Internet and the Government

At the beginning of this year, we warned that there would be an uptick in Americans with Disabilities Act litigation related to website accessibility this year in a post entitled Does My Website Need to be ADA Compliant?  The answer then was “most likely yes.” Now, the adverse litigation results are starting to come in.

According to this post from Seyfarth Shaw’s Kristina Launey, “A First: California Court Rules Retailer’s Inaccessible Website Violates ADA,” a California court recently held that a retailer violated the act because its website lacked access for the vision-impaired. This was a first-in-the-nation determination regarding ADA applicability to a retail site.

The court granted a summary judgment in favor of the plaintiff on the application of the ADA because (1) there was “sufficient evidence that he was denied full and equal enjoyment of the goods, services, privileges, and accommodations offered by defendant [via its website] because of his disability”; and (2) there was a sufficient nexus to defendant’s physical retail store and the website.

The statutory penalty was only $4,000 and there is an injunction in place to force the store to become compliant. The real pain to the defendant is coming because the store is liable for the plaintiff’s attorneys’ fees in an amount to be determined.

 

This should motivate you to look into whether you need to be compliant and whether you are. Go back and read our ADA post from January or find additional information here.

 

By now, you have probably read about how the FBI is asking Apple to create software that would help the FBI unlock the iPhone of one of the deceased San Bernardino attackers. You have probably heard the talking heads scream about the privacy vs. security policy debate, but what law is at play?

The All Writs Act

You may have even heard the government is relying upon the All Writs Act, which was passed in 1789. Three years of law school and sixteen years of practice and I had not heard of the All Writs Act at 28 U.S.C. § 165.  Surprisingly, it is very short:

(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.
(b) An alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction. 

The purpose of the law is to fill in the gaps to give courts the power to enforce their orders and subpoenas.  Obviously, the use of the All Writs Act has to be “agreeable to the usages and principles of law.”

How We Got Here

On February 16, 2016, the government received an ex parte order (which means without having anyone from Apple or anyone else arguing against the request) requiring Apple to provide “reasonable technical assistance to assist law enforcement agents in obtaining access to the data.” The order then lists what the court considers “reasonable technical assistance” including the oft-discussed decryption key that needs to be created to help unlock the phone. A copy of the order is here:  SB-Shooter-Order-Compelling-Apple-Asst-iPhone.

Apple’s Legal Argument

Apple primarily argues that Congress has already decided tech companies like Apple cannot be forced to provide access to encrypted devices. Apple’s brief is here. Specifically, Apple cites to the 1994 Communications Assistance for Law Enforcement Act at 47 U.S.C. § 1001, et seq.  CALEA, Apple argues, specifically states that electronic communication service providers and mobile phone manufacturers cannot be forced to “implement any specific design of its equipment, facilities, services or system configuration” to unlock or decrypt phones.

Apple then argues that Congress has considered amendments to CALEA, but decided not to amend the 1994 law to require so-called back doors to encrypted devices or programs. According to the brief, “Congress, keenly aware of and focusing on the specific area of dispute here, thus opted not to provide authority to compel companies like Apple to assist law enforcement with respect to data stored on a smartphone they designed and manufactured.”

Case Law on the All Writs Act

The U.S. Supreme Court spelled out the test for whether the All Writs Act could be used in U.S. v. New York Telephone, 435 U.S. 159 (1977). In that case, the Court required the phone company to install a pen register device on two telephone lines.

The Court provided a three-part test:

(1) Is the company so far removed from the controversy that its assistance could not be reasonably compelled?

(2) What is the burden on the company whose assistance is sought?

(3) Are there other alternatives?

In light of those factors, Apple argues:

(1) The company does not own or control the phone or the data the government is seeking;

(2) It would be difficult for Apple to build the requested unlocking key, and Apple does not want to, for marketing reasons and because of concerns about additional requests in the future.  Apple says it would take six to ten employees two to four weeks to develop it.

(3) The government made it more difficult when it changed the iCloud password, and it did not prove that it had exhausted all of the digital forensics resources available to it.

Finally, Apple contends forcing them to create software would force them into compelled speech in violation of the First Amendment and would constitute an unlawful arbitrary action against Apple without due process in violation of the Fifth Amendment.

