Winston Client Bulletin

Third Quarter 2007

In This Issue:


I. ONLINE COMMERCE

  1. New York Passes Online Shopping Law
  2. Purchase of Another Company's Trademark as a Keyword Not Infringing
  3. Web Site Not Immune for Information It Helped to Create and Develop
  4. Responding to An Online Solicitation Does Not Create a Contract

II. EMPLOYEE, WORKPLACE AND PERSONAL PRIVACY

  1. Vermont One of Many States with SSN Protection Laws
  2. Marketers to Pay More Than $1 Million in Penalties for Selling Consumer Data
  3. Former Employee Files Class Action Against Pfizer Over SSN Disclosure
  4. Department of Homeland Security Publishes "No-Match" Regulation

III. HEALTH PRIVACY AND SECURITY

  1. Better Education Needed on State Health Information Privacy Laws' Applicability
  2. New York Ruling on State Law Exception to Physician-Patient Privilege
  3. Revisions to HIPAA Privacy Rules Proposed
  4. New Laws Limiting Disclosure of Prescribing Information Challenged

IV. FINANCIAL PRIVACY

  1. Lawsuits Filed to Enforce Federal Consumer Privacy Law
  2. Minnesota First to Enact Breach Law Making Retailers Liable to Banks for Breach Costs
  3. State Ban on Sale of Mortgage-Trigger Lists Preempted
  4. Amended National Security Letter Statute Still Unconstitutional

V. TECHNOLOGY LICENSING

  1. New District Court Decision Denies Injunctive Relief for Open Source License Violation
  2. Use of Photo on Web Site After License Term Constitutes Infringement

VI. GLOBAL PRIVACY ISSUES

  1. Progress Made in E.U. for Use of Binding Corporate Rules
  2. Protective Measures for the Processing of Customers' Personal Information
  3. USB Keys in France
  4. U.K. Data Protection Office Brings Privacy Issues
  5. The French Data Protection Authority Fines Tyco Healthcare France
  6. Spain Issues Rules on Corporate Whistleblowing Mechanisms
  7. The French Data Protection Authority Releases 2006-2007 Report


I. ONLINE COMMERCE

A. New York Passes Online Shopping Law

A New York law was recently enacted that affords online consumers the same protections as those who make purchases over the phone or through the mail. Those protections include that: (a) orders cannot be accepted for merchandise that cannot be reasonably anticipated to be shipped within 30 days; (b) all advertising and promotional materials that contain a post office box address must prominently feature the legal name of the company, complete street address, and details about the conditions under which a refund will be issued; (c) if products fail to ship within 30 days, the company must clearly provide the buyer with the opportunity to cancel the order and receive a refund or receive substitute merchandise; and (d) companies must maintain records of all complaints of failure to ship merchandise or provide advertised services.

TIP: The New York law regarding selling merchandise via mail seems to be even more restrictive than the federal Mail Order Rule. Given that New York recently enacted this law to apply to Internet sellers, it would seem that the New York Attorney General may be particularly proactive in enforcing this law in the coming months. Please pay special attention to its requirements.

B. Purchase of Another Company's Trademark As a Keyword Not Infringing

Peachtree Settlement Funding purchased J.G. Wentworth’s name as a “keyword” under an advertising program offered by an Internet search engine. When an Internet user conducted a search using “J.G. Wentworth,” Peachtree’s Web site appeared in a list of search results. J.G. Wentworth sued Peachtree for the purchase of such keyword, claiming that it amounted to trademark infringement. However, a United States District Court in Pennsylvania found that Peachtree’s purchase of the keyword did not amount to actionable likelihood of confusion. The court based its decision on the fact that Peachtree’s Web site only appeared on a list of search results and that potential customers were not taken directly to the competitor’s site. As such, Peachtree was not alleged to have used the marks in any way discernable to potential customers.

TIP: The purchasing of a competitor’s name via a keyword advertising program is the subject of significant ongoing debate, with this case providing some support for its legality.

