E-Commerce Law Week, Issue 578
October 10, 2009
Germany Broaches the Breach Question in the EU
With amendments to the German Federal Data Protection Law (Bundesdatenschutzgesetz) that took effect last month, Germany has become an early adopter of data breach notification obligations in the European Union. Data breach notification laws are widespread in the United States (now in force in 45 states, plus the District of Columbia, Puerto Rico, and the U.S. Virgin Islands), but the EU has lagged in this area of regulation. That will almost certainly change, because proposed revisions to the EU electronic communications framework are expected to require all EU member states to introduce data breach notification legislation. However, those revisions stalled this summer due to conflicting views of the European Parliament and Council over other aspects of an overall electronic communications reform package, and it is likely to be at least a year before EU-wide data breach obligations take effect. In the meantime, Germany has taken the lead (although EU neighbor Norway has had such legislation on the books for some time). One upshot of these developments is that companies that suffer a breach involving the data of U.S. as well as EU residents will face an even broader patchwork of differing notification obligations.
Court Inadvertently Expands the Definition of a Data "Breach"
A federal court in California denied a bank's request to seal its complaint and other filings in a suit against Google, following an employee's accidental sending of customer data to the wrong Gmail account. In Rocky Mountain Bank v. Google, Inc., a Bank employee, responding to a request for loan statements, inadvertently emailed a batch of confidential customer information for 1,325 individuals and businesses to an unknown Gmail account. Despite efforts to retract the email and to request that the unknown recipient destroy the customer information, the Bank was unable to reach the recipient or even determine whether the Gmail account was active. When Google refused to disclose information about the Gmail account without a subpoena or other legal process, the Bank sought a preliminary injunction against Google. The Bank requested that its complaint and motions remain sealed, concerned that disclosure of the data breach would "unnecessarily create panic among all of its customers and result in a surge of inquiry." The court denied the motion, unconvinced that the risks of notification outweighed the common law right of public access to the court proceedings. (The case has since been dismissed with prejudice.) Although the court made no reference to data breach notification laws, it did state that "there has been an unauthorized disclosure of confidential customer information," even though there was no indication that the Gmail address was active or that anyone had actually seen the data. This holding might be used to rebut data breach victims' arguments that they do not have to notify affected individuals if there is no indication that data was actually accessed, or if their investigation to determine the risk of harm is ongoing.
Six Companies Settle FTC Charges Concerning US-EU Safe Harbor Framework
Six companies (World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive Gaitways LLC) have agreed to settle FTC charges that they committed unfair and deceptive business practices by claiming they were certified under the US-EU Safe Harbor Framework, when in fact they had allowed their self-certifications to lapse. The settlement agreements prohibit the companies from misrepresenting on their websites and in promotional materials the extent of their compliance with the Safe Harbor Framework. But the FTC made no charges regarding compliance with the Framework's data-protection requirements, and thus its action will do little to stem European complaints that FTC enforcement of the Framework is weak at best. The settlement agreements are available for comment until November 5, 2009.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.
















