction (e.g. IP address, duration, etc.). Location data only refer to the geographical location.
  12. Which is information about the type, duration, IP, etc. of a transaction but not the content itself.

Rule By Decree: A Comment on the Commission’s Letter to Twitter, Facebook and Google

On March 17, the Commission published a press release concerning a meeting following a letter it sent in November 2016 to Twitter, Facebook and Google. The letter demanded action from the said platforms in two areas: unfair contract terms and removing fraud & scams. The meeting on March 16 was organised to hear the three companies’ proposal for action. The press release is accompanied by the European consumer authorities’ common position, which provides a somewhat more detailed explanation of the legal bases for each demand.

In the first area, the following changes are demanded:

  • Social media networks cannot deprive consumers of their right to go to court in their Member State of residence;
  • Social media networks cannot require consumers to waive mandatory rights, such as their right to withdraw from an on-line purchase;
  • Terms of services cannot limit or totally exclude the liability of Social media networks in connection with the performance of the service;
  • Sponsored content cannot be hidden, but should be identifiable as such;
  • Social media networks cannot unilaterally change terms and conditions without clearly informing consumers about the justification and without giving them the possibility to cancel the contract, with adequate notice;
  • Terms of services cannot confer unlimited and discretionary power to social media operators on the removal of content.
  • Termination of a contract by the social media operator should be governed by clear rules and not decided unilaterally without a reason.

In the second, the following is demanded:

  • scams involving payments taken from consumers;
  • subscription traps where consumers are offered to register for a free trial but are not given clear and sufficient information;
  • marketing of counterfeited products;
  • fake promotions like “win a smart phone for 1 €” have proliferated over social media which were in fact a true contest but entailing a hidden long term subscriptions for several hundred euros per year.

There are two kinds of problems with the Commission’s approach.

First, in spite of the obvious worthiness of some of the Commission’s aims, the letter is an unfortunate example of “rule by decree”. There is no obvious reason why a public authority should address foreign or EU corporations with the competition law-styled statement of objections – a power which the Treaties do not give it. Nor is there reason to single out a small number of Information Society Service (ISS) providers, which all happen to be public platforms, rather than address its communication to ISSs in general or offer interpretative communications on each relevant regulation or directive. ISS are legitimate subjects of EU regulation in the content layer while platforms are not. Moreover, if the rules in question are obviously applicable to the otherwise extraterritorial platforms, why is it necessary to remind them of that fact and much less already extract their commitment to change their practices? While it is certainly true that a “carrot-and-stick” approach has sometimes been used in the EU, this is normally not done in cases where clear rules already exist but in cases where there are no rules and the Commission encourages self-regulation with a (usually thinly) disguised threat to the stakeholders to engage in self-regulation or suffer the consequences of EU laws. The example in question is significantly different: the Commission is informally enforcing a disparate bunch of rules already in existence – and rules whose applicability to the question in hand it obviously doubts – for why would it otherwise be necessary to threaten enforcement rather than simply engage in it, as is the Commission’s duty?

Second, it is far from certain that some of the Commission’s statements are even true. Three items from the Commission’s list can be taken as examples.

First, it is not a given fact that social media cannot deprive consumers of the right to go to court in their Member State. Brussels I Regulation (Recast) Article 18 (on special jurisdiction for consumer protection) and Article 25 (on prorogation of jurisdiction) talk of jurisdiction of “Member States” only and do not openly prohibit jurisdiction or arbitration clauses in favour of third countries. Their application to third countries is far from obvious. While it is possible to interpret these provisions as prohibiting any jurisdiction clause in favour of courts or tribunals in third states, no CJEU case law exists to confirm or reject such a view yet.

Second, the limitation or exclusion of liability which the communication speaks of is, in reality, affected by contractual arrangements as well as the liability regime in Articles 12-15 of the E-Commerce Directive. A statement limiting liability may very well be valid under national contract law and under the provisions of the 1993 Unfair Contract Terms Directive. That directive, which is not a full harmonisation measure and allows discrepancies in national implementation, quotes as examples only specific cases of limitation of liability, the first of which relates to death or personal injury and the second to “inappropriate” limitations of liability in cases of non-performance or partial performance. None are obvious examples of platform limitations of liability.

