Technology Law Source

WAGO v. Rockwell; When is a Gerund not a Gerund; Pass on Twombly/Iqbal Mandate

Dave Shouvlin — Wed, 25 Apr 2012 11:08:02 -0600

Think choice of grammar or poor word choice is not relevant in patent claims? Think again. Indifferent word selection nearly sunk this infringement action as well as the patent. Judge Christopher A. Boyko of the Northern District of Ohio recently tackled the difficult issue of patent indefiniteness following IPXL Holdings, L.L.C. v. Amazon. com, Inc., 430 F.3d 1377 (Fed. Circ. 2005), in the case of WAGO Verwaltungsgesellschaft MBH v. Rockwell Automation, No. 1:11-cv-00756, 2012 WL 775683 (N.D. Ohio March 7, 2012). The WAGO decision, however, is notable as much for what it didn't address as for what it did.

The relevant facts are these. The plaintiff ("WAGO") sued Rockwell Automation ("Rockwell") for infringement of U.S. Patent No. 5,716,241 ("the 241 patent"), for input/output devices for data bus. As part of its answer, Rockwell moved for judgment on the pleadings pursuant to Rule 12 (c), arguing that the patent was invalid because language of the principal independent claims was fatally indefinite for including the phrase "configuring the device." Rockwell contended that this was the language of a method patent and not an apparatus patent, as the plaintiff claimed. The term "configuring" is a gerund, and therefore denotes action. Thus, the claim "impermissibl[y] mix[ed] 'method' and 'apparatus' elements." Given that the Federal Circuit held in IPXL, 430 F.3d at 1384, that a single claim cannot cover both a method and an apparatus, Rockwell argued that WAGO's claim was accordingly indefinite. Rockwell also relied upon the recent decision in Rembrandt Data Techs., LP v. AOL, LLC, 641 F.3d 1331, 1339 (Fed. Cir. 2011).

In response, WAGO first argued that whether the claim at issue was indefinite or not, it was premature for the court to decide the issue inasmuch as the parties had not yet battled over the construction of the claims. The court was not persuaded, however, explaining that the record was adequate to determine whether the disputed claims were indefinite or not, citing Intellect Wireless, Inc. v. Kyocera Communications, Inc., Case No. 08 C 1350, 2009 WL 3259996 (N.D. Ill. Oct. 8, 2009). The court next addressed whether WAGO's patent was valid under 35 U.S.C. § 112. Despite the fact that the court was less than enamored of WAGO's grammar and sloppy use of the term "configuring" in the claim, the court denied Rockwell's motion for judgment on the pleadings, explaining it was "not convinced sub-optimal drafting automatically denotes mixed subject matter and indefiniteness." Thus, WAGO lives to fight on, at least for a while.

There is a lesson here, however: it is imperative that patent counsel be highly perspicacious in its choice of language in setting forth patent claims. Rockwell unabashedly admitted that its motion rested on the use of WAGO's choice of grammar, and the court was almost persuaded. Inexact grammar, or more accurately, indifferent word selection, nearly sunk not only WAGO's infringement action, but its patent. Despite admonitions to the contrary, sometimes it actually is better to use two or more words when one will do – if clarity is at risk.

But proper syntax is not the only notable subject mentioned in Judge Boyko's decision. In its opposition, WAGO also argued that Rockwell's motion for judgment on the pleadings must fail because WAGO's complaint satisfied the sufficiency standard under Rule 8 given that the complaint conformed to Form 18 contained in the Appendix to the Federal Rules of Civil Procedure. WAGO pointed out that Rule 84 expressly states that forms in the Appendix "suffice under these rules and illustrate the simplicity and brevity that these rules contemplate." Fed R. Civ.P. 84. Therefore, WAGO maintained, following Form 18 was enough. Rockwell, however, had not challenged the sufficiency of WAGO's complaint, and so the court declined to scrutinize this issue. But maybe it should have.

Even though WAGO's complaint went into some detail about the history related to the patent and described the Rockwell device WAGO contended infringed its patent, the complaint did not go into much detail explaining how that device infringed the '241 patent. It is presently unclear whether identifying the infringing product and the claims it infringes is enough to satisfy the pleading mandates set forth in the Supreme Court's decisions in Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007), and Ashcroft v. Iqbal, 556 U.S. 662, 129 S.Ct. 137 (2009). In those cases the Court held that the federal rules require something more than conclusory allegations to proceed with an action. Claims must have "facial plausibility," meaning that "the pleaded factual content allows the court to draw a reasonable inference that the defendant is liable for the misconduct alleged." Iqbal, 129 S.Ct. at 1949. Without including at least that minimal amount of factual detail to establish liability, complaints are subject to dismissal. The Court did not except patent cases from this ruling. In fact, it suggested just the opposite when the Court ruled in Iqbal that the Twombly pleading standard did not apply just to antitrust cases.

Nonetheless, even after Twombly and Iqbal some federal courts have held that a direct infringement complaint short on facts but otherwise conforming to Form 18 is sufficient under Rule 8. See, e.g., Microsoft Corp. v. Phoenix Solutions, Inc., 741 F. Supp. 2d 1156 (C.D. Cal. 2010); Biax Corp. v. Motorola Solutions, Inc., 10-cv-0313, 2012 WL 502727 (D. Colo. Feb. 15, 2012). But district courts are not unanimous in that view. Some courts, noting that Form 18 as well as Rule 84 considerably predate Twombly and Iqbal, have required more than what Form 18 provides. See, e.g., Anticancer, Inc. v. Xenogen Corp., 248 F.R.D. 278, 282 (S.D. Cal 2007); Via Vadis, LLC. v. Skype, Inc., Case No. 11-507, 2012 WL 261367 (D. Del. Jan 27, 2012).

One would guess the days are numbered for the vitality of Form 18. Think Beta max. There is no particular or justifiable reason why a plaintiff in a patent infringement case should be held to a lesser pleading standard than other plaintiffs in other cases -- or other plaintiffs in non-infringement patent cases. See Tyco Fire Prods, L.P. v. Victaulic Co., 777 F. Supp.2d 893, 905 (E.D. Pa. 2011) (granting plaintiff's motion to dismiss defendant's bare-bones invalidity counterclaim). Given what would seem to be an inevitable change in pleading practice, plaintiff's counsel would be well-advised to take the time in drafting a complaint to set forth a reasonably thorough factual recitation of the alleged infringement, such as identifying the products alleged to infringe, how they infringe, and when they infringed. You will save your clients time and money in the long run.

Ninth Circuit En Banc Decision in Nosal Creates Federal Appellate Court Split On Scope of Computer Fraud and Abuse Act's Reach to Protect Trade Secrets

Donna Ruscitti — Fri, 20 Apr 2012 12:29:56 -0600

On our sister blog – Employer Law Report – Brian Hall discusses a much anticipated decision, in which the Ninth Circuit Court of Appeals held in an en banc decision in United States v. Nosal that the Computer Fraud and Abuse Act ("CFAA") was not intended to cover employee misappropriation of trade secrets, violations of corporate computer use policies or violations of an employee duty of loyalty. The decision, which overrules a previous Ninth Circuit panel decision in Nosal, creates a conflict with the Fifth, Seventh and Eleventh Circuits, all of which have interpreted the CFAA broadly to include such employee misconduct. As a result, we can probably expect this issue to show up on the Supreme Court's docket sometime in the future. Read Brian's full post here.

