Winston Client Bulletin

Fourth Quarter 2007

In This Issue:


I. ONLINE COMMERCE

  1. CDA Immunity Protects Virus and Malware-Blocking Software Provider
  2. CDA Increasingly Used By Web Sites As Shield

II. CONSUMER PRIVACY

  1. Text Message Found Not Subject to Telephone Consumer Protection Act
  2. FTC Offers Tips to Mobile Ad Marketers
  3. Florida Targets Online Ad Distributors
  4. FTC Launches Do-Not-Call Sweep: Obtains Over $7 Million In Penalties

III. FINANCIAL PRIVACY

  1. Federal Banking Agencies Issue Identity Theft Program Rule
  2. Bank Ordered to Produce Customer Information to Class Representative
  3. Data Disposal Case Settles in Hawaii with Payment of $10,000

IV. HEALTH PRIVACY AND SECURITY

  1. Municipal Fire Department in WI Properly Released Health Information
  2. Punitive Damages Permitted for Unintentional Disclosure of Sensitive Medical Information
  3. Prohibition On Broadcasting Medical Records Found Unconstitutional

V. CHILDREN'S PRIVACY

  1. Social Networking Site Settles With NYAG Over Online Child Safety
  2. CARU Announces Hannah Montana Fan Site Making COPPA Changes
  3. CARU Refers Singer Fan Site to FTC
  4. Texas AG Files COPPA Suits Against The Doll Palace and Future US

VI. EMPLOYEE AND WORKPLACE PRIVACY

  1. CFAA May Not Protect Against Employees’ Improper Use of Sensitive Information
  2. CA Litigation Privilege Protects Third Party Who Provides Private Information

VII. ONLINE COMMERCE

  1. Ninth Circuit Finds Parties to Online Contract Not Bound by Later Modifications
  2. Copyright Principles Created For User-Generated Content

VIII. INTERNATIONAL PRIVACY

  1. Commerce Department To Test APEC Registry for Data Transfers
  2. Australian Advertiser Sued For Use Of Photo From Online Photo Sharing Web Site
  3. French CNIL Specifies New Regulations on Data Subjects’ Rights


I. ONLINE COMMERCE

A. CDA Immunity Protects Virus and Malware-Blocking Software Provider

In August, the U.S. District Court for the Western District of Washington broadly interpreted the requirement that a defendant be an “interactive computer service provider” to enjoy immunity under the 1996 Communications Decency Act (“CDA”) to protect a provider of virus and malware-blocking software. In the case, the defendant’s software blocked plaintiff Zango Inc’s free online games from installing pop-up advertisements on a user’s computer. The court dismissed Zango’s claim that the Kaspersky anti-virus software wrongfully interfered with plaintiff’s software, finding that Kaspersky qualified as a “good Samaritan” and enjoyed immunity from the claim under the CDA. In reaching its decision, the court interpreted the CDA broadly in order to find Kaspersky an interactive service provider. The CDA in particular provides that no provider or user of an interactive computer service shall be held liable on account of any action taken to enable or make available to information content providers or others the technical means to restrict access to material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected. The court stated that the “interactive computer service provider” is “not limited to those who provide Internet access to consumers” but also includes those who are access service providers, namely those who filter, screen, allow or disallow content. The court further found that the defendant’s blocker “allows multiple users to access a computer server” because after being downloaded and installed by defendant’s customers, the blocker “regularly reaches out to communicate with online servers to update the [software’s] database of suspect code (e.g., viruses, adware, spyware, and other malware).”

TIP: The immunities of the Communications Decency Act can apply to more than just Internet websites but may also be available to those who provide access services such as filtering software or virus or malware pop-up blockers.  Companies that provide information services or other systems that allow multiple users to access a computer server should consider registering for immunity under the CDA.

