Some of the more perplexing issues in our data-driven world are the questions of data localization and export – that is, where data should be stored and how it can be moved. Up until recently, data and computer-housed information has flowed cross-border without much hindrance. In general, companies store data wherever it is convenient to store the information and move it around at will. Those practices are coming under fire. For example, a new law in China requires personal data to be stored “domestically.” See here. But what does that really mean in a world of cloud storage?
In another example, the US Supreme Court is set to decide whether a US-issued warrant can compel a US-based company to disclose data stored on servers located outside of the US. Moreover, the EU’s new General Data Protection Regulation (“GDPR”) also tries to tackle this complicated issue. These are complex issues and every business, both small and large, needs skilled and experienced internet law attorneys to help. Here is a quick primer.
Data Localization: Microsoft Case and Proposed New Laws
In the case of US v. Microsoft, the key issue is whether a US-issued warrant for information in a criminal case can be used to compel a US-based company, Microsoft, to provide copies of emails and other electronically-stored information housed on computers and servers located in Ireland. The underlying case concerns drug-trafficking. According to reports, Microsoft stores data on more than a million servers located in 40 countries. Given the constant flow of data and information, there is a legitimate question of where any given piece of data is located at any given moment. Is there truly a concept of “storage” or “stored”?
At the trial level in 2013, in response to the warrant, Microsoft tendered relevant emails that were stored on US-based servers, but sought to quash the warrant with respect to data stored on its Irish servers. Microsoft lost at the trial level, but the trial court was reversed by the Court of Appeals in Matter of Warrant Search Certain E-Mail, 829 F. 3d 197 (2nd Cir. 2016). See news report here.
The Court of Appeals held that, when enacting the federal Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701 et seq., Congress did not intend the SCA to have extraterritorial applications. To quote the Court: “Having thus determined that the Act focuses on user privacy, we have little trouble concluding that execution of the Warrant would constitute an unlawful extraterritorial application of the Act.”
If the standard is “Congressional intent,” then Microsoft may win the case before the Supreme Court. Indeed, at the recent oral argument of the case, Justice Sonia Sotomayor asked why the court should not wait for Congress to resolve the issue. A proposed law called the CLOUD Act has been introduced in the Senate by, among others, Sen. Orrin Hatch (R-Utah). The proposed law would require production of stored data in response to a valid warrant even if it is held outside the US. The proposed language amending the SCA is this:
“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody or control, regardless of whether such communication, record or other information is located within or outside of the United States.”
The proposed CLOUD Act would also allow companies to challenge application of the warrant where disclosure would place the company in violation of a foreign nation’s laws. As can be seen, the issue of data locatalizion and movement is complex.
Data Localization: China’s Cybersecurity Law
In related news and adding another layer of complication, compliance deadlines are now going into effect for China’s Cybersecurity Law (“CSL”). The CSL took effect on June 1, 2017; compliance with various parts of CSL were deferred until various dates throughout 2018 and full compliance is required by December 31, 2018. With respect to cross-border data transfer and data storage, as reported here, Article 37 of the CSL states:
“Personal information and important data collected and generated by critical information infrastructure operators in the PRC [People’s Republic of China] must be stored domestically.”
The CSL states that where it is “truly necessary” due to “business requirements” that the data is provided outside of the mainland, companies must follow rules and procedures formulated by various Chinese State information and security assessment departments. Unfortunately, the rules and procedures for moving the stored data have not been promulgated. Obviously, companies in and companies doing business with China are concerned with how Chinese authorities will define “truly necessary” and “business requirements.” Compliance with the domestic storage of China-based data takes effect on December 31, 2018.
Data Localization: EU’s GDPR
As might be expected, the EU’s new GDPR does not have a provision related to localization of data storage. Given the number of member states, that would be untenable. Likewise, given the linkages of the EU economy to the larger global economy, there is no within-EU data storage requirement.
With respect to data movement, in general, movement is free as long as the receiving nation or the exporting-receiving companies have sufficient standards for protecting the private, personal, and financial data. Thus, Article 44 of GDPR prohibits transfer of personal data to non-EU recipients unless the receiving country has laws providing adequate levels of protection for data (Article 45) or the data exporting-data receiving companies have appropriate, proper, and sufficient safeguards to protect the data from compromise (Article 46).
Two General Steps to Take Now
As noted above, every business handled private data. To handle current and future issues with data localization and data movement, a couple of simple steps should be taken now.
- Audit and inventory the personal and consumer data. Identify where physically the data is stored.
- Audit and identify circumstances in which the various data is transferred cross-border.
With these two steps taken, your business can begin to determine whether storage and movement comply with the applicable law(s).
Internet Law Attorneys: Contact Revision Legal
If you need more information about data localization, cloud storage or data movement laws and requirements, contact the dedicated and experienced Internet law lawyers at Revision Legal, a new kind of law firm serving a data driven world. We can be reached by email or by calling us at 855-473-8474.
