Ninth Circuit Refuses To Enforce Arbitration Clause Contained in Barnes & Noble's 'Browsewrap' Terms of Use Agreement

This post was written by Mark S. Melodia and Lisa B. Kim.

During recent terms, the U.S. Supreme Court has repeatedly embraced mandatory arbitration and class action waivers contained in a wide variety of consumer contracts.  The Court has sided with corporate defendants and elevated the requirements of the Federal Arbitration Act above other legal and policy interests advanced by would-be class representatives and their class action counsel.  And yet, all of this case law takes as a starting point that a valid, enforceable contract has been formed under state contract law.  Given the increasingly online nature of consumer transactions, this means that companies offering their goods and services via website or app need to assure that their terms and conditions will be recognized later by a reviewing court as a binding contract in order to get the benefit of this pro-arbitration case law.  Those counseling companies must, therefore, closely watch court decisions – particularly federal appellate authority – that do or do not enforce online terms of use.  One such decision issued earlier this week.

On August 18, the Ninth Circuit affirmed the district court’s denial of Barnes & Noble, Inc.’s motion to compel arbitration, finding that plaintiff did not have sufficient notice of Barnes & Noble’s Terms of Use agreement, and thus, could not have unambiguously manifested assent to the arbitration provision contained in it.  See Nguyen v. Barnes & Noble, Inc., Case No. 12-56628, 2014 WL 4056549, *1 (9th Cir. Aug. 18, 2014).  In Nguyen, the plaintiff brought a putative class action against Barnes & Noble after it had cancelled his purchase of two heavily discounted tablet computers during an online “fire sale.”  The plaintiff alleges that Barnes & Noble engaged in deceptive business practices and false advertising in violation of California and New York law.

In affirming the district court’s ruling, the Ninth Circuit found that the plaintiff did not have constructive notice of the arbitration clause, despite the fact that Barnes & Noble’s Terms of Use was available through a hyperlink at the bottom left of every page of its website (i.e., as a “browsewrap” agreement) and was in proximity to relevant buttons the website user would have clicked on.  Id. at *5-6.  The Ninth Circuit held that the onus was on website owners to put users on notice of the terms to which they wish to bind consumers, and that this could have been done through a “click-wrap” agreement where the user affirmatively acknowledged the agreement by clicking on a button or checking a box.  Id. at *5-6.  Indeed, the decision expressly states that had there been evidence of this, the outcome of the case may have been different.  Id. at *4.

In light of this decision, website owners utilizing a “browsewrap” terms of use agreement should consider incorporating some type of “click-wrap” method for garnering the affirmative consent of their users.  Otherwise, they will run the risk that courts, like the Ninth Circuit, will deny their enforceability.

TCPA Plaintiffs Secure Victories in Recent Rulings on Class Certification and Prior Express Consent

This post was written by Albert E. Hartmann and Henry Pietrkowski.

In separate cases, one Illinois federal judge issued several rulings favorable to Telephone Consumer Protection Act (TCPA) plaintiffs on key issues.  One ruling certified classes of almost 1 million consumers who received automated phone calls, even though the defendants’ records alone were not sufficient to identify the class members.  In a series of rulings in another case also involving automated calls, the judge refused to dismiss the case, even though the plaintiff admitted that he gave his cellular phone number to the defendant.

In the first case, Birchmeier v. Caribbean Cruise Line, Inc., et al., # 1:12-cv-04069 (U.S. District Court for the Northern District of Illinois), United States District Judge Matthew F. Kennelly certified two classes – with a combined total membership of almost 1 million consumers – who had received automated calls in alleged violation of the TCPA.  Plaintiffs initially indicated that they had received from defendants a list of almost 175,000 phone numbers to which automated calls had “unquestionably” been made.  At oral argument on class certification, defendants’ counsel conceded that the class members associated with those numbers were ascertainable. 

