April 2013

Morrison & Foerster’s Sherman Kahn Interviews American Arbitration Association Vice President, Sandra Partridge

Many companies are providing for arbitration of disputes in their terms of service agreements governing use of their websites or other online or mobile services. Arbitration clauses in online terms of service agreements should be carefully drafted in order to ensure that they are enforceable, particularly when arbitrations under the agreement may be conducted between the business and a consumer. It is also important to design the presentation of the clause so that the counterparty is aware of the clause and consents to it. We have previously written about these issues in Click-Accept Arbitration: Enforcing Arbitration Provisions in Online Terms of Service.

One of the decisions that must be made when drafting an arbitration clause is which organization will administer the arbitration. One of the organizations frequently chosen to administer arbitrations arising from online terms of service agreements is the American Arbitration Association (AAA). We are pleased to publish here a discussion with Sandra Partridge of the AAA. Ms. Partridge is the Commercial Vice President for the AAA in New York. She shares practical advice in the interview regarding how to provide for arbitrations in connection with your terms of service agreements.

Ms. Partridge, can you tell us about the AAA and its administration of arbitrations arising from online terms of service?

The AAA administers two types of arbitrations arising from online terms of service agreements—business-to-business and business-to-consumer. Business-to-business agreement disputes are heard under the AAA Commercial Arbitration Rules and proceed the same way as any other business-to-business arbitration. The AAA is prepared to handle both large and small business-to-business disputes. The AAA’s Commercial Rules include Expedited Procedures to govern the arbitration where the amount in dispute is under US$75,000. The AAA Expedited Procedures provide parties with a fast, cost-efficient method for resolving less complicated disputes.

Can you explain how the AAA’s approach differs when it is administrating a business-to-consumer dispute?

Pre-dispute arbitration clauses (i.e., agreements entered into before a dispute arises), such as clauses in online terms of service agreements, that may result in arbitration between the business and a consumer require additional scrutiny. This is because when businesses enter a pre-dispute arbitration agreement with consumers, a greater level of due process protection is required in order to ensure fairness. The AAA, in conjunction with a variety of other organizations, jointly developed a Consumer Due Process Protocol that addresses issues such as locale for arbitration hearings, cost-shifting and allocation, legal representation and access to remedies. Businesses considering adding pre-dispute arbitration clauses to terms of service agreements would find it advisable to become familiar with the Consumer Due Process Protocol. The AAA has also developed supplementary procedures for the conduct of consumer arbitrations. It is helpful to review those procedures before preparing a consumer-directed arbitration provision. In addition, the AAA has dedicated a section of its website to disputes between businesses and consumers that provides a variety of helpful material for the arbitration clause drafter.

What additional steps should the arbitration clause drafter take if the drafter expects that arbitrations under the agreement may include arbitration of disputes between the business and consumers?

As mentioned above, the drafter should refer to the Consumer Due Process Protocol when drafting the arbitration clause. In addition, where a clause may result in arbitration with consumers, the AAA requires that the clause drafter submit the clause to the AAA for review and approval in advance of the administration of any arbitration under the clause.

Why does the AAA require pre-arbitration review of arbitration clauses?

The AAA requires that a consumer-directed pre-dispute arbitration clause be in compliance with the Consumer Due Process Protocol before it can administrate cases brought under that clause. The AAA only administrates cases between businesses and consumers arising from pre-dispute arbitration provisions that are in compliance with the Protocol in order to ensure fairness and a level playing field for both sides. Consumers and businesses can expect a fair process and enforceable awards. Pre-approval also allows the AAA to administrate any cases that are filed pursuant to the clause without delay.

How would the AAA proceed if presented with a consumer arbitration filing based upon an arbitration clause that the AAA had not pre-approved?

When a case is submitted based on a compliant but not previously approved pre-dispute arbitration clause, the AAA’s consumer department will conduct an immediate review, approve the clause, and contact the business to arrange for administration of the case. However, if a clause is not pre-approved, the business runs the risk that the clause will not be approvable as written, causing the AAA to reject the filing.

Some companies are concerned that the pre-review will take substantial time and effort, and potentially require major changes to clauses that have already been approved by top management. Can you respond to those concerns?

The AAA is able to approve a compliant clause in a matter of days. If a clause is not compliant, the AAA will notify the drafter of the specific reasons why, allowing the drafter to promptly correct those concerns. This can also be done in a matter of days. Top management’s concerns may be assuaged by the realization that a compliant clause contributes to both fairness and enforceability.

How can companies get in touch with the AAA to discuss potential administration of an arbitration program?

Neil Currie, the AAA Vice President who oversees the consumer area, is the best individual to contact for information, answers to questions and ultimate approval of an arbitration program involving consumers. His email is Currien@adr.org and his phone number is 213-362-1900.

