Copyright Liability Consultation — User-Uploaded Images

Subject: Copyright and related intellectual property liability arising from user-uploaded images in an inventory management SaaS platform Jurisdiction: United States (primary); European Union (supplementary) Date: March 2026

Disclaimer: This document is prepared as an informational legal analysis and does not constitute legal advice. It reflects the state of law as understood at the time of preparation. Copyright law, particularly as applied to digital platforms and inline linking, is an evolving area. Arda Cards should consult qualified legal counsel before making operational or policy decisions based on this analysis.

1. Executive Summary

Arda Cards operates a Kanban-based inventory management SaaS platform that permits business customers to associate images with material and inventory records. Users may supply images through five distinct mechanisms: (1) copy-paste from the web, (2) file upload from a local device, (3) mobile phone camera, (4) screenshots, and (5) providing a URL to a remotely-hosted image.

The central copyright questions are:

Who is the direct infringer when a user uploads or references a copyrighted image without authorization?
What secondary liability risk does Arda Cards assume as the hosting platform?
Does the DMCA § 512 “safe harbor” insulate Arda Cards from monetary liability?
Does the EU DSM Copyright Directive Article 17 apply, and if so, how?
What is the risk profile of each upload method, and what operational mitigations are available?

The analysis concludes that:

In all cases, the user is the primary direct infringer if the uploaded image is copyrighted and unauthorized.
Arda Cards can obtain strong DMCA § 512(c) safe harbor protection for methods (1)–(4) by implementing a compliant notice-and-takedown regime.
The URL-referencing method creates a bifurcated risk depending on whether Arda Cards copies the image server-side or merely passes the URL to the browser for rendering. Server-side copying may make Arda Cards the direct copier, defeating safe harbor.
The EU Article 17 regime likely does not apply to Arda Cards due to its B2B, internal-use, non-public-sharing nature — but this requires careful legal confirmation.
A modest compliance infrastructure (DMCA agent registration, ToS clauses, takedown procedure, repeat infringer policy) substantially reduces platform-level exposure.

2. Background: Nature of the Platform and Use Cases

Arda Cards provides inventory and production management tooling to manufacturing operators. Images uploaded by users function as reference data — visual identification of materials (items) — used internally within the customer organization. This operational context is material to the legal analysis for several reasons:

Images are not “shared publicly” in the social media sense; they are accessed by authenticated users within a single customer’s workspace.
The platform does not index, curate, recommend, or profit from the images as content.
The platform derives revenue from subscription fees for the management software, not from the images themselves.
Users are business operators uploading images of their own materials — in the majority of cases, likely photos they own (e.g., their own product photos).

This context distinguishes Arda Cards from platforms like YouTube, Instagram, or Pinterest, which are the paradigmatic targets of both DMCA § 512 litigation and EU Article 17.

3. Foundational Copyright Concepts

3.1 What Constitutes Infringement

Under 17 U.S.C. § 106, the copyright holder holds exclusive rights to:

Reproduce the work (make copies)
Distribute copies
Create derivative works
Display the work publicly

Uploading a copyrighted image to a server creates a “copy” within the meaning of § 101 and potentially implicates the reproduction right. Serving an image to a browser implicates the public display right — although the “public” element is contested in B2B private contexts.

3.2 Direct vs. Secondary Liability

Direct infringement requires volitional conduct — the defendant must have made or caused the infringing copy or display. Courts have held that automated systems that passively store user-uploaded content without human selection do not constitute volitional copying by the platform operator. See Cartoon Network LP v. CSC Holdings, Inc., 536 F.3d 121 (2d Cir. 2008) (holding that a remote DVR operator was not a direct infringer because the copies were made “at the direction of” the customer).

Vicarious liability requires: (a) the right and ability to supervise the infringing activity, and (b) a direct financial interest in the exploitation. Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996).

Contributory liability requires: actual or constructive knowledge of specific infringement + material contribution to it. Metro-Goldwyn-Mayer Studios v. Grokster, 545 U.S. 913 (2005).

3.3 The “Server Rule”

The “server rule” originated in Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1159–61 (9th Cir. 2007). The Ninth Circuit held that Google’s inline linking to images hosted on third-party servers did not constitute “display” of those images under the Copyright Act, because Google did not store the images on its own servers:

“Google does not… display a copy of full-size infringing photographic images… when Google frames in-line linked images that appear on a user’s computer screen. Google provides HTML instructions that direct a user’s browser to a website publisher’s computer that stores the full-size photographic image. Providing these HTML instructions is not equivalent to showing a copy.”

This principle became foundational to the architecture of the modern web. However, the server rule has faced significant challenge.