B. CDA Increasingly Used by Web Sites As Shield

Several courts addressed immunity under the 1996 Communications Decency Act in September and October, 2007. In September, the U.S. District Court for the Northern District of Ohio held that an adult dating Web site that encouraged members to meet for consensual sexual relations was not liable for content posted by a girl who misrepresented her age in her profile. The court dismissed claims brought by a man who met the girl through defendant’s Web site, had consensual sex with her and was subsequently charged with statutory rape. In October, the U.S. District Court for the Southern District of New York held that a search engine was immune from liability under the CDA for publishing search results that did not include the original source’s line breaks. Failure to include the original line breaks yielded results that incorrectly identified New York gubernatorial candidate William Murawski as: “communist political organizer William Murawski.” The U.S. District Court for the District of Arizona extended CDA Section 230 immunity to a Web site that refused to remove a defamatory post from its site. The plaintiff had obtained and was attempting to enforce an injunction issued by an Ontario, Canada court for defamation. The injunction ordered removal of any references to the plaintiff from defendant’s site. In refusing to enforce the injunction because the defendant was protected under the CDA, the court noted that it would be up to Congress to remedy any “unintended consequence” of the CDA.

In an unfair practices action brought by the Federal Trade Commission against a Web site that provided a searchable database of private phone numbers for a fee, the Web site was not afforded immunity under the CDA because it failed to meet the requirements that the FTC’s claim treat the defendant as the publisher or speaker of the information and that the information not be provided by another information content provider. The court found that the FTC’s claim targeted the facilitation by defendant of unlawful use of the phone numbers, not publication of the numbers, and that “by soliciting requests for such phone records and purchasing them for resale, Defendants participated in the creation or development of the information, and thus do not qualify for § 230 immunity.”

TIP: Web site operators should keep in mind the immunities provided by the CDA, and take steps to fall under its protections, including not participating in the creation or development of content submitted for posting by third parties.


II. CONSUMER PRIVACY

A. Text Message Found Not Subject to Telephone Consumer Protection Act

The Federal Court for the Northern District of California recently dismissed claims against two defendants alleging that the defendants had violated the Telephone Consumer Protection Act’s prohibition against using an “automatic telephone dialing system” to place calls to a wireless phone when they sent a promotional text message to plaintiff’s cell phone number. In the case, a woman agreed to receive “promotions from NexTones affiliates and brands” after obtaining a free ringtone for her son’s cell phone. She brought suit when her son later received a promotional text message advertising a Stephen King novel. The message was from Simon & Schuster, but contained a NexTone brand. The court held that the system used by the defendants to send the promotional messages did not fall within the statutory definition of an “automatic telephone dialing system” because the calls were made to a targeted promotional list of numbers, while the law prohibits only randomly or sequentially generated calls. In addition, the court concluded that the defendants did not violate the TCPA because the defendant had been given prior express consent when the mother had opted in to receive promotional messages. The plaintiff claimed that the party sending the text message (Simon & Schuster) had no relationship to the party to whom the mother opted in to receiving messages (NexTone), but the court believed that the NexTone branding on the text message was sufficient to link the text to the prior opt-in by the mother.

TIP: Whether the sending of promotional text messages is legal is highly dependent upon the method in which you send the text messages and whether you have prior express consent from the recipient. In sending such e-mails, you need to be very careful that you have obtained prior express consent in the manner required by law and that your method of sending the messages falls within the strict confines of the law.

B. FTC Offers Tips to Mobile Ad Marketers

Lydia Parnes, director of the FTC’s Bureau of Consumer Protection, cautioned recently that mobile marketers sending text message advertisements should do so responsibly and legally, should create industry self-regulation, and should advertise within the limits of consumer tolerance in order to avoid federal action. She indicated that the FTC will host a town hall meeting in 2008 on mobile marketing before forming an official position on the practice.

TIP: Regulators and enforcement agencies including the FTC and states' attorneys general are taking notice of text message advertising. Be cautious in your use of that medium, and be sure that you understand the requirements of the TCPA and CAN-SPAM.