The Department of Justice’s Response

In its response, the Government tried to shift the focus back to the specific facts of this case and this one phone in light of the three-part test and away from a greater policy argument.

The government says that just because Congress did not make any changes to CALEA does not mean the All Writs Act does not apply to fill in the gap as it has been used a number of times to require companies to unlock phones and other devices.

Regarding the three factors from the New York Telephone case,

(1) Apple purposefully licensed the operating system in the phone that allowed for encryption, so Apple’s involvement is sufficient.  Involvement does not mean a company participated or even specifically knew there was criminal conduct. It only requires that Apple be “closely connected” to the crime.

(2) While creating the software might be burdensome for a small company, the Government says it would not be unreasonable for Apple, which encrypted the software in the first place.  The Government would compensate Apple and work to minimize the burden.

(3) The FBI says it cannot unlock the phone without Apple because Apple built the code to prevent any access. They claim the fact that Apple cannot access it without building something new proves Apple is necessary.

Apple can file a response on March 15 and the hearing is scheduled for March 22.

In a developing story, The New York Times is reporting that the FBI is investigating the St. Louis Cardinals for hacking into the Houston Astros’ computer networks to steal the Astros’ internal baseball operation intelligence which is apparently working.

Quick aside:  click here to see highlights of last night’s win and the emergence of some of the Astros’ young stars.

The Astros’ GM responsible for the resurgence of the team used to work for the Cardinals. The two used to compete in the National League Central before the Astros moved to the American League West (I’m still getting used to that).

According to the NYT article:

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011.

When Luhnow left St. Louis, he helped the Astros build their “Ground Control” database which mirrored a similar effort he helped lead when with the Cardinals.  This is all part of the sabermetrics / big data craze in professional sports.  It’s the reason that at the game I attended earlier this month, it seemed like the shift was employed on defense almost half the time.

Some leaked information was already published in an embarrassing article on Deadspin which included some trade prospects and player evaluations.

The FBI claims the Cardinals used a master password list compiled by Luhnow and associates when they were with the Cardinals to guess their passwords on the Astros’ systems.  The FBI was able to determine the hack had been done from a computer at a home that some Cardinals officials had lived in.

Here’s more background and detail from The Washington Post.

So what are the legal issues?

We often advise clients who have been hacked to contact law enforcement authorities. When it is on a smaller scale or not as high profile, it is hard to get them to take action.  It is almost always better if you can get law enforcement to investigate and do the heavy lifting.

On the criminal side, you are looking at fines and up to five years in prison based on the statutes discussed below.

But, you can still resort to the civil courthouse.

The Computer Fraud and Abuse Act

The CFAA (18 U.S.C. § 1030), which was passed to address hacking, makes it illegal to access a database without proper authority, or to exceed one’s authority, in a way that impairs the computer system or data accessed.  Liability is premised on there being at least $5,000 in losses in any one-year period. The CFAA is primarily a criminal statute.

A plaintiff could make a civil claim under the CFAA to recover actual damages, injunctions or other equitable relief. A criminal conviction can result in fines and imprisonment.  On the civil side, plaintiffs sometimes struggle to establish the required $5,000 in a statutorily-defined “loss” to pursue a CFAA claim.

The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”  18 U.S.C. § 1030(e)(11).

Lost opportunities (like trades, or the value of the actual information) often do not qualify as the type of loss covered by the statute.  The loss usually results from costs of investigation and the expense to shut down the computer network.

ECPA and the SCA

The Electronic Communications Privacy Act (18 U.S.C. § 2510) and the Stored Communications Act (18 U.S.C. §§ 2701-12) are equally important sister statutes.  Generally speaking, the ECPA applies to electronic communications in transit and the SCA applies to communications stored on servers.  By gaining access to a database on the Astros’ servers, the perpetrators may be liable under the Stored Communications Act.

A plaintiff under the ECPA can recover a minimum award of $10,000 or $100 per day of violation — whichever is greater, or, actual damages, plus punitive damages, attorneys’ fees and costs.   Criminal violations can result in up to five years and fines up to $250,000 for individuals and $500,000 for organizations.

The SCA, meanwhile, which is technically part of the ECPA, makes it illegal for anyone to “intentionally access[] without authorization a facility through which an electronic communication service is provided or . . . intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.”