A Note of Caution When Suing for Copyright Infringement

Dave Shouvlin — Wed, 28 Mar 2012 11:25:28 -0600

Think recovery of attorneys' fees in copyright infringement cases is just for plaintiffs? Think again. Plaintiffs' counsel should take heed of the chilling tale in Fharmacy Records v. Salaam Nassar, Nos. 10-1354, 10-2073, 2012 WL 573942 (6th Cir. Feb. 23, 2012), discussed below. But first, some background. In Fogerty v. Fantasy, Inc., 510 U.S. 517 (1994), the Supreme Court explained that awards of fees to prevailing parties in copyright cases are discretionary and with respect to liability for them, copyright plaintiffs and defendants are to be held to the same standards. Since then, there have been scores of copyright cases in which courts have awarded fees. In most, it is the plaintiffs who have recovered. See, e.g., Balsley v. LFP, Inc., Case No. 1:08 CV 491, 2011 WL 1303738, **5-7 (N.D. Ohio March 31, 2011) (plaintiff prevailed but awarded only 40% of fees; thorough analysis of fee award). But on occasion, a defendant will win its fees. See, e.g., Chambers v. Ingram Book Co., Case No. 09-14731, 2012 WL 933237, **3-7 (E.D. Mich. March 20, 2012) (court awarded prevailing defendants just shy of $75,000 in attorneys fees). Whether intended or not, the principles governing Rule 11 are regularly applied when the issue is whether defendants should recover fees. See id. (in awarding fees, court found the lawsuit frivolous and motivations behind the filing of it highly questionable).

The Sixth Circuit issued one of the more interesting decisions applying Fogarty in Bridgeport Music, Inc. v. WB Music Corp., 520 F.3d 588, 593 (6th Cir. 2008). In that case the court affirmed the award of attorneys fees against the plaintiff even though the plaintiff's claim was, at least initially, "objectively reasonable."

Two very recent circuit court decisions relied upon the reasoning in Bridgeport, but with considerably different results. In T-Peg, Inc. v. Vermont Timberworks, Inc., 669 F.3d 59 (1st Cir. 2012), the First Circuit affirmed an award of fees to defense counsel, but severely limited the amount in light of the modest value of the plaintiff's claim. No matter that the defendant had to spend over four times that amount to prevail in the matter due to the plaintiff's aggressive litigation strategy. To view a good account of the case, see the blog, "Attorney's fees – not just for copyright Plaintiffs" here. In stark contrast, a week later the Sixth Circuit in Fharmacy Records v. Salaam Nassar, Nos. 10-1354, 10-2073, 2012 WL 573942 (6th Cir. Feb. 23, 2012) ("Fharmacy II"), awarded defense counsel fees in the amount of $546,199.89 -- without express mention of the value of the plaintiff's claim -- due to what the district court deemed to be egregious conduct on the part of the plaintiffs and their counsel, conduct that included discovery abuses, spoliation of evidence, and suborned perjury, as detailed in an earlier decision in the action. See Fharmacy Records, Inc. v. Salaam Nasser, 379 F.App'x. 522 (6th Cir. 2010).

In Fharmacy II, the stated reason for the appeal regarding fees had to do with whether the district court had correctly allowed a magistrate judge to review and calculate the fee award. The District Court had referred the matter to the magistrate judge pursuant to 28 U.S.C. §636(b)(1)(a). The Sixth Circuit acknowledged that the proper basis for the referral was actually 28 U.S.C.§636(b)(3). But the court concluded this "technical or clerical error" was of no practical moment – meaning, the plaintiff was not going to be able to dodge the fee award because of it.

Cruising past that and other procedural issues, the court then focused the main issue: whether plaintiff's counsel was jointly and severally liable under 28 U.S.C.§1927 to pay the fees the court had awarded. The court said yes, relying upon the report and recommendation the magistrate judge had prepared below excoriating plaintiffs' counsel for their vexatious conduct in litigating the case. The Sixth Circuit flatly rejected the argument that plaintiffs' counsel should not be liable because they didn't fully appreciate they might be personally liable for the fees (suggesting counsel were less concerned if only their clients had to pay the fees—even for counsel's behavior?).

There are many lessons to be learned from this case. First, it goes without saying that counsel must always follow the rules—and play fair, even if the battle has a David versus Goliath character to it. Few things provoke a court more than being forced to deal with a myopic or petulant litigator. And second, it is imperative that counsel keep control of its clients. The struggling artist who cannot afford to pay counsel's fees but who nonetheless insists his lawyer take unsupportable positions or pursue unreasonable litigation strategies may saddle the lawyer with a liability the lawyer never expected.

EU Conference: Privacy and Protection of Personal Data

Christina Hultsch — Thu, 22 Mar 2012 10:11:37 -0600

The EU Conference on Privacy and the Protection of Personal Data held March 19 in Washington, D.C., was a great illustration of the importance of the topic within the European Union. The conference was extremely well attended by high-level EU regulators and provided valuable insights into the respective priorities. Tangible results, however, were scarce and consisted largely of a joint statement on privacy by EU Commission Vice-President Viviane Reding and US Commerce Secretary John Bryson. The Joint Statement recognized the need for multinational cooperation to create mutual recognition frameworks that protect privacy in order to facilitate the free flow of information across borders. Both sides reaffirmed their commitment to the US-EU Safe Harbor Framework as a means to transfer data from the EU to the US.

Highlights
A joint conference, especially when organized by the European Commission, but held in Washington, D.C., instead of its headquarters in Brussels, naturally brings forth many polite statements of mutual admiration for one another’s efforts in the area of data privacy. Undoubtedly, the highlights of the conference occurred whenever the gloves came off and issues and expectations were voiced clearly.

One of my personal highlights was seeing my fellow German countrymen and -women live up to our reputation of being blunt, punctual and lacking any sense of humor. Paul Nemitz, Director of Fundamental Rights and Citizenship at the European Commission, set the tone by dashing the hopes of Cameron Kerry, General Counsel for the US Department of Commerce, that the White Paper published by the White House as a blueprint for a Consumer Privacy Bill of Rights has brought the United States any closer to an adequacy finding by the European Union. Mr. Nemitz also questioned the effectiveness of FTC enforcement actions by calling it mainly “good PR.” The criticism was superbly countered by Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection at the FTC, who very gracefully accepted the statement as a compliment. In addition, she also provided useful substantive information of the FTC’s enforcement priorities and as a result, earned a spot in my personal list of highlights.

Other memorable moments included the passionate speech by Representative Ed Markey, D-MA, who presented a good update on the status of the COPPA revisions and, as the long-standing co-chair of the Congressional Privacy Caucus, provided a fascinating historical summary of the various federal privacy initiatives of recent decades.

