Socially Aware Blog

The Law and Business of Social Media

What’s in a Like?

Posted in Employment Law, Litigation, Privacy

In the pre-Facebook era, the word “like” was primarily a verb (and an interjection sprinkled throughout valley girls’ conversations). Although you could have likes and dislikes in the sense of preferences, you could not give someone a like, claim to own a like or assert legal rights in likes. Today, however, you can do all of these things and more with Facebook likes and similar constructs on other social media platforms, such as followers, fans and connections. This article explores the emerging legal status of likes and similar social media constructs as the issue has arisen in a number of recent cases.

Likes as Protected Speech

One of the early cases to delve into the legal status of likes was Bland v. Roberts, which addressed the issue of whether a Facebook like constitutes protected speech for purposes of the First Amendment. In Bland, five former employees of the Hampton Sheriff’s Office brought a lawsuit against Sheriff Roberts, alleging that he violated their First Amendment rights to freedom of speech and freedom of association when he fired them, allegedly for having supported an opposing candidate in the local election. In particular, two of the plaintiffs had “liked” the opposing candidate’s Facebook page.

Although (as we discussed previously) the district court held that merely liking a Facebook page was insufficient speech to merit constitutional protection, on appeal the Fourth Circuit reversed and held that liking a Facebook page does constitute protected speech. The Fourth Circuit looked at what it means to like a Facebook page and concluded: “On the most basic level, clicking on the ‘like’ button literally causes to be published the statement that the User ‘likes’ something, which is itself a substantive statement.” The Fourth Circuit also found that liking a Facebook page is symbolic expression because “[t]he distribution of the universally understood ‘thumbs up’ symbol in association with [the] campaign page, like the actual text that liking the page produced, conveyed that [the plaintiff] supported [the opposing candidate’s] candidacy.” The Court analogized liking the opposing candidate’s Facebook page as the “Internet equivalent of displaying a political sign in one’s front yard, which the Supreme Court has held is substantive speech.”

Likes as Property

Perhaps most interestingly from a business perspective, various cases have explored the question of ownership of a like (and similar concepts, such as a Twitter follower or LinkedIn connection).  In Mattocks v. Black Entertainment Television LLC, the plaintiff Mattocks created an unofficial Facebook fan page focused on the television series The Game, which at the time was broadcast on the CW Network (BET later acquired the rights to The Game from the CW Network). BET eventually hired Mattocks to perform part-time work for BET, including paying her to manage the unofficial fan page. During the course of that relationship, BET provided Mattocks with BET logos and exclusive content to display on the fan page, and both Mattocks and BET employees posted material on the fan page. While Mattocks worked for BET, the fan page’s likes grew from around two million to over six million.

Mattocks and BET began discussions about Mattocks’ potential full-time employment at BET but, at some point during these discussions, Mattocks demoted BET’s administrative access to the fan page. After losing full access to the fan page, BET asked Facebook to “migrate” fans of the page to another official Facebook fan page created by BET.  Facebook granted BET’s request and migrated the likes to the other BET-sponsored page.  Facebook also shut down Mattocks’ fan page. Mattocks then sued BET in the Southern District of Florida, alleging, among other things, that BET converted a business interest she had in the fan page by migrating the likes. Mattocks argued that the page’s “significant number of likes” provided her with business opportunities based on companies paying to have visitors redirected to their sites from the page.  BET moved for summary judgment.

The district court granted BET’s motion for summary judgment on Mattocks’ conversion claim, holding that Mattocks failed to establish that she owned a property interest in the likes. The court explained that “liking” a Facebook page simply means that the user is expressing his or her enjoyment or approval of the content, and that the user is always free to revoke the like by clicking an unlike button. Citing Bland (discussed above), the court stated that “if anyone can be deemed to own the ‘likes’ on a [Facebook page], it is the individual users responsible for them.”  Given the tenuous relationship between the creator of the Facebook page and the likes of that page, the court held that likes cannot be converted in the same manner as goodwill or other intangible business interests.

In PhoneDog v. Kravitz, the district court for the Northern District of California denied defendant Kravitz’s motion to dismiss plaintiff PhoneDog’s claims for, among other things, conversion of the Twitter account “@PhoneDog_Noah.” PhoneDog, a mobile news and reviews website, employed Kravitz as a product reviewer and video blogger. Kravitz maintained the Twitter account “@PhoneDog_Noah,” which he used to post product reviews, eventually accumulating 17,000 Twitter followers. At the end of Kravitz’s employment, PhoneDog requested that Kravitz relinquish use of the Twitter account. Kravitz refused, changed the Twitter handle to “@noahkravitz” and continued to use the account.

PhoneDog claimed an “intangible property interest” in the Twitter account’s followers, which PhoneDog compared to a business customer list. Kravitz disputed PhoneDog’s ownership interest in either the Twitter account or its followers, based on Twitter’s terms of service, which state that Twitter accounts belong to Twitter and not to Twitter users such as PhoneDog. Kravitz also argued that Twitter followers are “human beings who have the discretion to subscribe and/or unsubscribe” to the account and are not PhoneDog’s property. The court held that there was insufficient evidence to determine whether or not PhoneDog had any property interest in the Twitter followers, and denied Kravitz’s motion to dismiss. PhoneDog and Kravitz subsequently settled the dispute so we will never know how the court would have ruled on this issue, but the court’s refusal to dismiss PhoneDog’s ownership claims may indicate that, at least in some circumstances, Twitter followers may constitute property.

The district court in the Eastern District of Pennsylvania looked at a similar issue involving ownership of a LinkedIn account in Eagle v. Morgan. Plaintiff Linda Eagle established a LinkedIn account using the email address of Edcomm, the banking education company that she co-founded with Clifford Brody. As CEO of Edcomm, Brody embraced LinkedIn as a sales and marketing tool for the Edcomm business. Although Edcomm did not require employees to maintain or subsidize the maintenance of LinkedIn accounts, it did develop policies with respect to employee use of such accounts.

When Eagle (and Brody) were involuntarily terminated after Edcomm’s acquisition by another company, Edcomm employees accessed Eagle’s LinkedIn account (using the password she had disclosed to certain employees) and changed its password, effectively locking Eagle out of the account. For more than two weeks, Edcomm had full control of the account. During that time, it replaced the account information regarding name, picture, education and experience with information about Sandi Morgan, the newly appointed Interim CEO of Edcomm. As a result, during this time period, an individual conducting a search on either Google or LinkedIn for Eagle (by typing in “Linda Eagle”) would be directed to a URL for a web page showing Sandi Morgan’s name, profile and affiliation with Edcomm. LinkedIn subsequently intervened and restored Eagle’s access to the account.

Eagle filed suit against Edcomm, alleging compensatory damages of between $248,000 and $500,000. Eagle used a damages formula that attributed her total past revenue to business generated by the number of connections associated with the LinkedIn account in order to establish a dollar value per LinkedIn connection, and then used that value to calculate her damages for the period of time that she was unable to access the LinkedIn account. The court found for Eagle on a number of her claims—including claims for unauthorized use of name under a Pennsylvania statute, invasion of privacy and misappropriation of publicity—but the court ultimately held that Eagle’s damages request was not supported by sufficient evidence, citing, for example, her failure to connect her past sales to use of LinkedIn.

Although Eagle’s claim was unsuccessful, the use of LinkedIn connections to support her damages theory demonstrates the potential monetary value of these connections and the importance for companies to be clear with their employees in delineating ownership of social media accounts and associated likes, followers, fans and connections.

Likes as Concerted Activity

There have been a number of National Labor Relations Board (NLRB) decisions that examined whether an employee’s statements on social media constitute “concerted activity”—activity by two or more employees that provides mutual aid or protection regarding terms or conditions of employment—for purposes of the National Labor Relations Act (NLRA).

In Pier Sixty LLC, the administrative law judge decided that a Facebook posting made by an employee about his supervisor constituted protected concerted activity under the NLRA, despite being sprinkled with obscenities. The decision held that the posting constituted part of an ongoing sequence of events related to the employees’ dissatisfaction with the manner in which they were treated by their managers. The administrative law judge specifically mentioned that because the employee was friends on Facebook with several other employees, he could anticipate that those other employees, who were also concerned with the supervisor’s demeaning treatment, would see the posting (at the time, the employee had set his Facebook page so that it could only be viewed by his friends).

Similarly, in Richmond District Neighborhood Center, a Facebook conversation between two employees was found to be concerted activity under the NLRA because it involved the employees voicing their disagreement with the management’s running of the center. However, the administrative law judge ultimately concluded that the activity was not protected under the NLRA because it “jeopardized the program’s funding and the safety of the youth it serves” and demonstrated that the two employees were “unfit for further service.”

Although these two NLRB cases involved postings and conversations on Facebook rather than just likes, it would not be a huge leap for a future NLRB case to hold that a Facebook like constitutes concerted activity in certain circumstances, particularly in light of the Fourth Circuit’s decision in Bland discussed above.

* * * *

As the legal status of likes, followers, fans and connections continues to develop, we are likely to see more cases in which courts and litigants struggle with the question of whether and in what circumstances these social media constructs constitute valuable business assets and legitimate forms of speech and communication. At least in the legal sense, “like” has come a long way from the valley girl lexicon—like, a really long way.

Status Updates

Posted in Status Updates
  • Cuffed links. The Spanish parliament has passed what is commonly known as the “Google tax,” although it’s technically not a tax and doesn’t apply solely to Google. Rather, it’s an intellectual property law requiring online news aggregators to pay fees for describing and linking to stories published by Spanish newspapers; failure to pay can expose the aggregator to penalties up to $758,000 (€600,000). Moreover, according to The Independent, the Spanish law characterizes these fees as an “inalienable right” (derecho irrenunciable) that “overrides any concept of ‘fair use’.” Not surprisingly, the new law has sparked criticism, with Gizmodo observing that this makes Spain essentially “the first country in the world to charge for linking online.”
  • Pass the passcode. Can prosecutors force a criminal defendant to hand over the passcode to his cellphone if they think there’s incriminating evidence on the phone? A trial judge in Virginia said no in an interesting case late last month. The judge said it’s one thing to force the defendant to be fingerprinted – even if the fingerprint is what unlocks the phone, prosecutors can do that. It’s another thing entirely to compel production of the passcode, because that would require handing over a form of “knowledge” in violation of the Fifth Amendment’s privilege against self-incrimination. The case involved a man charged with attempting to strangle his girlfriend; prosecutors believed that the phone’s built-in video camera may have recorded what went on in the altercation between the couple.
  • Treasure tweets. Under its recently announced partnership with Twitter, IBM will be tapping into a truly vast source of data – the nearly 500 million tweets that run across Twitter’s network every day. Many consider this to be a treasure trove of information that can help businesses to better understand consumer sentiment and to tap into trends before they become evident. IBM plans to find patterns in the Twitter data and to sell its findings to clients. This is a pretty big deal for IBM, as it is training 10,000 workers in the art of finding trends and patterns in the data and making them useful to businesses. Although IBM and Twitter may make for an odd couple, big data analytics require big databases, and few databases are as big as the one that Twitter is making available to IBM.

Status Updates

Posted in Status Updates
  • Cover your Glass. We’ve addressed in Socially Aware the growing legal hysteria stirred up by Google Glass and other wearable technology. Just as Polaroid cameras were once banned from beach resorts and even the Washington Monument for crying out loud, expect to see all types of businesses and organizations – bars, restaurants, banks, schools, museums, casinos, circuses, strip clubs, accounting firms, you name it – rushing to enact Glass bans. But some bans may make more sense than others. Movie theater owners, for example, are understandably concerned about those wearable devices, such as Glass, that can record video. Should such devices be banned from theaters? The theater industry says yes, absolutely. Indeed, the trade groups that represent movie theaters and movie studios have both set forth a new policy: No devices of any sort in movie theaters that are capable of recording video. But how far will the ban go? For many people who wear eyeglasses to correct their vision, Glass may be their only pair of glasses. Moreover, as technology advances, wearable recording devices will become increasingly difficult to detect – in the not-too-distant future, there may be no effective way of distinguishing between wired glasses and ordinary glasses. No doubt some enterprising entrepreneur is working right now on a solution to that problem.
  • Once more into the breach. California Attorney General Kamala Harris just issued a report concluding that the online data of 18.5 million of the state’s residents was compromised in 2013 as a result of intentional data breaches, up dramatically from 2.5 million in 2012. It’s not surprising that the majority of the data that was compromised was stolen electronically by unauthorized access rather than by the physical theft of a machine that held the data. What may be surprising is that the biggest target is social security numbers; they are apparently the gold standard for hackers because a single social security number can lead to an average of $2,330 in fraud, nearly twice as much as a mere credit card. Consumers – and retailers and banks – beware.
  • Tainted love. OK, imagine this. You’re single, and you’re using an online dating site or mobile app. You strike up an online conversation with Mr. or Ms. Right, only to subsequently learn that you were interacting with a shill hired by the site owner or app developer to goose traffic and revenue numbers. You’re upset, of course, but is there any legal problem here? The FTC says that there is, and recently fined UK-based JDI Dating and its owner $616,165 for engaging in this and other allegedly deceptive practices. Jessica Rich, head of the FTC’s Consumer Protection Bureau, noted that JDI Dating – which operates sites such as cupidswand.com, flirtcrowd.com and findmelove.com – “used fake profiles to make people think they were hearing from real love interests and to trick them into upgrading to paid memberships.” In its complaint, the FTC had charged JDI Dating with violating the Federal Trade Commission Act. This was apparently the agency’s first enforcement action against a dating site or app.

Data Protection Masterclass: Cybersecurity & Data Protection Concerns – Current and Upcoming Risks

Posted in Event

Socially Aware will be sponsoring a free webinar on cybersecurity-related legal issues on December 2, 2014. As part of the webinar, privacy and data security lawyers from Morrison & Foerster LLP – including a number of Socially Aware contributors – will discuss cybersecurity trends and challenges, addressing current and pending laws and regulations in various jurisdictions, how to work with regulators around the world, and critical action items before, during and after a security incident. For more information on Morrison & Foerster’s privacy and data security practice group, please follow them on Twitter @MoFoPrivacy. For more information regarding the webinar, including how to register for the event, please click here.

Status Updates

Posted in Status Updates
  • Back to the future. Socially Aware readers – and editors – of, uhm, a certain age will fondly recall how, during the early days of the dotcom era, we hung out on message boards and in chat rooms discussing (some might say arguing about) politics, sports, movies, music, you name it – with people we’d never met, and never would meet, in person. Well, Facebook is now trying to recapture that vibe with a new feature called “Rooms” – free-form areas that include text and photos based on some niche interest that was kicked off by the room’s originator. Of course, it’s not 1995 anymore, and one question that has to be asked is: can “Rooms” fit into a business’s marketing strategy? It’s easy to see how: would makers of high-end kitchen equipment participate in “Rooms” on gourmet cuisine? Athletic clothes manufacturers in “Rooms” on yoga poses? Old-school feature, meet new-school branding.
  • If an ad falls below the fold, does it make an impression? Online ads are big business, of course, as advertising rapidly migrates from print to websites, apps, social media and other online outlets. But how do advertisers even know that their ads are being noticed? In the old days, it was a pretty fair assumption that newspaper ads were actually looked at by readers, but a major 2013 survey showed that more than 50 percent of ads online are not viewed. Advertisers and agencies would, understandably, like to see standards in place to ensure that they’re not paying for ads that a web surfer had no chance of seeing (for example, because the ad was “below the fold” on a site’s home page, yet the site visitor never scrolled down to where the ad could be viewed). A media VP at Unilever has noted, “It’s simple — we want to get what we pay for.” So agencies and clients, led by GroupM – the world’s largest ad-buying firm – and by Unilever, are leading the charge for standards addressing these concerns. Among the proposed standards: 100% of display ads must be visible to site visitors; 100% of the video player for video ads must be visible to site visitors, and at least 50% of the video must be played while visible; the video player’s sound cannot be turned off while the video is playing; and no use of “auto-start” functionality – rather, the site visitor must initiate playing of the video ad.
  • Laundry list. The “Internet of things,” touted for years as a big part of the digital future, seems to be approaching rather more slowly than anticipated. Whirlpool, the nation’s largest appliance maker, is marketing a “smart washer” and “smart dryer” at $1,699 each, but these cutting-edge, fully wired machines are not exactly jumping off the shelves. Many consumers are apparently in no rush to pay that kind of cash just to own a Web-enabled washing machine that will text them when their clothes are ready for the dryer. Even a Whirlpool executive acknowledges the problem, observing that “trying to understand exactly the value proposition that you provide to the consumer has been a little bit of a challenge.” After all, the machine won’t sort and fold your laundry for you, or track down that missing sock – now that’s an innovation worth paying a premium for.

Privacy in the Cloud: A Legal Framework for Moving Personal Data to the Cloud

Posted in Cloud Computing, Privacy

For many companies, the main question about cloud computing is no longer whether to move their data to the “cloud,” but how they can accomplish this transition. Cloud (or Internet-based on-demand) computing involves a shift away from reliance on a company’s own local computing resources, in favor of greater reliance on shared servers and data centers. Well-known examples of cloud computing services include Google Apps, Salesforce.com, and Amazon Web Services. In principle, a company also may maintain its own internal “private cloud” without using a third-party provider. Since many companies choose to use third-party cloud providers, however, this article will focus on that cloud computing model.

Cloud computing offerings range from the provision of IT infrastructure alone (servers, storage, and bandwidth) to the provision of complete software-enabled solutions. Cloud computing can offer significant advantages in cost, efficiency, and accessibility of data. The pooling and harnessing of processing power provides companies with flexible and cost-efficient IT systems. At the same time, however, cloud computing arrangements tend to reduce a company’s direct control over the location, transfer, and handling of its data.

The flexibility and easy flow of data that characterize the cloud can raise challenging issues related to protection of data in the cloud. A company’s legal obligations and risks will be shaped by the nature of the data to be moved to the cloud, whether the data involve personal information, trade secret information, customer data, or other competitively sensitive information. This article describes the special legal considerations that apply when moving personal information to the cloud. It also offers a framework to help companies navigate these issues to arrive at a solution that meets their own legal and business needs.

Determine the categories of personal information to be moved to the cloud

As a general principle, personal information includes any information that identifies or can be associated with a specific individual. Some types of personal information involve much greater legal and business risks than other types of personal information. For example, a database containing health information will involve greater risks than a database containing names and business contact information of prospective business leads. Also, financial regulators in many countries require specific security standards for financial information. Accordingly, a cloud computing service that may be sufficient for the business lead data may fail to provide the legally required level of protection for health, financial, or other sensitive types of information.

A company will want to develop a strategy that provides sufficient protection to the most sensitive personal information to be transmitted to the cloud. In some cases, a company may elect to maintain certain types of personal information internally, in order to take advantage of more cost-efficient cloud computing services for its less-sensitive data.

Identify applicable laws affecting your outsourcing of personal information

Cloud computing, by its nature, can implicate a variety of laws, including privacy laws, data security and breach notification laws, and laws limiting cross-border transfers of personal information.

(a) Privacy Laws

Companies operating in the United States will need to consider whether they are subject to sector-specific privacy laws or regulations, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). Such laws impose detailed privacy and data security obligations, and may require more specialized cloud-based offerings.

Europe-based companies, as well as companies working with providers in or with infrastructure in Europe, will need to account for the broad-reaching requirements under local omnibus data protection laws that protect all personal information, even basic details like business contact information. These requirements can include notifying employees, customers, or other individuals about the outsourcing and processing of their data; obligations to consult with works councils before outsourcing employee data; and registering with local data protection authorities. Similar requirements arise under data protection laws of many other countries, including countries throughout Europe, Asia, the Middle East, and the Americas.

(b) Data Security Requirements

Even if a company is not subject to these types of privacy laws, it will want to ensure safeguards for personal information covered by data security and breach notification laws. In the United States, these laws tend to focus on personal information such as social security numbers, driver’s license numbers, and credit or debit card or financial account numbers. One of the key safeguards is encryption because many (although not all) of the U.S. state breach notification laws provide an exception for encrypted data.

In contrast, many other countries require protection of all personal information, and do not necessarily provide an exception for encrypted data. Consequently, companies operating outside of the United States may have broader-reaching obligations to protect all personal information. While data protection obligations vary significantly from law to law, both U.S. and international privacy laws commonly require the following types of safeguards:

i. Conducting appropriate due diligence on providers;

ii. Restricting access, use, and disclosure of personal information;

iii. Establishing technical, organizational, and administrative safeguards;

iv. Executing legally sufficient contracts with providers; and

v. Notifying affected individuals (and potentially regulators) of a security breach compromising personal information.

The topic of data security in the cloud has received significant industry attention. Industry groups, such as the Cloud Security Alliance, have suggested voluntary guidelines for improving data security in the cloud. For example, please refer to the CSA’s Security Guidelines for Critical Areas of Focus for Cloud Computing, available at https://cloudsecurityalliance.org/download/security-guidance-for-critical-areas-of-focus-in-cloud-computing-v3/. In Europe, the Cloud Select Industry Group (CSIG), an industry group sponsored by the European Commission, recently issued the Cloud Service Level Agreement Standardization Guidelines, available at http://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines. The Guidelines recommend contractual stipulations covering (1) business continuity, disaster recovery, and data loss prevention controls; (2) authentication/authorization controls, including access provision/revocation, and access storage protection; (3) encryption controls; (4) security incident management and reporting controls and metrics; (5) logging and monitoring parameters and log retention periods; (6) auditing and security certification; (7) vulnerability management metrics; and (8) security governance metrics. Providers also may choose to be certified under standards such as ISO 27001, although such certifications may not address all applicable legal requirements.

(c) Restrictions on Cross-Border Data Transfers

A number of countries—e.g., all the European Economic Area (EEA) Member States and certain neighboring countries (including Albania, the Channel Islands, Croatia, the Faroe Islands, the Isle of Man, Macedonia, Russia, and Switzerland), as well as countries in North Africa (e.g., Morocco), the Middle East (e.g., Israel), Latin America (e.g., Argentina and Uruguay), and Asia (e.g., South Korea)—restrict the transfer or sharing of personal information beyond their borders. These restrictions can present significant challenges for multinational companies seeking to move their data to the cloud. Recognizing these challenges, some providers are starting to offer geographic-specific clouds, in which the data are maintained within a given country or jurisdiction. Some U.S. providers have also certified to the U.S.-European Union Safe Harbor program, in order to accommodate EU-based customers. However, as the Safe Harbor only permits transfers from the EU to the United States, it is not a global solution. Accordingly, a company should assess carefully whether the options offered by a provider are sufficient to meet the company’s own legal obligations in the countries where it operates.

To complicate matters, international data protection authorities, particularly in the EEA, have expressed concerns about use of the cloud model for personal information. The Working Party 29 (WP29), the assembly of EEA data protection authorities, and many other local EEA authorities have issued guidance about cloud computing, covering purpose and transfer restrictions, notification requirements, mandatory security requirements, and the content of the contract to be concluded with cloud providers. This guidance includes the WP29 Opinion 05/2012 on Cloud Computing, which is discussed further below. The draft Data Protection regulation currently discussed among the EEA Member States reflects such guidance and should be accounted for prior to engaging cloud providers.

Review contractual obligations affecting your outsourcing of personal information

If your company is seeking to outsource to a cloud provider applications that involve third-party data, such as personal information maintained on behalf of customers or business partners, it is important to consider any limitations imposed by contracts with those third parties. Such agreements might require third-party consent to the outsourcing or subcontracting of data processing activities, or may require your company to impose specific contractual obligations on the new provider or subcontractor.

Select an appropriate cloud computing solution

Cloud services tend to be offered on a take-it-or-leave-it basis, with little opportunity to negotiate additional contractual protections or customized terms of service. As a result, companies may find themselves unable to negotiate the types of privacy and data security protections that they typically include in contracts with other service providers. Companies will need to evaluate whether the contract fulfills their applicable legal and contractual obligations, as discussed above. Beyond that, companies will want to evaluate the practical level of risk to their data, and what steps they might take to reduce those risks.

(a)   Public vs. Private Cloud

Broadly speaking, a private cloud maintains the data on equipment that is owned, leased, or otherwise controlled by the provider. Private cloud models can be compared with many other well-established forms of IT outsourcing and do not tend to raise the same level of concerns as a public cloud model.

A public cloud model disperses data more broadly across computers and networks of unrelated third parties, which might include business competitors or individual consumers. While offering maximum flexibility and expansion capabilities, the public cloud model raises heightened concerns about the inability to know who holds your company’s data, the lack of oversight over those parties, and the absence of standardized data security practices on the hosting equipment. Given these challenges, companies outsourcing personal information will want to understand whether the proposed service involves a private or public cloud, as well as evaluate what contractual commitments the provider is willing to make about data security.

(b)   Securing Data Before Transmission to the Cloud

Companies also may be able to take measures themselves to protect personal information before it is transmitted to the cloud. Some provider agreements instruct or require customers to encrypt their data before uploading the data to the cloud, for example. If it is feasible to encrypt the data prior to transmission to the provider, this may provide substantial additional protections, as long as the encryption keys are not available to the provider.
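As an added illustration (not code from the article or any provider), the following Go program shows the arrangement the paragraph recommends: the record is encrypted on the customer's side before upload, and the provider receives only ciphertext plus a per-object data key that is itself wrapped under a key-encryption key (KEK) the customer never shares. The envelope layout, the function names, the sample record and the object name are constructed for this example, and the all-zero demo KEK stands in for one held in a key management system the customer controls.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag for plaintext under key, binding aad.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, truncation or any tampering fails closed.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// EncryptForUpload runs on the customer side: a fresh 256-bit data key encrypts the record
// and is then wrapped under the customer-held KEK; objectID is authenticated into both blobs.
func EncryptForUpload(kek, record []byte, objectID string) ([]byte, []byte, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, nil, err
	}
	ct, errCT := seal(dek, record, []byte(objectID))
	wrapped, errWrap := seal(kek, dek, []byte(objectID))
	if err := errors.Join(errCT, errWrap); err != nil {
		return nil, nil, err
	}
	return wrapped, ct, nil // the provider stores these two blobs and nothing else
}

// DecryptFromCloud runs on the customer side after download; the KEK never reaches the provider.
func DecryptFromCloud(kek, wrappedDEK, ct []byte, objectID string) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, ct, []byte(objectID))
}

func main() {
	kek := make([]byte, 32) // constructed all-zero demo KEK; a real KEK lives in a KMS/HSM the customer controls
	wrapped, ct, _ := EncryptForUpload(kek, []byte(`{"email":"jane@example.com"}`), "customers/123.json") // constructed sample
	back, err := DecryptFromCloud(kek, wrapped, ct, "customers/123.json")
	fmt.Printf("provider holds %d opaque bytes; customer recovers %q (err=%v)\n", len(wrapped)+len(ct), back, err)
}
```

Because the object name is bound as authenticated data, a stored blob cannot be moved to another object or truncated without decryption failing on the customer's side.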

It is also important to account for applicable security requirements. To this effect, several countries in Europe have very specific statutory requirements for security measures, and some regulators have issued detailed security standards for cloud computing providers. Pursuant to the WP29 Opinion 05/2012, all contracts should include security measures in accordance with EU data protection laws, including requirements for cloud providers on technical and organizational security measures, access controls, disclosure of data to third parties, cooperation with the cloud client, details on cross-border transfer of data, logging, and auditing processing. The recent guidelines from the CSIG recommend the inclusion of the following provisions in processing agreements: (1) standards or certification mechanisms the cloud service provider complies with; (2) precise description of purposes of processing; (3) clear provisions regarding retention and erasure of data; (4) reference to instances of disclosure of personal data to law enforcement and notification to the customer of such disclosures; (5) a full list of subcontractors involved in the processing and inclusion of a right of the customer to object to changes to the list, with special attention to requirements for processing of special or sensitive data; (6) description of data breach policies implemented by the cloud service provider including relevant documentation suitable to demonstrate compliance with legal requirements; (7) clear description of geographical location where personal data is stored or processed, for purposes of implementing appropriate cross-border transfer mechanisms; and (8) time period necessary for a cloud service provider to respond to access, rectification, erasure, blocking, or objection requests by data subjects.

(c)   Contract Issues

In the majority of cloud computing services, the client is the data controller and the cloud provider is the data processor. However, in certain scenarios (in particular Platform as a Service (PaaS) and Software as a Service (SaaS) in public computing models), the client and the cloud provider may be joint controllers. Under EU guidance, the responsibilities of joint controllers must be very clearly set out in the contract to avoid any “dilution” of legal responsibility.

The contract with the cloud services provider needs to set out clearly the roles and responsibilities of the parties. Unlike many outsourcing arrangements, cloud service contracts usually do not distinguish between personal information and other types of data. These contracts may still include at least basic data protection concepts, even if they are not expressly identified as such. At a minimum, companies will want to look for provisions preventing the provider from using the information for its own purposes, restricting the provider from sharing the information except in narrowly specified cases, and confirming appropriate data security and breach notification measures. Various European data protection authorities have underscored that access to cloud data by public authorities must comply with national data protection law and that the contract should require notification of any such requests unless prohibited under criminal law and should prohibit any non-mandatory sharing. Given the difficulty of negotiating special arrangements with cloud providers, it is important to select a cloud offering that is appropriately tailored to the nature of the data and the related legal obligations. It is likely that as cloud computing matures, more offerings tailored to specific business requirements, including compliance with privacy and similar laws, will be made available to companies.

Concluding thoughts

While cloud computing can substantially improve the efficiency of IT solutions, particularly for small and medium-sized businesses, the specific offerings need to be examined closely. There is no “one-size-fits-all” solution to cloud computing, especially for companies operating in highly regulated sectors or internationally. By understanding their legal compliance obligations, companies can make informed decisions in selecting cloud computing services or suites of services that best meet their needs.

Drones: Why You Should Start Thinking Now About the Anticipated UAS Regulations

Posted in Internet of Things

Editor’s Note: At first glance, drones may seem unrelated to the social media and Internet-related issues that we track on Socially Aware. Upon closer examination, however, many social media and Internet companies are exploring the commercial use of drones; for example, Amazon has publicly announced its intentions to incorporate drones into its package delivery system, and both Facebook and Google have expressed their desire to use drones to facilitate Internet connectivity. With that in mind, we present the following post regarding the upcoming Notice of Proposed Rulemaking related to commercial drone use in the United States.

Introduction

With drone technology rapidly advancing and the FAA recently starting to open the door to commercial drone use, companies across industries should begin evaluating how drones can add value to their businesses, if they have not already done so.

Drones can benefit a wide range of industries and activities, including (to name only a few): industrial-scale agriculture; energy generation, transmission, production, and pipeline facilities; other conveyances and linear projects (such as water and flood control); transportation infrastructure, including railways, roads, ports, and waterways, and the rolling stock, vehicles, and vessels that use them; private and public emergency response (e.g., fire, flooding); insurance and accident inspection; and resource assessment, monitoring, and compliance. But without input from leaders in these industries, their use of drones may not be realized in the foreseeable future. Industry leaders need to demand that the FAA’s much-anticipated Notice of Proposed Rulemaking (NPRM) for small UAS—now expected to be issued in the first half of December—is reasonable and practical for the wide range of industries and activities, and fosters drone use and innovation while responsibly ensuring public safety.

Background of the Notice of Proposed Rulemaking for Small UAS

FAA rulemaking for drones was mandated by Congress as part of the FAA Modernization and Reform Act of 2012. The law requires the FAA to “provide for the safe integration of civil unmanned aircraft systems into the national airspace system as soon as practicable, but not later than September 30, 2015.”

The NPRM for small UAS (meaning UAS that weigh less than 55 pounds) was expected sooner—with Congress requiring the FAA to issue a final rule by August 2014. But the agency is notably behind this schedule. According to the latest publicly available information regarding the rulemaking, the NPRM for small UAS will issue in November 2014. We believe, however, that the FAA is more likely to issue the NPRM in mid-December. Moreover, in fall 2013, the DOT declared a deadline of May 2014 for issuing the small UAS NPRM, which it extended. That could happen again. The NPRM will initiate what is expected to be a decade of rulemaking to establish the regulatory regime for drones, large and small.

What Will the Proposed Regulations Say?

More important than the timing of the NPRM, however, is its expected content. This rulemaking is going to be comprehensive, designed to adopt specific rules for the operation of small UAS in the national airspace. The proposed regulations are likely to address classification of small UAS, certification and training of pilots and visual observers, registration, approval of operations, and operational limitations. Additionally, there will likely be provisions requiring the FAA to collect safety data from the user community.

Operational limitations and certification requirements that the FAA may require can be gleaned from the exemption requests that the FAA granted for the commercial use of small UAS in film production late last month. These exemptions—while allowing limited commercial use—remain highly restrictive. They permit the use of specific drone models that must fly at speeds below 50 knots and be equipped with advanced GPS systems. The flights must be conducted below 400 feet and within the visual line of sight of the pilot in command, who must possess at least a private pilot’s certificate. Flight plans for the activities must be submitted to the local Flight Standards District Offices three days in advance of the operations, and the operators must obtain specific waivers from the relevant air traffic organizations.

If the FAA attempts to impose these types of restrictions on small UAS operations across the board, the utility of drone operations for many industries may be severely limited, if not extinguished. For example, using drones to inspect pipelines and power lines over long distances would prove impossible if the FAA imposes a visual line of sight requirement. Similarly, requiring a private pilot’s certificate for all operations may hinder the ability of farmers to use drones for precision agriculture, or realtors to use drones to obtain aerial footage of properties. Simply put, a one-size-fits-all approach will not work for the small UAS regulations. Given the FAA’s historical concerns and agency culture, there is reason for concern.

What Can Be Done Now?

Companies and trade associations interested in obtaining the benefits of small UAS should start formulating plans now to help shape the NPRM and the regulations that will come out of it. They need not wait for the NPRM to issue.

The FAA can be petitioned in advance of the NPRM with broad requests to include or exclude certain provisions. Moreover, comments can be submitted on pending Section 333 exemption requests. These comments can be narrow and limited to why the specific exemption request should or should not be granted; or they can be broad, sweeping commentary on the current status of the FAA’s position on small UAS operations. Several well-known associations have already begun commenting on the exemption requests, including the Aerospace Industries Association, the National Agricultural Aviation Association, the Association for Unmanned Vehicle Systems International, and the Air Line Pilots Association International.

Industry leaders should also plan to comment on the NPRM once it is issued. This will require careful consideration of the current operating environment, as well as a keen eye toward potential future uses for UAS. Industry should seek to ensure that small UAS operations are not unduly restricted, while taking into account the risks associated with, and potential unintended consequences of, expanding UAS operations.

Status Updates

Posted in Status Updates
  • Unfree speech? In the United States, the First Amendment would likely prevent the prosecution of someone who posted racist or anti-Semitic messages on a social media platform. But social media platforms operate worldwide, and many nations’ laws are much less permissive when it comes to speech of this type. Following a French case in which Twitter was forced to remove certain anti-Semitic content, many operators of social media platforms have updated their terms of service to comply with European laws regarding racist statements, Holocaust denial and other hate speech.
  • By invitation only. Google is currently rolling out Inbox, a new email system with added features that may eventually replace Gmail for some users. Interestingly, Google is initially making Inbox available only by invitation. Each person with an Inbox account can invite up to three friends by clicking a “golden ticket” icon. It’s not clear why Google is doing this. According to an article on Techcrunch, Google may be trying to create a “sense of buzz” for the new app so that it can grow the user base inexpensively and virally.
  • Not with a bang but a whimper. Last month, we wrote about the long-drawn-out trademark battle between Twitter and Twitpic in which Twitter said it would prevent Twitpic from gaining access to its API if Twitpic did not abandon its trademark. Twitpic decided to shut down instead, and we just heard the last bit of news on this dispute: Twitpic’s archives of photos will remain accessible and available for perusal, but no new additions will be allowed. And Twitpic is ending the availability of its mobile apps. So if you put a photo on Twitpic a year ago, you’ll still be able to find it, but that’s about all.

Counterfeit Goods: Has the War on ISPs Just Gotten Tougher?

Posted in IP

The pressure on ISPs to take responsibility for the sites accessible through their services has been growing in recent years (e.g., the requirement for certain ISPs to block filesharing sites). On October 17, 2014, the High Court of England and Wales took this one step further by granting a website-blocking order against certain ISPs in a case involving counterfeit goods. This case is notable for the fact that the infringement related to trademarks and not copyright. While English copyright law has a provision under which blocking injunctions may be sought, there is no statutory equivalent under trademark law, yet an injunction was still granted. Has the war on ISPs just gotten tougher?

The ISPs in question were Sky, BT, EE, TalkTalk and Virgin, and the matter centered around six websites that advertise and sell counterfeit goods (such as Cartier and Montblanc). The claimants (trademark owners in the Richemont/Cartier group) sought a blocking injunction from the ISPs for these six sites.

In reaching his decision to grant the blocking injunction, Mr. Justice Arnold focused on (a) whether the court had jurisdiction to grant the injunction; (b) whether such an injunction could be granted where no specific statutory legislation was in place relating to this remedy; and (c) whether the threshold conditions were met for granting such an injunction.

Having established that the court did indeed have jurisdiction, Mr. Justice Arnold noted that, although there is no specific legislation providing for injunctions in cases of trademark infringement, to grant such an injunction against a non-infringing party would nevertheless be consistent with EU law and UK policy. Further, Mr. Justice Arnold noted that “the 1994 [Trade Mark] Act both confers remedies against persons who are not necessarily infringers . . . and yet does not purport to contain a comprehensive code of the remedies available to a trade mark proprietor . . . More generally, there is nothing inconsistent between granting an injunction against intermediaries . . . and the provisions of the 1994 Act.” Thus, in this instance, the court held that an injunction could be granted even where no specific statutory legislation was in place.

Mr. Justice Arnold then focused on whether the threshold conditions for an injunction (in this case a website-blocking order) were met:

  1. Is the defendant an intermediary within the meaning of Article 11 of the Enforcement Directive (Directive 2004/48/EC)? The court determined that ISPs clearly fall into this category.
  2. Do the users and/or the operators of the website in question infringe the claimant’s trademarks? The court determined that each of the six websites did infringe because each provided goods bearing signs identical to the trademarks in dispute, and sold these goods in response to orders without consent of the claimants.
  3. Do users and/or the operators of the websites use the ISP’s services to infringe? Mr. Justice Arnold held that the answer to this question was yes. The ISPs have an essential role, as it is via their services that the advertisements and offers for sale are communicated to users in the UK. Even if UK consumers don’t purchase any goods, the first act of infringement is already complete based just on the advertisements.
  4. Do the ISPs have actual knowledge? Here again, the court held in the affirmative: If the operators of the websites in question use the ISPs’ services to infringe, then the ISPs have actual knowledge of the infringement, based on the fact that the claimants sent notices to the ISPs and the other evidence produced.

In considering whether the injunction would unduly interfere with the ISPs’ freedom to carry on business and Internet users’ freedom to receive information, Mr. Justice Arnold considered that no new technology would be required to block the sites in question and, although alternative measures such as takedown and de-indexing were available, these measures would not be as effective as an injunction and would not be less burdensome. However, he did adopt certain points made by the Open Rights Group, including requiring that additional information be provided to users when they attempt to access the blocked sites and limiting the order to an initial two-year period.

The Internet is increasingly used in the counterfeit goods trade. A study published in 2008 by the Organisation for Economic Co-operation and Development entitled The Economic Impact of Counterfeiting and Piracy estimated that the value of counterfeited and pirated goods moving through international trade alone in 2005 amounted to US$200 billion. In 2014 the European Commission published its Report on EU Customs Enforcement of Intellectual Property Rights: Results at the EU Border, which recorded that, in 2012, customs authorities at the external borders of the EU seized a total of over 39.9 million articles, representing a market value of almost €900 million, with the UK seizing more articles than any other Member State. It remains to be seen, however, whether this case, acknowledged by Mr. Justice Arnold as a test case, will open the floodgates for trademark owners affected by this widespread issue or, given that domain names can be easily purchased and new sites quickly set up, will have little real impact.

Status Updates

Posted in Status Updates
  • Clearing the air. Aereo, the startup broadcasting service that lost big in the U.S. Supreme Court last June, just lost another, and possibly its last, court battle. A U.S. district judge in the Southern District of New York, responding to a motion filed by the major broadcasting networks, granted a preliminary injunction barring Aereo from retransmitting programs to its subscribers while the programs are still being broadcast. The ruling by U.S. District Judge Alison Nathan also rejected Aereo’s argument that it should be able to take advantage of the statutory compulsory license applicable to cable systems.
  • Let’s be friends. Twitter’s relationship with app developers has been somewhat strained since the microblogging platform tightened its rules on outside apps a couple years back. That’s all changing now, as Twitter convened its first mobile app-developer conference in four years. The event in San Francisco attracted 1,000 developers. At the conference, Twitter introduced Fabric, a set of developer tools that are intended to make it easier for developers to build apps and make money from them. It looks as if Twitter is taking note of the similar steps that Google, Facebook and others are taking to attract app developers.
  • Sharing the wealth. A New York-based tech startup called Tsu is trying to establish a whole new business model for a social network. Tsu, which has attracted a $7 million venture capital investment from Sancus Capital, will pay users based on the advertisements that their postings attract. Tsu keeps only 10 percent of the revenue that it receives from ads, sponsorships, and third-party applications. The other 90 percent is divided into two pools of money. Half of it goes to the content creator who posted the content that attracted the ad. The other half goes to the social network that recruited that content creator.