In addition to these statutes, there could be additional claims like RICO, breaches of contracts, wire fraud, trespassing and a myriad of state law claims.

The best revenge would be to rectify this dark moment in Houston Astros history from the 2005 NLCS (although the Astros won Game 6 in St. Louis before being swept by the White Sox in their only World Series appearance).

Maybe Springer, Correa, Altuve, Tucker, McHugh and Velasquez can get their recompense out of the courtroom.

Here’s my interview on Sports Radio 610 from this afternoon’s Triple Threat Show.

It’s Spring in Texas which means one of two things – the bluebonnets are out and in odd years, our legislature is back at work.  One makes me grateful to be in Texas and the other only meets every other year.  Here are a few bills we are watching this session:

Service of Process Via Social Media – HB 241

The Legislature is making another effort on this.

The bill provides:

Sec. 17.032.  SUBSTITUTED SERVICE THROUGH SOCIAL MEDIA PRESENCE.
(a)  If substituted service of citation is authorized under the Texas Rules of Civil Procedure, the court, in accordance with the rules adopted by the supreme court under Subsection (b), may prescribe as a method of service an electronic communication sent to the defendant through a social media presence.

(b)  The supreme court shall adopt rules to provide for the substituted service of citation by an electronic communication sent to a defendant through a social media presence.

It looks like the bill stalled in committee.

Codifying a fair reporting privilege – SB 627

The Legislature continues to show its disdain for defamation suits.  This time, they are considering a bill that would codify a sometimes-recognized common law fair reporting privilege.  The privilege allows for a fair reporting of public records and allegations as long as done in good faith.  It looks like this one may become law.

The bill provides:

(b)  This section applies to:

(1)  a fair, true, and impartial account of:

(A)  a judicial proceeding, unless the court has prohibited publication of a matter because in its judgment the interests of justice demand that the matter not be published;

(B)  an official proceeding, other than a judicial proceeding, to administer the law;

(C)  an executive or legislative proceeding (including a proceeding of a legislative committee), a proceeding in or before a managing board of an educational or eleemosynary institution supported from the public revenue, of the governing body of a city or town, of a county commissioners court, and of a public school board or a report of or debate and statements made in any of those proceedings; or

(D)  the proceedings of a public meeting dealing with a public purpose, including statements and discussion at the meeting or other matters of public concern occurring at the meeting; [and]

(2)  publication of allegations made by a third party regarding matters of public concern, regardless of the truth or falsity of the allegations; and

(3)  reasonable and fair comment on or criticism of an official act of a public official or other matter of public concern published for general information.

(c)  This section does not abrogate or lessen any other defense, remedy, immunity, or privilege available under other constitutional, statutory, case, or common law or rule provisions.

(d)  This section shall be construed liberally to effectuate its purpose and intent fully.

Civil Penalties for Frivolous Patent Claims – SB 1457

This bill also looks like it might be headed for passage.  The pertinent part of the bill states:

Sec. 17.952.  BAD FAITH CLAIM OF PATENT INFRINGEMENT PROHIBITED.

(a)  A person may not send to an end user located or doing business in this state a written or electronic communication that is a bad faith claim of patent infringement.

(b)  A communication is a bad faith claim of patent infringement if the communication includes a claim that the end user or a person affiliated with the end user has infringed a patent and is liable for that infringement and:

(1)  the communication falsely states that the sender has filed a lawsuit in connection with the claim;

(2)  the claim is objectively baseless because:

(A)  the sender or a person the sender represents does not have a current right to license the patent to or enforce the patent against the end user;

(B)  the patent has been held invalid or unenforceable in a final judgment or administrative decision; or

(C)  the infringing activity alleged in the communication occurred after the patent expired; or

(3)  the communication is likely to materially mislead a reasonable end user because the communication does not contain information sufficient to inform the end user of:

(A)  the identity of the person asserting the claim;

(B)  the patent that is alleged to have been infringed; and

(C)  at least one product, service, or technology obtained by the end user that is alleged to infringe the patent or the activity of the end user that is alleged to infringe the patent.

The bill only allows for enforcement by the Attorney General and not private litigants.

We will keep an eye on these and any other bills of note.

As expected, the FCC passed the net neutrality rules today.  Other than spokesmen for the large telecoms (and perhaps some politicians who listen to that lobby), you don’t hear much reasoned opposition to net neutrality.

