I. Consumer and Online Privacy
Liisa Thomas will be presenting New FTC Guidelines on Online Activities as Advertising on January 19, 2009, at the Chicago Bar Association in Chicago, IL
The New York and Texas state attorneys general entered into settlement agreements with social networking Web site Tagged.com, after the attorneys general concluded that the Web site misappropriated its members’ contact lists and sent out millions of unsolicited and deceptive promotional emails to its members’ contacts. The state attorneys general alleged that Tagged accessed the email contact lists of many of its members to send more than 60 million emails indicating that Tagged members had posted photographs online for their friends to view. The emails were designed to appear as though they were sent directly from a member’s personal email account, rather than from Tagged.com. Recipients of these emails were required to sign up as members of Tagged before discovering that the photographs often did not exist. In addition to paying $500,000 in New York and $250,000 in Texas, Tagged is required to provide clear and conspicuous disclosures when requesting access to a user’s email contacts. A potential class action against Tagged is pending in California for violations of the federal Stored Communications Act and Computer Fraud and Abuse Act.
TIP: Provide clear and conspicuous disclosures and obtain consent prior to accessing your client’s email contacts or personal information for promotional purposes.
Iconix Brand Group, Inc., owner of the Mudd, Candie’s, Bongo and Ocean Pacific brands (brands with wide appeal to children), settled with the Federal Trade Commission (“FTC”) on October 20, 2009, over its information collection practices on many of its brand-specific sites. On those sites, even though Iconix asked users for their date of birth during the registration process, those that provided an age under 13 were nevertheless allowed to register for the site. During the registration process, users were asked to provide a variety of personally identifiable information (including name, email address, and in some instances, mailing address), as well as other demographic information like gender, favorite songs, books, etc. Although the Iconix privacy policy indicated that it did not collect personally identifiable information from children under 13, at least 1,000 children under 13 since 2006 had provided personally identifiable information, according to the FTC complaint. Iconix sent marketing email messages to those children, and on one site, allowed them to publicly post photographs of themselves (which postings indicated the child’s name, age, and state). The FTC alleged that these activities constituted both a violation of the Children’s Online Privacy Protection Act (“COPPA”), which prohibits collecting personal information online from children under 13 without parental consent, as well as Section V of the FTC Act, inasmuch as the privacy representations about obtaining parental consent were inaccurate. The settlement terms mirrored those of prior FTC COPPA cases, including payment of a civil penalty ($250,000) and deletion of children’s personally identifiable information. Iconix also agreed to distribute to all of its employees a copy of an FTC guide describing how to comply with COPPA.
TIP: If you have a Web site that is directed to children – or you knowingly collect information from children under 13 by asking for the user’s age – ensure that you have a mechanism to screen out children under 13 and prevent them from providing you with personally identifiable information. This is the second case that the FTC has brought in less than 12 months on this issue, and companies who do collect age data online should consider checking their intake forms to ensure that they comply with COPPA, and with the representations made in their privacy policies.
Facebook recently settled a class action lawsuit filed in California against its Beacon program. Under the Beacon program, users who visited one or more of the Facebook Beacon-affiliated Web sites and engaged in a triggering activity would have their information regarding their activities on the affiliated Web sites shared with Facebook. The plaintiffs alleged that, inter alia, the Beacon program violated the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Computer Fraud and Abuse Act. Specifically, the plaintiffs claimed that Facebook violated consumers’ privacy rights by failing to properly provide notice of the Beacon marketing and data-sharing activity, and failing to obtain informed consent before acquiring and transmitting personal information from Beacon-affiliated Web sites to Facebook. As part of the settlement, Facebook will establish and administer a cash settlement fund of $9.5 million. The money will be used to establish and operate a privacy foundation devoted to educational programs for users, regulators, and enterprises. The programs will center on critical issues for protecting identity and personal information online. Additionally, Facebook has agreed to terminate the Beacon program.
TIP: In the wake of this settlement, as well as the developments we reported on regarding the FTC’s online behavioral advertising guides and its recent settlement with a major retailer regarding the same, companies that engage in online data sharing for marketing purposes should have plans in place to give notice about their activities and to obtain permission from consumers.
