This interview was conducted in January 2021 by Lars Steffen, eco’s Project Manager Domains, with Volker Greimann, Chief Legal Officer and General Counsel at Key-Systems, a member of CentralNIC Group and an ICANN-accredited registrar. The core business of Key-Systems is the registration of Internet addresses. At present, Key-Systems manages more than 4 million domains on behalf of their customers. Key-Systems’ business areas include the retail customer portal domaindiscount24, the corporate domain portal BrandShelter, and the reseller portal RRPproxy. Since 2013, they have been engaged in legal proceedings related to what in Germany is called “Stoererhaftung” (translated into English as “interference liability” or, alternately, as “liability as a co-liable partner”).
Volker, can you tell us about the origin and background of the recent German Federal High Court of Justice (BGH) judgement on ‘Stoererhaftung’ (interference liability)?
Let’s start at the very beginning: A customer registered a domain with us via a reseller. Like millions of other domains, this was an additional string on our platform that was registered under .com. Problems only arose when we received a letter from a lawyer from Universal Music GmbH Germany requesting us to take down the domain, due to the fact that copyright-relevant content – including a certain music album – had been published on a website under the domain. We followed up with our normal procedure, which involved forwarding this email to our reseller with a request to inform the relevant customer, and informing the complainant, saying that we assumed that the customer would then resolve it on their part. The matter was thus dealt with from our side.
However, the complainant was not satisfied and after a short back and forth, we received a cease-and-desist notice in which we were requested as a “Stoerer” (a “co-liable party”) to deactivate the domain in question and also to pay the associated lawyer’s fees. We declined to do this and once again informed our customer about the complaint, urging them to take appropriate action.
In the meantime, the reseller also contacted the complainant seeking clarity and including a request to also formulate the concern in English in order for it to be forwarded to their end customer. This effectively meant that our customer action. In response, however, the complainant’s lawyer issued a terse response stating that their dispute was with us – Key-Systems GmbH – and that the customer should abstain from involvement.
As we did not accept the interference liability, we declined to sign the cease-and-desist notice. The result was that the complainant then applied for an interim injunction, which was granted by the court in Saarbrücken. We appealed against this, lost, but declined to make a final declaration. Our aim was to have the case transferred to principal proceedings. We lost each time before the Saarbrücken Regional Court and in the subsequent appeal before the Saarbrücken Higher Regional Court. However, since we were convinced that our legal opinion was correct, we then went on to the German Federal High Court of Justice (BGH), where we were ultimately successful.
Am I right in saying that, from the outset, it looked like there was little possibility of settling this particular case out of court?
It must be said that such cases are normally always resolved out of court. We receive a complaint, we forward the complaint to our customer, the customer removes the content in question or takes other appropriate action, and that sorts things out. This did not happen in this instance because, as we see it, the complainant refused to either accept this solution or to communicate with the party closer to the domain holder. Afterwards, we also learnt that the domain holder claimed they could not respond because they were on holiday at the time and could not read their emails. In this respect, it would always be a challenge for us as a registrar to take measures to rectify the complaint on the part of the complainant. We do not host the content and we cannot remove or access content from servers if it is hosted elsewhere.
Ultimately, the only step available to us – which really has to be the last resort – is to shut down a domain, which leaves the website online, albeit unreachable through the domain. Shutting down a domain with hundreds of thousands of pieces of content due to a single piece is something we have difficulty with, given that it generally would entail overblocking and removal of legitimate access to other content. Of course, if the entire website is used purely for illegal activities, then we don’t regard it as such an issue. We are also happy to shut down a site if, for example, we receive a tip from the police about content that is relevant to criminal law. Then we make short shrift of it, and the domain is taken offline from one moment to the next.
But especially when it comes to infringements, it is relatively difficult for us to judge whether it is a legitimate use of content. It’s the problem related to a “customer of a customer” who has uploaded something that just needs to be removed. In this respect, we work on the principle that our customers have the primary duty to remove such content and that we only have to intervene as a last resort, which we try to avoid. And in 99 percent of the cases, that’s what happens.
