Technology Law Source

The Sedona Conference® Publishes International Principles on Discovery, Disclosure & Data Protection

Jay Yurkiw — Tue, 24 Jan 2012 07:52:39 -0600

The Sedona Conference® recently published the International Principles on Discovery, Disclosure & Data Protection (“International Principles”) through its Working Group 6 on International Electronic Information Management, Discovery and Disclosure. The Sedona Conference® launched Working Group 6 in 2005 to bring the most experienced attorneys, judges, privacy and compliance officers, technology-thought leaders, and academics from around the world to discuss the management, discovery, and disclosure of electronically stored information (“ESI”) involved in cross-border disputes. The publication of the International Principles comes in light of a number of U.S. court decisions over the last two years ordering the disclosure of information in U.S. litigation despite the existence of foreign privacy laws that otherwise would have prohibited such disclosure. See, e.g., EnQuip Technologies Group, Inc. v. Tycon Technoglass, S.R.L., 2010-Ohio-28, 2010 WL 53151 (Jan. 8, 2010).

The International Principles contain best practices and recommendations for addressing the preservation and discovery of “protected data” in U.S. litigation. Protected data broadly includes any information that must be safeguarded pursuant to federal, state, or foreign laws, or through other privacy obligations. Although focused primarily on the relationship between U.S. preservation and discovery obligations and the European Union Directive 95/46/EC, the International Principles are designed to apply whenever data protection laws or other privacy obligations conflict with U.S. preservation and discovery obligations. The International Principles also contain a model protective order for use with protected data as well as a cross-border data safeguarding process and transfer protocol to document the steps taken to comply with applicable privacy laws.

The International Principles encourage parties to examine whether their discovery requests and obligations present a conflict with any data protection laws. If a conflict exists, The Sedona Conference® maintains that the parties should try to avoid or minimize the conflict by limiting the scope of discovery, engaging in phased discovery, or limiting the production of protected data and metadata. The parties also should agree to a protective order or stipulation limiting the use and disclosure of protected data and to a plan setting forth the methodology by which protected data will be preserved, processed, transferred, and produced.

Interestingly, the sixth and final principle addresses how organizations should maintain their data before preservation and discovery obligations arise. This principle reinforces the importance of having strong records management policies in place and stresses that custodians of protected data should retain such information “only as long as necessary to satisfy legal or business needs.” The Comment to the Principle 6 states in part:

Many organizations worldwide have become electronic data hoarders. While the retention of paper-based information had tangible physical consequences and costs, it has become relatively inexpensive and more expedient to expand storage capacity rather than to apply records management lifecycle discipline to ESI. There are numerous direct and indirect costs and risks associated with unbridled accumulation and retention of data. Legal risks may also arise, especially in the context of data protected by Data Protection Laws, in the over-retention of information.

The Comment further encourages organizations to implement data privacy and data protection technologies and procedures and to collect personal data with data protection in mind, e.g., “privacy by design,” to lower the costs and risks relating to data protection.

A copy of the International Principles publication is available here.

Data Protection in Social Networks

Christina Hultsch — Mon, 12 Dec 2011 07:53:34 -0600

In a statement published on December 8, 2011, the Association of German Data Protection Agencies known as the “Duesseldorfer Kreis,” (“DK”) issued an opinion summarizing the minimum compliance criteria for operators of social networks in Germany:

Transparent privacy policy and informed consent are essential for protecting the right to data privacy
Opt-out solutions are insufficient, all privacy settings must be on the basis of opt-in selections
Users must have simple access to their stored personal data
Facial recognition features require express, confirmed consent
No tracking profiles without the informed consent of the user
Obligation to delete data after the termination of the membership
Social plug-ins on the websites of German operators are not compliant with data protection laws unless they are covered by informed consent and provide the opportunity for the user to prevent the data transfer
Social networks must protect user data through implementation of suitable privacy controls; operators must be able to demonstrate that such measures were taken
Minors require particular protection and information regarding the processing of personal data must be easily comprehensible to them
Social networks located outside the EEA must nominate an agent in Germany who serves as the contact person for the DPAs

The opinion, however, is not limited to this rather generic list of minimum requirements. Instead, it takes the opportunity to address two of the most pressing issues which have dominated the discussion of social networks and their commitment to data privacy over the past several months.

In August we reported that a German Data Protection Agency (Unabhängiges Landeszentrum für Datenschutz in Schleswig Holstein, “ULD”) threatened to impose fines on all website owners who refused to remove social plug-ins, and especially the like-button, from their websites. The topic has become an issue of extensive substantive discussion[1], with the majority of the opinions rather critical of the approach and hinting, more or less directly, at a certain degree of overzealousness on behalf of the ULD. The main complaint is directed at the insufficiency of the ULD’s legal analysis which ignored many of the unsettled areas of privacy law, especially with regard to whether IP addresses constitute personal data under the Federal Data Protection Act. The DK opinion now offers an unconditional statement of support by declaring all social plug-ins as noncompliant with the law. The opinion holds the website owners responsible for the content of the data processed through social plug-ins and tells website owners to stay away from the like-button unless the website owner has a clear understanding of the scope of the data processing and transfer that could result from such a plug-in. This opinion comes as a surprise in light of the recent study published by the German Bundestag, which was remarkably direct in its criticism of some of the ULD’s legal conclusions. Whether the DK opinion will provide the ULD with the vindication it needed to enforce the threatened fines of up to €50,000 remains to be seen. To date, the Facebook like-button remains a prevalent feature of most business and even the Schleswig-Holstein government page is still asking users to endorse the website via social plug-ins.

Just last month, another German DPA attacked Facebook directly over its biometric database and the company’s refusal to obtain retroactive user consent. That the storage of user photos in a database to create a facial recognition feature is a legitimate issue of data privacy has been universally recognized. The legal discussion in Germany regarding this issue is mostly jurisdictional, with Facebook asserting that it is not subject to the German data privacy laws. The DK opinion, without addressing the Facebook situation directly, flat-out rejects this argument. Unless the social network is actually operated from within the European Union, simply forming a subsidiary in an EU member state is considered insufficient to limit jurisdiction to that particular country. Instead, German data protection laws shall apply to processing of all personal data derived from users located in Germany, according the DK opinion.

