
May 13, 2016
1st Circ. Video Privacy Decision Creates Split With 11th Circ.

Orange County and Palo Alto partner Joshua Jessen and Palo Alto associate Priyanka Rajagopalan are the authors of "1st Circ. Video Privacy Decision Creates Split With 11th Circ." published on May 13, 2016 by Law360.

January 22, 2014
2013 Year-End Strategic Sourcing and Technology Transactions Update

2013 proved to be another active year in the outsourcing and technology transactions marketplace. We continued to see a steady flow of traditional information technology outsourcing transactions mixed with an ever expanding variety of business process outsourcing transactions. We also saw an increase in the adoption of cloud-based solutions, including SaaS, IaaS and PaaS. Outlined below are a few trends we have observed during the past year and some considerations for the future.

Practice Observations on 2013 and Some Thoughts for 2014

S. 744 – Immigration Reform: The U.S. Senate’s proposed "Border Security, Economic Opportunity, and Immigration Modernization Act" (S. 744) H-1B visa reform provisions would have significantly affected the U.S. outsourcing industry and India-based service providers in particular. Among other requirements, S. 744 capped the percentage of an entity’s U.S.-based workforce that could consist of H-1B visa holders, increased the cost of obtaining H-1B visas and prohibited the deployment of H-1B visa holders at customer locations by certain H-1B-dependent service providers. While gridlock in Washington prevented the bill from proceeding through the House, we anticipate that immigration reform generally, and H-1B visa reform in particular, is one area that may be ripe for political compromise in 2014.

Data Security: Popular interest in governmental and private sector data collection practices, media attention to data breaches and the correspondingly large notification and remediation costs have raised the stakes for both service providers and customers. In 2013, these factors drove heavy negotiation of provisions allocating responsibility and authority for resolving data breaches, with provisions becoming increasingly customized to particular situations.
This trend will likely continue into 2014, and may accelerate if regulators increase enforcement efforts or if the plaintiffs’ bar is able to overcome hurdles to class certification for claims by data subjects.

EU Data Privacy: Data protection reform continues to advance in the European Parliament, with proponents hoping to see their 2012 proposal for changes to the EU Data Protection Directive enacted in 2014. The contemplated changes would offer some benefits for global outsourcing deals, such as increased uniformity and "one stop shopping" in the EU (enabling global enterprises to work with a single data protection authority in the EU instead of many). The potential downsides include significantly increased sanctions for non-compliance and the new "right to be forgotten," which may require substantial changes to technology and re-examination of existing agreements to allocate responsibility for implementation.

Cloud Computing: The ease of administration and attractive economics of cloud computing have led to more deals with cloud computing components, as even businesses with highly sensitive data are testing the waters with providers and services geared towards their needs. We expect use of cloud computing to further expand in 2014, as more providers work through how to meet the needs of regulated businesses and adopt approaches that address the security challenges faced by their customers.

SaaS: Although SaaS providers remain more resistant to negotiating terms and conditions than traditional outsourcing providers, in 2013 we were increasingly successful in negotiating key legal terms for our clients. As more activities migrate towards the SaaS model, we are seeing increased customization of both the services offered and the legal agreements that can be negotiated, and we expect this trend to continue into 2014.
Negotiation Results: The notion that there would be a convergence among service providers in the outsourcing marketplace regarding terms and conditions was debunked once again in 2013. We observed a wide-ranging difference in the terms and conditions service providers were willing to accept. Additionally, customers who raised key terms and conditions earlier in the negotiating process (e.g., pre-down select) were generally able to obtain more favorable terms and to move to closing in a more expeditious manner.

Solution Mix: In 2013, customers continued to deploy multi-service provider, multi-platform solutions. Moving beyond "anchor" service providers, we observed many clients implementing task-based or process-specific solutions, often leveraging SaaS or other cloud-based offerings. We expect this trend to continue as customers gain comfort with more complex governance and data security concerns associated with the cloud.

Disputes: Our outsourcing disputes practice remained active in 2013. The dueling forces of increased focus on contract governance and cost savings by customers and the rapid expansion and margin squeeze experienced by service providers have led to disputes that we have helped resolve successfully through negotiated settlements and restructurings.

Gibson Dunn’s Practice

Gibson Dunn’s Strategic Sourcing and Technology Transactions Practice in particular enjoyed one of its busiest years ever and represented clients on some of the largest and most complex transactions completed in 2013. In addition, the practice’s team of attorneys continued its steady expansion, adding members at both the partner and associate levels. Below are some highlights regarding the practice in 2013.

The practice was ranked by Chambers & Partners in Band 1 nationally.

We are very pleased that Shaalu Mehra, as a partner, and three lateral associates, joined the practice in 2013, deepening our expertise in both technology transactions and outsourcing.
In 2013, we advised on more than 50 significant strategic sourcing and technology transactions with a total contract value in excess of $2 billion.

Our clients came from a wide variety of industries, including Apparel, Automotive, Chemical, Consumer Products, Energy, Financial Services, Food, Government, Healthcare, Hospitality, Insurance, Life Sciences, Pharmaceutical, Publishing and Technology. Within the United States, we represented clients based in California, Colorado, Delaware, Georgia, Maryland, New Jersey, New York, Oregon, Tennessee, Texas, Washington and Wisconsin. Looking outside the U.S., we represented clients based in Bahrain, Canada, Denmark, France, Germany, Ireland, Singapore, Switzerland and the United Kingdom and in several instances transactions that involved more than 65 countries. Consistent with past years, in 2013, we worked with a broad range of clients, from mature public companies (over 35% of our clients were in the Fortune 500), to middle market and emerging growth companies.

Last year marked one of our busiest years to date representing clients in technology transactions, including patent portfolio acquisitions, contract manufacturing, technology-related services arrangements and cloud-based services transactions.

Below are some of the more notable transactions that Gibson Dunn’s practice handled in 2013.

Information Technology Outsourcing Transactions

- A Fortune 500 hospitality company in a series of global IT outsourcing transactions with Accenture, IBM, Mindtree, TCS and Xerox.
- A Fortune 500 life sciences company in the renegotiation of a global application development and maintenance transaction with Accenture.
- A Fortune 500 energy services company in an IT outsourcing transaction.
- A global specialty chemicals company in a full scope IT outsourcing transaction with HCL.
- A global financial services and communications company in an application development and maintenance transaction with TCS.
- An international media company in a renegotiation of an IT infrastructure transaction with HCL.
- A Fortune 500 IT distributor in multiple enterprise software distribution agreements and telecommunications hardware distribution agreements.
- A Fortune 500 technology company in the outsourcing of certain application development and maintenance services to Capgemini.

Business Process Outsourcing Transactions

- A Fortune 500 hospitality company in the sale of its captive shared services center and the outsourcing of its back-office support functions to Accenture.
- A Fortune 500 consumer products company in the outsourcing of certain financial and accounting services to Capgemini.
- A Fortune 500 insurance company in the outsourcing of certain claims processing services to Alliance-One Services (a subsidiary of CSC).
- A Fortune 500 financial services company in the outsourcing of its print procurement functions to Williams Lea.
- A hedge fund in the outsourcing of its back-office asset management services to SEI.
- A publisher in the outsourcing of its supply chain to RR Donnelley.
- A Fortune 500 company in the outsourcing of quality assurance services.

Cloud/SaaS Transactions

- An international food distribution company in the implementation of a global cloud-based human resource information system with SuccessFactors Inc. (an SAP company).
- A Fortune 500 chemicals company in a global, cloud-based enterprise human resources SaaS transaction with Workday.
- A leading apparel retailer in connection with a cloud-based enterprise human resources SaaS transaction with Workday.
- A Fortune 500 technology company in its outbound cloud services agreements.
- A Fortune 500 technology company in a multinational telecommunications services agreement with British Telecom.

Other Significant Technology Transactions

- An investment bank in a global asset management services agreement.
- A Fortune 500 office technology company in the sale and licensing-back of certain patents and related know-how.
- A manufacturer of high performance computing solutions in a contract manufacturing transaction with Jabil.
- A Fortune 500 technology company in multiple enterprise-wide software licenses.

Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding the outsourcing and technology transactions marketplace. Please contact the Gibson Dunn lawyer with whom you usually work, or any of the following members of the Strategic Sourcing and Technology Transactions Practice Group:

Daniel R. Mummery – Palo Alto (650-849-5318, dmummery@gibsondunn.com)
William J. Peters – Los Angeles (213-229-7515, wpeters@gibsondunn.com)
Stephen D. Nordahl – New York (212-351-2442, snordahl@gibsondunn.com)
Shaalu Mehra – Palo Alto (650-849-5282, smerhra@gibsondunn.com)

© 2014 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

February 9, 2017
2016 Year-End Aerospace and Related Technologies Update

This February 2017 edition of Gibson Dunn’s Aerospace and Related Technologies Update discusses newsworthy developments, trends, and key decisions from 2016 that are of interest to aerospace and defense, satellite, and drone companies, and new market entrants in the commercial space and related technology sectors, including the private equity and other financial institutions that support and enable their growth. Specifically, this update covers the following areas: (1) commercial unmanned aircraft systems ("UAS"), or drones; (2) government contracts litigation involving companies in the aerospace and defense industry; and (3) the commercial space sector. We discuss each of these areas in turn below.

I. COMMERCIAL UNMANNED AIRCRAFT SYSTEMS

Unmanned aircraft systems ("UAS") technology has improved rapidly while becoming reasonably affordable for most organizations. The commercial applications of UAS, more commonly referred to as "drones," include sensory data collection, building inspections, utility inspections, agriculture monitoring and treatment, railway inspections, pipeline inspections, mapping of mines, and photography. New applications are being created on a regular basis. For years, the law prohibited commercial drone operations absent a special exemption. However, in 2016, a comprehensive set of regulations governing non-recreational drone operations was finalized, thus creating sweeping opportunities to implement commercial drone operations.

In 2016, many organizations incorporated drones into their operations and tested future concepts. The drone delivery concept was validated through multiple corporate deliveries: Amazon Prime Air made its first delivery in the United Kingdom; DHL delivered packages to a mountain plateau in Germany; Google and Chipotle tested burrito deliveries at Virginia Tech; and 7-Eleven and Flirtey delivered products in Reno, Nevada.
Disney World, in collaboration with Intel, revealed a new holiday show consisting of drones performing in the night sky, rather than traditional fireworks. Walmart announced it would use drones to better track inventory at distribution centers. And CNN became the first U.S. broadcaster to launch a drone division.

Overall, 2016 was an historic year that officially ushered in a new industry. We expect that the industry will continue to develop in the coming year, and that key topics such as rules governing flights over non-participating people, litigation concerning property owners’ rights to airspace, privacy, and operations beyond visual line of sight will be addressed. Related jurisdictional disputes are likewise on the horizon.

Expanded drone operations also created controversy. Citizens and police shot down drones on several occasions, news organizations reported collisions between drones and commercial aircraft (all stories were proven false after investigations), and concerns about privacy continued to build. To get you caught up on 2016’s groundbreaking drone developments, below we have briefly summarized: (A) Part 107 drone regulations; (B) the likely Proposed Rule for Operations Over Non-Participating People; (C) Privacy; and (D) the Intersection of Federal and State/Local Drone Laws.

A. Part 107 – Drone Regulations

On August 29, 2016, the long-awaited comprehensive regulations for Small Unmanned Aircraft Systems ("sUAS"), drones weighing 55 pounds or less, became law under Part 107 of Title 14 of the Code of Federal Regulations ("Part 107").[1] These regulations are monumental for commercial drone operations because they provide the regulatory foundation for the burgeoning industry. Prior to Part 107, the law prohibited commercial drone operations unless an operator obtained a Section 333 exemption from the Federal Aviation Administration ("FAA").
Part 107 permits commercial operations within certain parameters and eliminates the need for an exemption, unless one wants to operate outside of those parameters.

Significantly, Part 107 removed the time-consuming and expensive Section 333 requirement that commercial drone operators obtain a recreational or sport pilot license. Under the new regulations, commercial drone pilots must obtain the newly created remote pilot certificate with a sUAS rating or be under the direct supervision of a person with a certificate. To obtain the certificate, a person must pass an aeronautical knowledge test at an FAA-approved center, be vetted by the Transportation Security Administration, be able to speak English, and be at least 16 years old. Individuals with an existing pilot license need only take an online sUAS training course to obtain a remote pilot certificate.[2] In 2016, the FAA issued over 14,000 remote pilot certificates.

In addition, Part 107 set forth several key operational limits for commercial drones[3]:

- maximum weight is 55 pounds;
- maximum groundspeed is 100 mph (87 knots);
- maximum altitude is 400 feet above ground level or within 400 feet of a structure;
- flights must be within daylight hours or civil twilight if the drone utilizes anti-collision lighting;
- drones must remain within visual line of sight of the remote pilot or an optional visual observer;
- minimum flight visibility must be no less than three statute miles;
- minimum distance from clouds must be no less than 500 feet below the cloud and 2000 feet horizontally from the cloud;
- drones may not operate over persons not directly participating in the operation;
- drones must yield the right of way to other aircraft;
- remote pilots cannot operate drones from a moving vehicle unless the flight is over a sparsely populated area; and
- remote pilots cannot operate more than one drone at a time (i.e., no swarming).

1. Part 107 Waivers

The FAA’s willingness to provide waivers is one of the most promising aspects of Part 107 and will allow regulations to expand as technology progresses. The waivers permit remote pilots to deviate from the following operational limits:[4]

- operations from a moving vehicle;
- daylight operations;
- operations beyond a pilot’s visual line of sight;
- visual observer requirements;
- operations of multiple drones;
- yielding the right of way;
- operations over people;
- operating limitations; and
- operations in certain airspace.

Applications for a Certificate of Waiver are completed online and granted on a case-by-case basis. In 2016, the FAA granted 239 waivers.[5] The majority of these waivers were for nighttime operations. Notably, the following organizations received waivers:

- CNN received a waiver for operations over people;
- Precision Hawk and BNSF Railway Company received waivers allowing operations beyond visual line of sight; and
- Project Wing, Intel Corporation, and Walt Disney Parks and Resorts received waivers for the operation of multiple drones.

If an organization needs an exemption from a particular section in Part 107 that is not subject to a waiver, it can request a Section 333 exemption or apply for a type certification. This will be particularly relevant for operators wishing to fly drones greater than 55 pounds because Part 107 only applies to drones weighing 55 pounds or less.

2. Airspace Authorization

In addition to applying for waivers, operators can now seek airspace authorization for operations in restricted airspace. However, obtaining airspace authorization has been a source of frustration for many operators.
Part 107 allows operations "in Class B, Class C, or Class D airspace or within the lateral boundaries of the surface area of Class E airspace" if the remote pilot obtains "prior authorization from Air Traffic Control."[6] But an FAA guidance letter from October 3, 2016, restricted Air Traffic Control from granting such authorization, stating that FAA headquarters will approve airspace waivers and coordinate with the relevant air traffic facility.[7] The FAA UAS website’s authorization portal requires that applications be submitted at least 90 days prior to the operation, which can seriously hinder timely operations.

* * *

Although the waiver and airspace authorization process is far from perfect, the mere existence of an institutionalized waiver and airspace authorization program is promising. We expect that the FAA will streamline the process in 2017, making waivers and airspace authorization more accessible to remote pilots.

We also expect that Part 107 is the beginning, and not the end, of drone regulations. For example, in the next few years, the FAA will likely propose rules for drones heavier than 55 pounds, and within the next few months, the FAA will likely publish a Notice of Proposed Rule Making for operating drones over non-participating people.

B. Proposed Rule for Operations Over Non-Participating People is Expected in 2017

In February 2016, the FAA assembled an aviation rulemaking committee ("ARC") to recommend standards that would allow certain drones to be operated over people. The ARC submitted its recommendations on April 1, 2016, dividing drones into four categories based on the level of risk correlated to a weight or impact energy equivalent.[8]

The FAA’s Notice of Proposed Rulemaking ("NPRM") is expected to significantly vary from the ARC’s recommendations. The FAA sent the proposed rule to the White House Office of Information and Regulatory Affairs ("OIRA") in November 2016.
Once OIRA approves the proposed rule, the NPRM will be published in the Federal Register and a public comment period will begin. As with the NPRM for Part 107, there likely will be thousands of public comments concerning the proposed rule. Timing for publishing the NPRM is uncertain. On January 20, 2017, President Trump issued a memorandum to all executive departments and agencies freezing new or pending regulations for 60 days.

The proposed rules have the potential to remove a tremendous obstacle for certain drone operators. Under Part 107, drones are prohibited from flying over unsheltered people unless they are "[d]irectly participating in the operation."[9] Individuals "[d]irectly participating" include the remote pilot, the person on the controls, a visual observer, and anyone else essential to the operation. Those who have merely given consent for the operations are excluded.[10] Therefore, under Part 107, implementing certain commercial drone operations may be a challenge, or impossible, due to the presence of non-participating people in the operational area. For example, drone operations cannot take place over active construction or mining sites without first clearing the area of people, and news organizations may be prohibited from flying directly over a newsworthy event. Part 107 does provide waivers for flights over non-participants on a case-by-case basis, but the waiver process is not always a practical option for addressing time-sensitive commercial needs. The upcoming proposed rule will create standards for safe flights over non-participating people and should be a catalyst for many commercial operations. Flights over non-participating people will likely increase privacy concerns.

