Socially Aware Blog

The Law and Business of Social Media

Employer Surveillance of Internet and Email Use in the Workplace in Germany

Posted in Data Security, Employment Law, Privacy

Is an employer allowed to access an employee’s email account when the employee is on sick leave? To what extent is control permissible when an employee is suspected of illegal activities, e.g., of leaking trade secrets? In Germany, these questions are at the crossroads of data privacy and telecommunications law with their respective administrative and even criminal sanctions. The proper rules and best practice examples have been recapped in a guideline (the “Guideline”) issued in January 2016 by the Conference of Data Protection Authorities of the Federation and of the States in Germany (“DPA Conference”).

Private use excluded, employers may dispense with employee consent

To the extent that private email and Internet use is banned or restricted by the employer, only data privacy law applies.  Thus, concerns relating to the Telecommunications Act, employment law, or the Telemedia Act are not applicable if all private use is prohibited. Internet protocol data may be accessed without prior consent, e.g., in order to verify compliance with the restrictions on private use or to protect the network. However, access even to IP addresses should take into account the proportionality principle. According to the Guideline, the employer should, as a first step, evaluate Internet protocol data on an anonymous basis, followed by individual spot tests where necessary.

With regard to emails, the employer is not required to obtain the employee’s consent and may review the content of professional emails relevant to a specific business transaction or as pre‑defined by other specific categories. A constant review of all professional emails is not permissible. Consequently, for employees on leave, out of office messages are the method of choice to inform recipients that the individual may not respond (rather than having someone else check the emails). Alternatively, it is permissible to completely reroute emails if the demands of the workplace require such a solution. Full surveillance of an employee’s online activity is generally prohibited, unless there is a reasonable basis for believing that the employee’s use of the IT services violates the law and the proposed measures are proportional.

Private use of workplace IT triggers telecommunication secrecy consent requirement

Employers should carefully consider whether they wish to permit private use of their workplace IT systems or whether such use should be limited or banned altogether. To the extent that private use is permitted, the DPAs view employers as telecommunication service providers who are bound by the stringent rules of telecommunication secrecy. The chance that the employee’s inbox contains private emails (when private use is allowed) will prevent the employer from accessing the professional account altogether, unless such access is permitted by the employee on a case-by-case basis. Accordingly, to the extent that employees are entitled to use the Internet for private purposes, the employer is prohibited from reviewing the employee’s Internet usage (i.e., who accessed which website at what time and for how long). In contrast, where private use by employees is prohibited, the employer may review such Internet usage without prior consent of the employee.

While a number of lower courts disagree with the DPAs’ view, the question has not yet been decided by a German Federal Court, and employers should follow the DPAs’ interpretation. In practice, sanctions are limited to fines; however, in theory, improper access to private email or to an employee’s private use of the Internet could result in criminal liability.

Permission for private use may be construed where employers fail to sanction private use

The DPA Conference points out that failure to lay down the rules of use will often amount to permission for private use. The same is true for a ban of private use that is not effectively monitored and sanctioned. If an employer tolerates private use for a significant period of time, this conduct may give rise to an (unwritten) company practice, binding the employer for the future. As a consequence, the DPA Conference prompts employers to lay out the rules of workplace use of the IT services in writing, either in the employment contract, a corporate guideline, or, where a works council is established, in a works agreement. The employer may subject permission to specific conditions, e.g., limitations in time, rules of conduct, and general rules limiting the employer’s access to employee emails or Internet data.

Consent is valid only where it is genuinely free

The Guideline does not elaborate on the conditions of consent by the employee. On the European level, the Working Party 29 (WP 29) recognizes consent in the employment context to the extent that it is genuinely free (see Opinion 15/2011 on the definition of consent, dated July 13, 2011, p. 13). Notably, the WP 29 considers consent invalid where it is a condition of employment, such as consent required in the employment contract. Where it is provided in an ongoing employment relationship, consent is valid unless “it is not possible for the worker to refuse.” This conforms to a decision by the Federal Labor Court of December 11, 2014 (docket no. 8 AZR 1010/13, juris). In this decision, the Court held that employee consent provided in an ongoing employment relationship is valid unless concrete evidence indicates pressure or coercion or otherwise a lack of choice.