4. Analysis by Upload Method

4.1 File Upload (Method 2) and Copy-Paste (Method 1)

Mechanism: The user selects a file from their device or pastes image data from the clipboard. Arda Cards stores the resulting binary in its own storage (e.g., S3 or equivalent object store) and serves it from there.

Who makes the copy: The user initiates the upload; Arda Cards’ system receives and stores it at the user’s direction. This is the canonical § 512(c) “storage at the direction of a user” scenario.

Direct liability: The user is the direct infringer if the image is copyrighted and unauthorized. Arda Cards is not the volitional copier.

Platform liability: Arda Cards may be exposed to secondary liability (vicarious or contributory) absent safe harbor protection. The DMCA § 512(c) safe harbor is directly applicable here. See Viacom International Inc. v. YouTube, Inc., 676 F.3d 19 (2d Cir. 2012) (affirming that § 512(c) applies to storage of user-uploaded video content).

Risk level: Low, if DMCA compliance requirements are met (see Section 6).

4.2 Mobile Phone Photos (Method 3)

Mechanism: The user takes a photograph using their mobile device and uploads it.

Copyright ownership: The photographer — in this case, the user — owns the copyright in photos they personally take, absent a work-for-hire arrangement. 17 U.S.C. § 102(a)(6). There is no third-party copyright issue.

Caveat: A photo of a copyrighted object (e.g., a branded product, a copyrighted artwork displayed on the item) does not itself infringe copyright in the depicted item — copyright does not extend to prevent photographs of physical objects. Ets-Hokin v. Skyy Spirits, Inc., 225 F.3d 1068 (9th Cir. 2000). Some edge cases exist (e.g., architectural works, artistic works incidentally captured), but these are remote in the inventory management context.

Risk level: Negligible.

4.3 Screenshots (Method 4)

Mechanism: The user takes a screenshot of content visible on their display and uploads the resulting image.

Copyright analysis: A screenshot is a reproduction of whatever was on-screen. If the screen content is copyrighted (e.g., a product photo from a manufacturer’s website, a catalog image), the screenshot is a copy of a copyrighted work, and uploading it constitutes reproduction. The user is the direct infringer.

Fair use: For internal reference use in an operational context, a fair use argument is conceivable under 17 U.S.C. § 107 — particularly factors (1) (commercial vs. non-commercial character, though here it is commercial internal use) and (4) (effect on the market for the original work). Screenshots of product reference photos for internal inventory management arguably have minimal market impact. However, fair use is a fact-specific defense, not a guarantee.

Platform liability: Same analysis as methods 1–2. Arda Cards stores it at user direction; § 512(c) applies.

Risk level: Low to moderate for the user; low for Arda Cards with DMCA compliance in place.

4.4 URL Reference — Browser-Side Rendering, No Server Copy (Method 5a)

Mechanism: The user provides a URL. Arda Cards stores only the URL string. When the image is needed for display, the browser fetches it directly from the original server. Arda Cards never holds a copy of the image binary.

Copyright analysis under the server rule:

The Perfect 10 v. Amazon server rule (9th Cir. 2007) is the primary precedent. Under that holding, Arda Cards’ servers do not store or serve the image; the browser retrieves it from the original host. Arda Cards’ role is analogous to providing an HTML <img src="..."> tag. Under this analysis, Arda Cards does not reproduce the image (no copy on its servers) and the display occurs on the user’s device from the original source.

Challenge to the server rule — Nicklen (S.D.N.Y. 2021):

In Nicklen v. Sinclair Broadcasting Group, Inc., No. 20-CV-10300 (S.D.N.Y. July 30, 2021), the Southern District of New York declined to follow the server rule, holding that the Copyright Act’s display right “is concerned not with how a work is shown, but that a work is shown.” The court found that embedding a link to an externally-hosted video could constitute infringing display, regardless of whether a copy was stored on the defendant’s servers.

This creates a circuit split / inter-district conflict:

Court	Rule	Outcome
Ninth Circuit (Perfect 10, 2007)	Server rule — no copy = no direct infringement	Inline linking is not direct infringement
S.D.N.Y. (Nicklen, 2021)	Display rule — showing = infringing, regardless of storage	Inline linking can be direct infringement

As of 2026, the Second Circuit has not resolved whether Nicklen reflects Second Circuit law. The law is genuinely unsettled outside the Ninth Circuit.

Contributory liability caveat: Even where the server rule applies and direct infringement is negated, the Perfect 10 court acknowledged that “such assistance raised only contributory liability issues.” If Arda Cards has red-flag knowledge that a user is systematically linking to infringing images, contributory liability exposure remains.

