E-Commerce Law Week, Issue 520

Court Says eBay is a Criminal Enterprise.  Seriously.

A federal court in California recently held that eBay's allegedly false statements about the safety of its "Live Auction" service can support a claim against the company under section 1962(c) of the Racketeer Influenced and Corrupt Organizations Act (RICO), a statute originally designed to go after organized crime.  Although the case involves a civil suit, the court's ruling in Mazur v. eBay Inc. amounts to a remarkable statement that eBay's description of its auction service constitutes criminal behavior.  While the Federal Trade Commission has brought actions for "unfair" or "deceptive" acts in commerce against companies whose actual privacy practices did not live up to their stated policies, allowing RICO actions to be brought on the basis of similar misstatements is a giant leap -- and could have enormous negative ramifications for websites.

French High Court Upholds Monitoring of Employee's Internet Use

French workers recently lost their cherished right to work only 35 hours per week.  And as a result of a recent ruling by France's highest court, they may have to spend those hours actually working rather than playing solitaire online.  Last month, the Cour de Cassation Chamber Sociale ruled that employers can monitor their employees' workplace Internet use.  Past rulings had suggested that an employer may not access information that an employee stored on his or her workplace computer and clearly marked as personal, unless the employee is present and consents to the search.  However, in Franck L. v. Entreprise Martin, the court ruled that an employer may generally access an employee's computer hard drive without the employee's knowledge or presence for the purpose of monitoring the employee's Internet use.  The court reasoned that any websites accessed using a workplace computer during business hours are "presumed to be of a professional character," and that employers may therefore review records of the employee's Internet use without the employee present.  Accordingly, it upheld defendant Entreprise Martin's firing of former IT manager Franck L., who was let go after Entreprise Martin's review of his web browsing revealed that he had spent large amounts of work time browsing non-work-related websites.

South Korea Expected To Enact Breach Notification and Encryption Requirements

South Korea is expected to enact a "Personal Information Protection Law" later this year that will require entities that suffer a data breach to notify and assist affected individuals.  Penalties for violating the new law will reportedly be stiff, including up to five years in prison and 100 million South Korean Won (nearly $100,000) in fines.  As we've previously reported, Australia, Canada, the European Commission, and the United Kingdom are also considering mandatory data breach notification.  Given these developments, the patchwork of breach notification laws in the United States -- which already covers 44 states -- could soon take on a decidedly international flavor.  The South Korean Law will also reportedly require covered entities to encrypt stored identification numbers, passwords, and financial account numbers.  In addition to creating breach notification requirements, the Korean law would also establish comprehensive privacy protection rules.  These privacy rules will be based on the Organization for Economic Cooperation and Development's 1980 "Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data," which, among other things, advise:  (1) limiting the collection of personal data, (2) ensuring data collected remains relevant and up-to-date, (3) limiting use and disclosure of personal data, (4) using "reasonable security safeguards" to protect the data, (5) giving data subjects the right to access their data, and (6) holding data controllers accountable for compliance.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.