E-Commerce Law Week, Issue 433
December 2, 2006
EU Gives SWIFT Kick on Conflict of Laws Issues
While millions of Americans were enjoying their Thanksgiving turkey, the Brussels-based international banking consortium known as SWIFT was trying to digest something much less palatable: a finding that the consortium and participating financial institutions had violated the EU Data Protection Directive by providing personal data to the U.S. government in response to a subpoena. In an opinion adopted on November 22, the European Union’s Article 29 Working Party found that SWIFT had engaged in a "serious violation" of the Directive by failing to adequately safeguard personal data stored and processed by the consortium’s U.S. arm. This personal information was shared with the U.S. Department of the Treasury as part of SWIFT’s efforts to cooperate with the U.S. government's "Terrorist Finance Tracking Program," which uses administrative subpoenas to obtain information about global financial transactions. The Working Party's opinion comes on the heels of German data protection officials’ finding that SWIFT and participating German banks violated both national and EU data protection laws. And, as we previously reported, data protection officials in Belgium and Switzerland have reached similar conclusions. These findings put SWIFT and participating institutions in a conflict-of-laws conundrum, since compliance with U.S. data demands is deemed to violate European law. Such conflicts are likely to affect other global companies subject to U.S. data demands, including communications companies, credit card associations, and financial institutions.
French Supreme Court Sets Limits on Employee Use of Encryption
The French will tolerate little secrets -- as was famously displayed when Francois Mitterrand's wife and long-time mistress stood side by side at his 1996 funeral. In the workplace too, French laws (and national data protection authority CNIL) zealously defend employee privacy. But a recent decision of the French Supreme Court regarding the use of encryption at work suggests that these principles only go so far, with fairly significant implications for employers in France and perhaps elsewhere. In Jeremy L.F. v. Techni-Soft, the Supreme Court upheld lower court decisions supporting the firing of salesman Jeremy Le Fur for refusal to stop using encryption to protect files on his work computer. The court concluded that "documents and files created by an employee with IT tools provided by his employer for work-related purposes are presumed, unless the employee identifies them as personal, to have a professional character such that the employer may have access to them outside his presence." Although this decision does leave room for employee use of encryption for files identified as personal, the fact that it sets limits on such rights is important, particularly in a country as privacy-conscious as France. Given the common framework of the EU Data Protection Directive, this decision is also likely to be persuasive in other countries of the EU (which will expand to 27 countries in January 2007 with the addition of Bulgaria and Romania).
Banking Groups Release Guidance for Responding to Data Breaches
Companies that suffer a data security breach must negotiate a crazy quilt of state and federal laws. And even with the most adept handling, the breach may still damage customer confidence and companies' reputations -- and draw the attention of the Federal Trade Commission, state Attorneys General, and the plaintiffs' bar. In an effort to help financial institutions avoid these potential pitfalls, the BITS Financial Services Roundtable and the American Bankers Association recently released guidance for "developing and executing response programs." Although intended primarily for financial institutions, the document also extends to other industries, advising "all entities that handle sensitive customer information" to implement "similar security standards." And with Democrats hinting that data security and identity theft may be priorities in the coming congressional term, the document seems as much directed at lawmakers as at the business world.
UK Criminalizes Development and Distribution of Hacker Tools
The UK government last month published the new Police and Justice Act 2006, which was recently adopted by Parliament (and given royal assent by the Queen). Among other things, the Act makes several amendments to the Computer Misuse Act 1990, the UK's main anti-hacking statute. One of the amendments criminalizes the development and distribution of any article with the intent that it be used to commit, or to assist in the commission of, any of the other offenses defined in the Computer Misuse Act; a second limb reaches anyone who supplies such an article while believing that it is likely to be so used. The new language is intended to target those who design and distribute malicious code (e.g., viruses, worms, Trojan horses) and exploits that attack computer system vulnerabilities. But these provisions also raise the possibility that individuals who design network penetration tools for security testing or research could face prosecution in the UK, and the amendment has therefore been very controversial in computer security and academic circles. To be fair, the approach taken focuses on the intent to commit or assist an offense (indicating that the well-intentioned are not the intended targets), and is far better than an alternative that was considered, which attempted to define specifically what types of hacking tools are prohibited. Nevertheless, because the same tool is routinely used both for authorized testing and for unauthorized attacks, a prosecutor could allege that even a well-intentioned person "believed" that his network penetration tool was "likely to be used" for unlawful purposes. Accordingly, these amendments to the Computer Misuse Act suggest that UK computer security researchers should tread with care when engaging in conduct that might arguably fall within the scope of this prohibition.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.