E-Commerce Law Week, Issue 544

European Court Upholds Data Retention Directive

In a judgment released February 10, the European Court of Justice (ECJ) dismissed Ireland's request to strike down the EU Data Retention Directive.  As we previously reported, the Data Retention Directive requires ISPs and fixed-line and mobile operators to retain non-content communications data of their EU customers for 6 to 24 months.  Ireland had contended that the Directive was not adopted on an appropriate legal basis.  As a result of the ECJ's ruling, countries that have delayed implementing the Directive may rush to enact the necessary implementing legislation.

Beware of Geeks Failing to Encrypt, Says FTC

The Federal Trade Commission announced on February 5 that it reached another settlement with a company that suffered a data breach after failing to encrypt its customers' personal information.  According to the FTC's complaint, Genica Corporation stored the personal information of customers who purchased consumer electronics through its geeks.com website "in clear, readable text."  Noting that hackers had used Structured Query Language (SQL) injection attacks to gain access to this unencrypted personal information, the FTC claimed that Genica's protections for personal information were neither "reasonable" nor "appropriate."  And, because the geeks.com website stated that "a variety of security and controls" were used "to safeguard [customers'] information," the FTC alleged that Genica's promises regarding data security were "false or misleading," in violation of "deceptive acts or practices" prong of the FTC Act.  In its settlement with the FTC, Genica agreed to implement and maintain "a comprehensive information security program" and obtain independent, third party audits of the program every two years for 10 years.

D.C. Circuit Bars Telcos from Sending Marketing to Departing Customers

The D.C. Circuit denied Verizon California, Inc.'s petition for review of a Federal Communications Commission order barring the company from sending marketing to a departing customer before porting the customer's number to her new carrier.  To port a number, a customer's new carrier submits a "Local Service Request" (LSR) to the customer's former carrier.  In their complaint before the FCC, three cable company VoIP providers alleged that Verizon "used information provided by the LSR process to contact defecting customers and offer them various incentives to stay with Verizon, all before the number port [was] completed," claiming that these marketing efforts violated Section 222(b) of the Telecommunications Act.  The FCC agreed with the VoIP providers, and ordered Verizon to cease and desist from such marketing.  The D.C. Circuit upheld the FCC's decision, finding it a reasonable interpretation of an ambiguous statute.  In addition to its impact on telecom companies' marketing practices, the D.C. Circuit's decision is also notable for its discussion of the FCC's authority to classify VoIP providers differently under different sections of the Telecommunications Act.

Ninth Circuit Makes It More Difficult for Individuals to Challenge Government Searches of the Workplace

A ruling handed down by the Ninth Circuit early this month could make it more difficult for a business owner or employee to challenge a government search of her workplace and its computers.  In United States v. SDI Future Health, Inc., the Ninth Circuit ruled that, "except in the case of a small, family-run business over which an individual exercises daily management and control, an individual challenging a search of workplace areas beyond his own internal office must generally show some personal connection to the places searched and the materials seized."  The dispute in this case centered around a warrant the government was granted to search the offices and computers of SDI Future Health for evidence that it had engaged in Medicare fraud.  Based on evidence seized during its search, the government won an indictment against SDI, its president and part-owner Todd Kaplan, and SDI officer and part-owner Jack Brunk.  A district court granted the defendants' motion to suppress evidence obtained using the search warrant on the ground that the warrant was vague and overbroad.  On appeal, the Ninth Circuit agreed that some portions of the warrant were overbroad, but held that the district court had not properly established that Kaplan and Brunk had standing to challenge the search. 

Finland Could Revise Law to Permit Limited Monitoring of Employees' Email

While U.S. law generally is fairly permissive when it comes to employers' monitoring the workplace communications of their employees, the law in many foreign jurisdictions can be much stricter.  In Finland, for example, the Act on the Protection of Privacy in Electronic Communications provides for the confidentiality of "[a]ll messages, identification data and location data" sent via communication services in the country -- including email and other communications that employees send using the communications systems of their employers.  Finland is expected to adopt an amendment to this Act that would give Finnish employers limited access to their employee's email.  But employers there would still face many restrictions not encountered in U.S. workplaces.  The Finnish action thus serves as a reminder to multinational companies that the laws on monitoring employee communications and computer usage vary widely, so employers should take extreme care in devising company policy on the issue or engaging in such monitoring.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.