Online Copyright Infringement Liability Limitation Act

The Online Copyright Infringement Liability Limitation Act (OCILLA) is United States federal law that creates a conditional 'safe harbor' for online service providers (OSP) (a group which includes internet service providers (ISP) and other Internet intermediaries) by shielding them for their own acts of direct copyright infringement (when they make unauthorized copies) as well as shielding them from potential secondary liability for the infringing acts of others. OCILLA was passed as a part of the 1998 Digital Millennium Copyright Act (DMCA) and is sometimes referred to as the "Safe Harbor" provision or as "DMCA 512" because it added to Title 17 of the United States Code. By exempting Internet intermediaries from copyright infringement liability provided they follow certain rules, OCILLA attempts to strike a balance between the competing interests of copyright owners and digital users.

The 1998 DMCA was the U.S. implementation of the 1996 WIPO Copyright Treaty (WCT) directive to "maintain a balance between the rights of authors and the larger public interest, particularly education, research and access to information"[1] when updating copyright norms for the digital age. In the context of Internet intermediaries, OCILLA attempts to strike this balance by immunizing OSP's for copyright liability stemming from their own acts of direct copyright infringement (as primary infringers of copyright), as well as from the acts of their users (as secondary infringers of copyright), provided that OSP's comply with two general requirements protecting the rights of authors.

First, the OSP must "adopt and reasonably implement a policy" of addressing and terminating accounts of users who are found to be "repeat infringers."[2] Second, the OSP must accommodate and not interfere with "standard technical measures."[3] "Standard technical measures" are defined as measures that copyright owners use to identify or protect copyrighted works, that have been developed pursuant to a broad consensus of copyright owners and service providers in an open, fair and voluntary multi-industry process, are available to anyone on reasonable nondiscriminatory terms, and do not impose substantial costs or burdens on service providers.

OSPs may qualify for one or more of the Section 512 safe harbors under § 512(a)-(d), for immunity from copyright liability stemming from: transmitting,[4] caching,[5] storing,[6] or linking[7] to infringing material. An OSP who complies with the requirements for a given safe harbor is not liable for money damages, but may still be ordered by a court to perform specific actions such as disabling access to infringing material.

In addition to the two general requirements listed above, all four safe harbors impose additional requirements for immunity. The safe harbor for storage of infringing material under § 512(c) is the most commonly encountered because it immunizes OSPs such as YouTube that might inadvertently host infringing material uploaded by users.

Taken as a whole, OCILLA's passage represented a victory for telecom and Internet related industry groups over powerful copyright interests who had wanted service providers to be held strictly liable for the acts of their users. However, copyright owners also obtained concessions. In addition to the general and specific preconditions on the created immunity, OCILLA requires OSP's seeking an immunity to designate an agent to whom notices of copyright infringement can be sent,[8] and to disclose information about those users who are allegedly infringers.[9]

applies to OSPs that store infringing material. In addition to the two general requirements that OSPs comply with standard technical measures and remove repeat infringers, § 512(c) also requires that the OSP: 1) not receive a financial benefit directly attributable to the infringing activity, 2) not be aware of the presence of infringing material or know any facts or circumstances that would make infringing material apparent, and 3) upon receiving notice from copyright owners or their agents, act expeditiously to remove the purported infringing material.

An OSP must "not receive a financial benefit directly attributable to the infringing activity" to qualify for § 512(c) protection. However, it is not always easy to determine what qualifies as a direct financial benefit under the statute.

One example of an OSP that did receive a direct financial benefit from infringing activity was Napster. In A&M Records, Inc. v. Napster, Inc.,[10] the court held that copyrighted material on Napster's system created a "draw" for customers which resulted in a direct financial benefit because Napster's future revenue was directly dependent on increases in user-base. Conversely, in Ellison v. Robertson,[11] the court held that AOL did not receive a direct financial benefit when a user stored infringing material on its server because the copyrighted work did not "draw" new customers. AOL neither "attracted [nor] retained…[nor] lost…subscriptions" as a result of the infringing material.

To qualify for the § 512(c) safe harbor, the OSP must not have actual knowledge that it is hosting infringing material or be aware of facts or circumstances from which infringing activity is apparent. It is clear from the statute and legislative history that an OSP has no duty to monitor its service or affirmatively seek infringing material on its system.[12] However, the statute describes two ways in which an OSP can be put on notice of infringing material on its system: 1) notice from the copyright owner, known as notice and take down, and 2) the existence of "red flags."