Ongoing discovery expanded that number to approximately 930,000.  Plaintiffs defined the putative classes as people whose numbers were on the list of 930,000 numbers from defendants, or whose own records could prove that they received a call at issue.  Judge Kennelly rejected defendants’ arguments opposing certification of classes based on this larger number.  The judge rejected the argument that the class was not ascertainable because defendants’ records could not establish the identity of the subscribers to the called numbers at the times of the calls.  The defendants’ earlier admission that the identities of the smaller number of class members were ascertainable, combined with plaintiffs’ contentions that they could (albeit with difficulty) identify the class members, rendered the putative classes sufficiently ascertainable under Rule 23.  Judge Kennelly also ruled that class members could be identified using their own records; for example, copies of phone bills showing they received a call from one of defendants’ numbers, or potentially with sworn statements providing sufficient details.  In reaching this ruling, Judge Kennelly noted that it would be “fundamentally unfair” to restrict class membership to people only identified on defendants’ records because that could result in “an incentive for a person to violate the TCPA on a mass scale and keep no records of its activity, knowing it could avoid legal responsibility for the full scope of its illegal conduct.”  After determining that the putative classes were ascertainable, the judge held that plaintiffs had carried their burden on the remaining Rule 23 elements and certified the two classes.  Thus, even when a defendant’s records cannot identify the putative class members, the class may still be certified if plaintiff can establish a viable method to ascertain class membership.

In the second case, Kolinek v. Walgreen Co., # 1:13-cv-04806 (U.S. District Court for the Northern District of Illinois), the plaintiff alleged a TCPA violation because he received automated calls to his cellular phone prompting him to refill a prescription.  Judge Kennelly initially dismissed the case because plaintiff had provided his cellular phone number to the defendant, which the defendant argued constituted “prior express consent.”  On July 7, 2014, however, Judge Kennelly reconsidered that decision in light of a March 2014 ruling from the Federal Communications Commission (FCC) that “made it clear that turning over one’s wireless number for the purposes of joining one particular private messaging group did not amount to consent for communications relating to something other than that particular group.”  Thus, while providing a cellular number may constitute “prior express consent” under the TCPA, “the scope of a consumer’s consent depends on its context and the purpose for which it is given.  Consent for one purpose does not equate to consent for all purposes.”  Because plaintiff alleged that he had only provided his number for “‘verification purposes.’ … If that is what happened, it does not amount to consent to automated calls reminding him to refill his prescription.”  Accordingly, Judge Kennelly ruled that dismissal of the case under the TCPA’s “prior express consent” exception was not warranted.

In a second opinion, issued August 11, 2014, Judge Kennelly ruled that dismissal was not warranted under the TCPA’s “emergency purposes” exception either.  While FCC regulations define “emergency purposes” to mean “calls made necessary in any situation affecting the health and safety of consumers,” 47 C.F.R. § 64.1200(f)(4), the FCC has not read that exception to cover calls to consumers about prescriptions or refills.  Noting the absence of such FCC guidance (which the judge observed would “bind the Court”), as well as the paucity of the complaint’s allegations “about the nature or contents of the call,” the judge ruled that he could not dismiss the case without “further factual development.”  Taken together, Judge Kennelly’s rulings in the Kolinek case may allow plaintiffs to survive motions to dismiss even when they admit providing their cellular phone numbers to the defendant.

In many respects, both of these opinions are outliers.  For example, other courts have concluded that providing a cellular number to a company constitutes consent to receive calls on that number.  Moreover, the rulings are fact-specific and thus may not extend beyond the cases at issue.  TCPA plaintiffs, however, will likely seize on these rulings and read them expansively to prolong cases and pressure defendants.  Defendants, therefore, must be aware of these issues and take them into account when defending TCPA cases, especially in the Northern District of Illinois.


This post was written by Hena M. Schommer, Bethany R. Brown, Michael J. Lowell, Leigh T. Hansson, and Michael A. Grant.

On August 13, 2014, the Office of Foreign Assets Control (“OFAC”) revised its guidance on the status of entities owned by persons designated on the Specially Designated Nationals List (“SDN List”).  Under the new guidance, OFAC will consider an entity to be blocked if it is 50 percent or more owned, directly or indirectly, in the aggregate by one or more SDNs. This rule applies even if the entity is not itself listed on the SDN List.  The guidance reverses OFAC’s prior position on aggregate ownership by multiple SDNs.  In conjunction with the revised guidance OFAC also issued further guidance in the form of Frequently Asked Questions (“FAQs”).

OFAC’s revised guidance addresses ownership only and not control.  OFAC clarified that an entity collectively controlled by multiple SDNs, but not also owned by SDNs under the 50 percent standard articulated in the guidance, is not automatically blocked.  Other, more comprehensive sanctions programs, such as Cuba and Sudan, may apply separate SDN control criteria.  However, OFAC warns that entities that are controlled by SDNs have a high risk of future designation by OFAC.

