
Linking and secondary liability for copyright infringement. A look into the Spanish approach.

May 18, 2016

In the pending and closely watched GS Media case, the CJEU is asked to further clarify whether linking to copyrighted content may in some instances constitute a primary copyright infringement.

It is not the first time the CJEU addresses the nature of links under copyright law. It already tackled the question in Svensson, where it held that “the provision on a website of clickable links to works freely available on another website does not constitute an ‘act of communication to the public’,” under the meaning of Article 3(1) of the InfoSoc Directive. The CJEU reached that conclusion by reasoning that while a link constitutes an ‘act of communication,’ links to works freely available on another website do not communicate those works to a new public, i.e. a public that was not taken into account by the copyright holders when they authorised the initial communication. That conclusion was held again by the CJEU in the Bestwater case, explicitly mentioning the “new public” criterion in the operative part of the order.

In both cases, the Court tried to find a balanced outcome by allowing the provision of links to copyrighted works as long as the links do not circumvent any access restriction established on the website to which they point. However, those cases didn’t directly address the key question of whether a link, even if it does not circumvent any access restriction, may amount to a communication to the public when the content linked to was posted without authorization. In other words, whether linking to freely available pirate content constitutes a primary infringement of the communication to the public right. And this is in essence what the Court must clarify now in GS Media.

In his Opinion on the case, Advocate General Wathelet suggests that the CJEU answer the question in the negative. According to the AG, a hyperlink to a work which is freely available on another website does not amount to an ‘act of communication’ under the Directive in the first place, “since the intervention of the operator of the website which posts the hyperlink, in this case GS Media, is not indispensable to the making available of the photographs in question to users.” That is, there would not be an act of communication to the public regardless of whether or not the works linked to were posted with the rights holders’ authorization.

The AG holds as well that in any event, the ‘new public’ criterion would not be applicable to that case, since it only applies where the rights holder authorised the initial communication. And furthermore, even if the Court were to find that criterion applicable, the ‘new public’ requirement is not satisfied because the intervention of the link setter was not indispensable for making the works available.

As to the question, also raised by the national court, of whether there is a communication to the public where a hyperlink greatly facilitates the finding of the work, the AG proposes to answer in the negative, noting that “it is not sufficient that the hyperlink facilitates or simplifies users’ access to the work in question.”

It remains to be seen if and to what extent the Court will follow the AG’s advice. Some have expressed fears that if the CJEU ends up declaring that links to freely available pirated content are non-infringing, websites of the likes of The Pirate Bay which deliberately provide links to clearly infringing files would be condoned and left out of reach of copyright enforcement.

Arguably, though, the question is not whether rights holders must have some remedies against those blatantly pirate sites, but whether those remedies should be based on the idea that they are infringing the communication to the public right, that is, that they are engaging in primary infringement. Expanding the notion of communication to the public to make sure those sites fit in it would have dramatic consequences for the use of hyperlinks on the internet – as the AG noted, “as a general rule, internet users are not aware and do not have the means to check whether the initial communication to the public of a protected work freely accessible on the internet was effected with or without the copyright holder’s consent.”

A more careful approach would be to deal with those sites and other bad actors under theories of secondary or accessory liability, which allow for better consideration of the elements that characterize their activity, such as facilitation, knowledge, intent, volume of works affected, contempt for copyrights and ultimately fault.

Secondary or accessory liability in the field of copyright is not harmonized as of yet in the EU – though some proposals for harmonization have been put forward. It thus turns on national law. In this regard, it might be interesting to briefly look at the case of Spain, where some legislative measures have been taken to tackle the activity of websites aiming to foster infringement, while at the same time carefully leaving out neutral linking activities.

The Spanish approach

Before Svensson, courts in Spain were wrestling with whether websites providing catalogues of links to pirate content were themselves infringing the public communication right. Many courts – particularly in criminal cases but also in civil ones – found that they were not. Those courts held that while the linking websites greatly facilitate access to the infringing content, such facilitation does not amount to an act of communication.