C. Florida Targets Online Ad Distributors

Florida has created a new task force to deal with Internet-related fraud, called the CyberFraud Task Force. The group is part of the Florida Attorney General’s Economic Crimes Division. The first case settled by the Task Force was with AzoogleAds US Inc., an online media buying company, with respect to third-party ringtone advertisements the company placed on a variety of Internet Web sites. According to Florida investigators, children and teenagers (as well as other consumers) were responding to free ringtone offers AzoogleAds placed, and unbeknownst to the consumers, were often enrolled in fee-based subscription services. AzoogleAds agreed to an Assurance of Voluntary Compliance where, although it admitted no fault, it did agree to require that in ads it created or controlled, as well as in its contracts with advertisers: (1) “free” and similar terms would not be used unless it was clearly disclosed that the “free” item could only be obtained with purchase of another item (i.e., “Free ringtone with paid monthly subscription of $9.99/month”); (2) advertisements would not be made for content available only through certain carriers or mobile devices unless those restrictions were disclosed; (3) no requirement would be made that consumers automatically accept receipt of advertising or promotional messages by e-mail or text message that are unrelated to the current offer, and instead consumer’s specific and express consent to receipt of such message would be obtained; (4) the advertisements would clearly and conspicuously disclose all pricing and other material terms. AzoogleAds also agreed to contribute $1 million to assist the AG with future investigations. The settlement is being promoted as a “model” for how cell phone content should be marketed online. 
In a second suit, brought a week later, the Task Force sued Buongiorno, an “enabler” of digital mobile entertainment, for adding monthly charges to wireless bills for cell phone content without consumers’ knowledge or agreement that they have purchased such content. The Florida Attorney General is seeking a permanent injunction against Buongiorno.

TIP: If promoting cell phone content or services, ensure that all applicable terms are clearly disclosed. The AzoogleAds settlement serves as a helpful reference in designing and clearing an advertisement for cell phone content.

D. FTC Launches Do-Not-Call Sweep: Obtains Over $7 Million In Penalties

A recent enforcement effort looking for violations of the National Do Not Call Registry resulted in six settlements that collectively brought the FTC almost $7.7 million in civil penalties. In one case, Craftmatic ran a sweepstakes where consumers were required to give their phone numbers (the form indicated the phone number was the sweepstakes entry number). Craftmatic then placed sales calls to consumers, even though consumers were not told that by providing their number in the sweepstakes entry form they would receive calls, nor did the consumers provide express consent. In another case, ADT and its authorized dealers called consumers on the DNC Registry. The FTC alleged that ADT was responsible not only for calls it made, but also for those made by its authorized dealers. In a case against Ameriquest, its telemarketers called consumers on the DNC Registry whose names had been obtained from third-party lead-generators, who had enticed consumers to provide phone numbers online to receive financial information (however, Ameriquest was not specifically mentioned). The FTC alleged that since the consumers were not responding in order to receive Ameriquest material or information, no established business relationship had been created.

TIP: Ensure that you obtain proper consents before using consumer contact information, and scrub against relevant registries such as the federal Do-Not-Call Registry when necessary.


III. FINANCIAL PRIVACY

A. Federal Banking Agencies Issue Identity Theft Program Rule

On November 9, 2007, the federal financial institution regulatory agencies issued the Identity Theft Prevention Program Rule, which implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. Under the Rule, a financial institution, including a U.S. branch or agency of a foreign bank, that maintains any “covered accounts” is required to develop and implement a written Identity Theft Prevention Program (“Program”) that is designed to detect and deter identity theft. Under the Rule, a “covered account” includes a consumer account, a mortgage, and certain business accounts. The requirements of the Rule are summarized in our Client Briefing, which is available here.

TIP: In order to determine which business accounts would be deemed to be “covered accounts,” a U.S. financial institution must conduct a risk assessment of its business accounts and identify whether the business accounts could be at risk for identity theft. Click here to view the Winston & Strawn Client Briefing regarding the Rule.

B. Bank Ordered to Produce Customer Information to Class Representative

On September 24, 2007, a federal judge in the U.S. District Court for the Northern District of Arkansas held that a bank must provide a class representative the names and contact information for potential class members in response to a discovery request in a class action lawsuit. In the ruling, the judge held that the discovery request was permitted under two exceptions to the privacy protections under the Gramm-Leach-Bliley Act. The judge stated that the release of personal information is permitted under the exemptions that allow disclosure (i) to comply with applicable legal requirements (15 U.S.C. § 6802(e)(8)), and (ii) to a person acting in a fiduciary or representative capacity for the consumer (15 U.S.C. § 6802(e)(3)(E)). It is not clear from this ruling whether by disclosing the personal information the bank could be subject to the risk of further class action litigation brought by the consumers whose personal information was released.