You Might Also Like:
Stored Communication Act
Tips To Avoid Data Breach Litigation
Privacy Related News — Carpenter Case
GDPR
Yes, Your Business Needs A Data Protection Officer
The UDRP Process
/0 Comments/in Internet Law /by Eric MisterovichThe acronym UDRP is one that many website owners may have seen or heard before, but what it is, where it came from, and why we need it may be less familiar if you have never been involved in a domain dispute. But, whether you know it or not, you agreed to abide by the UDRP when you signed your domain agreement. Continue reading for a full explanation of the UDRP process.
What is UDRP?
The UDRP (Uniform Domain-Name Dispute-Resolution Policy) is a set of rules found in every Domain Name Purchase Agreement that defines how domain name disputes should be decided. The UDRP generally applies to top-level domains such as .biz, .com, .info, and .org—to name a few.
By signing the mandatory Domain Name Purchase Agreement when purchasing a domain, registrants “represent and warrant” that the registration “will not infringe upon or otherwise violate the rights of any third party,” and agree to an arbitration-like proceeding if such a claim should arise. While the UDRP is mandatory for domain holders, it is an optional procedure for mark holders.
Where did UDRP come from?
With the rise of the Internet in the early ‘90s came the use of trademarks as domain names without the owner’s consent, also known as “The Trademark Dilemma.” By 1998, the non-profit corporation ICANN (the Internet Corporation for Assigned Names and Numbers) was formed to assume responsibility for IP address space allocation, top-level domain name system management, and root server system management functions. In other words, ICANN ensures corporate trademark are not held ransom by those who register a certain domain name before the company can.
What are the UDRP elements?
The UDRP essentially protects businesses from abusive or bad faith registrations. However, like all contracts, there is more to it than that. You can read the full UDRP here, or find the essential elements, below.
To have a domain name transferred, a complainant must prove:
What are the steps in the UDRP process?
Day 0: Complainant files complaint with a the NAF or WIPO, which will send send a copy to Respondent (domain holder) at the address shown on the WHOIS database.
The provider then reviews the complaint for compliance with the UDRP and provider rules. If the complaint complies, the proceeding continues; if the complaint does not comply, however, the complainant has 5 days to resolve the defects. If the complainant does not do so within 5 days, the complaint will be considered withdrawn.
Day 3: The provider sends the complaint to the registrar of the allegedly infringing domain name, along with a copy to the respondent.
Day 23: the respondent must respond specifically to the allegations in the complaint and offer any bases for the retention of the domain name within 20 calendar days of the commencement of the formal proceedings.
If the respondent does not file a response within this 20-day window, respondent will be deemed to have defaulted.
Day 28: The provider now has 5 days to appoint a panel.
Day 42: A decision will be rendered within 14 days of the panel’s appointment.
Day 45: The panel has 3 days to notify the parties of the decision.
10 business days later: Unless the adversely affected domain name holder has filed suit in a court of mutual jurisdiction by this date, the registrar will implement the decision of the panel, canceling or transferring the domain name according to the remedy sought in the complaint.
Though it is at the panel’s discretion to extend the time restrictions in exceptional circumstances, disputes are generally resolved within 60 days of filing.
If you are facing or thinking of filing a UDRP complaint, please contact Revision Legal’s Internet attorneys for a consultation by completing the form on this page.
Editors note: This article was originally published in June, 2015. It has been updated for clarity and comprehensiveness.
E-Commerce Deceptive Pricing: What All Online Sellers Need to Know
/0 Comments/in internet /by Amanda OsorioIn the United States, the Federal Trade Commission (FTC) is charged with protecting consumers in the marketplace. Section 5 of the FTC Act, 15 U.S.C. § 45(a)(1) prohibits companies from utilizing “unfair or deceptive acts or practices in or affecting commerce”. This standard has been applied to protect consumers from deceptive pricing schemes. With retail purchases transitioning from brick and mortar stores to e-commerce, deceptive pricing schemes are evolving and in some ways becoming more prevalent. In addition to the FTC, many states have enacted laws meant to protect consumers from deceptive advertising and pricing tactics.
Deceptive pricing, according to the FTC, is any pricing scheme that is likely to mislead consumers and affect consumers’ behavior or decisions about the product or services offered for sale. Basically, any advertising, including pricing, must tell the truth and not mislead consumers.
Deceptive pricing has been found where companies utilize marketing schemes such as:
These pricing practices may not, in and of themselves, be deceptive. However, where the pricing comparisons or fine print are deceptive in nature, the FTC may intervene.
For example, strike-through pricing is a common practice where retailers list the current price in comparison to a former price for the product. The former price appears with a line through it indicating that it is no longer valid. This is a great way to communicate discounts or sales to potential customers. However, if the stricken former price is not a valid indication of an actual former price of the product, the difference in price and consequently the “deal” is misleading.
