E-Commerce Law Week, Issue 521

Spanning The Globe To Bring You The Constant Variety Of ... Data Protection Laws 

New data protection requirements are being considered all over, including in Australia, Mexico, Turkey, South Korea, Peru, and Vietnam.  The Australian Law Reform Commission has recommended several amendments to that country's Privacy Act, including mandatory notification to individuals affected by data breaches that pose a "real risk of serious harm" and a reworking of the rules governing cross-border data flows.  Meanwhile, Mexican lawmakers are drafting a data protection law based loosely on Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).  The Turkish government is also reportedly ready to get on the data protection bandwagon, stating that it hopes to enact an EU-ready data protection law sometime this fall.  And South Korea, Peru, and Vietnam have announced that they are considering data protection measures that would be consistent with privacy principles promoted by the Asia-Pacific Economic Cooperation forum.  South Korea's draft legislation would also require businesses to notify individuals whose personal data has been breached.  If adopted, these data protection measures could cause headaches for international companies, which might be required to comply with different rules for the handling of personal information in the various countries where they do business.  All these measures therefore bear close watching.

Another Court Protects Anonymous Speech Online

Many courts have held that plaintiffs must meet a heightened evidentiary standard before they can compel ISPs or others to identify someone who has posted allegedly illegal or tortious material online.  But there has been disagreement over what the standard should be.  In Quixtar Inc. v. Signature Management Team, LLC, another federal court called the "summary judgment standard" first articulated by the Delaware Supreme Court in Doe v. Cahill the "correct standard."  As we have previously reported, the Cahill standard requires plaintiffs to make out a prima facie case before courts will compel discovery of an anonymous individual's identity.  The Quixtar court ruled that persons challenging the unmasking of anonymous third-party bloggers should be given an opportunity to notify the bloggers, so that they can contest the discovery of their identities.  The court also held that the bloggers could raise their objections under pseudonyms, and noted that it would assess any objections under the Cahill summary judgment standard.

FACTA Identify Theft Rules Could Affect Communications Companies and Other "Creditors"

Pursuant to final rules adopted earlier this year by the Federal Trade Commission and five other financial industry regulators, "financial institutions and creditors" are required, effective November 1, 2008, to develop and implement a written Identity Theft Prevention Program in order to detect, prevent and mitigate identity theft and address discrepancies with the opening of certain new and existing accounts.  Significantly, these rules would apply not just to financial institutions, but also to other companies that fit the definition of "creditors," including communications companies.  Companies that may not have paid attention to these rules earlier therefore should look at them closely now, since they have less than three months to develop an an implementation plan.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.