I have to admit that my views have been changing on the issue from a position of: (1) a solution in search of a problem; (2) to a desire to help make sure start-ups have a fair shake and access to the consumers; (3) to let the market take care of any ISP’s that throttle content; (4) to what about the people who don’t have more than one option for an ISP?

Now, I feel like we are at a Hobson’s Choice.  Do we trust the Government, or do we trust Big Business?  More precisely, who do we trust not to be a jerk in the future?

  • Do you think the likes of Comcast would throttle competitors’ content or force the big content providers into fast lanes leaving all start-ups back at dial-up speed?
  • Do you think the Government can stay at this minimally invasive level of regulation, when the Internet has thrived, at least in part, because of the lack of government regulation?

Leave it to the BBC Radio to have Mark Cuban on as a guest to provide additional interesting arguments as to why the new regulations are bad–by focusing on the future?  Listen here.  In effect, Cuban asks whether we want companies to be able to manage their networks as we start to see more driverless cars and online virtual reality applications.  Will the next new thing have to ask the government for permission to run online?

The regulations, as currently written, take a soft hand approach.  But, we should be vigilant to make sure they stay that way.  You know the story of the cooked frog, right?  If you put him in boiling water, he will jump out of the pot.  You put him in cool water and gradually turn up the heat, you will end up with a cooked frog.

For a good analysis prior to today’s release, read this.

Everyone supports the prevention of sexual predators texting illicit material to people under 17.  Everyone knows that revenge porn is a scourge on public decency.  But, can the law do anything about it?  Should it?

Texas Throws Out Law Banning Explicit Online Communications With Minors.

Yesterday, the Texas Court of Criminal Appeals (our highest court that hears criminal cases) reversed the conviction of a 53-year-old man who was charged with the third degree felony of communicating in a sexually explicit manner with a person whom he believed to be a minor with an intent to arouse or gratify his sexual desire.  You can read about the case here and read the court’s decision here.

The overturned law, Texas Penal Code 33.021(b)(1) states:

A person who is 17 years of age or older commits an offense if, with the intent to arouse or gratify the sexual desire of any person, the person, over the Internet, by electronic mail or text message or other electronic message service or system, or through a commercial online service, intentionally:

(1) communicates in a sexually explicit manner with a minor; or

(2) distributes sexually explicit material to a minor.

To be clear, you cannot solicit a minor for sex (conduct), but sending indecent, but not obscene materials (protected speech) is not illegal.  The court said criminal laws “may protect children from suspected sexual predators before they ever express any intent to commit illegal sexual acts, but it prohibits the dissemination of a vast array of constitutionally protected speech and materials.”  The court also noted there are several other statutes that criminalize other inappropriate conduct with minors.

For the constitutional lawyers out there, the court determined the  “sexually explicit communications” provision is facially unconstitutional because it is content-based speech regulation that could not withstand the strict scrutiny analysis.  Under that test, there needs to be a compelling state interest and the restriction on speech must be narrowly tailored.

While there is a compelling state interest to protect minors from sexual predators, the law covers merely indecent speech which is constitutionally protected.  In light of the many other laws that protect children (solicitation, child pornography, obscenity, harassment), the court said the restriction was too broad.

Subsection (b) covers a whole cornucopia of “titillating talk” or “dirty talk.” But it also includes sexually explicit literature such as “Lolita,” “50 Shades of Grey,” “Lady Chatterly’s Lover,” and Shakespeare’s “Troilus and Cressida.” It includes sexually explicit television shows, movies, and performances such as “The Tudors,” “Rome,” “Eyes Wide Shut,” “Basic Instinct,” Janet Jackson’s “Wardrobe Malfunction” during the 2004 Super Bowl, and Miley Cyrus’s “twerking”* during the 2013 MTV Video Music Awards. It includes sexually explicit art such as “The Rape of the Sabine Women,” “Venus De Milo,” “the Naked Maja,” or Japanese Shunga. Communications and materials that, in some manner, “relate to” sexual conduct comprise much of the art, literature, and entertainment of the world from the time of the Greek myths extolling Zeus’s sexual prowess, through the ribald plays of the Renaissance, to today’s Hollywood movies and cable TV shows.

