Concordia University Libraries C I T A T I O N G U I D E S APA Citation Style This guide provides a basic introduction to the APA citation style. It is based on the 5th edition of the Publication Manual of the American Psychological Association published in 2001. Copies are available at the Vanier Library Reference Desk, in the Webster Library Reference Collection and on 3-hour Reserve (at both libraries). The call number for the handbook is BF 76.7 A46 2001. The Publication Manual is generally used for academic writing in the social sciences. The manual itself covers many aspects of research writing including selecting a topic, evaluating sources, taking notes, plagiarism, the mechanics of writing, the format of the research paper as well as the way to cite sources. This guide provides basic explanations and examples for the most common types of citations used by students. For additional information and examples, refer to the Publication Manual. Direct quotations of sources Direct quotations allow you to acknowledge a source within your text by providing a reference to exactly where in that source you found the information. The reader can then follow up on the complete reference in the Reference List page at the end of your paper. ƒ Quotations of less than 40 words should be incorporated in the text and enclosed with double quotation marks. Provide the author, publication year and a page number. She stated, "The ‘placebo effect,' ...disappeared when behaviors were studied in this manner" (Miele, 1993, p. 276), but he did not clarify which behaviors were studied. Miele (1993) found that "the ‘placebo effect,' which had been verified in previous studies, disappeared when [only the first group’s] behaviors were studied in this manner" (p. 276). ƒ When making a quotation of more than 40 words, use a free-standing "block quotation" on a new line, indented five spaces and omit quotation marks. Miele (1993) found the following: The "placebo effect," which had been verified in previous studies, disappeared when behaviors were studied in this manner. Furthermore, the behaviors were never exhibited, even when reel [sic] drugs were administered. Earlier studies were clearly premature in attributing the results to a placebo effect. (p. 276) ƒ For electronic sources such as Web pages, provide a reference to the author, the year and the page number (if it is a PDF document), the paragraph number if visible or a heading followed by the paragraph number. “The current system of managed care and the current approach to defining empirically supported treatments are shortsighted” (Beutler, 2000, Conclusion section, ¶ 1) Further examples and explanations are available in Section 3.34 of the Publication Manual. Reference citations in the text When using your own words to refer indirectly to another author's work, you must identify the original source. A complete reference must appear in the Reference List at the end of your paper. ƒ In most cases, providing the author’s last name and the publication year are sufficient: Smith (1997) compared reaction times… Within a paragraph, you need not include the year in subsequent references. Smith (1997) compared reaction times. Smith also found that… ƒ If there are two or three authors, include the last name of each and the publication year: …as James and Ryerson (1999) demonstrated… …as has been shown (James and Ryerson, 1999)… ƒ If there are three to five authors, cite all authors the first time; in subsequent citations, include only the last name of the first author followed by “et al.” and the year: Williams, Jones, Smith, Bradner, and Torrington (1983) found... Williams et al. (1983) also noticed that... ƒ The names of groups that serve as authors (e.g. corporations, associations, government agencies, and study groups) are usually spelled out each time they appear in a text citation. If it will not cause confusion for the reader, names may be abbreviated thereafter: First citation: (National Institute of Mental Health [NIMH], 1999) Subsequent citations: (NIMH, 1999) ƒ To cite a specific part of a source, indicate the page, chapter, figure, table or equation at the appropriate point in the text: (Czapiewski & Ruby, 1995, p. 10) (Wilmarth, 1980, chap. 3) ƒ For electronic sources that do not provide page numbers, use the paragraph number, if available, preceded by the ¶ symbol or abbreviation para. If neither is visible, cite the heading and the number of the paragraph following it to direct the reader to the quoted material. (Myers, 2000, ¶ 5) (Beutler, 2000, Conclusion section, para. 1) Further examples and explanations are available in Sections 3.94-3.103 of the Publication Manual. Reference List The alphabetical list of references that appears at the end of your paper contains more information about all of the sources you have used allowing readers to refer to them, as needed. The main characteristics are: ƒ The list of references must be on a new page at the end of your text ƒ The word References should be centered at the top of the page ƒ Entries are arranged alphabetically by the author’s last name or by the title if there is no author ƒ Titles are italicized ƒ Entries are double-spaced (for the purposes of this handout, single-spacing is used) Below are some examples of the most common types of sources including online sources (web and databases). Book with one author Bernstein, T.M. (1965). The careful writer: A modern guide to English usage (2nd ed.). New York: Atheneum. Book with two to five authors Beck, C. A. J., & Sales, B. D. (2001). Family mediation: Facts, myths, and future prospects. Washington, DC: American Psychological Association. Two or more books by the same author Arrange alphabetically by the book’s title Postman, N. (1985). Amusing ourselves to death: Public discourse in the age of show business. New York: Viking. Postman, N. (1985). The disappearance of childhood. New York: Vintage. Anthology or compilation Gibbs, J. T., & Huang, L. N. (Eds.). (1991). Children of color: Psychological interventions with minority youth. San Francisco: Jossey-Bass. Work in an anthology or an essay in a book Bjork, R. A. (1989). Retrieval inhibition as an adaptive mechanism in human memory. In H. L. Roediger III & F. I. M. Craik (Eds.), Varieties of memory & consciousness (pp. 309-330). Hillsdale, NJ: Erlbaum. Book by a corporate author Associations, corporations, agencies, government departments and organizations are considered authors when there is no single author American Psychological Association. (1972). Ethical standards of psychologists. Washington, DC: American Psychological Association. Article in a reference book or an entry in an encyclopedia If the article/entry is signed, include the author’s name; if unsigned, begin with the title of the entry Guignon, C. B. (1998). Existentialism. In E. Craig (Ed.), Routledge encyclopedia of philosophy (Vol. 3, pp. 493-502). London: Routledge. Article in a journal Mellers, B. A. (2000). Choice and the relative pleasure of consequences. Psychological Bulletin, 126, 910-924. Note: List only the volume number if the periodical uses continuous pagination throughout a particular volume. If each issue begins with page 1, then list the issue number as well. Klimoski, R., & Palmer, S. (1993). The ADA and the hiring process in organizations. Consulting Psychology Journal: Practice and Research, 45(2), 10-36. Article in a newspaper or magazine Semenak, S. (1995, December 28). Feeling right at home: Government residence eschews traditional rules. Montreal Gazette, p. A4. Driedger, S. D. (1998, April 20). After divorce. Maclean’s, 111(16), 38-43. Television or radio program MacIntyre, L. (Reporter). (2002, January 23). Scandal of the Century [Television series episode]. In H. Cashore (Producer), The fifth estate. Toronto: Canadian Broadcasting Corporation. Film, videorecording or DVD Kubrick, S. (Director). (1980). The Shining [Motion picture]. United States: Warner Brothers.  Article from a database Provide the same information as you would for a printed journal article and add a retrieval statement that gives the date of retrieval and the proper name of the database. Schredl, M., Brenner, C., & Faul, C. (2002). Positive attitude toward dreams: Reliability and stability of ten-item scale. North American Journal of Psychology, 4, 343-346. Retrieved December 16, 2004, from Academic Search Premier database. Dussault, M., & Barnett, B. G. Peer-assisted leadership: Reducing educational managers’ professional isolation. Journal of Educational Administration, 34(3), 5-14. Retrieved December 16, 2004, from ABI/INFORM Global database.  Non-periodical documents on the Internet Library and Archives Canada. (2002). Celebrating Women’s Achievements: Women Artists in Canada. Retrieved December 16, 2004, from http://www.collectionscanada.ca/women/h12-500-e.html  Article in an Internet-only journal Pelling, N. (2002, May). The use of technology in career counseling. Journal of Technology in Counseling, 2(2). Retrieved December 16, 2004, from http://jtc.colstate.edu/vol2_2/pelling.htm Further examples and explanations are available in Chapter 4 of the Publication Manual. Revised: December 2004 

CHAPTER 14 International CyberLaw The Internet has already been a source of tremendous progress in China … [b]ut countries that restrict free access to information or violate the basic rights of internet users risk walling themselves off from the progress of the next century …. [U]ltimately, this issue isn’t just about information freedom; it is about what kind of world we want and what kind of world we will inhabit. Secretary of State Hillary Rodham Clinton, Jan. 21, 2010 It is a lie to claim that the Internet is an absolutely free space without regulations. The truth is that it is the extension of the real world. Therefore, implementing monitoring according to a country’s national context is what any government has to do …. China will certainly and gradually change this reality, but the starting point of the change should be in the interests of the entire Chinese society instead of for the convenience or desire of a small group of people. Zhang Jingwei People’s Daily Online (China’s state-run newspaper), Jan. 26, 2010 LEARNING OUTCOMES After you read this chapter, you should be able to: • Identify key organizations that administer and regulate international cyberlaw • Explain how a firm’s global intellectual assets are regulated online • Explain the major issues involved with cross-border employee and data management • Discuss differences between U.S. and international online regulations Introduction The Internet is no longer the province of the economic elites. Access and use of the Internet has thoroughly penetrated the globe. China surpassed the United States in 2008 to become the largest nation of Internet users in the world. The number of Internet users globally has increased almost 400 percent since 2000. Citizens from countries as diverse as Azerbaijan and Vietnam are witnessing staggering increases in user activity. There is little sign that such increases will slow anytime soon. 439 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. With global interaction, however, comes a need for global regulation. Accompanying the advances in commerce and research available online are crime, intellectual property disputes, and misuse of online assets. Using a phrase that is by now almost too obvious to mention, where technology leads, regulation inevitably follows. This chapter will address some key issues related to global legal and regulatory issues online. After addressing problems of global governance, the chapter will turn to issues related to intellectual assets and treatment of individual data. The chapter then closes with a discussion of global Internet crime. As you read this chapter, look closely at the widely varying practices of different nations toward online regulation: What is closely regulated by one nation is left relatively untouched by another. These laws do not simply present rules to follow, but reveal important insights into attitudes and beliefs of the society toward the Internet, the use of information, and the broader world. Who Governs the Online World? Just as the Internet offers unprecedented opportunities for international communication and commerce, so too the Internet presents unique and difficult jurisdictional questions. The question of who exactly has what authority to resolve an online legal issue is far from certain. Businesses must know what law applies to their dealings so that these laws may be complied with. In other words, businesses must know the court’s choice of law in an online dispute. Businesses must also be aware of the appropriate forum for resolving international legal disputes in cyberspace. Whether a dispute will be resolved in the United States or elsewhere may have significant impact on the business decisions of a global Internet firm. The Problem of Jurisdiction Nearly all commentators agree that it is simply not possible for a single entity or group to control the Internet and thus have jurisdiction over its boundaries. Making matters more difficult, data is so easily converted and packaged as it moves from one computer to the other that the origin of the offending data may be easily masked by the author. Distance no longer matters, as a transmission from California to Nevada is as easy as one from California to India. Fundamentally, an Internet user places herself in a number of “virtual places” when she makes a statement, purchase, or sale online. The user and her data are “present” in the location of the originating computer, the locations of the routing networks of cyberspace, and the destination of the transmission. Thus, jurisdiction may be asserted in one of many places, such as the location of: • the Internet user • the Internet service provider • the various communications conduits through which the data flows • the content provider • the server that hosts the content provider’s information. The question remains: Whose national laws apply in a truly global online world? It is virtually impossible for a global online firm to comply with every applicable law in every nation when doing business around the world. Some law must apply, but whose national law that should be in a particular circumstance remains undecided. Enforcement of Online Jurisdiction Principles of National Enforcement A number of principles are employed to establish the power of countries over their national boundaries. These perceptions of 440 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. sovereignty have been well settled for hundreds of years. With the advent of cyberspace, they present significantly differing views on the sources of international authority for regulating cyberspace. The following three principles are the most relevant to jurisdictional issues in cyberspace: Territoriality Principle The territoriality principle states that a nation is sovereign over its physical territory to the exclusion of other states. Nations have the power to sanction and control conduct within the bounds of their own physical boundaries. The territoriality principle allows nations to regulate Internet content and services offered from within its boundaries. However, this principle cannot easily encompass cyberspace— because cyberspace does not have a concrete location. Cyberspace is a network so large and so distributed that removing one, ten, or even ten thousand computers would not damage the entire network. Nationality Principle The nationality principle affirms that a nation may control its citizens. This principle also defines the rights and responsibilities of citizens both inside and outside the territory of the nation. This principle has been used to establish that a court has criminal jurisdiction if the defendant is a national of the forum state and that a state may tax the worldwide income of its nationals. The nationality principle would guide Internet jurisdiction by establishing the nationality of the parties as the key factor determining jurisdiction, not their