C. Web Site Not Immune For Information It Helped to Create and Develop

Roommates.com operates an online roommate matching Web site that helps individuals find roommates based on descriptions of themselves and their roommate preferences. To become members of Roommate, users respond to a series of online questionnaires by choosing from answers in drop-down and select-a-box menus. Users must disclose information about themselves and their roommate preferences based on such characteristics as age, sex and whether children will live in the household. They can then provide “Additional Comments” through an open-ended essay prompt. Roommate’s free membership allows users to create personal profiles, search lists of compatible roommates, and send “roommail” messages to other members. The Fair Housing Councils of San Fernando Valley and San Diego filed suit in federal district court against Roommates.com, claiming that Roommates.com violated the Fair Housing Act (“FHA”), which prohibits discrimination in housing. They alleged that, because the questionnaire asks for demographic information, the Web site posts material that could enable site users to discriminate against others.

Roommates.com claimed it was immune from such claims under the Communications Decency Act (“CDA”), which provides immunity for interactive computer service providers. However, the Ninth Circuit held that while Roommates.com was immune under the CDA so long as it merely published information provided by its members, it was not immune for publishing materials for which it was an information content provider. Roommates.com had become a content provider of certain information because it was responsible for the questionnaires it had created and developed, which asked potential customers about themselves and their preferences (e.g., living with children, living with people of various sexual orientations), arguably in violation of the Fair Housing Act.

TIP: While the CDA does provide protection for Web site owners against third-party content posted to its site, a Web site must be very careful about participating in the creation of consumer content posted to its site, as such participation may eliminate the site’s immunity under the CDA.

D. Responding to an Online Solicitation Does Not Create a Contract

The American Association for the Advancement of Science's online magazine, ScienceNOW, posted a request for "news tips" from users. According to the advertisement, tips would be "investigated for suitability as a news item in ScienceNOW or perhaps even an article in Science," the AAAS's flagship magazine. Responding to this message, Swedish physician Erik Trell submitted a treatise purporting to solve Beal's Conjecture. The editors rejected Dr. Trell's submission: It was not "news," after all, and in any event did not appear to solve Beal's Conjecture. In response, Dr. Trell sued for breach of contract, claiming that the ScienceNOW solicitation created a binding obligation to publish all submissions.

The District Court for the Western District of New York rejected Dr. Trell's claims and dismissed his suit with prejudice. "Quite simply, the Court finds that the advertisement for 'news tips' on the ScienceNOW Web site cannot be construed as an offer, nor did it in any way create a unilateral contract." This is in keeping with ordinary principles of contract law, under which a contract does not form unless both parties have assented to be bound by agreed-upon terms. Advertisements and solicitations—like the request for "news tips" from ScienceNOW—are not offers. Instead, they invite readers to make offers, which the advertising party can accept or reject.

TIP: The Internet has changed a lot of things, but the basic rules of contract law still apply. Ordinarily, an advertisement is not a contract, but merely an offer to enter a contract (or not) at some later date. An ad will create a binding contract only where it “clearly communicates an offer that is definite, explicit and leaves nothing open for negotiation.”


II. EMPLOYEE, WORKPLACE AND PERSONAL PRIVACY

A. Vermont One of Many States with SSN Protection Laws

The Vermont Attorney General recently issued guidance to businesses on the use of social security numbers under the state’s law regarding the protection of personal information. Under the SSN protection provisions of the law, which went into effect on July 1, businesses cannot sell or disclose SSNs to third parties without written consent, make SSNs publicly available, put SSNs on cards used to access products or services or on mailed materials, require online transmission of SSNs through an unsecured connection, or require a person to use an SSN to access a Web site (unless another authentication method, like a password, is also required). The Vermont law is similar to those in place in many other states.

TIP: If your business has not already done so, it should find non-SSN methods to identify its consumers, and should not include SSNs on mailed materials, including bills, statements, and the like.

B. Marketers to Pay More Than $1 Million in Penalties for Selling Consumer Data

Eight online marketing companies — Consumer Digital Services, Privasafe, JSE Direct, SurfSafe Internet Services, Leverage-CDS, CDS Family Trust, AMP-CDS, and JG-CDS — and Gary Salmirs (Leverage-CDS manager) were sued by the state of Washington for violating the state Consumer Protection Act. The companies offered consumers free merchandise in exchange for consumers’ personal information, including name, address, and e-mail address. Although the merchandise was marketed as being “free,” consumers were charged for multiple services on their phone bills. In addition, consumer privacy was alleged to have been violated, inasmuch as consumers were told that their information would be protected, including from “unscrupulous marketers.” Despite that representation, the information was sold to third parties, the Washington attorney general’s office alleged in its complaint. In a consent decree approved in late June, the marketers agreed to pay $750,000 in consumer refunds and $300,000 in civil fines and attorneys' fees.