C. Privacy–Voluntary Best Practices

As the popularity of both commercial and hobbyist drones increases, concerns over privacy and personal data collection continue to swell.
In February 2015, President Obama issued a Presidential Memorandum directing that privacy, civil rights, and civil liberties concerns be taken into account as drones are integrated into the national airspace.[11] Obama ordered the National Telecommunications and Information Administration ("NTIA") of the U.S. Department of Commerce to create a private-sector engagement process to help develop voluntary best practices for privacy, accountability, and transparency issues regarding commercial and private drone use. That process took place over the past year, with the participation of multiple private-sector groups.

On May 19, 2016, the NTIA released voluntary best privacy practices for drones.[12] The voluntary best practices received agreement from technology companies, insurance companies, media organizations, drone industry associations, and privacy groups. Although these best practices do not create any legal standards, they set useful guidelines for any organization conducting drone operations. Many of the recommended best practices take into account the size and complexity of the operator (e.g., a large public company is expected to have a more comprehensive privacy policy with respect to its use of drones than an individual real estate photographer). Moreover, newsgathering organizations, to which strong First Amendment protections apply, are expressly excluded. The following summarizes the recommended best practices:

Covered Data: The best practices focus heavily on the collection and storage of "covered data." Covered data is information collected by drones that identifies a particular person. If the data is unlikely to be linked to a particular person, or if it is altered so that a particular person is not recognizable, it is not considered covered data.
Privacy Policy: Organizations collecting covered data should make reasonable efforts to inform individuals directly impacted by those organizations’ use of drones, and they should maintain a publicly available privacy policy appropriate to their size. The policy should identify:

- the kind of covered data the drone operations will collect;
- the purpose for which the data is collected;
- retention and de-identification practices;
- the types of entities with whom the data will be shared;
- information on how to submit a privacy or security complaint; and
- the organization’s practices with respect to responding to law enforcement requests for data.

Reasonable Expectation of Privacy: Absent a compelling need, drone operators should avoid collecting covered data when the subject has a reasonable expectation of privacy. Operators should avoid intentional, persistent, and continuous collection of covered data about individuals. Further, operators should make reasonable efforts to minimize flights over private property without consent of the owner or without appropriate legal authority.

Data Sharing and Use Limits: Drone operators should only use covered data for those purposes identified in their privacy policy. Without consent, the data should not be shared for marketing purposes or publicly disclosed without reasonable efforts to obfuscate (e.g., blur) the data. Further, without consent, operators should not use covered data for employment eligibility, promotion or retention, credit eligibility, or healthcare treatment eligibility, unless expressly permitted by a sector-specific regulatory framework.

Data Storage: Covered data should not be stored longer than necessary for the purposes for which it was collected (as disclosed to the public in a privacy policy). Further, organizations should develop easily accessible processes to receive privacy or security complaints about the organization’s use of drones.
These processes should include mechanisms by which individuals can request that an organization delete, de-identify, or otherwise obfuscate a person’s covered data.

Data Security: Organizations storing covered data should implement a program to address and manage cybersecurity risks. The program should have reasonable administrative, technical, and physical safeguards appropriate to the organization’s size and the nature of the covered data. Appropriate safeguards include those described in guidance from the Federal Trade Commission, the National Institute of Standards and Technology Cybersecurity Framework, and the International Organization for Standardization’s 27001 standard for information security management. Corporations should consider the below practices to secure covered data:

- establish a written security policy detailing the collection, use, storage, and dissemination of covered data;
- regularly monitor systems for breach and data security risks;
- provide security training to employees with access to covered data; and
- limit access to covered data.

Part 107 does not address privacy. In the NPRM for Part 107, the FAA stated that privacy issues were "beyond the scope" of the rule, and "that state law and other legal protections for individual privacy may provide recourse for a person whose privacy may be affected through another person’s use of a UAS."[13] During the comment period for the NPRM, the FAA received around 180 comments regarding privacy concerns, but declined to include privacy regulations within Part 107.[14]

1. Litigation Regarding Whether the FAA Needs to Address Privacy

The Electronic Privacy Information Center ("EPIC") challenged the FAA’s decision to exclude privacy regulations from Part 107 by filing a petition for review in August 2016.[15] EPIC had previously sought review of the NPRM because it excluded privacy regulations, but in May 2016, the D.C.
Circuit held that EPIC’s challenge was premature because the proposed rule was not final.[16] After the rule became final, EPIC filed a new petition of review asking the court to vacate Part 107 and remand it to the FAA for further proceedings.[17] EPIC contends that the FAA Modernization and Reform Act of 2012 requires the FAA to address privacy concerns related to drones, while the FAA asserts that privacy is beyond its charge to regulate aviation safety in the national airspace. All eyes will be on the D.C. Circuit to determine if the FAA will be required to issue rules related to privacy.

Regardless of whether or not there are federal rules directed towards drone privacy, corporations should make their best efforts to comply with the NTIA Voluntary Best Practices, as well as state and local privacy laws.

D. Uncertainty Clouds the Intersection of Federal and State/Local Drone Laws

Although Part 107 created a federal regulatory framework for commercial drone operations, there is still significant confusion as to what constitutes a legal flight under evolving state and local laws. Laws regulating the drone industry exist in 32 states, and five states have adopted resolutions regarding drones.[18] In 2016, at least 38 state legislatures considered legislation to regulate the drone industry, and 17 states (Alaska, Arizona, California, Delaware, Idaho, Illinois, Indiana, Kansas, Louisiana, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Vermont, Virginia and Wisconsin) passed 31 pieces of legislation.[19] In addition, countless local governments proposed and passed ordinances impacting the drone industry at the local level. Thus, it will be critical for companies launching commercial drone enterprises to work closely with counsel to determine which, if any, state and local laws apply to each commercial operation. They will also need to evaluate preemption issues.
In the developing drone community, confusion stems from the FAA’s position that it controls the airspace "from the ground up," and that the notion that it does not control airspace below 400 feet is a "myth."[20] However, many state and local governments do not agree with the FAA’s interpretation. There are major implications for where navigable airspace begins, and the question ultimately will be settled by federal courts over the next several years. This is one of the most important legal issues for the industry because, without clarification, legal compliance and enforcement may be impossible within some localities.

While the FAA governs the "navigable airspace" of the United States,[21] navigable airspace is defined as the "airspace above the minimum altitudes of flight prescribed by regulations . . . including airspace needed to ensure safety in the takeoff and landing of aircraft."[22] The FAA regulations list the minimum safe altitude as 500 feet above the surface in non-congested areas (lower in sparsely populated areas) and 1,000 feet above the highest obstacle in congested areas.[23] Although aircraft can fly below these minimum safe altitudes for takeoff or landing, when these laws and regulations were created, the very concept of low-flying, low-price drones–which can take off and land on anyone’s property–only existed in science fiction. The proliferation of drones requires clarification of where private property rights end and navigable airspace begins.

The Supreme Court provided some guidance on property rights and navigable airspace in 1946 in United States v. Causby.[24] In Causby, a chicken farm was located near an airport, and the glide path for one of the runways was 83 feet above the property. The Court examined whether military aircraft flying 83 feet above the property was a taking.
The Court held that it was a taking and stated: "[I]t is obvious that if the landowner is to have full enjoyment of the land, he must have exclusive control of the immediate reaches of the enveloping atmosphere. Otherwise buildings could not be erected, trees could not be planted, and even fences could not be run."[25] The court also acknowledged that an invasion of air above one’s property can be in the "same category as invasions of the surface."[26] The Court declined to determine the exact boundary between one’s property and public airspace: "We need not determine at this time what those precise limits are."[27] Even if the Court did determine precise limits, a military aircraft landing at an airport in 1946 is fundamentally different from today’s low-flying, low-price, consumer and commercial drones. In 2016, two pending lawsuits began to address the key question of defining navigable airspace in the context of drones.

Boggs v. Merideth, No. 3:16-cv-00006 (W.D. Ky. Jan. 4, 2016)

In Boggs v. Merideth (also known as the "Drone Slayer" case), a drone operator in the Western District of Kentucky filed a lawsuit against a landowner (the self-proclaimed "Drone Slayer") who downed the plaintiff’s drone with a shotgun.[28] The drone was flying around 200 feet above the Defendant’s property, and the defendant claimed it was trespassing and invading his privacy. After a state judge found the defendant was "within his rights," the plaintiff filed a complaint in federal court for declaratory judgement to "define clearly the rights of aircraft operators and property owners."[29] The district court has not yet ruled on the issue.

