FTC to Explore Mobile Payments

Posted by Josephine Liu on January 27, 2012

The Federal Trade Commission has announced that it will host a workshop on April 26, 2012, to discuss mobile payments.  In addition to exploring payment technologies and business models, the workshop will likely cover consumer protection issues such as the risks of financial loss, the need for information disclosures, data protection concerns, and the remedies available to consumers.  The FTC plans to bring together a variety of stakeholders – industry, consumer advocates, regulators, technologists, and academics – and welcomes public comments in advance of the event.

As we previously noted, the law governing mobile payments is a complex blend of existing federal laws as well as rapidly changing state laws.  The regulatory picture is further complicated by the number of federal agencies that could theoretically assert jurisdiction over mobile payments.  Besides the FTC, other agencies that might have an interest include the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Communications Commission, the Treasury Department's Federal Crimes Enforcement Network, and the Consumer Financial Protection Bureau. 

NIST Issues Guidelines on Public Cloud Security, Privacy

Posted by Michael Beder on January 26, 2012

The U.S. Department of Commerce’s National Institute of Standards and Technology on Tuesday released a final version of its guidelines for how organizations — particularly federal agencies — should manage security and privacy concerns when considering the use of public cloud-computing services. Public cloud services, unlike private clouds, require users to store their data on the provider’s shared equipment rather than on the organization’s own servers.

The new NIST security guidelines do not recommend any particular services, providers, or service models; instead, the guidelines highlight the steps organizations should take and the issues they should consider when evaluating any public cloud service.

Continue Reading

Pineda One Year Later

Posted by Josephine Liu on January 26, 2012

Just under a year has passed since the California Supreme Court ruled that asking for a customer’s ZIP code during a credit card transaction violates California’s Song-Beverly Credit Card Act.  According to media reports, the court’s decision in Pineda v. Williams-Sonoma Stores, Inc. has spurred more than 200 suits against California retailers.  A roundup of recent developments in Song-Beverly Act litigation:

  • A case against Brookstone had been dismissed in May 2010 on the ground that a ZIP code is not “personal identification information” within the meaning of Song-Beverly, but a state appellate court ruled [PDF] that the subsequent contrary decision in Pineda applied retroactively and that the suit against Brookstone could therefore proceed. 
  • Both state and federal courts in California have now reaffirmed that Song-Beverly does not apply to online transactions (Gonor v. Craigslist, Inc. [PDF]; Salmonson v. Microsoft Corp. [PDF]).  According to Mehrens v. Redbox Automated Retail LLC [PDF], Song-Beverly does not apply to transactions conducted at self-service kiosks either.  The courts recognized that fraud prevention justifies the collection of ZIP codes in online and kiosk transactions. 
  • A California federal court preliminarily approved a settlement under which Tiffany and Co. agreed to provide a voucher for either $10 off or free engraving to an estimated class of 90,000 customers; $142,000 in attorneys’ fees to class counsel; and $2,000 to the class representative.

Continue Reading

Senate Privacy Subcommittee Schedules Video Privacy Hearing

Posted by Rob Sherman on January 25, 2012

As we previously reported, the Video Privacy Protection Act reform bill sponsored by Rep. Bob Goodlatte (R-VA) passed the House.  And now the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law has scheduled a hearing on video privacy, to be held next Tuesday, January 31.

The VPPA has come under scrutiny in recent months because of what some say are ambiguities over how the statute applies to online video distribution.  According to Rep. Goodlatte, the House legislation was designed to address those ambiguities and clarify how companies can share information about video watching activity on social media and other websites.

Tuesday’s hearing will include testimony from Netflix General Counsel David Hyman.  Netflix, which is in mediation relating to privacy litigation brought against it in California, made news when it declined to roll out new social features within the U.S., citing confusion over how the VPPA would apply.  Also testifying are University of Minnesota Law School Professor William McGeveran, and Marc Rotenberg, Executive Director of the public interest group the Electronic Privacy Information Center

The hearing will be webcast on the Subcommittee’s website.

European Commission Proposes Comprehensive Data Protection Reform

Posted by Mark Young on January 25, 2012

Following more than two years of consultations and intense speculation in recent weeks, the European Commission today proposed comprehensive measures to reform the European data protection framework.  We currently are analysing the proposed reforms in detail, but it appears that the proposal for a General Data Protection Regulation largely mirrors earlier leaked drafts. 

For example, key measures include:

Continue Reading

Supreme Court: Attaching GPS Tracker to Suspect's Car Constitutes Search For Purposes of Fourth Amendment

Posted by Michael Beder on January 24, 2012

The federal government conducted a search for purposes of the Fourth Amendment when it attached a GPS tracking device to a suspect’s car and used the device to track the suspect’s movements for 28 days, the U.S. Supreme Court ruled Monday.

All nine justices voted to uphold the decision by the U.S. Court of Appeals for the D.C. Circuit reversing Antoine Jones’s drug-trafficking conviction, which was partly based on evidence obtained from the tracking device. But the Court split 5-4 on how the government’s actions constituted a search within the meaning of the Fourth Amendment.