This is advantageous for OSPs because OCILLA's clear process allows them to avoid making decisions about whether or not material is actually infringing. Such decisions can be complex both because it is difficult to determine whether the copyright has expired on a material without access to complete information such as publication date, and because even copyrighted material can be used in some cases under the doctrine of fair use, the applicability of which is difficult to evaluate.

Instead of making a complex legal determination, OCILLA allows OSPs to avoid liability provided they comply with the terms of the statute, regardless of the validity of any claim of infringement.

The first way an OSP can be put on notice is through the copyright holder's written notification of claimed infringement to the OSP's designated agent. This must[13] include the following:

(i) A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
(ii) Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.
(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.
(iv) Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.
(v) A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.
(vi) A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

See 512(a) and (h) below if the information is not stored on the system of the OSP but is instead on a system connected to the Internet through it, like a home or business computer connected to the Internet. Legal liability may result if access to material is disabled or identity disclosed in this case.

If a notice which substantially complies with these requirements is received the OSP must expeditiously remove or disable access to the allegedly infringing material.[14] So long as the notice substantially complies with clauses (ii), (iii), and (iv) the OSP must seek clarification of any unclear aspects.[15]

In Perfect 10, Inc. v. CCBill LLC, the Ninth Circuit held that the properly constructed notice must exist in one communication.[16] A copyright owner cannot "cobble together adequate notice from separately defective notices" because that would unduly burden the OSP.

After the notice has been complied with the OSP must take reasonable steps to promptly notify the alleged infringer of the action.[17] Note that the OSP is not prohibited from doing so in advance, only required to do so afterward. If there is a counter notification from the alleged infringer, the OSP must respond appropriately to it.

If the OSP complies with this and the counter notification procedures, it is safe from legal liability to its own customer as a result of taking down the material.

There is a common practice of providing a link to legal notices at the bottom of the main web page of a site. It may be prudent, though it is not required by the provisions of section 512 of the copyright law, to include the designated agent information on the page the legal link goes to, in addition to any other places where it is available. As long as the site gives reasonable notice that there is a method of compliance, that should be sufficient. Once again the courts have not ruled on the technicalities of posting of these notices.

The second way that an OSP can be put on notice that its system contains infringing material, for purposes of section 512(d), is referred to the "red flag" test.[12] The "red flag" test stems from the language in the statute that requires that an OSP not be "aware of facts or circumstances from which infringing activity is apparent."[18]

The "red flag" test contains both a subjective and an objective element. Subjectively, the OSP must have knowledge that the material resides on its system. Objectively, the "infringing activity would have been apparent to a reasonable person operating under the same or similar circumstances."[12]

The law provides for "expeditious" action. The meaning of "expeditious" in the context of this law has not yet been determined by the courts. Black's Law Dictionary defines "expeditious" as "performed with, or acting with, expedition; quick; speedy." In the common law, the term "expeditious" has been interpreted according to the circumstances, allowing more time than "immediate" but not undue delay. Some suggest that the most prudent courses are to comply "immediately" or to seek immediate legal advice from qualified legal counsel. In the commercial online world, taking more than 24 hours may well be viewed as undue delay. However, when legal advice is factored into the equation it is reasonable to give counsel time to review all the facts, verify the necessary elements of the notice and conduct minimal research to ascertain the current state of the law. This may reasonably occur when the material posted appears likely to be covered by a fair use, for fair use is not copyright infringement. So, in some situations it may be reasonable to determine that "expeditious" would take more than 24 hours, and if the ISP was a small not-for-profit provider, or a server run by volunteers, it may not have the resources to obtain a legal opinion with the same speed that a large multinational corporation may have resources at its disposal to comply immediately. There may not even be a person immediately available who is qualified to determine if the notice complies with the standards set forth in the act. Perhaps a reasonable court would take these factors into consideration. The courts in the United States have yet to rule on these issues.

For a commercially run on-line provider taking action within the hour to tell a customer that a takedown notice has been received and informing them that they must immediately remove the content and confirm removal, giving them six to twelve hours to comply; and otherwise informing them that the content will be taken down or their Internet connection terminated, may be considered reasonable. Some courts may find this to be too great a burden on an ISP if it receives a large number of communications at the same time or has limited resources to review § 512 notices for substantial compliance. It may also depend on how the notice is sent. If the notice is sent via regular mail or via fax, there may be a lag between the sending of the notice and its reception by those who are able to act upon it. If the notification is received by a mail delivery on a Saturday when the ISPs offices are closed and not acted upon until Monday, that may be considered reasonable.