The FTC has provided some guidance to sellers regarding deceptive advertising issues on their website here. Deceptive pricing schemes do cause actual problems for online retailers.
If companies are found to be utilizing deceptive pricing or advertising practices, the FTC will issue fines. Furthermore, many companies have faced civil litigation including class action lawsuits where damages can add up quickly.
In 2017, Canada levied a $1 Million fine against Amazon Canada for misleading pricing practices. They found that Amazon’s practice of comparing prices to higher “list prices” or suggested manufacturer prices (MSRPs) was merely a marketing gimmick that mislead consumers into thinking they are getting a great deal although the list price was not a prior actual price of the product. Canada’s Competition Bureau found Amazon culpable because they relied on their sellers to provide the list prices and never verified that those prices were ever accurate.
During the FTC’s review of Amazon’s purchase of Whole Foods in 2017, Amazon’s pricing was also investigated in the United States because of a letter filed with the FTC by Consumer Watchdog. Consumer Watchdog claimed that the reference prices posted on Amazon were higher than actual former prices of the products in the previous 90 days. Amazon denied the allegations. The FTC suspended its investigation of Amazon in 2017 but stated in a press release that, “Of course, the FTC always has the ability to investigate anti-competitive conduct”. This investigation highlights the FTC’s intent to follow up on complaints and investigate deceptive pricing in the marketplace.
The lesson here for online retailers is to make sure your marketing practices do not cross over the line to deceive consumers. Sellers should make sure that price comparisons including strike-through prices are an accurate representation of the actual deal the customers are receiving.
Today, online sellers have a lot to focus on. New competitors and pricing pressures, adhering to new privacy laws like the GDPR, and securing their customer data against hackers. Don’t make an FTC investigation into your advertised pricing an issue. If you have questions, have one of our Internet Lawyers review your pricing practices before the FTC does.
Facebook and the GDPR: Why Your Company Needs To Be Prepared
/0 Comments/in Privacy /by Amanda OsorioData privacy is a big deal right now. Facebook is the latest company facing lawsuits and a PR nightmare related to the way they handled their customer’s data. However, Facebook is not the only company that needs to re-think its privacy related policies. The current data issues that Facebook is facing places the spotlight on an issue that has been brewing for some time.
Privacy and control over what companies do with personal information is a common concern held by people around the world, from all walks of life and all political persuasions. While there are differing views on whose responsibility it is to protect data, most agree that there should be some safety measures taken. In the US, most states have some laws related to data breach and data security but the US does not have a comprehensive federal data security law. The European Union has enacted a stringent regulation called the General Data Protection Regulation (GDPR). The GDPR goes into effect in May 2018 and places strict rules on what companies can do with the personal data of EU residents. Read here about the 5 steps your company needs to take before May.
GDPR requires companies to closely monitor and control their collection of personal data of EU residents. “Personal Data” is broadly defined and includes details such as name, date of birth, social security number, financial information, address, email addresses, IP addresses, sexual orientation, and religion. Under the GDPR, individuals have a right to opt in to having their data collected, to know what data is being collected, why it is being collected, who is receiving it, to request copies of all personal data a company has of theirs, to opt out of the data collection, and to have it deleted completely from the company’s records. In order to comply with these and other requirements, companies need to have processes and policies in place to act quickly. Non-compliance can result in massive fines of up to 20 million Euros or 4% of the company’s global turnover, whichever is higher, per breach. These are serious consequences and US business need to be prepared. While Facebook has been highly criticized for the Cambridge Analytica data scandal, their recent changes regarding privacy have likely been in the works for some time. Like other businesses, Facebook has to be compliant with the GDPR by the May 2018 deadline.
The GDPR is an EU regulation but that doesn’t mean that US businesses don’t have anything to worry about. Even companies without a physical presence in the EU could be liable for violations of the GDPR. Like Facebook, businesses that collect personal data from any EU resident need to make sure they are compliant with the GDPR by May. The recent PR scandal Facebook is dealing with highlights the public’s demand for transparency and providing greater control to consumers.
Facebook’s troubles and the impending strict regulations of the GDPR should be a sign for all companies to take a second look at the way they collect and utilize personal data. Just this week, Pinterest introduced a new Privacy Policy and Terms of Service in order to comply with the new European privacy laws. Other companies are following suit. For more information on how to become GDPR compliant or begin the process of creating a comprehensive data privacy policy, feel free to contact us.
GDPR Compliance: 5 Steps You Need to Take Before May
/0 Comments/in Privacy /by Amanda OsorioIf you think Facebook is the only company that needs to think about data privacy and security issues, unfortunately you are mistaken. Right now, most companies need to consider whether or not there are prepared to protect the personal data of their customers. Not only because of the outrage and backlash that companies face in the aftermath of a breach but because of regulations like the GDPR and other data protection laws. The General Data Protection Regulation (GDPR) is a regulation that has been passed by the European Union and is set to be implemented in May 2018 and companies need to take steps to meet GDPR compliance requirements.