physical location. Effects Principle The effects principle holds that a country may protect its interests by criminalizing an act that it deems harmful to its national security. If a nation deems a practice particularly harmful, it may ban this act both within and outside its national borders. The Chinese government has passed a variety of laws that censor a variety of topics including online opinion critical of the government. The Saudi Arabian government censors certain “immoral” topics such as drug use, pornography, and religious conversion of Muslims. Other nations such as Australia and South Korea also engage in censorship of certain topics online. Although a number of disputes have arisen over which national law applies online, one particular dispute has become one of the most widely examined Internet jurisdictional cases in the world. This clash pits the commercial and speech interests of a leading multinational Internet corporation against the values and laws of a single nation banning a controversial practice. The following section and case shows how an American court resolved the challenge of enforcing national regulation in a truly borderless medium. Internet Jurisdiction in the European Union As discussed in Chapter 8, the United States’s approach to jurisdiction is based on “purposeful direction” of the individual or entity toward the jurisdiction. Any assertion of jurisdiction must meet basic standards of due process. Only if a citizen has some minimum contacts with the forum that are specifically directed toward that forum can a state’s jurisdiction apply. These rules are applied to both online and traditional transactions. The European Union bases its jurisdictional rules on the Convention on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters, Brussels 1968, also known as the Brussels Convention. This Convention bases jurisdiction on the defendant’s domicile, if there is a close link between the court and the action, or if jurisdiction would facilitate the “sound administration of justice.” In 2002, the Brussels Regulation, a modification of the Brussels Convention, became effective. This Regulation does not modify the key principles of the Brussels Convention, but makes changes specifically targeted toward electronic commerce. Most notable is Article 15 of the Regulation, which permits jurisdiction in a consumer’s domicile if the foreign defendant pursues commercial or professional activities “by any means” in Chapter 14: International CyberLaw 441 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. the nation where the consumer lives. The “by any means” language does not include transmission of a merely passive website. However, businesses can submit themselves to jurisdiction by both the intended and unintended effects of the business on that jurisdiction. Not bound by limitations of the U.S. Constitution, the regulation does not require notice or minimum contacts for jurisdiction to attach. The Brussels Regulation was controversial, as industry groups complained that it would impede the development of electronic commerce due to the risk of being subjected to an uncertain number of jurisdictions. Regulators countered that a strong consumer-favorable jurisdictional rule would encourage wary shoppers to purchase goods and services online and help neutralize any competitive advantage held by proconsumer protection laws of the United States. American and European Principles Collide It did not take many years after the popularization of the Internet for jurisdictional conflicts to arise between interests in Europe and the United States. Yahoo!, a popular search engine and web directory, permitted Nazi memorabilia to be sold on its auction site. This practice conflicted with French law, which prohibits the sale or exhibition of objects that incite racial hatred. Two human rights organizations filed a lawsuit in France against Yahoo! alleging that its auction practices violated French law. The French court ruled that Yahoo! was violating French law by failing to block French users from accessing the prohibited material. The judge stayed the execution of the judgment until a panel of experts could decide whether it was technically possible for a U.S.-based Internet company to identify and exclude French users. The panel concluded, by inspecting the Internet service provider addresses of users, that a filtering system could be implemented that would block most French users. The judge then confirmed his ruling and gave Yahoo! 90 days to comply. If Yahoo! failed to do so, it would be fined $13,000 a day until it complied with the order. Yahoo! responded by removing the offending material from its French portal and placing warning messages on its U.S. site informing French users that they could be breaking the law in their country if they observed certain offensive material. However, the controversy did not end there. Yahoo! filed a lawsuit in California, seeking a declaration that the French court’s order was unenforceable in the United States. Should a French court order regarding an American corporation have any effect within U.S. borders? The following case resolves this difficult legal question. YAHOO!, INC. v. LA LIGUE CONTRE LE RACISME ET L’ANTISEMITISME 169 F. Supp. 2d 1181 (N.D. Ca. 2001) Jeremy Fogel, U.S. District Judge [The court described the facts, summarized above, leading up to this lawsuit in the United States. The court then turned to the relevant legal issues in this case.] As this Court and others have observed, the instant case presents novel and important issues arising from the global reach of the Internet. Indeed, the specific facts of this case implicate issues of policy, politics, and culture that are beyond the purview of one nation’s judiciary. Thus it is critical that the Court define at the outset what is and is not at stake in the present proceeding. This case is not about the moral acceptability of promoting the symbols or propaganda of Nazism. Most would agree that such acts are profoundly offensive. By any reasonable standard of morality, the Nazis were responsible for one of the worst displays of inhumanity in recorded history. This Court is acutely (Continued) 442 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. mindful of the emotional pain reminders of the Nazi era cause to Holocaust survivors and deeply respectful of the motivations of the French Republic in enacting the underlying statutes and of the defendant organizations in seeking relief under those statutes. Vigilance is the key to preventing atrocities such as the Holocaust from occurring again. Nor is this case about the right of France or any other nation to determine its own law and social policies. A basic function of a sovereign state is to determine by law what forms of speech and conduct are acceptable within its borders. In this instance, as a nation whose citizens suffered the effects of Nazism in ways that are incomprehensible to most Americans, France clearly has the right to enact and enforce laws such as those relied upon by the French Court here …. In particular, there is no doubt that France may and will continue to ban the purchase and possession within its borders of Nazi and Third Reich related matter and to seek criminal sanctions against those who violate the law. What is at issue here is whether it is consistent with the Constitution and laws of the United States for another nation to regulate speech by a United States resident within the United States on the basis that such speech can be accessed by Internet users in that nation. In a world in which ideas and information transcend borders and the Internet in particular renders the physical distance between speaker and audience virtually meaningless, the implications of this question go far beyond the facts of this case. The modern world is home to widely varied cultures with radically divergent value systems …. If the government or another party in one of these sovereign nations were to seek enforcement of such laws against Yahoo! or another U.S.-based Internet service provider, what principles should guide the court’s analysis? The Court has stated that it must and will decide this case in accordance with the Constitution and laws of the United States. It recognizes that in so doing, it necessarily adopts certain value judgments embedded in those enactments, including the fundamental judgment expressed in the First Amendment that it is preferable to permit the nonviolent expression of offensive viewpoints rather than to impose viewpoint-based governmental regulation upon speech. The government and people of France have made a different judgment based upon their own experience. In undertaking its inquiry as to the proper application of the laws of the United States, the Court intends no disrespect for that judgment or for the experience that has informed it …. COMITY No legal judgment has any effect, of its own force, beyond the limits of the sovereignty from which its authority is derived. 28 U.S.C. § 1738. However, the United States Constitution and implementing legislation require that full faith and credit be given to judgments of sister states, territories, and possessions of the United States. U.S. Const. art. IV, §§ 1, cl. 1. The extent to which the United States, or any state, honors the judicial decrees of foreign nations is a matter of choice, governed by “the comity of nations.” Hilton v. Guyot, 159 U.S. 113, 163, 16 S.Ct. 139, 40 L.Ed. 95 (1895). Comity “is neither a matter of absolute obligation, on the one hand, nor of mere courtesy and good will, upon the other.” Hilton, 159 U.S. at 163-64, 16 S.Ct. 139 (1895). United States courts generally recognize foreign judgments and decrees unless enforcement would be prejudicial or contrary to the country’s interests…. As discussed previously, the French order’s content and viewpoint-based regulation of the web pages and auction site on Yahoo.com, while entitled to great deference as an articulation of French law, clearly would be inconsistent with the First Amendment if mandated by a court in the United States. What makes this case uniquely challenging is that the Internet in effect allows one to speak in more than one place at the same time. Although France has the sovereign right to regulate what speech is permissible in France, this Court may not enforce a foreign order that violates the protections of the United States Constitution by chilling protected speech that occurs simultaneously within our borders…. The reason for limiting comity in this area is sound. The protection to free speech and the press embodied in the First amendment would be seriously jeopardized by the entry of foreign judgments granted pursuant to standards deemed appropriate in another country but considered antithetical to the protections afforded the press by the U.S. Constitution. Absent a body of law that establishes international standards with respect to speech on the Internet and an appropriate treaty or legislation addressing enforcement of such standards to speech originating within the United States, the principle of comity is outweighed by the Court’s obligation to uphold the First Amendment…. Accordingly, [Yahoo!’s] motion for summary judgment will be granted. The Clerk shall enter judgment and close the file. IT IS SO ORDERED. (Continued) Chapter 14: International CyberLaw 443 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. CASE QUESTIONS 1. This case was been widely discussed by commentators as a watershed decision. How does this case highlight the development of how courts, government, and society think about the Internet? 2. Would the court’s decision be different if Yahoo! could block access by French users with a minimum of cost and effort? Why or why not? 3. How does this decision enlighten lawmakers about the power of individual governments to regulate global cyberspace? Self-Regulation: The Future of Dispute Resolution? Although it is unlikely that national governments will converge on a single set of jurisdictional rules, large online commercial enterprises have filled the gap. One interesting example is eBay, one of the largest online auction and shopping websites in the world. eBay facilitates several million transactions daily, many small in value, and disputes between buyers and sellers are inevitable. These disputes are resolved by a proprietary dispute resolution mechanism, an online computer-assistant negotiation, and then online mediation. Parties use an interactive computer program that helps focus the issues in disputes and recommends agreements that have frequently been accepted before in similar situations. This program, known as an expert system, learns from its successes and failures, which in turn improves the suggestions available to parties in its database. Once this process is complete, human mediation occurs between the parties entirely online. Although such a process is currently utilized by large entities like eBay who have a committed user base, the potential for broader application is intriguing. The system operates at low cost and as a result fewer than one in a thousand eBay disputes end up in court. International Regulation of Trademark Law Trademark law is primarily a creature of national law. However, international law sets down guidelines of uniform definition and protection and establishes ways to make it easier for owners to acquire rights in different countries. The following discussion provides examples of leading international trademark laws and problems. Key International Trademark Treaties Trade-Related Aspects of Intellectual Property Rights The Trade-Related Aspects of Intellectual Property Rights agreement (TRIPS) is one of the World Trade Organization’s (WTO) multilateral agreements. Like the other WTO multilateral agreements, the WTO member countries are automatically members of the TRIPS Agreement. TRIPS establishes a comprehensive set of rights and obligations governing international trade in intellectual property. To accomplish this, the Agreement establishes a common minimum of protection for intellectual property rights within the territories of all WTO member countries. The TRIPS Agreement offers a number of important points. Multilateral Intellectual Property Agreements WTO member countries are required to observe the substantive provisions of major multilateral intellectual property agreements such as the Berne Convention and Paris Convention (both will be discussed further later in this Chapter). TRIPS also supplements these multilateral intellectual property agreements. For example, the Agreements set the minimum terms of copyrights at 50 years, patents at 20 years, and trademarks at 7 years. 