TIP: While banks may be permitted under GLB to provide names and contact information for a potential class action to the class representative, banks should nevertheless proceed with caution.

C. Data Disposal Case Settles in Hawaii with Payment of $10,000

Fidelity Escrow Services Corp. settled a data disposal suit this July. The settlement resolves a case filed by the Hawaii state Department of Commerce & Consumer Affairs against the mortgage escrow company in March. Fidelity was charged with having thrown away in a public recycling bin thousands of paper documents containing sensitive financial data in violation of not only Hawaii’s consumer protection laws, but its data destruction statute.

TIP: Companies that maintain sensitive consumer data should have a clear data destruction policy in place, and should be sure that all their employees, in all their offices or locations, follow that policy.


IV. HEALTH PRIVACY AND SECURITY

A. Municipal Fire Department in WI Properly Released Health Information

The Wisconsin Attorney General has issued an informal opinion finding that a municipal fire department correctly concluded that it is both a “health care provider” and a “covered entity” under HIPAA based on the provision of ambulance services. The Attorney General also concluded that, even though “protected health information” (PHI) normally protected by HIPAA is contained in the fire department’s ambulance services records, the information may be disclosed because Wisconsin public records law requires its disclosure. While HIPAA would have only permitted disclosure of non-PHI data such as the date and response time of the ambulance service call, Wisconsin public records law specifically provides for release of the name, age and gender of the patient where the ambulance provider is a municipal entity. The Attorney General’s decision is consistent with HIPAA’s statutory “required by law” exception which provides that PHI must be disclosed to the extent such disclosure is required by state law.

TIP: Covered entities under HIPAA can take many forms, even a municipal fire department. If an entity is covered under HIPAA, it may disclose PHI to the extent required by state law.

B. Punitive Damages Permitted for Unintentional Disclosure of Sensitive Medical Information

In a three-to-two ruling, a New York state appellate court ruled that punitive damages can be awarded for the unintentional disclosure of sensitive medical information. In the case of Randi A.J. (Anonymous) v. Long Island Surgi-Center, No. 2005-04976 (N.Y. Sup. Ct. App. Div. Sept. 25, 2007), despite specific instructions from the twenty-year-old patient not to contact her at home, the center placed a call to the home to follow up on some post-operative blood tests and in so doing inadvertently released information to the patient’s mother that allowed the mother to determine that her daughter had received an abortion. The court concluded that punitive damages are available where the breach of patient confidentiality is the result of “willful or wanton negligence or recklessness,” and awarding such damages would “deter future reprehensible conduct.” The court also noted numerous other instances where the surgery center had not protected patient privacy, as well as the fact that the center had insufficient privacy policies and procedures.

TIP: Entities prohibited by HIPAA from disclosing sensitive medical information should review their practices and procedures to ensure that unintentional disclosure cannot occur.

C. Prohibition On Broadcasting Medical Records Found Unconstitutional

A Florida state appellate court dissolved an injunction issued by the trial court prohibiting a television station from broadcasting a local public figure’s individual and family medical records. In Post-Newsweek Stations Orlando, Inc. v. Guetzloe, No. 5D07-430 (Fla. Dist. Ct. App. Oct. 4, 2007), the appellate court concluded that Mr. Guetzloe could not meet the heavy burden of overcoming the presumption of unconstitutionality that attaches to prior restraints because he failed to establish that broadcasting portions of his personal medical records would likely amount to an actionable invasion of privacy. The appellate court determined that for Guetzloe to prevail in an invasion of privacy claim, he would have to show that publication of the records would be “highly offensive to a reasonable person” and that Guetzloe was unable to do so.

TIP: A media outlet may be able to broadcast medical information about individuals, but should take care that doing so wouldn’t be viewed as “highly offensive to a reasonable person.”


V. CHILDREN'S PRIVACY

Liisa Thomas will speak on Ensuring Privacy and Safety in an Environment Where “Don’t Talk to Strangers” Doesn’t Cut It Anymore at American Conference Institute's Regulatory Kid Watch Conference at the Georgetown University Conference Hotel, Washington, D.C., to be held April 1-2, 2008. Registration information is available here. Mention discount code 865L08.S for $200 off the cost of registration.