As such, we proceeded with the expectation that this problem would also be solved in this way: that we would tell the complainant who to contact – in this case, a hosting provider and a domain holder that we identify for the complainant – and that they could contact these two parties directly and get back to us if they failed to make progress with them. But instead, the complainant here was insistent that they did not need to contact these parties, claiming that Key-Systems was also a co-liable party and they could choose the party against whom they wanted to take action. The BGH has now clearly rejected this stance.
In order for non-lawyers to understand that this case not only has a time dimension, but also involved significant work, here’s a question worth asking: How many cases were there between the first trial and the BGH?
To cover the time dimension first: The first letter from the complainant was issued in mid-2013 and the BGH ruling was made at the end of 2020. And the case is still not quite over, given that the BGH has referred it back to the Higher Regional Court of Saarbrücken with the request to observe the correct legal interpretation. Which means that we’ve been working on the case for seven years now.
To turn to the number of cases: It started with the initial injunction, followed by us contesting the injunction and filing an appeal. There also was an attempt at an interim injunction for another domain registered by the same registrant, where the complainant simply wanted to enforce an administrative fine, but they dropped that after realizing there was no way to win that. That was then step two. Next came the principal proceedings of the first case before the Regional Court, and the appeal before the Higher Regional Court, with the Higher Regional Court disallowing a further appeal. Therefore, in the next step, we had to file an admissibility complaint before the BGH, which was fortunately granted, and thus the principal proceedings ultimately came before the BGH which overturned the previous decision and referred the matter back to the Higher Regional Court. Now the final proceedings before the Higher Regional Court are still pending. It really has kept us busy.
What made you persevere all the way to the BGH? Have you weighed up at some point whether this is worth continuing?
For us, it was pretty clear that we would fight it out to the end, because other registrars in other countries don’t have these problems. It is quite clear that the domain holder is responsible for their content and the registrar only intervenes if it does not comply with their terms of business and use. This can be seen, for example, in the USA right now, where certain sites have been shut down because the content is not compatible with the conditions of the respective providers – but not because there is a legal obligation to do so. Here, with this case an attempt was made in Germany to construct a legal duty for the registrar to take action instead of contacting the domain holder, and to do so by a rather harsh means, namely the disconnection of the domain.
It was clear to us that this could not continue – also on the basis of the case law on the liability of access providers that already existed at that time, which also acknowledges a mere intermediary function between the person who calls up the content and the person who provides the content. This view is also supported by the incoming EU NIS2 directive which sees registries and registrars as mere intermediaries. Therefore, it was quite clear to us that we would get justice, at the latest, from the BGH. It’s a pity that this was not possible in Saarbrücken, but you have to have staying power.
On the question of whether it’s been worth it? Yes. We thought long and hard about whether to take this step, whether to challenge the case in court at all. But what paid off was our element of tenacity and the view that we would also be putting ourselves at a certain competitive disadvantage and significant liability risks if we accepted liability. Just imagine if all registrars were forced to disable access to content without a court order just to avoid being sued. All would err on the side of caution and therefore disable more domains than legally required.
You have already indicated that there are other legal bases in other countries. What signal effect will the ruling have in Germany, at EU level, and perhaps also at international level?
I see the signal effect very positively. I think that once the ruling has been propagated to a certain extent, it will be clear for Germany at what point the registrar is obliged to take action. Absolutely no-one disputes that we have a certain duty to take action in Germany. But this boils down to the question of what the correct timing is and which steps the complainant must take before they can turn to the registrar, who is – as has now been established – only subsidiarily liable for the infringement: that is a very important result for us. It was quite noticeable that after the first two rulings, these were referred to by a great many complainants, often in complete disregard of the factual situation that existed at the time. This caused more work, as one always had to explain why the ruling was not relevant and that the decision was not yet final. We now can assume that a complainant knows exactly what their next steps are and whom to contact.