With that case law in mind, a number of legislative measures were passed, which aimed to strengthen copyright enforcement against such websites. Those reforms neither amended the definition of the public communication right, nor sought to ensure that links constitute acts of “communication to the public,” – which after all is a harmonized concept in EU law. Rather, they sought to allow the enforcement of copyright against those websites and similar bad faith business models even if it turns out that their activity can’t be considered a communication to the public – which would be the case if the CJEU follows the AG’s approach.

In particular, in 2014, a system of indirect liability was introduced for the first time in the Copyright Act (LPI). A new paragraph in art. 138 LPI holds liable those who knowingly induce an infringement; those who, knowing or having reason to know about the infringing conduct, cooperate with it; and those who, having a direct economic interest in the results of the infringement, have the capacity to control the infringer’s conduct. The provision expressly states that this will not affect the e-Commerce intermediary safe harbours, as long as their conditions are met.

The same 2014 reform modified the legal regime of the Second Section of the Intellectual Property Commission (aka Sinde-Wert Commission), an administrative enforcement body created in 2011, which limits its scope of action to information society service providers. The 2014 reform decided that the Commission’s activity should focus on the big copyright infringers. Hence, in order to decide whether or not to initiate a case, the Commission will consider the audience share of the service in Spain, the number of apparently unauthorized works and performances which can be accessed from the service, and its business model. In addition, the relevant provision states that the Commission will act against providers that infringe copyright in the said way (thus considering their audience share, number of works, or business model) “by facilitating the description or the location of works and performances apparently offered without authorization, carrying out to that end an active and non neutral task, without limiting themselves to activities of mere technical intermediation. In particular, those who offer arranged and classified lists of links to those works and performances, regardless of whether the said links might have been initially provided by the recipients of the service.”[1]

In 2015, two relevant changes were made to the Criminal Code. Before the reform, the conduct for the basic copyright criminal offence (art. 270.1) consisted of reproducing, plagiarizing, distributing, or communicating to the public, wholly or in part, a protected subject matter without authorization (when carried out for profit and to the prejudice of a third party). The reform added the language “or in any other way economically exploiting” the protected work or performance. In addition, the “for profit” element is now the intent to obtain an economic benefit “directly or indirectly”.

On the other hand, in addition to this basic conduct, the reform of the Criminal Code added a specific offence (art. 270.2) which refers to “the one who, when providing information society services, with the aim of obtaining a direct or indirect economic benefit, and to the prejudice of a third party, facilitates in an active and non neutral way, without limiting himself to a merely technical processing, the access to, or the location on the internet of, works or performances subject to copyright without the authorization of the holders of the corresponding rights or their assignees, in particular by offering arranged and classified lists of links to the works and contents referred above, even if the said links had been initially provided by the recipients of their services.”

This is an autonomous offence, which does not require the conduct to fall under the notion of communication to the public. The preamble to the Law that introduces this new felony notes that it leaves out the case of “those who carry out activities of mere technical intermediation, such as, for instance, a neutral activity of a search engine, or those merely providing occasionally links to those contents.”

We will see how these reforms will play out in practice. In any event, this legislative approach aims at ensuring that even if the CJEU finds that linking to freely available infringing content does not amount to a communication to the public, the activity of those bad-actor websites will give rise to administrative injunctions, secondary civil liability, and even criminal liability as the case may be.


[1] The legislator envisioned that this activity would constitute in any event a violation of the “general exploitation right” which Spanish law confers to rights holders. Nonetheless, it could always be considered a form of secondary liability under the new wording of Art. 138.

Clash between different chambers of the Spanish Supreme Court on the right to be forgotten.

April 11, 2016

The right to be forgotten – which can be best described as a right to be delisted – was recognized by the CJEU on the assumption that the search engine operator, Google Inc., is a data controller of the personal data included in the search results.

However, is the local subsidiary of Google Inc., Google Spain SL, also a data controller? The answer to this question is by no means irrelevant. After the 2014 CJEU judgment, the Audiencia Nacional (AN)—the court that made the reference for a preliminary judgment—handed down 60+ rulings upholding DPA delisting orders that had been appealed before it. All of them, with the only exception of the Costeja case itself, were directed exclusively against Google Spain SL, not against Google Inc. Now, if Google Spain SL is not a data controller, all those rulings, along with the original DPA decisions they affirm, could be declared void by the Supreme Court for lack of standing of the defendant.