Huerta v. Haughwout, No. 3:16-cv-358, Dkt. No. 30 (D. Conn. Jul. 18, 2016)

The most notable case of 2016 regarding the FAA’s authority over low-level airspace was Huerta v. Haughwout (also known as the "flamethrower drone" case).
The Haughwouts posted YouTube videos of a drone flying a few feet above their property.  In one video, a drone fired an attached handgun, and in another video, a drone roasted a turkey with an attached flamethrower.  The FAA sent the Haughwouts an administrative subpoena to acquire more information about these activities.  The Haughwouts declined to comply with the subpoenas and claimed their activities were not subject to investigation by the FAA.  The FAA sought enforcement of the subpoenas.  The District Court for the District of Connecticut found the administrative subpoenas to be valid and ordered the Haughwouts to comply.[30]  In his order, Judge Jeffrey Meyer included dicta that casts doubt on the FAA’s claim to controlling airspace from the ground up:  "the FAA believes it has regulatory sovereignty over every cubic inch of outdoor air in the United States . . . [T]hat ambition may be difficult to reconcile with the terms of the FAA’s statute that refer to ‘navigable airspace.’"  The dicta addressed the question of where the FAA’s authority begins, but noted that the "case does not yet require an answer to that question."[31]  Notably, the Judge stated: Congress surely understands that state and local authorities are (usually) well positioned to regulate what people do in their own backyards.  The Constitution creates a limited national government in recognition of the traditional police power of state and local government.  No clause in the Constitution vests the federal government with a general police power over all of the air or all objects that leave the ground.  
Although the Commerce Clause allows for broad federal authority over interstate and foreign commerce, it is far from clear that Congress intends–or could constitutionally intend–to regulate all that is airborne on one’s own property and that poses no plausible threat to or substantial effect on air transport or interstate commerce in general.[32] The dicta in Huerta may indicate how federal courts will address this vital issue.  As drone operations continue to expand, the importance of the question will continue to grow.   E.  Looking Ahead 2017 will be an important year for the development of the commercial drone industry.  We can expect to see more organizations adopting drone operations; the FAA streamlining Part 107 waivers and airspace authorization; a proposed rule governing flights over non-participating people; litigation regarding property owners’ rights to airspace; more dialogue regarding privacy issues; and significant progress in operations beyond-the-visual-line-of-sight ("BVLOS"), given the approval obtained by the Northern Plains UAS Test Site for conducting BVLOS flights in 2017.  This approval will allow companies to develop, test, and evaluate BVLOS concepts and platforms without the need for a Part 107 waiver.  Progress in BVLOS operations combined with the upcoming proposed rule for flights over non-participating people will greatly expand commercial applications. In addition, the Trump administration’s approach to commercial drones, and any judicial decisions regarding federal preemption and privacy, will shape the future of this burgeoning industry. II.  GOVERNMENT CONTRACTS LITIGATION IN THE AEROSPACE AND DEFENSE INDUSTRY Gibson Dunn’s 2016 Year-End Government Contracts Litigation Update and 2016 Mid-Year Government Contracts Litigation Update cover the waterfront of the most important opinions issued by the U.S. Court of Appeals for the Federal Circuit, U.S. 
Court of Federal Claims, Armed Services Board of Contract Appeals ("ASBCA"), and Civilian Board of Contract Appeals ("CBCA"), among other tribunals.  We invite you to review those publications for a full report on case law developments in the government contracts arena. In this update, we summarize key court decisions related to government contracting from 2016 that involve players in the aerospace and defense industry.  The cases discussed herein, and in the Government Contracts Litigation Updates referenced above, address a wide range of issues with which government contractors in the aerospace and defense industry are likely familiar, including issues of contract interpretation, jurisdictional requirements, limitations on the remedies available to contractors, and the various topics of federal common law that have developed in the government contracts tribunals.  In addition, we highlight the uncertainty surrounding the direction federal contracting policy will take under the new Trump administration. A.  Select Decisions of Interest to Government Contractors in the Aerospace and Defense Industry             1.  Jurisdictional Issues (Defining the Claim) Whether the courts and boards of contract appeals have jurisdiction over a matter turns on whether there is a valid "claim" and, relatedly, how that claim is defined.  Because the Contract Disputes Act, 41 U.S.C. §§ 7101‒7109 ("CDA") does not define the term "claim," the courts and boards of contract appeals look to the definition set forth in the Federal Acquisition Regulation ("FAR").  FAR 33.201 defines a "claim" as "a written demand or written assertion by one of the contracting parties seeking, as a matter of right, the payment of money in a sum certain, the adjustment or interpretation of contract terms, or other relief arising under or relating to this contract." In 2016, two decisions from the ASBCA that involved the aerospace and defense industry touched on jurisdictional issues.  
In Military Aircraft Parts, ASBCA No. 60290 (Feb. 4, 2016), the ASBCA addressed whether a contractor’s claims could "merge" into or be precluded by related claims that would otherwise not be within the board’s jurisdiction.  In Alaska Aerospace Corp., ASBCA No. 59794 (Sept. 13, 2016), the ASBCA considered whether the contractor had submitted a claim as required by the CDA.                    Military Aircraft Parts, ASBCA No. 60290 (Feb. 4, 2016) Between 2009 and 2011, the Government issued three orders for parts for the C-130 aircraft from Military Aircraft Parts ("MAP").  MAP shipped two units under the first order for first-article testing, but the Government asserted that the parts had failed the "form, fit, and function" test, and subsequently issued a unilateral modification canceling the order.  The Government thereafter unilaterally canceled the second order, and the parties bilaterally canceled the third.  MAP submitted a claim for breach of contract, which was denied by the contracting officer.  The contracting officer admitted that the unilateral cancellation of the first order was improper, but converted the cancellation to a termination for convenience and denied relief for all three orders.  After MAP appealed, the Government moved to dismiss, arguing that MAP could not appeal before responding to the Government’s termination for convenience with a termination settlement proposal pursuant to FAR part 49. The board (O’Sullivan, A.J.) found that MAP was not required to make a termination settlement proposal prior to appealing the denial of its breach claim.  Relying upon the Federal Circuit’s decision in James M. Ellett Construction Co. v. United States, 93 F.3d 1537 (1996), Judge O’Sullivan held that "a contractor is not precluded by a pending termination settlement proposal from pursuing contract claims independent of that proposal."  
Because the Government’s termination for convenience came later than its unilateral cancellation, the board reasoned, the relief available to MAP for a breach claim could be considerably different from the relief available for a claim arising from the termination for convenience.  (At the very least, MAP could have been eligible for interest on its breach claim.)  Therefore, MAP’s breach claim did not "merge" into the government’s termination for convenience, and the board denied the Government’s motion to dismiss for lack of jurisdiction.                    Alaska Aerospace Corp., ASBCA No. 59794 (Sept. 13, 2016) In 2003, the Missile Defense Agency awarded a contract to Alaska Aerospace for the use of a launch complex and support services.  The contract incorporated, by reference, FAR 52.216-7, Allowable Cost And Payment (Dec. 2002), which allows reimbursement of contributions to employee pension plans.  In 2014, the Government partially disallowed costs for employee pension plans and sought to recover the disallowed costs. The Board (Melnick, A.J.) first noted that because the Government was seeking to recoup money, the case was a Government claim for which the Government bore the burden of proof.  In finding that the Government failed to meet its burden, the Board explained that the Government’s reliance on the contracting officer’s final decision as evidence of overpayment was improper.  The contracting officer’s final decision attempted to impose a penalty, not establish recoupment as a basis for the demand for payment.  Further, findings of fact in the contracting officer’s final decision are not binding upon the parties and are not entitled to any deference.              2.  Jurisdictional Issues (Timeliness of Appeals at the Board of Contract Appeals) A host of recent cases addressed the CDA’s jurisdictional requirement to timely file an appeal after receipt of a contracting officer’s final decision.  