OFAC encourages entities considering potential transactions to undertake appropriate due diligence on parties to or involved with the transaction, especially in cases where complex ownership structures exist, since direct or indirect ownership by SDNs will trigger automatic blocking. Persons doing business with companies owned in part by an SDN should reevaluate the companies' status under the new guidance and consider whether existing due diligence processes will be sufficient to identify blocked persons going forward.

Wearable Device Privacy - A Legislative Priority?

This post was written by Frederick Lah and Khurram N. Gore.

Seemingly every day, new types of wearable devices are popping up on the market.  Google Glass, Samsung’s Gear, Fitbit (a fitness and activity tracker), Pulse (a fitness tracker that measures heart rate and blood oxygen), and Narrative (a wearable, automatic camera) are just a few of the more popular “wearables” currently on the market, not to mention Apple’s “iWatch,” rumored to be released later this year.  In addition, medical devices are becoming increasingly advanced in their ability to collect and track patient behavior.

As wearables become more sophisticated and prevalent, they’re beginning to attract the attention of senators and regulators.  Earlier this week, U.S. Senator Chuck Schumer (D-N.Y.) issued a press release calling on the Federal Trade Commission (“FTC”) to push fitness device and app companies to provide users with a clear opportunity to “opt-out” before any personal health data is provided to third parties.  Schumer’s concern is that the data collected through the devices and apps – which may include sensitive and private health information – may be potentially sold to third parties, such as employers, insurance providers, and other companies, without the users’ knowledge or consent.  Schumer called this possibility a “privacy nightmare,” given that these fitness trackers gather a wide range of health information, such as medical conditions, sleep patterns, calories burned, GPS locations, blood pressure, weight, and more. This press release comes on the heels of an FTC workshop held in May that analyzed how some health and fitness apps and devices may be collecting and transmitting health data to third parties.

Schumer’s comments were of particular interest to us.  We’ve been beta-testing Google Glass for the past several months as we try to get a better understanding of the types of data privacy and security risks that wearables pose in the corporate environment.  As the devices continue to gain popularity, we expect regulators, legislators, and companies to start paying closer attention to the data security and privacy risks associated with their use.

House of Lords' report on Google 'right to be forgotten' case concludes that it's 'bad law'

This post was written by Cynthia O’Donoghue and Kate Brimsted.

Back in May, we covered the European Union Court of Justice’s landmark ruling in the Google Spain case (‘CJEU Judgment’). Since then, much has been made in the media about the so-called “right to be forgotten”, and the various characters that have requested the removal of links relating to them. Now, the House of Lords Home Affairs, Health and Education EU Sub-Committee (‘Committee’) has released its own report (‘Report’) on the CJEU Judgment, calling it “unworkable, unreasonable and wrong in principle”.

One of the main concerns of the Report is that the practical implementation of the CJEU Judgment imposes a “massive burden” on search engines, and that while Google may have the resources to comply with the ruling, other smaller search engines may not. In addition, the Report makes much of the argument that classifying search engines as data controllers leads to the logical conclusion that users of search engines are also data controllers.

In relation to the “right to be forgotten” – both as implemented by the Judgment and as proposed by the Data Protection Regulation – the Committee notes a particular concern that requiring privacy by design may lead to many SMEs not progressing beyond start-up stage. Labeling the Judgment “bad law”, the Committee calls for the EU legislature to “replace it with better law”, in particular by removing the current provision that would establish a right to be forgotten. The provision is unworkable in practice since it requires the application of vast resources, and leaves to individual companies the task of deciding whether a request to remove data complies with the conditions laid down in the Judgment.

The Committee’s Report is just one of a host of criticisms that has been made of the Google Spain decision – albeit one of the most high profile. Implementing the Judgment has also caused Google PR headaches, with individual instances of the removal of links subject to widespread coverage in the media.

Microsoft loses third round of battle against extra-territorial warrants

This post was written by Cynthia O’Donoghue, Mark S. Melodia, Paul Bond, and Kate Brimsted.