Risk level: Moderate — lower than storing a copy, but not zero; depends on jurisdiction and future circuit court development.

4.5 URL Reference — Server-Side Copy (Method 5b)

Mechanism: The user provides a URL. Arda Cards’ backend fetches the image from the URL and stores it in its own object storage, serving it from there going forward.

Copyright analysis: This is the highest-risk scenario for Arda Cards as a platform. When Arda Cards’ server fetches and stores the image:

Arda Cards makes the copy, not merely the user. The system is the volitional actor in the reproduction.
The § 512(c) safe harbor requires that storage be “at the direction of a user.” An automated server-side fetch initiated by the platform’s own backend, even in response to a URL input, arguably takes the copying out of the user’s hands and into the platform’s.
The Copyright Alliance’s guidance on safe harbor states explicitly: “These safe harbors only apply when someone other than the service provider is the direct infringer. If the service provider itself is engaging in the infringing activities, the safe harbors will not apply.” DMCA Safe Harbor, Copyright Alliance.

Precedent — caching: § 512(b) provides a separate safe harbor for “system caching” — temporary intermediate storage of material made available by a third party. This requires the caching to be automatic, the material to be transmitted without modification, and the cache to be refreshed per the original server’s caching directives. If Arda Cards were to implement URL-based image caching as a proper proxy (respecting Cache-Control, ETag, etc.), § 512(b) might apply. However, if the system downloads and permanently stores the image with no expiry or origin-consistency check, § 512(b) does not apply and there is no applicable safe harbor.

Risk level: High. This is the scenario Arda Cards should specifically address in its architecture. The recommended design decision is discussed in Section 7.

5. EU Law: DSM Copyright Directive Article 17

5.1 Overview

The EU Directive on Copyright in the Digital Single Market (CDSM Directive, 2019/790) introduced Article 17 (formerly “Article 13”), which fundamentally altered the liability regime for certain platforms in EU member states. Member states were required to implement it by June 7, 2021.

Under Article 17, “online content-sharing service providers” (OCSSPs) are directly liable for copyright-infringing content uploaded by their users and made publicly available, unless they have:

Made best efforts to obtain a license from rights holders;
Made best efforts to prevent the upload of unauthorized content (using technical measures such as upload filters); and
Acted expeditiously upon receiving notice to remove infringing content and used best efforts to prevent future uploads.

See CJEU, Republic of Poland v. Parliament and Council, Case C-401/19 (Apr. 26, 2022) (upholding Article 17’s validity subject to procedural safeguards).

This is substantially stricter than the U.S. DMCA regime: Article 17 imposes a proactive licensing and filtering obligation, not merely a reactive takedown duty.

5.2 Does Article 17 Apply to Arda Cards?

The OCSSP definition under Article 2(6) CDSM covers a provider that:

Stores and gives the public access to a large amount of copyright-protected works uploaded by users;
Organizes and promotes those works for profit-making purposes.

Several factors weigh against Arda Cards being classified as an OCSSP:

Explicit B2B cloud service exemption: The European Commission’s Article 17 Guidance (June 2021) explicitly states that business-to-business cloud services (specifically referencing Dropbox as an example) are excluded from the OCSSP definition. Arda Cards’ images are stored and accessed exclusively within a customer’s authenticated workspace — not made available to the public.

No profit from content exploitation: Article 17 targets platforms that derive profit from making user-uploaded content publicly available (e.g., ad revenue against viewed content). Arda Cards’ revenue derives from subscription fees for workflow management tooling; the images are incidental operational data, not monetized content.

“Large amount” threshold: The Article 17 regime is calibrated for platforms hosting large quantities of copyright-protected works made available for general consumption. Inventory reference images for internal use do not fit this profile.

Conclusion: Arda Cards most likely falls outside the Article 17 OCSSP definition. However, this conclusion is jurisdiction-specific (each EU member state implemented Article 17 with some variation), and the scope continues to be litigated. EU customers should be a prompt for obtaining a formal opinion from EU-qualified IP counsel.

5.3 Pre-Article 17 EU Regime (E-Commerce Directive)

For platforms that are not OCSSPs, the prior EU framework under the E-Commerce Directive (2000/31/EC) Article 14 — analogous to DMCA § 512(c) — continues to apply. This provides a safe harbor for hosting providers who: have no knowledge of infringing activity, and upon obtaining such knowledge, act expeditiously to remove or disable access. This is broadly consistent with the DMCA framework and imposes no proactive filtering obligation.