On March 28, 2013, the Court of Appeals, New York’s highest court, issued a decision in Overstock.com, Inc. & Amazon.com, LLC, et al., holding that New York’s “click-through nexus” statute does not violate the Commerce Clause or the Due Process Clause of the U.S. Constitution. As a result, an Internet vendor may be presumed to have nexus in New York, and be required to collect sales tax from New York customers, when a link to the vendor’s website appears on websites of New York residents who are compensated via a commission arrangement.

The New York law was amended in 2008 to provide a presumption that the definition of a “vendor,” required to collect New York State sales tax on sales to New York customers, includes an entity that enters into an agreement with a New York resident under which the resident refers potential customers, including via a link on a website, “for a commission or other consideration.” Amazon and Overstock challenged the facial constitutionality of that presumption.

The Court of Appeals found that it was rational for the state legislature to presume that New York residents who were compensated on a commission basis would seek to increase their business by soliciting New York customers, and that the ability to rebut the presumption through an annual certification “sensibly” placed the burden on the retailers to demonstrate the lack of solicitation activities.

One judge dissented, finding that the placing of links on a website was no more than advertising, and that the change in compensation method for such advertising—from a flat fee to a commission—does not change its essential nature.

This decision is important to all Internet vendors who have relationships with “affiliates” and other business partners, not only in New York but in other states that have enacted similar statutes. We note, however, that a lower court in Illinois has found a similar Illinois statute unconstitutional, and an appeal of that decision is pending before the Illinois Supreme Court. The U.S. Supreme Court may yet have to weigh in on this issue.

Digital music has come a long way since the era of widespread unauthorized sharing, with digital music sales estimated to be approaching $6 billion worldwide. As this market grows, a natural question is whether there can be a legitimate digital analog to the traditional “used music” market. One company, ReDigi, sought to create such a market and suggested that it would create “billions of dollars in wealth” by imparting resale value to lawfully obtained digital materials. In Capitol Records v. ReDigi, however, the Southern District of New York confronted the resulting “fundamental clash over culture, policy, and copyright law” and ruled that ReDigi’s service results in unlawful copying.

ReDigi’s web-based service enables users to sell legally acquired digital music to other users at a “fraction” of the music’s price on iTunes or other legal sources. ReDigi’s service also requires users to run its “Media Manager” program to ensure that their computers and attached devices do not retain their own copies of the music offered for sale, but Media Manager cannot detect copies maintained in other locations. For every transaction, ReDigi retains 60% of the purchase price, which users pay other users in the form of credits that can only be used to purchase other music on ReDigi.

As a defense to infringement of Capitol Records’ distribution rights, ReDigi relied on the “first sale” doctrine, codified at Section 109 of the Copyright Act, which expressly permits authorized buyers of copyrighted material to redistribute their particular copies (or “phonorecords”). The doctrine, however, applies only to distribution of copies that are “lawfully made,” so the threshold question was whether ReDigi’s service creates unauthorized copies of the music files in violation of Capitol’s exclusive reproduction rights. Given the context, this was a novel question, as previous cases have not addressed the issue of whether the transfer of digital files “where only one file exists before and after the transfer” constitutes reproduction under the Copyright Act.

ReDigi argued that its service “migrates” a file as if it were a train so that the same data never exists in two places at any one time, but Capitol countered that, semantics aside, uploading a file “necessarily involves copying.” The court agreed with Capitol and saw it as “beside the point that the original phonorecord no longer exists.” What mattered was that transferring files over the Internet “moves” a file on one material object (a user’s computer) by reproducing it on another (ReDigi’s server). The court concluded that “it is therefore impossible for the user to sell her ‘particular’ phonorecord on ReDigi.” Given that ReDigi sold whole copies of commercial recordings that would harm the primary market for those recordings, the court also made quick work of ReDigi’s argument that the reproductions were “fair use” under Section 107 of the Copyright Act. Because the reproductions themselves were not lawful, ReDigi could not avail itself of the first sale doctrine and, therefore, was liable for infringement.

While giving credit to ReDigi for taking steps to prevent users from retaining an extra copy of the music sold via its service, commentators generally note that the court’s decision was predictable and aligns with the intrinsic difference between non-digital and digital goods, which are extremely easy to duplicate and mass distribute. This case demonstrates that there is no “digital first sale doctrine,” which, as one commentator pointed out, means that “digital files are intrinsically worth less over their lifetimes” than are physical media like CDs and DVDs.

Other reactions to the ruling included that it will “profoundly affect the economics of any digital re-sale marketplace,” not just music, and confirmed the rights of online distributors to control whether customers can resell or transfer digital goods. This does not mean, however, that there can be no resale markets, and there has been much public speculation regarding plans by existing retailers to create digital resale models.