TIP: Be careful when making marketing statements regarding your company’s privacy policies. Simple statements like “We will protect your privacy” will be viewed with great care when determining the obligations that a company has to its consumers.

C. Former Employee Files Class Action Against Pfizer Over SSN Disclosure

Terry L. Horne, a former Pfizer Inc. employee, is suing Pfizer in the United States District Court for the Middle District of Louisiana on behalf of himself and "all present and former Pfizer employees whose names, [social security numbers], and/or other personal information Pfizer disclosed without authorization to third parties." The lawsuit stems from an incident in which 2,300 computer files stored on an employee's laptop were inadvertently exposed to third parties when that employee's spouse installed unauthorized file-sharing software. Pfizer is alleged to have sent a letter dated June 1, 2007 advising present and former employees that files containing names, SSNs, and in some instances addresses of 17,000 present and former Pfizer employees were disclosed to third parties. Mr. Horne alleges that Pfizer breached its fiduciary duties and violated Louisiana's Database Security Breach Notification Law. The suit also alleges that Pfizer's offered remedies—one year of credit monitoring and one year of identity theft insurance—were "wholly inadequate." Mr. Horne seeks long-term identity theft insurance for himself and the class or establishment of a damages fund.

TIP: If your employees hold confidential and/or private information on their computers, be sure to take steps to prevent the downloading of file-sharing or other software that may permit third parties to access saved information. You should also limit, when possible, the amount of private employee and client information that is stored locally on laptop or other mobile computers.

D. Department of Homeland Security Publishes "No-Match" Regulation

On August 10, 2007, the Department of Homeland Security issued a new "No-Match" regulation aimed at helping the government identify and crack down on employers who knowingly hire illegal workers. The regulation, which was published in the Federal Register on August 15, 2007 (72 Fed. Reg. 45611), states that the Social Security Administration will send an employer a "no-match" letter if an employer has employees whose names and corresponding social security numbers or immigration status documents fail to match the records of the agency. The regulation states that employers who receive the "no-match" letter may be deemed to have constructive knowledge that an employee has submitted a false social security number and/or is an unauthorized alien. The government may also hold employers liable if they ignore the "no-match" letter and fail to take specified steps within 90 days of receiving the letter. The regulation also creates a "safe harbor" period in which an employer can investigate and correct mistaken information. The regulation was due to go into effect on September 14; however, in response to a suit filed by a broad coalition of entities, the Ninth Circuit issued a temporary order restraining DHS and the Social Security Administration from sending out "no-match" letters. The U.S. Chamber of Commerce and the National Restaurant Association have also opposed the new law.

TIP: Employers should monitor how the government enforces this new regulation, as it may result in faster action by the Department of Homeland Security. If you should receive a "no-match" letter, it is important to promptly consider and implement the required steps set forth in the regulation.


III. HEALTH PRIVACY AND SECURITY

A. Better Education Needed on State Health Information Privacy Laws' Applicability

A study commissioned by the U.S. Department of Health and Human Services found that most U.S. doctors and other health care providers believe that HIPAA trumps state privacy laws, even though HIPAA clearly states that more stringent state laws must be followed. The study, part of the Health Information Security and Privacy Collaboration (HISPC) project, also found varying interpretations of the HIPAA privacy and security rules as well as inconsistencies between federal and state privacy laws. Better physician and provider education is needed to make sure HIPAA rules are applied consistently and more stringent state privacy laws are followed. Teaching the basic tenets of state medical privacy laws to non-lawyers may be particularly difficult since many state privacy laws were enacted to apply to paper records and sometimes do not sensibly apply to electronic records. However, without a consistent approach to HIPAA rules and state law applications, the implementation of a nationwide electronic health information network will be even more difficult. HISPC participants from a number of states are currently working on model outreach and education programs to address these issues.

TIP: Consider educational programs or training for physicians and other health care providers to make sure they understand the relationship between HIPAA and state privacy laws to avoid liability issues and streamline information networks.