The Federal Trade Commission will hold the first in a series of roundtables on privacy issues on December 7. FTC roundtables are forums for the industry to discuss – and the FTC to learn more about – specific issues. These particular roundtables will focus on privacy challenges associated with new technologies and business practices, and their impact on the use and collection of consumer data. The FTC has announced that two additional roundtables will be held, one in January and a final one in March. In some circumstances, FTC roundtables can lead to new guidelines or regulations from the FTC. It is not clear whether any such guidelines will result from these roundtables, which are slated to cover mobile marketing, social networking, cloud computing, online behavioral advertising, and information-collection practices by retailers, data brokers, and third-party applications. According to the FTC, the goal of the privacy roundtables is to “determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.”
TIP: If your company engages in any of these activities, you may wish to participate in the roundtables, the first of which will be held on December 7, 2009, at the FTC Conference Center. There is still time to submit written comments prior to the second roundtable; comments are due by December 21, 2009.
The Minnesota Court of Appeals held that the posting of information on a MySpace.com page, which was viewable by anyone with an Internet connection, constituted dissemination of information to the public even if only a few people actually saw it. Plaintiff, who was estranged from her husband, visited a medical clinic to obtain a screening for sexually transmitted diseases based on intercourse with a new partner. Defendant, an employee at the clinic and an acquaintance of plaintiff, became curious when she saw plaintiff and accessed plaintiff’s medical file. Defendant then passed the information on to second defendant, who was also an acquaintance of plaintiff and an employee of a related clinic. Plaintiff was subsequently identified on a MySpace.com web page, which posting included her picture and information that she was cheating on her husband and was getting checked for sexually transmitted diseases. Plaintiff filed suit against defendant for publication of private facts, among other claims. The lower court granted summary judgment on the invasion-of-privacy claim, finding that there was no “publicity” since plaintiff could only establish that six people had seen the Web site. On appeal, the Minnesota Court of Appeals found that publication of the information on a publicly available Web site did constitute “publicity” even if only a small number of people actually saw it, analogizing to a person publishing information in the newspaper which few people actually saw, or announcing it on the radio late at night when few people were listening. However, the court still ruled in favor of defendant, since the plaintiff could not establish that defendant posted the web page.
TIP: Keep in mind that when posting on a public Web site, anyone will be able to view the information, and if legal questions arise, courts are unlikely to view the posting as “private,” even if only a few people actually read the posting.
II. Liability Shields and Content Protection
A janitorial supply corporation, Master Maintenance, hired a third-party Web developer, West Central Ohio Internet Link, Ltd., to redesign its Web site. As part of the site redesign, the parties agreed that there should be photographs of the janitorial supplies sold by Master Maintenance. In updating the site, one of West Central’s employees uploaded several photographs, including four owned by Corbis Corporation, a visual solutions provider and owner of, among other things, a large collection of photographs. In promoting its services, Corbis makes available for viewing low-resolution images in an online gallery. In finding at summary judgment that not only was West Central liable for copyright infringement, but Master Maintenance was also liable for vicarious infringement, the court noted that Master Maintenance had (1) received a direct financial benefit from the infringement, and (2) had the right and ability to stop the infringement—the company’s employees were responsible for approving all changes made by West Central to the site—but failed to do so.
TIP: When hiring a Web site developer, be sure to ask your developer where its content has come from. If acting as a Web site developer, be sure to educate employees about what content can and cannot be used. Since content is so easy to find and copy on the Internet, employees need to understand that just because something is on the Internet does not mean that it is free for the taking.
A unanimous jury in the U.S. District Court for the Northern District of California found that two ISPs committed contributory trademark infringement and copyright infringement against Louis Vuitton Malettier S.A. for failing to block Web sites offering counterfeit Louis Vuitton merchandise. Louis Vuitton was awarded $31.5 million in statutory damages for contributory trademark infringement, and $900,000 in damages for contributory copyright infringement. Louis Vuitton sent the ISPs 19 notices informing them that Web sites they were hosting were offering infringing merchandise for sale. When the ISPs failed to disable the Web sites, Louis Vuitton filed suit. Notably, the jury found that the ISPs were not entitled to the Digital Millennium Copyright Act’s safe-harbor provisions, which would have protected them from liability for contributory copyright infringement, because the ISPs had actual knowledge of the infringements.