What if your company has no presence in the EU?
GDPR could still apply to your company if you offer goods and/or services to people in the EU and you collect data from them or if you process data received from a third party who does. This is important because non-compliance could result in massive fines up to 20 million Euros or 4% of global company turnover, whichever is higher. These fines are high due to the EU’s intention to deter companies from misusing data.
The GDPR allows for personal data processing where the owner of the data consents and you have legitimate reasons to collect the data or when the processing is necessary for tax, legal, or other reasons.
Personal Data as defined by the GDPR includes any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Some GDPR Personal Data Rights and how they could affect your business:
The GDPR also places restrictions on and regulations regarding the transfer of Personal Data outside of the European Union. Data breaches must be reported to authorities within 72 hours and companies must have a process in place to notify potentially affected individuals.
This is not an exhaustive list of all requirements imposed by the GDPR. It is imperative that companies have processes, procedures, technological capabilities and training in place so that they can comply.
GDPR Compliance: 5 Steps You Need to Take
The GDPR is a complex law with significant impact on the business community. Time will tell us the full extent and impact on business but we recommend taking steps now to move toward compliance. Contact Revision Legal for more information or for further guidance and resources.
9 Steps to Business Success
/0 Comments/in business /by Amanda OsorioSo, you have a great business idea. Great! What now?
Below are 9 steps that will help guide your idea from light bulbs to a profitable business.
Step 1: Identify a Brand Name
Branding is important and any new idea needs a name. There are many details that come into play when choosing a brand name. Whether you are working with a marketing firm or you have a list of potential names on a napkin, it is important to consider the legal implications of choosing a name. Brand names are trademarks. The use of a trademark has legal implications that can enhance or hurt your business.
Some names are better than others. Choosing a strong, distinctive trademark will help you create a brand that really makes your idea shine. It is important to avoid descriptive and generic trademarks. The strongest trademarks are fanciful or arbitrary. Apple is a very strong trademark for the sale of computers but Apple is a terrible trademark for the sale of apples.
Many people think their trademark should describe their product or service. This is not necessarily true. While your brand should represent the tone you intend to portray in business, choosing a descriptive trademark is not the best approach in the long run.
Step 2: Identify a Domain name
Your idea needs a website. Whether you are selling products online or you will use your website to help get the word out about your services, your website is an important aspect of your marketing and business plans. Finding the right domain name is an important part of this process. Do your research and see what relevant domain names are available.
The law also provides protections for trademark owners. Anti-cybersquatting laws provide an opportunity for trademark owners to protect their rights online. Cybersquatting occurs where one registers a domain name containing the trademark of another with the intent to profit from the sale or use of that domain name. Cybersquatting can be devastating to a business. Cybersquatters can divert valuable traffic and, in turn, sales, from a business through the use of the cybersquatted domain name.
Step 3: Obtain a Trademark Clearance
You picked a name you love and you’ve found a domain name that is perfect. Now it is time to take this step which many entrepreneurs skip or put off only to suffer devastating consequences in the future. Obtaining a trademark clearance is an affordable and essential action in the start-up process. A trademark attorney will perform a trademark search and provide you with a clearance opinion. In the opinion, the attorney will include results of their search that they consider relevant to your ability to use and register your trademark.
Some things that trademark attorneys consider include whether there are any registered trademarks that would hinder your use and registration. They will provide you with an opinion as to whether consumers would likely be confused by the existence of your trademark and the prior mark. The attorney will also give you their opinion about any genericness or descriptiveness concerns they anticipate.
Step 4: File a Business Entity
Creating a business entity will help you organize and protect your business. There are many different entity types and structures to choose from. The best type of entity for you depends on the nature of your business and your goals. A business attorney can help explain your options and help you choose the most appropriate one. Business entities are valuable because they help shield owners from personal liability and can help improve the tax implications of bringing your ideas to life.
Step 5: File for a Trademark Registration
Obtaining a trademark registration is a powerful asset for your business and not something that should be overlooked or put off for the future. After you have a business entity and a trademark clearance, it is important to file an application for registration for your trademark. You will want to make sure that not too much time has passed since you received a trademark clearance as it may be inaccurate as to any subsequent filings or trademark use by third parties. The United States Patent and Trademark Office handles all trademark applications for registration. While it is not absolutely required, you may want to hire a trademark attorney to help you prepare and file your application.
Step 6: Open a Bank Account
It is important to keep business and personal expenses separate from one another. Opening a new bank account is a great way to avoid confusion and help make tax filing easier. You may want to consider opening an account at a bank other than the one you use for personal finances just to keep everything separated and easy.