Peter Hustinx, the European Data Protection Supervisor, was one of the few European representatives with a slightly optimistic message for the US. In outlining his understanding of the interoperability requirements highlighted in the Joint Statement, he suggested that an adequacy finding could result from the implementation of the White Paper, even if it did not result in a comprehensive law, as adamantly requested by Francoise Le Bail, Director-General for Justice at the European Commission. Mr. Hustinx emphasized the need for sufficiently common principles and their binding implementation as far more important than the specifics of the regulatory regime.

Take-aways for US privacy practitioners:

The current FTC enforcement priorities are:
- Social media
- Online tracking
- Data security
- Mobile privacy
- FCRA and apps that allow for instant background checks, especially when utilized by employers or prospective employers
Without a comprehensive law, the EU will likely not grant the US adequacy status. The concept of enforceable codes of conduct as introduced in the White Paper is viewed with skepticism among the EU regulators.
Interoperability is the “hot” new term. While the technological implications are generally well understood, a definition from a legal perspective is still missing. Mr. Hustinx presented his understanding of interoperability requirements as:
- Sufficiently common principles (which, of course, must be binding)
- Common implementation of these principles
- Common enforcement
- Common mechanisms for individual redress
Safe Harbor will continue despite European concerns over its effectiveness. Under the current budget situation, it is highly unlikely that the FTC will implement compliance audits, despite the adamant requests by various European NGOs.
The EU Commission is convinced that European businesses will gladly accept stringent data protection rules as long as they are uniformly applied. The opinion was corroborated by the DPO of Deutsche Telekom who listed legal certainty as his top priority.

Conclusion
Great efforts are being made on both sides to understand, accept and ultimately overcome the differences in the respective approaches to the protection of privacy rights. Whether reliance upon dialogue alone will be enough to accomplish these goals remains to be seen. The conference seemed to indicate that mere education about the basic principles is insufficient, but that, instead, a certain level of personal experience is required to fully understand and accept the different political, social and historical contexts in which both regimes function.

A Look Back: Top 10 E-Discovery Developments and Trends Emerging Out of 2011

Jay Yurkiw — Tue, 13 Mar 2012 09:50:10 -0600

We recently prepared a summary of the top developments and trends in electronic discovery that came out of 2011. Given the evolving nature of this area of the law, understanding the key events from last year can help with this year's e-discovery challenges. To see what made our list, click here.

Among the highlights:

"Computer-assisted review" gained traction as a potential way to reduce costs and increase accuracy during document review, resulting this year in the first-known judicial opinion recognizing computer-assisted review as an acceptable method to search for relevant electronically stored information (ESI) during discovery – a development we see playing a key role in how new technology will be leveraged to address budget and timeline concerns going forward.
Information governance and the need for strong records management policies saw increased discussion last year – a development we see leading to more businesses considering what steps they can take before litigation arises to reduce the volume of potentially discoverable ESI, particularly as new sources of ESI emerge as discovery targets.
Discovery obligations meet data protection obligations on a global scale – The Sedona Conference® issued a timely and important resource, which we reported on, with an eye toward multinational companies facing a conflict between the requirements of U.S. discovery rules and foreign privacy laws, particularly as the European Commission has proposed a comprehensive reform of the EU's 1995 data protection rules.
National civil rule reform is still a ways off from happening, but many federal and state courts are developing their own local e-discovery orders, protocols, and pilot programs to attempt to make e-discovery more efficient and less costly – a development we see continuing this year.

"Dang" That Renewal Copyright Law

Dave Shouvlin — Mon, 05 Mar 2012 14:21:45 -0600

The Sixth Circuit recently issued a rare decision addressing ownership of renewal copyrights - in some of country singer Roger Miller's songs: Roger Miller Music, Inc. v. Sony/ATV Publishing, LLC, Case No. 10-5363, 2012 WL 555485 (6th Cir. Feb. 22, 2012). It is worth a read if you have occasion to wrestle with renewal copyright issues.

Renewal copyrights are unquestionably tedious business. Not long ago we handled a case involving issues of renewal copyrights dating from Germany prior to World War II. See Cambridge Literary Properties, Ltd v. W. Goebel Porzellanfabrik G.m.b.H. & Co. KG.,510 F.3d 77 (1st Cir. 2007), cert. denied, 129 S.Ct. 58 (2008). The case took sixty-five years to bring and eight years to resolve!

Under the original Copyright Act, an author of a work enjoyed monopolistic power over a work he authored or created for a period of 14 years that was renewable for another 14 year period, for a total of 28 years. See 3 Melville Nimmer and David Nimmer, NIMMER ON COPYRIGHT, § 9.01, et seq. (2011 ed.). Congress eventually deemed this period too short, and in 1909, it doubled the time period for both the original and "renewal" periods, extending each to 28 years. Later, in 1976, Congress revised the Copyright Act to expand the original copyright period for future works to the life of the author, plus a renewal period of 50 years. For many works already in existence, Congress extended the overall copyright period for 95 years. Consequently, a composer of a song first published prior to 1978 owned all rights to it for 95 years - the original period of 28 years, and the renewal period of 67. Later, in the Sonny Bono Copyright Term Extension Act Congress extended the renewal period to 70 years after the death of the author.

But why have a renewal period at all? Why not just have one copyright period? Well, many authors assign the copyrights in their works to others. That and licensing specific use of their works are the principal ways authors make money on their creations. Song writers, for example, regularly assign their copyrights to music publishers for a sum of money to get the benefit of certain cash payment (rather than deal with the uncertainty of royalty payments). Congress, apparently feeling quite paternalistic, believed that economic necessity too often compelled starving artists to make improvident, irreversible decisions regarding their copyrights, conveying away all of their interests before the artists (or the market) knew the true value of the works. Congress was especially concerned about instances where artists' improvident decisions adversely affected their families, depriving the families of commercial successes that perhaps the authors did not initially anticipate. Consequently, Congress modified the copyright laws to prevent an author from conveying away his copyright interests in both the original copyright period and the renewal period unless, first, the author expressly states he is conveying his renewal interests, and second, he survives to the renewal period. If the author reaches the renewal period, his earlier express conveyance of the renewal copyright is binding. But if the author dies before the original term concludes, his copyrights revert to his family - even if he had previously intended to convey them to a third party. At least that is generally the case.

The Sixth Circuit braved this thorny thicket in Roger Miller. At issue in that case was whether Roger Miller, the author of such songs as "King of the Road," "You Can't Roller Skate In A Buffalo Herd," and "Dang Me," properly assigned his interest in the renewal copyrights to his songs to Sony, or whether Sony infringed Miller's copyrights in those songs by producing recordings of them after Miller's death in 1992.

As with the resolution of many cases, timing is important. At issue were songs Miller copyrighted in 1964. Miller died in 1992, the 28th year of the original copyright period. Shortly before Miller died, he applied for the renewal copyrights for the 1964 songs and assigned them to Sony. The question before the Sixth Circuit was whether the renewal copyrights went to Sony or reverted to Miller's family.