444 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Enforcement of Intellectual Property Rights TRIPS establishes criteria for the effective enforcement of intellectual property rights. WTO member countries are bound by the WTO’s Dispute Resolution Understanding agreement. This understanding establishes a mechanism for settling intellectual property disputes between WTO member countries. It establishes a system of panels and appellate review to administer dispute resolution provisions and encourages voluntary compliance with its rules. International Intellectual Property Rights The Agreements extends basic international trade principles to the field of international intellectual property rights. The national treatment principle requires each member country to extend to nationals of other members treatment “no less favorable” than that which it gives its own nationals regarding intellectual property rights. The transparency principle requires member countries to publish and notify the WTO’s TRIPS Council of all relevant laws, regulations, and practices, and to promptly respond to other member countries’ requests for information about its intellectual property rules. The most favored nation principle requires a member country to grant to the nationals of all other member countries the most favorable treatment that it grants to the nationals of any one of them. The International Convention for the Protection of Industrial Property (Paris Convention) The Paris Convention establishes a “union” of countries responsible for protecting industrial property rights. Industrial property rights include patent, trademarks, and industrial designs. Member countries have three requirements for compliance. First, signatory nations must follow the principle of national treatment as mentioned earlier in the TRIPS agreement. Second, signatory nations must establish a right of priority in their intellectual property systems, whereby an applicant for protection in one country has up to 12 months to file an application in other countries, and that those other countries must then treat the application as if it were filed on the same day as the original application. Finally, the nation must establish basic minimum criteria and procedures for granting industrial property rights. Trademark Law Treaty The Trademark Law Treaty seeks to achieve uniformity in various trademark procedures. The treaty was signed at the Diplomatic Conference in Geneva on October 27, 1994. The key features of the treaty seek to harmonize the following rules: • the initial and renewal terms of registering trademarks is 10 years; • service marks now have equal protection as trademarks under the Paris Convention; • various procedures related to renewal applications, powers of attorney, authentication, and others have been streamlined. Madrid Protocol The Madrid Protocol establishes a single international trademark application and registration system that provides trademark protection in a number of countries. Managed by the WIPO, international registration has the same effect as if registration was made in each of the signatory countries. If a particular national office does not refuse protection, then the trademark has the same protection in that country as any other. The Madrid system significantly simplifies trademark management. Companies may record subsequent changes (i.e. change of ownership, change of address of the holder, even renewal of registration) with a single procedural step. A number of countries have signed the Madrid Protocol, such as China, France, Poland, Russia, Spain, the United Kingdom, and Switzerland. After some initial reluctance related to E.U. voting rights, the United States joined the Madrid Protocol in November, 2003. Chapter 14: International CyberLaw 445 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Resolving Trademark Domain Name Disputes through a Uniform Dispute Resolution Policy The WIPO has established a Uniform Dispute Resolution Policy (UDRP) that aids in resolving domain main disputes between trademark holders and domain name owners. The UDRP holds that if a domain name registrant refuses in bad faith to transfer the domain name over to a valid trademark holder of the name, the trademark holder may obtain cancellation of the domain through the UDRP. A UDRP complainant must show three things in order to retrieve the domain from the respondent: • the respondent’s domain name is identical or confusingly similar to the trademark, • the respondent has no rights in the domain name, and • the respondent has registered the domain name and possesses it in bad faith. Unlike traditional trademark infringement, where subjective intent is relevant, under the UDRP a showing of the respondent’s bad faith is mandatory. “Bad faith” includes, for example, purchasing the domain name with the intent to resell it at a higher price, prevent the trademark owner from obtaining the name, disrupt a competitor’s business, or attract the trademark holder’s potential customers for commercial gain. Although many nations follow the UDRP standards, some countries have developed their own policies toward dispute resolution. For example, the United Kingdom has developed its own dispute resolution service policy that requires the trademark holder prove the domain name owner is engaged in an “abusive registration.” This system is more complainant-friendly in that it does not require the trademark owner to meet the burden of showing bad faith by the domain name owner, which the UDRP requires. China, by contrast, now shields from complaints owners of .cn domains (the top level domain for China) who have registered at least two years with an accredited dispute resolution service provider. Australia’s dispute resolution policy applies to domain names not only similar to trademark or a service mark but to any name in which a complainant possesses rights, including the complainant’s personal name. Ireland’s policy is also expansive, covering trade and service marks, reputable personal names and pseudonyms, as well as geographical indications. Resolution of a UDRP proceeding occurs quickly by judicial standards, generally taking about two months to resolve. Thus the UDRP becomes most attractive to trademark owners who are most interested in having the offending domain name transferred rather than obtaining money damages that a court can provide. If necessary, decisions of the UDRP may be appealed to a U.S. federal court. Global Disputes Over Domain Names Disputes as to who owns a domain name (the owner of the real-world trademark or the owner of the domain name online) have arisen both within the United States and throughout the world. Unfortunately, no single overarching rule exists regarding the trademark status of domain names and what circumstances permit the transfer of what domain name to another. Purchasers who buy domain names in order to extract revenue from the legitimate trademark holder are generally denied ownership. In addition, purchasers who own domains similar to legitimate trademarks for the purpose of commercially exploiting the similarity are also generally denied ownership. Uniformity is not complete, however, and court rulings can be fact-dependent in the absence of clear international consensus on domain name rights. Below are some are examples of national treatment related to defining ownership of a domain name. United Kingdom The U.K. courts faced one of the earliest domain name disputes, which involved conflicting trademark owners. In Prince plc v. Prince Sports Group, Inc., a 446 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. U.S. manufacturer of sports equipment sought to enjoin a U.K. defendant, Prince plc, an information technology company, from using the domain name prince.com. Both parties had valid trademarks supporting use of the name. Prince plc held valid common law rights in the United Kingdom to use the prince mark, while the U.S. firm completed valid trademark registrations of the word “prince” in both the United Kingdom and the United States. The U.K. court, relying on the principle of “first in time, first in right,” concluded that Prince plc could retain the domain because it had registered the domain name first. The U.K. court also concluded that Prince plc could retain the domain name because, as an information technology company, it was completely distinct from the U.S. sports company and would not cause a likelihood of confusion between the companies. U.K. courts have also ruled against cybersquatters, concluding that various defendants have “passed off” the trademark holder’s well-known marks by cybersquatting on domain names. In addition, a U.K. court found that it had jurisdiction over a German website because the U.K. plaintiff alleged harm and damages resulting within the United Kingdom. The U.K. plaintiff cited Section 2 of the Brussels convention, which permits lawsuits to be heard where the unlawful event occurred. Russia Russia’s policy toward domain names has changed significantly since the early days of the Internet. In 2001, Eastman Kodak filed suit in Russia to stop a former dealer from using the www.kodak.ru website. The Russian court ruled that because a domain name was neither a good nor a service, trademark law did not apply to it and allowed the dealer to keep the site. After the enactment of a 2002 Trademark Law, trademark owners have been able to promptly register domains purchased by squatters. Both Google and Gilette have been successful in seizing Russian domain names sporting their trademarks from illegal purchasers. Although some critics have charged that dispute resolution authorities may have bias in favor of repeat users of the system, there is significant progress toward a transparent and reliable system. South America Many South American nations have an array of legal sources that can apply to domain names, including international treaties, national constitutions, general principles of civil and criminal law, trademark legislation, court decisions, and administration policies. In spite of this complexity, courts appear willing to transfer domain names when trademark interests are threatened. In Chile, an arbitrator reassigned the domain name hugoboss.cl to Hugo Boss from a local representative of a perfume distribution company. Another Chilean arbitrator reassigned meetro.cl from a third party to a public transit corporation that provides subway services on the grounds the site would create confusion amongst public consumers. In Colombia, national airline Avianca failed to timely renew its domain name. The domain was quickly snatched up by a resident of Florida who linked it with a travel agency website. The arbitrator found that the new owner had no rights to the domain and ordered reassignment to the national airline. A firm’s right to seize another’s domain name is not limitless, however. In Peru, a WIPO panel rejected a petition by a cosmetics company who owned the trademark “Esika” to seize the esika.com and esika.net domain names from a real estate enterprise. The court reasoned that the two firm’s marks are both registered trademarks and exist in different and noncompeting industries. Asia As Internet use in Asia has increased, so has the number of domain name disputes. For example, in India, Yahoo! sued to stop an Indian company from acquiring and using the domain name Yahooindia.com without a license. Yahooindia raised a number of common defenses, such as placing disclaimers on its website disassociating Chapter 14: International CyberLaw 447 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. itself with Yahoo!, citing the sophistication of Internet users, claiming its registration of the domain name is a complete defense, and asserting that because India did not have legislation protecting service marks it could not be restrained. The Indian court rejected Yahooindia’s arguments, reasoning that a disclaimer does not reduce confusion, and stating that trademark law applies with equal force online as well as in the physical world. Other Asian countries have also witnessed trademark domain name disputes. In China, Yahoo! prevailed in securing the domain name yahoo.com.cn from various cybersquatters. In New Zealand, quokka.com, which had a license to use the America’s Cup Trademark, filed a complaint against two New Zealanders who registered an Internet address using the trademark. Lawsuits were filed in both New Zealand and the United States. Hours before a U.S. federal judge was to rule in the case, the parties settled, and the two New Zealanders agreed to transfer the domain names. The Problem of Enforcement Even if a company with a valid trademark discovers a potentially infringing cybersquatter, enforcing that trademark on an international scale may pose the following significant difficulties. • A popular trademark is subject to dilution online because of the plethora of available domain names with deceptively similar marks. For example, the website att.com has attracted such deceptive imitators as attt.com, at-t.com, attcellular.com, attweb.com, attonline.com, attnetwork.net, and others. • Even if a cybersquatter is found, effective judicial service on the squatter may be difficult, as addresses given are often fictitious. • If a deceptive domain name holder is found and served with a cease-and-desist notice, the holder could transfer the domain name to a third party. • The holder’s name may remain listed for a time with Network Solutions, Inc. (NSI), the entity responsible for many domain name allocations, even if it does not pay registration fees or loses a lawsuit. The best strategy for protecting domain name trademarks may be a good offensive stance. Purchase a domain name and its related terms as quickly as possible before a cybersquatter grabs it. Protection of Creative Works through Copyright Law A basic international purpose of copyright law is to encourage creativity by recognizing a property right in the artist’s creation. The creator of the work should have the power to regulate dissemination of the creation as well as profit from it. Like trademark law, copyright law is generally regulated on a nation by nation basis. The following section discusses key issues related to international copyright law and cyberspace. Important International Copyright Initiatives The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) As noted earlier in this chapter, TRIPS is one of the most important agreements impacting intellectual property rights, establishing comprehensive rights and obligations through minimum standards of protections. Although TRIPS does specifically speak to copyright issues, such as protection of computer programs, compilations of data, and rental rights, its most significant powers arise from incorporation of the copyright-focused Berne Convention for the Protection of Literary and Artistic Works, also known as the Berne Convention. 448 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. The Berne Convention The Berne Convention creates a union of countries responsible for protecting literary and artistic rights (that is, copyrights). Like the TRIPS agreement, Berne Convention members must practice the principle of national treatment. In addition, no formalities (such as the use of the copyright symbol ©) may be required to protect artistic property. Third, artistic property protected in one member country is protected in all. Finally, the Berne Convention establishes basic minimum criteria and procedures for granting literary artistic rights. A number of the cyberlaw cases that courts hear globally involve claims of copyright infringement in violation of the national laws that implement the Berne Convention. Examples include the following: • Wang Meng v. Century Internet Communications Technology Co.: A case in which a court in Beijing, China, held that the defendant had violated the copyrights of several authors by posting their works on a website without their permission. • International Federation of the Phonographic Industry v. Olsson: A case in which a Swedish court held that a teenager had not infringed any copyrights by posting links to copyright recordings on his website. European Union Copyright Directive The European Union Copyright Directive (EUCD) was formally adopted by the European Parliament on February 14, 2001. The EUCD provides harmonization of copyright protection for rightholders. The EUCD establishes a universal definition of noncommercial private copying. Also, the EUCD authorizes the imposition of penalties against any person who attempts to circumvent security measures from digital files. Article 6 outlaws devices or products “designed to circumvent technological measures” that thwart piracy. The EUCD permits limited replication of copyrighted material for “transient and incidental” reproductions that are an essential part of computer transmission, such as the distribution of files on computer networks. Most E.U. member nations have implemented the directive nationally. Nations such as Finland, France, the United Kingdom, and others have made specific changes to bring their laws in compliance of the directive. WIPO Copyright Treaty The WIPO Copyright Treaty (WCT) builds upon the foundation of the Berne Convention and explicitly states that it does not “derogate from existing obligations” of that convention. The WCT gives copyright holders the power to authorize publication of their works in both wire and wireless modes