And that’s exactly what happened last month. The 60+ AN rulings had been appealed by Google Spain SL before the Supreme Court claiming lack of standing. And the Supreme Court agreed, handing down five rulings holding that Google Spain SL is not a controller and declaring the DPA decisions null and void. Similar rulings in the remaining cases are expected to follow soon.

(It must be noted that this refers to old decisions of the DPA. Since August 2014, the DPA no longer directs its decisions against Google Spain, but against Google Inc., and thus no problem of lack of standing should appear).

That came as a big surprise for many. But the news didn’t end there. There was another RTBF ruling appealed by Google Spain SL before the Supreme Court. Unlike all the others, this one was not an appeal against a decision issued by the DPA and further upheld by the AN. Rather it was an appeal against a ruling issued by the Barcelona Court of Appeals in a civil lawsuit sentencing Google Spain SL to pay 8,000 Euros in moral damages for failing to delist a link.

There is a crucial difference. The DPA is an administrative body, and thus the appeals against its decisions are ultimately decided by the Administrative Chamber of the Supreme Court (Third Chamber), whereas appeals in civil lawsuits correspond to the Civil Chamber of the Supreme Court (First Chamber).

Only a few days after the Administrative Chamber of the Supreme Court issued the said five rulings, the Civil Chamber ruled on the civil appeal. In essence, the ruling held that Google Spain is in fact a controller, no matter what the other Chamber may say. The case was decided by the Civil Chamber in full, which attaches more relevance to the judgment.

So now we have the following puzzle regarding the local subsidiary: the DPA can’t order Google Spain SL to delist a link – such a decision would be immediately voided on appeal. However, if a data subject requests Google Spain SL to delist a link and this company rejects the request, that individual might bring a civil action for damages against Google Spain SL and this company could not claim lack of standing.

How could the two Chambers of the Supreme Court come to such a diverging conclusion?

Under the Data Protection Directive, a controller is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.” The Administrative Chamber of the Supreme Court noted that being a controller thus hinges on the actual intervention in the determination of purposes and means of the processing. The processing at issue, as described by the CJEU [¶ 28], consisted of a number of activities carried out by the operator of a search engine “in exploring the internet automatically, constantly and systematically in search of the information which is published there”, namely “the operator of a search engine ‘collects’ such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results.” The operator of the search engine, who carries out those activities, is Google Inc., and the AN remarked that “it has not been established that Google Spain carries out in Spain an activity directly linked to the indexing or storage of information or data contained on third parties’ websites.” [¶ 46]

The Administrative Chamber of the SC held that for Google Spain SL to be considered a joint controller, it must participate in the determination of the means and purposes of the processing, and this was not demonstrated in any way in the procedure. In addition, it stressed that the CJEU clearly assumed that the processing was carried out only by Google Inc. The CJEU’s conclusion that the activities of both entities were ‘inextricably linked’ was only to the effect of finding that Google Inc.’s processing was carried out ‘in the context of the activities’ of Google Spain SL, which entails that the Data Protection Directive is applicable to Google Inc. All the discussion about the territorial application would have been unnecessary if Google Spain had been considered a controller of the processing carried out by the search engine.

On the other hand, the Civil Chamber did not directly discuss the arguments of the Administrative Chamber—it simply noted that their decisions are not binding for the Civil Chamber. The Civil Chamber holds that the CJEU supports the finding that Google Spain is also a controller. It admits that the CJEU did not seek to determine whether this company was a controller. However, the Civil Chamber believes that the CJEU ruling provides enough elements to come to this conclusion, as that ruling (i) refers to the broad definition of the concept of controller in the Directive; (ii) finds that the operation of the search engine by Google Inc. is inextricably linked with Google Spain’s marketing activities; and (iii) holds that Google Inc.’s processing is carried out ‘in the context of the activities’ of Google Spain SL. According to the SC Civil Chamber:

“Google Spain may also be considered, in a broad sense, controller of the processing carried out by the search engine Google Search in its Spanish version (, jointly with its parent company Google Inc.”.