New Guideline dispenses with requirement of consent by third‑party communication partners

For access to an employee’s email account, the DPAs have, in the past, also required the third party’s consent, i.e., the consent of the sender of an email to the employee. Interestingly, the DPA Conference has now confirmed in its Guideline that employers may dispense with consent of the third‑party sender or recipient, which is naturally hard to obtain in practice. When access to emails is required by the course of business, the DPA Conference states that the employer can rely solely on the employee’s consent.

Clickwrap, Browsewrap and Mixed Media Contracts: A Few Words Can Go a Long Way

Posted in E-Commerce, Terms of Use

Courts have generally categorized online agreements into two types: “clickwrap” agreements and “browsewrap” agreements.

Clickwrap agreements—which require a user to check a box or click an icon to signify agreement with the terms—are usually enforceable under U.S. law, even where the terms appear in a separate hyperlinked webpage but where language accompanying the box or icon indicates that checking the box or clicking the icon indicates assent to such terms.

On the other hand, browsewrap agreements—where the terms are passively presented to users in a hyperlink somewhere on a webpage, often at the very bottom of the page in small font—are often unenforceable because it often cannot be proved the user knew the terms existed or even was aware of the hyperlink.

A New Jersey court recently faced a type of online agreement that did not fit nicely into either category. Where a contract, sent electronically but signed in hard copy, contains a hyperlink to a separate terms and conditions page, are those separate terms incorporated into the agreement? In Holdbrook Pediatric Dental, LLC, v. Pro Computer Service, LLC, the New Jersey court said no. A requirement to arbitrate disputes buried in the online terms and conditions page was not incorporated into a contract where the contract merely stated “Download Terms and Conditions” near the signature line.

Again, the signed contract did not itself contain an arbitration clause. Rather, on the last page of the contract, directly above the signature line, the following appeared in small text: “<a href=“http://www.helpmepcs.com/site_media/terms.conditions.pdf”>Download Terms and Conditions </a>”, which, if viewed in HTML, would instead appear as “Download Terms and Conditions”. The signed contract looked like this:

[Image: the signed contract]

Holdbrook’s office manager, Nancy McStay, received the contract in electronic form where the hyperlink was clickable, but then printed and signed a hard copy. PCS argued that because McStay signed the contract, one could assume that she read and agreed to the entire agreement, including the hyperlinked terms and conditions. Holdbrook disagreed. They argued that the contract did not incorporate the terms and conditions for several reasons.

First, the online terms and conditions contained a separate signature block, suggesting that it required additional acceptance, and Holdbrook never signed onto those terms.

Second, Holdbrook claimed that McStay had no idea that additional terms were being incorporated, given the garbled coding of the hyperlink in the printed copy and the fact that the contract contained no clause specifically pointing to the separate terms and conditions.

Applying New Jersey contract law, the court held that “a separate document may be incorporated through a hyperlink, but the traditional standard nonetheless applies: the party to be bound must have had reasonable notice of and manifested assent to the additional terms.”

After describing clickwrap and browsewrap agreements, the New Jersey court examined two key cases in this area, Fteja v. Facebook, Inc. (which we’ve discussed previously) and Swift v. Zynga Game Network, Inc. In Fteja, a New York court found that a user had sufficient notice of Facebook’s terms of service even though the terms were only visible to the user during sign-up via hyperlink (like a browsewrap). A notice above the “Sign Up” button stated that “By clicking Sign Up, you are indicating that you have read and agree to the Terms of Service” (like a clickwrap).

Similarly, in Swift, a California court found that a hyperlink to the terms of services that appeared right below an “Accept” button—along with a statement that clicking “Accept” meant the user accepted the terms—was sufficient to prove the user agreed to those terms.

The New Jersey court explained that the fact that this case involved “mixed media” did not matter. The contract was “much like the ‘clickwrap’ agreements in Fjeta [sic] and Swift, where the ‘Terms and Conditions’ were contained in a hyperlink immediately next to a mechanism for accepting the agreement. In place of an ‘I Accept’ icon to be clicked, a Holdbrook representative was required to sign the agreement on paper.”

