
E-Commerce Law Week, Issue 344

March 19, 2005

Is the United States Going to Get Even Tougher on Foreigners?
In its efforts to fight terrorism, the Bush Administration has substantially tightened US immigration rules and other controls on access of foreigners to the United States. It now appears that the US government is testing the waters for tougher restrictions on US companies that employ foreign nationals who may have access to controlled technology. Last year, the US Department of Commerce issued a report indicating that the enforcement of regulations on "deemed exports" by the Bureau of Industry and Security (BIS) might not be strong enough, and a notice should soon be published requesting comment on the report’s recommendations.

Sacrebleu! The French Reduce Anti-Spam Restrictions for Business
When it comes to regulation of the Internet -- or regulation of anything for that matter -- France is often in a class by itself. So it is somewhat surprising that the Commission Nationale de l'Informatique et des Libertés (“CNIL”), France's data protection authority, announced on March 2, after lengthy discussions with industry representatives, that it would loosen its regulation of commercial emails in the “business-to-business” context.

The sending of unsolicited commercial email is governed in France by the "Loi pour la Confiance dans l'Economie Numérique" ("Digital Economy Law") (2004-801).  Among other things, the law implemented the EU Privacy and Electronic Communications Directive (2002/58/EC), which includes an "opt-in" provision for direct-marketing emails to businesses.  But the CNIL found that the opt-in provision was overly broad and had the effect of “slow[ing] electronic exchanges between professionals, or business-to-business prospecting.”  This finding marks a comparatively rare moment when a French regulatory body has chosen to promote e-commerce over e-commerce regulation.   

Time to be Shy About SHA
A team of encryption researchers in China has recently announced that they have discovered a weakness in SHA-1, the most widely used hash algorithm on the Internet. This is a significant mathematical discovery, and big news for cryptographers, but it doesn't yet present any significant security or legal problem for encryption based on SHA-1. This type of discovery is entirely unrelated to the recent wave of information security breaches that have led to widespread calls for tighter regulation of security practices. However, this development does suggest that architects of security systems should start being shy about using SHA-1, and consider switching to more secure alternatives.

"Grassroots" Data Retention Creates a Legal Patchwork in the EU
A major component of the European response to security concerns from terrorism has involved requirements for telecommunications and Internet companies to retain communications "traffic data" for lengthy periods of time, in order to facilitate later law enforcement investigations. Although an EU-level Framework Decision on data retention proposed in April 2004 has stalled, EU member states have begun to adopt data retention requirements, using existing authority under Article 15(1) of the EU Privacy and Electronic Communications Directive (2002/58/EC). For example, Ireland adopted a three-year requirement last month, and a recent court decision in France has expanded the data retention requirements in that country. Several other member states also have such requirements. The result is a confusing patchwork of requirements, particularly for communications companies that do business in multiple European countries or that store traffic data for one country on facilities in another country.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.