It was clear that the Copyright Act allows an author to assign his rights in a renewal copyright of a work if the author survived the original term, whether the assignment took place before or after the renewal period began. And historically, it was also clear that if he died before the renewal period began, his assignment of his renewal rights was ineffective. But the language of 17 U.S.C. § 304 applicable to this case could be read to be inconsistent with that proposition. The statute is certainly not a model of clarity. What if the author died during that last year, before the renewal period began, after applying for and assigning the renewal copyright? Would the assignee enjoy the renewal copyright, or would the renewal copyright revert to the author's family, as historically happened by statute? Enter Roger Miller.

In its decision, which included a review of the circuitous procedural history of the case, the Sixth Circuit determined that 17 U.S.C. § 304(a)(2)(A) controlled. But the statute's lack of clarity forced the court to study the relevant House Report. The court concluded, with the help of the Report, that Congress intended that such assignments made during the 28th copyright year could be effective. Because Miller had applied for the copyright renewal and assigned it to Sony during the 28th year, the interest in the renewal copyright was properly conveyed to Sony and did not revert to his family upon his death, even though Miller did not survive to the renewal period. The renewal application and assignment trumped the death benefits to Miller's family the renewal period usually provides.

Therefore, because Sony owned the renewal copyrights in Roger Miller's songs, Sony could not be liable for infringement; owners, even co-owners of copyrights, cannot be liable for infringement. Based on this reasoning, the Sixth Circuit reversed the district court's decision enjoining Sony from further use of these songs and reversed the award to the Miller's family for infringement of over $900,000, as well.

Is there a useful take-away from this decision? Its applicability, given the changes in the Copyright Act, is certainly limited. But there is a lesson: be extra careful when dealing with renewal copyrights of older works. Just because "That's the Way It's Always Been," does not mean that's the way it is now, "Dern Ya."

Grandfather Provision of Massachusetts Data Security Requirements Expiring

Jeremy Logsdon — Tue, 28 Feb 2012 09:55:27 -0600

This note is a reminder of the expiration of the grandfather provision under the Massachusetts Data Security Regulations, summarized here, which expires on March 1, 2012. Any applicable third party service provider contract entered into prior to March 1, 2010 must incorporate the appropriate security measures for personal information as specified in the regulations. Companies should take steps immediately to ensure that their contracts with third party service providers who maintain, receive, or access personal information of Massachusetts residents conform with the regulation's requirements.

Federal Court Approves Use of "Computer-Assisted Review" to Find and Produce Relevant ESI in Discovery

Jay Yurkiw — Mon, 27 Feb 2012 14:55:29 -0600

In the first-known judicial opinion in which a court has recognized that the use of computer-assisted review is an acceptable way to search for relevant electronically stored information (ESI) in appropriate cases, Magistrate Judge Andrew J. Peck of the United States District Court for the Southern District of New York issued an opinion on Friday approving the use of “computer-assisted review” to find and produce relevant ESI in an employment discrimination case filed as a class action.

Computer-assisted review (also referred to as “predictive coding” or “technology-assisted review”) generally refers to review software that uses machine learning algorithms to enable a computer to determine what documents are relevant to a case after being trained by a human reviewer. In computer-assisted review, attorneys knowledgeable about the case manually review and analyze a small sample set of potentially relevant ESI to decide which documents are relevant to the case. The relevant documents reviewed by the attorneys are then used as a “seed set” to teach the computer what to search for in the larger data set so that the computer can find additional relevant documents through an automated process. Because computer-assisted review does not require attorneys to review each and every potentially relevant document and can identify fewer non-relevant documents than keyword searching alone, computer-assisted review potentially can result in significant cost savings and a more accurate document production.

Over the past year, the potential of computer-assisted review to reduce the time and money it takes to conduct electronic discovery has received a lot of attention. The New York Times, for example, reported on “armies of expensive lawyers” being replaced by “cheaper software” and explained how advances in artificial intelligence are leading to improvements in e-discovery technology to find and produce relevant documents. Forbes recently commented on the importance of human expertise in guiding computer-assisted review as well as “the complexities of attempting to apply a new technological approach to electronic document review that is transparent, accurate, and fair for all parties.” Judge Peck also wrote an article last year, which he quotes from in his opinion, supporting the use of predictive coding as an alternative to the time and cost of manual review of large document sets. He explained that “the volume of ESI has made full manual review virtually impossible” and how keyword searching alone can have drawbacks.

After holding multiple discovery conferences on the possibility of using predictive coding technology in the employment discrimination case pending before him, Judge Peck ordered the parties earlier this month to submit their “final” protocol relating to the production of ESI using predictive coding. Over the plaintiffs’ objections to the predictive coding methodology proposed by the defendants, Judge Peck entered the protocol as an order last week. He then followed that order up with Friday’s opinion.

In his opinion, Judge Peck recognized that “computer-assisted review is not perfect” but determined that the use of predictive coding in the case before him was appropriate considering the parties’ original assent to using predictive coding, the vast amount of ESI to be reviewed (over three million documents), the superiority of computer-assisted review to available alternatives (such as linear manual review or keyword searches), the need for cost effectiveness and proportionality, and the transparent process proposed by the defendants. Judge Peck further explained the process that the defendants were going to use and rejected the plaintiff’s arguments that the process violated Rule 26(g) of the Federal Rules of Civil Procedure and Evidence Rule 702 of the Federal Rules of Evidence. He also provided guidance for considering the use of computer-assisted review in future cases.

On another issue recently discussed here, Judge Peck also noted The Sedona Conference’s® recent publication of the International Principles on Discovery, Disclosure & Data Protection as support for his denial of discovery of a custodian’s emails stored in France because they likely would be covered by French privacy and blocking laws. He also reiterated his strong endorsement of The Sedona Conference Cooperation Proclamation® and the need for counsel to cooperate on e-discovery issues. Judge Peck believes that an “important aspect of cooperation is transparency in the discovery process,” and he “highly recommends that counsel in future cases be willing to at least discuss, if not agree to, such transparency in the computer-assisted review process.”

Judge Peck concluded his opinion by encouraging counsel to consider using computer-assisted review to search for relevant ESI in appropriate cases: “What the Bar should take away from this Opinion is that computer-assisted review is an available tool and should be seriously considered for use in large-data-volume cases where it may save the producing party (or both parties) significant amounts of legal fees in document review.”

Beware of Solicitations Appearing to be from the USPTO

Melanie Martin-Jones — Mon, 27 Feb 2012 08:50:45 -0600

The US Patent and Trademark Office (USPTO) has posted a warning on its website regarding solicitations that appear to be official notices (Click here for a sample). The notices come from private companies that are not associated with the USPTO.

The notice is typically made to resemble an official notice from the USPTO by including the trademark serial or registration number, classes, filing dates and other information that is publicly available on the USPTO's database. Most of the notices appear to be an invoice stating an amount "due". If you read the fine print (if it is even included), the fee is not for a legitimate government fee, but for legal services, trademark monitoring services, Customs recordation services or inclusion in a private registry.