6. DMCA § 512 Safe Harbor: Requirements and Compliance Checklist

To qualify for § 512(c) protection (storage at direction of user), Arda Cards must meet three general requirements applicable to all safe harbors, plus specific conditions for the § 512(c) harbor:

6.1 General Requirements (All Safe Harbors)

Requirement	Description
Service Provider Status	Arda Cards qualifies as an OSP under 17 U.S.C. § 512(k)(1) as a provider of online services.
No Interference with Standard Technical Measures	Platform must not interfere with copyright protection systems (e.g., DRM fingerprinting). Not applicable to Arda Cards’ use case.
Repeat Infringer Policy	Must adopt, inform users of, and implement a policy to terminate accounts of repeat infringers.

6.2 § `512(c)` -Specific Requirements

Requirement	Description
Storage at direction of user	Content must be stored at user’s direction, not the platform’s own selection or curation. ✓
No actual knowledge	Must not have actual knowledge that specific material is infringing.
No red-flag knowledge	Must not be aware of facts or circumstances from which infringing activity is apparent.
No direct financial benefit from infringement	Platform must not financially benefit directly from specific infringing activity while having the ability to control it. Subscription revenue is generally not “direct” financial benefit from specific infringement. ✓
Designated DMCA agent	Must designate an agent to receive takedown notices, register with the U.S. Copyright Office ($6/agent), and publish contact information on website.
Expeditious response to valid takedowns	Must remove or disable access to infringing material upon receiving a valid takedown notice under 17 U.S.C. § `512(c)`(3).

6.3 Compliance Infrastructure Required

Register a DMCA Designated Agent with the U.S. Copyright Office at copyright.gov/dmca-directory. Cost: $6 per agent; renewal required every 3 years.
Publish DMCA contact information on Arda Cards’ website (commonly in the Terms of Service or a dedicated “Copyright Policy” page).
Draft and publish a Repeat Infringer Policy stating that accounts with multiple copyright violations are subject to suspension or termination. This must be implemented in practice, not merely posted. Viacom v. YouTube and subsequent cases have scrutinized whether platforms actually enforce their repeat infringer policies.
Establish a Takedown Procedure: Upon receipt of a valid § 512(c)(3) notice (identifying the work, the infringing material, and the copyright holder’s good-faith belief), Arda Cards must expeditiously remove or disable access to the identified content and notify the uploading user.
Counter-Notice Option (Recommended): Implementing a counter-notice procedure under § 512(g) is optional but recommended. It shields Arda Cards from user claims if content is removed pursuant to a takedown notice, provided the user is given an opportunity to contest.
Terms of Service IP Representations: Include a user representation that they own or have licensed all images uploaded and indemnify Arda Cards against third-party copyright claims. This does not affect safe harbor eligibility but provides contractual recourse against infringing users.

7. Architectural Recommendations

7.1 URL-Based Images: Choose Browser-Side Rendering

The single most consequential architectural decision for copyright risk is how Arda Cards handles images provided by URL.

Recommended: Store only the URL string. Pass it to the browser as a standard <img src="..."> or equivalent reference. The browser fetches the image directly from the origin server. Arda Cards never holds a copy of the image binary.

Advantages:

No reproduction on Arda Cards’ servers → no direct copying → server rule defense available
§ 512(c) safe harbor applies fully to any URL the user entered (Arda Cards is storing a URL string, not a copyrighted image)
Architecturally simpler; no egress cost for image fetching

Disadvantages:

Images become unavailable if the origin URL goes dead (link rot)
Browser makes cross-origin requests (CORS, referrer policy implications)
Potential mixed-content issues if origin serves over HTTP

Alternative if server-side copy is required: Implement as a proper caching proxy respecting HTTP caching semantics (Cache-Control, ETag, Last-Modified). This is closer to the § 512(b) caching safe harbor model. Retain the URL as the canonical reference; treat the stored copy as an expendable cache, not the source of truth. This is architecturally and legally more complex and should be reviewed with counsel.

Do not: Fetch-and-store without any origin consistency mechanism. This is the highest-risk design and provides no safe harbor coverage for the stored copy.

7.2 User Acknowledgment for URL Inputs

For URL-provided images — particularly if Arda Cards does fetch them server-side — consider requiring a user checkbox acknowledgment at the point of input: “I confirm I have the right to use and store this image.” This:

Is not a legal shield (the user’s representation doesn’t fix a copyright problem)
But demonstrates good faith on Arda Cards’ part (relevant to “red flag knowledge” analysis)
Establishes contractual basis for indemnification claims against the user

