eBay Can Be Liable for Trademark Infringements

The European Court of Justice (ECJ) has ruled that eBay can be held liable for the offer for sale by third parties of trademark-infringing goods on its site if it took steps to actively assist those third parties or if it knew or should have known of the infringing activity and did nothing. It also held that eBay could be liable for its own use of trademarks as keyword search terms to generate ads on search engines, if those ads do not allow an Internet user to easily determine whether the goods referred to in the ads are offered by the mark owner or someone else. And perhaps most importantly, the court held that national courts can issue injunctions requiring an online marketplace like eBay to alter their sites to make it easier to identify sellers in order to deter future infringements and give trademark owners an effective remedy. Though the courts of each member state will have to determine how to apply these principles in particular cases, it seems almost certain that Internet marketplaces may be exposed to significant potential liability unless they alter their approach to policing trademark infringements.

© Copyright 2011 Steptoe & Johnson LLP

Friends Don't Let Friends Eat Spam

US Law: Ask your average teenager if Facebook messages or wall postings are emails, and you will probably get a fair amount of eye-rolling. But according to a recent federal district court decision in Facebook v. MaxBounty, such communications may indeed be considered “electronic mail messages” within the meaning of the CAN-SPAM Act. The court’s interpretation of what constitutes email may mean that other forms of Internet advertisements directed at particular individuals may be subject to the Act.

© Copyright 2011 Steptoe & Johnson LLP

HHS Gets Serious About Privacy

The Department of Health and Human Services is getting serious about its privacy enforcement responsibilities, announcing that it has imposed big penalties on two medical centers that violated the Health Insurance Portability and Accountability Act (HIPAA). HHS imposed a fine of $4.3 million on Cignet Health Center for ignoring the requests of patients who wanted access to their medical records and then failing to cooperate with an investigation into the incident by HHS's Office of Civil Rights. And Mass General agreed to pay $1,000,000 to settle charges that it had violated the HIPAA Privacy Rule when an employee accidentally left on the subway documents containing protected health information of 192 patients.

© Copyright 2011 Steptoe & Johnson LLP

Generic Website Coding Does Not Remove CDA Immunity

A federal district court in Georgia, in Herman v. Xcentric Ventures, LLC, has granted summary judgment to a website in a case that emphasizes the “robust immunity” provided by the Communications Decency Act (CDA). Defendant Xcentric Ventures operates www.ripoffreport.com, which allegedly displayed an anonymous defamatory post about the plaintiff’s law firm. As we have previously reported, courts have interpreted Section 230(c)(1) of the CDA as providing broad immunity for websites that display third-party content, as long as the websites do not contribute to the content. The plaintiffs argued that the website had added “original content” by providing a title for the third-party report, metatags, and new content on the website itself, thus acting as an information content provider and voiding any immunity under the CDA. The court determined, however, that any content contributed by the website was “generic” and common to all the user-generated comments on the site, and that the website had not created any content specifically about the plaintiff.

© Copyright 2011 Steptoe & Johnson LLP

Denmark Says "Nej!" To Cloud Computing, For Now

Denmark’s Data Protection Agency (DPA) has rejected a Danish city’s request to use cloud computing to store sensitive information, citing “important security issues.” The DPA's opinion letter, which will be sent to other EU data protection officials for their information, may become an important precedent for public and private entities that are considering storing information in the cloud, as well as for cloud providers. Still, the DPA left open the possibility of allowing storage in the cloud if the cloud provider offers adequate assurances about security.

© Copyright 2011 Steptoe & Johnson LLP

Canada Introduces Anti-Spam and Computer Crime Legislation

Canadians may enjoy their poutine, but spam is another matter. Canada has finally passed national anti-spam legislation (Bill C-28) that, in addition to prohibiting the sending of unsolicited electronic messages, prohibits the unauthorized alteration of a message’s transmission data and the unauthorized installation of computer programs. It also introduces monetary penalties and a private right of action against spammers, as well as extended liability which will allow plaintiffs to “follow the money” to the responsible party. And the law amends Canada’s Personal Information Protection and Electronic Documents Act to crack down on the collection or compiling of unlawfully obtained personal information. The new legislation will be enforced by the Canadian Radio-television and Telecommunications Commission, the Competition Bureau, and the Office of the Privacy Commissioner.

© Copyright 2011 Steptoe & Johnson LLP

Supreme Court rules that IP addresses are personal data in file-sharing case

The Supreme Court of Switzerland ruled that IP addresses constitute as personal data in an 8 September 2010 case involving a company, Logistep AG, which had collected, without consent, the IP addresses of internet users who were illegally downloading copyrighted materials using peer-to-peer software. The company – which then passed on the details of those users to copyright holders for a fee - was held to have violated the Swiss Data Protection Act.

Logistep AG had developed software in 2008 to research which works were being offered online on peer-to-peer networks without the author's consent. Whenever one of these works was downloaded illegally, the software would record and store the data relating to the download. This data was then sold to members of music and film industries interested in protecting their intellectual property, who could identify the owners of the internet connection used for the download and claim compensation for copyright violation.