Trademark owners who receive such a solicitation may file a complaint with the Federal Trade Commission at www.FTC.gov. The Trademark Office also provides an e-mail for reporting misleading communications at TMFeedback@uspto.gov.

The Trademark Office notes that all of its correspondence is from the “United States Patent and Trademark Office” in Alexandria, VA (if by e-mail, from the domain @uspto.gov). If you are represented by an attorney, most likely all government fee notices will come from your attorney.

We often get a call or email when a client receives such solicitations – hopefully if you receive one, you will check with us prior to submitting payment.

Michael Jordan Shoots in China

Rick Mescher — Fri, 24 Feb 2012 13:44:36 -0600

Remember to register transliterations as well as English versions of your trademarks in China and elsewhere. NBA legend Michael Jordan initiated a suit in China alleging the unauthorized use of his name by a Chinese sportswear and footwear manufacturer. Michael Jordan became a worldwide basketball star in the 1980s and 1990s. Qiaodan Sports Company Ltd., changed its name to "Qiaodon", the transliteration of "Jordan", in 2000. Not only does Qiaodon use the name Jordan, it often has used Michael Jordan's iconic number 23 and a logo which greatly resembles Nike’s “Jumpman” logo (which Nike uses on Michael Jordan related products) on its products and advertisements.

Nike registered the trademark "Jordan" (in English) in China in 1993 but failed to register the Chinese version allowing Qiaodon to register the Chinese version in 1998. Jordan appears to have acted after all of these years because other NBA players (such as Yao Ming) have had recent victories under similar circumstances. Things appear to be looking brighter on the intellectual property front in China. However, you should still take Michael Jordan's situation as a lesson/reminder to register transliterations as well as English versions of your trademarks in China and elsewhere.

The Sedona Conference® Publishes International Principles on Discovery, Disclosure & Data Protection

Jay Yurkiw — Tue, 24 Jan 2012 07:52:39 -0600

The Sedona Conference® recently published the International Principles on Discovery, Disclosure & Data Protection (“International Principles”) through its Working Group 6 on International Electronic Information Management, Discovery and Disclosure. The Sedona Conference® launched Working Group 6 in 2005 to bring the most experienced attorneys, judges, privacy and compliance officers, technology-thought leaders, and academics from around the world to discuss the management, discovery, and disclosure of electronically stored information (“ESI”) involved in cross-border disputes. The publication of the International Principles comes in light of a number of U.S. court decisions over the last two years ordering the disclosure of information in U.S. litigation despite the existence of foreign privacy laws that otherwise would have prohibited such disclosure. See, e.g., EnQuip Technologies Group, Inc. v. Tycon Technoglass, S.R.L., 2010-Ohio-28, 2010 WL 53151 (Jan. 8, 2010).

The International Principles contain best practices and recommendations for addressing the preservation and discovery of “protected data” in U.S. litigation. Protected data broadly includes any information that must be safeguarded pursuant to federal, state, or foreign laws, or through other privacy obligations. Although focused primarily on the relationship between U.S. preservation and discovery obligations and the European Union Directive 95/46/EC, the International Principles are designed to apply whenever data protection laws or other privacy obligations conflict with U.S. preservation and discovery obligations. The International Principles also contain a model protective order for use with protected data as well as a cross-border data safeguarding process and transfer protocol to document the steps taken to comply with applicable privacy laws.

The International Principles encourage parties to examine whether their discovery requests and obligations present a conflict with any data protection laws. If a conflict exists, The Sedona Conference® maintains that the parties should try to avoid or minimize the conflict by limiting the scope of discovery, engaging in phased discovery, or limiting the production of protected data and metadata. The parties also should agree to a protective order or stipulation limiting the use and disclosure of protected data and to a plan setting forth the methodology by which protected data will be preserved, processed, transferred, and produced.

Interestingly, the sixth and final principle addresses how organizations should maintain their data before preservation and discovery obligations arise. This principle reinforces the importance of having strong records management policies in place and stresses that custodians of protected data should retain such information “only as long as necessary to satisfy legal or business needs.” The Comment to the Principle 6 states in part:

Many organizations worldwide have become electronic data hoarders. While the retention of paper-based information had tangible physical consequences and costs, it has become relatively inexpensive and more expedient to expand storage capacity rather than to apply records management lifecycle discipline to ESI. There are numerous direct and indirect costs and risks associated with unbridled accumulation and retention of data. Legal risks may also arise, especially in the context of data protected by Data Protection Laws, in the over-retention of information.

The Comment further encourages organizations to implement data privacy and data protection technologies and procedures and to collect personal data with data protection in mind, e.g., “privacy by design,” to lower the costs and risks relating to data protection.

A copy of the International Principles publication is available here.

Data Protection in Social Networks

Christina Hultsch — Mon, 12 Dec 2011 07:53:34 -0600

In a statement published on December 8, 2011, the Association of German Data Protection Agencies known as the “Duesseldorfer Kreis,” (“DK”) issued an opinion summarizing the minimum compliance criteria for operators of social networks in Germany:

Transparent privacy policy and informed consent are essential for protecting the right to data privacy
Opt-out solutions are insufficient, all privacy settings must be on the basis of opt-in selections
Users must have simple access to their stored personal data
Facial recognition features require express, confirmed consent
No tracking profiles without the informed consent of the user
Obligation to delete data after the termination of the membership
Social plug-ins on the websites of German operators are not compliant with data protection laws unless they are covered by informed consent and provide the opportunity for the user to prevent the data transfer
Social networks must protect user data through implementation of suitable privacy controls; operators must be able to demonstrate that such measures were taken
Minors require particular protection and information regarding the processing of personal data must be easily comprehensible to them
Social networks located outside the EEA must nominate an agent in Germany who serves as the contact person for the DPAs

The opinion, however, is not limited to this rather generic list of minimum requirements. Instead, it takes the opportunity to address two of the most pressing issues which have dominated the discussion of social networks and their commitment to data privacy over the past several months.

In August we reported that a German Data Protection Agency (Unabhängiges Landeszentrum für Datenschutz in Schleswig Holstein, “ULD”) threatened to impose fines on all website owners who refused to remove social plug-ins, and especially the like-button, from their websites. The topic has become an issue of extensive substantive discussion[1], with the majority of the opinions rather critical of the approach and hinting, more or less directly, at a certain degree of overzealousness on behalf of the ULD. The main complaint is directed at the insufficiency of the ULD’s legal analysis which ignored many of the unsettled areas of privacy law, especially with regard to whether IP addresses constitute personal data under the Federal Data Protection Act. The DK opinion now offers an unconditional statement of support by declaring all social plug-ins as noncompliant with the law. The opinion holds the website owners responsible for the content of the data processed through social plug-ins and tells website owners to stay away from the like-button unless the website owner has a clear understanding of the scope of the data processing and transfer that could result from such a plug-in. This opinion comes as a surprise in light of the recent study published by the German Bundestag, which was remarkably direct in its criticism of some of the ULD’s legal conclusions. Whether the DK opinion will provide the ULD with the vindication it needed to enforce the threatened fines of up to €50,000 remains to be seen. To date, the Facebook like-button remains a prevalent feature of most business and even the Schleswig-Holstein government page is still asking users to endorse the website via social plug-ins.