*I will leave it for someone else to determine whether this is the first reference to “twerking” to make it into case law — a sign that the fad needs to go.

The prosecutors say they may appeal to the U.S. Supreme Court.

Revenge Porn – a perplexing topic for legislators

The American Bar Association recently wrote an excellent article on revenge porn you can read here.  For the uninitiated, revenge porn is when the ex publishes what were supposed to be private nude pictures for the world to see often including full names, addresses, phone numbers and links to social media profiles.  There is a whole cottage industry bubbling up of websites who encourage posters to provide this information.

As a victim, you can bring civil claims like invasion of privacy, intentional infliction of emotional distress and copyright claims if you took a selfie because the copyright usually belongs to the photographer and not the subject.  But, these claims are expensive to bring and there are no guaranties because a lot of people blame the victim for having nude pictures in the first place.

Meanwhile, it is hard to sue the websites where these pictures are downloaded because Section 230 of the Communications Decency Act gives immunity to websites based on claims related to user generated content.

California passed a law last month that seeks to punish “Any person who photographs or records by any means the image of the intimate body part or parts of another identifiable person, under circumstances where the parties agree or understand that the image shall remain private, and the person subsequently distributes the image taken, with the intent to cause serious emotional distress, and the depicted person suffers serious emotional distress.”

Professor Goldman on his Technology and Marketing Law Blog points out the faults of the law which include: (i) it does not apply to selfies; (ii) it does not apply to redistribution or websites which could have Section 230 issues; and (iii) the difficulty in proving beyond a reasonable doubt the parties’ expectations of privacy or the intent of the accused.

While having the intent to cause severe emotional distress may avoid First Amendment scrutiny, overbroad laws would cover the publishing of Anthony Weiner’s infamous photos. Here is a Wired article by Sarah Jeong arguing that criminal laws may not be the answer.

While there are some class action lawsuits against some of the sites that encourage this behavior that we will keep an eye on, one of the best weapons may be to shine the light on the scum who engage in revenge porn using the same social media tools and let the markets take care of the websites.

UPDATE – NOVEMBER 1 – Ask a question and the Internet answers.  Professor Goldman directed me to one of his earlier tweets:

 

While the second special session is winding down (thank goodness), we will take a look at a couple more new laws impacting online media and technology in Texas.  While most of the attention was on social media password protections, service via social media and online “compelled prostitution” legislation,  two additional bills made it through to become law.

The Defamation Mitigation Act

The first was HB 1759 called the Defamation Mitigation Act, often referred to as the Retraction Statute, which became law as of June 14, 2013.  The purpose of the law is to encourage people who feel they have been defamed to demand a retraction and allow publishers to do it.

Here’s how it works.  A plaintiff has to notify a publisher about an allegedly defamatory statement within 90 days of learning about it.  If a plaintiff fails to do so, they may not be able to seek punitive damages or bring suit until this process takes place.  The statute lays out the specifics about what needs to be in the notice including a particular statement identifying the defamatory statement and when and where the publication was made.  The publisher then has 30 days to correct the mistake by publishing a correction, an apology or the prospective plaintiff’s own statement.

The retraction must be  “published in the same manner and medium as the original publication or, if that is not possible, with a prominence and in a manner and medium reasonably likely to reach substantially the same audience as the publication complained of.”  There is a detailed process about challenging the sufficiency of the correction.

If the plaintiff fails to follow this procedure, or the publisher takes corrective action within 30 days, the plaintiff can still sue, but can no longer seek punitive damages unless the plaintiff can show actual malice.  If the plaintiff files suit without sending the notification, there is also a process that would allow the defendant to abate the case and allow for the process to take place.

The law is codified at Texas Civil Practice & Remedies Code, § 73.051–.062.

Data Breach Notification

The Legislature also amended the Texas data breach notification law with SB 1610 so that companies have to notify consumers regardless of state of residence and regardless of whether the state of the consumer has their own breach notification law.

Texas law already required all Texas businesses to notify any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person pursuant to the state law of the individuals.  The amendment makes it easier for businesses to follow the Texas law or to make the notification pursuant to the law of the individual’s state — as long as the business does one or the other.  This closed the hole that allowed businesses to avoid the notifications for residents of states who don’t have notification laws and business concerns that they would have to follow and know the laws of 50 states.

