E-Commerce Law Week, Issue 502

April 12, 2008

The Ninth Circuit's Roommate from Hell? 

Judging by his reputation, we're sure Alex Kozinski would make a fun roommate.  But his opinion for the en banc Ninth Circuit in Fair Housing Council of San Fernando Valley v. Roommate.com, LLC could prove to be a fiasco for websites.  The en banc court held that Roommate was not immune for allegedly discriminatory profiles created by its members, since it contributed to the development of the profiles by requiring members to choose from a small set of answers to specific profile-creation questions.  The court also held that Roommate could not claim immunity for its search system or its email notification system, since those features of the site were "designed to steer users based on discriminatory criteria."  Recognizing that this ruling could make any website a co-developer of information that is generated using a site's dropdown menus or search services, the court offered websites this reassurance:  "If you don’t encourage illegal content, or design your website to require users to input illegal content, you will be immune."  A dissenting opinion questioned this rosy assessment, noting that the majority opinion "puts the webhost in the role of a policeman for the laws of the fifty states and the federal system."  The ultimate impact of the Ninth Circuit's decision will depend on how it is interpreted and applied by other courts.  But unless it is overturned by the Supreme Court, the decision raises the stakes considerably for websites that rely on user-generated content. 

EU Opinion On Data Protection Means All Work And No Party for Search Engines

In an opinion issued earlier this month, the European Union's Article 29 Working Party (an advisory body comprising representatives of the data protection authorities of EU member states) examined search engines' obligations under the Data Protection Directive (95/46/EC).  The opinion addressed two questions:  (1) when does the Directive apply to search engines; and (2) what must they do to comply?  The Working Party found that the Directive covers a broad range of search engine activities -- including the collection and use of IP addresses and search histories and the long-term caching of third-party web pages -- even if the search engine is based outside of the EU.  It also found that search engines may not retain personal data longer than necessary to "serve the specified and legitimate purpose" for which the data was collected -- which generally should not exceed six months. The Working Party also noted that several standard search engine practices -- including behavioral advertising -- may not be permissible without users' consent.  The Working Party's recommendations, if followed by national data protection authorities, could sharply limit leading search engines' data retention and targeted advertising practices.  

Two More Breach Notification Laws Coming On Line

South Carolina and West Virginia have joined the list of more than 40 U.S. jurisdictions that have enacted data breach notification laws.  The West Virginia law takes effect June 6, 2008, while the South Carolina law is effective July 1, 2009.  Both states' laws follow the normal model when it comes to standards for notification, though with some variations.  But the laws differ in their approach to enforcement.  The West Virginia law gives the state Attorney General exclusive enforcement authority, and allows civil penalties only where "the defendant has engaged in a course of repeated and willful violations," and caps all civil penalties at $150,000.  The South Carolina law gives the state Department of Consumer Affairs the power to assess administrative fines of $1,000 "for each resident whose information was accessible by reason of the breach," and also allows state residents who have been injured by a violation of the notification requirement to sue for damages, an injunction, and attorneys' fees and court costs.  Until federal data breach notification legislation with strong preemption is enacted, differences like these will continue to cause legal headaches for companies that must comply with the broad array of state data breach notification laws. 

UK Regulator Issues Data Breach Response Guidelines

The United Kingdom's Information Commissioner's Office (ICO) has released data breach response and notification guidance for companies that handle the personal information of UK residents.  Although "not intended as legal advice," this guidance could help companies comply with the Seventh Data Protection Principle of the UK Data Protection Act 1998, which requires covered entities to take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of … accidental loss or destruction of, or damage to, personal data."  Noting that these measures often include "the adoption of a policy on dealing with a data security breach," the ICO's new guidance addresses "some of the things an organisation needs to consider" when preparing such a policy.  To this end, it suggests a four-step breach response process:  "[c]ontainment and recovery," "[a]ssessment of ongoing risk," "[n]otification of breach," and "[e]valuation and response."  The guidance also advises -- but does not require -- organizations to notify the Office of all "serious breaches."
