
Socially Aware Blog

The Law and Business of Social Media

Hot Off the Press: The November Issue of Our Socially Aware Newsletter Is Now Available

Posted in FTC, Internet of Things, Litigation, Privacy, Statistics, Terms of Use

The latest issue of our Socially Aware newsletter is now available here.

In this issue of Socially Aware, our Burton Award-winning guide to the law and business of social media, we discuss an important Ninth Circuit decision refusing to enforce an arbitration clause in a website “terms of use” agreement; we examine “Operation Full Disclosure,” the Federal Trade Commission’s initiative to review fine print disclosures and other disclosures in connection with advertisements; we highlight a recent case allowing unprecedented service of process via Facebook; we take a look at California’s recent data security breach law amendment, which may impose the country’s first requirement to provide free identity theft protection services to consumers in connection with certain data security breaches; we explore a new court decision addressing ownership issues in connection with Facebook “likes”; and we review the UK Financial Conduct Authority’s draft guidelines on social media.

All this—plus an infographic regarding mobile device and app use.

Read our newsletter.

New California Privacy Law Revisions Will Impact Website and Mobile App Operators With Users Under Age 18

Posted in Privacy

Last year, California made child-related revisions to its Online Privacy Protection Act that have ramifications even for websites and other online services that are not directed to children.  The revision, “Privacy Rights for California Minors in the Digital World,” imposes obligations on any website, application, or other online service that (1) is directed to minors—that is, was created to reach an audience predominantly composed of minors—or (2) has actual knowledge that a minor is using it because, for example, it collects date of birth (each, a “Covered Service”).  Cal. Bus. & Prof. Code §§ 22580-81.  Covered Services are thus not limited to services directed to minors:  even a general audience or adult-directed service is subject to the law if it collects age information and permits those who identify as minors to use the service.  The law does not require an operator to collect age from its users.

The revised law takes effect on January 1, 2015.  It will require a Covered Service to permit a registered user who is a minor to remove content that he or she has posted.  It will also prohibit a Covered Service from advertising adult products to minors and from collecting, using, or disclosing minors’ personal information for such advertising, or allowing others to do so.

The Delete Button Requirement

The law will require a Covered Service to permit a registered user who is under 18 to remove content that he or she has posted to the service.  Specifically, it will have to:

  • Permit a minor to remove, or to request and obtain removal of, content that he or she has posted to the service (“posted” means that the content is accessible to others); and
  • Provide instructions (e.g., in its privacy policy) on how a minor may remove or request removal of posted content, along with an explanation that removal does not ensure complete or comprehensive removal of the content.

Cal. Bus. & Prof. Code § 22581.  The explanation that removal does not ensure complete or comprehensive removal is necessary because the law does not require removal in certain situations, including if another provision of law requires the Covered Service to maintain the content, if it was posted or reposted by users other than the minor, or if the minor received consideration in exchange for the posting.  Cal. Bus. & Prof. Code § 22581(b)(1), (2), (5).  Moreover, the law does not require permanent deletion of removed content.  Rather, a Covered Service may comply with a removal request by:  (1) anonymizing the content so that the minor cannot be individually identified; or (2) rendering the content invisible to others, while retaining it on its servers.

Limits on Advertising

The revised law also prohibits Covered Services from advertising adult products, such as alcohol, tobacco, and firearms, to minors and from collecting, using, or disclosing minors’ personal information for such advertising, or allowing others to do so.  Cal. Bus. & Prof. Code § 22580.  This provision applies to a Covered Service that is directed to minors or that has actual knowledge that the advertising will be targeted to a minor.  If a Covered Service uses a service provider to deliver its advertising and notifies the service provider that the service is directed to minors, then the responsibility to comply with the law rests with the service provider.  Cal. Bus. & Prof. Code § 22580(h)(1)-(2).

What Does This Mean in Practice?

Each operator of a website, app, or other online service should determine whether it falls within the law’s coverage and, if so, develop a strategy to achieve compliance before the law takes effect on January 1, 2015.  When doing so, we suggest the following:

  • If you operate a general audience or adult-directed site or service and you do not have a business need for your users’ age information, do not collect age or date of birth from your registered users on a going-forward basis.  This will limit your need to comply, at least with respect to new users.
  • If you operate a Covered Service and permit users to post information or content (such as through a profile, blog, chat, message board, or similar feature), consider whether you will let registered users who are minors remove their posted content themselves or request to have it removed (or anonymized) by you.  In either case, in your privacy policy, provide notice of the minor’s right, along with instructions and an explanation that removal does not ensure complete removal.  For example:

If you are under 18 and a registered Site user, you may ask us to remove content or information that you have posted to the Site by writing to [email address].  Please note that your request does not ensure complete or comprehensive removal of the content or information, as, for example, some of your content may have been reposted by another user.

  • If you have actual knowledge that you are targeting advertising to minors, ensure that your advertising does not promote any of the adult products covered by the law.
  • If you have actual knowledge that you have collected personal information from a minor, put policies and procedures in place to ensure that such information is not collected, used, or disclosed—by you or any third party—to advertise adult products.
  • If you operate a Covered Service that is directed to minors:  (1) do not advertise adult products; (2) take steps to ensure that your users’ personal information is not collected, used, or disclosed—by you or any third party—to advertise adult products; and (3) inform your advertising service providers that your service is directed to minors.

Status Updates

Posted in Status Updates
  • Bad chords. A European musician’s attempt to stop a negative concert review from continuing to appear in Internet search results is raising questions about whether the EU’s “right to be forgotten” ruling could prevent the Internet from being a source of objective truth.  Established in May by the European Court of Justice, the right to be forgotten ruling requires search engines like Google to remove “inadequate, irrelevant or… excessive” links that appear as a result of searches of an EC member’s name. Pursuant to the ruling, European pianist Dejan Lazic asked the Washington Post to remove a tepid review of one of his Kennedy Center concerts from Google search results. Lazic’s request was denied because it was posed to the wrong party—the right to be forgotten ruling applies to Internet search engines, not publishers—but it nevertheless serves as an example of a request that could be granted under the right to be forgotten rule, and that, argues Washington Post Internet culture columnist Caitlin Dewey, is “terrifying.” Dewey writes that such a result “torpedoes the very foundation of arts criticism… essentially invalidates the primary function of journalism,” and “undermines the greatest power of the Web as a record and a clearinghouse for our vast intellectual output.”
  • A tall tale. The FBI has admitted to fabricating an Associated Press story and sending its link to the MySpace page of a high-school-bombing-threat suspect in 2007 to lure him into downloading malware that revealed his location and Internet Protocol address. Agents arrested the suspect, a 15-year-old Seattle-area boy, within days of learning his whereabouts as the result of the malware, which downloaded automatically when the suspect clicked the link to a fabricated story bearing the headline “Technology savvy student holds Timberline High School hostage.” Civil libertarians are concerned about the FBI’s impersonation of news organizations to send malware to suspects, and an AP spokesman said the organization finds it “unacceptable that the FBI misappropriated the name of The Associated Press and published a false story attributed to AP.”
  • Suspicious expulsions. An Alabama school district recently expelled more than a dozen students after a review of their social media accounts revealed signs of gang involvement or gun possession. The investigation into the students’ social media accounts was conducted by a former FBI agent whom the school district had hired for $157,000 as a security consultant. Since 12 of the 14 expelled students were African-American, a county commissioner accused the investigation of “effectively targeting or profiling black children in terms of behavior and behavioral issues.”

What’s in a Like?

Posted in Employment Law, Litigation, Privacy

In the pre-Facebook era, the word “like” was primarily a verb (and an interjection sprinkled throughout valley girls’ conversations). Although you could have likes and dislikes in the sense of preferences, you could not give someone a like, claim to own a like or assert legal rights in likes. Today, however, you can do all of these things and more with Facebook likes and similar constructs on other social media platforms, such as followers, fans and connections. This article explores the emerging legal status of likes and similar social media constructs as the issue has arisen in a number of recent cases.

Likes as Protected Speech

One of the early cases to delve into the legal status of likes was Bland v. Roberts, which addressed the issue of whether a Facebook like constitutes protected speech for purposes of the First Amendment. In Bland, five former employees of the Hampton Sheriff’s Office brought a lawsuit against Sheriff Roberts, alleging that he violated their First Amendment rights to freedom of speech and freedom of association when he fired them, allegedly for having supported an opposing candidate in the local election. In particular, two of the plaintiffs had “liked” the opposing candidate’s Facebook page.

Although (as we discussed previously) the district court held that merely liking a Facebook page was insufficient speech to merit constitutional protection, on appeal the Fourth Circuit reversed and held that liking a Facebook page does constitute protected speech. The Fourth Circuit looked at what it means to like a Facebook page and concluded: “On the most basic level, clicking on the ‘like’ button literally causes to be published the statement that the User ‘likes’ something, which is itself a substantive statement.” The Fourth Circuit also found that liking a Facebook page is symbolic expression because “[t]he distribution of the universally understood ‘thumbs up’ symbol in association with [the] campaign page, like the actual text that liking the page produced, conveyed that [the plaintiff] supported [the opposing candidate’s] candidacy.” The Court analogized liking the opposing candidate’s Facebook page as the “Internet equivalent of displaying a political sign in one’s front yard, which the Supreme Court has held is substantive speech.”

Likes as Property

Perhaps most interestingly from a business perspective, various cases have explored the question of ownership of a like (and similar concepts, such as a Twitter follower or LinkedIn connection).  In Mattocks v. Black Entertainment Television LLC, the plaintiff Mattocks created an unofficial Facebook fan page focused on the television series The Game, which at the time was broadcast on the CW Network (BET later acquired the rights to The Game from the CW Network). BET eventually hired Mattocks to perform part-time work for BET, including paying her to manage the unofficial fan page. During the course of that relationship, BET provided Mattocks with BET logos and exclusive content to display on the fan page, and both Mattocks and BET employees posted material on the fan page. While Mattocks worked for BET, the fan page’s likes grew from around two million to over six million.

Mattocks and BET began discussions about Mattocks’ potential full-time employment at BET but, at some point during these discussions, Mattocks demoted BET’s administrative access to the fan page. After losing full access to the fan page, BET asked Facebook to “migrate” fans of the page to another official Facebook fan page created by BET.  Facebook granted BET’s request and migrated the likes to the other BET-sponsored page.  Facebook also shut down Mattocks’ fan page. Mattocks then sued BET in the Southern District of Florida, alleging, among other things, that BET converted a business interest she had in the fan page by migrating the likes. Mattocks argued that the page’s “significant number of likes” provided her with business opportunities based on companies paying to have visitors redirected to their sites from the page.  BET moved for summary judgment.

The district court granted BET’s motion for summary judgment on Mattocks’ conversion claim, holding that Mattocks failed to establish that she owned a property interest in the likes. The court explained that “liking” a Facebook page simply means that the user is expressing his or her enjoyment or approval of the content, and that the user is always free to revoke the like by clicking an unlike button. Citing Bland (discussed above), the court stated that “if anyone can be deemed to own the ‘likes’ on a [Facebook page], it is the individual users responsible for them.”  Given the tenuous relationship between the creator of the Facebook page and the likes of that page, the court held that likes cannot be converted in the same manner as goodwill or other intangible business interests.

In PhoneDog v. Kravitz, the district court for the Northern District of California denied defendant Kravitz’s motion to dismiss plaintiff PhoneDog’s claims for, among other things, conversion of the Twitter account “@PhoneDog_Noah.” PhoneDog, a mobile news and reviews website, employed Kravitz as a product reviewer and video blogger. Kravitz maintained the Twitter account “@PhoneDog_Noah,” which he used to post product reviews, eventually accumulating 17,000 Twitter followers. At the end of Kravitz’s employment, PhoneDog requested that Kravitz relinquish use of the Twitter account. Kravitz refused, changed the Twitter handle to “@noahkravitz” and continued to use the account.

PhoneDog claimed an “intangible property interest” in the Twitter account’s followers, which PhoneDog compared to a business customer list. Kravitz disputed PhoneDog’s ownership interest in either the Twitter account or its followers, based on Twitter’s terms of service, which state that Twitter accounts belong to Twitter and not to Twitter users such as PhoneDog. Kravitz also argued that Twitter followers are “human beings who have the discretion to subscribe and/or unsubscribe” to the account and are not PhoneDog’s property. The court held that there was insufficient evidence to determine whether or not PhoneDog had any property interest in the Twitter followers, and denied Kravitz’s motion to dismiss. PhoneDog and Kravitz subsequently settled the dispute so we will never know how the court would have ruled on this issue, but the court’s refusal to dismiss PhoneDog’s ownership claims may indicate that, at least in some circumstances, Twitter followers may constitute property.

The district court in the Eastern District of Pennsylvania looked at a similar issue involving ownership of a LinkedIn account in Eagle v. Morgan. Plaintiff  Linda Eagle established a LinkedIn account using the email address of Edcomm, the banking education company that she co-founded with Clifford Brody. As CEO of Edcomm, Brody embraced LinkedIn as a sales and marketing tool for the Edcomm business. Although Edcomm did not require employees to maintain or subsidize the maintenance of LinkedIn accounts, it did develop policies with respect to employee use of such accounts.

When Eagle (and Brody) were involuntarily terminated after Edcomm’s acquisition by another company, Edcomm employees accessed Eagle’s LinkedIn account (using the password she had disclosed to certain employees) and changed its password, effectively locking Eagle out of the account. For more than two weeks, Edcomm had full control of the account. During that time, it replaced the account information regarding name, picture, education and experience with information about Sandi Morgan, the newly appointed Interim CEO of Edcomm. As a result, during this time period, an individual conducting a search on either Google or LinkedIn for Eagle (by typing in “Linda Eagle”) would be directed to a URL for a web page showing Sandi Morgan’s name, profile and affiliation with Edcomm. LinkedIn subsequently intervened and restored Eagle’s access to the account.

Eagle filed suit against Edcomm, alleging compensatory damages of between $248,000 and $500,000. Eagle used a damages formula that attributed her total past revenue to business generated by the number of connections associated with the LinkedIn account in order to establish a dollar value per LinkedIn connection, and then used that value to calculate her damages for the period of time that she was unable to access the LinkedIn account. The court found for Eagle on a number of her claims—including claims for unauthorized use of name under a Pennsylvania statute, invasion of privacy and misappropriation of publicity—but the court ultimately held that Eagle’s damages request was not supported by sufficient evidence, citing, for example, her failure to connect her past sales to use of LinkedIn.

Although Eagle’s claim was unsuccessful, the use of LinkedIn connections to support her damages theory demonstrates the potential monetary value of these connections and the importance for companies to be clear with their employees in delineating ownership of social media accounts and associated likes, followers, fans and connections.

Likes as Concerted Activity

There have been a number of National Labor Relations Board (NLRB) decisions that examined whether an employee’s statements on social media constitute “concerted activity”—activity by two or more employees that provides mutual aid or protection regarding terms or conditions of employment—for purposes of the National Labor Relations Act (NLRA).

In Pier Sixty LLC, the administrative law judge decided that a Facebook posting made by an employee about his supervisor constituted protected concerted activity under the NLRA, despite being sprinkled with obscenities. The decision held that the posting constituted part of an ongoing sequence of events related to the employees’ dissatisfaction with the manner in which they were treated by their managers. The administrative law judge specifically mentioned that because the employee was friends on Facebook with several other employees, he could anticipate that those other employees, who were also concerned with the supervisor’s demeaning treatment, would see the posting (at the time, the employee had set his Facebook page so that it could only be viewed by his friends).

Similarly, in Richmond District Neighborhood Center, a Facebook conversation between two employees was found to be concerted activity under the NLRA because it involved the employees voicing their disagreement with the management’s running of the center. However, the administrative law judge ultimately concluded that the activity was not protected under the NLRA because it “jeopardized the program’s funding and the safety of the youth it serves” and demonstrated that the two employees were “unfit for further service.”

Although these two NLRB cases involved postings and conversations on Facebook rather than just likes, it would not be a huge leap for a future NLRB case to hold that a Facebook like constitutes concerted activity in certain circumstances, particularly in light of the Fourth Circuit’s decision in Bland discussed above.

* * * *

As the legal status of likes, followers, fans and connections continues to develop, we are likely to see more cases in which courts and litigants struggle with the question of whether and in what circumstances these social media constructs constitute valuable business assets and legitimate forms of speech and communication. At least in the legal sense, “like” has come a long way from the valley girl lexicon—like, a really long way.

Status Updates

Posted in Status Updates
  • Cuffed links. The Spanish parliament has passed what is commonly known as the “Google tax,” although it’s technically not a tax and doesn’t apply solely to Google. Rather, it’s an intellectual property law requiring online news aggregators to pay fees for describing and linking to stories published by Spanish newspapers; failure to pay can expose the aggregator to penalties up to $758,000 (€600,000). Moreover, according to The Independent, the Spanish law characterizes these fees as an “inalienable right” (derecho irrenunciable) that “overrides any concept of ‘fair use’.” Not surprisingly, the new law has sparked criticism, with Gizmodo observing that this makes Spain essentially “the first country in the world to charge for linking online.”
  • Pass the passcode. Can prosecutors force a criminal defendant to hand over the passcode to his cellphone if they think there’s incriminating evidence on the phone? A trial judge in Virginia said no in an interesting case late last month. The judge said it’s one thing to force the defendant to be fingerprinted – even if the fingerprint is what unlocks the phone, prosecutors can do that. It’s another thing entirely to compel production of the passcode, because that would require handing over a form of “knowledge” in violation of the Fifth Amendment’s privilege against self-incrimination. The case involved a man charged with attempting to strangle his girlfriend; prosecutors believed that the phone’s built-in video camera may have recorded what went on in the altercation between the couple.
  • Treasure tweets. Under its recently announced partnership with Twitter, IBM will be tapping into a truly vast source of data – the nearly 500 million tweets that run across Twitter’s network every day. Many consider this to be a treasure trove of information that can help businesses to better understand consumer sentiment and to tap into trends before they become evident. IBM plans to find patterns in the Twitter data and to sell its findings to clients. This is a pretty big deal for IBM, as it is training 10,000 workers in the art of finding trends and patterns in the data and making them useful to businesses. Although IBM and Twitter may make for an odd couple, big data analytics require big databases, and few databases are as big as the one that Twitter is making available to IBM.

Status Updates

Posted in Status Updates
  • Cover your Glass. We’ve addressed in Socially Aware the growing legal hysteria stirred up by Google Glass and other wearable technology. Just as Polaroid cameras were once banned from beach resorts and even the Washington Monument for crying out loud, expect to see all types of businesses and organizations – bars, restaurants, banks, schools, museums, casinos, circuses, strip clubs, accounting firms, you name it – rushing to enact Glass bans. But some bans may make more sense than others. Movie theater owners, for example, are understandably concerned about those wearable devices, such as Glass, that can record video. Should such devices be banned from theaters? The theater industry says yes, absolutely. Indeed, the trade groups that represent movie theaters and movie studios have both set forth a new policy: No devices of any sort in movie theaters that are capable of recording video. But how far will the ban go? For many people who wear eyeglasses to correct their vision, Glass may be their only pair of glasses. Moreover, as technology advances, wearable recording devices will become increasingly difficult to detect – in the not-too-distant future, there may be no effective way of distinguishing between wired glasses and ordinary glasses. No doubt some enterprising entrepreneur is working right now on a solution to that problem.
  • Once more into the breach. California Attorney General Kamala Harris just issued a report concluding that the online data of 18.5 million of the state’s residents was compromised in 2013 as a result of intentional data breaches, up dramatically from 2.5 million in 2012. It’s not surprising that the majority of the data that was compromised was stolen electronically by unauthorized access rather than by the physical theft of a machine that held the data. What may be surprising is that the biggest target is social security numbers; they are apparently the gold standard for hackers because a single social security number can lead to an average of $2,330 in fraud, nearly twice as much as a mere credit card. Consumers – and retailers and banks – beware.
  • Tainted love. OK, imagine this. You’re single, and you’re using an online dating site or mobile app. You strike up an online conversation with Mr. or Ms. Right, only to subsequently learn that you were interacting with a shill hired by the site owner or app developer to goose traffic and revenue numbers. You’re upset, of course, but is there any legal problem here? The FTC says that there is, and recently fined UK-based JDI Dating and its owner $616,165 for engaging in this and other allegedly deceptive practices. Jessica Rich, head of the FTC’s Consumer Protection Bureau, noted that JDI Dating – which operates sites such as cupidswand.com, flirtcrowd.com and findmelove.com – “used fake profiles to make people think they were hearing from real love interests and to trick them into upgrading to paid memberships.” In its complaint, the FTC had charged JDI Dating with violating the Federal Trade Commission Act. This was apparently the agency’s first enforcement action against a dating site or app.

Data Protection Masterclass: Cybersecurity & Data Protection Concerns – Current and Upcoming Risks

Posted in Event

Socially Aware will be sponsoring a free webinar on cybersecurity-related legal issues on December 2, 2014.  As part of the webinar, privacy and data security lawyers from Morrison & Foerster LLP – including a number of Socially Aware contributors – will discuss cybersecurity trends and challenges, addressing current and pending laws and regulations in various jurisdictions, how to work with regulators around the world, and critical action items before, during and after a security incident. For more information on Morrison & Foerster’s privacy and data security practice group, please follow them on Twitter @MoFoPrivacy.  For more information regarding the webinar, including how to register for the event, please click here.

Status Updates

Posted in Status Updates
  • Back to the future. Socially Aware readers – and editors – of, uhm, a certain age will fondly recall how, during the early days of the dotcom era, we hung out on message boards and in chat rooms discussing (some might say arguing about) politics, sports, movies, music, you name it – with people we’d never met, and never would meet, in person. Well, Facebook is now trying to recapture that vibe with a new feature called “Rooms” – free-form areas that include text and photos based on some niche interest that was kicked off by the room’s originator. Of course, it’s not 1995 anymore, and one question that has to be asked is: can “Rooms” fit into a business’s marketing strategy? It’s easy to see how: would makers of high-end kitchen equipment participate in “Rooms” on gourmet cuisine? Athletic clothes manufacturers in “Rooms” on yoga poses? Old-school feature, meet new-school branding.
  • If an ad falls below the fold, does it make an impression? Online ads are big business, of course, as advertising rapidly migrates from print to websites, apps, social media and other online outlets. But how do advertisers even know that their ads are being noticed? In the old days, it was a pretty fair assumption that newspaper ads were actually looked at by readers, but a major 2013 survey showed that more than 50 percent of ads online are not viewed. Advertisers and agencies would, understandably, like to see standards in place to ensure that they’re not paying for ads that a web surfer had no chance of seeing (for example, because the ad was “below the fold” on a site’s home page, yet the site visitor never scrolled down to where the ad could be viewed). A media VP at Unilever has noted, “It’s simple — we want to get what we pay for.” So agencies and clients, led by GroupM – the world’s largest ad-buying firm – and by Unilever, are leading the charge for standards addressing these concerns. Among the proposed standards: 100% of display ads must be visible to site visitors; 100% of the video player for video ads must be visible to site visitors, and at least 50% of the video must be played while visible; the video player’s sound cannot be turned off while the video is playing; and no use of “auto-start” functionality – rather, the site visitor must initiate playing of the video ad.
  • Laundry list. The “Internet of things,” touted for years as a big part of the digital future, seems to be approaching rather more slowly than anticipated. Whirlpool, the nation’s largest appliance maker, is marketing a “smart washer” and “smart dryer” at $1,699 each, but these cutting-edge, fully wired machines are not exactly jumping off the shelves. Many consumers are apparently in no rush to pay that kind of cash just to own a Web-enabled washing machine that will text them when their clothes are ready for the dryer. Even a Whirlpool executive acknowledges the problem, observing that “trying to understand exactly the value proposition that you provide to the consumer has been a little bit of a challenge.” After all, the machine won’t sort and fold your laundry for you, or track down that missing sock – now that’s an innovation worth paying a premium for.

Privacy in the Cloud: A Legal Framework for Moving Personal Data to the Cloud

Posted in Cloud Computing, Privacy

For many companies, the main question about cloud computing is no longer whether to move their data to the “cloud,” but how they can accomplish this transition. Cloud (or Internet-based on-demand) computing involves a shift away from reliance on a company’s own local computing resources, in favor of greater reliance on shared servers and data centers. Well-known examples of cloud computing services include Google Apps, Salesforce.com, and Amazon Web Services. In principle, a company also may maintain its own internal “private cloud” without using a third-party provider. Since many companies choose to use third-party cloud providers, however, this article will focus on that cloud computing model.

Cloud computing offerings range from the provision of IT infrastructure alone (servers, storage, and bandwidth) to the provision of complete software-enabled solutions. Cloud computing can offer significant advantages in cost, efficiency, and accessibility of data. The pooling and harnessing of processing power provides companies with flexible and cost-efficient IT systems. At the same time, however, cloud computing arrangements tend to reduce a company’s direct control over the location, transfer, and handling of its data.

The flexibility and easy flow of data that characterize the cloud can raise challenging issues related to protection of data in the cloud. A company’s legal obligations and risks will be shaped by the nature of the data to be moved to the cloud, whether the data involve personal information, trade secret information, customer data, or other competitively sensitive information. This article describes the special legal considerations that apply when moving personal information to the cloud. It also offers a framework to help companies navigate these issues to arrive at a solution that meets their own legal and business needs.

Determine the categories of personal information to be moved to the cloud

As a general principle, personal information includes any information that identifies or can be associated with a specific individual. Some types of personal information involve much greater legal and business risks than other types of personal information. For example, a database containing health information will involve greater risks than a database containing names and business contact information of prospective business leads. Also, financial regulators in many countries require specific security standards for financial information. Accordingly, a cloud computing service that may be sufficient for the business lead data may fail to provide the legally required level of protection for health, financial, or other sensitive types of information.

A company will want to develop a strategy that provides sufficient protection to the most sensitive personal information to be transmitted to the cloud. In some cases, a company may elect to maintain certain types of personal information internally, in order to take advantage of more cost-efficient cloud computing services for its less-sensitive data.

Identify applicable laws affecting your outsourcing of personal information

Cloud computing, by its nature, can implicate a variety of laws, including privacy laws, data security and breach notification laws, and laws limiting cross-border transfers of personal information.

(a) Privacy Laws

Companies operating in the United States will need to consider whether they are subject to sector-specific privacy laws or regulations, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). Such laws impose detailed privacy and data security obligations, and may require more specialized cloud-based offerings.

Europe-based companies, as well as companies working with providers in or with infrastructure in Europe, will need to account for the broad-reaching requirements under local omnibus data protection laws that protect all personal information, even basic details like business contact information. These requirements can include notifying employees, customers, or other individuals about the outsourcing and processing of their data; obligations to consult with works councils before outsourcing employee data; and registering with local data protection authorities. Similar requirements arise under data protection laws of many other countries, including countries throughout Europe, Asia, the Middle East, and the Americas.

(b) Data Security Requirements

Even if a company is not subject to these types of privacy laws, it will want to ensure safeguards for personal information covered by data security and breach notification laws. In the United States, these laws tend to focus on personal information such as social security numbers, driver’s license numbers, and credit or debit card or financial account numbers. One of the key safeguards is encryption because many (although not all) of the U.S. state breach notification laws provide an exception for encrypted data.

In contrast, many other countries require protection of all personal information, and do not necessarily provide an exception for encrypted data. Consequently, companies operating outside of the United States may have broader-reaching obligations to protect all personal information. While data protection obligations vary significantly from law to law, both U.S. and international privacy laws commonly require the following types of safeguards:

i. Conducting appropriate due diligence on providers;

ii. Restricting access, use, and disclosure of personal information;

iii. Establishing technical, organizational, and administrative safeguards;

iv. Executing legally sufficient contracts with providers; and

v. Notifying affected individuals (and potentially regulators) of a security breach compromising personal information.

The topic of data security in the cloud has received significant industry attention. Industry groups, such as the Cloud Security Alliance, have suggested voluntary guidelines for improving data security in the cloud. For example, please refer to the CSA’s Security Guidelines for Critical Areas of Focus for Cloud Computing, available at https://cloudsecurityalliance.org/download/security-guidance-for-critical-areas-of-focus-in-cloud-computing-v3/. In Europe, the Cloud Select Industry Group (CSIG), an industry group sponsored by the European Commission, recently issued the Cloud Service Level Agreement Standardization Guidelines, available at http://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines. The Guidelines recommend contractual stipulations covering (1) business continuity, disaster recovery, and data loss prevention controls; (2) authentication/authorization controls, including access provision/revocation, and access storage protection; (3) encryption controls; (4) security incident management and reporting controls and metrics; (5) logging and monitoring parameters and log retention periods; (6) auditing and security certification; (7) vulnerability management metrics; and (8) security governance metrics. Providers also may choose to be certified under standards such as ISO 27001, although such certifications may not address all applicable legal requirements.

(c) Restrictions on Cross-Border Data Transfers

A number of countries—e.g., all the European Economic Area (EEA) Member States and certain neighboring countries (including Albania, the Channel Islands, Croatia, the Faroe Islands, the Isle of Man, Macedonia, Russia, and Switzerland), as well as countries in North Africa (e.g., Morocco), the Middle East (e.g., Israel), Latin America (e.g., Argentina and Uruguay), and Asia (e.g., South Korea)—restrict the transfer or sharing of personal information beyond their borders. These restrictions can present significant challenges for multinational companies seeking to move their data to the cloud. Recognizing these challenges, some providers are starting to offer geographic-specific clouds, in which the data are maintained within a given country or jurisdiction. Some U.S. providers have also certified to the U.S.-European Union Safe Harbor program, in order to accommodate EU-based customers. However, as the Safe Harbor only permits transfers from the EU to the United States, it is not a global solution. Accordingly, a company should assess carefully whether the options offered by a provider are sufficient to meet the company’s own legal obligations in the countries where it operates.

To complicate matters, international data protection authorities, particularly in the EEA, have expressed concerns about use of the cloud model for personal information. The Working Party 29 (WP29), the assembly of EEA data protection authorities, and many other local EEA authorities have issued guidance about cloud computing, covering purpose and transfer restrictions, notification requirements, mandatory security requirements, and the content of the contract to be concluded with cloud providers. This guidance includes the WP29 Opinion 05/2012 on Cloud Computing, which is discussed further below. The draft Data Protection regulation currently discussed among the EEA Member States reflects such guidance and should be accounted for prior to engaging cloud providers.

Review contractual obligations affecting your outsourcing of personal information

If your company is seeking to outsource to a cloud provider applications that involve third-party data, such as personal information maintained on behalf of customers or business partners, it is important to consider any limitations imposed by contracts with those third parties. Such agreements might require third-party consent to the outsourcing or subcontracting of data processing activities, or may require your company to impose specific contractual obligations on the new provider or subcontractor.

Select an appropriate cloud computing solution

Cloud services tend to be offered on a take-it-or-leave-it basis, with little opportunity to negotiate additional contractual protections or customized terms of service. As a result, companies may find themselves unable to negotiate the types of privacy and data security protections that they typically include in contracts with other service providers. Companies will need to evaluate whether the contract fulfills their applicable legal and contractual obligations, as discussed above. Beyond that, companies will want to evaluate the practical level of risk to their data, and what steps they might take to reduce those risks.

(a) Public vs. Private Cloud

Broadly speaking, a private cloud maintains the data on equipment that is owned, leased, or otherwise controlled by the provider. Private cloud models can be compared with many other well-established forms of IT outsourcing and do not tend to raise the same level of concerns as a public cloud model.

A public cloud model disperses data more broadly across computers and networks of unrelated third parties, which might include business competitors or individual consumers. While offering maximum flexibility and expansion capabilities, the public cloud model raises heightened concerns about the inability to know who holds your company’s data, the lack of oversight over those parties, and the absence of standardized data security practices on the hosting equipment. Given these challenges, companies outsourcing personal information will want to understand whether the proposed service involves a private or public cloud, as well as evaluate what contractual commitments the provider is willing to make about data security.

(b) Securing Data Before Transmission to the Cloud

Companies also may be able to take measures themselves to protect personal information before it is transmitted to the cloud. Some provider agreements instruct or require customers to encrypt their data before uploading the data to the cloud, for example. If it is feasible to encrypt the data prior to transmission to the provider, this may provide substantial additional protections, as long as the encryption keys are not available to the provider.
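As an added illustration of the point above (example code, not part of the original article), a customer seals a record with AES-256-GCM under a key it alone holds before uploading, so the provider stores only ciphertext; the CloudStore type, the demo key and the sample record are constructed for this example, and ProviderCanRead is a hypothetical pre-go-live check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptForUpload seals a record with AES-256-GCM under a key that never leaves the
// customer's environment; the blob (nonce || ciphertext || tag) is all the provider gets.
func EncryptForUpload(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per object
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptFromCloud reverses EncryptForUpload; a wrong key or a modified blob fails.
func DecryptFromCloud(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// CloudStore is a constructed stand-in for the provider: it keeps whatever bytes it
// is handed and holds no key material.
type CloudStore struct{ objects map[string][]byte }
func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }
func (c *CloudStore) Put(name string, data []byte) {
	c.objects[name] = append([]byte(nil), data...)
}
func (c *CloudStore) Get(name string) []byte { return c.objects[name] }

// ProviderCanRead is the check to run before go-live: does the stored object still
// contain the sensitive field in the clear?
func ProviderCanRead(store *CloudStore, name string, sensitive []byte) bool {
	return bytes.Contains(store.Get(name), sensitive)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)                          // constructed demo key
	record := []byte(`{"name":"A. Example","ssn":"000-00-0000"}`) // constructed sample
	blob, err := EncryptForUpload(key, record)
	if err != nil {
		panic(err)
	}
	store := NewCloudStore()
	store.Put("hr/record-1", blob)   // what should reach the provider
	store.Put("hr/record-2", record) // the mistake: uploading in the clear
	fmt.Println("provider can read encrypted copy:", ProviderCanRead(store, "hr/record-1", []byte("000-00-0000")))
	fmt.Println("provider can read plaintext copy:", ProviderCanRead(store, "hr/record-2", []byte("000-00-0000")))
}
```

The protection holds only while the key stays with the customer; handing the provider the key (for search, indexing or "convenience") collapses the example back to the plaintext case.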

It is also important to account for applicable security requirements. To this effect, several countries in Europe have very specific statutory requirements for security measures, and some regulators have issued detailed security standards for cloud computing providers. Pursuant to the WP29 Opinion 05/2012, all contracts should include security measures in accordance with EU data protection laws, including requirements for cloud providers on technical and organizational security measures, access controls, disclosure of data to third parties, cooperation with the cloud client, details on cross-border transfer of data, logging, and auditing of processing. The recent guidelines from the CSIG recommend the inclusion of the following provisions in processing agreements: (1) standards or certification mechanisms the cloud service provider complies with; (2) a precise description of the purposes of processing; (3) clear provisions regarding retention and erasure of data; (4) reference to instances of disclosure of personal data to law enforcement and notification to the customer of such disclosures; (5) a full list of subcontractors involved in the processing and inclusion of a right of the customer to object to changes to the list, with special attention to requirements for processing of special or sensitive data; (6) a description of data breach policies implemented by the cloud service provider, including relevant documentation suitable to demonstrate compliance with legal requirements; (7) a clear description of the geographical location where personal data is stored or processed, for purposes of implementing appropriate cross-border transfer mechanisms; and (8) the time period necessary for a cloud service provider to respond to access, rectification, erasure, blocking, or objection requests by data subjects.

(c) Contract Issues

In the majority of cloud computing services, the client is the data controller and the cloud provider is the data processor. However, in certain scenarios (in particular Platform as a Service (PaaS) and Software as a Service (SaaS) in public computing models), the client and the cloud provider may be joint controllers. Under EU guidance, the responsibilities of joint controllers must be very clearly set out in the contract to avoid any “dilution” of legal responsibility.

The contract with the cloud services provider needs to set out clearly the roles and responsibilities of the parties. Unlike many outsourcing arrangements, cloud service contracts usually do not distinguish between personal information and other types of data. These contracts may still include at least basic data protection concepts, even if they are not expressly identified as such. At a minimum, companies will want to look for provisions preventing the provider from using the information for its own purposes, restricting the provider from sharing the information except in narrowly specified cases, and confirming appropriate data security and breach notification measures. Various European data protection authorities have underscored that access to cloud data by public authorities must comply with national data protection law and that the contract should require notification of any such requests unless prohibited under criminal law and should prohibit any non-mandatory sharing. Given the difficulty of negotiating special arrangements with cloud providers, it is important to select a cloud offering that is appropriately tailored to the nature of the data and the related legal obligations. It is likely that as cloud computing matures, more offerings tailored to specific business requirements, including compliance with privacy and similar laws, will be made available to companies.

Concluding thoughts

While cloud computing can substantially improve the efficiency of IT solutions, particularly for small and medium-sized businesses, the specific offerings need to be examined closely. There is no “one-size-fits-all” solution to cloud computing, especially for companies operating in highly regulated sectors or internationally. By understanding their legal compliance obligations, companies can make informed decisions in selecting cloud computing services or suites of services that best meet their needs.

Drones: Why You Should Start Thinking Now About the Anticipated UAS Regulations

Posted in Internet of Things

Editor’s Note:  At first glance, drones may seem unrelated to the social media and Internet-related issues that we track on Socially Aware. Upon closer examination, however, many social media and Internet companies are exploring the commercial use of drones; for example, Amazon has publicly announced its intentions to incorporate drones into its package delivery system, and both Facebook and Google have expressed their desire to use drones to facilitate Internet connectivity. With that in mind, we present the following post regarding the upcoming Notice of Proposed Rulemaking related to commercial drone use in the United States.

Introduction

With drone technology rapidly advancing and the FAA recently starting to open the door to commercial drone use, companies across industries should begin evaluating how drones can add value to their businesses, if they have not already done so.

Drones can benefit a wide range of industries and activities, including (to name only a few): industrial-scale agriculture; energy generation, transmission, production, and pipeline facilities; other conveyances and linear projects (such as water and flood control); transportation infrastructure, including railways, roads, ports, and waterways, and the rolling stock, vehicles, and vessels that use them; private and public emergency response (e.g., fire, flooding); insurance and accident inspection; and resource assessment, monitoring, and compliance. But without input from leaders in these industries, their use of drones may not be realized in the foreseeable future. Industry leaders need to demand that the FAA’s much-anticipated Notice of Proposed Rulemaking (NPRM) for small UAS—now expected to be issued in the first half of December—be reasonable and practical for the wide range of industries and activities, and foster drone use and innovation while responsibly ensuring public safety.

Background of the Notice of Proposed Rulemaking for Small UAS

FAA rulemaking for drones was mandated by Congress as part of the FAA Modernization and Reform Act of 2012. The law requires the FAA to “provide for the safe integration of civil unmanned aircraft systems into the national airspace system as soon as practicable, but not later than September 30, 2015.”

The NPRM for small UAS (meaning UAS that weigh less than 55 pounds) was expected sooner—with Congress requiring the FAA to issue a final rule by August 2014. But the agency is notably behind this schedule. According to the latest publicly available information regarding the rulemaking, the NPRM for small UAS will issue in November 2014. We believe, however, that the FAA is more likely to issue the NPRM in mid-December. Moreover, in fall 2013, the DOT declared a deadline of May 2014 for issuing the small UAS NPRM, which it extended. That could happen again. The NPRM will initiate what is expected to be a decade of rulemaking to establish the regulatory regime for drones, large and small.

What Will the Proposed Regulations Say?

More important than the timing of the NPRM, however, is its expected content. This rulemaking is going to be comprehensive, designed to adopt specific rules for the operation of small UAS in the national airspace. The proposed regulations are likely to address classification of small UAS, certification and training of pilots and visual observers, registration, approval of operations, and operational limitations. Additionally, there will likely be provisions requiring the FAA to collect safety data from the user community.

Operational limitations and certification requirements that the FAA may require can be gleaned from the exemption requests that the FAA granted for the commercial use of small UAS in film production late last month. These exemptions—while allowing limited commercial use—remain highly restrictive. They permit the use of specific drone models that must fly at speeds below 50 knots and be equipped with advanced GPS systems. The flights must be conducted below 400 feet and within the visual line of sight of the pilot in command, who must possess at least a private pilot’s certificate. Flight plans of activities are required to be submitted to the local Flight Standards District Offices three days in advance of the operations, and the operators must obtain specific waivers from the relevant air traffic organizations.

If the FAA attempts to impose these types of restrictions on small UAS operations across the board, the utility of drone operations for many industries may be severely limited, if not extinguished. For example, using drones to inspect pipelines and power lines over long distances would prove impossible if the FAA imposes a visual line of sight requirement. Similarly, requiring a private pilot’s certificate for all operations may hinder the ability of farmers to use drones for precision agriculture, or realtors to use drones to obtain aerial footage of properties. Simply put, a one-size-fits-all approach will not work for the small UAS regulations. Given the FAA’s historical concerns and agency culture, there is reason for concern.

What Can Be Done Now?

Companies and trade associations interested in obtaining the benefits of small UAS should start formulating plans now to help shape the NPRM and the regulations that will come out of it. They need not wait for the NPRM to issue.

The FAA can be petitioned in advance of the NPRM with broad requests to include or exclude certain provisions. Moreover, comments can be submitted on pending Section 333 exemption requests. These comments can be narrow and limited to why the specific exemption request should or should not be granted; or they can be broad, sweeping commentary on the current status of the FAA’s position on small UAS operations. Several well-known associations have already begun commenting on the exemption requests, including the Aerospace Industries Association, the National Agricultural Aviation Association, the Association for Unmanned Vehicle Systems International, and the Air Line Pilots Association International.

Industry leaders should also plan to comment on the NPRM once it is issued. This will require careful consideration of the current operating environment, as well as a keen eye toward potential future uses for UAS. Industry should seek to ensure that small UAS operations are not unduly restricted, while taking into account the risks associated with, and potential unintended consequences of, expanding UAS operations.