It added that holding otherwise would frustrate in practice the aim of “ensuring effective and complete protection” of the rights to privacy and data protection sought by the Directive and the EU Charter of Fundamental Rights, as data subjects would need to litigate with a company located in the US, which might entail huge costs. The Civil Chamber argues that it would be inconsistent to give the Directive a very broad territorial scope and then frustrate in practice this protection by obliging the data subject to litigate against a company located in the US, with the costs and delays attached to this.

Of course, though, this does not seem to comport with practical experience in Europe, where Google Inc. is delisting results by the thousands. Further, one may wonder what the situation would be should Google Inc. decide to dispense with its local subsidiary and simply work with a local establishment without legal personality.

Whatever you may think about considering the local subsidiary a controller, this radical disparity of conclusions within the Supreme Court looks far from desirable.

Trademarks as Keywords: Spanish Supreme Court finds no infringement

March 6, 2016

[Cross posted on the Stanford CIS Blog]

The Spanish Supreme Court (TS) has recently ruled on the legality of using someone else’s trademark as a keyword to trigger sponsored ads in Google Adwords. The case is Maherlo v Charlet (pdf, in Spanish).

The claimant, Maherlo Ibérica S.L., commercializes elevator shoes for men—shoes with raised insoles that make people look taller. It owns two Community Trade Marks which bear the words “Masaltos” and “” The defendant, Charlet S.A.M., is also in the business of selling elevator shoes, under a different trademark—Bertulli. The defendant selected the trademarked words “Masaltos” and “” to trigger ads in Google Adwords. The text of the ads, however, did not include those words. The commercial link in the ads pointed to the defendant’s website, where the plaintiff’s trademarks were not used, either.

Both the first instance court and the court of appeals (pdf, in Spanish) found that such a use was not a trademark infringement. In its ruling, the Supreme Court affirms.

Just like the court of appeals, the Supreme Court follows the case law from the EU Court of Justice (CJEU), particularly the well known cases Google France (2010) and Interflora (2011). In Interflora the CJEU held that

the proprietor of a trade mark is entitled to prevent a competitor from advertising – on the basis of a keyword which is identical with the trade mark and which has been selected in an internet referencing service by the competitor without the proprietor’s consent – goods or services identical with those for which that mark is registered, where that use is liable to have an adverse effect on one of the functions of the trade mark. Such use:

–      adversely affects the trade mark’s function of indicating origin where the advertising displayed on the basis of that keyword does not enable reasonably well-informed and reasonably observant internet users, or enables them only with difficulty, to ascertain whether the goods or services concerned by the advertisement originate from the proprietor of the trade mark or an undertaking economically linked to that proprietor or, on the contrary, originate from a third party;

–      does not adversely affect, in the context of an internet referencing service having the characteristics of the service at issue in the main proceedings, the trade mark’s advertising function; and

–      adversely affects the trade mark’s investment function if it substantially interferes with the proprietor’s use of its trade mark to acquire or preserve a reputation capable of attracting consumers and retaining their loyalty.

The assessment of the facts corresponds to national courts. Therefore, the CJEU case law does not prevent the finding by a national court that, in a particular case, the challenged use of the trademark adversely affects a trademark function. In fact, the Interflora case was finally decided in favor of the plaintiff by the national UK judge, finding that there was a likelihood of confusion.

In Maherlo v Charlet, the Spanish Supreme Court upholds the lower court’s ruling that the use at issue was not liable to have an adverse effect on any of the functions of the trademark. In particular, the TS upholds the conclusion that there was no risk of confusion or association (and thus no adverse effect to the origin function) because the text of the ad did not include the claimant’s trademarks. The plaintiff had argued that 63 internet users, out of 5,051 who googled the trademarked words, eventually purchased goods from the defendant. According to the claimant, this would indicate that they were misled into thinking that they were buying the goods from the plaintiff. The court of appeals rejected that contention, and noted that the absence of the trademark in the text of the ads clearly showed to the users that the advertiser was in fact a competitor, and thus the origin function was not jeopardized.

While there have been a number of rulings dealing with the use of trademarks as keywords by first instance courts and courts of appeals in Spain, this is the first time the Supreme Court tackles the issue. It must be noted that the same plaintiff has also sued other merchants on these issues, and lower courts have sometimes granted its claims, though on somewhat different factual situations.