To be safe, businesses should make their best effort to comply with the Texas notification requirement for all individuals regardless of residence.

This new law, called the “Notification Required Following Breach of Security of Computerized Data,” is codified at Section 521.053(b-1) of the Texas Business and Commerce Code.

Sometimes, when you read the basics of a story, it sounds so incredible, you think “surely, there has to be more to it.”  Enter the story of 19-year-old Texan Justin Carter.  The quick headlines usually read – Texas Teen Faces Eight Years for Facebook Comment.

Unfortunately for Justin, the post was about shooting up kindergartners.  Hence, he was charged with making “terroristic threats” and was jailed for over three months because of a $500,000 bond that recently got paid by an anonymous supporter.

During an online multi-player game of League of Legends when Justin was 18, he got into an argument with someone on Facebook about it.  After someone called him messed up in the head, according to the arrest warrant in the case, Justin wrote:

“I’m f–ked in the head alright, I think Ima SHOOT UP A KINDERGARTEN

“AND WATCH THE BLOOD OF THE INNOCENT RAIN DOWN

“AND EAT THE BEATING HEART OF ONE OF THEM.”

According to Justin’s family, the next two lines were “lol” and “jk.”

Allegedly, a Canadian woman saw the post and called the police.  For more on the story, read here.  Surprisingly, that’s about it — the whole story.  It does not appear Justin was a real threat, had any past issues, meant for any law enforcement to get involved, or took any actions to carry out the alleged threat.

Instead, he has been charged with a violation of Section 22.007 of the Texas Penal Code which reads:

TERRORISTIC THREAT. (a) A person commits an offense if he threatens to commit any offense involving violence to any person or property with intent to:

(1)  cause a reaction of any type to his threat by an official or volunteer agency organized to deal with emergencies;

(2)  place any person in fear of imminent serious bodily injury;

(3)  prevent or interrupt the occupation or use of a building, room, place of assembly, place to which the public has access, place of employment or occupation, aircraft, automobile, or other form of conveyance, or other public place;

(4)  cause impairment or interruption of public communications, public transportation, public water, gas, or power supply or other public service;

(5)  place the public or a substantial group of the public in fear of serious bodily injury; or

(6)  influence the conduct or activities of a branch or agency of the federal government, the state, or a political subdivision of the state.

. . . 

(e)  An offense under Subsection (a)(4), (a)(5), or (a)(6) is a felony of the third degree.

The main issue in this case is highlighted: intent.  It is not clear whether the prosecutor is going to try and prove a violation of 4, 5, or 6 (we know they are pressing for a third degree felony), but does it really matter?  Can anyone prove, beyond a reasonable doubt, Justin intended to scare anyone or get law enforcement involved?

There are real threats made on social media and elsewhere.  People that make bomb threats or take other actions meant to scare targeted people or waste law enforcement’s time should be prosecuted.  People who have bad taste shouldn’t.

We can prove beyond a reasonable doubt, the comment was in bad taste — but the same may hold true for trying to prosecute the man unless there really is more to this story that has not come out yet.

I have not posted in some time because I enjoyed some traveling with the family in Hungary.  Some of my cousins – by marriage – are lawyers in Budapest.  They mainly peppered me with questions about the NSA and our take on privacy.  I can’t repeat the compelling soliloquy I made for all Americans after a few Czech brews, but it was noticeable we had different takes about online privacy.  This is not just a matter of good discussion at a ruin pub; your business needs to pay attention to E.U. privacy law, too.

The E.U. already has strict guidelines that apply to all of their member nations.  Rather than relying upon protections for only certain types of health, financial data or information related to children like we do here in the U.S., the E.U. looks to protect all personal information regardless of how benign it may appear.

Compliance Now

Generally speaking, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995.   The U.S. is not on that list.

Generally, to comply with existing E.U. guidelines you need to:

1.  Give a notice of what you collect and what you do with it and how individuals can ask about it.

2.  Give individuals the chance to opt-out of disclosure to third parties for reasons outside of the main purpose.

3.  Ensure that the company to whom you transfer data also has adequate protections.

4.  Provide users access to the data you have about them.

5.  Initiate adequate security, data integrity and enforcement procedures.

The Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” program that qualifies companies to store and transfer personal information on E.U. residents so you don’t have to hire E.U. counsel.  You can learn more about the process here at the Department of Commerce website.