While it is difficult to predict the impact this opinion will have on how the individual Data Protection Agencies proceed against perceived violations of data privacy laws within the world of social networks, it is highly unlikely that it will create sufficient pressure to result in any settlement agreements similar to the one entered into with the Federal Trade Commission and Facebook.

[1] Including a 90min panel discussion in German with a member of the ULD

IMPACT: Measuring the Loss of Brand and Business Reputation after a Data Breach

Donna Ruscitti — Wed, 23 Nov 2011 12:10:19 -0600

Brand and business reputation suffer following a data breach. A recently released survey puts some numbers to the losses and shows just how much that damage can be, with breach of customer data being the most costly. The study, independently conducted Ponemon Institute LLC and sponsored by Experian® Data Breach Resolution, is believed to be the first study to compare the impact of the loss of confidential customer or employee information and sensitive business information with loss of brand and business reputation.

The study surveyed 843 senior-level persons with in-depth knowledge about their companies brand and reputation management objectives. Some of the highlights found, and resulting key take-aways from the study are:

With an average economic value of corporate brand or reputation at $1.5 billion (ranging from less than $1 million to greater than $10 billion), the average loss in the value of the brand ranged from $184 million to more than $330 million, depending on the type of information lost in the breach.
As a percentage of annual gross revenues, the economic value of corporate brand or reputation ranged from less than 10% to greater than 5 times annual gross revenue, and depending on the type of information lost in the breach, the value of brand and reputation could decline as much as 17% to 30%.
Reputation and brand image are inextricably linked.
In some cases it can take longer than a year to restore reputation and brand image.
Some breaches are more devastating than others, with breach of customer information being most devastating.
82% of the respondents stated their organizations had a data breach involving sensitive or confidential customer information, on average, 2.7 breaches in the past 2 years. 76% say the customer data breaches had a significant or moderate impact on reputation.
Before having a data breach, less than 50% had incident response plans in place for customer data breaches; after a breach over 75% put a plan in place.
What you should do: respondents strongly believed the top two steps in responding to data breaches are: (i) conducting investigations and forensic evaluations; and (ii) working closely with law enforcement. Following those two steps: (iii) immediately respond to the incident, (iv) protect those affected from potential harms such as identity theft; and (v) conduct employee training and awareness programs.

As a lawyer who counsels clients in these matters, I'd also suggest now is the time to:

Review and update your data breach response plan.
If you don't have one, do one now!
Make sure you are in compliance with the laws enacted in 33 states with respect to protection of social security numbers.
Make sure you are in compliance with the laws enacted in 10 states regarding security for personal information.

To access the study, click here: http://www.experian.com/data-breach/reputation-impact-study.html.

Will Facebook soon be privacy-friendly?

Christina Hultsch — Wed, 23 Nov 2011 02:00:25 -0600

FTC Audit Agreement
According to various news reports, Facebook and the FTC are about to enter into an agreement which will subject Facebook to privacy audits for the next 20 years. The agreement will apparently require Facebook to obtain prior express consent before making public any information to which the user had granted limited access only. The agreement is a direct response to complaints over the changes Facebook made to its privacy policy in 2009, when previously private information became accessible to the public and users had to take active steps in order to return to their accustomed privacy settings.

Since 2009, the importance of data privacy has gained much broader recognition, and privacy advocates will likely celebrate the FTC agreement as a victory. Facebook’s reluctance, however, to show adequate consideration for the concerns raised by European data protection agencies suggests that celebrations may be premature.

Considering what made Facebook’s business model so successful, it is hardly surprising that Facebook would be reluctant in addressing European privacy concerns. It will likely always be a struggle to reconcile the business model built on a global platform with 800 million users publicly sharing information with the right to the protection of personal data granted by Article 8 of the Charter of Fundamental Rights of the European Union. Two recent press releases by a German data protection agency highlight these conflicts.

Purpose and Function of Cookies
On November 2, 2011, the Hamburg Commissioner for Data Protection and Freedom of Information released the results of an investigation related to Facebook’s use of cookies. According to Facebook, these cookies serve as security mechanisms to allow the restoration of passwords or to prevent children from creating accounts. The investigation report (which, in its German version, can be downloaded here) demonstrated that these goals were accomplished only to a minimal extent in relation to some purely optional functions and only if the functions were set accordingly by the user.

From these results, the agency concluded that the cookies likely served, for Facebook, a different primary purpose altogether—namely to create tracking profiles of Facebook users. Should this suspicion be confirmed, and provided that German law is applicable to Facebook, the company would be in violation of the German Telemedia Act (“TMG”). Despite Facebook’s assertion that it does not fall under the jurisdiction of the TMG, it has nonetheless indicated a willingness to discuss the underlying technical processes and the Commissioner appears cautiously optimistic that a solution can be reached which will comply with the German data protection laws, including the TMG.

Facial Recognition
The most recent press release, again by the Hamburg Commissioner for Data Protection and Freedom Information, was issued on November 10, 2011 and addressed Facebook’s biometric database. Facebook is using a facial recognition feature which, according to the Commissioner, requires express user consent in order to comply with German and European data protection laws. The feature which Facebook calls “tag suggestions” uses a face-mapping technology to identify individuals in photos on the site.

To address the compliance issues raised by the agency, Facebook and the Commissioner discussed the implementation of a procedure through which Facebook could obtain valid, informed consent. Following the familiar pattern of past exchanges, Facebook entered negotiations on the premise that it was in full compliance with EU law, insisting that its current practice of an opt-out check box provided easy and sufficient notice to its users about the tag suggestions and individual user ability to disable the feature.