The Court ruled that, while the interest of Logistep AG to reduce copyright infringement was valid, it did not override or justify the infringement into personal privacy. The method was deemed to have ‘significant interference in the private sphere of each user’, which the state is obliged to protect. Logistep AG must now discontinue all of its activities.

The Swiss Data Protection Authority filed the case at the Supreme Court, after the Federal Administrative Tribunal found in Logistep AG’s favour, ruled that the goal to hunt down those guilty of internet piracy did not require the consent of users.

Copyright (C) 2010 Data Guidance

CAP Code to apply to organisations' own website content and social networking sites

The Advertising Standards Authority (ASA) and the Committee of Advertising Practice (CAP) have extended the scope of the British Code of Advertising, Sales Promotion and Direct Marketing (CAP Code) to cover, from 1 March 2011, marketing communications on an organisation's own website and in other non-paid-for online space under a company's control, such as social networking sites. Currently, the Code applies to sales promotions wherever they appear but only to other marketing communications in paid-for online space. However, the Code's remit is to be extended in response to a formal recommendation from a wide cross-section of UK industry. As CAP accepts that it may be difficult to decide what marketing communications are covered by the new rules, it has set out a new three-step test to assist. The change represents a major extension to the remit of the ASA and CAP. Organisations have six months to ensure that their websites and other online space under their control comply with the code. The extended remit follows the introduction of a new CAP Code and Broadcast Committee of Advertising Practice (BCAP) Advertising Standards Code on 1 September 2010.

©Practical Law Publishing Limited; Practical Law Company Limited 2010

Update to Google Keyword Policy in Europe

Google has announced on 4 August 2010 a change to its keyword policy in Europe meaning that as of 14 September 2010 they will introduce a notice and take down procedure. Complaints can then be made directly to Google and if Google agrees that they are valid, Google will remove the offending ads. This follows the recent ruling of the Court of Justice in the recent Google France joined Cases.

See new policy - Adwords Trademark Policy

EU Takes Search Engines to Task on Data Retention

The European Union’s Article 29 Working Party has sent letters to Google, Yahoo!, and Microsoft telling them that they must cease retaining personal data of search engine users for more than six months and must improve their anonymization procedures. It also asked the companies to appoint outside auditors to review their procedures for anonymizing data to ensure that they truly prevent identification of the users behind the data. In addition, the Party sent copies of the letters to the U.S. Federal Trade Commission and asked it to investigate whether the companies’ data retention practices were “unfair” or “deceptive” within the meaning of the FTC Act.

Canada Moves A Step Closer to Mandatory Data Breach Notification

Canada’s Ministry of Industry has proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) that would require private sector entities to notify the Office of the Privacy Commissioner of breaches of personal data, and to notify affected individuals directly if the breach creates a “real risk of significant harm.” The proposal will now be considered by Parliament. The Privacy Office in the past has opposed mandatory notification, but this time around has said it welcomes the proposal. Chances thus seem fairly good that Canada will join the breach notification club.

EU Revises Model Contract Clauses for Data Transfers

The EU Data Protection Directive restricts transfers of personal data of EU residents to non-EU countries. A common approach for complying with this obligation is for the EU data transferor and the transferee abroad to adopt model contract clauses approved by the European Commission. The European Commission earlier this month adopted a decision approving a new set of model contract clauses for the transfer of personal data from a data controller to a foreign processor (controller-to-controller clauses were previously approved). The new clauses permit the foreign processor to re-transfer data to a sub-processor (the previous version did not permit this), and delete an arbitration provision from the previous version that had never been applied in practice.

© Copyright 2010 Steptoe & Johnson LLP

European Commission urges social-networking service providers to improve child safety policies

The European Commission is urging social-networking service providers to improve their child safety policies. In February 2009, 17 social-networking service providers such as Bebo, Facebook, Google and Microsoft signed an agreement on "Safer Social Networking Principles for the EU" (see Legal update, Social-networking service providers sign agreement on child online safety). The Commission has published a report, in which it says that most of these companies had empowered minors to tackle online risks by making it easier to change privacy settings, block users or delete unwanted comments and content. However, Viviane Reding, Commissioner for Information Society and Media, said more needed to be done. Less than half of social-networking providers made profiles of under-18 users visible only to their friends by default and only one third replied to user reports asking for help. Source: European Commission press release, 9 February 2010.

©Practical Law Publishing Limited

Court Muddies the Water on Electronic Signatures in New York

In Prudential Ins. Co. v. Dukoff, et al., a federal district court in New York has left unclear whether state regulators can add requirements for electronic signatures that go beyond those defined in the state’s electronic signatures law. While the court suggested that the state insurance department’s requirements were inconsistent with the statute, it nonetheless deferred to the department’s opinion that an electronic signature on an insurance application is valid only if the insurer can verify the identity of the person signing the application.

© Copyright 2010 Steptoe & Johnson LLP

Is the UK Moving Toward A De Facto Data Breach Notification Requirement?