B. New York Ruling on State Law Exception to Physician-Patient Privilege

A New York state court ruled that the state physician-patient privilege does not protect patient records from disclosure in a fraud investigation. The court in In Re Application of Bergamo Medical refused in July to quash grand jury subpoenas seeking patient medical information issued as part of a state investigation into "no fault" insurance fraud. Noting that New York courts had already created a physician-patient privilege exception in Medicare and Medicaid fraud investigations, the court concluded that an exception should apply to state fraud investigations. The court also noted that grand jury proceedings are secret such that no grand juror or other person may disclose grand jury documents or evidence without a court order. The court, however, also indicated that the physicians could withhold patient information if they could establish the information was both privileged and irrelevant to the fraud investigation.

TIP: Medical information is not likely to be protected from either state or federal investigative subpoenas unless you can show it is both privileged and irrelevant to the investigations.

C. Revisions to HIPAA Privacy Rules Proposed

United States Senators Patrick Leahy and Edward Kennedy have introduced the Health Information Privacy and Security Act (S. 1814) to revise some of the HIPAA privacy rules and create new privacy safeguards for health care information. Senator Kennedy contends that the current system is "tilted too far against patient privacy" and that the bill "is a needed effort to correct that imbalance." Among the provisions of the proposed legislation are requirements to notify individuals when data corruption or loss of health information is discovered and the establishment of a new office within HHS to investigate alleged violations, conduct audits and establish compliance guidelines. The bill also provides criminal penalties for wrongful disclosure or use of protected health information, and requires regulations debarring health care entities from receiving federal funds if they are found guilty. The legislation further requires the Secretary of HHS to revise HIPAA as needed to make it consistent with the new law.

TIP: With new privacy legislation that includes additional compliance requirements to be considered by Congress later this year, companies should ensure that they are taking all necessary steps to comply with HIPAA's requirements.

D. New Laws Limiting Disclosure of Prescribing Information Challenged

Two new laws, in Vermont and Maine, due to take effect in January 2008 are being challenged by IMS Health and Wolters Kluwer Health on constitutional grounds. The laws are intended to prohibit collection and disclosure of physician prescribing information, a practice that is common in the industry (with patient – but not physician – data being de-identified), and supported by groups such as the AMA as a "tool to help monitor the safety of new medications." A similar law in New Hampshire was struck down; that law included a ban on selling prescription information for commercial use, like marketing, if it included the patient's or physician's personally identifiable information.

TIP: Companies that engage in the practice of collecting, disclosing or using physician prescribing information should stay abreast of these suits, and be prepared for the possible implementation of the Vermont and Maine laws in January 2008.


IV. FINANCIAL PRIVACY

A. Lawsuits Filed to Enforce Federal Consumer Privacy Law

A series of lawsuits has recently been filed against major retailers, including Toys “R” Us, IKEA, and two major rental car companies, alleging violations of the Fair and Accurate Credit Transactions Act (FACTA). Enacted in 2003, FACTA was intended to prevent identity theft. Among other things, FACTA prohibits a merchant from including more than the last five digits of the account number from a consumer’s credit or debit card, or the expiration date on an electronic receipt. Violations of this statute may subject a merchant to damages of up to $1,000 per violation. With respect to machines in use before January 1, 2005, a merchant has three years to comply with the law.

TIP: If you are a merchant who issues electronic credit card receipts, these receipts should not include more than the last five digits of the customer’s account number, and should not include the card's expiration date. At up to $1,000 per violation, potential damages can add up quickly.

B. Minnesota First to Enact Breach Law Making Retailers Liable to Banks for Breach Costs

On May 21, Minnesota became the first state to include in its data breach notification law requirements that retailers restrict the amount of time they maintain credit card transaction data. The law, passed in reaction to mass breaches involving consumer credit card data, prohibits retailers after August 1, 2007, from retaining data that they obtain from the credit card magnetic stripe after the transaction is complete. Debit card data can be stored for no longer than 48 hours. After August 1, 2008, retailers who violate these requirements will be liable to banks for a variety of costs (such as canceling and reissuing credit cards and closing or reopening impacted accounts) if there is a breach of the data that the retailer improperly maintained. We are tracking similar legislation pending in California, Connecticut, Illinois, Massachusetts, and Texas.

TIP: If you operate national retail establishments, be sure that you are taking steps to protect credit card data and that you are aware of requirements, such as this Minnesota law, to destroy transaction data.