A. Social Networking Site Settles With NYAG Over Online Child Safety

A month after the New York Attorney General's office subpoenaed Facebook, an online social networking Web site, it reached a settlement with the company regarding Facebook's safety standards with respect to children. The settlement has been referred to by the NYAG and Facebook as "precedent-setting." Mayor Mario Cuomo's office had opened an investigation after it found that underage users were being targeted by predators. Facebook has agreed that it will accept complaints about threats to children — harassment, unwelcome contact, nudity, or pornography — and within 24 hours will respond and begin addressing the complaint. Within 72 hours, Facebook will let the complaining party know what steps have been taken to address the threat. Facebook will also retain an independent safety and security examiner (to be approved by NYAG), which will review complaint handling and recommend any other security steps that might be appropriate. Parents and children will be given direct access by Facebook to this examiner, and the examiner will prepare biannual reports to NYAG about Facebook's performance. Facebook will also make a rather lengthy public disclosure on its site that includes disclaimers about Facebook's inability to "guarantee that its site is entirely free of illegal, offensive, pornographic or otherwise inappropriate material." The statement begins that children under 13 are not permitted to access the site. The Connecticut attorney general issued a press release shortly after the announced New York settlement stating that the settlement should have gone farther. He also co-chairs a national social networking task force of all 50 attorneys general. 
He indicated that the task force was expected to urge Facebook to also require age and identity verification for users 18 and older, use filtering technology to screen out inappropriate material, hide minors' profiles from adults, and limit the search options of minors (including barring them from seeing inappropriate material).

TIP: The NYAG settlement suggests that operators of social network Web sites should implement measures to protect the safety of children on their Web sites. While the Facebook terms can serve as a guide for what types of measures to implement, the Connecticut AG's comments should also serve as a caution that the NYAG terms may merely be a start.

B. CARU Announces Hannah Montana Fan Site Making COPPA Changes

In a recent announcement, CARU indicated IMM Studio has taken steps to modify its Web sites (mileyworld.com and mileycyrus.com) to assure that it has verifiable parental consent and has provided parental notification. Mileyworld.com, a fee-based fan club for Miley Cyrus (who plays Hannah Montana), allowed children to register by providing personal information on the first screen, and then instructed children to “grab a parent” for the next part, namely the screen where valid credit card information and the parent’s e-mail address were required. As a result of the investigation, the mileyworld.com online registration has now been modified. In particular, no personally identifiable information is asked of the child (notably the child is no longer asked for his or her first and last name, nor is the child asked for his or her e-mail address), and instead the personally identifiable information collection is limited to the screen where the parent is required to provide his or her credit card information. CARU indicated that the advertiser has also modified its privacy policy and notice to parents, and has frozen accounts of children under 13 until all of the agreed-upon changes were made.

TIP: Merely asking children to “go get your parent” is not an effective way to ensure that you are interacting with a parent. If you are using credit card numbers as a way to verify parental identity, be careful that your full information collection process is compliant with COPPA and the CARU guidelines.

C. CARU Refers Singer Fan Site to FTC

In a similar case, CARU announced that it is referring WUK Music Group’s daechelle.com, a fan site for the singer Daechelle, to the FTC. CARU found in its investigations that the WUK Web site collected personal information and asked children for their ages without obtaining verifiable parental consent. In response to CARU, the advertiser added the statement “you must be 13 years of age or older to submit personal information.” People who submitted an age under 13 were not blocked from joining the site, however. CARU then recommended that the advertiser implement neutral age screening and block users under 13 from registering. The operator did not respond, and CARU thus referred the case to the FTC.

TIP: If you wish to block children from a Web site you create that is enticing to those under 13, be sure that you have a neutral age screening mechanism, as well as a process in place to keep children under 13 from accessing your site.