Not surprisingly, German authorities did not agree with Facebook’s assessment of current compliance and expressed concern especially related to those users whose biometric facial characteristics were incorporated into the database prior to the introduction of the feature. Any opt-out solution offered by Facebook would only apply to future use of the facial recognition feature and not address the need to obtain the retrospective, explicit and informed consent, which the German authorities clearly consider a prerequisite to meeting EU privacy law standards.

While negotiations are currently at a stand-still, it seems that the German authorities ought to be able to take advantage of the timing and content of Facebook’s pending FTC settlement. The proposed FTC terms mirror the Working Party’s Consent Opinion to a remarkable degree as both focus on the data subject’s right to limit the scope of the collection and processing of personal data. If Facebook promises to the FTC that it will first obtain user consent before exposing previously collected data to a broader audience than initially intended by the user, the company must also acknowledge that, under EU privacy law, the same consent procedure is required for the introduction of features such as facial recognition.

Obviously, the Commissioner’s request that Facebook obtain retrospective consent is much more extensive than the purported FTC agreement. The burden associated with tracing all (approximately 20 million people) whose pictures were allegedly added prior to the introduction of the feature is onerous enough to explain Facebook’s unwillingness to negotiate. One has to wonder, however, whether the current impasse is not an indicator of more comprehensive developments in the relationship between Facebook and the German data protection agencies and whether both sides are finally preparing to square off in court.

Prioritized Examination of Patent Applications Under Leahy-Smith America Invents Act

Martin Miller — Wed, 02 Nov 2011 14:23:44 -0600

The Leahy-Smith America Invents Act ("AIA") was enacted on September 16, 2011. The changes implemented by this Act are wide-ranging and significant, and different provisions have different effective dates, with many taking effect September 26, 2011, September 16, 2012, or March 16, 2013. We will be providing additional information in the coming weeks and months.

One of the more immediate and interesting aspects of the AIA is the creation of a prioritized examination process which allows applicants to request accelerated examination in exchange for payment of an additional fee. While the U.S. Patent Office had proposed to implement accelerated examination earlier in 2011, that proposal was suspended due to funding limitations. Not only does the AIA now explicitly provide for prioritized examination, it also mandates that the additional fees paid for prioritized examination are automatically credited to the Patent Office's appropriation account—thus providing the additional funding needed for implementation.

Normally, patent applications are examined in the order they are received. While it varies greatly by technological area, on average it currently takes 28 months for the U.S. Patent Office to issue a first office action. The new prioritized examination track, on the other hand, is intended to result in a notice of allowance or final rejection within 12 months of prioritized status being granted. In theory, the first office action should therefore issue within about 6 months from the application filing date—almost two years sooner than is typical under the normal examination track.

So what's the catch? Perhaps the biggest is the additional fees required for prioritized examination: $5,230 (reduced to $2,830 for small entities). That's in addition to the normal application filing fees. Thus, the total fee due on filing an application for which prioritized examination is requested is $6,480 ($3,360 for small entities), not including any excess claim or application size fees.

Prioritized examination is only available for original utility or plant patent applications filed on or after September 26, 2011. However, for applications pending prior to that date, it is possible to file a continuation or divisional application and request prioritized examination of that application. Additionally, while prioritized examination is not available to a national stage entry of a PCT application, it is available for a continuation application claiming priority to a PCT application which designates the United States.

In addition, the application must be complete on filing (including the request for prioritized examination, acceptable drawings and payment of all applicable fees), must be filed electronically, and must contain no more than four independent claims or thirty total claims. During prosecution, an application will lose its prioritized examination status if: (1) an amendment results in more than four independent claims or thirty total claims; (2) a petition for an extension of time is filed; or (3) a notice of appeal or request for continued examination is filed.

It is unclear how many applicants will take advantage of prioritized examination, or whether or not the U.S. Patent Office will be able to consistently meet its goal of completing the examination process within 12 months. Because of these uncertainties and the continuing need to hire additional patent examiners, the prioritized examination program is limited to 10,000 applications during at least the first year of implementation.

What's next in EU data protection?

Christina Hultsch — Tue, 25 Oct 2011 08:02:25 -0600

The Article 29 Working Party outlined its agenda for 2012 at a recent plenary meeting in Brussels. Not surprisingly, the top priority is a new legal framework for data protection. But other topics, some of interest for US data protection developments, were discussed as well.

Revision of the EU data protection framework: To ensure that EU data protection authorities can consistently apply the EU data protection rules, the revisions to the current Data Privacy Directive will emphasize harmonization efforts to advance the cooperation and coordination between the various authorities.
WADA: The EU has ongoing concerns related to the current legal framework and the protection of athletes’ personal information. The EU Commission, supported by the Working Party, will provide comments to the proposed revision of WADA’s World Anti-Doping Code, which is planned for 2013.
Cooperation with the European Network and Information Security Agency (ENISA): The Working Party and ENISA share common interests with regard to data breach notifications and will intensify their cooperation.
EU Agency for Fundamental Rights (FRA): While the discussion addressed projects of the near future such as redress mechanisms and the publication of a Handbook on European data protection case law, FRA has long been critical of Passenger Name Record (PNR) data transmissions and a cooperation with the Working Party may suggest that the use of PNR will come under scrutiny again.

Whether the newly harmonized EU data protection rules will be a curse or a blessing for US companies doing business in the EU remains to be seen. Frustration by certain EU member states over a lack of cooperation between the national data protection authorities is undoubtedly a driving force behind this recent development and, as a result, the current practice of concentrating business operations in the jurisdiction with the least onerous data protection laws may soon come to an end. But if the closing of national loopholes is mitigated by a uniform application of data protection principles, it may be a worthwhile sacrifice.

ISSA Social Media Summit - Social Media and Legal Risk

Donna Ruscitti — Tue, 11 Oct 2011 11:13:46 -0600

Porter Wright attorney Justin Root will present “Social Media and Legal Risk” as part of the Information Systems Security Association (ISSA) Columbus Chapter's Social Media Summit on October 19, 2011 in Worthington, Ohio. More information is available at http://centralohioissa.org/. ISSA is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.