Just last month, another German DPA attacked Facebook directly over its biometric database and the company’s refusal to obtain retroactive user consent. That the storage of user photos in a database to create a facial recognition feature is a legitimate issue of data privacy has been universally recognized. The legal discussion in Germany regarding this issue is mostly jurisdictional, with Facebook asserting that it is not subject to the German data privacy laws. The DK opinion, without addressing the Facebook situation directly, flat-out rejects this argument. Unless the social network is actually operated from within the European Union, simply forming a subsidiary in an EU member state is considered insufficient to limit jurisdiction to that particular country. Instead, German data protection laws shall apply to processing of all personal data derived from users located in Germany, according the DK opinion.

While it is difficult to predict the impact this opinion will have on how the individual Data Protection Agencies proceed against perceived violations of data privacy laws within the world of social networks, it is highly unlikely that it will create sufficient pressure to result in any settlement agreements similar to the one entered into with the Federal Trade Commission and Facebook.

[1] Including a 90min panel discussion in German with a member of the ULD

IMPACT: Measuring the Loss of Brand and Business Reputation after a Data Breach

Donna Ruscitti — Wed, 23 Nov 2011 12:10:19 -0600

Brand and business reputation suffer following a data breach. A recently released survey puts some numbers to the losses and shows just how much that damage can be, with breach of customer data being the most costly. The study, independently conducted Ponemon Institute LLC and sponsored by Experian® Data Breach Resolution, is believed to be the first study to compare the impact of the loss of confidential customer or employee information and sensitive business information with loss of brand and business reputation.

The study surveyed 843 senior-level persons with in-depth knowledge about their companies brand and reputation management objectives. Some of the highlights found, and resulting key take-aways from the study are:

With an average economic value of corporate brand or reputation at $1.5 billion (ranging from less than $1 million to greater than $10 billion), the average loss in the value of the brand ranged from $184 million to more than $330 million, depending on the type of information lost in the breach.
As a percentage of annual gross revenues, the economic value of corporate brand or reputation ranged from less than 10% to greater than 5 times annual gross revenue, and depending on the type of information lost in the breach, the value of brand and reputation could decline as much as 17% to 30%.
Reputation and brand image are inextricably linked.
In some cases it can take longer than a year to restore reputation and brand image.
Some breaches are more devastating than others, with breach of customer information being most devastating.
82% of the respondents stated their organizations had a data breach involving sensitive or confidential customer information, on average, 2.7 breaches in the past 2 years. 76% say the customer data breaches had a significant or moderate impact on reputation.
Before having a data breach, less than 50% had incident response plans in place for customer data breaches; after a breach over 75% put a plan in place.
What you should do: respondents strongly believed the top two steps in responding to data breaches are: (i) conducting investigations and forensic evaluations; and (ii) working closely with law enforcement. Following those two steps: (iii) immediately respond to the incident, (iv) protect those affected from potential harms such as identity theft; and (v) conduct employee training and awareness programs.

As a lawyer who counsels clients in these matters, I'd also suggest now is the time to:

Review and update your data breach response plan.
If you don't have one, do one now!
Make sure you are in compliance with the laws enacted in 33 states with respect to protection of social security numbers.
Make sure you are in compliance with the laws enacted in 10 states regarding security for personal information.

To access the study, click here: http://www.experian.com/data-breach/reputation-impact-study.html.

Will Facebook soon be privacy-friendly?

Christina Hultsch — Wed, 23 Nov 2011 02:00:25 -0600

FTC Audit Agreement
According to various news reports, Facebook and the FTC are about to enter into an agreement which will subject Facebook to privacy audits for the next 20 years. The agreement will apparently require Facebook to obtain prior express consent before making public any information to which the user had granted limited access only. The agreement is a direct response to complaints over the changes Facebook made to its privacy policy in 2009, when previously private information became accessible to the public and users had to take active steps in order to return to their accustomed privacy settings.

Since 2009, the importance of data privacy has gained much broader recognition, and privacy advocates will likely celebrate the FTC agreement as a victory. Facebook’s reluctance, however, to show adequate consideration for the concerns raised by European data protection agencies suggests that celebrations may be premature.

Considering what made Facebook’s business model so successful, it is hardly surprising that Facebook would be reluctant in addressing European privacy concerns. It will likely always be a struggle to reconcile the business model built on a global platform with 800 million users publicly sharing information with the right to the protection of personal data granted by Article 8 of the Charter of Fundamental Rights of the European Union. Two recent press releases by a German data protection agency highlight these conflicts.

Purpose and Function of Cookies
On November 2, 2011, the Hamburg Commissioner for Data Protection and Freedom of Information released the results of an investigation related to Facebook’s use of cookies. According to Facebook, these cookies serve as security mechanisms to allow the restoration of passwords or to prevent children from creating accounts. The investigation report (which, in its German version, can be downloaded here) demonstrated that these goals were accomplished only to a minimal extent in relation to some purely optional functions and only if the functions were set accordingly by the user.

From these results, the agency concluded that the cookies likely served, for Facebook, a different primary purpose altogether—namely to create tracking profiles of Facebook users. Should this suspicion be confirmed, and provided that German law is applicable to Facebook, the company would be in violation of the German Telemedia Act (“TMG”). Despite Facebook’s assertion that it does not fall under the jurisdiction of the TMG, it has nonetheless indicated a willingness to discuss the underlying technical processes and the Commissioner appears cautiously optimistic that a solution can be reached which will comply with the German data protection laws, including the TMG.

Facial Recognition
The most recent press release, again by the Hamburg Commissioner for Data Protection and Freedom Information, was issued on November 10, 2011 and addressed Facebook’s biometric database. Facebook is using a facial recognition feature which, according to the Commissioner, requires express user consent in order to comply with German and European data protection laws. The feature which Facebook calls “tag suggestions” uses a face-mapping technology to identify individuals in photos on the site.

To address the compliance issues raised by the agency, Facebook and the Commissioner discussed the implementation of a procedure through which Facebook could obtain valid, informed consent. Following the familiar pattern of past exchanges, Facebook entered negotiations on the premise that it was in full compliance with EU law, insisting that its current practice of an opt-out check box provided easy and sufficient notice to its users about the tag suggestions and individual user ability to disable the feature.

Not surprisingly, German authorities did not agree with Facebook’s assessment of current compliance and expressed concern especially related to those users whose biometric facial characteristics were incorporated into the database prior to the introduction of the feature. Any opt-out solution offered by Facebook would only apply to future use of the facial recognition feature and not address the need to obtain the retrospective, explicit and informed consent, which the German authorities clearly consider a prerequisite to meeting EU privacy law standards.