A March 23, 2013 decision from the U.S. District Court for the District of New Jersey serves as a cautionary tale for litigants. As a result of some arguably poor decisions by the plaintiff and likely miscommunication between the parties regarding access to the plaintiff’s Facebook account, the Court sanctioned the plaintiff for causing his account to be deleted.

In Gatto v. United Air Lines, Inc., plaintiff Frank Gatto, a ground operations supervisor at JFK International Airport, sued defendants United Air Lines and Allied Aviation Services. Gatto claimed that a United aircraft caused a set of fueler stairs operated by Allied to crash into him. Gatto claimed the accident left him permanently disabled, limiting his physical and social activities and rendering him unable to work.

Defendants sought discovery of Gatto’s social networking sites and other online services. Although the parties clearly agreed that Gatto would change his account password and provide it to defense counsel, Gatto apparently claimed that the parties had not agreed that defense counsel could directly access his Facebook account. In any event, defense counsel logged into Gatto’s account, purportedly to confirm that the password had been changed, and printed out portions of Gatto’s Facebook page. Defense counsel also sent a signed authorization to Facebook to access Gatto’s account, but Facebook objected and recommended that defense counsel have Gatto download his own account information.

After defense counsel logged into his account, Facebook notified Gatto that his account had been accessed from an unfamiliar IP address. Explaining later that his account had previously been hacked during an acrimonious divorce, Gatto deactivated his account. At some point after deactivation, the account contents were deleted and could no longer be retrieved. Claiming that the printed-out portions of Gatto’s account showed him engaged in physical and social activities inconsistent with his claimed injuries, the defendants brought a motion for spoliation sanctions. Specifically, the defendants sought an adverse inference instruction and expenses, including fees, incurred in filing the motion.

To issue sanctions, the court held that it needed to find four factors: (1) the evidence was within Gatto’s control; (2) the evidence was actually suppressed or withheld by Gatto; (3) the destroyed evidence was relevant to claims or defenses in the case; and (4) Gatto should have reasonably foreseen that the evidence would be discoverable. The court found that the first, third and fourth factors were clearly present.

With respect to the second factor, Gatto argued that he did not intentionally destroy anything. Gatto claimed he reasonably deactivated his account because of his prior experience with it being hacked. Gatto claimed that he had no idea that defense counsel had accessed his account. He also claimed that he had later tried to reactivate his account but that he had not acted quickly enough to save the data from being deleted.

The court found Gatto’s arguments unavailing, noting that the purpose of an adverse inference instruction is to “level[] the playing field” when one party has been prejudiced by the destruction, thus rendering the issue of an alleged spoliator’s culpability “largely irrelevant.” Gatto’s actions clearly prejudiced the defendants. This alone merited sanctions against Gatto. The court, however, found these sanctions sufficient and denied fees and costs.

There are two main takeaways from the Gatto case. First, as we have previously noted, commentators disagree about whether providing direct account access to an opposing party in discovery is wise. Gatto illustrates some of what can go wrong from providing such direct access. At least one commentator has called the “password exchange” a “terrible solution to Facebook discovery issues.” Nor, as we have previously reported, was a subpoena to Facebook necessarily the right approach, as Facebook objected in Gatto to providing certain information due to its concerns about violating the Stored Communications Act. Facebook recommended that Gatto download the contents of his account to obtain the information, an approach that at least one commentator has approved.

The second lesson is simple. If you are involved in litigation where social media evidence within your control may be relevant, don’t delete the data or deactivate the account, which could lead to deletion. This is not the first time a party has been sanctioned for spoliation of social media-related evidence, and it won’t be the last.

On February 27, 2013, the European Article 29 Working Party (a group comprising representatives from all of the data protection authorities of the EU Member States, referred to in this article as “WP29”) issued an Opinion on the privacy and data protection implications of the use of apps on mobile devices (“the Opinion”). The Opinion primarily targets app developers, but provides recommendations for all players in the app ecosystem, including operating system (“OS”) developers and device manufacturers, app owners, app stores, and other third parties such as analytics and advertising providers. The Opinion sets out “musts” and “recommendations” for each player and is to some extent consistent with the U.S. Federal Trade Commission’s staff report on Mobile Privacy Disclosures (February 2012).

The Opinion considers the key data protection risks of apps to be a lack of transparency and a lack of the ability to provide meaningful consent. The Opinion recognizes that the ‘real-estate’ on a mobile device is limited because of limited screen sizes, but nonetheless states that users should be appropriately and adequately informed about how their personal information is used, and—where required—that users’ consent should be obtained.