TIP: Companies should take prompt action when notified of potential trademark or copyright violations in third-party or user-generated content on their Web sites, or risk liability.
The New York Supreme Court recently granted Facebook, Inc.’s motion to dismiss a pending defamation action because the court concluded that Facebook was immune from liability under the Communications Decency Act (“CDA”) as an interactive computer service. The plaintiff had alleged that four of her high school classmates created a Facebook group in which her classmates posted defamatory statements regarding the plaintiff. After Facebook moved to dismiss the case based upon CDA immunity, the plaintiff argued that because Facebook’s Terms of Use grant Facebook an ownership interest in the alleged defamatory content, CDA immunity is unavailable to Facebook. The court disagreed and concluded that ownership of posted content is irrelevant to a determination of whether CDA immunity should apply. The court held that as long as the defendant is an interactive computer service and the allegedly defamatory content is provided by a third party, the defendant is immune from liability under the CDA.
TIP: Notwithstanding the outcome in this case, Web sites and other user-generated content aggregators should consider whether a true need to own submitted content exists, or whether a license would suffice.
Thomas Dart, a sheriff in Cook County, Illinois, filed suit against online classified advertiser Craigslist, Inc. in the U.S. District Court for the Northern District of Illinois for creating a public nuisance by facilitating prostitution. Dart sought an injunction to prohibit Craigslist, Inc. from continuing to facilitate prostitution and to recover expenses and time incurred by his department in policing prostitution facilitated by Craigslist, Inc., as well as compensatory and punitive damages. Craigslist, Inc. moved for summary judgment on the ground that it is an interactive computer service shielded by the CDA, which states that “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 U.S.C. § 230(c)(1).
Dart attempted to distinguish his case from a previous Seventh Circuit decision, Chicago Lawyer’s Committee for Civil Rights Under Law, Inc. v. Craigslist, Inc., in which the court found that Craigslist, Inc. was immune from liability under the CDA for discriminatory housing ads that violated the Fair Housing Act. Dart argued that Craigslist, Inc. did not qualify for immunity under the CDA, because it encouraged the illegal ads by creating categories with titles such as “erotic” and “adult,” and cited the Ninth Circuit’s decision in Fair Housing Council of San Fernando Valley v. Roomates.com. In Roomates.com, the Ninth Circuit denied Roomates.com immunity under the CDA for publishing discriminatory ads because the Web site required each subscriber to disclose personal information, including sex, sexual orientation, and whether they will bring children into their household, in violation of the Fair Housing Act, via drop-down lists created by the Web site. The court disagreed with Dart and granted summary judgment to Craigslist.com, finding that “The phrase ‘adult,’ even in conjunction with ‘services’ is not unlawful in itself nor does it necessarily call for unlawful conduct.”
TIP: Companies will likely be immune from liability under the CDA for creating categories for content posted on their Web sites by others as long as the category name does not necessarily call for content or conduct that is illegal.
A federal court recently affirmed that Veoh Networks, an online video Web site, qualified for safe-harbor protection under the Digital Millennium Copyright Act ("DMCA"). The court found that Veoh satisfied the safe-harbor requirements where it established a DMCA policy, actively took steps to limit infringement on the site, and removed infringing material when notified. Universal argued that Veoh was not eligible for the safe harbor because the company’s founders, employees, and investors allegedly knew of the infringing activity on the Web site. The court found that knowledge of such infringement on most Web sites is common, and not enough to disqualify Veoh from safe-harbor protections.
TIP: If you allow users to post to your Web site, ensure that you have a DMCA take-down policy in place and that you take down alleged infringing content upon appropriate notice.