Two such cases involve aerospace and defense companies and are discussed below.  Under the CDA, a board has jurisdiction over appeals taken within 90 days of receiving the contracting officer’s final decision, whereas there is a one-year statutory clock applicable to appeals filed in the Court of Federal Claims.  In a pair of appeals before the ASBCA, Military Aircraft Parts attempted–unsuccessfully–to argue that the Federal Circuit’s ruling that the CDA’s six-year statute of limitations period is not jurisdictional, Sikorsky Aircraft Corp. v. United States, 773 F.3d 1315 (Fed. Cir. 2014), should give the board discretion to waive the 90-day appeal period.  Although the two cases were decided differently on the merits, the ASBCA made clear, in both instances, that it would not interpret Sikorsky to allow a waiver of the appeal period.                    Military Aircraft Parts, ASBCA No. 60336 (Apr. 25, 2016); and Military Aircraft Parts, ASBCA No. 60139 (June 3, 2016) In the first case, Military Aircraft Parts appealed the termination for default of its contract to provide aircraft frames to the Defense Logistics Agency and the cancellation of two purchase orders for more frames, claiming that the termination and cancellation were breaches of the contract.  The board (McIlmail, A.J.) held that it could not review the appeal from the termination of the original contract because it was not brought within 90 days after the termination decision.  Although the contractor urged the board to adopt a "good cause" exception to the 90-day deadline in light of the Federal Circuit’s ruling that the CDA’s statute of limitations is not jurisdictional, Judge McIlmail reiterated that the 90-day appeals period cannot be waived. In the second case, Military Aircraft Parts appealed the contracting officer’s final decisions that denied a number of claims for breach of contract arising out of a contract that the Government terminated for default.  
The Government argued that Military Aircraft Parts did not timely appeal the default terminations and was using its breach of contract claims on appeal to the board in an attempt to skirt the CDA’s 90-day jurisdictional deadline for appeal of the contracting officer’s final decision on the default termination.  Military Aircraft Parts denied the assertion that its complaint was merely a challenge to default terminations "clothed in breach of contract language" and, in the alternative, argued again that the reasoning in Sikorsky should allow the board to find that the 90-day appeal period is not jurisdictional.  The board (O’Sullivan, A.J.) agreed with the Government, finding that the board lacked jurisdiction over the claims because they were implicit challenges to the default termination.  In doing so, Judge O’Sullivan cited pre-Sikorsky precedent to reaffirm its long line of precedent holding that the 90-day deadline is "jurisdictional, absolute, and may not be waived."             3.  Contract Interpretation The following decision from the second half of 2016 articulates broadly applicable contract interpretation principles that government contractors should consider.                    King Aerospace, Inc., ASBCA No. 57057 (July 26, 2016) In 2005, the Government awarded a contract to King for the maintenance of a fleet of aircraft.  In 2009, King presented a certified claim incorporating a Request for an Equitable Adjustment ("REA") based on additional maintenance required as a result of aircraft conditions inferior to those represented in the contract.  The contracting officer denied the claim and King appealed.   The Board (McIlmail, A.J.) concluded that King was entitled to additional compensation, noting that in order to prevail on a claim of misrepresentation, the contractor needed to show that there was a false representation of material fact that the contractor reasonably relied on to the contractor’s detriment.  
The Board determined that the contract represented that aircraft would be maintained in accordance with industry practices, and that the aircraft were not maintained in such a fashion.  Further, this misrepresentation was material because the condition of the aircraft was likely to affect the inducement of King in assenting to maintaining the aircraft.  Moreover, King honestly relied on the misrepresentation to its detriment because King would have bid higher had it known of the substandard condition of the aircraft.  The Board also found that King’s reliance was reasonable as there was no contrary representation of the aircrafts’ conditions.              4.  Cost Issues                    Raytheon Co., Space & Airborne Sys., ASBCA No. 58068 (Aug. 9, 2016) In 2007, Raytheon SAS revised its cost accounting practices, one of which the Defense Contract Audit Agency ("DCAA") determined to result in a $142,000 increase to the Government across all contracts with the business.  DCAA did not consider decreased costs to the Government from one of the related changes, which more than offset the modest increase from the first change, due to a revision to FAR 30.606 in 2005, that prohibits such offsets, as discussed in an earlier decision in this case covered in the 2015 Mid-Year Government Contracts Litigation Update.  The contracting officer subsequently issued a final decision on the alleged increased costs and Raytheon SAS appealed. The Board (O’Connell, A.J.) 
sustained the appeal, ruling for Raytheon SAS, because it found that the contracting officer improperly determined the amount at issue was "material" based solely upon the dollar value of the increased cost, without considering other required factors, such as the magnitude of the dollar value in relation to Raytheon SAS’s total contracting relationship with the Government (here, less than 0.005%), the cost impact per contract (here, $36 per contract, per year), or the benefit of reduced administrative processing costs by the Government.  The Board concluded that the contracting officer’s failure to consider these factors was an "abuse of discretion," which is significant because there was no evidence of bad faith by the contracting officer.                    Exelis, Inc., ASBCA No. 60131 (Aug. 29, 2016) Exelis appealed from a contracting officer’s final decision finding that Exelis improperly accounted for the costs of a building lease pursuant to Cost Accounting Standard ("CAS") 404, which governs Capitalization of Tangible Assets.  Exelis moved to dismiss and asserted that there was no CAS 404 violation, and that while the CAS 404 claim asserted a sum certain, it did not assert a sum certain with regard to a FAR violation, which the Government was also asserting. The Board (D’Alessandris, A.J.) determined that there was no CAS 404 violation.  First, the Board found the plain language of CAS 404 to be clear, that it applied to "tangible" assets, and that a building lease is an "intangible" asset since it does not have "physical substance."  Second, even if the language was not clear, the preamble to CAS 404 showed that the CAS Board did not intend that all leases should be "tangible capital assets."  Third, in considering other interpretive aids, the Board continued to find that the Government could not establish a CAS 404 violation. 
Regarding the alleged FAR violation, the Board first noted that new theories or new damages that arise from the same operative facts do not constitute new claims, and that the sum certain requirement simply requires a specified dollar amount for a claim.  The Board also explained that estimated or approximate costs in determining the value of a claim are sufficient, as long as the overall demand is for a sum certain.  In light of this, the Board found that the relevant facts in the appeal included the lease in question, and that the FAR and CAS claims involved the same operative facts and were the same claim for CDA purposes.  Thus, despite the Government’s sum certain being calculated based on a purported CAS violation rather than a FAR violation, the claim was still proper because the two purported violations were the same for CDA purposes. B.  Uncertainty in the Direction that Federal Contracting Policy Will Take Under the New Trump Administration The direction that federal contracting policy will take under the new Trump administration remains somewhat vague, and we will continue to keep you informed as the administration’s policy develops.  But we note that President Trump’s willingness to use Twitter to address the price of federal contracts will likely have implications in the industry.  Although prior administrations have been critical about allegedly wasteful spending, President Trump’s Twitter activity suggests that the President is willing to directly intervene in the negotiation and execution of government contracts, which is something federal contractors will have to take into account. III.  COMMERCIAL SPACE SECTOR A.  Developments in the Commercial Crew Program The National Aeronautics and Space Administration ("NASA") has lacked the domestic capability to transport astronauts to space since the expiration of the Space Shuttle Program in July 2011.  