Even if a copyright holder does not intend to cause anything other than the removal of allegedly infringing material, compliance with the DMCA's procedures nonetheless may result in disruption of a contractual relationship: by sending a letter, the copyright holder can effectuate the disruption of ISP service to clients. If adherence to the DMCA's provisions simultaneously subjects the copyright holder to state tort law liability, state and federal law may conflict. Depending on the facts of the case, federal law may preempt state law i.e. there will be no liability for state law claims resulting from compliance with federal law.[19]

The other issue to keep in mind is that the delay in responding may not amount to a significant amount of damages and someone who has had their material removed by the § 512 procedure late may be more than satisfied with the result; it is much less expensive than filing a copyright infringement suit in federal court that might revolve around a minor technicality of the law. Indeed, one of the purposes of this section was to remove a large number of potential infringement suits from the courts when the facts revolving around infringement were basically undisputed and the damages could be minimized within a short period without the intervention of a US federal district court judge. A copyright holder may be more than happy to know that the material has been taken down for the minor fee of having a lawyer draft a compliant "take down" notice rather than the costs of drafting, filing, serving and prosecuting a federal copyright infringement action.

It is also useful to remember that another law, the federal Communications Decency Act (CDA) still protects the ISP from liability for content provided by third parties (see below). Even if a removal is found not to be "expeditious" within the meaning of the law and the so-called "safe harbor" under the DMCA is lost, in certain circumstances, the OSP may still be protected. Through these two laws there are ways to balance the ISP's intent to assist with the protection of third party copyright and the desire to preserve good customer relations. There is also a question of the infringement that is placed by a third party being an issue of negligence or another tort on the part of the OSP. If the OSP takes steps considered reasonable or is found not to have a duty of care to police potential infringers on the site then the infringement may be considered "innocent" from the point of view of the ISP and the infringer may still be held to be the liable party which posts the infringing work or works.

It is sometimes stated that the ISP needs to give the alleged infringer ten days' notice before acting. This is incorrect. The ISP must act expeditiously. The ten-day period refers to the counter notification procedure described in Section 512(g) after the infringing material has been removed, offering them an opportunity to counter the allegations presented to the ISP not during the stage of the so-called "take down" procedure.

It is sometimes suggested that content must be taken down before notifying the person who provided it. That is also not required, so long as the removal is expeditious. A large connectivity provider with many ISP customers would not be acting reasonably by disconnecting a whole ISP if it received a takedown notice for a web site hosted by that ISP on behalf of one of its customers. The law appears to allow the necessary flexibility to deal reasonably with relaying takedown requests to handle such situations.

protects service providers who are passive conduits from liability for copyright infringement, even if infringing traffic passes through their networks. In other words, provided the infringing material is being transmitted at the request of a third party to a designated recipient, is handled by an automated process without human intervention, is not modified in any way, and is only temporarily stored on the system, the service provider is not liable for the transmission.

The key difference in scope between this section, transitory network communications under 512(a), and caches, websites and search engine indexes under 512(b), 512(c) and 512(d) respectively, relates to the location of the infringing material. The other subsections create a conditional safe harbor for infringing material that resides on a system controlled by the OSP. For material that was temporarily stored in the course of network communications, this subsection's safe harbor additionally applies even for networks not under the OSP's control.

protects OSPs who engage in caching (i.e. creating copies of material for faster access) if the caching is conducted in standard ways, and does not interfere with reasonable copy protection systems. This Section applies to the proxy and caching servers used by ISPs and many other providers.

If the cached material is made available to end users the system provider must follow the Section 512(c) takedown and put back provisions. Note that this provision only applies to cached material originated by a third party, not by the provider itself. Also, the content of the material must not be modified as a result of the caching process.

eliminates copyright liability for an OSP who links users, through a tool such as a web search engine, to an online location that contains infringing material, provided that the OSP does not know the material is infringing.

There are several other conditions for this immunity to apply. Once the OSP becomes aware that the material is infringing, it must promptly disable access to it. Also, the OSP must follow Section 512(c)'s takedown and put-back provisions. Finally, where the OSP can control the infringing activity, the OSP must not derive any financial benefit through providing the link.

protects nonprofit educational institutions from liability for the actions of faculty and graduate student employees who place infringing material online. For the immunity to apply the materials must not be course materials for a course taught by the faculty or graduate student employee, and the institution must not have received more than two infringement notifications about the same individual, during the preceding 3 years. Also, the institution must distribute informational materials about US copyright laws to all the users of its network.