and in a manner established by the copyright holder. The determination of when infringement occurs is left to the individual member state’s national law. However, Article 12 states that signatories must provide legal remedies to copyright holders whose works have been illegally copied through the circumvention of antipiracy technologies. Injunctions and other speedy legal tools must be available to enforce the copyright. Although the WCT requires that signatories develop enforcement measures, the WCT does not have a specific enforcement provision similar to TRIPS. Global Obligations of Internet Service Providers One of the most pressing global online copyright issues is that of liability of Internet service providers (ISPs) for copyright-infringing materials that pass through their networks or data storage. An ISP typically provides its customers access to online services such as email and Internet access in exchange for a monthly fee. The DMCA, discussed in Chapter 5, protects online service providers in the United States from copyright infringement of its users unless evidence exists of willful or purposeful disregard of copyrights. Similar protection is available for European ISPs. This protection is provided through European Community Electronic Commerce Directive (ECD). This directive affirms that free circulation of information in the European Chapter 14: International CyberLaw 449 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Community is a guaranteed freedom of expression protected by Article 10(1) of the European Convention for the Protection of Human Rights and Fundamental Freedoms. The ECD specifically shields ISPs from monetary liability arising from the transient storage or reproduction of illegal materials. Only injunctive relief, the removal of offending material and prevention of further infringement, remains available to copyright holders. Furthermore, an ISP will not be held liable for storing illegal information placed there by a user as long as the provider is not aware of the activity and fails to act quickly to remove or disable access to the information. Under the ECD, providers will also not be held liable for transitory transmission of illegal data if the provider, once informed of the illegal information, acts expeditiously to remove or disable access to the illegal information from the user. The ECD also prevents E.U. nations from imposing obligations on providers to monitor transmitted or stored information. E.U. nations also cannot impose upon ISPs a general obligation to seek out facts or circumstances indicating illegal activity. ISPs in the European Union may be insulated from providing even the most basic of information. In 2008, the European Court of Justice ruled that European nations do not have to pass legislation requiring that ISPs disclose the personal data of subscribers because of a pending civil lawsuit. In Productores de Música de España v. Telefónica de España, a group of Spanish music and video producers requested a Spanish ISP provide them with identities of anonymous users arising out of a lawsuit alleging illegal file sharing. The court said that European law compels no such legal requirement, and it urged E.U. nations to strike a “fair balance …between the various fundamental rights protected by the Community legal order.” Although the ECD in the European Union is one of the most developed regimes regulating ISPs, a number of common principles exist in national laws toward ISPs. For example, with regard to hosting of third-party information, legislation exists in China, New Zealand, and Singapore as well as Europe and the United States that provides safe harbor protection to ISPs. In addition, China, South Korea, Japan, Singapore, New Zealand, and a host of other nations immunize providers from copyright infringing content that exists on their servers. Like in Europe, liability generally attaches only when providers fail to take action after becoming aware of allegations. Many nations even have formalized “notice and takedown” systems, whereby copyright owners may contact providers with allegations of infringement which in turn triggers an obligation to remove the content that is the subject of the notice. If a provider fails to do so, it loses the safe harbor protections. One exception is Japan, whereby alleged infringers are notified of the notice-and-takedown proceeding and have an opportunity to challenge the claim of infringement before content is removed. In order to deter frivolous claims, Singapore, China, South Korea, and the United States all have legislation authorizing punishment of those who knowingly file false claims of infringement with the ISP. GoogleGoogle China: Search Engine Giant Meets Government Censorship Google is the world’s largest Internet search engine firm. One of its basic mottos is “don’t be evil.” Google has been a strong proponent of the free flow of information on the Internet. Google, however, faced a significant challenge to that philosophy when in 2006 it agreed to filter certain keywords given to it by the Chinese government. Some searches such as the phrase “Tank Man,” which was related to the 1989 Tiananmen Square democracy protests, were blocked altogether. Google’s reluctant cooperation received such disapproval that Congress threatened Google in the United States with sanctions over its role in handing over information about Chinese dissidents. One member of Congress even introduced the Global Online Freedom Act, which if passed would have 450 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Business Method Patents and Trade Secrets The rapid increase of electronic commerce has made business methods increasingly essential for global business. Obtaining a patent for a novel business method, such as oneclick ordering of a product, can give a company a significant competitive advantage on an international scale. Although many countries recognize some form of business method patents, in particular for software-related applications, the details and specific coverage can vary from country to country. As noted in Chapter 6, computer software in the United States is protected under the federal patent legal regime. In the European Union, Article 52 of the Convention on the Grant of European Patents of the European Patent Convention (EPC) states that “programs for computers” are excluded from patentability. In 2000, a diplomatic conference group attempted to revise the EPC in order to change Article 52 and grant patent protection, but the measure was not successfully adopted. However, a closer look at the E.U. system reveals that the European Patent Office has issued tens of thousands of patents related to computer programs. For example, in the Auction Method/Hitachi case, the Boards of Appeal of the European Patent Office (BAEPO) considered whether an automated auction system constituted patentable subject matter under Article 52 of the EPC. The BAEPO concluded that the system was a patentable invention because it encompassed technical features such as a network, server computer, and client computers. In a later decision known as The Duns Licensing Case, the BAEPO reaffirmed this approach and approved a business method for estimating sales and product distribution in situations with limited data as patentable under the EPC. Through these and other cases, the BAEPO established a pattern of identifying a physical feature of a patent claim and using that feature to conclude the claim had technical character and thus a patentable invention under Article 52. Japanese patent law resembles E.U. patent law in many respects. Whereas inventions under European law must be “susceptible to industrial application,” Japanese patent law criminalized Google’s conduct in China, such as censoring the results of search engines and handing over personally identifiable information to Chinese law enforcement. The bill never became law, and would have precluded most U.S. information technology firms from working in China, but shows the deep consternation held by members of Congress over China’s actions. In early 2010, Google finally relented and stated that it was “no longer willing to continue censoring” its results on google.cn. The trigger for this reversal was the discovery of hackers who accessed two gmail accounts as part of a vast Chinese espionage campaign. Experts believed their purpose was the gaining of information about Chinese political dissents and secret military technology. The state-run newspaper China Daily authored an aggressive response, noting that Internet information is far from free in other countries, and it recounted how the United States granted significant increases to the government to monitor communications without permission following the attacks of 9/11. The article concluded, “Google should take the Chinese people’s feelings into consideration and stop using Chinese customers as hostage to confront the Chinese government…. We do not hope that giant multinational enterprises such as Google will become pure political tools for the U.S. to export its own concepts of values. A lot of Chinese people like Google, but they do not want to become tools being used by Google.” Chapter 14: International CyberLaw 451 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. requires an invention be “industrially applicable.” Although Japan has drafted guidelines that prohibit patents for business methods, it permits patenting of software or computerimplemented business methods that involve the “creation of technical ideas.” In short, whereas Europe and Japan have recognized business method patents for technical and computer-implemented methods, only the United States has accepted business methods for nontechnical or computer-related patent applications. In China, the standing practice of their patent office has been to allow business method patents for computer- or software-related activities. Applicants are not routinely granted, however, and must be implemented through computer or network technologies (not just software alone), solve technical problems, be novel and inventive, and be capable of repeated application. For example, Citibank obtained two business method patents related to money management systems. Amazon has filed 12 patent applications in China, all of which are still pending. Extraterritorial Enforcement of Business Method Patents The conflicting view of business method patents worldwide presents significant obstacles for United States businesses. A prospective patentee must disclose information about the patent in the application. That information may be used by foreign competitions to duplicate the invention in nations where such patents are not recognized. The most obvious choice for enforcing business method patents is to bring suit in the United States against the infringing party. Section 402(1)(c) of the Restatement of Foreign Relations states that a country has “jurisdiction to prescribe law with respect to …conduct outside its territory that has or has intended to have a substantial effect within its territory.” Infringement of a business method patent on foreign soil through a cyberspace or real-world medium could arguably constitute a “substantial effect” within U.S. territory. However, an American court would only apply the law if that foreign state’s law recognizes the patentability of business methods. Another provision, Section 271(g) of the Patent Act of 1994, allows businesses to block the importation of infringing products into the United States. The patent holder must show a connection between the alleged infringement and the imported product. If the product is a direct result of a violation of the patent, the patentee may block the importation of that product. However, for a business method patent to receive this protection, it must be an essential part of the development or manufacturing process. Global Protection of Trade Secrets Unlike business method patents, trade secrets have an established history of international recognition and protection. For example, the Paris Convention prohibits unfair trade practices amongst its over 150 members, including the United States. The Paris Convention states that unfair trade practices include “[a]ny act of competition which is in conflict with the fair customs of industry and trade.” Although examples provided by the Paris Convention do not explicitly include trade secrets, trade secret infringement could likely be interpreted as a form of “unfair competition” under its provisions. Trade Related Aspects of Intellectual Property Rights The most relevant TRIPS provision to trade secret protection is Article 39(2) that states: Natural and legal persons shall have the possibility of preventing information lawfully within their control from being disclosed to, acquired by, or used by others without 452 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. their consent in a manner contrary to honest commercial practices so long as such information: a. is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question; b. has commercial value because it is secret; and c. has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret. Although this section does not use the phrase “trade secret,” it clearly contemplates protection for undisclosed commercial information. Article 39(2) requires that the information must be secret and not generally known among individuals knowledgeable in the field. Also, the information must have some commercial value in the marketplace. Finally, the owners of the information must have taken some steps to keep the information from public disclosure. The phrase “manner contrary to honest commercial practices” arguably encompasses a broad range of improper disclosures such as breach of confidence by a confidant and the acquisition of the information by third parties who knew or should have known that the practice in question was a trade secret. Thus, the violation of trade secrets under TRIPS may include unlawful disclosers, as well as third-party acquirers of secret information. The Vulnerability of Trade Secrets to Online Distribution Bargain shoppers are constantly looking for the best deals online or in traditional markets. Some websites, such as fatwallet.com, offer forums where consumers can exchange information about the prices. Retailers learned that their upcoming sales circulars were being posted online. They demanded websites like fatwallet.com remove these postings and demanded the names, contact information, and IP addresses of the anonymous users who posted the circulars. The retailers not only claimed the postings violated the Digital Millennium Copyright Act (discussed in Chapter 5), but also asserted that the postings constituted misappropriation of their trade secrets. The global reach of the Internet makes company trade secrets more vulnerable than ever. A single posting by a disgruntled employee or vendor can irrevocably release valuable information to anyone with access to a computer. Customers could use the information to shape purchase decisions. Competitors could modify planned promotions based upon forthcoming sales or business strategies. National laws possess a wide variety of trade secret protection. India, for example, does not have a specific law regulating trade secrets. India is a signatory to TRIPS, however, and must adhere to its requirements to pass laws providing minimum protections for trade secrets. Although India lacks specific statutes, courts have been willing to enforce trade secret rights, granting immediate injunctive relief in a number of cases where private company information was threatened with disclosure. In Germany, as with other European countries, employment relationships hold special mutual significance. Employment contracts in Germany carry an implied obligation that the employee will not disclose trade secrets during his or her employment. Like France, Poland, Austria, and other countries, Germany criminalizes the misappropriation of trade secrets by employees and any third parties who knowingly receive the trade