E-Commerce Law Week, Issue 400

EU Data Retention Directive to Take Effect, Not Without Controversy
The controversial new EU Data Retention Directive ("Directive") was published April 13 in the Official Journal of the European Union. Under the Directive, which cleared its most important hurdle when it was adopted by the European Parliament last December, ISPs and fixed-line and mobile operators will be required to retain communications data of their EU customers (not including the content of communications). The Directive will take effect 20 days after publication, but the more important deadlines come later. EU member states will have until September 15, 2007, to implement the Directive for traditional telephone services and ordinary mobile voice services. For "Internet Access, Internet telephony and Internet e-mail", member states had the option to declare that they would reserve the right to delay implementation until March 15, 2009, and 16 member states have exercised this option -- Austria, Belgium, Cyprus, Czech Republic, Estonia, Finland, Germany, Greece, Latvia, Lithuania, Luxembourg, Netherlands, Poland, Slovenia, Sweden, and the United Kingdom. But nine member states did not, including three of the EU's five biggest economies -- France, Italy, and Spain -- as well as Denmark, Hungary, Ireland, Malta, Portugal, and Slovakia. For these countries, the earlier deadline of September 15, 2007, will apply to Internet services as well.

Cross Border Technology Firm Mergers Face Uncertain Terrain
In late March, near the conclusion of a rare, full-blown investigation by the Committee on Foreign Investments in the United States (CFIUS), the Israeli software firm Check Point abandoned its plans to buy US rival, Sourcefire, Inc. Although played up by most media outlets as a casualty of the Dubai ports deal fiasco, the demise of the Check Point deal was probably doomed from the start. FBI and Pentagon officials had expressed strong misgivings over the prospect of a company with possible ties to Israeli military and intelligence agencies gaining control over Sourcefire's sensitive, government-used software. The specific software at issue was a "specialized intrusion detection" program called "Snort," which protects information on US military and intelligence computers. More recently, the proposed merger of Alcatel SA of France and Lucent Technologies threatens to raise similar hackles. Lucent, after all, runs Bell Labs -- the "elite research institution" that handles sensitive research for the Department of Homeland Security, the National Aeronautics and Space Administration, and the Defense Advanced Research Projects Agency, among others. It also designs communications systems and software that could, in the wrong hands, be used to facilitate foreign espionage or cyber attacks.  Thanks, however, to some preemptive moves by the two companies to assuage US concerns, the Alcatel/Lucent deal probably will go through. Still, the US government's concerns about possible covert access to sensitive information and cyber attacks will have broad ramifications -- possibly limiting not only foreign acquisition of US companies, but also the offshoring of government contract work and private sector work involving sensitive information or technology.

French Supreme Court Confirms Illegality of Spam
In a March 14 decision in the case of Fabrice F. v. Ministere Publique, the French Supreme Court (la Cour de Cassation) confirmed that the sending of commercial email messages without recipient consent violates French data protection law. This decision is not surprising, but is worthy of note because it ends a rather lengthy battle and establishes an influential precedent regarding the illegality of spam in Europe.  Although the decision in Fabrice H. results from an interpretation of French data protection law, similar principles apply more broadly in Europe.   Under Article 13 of the EU Privacy and Electronic Communications Directive, which took effect in 2003, all EU member states are required to provide by law that "electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent." This requirement of prior consent is significantly stricter than the restrictions on the content of marketing emails under the federal CAN-SPAM Act in the United States (although more stringent anti-spam prohibitions exist under various state law). In short, for any service providers still wondering whether to be careful about spam in Europe, the answer remains "Oui."

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.