C. State Ban on Sale of Mortgage-Trigger Lists Preempted

A Minnesota judge issued a preliminary injunction against enforcing a statute that banned the sale of mortgage-trigger lists by a credit reporting agency. A mortgage-trigger list is a list compiled by a consumer reporting agency of consumers who have recently applied for a mortgage loan. The lists are then sold by a consumer reporting agency to other lenders for marketing purposes. The judge held that section 1681t(b) of the Fair Credit Reporting Act ("FCRA") expressly preempts any state law that imposes a prohibition or requirement relating to any subject matter regulated under FCRA. Section 1681b(c) of FCRA governs furnishing a credit report in connection with a credit transaction that is not initiated by a consumer. Although the court did not rule on the merits of either party's argument, the court held that because the subject matter of mortgage-trigger lists is "unquestionably regulated" by section 1681b(c) of FCRA, no state may prohibit or regulate their sale.

TIP: Lenders should be careful when using or sharing mortgage-trigger lists. Before these pre-screened lists of potential consumers can be shared by credit reporting agencies for marketing purposes, they must meet certain federal standards.

D. Amended National Security Letter Statute Still Unconstitutional

On September 6, 2007, the United States District Court for the Southern District of New York held that part of the USA PATRIOT Act is unconstitutional, namely the Act's provision authorizing the FBI to issue national security letters ("NSLs") seeking records from individuals and businesses, including demands that Internet service providers provide information about their customers' Internet use. The court said that the provisions creating the NSL process, which give federal prosecutors the discretion to determine whether a gag order should accompany the surveillance request, are a form of speech-licensing prohibited under Freedman v. Maryland, 380 U.S. 51 (1965). The court also held that the process by which ISPs can seek judicial review of an NSL gag order violates the constitutional separation of powers doctrine because it restricts the circumstances a court may consider when deciding whether a gag order should be lifted in any particular case. In its ruling, the court stayed the enforcement of the ruling for 90 days in order to allow for an appeal.

TIP: ISPs and others who are impacted by the PATRIOT Act's requirements to disclose personal information to the FBI should take early warning that the procedures for responding to national security letters may change.


V. TECHNOLOGY LICENSING

A. New District Court Decision Denies Injunctive Relief for Open Source License Violation

In Robert Jacobsen v. Matthew Katzer, a Northern District of California decision published on August 17, 2007 in San Francisco, the court denied the licensor's motion for preliminary injunction to enjoin the defendant from further violating the open source Artistic License. The court reasoned that an injunction is not appropriate where the plaintiff's claim "sounds in contract, not copyright" law. Generally, the remedy for contract violations is damages, whereas copyright infringement normally includes a presumption that injunctive relief is appropriate. Thus, the question of whether the violation of a license is based on contract or copyright law is very important, because such a determination affects whether injunctive relief is available as a remedy for licensors. In this case, the decision argued that the Artistic License grants a nonexclusive license to use, distribute, and copy the source code. The court further found that the license provisions permitting users to copy the code verbatim and modify the materials in any way, "including as part of a larger, possibly commercial software distribution", are intentionally broad in scope. As such, the notice of attribution condition is not a limit on the scope of the license, but rather a contractual term/covenant of the license. Therefore, defendant's alleged violation of the notice of attribution requirement is only a contractual breach, and is not a violation of the scope of the license that would "create liability for copyright infringement."

TIP: This is one of the few cases that has interpreted issues relating to the scope of open source licenses. This decision may suggest that courts are more inclined to view alleged violations of open source licenses as contractual disputes, thus denying licensors the option of injunctive relief, but this case does not settle the issue for the GPL and is only a district level decision that will likely be appealed. It remains important to be cognizant of the use of open source software and its potential contractual and copyright liabilities.

B. Use of Photo On Web Site After License Term Constitutes Infringement

A professional photographer licensed one of his copyrighted photographs of Arnold Palmer to an agency, DVC Worldwide, Inc., and its client GlaxoSmithKline, for advertising purposes for a smoking-cessation campaign in 2001 and 2002. On its Web site, DVC posted some of its advertising materials to show potential clients examples of its work and, after the expiration of the term of its license with the photographer, DVC posted one advertisement that included the photographer's 1989 photograph of Arnold Palmer. The photographer sued DVC Worldwide for copyright infringement. The court held that such use was a copyright infringement and that it was not protected as a "fair use" by the agency under the copyright law. Even though the agency's use of the photo was merely for self-promotion, the court held it to be infringing, as the use of the photo was merely for "private commercial gain."