Finally, the storage and removal of content is governed by a contractual relationship between the users and the platforms. That relationship is subjected mostly to national law. It is certainly true that the power to remove content is not unlimited and usually not entirely discretionary. The Consumer Rights Directive and the Unfair Commercial Practices Directive, which are full harmonisation measures that preclude further national intervention, may very well apply to the problem even though the common position does not even quote them. The enforcement of such measures should not be subject to EU discretion but is, instead, entirely in the hands of national courts. The common position quotes Article 3 in relation to item 1(m) in the Annex of the Unfair Terms Directive. This puts the problem in the context of user-generated services being offered in exchange for the use of the platform. In such a scenario, the consumer gets access to the platform in exchange for providing user-generated content. But, this is not a typical use of platforms nor their dominant business model. Instead, the user is accessing a service on the provider’s terms, agreeing to be subject to a certain amount of advertising and agreeing to its personal data being used. What the user “sells” is information about the user, not his or her content. The contractual relationship, therefore, is free access and use of the service in exchange for some personal data (usually obtained on consent) and exposure to advertising. An arbitrary removal may raise liability issues as it tilts the balance between the parties but the exercise of a discretion in removing content voluntarily provided does not.

In summary, the regulatory approach is obscure. Rather than encouraging self-regulation, the Commission is simply overstepping its authority. The letter states that the companies have already “agreed to propose changes.” More significantly, even, the issues which have been bundled together as falling under “consumer protection” are a diverse package of issues concerning jurisdiction and the applicable law, contract law, customs law, criminal law and even unfair competition. These complex issues, in as much as they fall within EU competences, are better left to tried and tested methods of enforcement. The Treaties do not give the Commission the ex ante enforcement powers which it has taken on itself. Instead, they give it the power of passing specific laws, regulations, directives and decisions, which national consumer authorities and national courts – not the Commission – are authorised to enforce.

The Pirate Bay and Inducement in EU Copyright – AG’s Opinion in C-610/15 Stichting Brein

The Pirate Bay is an online index of torrents which the users can access to search and obtain files downloadable through BitTorrent clients. The operators were subject to criminal and civil proceedings in Sweden in 2009 and the site remains controversial and blocked in some jurisdictions.

The case concerns a Dutch foundation for the protection of intellectual property rights – Stichting Brein – and two main Dutch Internet providers. Stichting Brein applied to courts under Article 8(3) of Directive 2001/29 asking them to order the two ISP providers to block access to The Pirate Bay, arguing that The Pirate Bay website is used primarily for large-scale copyright infringement.

In November 2015 the Dutch Hoge Raad referred the following question to the CJEU:

Is there a communication to the public within the meaning of Article 3(1) of the Copyright Directive 1 by the operator of a website, if no protected works are available on that website, but a system exist … by means of which metadata on protected works which is present on the users’ computers is indexed and categorised for users, so that the users can trace and upload and download the protected works on the basis thereof?

If the answer to Question (1) is negative:

Do Article 8(3) of the Copyright Directive and Article 11 of the Enforcement Directive 2 offer any scope for obtaining an injunction against an intermediary as referred to in those provisions, if that intermediary facilitates the infringing acts of third parties in the way referred to in Question 1?


The Hoge Raad is essentially asking about liability of operators of P2P indexing sites for copyright infringements ensuing from the use of these sites. Although a casual reader might first think of the limitation of liability for intermediaries which both the EU and US laws provide, the case concerns not providers as intermediaries but providers as primary infringers. In other words, the question is not about whether the ISPs can be insulated from liability for somebody else’s actions[1] but whether the site indexing these torrents itself is participating in the infringement.

