E-Commerce Law Week, Issue 454May 5, 2007
Suit Targets Yahoo! For Actions in China, Using American Law from 1789
What would the Founding Fathers have thought about tech companies' alleged cooperation with Chinese censors? Thanks to a recent lawsuit invoking the 218-year-old Alien Tort Statute (ATS), the question is no longer academic. Last month, with the help of a U.S. human rights group, Chinese political prisoner Wang Xiaoning, his wife, and additional yet-to-be-identified individuals filed suit against Yahoo! and its Chinese subsidiaries and business partner in a federal court in California. Plaintiffs contend that, by allegedly voluntarily providing Chinese authorities with identifying information about plaintiffs and their communications, the defendants knowingly "aided and abetted" the Chinese government's detention, torture, and mistreatment of Xiaoning and others. Plaintiffs allege that the defendants thereby contravened the Torture Victim Protection Act, the Electronic Communications Privacy Act, and California law. They also claim that the defendants are liable for violations of international law under the ATS, which grants U.S. courts jurisdiction over "any civil action by an alien for a tort only, committed in violation of the law of nations or a treaty of the United States." Companies that operate abroad should watch this case closely, since a broad application of the ATS or one of the other laws at issue could significantly increase their risk of liability for cooperating with foreign law enforcement or security agencies.
EU Data Retention Implementation Gradually Picks Up Steam, But Where Is It Heading?
EU member states are required to implement the EU Data Retention Directive ("Directive") by September 15, 2007, for certain communications services. But as that deadline looms just over four months away, member state implementation activity has been very slow, presenting telecommunications and Internet service providers with the difficult problem of rapid compliance with as yet unknown obligations. The only member state that has so far adopted implementing legislation appears to be Denmark. Although implementation is beginning to pick up steam, with France and Germany recently introducing proposed legislation, there is a long way to go, and not very long to get there. The best course of action for service providers appears to be to pay close attention to developments, and to make appropriate judgment calls on required actions as the implementation of the Directive evolves.
France Slaps Tyco on the Wrist for Data Protection Deception
Multinational countries spend an increasing amount of time worrying about data protection compliance, and this is indeed an important issue. However, enforcement reality does not necessarily match the level of compliance concern. This is well-illustrated by a recent enforcement action against Tyco Healthcare France ("Tyco") by French data protection authority the Commission Nationale de l'Informatique et des Libertés ("CNIL"). The CNIL's enforcement action followed a troubling tale of missteps by Tyco which culminated in an enforcement decision in December 2006, but which was only announced in mid-April this year. Although Tyco made some arguments defending its conduct, the CNIL concluded that "Tyco Healthcare France has clearly not understood the gravity of the failures of which it is accused concerning its lack of cooperation and transparency." As a result, the CNIL decided to fine Tyco … sit down and hold onto your chair … the princely sum of €30,000. This has to be regarded as a slap on the wrist in the global scheme of regulatory enforcement. And it is reportedly only the second fine that the CNIL has ever issued for breach of French data protection laws.
Questions and comments about E-commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.