Step 7: Get Insurance
Business insurance can help keep you out of trouble and assist in the event your business encounters problems. Ask around to learn about your options. The type of insurance you purchase depends greatly on the type of business you are creating. Important questions maybe whether you are offering services that put people in harm’s way, sell products to a potentially vulnerable customer base or invite people to your place of business to purchase or receive services. A reputable insurance agency can help you determine the best insurance for your business.
Step 8: Get Your Contracts in Order
Businesses need solid contracts to protect their assets and create good working relationships. Whether you hire employees or independent contractors, have a graphic designer create a logo or other design, hire a developer to help create the software you intend to sell, etc., you will need contracts. Hiring a distributor to help get your product on the market overseas? You need a good contract. Working with a supplier? You need a contract. Almost every business needs a website and you will need Terms and Conditions and a Privacy Policy.
Having agreements that are drafted with your business goals in mind can help you avoid costly litigation and difficulties in business relationships in the long run. A good attorney will help you draft contracts that are reasonable and protect both your business and your relationships.
Step 9: Get Your IP in order
Many companies do not realize that their intellectual property (IP) rights can often be their most valuable asset. Few startups have portfolios of real property or vast quantities of retail inventory and other physical assets. What startups usually have are ideas, and ideas are valuable if they are properly protected. If you have a well-established business, you might not be aware of the value of the IP you currently own. Having an audit performed by an IP attorney can help make you aware of the value you have, find holes in your protection, and create a plan for the future.
There are five main types of intellectual property rights:
If you have questions about your IP inventory or how to monetize your IP assets, please reach out to us and have us help you realize your business’s potential.
Finding Help
There are a lot of things that business owners need to consider. These are some major issues we help people deal with so that they can focus on running and growing their business. This is our business and we love what we do. Please contact us if you have any questions or if you need a consultation. We want to help you succeed!
Streaming Music in your Business
/0 Comments/in copyrights /by Amanda OsorioIf you walk in to a local book shop, the corner bar, the Apple Store, or Target you will likely hear some sort of music playing. Music can help set the tone for your location and enhance your brand while your customers are in your establishment. If you have a brick and mortar business, there are some serious legal considerations you need to be aware of when playing music for your customers.
There have been many instances in the news recently of businesses being sued for Copyright infringement for streaming music without the proper license. Joe’s on Weed St. in Chicago is just one example. It is much cheaper to purchase the right license than to pay settlement costs or court ordered damages and legal fees if you get sued for copyright infringement.
Copyright law protects the artists, publishers, and owners of music. Copyright gives rights holders the exclusive right to copy, reproduce, distribute and license their works. Streaming services like Spotify, Apple Music, and yes even CDs and iTunes music you’ve “purchased” is not available for public performance. That means that it is illegal to play this music in a commercial establishment.
Limited License For Music
Here’s how it works… When you pay for a subscription or buy an album on iTunes or a record at the store, you do not actually buy the music. Your payment provides you with a limited license to use the music for personal enjoyment. That means, you can play it for yourself in your home or on your devices for your own personal use and with family and friends. If you want to be able to play music for the public, you need a Public Performance License (PPL).
Many small businesses think they can get away with playing Spotify for their customers but that is a potentially expensive mistake. Music licensing entities are very active in inspecting commercial establishments like shops, bars, and restaurants. Often you will get a letter demanding that you both cease playing the music and pay a fine or an estimate of the fee you should have paid for the PPL. If you do not comply they will have the option of filing a copyright infringement lawsuit against you in federal court. A copyright attorney can help you negotiate but this is something that is better to avoid in the long run.
Solution: Obtain a Public Performance License
What can you do? The best way to avoid problems, comply with the law, and help make sure artists, collaborators and producers get their fair compensation for their work is to obtain a Public Performance License (PPL). One option to obtain PPL licenses for the music you want to play from licensing organizations. There are three major organizations in the United States that license music: Broadcast Music, Inc. (BMI), American Society of Composers, Authors, and Publishers (ASCAP) and Global Music Rights (GMR). These are performing rights organizations that the songwriters, composers and publishers join. They have the ability to grant PPLs. This is helpful because it streamlines the process of having to purchase a license from each individual rights holder.
If purchasing PPLs, research which music you want to play and which organization the rights holders belong to. Because of the collaboration in the music industry you most likely will need a license from all of the organizations. There are also monthly reporting requirements to comply with for these licenses. Another option is to subscribe through a third party licensor like Spotify’s Soundtrack Your Brand service or CloudCover Music. These companies pay for the PPLs and then sell sub-licenses for a fee. You will want to make sure you comply with the terms and conditions of these services.
Overall it will be worth it to save yourself time and money upfront by purchasing licenses for the music you’d like to share with your customers versus facing a copyright lawsuit for illegal streaming. If you have received a letter regarding copyright infringement or just have some questions, contact Revision Legal.