III. Online Contracts
Twitter recently amended its Web site terms of use to emphasize that users own their own postings. The changes still grant Twitter a broad license to use Tweets. Twitter’s terms also permit others to publish users’ Tweets via the Twitter API. While guidelines for the API are still being developed, they will likely include a requirement that when a user republishes a Tweet via the Twitter API, he/she identifies the author of the Tweet, does not edit the Tweet, and obtains permission prior to using the Tweet in a commercial product (such as a book, poster or t-shirt). The terms also “leave the door open for advertising” by indicating to users that the company and its partners may place advertising on the site in connection with user-submitted posts.
TIP: Based on Twitter’s policy, it seems that Tweets may be republished without permission on Web sites and other online means via the Twitter API, but the new rules don’t seem to clarify whether Tweets can be used for traditional advertising functions (e.g., for use in a print ad).
The U.S. District Court for the Eastern District of New York held that Overstock.com’s terms and conditions were not enforceable against its customers who did not actually read the terms. Plaintiff purchased a vacuum cleaner from Web retailer Overstock.com, and when she returned the item, she was charged a $30 restocking fee. The Overstock.com Web site contains a link at the bottom of the page labeled “Terms and Conditions,” which govern use of the Web site and customer purchases and state that “Entering this site will constitute your acceptance of these Terms and Conditions.” Customers are not required to accept the Terms and Conditions when either entering the Web site or when completing a purchase. When plaintiff filed suit, Overstock.com attempted to enforce the arbitration provision in the Terms and Conditions. Overstock.com argued that all users of the Web site are advised of the company’s terms and conditions prior to entering the Web site. The court rejected that argument, finding that plaintiff lacked notice of the Terms and Conditions because the Web site did not prompt her to review the Terms and Conditions, nor was the link prominently displayed so as to provide reasonable notice of the existence of the Terms and Conditions.
TIP: Companies should prominently display a link to their terms and conditions or require click-through acceptance of the terms and conditions on their Web sites to ensure that the terms and conditions are enforceable against visitors and users of the Web sites.
CoStar Realty Information Inc., a national commercial real estate information services provider, granted a license for its databases to Copier Country. Under the license, two identified authorized users were given access. The database contained information about New York City’s real estate market. The license prohibited Copier from: (a) providing third parties with access to or use of the CoStar database service; (b) sub-licensing or reselling CoStar’s information services to others; (c) sharing the Copier-specific ID and password; and (d) storing, copying, or exporting any portion of the licensed CoStar database service into any database or other software program, except as permitted by the CoStar-Resource License Agreement or by express written consent of CoStar. Notwithstanding these terms, Copier allegedly gave the access information of its two identified users to a third party, Dunman Realty, which third party used the information to access the database. CoStar brought suit, arguing that Copier had breached the license, and that Dunman had breached CoStar’s terms of use by using CoStar’s products without authorization. The court rejected Copier and Dunman’s motion to dismiss for lack of jurisdiction. The court found that both Copier (expressly) and Dunman (implicitly) consented to the forum selection clauses included in both the license agreement and the database’s Terms of Use.
TIP: In addition to having clear license agreements in place to protect databases or products you might license to authorized users, consider also having online terms that can be used to bind non-authorized users who may gain access through nefarious means.
A Washington court recently held that an individual who resold packages of software did not commit copyright infringement under the “first-sale doctrine,” which allows the owner of a copyrighted work to resell that copy. In the case, an individual, Vernon, who makes his living selling merchandise on eBay, obtained several software disks in their original packaging from CTA, a company which originally obtained the disks from Autodesk, a software manufacturer and owner of the copyright for the software. The software disk’s case contained a sticker indicating that the software was subject to a license agreement, which agreement was displayed on-screen during installation. A copy was also included in the box. Upon learning of Vernon’s attempt to sell several packages of its software on eBay, Autodesk contacted eBay and asked that the auctions be halted as a violation of the Copyright Act. In response, Vernon filed suit seeking a declaratory ruling that his sales of the software did not constitute an infringement. Both sides filed motions for summary judgment. The court noted a split in Ninth Circuit cases regarding whether a software transaction is a sale (and as such Vernon would have had the right to sell the software) or a license (which would mean that Vernon should not have sold the software). The court resolved the conflict by looking at the agreement that came with the software disks. In that agreement, while there were numerous restrictions on use of the software and a requirement that the user destroy older versions of the software in the event of an upgrade, there were no provisions requiring return of the software to Autodesk or destruction of the software if the user did not upgrade to a newer version. As such, the user was essentially able to retain possession of the software indefinitely as long as the purchaser did not upgrade to a newer version. The court concluded that the transaction thus constituted a sale, not a license. 