On 31 July, the chief judge of the Southern District of New York delivered the latest in a series of controversial judgments stemming from a test case brought by Microsoft in an extra-territorial warrant issued under the U.S. Stored Communications Act. In the third ruling on the matter, the court found in favour of the U.S. government, upholding the warrant and ordering that Microsoft turn over customer emails stored in a data centre in Ireland. The District Court agreed to stay the order while the decision is appealed further.  If Microsoft’s final appeal is dismissed, the case will have significant implications for all U.S. businesses that store customer data overseas.  The implications also extend to non-U.S. customers, including those companies located within the EEA, that have entered agreements with U.S.-based companies to store their data outside the U.S. In particular, there is concern that foreign companies and consumers will lose trust in the ability of American companies to protect the privacy of their data.


U.S. Expands Export Restrictions Targeting Russia's Oil and Gas Production

This post was written by Hena M. Schommer, Michael J. Lowell, and Leigh T. Hansson.

Effective August 6, 2014, the United States Department of Commerce’s Bureau of Industry and Security (“BIS”) issued new regulations, identified as the “Russian Industry Sector Sanctions,” restricting exports and other transfers of certain items subject to the Export Administration Regulations (“EAR”) that may benefit Russia’s energy sector.  Newly added EAR section 746.5 imposes licensing requirements on the export, reexport, or in-country transfer of a wide range of items that may be used in Russia in the exploration or production of deepwater, Arctic offshore, or shale projects having the potential to produce oil or gas. The new regulations also clarify that applications for pertinent export licenses are subject to a presumption of denial, and that no EAR license exceptions – aside from license exception GOV  – apply to covered shipments.  The BIS rule took effect immediately upon issuance. Any in-process shipments of restricted items that fall within the restrictions will be considered violations after August 6, 2014; this means that shipments that are in-transit on or after the effective date would be considered violations.

In section 746.5(a)(1), BIS provides a list of Export Control Classification Numbers (“ECCNs”) and a list of EAR99 items identified as the Russian Industry Sector Sanction List.  The specific ECCNs restricted for export to Russia are ECCNs 0A998 (newly added), 1C992, 3A229, 3A231, 3A232, 6A991, 8A992, and 8D999 (also newly added).  The Russian Industry Sector Sanction List, consisting of items identified by their Schedule B numbers and descriptions, includes, but is not limited to, drilling rigs, parts for horizontal drilling, drilling and completion equipment, subsea processing equipment, Arctic-capable marine equipment, wireline and down hole motors and equipment, drill pipe and casing, software for hydraulic fracturing, high pressure pumps, seismic acquisition equipment, remotely operated vehicles, compressors, expanders, valves, and risers.

U.S. and non-U.S. exporters and reexporters should carefully examine the Russian Industry Sector Sanction List and relevant ECCNs to determine whether any items recently shipped, in process, or intended for future export, reexport, or transfer, are covered.

As a result of U.S. and European Union (“EU”) cooperation, the list of restricted items is virtually identical to the items included in Annex II of the EU Regulation issued July 31, 2014.  However, the items actually controlled under the respective lists may differ because of divergent classification interpretations between the United States and the EU.

Brazilian Data Protection Authority fines Internet Provider $1.59m

This post was written by Cynthia O’Donoghue and Kate Brimsted.

In July, the Brazilian Department of Consumer Protection and Defence (‘DPDC’) fined the telecom provider Oi 3.5 million reals ($1.59 million) for recording and selling its subscriber browser data in a case based on Brazilian consumer law dating back to 1990.

The DPDC investigated allegations that Oi had entered into an agreement with British online advertising firm Phorm Inc. to develop an Internet activity monitoring program called ‘Navegador’. The investigation confirmed that this program was in use and actively collected the browsing data of Oi’s broadband customers.

The browsing data was collected and stored in a database of user profiles, with the stated purpose of improving the browsing experience. Oi then sold this data to behavioural advertising companies without having obtained the consent of its customers.

The amount of the fine imposed took into account several factors, including the economic benefit to Oi, its financial condition, and the serious nature of the offence. The fine was issued after Oi suspended its use of the Internet activity monitoring software.

Oi denied violating customer privacy and claimed that use of the Internet monitoring program was overseen by government regulators. Phorm Inc. denied that any of the data collected from Oi’s customers was sold, and said that all relevant privacy regulations had been adhered to strictly.

The fine serves as a warning that Brazil will take strong action to enforce its new Internet law.