In the United States, the Supreme Court addressed this issue in the well-publicised 2005 MGM v Grokster case, where it ruled that a service which induces infringement cannot shield itself from copyright infringement claims[2]. A service which does have substantial non-infringing uses and does not induce, however, could. European law is not uniform on the substantive aspects of inducement or indirect infringement (with various Member States’ laws applying somewhat different standards) but it is on the ability to use generic injunctive relief. Such relief is allowed under Article 8 of the Copyright Directive and Section 4 of the Copyright Enforcement Directive. In the 2010 Scarlet Extended and Sabam cases, though, the CJEU ruled that generic indiscriminate filtering injunctions were not allowed under EU law but did not exclude targeted filtering.[3]

The Stichting Brein case is interesting for two related yet different reasons. The first question referred is asking if the operators (The Pirate Bay) themselves are the originators of the infringement. In other words, this question is not whether the operator could avail itself of the E-Commerce Directive ISP liability insulation but whether the operator is one of the perpetrators. In order to answer that, the Court has to look into whether the operator (indexer) is making the works available or not (Article 3 of the Copyright Directive). The second question asks if, in the case where they are not perpetrators, an injunction could still be made against them ordering them to block the content which the indexer makes available. The first question is, therefore, essentially about The Pirate Bay while the second targets the ISPs.

In answering the first question, AG Szpunar emphasises that operators of The Pirate Bay are merely indexing the content and not actually putting it online for downloading[4]. On the other hand, it is equally clear that the works would either be unavailable or very difficult to obtain had it not been for The Pirate Bay’s intermediation.[5] For that role to be fulfilled, the operator must have actual knowledge of the infringement.[6] In light of that, the AG answers the first question as follows:

The answer to the first question referred for a preliminary ruling should therefore be that the fact that the operator of a website makes it possible, by indexing them and providing a search engine, to find files containing works protected by copyright which are offered for sharing on a peer-to-peer network, constitutes a communication to the public within the meaning of Article 3(1) of Directive 2001/29, if that operator is aware of the fact that a work is made available on the network without the consent of the copyright holders and does not take action in order to make access to that work impossible.

This result is neither surprising nor inconsistent with the Court’s previous case law nor with what has hitherto been said in courts in the EU[7] or in the United States. In fact, using different legal concepts and a somewhat different language, AG Szpunar reached the result which is, in substance, in line with the US Supreme Court’s MGM v Grokster decision.

The second question is, in essence, about obtaining a blocking injunction through Article 8(3) of the Copyright Directive of a service which does not communicate to the public. Since the AG suggests an affirmative answer to the first question (i.e. that The Pirate Bay is an infringer), the available injunctions are somewhat wider and there would be no need to use Article 8(3), which is specifically targeting ISPs.[8] The CJEU had already said in UPC Telekabel Wien that Article 8(3) allows injunctions against infringing operators where the order “does not specify the measures which [the] access provider must take and when that access provider can avoid incurring coercive penalties for breach of that injunction by showing that it has taken all reasonable measures”. In the AG’s opinion, however, this only covers the infringing operators which The Pirate Bay may, at this stage, not be. Article 8(3) presupposes a link between the subject of the injunction and a direct copyright infringement.[9] In addition to that, it is also necessary that such an injunction does not violate fundamental rights.[10] Crucially, however, if the infringement is only indirect, it falls under national law, since indirect copyright infringements have not been harmonised at EU level. The AG, therefore, leaves the matter to national courts, suggesting that Article 8(3) allows injunctions

against an intermediary ordering it to block access for its users to an indexing site of a peer-to-peer network, if the operator of that site can, under national law, be held liable for copyright infringements committed by users of that network, provided that measure is proportionate to the significance and seriousness of the copyright infringements committed, which is a matter for the national court to determine.

This part of the Opinion is also not particularly controversial since it has long been clear not only that injunctive relief in national law is available but also what the outer EU boundaries of such relief might be. The only change that this Opinion brings, should it be adopted, is to clarify the limits of Article 8(3) in cases where it is not expressly clear that the indexing website is itself infringing.

Overall, the case brings EU law one step closer to the American position and provides extra clarity for what has long been the practice in national courts. After this case, it becomes clear that indexing services, such as The Pirate Bay, might very well be considered to be primary infringers, just as the Swedish court originally held in 2009.

  1. Nor about whether the users posted illegal torrent links – presumably they had.
  2. Grokster had marketed itself openly as the successor of the recently shut down Napster service.
  3. See UPC Telekabel Wien CJEU case here.
  4. Paragraph 51 of the Opinion.
  5. Paragraph 50.
  6. Paragraph 52.
  7. For Swedish case see
  8. He is answering the question, anyway, on the assumption that the Court might not agree with him on the first question.
  9. Paragraph 64.
  10. Paragraphs 71-83.