8. Risk Matrix by Upload Method

Method	User Liability	Platform Direct Liability	Platform Secondary Liability	DMCA Harbor Available	Risk Level
(1) Paste from web	High (if unauthorized)	None (not the copier)	Low with compliance	Yes — § `512(c)`	Low
(2) File upload	High (if unauthorized)	None (not the copier)	Low with compliance	Yes — § `512(c)`	Low
(3) Mobile photo	Negligible (user owns photo)	None	None	N/A	Negligible
(4) Screenshot	Moderate–High	None (not the copier)	Low with compliance	Yes — § `512(c)`	Low
(5a) URL / browser fetch	Moderate (if unauthorized)	Low–Moderate (Nicklen risk)	Low with compliance	Yes — § 512(d) (linking)	Moderate
(5b) URL / server copy	Moderate (if unauthorized)	High (platform makes copy)	Moot	No	High

9. Summary of Authoritative Sources

U.S. Statutory Law

17 U.S.C. § 106 — Exclusive rights of copyright holders
17 U.S.C. § 107 — Fair use doctrine
17 U.S.C. § 512 (DMCA) — Online Copyright Infringement Liability Limitation Act (OCILLA); safe harbors for OSPs
- Full text: law.cornell.edu/uscode/text/17/512

U.S. Copyright Office Resources

U.S. Copyright Office, Section 512 of Title 17 (May 2020) — Comprehensive report on safe harbor provisions and notice-and-takedown system
- copyright.gov/512/
U.S. Copyright Office, The Digital Millennium Copyright Act — Overview
- copyright.gov/dmca/
DMCA Designated Agent Directory — Required registration for safe harbor eligibility
- copyright.gov/dmca-directory/

U.S. Case Law

Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146 (9th Cir. 2007) — Server rule; inline linking not direct infringement under Ninth Circuit
Viacom International Inc. v. YouTube, Inc., 676 F.3d 19 (2d Cir. 2012) — § 512(c) applies to user-uploaded video; “red flag knowledge” requires specific, not general, awareness
Nicklen v. Sinclair Broadcasting Group, Inc., No. 20-CV-10300 (S.D.N.Y. July 30, 2021) — Rejects server rule; embedding alone may infringe display right
Cartoon Network LP v. CSC Holdings, Inc., 536 F.3d 121 (2d Cir. 2008) — Volitional copying requirement; automated storage at user direction not direct infringement by platform
Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996) — Vicarious liability standard
Metro-Goldwyn-Mayer Studios v. Grokster, 545 U.S. 913 (2005) — Contributory liability; inducement theory

Congressional Research Service

“DMCA Safe Harbor Provisions for Online Service Providers: A Legal Overview”, CRS Report IF11478, Congress.gov
- congress.gov/crs-product/IF11478

Practitioner References

Fenwick & West, “Your DMCA Safe Harbor Questions Answered” — Comprehensive practitioner Q&A on all four safe harbors
- assets.fenwick.com/legacy/FenwickDocuments/DMCA-QA.pdf

EU Law

Directive (EU) 2019/790 on Copyright in the Digital Single Market — Article 17 (OCSSP liability regime)
- eur-lex.europa.eu — CELEX:32019L0790
CJEU, Republic of Poland v. Parliament and Council, Case C-401/19 (Apr. 26, 2022) — Upholds Article 17 subject to safeguards
European Commission Guidance on Article 17 (June 4, 2021) — Clarifies scope, “best efforts” standard, and B2B exclusions
- ec.europa.eu — Article 17 Guidance
E-Commerce Directive 2000/31/EC, Article 14 — Hosting safe harbor applicable to non-OCSSP platforms in the EU
Wikipedia: Inline Linking — Technical and legal overview of the server rule and its limitations
- en.wikipedia.org/wiki/Inline_linking

10. Recommended Next Steps

Immediate (low cost, high impact):
- Register a DMCA Designated Agent with the U.S. Copyright Office ($6).
- Add a copyright/DMCA policy section to Arda Cards’ Terms of Service, including: IP ownership representation by users, repeat infringer policy, DMCA agent contact information, and an indemnification clause for third-party IP claims.
Short-term (architectural):
- Audit the URL-image handling path: confirm whether the backend fetches and stores images, or passes URLs to the browser. If server-side copying is occurring, redesign to browser-side rendering or implement a proper caching proxy.
Medium-term (process):
- Establish an internal process (even a simple one) for handling DMCA takedown notices when received. Designate a responsible person. Document that the process exists and is followed — courts have invalidated safe harbor protection where policies exist on paper but are not operationally implemented.
EU customers:
- If Arda Cards has customers in EU member states, obtain a formal opinion from EU IP counsel confirming that the platform falls outside the Article 17 OCSSP definition. The B2B, non-public-sharing, internal-use nature of the platform strongly supports exclusion, but confirmation provides a defensible record.

End of consultation document. Prepared with reference to U.S. and EU law as of Q1 2026. This analysis is informational in nature and does not create an attorney-client relationship.

