E-Commerce Law Week, Issue 474

Sex and the CDA

We apparently are living in the Irony Age.  When U.S. senators known for their promotion of "family values" are discovered on a D.C. madam's phone list or in an airport restroom soliciting a police officer, perhaps we shouldn't be surprised when the "Communications Decency Act" (CDA) ends up protecting an adult dating website that connected a male member with a 14-year-old girl.  That's what happened in Doe v. Sex Search.com, in which a federal court ruled that section 230 of the CDA immunized SexSearch.com from claims stemming from its failure to verify the age of a female member.  Courts have interpreted section 230(c)(1) as giving websites and other "provider[s] or user[s] of an interactive computer service" immunity from suits that "treat[]" them as the "publisher" of information provided by a third party.  In SexSearch.com, the court found that this section barred claims against SexSearch, since it was not the "provider" or "developer" of a profile in which the female member falsely stated that she was 18.  The ruling follows the main trend of cases in which courts have broadly applied the CDA's legal protections to website operators.  Over the long-term, however, as more such cases with disturbing facts accrue, they may catalyze what seems to be a nascent movement in the courts to limit CDA immunity.  Alternatively, members of Congress may seek to "restore" decency to the Web by cutting back on the immunity provision through legislation.  Now wouldn't that be ironic.

RAM Dispute, Part Deux:  Court Upholds Order to Preserve and Produce Server Logs

Hollywood studios love a good sequel, whether it's a follow-up to a hit movie or a court ruling that aids Tinseltown in its fight against pirated films.  The studios recently got a taste of the latter, when a federal court in California upheld a magistrate's earlier ruling that, under Federal Rule of Civil Procedure 34 (which permits discovery of relevant "electronically stored information"), the operators of the TorrentSpy website could be compelled to preserve and produce data stored -- even if only temporarily -- in the RAM of a web server.  While this decision -- in Columbia Pictures, Inc., v. Bunnell -- may cheer Big Content, like many Hollywood sequels, it is sure to leave some observers cold.  If adopted by other courts, this ruling could greatly increase the volume of communication records, website logs, and search terms that parties must retain and produce during litigation.

UK Information Commissioner to Court:   It’s Not Business, It’s Personal

In an apparent rebuke to the UK Court of Appeal, the UK's Information Commissioner’s Office (ICO) has issued guidance that broadens the definition of what constitutes "personal data" requiring protection under the UK Data Protection Act 1998 (DPA).  The Court of Appeal, in Durant v Financial Services Authority [2003] EWCA Civ 1746, had held that not all personally identifiable data in a company’s records require protection as “personal data”; rather, information is “personal” only if is "biographical in a significant sense" and/or has the individual as its focus. Subsequent U.K. cases (Johnson v. The Medical Defence Union [2004] All ER (D) 131 (Nov) and Smith v. Lloyds TSB Bank Plc [2005] All ER (D) 358 (Feb)) affirmed this narrow interpretation.  But Durant led to a formal complaint in 2004 from the European Commission and heavy criticism from data privacy groups, which argued that the court’s definition was inconsistent with the EU Data Protection Directive.  Apparently in response to these complaints, and following hot on the heels of an EC Article 29 Data Protection Working Party Opinion 4/2007, the ICO’s new guidance would essentially have companies treat as “personal data” any information that “relates to,” “is obviously about,” or “is linked to” a living, identifiable person.  This could lead to more information being brought within the scope of the DPA than was previously thought to be the case.  While companies operating in the UK may not yet need a "wartime consigliere,"  the stand-off between the ICO and the court will make compliance with the UK’s data protection rules more confusing, and more difficult.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.