TIP: Agencies that post creative on their Web sites for self-promotional uses must ensure that they have the relevant rights from all third parties whose images are contained within the advertisements. The fact that you may have had rights at one time to use an image in an advertisement for a client does not give an agency an unlimited right to use it for self-promotion.


VI. GLOBAL PRIVACY ISSUES

A. Progress Made in E.U. for Use of Binding Corporate Rules

Just a few months after the European Union Data Commissioners released a standard application form for the approval of Binding Corporate Rules (BCR), the U.K. data protection office gave Philips the second-ever approval for its BCR. Under the E.U. Data Privacy Directive, countries must enact laws prohibiting the transfer of personal data to an entity located outside an E.U. country unless (1) the entity is in a country with equivalent laws, (2) the company has entered into a model contract with the recipient of the data, (3) the exporter has obtained prior informed consent (and this option is not always available, depending on the specific country laws that apply), (4) the company is in the United States, and participates in the E.U./U.S. Safe Harbor Program, or (5) the company adheres to internal BCR that have been approved by the data protection authority of the exporting country. Philips was able to convince the U.K. that it provided adequate levels of protection across its group of companies, and the U.K. approved Philips' BCRs, authorizing it to transfer that data out of the European Economic Area to a non-E.U. Philips entity.

TIP: BCRs appear to be gaining traction as a viable option for the transfer of personal data within a company that has European operations.

B. Protective Measures for the Processing of Customers' Personal Information

After two companies failed to meet the requirements of the U.K. Data Protection Act 1988, the U.K. Office of the Information Commissioner threatened them with further enforcement action and prosecution. The companies had failed to protect customers’ personal information by allowing new members of the staff to share user names and passwords, and by continuing to use customers' personal data for marketing purposes after the customer had opted out of such use. The breaches focused on the unlawful processing of personal data, accidental loss, destruction or damage of the same, as well as marketing material sent to customers even after the customer had requested, in writing, that he or she no longer receive the material.

TIP: When operating internationally, be sure that your marketing is aimed at customers who have either expressed a desire to receive information or have remained silent on this. Also ensure that your employees have been properly trained on use of consumer data.

C. USB Keys in France

On June 20, the French government commission that oversees assessment of copyright protection (Commission Copie Privée) voted to tax USB keys, flash memory cards and external computer hard drives under the copyright protection taxes applied to compensate intellectual property right holders for copyright violation. The new tax, which is based on degressive levies according to the size of the device, will be effective by fall, after publication of the new tax schedules in the Official Journal. (The commission also agreed to reduce the existing copyright protection tax on blank DVDs from today's $1.47 to $1.34.) Royalty collection agencies welcomed this decision, estimating that the new taxes on hybrid devices would raise $26.8 million annually in additional revenue to compensate for copyright violation. However, business groups and consumer protection groups expressed their disapproval of this decision, considering the copyright tax unjustified and too large relative to the wholesale price of the products concerned.

TIP: When selling USB keys, flash memory cards and external computer hard drives in France, keep in mind that the wholesale price of these products may be affected by the application of copyright protection taxes.

D. U.K. Data Protection Office Brings Privacy Case

The U.K. Data Protection Office has signed agreements with two companies found to have violated the U.K. Data Protection Act of 1988, Orange Personal Communication Services Ltd and Littlewoods Shop Direct Home Shopping Ltd. Orange Personal Communication Services Ltd was alleged to have failed to keep its customers' personal information secure, authorizing its staff members to share user names and passwords when accessing the company's IT system. Littlewoods Shop Direct Home Shopping Ltd was alleged to have continued to use customers' personal data for marketing purposes after customers requested that their information not be used for such purposes.

TIP: When collecting and using personal data, make sure you have taken all necessary steps to ensure that your employees comply with applicable legislation.

E. The French Data Protection Authority Fines Tyco Healthcare France

In mid-April, the French Data Protection Authority (CNIL) fined Tyco Healthcare France for improper storage and cross-border transfer of employee data. After the CNIL asked it to provide additional information on the database it operated on its 450 French employees, Tyco told the CNIL that use of the database had been suspended. A CNIL inspection showed that the database was still being used and updated despite numerous legal doubts previously raised by the CNIL, including about cross-border data transfers and security measures. The CNIL informed the company in December 2006 that the investigation showed the company had improperly declared the content and use of its database and had failed to cooperate with the CNIL.