Addendum: Supplementary Analysis of Two Additional Scenarios

Addendum to: Copyright Liability for User-Uploaded Images in a B2B SaaS Platform Subject: (1) User copyright verification prompts; (2) Cross-tenant sharing of reference data Date: March 2026

This addendum should be read in conjunction with the primary consultation document. Defined terms and the analytical framework established therein apply throughout.

Addendum 1: Effect of a User-Facing Copyright Verification Prompt

1.1 Description of the Feature

The system presents the user with an explicit acknowledgment at the point of image upload, requiring them to confirm that the uploaded material does not infringe third-party copyrights. The policy states that violation — i.e., uploading infringing material after providing this acknowledgment — constitutes grounds for account termination.

1.2 Effect on DMCA § `512(c)` Safe Harbor Eligibility

This feature directly addresses two of the conditions required for § 512(c) safe harbor protection.

Repeat Infringer Policy Requirement

Safe harbor under § 512(c) requires that the platform “adopt and reasonably implement… a policy that provides for the termination in appropriate circumstances of subscribers and account holders… who are repeat infringers.” 17 U.S.C. § 512(i)(1)(A).

A per-upload verification prompt backed by a stated account termination consequence satisfies this requirement and exceeds the bare minimum. Many platforms satisfy this condition by including a clause in their Terms of Service; Arda Cards’ implementation creates a per-upload record of the user’s affirmative representation, which is operationally and evidentiarily stronger.

Critically, courts have scrutinized whether repeat infringer policies are actually implemented in practice, not merely stated. In Viacom International Inc. v. YouTube, Inc., 676 F.3d 19, 35 (2d Cir. 2012), the court emphasized that the statute requires the policy to be “reasonably implemented” — a paper policy that is never enforced does not qualify. Arda Cards should ensure the termination consequence is applied in practice when violations are confirmed, and maintain records of enforcement actions.

Red Flag Knowledge Mitigation

Safe harbor is unavailable if the platform has “red flag knowledge” — awareness of “facts or circumstances from which infringing activity is apparent.” 17 U.S.C. § 512(c)(1)(A)(ii). Viacom clarified that this requires awareness of specific infringing material, not merely general awareness that infringement might occur on the platform.

A per-upload acknowledgment reinforces the platform’s good faith posture. The user affirmatively represented compliance before the upload was accepted. If a rights holder later claims the platform had red-flag knowledge, Arda Cards can demonstrate that it: (a) required users to certify compliance at each upload, (b) had no independent reason to doubt the certification absent specific notice, and (c) acted expeditiously upon receiving a valid takedown notice.

This does not create a duty to verify the user’s claim. The DMCA does not require pre-screening of uploads. Viacom confirmed that platforms have no general monitoring obligation, and that § 512(c) “knowledge” requires awareness of specific infringing content, not a generalized suspicion. Implementing the acknowledgment does not shift a verification duty onto Arda Cards.

1.3 Effect on Contractual Indemnification

The acknowledgment creates a contractual basis — separate from copyright law — for Arda Cards to seek indemnification from a user whose infringing upload results in a third-party claim. This is distinct from, and cumulative to, the safe harbor analysis. The Terms of Service should make explicit that:

The user warrants ownership of or a license to all uploaded images;
The user agrees to indemnify and hold harmless Arda Cards against any third-party IP claims arising from their uploads; and
The acknowledgment at upload constitutes a representation made under the Terms of Service.

1.4 What the Verification Prompt Does Not Change

Scenario	Effect
URL server-side copy (Method 5b)	No material effect. If Arda Cards’ backend fetches and stores the image, the platform is still the direct copier. The user’s acknowledgment mitigates secondary liability exposure but does not cure the direct infringement issue.
EU Article 17 analysis	No effect. Article 17 operates independently of user representations and imposes affirmative platform obligations regardless of user acknowledgment.
Direct liability for platform-initiated copies	No effect. Where the platform (not the user) makes a copy, safe harbor does not apply regardless of user representations.
Fair use analysis for screenshots	No effect. Whether a screenshot constitutes fair use is a fact-specific inquiry under 17 U.S.C. § 107 unaffected by the upload acknowledgment.

1.5 Summary Assessment

The verification prompt is a net positive with no legal downside. It strengthens safe harbor eligibility, reinforces the red-flag knowledge defense, and establishes a contractual indemnification basis. It should be implemented regardless of other architectural decisions.

Recommended implementation details:

Present the acknowledgment as a mandatory checkbox or affirmative click — not a passive notice.
Log the acknowledgment with a timestamp and the identity of the authenticated user.
Include acknowledgment language in the Terms of Service as a separately defined obligation.
Establish and document an internal enforcement process for acting on confirmed violations.