Nonetheless, in many cases, we’re still likely to be the first point of contact because most complainants do not even know who the domain holder is or who the hosting provider is. And this is information that we are happy to provide if there is evidence of legitimate interest (and disclosure is legally possible) under the General Data Protection Regulation (GDPR). Then the complainants have an address to turn to and we assume that this will be settled between the two parties as it should be. If, contrary to expectations, this does not happen, we can always discuss with the complainant how to proceed. I also assume that we will now move away from an antagonistic positioning between the complainant and ourselves and move towards a cooperative communication: that we will jointly consider how to remedy the matter. Because ultimately, we too have no interest in our services being abused.
You just mentioned the GDPR, which has been enacted in the European Union. On the same level, the Digital Services Act is now just around the corner. Will this have an impact on such cases from your point of view?
I don’t think so. First, of course, we have to see what the final outcome will be. But as far as the registrar’s obligations on content are concerned, I have no worries that anything will now change in this regard. I have found a few references that go more in the direction of providing information, but which we already fulfil in any case. Ultimately, this means that we need to provide complainants with the information they need in order to take action against the right party. This may not be quite the case in other countries and with other registrars. But we are usually always ready to go the extra step and say: “Here, this is what you need and this is the information you need. And now you know who to turn to.”
You mentioned at the beginning that the complainant took the liberty of who to complain to. Was this perhaps been done out of ignorance of what the DNS is, how it works and how the market participants in this industry interrelate and cooperate with each other?
No, I don’t think so. The complainant was represented by a lawyer who is familiar with the matter. The complainant is an internationally active company, Universal Music, who chose to take action against a German registrar with its own German branch. The domain holder is based abroad, the hosting provider is based in the Netherlands, Universal Music is based in the USA. The artist whose album was allegedly made available for download on the website in question is based in the USA. That is, one could just as easily have enforced their rights against the domain holder in a US court in rem (which is common practice), or against the hosting provider in a Dutch court with the Dutch offshoot of the company. Here, the registrar was specifically targeted in order to construct registrar liability and ultimately also to create a precedent.
Did you always have the feeling that the Court had a complete understanding of the subject matter?
That’s hard to say. I trust that the judges certainly engaged with the subject matter, even if it’s clear that they do not get to deal with it on a daily basis. But we also took a lot of trouble to really explain everything in great detail in our briefs: how this industry and the processes are connected, what the responsibilities are, and who does what.
What can we as the eco Association and other organisations do to create more understanding of the connections?
That’s a good question. We sometimes felt a little lost. We were the only ones who had to fight such a court case and the rest of the industry watched what happened, even though the case was important for everyone who works in this industry in Germany and the precedent would have affected everyone. Therefore, it would be very helpful if the defence in such cases could perhaps be better coordinated in the future. Here I’m not thinking so much of money, but rather of the exchange between the industry sectors, between the different legal departments, that one supports each other with ideas, with expertise and with possible arguments.
If we work more closely together here and pool our knowledge, we can undertake some joint lobbying. This could also involve jointly published articles that explain what the responsibilities should be based on our legal position. This would allow us to create some basic understanding in the legal community of what our role as a registrar actually is and while we are all competitors, we do have a common interest in legal stability and certainty.
Is there anything else you would like to mention about the case?
I’m glad that things are finally drawing to a satisfactory close and that this decision clarifies responsibilities. From our point of view, it’s important that we have legal certainty when we offer services to domain holders and carry out registrations as a registrar. It’s important to also be clear that you can do this business in Germany without exposing yourself to undue legal risk. Otherwise, you’d end up getting written notices for things you can’t do anything about. What’s also important is to take the risk of overblocking into account and to recognise that deactivation of a domain name can only ever be a last resort measure when all other means have been exhausted. Against this background, I am very glad that the BGH has taken up the matter here, has shown a good understanding of the circumstances, and has also ruled accordingly.