However, the New Jersey court found one crucial component to be missing. In Fteja, Swift and other clickwrap cases, a statement draws “the user’s attention to the hyperlink” that is “sufficient to provide reasonable notice that assent to the contract included assent to the additional terms.” The New Jersey court noted that there was no such statement in this case, nor instructions to sign the contract only if Holdbrook also consented to the additional terms. The hyperlink, standing alone, was insufficient to show that Holdbrook had “reasonable knowledge” that the terms and conditions were part of the contract.

“Further complicating matters” was the fact that the contract was sent in electronic form but could not be accepted in electronic form. It had to be printed and signed. This made it even less clear that the hyperlink contained additional terms.

The New Jersey court noted that discovery might show that Holdbrook actually reviewed the contract electronically, noticed the hyperlink and agreed to its terms. In fact, after conducting some limited discovery, PCS has filed a new motion to compel arbitration, which, as of the date of this post, is currently pending before the court.

Like the courts in Fteja, Swift and other clickwrap cases, the New Jersey court took careful note of the language that surrounded the hyperlink to the terms and conditions to determine whether Holdbrook reasonably understood those additional terms were included in the contract. It seems that, for the court, PCS’s “Download Terms and Conditions” was just a little too similar to a “browsewrap” agreement to be found enforceable without further inquiry into whether Holdbrook in fact was aware of and agreed to the terms.

PCS could have likely avoided the issue entirely by simply including the following language in the signed agreement: “By signing the agreement, you also accept the Terms and Conditions on the PCS website.”

When it comes to clickwrap versus browsewrap agreements, a few words can go a long way.

Social Media 2016: Addressing Corporate Risks

Posted in Uncategorized

In case you missed Socially Aware’s and Practising Law Institute’s recent Social Media conference in San Francisco, we will be hosting the conference in New York City this Wednesday, February 24th.  The NYC conference will be chaired by Socially Aware co-editor John Delaney, and will feature presenters from AmEx, Citi, Dell, Etsy and Pepsi as well as representatives from the Federal Trade Commission, the Securities and Exchange Commission and the New York Attorney General’s Office.  The event will conclude with a network session.

Don’t miss what has become one of the leading conferences addressing cutting-edge social media-related legal issues! For more information or to register, please visit PLI’s website here.

Undead as a Service: Tips to Help Ensure Your IT Agreements Can Withstand a Zombie Apocalypse

Posted in Terms of Use

Do the undead read the small print? In our experience, zombies are typically more concerned with fresh brains than with forum selection, but Amazon Web Services (AWS) has helpfully updated its AWS Service Terms for anyone who values contractual certainty over actual zombie slaying.

The AWS Service Terms run to a lengthy 58 sections of legalese sufficient to put even the most energetic zombie into a deathlike slumber.  But a close reading of Section 57 reveals a provision that may provide a reanimating jolt to the careful reader. That section relates to the Amazon Lumberyard Engine, which is a game engine offered by AWS, and its associated assets and tools—collectively referred to as the “Lumberyard Materials.”

Section 57.10 deals specifically with acceptable use of the Lumberyard Materials but also includes a surprising exception:

“57.10 Acceptable Use; Safety-Critical Systems. Your use of the Lumberyard Materials must comply with the AWS Acceptable Use Policy. The Lumberyard Materials are not intended for use with life-critical or safety-critical systems, such as use in operation of medical equipment, automated transportation systems, autonomous vehicles, aircraft or air traffic control, nuclear facilities, manned spacecraft, or military use in connection with live combat. However, this restriction will not apply in the event of the occurrence (certified by the United States Centers for Disease Control or successor body) of a widespread viral infection transmitted via bites or contact with bodily fluids that causes human corpses to reanimate and seek to consume living human flesh, blood, brain or nerve tissue and is likely to result in the fall of organized civilization.”

Thus, while use of the Lumberyard Materials in the operation of medical equipment, manned spacecraft, nuclear facilities or any of the other applications described above is generally prohibited, the public-spirited folks at AWS, presumably recognizing that some exception must be made for customers facing exigent circumstances, are happy to allow such use in the event of a zombie apocalypse.