Accordingly, the court held that Vernon was an owner of the software and was protected by the first-sale doctrine, which gave him the right to sell the software, and granted summary judgment to him on the issue of copyright infringement.
TIP: Software manufacturers who wish to prevent resale of their software should include provisions in their license agreements which provide for return or destruction of the software should the purchaser attempt to sell or transfer the software to a third party without the manufacturer’s authorization.
IV. Data Breach and Data Security
A Texas fitness center settled with the State of Texas over allegations that the fitness center allowed their customers’ sensitive personal information to be left in a trash area without adequate protection. The Texas Attorney General indicated that when the fitness center was moving one of their facilities, a filing cabinet containing personal-training contracts and personal information, including Social Security and driver’s license numbers, was found in a dumpster. Cornerstone Fitness Texas and the State of Texas stipulated to a final judgment and permanent injunction that bars Cornerstone Fitness from improperly disposing of records containing personal information and requires Cornerstone to pay $28,000 to the state. The stipulated order requires that when disposing of records that contain personal information, Cornerstone Fitness must modify the records to make the personal information unreadable, through shredding, erasing or other means. The court also ordered that Cornerstone Fitness adopt and maintain an Information Security and Safe Disposal Program to safeguard against the unlawful use, disposal, or disclosure of personal information. The stipulated judgment did not constitute an admission of liability.
TIP: If you collect and maintain personally identifiable information, be sure that you not only have measures in place to safeguard that information while it is in your possession, but also have a process in place to ensure that when you no longer need the storage media on which the data is stored (whether it is in paper or electronic form), the media are disposed of – and destroyed – in such a way that a third party cannot access the personally identifiable information.
The PCI Security Standards Council issued guidelines for organizations which store, process or transmit cardholder data using wireless LAN technology as well as those who audit for compliance with the PCI’s Data Security Standard. The guidelines set forth the requirements for such organizations to secure their networks from unauthorized access, including (1) maintaining an up-to-date hardware inventory; (2) scanning to look for unauthorized access points; (3) ensuring physical security of wireless devices to prevent theft or other unauthorized physical access; (4) periodically changing the default settings of access points; (5) using strong wireless authentication and encryption methods; and (6) developing and enforcing wireless usage policies.
TIP: Companies that collect, process or transmit cardholder data are likely subject contractually to the PCI standards, and should thus ensure that they are familiar with, and adhere to, the wireless transmission guidance. In general, it is important that companies ensure that they have properly secured their wireless networks, and the guidance can help provide direction in that regard.
V. Financial Privacy
On November 17, eight federal regulatory agencies, including the FTC, FDIC, and Federal Reserve, released a final privacy rule and model form (collectively, the “privacy rule”) under the Gramm-Leach-Bliley Act. The model form is intended to make it easier for consumers to understand how financial institutions collect and share information about consumers, and give consumers the right to opt out of certain information-sharing practices. Although financial institutions are not required to use the model form, it does provide them with a safe harbor for compliance with the disclosure requirements of the privacy rule. The rule also eliminates, after a transition period, the safe harbor provided by the agencies’ sample notices in the prior versions of the privacy rule. Most provisions of the privacy rule take effect on January 1, 2010.
TIP: If you are a financial institution subject to the Gramm-Leach-Bliley Act, you should review your consumer privacy disclosure forms and practices to determine whether they comply with the new privacy rule.
