
E-Commerce Law Week, Issue 563

June 27, 2009

Will EU Data Regulators Put the Kibosh on Facebook and Twitter?

The European Union's Article 29 Data Protection Working Party has issued an opinion advising all social networking sites that handle the personal data of EU residents that they must comply with the EU Data Protection Directive, even if their headquarters are located outside the EU.  The Working Party -- which comprises representatives of the data protection authorities of EU member states -- sets out a list of data protection obligations incumbent upon social networking sites, providers of third-party applications that interact with these sites, and, in some cases, users.  If followed, this opinion could substantially change the way social networking sites -- such as Facebook, MySpace, Twitter, and LinkedIn -- currently operate, as it would impose unwieldy consent requirements for the sharing of some of the most common material found on such sites, such as pictures, statements of political opinions, and information about users' health and sex life.  While these burdensome requirements suggested by the Working Party are on their face a credible application of EU data protection law, they illustrate the growing tension between data protection law and the realities of evolving Internet business models and communication tools.  The opinion thus adds support for the argument that it is time to reevaluate and modernize European data protection law.

TJX Settles with State Attorneys General Over Data Breach

The TJX Companies, Inc., has agreed to pay $9.75 million and adopt new data security measures in order to resolve a data breach investigation launched by the attorneys general of 40 states and the District of Columbia and Hawaii's Office of Consumer Protection.  As we have previously reported, the breach of payment card and other confidential customer data suffered by TJX stores in 2005 and 2006 has already led the retailer to settle suits by banks and consumers, as well as a complaint by the Federal Trade Commission.  Like its earlier settlement with the FTC, TJX's settlement with the AGs requires it to "implement and maintain a comprehensive Information Security Program that is reasonably designed to protect the security, confidentiality, and integrity of Personal Information" and to obtain data security audits from "a third-party professional" every two years for a period of twenty years.  However, unlike the FTC settlement, TJX's agreement with the AGs also requires it to:  (1) adopt certain specific data security technologies, including a more secure wireless networking system and the encryption of any stored card data; and (2) after suffering another data breach, notify the AGs within 10 days of providing notice to affected consumers.  This TJX settlement is the latest proof that data breaches are starting to cause real financial pain for companies.  Companies should strongly consider bolstering their data security and putting in place a crisis management plan to deal with a breach in order to minimize the risk of expensive litigation.

CDA Immunity Protects Craigslist from Liability for Gun Sale

A federal court in New York recently ruled that the Communications Decency Act (CDA) immunized Craigslist against claims stemming from an individual's sale of guns on the site.  Plaintiff Calvin Gibson was shot using a gun that Jesus Ortiz had purchased from an unknown Craigslist seller, and filed a suit alleging that Craigslist "breached its 'duty of care to [e]nsure that inherently hazardous objects, such as handguns, did not come into the hands of … individual[s], such as Mr. Ortiz.'"  Craigslist moved to dismiss, claiming that Gibson's suit was barred by Section 230 of the CDA, which states that "[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider" and has generally been interpreted as immunizing websites against claims stemming from information posted by third parties.  The court granted the motion to dismiss.  It noted that Gibson's complaint did not "dispute that Craigslist is a provider of an interactive computer service" and acknowledged that the ad for the gun was placed by another information content provider, and not Craigslist.  It also found that Gibson's allegation that Craigslist "failed to monitor, regulate, properly maintain and police the merchandise being bought and sold on its … website" was clearly "directed toward Craigslist as a 'publisher' of third party content," and that "Section 230 specifically proscribes liability in such circumstances."  Accordingly, it rejected Gibson's argument that he was seeking to hold Craigslist liable "as a business, plain and simple" rather than as a "speaker" or "publisher" and dismissed his case.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.
