E-Commerce Law Week, Issue 482

Data Breach Notification to Head North for the Winter?

While federal data breach notification legislation remains stalled in the U.S. Congress, Canadian officials have taken another step towards bringing breach notification north of the border. As we previously reported, in May a committee of the Canadian House of Commons recommended that the Personal Information Protection and Electronic Documents Act "be amended to include a breach notification provision." Last month, the Canadian Government threw its weight behind this proposal, noting in its comments on the committee's recommendations that a breach notification requirement would "encourage all organizations to take the security of personal information seriously" and allow those impacted by a breach to "mitigate their risk of harm." The Minister of Industry has requested input on "questions of timing, manner of notification, penalties for failure to notify ... and appropriate [notification] 'thresholds," with comments due by January 15, 2008. Given the increased prospect of federal breach notification legislation in Canada, companies that handle the personal information of Canadian residents may want to comment on these issues.

Coalition Asks FCC to Defend "Net Neutrality" by Barring Comcast from Degrading P2P Traffic

A recent petition and complaint against broadband Internet provider Comcast could force the Federal Communications Commission to clarify its position on "net neutrality." Several law professors and members of the Save the Internet Coalition allege that Comcast degrades Internet uploads made using certain popular applications -- including Lotus Notes and peer-to-peer (P2P) file-sharing software such as BitTorrent and Gnutella. The petitioners argue that Comcast's degrading use of these applications violates the Commission's September 2005 Policy Statement on network neutrality, which states that consumers are "entitled to run applications and use services of their choice." (While the Policy Statement is non-binding, the FCC has required adherence with its principles as a condition of the SBC/AT&T, Verizon/MCI, and AT&T/BellSouth mergers.) The petitioners ask the FCC to award "significant forfeitures" and to enjoin Comcast from the "degrading or blocking" of targeted applications. The FCC's findings in this case could help draw the line between "reasonable network management" and practices that threaten consumer choice in Internet applications and content.

Germany Enacts Data Retention Law

On November 9, the German Bundestag approved a law implementing the EU Data Retention Directive (2006/24/EC) that will require that communication providers in Germany retain connection data for at least six months, beginning January 1, 2009. Telecommunications providers are required to retain data relating to the date, time, sender, recipient, and duration of communications -- but not their content. VoIP providers will also be required to store the IP addresses of all parties to a communication. Mobile providers must also retain the location of the phone at the time of the call. If a provider does not itself generate or process connection data, it must make sure that the data is retained by another provider, and identify that entity upon request. Internet Service Providers must retain a subscriber's IP address and user ID, along with the date, time and length of the subscriber's connection . Email providers must store email addresses of all senders and addressees, the IP addresses of senders and sending communication systems, and the header of each email. The law also puts in place several other controversial measures, including a prohibition on the use of fictitious online identities. Although retention is not mandatory until January 1, 2009, communications providers may begin retaining data on January 1, 2008.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.