Scope and Applicable Law

The Opinion states that mobile apps are covered by both the Data Protection Directive 95/46/EC and the ePrivacy Directive 2009/136. Most data processed via apps is personal data, including unique device identifiers, user IDs, browsing history, contact data, phone calls, SMS, pictures and videos. Any player in the app ecosystem, regardless of its location, must comply with EU/EEA laws if it targets individuals resident in the EU/EEA. However, non-EU/EEA controllers are exempt where data is only processed in the device itself without generating traffic to the applicable data controller(s). Importantly, the user’s acceptance of terms of use or a contractual agreement will not exclude the applicability of EU law and the data controller’s or processor’s obligation to comply. Accordingly, app stores must “warn” app developers about EU/EEA obligations before submitting and making the app available to EU/EEA residents, and reject apps that do not comply.

Notice

The Opinion emphasizes the need to provide comprehensive, easy-to-understand, and timely notice. Notice must be provided “at the point when it matters to consumers, just prior to collection of such information by apps.” In practice, this will mean prior to installation of the app. This notice requirement not only applies to app developers but also to app stores and any OS or device manufacturers who provide pre-installed apps.

Notices should at least contain information about:

  • The entity that is legally responsible for the processing of the data, and how that entity can be contacted. Where there are multiple entities involved, apps should provide for a single point of contact.
  • The categories of personal information that will be processed through the app, in particular where such categories are not intuitively obvious.
  • The purposes for which information is processed. WP29 notes that such purposes should be described narrowly and specifically, and warns against “purpose-elasticity.”
  • Whether or not data will be shared with third parties.

The Opinion further states that “the essential scope of the processing must be available to the users before app installation via the app store. The relevant information about the data processing must also be available from within the app, after installation.” In practice, this will mean that both app developers and app stores carry the biggest burden of ensuring adequate notification, both prior to and after installation. WP29 favors a layered approach that provides essential information in an initial notice and further information via (links to) a complete privacy policy. The Opinion also suggests the development of industry-wide visual logos, icons or images.

Consent

Consent is required for any processing of data via apps. The Opinion states that the two different consent regimes overlap: Under Article 5(3) of the ePrivacy Directive, consent is required to access or store any information on a user’s device; and under the Data Protection Directive, consent is required to process personal data. In practice, a single consent can be obtained for both types of processing. Consent should be “granular” and simply clicking an “install” button would not suffice. In order for consent to be valid, it needs to be freely given, specific and informed (which places additional importance on the quality and scope of the notice). Other legal bases may be used for processing at a later stage (during use of the app) but only by app developers.

Children

The Opinion also calls for extra attention to applicable national age requirements. Many national privacy laws in EU Member States require parental consent for minors of certain ages. In addition, even when consent can be legally obtained from a minor and the app is intended to be used by a minor, developers should be particularly mindful of the minor’s potentially limited understanding of, and attention for, information about data processing. Developers and app stores should adapt their notices and data processing practices accordingly. WP29 further notes that children’s data should never, whether directly or indirectly, be used for behavioral advertising purposes, as this will fall outside the scope of a child’s understanding.

Security and Retention

App developers should pay specific attention to the security of their apps, and implement security considerations at the design stage of the app. They should also carefully consider where data will be stored (locally on the device or remotely), and not use persistent (device-specific) identifiers, but instead use app-specific or temporary device identifiers to avoid tracking users over time.

Also, app developers must consider appropriate retention periods for the personal information they collect, taking into account that users may lose their devices or switch devices. App developers are recommended to implement procedures that will treat accounts as expired after defined periods of inactivity.

Different Players

Although the Opinion references app developers in many of its requirements and recommendations, WP29 acknowledges that responsibilities are shared between different players. The Opinion states that every app should provide a single point of contact for users, “taking responsibility for all the data processing that takes place via the app.” The Opinion provides the following recommendations:

  • App stores are usually data controllers, in particular when they facilitate upfront payments for apps, support in-app purchases and require user registration. App stores should: (i) collaborate with OS and device manufacturers in developing user control tools (such as symbols representing access to data) and display them in the app store; (ii) implement checks in their admissions policy to eliminate malicious apps before making them available in the store (and provide detailed information on such submission checks to users); (iii) implement a privacy-friendly remote uninstall mechanism based on notice and consent; (iv) collaborate with app developers to proactively inform users about data security breaches; and (v) consider the use of public reputation mechanisms whereby users rate apps not only on their popularity but also on privacy and security.
  • OS and device manufacturers are usually the data controllers (or joint controllers) when they process data for their own purposes, for example for smooth running of the device, security, back-ups or remote facility location. OS and device manufacturers should: (i) develop technical mechanisms and interfaces that offer sufficient user control, in particular via built-in consent mechanisms at the first launch of the app or the first time an app attempts to access data that has a significant impact on privacy (this also applies to pre-installed apps); (ii) ensure that the app developer implements sufficiently granular control and can access only the data necessary for the functioning of the app; (iii) ensure that the user can block the access to the data and uninstall the app in a simple manner; (iv) implement mechanisms to inform users about what the app does, what data the app can access, and provide settings to change parameters of processing (OS and device manufacturers share this responsibility with app stores); (v) develop clear audit trails into the devices, such that end users can see which apps have been accessing which data on their devices; (vi) prevent covert monitoring of users and put in place a mechanism to avoid online tracking by advertisers and other third parties (in particular, default settings must be “such as to avoid any tracking”); and (vii) ensure security by strengthening authentication mechanisms, enabling strong encryption mechanisms, and providing security updates.
  • Ad providers, analytics providers and communications service providers act as data processors where they execute operations for app owners such as analytics, provided they do not process data for their own purposes or share data across app developers. In this context, such third parties have limited obligations, mostly related to data security. However, third parties are data controllers where they collect or share data across apps, provide additional services, or provide analytics figures “at a larger scale,” such as for app popularity and personalized recommendation. In such cases, third parties should: (i) obtain consent for behavioral or targeted advertising, as well as accessing or storing any information on the device; and (ii) apply security requirements, in particular secure data transmission and encrypted storage of unique device and app identifiers and other personal data. Where communications service providers issue branded devices, they must ensure that consent is obtained for any pre-installed apps. Ad providers must not deliver ads outside the context of the app, such as by delivering ads through modified browser settings or placing icons on the mobile desktop. Advertisers should further refrain from using unique device or subscriber IDs for tracking purposes.

On March 7, 2013, a federal court in Manhattan ruled, in Federal Trade Commission v. PCCare247 Inc., that service via Facebook is an acceptable alternative means of serving court documents on foreign defendants. Although this is a watershed ruling in many respects, in other ways, it is a natural extension of current authority in a factual situation where such a ruling posed little risk.

In this case, the FTC brought suit against nine parties, including five India-based defendants—two entities and three individuals. The FTC alleged that the defendants violated a provision of the FTC Act by operating a scheme, run largely out of call centers in India, that tricked American consumers into spending money to fix non-existent computer problems. At the time of the decision, the FTC had already secured a temporary restraining order enjoining the defendants’ business practices and freezing various assets.

In addition, following procedures outlined in Rule 4(f)(1) of the Federal Rules of Civil Procedure and the Hague Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters, the FTC had provided the summons, complaint and related court documents to the Indian Central Authority for service on the defendants and had also sent these documents by three alternative means: by email to the defendants’ last known addresses, by Federal Express and by personal service through an Indian process server. The process server had successfully delivered the documents to all five defendants and FedEx had confirmed delivery for most, but the Indian Central Authority had still not confirmed delivery nor responded to the FTC’s inquiries more than four months later. Nevertheless, defendants, on notice of the action, hired counsel to represent them at a preliminary injunction hearing, only to have counsel withdraw two months later due to nonpayment.

In the motion decided by this ruling, the FTC sought the court’s permission to serve documents other than the summons and complaint by alternative means on the five defendants located in India. In particular, the FTC sought to serve the defendants by email and Facebook. Analyzing Rule 4(f)(3) of the Federal Rules of Civil Procedure, concerning service of an individual in a foreign country by alternative means, the court first concluded that service by email and Facebook was not prohibited by international agreement and that India had not specifically objected to such service.

The court next turned to a due process analysis, considering whether the proposed means of service was reasonably calculated to notify defendants of future filings in the case. The court found that it was. Reasoning that the defendants used email frequently to run their Internet-based business and that the FTC had identified email addresses—some used for scheme-related tasks—for each of the individuals (who served as directors of the defendant corporations), the court concluded that it was highly likely that defendants would actually receive and respond to emails sent to these addresses. Thus, the court found that service by email alone would satisfy due process.

For the sake of “thoroughness,” according to the court, the FTC had proposed service by personal message via Facebook, attaching the relevant documents in addition to service by email. The court found that the FTC had also demonstrated a high likelihood that Facebook messages would reach the defendants, given that two of the defendants had registered their Facebook accounts with the known email addresses, two had listed their job titles at the defendant companies on their profiles, and two were Facebook friends with the third individual defendant.

Although the court recognized that Facebook service was a “relatively novel concept” and might not actually reach the defendants, it drew comfort from the fact that such service was a “backstop” to email service. In addition, the defendants were already on notice of the lawsuit. Where the defendants had embraced new technology in operating their scheme, it was only fitting that service by both email and Facebook should satisfy due process: “Where defendants run an online business, communicate with customers via email, and advertise their business on their Facebook pages, service by email and Facebook together presents a means highly likely to reach defendants.”

