E-Commerce Law Week, Issue 619

India Issues Harsh New Rules for Communications Companies

In the great game of who can impose the greatest burdens on communications companies, India has just upped the ante in a big way.  On July 28, India's Department of Telecommunications issued letters to an array of communications company licensees, introducing cumbersome and intrusive new requirements that will affect not just Indian carriers, but foreign communications companies and equipment vendors as well.  The letters amend existing license agreements so that they now require Indian licensees to, among other things:  undergo extensive audits and inspections of their network security by a government approved auditor; inspect, or allow the Department to inspect, all hardware, software and other equipment bought from vendors and utilized in the network; and have their networks operated and maintained only by Indian engineers within two years.  The new rules also create penalties for licensees in the event of a network "security breach," and provide that the supplier of the breached equipment may be "blacklist[ed]" from further supplying Indian licensees.  Of most concern to any company trying to protect its proprietary information, the rules also requires that licensees allow the government access to their network designs and source code "at any time."

FCC Seeks Comment on Creating a "Cybersecurity Roadmap"

The Federal Communications Commission stuck another toe in the mucky swamp of cybersecurity on August 9, asking for comments "on the creation of a Cybersecurity Roadmap to identify vulnerabilities to communications networks or end-users and to develop countermeasures and solutions in preparation for, and response to, cyber threats and attacks."  Such a Roadmap was recommended in the FCC's National Broadband Plan (NBP) as an "initial step" for the Commission into the realm of cybersecurity.  The NBP said the Commission should identify the five most critical cybersecurity threats to the communications infrastructure and its end users and establish a two-year plan for addressing those threats.  Comments on what should be in the Roadmap, what role the FCC should play, and other relevant topics are due by September 23, 2010.

Batter Up! New Decree Implements France's Three Strikes Law

On July 27, the French government published Decree No. 2010-872, which establishes procedures for implementing a controversial "three strikes" Internet piracy law.  As we previously reported, the law empowers a new government agency, Haute Autorité pour la Diffusion des Œuvres et la Protection des Droits sur Internet (High Authority of Diffusion of Art Works and Protection of [Copy]Rights on the Internet), or simply the HADOPI), to issue two written warnings to subscribers allegedly making illegal copies of protected music, movie, or other media files.  If the illegal pirating has not ceased following the second warning, the HADOPI can seek a court order requiring Internet service providers to suspend a subscriber's Internet access for up to one year and imposing fines.  The first wave of warnings from the HADOPI could commence as early as this fall.

It's Not Just a Pipe Dream:  PIPEDA Victory for a Private Employer

On July 21, the Office of the Privacy Commissioner of Canada held that a company that accessed a worker's corporate email account to investigate a potential breach of his employment contract did not violate the Personal Information Protection and Electronics Document Act (PIPEDA).  The Office started its Case Summary by warning that it is "unacceptable for organizations to monitor employee email without good reason justifiable under the Act" and that "[a]n organization’s accessing and using employee emails would normally require the knowledge and consent of the individual employee."  But the Office found that the employer's actions in this case were permissible under Sections 7(1)(b) and 7(2)(d) of PIPEDA, which provide that "an organization may collect [and use] personal information without the knowledge or consent of the individual only if it is reasonable to expect that the collection [and use] with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection [and use] is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province."

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.