secret information. In the United Kingdom, employees cannot publicize or distribute a firm’s confidential information or trade secrets. According to the leading case of Coco v. A. N. Clark (Engineers) Ltd., 1 a firm trying to prove a breach of confidence by an employee must prove three things. First, the information must “have the necessary qualify of confidence about 1 (1969) R.P.C. 41 (U.K.). Chapter 14: International CyberLaw 453 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. it.” This is similar to the U.S. requirement that the information must be treated or kept as a secret to be protected. Second, the information must have been provided in circumstances imposing an obligation of confidence, such as a contract. Third, the information must have been used in an unauthorized fashion to the detriment of the owner. In the following case, a former employee of a U.K. recruitment firm posted information about its clients on LinkedIn, a popular job networking site. The recruitment firm sued the former employee for damages in court claiming a violation of trade secret law. HAYS SPECIALIST RECRUITMENT (HOLDINGS) LTD. v. IONS [2008] EWHC 745 (Ch) High Court of Justice (Chancery Division), United Kingdom Hon. Mr. Justice David Richards Hays [Specialist Recruitment (Holdings) Limited (Hays)] through its subsidiaries carries on business as specialist recruitment employment agencies and as providers of staff bureau services. The business is carried on in the UK and abroad[.] … Mark Ions was for six and a half years … an employee of … Hays …. Exclusive Human Resources Limited (EHR) is a company established by Mr. Ions which has since the termination of his employment with Hays been carrying on business in competition with Hays. It is not suggested that this is itself in breach of any contractual or other duty. The potential action against Mr. Ions and EHR would be based on allegations that while still an employee Mr. Ions copied and then retained confidential information concerning clients and contacts of Hays, that he and EHR have used that information in EHR’s business[.] Mr. Ion’s employment with Hays commenced on 12 January 2001 as a recruitment consultant in the field of human resources and he was later promoted to a managing consultant. From September 2006 he specialized in placing training and similar personnel for a broad range of professional, public sector and commercial clients. He covered Leeds, Newcastle and Edinburgh. He is described in Hays’ evidence as “middle ranked.” Mr. Ions’ contract of employment signed by him on 12 January 2001 required him to devote his whole time and attention during business hours to the business of Hays and to use his endeavours to promote Hays’ interests in every respect, giving at all times the full benefit of his knowledge, expertise and skill…. Clause 18 provided: “You must not, during the course of your employment or at any time thereafter, make use of, or disclose or divulge to any person, firm or company, any trade secrets, business methods or information which you know, or ought reasonably to have known to be of a confidential nature concerning the businesses, finances, dealings, transactions, client database or other affairs of the Company or the Group or of any person having dealings with the Company which may have come to your knowledge during the course of your employment unless it is necessary for the proper execution of your duties hereunder, and you shall use your best endeavors to prevent the publication or disclosure of any such information.” The material evidence as regards the transfer and alleged misuse of information may be summarized as follows. On 18 May 2007 Mr. Ions incorporated EHR and he does not dispute that he intended to carry on a competing business through it once he left Hays. When he gave notice on 8 June 2007, he made no secret of his intention to set up a competing business. Although his employment continued for 28 days, he was not permitted to work for Hays during that period. A later search of his e-mail account at Hays has shown that on 18 May 2007, Mr. Ions sent invitations to at least two clients or candidates of Hays to join his professional network with a website called LinkedIn. LinkedIn is similar in basic concept to social networking sites such as Facebook but is designed solely for the purpose of professional networking. A person joining LinkedIn, in this case Mr. Ions, registers and creates a profile page, with information about his employment and education history. Once registered, the member can use the site in a number of different ways for establishing contacts. The relevant method for present purpose is to upload e-mail contacts and LinkedIn will invite them by e-mail to join the member’s network. If the contact accepts the invitation, he or she becomes a “connection” whose contact details will be available to the other connections to the member’s network. LinkedIn is widely used by recruitment companies. Mr. Ions gives evidence that he had been a member of (Continued) 454 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. LinkedIn for over a year, with the encouragement of Hays, and he exhibits a print-out which appears to show that other employees of Hays, including [Ions’ manager], were members for business purposes…. Ms. Sullivan alleges that on or around 18 May 2007 “Mr. Ions began a campaign of migrating confidential client and candidate contact details from the Applicants’ confidential database to his own personal account at the web facility Linked-In”[.] …Hays’ solicitors wrote on 5 September 2007 requiring a copy of all “business contacts” on Mr. Ions’ LinkedIn network before any steps were taken to delete them and warning him to preserve this evidence. In an unsigned witness statement received by Hays’ solicitors on 26 October 2007 Mr. Ions stated that he had arranged for the whole of his old LinkedIn network to be deleted, thereby destroying “any contact information that existed”, and that he had not separately maintained a copy of the contact list nor would he able to recreate it. However, the U.S. operators of LinkedIn retain the data and have agreed to preserve it. The upshot is therefore that Mr. Ions had “Hays linked contacts” on his network. He has given no indication of numbers but they are likely to be more than a handful, because he says that he would not able to recreate the contact list. He states in his evidence that “all of the information was put on to the site during the course of my employment with the Applicants.” His case, denied by Hays, is that it was done with Hays’ consent and that once uploaded and once the invitation to join his network is accepted, the information ceased to be confidential because it was accessible to a wider audience through his network …. [Mr. Ion’s attorney] submits that it is not Mr. Ions’ action in uploading e-mail addresses to LinkedIn, but the invitees’ acceptance to become connections, which resulted in the information becoming available on his network and it is not then confidential but publicly available, at least to his other connections. In my view, this breaks down at the first stage. If the information was confidential, it was Mr. Ions’ action in uploading the e-mail addresses which involved a transfer of information to a site where at least the details of those addressees who accepted his invitation would be accessible by him after his employment had ceased. The evidence suggests that he may have done so, not for the benefit of Hays but for the benefit of his posttermination business. If so, even if confidentiality in the information was thereafter lost, Hays may well have a claim against Mr. Ions…. [Mr. Ions] accepts that he had Hays linked contacts on his site. He has given no indication as to numbers, but it seems very likely to be more than just a few, and he has given no indication as to when he uploaded the contacts except that it was during his employment…. This is not a case of a former employee remembering some contact details after the termination of his employment. The transfer to his network occurred during his employment and the list was such that he could not recreate it once he deleted it…. In my judgment Hays has reasonable grounds for considering that it may have a claim against Mr. Ions as regards the transfer of information concerning clients and applicants by uploading it to his LinkedIn network while still employed by Hays and with a view to its subsequent use by him in his own business. CASE QUESTIONS 1. Hays already had a contract with Mr. Ions preventing disclosure of trade secrets. What could Hays have done, if anything, to prevent disclosure of their information on LinkedIn? 2. During the last days of his employment, Ions conducted a number of what Hays considered to be “highly suspicious” searches of Hays’ database which contained business sensitive and confidential data on past, current, and prospective clients. Ions conceded that he performed the searches but that they carried out as part of his usual duties. How should this evidence affect this decision in this case? 3. What responsibility, if any, does LinkedIn have to provide deleted information to Hays as part of its lawsuit against Ions? Is LinkedIn liable at all for Ions’ conduct? The Online Employment Relationship One of the most pressing Internet-related issues is an employee’s right to privacy in his or her correspondence and records at work. Unlike the relatively meager rights accorded to employees in the United States (discussed in Chapter 10), privacy rights for European employees are significantly more robust. Privacy for European employees in Europe has Chapter 14: International CyberLaw 455 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. been traditionally linked with its powerful trade unions and a strong recognition of worker self-determination. Contrast this with the American system of employment at will, whose distinctive feature allows employers to punish or fire employees at almost any time and for a wide variety of reasons. The enhanced privacy protection for employees dates back to at least 2000, when the European Union established the Charter of Fundamental Rights of the European Union (Charter) delineating the fundamental rights of Europe’s citizens. Articles 7 and 8 in the European Union protect personal data, and drafters specifically replaced the word “correspondence” with “communications.” This word change was intended to include all kinds of modern communications for privacy protection, including email and other Internet-based communications. U.S. cases, by contrast, appear to have given less protection to emails than have been granted to telephone calls. The question of to what extent employee activity online at work can be monitored remains in some dispute. In the case that follows, an employee (referred to by the court as the applicant), challenges his proposed discharge from employment with the European Central Bank. The Bank claims that the employee engaged in a variety of inappropriate conduct through email and the Internet. The employee counters that the Bank cannot impose an Internet or email policy on his employment and that there was insufficient evidence to support a discharge. As you are reading this case, consider how attitudes toward privacy and the Internet influenced this decision and how they differ from attitudes in the United States. X v. EUROPEAN CENTRAL BANK Case T-333/99, [2001] ECR II-921 European Court of Justice J. Azizi, President, K. Lenaerts and M. Jaeger, Judges On 12 November 1998 the ECB adopted Administrative Circular 11/98 headed ‘ECB Internet Usage Policy’ (hereinafter ‘Circular 11/98’) laying down the rules governing the use by staff members of computers providing a link to the internet and enabling electronic mail to be sent and received. This provides, in particular: “3.1 The ECB internet facilities are provided for business use.” … The applicant, who had been a servant of the European Monetary Institute (‘the EMI’), entered into the service of the ECB on 1 July 1998. He was assigned to the ECB’s archives section, where he worked as a documentation officer. His work-station was equipped with a computer which was linked, like all the ECB’s other computers, to a central server. In November 1998 the applicant’s computer was fitted with an internet link and a facility enabling him to send and receive electronic mail. In August 1999, following a complaint by one of the applicant’s colleagues, the Personnel Department opened an internal investigation. On 18 October 1999 the administration of the ECB informed the applicant of the opening of disciplinary proceedings against him and of the fact that the Executive Board of the ECB had decided, on the same day, to suspend him from his duties pursuant to Article 44 of the Conditions of Employment, on the basis that he should continue to be paid his full basic salary. It also informed the applicant that he was suspected, first, of having repeatedly procured through the internet documents of a pornographic and political nature and of having sent them to third parties by electronic mail. Second, he was suspected of having importuned the colleague who had submitted the complaint, in particular by sending him numerous messages by electronic mail containing material of a pornographic and/or ideologically extreme nature, despite the fact that the colleague in question had clearly indicated that he did not approve…. The applicant’s lawyer …stated that the disciplinary regime provided for by the Conditions of Employment was lacking in any legal basis and that it violated general Community principles and principles common to the (Continued) 456 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Member States[.] …The applicant maintains that the ECB had no power to adopt a disciplinary regime …. [The employee argued that] the relationship between the ECB and its employees is of a straightforward contractual nature, based on the principle of freedom to contract and resulting from personal rights and freedom to pursue an occupation, the protection of which constitutes a general principle of Community law. It is not, therefore, based on a relationship of subordination. Consequently, the ECB is not empowered to prescribe in the Conditions of Employment, and to apply, a disciplinary regime enabling it unilaterally to modify the terms on which the contract is to be performed, in breach of the principle of freedom to contract. The ECB could have protected itself against breaches by its employees of their contractual obligations without setting up such a regime, by contractually reserving to itself an exceptional right to dismiss employees…. [The court responded that] the employment relationship between the ECB and its members of staff is of a contractual nature, and not of the type existing between the public service and its officials. Next, it should be noted that the contract in issue was concluded with a Community body which is responsible for the fulfillment of a task in the Community interest and which is empowered to lay down, in the form of regulations, the provisions applicable to its staff. In view of this, and contrary to the applicant’s assertions, the Governing Council [of the European Central Bank] was entitled … to provide in the Conditions of Employment for a disciplinary regime enabling it …, in the event of noncompliance by one of its staff with the obligations imposed by the employment contract, to take such measures as might be necessary in the light of the responsibilities and objectives assigned to it. [The employee also challenged the factual allegations supporting his proposed discharge.] According to the applicant, the ECB has not provided the slightest proof of the grounds on which his dismissal was based. The applicant observes in that regard, first, that, if the ECB wished to base its case on the 900-page file and the CD-ROM for the purposes of establishing the legality of the disciplinary measures, it should have specified the relevant complaints and allegations. It should also have indicated