E-Commerce Law Week, Issue 460

Court RAMs Home Message: Temporary Storage May Not Be So Temporary

Data privacy and data retention are hot issues these days.  While American and European legislatures and regulators wring their hands over how to balance the interests of privacy, law enforcement, and commercial imperatives, courts are not hesitating to step into the breach in unexpected ways.  Last month, in Columbia Pictures Indus. v. Bunneli, a federal magistrate judge in California ordered TorrentSpy, a website that offers dot-torrent files for download by users, to preserve and produce information about users' interaction with the site, even though this information is purposely not logged but only stored temporarily in the RAM of either the TorrentSpy server, located in the Netherlands, or of servers controlled by a third-party middleman, located around the world.  The ruling was based on the Federal Rules of Civil Procedure, which require litigants to retain and produce "electronically stored information" relevant to a case. The court rejected the defendants' various arguments for why retention and production should not be required – including costs, the website's privacy policy, the Stored Communications Act (SCA), the Wiretap Act, the pen register statute, the First Amendment, the potential loss of users' good will, and conflicts with Dutch data protection law.  If this ruling becomes the norm in discovery, it could lead to much greater retention and production of communication records, website logs, and search terms during litigation.  More broadly, if courts routinely order data retention during discovery, even where such retention is not part of a company's normal business practices, the slope leading to a broad data retention mandate seems likely to get a lot more slippery.

"Working Party" May Be an Oxymoron, But Google Hopes It Can Resolve Other Contradictions

Google's handling of users' personal information has come under fire on several fronts, with advocacy groups urging the Federal Communications Commission to review the privacy implications of Google's proposed purchase of DoubleClick, and Privacy International harshly criticizing Google's privacy protections.  While the "cyber liberties" community may never be satisfied, Google's cooperative posture appears to have had some success in assuaging concerns raised by the EU's Article 29 Working Party about the company's data retention policies.  In a June 10 letter to the Working Party, Google explained the reasons for retaining user-identifiable server log data and announced that it would anonymize such data after 18 months, rather than the 18 to 24 months it had previously planned.  Google did not comment on how long it would retain the anonymized server logs, which would still include users' search queries. As an early entrant to the data retention debate and the 800‑pound gorilla of the search industry, Google's continuing negotiations with the Working Party could go a long way towards establishing de facto standards for what retention period is "proportionate" to search engines' business needs – at least in Europe.  The negotiations could also point the way to a resolution of some of the open questions about how to balance data privacy rules with existing or proposed data retention obligations.

Federal Court Claims Jurisdiction Over "Real" Property Dispute in the Virtual World

Second Life, owned and operated by Linden Research Inc., was one of the first virtual worlds to allow players to claim intellectual property protections for their in-world creations, trade in virtual goods, and even purchase, rent, improve and sell virtual land.  Property rights have proven a boon to the Second Life economy, driving daily user-to-user transactions of more than $1.5 million U.S. Dollars – real dollars, that is.  But they have also given rise to a debate over who should have the ultimate say in disputes involving these increasingly valuable cyber properties:  the administrators of the virtual world, or the courts of the physical world.  Last month, a federal court in Pennsylvania asserted jurisdiction, ruling in Bragg v. Linden Research, Inc., that former Second Life "resident" and lawyer Marc Bragg could go forward with a suit alleging that Linden had unlawfully confiscated his virtual land.

FCC Sets Dates for Comments on Potential New CPNI rules

The Federal Communications Commission's Further Notice of Proposed Rulemaking to consider new rules for the protection of Customer Proprietary Network Information (CPNI) has been published in the Federal Register.  As a result, comments on the Further Notice are due on July 9 and reply comments are due on August 7, 2007.  As we previously reported, CPNI consists of a range of subscriber-related information, including call-detail and usage information, the disclosure of which can have significant privacy implications, as the HP "pretexting" scandal shows.  The FCC's CPNI rules are intended to protect the privacy of telephone subscribers by imposing restrictions on when and how carriers can use or disclose such information.  The issues raised by the FCC should be of immediate interest to the carriers who will be burdened by the new proposals, including the newly covered interconnected VoIP providers.  Internet Service Providers and other companies that could eventually be subject to similar data security and/or data destruction requirements may also be interested.  Now that comment dates have been established, interested parties should begin preparing their response as soon as possible.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.