Universities across the country have been forced to adapt to the Digital Millennium Copyright Act regulations. The Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), who are the major representers of the music and movie industries, are the main organizations who have been enforcing the copyright laws the strongest. This started in 2003 as they began to track down the heaviest peer-to-peer users and seek lawsuit against them.[20] Most Universities today have set in rules to follow the strict guidelines of the DMCA.[21] Offenders are issued subpoenas and disciplinary actions are taken to identify and disable the issue. Fortunately for the colleges, the liability of Internet service providers is limited under section 512 of the Copyright Act.

deters false claims of infringement by imposing liability on anyone who makes such claims, for the damages suffered by other parties as a result of the OSP's reliance on the false claim, and for associated legal fees.

This provision really does have some bite, as illustrated by the cases of Online Policy Group v. Diebold, Inc.,[19] where an electronic voting technology firm was sanctioned for knowingly issuing meritless notices of infringement to ISPs, and more recently Lenz v. Universal, 801 F.3d 1126 (2015).

contains provisions that allow a copyright owner to force an OSP to reveal identifying information about the user who allegedly infringed the owner's copyright, through the use of a subpoena issued by a federal court at the owner's request.

Part (h)(2)(A) requires that the owner's request include "a copy of a notification described in subsection (c)(3)(A)" (a takedown notice, see above). Note that 512(c)(3)(A)(iii) states that the notice must identify the allegedly infringing material that is to be removed, and must provide reasonably sufficient information for the service provider to locate the material residing on its system. The owner must also swear that any information obtained through the subpoena will only be used for the purpose of protecting its rights under Section 512.

If the OSP is served with such a subpoena after or at the same time as a valid takedown notice, under Part (h)(2)(A) it must expeditiously provide the information required by the subpoena.

In 2003, the Recording Industry Association of America appeared to be seeking subpoenas and serving takedown notices which did not comply with these requirements, notably using the subpoena provisions for 512(a) situations, which do not provide for them.

On 20 December 2003, the DSL ISP Verizon prevailed on appeal in its case seeking to prevent the use of this section for transitory network communications, the decision reversing a court order to supply customer details.[22] The appeal decision accepted the argument that the key distinction was the location of the files, with this section applying only when the material is stored on equipment controlled by the OSP. However, in response, RIAA member labels turned to a different method to acquire their desired information. They began suing multiple "Doe" defendants at a time and issuing third-party discovery subpoenas to ISPs for the customer details.

On 6 October 2003 Charter Communications became the first cable Internet provider to challenge the RIAA use of this provision,[23] when it filed for a motion to quash the subpoenas to obtain the identities of 150 of its customers. Although Charter Communications initially lost this motion and was forced to turn over the identities of the requested customers, a later appeal ruled that the motion to quash should have been upheld.[24]

outlines the general requirements for a grant of immunity. Online service providers must reasonably implement a policy "that provides for the termination in appropriate circumstances" of "repeat infringers", must inform their users of this policy, and must accommodate standard copy protection systems.

This passage has historically been open to interpretation, as it does not specify any minimum standards that a repeat infringer policy must adhere to, and only specifies that users must be informed of its existence. In 2018, the Ninth Circuit Court of Appeals ruled that a repeat infringer policy did not necessarily need to be documented and publicized (as long as users are informed of its presence), and that a website owner's efforts to moderate and manually ban repeat infringers on a case-by-case basis was sufficiently reasonable.[25][26]

describes the forms of injunctive (i.e. court order) relief available to copyright holders. Even though OSPs have immunity from monetary damages under Section 512, they may be compelled by copyright holders, in appropriate situations, to stop providing access to infringing material or to terminate the account of a particular infringer.

notes that a service provider's ineligibility for a safe harbor from monetary damages under this section does not affect the validity of any other legal defenses that may be applicable (notably the CDA, although it isn't specifically identified).

notes that OSPs retain the protections of parts (a) through (d) even if they don't monitor their service looking for infringing activity, as long as they comply Section 512(i)'s general requirements relating to the institution of account termination policies for infringers and accommodation of copy protection systems. Furthermore, OSP's are not required to remove or disable access to material if doing so would break another law.

states that the limitations on liability in parts (a), (b), (c) and (d) apply independently. Hence, the fact that an OSP qualifies for a limitation on liability under one subsection has no impact on whether the OSP qualifies for a limitation under a different subsection. This is because subsections (a), (b), (c), and (d) describe separate and distinct functions.