The New ePrivacy Regulation – Complex and Obscure Rules

In December 2016, a proposal for the new ePrivacy Directive was leaked. The final proposal was published on January 10, 2017 (text and impact assessment, Commission’s summary). The important document, which has an impact on a wide range of issues (cookies, spam, advertising and metadata, for example), is already causing the Internet to resonate with comments (see here, here, here and here).

The original 2002 Directive (see consolidated version) has always been a peculiar instrument. It is technically part of the 2009 telecommunications package (see the proposed 2016 reform), and therefore also part of the carrier layer of regulation[1]. On the other hand, it always also had an impact on the content of the Internet, since it regulated spam and cookies, and general security of electronic data. In addition to that, the ePrivacy Directive is a bolt-on instrument to the 1995 Data Protection Directive, which is the main instrument regulating privacy of individuals on the net (itself reformed with the proposal for a General Data Protection Regulation – GDPR). The 2002 Directive was meant to complement the 1995 Directive and “refresh” it for the digital age and the 2017 Regulation continues this connection with the GDPR.

The Proposal does not fundamentally change the setup provided in the ePrivacy Directive but brings in a number of significant changes, somewhat increasing privacy protection.

The basic rule is confidentiality of communications (Article 5). This rule is then subject to various modifications and exceptions scattered throughout the Regulation. Article 10 requires privacy-by-design for software, meaning that new software ought to default to increased privacy settings upon installation.

In terms of the type of instrument used, the Directive becomes a Regulation, thus reducing the manoeuvring space that Member States might have (for transposition problems with the existing Directive and inconsistencies in Member States’ implementation, see here).

The scope of the Regulation is wider than that of the Directive and matches GDPR. Article 3 of the Proposal specifies that it applies “in connection with the provision of electronic communications services” in the EU, irrespective of whether they are processed in the Union or not. In addition to this, it applies to all services located out of the EU but targeting end-users in the EU. This is consistent with the extended scope of application of GDPR.

The Regulation prohibits collection of metadata but contains a full page of exceptions. It does not directly address the high-profile problem of state-mandated ‘snooping’ (for that, see C-203/15 Tele2).

In terms of cookies, the Directive (Article 5(3)) had drawn a lot of criticism in respect of its demand that clear prior consent be given for all ‘cookies’ stored on the machine. In practice, this resulted in annoying popups alerting the users of ‘cookies’. The info was mostly ignored and the Proposal now has what the Commission calls a more sensible approach (Article 8) but what is, in effect, a markedly more complicated one. The article has two basic rules, with six basic exceptions and other modifying rules elsewhere in the text. In addition to that, Article 9(2) says that “consent may be expressed by using the appropriate technical settings of a software application”. This means that a software setting (e.g. in a browser) ought to be interpreted as consent or lack thereof.

Article 16 reinforces the rule that unsolicited communication could only be received by those who have given their consent (opt-in). The article applies to any services, i.e. email, SMS, instant messaging, etc., a change compared to Article 13 of the ePrivacy Directive, which only applied to electronic mail.

While it is true that the Regulation is a result of the REFIT simplification process, the end product is anything but simple. This is for four reasons. First, the Regulation must be read in conjunction with GDPR, itself a lengthy and complex instrument. Frequent cross-references do not make things easier and neither does the obscure technical language. Second, the Regulation is still standing with one foot in the carrier and the other in the content world, each of which is subject to different rules. Third, the interplay of various issues it regulates (data, metadata, different types of consent, lots of exceptions) makes interpreting it a difficult task even for experts. Fourth, there is a lack of clarity on fundamental issues (metadata collection is prohibited – except when it is allowed, cookies may or may not require consent, metadata should not be collected – unless one of the broad exceptions exists, unsolicited communication is banned but the reality of advertising is not taken into consideration…).

In the view of this author, the new Regulation will intensify the problems, not eliminate them.