2.1 Description of the Feature

The platform permits tenants (customer organizations) to share their reference data — including material records and associated images — with other tenants. This may take forms such as: a manufacturer sharing a parts catalog with a supplier, or a shared materials library accessible across a group of related organizations.

2.2 Effect on the “Private Use” Characterization

The primary consultation noted that images in Arda Cards are accessed only within a single authenticated customer workspace — a factor that distinguished the platform from public-facing content sharing services for purposes of both the U.S. public display right analysis and the EU Article 17 OCSSP scoping analysis.

Cross-tenant sharing weakens this characterization to a degree that depends on the access model:

Access Model	”Public” Characterization
Authenticated sharing between specific named tenants (e.g., invite-based)	Remains non-public; access is restricted and controlled
Sharing within a closed industry network with authenticated membership	Likely still non-public; analogous to a private business-to-business data exchange
Sharing via discoverable listings within the platform	Begins to resemble a content catalog; “public” characterization more arguable
Images accessible via unauthenticated public URLs	Public display; full copyright exposure

For U.S. copyright purposes, the public display right under 17 U.S.C. § 106(5) applies to display “to the public.” Courts have not established a precise threshold, but display to a defined, authenticated set of business partners is materially different from broadcast to the general public.

The platform should never expose images via unauthenticated URLs. Doing so would unambiguously constitute public display, defeating the private-use characterization for both U.S. and EU purposes.

2.3 Effect on U.S. Copyright Liability

Distribution Right

Sharing an image with a second tenant organization potentially implicates the distribution right under 17 U.S.C. § 106(3) — the right to distribute copies of the work to the public. Even if the image file remains within Arda Cards’ storage infrastructure, making it accessible to an organization other than the uploader’s constitutes a form of distribution.

This does not automatically create liability for Arda Cards — distribution by the platform occurs at the user’s direction (the sharing tenant initiates the share), which preserves the § 512(c) “storage and access at the direction of the user” framing. However, the distribution right exposure for the user is broader than in the single-tenant case, and Arda Cards’ role as the technical enabler of that distribution is more prominent.

Contributory Liability — Active Role Threshold

Section 512(c) safe harbor is available to providers whose role is passive storage and access provision. Courts have identified an “active role” threshold above which the platform loses the neutrality required for safe harbor. In Viacom v. YouTube, the Second Circuit noted that for an OSP to lose § 512(c) protection on the basis of control, it must have “substantial influence on the activities of users” — such as dictating the appearance of content, curating selections, or directly inducing infringing uploads.

A sharing feature that is purely peer-to-peer and tenant-initiated preserves Arda Cards’ passive-platform posture. A sharing feature that involves platform-facilitated discovery, recommendation, or curation of cross-tenant content — even algorithmically — moves the platform toward an active editorial role that can imperil § 512(c) eligibility.

Recommendation: Keep sharing tenant-initiated and peer-to-peer. Do not implement platform-curated discovery of shared content (e.g., “Popular materials in your industry,” “Suggested catalogs based on your activity”). If discovery features are commercially important, obtain legal review specifically addressing the active role threshold before implementing them.

Direct Financial Benefit Disqualifier

Section 512(c) safe harbor is unavailable if the platform “receives a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity.” 17 U.S.C. § 512(c)(1)(B).

General subscription revenue is not “direct financial benefit” attributable to specific infringing content — this is well-established in the case law. However, if cross-tenant sharing is a premium feature for which Arda Cards charges an additional fee, and an infringing image is shared via that feature, the analysis is more fact-specific. The fee would need to be shown to be “directly attributable” to the infringing content specifically, not merely to the sharing feature generally — a high bar, but one that warrants awareness.

2.4 Effect on EU Article 17 Analysis

The primary consultation concluded that Arda Cards likely falls outside the Article 17 OCSSP definition based on: (a) the B2B cloud service exclusion in the EC’s Article 17 Guidance; (b) the absence of public access; and (c) the absence of profit derived from content exploitation.

Cross-tenant sharing requires this analysis to be revisited.

The B2B Cloud Service Exclusion

The EC’s Article 17 Guidance (June 4, 2021) explicitly excluded “business-to-business cloud services” from the OCSSP definition, citing Dropbox as an example. The rationale is that such services store content for private use, not for making it publicly available as a sharing service.

The Dropbox analogy holds where Arda Cards is purely an internal storage and workflow tool. It becomes less clean when the platform enables content to be shared across organizational boundaries as a deliberate product feature. The question is whether cross-tenant sharing transforms Arda Cards from a “B2B cloud storage service” into something closer to a “B2B content sharing platform” — the latter being a category the Guidance does not explicitly exempt.