The past decade of experience with the safe harbor provisions has shown them to be reasonably effective.[27][28] Copyright holders have the incentive to monitor Internet sites for offending material, and to send ISPs notifications where appropriate, of material that should be taken down. ISPs have incentive to cooperate with copyright holders and terminate the accounts of repeat infringers on pain of forfeiting the safe harbor created by OCILLA. At the same time, copyright holders are deterred from improperly sending out notices by provisions that make them liable for resulting damages, and also by bad publicity.

That is not to say that OCILLA functions perfectly in practice. There are several problems resulting from imperfect incentives created by the law, from the complexity and requirements of the counter-notice procedures, and from evolving Web Technology.

There is some evidence that ISPs tend to quickly take down allegedly infringing content on request by copyright holders, in situations where the content is actually non-infringing and should be preserved.[29][30] This may be because ISPs have much more to lose by forfeiting their safe harbor than by angering a user whose content is improperly removed.

Chilling Effects estimates that OSPs remove allegedly offending content even though approximately 60% of all takedown notices are flawed. Notices can be flawed in several ways. Many fail to follow the requirements of the statute. Others ask for material to be taken down for reasons such as trademark infringement and defamation that are unrelated to copyright infringement.[31]

There is evidence of problems with the counter-notice procedure, arising from its complexity and also because ISPs are not required to inform users of its existence. According to Chilling Effects, while Google has taken hundreds of sites out of its index because of DMCA requests, not a single person has filed a counter-notice or received a counter-notice from any other OSP.

This may result from the inherent imbalance in prerequisites for the original complaint and the counter-notice. To get content removed, copyright holder Bob need only claim a good-faith belief that neither he nor the law has authorized the use. Bob is not subject to penalties for perjury. In contrast, to get access to content re-enabled, Alice must claim a good faith belief under penalty of perjury that the material was mistakenly taken down. This allows for copyright holders to send out take-down notices without incurring much liability; to get the sites back up, the recipients might need to expend considerably more resources. Section 512(f) makes the sender of an invalid claim liable for the damages resulting from the content's improper removal, including legal fees, but that remedy is not always practical.

Furthermore, ISP's tend to remove allegedly offending material immediately, while there is a 10- to 14-day delay before the ISP re-enables access in response to a counter-notice. For example, if a website advertised an upcoming labor protest outside BlameCo, BlameCo could send a DMCA notice to the site's ISP alleging copyright infringement of their name or logo a week before the protest. The site would then be disabled; even if the site's owners immediately filed a counter-notice, access would not be re-enabled until after the protest, too late to be useful.

ISP's may also disregard counter-notices. Section 512(g) of the DMCA shields an ISP from liability to its customer for a DMCA takedown, if the ISP restores removed content following a counter-notice. In practice, however, an ISP may disregard the counter-notice, and instead rely on its own terms of service to shield itself from liability to its customer. For example, since April 2013, YouTube refuses to restore some counter-noticed content, citing an agreement YouTube made with third-party music content owners.[32][33]

Additionally, there is no public record of takedown requests and counter-notices. This prevents the public from seeing how the process is used. (Chilling Effects has tried to make up for this shortcoming, but, so far, few OSPs besides Google submit their takedown notices.)

There have been recent claims[34] that the DMCA-embedded concepts of direct financial benefit, interference with standard technical measures, and the legislative red flag test for identifying infringing material are significantly challenged by the explosion of user-generated content unleashed by Web 2.0 technologies.

Web 2.0 has enhanced the ease of access to copyrighted works by introducing new and alternative electronic platforms in which information can be shared publicly.[35] Recognizing the challenge that Web 2.0 presents, many OSPs have implemented programs that automatically scan every upload for potential infringing activity. These proactive systems can detect anything from background melodies to visual displays. Through YouTube's system called Content ID, copyright owners are given the power to either track, block or monetize user-uploaded content. Oftentimes, copyright owners elect to profit from videos containing their copyrighted content. As of 2017, Content ID has been able to generate over two billion USD for its copyright partners.[36]

The European Union's Electronic Commerce directive, Article 14, contains limited liability provisions for online hosts which provide the legal basis for notice and takedown in the EU. France's Digital Economy Law ("Loi relative à l'économie numérique") is an example of an implementation of this directive, as is Finland's "Laki tietoyhteiskunnan palvelujen tarjoamisesta."

In Korea, the analogous law is Section 102 (Limitation of OSP Liabilities) and Section 103 (Takedown) of Copyright Law of Korea.

In Taiwan, Republic of China, the analogous law is Chapter VI-1 of the Copyright Act.[37]