  1. Content vs carrier: the laws applying to the carrier layer regulate the networks and telecommunications services (cables, wires, spectrum, etc). The laws applying to the content layer regulate the content that flows on these wires (media rules, e-commerce, copyright, etc.)

CJEU Confirms – No General Data Retention Allowed

On 21 December 2016, an important decision came from the Court of Justice of the European Union (CJEU). In joined cases C-203/15 Tele2 Sverige AB v Post- och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson and Others (full case and press release), the Court ruled against general data retention while allowing it in specific and controlled conditions. It said:

EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Member States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary. Access of the national authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained within the EU.

The present judgment is a continuation of a saga that goes back to September 11, 2001. In the wake of the attacks on the United States, the governments on both sides of the Atlantic introduced measures to combat the perceived threat of terror. Among these measures was the EU 2006 Data Retention Directive. The directive required storing of telecommunications data for a period between 6 and 24 months. The data stored was ‘metadata’, i.e. information on what was accessed on the Internet or what telephone numbers had been dialled and when, not the actual copies of information.

In joined cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others (press release available here), the Court declared the Directive to be invalid, saying that it

entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary

The main argument for invalidation was that the Directive was not compatible with the European Convention on Human Rights (ECHR). The result was only that the 2006 Directive had been made invalid, but nothing specific was said about whether Member States’ data retention laws are incompatible with other EU laws.

Following the invalidation of the 2006 Directive, a number of Member States retained laws that operated, essentially, on the basis of the Directive. In Sweden, the law required operators of electronic communications services to retain traffic and location data while laws in the UK required data retention for periods up to 12 months. The two joined cases referred to here relate to Swedish and UK laws, respectively.

Since the directive which provided a basis for data retention had been made invalid, the fallback provision is Article 15 of the ePrivacy Directive, which allows for rules of the 1995 Data Protection Directive to be derogated from when required by “national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences”. The question referred to the CJEU by the Swedish court asks, essentially, whether a general data retention obligation (i.e. an obligation to retain all data, without a specific purpose or threat) is compatible with Article 15 and with Articles 7 and 8 and Article 52(1) of the Charter of Fundamental Rights. If the answer is no, the second question asks whether retention may be, nevertheless, permitted in certain specific cases (“targeted retention”). The UK court’s reference is conceptually slightly different. It is asking if the 2014 Digital Rights Ireland judgment (invalidating the 2006 Directive) also introduces “mandatory requirements of EU law applicable to a Member State’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the Charter.”

The Court ruled that Article 15 of the ePrivacy Directive, read in light of Articles 7, 8 and 11 of the Charter, precludes

general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.

Ruling on when national rules on access to the retained data are likewise precluded, it said that this is so

where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.

In other words, general data retention is illegal, while specific data retention is allowed in cases where the fight against serious crime so requires, where there is judicial oversight and where such data is not transferred out of the EU.

The main position of the Court is that, absent specific legislation on data retention, the provisions of the ePrivacy Directive must be interpreted narrowly. In analysing the case, the Court pointed out that the conditions of Article 15 of the ePrivacy Directive are exhaustive. Any derogations from the rules protecting privacy must apply only in so far as is strictly necessary. Only the objective of fighting serious crime justifies derogations from general data protection requirements and then only with proper court oversight. Since general data retention does not contain a proper link between data retained and a threat to public security, such retention does not satisfy the conditions. The Court does not preclude data retention in general but allows targeted retention under the conditions discussed.

There is no doubt that the most important point that the CJEU is making is that proper judicial oversight is needed in all cases where a government proposes to undermine basic constitutional rights and EU-based privacy rules. As such, the decision is not surprising and is a continuation of the arguments put forward in the Digital Rights case. The decision will have a significant impact on the just-adopted UK 2016 Investigatory Powers Bill, which has been heavily criticised.

EU Consumer Summit 2016 – to What Extent is EU Consumer Law in Need of Reform?

The EU prides itself on having robust consumer laws. This is a result of decades-long development and of intelligent but gradual changes in policy direction. The legislation is comprehensive, covering a range of consumer situations and is slowly drifting towards full harmonisation. The key laws in this area are the 2011 EU Consumer Rights Directive, the 2005 Unfair Commercial Practices Directive and the 1993 Directive on Unfair Terms in Consumer Contracts. Both the 2011 CRD and the 2005 UCP directives are full harmonisation instruments.