Users should note, however, that even in a zombie apocalypse, there are caveats. Not only must the outbreak be certified by the United States Centers for Disease Control—and we hope that USCDC is aware that it has been set up as the arbiter of severity of undead uprisings—but the apocalypse must also be “likely to result in the fall of organized civilization.” Of course, this is difficult to assess without knowing how well equipped the world is to address a zombie invasion, so the applicable escalation and dispute resolution provisions will need to be robust enough to handle such an issue.

Here at Socially Aware, we welcome AWS’ contribution to the still-too-short list of Things To Do In The Event of a Zombie Apocalypse. But we’re concerned that AWS has not gone far enough.  Therefore, we have compiled this short list of suggestions to help ensure that your IT contracts are ready for the zombie apocalypse:

  • Check whether your force majeure clause covers a zombie apocalypse and, in particular, whether the licensor or service provider is required to use reasonable efforts to continue to perform despite the fall of organized civilization.
  • Consider whether your service agreements provide for different levels of charging or service credits for the undead portions of your user base.
  • Make sure to update business continuity plans to account for the zombie apocalypse—it’s never too soon to work out how quickly a hot standby site can be re-animated if the personnel at your primary site have their brains devoured by a rampaging horde of undead.
  • Do your agreements provide that zombie-related damages are subject to the limit of liability clause, or did you negotiate uncapped liability? Also consider whether losses arising from the fall of organized civilization will be deemed direct or consequential damages.
  • Make sure that your service levels account for the possibility that a worldwide viral infection will cause corpses to rise from their graves with an unslakable hunger for human brains. For example, if an instance of downtime results from a zombie attack on the service provider’s data center, does that count against the SLA?
  • Finally, it’s also important to update your screening requirements to make sure that zombies are not assigned to your account and to consider what happens if key personnel become zombified.

Consumer Privacy Survey Results

Posted in Data Security, E-Commerce, Privacy, Statistics

As Socially Aware readers know, privacy presents real business risks that have the potential to negatively impact a company’s bottom line, from the legal fees associated with a data breach to revenue declines stemming from a loss of consumer trust.

Late last year, Socially Aware contributor Andrew Serwin conducted an online survey of more than 900 consumers from across the United States to gauge attitudes and concerns about various privacy issues.

Andrew’s summary of the survey results can be found here. The summary makes for interesting reading. Some of the findings include:

  • Privacy concerns influence consumer purchasing decisions. In fact, in the last 12 months, nearly one in three U.S. consumers (35%) made a decision about what company to purchase products or services from based on privacy concerns.
  • High-earning, well-educated consumers are more likely than other consumers to stop buying from a business because of a data breach.
  • Identity theft is the single biggest privacy concern among consumers.

Enjoy!

The Internet of Things: Interoperability, Industry Standards & Related IP Licensing Approaches

Posted in Internet of Things, IP

The financial impact of the Internet of Things on the global economy will be significantly affected by interoperability. A 2015 McKinsey Global Institute report indicated that, “[on] average, interoperability is necessary to create 40 percent of the potential value that can be generated by the IoT in various settings […] Interoperability is required to unlock more than $4 trillion per year in potential economic impact for IoT use in 2025, out of a total impact of $11.1 trillion across the nine settings that McKinsey analyzed.”

However, at present, there is a lack of consensus between standards organizations and industry stakeholders as to even the most basic technical standards and protocols that apply to how devices communicate. Characterized as a “standards war” between technology groups, companies have competing incentives. While all vendors share an interest in aligned standards that promote IoT development and interoperability, individually some companies seek the perceived competitive and economic advantages of building proprietary systems based on proprietary standards and protocols (or so-called “walled-gardens”).

The lack of a uniform standard that applies across devices and networks means that we lack any universally adopted set of semantics. As a result, without clear definition, opportunities for misunderstandings abound. We start then with the definition of two key concepts: the definition of the Internet of Things or “IoT,” and the definition of interoperability as applied to the Internet of Things.