Since then, NASA has relied upon the Russian Federal Space Agency ("Roscosmos") to ferry astronauts to the International Space Station ("ISS"), at prices ranging from $21 million to $82 million per roundtrip.  To remedy this situation, NASA instituted the Commercial Crew Program to work with commercial companies to develop manned spaceflight systems.  In September 2014, NASA selected two companies to participate in this program:  The Boeing Company ("Boeing") and Space Exploration Technologies Corporation ("SpaceX"). On September 1, 2016, NASA announced that both companies were facing technical challenges that would delay the first flights carrying NASA astronauts to the ISS until late 2018–more than three years after NASA’s original 2015 goal.[33]  Boeing was experiencing issues related to vehicle mass and the effects of vibrations generated during launch.  SpaceX was experiencing delays from its decision to change its capsule design to enable water-based landings.  In light of these developments, NASA extended its contract with Roscosmos for astronaut transportation through 2018, at an additional cost of $490 million for six more seats. On January 4, 2017, NASA announced that it awarded additional space missions to Boeing and SpaceX.[34]  Originally, each firm was offered two roundtrip missions to the ISS.  Now each firm will launch six missions.  Boeing has scheduled an unmanned flight test for June 2018 and a crewed flight test for August 2018.  It has even released new spacesuit designs.[35]  SpaceX has scheduled an unmanned flight test for November 2017 and a crewed flight test for May 2018. B.  NOAA Policies on Commercial Activity The National Oceanic and Atmospheric Administration ("NOAA") released a commercial space policy on January 8, 2016.[36]  Among other things, it designated the Office of Space Commerce as a point of contact for commercial providers to promote more efficient commercial engagement.  
The policy was part of NOAA’s efforts to understand better how partnerships with private firms in the rapidly changing commercial space sector could help the agency perform its functions.[37] NOAA’s National Environmental Satellite, Data, and Information Service ("NESDIS") published a Commercial Space Activities Assessment Process on January 6, 2017.[38]  This report indicated NOAA’s interest in commercially provided data satisfying its technical requirements at a lower cost than government alternatives.  It then set out a four-part process for future government contracts.  First, NESDIS will release one or more Requests for Information to convey its interest in new data sets and gather information about new, emerging, and existing commercial observation capabilities.  Based on these responses, NESDIS will then release one or more solicitations to acquire and evaluate commercial data satisfying the requisite specifications.  NOAA may then purchase data from one or more vendors for analysis and evaluations through a demonstration project.  Following these demonstrations, NESDIS may issue one or more solicitations to purchase on-orbit observations from commercial sources for operational use by NOAA. On September 15, 2016, NOAA announced that it awarded contracts to GeoOptics, Inc. ($695,000), and Spire Global, Inc. ($370,000), as part of its Commercial Weather Data Pilot.[39]  The firms will provide space-based GNSS radio occultation data to NOAA for the agency to evaluate.  They have until April 30, 2017, to complete the delivery of their data.  NESDIS will conduct an assessment of the data through the end of FY 2017 and produce a final report in early FY 2018. C.  
For the First Time, Federal Agencies Authorize Private Company to Land on Moon On July 20, 2016, the Federal Aviation Administration approved a private company’s plans to land a robotic lander on the Moon, capping a series of unprecedented regulatory approvals from NASA and the State Department that blaze a trail for commercial lunar expeditions.[40]  The company, Moon Express, is an early-stage startup founded for the purpose of establishing commercial travel to, and gathering resources and metals from, the Moon.[41]  As previously there was "no existing regulatory framework for private missions beyond Earth orbit," Moon Express CEO Bob Richards says that "Moon Express created a proposed framework" for the necessary approvals.[42]  While more details have yet to emerge about Moon Express’s framework, it purportedly focused on "the safety of its payload as well as outlining [how] the United Nation’s Outer Space Treaty would not be violated."[43]  The framework uses "existing payload review and launch license processes under authorities of the Secretary of Transportation, and adds to them a series of voluntary disclosures intended to provide the Federal Government with sufficient information to help fulfill its supervisory obligations under the Outer Space Treaty."[44]   The approval is for a lunar mission in 2017, but Moon Express is still assembling its lander and coordinating for its rocket with Los Angeles-based "Rocket Lab."[45]  If Moon Express reaches the Moon by December 31, 2017, it may win the "Google Lunar X Prize competition for the first private organization to reach the moon" and also reap a $20 million reward.[46]  Four other teams from around the world purportedly have obtained 2017 launch contracts from their respective governments.[47]  Moon Express recently announced it has raised an additional $20M in series B-1 funding, which it claims "fully finance[s]" its 2017 launch.[48]  D.  
Congress Passes Law Expanding Federal Aviation Administration and Secretary of Transportation Authority to Consider Proposed Construction’s Impacts on Space Operations On November 28, 2016, President Obama signed into law H.R. 6007,[49] a bill "[t]o amend title 49, United States Code, to include consideration of certain impacts on commercial space launch and reentry activities in a navigable airspace analysis, and for other purposes."  The bill amended 49 U.S.C. § 44718, which has long permitted the Secretary of Transportation to conduct studies and issue reports on any adverse impact on navigable airspace resulting from proposed construction.  H.R. 6007 required the Secretary of Transportation to conduct an aeronautical study if the Secretary determines that any proposed construction or alteration would interfere with "air or space navigation facilities."[50]  And in conducting such a study, the bill required the Secretary to consider "the impact on launch and reentry for launch and reentry vehicles arriving or departing from a launch site or reentry site licensed by the Secretary."[51]  The bill’s purview included "space ports established at existing airports," as airports are considered "General Aviation" facilities.[52]  By May 28, 2018, the FAA Administrator must "initiate a rulemaking to implement" the aforementioned amendments.[53]  H.R. 6007 came on the heels of "officials at California’s Mojave Air and Space Port criticiz[ing an] FAA decision to allow the construction of taller electric transmission lines near the airport."[54]  The bill’s sponsor, California Representative Kevin McCarthy, said on the House floor that the bill gave "the FAA the authority they now lack to examine whether structures being built near spaceports will obstruct spaceflight."[55]  McCarthy’s explicit intent was that the bill "ensures [] government policies keep up with the progress" of "commercial space flight."[56]  Both the House and Senate unanimously approved H.R. 
6007.[57]  E.  FAA Rule on Reciprocal Waivers In August 2016, the Federal Aviation Administration (FAA) revised its rule on reciprocal waivers of claims for commercial launches and reentries.  The new rule simplifies the procedure for customers who contract with a first-tier customer, as opposed to the licensee or permittee.  Under the rule, these customers enter into a waiver agreement with the first-tier customer, not the licensee or permittee.  The rule also mandates that all customers waive claims against every other customer regardless of whether those customers sign a different set of reciprocal waivers.[58] F.  President Trump’s Commercial Space Policy The Trump administration has the potential to be the most supportive ever for the commercial space industry.  During the campaign, two of President Trump’s advisors wrote in an op-ed that "government must recognize that space is no longer the province of governments alone."  The advisors mentioned the work of Boeing/ULA, Orbital ATK, Virgin Galactic, Blue Origin, Paragon, Sierra Nevada, and Xcor, and they praised SpaceX for its "Made in America policy."  They also promised to resurrect the National Space Council under Vice President Mike Pence to coordinate space policy.[59] Since winning the election, Trump has consulted several advocates of commercial spaceflight.  Elon Musk of SpaceX and Jeff Bezos of Blue Origin both attended a meeting with Trump in December, and Peter Thiel, an investor in SpaceX, has been named to the President’s Strategic and Policy Forum.[60] But Senator Jeff Sessions, Trump’s nominee for attorney general, supports a more traditional space policy.  Sessions, whose state is home to NASA’s Marshall Space Flight Center, reportedly has been involved in choosing Trump’s NASA landing team and a nominee for NASA administrator.[61] This division is reflected in the composition of Trump’s NASA landing team.  