Data Localization and Export: 2 Steps to Take Now
/0 Comments/in internet /by Eric MisterovichSome of the more perplexing issues in our data-driven world are the questions of data localization and export – that is, where data should be stored and how it can be moved. Up until recently, data and computer-housed information has flowed cross-border without much hindrance. In general, companies store data wherever it is convenient to store the information and move it around at will. Those practices are coming under fire. For example, a new law in China requires personal data to be stored “domestically.” See here. But what does that really mean in a world of cloud storage?
In another example, the US Supreme Court is set to decide whether a US-issued warrant can compel a US-based company to disclose data stored on servers located outside of the US. Moreover, the EU’s new General Data Protection Regulation (“GDPR”) also tries to tackle this complicated issue. These are complex issues and every business, both small and large, needs skilled and experienced internet law attorneys to help. Here is a quick primer.
Data Localization: Microsoft Case and Proposed New Laws
In the case of US v. Microsoft, the key issue is whether a US-issued warrant for information in a criminal case can be used to compel a US-based company, Microsoft, to provide copies of emails and other electronically-stored information housed on computers and servers located in Ireland. The underlying case concerns drug-trafficking. According to reports, Microsoft stores data on more than a million servers located in 40 countries. Given the constant flow of data and information, there is a legitimate question of where any given piece of data is located at any given moment. Is there truly a concept of “storage” or “stored”?
At the trial level in 2013, in response to the warrant, Microsoft tendered relevant emails that were stored on US-based servers, but sought to quash the warrant with respect to data stored on its Irish servers. Microsoft lost at the trial level, but the trial court was reversed by the Court of Appeals in Matter of Warrant Search Certain E-Mail, 829 F. 3d 197 (2nd Cir. 2016). See news report here.
The Court of Appeals held that, when enacting the federal Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701 et seq., Congress did not intend the SCA to have extraterritorial applications. To quote the Court: “Having thus determined that the Act focuses on user privacy, we have little trouble concluding that execution of the Warrant would constitute an unlawful extraterritorial application of the Act.”
If the standard is “Congressional intent,” then Microsoft may win the case before the Supreme Court. Indeed, at the recent oral argument of the case, Justice Sonia Sotomayor asked why the court should not wait for Congress to resolve the issue. A proposed law called the CLOUD Act has been introduced in the Senate by, among others, Sen. Orrin Hatch (R-Utah). The proposed law would require production of stored data in response to a valid warrant even if it is held outside the US. The proposed language amending the SCA is this:
“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody or control, regardless of whether such communication, record or other information is located within or outside of the United States.”
The proposed CLOUD Act would also allow companies to challenge application of the warrant where disclosure would place the company in violation of a foreign nation’s laws. As can be seen, the issue of data locatalizion and movement is complex.
Data Localization: China’s Cybersecurity Law
In related news and adding another layer of complication, compliance deadlines are now going into effect for China’s Cybersecurity Law (“CSL”). The CSL took effect on June 1, 2017; compliance with various parts of CSL were deferred until various dates throughout 2018 and full compliance is required by December 31, 2018. With respect to cross-border data transfer and data storage, as reported here, Article 37 of the CSL states:
“Personal information and important data collected and generated by critical information infrastructure operators in the PRC [People’s Republic of China] must be stored domestically.”
The CSL states that where it is “truly necessary” due to “business requirements” that the data is provided outside of the mainland, companies must follow rules and procedures formulated by various Chinese State information and security assessment departments. Unfortunately, the rules and procedures for moving the stored data have not been promulgated. Obviously, companies in and companies doing business with China are concerned with how Chinese authorities will define “truly necessary” and “business requirements.” Compliance with the domestic storage of China-based data takes effect on December 31, 2018.
Data Localization: EU’s GDPR
As might be expected, the EU’s new GDPR does not have a provision related to localization of data storage. Given the number of member states, that would be untenable. Likewise, given the linkages of the EU economy to the larger global economy, there is no within-EU data storage requirement.
With respect to data movement, in general, movement is free as long as the receiving nation or the exporting-receiving companies have sufficient standards for protecting the private, personal, and financial data. Thus, Article 44 of GDPR prohibits transfer of personal data to non-EU recipients unless the receiving country has laws providing adequate levels of protection for data (Article 45) or the data exporting-data receiving companies have appropriate, proper, and sufficient safeguards to protect the data from compromise (Article 46).
Two General Steps to Take Now
As noted above, every business handled private data. To handle current and future issues with data localization and data movement, a couple of simple steps should be taken now.
With these two steps taken, your business can begin to determine whether storage and movement comply with the applicable law(s).
Internet Law Attorneys: Contact Revision Legal
If you need more information about data localization, cloud storage or data movement laws and requirements, contact the dedicated and experienced Internet law lawyers at Revision Legal, a new kind of law firm serving a data driven world. We can be reached by email or by calling us at 855-473-8474.
