
E-Commerce Law Week, Issue 378

November 12, 2005

You Say "PIPEDA," I Say...Two Victories For Online Business
Sometimes it seems that the USA PATRIOT Act is the red-headed stepchild of anti-terrorism laws.  Whether in the United States or abroad -- and despite the fact that most countries have their own equivalent of the law -- everyone loves to beat up on it, and perhaps none more so than the United States’ neighbor to the north. A growing movement in Canada to channel anti-Patriot Act fervor into a campaign against US outsourcers experienced a setback recently at the hands of one of its traditional allies -- the Office of the Privacy Commissioner of Canada. While acknowledging that "the privacy implications of anti-terrorism legislation and outsourcing need to be the focus of continued public debate," Canada’s privacy office found that a bank’s use of a third-party service provider in the United States to handle data for its credit cards did not violate Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) by potentially exposing Canadians' personal information to U.S. government access via the Patriot Act. 

In an unrelated, but noteworthy ruling, the Office of the Privacy Commissioner went so far as to suggest that some of the onus for protecting personal information online belongs to the individual, and not the company collecting the information. In that ruling, the privacy office rejected a customer's complaints that a company offering free web-email had not adequately protected her personal information by permitting improper access to her email account. The privacy office found it "difficult . . . to hold the company accountable when the complainant had not taken the company's advice to fully protect her own personal information."

Both decisions were released on October 19.

DHS Accepting Comments on Draft NIPP
There’s nothing like another thick, bureaucratic, contractor-written government plan to assuage our fears about terrorism.  And with its recently released draft National Infrastructure Protection Plan (NIPP), the Department of Homeland Security (DHS) has produced a gem of the genre.  The massive NIPP is supposed to provide the broad framework for coordination of the combined federal, state, local, and private-sector efforts to protect the country’s Critical Infrastructures and Key Resources from terrorist attacks.  No discussion about protecting critical infrastructure would be complete without mention of cybersecurity, and references to "cybersecurity" are scattered liberally throughout the 175-page document, including a 16-page appendix entitled, "Cross-Sector Cyber Element."  Among other things, the report purports to outline who (i.e., federal/local/private sector) is supposed to be responsible for what when it comes to securing cyberspace, and how DHS plans to manage "cyber risk" and ensure long-term cybersecurity. What's missing, unfortunately, is any sense that DHS is actually putting any priority into cybersecurity or has a real plan for playing a useful role in the cyber arena.  It's been over seven years since the government issued its first strategy for critical infrastructure protection, Presidential Decision Directive (PDD) 63.  While the new plan has a lot more pages than PDD 63, at bottom it doesn't say much that is new.  Worse, the fact that the Department issued such a lengthy regurgitation of previously expressed goals, strategies, and platitudes fails to hide what has become all too obvious -- that our government's capabilities for dealing with a major cyber attack have not improved since the creation of DHS, but have actually regressed.  DHS is accepting comments on the draft NIPP until December 5.  

FCC to VoIP Providers: "No E911, No New Customers"
The good news for Voice over Internet Protocol (VoIP) service providers is that the Federal Communications Commission (FCC) won’t force them to cut off existing customers who are still unable to dial into the enhanced 911 (E911) network by November 28. The bad news is that the FCC expects such providers to stop accepting new customers and to cease marketing their VoIP services in areas not fully compliant with the Commission’s E911 rules. These announcements come as part of an FCC Public Notice, released on November 7. The notice outlines the specific information that interconnected VoIP service providers must include in the Compliance Letters required by the FCC’s June 2005 E911 Requirements for IP-Enabled Service Providers, First Report and Order. As part of this Order, VoIP providers must submit Compliance Letters to the FCC on or before November 28.

Meanwhile, on November 2, the Senate Committee on Commerce, Science and Transportation approved S. 1063, a proposal that would require VoIP providers to offer 911 service but would require more flexibility from the FCC.  The bill lays out a waiver process by which interconnected VoIP providers could continue to add subscribers after December 31, 2005, by demonstrating to the FCC that the provider is “technically or operationally” unable to comply with FCC rules.  Unless the FCC decides to reverse itself again, this bill may be the best hope for VoIP companies unable to fully comply with the FCC’s E911 rules, but unwilling to pull the plug on signing up new customers.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.