the subjective considerations on which the dismissal decision was based and which it alone could have known. Second, the applicant denies, in particular, having referred to himself on a regular basis as the ‘OaO/ MoU’ (‘One and Only/Master of the Universe’). At the very most, it is true that he occasionally used those terms in an ironic sense amongst his colleagues. He likewise denies having regularly made offensive remarks about his colleagues, having behaved towards them in an indecent or provocative manner, having from the outset displayed a negative attitude towards a specific colleague, having harassed a colleague and having been informed by the latter that he did not approve of this. The applicant claims that it was for the ECB to give details concerning that complaint, in order that he might be able to defend himself. Third, he claims that it was for the ECB to specify the dates on which he allegedly procured the pornographic or political messages which he is then said to have sent to third parties by electronic mail. Fourth, the applicant denies that the pornographic documents and biographies of Nazi leaders contained in the file constitute in themselves grounds for dismissal. They do not mean that the applicant identified himself with the political message of the Nazis. At the very most, it could be argued that those documents prove an infringement of Circular 11/98 prohibiting internet access to such documents. That is not a relevant factor, however, inasmuch as the circular does not form part of the contractual terms agreed by the parties and is not legally in force. Fifth, the applicant claims that the ECB has failed to show that the electronic mail messages complained of were in fact sent by the applicant himself and, consequently, that the applicant alone had access to his computer during the period under consideration…. [The court responded to the employee’s arguments.] [T]he harassment by the applicant of one of his colleagues and the intimidating and violent nature of his conduct towards the victim are established to the requisite legal standard by the corroborative testimony of the latter, of his immediate hierarchical superior and of the head of the Archives Section, and also by the content of the electronic mail messages …. [A]s regards the denial that the pornographic documents and the items containing biographies or photographs of Nazi leaders were capable in themselves of constituting grounds for dismissal, it must be observed that the documents in question were sent by internal electronic mail to the victim of the harassment and therefore constitute an aspect of that harassment. Furthermore, the file shows that websites of a pornographic nature were consulted on the internet from the applicant’s computer and that animated sequences of a pornographic nature were repeatedly sent by electronic mail to addressees outside the ECB, on 11 occasions between 18 August and 18 October 1999 …. (Continued) Chapter 14: International CyberLaw 457 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. The ECB rightly observes in that regard that, since the matters referred to above may become public and may be reported by the media, there is a serious risk that they could create a scandal which might be damaging to its image and, possibly, its credibility…. Moreover, since the applicant’s computer was located in an open-plan office occupied by six persons, and since its operation required the use of a personal password, it would have been difficult for a third party to use that computer, especially with the frequency and at the times [that the communications were made]. This conclusion is a fortiori inevitable since the applicant admitted at the hearing that he had not revealed his password to anyone else. The plea is likewise manifestly unfounded …. RULING: On those grounds, [the Court hereby dismisses the action.] CASE QUESTIONS 1. Representatives of the European Central Bank presented 900 pages and a CD-ROM worth of evidence in support of a discharge of a single employee. Why did the ECB need to marshal so much evidence in support of the dismissal? 2. Would the process have been handled differently in the United States? What are the costs and benefits of that process? 3. What the European Central Bank done to have prevented this problem from happening in the first place? Codes of Conduct and Information Hotlines Significant mistrust exists toward an employer’s ability to manage employee data in Europe. In one survey, 39 percent of French respondents and 30 percent of German respondents reported that they did not trust employers to use personal information in an acceptable manner. This mistrust has encouraged governments to restrict employer flexibility in using employee information. Two cases from France provide typical examples of non-U.S. reactions to company reporting systems. In 1978, France established the French Data Protection Authority (CNIL), which was charged with the oversight and application of French law related to data protection. The law in its current state states information technology shall not violate individual’s human identity, human rights, privacy, or individual liberties. U.S. companies have encountered significant problems with implemented practice acceptable in the United States or even necessary to comply with U.S. law. For example, Exide Technologies sought to establish a hotline designed to permit employees to communicate accounting irregularities. The system enabled employees to report problems via a toll-free number or through email. Anonymity was guaranteed on request and the information would be sent via encrypted email to the manager in the company tasked with addressing the complained of issue. Further information would be gathered and the employee subject to the investigation would have an opportunity to respond. The data would be kept on this system for no longer than one year. Exide Technologies, as well as McDonald’s France who considered a similar system, requested a legal opinion from CNIL about the propriety of the system. In two written opinions, the CNIL considered both reporting systems. The CNIL reasoned that the reporting systems “could lead to an organized system of professional denunciation” and violate current laws regarding data protection. The system was also considered to be “disproportionate to the objectives sought” and could encourage the “stigmatization of employees” who were the subject of the calls or emails. Finally, the CNIL concluded that, notwithstanding what the companies claimed, employees would “not be, by definition, informed as soon as the data questioning their professional or personal integrity is recorded, and as such they would not have the means to contest the processing of such data.” As a result, the CNIL rejected both reporting systems because they were not found to comply with French Data Protection Law. 458 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. The reluctance of European courts (a German court rejected a similar system imposed by Wal-Mart in 2005) posed a real problem for U.S. companies. The purpose of the Exide’s system (and perhaps others) was to comply with Sarbanes-Oxley Act of 2002 (discussed in Chapter 11), which establishes new standards for financial reporting and internal accounting oversight. The failure to have such hotlines arguably makes U.S. firms in noncompliance with the Act.2 After the McDonalds and Exide case, the CNIL appeared to offer some relief to U.S. firms by authorizing processing of personal data through a whistleblowing system under certain controlled circumstances. In addition, the E.U. Working party (an entity that gives advice about the level of data protection in the European Union and third countries) issued a directive that also permitted whistleblowing reporting systems as long as privacy protections and protections for the rights of incriminated employees were in place. The Chairman of the Working Party sent a copy to the SEC stating that the opinion now clearly shows that E.U. data protection rules does not prevent whistleblowing systems or the processing of personal data related to these systems. It remains to be seen whether other countries follow Europe’s lead and strike a balance between permitting such systems and protecting the rights of accused employees and the privacy of personal data. International Aspects of Electronic Contracting As electronic commerce transforms into a truly global phenomenon, the need for international regulation of the area has developed along with it. A number of international regulatory frameworks exist that attempt to govern the global cyber marketplace. Although none of these frameworks are binding everywhere, each provides guidance on a number of issues regarding electronic commerce. U.N. Convention on Contracts for the International Sale of Goods The U.N. Convention on Contracts for the International Sale of Goods (CISG) represents the fundamental international framework addressing international goods commerce. Widely accepted amongst nations, the CISG was ratified by the United States on January 1, 1988. Thus, if a U.S. buyer contracts for goods with a seller that has also ratified the convention, CISG will govern the contract. It applies automatically unless the parties opted out. UNCITRAL Model Law on Ecommerce The United Nations Commission on International Trade Law (UNICTRAL) model law on electronic commerce is the international standard for developing a coherent global regulatory system. In 1996, the U.N. General Assembly recommended the model law for adoption by all members. This document represented the culmination of a decade of international cooperation. The model law focuses on general rather than specific prescriptions. It does not describe in detail how to create legally binding electronic documents, nor does it require the use of a particular technology in order to meet any requirements. Electronic documents are legally effective if they satisfy the functional equivalence of paper documents. Regarding signatures, Article 7 of the model law requires not only that a method be used that both 2 A 2006 appeals court decision, Carnero v. Boston Scientific Corp., 433 F.3d 1 (1st Cir. 2006), ruled that the whistleblower protection provision of the Sarbanes-Oxley Act did not have extraterritorial application to extend protection to a foreign employee who worked abroad for foreign subsidiary of a U.S. company. This decision, while not dispositive on hotlines and not binding on all U.S. regions, hints as to what courts might say in the future about the obligations of Sarbanes-Oxley for hotlines. Chapter 14: International CyberLaw 459 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. identifies the originator and confirms the originator’s approval, but also be “as reliable as was appropriate” for its intended purpose. Article 10 recognizes that information initially set out on paper may be transferred to an electronic medium and still satisfy record requirements for an original. Similarly, messages are also given equal respect to admissibility and evidentiary weight in legal proceedings. Finally, Article 14 discusses determining receipt of a message, focusing whether a data message was received, and not on whether it has been read, as the critical factor for acknowledgement. The model law has three general limitations. First, it does not establish specific provisions relating to consumers, perhaps because of the difficulty of defining a consumer in a global context. Second, the model law limits itself soley to commercial activities, although governments do look to the model law for the delivery of services and programs. Third, the model law does not contain significant enforcement and liability provisions. In spite of these weaknesses, this model law has had a significant effect on the development of electronic commerce regulations worldwide. Over a dozen countries, including Australia, Korea, France, and Ireland, have adopted legislation substantially based on the model law. The laws of many U.S. states have also been influenced by the model law’s provisions. European Union Electronic Commerce Directive European Union representatives are gradually developing a legal framework regulating electronic commerce through a number of initiatives. In 1998, for example, E.U. representatives proposed harmonizing legislation in the following five areas: commercial communications, online formation of contracts, liability of intermediaries, and enforcement issues. The result was the European Union Electronic Commerce Directive, which requires that member states allow contracts by electronic means and that they are given similar treatment to traditional agreements. It also requires that such contracts cannot be denied legal effectiveness simply because they are electronic. U.N. Convention on the Use of Electronic Communications in International Contracts Adopted by the U.N. General Assembly in 2005 and opened for signature by interested nations in 2006, the goal of the United Nations Convention on the Use of Electronic Communications in International Contracts is to increase certainty and predictability that had not been previously available in electronic commercial transactions. The Convention would require participating states to ensure that contracts are not denied validity simply because they occur through electronic communication. In addition, participating nations cannot refuse to enforce contracts simply because the automated systems creating the contract were not specifically reviewed or approved by a human being. Although a significant update to electronic contract regulation, the Convention is relatively limited in scope. Similar to coverage established by the UNCISG, the Convention only applies to electronic communications between parties whose places of businesses are in different participating countries. Although it is narrow in the parties it will cover, unlike the UNCISG (which only applies to goods), it potentially applies to a wide array of transactions, including services, software licenses, barter transactions, auctions, as well as goods. Purely domestic electronic contracts, even if a nation has signed the Convention, are not covered. Also, if only one of the two parties has its place of business in a participating nation, the Convention does not apply. Eighteen nations have signed this Convention, including China, Korea, Russia, and Singapore. The United States is not a signatory. 