Our law firm is often asked by clients, and potential clients, whether they should designate a DMCA agent for their site, and how to go about doing so. While that is an important first question to ask, particularly for any site that contains material provided by third parties, it is only the beginning of a somewhat complicated analysis leading to a determination of whether a particular website can avail itself of the “safe harbor” protections against copyright infringement claims, as provided by federal law. Regardless of the geographic location of the website involved, compliance with U.S. DMCA safe harbor obligations is becoming essential for global online service providers.
The development of the DMCA. In 1998, in an attempt to curtail copyright infringement occurring via the Internet and harmonize international law, Congress passed the Digital Millennium Copyright Act (DMCA).1 One of the most controversial and litigated elements of the DMCA is its “safe harbor” protection for “service providers.” Copyright holders tend to hate it, while website operators that allow posting of third party content view it as essential to survival of their business model. Given the recent wave of copyright infringement litigation being asserted against tube sites and other service providers, DMCA safe harbor is becoming an essential tool for website operators.
The DMCA’s safe harbor provisions allow certain online service providers (“OSPs”) who comply with specified statutory prerequisites to take advantage of significant limitations on monetary liability for copyright claims based on material posted by third party users on the service provider’s network. Simple enough, right? Post some legal-sounding takedown policies, file some forms, and you’re good to go. Not exactly. There are several important requirements, and even preconditions to those requirements, that an OSP must fulfill in order to even be considered for safe harbor protections. The following is a roadmap of sorts, designed to inform service providers of the hazards in navigating one of the Web’s most crucial and complicated pieces of legislation. However, this article is no substitute for legal advice, and if anything referenced in this post appears to affect your operation, a talk with your lawyer about DMCA issues is in order.
Who is a service provider? Although a seemingly simple question, many providers of online services to end users on the Internet do not realize that the type of service they provide affects their obligations and potential protections under the DMCA. The DMCA defines a “service provider” as an entity offering transmission, routing, or providing connections for digital online communications, between or among points specified by a user, of material of the user’s choosing, without modification to the content of the material as sent or received, or, a provider of online services or network access, or the operator of facilities thereof.2 Given its expansive definition, essentially any entity that provides end users with web space, bandwidth or access to the Internet could be considered a service provider under the DMCA. The types of business models covered by this definition range from ISPs, to online dating sites, to adult tube sites. The statute goes on to identify four categories of conduct that enable an OSP to determine which type of service provider it is under the DMCA:
- Transitory communication systems: Network services that simply provide transitory access to the Internet; this includes basically any broadband Internet provider (i.e. – AT&T and other DSL/cable/satellite Internet access providers);3
- Caching systems: Network services still providing simple conduit access to the Internet, but that also may store or copy transmitted data temporarily;4
- Web hosts: Online services that host content at the direction of a user (i.e. – traditional hosting websites or almost any website/network that contains content uploaded or generated by the network’s users);5 or
- Information location tools: search engines (i.e. – Google)6.
Given the latest cyber litigation “target du jour,” user-generated content (“UGC”) websites, this article will concentrate only on potential limitation of liability for OSPs that host their users’ files (i.e., No. 3 above). The legislative intent behind the file hosting safe harbor provision is to protect OSPs from liability based on the content posted by their users – whether in the form of online dating profiles or comments to a blog piece like this. For example, if UGC sites were responsible for each and every piece of infringing material uploaded by their users to the provider’s network, such liability would likely bring much of today’s Internet traffic to a screeching halt. OSPs that are required to monitor the content and/or conduct of their users would quickly find that the manpower necessary to accomplish that task would eat up any potential revenue to be generated, thus resulting in de facto censorship of an entire venue for online speech.
Acquiring potential safe harbor protection? Notably, the safe harbor from liability is not a blanket grant of protection or immunity from suit. Even with full compliance with all aspects of DMCA safe harbor obligations, an OSP could still get sued by an aggressive plaintiff, and be forced to ‘prove up’ its safe harbor compliance regime. Importantly, an OSP may only qualify for the DMCA’s limitation on liability if it fulfills the threshold conditions of the statute by agreeing to do the following:
- Identify and designate a DMCA agent
- Accommodate technical measures to protect copyrighted works7
- Adopt and implement a repeat infringer policy8
In order to facilitate the notification process required for safe harbor, OSPs must designate the name and contact information of an agent who will be responsible for receiving any infringement notices from copyright owners (i.e., a “DMCA Agent”). Takedown notices sent to the DMCA Agent must include specific elements, but they essentially must state that the OSP’s network contains content that is infringing upon the owners’ intellectual property rights and is therefore on the network illegally. Upon appointing the DMCA Agent, the OSP must file a notice of designation of agent with the U.S. Copyright Office, along with the required fee, effectively providing public notice of the relationship between the OSP and the agent.9 Unfortunately, this is a step that many OSPs tend to forgo, and the failure to properly designate the agency relationship with the Copyright Office may result in total loss of safe harbor protection. The information disclosed to the Copyright Office (i.e., name, address, phone number, and email address) must also be made readily available to the public through the OSP’s service or website.10
The DMCA defines “standard technical measures,” referenced in No. 2 above, as measures used by intellectual property owners to identify or protect their copyrighted works; for example, a watermark embedded on an image. An OSP accommodates, or does not interfere with, standard technical measures so long as it does not disable any such efforts by the copyright owner. Implementation of fingerprinting technology for identifying infringing videos or images may someday be considered a “standard technical measure” as such technology becomes more readily available and used by OSPs such as tube sites.