D. Texas AG Files COPPA Suits Against The Doll Palace and Future US

Texas has become the first state to bring a lawsuit under COPPA, as permitted by 15 U.S.C. § 6504. Under COPPA, a state bringing action must first give notice to the FTC, which has the right to intervene in such an action. In these Texas cases, the Attorney General took issue with the Web sites thedollpalace.com and gamesradar.com, where children’s personally identifiable information is collected without parental consent, according to the complaints. When registering at thedollpalace.com, for example, a child under 13 is told “you need a parent’s permission to continue. Is a parent with you right now.” The child can then select “yes” or “no.” The “yes” selection allows the child to click “ok” at the bottom of a permission page. The “no” selection prompts a child to enter an e-mail address. An e-mail is sent to that address asking for consent; no subsequent verification is made. According to the Texas AG, it is thus easy for a child to circumvent parental consent. The Texas AG characterized thedollpalace.com as a Web site directed to and appealing to children, where children can create and play with Web-based dolls, and can interact with others through chat and “friend” features. During registration, users are required to complete a profile consisting of ten pages of questions, including whether the user wants to “meet someone older than myself.” After registration, users are encouraged to provide additional personal information in exchange for free stickers; stickers which are, according to the complaint, never sent. In its complaint against gamesradar.com, the Texas AG alleged that the site contained content inappropriate for children, and during registration, had no screening process to effectively block children, and instead encouraged children to age-up.

TIP: When creating general-interest Web sites that may be appealing to children, be sure that your site (including any registration process) complies with COPPA. As these cases demonstrate, not only do the FTC and CARU look at sites for compliance issues, but with these Texas cases, it appears that the states have begun to do so as well.


VI. EMPLOYEE AND WORKPLACE PRIVACY

A. CFAA May Not Protect Against Employees’ Improper Use of Sensitive Information

Wayne Davidson was a high-ranking employee of the Diamond Power Corporation and accordingly was provided with upper level access to the company’s computers and restricted network. Near the end of his employment, Mr. Davidson downloaded and copied sensitive financial reports and marketing files from the restricted network to his home computer. Then, in direct violation of company policies, Mr. Davidson transferred this sensitive data to Diamond Power’s primary competitor. Diamond Power sued for damages claiming that Mr. Davidson had violated the Computer Fraud and Abuse Act by accessing a computer “without authorization” or in the alternative that he had “exceeded authorized access.” The United States District Court for the Northern District of Georgia held that a violation of the CFAA does not depend upon the defendant’s improper use of the information, but rather upon the defendant’s unauthorized access. Unlike other courts that have looked at this issue, the court here reasoned that a violation for accessing “without authorization” could occur only where initial access was not permitted. And, a violation for “exceeding authorized access” could occur only where an agent was granted limited initial access and then exceeded the scope of that access. The Court found that Mr. Davidson was authorized to access Diamond Power’s computers and his level of access included the specific information he copied from the restricted network. Therefore, the Court held that Mr. Davidson’s improper use of Diamond Power’s files alone did not violate the CFAA.

TIP: Companies should protect confidential information and trade secrets by restricting an employee’s access to only that information essential to his or her position. Companies should also consider contracts to protect sensitive proprietary information, with explicit remedies for unauthorized copying or other misuse of confidential information.

B. CA Litigation Privilege Protects Third-Party Who Provides Private Information

The Second Appellate District for the Court of Appeals of California held in September that California’s statutory “litigation privilege” provided broad protection to parties responding to a subpoena involving private consumer information. In this case, the Foothill Federal Credit Union received a subpoena seeking account information for two individuals. FFCU produced certain credit union records in response to the subpoena. A group of consumers sued FFCU claiming that the credit union had provided private account information beyond the limitations placed upon the scope of the subpoena. They alleged breach of contract, invasion of privacy and intentional infliction of emotional distress. FFCU argued that its actions were protected by California Civil Code section 47, which creates an absolute privilege for litigation-related communications, including those made in discovery. The Court dismissed the complaint, holding that the litigation privilege applies to a party responding to a subpoena, even when the response exceeds the subpoena’s scope and includes customers’ private information. The Court reasoned that the policy behind the litigation privilege was to eliminate the threat of liability during the truthful communication made during judicial proceedings. Therefore, the Court held that the litigation privilege provides broad protection to parties that make relevant communications in judicial proceedings.