Contrary to many other areas of EU cyberlaw, which are currently subject to comprehensive reviews (in particular privacy, copyright and telecommunications), consumer law is not in need of fundamental reform, a sentiment which the EU officials repeat often. The 2016 EU Consumer summit takes place under the sign of the EU’s REFIT program, which is an initiative to make EU laws simpler and less costly. As part of the REFIT, the Commission is conducting a “Fitness check”, which is a comprehensive policy evaluation aimed at making sure that legislation is fit for purpose. The result will not be the scrapping of present laws but their gradual adjustment. The 2016 Fitness check of EU consumer laws will be complete by May 2017.

The Fitness check covers the following directives:

• Directive 2005/29/EC, Unfair Commercial Practices Directive

• Directive 1999/44/EC, Sales and Guarantees Directive

• Directive 93/13/EEC, Unfair Contract Terms Directive

• Directive 98/6/EC, Price Indication Directive

• Directive 2006/114/EC, Misleading and Comparative Advertising Directive

• Directive 2009/22/EC, Injunctions Directive

During the summit’s opening session, some key points have been put forward:

  • First, the three areas in which the Commission itself believes action ought to be taken are: 1) the simplification of consumer requirements, 2) commercial practices and contract terms and 3) the effectiveness of the injunctions procedure.
  • Second, consumer protection as a policy goal ought to be at least as important as increased growth or competitiveness (Evelyne Gebhardt, MEP).
  • Third, there is a belief that, because consumers are usually not familiar with their rights, these may as well be scrapped. Instead, better education and increased enforcement ought to lead to better understanding among consumers and more trust (Evelyne Gebhardt, MEP).
  • Fourth, the biggest weaknesses in the present framework are problems with enforcement and compliance. Improving EU laws, therefore, does not mean more laws but better enforcement of present laws (Monique Goyens, BEUC).
  • Fifth, small and medium enterprises did not influence the creation of the EU consumer acquis in the 90s and ought to play a more prominent role (Luc Hendrickx, UEAPME).

The workshops on the three issues presented reported as follows:

  • The first workshop concluded that the 2011 Consumer Rights Directive is adequate and full harmonisation of information requirements should be maintained. Improvements can be made by avoiding duplication of information, better enforcement of existing rules, and better presentation of information. Transparency of information requirements for platforms should be improved, plain language used and less technical info provided. Price indication also needs to be improved.
  • The second workshop looked at the UCP and Unfair Contract Terms directives and concluded that there is support for an EU-wide black-list backed by principles, as is presently the case, but also indicated a need for improvement in a number of areas. Among others, this included a need for harmonised civil remedies, better enforcement, and streamlined information requirements. The workshop also recommended extension of the UCP Directive to B2B transactions, which would particularly benefit SMEs.
  • The third group looked at the effectiveness of the injunctions procedure. It concluded that national varieties of the injunction procedure are working well. On the other hand, improvements could be made by reducing costs and setting clearer minimum standards.

Overall, someone following the debate would conclude not only that EU consumer acquis is not in need of a thorough reform but could also hear very specific suggestions about how it could be fine-tuned. This author agrees but cannot escape the impression that some of the important dilemmas have not been addressed.

First, to what extent is data protection legislation not just a complement to consumer laws but their replacement? The significantly stricter data protection rules might achieve what poorly enforced consumer protection rules do not. Second, little was said about alternatives and soft law. While enforcement of consumer law is a long-term problem, the issue is also about alternatives to solutions which do not work. Since we know that legally mandating the display to consumers of the endless terms-of-use which they do not read does not work, what alternative solutions might we find? We need to learn from the industry examples that work and this requires field research and cooperation. Finally, the EU paradigm of the “weaker consumer” put the EU at the forefront of consumer protection in the 80s and the 90s but that paradigm may no longer be adequate for the Internet-of-Things data-driven economy of this decade and the next. What is, therefore, needed is not fine-tuning but a complete rethinking of both that paradigm and how consumers are treated in non-consumer branches of EU law.