No more right-to-be-forgotten for Mr. Costeja, says Spanish Data Protection Authority

October 11, 2015

[Cross posted to the Center for Internet and Society at Stanford Law School]

The man who won the right-to-be-forgotten case in the Court of Justice of the European Union (CJEU) has now been denied the right to suppress links to comments about that case by the Spanish Data Protection Authority (DPA). Given the relevance of the CJEU’s ruling, comments discussing the case and the facts behind it must be considered of public interest, according to the DPA’s decision.

Since the CJEU handed down its landmark ruling in May 2014 – and even before that – the circumstances of the case were widely publicized in the media. The irony was immediately apparent. While the claimant sought to have some old unpleasant information forgotten – and he actually succeeded in having the links to it delisted – all the details ended up being brought to the public eye. He even gave numerous interviews, sometimes being depicted in the media as the man who won the battle against Google.

Of course, some negative comments were also published. Eventually, Mr. Costeja requested Google to delist one of those, which Google rejected. He then addressed himself to the Spanish DPA, which in its recent decision dismisses the claim.

In the case before the CJEU, Mr. Costeja had complained that Google showed links to obsolete information available in a newspaper’s digital archive – a 1998 notice of real estate auction following attachment procedures for the recovery of Social Security debts. The CJEU found that individuals may request the delisting of links showing up in searches for their name pointing to information which is “inadequate, irrelevant, no longer relevant or excessive”. Nonetheless, the CJEU noted that such a right does not apply where there is a preponderant right of the public in accessing the information – for instance when the claimant has a role in public life.

Now the DPA finds that there is indeed a preponderant interest of the public in the comments about the famous case that gave rise to the CJEU judgment of May 13, 2014 – and expressly recalls that the claimant himself went public about the details.

While the decision does not mention the particular piece of information the claimant was complaining of, it may in all probability be a blog post titled “The unforgettable story of the seizure to the defaulter Mario Costeja González that happened in 1998”, available both in English and Spanish, which is currently the first result in a search for the claimant’s name. In his claim before the DPA, Mr. Costeja complained that the content was also defamatory. However, the DPA answers that claims for defamation must be brought before the civil courts, not before the DPA.

All in all – as it was easy to anticipate from the beginning – this seminal right-to-be-forgotten case appears to have ended up in a big Streisand effect.

Spain: The Right to Be Forgotten Does Not Apply to Blogger

March 5, 2015

Note: Cross posted to the Center for Internet and Society at Stanford Law School

In a recently reported ruling, the Spanish National High Court held that Google is not responsible for the processing of personal data on a blog hosted on Google-owned Blogger, and therefore that the so-called “right to be forgotten” established by the Court of Justice of the European Union (CJEU) in the Google Spain case does not extend to a blogging platform.

The ruling reverses a decision issued by the Spanish Data Protection Authority (DPA) which had ordered Google to remove personally identifiable information from a blog hosted on Blogger. The claimant was a Spanish citizen who found that when typing his name on Google Search, the results included a link to a blog with information about a crime he had committed many years ago. While the official criminal records had already been cancelled, the information was thus still findable on the internet.

On the one hand, the DPA ordered Google to remove the information from its search engine. This was upheld by the National High Court, albeit ordering more precisely that Google remove the link from the search results – thus applying the criteria set out by the CJEU in Google Spain.

On the other hand, the DPA considered Google, as the owner of the blogging platform, to be the “controller” of the processing. Interestingly, the DPA found that while Google was not liable for the content of the blog, as it was shielded by the hosting safe harbor, the DPA has the power to order Google to remove the information from the blog.

The National High Court reversed that and held that the party responsible for the processing is not Google but the blog owner. It further held that the DPA cannot order Google to remove the content within a procedure for the protection of the data subject’s right to erasure and to object.

Arguably, under the rationale that the platform is not the controller of the processing, other user generated content sites such as YouTube or social networking sites might also fall outside the scope of the right to be forgotten.

Spanish Court rules that links to infringing content are copyright infringements

December 19, 2014

In a recent ruling (PDF), a Spanish appellate court (Audiencia Nacional) has upheld the decision of the Spanish agency for the administrative enforcement of copyright — the Intellectual Property Commission (IPC).