After initially appointing a head of the team who appears to support a more traditional policy, the transition added several members who support commercial space exploration.[62] Trump has yet to nominate an administrator for NASA, but the early favorite is Congressman Jim Bridenstine, who has advocated for commercial space interests in Congress.  Other candidates reportedly include former NASA deputy administrator Shana Dale, former NASA administrator Mike Griffin, former NASA astronaut Eileen Collins, and Scott Pace of George Washington University.[63] IV.  CONCLUSION We will continue to keep you informed on these and other related issues as they develop.    [1]   Operation and Certification of Small Unmanned Aircraft Systems, 81 Fed. Reg. 42064 (June 28, 2016).    [2]   14 C.F.R §§ 107.12, 107.53–107.79 (2016).    [3]   Id. §§ 107.3, 107.25, 107.35, 107.51, 107.37, 107.39, 107.41 (2016).    [4]   Id. § 107.205 (2016).    [5]   See FAA, Part 107 Waivers Granted (Dec. 31, 2016), available at https://www.faa.gov/uas/ request_waiver/waivers_granted/.    [6]   14 C.F.R. § 107.41 (2016).    [7]   FAA Order JO 7200.23, Air Traffic Organization Policy (Oct. 3, 2016), available at https://www.faa.gov/ documentLibrary/media/Order/FAA_JO_7200_23_2.pdf.      [8]   See FAA, Micro Unmanned Aircraft Systems ARC Recommendations Final Report (April 1, 2016), available at https://www.faa.gov/uas/resources/uas_regulations_policy/media/Micro-UAS-ARC-FINAL-Report.pdf.    [9]   14 C.F.R. § 107.39 (2016). [10]   See 81 Fed. Reg. at 42128. [11]   The White House, Office of the Press Secretary, Presidential Memorandum:  Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems (Feb. 15, 2015), available at https://www.whitehouse.gov/the-press-office/2015/02/15/ presidential-memorandum-promoting-economic-competitiveness-while-safegua. 
[12]   Voluntary Best Practices for UAS Privacy, Transparency, and Accountability, NTIA-Convened Multistakeholder Process (May 18, 2016), available at https://www.ntia.doc.gov/files/ntia/publications/ uas_privacy_best_practices_6-21-16.pdf. [13]   Notice of Proposed Rule Making, Operation and Certification of Small Unmanned Aircraft Systems, 80 Fed. Reg. 9544, 9552 (Feb. 23, 2015). [14]   81 Fed. Reg. at 42190. [15]   EPIC v. FAA, No. 16-1297 (D.C. Cir. 2016). [16]   EPIC v. FAA, 821 F.3d 39, 43 (D.C. Cir. 2016). [17]   See EPIC v. FAA, No. 16-1297 (D.C. Cir. 2016). [18]   Id. [19]   Current Unmanned Aircraft State Law Landscape, National Conference of State Legislatures (Dec. 16, 2016), available at http://www.ncsl.org/research/transportation/current-unmanned-aircraft-state-law-landscape.aspx. [20]   FAA, Busting Myths About the FAA and Unmanned Aircraft (Mar. 7, 2014), available at https://www.faa.gov/news/updates/?newsId=76240. [21]   See 49 U.S.C. § 40103. [22]   Id. § 40102(32). [23]   14 C.F.R. § 91.119(b)(c). [24]   328 U.S. 256, 266 (1946). [25]   Id. at 264. [26]   Id. at 265. [27]   Id. at 266. [28]   See Boggs, No. 3:16-cv-00006, Dkt. No. 1 (W.D. Ky. Jan. 4, 2016). [29]   See id. [30]   See Huerta, No. 3:16-cv-358, Dkt. No. 30. [31]   Id. [32]   Id. [33]   NASA’s Commercial Crew Program:  Update on Development and Certification Efforts, NASA, Office of Inspector General, Office of Audits (Sept. 1, 2016), available at https://oig.nasa.gov/audits/reports/ FY16/IG-16-028.pdf. [34]   Steven Siceloff, Mission Awards Secure Commercial Crew Transportation for Coming Years, NASA (Jan. 3, 2017), available at https://www.nasa.gov/feature/mission-awards-secure-commercial-crew-transportation-for-coming-years. [35]   Steven Siceloff, New Spacesuit Unveiled for Starliner Astronauts, NASA (Jan. 25, 2017), available at https://www.nasa.gov/feature/new-spacesuit-unveiled-for-starliner-astronauts. [36]   NOAA Commercial Space Policy, NOAA (Jan. 
8, 2016), available at http://www.noaanews.noaa.gov/ stories2016/images/NOAA%20Commercial%20Space%20Policy.pdf. [37]   NOAA Issues Commercial Space Policy, NOAA (Jan. 8, 2016), available at http://www.noaanews.noaa.gov/ stories2016/010816-noaa-statement-commercial-space-policy.html. [38]   Commercial Space Activities Assessment Process, NOAA/NESDIS (Jan. 6, 2017), available at https://www.nesdis.noaa.gov/NESDOCS/pdf/8000_8999/nesdis_commercial_space_activities_assessment_process_final%201.6.17%20readable.pdf.  See also NESDIS Commercial Space Activities Assessment Process, Office of Space Commerce (Jan. 6, 2017), available at http://www.space.commerce.gov/business-with-noaa/nesdis-commercial-space-activities-assessment-process/. [39]   NOAA Awards Commercial Weather Data Pilot Contracts, Office of Space Commerce (Sept. 15, 2016), available at http://www.space.commerce.gov/noaa-awards-commercial-weather-data-pilot-contracts/. [40]   Jordan Rice, The First Private Spaceflight Company Is Cleared for a Moon Landing, Astronomy Magazine (Aug. 4, 2016), http://www.astronomy.com/news/2016/08/next-stop-the-moon.  Up until this point, private companies have flown only 22,236 miles above the Earth–Moon Express intends to send its lander ten times that distance.  See Kenneth Chang, Florida Company Gets Approval to Put Robotic Lander on Moon, The New York Times (Aug. 3, 2016), available at https://www.nytimes.com/2016/08/04/science/moon-express-faa.html?_r=0. [41]   Saki Knago and AJ Barbosa, The New Space Biz:  Companies Seek Cash in the Cosmos, The Huffington Post (July 22, 2011), http://www.huffingtonpost.com/2011/07/22/new-space-business_n_907358.html. [42]   Rice, supra note 40. [43]   Rice, supra note 40. [44]   US Government Approves Plan for Moon Express to Become First Private Company to Venture Beyond Earth’s Orbit, Moon Express, http://www.moonexpress.com/files/moon-express-press-kit.pdf (last visited Jan. 27, 2016). [45]   Chang, supra note 40. 
[46]   Chang, supra note 40. [47]   Homepage, Google Lunar XPrize, http://lunar.xprize.org/ (last visited Jan. 27, 2016). [48]   Sam Levin, Moon Express Raises $20m for 2017 Voyage to the Moon, The Guardian (Jan. 17, 2017), https://www.theguardian.com/science/2017/jan/17/moon-express-raises-20m-for-2017-voyage-to-moon; see also Emily Calandrelli, Moon Express Raises $20M in Series B-1, Fully Funds Trip to the Moon, TechCrunch (Jan. 13, 2017), https://techcrunch.com/2017/01/13/moon-express-raises-20-million-in-series-b-1-fully-funds-trip-to-the-moon/. [49]   H.R. Rep No. 6007 (2016), available at https://www.congress.gov/bill/114th-congress/house-bill/6007/text.  [50]   49 U.S.C. § 44718(b)(1) (emphasis added).  [51]   49 U.S.C. § 44718(b)(1)(F). [52]   Steven Mayer, Obama Signs McCarthy Bill to Protect Space Ports, Bakersfield.com (Nov. 29, 2016), http://www.bakersfield.com/news/obama-signs-mccarthy-bill-to-protect-space-ports/article_317b54d7-dffc-590d-b121-c7a8e6b3b32e.html.  [53]   H.R. Rep No. 6007 (2016), available at https://www.congress.gov/bill/114th-congress/house-bill/6007/text.  [54]   Id.  [55]   Jeff Foust, House Advances Commercial Space and Astronaut Health Bills, SpaceNews (Sep. 22, 2016), http://spacenews.com/house-advances-commercial-space-and-astronaut-health-bills/#sthash.pqkTLvBT.dpuf. [56]   Mayer, supra note 52. [57]   Foust, supra note 55. [58]   Reciprocal Waivers of Claims for Licensed or Permitted Launch and Reentry Activities, 81 Fed. Reg. 55115 (2016) (codified at 14 C.F.R. § 440). [59]   Robert S. Walker & Peter Navarro, Op-ed:  Trump’s Space Policy Reaches for Mars and the Stars, SpaceNews (Oct. 19, 2016), http://spacenews.com/trumps-space-policy-reaches-for-mars-and-the-stars/. [60]   Eric Berger, Peter Thiel Now Leading the Fight for Commercial Space in Trump’s NASA, Ars Technica (Dec. 20, 2016, 6:31 PM), https://arstechnica.com/science/2016/12/peter-thiel-now-leading-the-fight-for-commercial-space-in-trumps-nasa/. 
[61]   Andy Pasztor, Sen. Jeff Sessions Exerts Wide Influence Over Trump Space Plans, Wall St. J. (Dec. 13, 2016, 6:56 PM), http://www.wsj.com/articles/sen-jeff-sessions-exerts-wide-influence-over-trump-space-plans-1481673405. [62]   Andy Pasztor, Thiel Pushes to Add Commercial-Space Backers to Trump NASA Team, Wall St. J. (Dec. 21, 2016, 11:22 AM), http://www.wsj.com/articles/thiel-others-push-for-trump-nasa-team-expansion-1482263645. [63]   Eric Berger, Will Trump Pick an "Agent of Change" or an Insider to Lead NASA, Ars Technica (Nov. 17, 2016, 9:58 AM), https://arstechnica.com/science/2016/11/will-trump-pick-an-agent-of-change-or-an-insider-to-lead-nasa/. Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding the issues discussed above.  Please contact the Aerospace and Related Technologies practice group co-chairs, Karen L. Manos, David Wilf, Perlette M. Jura, and William J. Peters; the additional authors of this update, Dhananjay S. Manthripragada, Jared Greenberg, and David M. Wolber; or the Gibson Dunn lawyer with whom you usually work. © 2017 Gibson, Dunn & Crutcher LLP