 

My children with my father-in-law who left Hungary in 1956.

Compliance in the Future

While already stricter than U.S. requirements, the E.U. is considering strengthening its laws with changes that may take place as soon as next year.

1.  Will you need a forget me button?

Recent proposals have suggested a “right to be forgotten” will have to be implemented requiring companies to erase all information about individuals.  You can read more here on this proposal and how U.S. companies may fight it. If it becomes law in the E.U. next year, will you be able to offer this service?

2.  Will you need consent to share data?

The E.U. is leaning towards a disclosure and consent process before any of your personal information can be shared.  This may require an affirmative opt-in for all cookies with full disclosure of how the information will be used and shared.

The whole Hungarian Family (by marriage) including more than one Hungarian lawyer.

You can read more about some of the proposals and the reaction by U.S. companies here, here, here and here.

As you may imagine, marrying a lawyer can make for some interesting conversations (or dreadful depending on your outlook) at home.  The same holds true with an extended family with multiple lawyers working on different continents with different outlooks.

 

There are two bills (SB 568 and SB 501) working their way through the California Legislature that may require social media sites to erase the content of minors.

Oops . . . I shouldn’t have posted that.

California Senate Bill 568, which has already passed the Senate, would allow minors to request that websites remove that picture the teen thought would be awesome to post at 2:30 in the morning, but that no longer looks good when applying for jobs or a spot at Harvard.  It only applies to content actually posted by the minor and not those pictures posted by the teen’s friends who have fewer scruples.

Before minors celebrate by temporarily posting offensive jokes or pictures, the bill wisely provides that there is no guarantee removal by the initial website ensures complete elimination of the materials from the entire web.  The law states the removal process:

does not ensure complete or comprehensive removal of the content or information submitted to or posted on the operator’s Internet Web site, service, or application by the user.

The existing federal COPPA regulations provide for a similar removal process of content for children under 13 by the parents, but this law would force websites to add the process for those up to 17 and allow the request to come from the minor.  Considering most social media reputational harm is likely to happen in college (let’s just say I’m glad I went through college before smartphones and social media), I am sure there are some who would like this to be law for people of all ages.

And now, a word from our sponsor.

Another interesting part of SB 568 prohibits websites from marketing a product or service to a minor, if the minor cannot legally purchase the product or participate in the service in the State of California.  This prohibition applies to all sites and apps “directed to minors” or if the operator “has actual knowledge that a minor is using its” service.

This “directed to” or “actual knowledge” standard is also a similar COPPA concept, which is why certain sites like Facebook do not allow users under 12, but do allow users 13 and above.  Because Facebook has actual knowledge of its users between 13 and 17, it would not be allowed (or possibly allow others) to market alcohol or possibly even R-rated movies.

Dude, my mom erased my PII!

California SB 501, meanwhile, would require websites to remove personally identifiable information about minors upon the request of the minor OR the parent within 96 hours of the request.

As opposed to the first bill, this one would only apply to a “Social networking Internet Web site” which is defined as:

an Internet Web-based service that allows an individual to construct a public or partly public profile within a bounded system, articulate a list of other users with whom the individual shares a connection, and view and traverse his or her list of connections and those made by others in the system.

Why do I care?

These bills are not likely to become law in the next couple months (S.B. 568 would not go into effect until January 1, 2015).  Even if you are not running Facebook, you should care.  To the extent you advertise adult products or services on social media, you need to pay attention and be prepared for any changes.

If you have a website “directed” to minors or with actual minors using it, the law will require certain disclosures and procedures.  Simply failing to have the listed disclosures can get you in trouble.  You will have to be careful in how you accumulate and store information so that you can respond to requests timely to avoid related civil penalties.  Perhaps, between now and when (or if) these bills become law, you will have to consider what value the 13-17 year old market means to you in light of these changes?

Even if you are so uncool that your site does not want to deal with teens (and won’t be deemed “directed” towards teens based on your content), you should at least adjust your terms of service to prohibit use by anyone under 18 to avoid having to deal with these proposals.

Google and Facebook are fighting this law, so perhaps there will be some changes or they will die.  For more on these bills and the implications, read the Privacy and Security Matters Blog.