E-Commerce Law Week, Issue 411

July 1, 2006

Big Kahunas of Industry Hold Privacy Luau, But Where's the Poi?
Twelve major U.S. companies -- including technology giants eBay, Google, Hewlett-Packard, Intel, Microsoft, Oracle, Sun Microsystems, and Symantec -- signed on to a one-page "Statement of Support in Principle for Comprehensive Consumer Privacy Legislation." The statement calls for a "serious process to consider comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework." Though short on specifics, the Statement's main thrust is to call for a uniform set of federal privacy standards that would preempt state laws. The companies are all members of the recently organized Consumer Privacy Legislation Forum (CPL Forum), and several of them appeared at a June 20 hearing of the House Subcommittee on Commerce, Trade, and Consumer Protection. The CPL Forum's statement concludes that "[b]ecause a national standard would preempt state laws, a robust framework is warranted." But the crucial question is just how robust privacy protections should be, and how the group would like Congress to balance those protections against industry's desire to be able to collect, use, and share information about customers. This is an issue that Congress has typically dealt with in only a piecemeal fashion, leaving huge gaps to be filled by the states, if at all. So the call for a more comprehensive approach could be helpful, as long as it doesn't result in European-style regulations that impose huge compliance costs and stifle the exchange of information.

'Hands On' The Internet -- FCC Subjects Interconnected VoIP Providers to Discriminatory USF Liability
While the Federal Communications Commission continues to pay lip service to light-handed regulation of the Internet and "net neutrality" seems not quite dead in Congress, the reality on the ground is that regulation of Internet-based services (and VoIP in particular) continues to inexorably and aggressively expand. On June 27, the FCC released its anticipated Report and Order subjecting interconnected VoIP revenues to universal service fund (USF) contributions on an interim basis. The FCC's order is notable for two things. First, in its latest effort to avoid the fact that its Internet policies are based on legally incoherent analyses, the FCC has once again refrained from classifying VoIP services under the Communications Act. Second, and more important, the FCC imposed more onerous USF requirements on interconnected VoIP providers than on other USF contributors. In addition to more burdensome reporting requirements, the FCC's action will result in interconnected VoIP revenues being subject to at least twice the USF liability normally applicable to other telecommunications revenues for two full quarters after the Order becomes effective.

Visa Card Issuers Harmed By BJ's Breach Can't Recover on Breach of Contract Theory
Banks that issue credit cards often suffer the main economic harm when a security breach leads to the disclosure of lots of credit card numbers, since they have to reimburse cardholders for any fraudulent purchases on their cards and go through the expense of replacing the cards. Some courts have held that the "economic loss" rule bars recovery on a negligence claim where the only damages are economic in nature, in part because companies can contract to allocate the risk in such situations. But that rationale pertains only if the companies involved actually have a contract. According to a recent decision by a federal district court in Pennsylvania, a card issuer can't recover against a company responsible for the breach even if the two are members of the Visa credit card association, since the issuer was not an intended third-party beneficiary of the defendant's contract with Visa. The decision points up the limits of contract claims as a source of recovery where there is no privity of contract between the parties. The upshot for card issuers, at least, may be an effort to change the rules of card associations to reallocate risks among the member companies.

OMB Issues Guidelines for the Handling of "Remote" Data
In the wake of the recent string of data security failings at the Department of Veterans Affairs and at least four other government agencies, the Office of Management and Budget issued a memorandum to agency and department heads addressing the "Protection of Sensitive Agency Information." The memo and its accompanying checklist provide "specific actions" that federal agencies should take to protect personally identifiable information that is either "[a]ccessed remotely" or "physically transported outside the agency's secured, physical perimeter." The memo is not revolutionary -- industry groups and government organizations such as the BITS Financial Services Roundtable and the Federal Trade Commission have provided similar guidance for the private sector in the past, and the memo itself is largely a restatement of policy recommendations originally published by the National Institute of Standards and Technology. But it does serve to remind security specialists and agency managers of both the often neglected human element of data security -- two of the four steps on the memo's security checklist focus on the importance of matching policy to personnel -- and the important role that encryption plays in any data security policy. Furthermore, most of the OMB's recommendations could be adopted by the private sector. What that means for companies is that the FTC and courts may consider these measures to be a necessary part of the emerging standard of "reasonable" care when it comes to FTC enforcement actions or civil lawsuits.

Belgium to Investigate Banking Consortium that Gave Data to U.S. -- Other Countries Could Follow
SWIFT -- the Brussels-based international banking consortium that has been providing the U.S. Treasury Department with access to a global database of confidential financial transactions -- is now facing the inevitable backlash such a revelation brings. On June 26, the Belgian government asked the Council for Information and Security to examine whether "actions taken by the United States and SWIFT are permissible under Belgian law." The examination will be undertaken by the country's national security, counter-fraud, and data protection offices. Meanwhile, the London-based group Privacy International announced on June 28 that it had filed formal complaints against SWIFT in 33 countries, alleging that SWIFT violated European and Asian data protection rules by providing the United States with confidential information about international money transfers. Privacy International filed the complaints in all 25 EU member states, along with Australia, New Zealand, Canada, Switzerland, Liechtenstein, Norway, Iceland, and Hong Kong. These actions bring to the fore again the potential for serious conflict between U.S. data collection practices for law enforcement and intelligence and European data protection rules.

French Online Music Legislation Seems Off Pitch
It is not unusual on global legal issues for the French to march to the beat of a different drummer or -- in a more contemporary idiom -- to dance to the beat of a different MP3 player. For the last several months, the French Parliament has been doing exactly that in its debates on legislation governing copyright issues for online content distribution. The biggest target has been the proprietary digital rights management (DRM) technology of the Apple iTunes business. Last week, the French Parliament agreed on a compromise version of the Law on Authors' Rights and Neighboring Rights in the Information Society. While the latest French proposals are less problematic for Apple than initial proposals, they still leave much to be desired.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.
