E-Commerce Law Week, Issue 509

Fifth Circuit Rules that CDA Bars Suit against MySpace for Failure to Protect Minor

The Fifth Circuit recently held in Doe v. MySpace Inc. that section 230(c)(1) of the Communications Decency Act (CDA) barred a mother and daughter from suing MySpace Inc. and its parent company, News Corporation, for negligence after the daughter was sexually assaulted by a man she first met on MySpace.com.  The court ruled that MySpace could not be held liable for its alleged failure to protect the daughter, since doing so would treat MySpace as a publisher of information provided by another content provider, in violation of section 230.  Websites that handle third-party content will probably welcome the Fifth Circuit's ruling.  But, given its limited scope and several less favorable opinions by other courts in recent months, the strength of websites' CDA immunity remains very much an open question.

Court Asserts Jurisdiction Over Teddy Bear Grudge Match 

In The Bear Mill, Inc. v. Teddy Mountain, Inc., a federal court in  Idaho found  specific personal jurisdiction over a trademark infringement suit filed by one teddy-bear seller against another.  Canadian defendant Teddy Mountain's website allegedly contained references and pictures concerning plaintiff The Bear Mill without the latter's authorization. The court held that this was enough to establish jurisdiction in Idaho under the "effects" test of Calder v. Jones, 465 U.S. 783 (1984), since Teddy Mountain 's actions were intentional, its website was accessible in Idaho, the companies were competitors, the defendant knew that The Bear Mill’s principal place of business was in Idaho, and any sales facilitated by the trademarked materials would harm The Bear Mill in Idaho.  Thus, the court reasoned, Teddy Mountain's actions were "purposefully directed at" Idaho.  If followed by other courts, this decision could make it easier for plaintiffs to gain home-field advantage in e-commerce suits.

EU Advisory Body Seeks to Broaden Breach Notification Proposal

The European Union's Article 29 Working Party has suggested significant expansions to the scope of data breach notification requirements proposed by the European Commission last fall.  As we previously reported, the EC's proposal would amend the ePrivacy Directive to require providers of "publicly available electronic communications services" that suffer a breach of "personal data" to give timely notice to both the concerned subscriber and the national regulatory authority.  The Working Party has joined the European Data Protection Supervisor in arguing that this proposed notification requirement should extend beyond communications providers to include providers of "information society services" -- including "on-line banks, on-line businesses, [and] on-line providers of health care services."  And, instead of advocating that notice be made only to subscribers, the Working Party suggests that notice be given to "all persons whose data has effectively been compromised by the security breach."  Should the Commission follow the Working Party's advice, a broad swath of companies doing business in the EU would face breach notification requirements.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.