Act now to prevent use of your trademark with the new adult entertainment industry TLD

Robert J. Morgan — Tue, 04 Oct 2011 09:57:16 -0600

A new top level domain will soon be available for use by adult entertainment providers. In order to address concerns from trademark owners not in the adult entertainment industry, a sunrise reservation period has been established to enable trademark owners to reserve or "block" the new adult entertainment industry domain names that correspond to their registered trademarks. The period for trademark owners to reserve such domain names runs through October 28, 2011.

Blocking the use of .xxx domain names that correspond to registered trademarks will help prevent third-parties from exploiting these trademarks in connection with adult themed entertainment and will help to avoid costly future domain name disputes.

During the initial application period, only .xxx domain names that correspond to the complete textual components of the registered mark can be blocked. Reservations can be based only on trademarks registered prior to September 1, 2011. If the trademark upon which the reservation was based is later cancelled or otherwise invalidated, the domain may be released.

All applications to block .xxx domain names will be assessed at the same time so that no priority is given for applying early in the initial application period.

If successfully reserved, the .xxx domain name will resolve to a standard informational page indicating the status of the name as reserved. The WHOIS information for reserved names will list the .xxx registry as the domain registrant (not the trademark owner).

Fees for reservation depend on which accredited registrar is used to complete the process. The list of accredited .xxx registrars can be found here: http://www.icmregistry.com/registrars/.

Additional information can be found here: http://www.icmregistry.com/launch/sunrise-b/.

We are familiar with the requirements for the process and would be happy to assist you with protecting your brand against its use in a .xxx domain name. If you would like to learn more, please contact me at rmorgan@porterwright.com or at (614) 227-2186.

Still think consent is easy?

Christina Hultsch — Tue, 23 Aug 2011 13:02:12 -0600

In my last entry I stressed the importance of complying with the various consent requirements hidden in European data protection laws. To prove my point and to illustrate further the high standards imposed by the German Data Protection Law, a regional German DPA (das “Unabhängige Landeszentrum für Datenschutz” in Schleswig Holstein or “ULD”) has taken aim at Facebook’s data privacy practices by sending cease and desist letters to all website operators located in the area who incorporate the “like” button and other Facebook plugins on their pages. Operators have until the end of September to deactivate these features or face up to € 50,000 in fines.[1]

Despite asserting its inability to do so, ULD’s legal analysis[2] attempts a comprehensive study of Facebook’s data privacy policies and, as a result, appears to lose sight of the core issue which formed the basis for this enforcement action. ULD claims that website operators who incorporate Facebook plugins illegally transfer data to the U.S., yet the discussion of Facebook’s Safe Harbor Certification is restricted to one footnote.

Nonetheless, the opinion provides valuable insight into a typical DPA consent analysis and highlights common mistakes that will likely invalidate the consent obtained from the data subject. ULD analyzes the amount and quality of information provided to potential Facebook users during the registration process and concludes that the current method is not even remotely sufficient to justify the processing of personal data provided by Facebook users. Sheer mass is no substitute for the quality of information required to create valid consent, and ULD chastises Facebook for a blatant lack of clarity and transparency. The opinion further criticizes that the provided information is not only deliberately vague, but also incomplete as it excludes certain forms of data processing.

Even if this particular action is tailored specifically to curb Facebook’s insatiable appetite for collecting personal data, other U.S. companies are well advised to consider the message sent by ULD’s enforcement action and review their consent procedures, regardless of whether they have a physical presence in the European Union. Data privacy and protection is quickly becoming a global issue and the lack of EU jurisdiction just means that DPAs will seek alternative ways to punish U.S. companies for violations of EU data privacy laws. In a novel approach, Facebook is being targeted through the prosecution of its business partners located within the EU, and ULD is obviously confident that the pain inflicted on the website operators will create sufficient momentum to cause a change in Facebook’s privacy policies.

[1]https://www.datenschutzzentrum.de/presse/20110819-facebook.htm, an English version of the letter can be found at https://www.datenschutzzentrum.de/presse/20110819-facebook-en.htm

[2]https://www.datenschutzzentrum.de/facebook/facebook-ap-20110819.pdf

Basic Principles of European Union Consent and Data Protection

Christina Hultsch — Mon, 25 Jul 2011 14:01:16 -0600

Any US company that receives data about individuals living in the European Union must be familiar with the basic principles of consent and data protection within the EU to avoid costly mistakes that are easily made in obtaining consent, should the validity of such consent be challenged by the EU data protection agencies. While certain exemptions may apply that allow receipt of data into the US without consent, companies need to analyze their receipt of such data in light of the new consent opinion discussed below.

The constant collection, processing and transfer of personal data broadly defined in the EU as any information relating to an identified or identifiable person, [1] has become an overwhelming feature of modern society, both on-line and off-line. Contrary to law in the US, in the EU, obtaining the consent of the individual (the “data subject”) has always played a key role in the European Union’s data protection efforts.

The Article 29 Data Protection Working Party, an independent European advisory body on data protection and privacy, issued an opinion in July, 2011 addressing the consent principles currently in place as well as providing insight into a possible and likely expansion of consent requirements. (The opinion was published, coincidentally or not, immediately after the expiration of the deadline which requires EU member states to transpose the so-called “Cookie Directive" which serves the purpose of ensuring that a data processor obtain the individual’s consent each and every time a cookie is placed on a computer.[2])

Consent by the data subject is just one of various legal grounds permitting the processing of personal data within the EU member states and the transfer of such information to third countries which possess an inadequate level of data protection. The EU still considers the United State’s data protection standards to be insufficient and US companies must therefore rely on various exemptions, including consent, in order to import any personal data from the European Union.