Internet of Things

The term “Internet of Things” is arguably a misnomer in today’s rapidly changing technical environment. The term has two components, both of which are somewhat misleading: “Internet” and “things.”

The reference to the Internet is misleading because the Internet is not the only networking protocol over which devices communicate. While the Internet is a powerful enabler of the broad adoption of connected devices, the networks and communications protocols that support our connected world are far more diverse and continue to proliferate.

The term “things,” while not limiting in and of itself, is vague at best. In this article, when we refer to “things,” we intend to encompass all of the types of objects that have the ability to connect and communicate, whether those objects be sensors, computers or everyday things. The ability to connect with other objects and communicate data makes the object “smart.”

Now Available: The January Issue of Our Socially Aware Newsletter

Posted in Advertising, Cyberbullying, Data Security, Endorsement Guides, FTC, Marketing, Online Endorsements, Privacy, Terms of Use

The latest issue of our Socially Aware newsletter is now available here.

In this issue of Socially Aware, our Burton Award-winning guide to the law and business of social media, we offer practical tips to help ensure the enforceability of website terms of use; we discuss the FTC’s ongoing efforts to enforce disclosure obligations in social media advertising; we examine efforts by top social media platforms to control cyber-harassment and explicit material; we take a look at four recently passed laws protecting Californians’ privacy rights; and we explore legal issues that UK brands need to consider when engaging in vlogger endorsements and social media marketing.

All this—plus an infographic listing 2015’s most popular social media trends.

Read our newsletter.

Social Media 2016: Addressing Corporate Risks

Posted in Event, Marketing, Online Promotions

As Socially Aware readers know, social media is transforming the way companies interact with consumers—indeed, some pundits have referred to social media as the greatest development for marketers since the printing press. But, of course, the new business opportunities created by social media also create new legal risks for companies. Learn how to make the most of these new business opportunities while minimizing associated legal risks at Socially Aware’s and Practising Law Institute’s upcoming Social Media conference in San Francisco on Tuesday, February 9th.  The conference will be chaired by Socially Aware editor John Delaney, and will be webcasted for our readers who are located outside of the Bay Area.

This year’s program features speakers from Facebook, Pinterest and Snapchat, as well as counsel at other prominent companies and law firms immersed in the emerging social media-related trends and best practices. Further, representatives from leading social media regulators, including the Federal Trade Commission and the California State Attorney General’s Office, will share their insights on how companies leveraging social media can stay on the right side of the law.

If you’re looking for a conference tackling today’s most challenging social media-related legal issues, this is it!  For more information or to register, please visit PLI’s website here.

Launching a Mobile App in Europe? Seven Things to Consider When Drafting the Terms & Conditions

Posted in Terms of Use

[Editor’s Note: In response to the success of our earlier post on terms and conditions for mobile apps, two of our London-based colleagues have prepared a “remixed” version, which looks at the subject of mobile app terms and conditions from a European perspective. Enjoy!]

The mobile app has become the new face of business. It’s no longer sufficient to have a company website. More and more companies want a mobile app that users can download to their smartphones and easily access. It’s not difficult to see why. People are voting with their thumbs.

In 2015, overall mobile app usage grew by 58%, with lifestyle and shopping apps growing 81%, following previous 174% growth in 2014, according to FlurryMobile. Indeed, FlurryMobile figures show that mobile commerce now accounts for 40% of online commerce worldwide. Accordingly, the advantages of an app to business, from a customer marketing, engagement, service and awareness perspective, are clear.

Even traditionally conservative sectors such as financial services are being revolutionised by the mobile app. In 2015, the British Bankers Association identified that banking by smartphone and tablet has become the main way for UK customers to manage their finances, with mobile banking overtaking branches and the internet as the most popular way to bank.

If your company will be among the many businesses that launch a mobile app in Europe in 2016, one of the key legal protections your company will need in connection with such launch is an end user licence agreement (EULA). So, where do you start? Here at MoFo, we regularly review mobile app EULAs and we’ve noticed a number of issues that app developers don’t always get right. Here is our list of the key issues you will need to consider.

  1. One size does not fit all

Your EULA will be an important part of your strategy to help mitigate risks and protect your intellectual property in connection with your app. It’s unlikely that you would release desktop software without an EULA, and mobile apps (which are, after all, software products) warrant the same protection. While platforms such as Google and Amazon each provide a “default” EULA to govern mobile apps downloaded from their respective app stores, they also permit developers to adopt their own customized EULAs instead—subject to a few caveats, as mentioned below. Because the default EULAs can be quite limited and can’t possibly address all of the issues that your particular app is likely to raise, it’s generally best to adopt your own EULA in order to protect your interests.

New Court Decision Highlights Potential Headache for Companies Hosting User-Generated Content

Posted in Copyright, Digital Content, DMCA, IP, Litigation

In this election season, we hear a lot of complaints about laws stifling business innovation. And there is no doubt that some laws have this effect.

But what about laws that spur innovation, that result in the creation of revolutionary new business models?

Section 512(c) of the Digital Millennium Copyright Act (the DMCA) is one such law. Passed by Congress and signed by President Bill Clinton in 1998, Section 512(c) has played an enormous role in the success of YouTube, Facebook and other social media platforms that host user-generated content, by shielding such platforms from monetary damages from copyright infringement claims in connection with such content.

Absent this safe harbor, it is difficult to imagine a company like YouTube thriving as a business. For example, in 2014 alone, YouTube removed over 180 million videos from its platform due to “policy violations,” the vast majority of which likely stemmed from alleged copyright infringement; yet, absent the Section 512(c) safe harbor, YouTube could have been exposed to staggering monetary damages in connection with those videos.

The DMCA’s protection from liability is expansive, but it is not automatic. To qualify, online service providers must affirmatively comply with a number of requirements imposed by the law. While most of those requirements may seem straightforward, a recent case in the Southern District of New York illustrates how even seemingly routine paperwork can pose problems for websites that host user-generated content.

For companies seeking protection under the DMCA, the typical starting point is designating an agent to receive “takedown” notices from copyright owners. If a company is sued for copyright infringement relating to its website, that company will want to show that it has designated a DMCA agent. But what if the designation paperwork was handled by another entity within the defendant’s organizational structure, such as a corporate parent? That was the situation faced by one of the defendants in BWP Media USA Inc., et al. v. Hollywood Fan Sites LLC, et al. (S.D.N.Y. 2015)—and the court held that the defendant was out of luck.

Although the defendant’s corporate parent had filed a registration form with the U.S. Copyright Office under the parent’s name, nothing on the form mentioned the defendant or made any general reference to affiliates. Under those circumstances, the court concluded that the defendant was ineligible for the safe harbor because it had “no presence at all” in the Copyright Office’s directory of DMCA agents. The court reasoned that those searching the Copyright Office directory should not be “expected to have independent knowledge of the corporate structure of a particular service provider.”

Despite lacking a Copyright Office registration, the defendant argued that it did actually post the agent’s information on its own website, and that one of the plaintiffs had successfully used such information to send a takedown notice resulting in removal of the allegedly infringing material. The court found those assertions “irrelevant,” because they did nothing to address the Copyright Office registration requirement. As the court noted, the DMCA requires each service provider to post the agent’s name and contact information on the provider’s website, and submit such information to the Copyright Office.

Would the defendant’s DMCA eligibility have turned out differently if the parent had included the affiliate’s name on the form, or at least made a general reference to the existence of affiliates? The court’s opinion leaves those questions unaddressed, but the preamble to the Copyright Office regulations—cited in passing by the court—appears to reject such an approach. According to the preamble, each designation “may be filed only on behalf of a single service provider[, and] related companies (e.g., parents and subsidiaries) are considered separate service providers who would file separate [designations].”

Following the Hollywood Fan Sites decision, we expect that many companies that host user-generated content will be checking to make sure that all of their legal names are indeed listed in the Copyright Office directory—and, in light of the Copyright Office’s position on this subject, many such companies may also decide to file separate designations for each legal entity within a corporate family. While this process may be cumbersome, it seems a small price to pay for the generous safe harbor benefits offered by the DMCA, especially for companies with business models that depend on user-generated content.