TIP: Companies must always be vigilant to comply with local privacy legislation and cooperate with the local Data Protection Authority when necessary.

F. Spain Issues Rules on Corporate Whistleblowing Mechanisms

The Spanish Data Protection Agency (AEPD) has issued an opinion establishing guidelines for the creation of whistleblowing mechanisms inside companies. These guidelines are in response to U.S. anonymous whistleblower requirements, and address European concerns regarding anonymity of whistleblowers. The guidelines avoid anonymous complaints; Spain (like other European countries) views avoiding them as necessary to ensure that the information the whistleblower gives is exact and complete. The AEPD also ruled that employees must be made fully aware of the company's whistleblowing system, and that accused employees must be made aware of the complaints against them as quickly as possible and be informed of their rights. Companies that receive complaints by telephone or in person must collect and maintain the personal data of both parties, along with the details of the reported incident and the results of successive investigations. The data may be stored for more than two months (and retained for legal proceedings) only if the complaint can be proved.

TIP: U.S. companies operating internationally that are subject to SOX disclosure requirements should use caution when implementing their whistleblowing scheme abroad.

G. The French Data Protection Authority Releases 2006-2007 Report

In compliance with the financial sanction powers created in 2004, the French Data Protection Authority reported handing down 16 individual fines amounting to a total of $228,888. The largest penalties were imposed on Credit Lyonnais ($61,200/€45,000), Credit Agricole ($27,200/€20,000) and the Caribbean-based financial sector firm Banque des Antilles Françaises ($40,800/€30,000). Smaller fines were also handed out for abuses of data transfer, unsolicited marketing, refusal to give authorities access to databases and failure to respect "do not call lists."

TIP: Companies operating in Europe should be aware that data protection offices such as CNIL are actively enforcing their countries' data protection laws.


If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:

CHICAGO

Liisa M. Thomas (Advertising), (312) 558-8121
Christine A. Edwards (Financial Services), (312) 558-5571
Michael Melbinger (Employee Benefits), (312) 558-7588
Cheryl Tama Oblander (Labor and Employment), (312) 558-5797
Stephen P. Durchslag (Advertising), (312) 558-5288
Brian L. Heidelberger (Advertising), (312) 558-5897
Mary Hutchings Reed (Advertising), (312) 558-5721
Michael Philipp (Financial Services), (312) 558-5905
Brian D. Fergemann (Advertising), (312) 558-8024
Sarah La Voi (Advertising), (312) 558-8032
Audrey J. Lee (Advertising), (312) 558-7561
Delilah B. Flaum (Health Care, Litigation), (312) 558-8922

NEW YORK

Virginia R. Richard (Intellectual Property), (212) 294-4639
Lana C. Marina (Intellectual Property), (212) 294-6626

SAN FRANCISCO

Andrew P. Bridges (Intellectual Property), (415) 591-1482
David S. Bloch (Litigation), (415) 591-1452
Becky L. Troutman (Intellectual Property), (415) 591-1401
Jennifer A. Golinveaux (Litigation), (415) 591-1056

WASHINGTON, D.C.

Marion K. Goldberg (Health Care), (202) 282-5788
Paul S. Pilecki (Financial Services), (202) 282-5730
Michael A. Mancusi (Financial Services), (202) 282-5729

LOS ANGELES

Steven D. Atlee (Litigation), (213) 615-1827
Anna S. Masters (Labor and Employment), (213) 615-1711
Michael S. Brophy (Labor and Employment), (213) 615-1807
Evan R. Moses (Labor and Employment), (213) 615-1713
David Goodman (Labor and Employment), (213) 615-1793

PARIS

Maxence Marsin (Corporate/Intellectual Property), 33 (0) 1 53 64 82 16


If you no longer wish to receive the Privacy and Technology Client Bulletin, please e-mail us at IPUpdate@winston.com or write us at Winston & Strawn LLP, Attention: Business Development Clerk, 35 W. Wacker Drive, Chicago, IL 60601.

These materials have been prepared by Winston & Strawn LLP for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.

Along with this Client Bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn LLP's Web site (www.winston.com).

Copyright © 2007. Winston & Strawn LLP.