As reported in June 2012 by Socially Aware, the PCCare247 court is not the first court in the Southern District of New York to consider whether service by Facebook is an acceptable means of alternative service. In fact, in the June 7, 2012 decision of Fortunato v. Chase Bank USA, N.A., another judge in the Southern District of New York considered the issue and concluded that service of a third party complaint by Facebook message and email to an address listed on an individual’s Facebook profile (in addition to service on the woman’s estranged mother) would not satisfy due process.

As the PCCare247 court noted in distinguishing the earlier decision, the facts in Fortunato were much different. In Fortunato, the plaintiff had failed to show that the Facebook profile was authentic—that the account in fact belonged to or was maintained by the individual in question, who had a history of providing fictional or out-of-date addresses to state and private parties—or that the email address listed on the Facebook profile was operational or regularly used by the individual. By contrast, in PCCare247, the court had multiple indicia that the Facebook profiles actually belonged to the defendants and that the defendants regularly used both their Facebook accounts and their email addresses.

Even while concluding that Facebook service was an acceptable alternative means of service, the PCCare247 court struck a cautionary note about its ruling: “To be sure, if the FTC were proposing to serve defendants only by means of Facebook, as opposed to using Facebook as a supplemental means of service, a substantial question would arise whether that service comports with due process.” Other courts have not been so bothered by Facebook service alone. For example, in a May 10, 2011 ruling, a Minnesota state court concluded that it would be considered sufficient service for a woman who had unsuccessfully been seeking to serve divorce papers on her husband to serve them by publication on the Internet, in whatever format she believed it most likely that he would receive such notice, including by “[c]ontact via Facebook, Myspace, or other social networking site.” In addition, beginning with an Australian ruling in December 2008, courts in Australia, Canada, New Zealand and the United Kingdom have permitted service via Facebook. And a bill has recently been introduced in Texas that would permit service of process through social media sites.

The PCCare247 decision is indeed an important moment—the first time a federal court has endorsed service via Facebook as an alternative means of service. But it was also a safe decision in many ways. The service was of documents other than the summons and complaint after the foreign defendants had already appeared through counsel and proved themselves to be on notice of the case. By their online behavior, defendants had shown themselves to be highly likely to access Facebook messages. Most crucial, Facebook service was permitted only as a backstop to email service, which itself was highly likely to reach the defendants; the court took pains to note that Facebook service alone might not satisfy due process. And the permitted method of service was private Facebook message—quite similar to email service—not by a wall post or other means arguably more similar to traditional publication.

Nonetheless, the PCCare247 decision will likely serve as a springboard for more decisions endorsing service by social media because, as the court explained, “history teaches that, as technology advances and modes of communication progress, courts must be open to considering requests to authorize service via technological means of then-recent vintage, rather than dismissing them out of hand as novel.”

Please join Socially Aware editor John Delaney as he speaks at the New England Corporate Counsel Association’s “Technology Law Update: Recent Developments in Social Media & Internet Law” event in Waltham, MA on Wednesday, April 10. Issues to be addressed in the presentation include the following:

  • Recent developments and trends impacting corporate uses of social media and the Internet
  • Why your company’s social media policy may be out of compliance with U.S. law if it hasn’t been updated over the past year (and how to get it into compliance)
  • Employers vs. employees: The growing battle for ownership of social media accounts
  • The Pinterest dilemma: Does the country’s hottest social media platform turn corporate users into copyright infringers?
  • Online data harvesting: Is it legal?
  • Emerging best practices with respect to mobile apps

On April 2, 2013, the U.S. Securities and Exchange Commission (SEC) issued guidance in the form of the Report of Investigation under Section 21(a) of the Securities Exchange Act of 1934 which indicates that social media channels—such as Twitter and Facebook—could be used by public companies to disseminate material information, without running afoul of Regulation FD. Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings, Release No. 34-69729 (April 2, 2013) (the “21(a) Report”). The SEC emphasized that companies should apply the guidance from its 2008 interpretive release regarding the disclosure of material information on company websites when analyzing whether a social media channel is in fact a “recognized channel of distribution,” including the guidance that investors must be provided with appropriate notice of the specific channels that a company will use in order to disseminate material nonpublic information.

The SEC confirmed in the 21(a) Report that Regulation FD applies to social media and other emerging means of communication used by public companies in the same way that it applies to company websites as discussed in the 2008 Guidance, which clarified that websites can serve as an effective means for disseminating information if investors have been made aware that they can locate the company information on the website.