Another critical element must be met in order for an OSP to claim safe harbor: The OSP must adopt a policy that provides for terminating the accounts of users who repeatedly infringe on another’s copyright under “appropriate circumstances.” This is known in the industry as a “Repeat Infringer Policy” or “RIP.” The OSP must inform its customers of the RIP and “reasonably implement” it as well.11 There are often two sources of confusion that correspond with the RIP requirement: Who is a “repeat infringer” and how do I “reasonably implement” a repeat infringer policy? Unfortunately for OSPs, the DMCA does not provide any guidance to resolve these ambiguities. For example, the statute does not specify whether the repetition requirement for a “repeat infringer” refers to the total number of works infringed, the number of times a single work has been infringed, or the number of times a particular user has been identified as an infringer. Nor does the statute discuss the time span within which the repeat infringements are to be calculated. Further, the DMCA does not identify particular actions that can be taken by an OSP to satisfy the statute’s requirement that it “reasonably implement” the RIP.
Ultimately, it is up to the OSP to decide exactly how it wishes to implement its RIP. Each business model may require its own type of RIP considerations, and there is no “magic number” of infringements that must result in termination of a user. Because of this lack of clarity in the statutory language, it has only been through OSPs being sued, and legal decisions being issued, that the public has gained some insight on the proper protocol in implementing an RIP. While no court has definitively described how a legally-compliant RIP should look, courts have discussed the importance of a consistent RIP to overall safe harbor protection.12
It should be noted that the law does not require OSPs to adopt an RIP, or to comply with any of the safe harbor provisions of the DMCA. OSPs can tolerate obvious repeat infringers, but they do so at their own peril. Compliance with DMCA safe harbor provisions is completely optional, but the benefits of compliance cannot be ignored, as a practical matter. Improper implementation of an RIP could result in the total loss of safe harbor protection, rendering OSPs completely vulnerable to traditional copyright claims based on direct, contributory and/or vicarious copyright infringement liability theories. Therefore, DMCA compliance comes down to a business decision – one that can be very important if the OSP is ever sued for copyright infringement based on UGC.
Loss of safe harbor protection. Not only must an OSP fulfill the conditions referenced in the above section, but it must also meet the following constant obligations relating to its knowledge of specific infringing materials and its reaction to the knowledge of such materials. The DMCA specifically states that an OSP does not have a duty to monitor its network or actively seek out infringing activity in order to maintain its safe harbor status. However, if the OSP is put on notice of infringement within its network, this then triggers the OSP’s duty to act. An OSP may lose safe harbor protection if it:
- Has actual knowledge of the infringement;13 or,
- Is aware of facts or circumstances from which the infringing activity is apparent;14 and,
- Upon obtaining such knowledge or awareness, does not act expeditiously to remove, or disable access to, the infringing material.15
This means that safe harbor protection is available to OSPs only to the extent that the OSP has not been put on notice of particular infringing activity, or if it has, then it is obligated to remove the infringing content from its network. This also means that if certain “red flags” exist, suggesting rampant copyright infringement is apparent on the site, the OSP has a duty to take appropriate action to protect the copyright owners. Actual knowledge of alleged infringement is satisfied by receipt of a proper notice and takedown request from the copyright owner of the infringed-upon material. The takedown notification must be in writing and must substantially contain the following information:
- The name, address, and electronic signature of the complaining party;16
- Identification of the infringing materials and their Internet location;17
- Identification of the copyrighted works that are being infringed upon;18
- A statement by the owner that it has a good faith belief that there is no legal basis for the use of the materials complained of;19
- A statement of the accuracy of the notice and, under penalty of perjury, that the complaining party is authorized to act on the behalf of the owner.20
So long as the DMCA notice is processed by the OSP, meaning, the notice is acknowledged by removal of the infringing material, it cannot be used as “actual notice” against the OSP in a subsequent secondary infringement claim.21
DMCA notices have become relatively commonplace in today’s online marketplace. Unfortunately, the recent trend has been to abuse the quick and easy content removal system put in place through the DMCA, by competitors seeking to get the upper hand by submitting false infringement reports about competing content. This sort of activity often occurs in the online escort site and online dating site industries. DMCA abuse can be punished by anyone suffering damages as a result, but often identifying the abuser can prove difficult, since the contact information provided in the Notice is often false. The OSP has no obligation to ensure that the contact information in a DMCA notice is valid or accurate – they are merely required to act when they receive a notice containing the necessary elements.