A five-justice majority, in an opinion written by Justice Antonin Scalia, held that the government’s physical attachment of the device to Jones’s car was the critical factor because the Fourth Amendment specifically protects “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.”  Physically trespassing on one of Jones’s “effects” — the car — in order to obtain information would have been considered a search when the Fourth Amendment was adopted, the Court held, and such an intrusion therefore requires the government to obtain a warrant under most circumstances. Chief Justice John Roberts and Justices Anthony Kennedy, Clarence Thomas and Sonia Sotomayor joined Justice Scalia’s majority opinion.

Continue Reading

Mexico's Data Protection Law Fully in Force

Posted by Helena Marttila on January 24, 2012

The implementing regulations of Mexico’s Federal Law for the Protection of Personal Data (the “Law”) came into effect on 22 December 2011.  The regulations have allowed the Law to finally fully enter into force.  As reported earlier, Mexico’s privacy law is the first piece of federal legislation to regulate how businesses handle personal information in Mexico.

The implementing regulations bring into force the Law’s provisions dealing with data subjects’ rights to access, correct and delete personal information relating to them, which individuals have been able to exercise since January 2012.  Failure to comply with individuals’ requests to exercise these rights are actionable by the Federal Institute of Access to Information and Personal Data and may lead to civil penalties. The regulations also deal with security and breach notification, cloud computing, consent and notice requirements, as well as data transfers. 

Although the Law is now fully enforceable, a “honeymoon period” of 18 months has been granted to companies to implement the security measures required under the regulations.

Breaches of the Law may lead to fines as well as to custodial sanctions. If sensitive personal data is processed, the penalties can be increased significantly.

Personal Injury Defendant Denied Access to Plaintiff's Private Facebook Content

Posted by Laura Brookover on January 23, 2012

An Eastern District of Michigan judge held that a personal injury defendant could not discover the plaintiff’s private Facebook content under Rule 26(b) governing the discoverability of evidence.  Tompkins v. Detroit Metropolitan Airport, No. 2:10-cv-10413-BAF-RSW (E.D. Mich, Jan. 18, 2012).  Although—as the court noted—the private portions of a user’s Facebook account are not generally privileged or protected by common law privacy rights, “the Defendant does not have a generalized right to rummage at will through information that Plaintiff has limited from public view.”

The court required the defendant to make “a threshold showing that the requested information is reasonably calculated to lead to the discovery of admissible evidence” so as to avoid “the proverbial fishing expedition.”  The defendant proffered some of the plaintiff’s public postings as support, including photographs showing the plaintiff holding a dog and grocery shopping.  Because these pictures were not inconsistent with the plaintiff’s claims of injury, the defendant did not establish relevance. 

“If the Plaintiff’s public Facebook page contained pictures of her playing golf or riding horseback, Defendant might have a stronger argument for delving into the non-public section of her account,” the court noted.

Ontario Recognizes Intrusion Upon Seclusion Privacy Tort for the First Time in Canada

Posted by Laura Brookover on January 23, 2012

The Ontario Appeals Court last Wednesday recognized—for the first time in Canada—the intrusion upon seclusion privacy tort.  In Jones v. Tsige, 2012 ONCA 32, the plaintiff sued a coworker for looking through her financial records.  The motion judge granted summary judgment for the defendant on the ground that Ontario law does not recognize plaintiff’s claim.  The Court of Appeal for Ontario reversed, resolving a question that “has been debated for the past one hundred and two years”—namely, whether to recognize a tort for the invasion of privacy.

The court concluded that the time had come to recognize the cause of action.  Acknowledging “the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form,” the court stated that “technology change has motivated the legal protection of the individual’s right to privacy.” 

Ontario’s new cause of action adopts the elements of the intrusion upon seclusion tort in the Restatement (Second) of Torts, which requires that a defendant intentionally act to invade, without lawful justification, a person’s private affairs or concerns, and that a reasonable person would find the invasion highly offensive.  The court declined to impose an economic harm requirement, noting that “given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum.”

The new privacy right is not absolute.  Competing claims—such as “claims for the protection of freedom of expression and freedom of the press”—may in some circumstances override individual privacy rights.

Supreme Court Holds That Private Plaintiffs May Bring TCPA Claims In Federal Court

Posted by Mali Friedman on January 20, 2012

On Wednesday, the United States Supreme Court unanimously held that the Telephone Consumer Protection Act (“TCPA”) allows private citizens to seek relief in federal (in addition to state) court.  Overturning an Eleventh Circuit decision that Congress had vested jurisdiction over private TCPA actions exclusively in state courts and disagreeing with numerous other Circuit courts that had reached the same conclusion, the Supreme Court held that the TCPA’s provision allowing private citizens to bring suit for violations “in an appropriate court of [a] state” does not deprive U.S. district courts of a concurrent authority to adjudicate claims.  Nothing in the text, structure, purpose or legislative history of the TCPA calls for displacement of the [] jurisdiction U.S. district courts . . . ordinarily have," said Justice Ruth Bader Ginsburg, writing for the Court.

The TCPA was enacted by Congress in 1991 in response to complaints regarding abuses by telemarketers.  The underlying case leading to the Supreme Court’s decision was Mims v. Arrow Financial Services, LLC.