The 21(a) Report indicates that, while every situation must be evaluated on its own facts, disclosure of material nonpublic information on the personal social media site of an individual corporate officer, without advance notice to investors that the social media site may be used for this purpose, is unlikely to qualify as an acceptable method of disclosure under securities laws. In this regard, the SEC notes that it would not normally be assumed that the personal social media sites of public company employees would serve as channels through which the company discloses material nonpublic information.

In analyzing the applicability of Regulation FD to any communications, the SEC notes that while the Regulation FD adopting release highlighted concerns about “selective” disclosure of information to favored analysts or investors, “the identification of the enumerated persons within Regulation FD is inclusive, and the prohibition does not turn on an intent or motive of favoritism.” The SEC also emphasizes that nothing in Regulation FD would suggest that disclosure of material nonpublic information to a broader group that includes both enumerated and non-enumerated persons, but that still would not constitute a public disclosure, would somehow result in Regulation FD being inapplicable. Rather, the SEC states that “the rule makes clear that public disclosure of material nonpublic information must be made in a manner that conforms with Regulation FD whenever such information is disclosed to any group that includes one or more enumerated persons.” As a result, whenever a company makes a disclosure to an enumerated person, including to a broader group of recipients through a social media channel, the company must consider whether that disclosure implicates Regulation FD, including determining whether the disclosure includes material nonpublic information and whether the information was being disseminated in a manner “reasonably designed to provide broad, non-exclusionary distribution of the information to the public” in the event that the issuer did not choose to file a Form 8-K.

Drawing on the reference to “push” technologies (such as email alerts, RSS feeds and interactive communication tools, such as blogs) in the 2008 Guidance, the SEC acknowledged that social media channels are an extension of these concepts, and therefore the guidance should apply equally in the context of social media channels. Given the “direct and immediate communication” possible through social media channels, such as Facebook and Twitter, the SEC expects companies to examine whether such channels are recognized channels of distribution. In particular, the SEC emphasized the need to take steps to alert the market about which forms of communication a company intends to use for the dissemination of material nonpublic information. The SEC notes that without this sort of notice, the investing public would have to keep pace with a “changing and expanding universe of potential disclosure channels.” The ways in which such notice could be provided would include: (1) references in periodic reports and press releases on the corporate website and disclosures that the company routinely posts important information on that website and (2) disclosures on corporate websites identifying the specific social media channels a company intends to use for the dissemination of material nonpublic information (thereby giving people the opportunity to subscribe to, join, register for, or review that particular channel).

In light of the SEC’s guidance, companies should consider whether to specifically address the use of social media in Regulation FD policies, including whether prohibitions, restrictions or editorial oversight should be implemented to govern the use of social media by those persons authorized to speak for the company. This will remain an evolving area that must be continually monitored, as the methods for interacting with shareholders, analysts and others continue to evolve. As with the 2008 Guidance, companies may not be in a position to implement the 21(a) Report’s guidance in such a way that they could do away with more traditional forms of public dissemination, but the guidance may provide more comfort for companies using social media to supplement other more traditional forms of communication. Companies should carefully evaluate what social media channels may be useful for communicating information, and begin providing notice that information about the company may be found on those social media channels, while using those channels as a regular source of information. At the same time, companies should advise individual officers, directors and employees that posting information about the company on social media channels could potentially implicate Regulation FD, and therefore such persons must exercise caution when communicating through social media.

It is well settled that Internet search engines’ reproduction of limited portions of copyrighted materials in order to direct Internet users to locations of original content constitutes “fair use” under the Copyright Act. (See, for example, Perfect 10, Inc. v. Amazon.com, Inc. and Kelly v. Arriba Soft.) But where is the line between, on the one hand, a search engine’s fair use of a small amount of material to enable users to locate the original works and, on the other hand, infringing reproduction and display of excerpts that serve as substitutes for the original works? A recent opinion by the Southern District of New York in The Associated Press v. Meltwater U.S. Holdings, Inc. provides insight into that question and a cautionary tale for online service providers that utilize search engine functionality to provide “news clipping” or other aggregation services on the Internet.

Meltwater News is a news aggregator service that bears some similarity to a traditional search engine: it utilizes an automated program, or “web crawler,” to scan the Internet for news articles; extracts, or “scrapes,” content from online news articles and creates a searchable index of the content; and delivers verbatim excerpts of the articles and links in response to search queries. What distinguishes Meltwater News from traditional (and free) Internet search engines is its apparent purpose and the amount of content delivered in its search results, called “News Reports,” which Meltwater generates automatically on a recurring basis using a subscriber’s standing search queries. The News Reports include article titles; a hyperlink to the web address where Meltwater’s web crawler found the article; information about the article’s source; the opening text of the article (the “lede”), consisting of up to 300 characters; and an algorithmically chosen short excerpt (approximately 140 characters) containing one of the search terms.