The IPC had ordered that a torrent linking website (elitetorrent) remove some of its torrent links to protected works.

This is the first case where the Audiencia Nacional deals with an appeal against an order issued by the IPC and tackles the substance of the legal question at issue, i.e., whether the challenged links constituted a copyright infringement.

It concludes that the links were indeed a copyright infringement, and thus rejects the appeal brought by the webmaster.

The ruling holds that a link to non-authorized content amounts to an act of making available, and thus requires the authorization of the rights holder. The court reaches this conclusion on the basis of the CJEU judgment in Svensson. There, the CJEU held that a link constitutes an act of communication to “a public”, although it does not need to be authorized where it points to a work which the right holders had made freely available on the Internet, as in that case the link does not target a “new public”, different than that already taken into account by the rights holders when they authorized the initial communication.

The Spanish Audiencia Nacional states that the Svensson criteria fully apply to the case at issue and concludes that the linking website carried out an act of communication to the public which did require the right holders’ authorization, as they “had not authorized the exploitation free of restrictions of their work on the Internet”.

Text of the ruling (in Spanish) available here (PDF).

Right to Be Forgotten: Google Sentenced to Pay Damages in Spain

December 17, 2014

(Cross posted to the Stanford’s Center for Internet & Society Blog)

The CJEU judgment on the right to be forgotten, Google Spain v. Mario Costeja, hit the search engine on an unexpected front – damages. On the basis of the CJEU’s judgment, the Barcelona Court of Appeals ordered Google to pay damages to an individual who, like Costeja, sought the removal of links to some old, damaging information from the search results.

In 1981, the plaintiff of this case was criminally charged for violating “public health” regulations. He was finally convicted by the Spanish Supreme Court in 1990. Nine years later, he was granted pardon. The Royal Decree granting this pardon was subsequently published in the Boletín Oficial del Estado (Official Gazette), as is required by the law. When typing plaintiff’s name in Google, links to the Official Gazette would appear, thus revealing that this person had committed a crime about thirty years ago.

In 2009, he filed a complaint against Google Spain SL before the Spanish Data Protection Authority (DPA). The DPA ordered Google Spain SL to adopt the measures necessary to withdraw the data from its index and to prevent access to the data in the future. Like in many other similar cases – including Costeja’s case – Google appealed this decision to the Audiencia Nacional, where it is still pending.

On March 22, 2011, long before the CJEU rendered the Google Spain ruling, the plaintiff also brought a civil lawsuit asking for damages. This is the case now decided by the Barcelona Court of Appeals. The complaint asked for the removal of the links, and for damages. However, at an initial stage of the proceedings, the plaintiff acknowledged that the contested links had already been removed, and thus only the claim for damages survived in the lawsuit.

Initially, the first instance court rejected the complaint, and the plaintiff appealed. On July 17, 2014 (albeit only recently reported), the court of appeals handed down its ruling granting the plaintiff’s claim and awarding damages, although dramatically reducing the exaggerated amount demanded. The court relied heavily on the CJEU Google Spain judgment and held that Google infringed the subject’s data protection rights by failing to remove the links when requested to do so. The plaintiff was awarded moral damages for the period of time the links were accessible.

The Data Protection Directive (95/46) orders Member States to “provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.” This provision was transposed into art. 19 of the Spanish Data Protection Law, which is the basis for the complaint.

Google successfully claimed that the safe harbor for search engines (art. 17 of the Law on Information Society Services) applied to it. However, according to the court, Google lost the safe harbor when it obtained the actual knowledge of the offending links, at the time it knew about the DPA decision. While this claim for damages is independent from any administrative proceeding, the court came to the conclusion that Google was liable from the moment it was notified about the DPA decision, and up to the moment the links were removed – a time span of about ten months.

As noted, the defendant in this case was not Google Inc., but its Spanish subsidiary, Google Spain SL – along with some other entities. The court rejected the defendant’s contention that because the search engine is operated by Google Inc. – a different entity – Google Spain SL cannot be held liable.

The text of the ruling, which has been appealed before the Supreme Court, is available here (in Spanish). Please note that the names of individual parties are anonymized.