The Working Party’s opinion scrutinizes the current practice of using default settings to create consent by silence or inactivity and ultimately concludes that a silent consent by accepting the default setting of a pre-ticked box should not qualify as unambiguous. If this opinion prevails, which is very probable due to the frequent reliance on Working Party opinions by the legislature as well as the courts, the current opt-out mechanisms will no longer suffice as a method of establishing valid consent.

To avoid any unpleasant surprises further down the road when a data protection agency scrutinizes the validity of the consent in place, companies should carefully consider the following:

Consent does not negate a data processor’s general obligation to adhere to the principles of proportionality, data quality, fairness and necessity. Regardless of the subject’s consent, excessive data collection is never permissible!
Consent is to be viewed in relation with other processing and transfer exemptions and companies must evaluate whether other grounds exist for the lawful collection and transfer of data. The most appropriate legal ground should be chosen for justification of the transaction and used in the right context. The Working Party suggests that consent often may not be available if other grounds exist. If the processing/transfer could have been performed based on a different ground, asking an individual for his consent could be considered misleading or inherently unfair.
For data transfers to a non-EU country, consent can only be requested for one distinct transaction. It cannot provide an adequate long-term framework for repeated or structural data transfers.
An employee’s consent will not be considered valid if it was not possible for the employee to refuse without a real or potential relevant prejudice arising from not consenting. This holds true even if the request for consent was made as a condition of employment. The rationale for such an expansion can be found in the fact that nearly all employers now impose the same or similar pre-employment condition of consent.
Consent can always be withdrawn. With the exception of the processing of location data under the e-Privacy Directive, there is no specific provision explicitly allowing for the withdrawal of consent. Such a right has nonetheless been uniformly accepted through case law and Working Party opinions. The current opinion expands on this concept and suggests as a matter of best practices that data processors regularly review the data subjects’ choices and approach the data subject to offer an option for confirming or withdrawing the consent.
The complexity of data processing places a burden on data controllers to put in place procedures that show consent has been verifiably obtained from the data subject.

When processing sensitive personal data such as health records or data related to a person’s age, race, religion, political beliefs, etc., the consent must be explicit. The data subject must take some positive action to signify consent and must be free not to consent. This requires an active response, which can either be oral or in writing. While the question of whether passive or silent consent can be unambiguous remains to be fully determined, there is absolutely no doubt that an opt-out process, such as the presence of a pre-ticked box, clearly fails the requirements for explicit consent. To obtain explicit consent, a data processor must provide an opt-in method to elicit a positive statement from the individual.

Attribution for the citations in this post are as follows: © European Union, http://eur-lex-europa.eu. Only European Union legislation printed in the paper edition of the Official Journal of the European Union is deemed authentic.

[1] Article 2 Definitions. For the purposes of this Directive: (a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

[2] Article 5(3) shall be replaced by the following: Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/ 46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF

Discovering Ensnarement

Isaac Molnar — Tue, 24 May 2011 10:01:06 -0600

Ensnarement is a powerful defense in any patent case where the doctrine of equivalents is at issue. It's time for defendants to "discover" this under-utilized defense. Despite litigating numerous doctrine of equivalents cases, I've only litigated one case where an ensnarement defense was vigorously asserted.

Ensnarement, seminally set forth in Wilson Sporting Goods, prevents a patentee from claiming a range of equivalents that "ensnares" the prior art. To make that determination, the original claim is redrafted as a hypothetical claim by replacing certain claim terms with the asserted equivalents. As a result, the hypothetical claim literally encompasses the claimed product. In DePuy v. Medtronic, e.g., the claim term "spherically-shaped portion" was replaced with "conically-shaped portion" in the hypothetical claim because the accused product included a conically-shaped portion. The relevant question is then whether the hypothetical claim is allowable over the asserted prior art. If the hypothetical claim is not allowable, then there is no infringement because the asserted range of equivalents "ensnares" the prior art.

Two features of ensnarement make the defense particularly powerful. First, ensnarement is a question of law. In DePuy, the district court held a separate bench trial on the issue of ensnarement after the jury trial (See DePuy, 526 F.Supp.2d 126). The Federal Circuit affirmed the propriety of the court's ensnarement proceeding, holding that ensnarement is a question of law like any other limitation on the doctrine of equivalents. Second, the defendant merely bears the burden of producing prior art to challenge the hypothetical claim; the patentee bears the burden of establishing that the hypothetical claim is patentable. This is in stark contrast to the clear and convincing standard that a defendant must meet to establish invalidity.

Ensnarement, then, effectively allows a defendant two chances to win with its invalidity arguments. A defendant should request a "DePuy Hearing" after the trial if there is a finding of infringement under the doctrine of equivalents. At that hearing, defendant can re-raise its same basic invalidity arguments because ensnarement and invalidity have significantly different burdens and ask different questions (patentability of the hypothetical claim vs. validity of the original claim). The second bite at the apple could prove invaluable. As an example, a court is unlikely to grant defendant's JMOL on anticipation or obviousness if the question is close. With an ensnarement defense, though, the "close call" should go to the defendant, and "close calls," of course, are far easier to assert post-KSR. Further, from the Court's perspective, a finding of ensnarement may be a better option because it is more likely to withstand appeal than a grant of JMOL on a jury verdict of validity. From a defendant's perspective, whether the patent is invalid or the prior art ensnared is typically of no significant consequence. Thus, in any case where infringement is based on the doctrine of equivalents, defendant should assert an ensnarement defense and request a "DePuy Hearing" on the issue.

Best Mode Requirements Apply To Each Inventor

Isaac Molnar — Mon, 02 May 2011 14:06:43 -0600

A decision issued by the Federal Circuit April 29, 2011 offers a lesson for patent prosecutors to talk to each named inventor about what they consider to be the best way of practicing their invention. Though anti-intuitive, it is possible to have multiple best modes. In Wellman, Inc. v. Eastman Chemical Co. (Fed. Cir. 2011), the Federal Circuit has held that the best mode requirement of 35 U.S.C §112 applies to each named inventor (as opposed the inventors collectively). The statutory language on this point is less then clear as §112 requires disclosure of the best mode "contemplated by the inventor." The issue is whether "the inventor" refers to a single best mode contemplated by all the named inventors or whether "the inventor" refers to each and every inventor, thereby allowing for the possibility of multiple best modes for a patent. In addition, the term "best mode" suggests only one mode per patent. Up to this point, Federal Circuit precedent was also unclear on the issue. The only Federal Circuit decision addressing this issue supported the latter position, but did so in dicta in a footnote. See Pannu v. Iolab Corp., 155 F.3d 1344, 1351 n.5 (Fed. Cir. 1998). However, multiple Federal Circuit decisions have used loose language that supports the former position, though those decisions weren't presented squarely with the issue.

In Eastman, the Federal Circuit adopted the dicta in Pannu and held that "best mode issues can arise if any inventor fails to disclose the best mode known to him or her." In Eastman, one of the inventors had testified that a certain recipe for PET resins was, in his mind, the best resin available at the time the application was filed. The patentees, however, choose to maintain that recipe as a trade secret rather than specifically disclose it in the patent application. Instead, the patent "hides" the best mode by disclosing broad ranges for certain elements that technically encompass the best mode recipe, but which failed to enable a person of ordinary skill to practice the best mode. Significantly, the patent actually "leads away" from one critical element through statements about "typical" and "preferred" properties within a range that the actual best mode compound does not have.

The lesson of Eastman for patent prosecutors is to talk to each named inventor about what they consider to be the best way of practicing their invention. Though anti-intuitive, it is possible to have multiple best modes. Further, if you're dealing with a chemical patent, it's much safer to directly disclose the actual best mode, but if you opt to use "ranges" to make the required disclosure, the best mode must be enabled.

Two final comments. First, Chief Judge Radar found that "Wellman intentionally concealed the best mode." Perhaps we will find out if intentional concealment of the best mode is a sufficient predicate for an inequitable conduct defense. Second, Patent Reform (addressed in this post), removes the best mode requirement from 35 U.S.C § 112. So, it's possible that this may be the last significant best mode decision.

Track One Expedited Patent Examination Program Postponed

Jim Liles — Thu, 21 Apr 2011 14:50:24 -0600

According to a message to USPTO Employees from Director David Kappos, the Track One expedited patent examination program (discussed in this earlier post), scheduled to go into effect on May 4, 2011, is postponed until further notice. As reported in Hal Wegner's newsletter, the cancellation is due to budgetary cuts and whether and when prioritized examination may be reinstated is unclear.

New Fast Track Examination at the USPTO

Holly Kozlowski — Wed, 13 Apr 2011 14:09:02 -0600

Beginning May 4, 2011, a US patent applicant can request prioritized or "fast track" examination at the USPTO under the newly promulgated "Track 1" procedure of 37 C.F.R. 1.102(e). To obtain the Track 1 prioritized examination, the following conditions must be met when the application is filed: (1) the application must be an original utility or plant non-provisional application (i.e., this procedure is not available for international national stage entry applications, design applications, reissue applications, provisional applications, or reexamination proceedings, but is available for continuation and divisional applications, including a continuation application of an international application designating the US); (2) the application must be filed with an executed inventor oath or declaration and all applicable filing and publication fees; (3) the application must not contain more than four independent claims, more than thirty total claims, or any multiple dependent claims; and (4) a request for prioritized examination must be filed together with a $4000 filing fee and a $130 processing fee. Currently, there is no reduction in the $4000 fee for small entity applicants.

The USPTO indicates that it will only grant a maximum of 10,000 application requests for prioritized examination in fiscal year 2011, which concludes September 30, 2011.

Once an application is granted the prioritized status, the application will be placed on the examiner’s special docket throughout its course of prosecution until a final disposition is issued. A “final disposition” is defined to mean (1) mailing of a notice of allowance; (2) mailing of a final Office action; (3) filing of a notice of appeal; (4) declaration of an interference by the Board of Patent Appeals and Interference (BPAI); (5) filing of a request of continued examination; or (6) abandonment of the application.

A word of caution: If an extension of time is taken for any response, prioritized examination will be terminated. Also, prioritized status will be lost if the application is amended to include more than four independent claims, more than 30 total claims, or any multiple dependent claims.

The USPTO's goal for Track 1 applications is to provide a "final disposition" within 12 months of prioritized status being granted. However, this is a goal, not a guarantee!

Is Patent Reform Finally On Its Way?

Rick Mescher — Thu, 24 Mar 2011 08:54:51 -0600

There was much excitement when the U.S. Senate overwhelmingly passed (95–5) the America Invents Act (formerly titled the Patent Reform Act of 2011) (S.23 or AIA), on March 8, 2011. The America Invents Act This legislation represents a major patent reform initiative that has been under congressional debate for at least six years and is quite possibly the most significant patent reform since the 1952 Patent Act. This legislation rewrites, among many other things, who is entitled to a patent when two or more entities seek protection for the same invention, when prior art is available for novelty and nonobviousness determinations, and what is available to a third party who wants to oppose a patent.

First-to-File: When two or more entities seek patents for the same invention, current law awards the patent to the entity that can prove it was the first to invent. Under the AIA, the patent would be awarded to the first-to-file a patent application. Proponents argue that this is more efficient because it eliminates costly and time consuming procedures called interferences and aligns U.S. law with other industrialized countries. Opponents argue that this favors large companies over small companies and independent inventors who do not have the resources to win a race to the patent office. To somewhat address these concerns, the AIA allows for a derivation claim (either in court or the Patent Office) when the first-filer “derived” their claimed invention from the other. Even with these derivation claims, however, the AIA appears to favor large companies who are active in patenting innovations.

Importantly, the AIA does not include any provision for prior user rights. Current law has limited prior user rights in that a prior user who is sued for infringement may be able to invalidate that patent by claiming prior invention. That option is eliminated in a first-to-file system leaving a prior user potentially liable for infringement. This is particularly a concern for business methods and software because many companies have considered their business method and software innovations either unpatentable or better protected as a trade secret. Without prior user rights, a company can be liable for patent infringement for continuing to use an innovation that they have been using for years as a trade secret. This lack of prior user rights could be very problematic for industries such as the financial industry and the software industry. The AIA temporarily adds a limited proceeding to challenge business method patents within the patent office but this will be of little help if all of the accused company's prior use was secret.

Novelty/Nonobviousness: In order to obtain a patent, an invention must be novel and nonobvious. The AIA rewrites Sections 102 (novelty) and 103 (nonobviousness) of the Patent Act. Current Section 102(a) denies a patent when prior art shows the invention was known to others prior to the patent applicant's invention date. The AIA moves up the focus to the patent applicant's filing date and whether prior art existed before that date. This expands the scope of potential prior art and may make it more difficult to obtain a patent. Current Section 102(b) bars a patent when there is prior art of the inventor or others disclosed more than a year before the patent applicant's filing date. This creates a grace period for pre-filing disclosures but prevents the patent applicant from waiting more than a year to file a patent application. The AIA only applies this grace period to pre-filing disclosures of the inventor or pre-filing disclosures derived from the inventor. Thus, the grace period no longer applies to independent disclosures by others. This also expands the scope of potential prior art and may make it more difficult to obtain a patent. The AIA also rewrites Section 103 (nonobviousness) to deny a patent when the invention is obviousness as of the patent applicant's filing date rather than “at the time the invention was made” per the current Section 103. This yet again expands the scope of potential prior art and may make it more difficult to obtain a patent.

Third Party Participation: When the public is aware of prior art that may prevent the issuance of a patent, current law has a very narrow window of two months after publication of the application to submit the prior art to the Patent Office. In some cases, a patent application is not published and thus there is not an opportunity for the public to submit prior art. The AIA permits the public to submit prior art to the Patent Office at any time. This change has little opposition. The AIA also creates a post grant review and an inter partes review for third parties to oppose issued patents. These proceedings would replace the current reexamination system within the patent office which is limited to addressing patentability issues raised by prior patents or printed publications. The post grant review permits a third party to raise any issue of patentability at the patent office within nine months of the issuance of the patent. The inter partes review permits a third party to raise prior patent or printed publication issues after nine months of the issuance of the patent. Opponents believe that these changes do not go far enough to provide a viable alternative to litigation that is fair to both parties.

Initial excitement upon passage by the U.S. Senate appears to be waning as anticipated quick action in the U.S. House of representatives appears unlikely. Initial hearings by the House Judiciary Committee Subcommittee on Intellectual Property, Competition, and the Internet raised questions about the lack of prior user rights and the decreasing nature of the post grant proceedings. Other questions were directed to the lack of change to damage provisions which some commentators believe to be the biggest concern of current patent law and the inclusion of the proceeding to challenge business method patents. Note that the Senate removed changes to damage provisions as a compromise to obtain passage of the AIA. It now appears there may still be a long battle before we see patent reform.

Starbucks Makes News with Logo and Mobile Payment Option

Robert J. Morgan — Fri, 04 Mar 2011 08:27:06 -0600

When Starbucks recently announced a change to their iconic logo, I took interest not only as an attorney specializing in trademark and advertising law, but also as a fairly regular consumer of Starbucks coffee (and, I confess, a Starbucks "Gold Level" card holder).

This article discusses issues pertinent to both and addresses some interesting theories behind the reasons and implications of logo revisions generally, as well as some thoughtful observations on the Starbucks logo change and the advantages of a wordless logo for a global marketplace.

Also, Starbucks has launched a mobile application allowing users to track the funds in their Starbucks stored value cards and to use their phones for payment—with the phone essentially taking the place of the card. It's a cool and useful application, and seems to be perfectly suited for its targeted audience. I have the application downloaded and use it to track or reload my own card balance, which I am starting to find surprisingly useful. I've had a mixed experience with baristas who either handle my phone or refuse to handle my phone citing company policy. While the latter makes for a somewhat awkward counter transaction, I find it preferable. There is something very personal about handing over my phone (as compared to a credit card or Starbucks card), and given the amount of information we carry around on our phones, it seems like a security concern—especially if that phone is going in through a drive-through window. In any case, this functionality perhaps brings us one step closer to that promised future in which we pay for everything by using a single electronic device. One ironic twist to this, however, is that would-be users must first purchase a physical Starbucks card in order to establish an account to be accessed by their mobile application.

False Marking Qui Tam Provision Found Unconstitutional

Robert J. Morgan — Fri, 25 Feb 2011 14:47:24 -0600

As has been widely reported, there has been an influx of false marking cases hitting the courts over the past year based on 34 U.S.C. Section 292, the False Marking Statute. That statute, loosely translated, makes it an offense to mark a product or use in advertising a patent number or the words "patent," "patent pending," or any other indication that a patent applies to a product when it in fact does not. This includes situations in which a company for years correctly marked a product with a patent number, but then continued so marking the product after the expiration of the patent. The statute states that a person responsible for such an offense shall be fined not more than $500 for every such offense.

The statutory language also includes a somewhat uniquely simplistic qui tam provision providing that "Any person may sue for the penalty, in which event one-half shall go to the person suing and the other to the use of the United States." While the qui tam provision of the False Marking Statute was enacted in 1952, the 2009 Forest Group , Inc. v. Bon Tool Company decision made the qui tam actions more financially lucrative—and set the groundwork for a cottage industry of false marking litigation—by holding that violators of the False Marking Statute face a $500 fine for each article improperly marked rather than a $500 fine for a single decision to improperly mark multiple articles.