The Associated Press (AP) sued Meltwater for copyright infringement based on the inclusion of AP’s content in the News Reports. Meltwater asserted fair use (among other defenses that the court disposed of easily) as an affirmative defense (i.e., a defense that Meltwater had to affirmatively prove), contending that its use of AP’s material was fair because Meltwater functions as a search engine. As the court repeatedly noted, however, Meltwater failed to present any evidence directly supporting that argument within the framework of the statutory factors that guide the fair use determination. On summary judgment, therefore, the court held that there was no material question of fact regarding fair use and ruled against Meltwater.

This case puts online news aggregators on notice that, if they wish to invoke the fair use defense, the mere fact that they provide search engine functionality does not substitute for a showing that their use of copyrighted materials meets the statutory fair use factors. More specifically, news aggregators should anticipate a few key fair use questions as set forth below and be able to answer them with evidence.

Is the Copyrighted Material Being Used for a “Transformative” Purpose? 

The “purpose and character” of the use that an alleged infringer makes of copyrighted material is one of the statutory factors for determining fair use. A “transformative” use—i.e., a use that is significantly different from the intended use of the original work—will support a finding of fair use. A traditional search engine may be said to make transformative use of copyrighted materials when it reproduces those materials for the sole purpose of allowing users to find the originals. The court rejected Meltwater’s attempt to liken its expensive subscription service to a traditional search engine, however, because Meltwater presented no evidence that its service “systematically drives its customers to third-party websites.” In particular, Meltwater admitted that its “click-through rate” (the frequency with which users click on links to access the underlying AP articles) was likely around .05%, but it chose not to rely on any evidence comparing its “seemingly small click-through rate” to the rates of other Internet search services. Moreover, Meltwater failed to establish that it did not copy more copyrighted materials than are copied by traditional search engines. In fact, Meltwater had described its News Reports as “customized news digest[s]” that “save[] you time so you don’t have to read the full article.” Thus, Meltwater failed to persuade the court that its use of AP’s material served a transformative purpose.

Are We Copying No More Than Our Purpose Requires? 

The “amount and substantiality of the copying” factor of the fair use analysis looks at how much of the original work has been copied and how important the copied portion is to the original work. If a search engine provides results that include the core expressive elements of the underlying original material, rather than displaying only enough material to direct the user to the original, this factor would weigh against fair use. Apparently this was the case with Meltwater’s search results, which included the lede sentence “meant to convey the heart of the story,” and Meltwater made no attempt to establish that it copied no more than was necessary to function as a search engine. The court therefore found this factor to weigh heavily against a finding of fair use.

Does Our Copying Usurp the Market for Original Materials?

If there is a market for licensing original content and unauthorized use deprives the copyright owner of potential licensing revenue, a finding of fair use is unlikely. The court easily applied this factor against Meltwater, which refused to pay licensing fees to AP while operating in the same commercial space as many AP licensees, including other media monitoring services. Accordingly, the court found that Meltwater “not only deprives AP of a licensing fee . . . but also cheapens the value of AP’s work by competing with companies that do pay a licensing fee to use AP content in the way that Meltwater does.” Meltwater had no effective counterargument to these facts. Instead, Meltwater relied “almost exclusively on its contentions that it is a search engine and that search engines make a transformative use of the copyrighted news stories.” As explained above, the court rejected that argument. The court observed that Meltwater used its service to “obtain an unfair commercial advantage in the marketplace,” and granted AP summary judgment rejecting Meltwater’s fair use defense.

Perhaps not surprisingly, AP praised the ruling as a rejection of the mindset that “if it is free on the Internet, it is free for the taking.” Others agreed that the ruling was a “significant victory for journalists, news content owners and legitimate content distributors more generally.”

Meanwhile, some observers find the ruling troubling in that it distinguishes Meltwater’s services from free search engines and appears to give weight to the fact that Meltwater reproduced the “heart” of AP’s articles, the factual content of which is not protected by copyright. The ruling has fueled the ongoing discussion regarding the balance of rights between news publishers and news reader applications, including specific analysis of how other news aggregators may avoid similar rulings.

Much of the court’s analysis was fact-specific, so it may not have broad application except to those engaged in substantially the same activity as Meltwater’s. As one commentator notes, Meltwater’s service is very different from “typical blogger or social media” activity. Nevertheless, this case sounds a warning to any online service provider that provides content aggregation functionality that goes beyond what is typically provided by traditional search engines. One clear lesson is that, at least in the Southern District of New York, there is no per se rule that a search engine’s provision of links to articles alongside verbatim excerpts of the articles constitutes fair use. If providers of such search or aggregation services wish to avoid summary judgment, they must be ready to show how their use of copyrightable material is transformative.