TIP: It is necessary to investigate and comply with state notice provisions when seeking the discovery of private financial, educational, medical and employment-related records in litigation. You should advise your counsel if you believe that responding to a subpoena will result in the disclosure of sensitive third-party information.


VII. ONLINE COMMERCE

A. Ninth Circuit Finds Parties to Online Contract Not Bound by Later Modifications

Talk America, a long-distance telephone service, made changes to its service contract, including adding additional charges, a class action waiver, an arbitration clause, and a New York choice-of-law provision. The changes to the contract were made in the online version of the contract. Joe Douglas, a subscriber, brought a class action suit alleging that Talk America had violated California consumer protection laws. Douglas contended that he was unaware of the contract changes, since he had authorized automatic payments by credit card and, as such, would not in the ordinary course go to Talk America’s Web site to view the most recent service contract. On appeal, the Ninth Circuit agreed that parties have no obligation to check a contract to see if it has been changed by the other party, and indeed, in this instance Douglas would not have even known to go to Talk America’s Web site to look for a change in the contract.

TIP: When making modifications to online terms, whether service contracts, Web site agreements, or privacy policies, it is not enough merely to make changes and post them where consumers have no reason to see the changes and otherwise consent to them.


B. Copyright Principles Created For User-Generated Content

On October 18, 2007, a group of leading commercial copyright owners and Internet service providers announced the establishment of a set of principles regarding user-generated audio and video content. The stated goal of these principles is the elimination of infringing content on user-generated content Web sites, while not discouraging the uploading of legitimate original content. These principles include: implementation of state-of-the-art filtering technology, including blocking infringing uploads before they are made available to the public; cooperation in developing procedures for promptly addressing claims that content was blocked in error; regularly using the technology to remove infringing content that was uploaded before the technology could block it; and identification and removal of links to sites that are clearly dedicated to, and predominantly used for, the dissemination of infringing content. These principles are not a legally binding agreement, and compliance with these principles by a user-generated content service provider does not preclude a copyright owner from filing a complaint for copyright infringement. However, these principles appear to represent an attempt by copyright holders and user-generated content service providers to reach some common ground in this area. View the User-Generated Content Principles.

TIP: The use of user-generated content is exploding, but the technologies for screening out copyrighted materials are still being developed. Most advertisers currently rely primarily on the protections provided by the Digital Millennium Copyright Act, which insulates certain Web site providers from liability for copyright infringement based on user-generated content posted to their Web sites, provided certain procedures are followed when notice of the infringement is received. However, more advanced screening technologies are being developed and adopted by major Internet service providers.



VIII. INTERNATIONAL PRIVACY

A. Commerce Department To Test APEC Registry for Data Transfers

In an innovative new program being launched by the Commerce Department (with the assistance of the FTC), U.S. companies will be able to certify compliance with the Asia-Pacific Economic Cooperation's data protection framework. The goal of the registry is to make it easier for companies to engage in cross-border data transfers. The program will be tested throughout 2008, with a small launch of five or six countries, with data being transferred between three or four countries (Canada and Mexico have already agreed to participate in the test). Similar to the EU Safe Harbor, companies would self-certify their compliance with a listed set of principles. The FTC would thus provide enforcement under the Deceptive Trade Practices Act. The hope is that through the test, the Commerce Department can convince the APEC countries that this self-regulatory scheme is an effective mechanism, and that they should recognize the program and allow transfers between companies in their countries and U.S. companies that participate in the program. Member countries include, among others: Australia, China, Russia, South Korea, Japan, Taiwan, Hong Kong, Singapore, Peru, and Chile.

TIP: While the US-EU Safe Harbor program allows U.S. participants to receive personally identifiable information from EU companies, there are no similar multi-country schemes in place that allow the flow of data to the U.S. This scheme may provide such a mechanism for companies that do business with entities in Australia, China, Singapore, Japan and elsewhere.


B. Australian Advertiser Sued For Use Of Photo From Online Photo Sharing Web Site

A family in the United States filed suit against an Australian advertiser over an advertising campaign featuring a photo of the family’s teenage daughter. The suit alleges that the advertiser or its agency obtained a copy of the photo from the online photo sharing Web site, Flickr, but failed to get permission to use the girl’s image. The photo was apparently posted to the Web site by the person who took the photograph, the girl’s counselor, and the counselor released the photograph for use under the Web site’s Creative Commons copyright policy, which permits reuse of photos for any purpose. However, the suit alleges that the advertiser failed to obtain consent from the girl who was the subject of the photo, which is required for commercial use of an identifiable model under Australian law (as well as in the U.S. under U.S. right of publicity laws).