On October 30, 2009, the Fair Trade Commission announced the fourth delay in the enforcement date for the Red Flags Rule, from November 1, 2009, until June 1, 2010. The latest delay permits Congress to further review the issue regarding whether certain types of entities should be excluded from the application of the Red Flags Rule. Recently, under the Red Flags Rule, a company is required to develop and implement policies and procedures designed to identify and prevent identity theft from certain “covered accounts.” A “covered account” includes consumer accounts, a mortgage, and certain business accounts. In order to determine which business accounts would be deemed to be “covered accounts,” an institution must conduct a risk assessment of its business accounts and identify whether the business accounts could be at risk for identity theft.
TIP: If you are covered by the Red Flags Rule, you should consider completing the following steps to ensure compliance by June 1, 2010: (1) review the existing customer base to identify any accounts maintained for personal, family, or household purposes; (2) review the existing customer base to identify any business accounts; (3) perform a risk assessment for each business account and stratify the identity-theft risk associated with each account; (4) develop and implement policies and procedures no later than June 1, 2010; and (5) review the policies and procedures and customer base on a periodic basis for any changes in identity-theft risks, and revise the policies and procedures as necessary.
VI. Workplace Privacy
LVRC Holdings, LLC (“LVRC”) sued its former employee, Christopher Brekka, and his consulting business, Employee Business Solutions, Inc. (“EBSN”), alleging that Brekka violated the Consumer Fraud and Abuse Act (“CFAA”) by accessing LVRC’s computer without authorization during and after Brekka was employed at LVRC. In affirming the lower court’s ruling in favor of Brekka, the Ninth Circuit found that Brekka was authorized to use LVRC’s computer while he was employed at LVRC. Therefore, Brekka did not violate the CFAA by emailing documents to himself or his wife on his personal computer before leaving LVRC. Additionally, Brekka did not exceed his authorized access because Brekka was permitted to obtain the documents that he emailed. Additionally, the court determined that there were insufficient material facts to establish that Brekka accessed LVRC’s computers without authorization after he left LVRC.
TIP: Companies should review their policies regarding use of company data and documents to confirm that such policies clearly detail employees’ authorized use of company data and technology.
A former employee filed suit against Scotts LawnService for violation of his right to privacy under Massachusetts state law after Scotts fired him for testing positive for the use of nicotine. Scotts prohibits employees from using tobacco at any time and it is Scotts’ policy not to hire tobacco users. When the employee was hired, he provided a voluntary urine sample, and after the sample tested positive for nicotine, he was fired. Following his termination, the ex-employee filed suit for violation of Massachusetts’ state privacy law, which provides: “A person shall have a right against unreasonable, substantial or serious interference with his privacy.” The court granted summary judgment in favor of Scotts, finding that the former employee did not have a protected privacy interest in the fact that he is a smoker because he has not attempted to keep that fact private. The court held that an individual’s right to privacy is not invaded if the facts at issue “are already in the public domain.”
TIP: When administering drug tests, take care to ensure that the test is being administered in accordance with applicable state and/or federal laws.
VII. International Privacy Issues
Under the laws of various EU member states, pursuant to the EU Data Privacy Directive, there are restrictions on the ability of corporations based in EU countries to send data to non-EU countries whose laws fail to provide an “adequate” level of data protection. There are many ways to overcome the restriction, one of which is for a corporation to create its own internal “binding corporate rules” and to have those rules ratified and approved by the data protection authorities in the EU member states. There has been some concern in the past, as we have reported, over the difficulty in getting all data protection authorities to approve the same set of binding corporate rules. The recent approval by 14 member states of eBay’s rules is a good sign that this process may work for other companies in the future. Indeed, many suspect that the use of the process may increase now that eBay has successfully gone through it.
TIP: If your company finds itself in need of transferring data across borders, creating and adopting binding corporate rules is beginning to look like a more feasible option, and may be something to consider.