You Might Also Like:
Stored Communication Act
Tips To Avoid Data Breach Litigation
Privacy Related News — Carpenter Case
GDPR
Yes, Your Business Needs A Data Protection Officer
Internet Law: Is Facebook Violating The TCPA Via Text Message?
/0 Comments/in internet /by Amanda OsorioThere a few cases percolating through the federal courts accusing Facebook of illegal robocalling via their automated text messaging. One example is Brickman v. Facebook, Inc., No. 16 Civ. 00751 (N.D. Cal. Jan. 27, 2017) which argues Facebook is violating the Telephone Consumer Protection Act.
Mr. Brickman claims Facebook sent an automated text message prompting him that it was the birthday of a friend of his. The message came to his cellphone number and sated: “Today is Jim Stewart’s birthday. Reply to post a wish on his Timeline or reply with 1 to post ‘Happy Birthday!’” While Brickman had given his phone number to Facebook (he was required to give his phone number), Brickman set his personal settings to “no text messages” from Facebook. Brickman sued Facebook alleging violation of the federal Telephone Consumer Protection Act (“TCPA”), which prohibits robocalling via use of automated dialing machines.
What is the Telephone Consumer Protection Act?
The Telephone Consumer Protection Act (TCPA) became law in 1991; now codified at 47 U.S.C. § 227. Essentially, the TCPA bans robocalling and gives the Federal Communications Commission (FCC) regulatory authority to create regulations. The TCPA prohibits companies or individuals from “mak[ing] any call (other than a call made … with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice …” The penalties are the greater of actual monetary loss or $500 per violation with treble damages where a violation is deemed willful or knowing.
TCPA Legal Principles: What is an Automated Call?
The TCPA came onto the scene just as cellphones and the internet enjoyed wider adoption. As such, key terms such as “automated” and “call” needed legal definitions. Generally, courts have taken the “if it walks like a duck…” approach to defining both terms. The case of King v. Time Warner Cable, 113 F. Supp. 3d 718 (S.D.N.Y. 2015) provides a good example. In that case, the plaintiff sued Time Warner, a national cable service provider, for making 163 automated calls to her cellular phone without her consent. Time Warner used an “interactive voice response” calling system. The system automatically dials the number associated with accounts more than 30 days past-due in the billing cycle. If the customer answers the call, the system plays a recorded message. If the call goes to voicemail, the recorded message plays and the system can call up to two additional times per day.
Time Warner argued that its system did not meet the definition of an automated dialing machine under the TCPA since the numbers called were not “randomly generated.” The court, however, rejected that argument by stating “The method is fully automated from start to finish” and noting that there was no human involvement at any stage of the customer selection, list compilation, or dialing processes. As for the random generation argument, the court found that the law does not require telephone numbers to be randomly generated or chosen, only that the system have “the capacity … to store or produce telephone numbers to be called.” And by that definition, Time Warner’s system met the standard of violating the Telephone Consumer Protection Act.
TCPA Legal Principles: Obtaining Consent
The final argument made by Time Warner was that the plaintiff had consented to the calls. Because to obtain service, Time Warner requires that all customers agree to its Terms of Service Agreement. Among the provisions is this one concerning consent:
This argument swayed the court and this consent provision was sufficient to absolve Time Warner of liability for robo-calling, but only up to the point where the plaintiff revoked her consent and told Time Warner to stop calling her. The evidence showed that the plaintiff revoked her consent at the 30th call; the court held Time Warner liable for the remaining 153 calls. The court noted that consumers have the right to revoke their consent to receive robocalls. Time Warner could have continued to call the plaintiff about the past-due bill, but had to do so manually. The court assessed treble damages against Time Warner.
Are Text Messages Like Calls?
With respect to Mr. Brickman’s case against Facebook, the question then becomes: Are text messages “calls” for purposes of the TCPA? The answer is yes. See Van Patten v. Vertical Fitness Group, LLC, 847 F. 3d 1037 (9th Circuit 2017). In that case, the plaintiff sued for robo-text messages, or “wireless spam” as he called it, from his fitness club. The plaintiff’s case was dismissed because he had consented to the text messages and had not revoked his consent.
However, before dismissing Mr. Van Patten’s claim, the court confirmed that text messages are “calls” for purposes of the TCPA. The court noted that TCPA does not contain a definition of a “call,” but that the FCC passed regulations in 2003 interpreting the TCPA to encompass text messages. Several courts have deemed that interpretation “reasonable,” and the 9th Circuit panel agreed.
How Will Brickman v. Facebook Turn Out?