EU Regulation on electronic identification and trust certificates

This post was written by Cynthia O’Donoghue and Kate Brimsted.

In July, the Council of the European Union adopted a Regulation on electronic identification and trust services for electronic transactions (‘Regulation’). The Regulation is part of the Commission’s Digital Agenda for Europe, which promotes the benefits of a digital single market and cross-border digital services.

The Regulation will replace Directive (1999/93/EC) on electronic signatures and address its shortcomings. In particular, trust in electronic transactions is increased by creating a common foundation for secure electronic interaction between citizens, businesses and authorities. Essential to this development is that Member States should build the necessary trust in each other’s electronic identification schemes and the level of data security provided by them.

One shortcoming of the current system is that citizens are unable to use their electronic identification to authenticate themselves in another Member State because the national electronic identification scheme in their countries is not recognized in other Member States.

The Regulation will implement several measures, including:

  • Mutual recognition of electronic identification and authentication systems, where they comply with the conditions of notification and have been notified to the Commission.
  • Rules concerning trust services, including the creation and verification of electronic time stamps and electronic registered delivery services. This is a substantial enhancement of the previous position, under which EU provisions only existed for electronic signatures.

Under the Regulation, trust service providers will be under a duty to apply security practices that are appropriate for the level of risk presented by their activities. In addition, these services will be subject to a regulatory regime and liability in the event that damage is caused to any company or person through a failure to comply with this regime.

The Regulation will come into full force in July 2016.

Final Rule on Whistleblower-Related Legal Costs Shows It Pays (Possibly Literally) to Comment on Proposed Regulations

This post was written by Joelle E.K. Laszlo and Lorraine M. Campos.

On July 25, 2014, the U.S. Department of Defense (“DOD”), General Services Administration (“GSA”), and National Aeronautics and Space Administration (“NASA”) adopted a Final Rule addressing the allowability of legal costs incurred by a contractor or subcontractor defending against a whistleblowing employee’s accusation of reprisal.  The Final Rule implements a provision of the 2013 National Defense Authorization Act (“2013 NDAA”), which included a number of enhanced whistleblower protections.  The Final Rule also includes one fairly significant change from the interim version, based apparently on a single set of comments received.

The 2013 NDAA and the Interim and Final Rules prohibit a contractor or subcontractor from being able to charge to a government contract any legal costs incurred while defending against a whistleblower’s reprisal complaint, if ultimately found liable.  Due to “urgent and compelling circumstances,” the Interim Rule was promulgated without the opportunity for public comment.  However, DOD, GSA, and NASA pledged to consider all comments received in response to the Interim Rule in formulating the Final Rule. 

Accepting this offer, the management and operating contractor for the Department of Energy’s Y-12 National Security Complex noted, among other things, that the rigid language of the Interim Rule could discourage settlements of whistleblower complaints.  The Councils responsible for developing the Final Rule agreed.  As a result, the Rule now provides that if a whistleblower’s complaint of reprisal is resolved by “consent or compromise,” a contractor’s or subcontractor’s “reasonable costs [associated with the proceeding] . . . may be allowed if the contracting officer, in consultation with his or her legal advisor, determined that there was very little likelihood that the [whistleblower] would have been successful on the merits.”

While the practical impact of this revision remains to be seen, anyone who doubts the benefit of participating in notice and comment rulemaking may want to reconsider that stance.  Submitting comments on a proposed or interim rule doesn’t have to cost a lot, and it may pay off, even when no one else speaks up.

New Russian legislation requires local storage of citizens' personal data

This post was written by Cynthia O’Donoghue and Kate Brimsted.

President Putin recently signed Federal Law No. 242-FZ (the “Law”), which amends Russia’s 2006 data protection statute and primary data security law (Laws 152-FZ and 149-FZ) to require domestic data storage of Russian citizens’ personal data. The Law will allow websites that do not comply to be blocked from operating in Russia and recorded on a Register of organisations in breach.

The requirement to relocate database operations could place a significant burden on both international and domestic online businesses. All retail, tourism, and social networking sites, along with those that rely on foreign cloud service providers, could have their access to the Russian market heavily restricted by the Law. The Law takes effect 1 September 2016, which may not provide some organisations with enough of a transition period to make the necessary changes.

