E-Commerce Law Week, Issue 503

April 19, 2008

French Court Eviscerates Website Immunity for User-Generated Content

In France, as in the United States, Internet companies are supposed to enjoy legal protection from suits over content provided by third parties.  But, if recent U.S. decisions have chipped away at the immunity available to websites under section 230(c)(1) of the Communications Decency Act, a recent French decision has blown a gaping hole in the defenses available under French law.  Article 6-I-2 of the French Law for Confidence in the Digital Economy (LCEN) (which mirrors Article 14 of the EU E-Commerce Directive) states that public providers of "communications services" cannot be held liable for "information stored at the request of a recipient of those services" if the provider "did not have actual knowledge of [the] illegal nature" of the information, or if the provider "acted expeditiously to remove the data or make access impossible" after learning of its illegality.  But the Paris Court of First Instance held last month that Bloobox.net was not immune for hosting a user-submitted link on its Fuzz.fr service, and was liable as an editor for its putative involvement in the "organization and presentation" of the link and associated headline.  This decision extends a trend in which European courts have increasingly been willing to find Internet companies liable for user-generated content.  If this trend continues, websites and Internet providers will be looking at major legal problems in Europe.

"Meta Tag, You're It"

The Eleventh Circuit recently held, in North American Medical Corp. v. Axiom Worldwide, Inc., that placing a competitor's trademarks in "meta tags" is a "use in commerce" that is "likely to cause confusion," and may therefore be actionable as trademark infringement under the Lanham Act.  (Meta tags are hidden code containing information about a website, which search engines use to categorize and rank sites in response to a search query.)  In addition to dealing a blow to websites that use competitors' trademarks in their meta tags, the court's ruling could also prove problematic for search engines and online advertising services that use trademarked search terms to trigger their ads.  In other words, meta tags are no mere children's game.

Danger, Will Robinson! Court's CFAA Ruling Does Not Compute

As we've previously reported, employers can use the Computer Fraud and Abuse Act (CFAA) to go after former employees who have pilfered company data.  But, in GWR Medical, Inc. v. Baez, a federal court in Pennsylvania recently found that an employer could not base a CFAA claim on an unreturned compact disc, because a CD, in the court's view, does not fall within the statute's definition of a "computer."  The court read the definition as requiring that the device engage in "processing" data rather than just storing it.  But the plain text of the CFAA casts doubt on this reading, since it defines "computer" as meaning not only a "high speed data processing device," but also "any data storage facility ... related to or operating in conjunction with such device."  The real question, then, is not whether a CD processes data on its own, but whether it constitutes a data storage "facility."  We doubt this is the last word on this subject.  So, for now, a CFAA claim still seems like a viable tool for suing someone who makes off with a CD full of proprietary data.

Court's Ruling Could Help Plaintiffs Show "Injury-in-Fact" in Data Breach Suits

For the plaintiffs' bar, winning damages for those whose personal information has been compromised in a data breach has been an uphill battle.  As we've previously reported, most courts have refused to grant plaintiffs in such cases standing without evidence that the breach has caused identity theft or financial harm, and held that allegations of emotional distress or increased risk of future harm do not sufficiently state an "injury-in-fact."  But, in American Federation of Government Employees v. Hawley, the U.S. District Court for the District of Columbia recently held that four Transportation Security Administration security officers could sue the TSA, its Administrator Kip Hawley, the Department of Homeland Security, and DHS Secretary Michael Chertoff for an alleged violation of the Privacy Act stemming from TSA's loss of a hard drive containing personnel data for 100,000 individuals -- despite the fact that the plaintiffs alleged only a variety of emotional harms but not "current, actual, financial loss."  Although the court's holding was limited to the Privacy Act, which applies to government agencies, the court's rationale could be persuasive to courts hearing data breach suits against private companies.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.