The February 23, 2011 decision in Unique Product Solutions, Ltd. v. Hy-Grade Valve, Inc. —holding that the False Marking Statute's qui tam provision violates the Appointments and Take Care Clauses of the United States Constitution—could have a chilling effect on the recent rash of false marking cases. In an interesting opinion, Judge Dan Aaron Polster of the US District Court for the Northern District of Ohio briefly explains the history and rationale behind qui tam provisions, which "can reasonably be regarded as effecting a partial assignment of the Government's damages claim" such as in the case when an "assignee of a claim has standing to assert the injury in fact suffered by the assignor."

Judge Polster also explains the purpose behind the Take Care Clause of Article II of the Constitution which provides that the President "shall take care that the laws be faithfully executed." Judge Polster cites precedent in explaining that the Take Care Clause requires that the Executive Branch retain sufficient control over a qui tam claim to "ensure that the President is able to perform his constitutionally assigned duty to take Care that the Laws be faithfully executed." In applying the "sufficient control" analysis to the False Marking Statue (which Judge Polster suggests "is unlike any statue in the Federal Code with which this Court is familiar"), Judge Polster notes that "[a]ny private entity that believes someone is using an expired or invalid patent can file a criminal lawsuit in the name of the United States, without getting approval from or even notifying the Department of Justice" and "[t]he case can be litigated without any control or oversight by the Department of Justice. " Given the lack of a requirement of Department of Justice notification, government oversight or right to intervene, stay discovery, dismiss the action, or involve itself in a settlement, the qui tam provision was found by the court to be in violation of the Appointments and Take Care Clauses of the United States Constitution. Judge Polster bolsters his opinion with a final critique with which defendants of False Marking cases would no doubt agree:

The danger of this uncontrolled privatization of law enforcement is exacerbated by the financial penalties in this statute. The penalty is up to $500 for each article falsely marked. Forest Group, 590 U.S. at 1302-1303. Depending upon the number of items, this could be a staggering amount of money or a trivial amount. The statutory penalty is not calibrated to the size or economic strength of the defendant, the significance of the product, or to the degree of competitive harm the false marking may have had beyond simply the gross number of articles falsely marked. See Id. at 1303 (“[t]he more articles that are falsely marked the greater the chance the competitors will see the falsely marked article and be deterred from competing”). It is therefore essential that the government have control over when such cases are brought, and most importantly, how they are settled. Such decisions should be made by government attorneys who have no financial stake in the outcome of the litigation or settlement, not by private parties motivated solely by the prospect of financial gain.

HHS imposes 7 Figure Fine for Breach of HIPAA; Soon to be the Norm?

Jeremy Logsdon — Wed, 23 Feb 2011 15:33:30 -0600

In case you missed the OCR announcement late yesterday afternoon, the Department of Health and Human Services announced that it was imposing a civil money penalty of $4.3 million dollars against Cignet Health for various violations of HIPAA. These penalties were based upon the violation categories and increased penalty amounts authorized by the HITECH Act; discussed further here. The violations stemmed in part from Cignet's failure to provide 41 patients access to their own medical records as required under 45 C.F.R. § 164.524. In addition to the huge amount of the fine, according the HHS, this action marks the first civil money penalty issued by HHS for HIPAA Privacy Rule violations. This action could indicate a renewed push by HHS to enforce violations of HIPAA and utilize its heightened penalty schedule and enhanced enforcement powers provided under the HITECH Act. Could this be the new norm for HIPAA enforcement? Only time will tell.

Identity Fraud down 28% in 2010; Consumer Costs Up!

Jeremy Logsdon — Wed, 09 Feb 2011 10:44:08 -0600

According to Javelin Strategy & Research's 2011 Identity Fraud Survey Report, there was a 28% drop in the number of victims of identity fraud in 2010. Additionally, the number of reported data breaches dropped significantly (404 reported breaches in 2010, down from 604 in 2009). Finally, the report states that "only" 26 million records were reportedly exposed in 2010 compared to a whopping 221 million exposed in 2009. James Van Dyke, president and founder of Javelin Strategy & Research, attributed (i) increased educational efforts by business, the financial services industry, and government agencies and (ii) "[e]conomic conditions" as contributing factors in the reduction in identity fraud over the past year.

Not all metrics improved however. The report stated that the consumer out-of-pocket costs rose significantly from $387 in 2009 to $631 in 2010. The reason for the out-of-pocket increase may be attributed to more "focused" attacks on individuals and an increase in, what the report refers to as, "friendly fraud." What we don't know is whether the fewer victims facing greater damages is solely the result of more effective, if less widespread, attacks, or if there are other factors at play. What is also unknown is what caused the almost 10 fold drop in the number of records reportedly exposed in 2010. Could this be due to more improved data security tools and practices, or an increased resistance by businesses to report breach events, especially in those instances where conclusively determining that a reportable breach occurred is not possible?

The report also provides six "Safety Tips" to protect consumers:

1. Keep personal data private

2. Don't overshare on social networks

3. Use debit cards wisely

4. Be vigilant in monitoring credit and financial accounts

5. Learn about identity protection services

6. Report problems immediately

Although the Javelin report brings us good news, it will be interesting to see if these trends continue.

Attend Our Upcoming Complimentary Workshop - " What Would YOU Do If Your Network is Hacked?"

Sara Smith — Fri, 04 Feb 2011 15:42:45 -0600

Wednesday, February 16, 2011
11:30 a.m. - 1:30 p.m. Lunch will be provided.
Capital Club – 41 South High Street, 7th Floor
Columbus, Ohio

One needs only to visit a site such as http://www.privacyrights.org/data-breach to learn the extent data breach incidents occur. This workshop will help you learn how to respond to data breach intrusions, whether as a result of a lost laptop, criminal hacking, or other unauthorized access or use of information.

Featuring:
Robert J. Morgan, Esq., Porter Wright Morris & Arthur LLP
Jeremy A. Logsdon, Esq., Porter Wright Morris & Arthur LLP
Donna M. Ruscitti, Esq., Chair, Porter Wright's Information Privacy and Data Security Practice Group

This is a complimentary seminar, however seating is limited. To reserve your spot at this program, please e-mail Deb Ballard at dballard@porterwright.com before February 14.