Earlier this year, the Brazilian government decided not to include a similar provision in their Internet bill in recognition of the draconian nature, the potential economic impact and the practical difficulties.  Russia has not taken this more pragmatic approach.  

Federal Circuit: VA May Refuse to Set Aside Contracts for Veteran-Owned Contractors

This post was written by Lorraine M. Campos and Carlos A. Valdivia.

Back in 2013, we reported that the Department of Veterans Affairs (“VA”) is not required to give veteran-owned small businesses (“VOSBs”) or service-disabled veteran-owned small businesses (“SDVOSBs”) preference for all contracts.  In Kingdomware Technologies, Inc. v. United States (“Kingdomware”), the United States Court of Federal Claims accepted the VA practice of purchasing off the Federal Supply Schedule (“FSS”) without first considering set-aside contracts for VOSBs or SDVOSBs.  Last month, the U.S. Court of Appeals for the Federal Circuit upheld the precedent-setting Kingdomware decision. The 2-1 decision explains why the VA can refuse to set aside contracts for veteran-owned contractors despite small business goals required by law.

The dispute revolves around section 8127(d) of the Veterans Act of 2006, which provides that a contracting officer of the VA shall award contracts to VOSBs if the contracting officer reasonably expects offers from two or more VOSBs. This “Rule of Two” is a form of restricted competition meant to give VOSBs an opportunity to compete for set-aside contracts,  but veteran-owned status does not guarantee an award. Section 8127(d) expressly prefaces that contracting officers “shall” award contracts using the Rule of Two “for the purposes of meeting the goals under subsection (a) [i.e., the VA’s goals for participation in VA contracts by VOSBs and SDVOSBs].” The Federal Circuit held that this statutory language clearly expresses Congress’ intent to require restricted competition only when necessary to meet set-aside goals, and that the VA’s decision was entitled to Skidmore deference. The Rule-of-Two mandate cannot be divorced from the VA’s goal-setting authority.

As Judge Reyna points out in his dissent, however, the court may be giving too much weight to the prefatory language in section 8127(d), and the use of the word “shall” could require use of restricted competition under the Rule of Two. Ignoring the mandate in section 8127(d) expands the VA’s discretion when it comes to applying Rule-of-Two analyses, potentially undermining congressional intent. Moreover, the VA’s regulations do not use the prefatory language tying mandatory set-asides to goal-setting, other than in the non-controlling preamble to the regulations. In effect, the majority’s decision gives the VA the discretion to ignore mandatory set-aside requirements once it meets its small business contracting goals.

What does this mean for veteran-owned contractors? That veteran-owned status is no guarantee of a set-aside award, at least not where the VA is concerned.

The case is Kingdomware Technologies, Inc. v. United States, No. 2013-5042, before the U.S. Court of Appeals for the Federal Circuit.

FTC Commissioner Brill Urges State AGs to Up the Ante

This post was written by Divonne Smoyer and Christine Czuprynski.

Businesses that think they know what privacy issues are on the minds of the state attorneys general (AGs) should be aware that AGs are being urged to take action, either on their own, or in concert with the FTC, on key cutting edge privacy issues. At a major meeting of state AGs this week at the Conference of Western Attorneys General, FTC Commissioner Julie Brill, one of the highlighted speakers at the event, emphasized the importance of the AGs’ role in privacy regulation, and encouraged AGs to collaborate and cooperate on privacy investigations consistent with FTC efforts.

Commissioner Brill, a former assistant AG in two influential state attorney general offices, Vermont and North Carolina, outlined for the AGs several high-level privacy priorities for the FTC, including: (1) user-generated health information; (2) the Internet of Things; and, (3) mobile payments and mobile security. She invited the states to follow these and other privacy issues, and to complement the FTC’s actions in these areas in appropriate ways.

Also a focus: the Commission’s “Big Data” data broker report. Commissioner Brill emphasized her concerns about data broker practices, including their use of terms to describe and categorize individuals, such as “Urban Scramble,” “Mobile Mixers,” “Rural Everlasting,” and “Married Sophisticates.” She stressed that the information gathered by data brokers about these groups may allow businesses to make inferences about people, which in turn could impact access to credit, and in other ways. She pointed out that the FTC unanimously called for legislation to increase transparency and provide consumers with meaningful choices about how their data is used.

