E-Commerce Law Week, Issue 426

Cable Act's Data Privacy Provisions Don't Cover Internet Access, Court Rules, Splashing Spectators

Defining terms like "information service," "telecommunications service," and "cable service" has sometimes made the Federal Communications Commission and courts engage in verbal flips and spins that make Greg Louganis look like an amateur at the neighborhood pool. But a recent decision by the U.S Court of Appeals for the Sixth Circuit treats one definitional issue as involving no greater degree of difficulty than a forward dive in the pike position. The court ruled that the Cable Communications Policy Act of 1984, which prohibits "cable operators" from using "cable systems" to collect "personally identifiable information" from customers, plainly does not apply to a cable company's broadband Internet access service, since that service is not part of a "cable system." Fair enough. But the court also held that the Act's requirement that cable operators provide written notice of data collection practices to subscribers of cable "or other service" also does not apply to Internet service. That part of the holding seems much more dubious. So, judge's score for the court's two efforts? A solid 9 for the first, but a 1.5 for the second.

Taking Down Terrorist Speech in the UK

On October 3, UK Home Office issued "Guidance On Notices Issued Under Section 3 Of The Terrorism Act 2006." Sections 1 and 2 of the Terrorism Act make it an offense to (1) publish a statement that encourages acts of terrorism; or (2) disseminate a terrorist publication, which is defined as material that encourages terrorism or is useful to its commission. Section 3 of the Act allows law enforcement to issue a "take down notice" to electronic service providers or users who disseminate material covered by the Act. The Home Office's Guidance reminds Internet businesses that the take down provisions are applicable to all UK and extra-territorial entities that host statements that are "unlawfully terrorism-related" -- i.e., that are "likely to be understood ... as a direct or indirect encouragement or other inducement ... to the commission, preparation or instigation of acts of terrorism" or that is "likely to be useful ... in the commission or preparation of acts of terrorism." The Act (which is in part a transposition of Article 5 of the Council of Europe Convention for the Prevention of Terrorism) thus goes beyond provisions in U.S. anti-terrorism statutes barring the provision of "material support or resources" for terrorism, and potentially conflicts with First Amendment protections afforded speech that does not incite "imminent lawless action." Although the Guidance details the steps to be taken when serving notice to a communication service provider in the European Economic Area (EEA), it does not address the broader conflict of laws issues that could arise should UK regulators attempt to apply the Act to websites hosted in the U.S. and other parts of the world.

EU Capitulates to US Requests in Passenger Data Deal

In May 2004, after lengthy negotiations, the EU and U.S. reached agreement on sharing of passenger name record (PNR) data for flights from Europe to the United States. However, the European Parliament, not satisfied that the deal sufficiently protected the privacy rights of EU residents, successfully sued in the European Court of Justice (ECJ) to invalidate it. The EU and U.S. reached a new interim deal on October 6 -- just past the ECJ's deferred September 30 deadline, but without any disruption of air travel because of European willingness not to take a tough line on privacy law in the intervening week. The only aspect in which the new deal is arguably more restrictive than the original deal is that it anticipates a transition from the current "pull" system of data exchange (under which the U.S. Department of Homeland Security directly accesses European airline computer systems) to a "push" system (under which airlines would instead provide the data to DHS). The timetable for this transition is not defined, and the deal specifies that there is no limit to the number of times that airlines can push data in response to DHS requests (with which they must comply). The new PNR deal is an interim agreement that expires by its own terms at the end of July 2007. But absent determined resistance (which may be difficult in the current security environment), the permanent deal that is expected to replace the interim one is not anticipated to be materially more restrictive of DHS actions.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.