Based on the foregoing caselaw, it looks like Facebook might be violating the TCPA with its Birthday text messages. But Facebook has marshalled a novel argument: The TCPA violates the First Amendment to the US Constitution. The TCPA has two exceptions where robo-calling without consent is allowed – emergency communications and certain messages from debt collectors. As such, Facebook argues that the TCPA requires a review of speech and/or communication — content — to determine if a violation has occurred. Because a review of the content of the messages is necessary, the TCPA violates the First Amendment. The Brickman court denied Facebook’s argument. The court held that the TCPA withstands strict scrutiny. A similar result was reached in Mejia v. Time Warner Cable, Inc., Nos. 15-CV-6445 (JPO), 15-CV-6518 (JPO) (S.D. New York August 1, 2017). The cases are on appeal.
Internet Attorneys: Contact Revision Legal Today
If you need more information on the Telephone Consumer Protection Act, contact Revision Legal. Internet law is at the core of Revision Legal’s practice. We are attorneys who know the business of internet law and have the skills and dedication to help your business succeed. We can be reached by email or by calling us at 855-473-8474.
You Might Also Like:
10 Data Security Management Tips to Prevent a Data Breach
2017 Data Breaches — Severity and Frequency On
Browsewrap and Clickwrap Agreements
Updated Guidelines for Online Endorsements
Import Businesses: Beware of FCC Regulations
Intellectual Property: 3 Tips For Architects
/0 Comments/in Intellectual Property /by Amanda OsorioAs an architect your designs combine creativity, technical skill, experience and your unique style. You provide your clients with a customized experience and your work product is one-of-a-kind. Whether you focus on residential or commercial, custom design or license plans in bulk, your work and your business need to be protected. Below are three intellectual property tips that will help you keep your business safe from those who might attempt to profit from your ideas and creativity.
Tip 1: Register your Copyrights
One of the most important things you can do to protect your intellectual property is to register your designs as architectural works with the US copyright office. Registering a copyright is a relatively easy and affordable way to not only protect your design but also put yourself in the best possible position for the future if someone does try to use your designs without your permission. US Copyright law protects the owners of copyright registrations by providing for increased damages awards and more options if your work is registered before someone copies it.
Tip 2: Draft Strong Licensing Agreements
You might have a great contract your clients sign when they engage your design services. You are clear about your fees and payment requirements as well as what the client should expect in the work product. But do you have a tight copyright license section? Have you had an IP attorney review your licensing agreements for you? Do you sell your designs online or in a publication? Making sure that your designs are being licensed to your clients not only protects your IP, it protects your clients and your reputation.
Tip 3: Think About Your Trademark
The name you use in business is your trademark. Your logo says a lot about your style and approach. These are essential to creating a strong business and brand. It is likely that your clients and potential clients recognize your style by your trademark. Your drawings likely have your name and logo on them. This is how you indicate to the public where your designs come from and the quality of product they are purchasing. Protecting your name and logo with a trademark registration is an essential part of helping your business thrive.
Contact an Intellectual Property Attorney
If you have questions about the state of your IP or for a consultation with an IP attorney, feel free to Contact Us today. We’d love to help protect your work and business.
Naming your Business, Naming your Baby
/0 Comments/in Trademarks /by Amanda OsorioAs a trademark attorney I often try to come up with good ways to explain the intricacies of the law to my clients. Whenever I work with a new trademark client we discuss ideas for naming their business and potential problems they might have in using a trademark and obtaining a registration. There are lots of things to consider when naming your business including the marketing, design, style, and legal aspects.
Also, I am currently expecting my first baby. As my husband and I consider different name options for the baby, we have had to look at each possible name from many different angles. Does it flow with our last name? Is there any significant meaning in the name? Do we both like it? How about the middle name? Should we consider family names? How does it sound in Spanish (my husband is from Honduras)? Our considerations go on and on. Everyday it seems like there is another thing to consider.
Picking a business name is a lot like picking a baby name. There are many different perspectives from which you have to evaluate the name. Business owners have to consider the marketing and design elements, their own personal feelings about the name and what they want to portray to consumers. Also, business owners have to consider whether their name is available for use and registration. You wouldn’t use your best friend’s baby name for your baby, you can’t use someone else’s trademark for your business.
Unlike naming your baby, naming your business without first clearing the name through a trademark attorney could result in serious legal, financial and business consequences. US Trademark law protects the rights of those who first use a trademark in commerce and obtain a trademark registration. A trademark lawyer can provide you with a clearance search, advice about trademarks, and help you file an application for trademark registration with the USPTO. We often help clients that have tried registering their mark with an online automated system.
Too often, clients come to us with trademark applications filed through automated services like trademarkengine.com or similar services. The price for such services looks too good to be true because it is. A trademark attorney with years of experience dealing with the Trademark Office can help you identify problems that you did not know existed. In most cases, it is important to identify these issues as soon as possible. Being forced to change your business name after a year in business is often a death sentence to a young company.
Unfortunately, we can’t help you name your baby but if you have any questions or want to schedule a consultation with a trademark attorney please Contact Us.