Building on her comments about data brokers, Commissioner Brill voiced concerns about the United States’ sectoral approach to privacy law and stressed that there needs to be gap-filling in areas outside of those sector-specific laws, and, since Congress is focused elsewhere on privacy issues, state action may be the best option to take on these issues and fill the gaps. This is not the first time Commissioner Brill has called on the states to take decisive action, and it won’t be the last.

Finally, Commissioner Brill addressed the FTC’s case against Wyndham in particular, noting that the FTC is aggressively fighting challenges to its Section 5 authority. She reminded the states that they have an interest in this fight given that state UDAP statutes share a common blueprint as so-called “mini-FTC Acts,” and invited collaboration on future challenges.

It is likely that many of the states will take action consistent with Commissioner Brill's urging.

UK set to implement emergency Data Retention and Investigatory Powers Bill

This post was written by Cynthia O'Donoghue, Angus Finnegan and Kate Brimsted.

In April, the Court of Justice of the European Union (‘Court’) declared Directive 2006/24/EC on the Retention of Data to be invalid, creating uncertainty for telecommunications operators across the region. In a controversial move by the UK Government, the Data Retention and Investigatory Powers Act 2014 (‘Act’) has been passed using emergency procedures.

Formulated in 2006, the Directive aimed to harmonise the laws of Member States in relation to the retention of data. It introduced an obligation on telecommunications operators to retain a wide range of traffic and location data, which could then be accessed by national authorities for the purpose of detecting and investigating serious crime. The Directive was implemented in the UK through the Data Retention (EC Directive) Regulations 2009.

In its judgment, the Court stated that the obligation to retain communications data and the ability of national authorities to access them constituted an interference with both Articles 7 and 8 of the Charter of Fundamental Rights. Whilst this interference satisfied the objective of general interest, it was not proportionate or limited to what was strictly necessary. There was concern that the data collected “may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.”

The Act seeks to maintain the status quo by preempting any legal challenge to the Regulations, and allows the Secretary of State to issue a notice requiring the retention of all data, or specific categories of data, for a period of 12 months. Whilst the effect of the Act is largely similar to its predecessor, the language used is more expansive and appears to be capable of encompassing a broader range of data.

The Act also amends certain provisions of the Regulation of Investigatory Powers Act 2000, allowing for the extra-territoriality of warrants in certain circumstances. This is a major step not only for UK interception powers, but for interception powers globally. Last month, we reported that Microsoft would continue to challenge a U.S. court ruling that effectively allowed an extra-territorial warrant to be issued; it appears that the legal basis for similar powers could be being introduced by the back door in the UK.

It is unclear whether the Act will be a temporary piece of legislation, staying in place until a more permanent solution is implemented at EU level, or whether it will be permanent. However, one positive effect will be that telecommunications operators will know what their retention obligations are. That is not the case in almost all other Member States at present.

Has Facebook been evil? It's down to the regulators to decide

This post was written by Cynthia O'Donoghue and Kate Brimsted.

In June, Facebook came under public scrutiny after it was revealed that the company carried out research in 2012 that manipulated the News Feeds of 689,000 users. Several regulators are now poised to investigate Facebook’s conduct.

The study exposed users to a large amount of either positive or negative comments in order to observe the effect of this on the way that they used the site. It found that “emotional states can be transferred to others via emotional contagion, leading people to experience the same emotions without their awareness.”

Facebook’s behavior will now be scrutinized by data protection regulators, with the UK’s Information Commissioner’s Office indicating on 1 July that it will work with the Irish Data Protection Commissioner to learn more about the circumstances surrounding the research. The regulators are likely to be particularly interested in the terms of use and privacy policy that applied at the time of the research, and whether they contained adequate notices.

Meanwhile, on 3 July, the Electronic Privacy Information Center (‘EPIC’) filed a formal complaint with the U.S. Federal Trade Commission, requesting that the regulatory body undertake an investigation of Facebook’s practices. The FTC has not yet responded to this request.

Although perhaps an extreme example, this issue highlights the challenges that organisations can face when using data for a purpose that goes beyond what users would expect. Given the mysterious algorithms that underlie what any Facebook user sees (contrary to common belief, it is not simply a chronological list of activities), it is arguable that the issue here arises out of functionality that is not far removed from Facebook’s everyday operations. It will be interesting therefore to see whether the regulators take any robust action.