TIP: We recommend against using images from free online photo sharing services in advertising. The person who submitted the image likely does not have authority to grant you the necessary rights for use of the likeness of an individual featured in one of these images. In addition, you can’t be certain that the person who uploaded the image is the copyright holder, and these Web sites do not offer any protection against claims of copyright infringement if the person who uploaded the image is not the photographer.


C. French CNIL Specifies New Regulations on Data Subjects’ Rights

On July 2, the French Data Protection Authority (CNIL) published instructions clarifying new legal obligations for database operators. This decree reinforces the possibility for French residents to refuse to be included in databases, since all consumers must be given the right to refuse commercial use of their data. Now French individuals must be provided with a specific “opt-in” request if a company wishes to include them in a database; merely indicating that the data will be included within the contract terms is no longer sufficient. CNIL specified that third-party users of a database must be informed when a data subject has opted out, that the data subject’s right to review, correct or oppose the use of his data can be exercised in person or by postal request, and that data subjects have the right to a “rapid” response to their request (two months being an acceptable delay for action). Moreover, the CNIL indicated that the data subject can be assisted or represented by third parties such as attorneys.

TIP: If collecting data from individuals in France that you wish to retain and use again, for example as part of a marketing database, you must obtain express consent, such as through an online “opt-in” box. Merely indicating in contract terms (such as a privacy policy or terms of use) that you will keep the individual’s personal data is no longer enough.



If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:

CHICAGO

Liisa M. Thomas (Advertising), (312) 558-8121
Christine A. Edwards (Financial Services), (312) 558-5571
Michael Melbinger (Employee Benefits), (312) 558-7588
Cheryl Tama Oblander (Labor and Employment), (312) 558-5797
Stephen P. Durchslag (Advertising), (312) 558-5288
Brian L. Heidelberger (Advertising), (312) 558-5897
Mary Hutchings Reed (Advertising), (312) 558-5721
Michael Philipp (Financial Services), (312) 558-5905
Brian D. Fergemann (Advertising), (312) 558-8024
Sarah La Voi (Advertising), (312) 558-8032
Audrey J. Lee (Advertising), (312) 558-7561
Delilah B. Flaum (Health Care, Litigation), (312) 558-8922

NEW YORK

Virginia R. Richard (Intellectual Property), (212) 294-4639
Lana C. Marina (Intellectual Property), (212) 294-6626

SAN FRANCISCO

Andrew P. Bridges (Intellectual Property), (415) 591-1482
David S. Bloch (Intellectual Property, Litigation), (415) 591-1452
Becky L. Troutman (Intellectual Property), (415) 591-1401
Jennifer A. Golinveaux (Intellectual Property, Litigation), (415) 591-1056

WASHINGTON, D.C.

Marion K. Goldberg (Health Care), (202) 282-5788
Paul S. Pilecki (Financial Services), (202) 282-5730
Michael A. Mancusi (Financial Services), (202) 282-5729

LOS ANGELES

Steven D. Atlee (Litigation), (213) 615-1827
Anna S. Masters (Labor and Employment), (213) 615-1711
Michael S. Brophy (Labor and Employment, Litigation), (213) 615-1807
Evan R. Moses (Labor and Employment), (213) 615-1713
David Goodman (Labor and Employment), (213) 615-1793

PARIS

Maxence Marsin (Corporate/Intellectual Property), 33 (0) 1 53 64 82 16

If you no longer wish to receive the Privacy and Technology Client Bulletin, please e-mail us at IPUpdate@winston.com or write us at Winston & Strawn LLP, Attention: Business Development Clerk, 35 W. Wacker Drive, Chicago, IL 60601.

These materials have been prepared by Winston & Strawn LLP for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.

Along with this Client Bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn LLP's Web site (www.winston.com).

Copyright © 2007. Winston & Strawn LLP.