460 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Global Securities Regulation One of the unique characteristics of the Internet is its users’ capacity to send securitiesrelated information across national boundaries. This has made international enforcement of securities laws critical. Regulators are focusing on a variety of securities law topics and their application in a global format. They have to balance the need to prevent securities fraud with the need to promote the efficient use of the Internet. The SEC and other organizations around the world are now making significant efforts to regulate the flow of capital in cyberspace and enforce securities laws online. Regulation of the International Movement of Capital The intergovernmental organization (IGO) that has taken the leading role in regulating the international movement of capital is the Organization for Economic Cooperation and Development (OECD). Its Code of Liberalization of Capital Movements, first adopted in 1961 and last amended in 1989, requires the OECD member countries to progressively abolish their restrictions on the movement of capital. That is, it encourages member countries to let foreigners invest locally and to allow residents to invest abroad. The other IGO that has taken an interest in capital movements is the Council of Europe. Its 1989 Convention on Insider Trading establishes a cooperative mechanism for supervising securities markets. In particular, “because of the internationalization of markets and the ease of present-day communications,” the Convention focuses on uncovering insider trading activities “on the market of a state by persons not resident in that state or acting through persons not resident there.” The Convention, in essence, allows the regulatory agencies in one country to request the assistance of those in another country to uncover conduct by an individual or individuals that constitutes insider trading in the requesting country. Aside from the Council of Europe’s multilateral Convention on Insider Trading, the other international efforts to stop insider trading are found in bilateral “memorandums of understanding” (MOUs) between the U.S. Securities and Exchange Commission and its counterparts in other countries. The MOUs provide a mechanism for exchanging information and for mutual cooperation in the investigation of securities violations. International Cooperation and Securities Law Enforcement The International Organization of Securities Commissions (IOSCO) is a multinational body of governmental and nongovernmental organizations concerned with the regulation of securities fraud on a global scale. IOSCO’s members include organizations from at least a hundred countries, including the U.S. Securities and Exchange Commission. The IOSCO and its members have four objectives. First, members should cooperate together to promote high standards of regulation in order to maintain just, efficient, and sound markets. Second, members should exchange information on their respective experiences in order to promote the development of domestic markets. Third, members will attempt to unite their efforts to establish standards and an effective surveillance of international securities transactions. Fourth, members will provide mutual assistance to promote the integrity of the markets by a rigorous application of the standards and by effective enforcement against offenses. The IOSCO has also drafted a Multilateral Memorandum of Understanding that encourages cooperation amongst securities regulators. This nonbinding document states that signatories will provide assistance to one another to the fullest extent available to secure compliance with relevant securities rules. The memorandum also explains how requests for assistance should be made and defines rules for information use and the maintenance of confidentiality. Chapter 14: International CyberLaw 461 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Global Issues of Privacy in Cyberspace As an ever-increasing number of people access the Internet from all over the world, the question of what privacy should exist in cyberspace becomes all the more important. As national and international initiatives develop around the globe, significantly different perceptions of privacy begin to emerge, some in conflict with U.S. policy. The following section presents key initiatives around the world related to the issue of privacy in cyberspace. European Union Directive on Privacy Protection One of the most significant efforts protecting data privacy is the European Union’s Directive on Privacy Protection, which became effective on October 25, 1998. The directive 95/46/EC of the European Parliament and the Council of 24 October 1995 requires E.U. member states to adopt legislation that protects the “fundamental rights and freedoms” of an individual, particularly the right to privacy as it relates to the processing and collection of personal data. Under the directive, “personal data” is defined as information that relates to an identified or identifiable natural person. Corporations are not included under this definition. The definition of “processing” personal data is “any operation or set of operations performed upon personal data” and includes its collection, storage, disclosure, and destruction. The provisions of the legislation also apply to nonmember states doing business with member states. Specifically, Article 6 of the directive requires member states involved in the collection and possession of personal data to ensure that the data are: • processed fairly and accurately • collected for specified and legitimate purposes and not further processed in a way incompatible with those purposes • adequate, relevant, and not excessive for the purposes for which they are collected and/or further processed • accurate and, where necessary, updated • kept in a form that permits identification of data subjects for no longer than is necessary Additionally, Article 7 of the directive states that personal data may only be processed if the person or corporation in control of the data can prove at least one of the following: • the consent of the data subject has been given unambiguously • the processing of the data is necessary for the performance or preparation of a contract to which the data subject is a party. • the processing of the data is necessary in order to protect the vital interests of the data subject • the processing of the data is in the public interest or in the exercise of official authority of the controller of the data or a third party • the processing is necessary for the legitimate interests of the controller or a third party except where the data subject’s privacy rights are greater. Article 25 prohibits the export of personal data to nonmembers countries that do not have laws that “adequately” protect personal data. “Adequate” does not have a specific definition, but is rather defined on a case-by-case basis “in light of all circumstances surrounding a data transfer operation or set of data transfer operations.” Article 25 has significant implications for U.S. businesses and other E.U. nonmembers. This article requires E.U. members to follow vague minimum standards regarding the protection of personal data. For nations like the United States, whose laws do not 462 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. conform to the strictures of the directive, U.S. companies may be denied access to the E.U. marketplace. If U.S. companies “misuse” E.U. privacy information, they may be subjected to monetary penalties. Industries that heavily rely on personal data, such as services, travel, and health care companies, are most drastically affected. Early implementation of the privacy directive has been quite stringent against E.U. nonmembers. For example, a Swedish privacy watchdog group demanded that American Airlines delete all health and medical information about Swedish passengers after each flight unless the passenger gave express consent otherwise. This would require American Airlines to delete details about allergies, asthma, and dietary needs, which is routinely collected in the United States, and not transmit that data to its reservation system in the United States. The Swedish court agreed with the privacy group, and transmission of this information was suspended. Although it is unclear whether this would happen today, this example shows how easily anyone can take action against an infringing non-E.U. company. The directive permits any of the over 350 million E.U. citizens to file an action against a company claiming abuse of personal data that can be pursued to the highest echelons of the E.U. court system. At any time during this process, courts can mandate injunctions, suspend data flow, and halt business operations of an infringing firm. This first directive reveals how far apart the European Union and other countries (especially the United States) are in their views of international data privacy. The United States/European Union Safe Harbor Agreement In response to the E.U. directive, the United States released draft “safe harbor” principles that purported to protect the privacy of data through a mix of government regulation, registration, and industry self-policing. After significant negotiations, the European Union and the United States reached an agreement on March 14, 2000, that established safe harbor privacy principles accessible to both parties. This agreement, known as The U.S.-E.U. Safe Harbor Agreement, establishes fixed requirements that U.S. companies must satisfy in order to meet the European Union’s minimum standards of privacy protection. See Exhibit 14.1. Meeting this standard would allow U.S. companies to avoid experiencing interruptions in their business dealings with the European Union or avoid prosecution by European authorities under European privacy laws. Certifying to the safe harbor assures the European Union that U.S. companies provides “adequate” privacy protection, as defined by the E.U. Directive. At least 130 companies have joined the list, with more additions on the horizon. Subsequent Interpretations The 1995 Directive states that national data protection laws apply when processing of personal data “is carried out in …the activities of an establishment of the controller on the territory of the Member State” or where the controller of the data “makes use of equipment, automated or otherwise, situated on the territory of the said Member State.” In 2002, the Article 29 Data Protection Working Party adopted an expansive interpretation of the scope of data protection law. Specifically, the opinion stated that the “use of equipment” language included websites that merely place a “cookie” or use JavaScript software on a user’s computer. This would imply that even the most modest of Internet-related activities by a user on a foreign or domestic website would implicate the full regime of E.U. data protection. In 2008, the Working Party reaffirmed its 2002 opinion and also explained what constituted an “establishment” in the territory of an E.U. member state. The Working Party said that a local office, subsidiary, or even the presence of a third-party agent can constitute an “establishment” in the European Union that would trigger the obligations of its data protection laws. If the firm owns search engines, local support of Chapter 14: International CyberLaw 463 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. customers or local ad sales would trigger the processing of personal data in the context of an E.U. establishment and also invoke the European Union’s legal regime. The implications are far-reaching. In modern Internet usage virtually every website collects and processes, however modest, some type of personal data. If any site is accessed by an E.U. user, then the owner of the site may be theoretically subject to E.U. data protection law. Enforcing rules against a web owner with no connections to Europe, however, would be another matter entirely. EXHIBIT 14.1 U.S. Compliance with the Safe Harbor Principles: A Checklist Firms must satisfy seven basic principles in order to qualify for the safe harbor. As stated by the U.S. Department of Commerce, they are: Notice: Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure. Choice: Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual. Onward Transfer (Transfers to Third Parties): To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles. Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Data integrity: Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current. Enforcement: In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self-certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured. If an organization fails to comply with the safe harbor after certifying it has done so, it will be actionable under federal and state law provisions prohibiting unfair or deceptive acts. If the failure to comply continues, the company will no longer be entitled to benefit from the safe harbor coverage, and the company must notify the U.S. Department of Commerce. Source: United States Export Website, www.export.gov/safeharbor 464 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. E.U. Directive on Privacy and Electronic Communications The 2002 Directive on Privacy and Electronic Communications, also known as the EPrivacy Directive, supplements the earlier 1995 E.U. Directive on Privacy Protection. This directive regulates significant aspects of Internet marketing. The E-Privacy directive requires online providers to erase or make anonymous traffic data under most circumstances. Article 13 prohibits the use email addresses for marketing unless the marketer obtains the addresses through an opt-in system. Businesses that collect data through a sale can use that data for commercial purposes as long as the customer has an opportunity to refuse further communication from the firm. While recognizing the importance of cookies, the directive requires consumers be given the opportunity to opt out of receiving cookies on his computer. Implementation of this directive varies across member states. For example, when a company offers an incentive for a user to forward a company message to friends, the company must obtain permission before doing so. In the Netherlands, a court ruled in 2008 that online tell-a-friend forms were only allowed if the site offers no rewards, the user does so at his own initiative, the user can review the full email before it is sent, and the website does not store the recipient’s email address beyond what is needed to send the particular tell-a-friend message. In 2009, the European Union published another Council Directive (2009/136) clarifying when and how consent must be obtained before a website can download cookies or software onto a user’s computer. This directive requires that users receive “clear and comprehensive” information about the purpose of the downloaded cookie or software before consent is obtained. Arguably in contradiction to this earlier requirement, the right to refuse must be “as user-friendly as possible.” The Directive does allow consent to occur through settings of a browser or other application, so separate consent is not necessary for every downloaded item. Canada’s Personal Information Protection and Electronic Documents Act Privacy initiatives are not limited to Europe. For example, Canada’s leading privacy legislation is the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in effect since 2001. The Act establishes basic ground rules regarding how private sector companies may collect, use, or disclosure personal information collected by them in the course of their commercial activities. With certain exceptions, the Act requires a company to obtain an individual’s consent when it collects, uses, or discloses personal information. The Act also requires companies to supply a consumer with a product or a service even if the consumer refuses to consent to the collection, use, or disclosure of personal information, unless the information is essential to the transaction. Companies must provide personal information policies that are clear, understandable, and readily available. Any information held by a company that remains after a transaction is completed with a consumer should be destroyed, erased, or made anonymous when that data is no longer necessary. The Act does not apply to information held by individuals for personal use (i.e., a personal greeting card list), provincial or territorial governments, an employee’s basic personal information, and the collection of information solely for journalistic, artistic, or literary purposes. If a complaint is filed, the Privacy Commissioner will investigate the complaint and attempt to resolve the dispute through mediation. That failing, the individual can ask for a hearing in the Federal Court. That court may award damages when appropriate. The court may also impose a fine as high as C$100,000 against any entity who inhibits a Commissioner’s investigation. Chapter 14: International CyberLaw 465 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Although PIPEDA is limited to Canadian firms in most situations, courts may allow Canadian officials to exercise a more global reach. In 2007, the Federal Court of Canada heard Lawson v. Accusearch Inc., which involved an investigation of a U.S. company that was collecting and using the personal information of Canadian citizens. The court ruled that, although the U.S. firm had no physical presence in Canada other than a website, Canada’s Privacy Commissioner had the authority to investigate complaints levied against foreign organizations that collect and use Canadian personal data. Since