While negotiations are currently at a stand-still, it seems that the German authorities ought to be able to take advantage of the timing and content of Facebook’s pending FTC settlement. The proposed FTC terms mirror the Working Party’s Consent Opinion to a remarkable degree as both focus on the data subject’s right to limit the scope of the collection and processing of personal data. If Facebook promises to the FTC that it will first obtain user consent before exposing previously collected data to a broader audience than initially intended by the user, the company must also acknowledge that, under EU privacy law, the same consent procedure is required for the introduction of features such as facial recognition.

Obviously, the Commissioner’s request that Facebook obtain retrospective consent is much more extensive than the purported FTC agreement. The burden associated with tracing all (approximately 20 million people) whose pictures were allegedly added prior to the introduction of the feature is onerous enough to explain Facebook’s unwillingness to negotiate. One has to wonder, however, whether the current impasse is not an indicator of more comprehensive developments in the relationship between Facebook and the German data protection agencies and whether both sides are finally preparing to square off in court.

Prioritized Examination of Patent Applications Under Leahy-Smith America Invents Act

Martin Miller — Wed, 02 Nov 2011 14:23:44 -0600

The Leahy-Smith America Invents Act ("AIA") was enacted on September 16, 2011. The changes implemented by this Act are wide-ranging and significant, and different provisions have different effective dates, with many taking effect September 26, 2011, September 16, 2012, or March 16, 2013. We will be providing additional information in the coming weeks and months.

One of the more immediate and interesting aspects of the AIA is the creation of a prioritized examination process which allows applicants to request accelerated examination in exchange for payment of an additional fee. While the U.S. Patent Office had proposed to implement accelerated examination earlier in 2011, that proposal was suspended due to funding limitations. Not only does the AIA now explicitly provide for prioritized examination, it also mandates that the additional fees paid for prioritized examination are automatically credited to the Patent Office's appropriation account—thus providing the additional funding needed for implementation.

Normally, patent applications are examined in the order they are received. While it varies greatly by technological area, on average it currently takes 28 months for the U.S. Patent Office to issue a first office action. The new prioritized examination track, on the other hand, is intended to result in a notice of allowance or final rejection within 12 months of prioritized status being granted. In theory, the first office action should therefore issue within about 6 months from the application filing date—almost two years sooner than is typical under the normal examination track.

So what's the catch? Perhaps the biggest is the additional fees required for prioritized examination: $5,230 (reduced to $2,830 for small entities). That's in addition to the normal application filing fees. Thus, the total fee due on filing an application for which prioritized examination is requested is $6,480 ($3,360 for small entities), not including any excess claim or application size fees.

Prioritized examination is only available for original utility or plant patent applications filed on or after September 26, 2011. However, for applications pending prior to that date, it is possible to file a continuation or divisional application and request prioritized examination of that application. Additionally, while prioritized examination is not available to a national stage entry of a PCT application, it is available for a continuation application claiming priority to a PCT application which designates the United States.

In addition, the application must be complete on filing (including the request for prioritized examination, acceptable drawings and payment of all applicable fees), must be filed electronically, and must contain no more than four independent claims or thirty total claims. During prosecution, an application will lose its prioritized examination status if: (1) an amendment results in more than four independent claims or thirty total claims; (2) a petition for an extension of time is filed; or (3) a notice of appeal or request for continued examination is filed.

It is unclear how many applicants will take advantage of prioritized examination, or whether or not the U.S. Patent Office will be able to consistently meet its goal of completing the examination process within 12 months. Because of these uncertainties and the continuing need to hire additional patent examiners, the prioritized examination program is limited to 10,000 applications during at least the first year of implementation.

What's next in EU data protection?

Christina Hultsch — Tue, 25 Oct 2011 08:02:25 -0600

The Article 29 Working Party outlined its agenda for 2012 at a recent plenary meeting in Brussels. Not surprisingly, the top priority is a new legal framework for data protection. But other topics, some of interest for US data protection developments, were discussed as well.

Revision of the EU data protection framework: To ensure that EU data protection authorities can consistently apply the EU data protection rules, the revisions to the current Data Privacy Directive will emphasize harmonization efforts to advance the cooperation and coordination between the various authorities.
WADA: The EU has ongoing concerns related to the current legal framework and the protection of athletes’ personal information. The EU Commission, supported by the Working Party, will provide comments to the proposed revision of WADA’s World Anti-Doping Code, which is planned for 2013.
Cooperation with the European Network and Information Security Agency (ENISA): The Working Party and ENISA share common interests with regard to data breach notifications and will intensify their cooperation.
EU Agency for Fundamental Rights (FRA): While the discussion addressed projects of the near future such as redress mechanisms and the publication of a Handbook on European data protection case law, FRA has long been critical of Passenger Name Record (PNR) data transmissions and a cooperation with the Working Party may suggest that the use of PNR will come under scrutiny again.

Whether the newly harmonized EU data protection rules will be a curse or a blessing for US companies doing business in the EU remains to be seen. Frustration by certain EU member states over a lack of cooperation between the national data protection authorities is undoubtedly a driving force behind this recent development and, as a result, the current practice of concentrating business operations in the jurisdiction with the least onerous data protection laws may soon come to an end. But if the closing of national loopholes is mitigated by a uniform application of data protection principles, it may be a worthwhile sacrifice.

ISSA Social Media Summit - Social Media and Legal Risk

Donna Ruscitti — Tue, 11 Oct 2011 11:13:46 -0600

Porter Wright attorney Justin Root will present “Social Media and Legal Risk” as part of the Information Systems Security Association (ISSA) Columbus Chapter's Social Media Summit on October 19, 2011 in Worthington, Ohio. More information is available at http://centralohioissa.org/. ISSA is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.

Act now to prevent use of your trademark with the new adult entertainment industry TLD

Robert J. Morgan — Tue, 04 Oct 2011 09:57:16 -0600

A new top level domain will soon be available for use by adult entertainment providers. In order to address concerns from trademark owners not in the adult entertainment industry, a sunrise reservation period has been established to enable trademark owners to reserve or "block" the new adult entertainment industry domain names that correspond to their registered trademarks. The period for trademark owners to reserve such domain names runs through October 28, 2011.

Blocking the use of .xxx domain names that correspond to registered trademarks will help prevent third-parties from exploiting these trademarks in connection with adult themed entertainment and will help to avoid costly future domain name disputes.

During the initial application period, only .xxx domain names that correspond to the complete textual components of the registered mark can be blocked. Reservations can be based only on trademarks registered prior to September 1, 2011. If the trademark upon which the reservation was based is later cancelled or otherwise invalidated, the domain may be released.

All applications to block .xxx domain names will be assessed at the same time so that no priority is given for applying early in the initial application period.

If successfully reserved, the .xxx domain name will resolve to a standard informational page indicating the status of the name as reserved. The WHOIS information for reserved names will list the .xxx registry as the domain registrant (not the trademark owner).

Fees for reservation depend on which accredited registrar is used to complete the process. The list of accredited .xxx registrars can be found here: http://www.icmregistry.com/registrars/.

Additional information can be found here: http://www.icmregistry.com/launch/sunrise-b/.

