DMCA Compliance Becomes a Serious Obligation for ISPs

February 15, 2018

With a virtual stroke of the pen on 1st February, 2018, the U.S. Court of Appeals for the Fourth Circuit brought a new reality to the world of Internet Service Providers. In the watershed 37-page decision in the BMG Rights Management v. Cox Communications case, the court held that providers of internet access can indeed be held “contributorily liable” for infringement of copyrights by their service subscribers. And with Cox facing a judgment of $25 million, the obligations were indeed real and the consequence of ignoring them was severe.

In some ways, the BMG v. Cox decision mirrored another compliance obligation case from twelve years ago, where the Court of Appeals for the DC Circuit in American Council on Education v. FCC held that ISPs are required to support CALEA law enforcement assistance compliance obligations and provided for “safe harbor” means of meeting the obligations that included outsourcing required capabilities to a Trusted Third Party.

It is not well known, but the DC Circuit case was also the basis for the FCC adding two additional ISP compliance obligations. First was the 2012 imposition of outage reporting requirements on ISPs providing interconnected VoIP service via the FCC’s NORS (Network Outage Reporting System), which went into force. Second is the extension of the outage reporting requirements on ISPs to cover all broadband internet access service (BIAS) disruptions above a threshold value, initially proposed in 2015 and intended to enhance the reliability of the nation’s 9-1-1 system. That proceeding – FCC Docket 15-39 – remains open and undecided today.

The BMG v. Cox case proceeded under the Digital Millennium Copyright Act (DMCA), which proscribed the unauthorized distribution of copyrighted material via the internet and, like CALEA, provided a “safe harbor” mechanism for meeting the obligations. What was at issue in the case was whether or not Cox’s chosen safe harbor mechanism was sufficient… It was clearly not.

What Cox had done was to create only a very limited automated system to process notices of alleged infringement received from copyright owners. Cox’s automated system rested on a thirteen-strike policy that determined the action to be taken based on how many notices Cox had previously received regarding copyright infringements by a particular subscriber. Up until the tenth notice, notices and access limits were imposed. At the tenth to twelfth notice level, service was suspended but could be reactivated. At the thirteenth, the subscriber was considered for termination; but even if they were terminated, the service could be reactivated after six months. The thirteen-strike approach also had various throttles as to how fast it could be implemented as well as constraints on the available actions of the copyright holder, including blacklisting them.

The court noted that to fall within the DMCA 17 U.S.C. § 512(a) safe harbor, a provider must show that it meets the threshold requirement, common to all § 512 safe harbors, that it has “adopted and reasonably implemented . . . a policy that provides for the termination in appropriate circumstances of subscribers . . . who are repeat infringers.” Cox’s principal contention was that “repeat infringers” means adjudicated repeat infringers: people who have been held liable by a court for multiple instances of copyright infringement. However, as noted by the court, the usual definition of the term “repeat infringer” is one who infringes a copyright more than once. The facts also showed that the number of actual terminations for copyright infringement declined significantly, notwithstanding the large numbers of warnings and temporary suspensions, and that the blacklisting of the copyright notice agent resulted in millions of infringement notices being rejected. As a result, the court held that “Cox failed to qualify for the DMCA safe harbor because it failed to implement its policy in any consistent or meaningful way — leaving it essentially with no policy.”

The court, however, found that the lower court erred in its instructions to the jury, and remanded the case for retrial. The holding of the Fourth Circuit was “that proving contributory infringement requires proof of at least willful blindness; negligence is insufficient.” The court noted that it was “persuaded that the Global-Tech rule developed in the patent law context, which held that contributory liability can be based on willful blindness but not on recklessness or negligence, is a sensible one in the copyright context.”

The significance of the case was reflected in the numerous subsequent legal blog posts. For example, the prominent communications law firm Wiley Rein notes that “ISPs should consider reviewing implementation of their repeat infringer policies now to ensure they are consistent with the Fourth Circuit’s opinion…[and] should evaluate whether their policies are properly crafted using the ‘flexibility’ afforded to service providers and ensure that their policies include criteria to apply when determining when termination is appropriate.” A Hollywood reporter put the basics in the headline “ISPs Don’t Get Copyright Shield Without Enforcement of Meaningful Repeat Infringer Policy.”

The Register in the UK quotes a law firm that opines that “in order for contributory liability to attach, copyright owners will arguably need to meet a higher threshold. They will have to establish that the ISP knew about the infringement or was willfully blind to it…that could make contributory liability claims against ISPs a bit more difficult to establish as a factual matter.”

TorrentFreak notes to its base that “this means that, while Cox gets a new trial, it is still at a severe disadvantage…and…the Court of Appeals interpretation of the repeat infringer question is also a clear signal to other Internet service providers to disconnect pirates based on repeated copyright holder complaints.”

Stanford’s more liberal blog posting suggests that “importantly for future cases involving section 512(i)’s repeat infringer requirement, the Fourth Circuit in this case had nothing negative to say about the liberality of Cox’s thirteen-strike policy…[and] that the court was ‘mindful’ of the need to afford ISPs flexibility in crafting repeat infringer policies.” It also suggests that the decision’s “focus on implementation rather than policy design gives this case fairly limited reach.”

The IP Kitten blog notes on retrial, “As a result, the case will see a new trial in which, very likely, the jury will have to evaluate whether Cox knew of specific instances of infringement or was willfully blind to such instances.” However, “this Kat believes it is quite likely that the jury will answer this question in the affirmative, due to the fact that Cox prevented itself from receiving any of the nearly two million notices that Rightscorp, Inc. sent on BMG’s behalf.”

It is worth noting that use of a good system, like Yaana Technologies’ Request Management System (RMS) platform, which is designed for trusted receiving and managing of DMCA infringement requests and takedown actions, helps alleviate the headaches faced by Cox. Outsourcing the support to a well-established trusted third party such as Yaana, which has had many years of experience in developing the standards and implementing compliance obligation requests under legal systems in the US, Europe, and around the world, can also be very cost effective.