Given the burden on the OSP to remove infringing content the moment it gains actual knowledge of infringement, or constructive knowledge through ‘red flags,’ the statute prevents such knowledge from being used against the OSP so long as it discharges its removal obligations. In other words, the DMCA allows OSPs to remain within the realm of safe harbor protection, even after acquiring knowledge (whether actual or apparent) of infringing content, so long as the OSP “acts expeditiously to remove, or disable access to, the material.”22
Consequences of safe harbor loss. The primary consequence of losing DMCA safe harbor protection is exposure to monetary damages (i.e. – “all damages, costs, attorneys’ fees, and any other form of monetary payment”); however, it is within a court’s discretion to issue injunctive relief against the OSP as well. Such injunctions may mandate any actions that the court considers necessary to prevent subsequent infringement of the material in question.23 Loss of safe harbor protection does not mean that the OSP is automatically responsible for infringing content posted by third parties; it simply means that the OSP cannot assert the safe harbor defense. A copyright claimant would still need to prove the standard elements of copyright infringement before the OSP could be held liable.
In the event that an OSP attempts half-hearted DMCA compliance, whether intentional or not, it may not be able to rely on the statute to come to its rescue if it is ultimately sued for copyright infringement based on infringing UGC on its network. Thus, merely posting the name of a person who has agreed to serve as your DMCA agent on your “contact us” page does not grant an OSP any safe harbor protection. Yet, many OSPs – particularly those located overseas who are not conversant in U.S. legal requirements – tend to assume that listing a DMCA agent constitutes a “magic shield” that will protect them from any U.S. claimants seeking to impose monetary liability for third party generated content.24 As demonstrated above, full DMCA safe harbor protection is much more complicated to achieve.
Conclusion. Although acquiring DMCA safe harbor can be a burden, any compliance regime should be developed in consultation with legal counsel. The benefits of proper DMCA compliance are substantial. Few federal statutes provide a complete release of liability for a category of intellectual property infringement, and thus all OSPs that allow any UGC should strongly consider developing strict DMCA safe harbor compliance policies. DMCA safe harbor is one of the greatest shields provided to OSPs, but like most armor, if it is not properly applied, it can turn the wearer into nothing more than a target.
1 17 U.S.C. § 512 (2010) et seq.
1 17 U.S.C. § 512(k)(1).
2 17 U.S.C. § 512(a).
3 17 U.S.C. § 512(b).
4 17 U.S.C. § 512(c).
5 17 U.S.C. § 512(d).
6 17 U.S.C. § 512(c)(2). Identification occurs by posting information about how to send DMCA notices to the agent on the website (i.e. – via a Notice and Takedown Policy), and Designation occurs by filing a Designation of Agent with the U.S. Copyright Office, and payment of the required fee. See United States Copyright Office website; available at: http://www.copyright.gov/onlinesp/.
7 17 U.S.C. § 512(i)(1)(B).
8 17 U.S.C. § 512(i)(1)(A).
9 See United States Copyright Office website; available at: http://www.copyright.gov/onlinesp.
10 17 U.S.C. § 512(c)(2). This is accomplished through posting a proper Notice and Takedown Policy.
11 17 U.S.C. § 512(i)(1)(A).
12 See Perfect 10, Inc. vs. CCBill LLC, 488 F.3d 1102 (9th Cir. 2007); IO Group Inc. vs. Veoh Networks Inc., 586 F.Supp.2d 1132 (N.D. Cal. 2008)(The DMCA does not define “reasonably implement.” Nonetheless, the 9th U.S. Circuit Court of Appeals has held that a “service provider ‘implements’ a policy if it has a working notification system, a procedure for dealing with DMCA – compliant notifications, and it does not actively prevent copyright owners from collecting information needed to issue such notifications.” CCBill, 488 F.3d at 1109. “The statute permits service providers to implement a variety of procedures, but an implementation is reasonable if, under ‘appropriate circumstances,’ the service provider terminates users who repeatedly or blatantly infringe copyright.” Id.)
13 17 U.S.C. § 512(c)(1)(A)(i).
14 17 U.S.C. § 512(c)(1)(A)(ii).
15 17 U.S.C. § 512(c)(1)(C).
16 17 U.S.C. § 512(c)(3)(A)(i).
17 17 U.S.C. §§ 512(c)(3)(A)(ii-iii).
18 17 U.S.C. § 512(c)(3)(A)(iv).
19 17 U.S.C. § 512(c)(3)(A)(v).
20 17 U.S.C. § 512(c)(3)(A)(vi).
21 17 U.S.C. § 512(c)(1)(A)(iii).
23 17 U.S.C. § 512(j)(1)(iii).
24 Not only is this factually inaccurate, but as discussed above, the DMCA has no applicability to certain claims like trademark or cybersquatting claims, which could still be asserted against OSPs that are in full compliance with the DMCA.