passage of the Act in 2000, Canada and the European Union worked toward an agreement confirming an equivalent level of privacy protection in both jurisdictions. Part of the process examined whether the legislation was “adequate” under the E.U. Directive on Data Protection. In January 2001, the Article 29 Working Party (Data Protection), composed of privacy commissioners from all E.U. member states, considered the Canadian legislation and issued a favorable opinion on the level of privacy protection in Canada. Data Security and Information Crime The Internet has become a powerful forum for engaging in illegal activities. There are many reasons, the most significant being that in this era there is a greater probability of not being prosecuted for an international cybercrime than for other classes of crime. Businesses are deeply concerned about the problem. As one CEO stated at a meeting of business executives: “Business transactions would be impeded or cease, complicating our economic recovery and sending our global stock markets into a tailspin. We must not allow this to happen. [Business and government leaders] need to better understand the enormous threat we face and take measures to secure cyberspace.” Most countries have a patchwork of legal regulations that deal with information crime and security. Some nations directly address protection of critical online information, while others regulate that information through pre-Internet regulations. The result has been a lack of a global standard on what constitutes cybercrime and how to coordinate national efforts to combat it. In spite of these patchwork regulations, a number of organizations have focused on issues of cybercrime. The International Telecommunication Union (ITU), for example, authored a resolution on Cybersecurity in 2004 that encouraged the ITU to evaluate existing communications protocols for vulnerability to Internet attacks. The resolution also encouraged awareness of the need to prepare for cyberattacks and encourage cooperation in the private and public sectors. The United Nations Economic Commission for Europe is a body focused on the harmonization of international trade. The Commission seeks to create intergovernmental collaborations that “secure the interoperability for the exchange of information between the public and private sector.” The Commission works on technical development projects and offers legal assistance to both governments and businesses. Council of Europe Convention on Cybercrime The Council of Europe is a group of 43 states, including all European Union members, that established a forum in 1949 to address topics of human rights, democracy, and the rule of law in Europe. Since the late 1980s, the Council has been working to address the growing international concern over threats posed by hacking and other computer related crimes. After publishing a series of studies and inviting other nations (including the United States, Canada, Japan, and South Africa) to participate, in 2001 it approved a key initiative called the Convention on Cybercrime. Most E.U. nations have signed the convention as well as Canada, Japan, and the United States. 466 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. The Convention has three broad goals. First, the Convention establishes common definitions of certain criminal offenses, which enables legislative language to be harmonized across nations. Second, the Convention defines common types of investigative powers amongst nations. Third, the Convention encourages closer cooperation between law enforcement agencies of participating nations. The Convention encompasses both traditional crimes that have found a new venue through the Internet as well as new crimes that now exist as a result of the Internet. The convention requires each signatory nation to criminalize a number of activities, relating to the confidentiality of computer data, the integrity of computer systems, computer fraud, computer forgery, and child pornography. The agreement also criminalizes copyright infringement consistent with other copyright conventions. The convention establishes rules for facilitating cooperative investigations of cybercrime. Signatories agree to help one another “to the widest extent possible” in criminal investigations or proceedings. Although cross border searches are still restricted, law enforcement agents from member nations may collect computer-based evidence from one another. The convention also establishes a “24/7 Network” whereby each signatory shall have a point of contact available to ensure immediate assistance for criminal investigations or proceedings. The convention also establishes procedures to facilitate criminal investigation. The convention requires that nations shall enact laws facilitating the expeditious preservation of computer data and computer traffic data. It also facilitates preservation of system search and seizure, and real-time data collection. Procedural rules must also be enacted by member states that provide conditions and safeguards to access of this data. Organization for Economic Cooperation and Development (OECD) Guidelines The OECD is an international organization of 30 industrial market-economy nations that examines issues involving economic, social, and governance challenges of a globalized economy. Members include Japan, Korea, Australia, Mexico, the United States, and most nations of Europe. The OECD has issued guidelines addressing cryptography, titled OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, which was adopted by the OECD Council on July 25, 2002. These guidelines provide nine principles that the OECD recommends should be followed by all nations regarding cryptography. 1. Awareness—Participants should be aware of the need for security of information systems and networks and what they can do to enhance security. 2. Responsibility—All participants are responsible for the security of information systems and networks. 3. Response—Participants should act in a timely and co-operative manner to prevent, detect, and respond to security incidents. 4. Ethics—Participants should respect the legitimate interests of others. 5. Democracy—The security of information systems should be compatible with essential values of a democratic society. 6. Risk assessment—Participants should conduct risk assessments. 7. Security design and Implementation—Participants should incorporate security as an essential element of information systems and networks. 8. Security management—Participants should adopt a comprehensive approach to security management. 9. Reassessment—Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures, and procedures. Chapter 14: International CyberLaw 467 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. These guidelines are a product of a consensus between OECD governments and nongovernmental representatives such as informational technology experts and businesses users of encryption. Although not binding, these principles have apparently been influential among policymakers. For example, a U.S. representative welcomed the guidelines, noting that the guidelines “call for new ways of thinking and behaving when using information systems,” and hailed them as “a milestone marking a new international understanding of the need to safeguard the information systems upon which we increasingly depend for our way of life.” The Future of International Cooperation Clearly, intergovernmental cooperation is essential to address the unique law enforcement problems that the Internet presents. Countries must each develop harmonious laws to combat cybercrime, for crime will migrate to the country with the weakest enforcement efforts. Second, treaties addressing the maintenance and sharing of information are critically important. Mutual assistance is necessary for law enforcement to have any effect. Third, there must be extradition treaties between nations that provide for the expeditious transfer of suspects and evidence. International Internet and computer crime has a growth potential like no other type of crime. It will flourish until agreements between countries are enacted regarding extradition, evidence gathering, and preservation. This pressure for international cooperation among countries in an effort to combat cybercrime may even yield other unexpected dividends. Summary National regulation of online activities is difficult enough considering the advancement of new technologies, the easy anonymity of users, and the rapidity by which commercial transactions are consummated. Regulation of global Internet activity exponentially amplifies these challenges. Global regulation requires the consent of multiple jurisdictions and necessitates close cooperation between a variety of national and private concerned interests. Compounding these requirements is the conflicting political, economic, and social goals that manifest themselves through attitudes toward online regulation. Viewing the current patchwork of regulations can cause dismay about the lack of global uniform rules online. Instead, the result thus far should be a welcome surprise as to how far governments and private interests have come in harmonizing national interests in a truly global and borderless communication medium. Key Terms territoriality principle, p. 441 nationality principle, p. 441 effects principle, p. 441 Brussels Convention, p. 441 Brussels Regulation, p. 441 Trade-Related Aspects of Intellectual Property Rights (TRIPS), p. 444 Dispute Resolution Understanding, p. 445 national treatment principle, p. 445 transparency principle, p. 445 most favored nation principle, p. 445 Paris Convention, p. 445 Trademark Law Treaty, p. 445 Madrid Protocol, p. 445 Uniform Dispute Resolution Policy (UDRP), p. 446 Berne Convention, p. 448 European Union Copyright Directive (EUCD), p. 449 WIPO Copyright Treaty (WCT), p. 449 European Community Electronic Commerce Directive (ECD), p. 449 Convention on the Grant of European Patents of the European Patent Convention (EPC), p. 451 Boards of Appeal of the European Patent Office (BAEPO), p. 451 French Data Protection Authority (CNIL), p. 458 United Nations Convention on Contracts for the International Sale of Goods (CISG), p. 459 United Nations Convention on the Use of Electronic Communications in International Contracts, p. 460 Code of Liberalization of Capital Movements (OECD), p. 461 468 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Manager’s Checklist • Review the relevant Internet laws of any nation in which the firm intends to conduct business • Establish explicit policies and procedures for the management and transmission of personal data • Treat online contracts seriously and as having equally binding effect as traditional agreements • Remember that privacy issues may be taken much more seriously in other nations than is currently practiced in the United States • Employ leading information security system to avoid theft from online crime Questions and Case Problems 1. Louis Vuitton designs and markets a variety of luxury goods such as wallets, purses, and other ready-to-wear products. The company learned that both authentic and counterfeit Louis Vuitton products were being sold on eBay, the foremost auction website in the world. Louis Vuitton sued eBay in a French court. eBay countered that the French court lacked jurisdiction because the alleged illegal action took place in the United States and the French public were not specifically targeted by any advertisements. Did the court give itself jurisdiction over the dispute?3 2. While considering the question of jurisdiction, the French court simultaneously addressed Louis Vuitton’s substantive claim that eBay “refus[ed], in spite of its repeated warnings since 1999, to take effective measures aimed at preventing infringement.” Louis Vuitton also alleged that eBay failed to terminate accounts of fraudulent members who repeatedly distribute counterfeit goods. eBay replied that it was shielded from liability because it merely hosts a site similar to an Internet service provider. eBay also touted its Verified Rights Owner (VeRO) Program, an intellectual property enforcement program where participating businesses benefit from dedicated eBay staff and rapid responses to problems of infringement, which Louis Vuitton refused to participate in. Is eBay liable for illegal counterfeiting activities of its members? 3. A journalist working for Penwell Publishing in Essex, United Kingdom created and maintained a Excel spreadsheet file that kept all of business and personal contacts on his employer’s computer system. This information included both contacts he formed while working at Penwell as well as contacts the journalist had before he joined the firm. The journalist downloaded the entire address on his list to his memory stick shortly before leaving employment with the firm. The journalist wanted to claim ownership of the contacts list, but his now former employer claimed ownership because the information resided on the company’s server. Who owns the contact list?4 4. A large American multinational corporation wants to establish a telephone and email hotline for employees to report wrongdoing within the company. The company has offices in the European Union and wants to ensure that it avoids violations of E.U. data protection laws. What steps can the company take to increase the likelihood that its hotline reporting system remains in compliance? 5. In 2004, the Hong Kong subsidiary of Yahoo! received a request from the Chinese State Security Bureau in Beijing for information about an email account, login times, and IP addresses. State Security claimed that the request was made because the account holder had items relating to “illegal provision of state secrets to foreign entities that is currently under investigation by our bureau.” Chinese authorities arrested the account holder, Chinese dissident Wang Xiaoning, who was tortured and found guilty of sedition because he “published articles …advocating for open elections, a multi-party system and separation of powers in the government.” Yu Ling, Wang’s spouse, sued Yahoo! alleging that it violated international law by helping the Chinese government uncover her husband’s identity. Yahoo! responded that it must comply with lawful official request for information and cannot “know know whether the demand for information is for 3 SA Louis Vuitton Malletier v. eBay, Inc., Tribunal de Commerce de Paris (Commercial Court of Paris), 1e ch. B, June 30, 2008, no. 2006077799. 4 Pennwell Publishing (UK) Ltd. v Ornstien, [2007] EWHC 1570 (QB). Chapter 14: International CyberLaw 469 Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. a legitimate criminal investigation or is going to be used to prosecute political dissidents.” The burden must rest with the U.S. government, Yahoo! claims, to pressure China to free Wang and other dissidents. What should Yahoo! have done in this case? Additional Resources José Angelo Estrella Faria, Online Contracting: Legal Certainty for Global Business—The New U.N. Convention on the Use of Electronic Communications in International Contracts, 39 UCC L. J. 1 Art. 2 (2006) Kelly A. Gable, Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent, 43 Vand. J. Transnat’l L. 57 (2010) Global Perspectives in Information Security (Hossein Bidgoli ed. 2009) Trudy S. Martin, Vicarious and Contributory Liability for Internet Host Providers: Combating Copyright Infringement in the United States, Russia, and China, 27 Wis. Int’l L.J. 363 (2009) Michael L. Rustad & Sandra R. Paulsson, Monitoring Employee E-Mail and Internet Usage: Avoiding the Omniscient Electronic Sweatshop: Insights from Europe, 7 U. Pa. J. Lab. & Emp. L. 829 (2005) Thomas Schultz, Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International law Interface, 19 Eur. J. Int’l L. 799 (2008) Ariane Siegel et al., Survey of Privacy Law Developments in 2009: United States, Canada, and the European Union, 65 Bus. Law. 285 (2009) 470 Part 4: Regulatory, Compliance and Liability Issues Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.