The Asia-Pacific Economic Cooperation (“APEC”) recently approved an initiative to facilitate the transfer of data across the borders of APEC countries, which details recommendations for data privacy, protection, and enforcement. The APEC Cooperation Arrangement for Cross-Border Privacy Enforcement is voluntary, and does not create any obligation under the laws of the participating countries. The agreement aims to allow participating countries to establish mechanisms to effectively promote cross-border data transfer, including through referrals of matters and through parallel or joint investigations or enforcement actions in the event of a data or security breach. The Cooperation Agreement will become effective one month after APEC’s Electronic Commerce Steering Group appoints an Administrator, or at a later date if specified by the ECSG.
TIP: While non-binding, the agreement suggests that it may soon be easier for companies to share data across borders, as it creates a more uniform standard under which countries that restrict such transfers may allow them to occur.
Effective December 1, the EU’s ePrivacy Directive (2002/58/EC) has been amended to require that Internet service providers and telecommunications companies obtain consent from consumers before cookies are downloaded onto their computers. In addition, these same entities must provide notice to consumers if there is a breach of the consumers’ information. Directives are not directly applicable to companies; instead, member states must pass national laws to implement the directives’ requirements on companies in their countries. There is thus some time before companies will need to start following these requirements. Namely, the amendment provides that national laws must be in place by June 2011.
TIP: Even though these requirements will not go into effect until 2011, companies that operate in the online space in Europe should begin thinking now about how they will obtain consent for cookie usage. Those that operate in the U.S. are no doubt already familiar with the process for notifying consumers in the event of a breach.
If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:
CHICAGO
Liisa M. Thomas (Advertising), (312) 558-8121
Monique Bhargava (Advertising), (312) 558-3732
Stephen P. Durchslag (Advertising), (312) 558-5288
Christine A. Edwards (Financial Services), (312) 558-5571
Brian D. Fergemann (Advertising), (312) 558-8024
Delilah B. Flaum (Health Care, Litigation), (312) 558-8922
Jason W. Gordon (Advertising), (312) 558-6145
Brian L. Heidelberger (Advertising), (312) 558-5897
Mary Hutchings Reed (Advertising), (312) 558-5721
Michael Melbinger (Employee Benefits), (312) 558-7588
Robert H. Newman (Advertising), (312) 558-8125
Michael Philipp (Financial Services), (312) 558-5905
Cardelle B. Spangler (Labor & Employment, Litigation), (312) 558-7541
Marc H. Trachtenberg (Advertising), (312) 558-7964

NEW YORK
Virginia R. Richard (Intellectual Property), (212) 294-4639

PARIS
Sébastian Ducamp (Employment, Litigation), 33 0(1) 53 64 82 08
Blaise Deltombe (Employment, Litigation), 33 0(1) 53 64 82 31
Nathalie Hadjadj-Cazier (Intellectual Property), 33 (0)1 53 64 81 50
Vanessa Lerner (Employment, Health), 33 0(1) 53 64 82 70
Gwendaline Sarrat (Intellectual Property), 33 (0) 1 53 64 82 47

SAN FRANCISCO
David S. Bloch (Intellectual Property, Litigation), (415) 591-1452
Andrew P. Bridges (Intellectual Property), (415) 591-1482
Kimberly E. Eckhart (Intellectual Property), (415) 591-6805
Jennifer A. Golinveaux (Intellectual Property, Litigation), (415) 591-1056
Becky L. Troutman (Intellectual Property), (415) 591-1401

LONDON
Zoe Ashcroft (Corporate, Financial), 44 (0)20 7105 0025
Danvers Baillieu (Litigation, Financial), 44 (0)20 7105 0017
Barry Vitou (Corporate, Financial), 44 (0)20 7105 0018

WASHINGTON, D.C.
Richard P. Gilly (Intellectual Property), (202) 282-5853
Marion K. Goldberg (Health Care), (202) 282-5788
Michael A. Mancusi (Financial Services), (202) 282-5729
Paul S. Pilecki (Financial Services), (202) 282-5730

LOS ANGELES
Steven D. Atlee (Litigation), (213) 615-1827
Anna S. Masters (Labor and Employment), (213) 615-1711
Evan R. Moses (Labor and Employment), (213) 615-1713

Attorney Advertising Materials
These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.
Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).
Copyright © 2009. Winston & Strawn LLP.