We are familiar with the requirements for the process and would be happy to assist you with protecting your brand against its use in a .xxx domain name. If you would like to learn more, please contact me at rmorgan@porterwright.com or at (614) 227-2186.

Still think consent is easy?

Christina Hultsch — Tue, 23 Aug 2011 13:02:12 -0600

In my last entry I stressed the importance of complying with the various consent requirements hidden in European data protection laws. To prove my point and to illustrate further the high standards imposed by the German Data Protection Law, a regional German DPA (das “Unabhängige Landeszentrum für Datenschutz” in Schleswig Holstein or “ULD”) has taken aim at Facebook’s data privacy practices by sending cease and desist letters to all website operators located in the area who incorporate the “like” button and other Facebook plugins on their pages. Operators have until the end of September to deactivate these features or face up to € 50,000 in fines.[1]

Despite asserting its inability to do so, ULD’s legal analysis[2] attempts a comprehensive study of Facebook’s data privacy policies and, as a result, appears to lose sight of the core issue which formed the basis for this enforcement action. ULD claims that website operators who incorporate Facebook plugins illegally transfer data to the U.S., yet the discussion of Facebook’s Safe Harbor Certification is restricted to one footnote.

Nonetheless, the opinion provides valuable insight into a typical DPA consent analysis and highlights common mistakes that will likely invalidate the consent obtained from the data subject. ULD analyzes the amount and quality of information provided to potential Facebook users during the registration process and concludes that the current method is not even remotely sufficient to justify the processing of personal data provided by Facebook users. Sheer mass is no substitute for the quality of information required to create valid consent, and ULD chastises Facebook for a blatant lack of clarity and transparency. The opinion further criticizes that the provided information is not only deliberately vague, but also incomplete as it excludes certain forms of data processing.

Even if this particular action is tailored specifically to curb Facebook’s insatiable appetite for collecting personal data, other U.S. companies are well advised to consider the message sent by ULD’s enforcement action and review their consent procedures, regardless of whether they have a physical presence in the European Union. Data privacy and protection is quickly becoming a global issue and the lack of EU jurisdiction just means that DPAs will seek alternative ways to punish U.S. companies for violations of EU data privacy laws. In a novel approach, Facebook is being targeted through the prosecution of its business partners located within the EU, and ULD is obviously confident that the pain inflicted on the website operators will create sufficient momentum to cause a change in Facebook’s privacy policies.

[1]https://www.datenschutzzentrum.de/presse/20110819-facebook.htm, an English version of the letter can be found at https://www.datenschutzzentrum.de/presse/20110819-facebook-en.htm

[2]https://www.datenschutzzentrum.de/facebook/facebook-ap-20110819.pdf

Basic Principles of European Union Consent and Data Protection

Christina Hultsch — Mon, 25 Jul 2011 14:01:16 -0600

Any US company that receives data about individuals living in the European Union must be familiar with the basic principles of consent and data protection within the EU to avoid costly mistakes that are easily made in obtaining consent, should the validity of such consent be challenged by the EU data protection agencies. While certain exemptions may apply that allow receipt of data into the US without consent, companies need to analyze their receipt of such data in light of the new consent opinion discussed below.

The constant collection, processing and transfer of personal data broadly defined in the EU as any information relating to an identified or identifiable person, [1] has become an overwhelming feature of modern society, both on-line and off-line. Contrary to law in the US, in the EU, obtaining the consent of the individual (the “data subject”) has always played a key role in the European Union’s data protection efforts.

The Article 29 Data Protection Working Party, an independent European advisory body on data protection and privacy, issued an opinion in July, 2011 addressing the consent principles currently in place as well as providing insight into a possible and likely expansion of consent requirements. (The opinion was published, coincidentally or not, immediately after the expiration of the deadline which requires EU member states to transpose the so-called “Cookie Directive" which serves the purpose of ensuring that a data processor obtain the individual’s consent each and every time a cookie is placed on a computer.[2])

Consent by the data subject is just one of various legal grounds permitting the processing of personal data within the EU member states and the transfer of such information to third countries which possess an inadequate level of data protection. The EU still considers the United State’s data protection standards to be insufficient and US companies must therefore rely on various exemptions, including consent, in order to import any personal data from the European Union.

The Working Party’s opinion scrutinizes the current practice of using default settings to create consent by silence or inactivity and ultimately concludes that a silent consent by accepting the default setting of a pre-ticked box should not qualify as unambiguous. If this opinion prevails, which is very probable due to the frequent reliance on Working Party opinions by the legislature as well as the courts, the current opt-out mechanisms will no longer suffice as a method of establishing valid consent.

To avoid any unpleasant surprises further down the road when a data protection agency scrutinizes the validity of the consent in place, companies should carefully consider the following:

Consent does not negate a data processor’s general obligation to adhere to the principles of proportionality, data quality, fairness and necessity. Regardless of the subject’s consent, excessive data collection is never permissible!
Consent is to be viewed in relation with other processing and transfer exemptions and companies must evaluate whether other grounds exist for the lawful collection and transfer of data. The most appropriate legal ground should be chosen for justification of the transaction and used in the right context. The Working Party suggests that consent often may not be available if other grounds exist. If the processing/transfer could have been performed based on a different ground, asking an individual for his consent could be considered misleading or inherently unfair.
For data transfers to a non-EU country, consent can only be requested for one distinct transaction. It cannot provide an adequate long-term framework for repeated or structural data transfers.
An employee’s consent will not be considered valid if it was not possible for the employee to refuse without a real or potential relevant prejudice arising from not consenting. This holds true even if the request for consent was made as a condition of employment. The rationale for such an expansion can be found in the fact that nearly all employers now impose the same or similar pre-employment condition of consent.
Consent can always be withdrawn. With the exception of the processing of location data under the e-Privacy Directive, there is no specific provision explicitly allowing for the withdrawal of consent. Such a right has nonetheless been uniformly accepted through case law and Working Party opinions. The current opinion expands on this concept and suggests as a matter of best practices that data processors regularly review the data subjects’ choices and approach the data subject to offer an option for confirming or withdrawing the consent.
The complexity of data processing places a burden on data controllers to put in place procedures that show consent has been verifiably obtained from the data subject.

When processing sensitive personal data such as health records or data related to a person’s age, race, religion, political beliefs, etc., the consent must be explicit. The data subject must take some positive action to signify consent and must be free not to consent. This requires an active response, which can either be oral or in writing. While the question of whether passive or silent consent can be unambiguous remains to be fully determined, there is absolutely no doubt that an opt-out process, such as the presence of a pre-ticked box, clearly fails the requirements for explicit consent. To obtain explicit consent, a data processor must provide an opt-in method to elicit a positive statement from the individual.

Attribution for the citations in this post are as follows: © European Union, http://eur-lex-europa.eu. Only European Union legislation printed in the paper edition of the Official Journal of the European Union is deemed authentic.

[1] Article 2 Definitions. For the purposes of this Directive: (a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

[2] Article 5(3) shall be replaced by the following: Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/ 46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF