E-Commerce Law Week, Issue 351

Fighting the Patriot Act With Protectionism
As Congress gears up for the debate over renewing certain provisions of the USA PATRIOT Act (Patriot Act), bitter privacy attacks on the Act are hitting an unusual target – US outsourcers. American businesses are increasingly at risk as other countries buy into the anti-Patriot Act sentiment expressed by US civil liberties interests.  Foreign governments find it hard to resist the politics of a measure that both tweaks the Bush Administration and excludes foreign competition. For example, the Canadian Treasury Board Secretariat (TBS) and Federal Privacy Commissioner are working on a proposal to amend all federal procurement contracts in hopes of protecting Canadians’ personal information from being accessed by US law enforcement authorities. The South Australian government is also examining its data-processing contracts with a US-based company due to concerns about the Patriot Act.  And British Columbia's (BC) provincial government has already enacted legislation and government contracting guidelines aimed at preventing BC residents' personal information processed by US-affiliated companies in Canada from crossing the border.

State Legislatures Tackle Data Security
“ChoicePoint” bills are now proliferating faster than black-market North Korean weapons.  Legislatures in in Montana (HB 732), North Dakota (SB 2251), and Washington (SB 6043) passed data security bills similar to California's existing security breach notification law (SB 1386).  All three new bills require businesses that own or license information to notify individuals upon discovering that there has been a security breach of resulting in the unauthorized acquisition of computerized, unencrypted data that compromises the security, confidentiality, or integrity of the personal information.  Additionally, on April 25, Arizona Governor Janet Napolitano (D) signed two privacy-related measures (SB 1058 and HB 2470) that establish the category of aggravated identity theft as a Class 3 felony and create civil penalties for violating Social Security number confidentiality restrictions.  The Arizona bills, however, do not contain any breach notification provisions. 

Immigration Agency Finally Issues Rule on High-Tech Visas
For tech companies hoping to hire more skilled foreign workers for jobs in the United States, learning of the release of an additional 20,000 H-1B work visas is like hearing that U2 just announced an additional show at Madison Square Garden.  The US Citizenship and Immigration Services (USCIS) rule detailing the requirements for the additional visas allocated by Congress for fiscal year 2005 was published on May 5 in the Federal Register.  USCIS will only grant the visas to foreign workers who have earned a master's degree or higher from a US university.  And companies hoping to obtain one or more of the visas for their employees should act fast.  Due to extremely high demand, it’s likely that only those petitions received by USCIS by the end of this week will be eligible to receive a visa.

New FCC Chairman Tells Congress About Plans to Require 911 for VoIP
Following Canada's lead, the Federal Communications Commission (FCC) may soon issue regulations requiring Voice over IP (VoIP) companies to provide 911 emergency calling capabilities. This possibility has been raised before in a number of previous FCC proceedings, including the pending IP-Enabled Services and E911 dockets. However, there are signs that the FCC may finally be ready to act.  At a House subcommittee hearing on April 26, recently-installed FCC Chairman Kevin Martin said that he is "very concerned" about the problems associated with many customers' inability to call 911 on their VoIP phones. He said that he wanted to address the issue by May and that he might even propose something to his fellow commissioners at their next open meeting to explicitly require that 911 services be made available by VoIP providers. But that meeting came and went, and Martin made no such proposal, which means that the issue will not be on the FCC's agenda at least until its next meeting on May 19.

EU Clarifies "Fourth Way" for Foreign Data Transfers
Global companies trying to cope with Europe's data protection laws have traditionally had three options if they wanted to move personal information out of Europe. They could get the consent of everyone whose data would be moved.  They could execute a web of agreements among the receiving and sending companies, essentially guaranteeing that European protections would follow European data.  Or they could move the data only to the handful of countries whose data protection laws had been approved by European authorities – Argentina, Canada, Guernsey, Isle of Man and Switzerland – and the US, at least for companies that have joined the US-EU Safe Harbor.

Now there's a fourth way. In a pair of documents issued in mid-April – a Model Checklist for Approval of Binding Corporate Rules and a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From "Binding Corporate Rules" – the EU Article 29 Data Protection Working Party set out procedures for approval of "binding corporate rules" ("BCRs"), adopted by a multinational company or other entity, that require compliance with the requirements of the Data Protection Directive and provide for redress by data subjects for violations of their data protection rights. The BCRs approach supplements the other three main options for transfer of personal data outside of the European Economic Area in accordance with Articles 25 and 26 of the Data Protection Directive.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.