The UK's Information Commissioner's Office recently warned companies that they could face tougher sanctions if they don't report data security breaches to the ICO. Although notification is not strictly required by the ICO, a recent statement by the ICO suggests that the agency may be seeking to establish a de facto notification requirement for serious data breaches. This warning is yet another sign that more countries, particularly in Europe, are moving toward expressly requiring notification of government agencies and/or affected individuals in the event of a data breach.

© Copyright 2010 Steptoe & Johnson LLP

Court Refuses to Enforce Take-Down Injunction Against Website

USA: A federal district court in Illinois has ruled in David Blockowicz, et al., v. Joseph David Williams, et al., that a website is not required to remove defamatory remarks despite an injunction against the persons who posted the remarks on the site. Wishing to avoid the immunity provision of the CDA, the plaintiffs sued the actual authors of the defamatory remarks rather than the websites that posted the remarks. The court issued an injunction requiring the plaintiffs to remove the remarks, but the plaintiffs were unable to contact the defendants. The plaintiffs therefore moved for third-party enforcement of the injunction against the website, ripoff.com. But the court was unpersuaded that the website – despite Terms of Service that included a copyright claim to all posted comments, a statement that comments would never be removed, and an indemnification clause – should be considered an aider and abettor of the defamatory remarks, and therefore refused to enforce the injunction against it.

© Copyright 2010 Steptoe & Johnson LLP

UK: Court reject copyright infringement and breach of confidence

The High Court has rejected a claim by a computer games designer, Mr Burrows, that a director of a company called Circle Studio Limited (Circle) which had previously employed him, had infringed copyright in a game called "Traktrix" which Mr Burrows had proposed to them, or breached confidence, by trying to exploit a substantially revised version of the game. Norris J found that there was no breach of confidence because the proposal for "Traxtrix" was not disclosed in circumstances importing an obligation of confidence; in disclosing the idea to Circle, Mr Burrows was doing what he was paid to do as a games designer, and there was no evidence that he told Circle that it was an idea that he had thought up before joining Circle. Norris J rejected the copyright claim because, among other things, Mr Burrows argued that Circle had copied significant parts of his original document recording the concept for the game in a later design document relating to it. However, since nobody at Circle knew of the original document, if the design document incorporated parts of it, it was because Mr Burrows himself incorporated them. This was not a grant of an implied licence by Mr Burrows, but a unilateral act requiring no agreement on Circle's part.

©Legal & Commercial Publishing Limited; Practical Law Company Limited 2009

ISPs Ordered to Pay $32 Million to Louis Vuitton for Contributory Trademark and Copyright Infringement

A federal jury in California has found two Internet service providers, Akanoc Solutions, Inc., and Managed Solutions Group, Inc. ("MSGI"), and their owner, Steven Chen, guilty of contributing to trademark and copyright infringement for hosting websites selling counterfeit Louis Vuitton goods, and has awarded Louis Vuitton $32 million in damages. As we previously reported, Louis Vuitton sued Akanoc, MSGI and Chen for "knowingly allow[ing] and encourag[ing] certain websites to use" their Internet hosting services to infringe Louis Vuitton's "valid trademarks and copyrights." Louis Vuitton successfully demonstrated that both ISPs knew of the infringing websites but failed to take "simple measures" to shut them down.

© Copyright 2009 Steptoe & Johnson LLP

Keyword advertising vs. trade mark infringement

Advocate General (AG) Poiares Madura has provided a detailed opinion concerning Google's keyword advertising system, following references to the ECJ from France in three sets of proceedings brought by trade mark owners against Google. The AG considered (among other things) that Google, by displaying advertisements in response to keywords corresponding to trade marks, established a link between those keywords and the sites advertised, which sold goods or services. However, such a link did not constitute trade mark infringement as the mere display of relevant sites in response to key words was not enough to lead to confusion. The AG's opinion provides some much-needed clarification of trade mark law in relation to keyword advertising, although it remains to be seen whether it will be followed by the ECJ when it gives its decision. Brand owners will doubtless be disappointed with the opinion, but the references only concerned the use of keywords which corresponded to trade marks, not the use of the trade marks in advertisements, or in the products sold via the sites advertised. The AG also considered that the liability exemption for hosts in Article 14 of the E-Commerce Directive (2000/31/EC) should not apply to the content featured in Google's AdWords. Case: Google France and Google Inc. v Louis Vuitton Malletier, Google France v Viaticum Luteciel, and Google France v CNRRH and others, Joined Cases C???236/08, C???237/08 and C???238/08, 22 September 2009.

©Legal & Commercial Publishing Limited

Facebook Capitulates in Privacy Law Face-Off

Facebook, Inc. has reached agreement with the Office of the Privacy Commissioner of Canada regarding privacy controls on the social networking website. As we previously reported, the Office found that several of Facebook's practices violated Canada's Personal Information Protection and Electronic Documents Act. The Office gave Facebook 30 days to address the concerns or face court action. Facebook has now consented to several significant changes, including a more forthcoming description of its Privacy Policy; more granular privacy settings; a permissions-based model for third-party applications (e.g., games and quizzes) that allows users to select the information they share with third parties; and the clear option to either "deactivate" or entirely "delete" an account.

© Copyright 2009 Steptoe & Johnson LLP.