The EC Guidance states that OCSSP classification should be determined “on a case-by-case basis, taking the competing role compared to conventional forms of exploitation in the market into account.” A parts/materials reference data exchange between manufacturers — where images are shared for operational reference, not for content consumption — still differs substantially from the YouTube/Facebook paradigm that Article 17 targets. But the argument requires more careful articulation than in the pure single-tenant case.

”Large Amount” Threshold and Profit Orientation

Article 17 applies to services storing “a large amount of copyright-protected works.” The EC Guidance clarifies that there is no fixed numeric threshold; the assessment is qualitative and considers the platform’s scale and nature. Inventory reference images across many manufacturing tenants, potentially shared into a cross-organizational library, could cumulatively constitute a “large amount” more readily than isolated per-tenant storage.

The profit-orientation requirement also warrants attention: the EC Guidance clarifies that the profit motivation must be “linked directly to the profits from the use of the copyrighted works — for example, by placing ads next to the uploaded content.” Arda Cards’ subscription model remains structurally distinct from ad-supported content platforms, but if the sharing feature is positioned as a marketplace or content exchange with associated commercial value, this element should be evaluated.

Conclusion on Article 17

The sharing feature does not definitively bring Arda Cards within Article 17’s scope, but it introduces sufficient uncertainty that the original recommendation — obtaining a formal opinion from EU IP counsel confirming OCSSP exclusion — becomes more urgent. That counsel engagement should explicitly describe the cross-tenant sharing feature and the access model, and ask whether it changes the Article 17 classification.

2.5 Updated Risk Matrix

The following supplements the risk matrix in the primary consultation document, reflecting the effect of cross-tenant sharing:

Factor	Single-Tenant (Original)	With Cross-Tenant Sharing
Public display exposure (U.S.)	Low — private workspace	Moderate — depends on access model; unauthenticated URLs = high
Distribution right exposure (U.S.)	Low	Moderate — sharing to second organization implicates § 106(3)
§ `512(c)` safe harbor — passive posture	Strong	Maintained if sharing is tenant-initiated; at risk if platform curates content
Direct financial benefit disqualifier	Low — general subscription revenue	Low–Moderate — evaluate if sharing is a separately priced feature
Article 17 (EU) applicability	Likely excluded	Uncertain — requires fresh legal analysis
Contributory liability	Low	Moderate if platform facilitates discovery of shared content

Enforce authenticated access at all times. Images shared between tenants must never be accessible via unauthenticated URLs. All cross-tenant access should require authentication and explicit authorization. This is the single most important design constraint for preserving the non-public characterization.
Keep sharing tenant-initiated and peer-to-peer. Sharing should be initiated by the owning tenant (e.g., explicit “share with organization X” action). The platform should not algorithmically surface, recommend, or curate cross-tenant content.
Propagate the copyright acknowledgment to sharing actions. When a tenant shares reference data containing images, present the same copyright acknowledgment at the point of sharing — the sharer should confirm they have the right to share the content with the recipient organization. Log this acknowledgment alongside the original upload acknowledgment.
Revisit EU counsel engagement with sharing feature in scope. The recommendation in the primary consultation to obtain a formal EU IP counsel opinion should explicitly include a description of the cross-tenant sharing feature, the access model, and ask whether it changes the Article 17 OCSSP classification.
Monitor the “active role” threshold. Any future product development involving platform-facilitated discovery, recommendation, or curation of shared content should be reviewed against the § 512(c) active role threshold before implementation.

Summary of Changes to the Original Analysis

Topic	Original Analysis	Revised with Addenda
DMCA repeat infringer policy	Required; implementation not specified	Satisfied by per-upload acknowledgment; must be operationally enforced
Red flag knowledge defense	Available under Viacom standard	Strengthened by per-upload acknowledgment and logged user representations
Contractual indemnification	Recommended in ToS	Grounded in per-upload acknowledgment; log timestamps as evidentiary record
Public display characterization	Strong (single-tenant, authenticated)	Maintained if sharing is authenticated; at risk if unauthenticated URLs used
Distribution right exposure	Low	Moderate with cross-tenant sharing; mitigated by tenant-initiated model
§ `512(c)` passive posture	Strong	Maintained; at risk if platform curates shared content
Article 17 (EU) applicability	Likely excluded	Uncertain with sharing feature; requires fresh EU counsel opinion

End of Addendum. This addendum supplements and should be read together with the primary consultation document dated March 2026. This analysis is informational in nature and does not constitute legal advice or create an attorney-client relationship.