June 12, 2015 |
A Practical Guide to the Use of the Commissioned Public Report as an Effective Crisis-Management Tool

Washington, D.C. partner F. Joseph Warin and associates Oleh Vretsona and Lora MacDonald are the authors of "A Practical Guide to the Use of the Commissioned Public Report as an Effective Crisis-Management Tool" [PDF] published in the Notre Dame Journal of Law, Ethics & Public Policy, Volume 29, Issue 1.

March 16, 2018 |
Aerospace and Related Technologies – Key Developments in 2017 and Early 2018

This March 2018 edition of Gibson Dunn’s Aerospace and Related Technologies Update discusses newsworthy developments, trends, and key decisions from 2017 and early 2018 that are of interest to aerospace and defense, satellite, and drone companies; and new market entrants in the commercial space and related technology sectors, including the private equity and other financial institutions that support and enable their growth. Specifically, this update covers the following areas: (1) commercial unmanned aircraft systems (“UAS”), or drones; (2) government contracts litigation involving companies in the aerospace and defense industry; (3) the commercial space sector; and (4) cybersecurity and privacy issues related to the national airspace.  We discuss each of these areas in turn below. I.    COMMERCIAL UNMANNED AIRCRAFT SYSTEMS The commercial drone industry has continued to mature through advancements in technology, government relations, and public perception.  Commercial drones are being used for various sensory data collection, building inspections, utility inspections, agriculture monitoring and treatment, railway inspections, pipeline inspections, mapping of mines, and photography.  New drone applications are being created on a regular basis.  For example, the concept of flying drone taxis was validated in Dubai in September 2017 when an uncrewed two-seater drone successfully conducted its first test flight. Around a year and a half ago, United States regulations governing non-recreational drone operations were finalized.  Since then, the Federal Aviation Administration (“FAA”) has issued over 60,000 remote pilot certificates.  The FAA has made and continues to make efforts to advance its technology, and it recently released a prototype application to provide operators with automatic approval of specific airspace authorizations.  The national beta test of this system will launch in 2018, and we will be sure to report back with the results. 
One of the biggest boons for the industry over the past 15 months was the positive public perception stemming from Hurricane Harvey relief efforts.  In the days following the disaster, drones worked in concert with government agencies to support search and rescue missions, inspect roads and railroads, and assess water plants, oil refineries, cell towers, and power lines.  Further, major insurance companies used drones to assess claims in a safer, faster, and more efficient manner.  The aftermath of this disaster demonstrated the value of drone technology and increasingly has driven a positive public perception of the industry.  Indeed, even aside from the disaster relief efforts, media sources continue to carry positive drone stories.  For example, in January 2018, Australian lifeguards were testing a drone with the ability to release an inflatable rescue pod; during its testing, the drone was called into action, and rescued two teenagers from drowning. The future is bright, but there are still many obstacles for the industry to overcome before it fully matures, such as clarity around low altitude airspace, privacy concerns, and the risk to people, property, and other aircraft. To get you caught up on 2017 and early 2018 drone developments, we have briefly summarized below: (A) highlights of drone litigation impacting airspace, including highlights from previous years for context; (B) drone registration; (C) privacy issues related to drones; (D) the United States government’s expanded use of drones; (E) drone countermeasures; (F) drone safety studies; and (G) the UAS airspace integration pilot program. A.    Litigation Highlights Regarding Airspace Huerta v. Haughwout, No. 3:16-cv-358, Dkt. No. 30 (D. Conn. Jul. 18, 2016) The latter half of 2016 featured an important decision regarding the FAA’s authority over low-level airspace.  The 2016 decision, Huerta v. 
Haughwout, also known as “the flamethrower drone case,” involved two YouTube videos posted by the Haughwouts.  One video featured a drone firing an attached handgun, while a second video showed a drone using an attached flamethrower to scorch a turkey.  After the videos were publicly uploaded, the FAA served the Haughwouts with an administrative subpoena to acquire further information about the activities featured in the videos.  The Haughwouts refused to comply with the FAA’s subpoenas, asserting that their activities were not subject to investigation by the FAA.  In response, the FAA sought enforcement of the subpoenas in the District of Connecticut.[1] Judge Jeffrey Meyer found the administrative subpoenas to be valid.  Most importantly, however, his order included dicta casting doubt on the FAA’s claim to control all airspace from the ground up:  “The FAA believes it has regulatory sovereignty over every inch of outdoor air in the United States…. [T]hat ambition may be difficult to reconcile with the terms of the FAA’s statute that refer to ‘navigable airspace.’”  While this dicta addressed the question of where the FAA’s authority begins, Judge Meyer also noted that “the case does not yet require an answer to that question.”[2]  Judge Meyer further stated: Congress surely understands that state and local authorities are (usually) well positioned to regulate what people do in their own backyards.  The Constitution creates a limited national government in recognition of the traditional police power of state and local government.  No clause in the Constitution vests the federal government with a general police power over all of the air or all objects that leave the ground.  
Although the Commerce Clause allows for broad federal authority over interstate and foreign commerce, it is far from clear that Congress intends–or could constitutionally intend–to regulate all that is airborne on one’s own property and that poses no plausible threat to or substantial effect on air transport or interstate commerce in general.[3] 2017 featured the resolution of another lawsuit where the plaintiff attempted to extend the significance of Haughwout in an effort to get the courts to address the question of what “navigable airspace” means in the context of drones (see discussion of Singer v. City of Newton, infra). Boggs v. Merideth, No. 3:16-cv-00006 (W.D. Ky. Jan. 4, 2016) In Boggs v. Merideth—better known as “the Drone Slayer case”—a landowner shot down an operator’s drone with a shotgun in the Western District of Kentucky.[4]  The plaintiff flew his drone roughly 200 feet above the defendant’s property, causing the defendant—the self-anointed “Drone Slayer”—to claim the drone was trespassing and invading his privacy and shoot it down.  The plaintiff believed the airspace 200 feet above the ground was federal airspace and therefore the defendant could not claim the drone was trespassing. Following a state judge’s finding that the defendant acted “within his rights,” the drone operator filed a complaint in federal court for declaratory judgment to “define clearly the rights of aircraft operators and property owners.”[5]  The case had the potential to be a key decision on the scope of federal authority over the use of airspace.  Rather than claiming defense of property, however, the defendant moved to dismiss the complaint on jurisdictional grounds.  The plaintiff unsuccessfully attempted to rely on the decision in Huerta v. Haughwout for the proposition that all cases involving the regulation of drone flight should be resolved by federal courts.  
The court rejected the plaintiff’s argument, noting that Haughwout only concerned the FAA’s ability to exercise subpoena power and enforce subpoenas in federal court.  In fact, the district court noted, the court in Haughwout “expressed serious skepticism as to whether all unmanned aircrafts are subject to FAA regulation.”[6]  In his March 2017 order, Senior District Court Judge Thomas B. Russell granted the defendant’s motion to dismiss for lack of federal jurisdiction, stating that the issue of whether or not the drone was in protected airspace only arises on the presumption that the defendant would raise the defense that he was defending his property.[7]  Consequently, there was no federal question jurisdiction and the case was thrown out without ever reaching its merits. While the question of what exactly constitutes “navigable airspace” in the drone context remained unanswered in 2017, the year did mark the beginning of federal courts addressing the overlap between conflicting state, local, and federal drone laws. Singer v. City of Newton, No. 1:17-cv-10071 (D. Mass. Jan. 17, 2017) On September 21, 2017, a federal judge in the District of Massachusetts held that portions of the City of Newton, Massachusetts’s (“Newton”) ordinance attempting to regulate unmanned aircraft operations within the city were invalid.[8] The case, Singer v. City of Newton, marks the first time a federal court has struck down a local ordinance attempting to regulate drones.  
The court held the following four city ordinance provisions to be unenforceable: (1) a requirement that all owners register their drones with the city; (2) a ban on all drone operations under 400 feet that are over private property unless done with express permission of the property owner; (3) a ban on all drone operations over public property, regardless of altitude, unless done with the express permission of the city; and (4) a requirement that no drone be operated beyond the visual line of sight of its operator.[9] All four of these provisions of the Newton ordinance were found to be preempted by federal regulations promulgated by the FAA. In the course of holding that the four sections of Newton’s ordinance were each preempted, the court identified the congressional objectives each section inhibited.  One relevant congressional objective is to make the FAA the exclusive regulatory authority for registration of drones.  The Newton ordinance required the registration of drones with the City of Newton, which impeded Congress’s objective; thus, the court found that section to be preempted.[10] The court also identified a congressional objective for the FAA to develop a comprehensive plan to safely accelerate the integration of drones into the national airspace system.  
The two sections of the Newton ordinance requiring prior permission to fly above both public and private property within the city effectively eliminated any drone activity without prior permission; thus those sections were held to interfere with the federal objective and were invalidated.[11] Lastly, the court found that the Newton ordinance’s provision barring drone usage beyond the visual line of sight of the operator conflicted with a less restrictive FAA rule allowing such usage if a waiver is obtained or if a separate visual observer can see the drone throughout its flight and assist the operator.[12] The Singer ruling marked the long-anticipated beginning of federal courts addressing overlapping state, local, and federal drone laws.  While the ruling is significant for invalidating sections of a local ordinance and thus establishing a framework that federal courts may follow to invalidate state and local drone laws elsewhere, it is important not to overstate the case’s current significance.  The court in Singer declined to hold that law relating to airspace was expressly preempted or field preempted, but rather decided it was conflict preempted.  Consequently, the case does not provide support for the assertion that all state and local drone laws related to airspace will be preempted by FAA regulations.  Further, the court did not opine on the lower limits of the National Airspace and whether it goes to the ground, an issue likely to come up in future litigation. The unchallenged portions of the Newton ordinance still stand, and the closing lines in the opinion recognize that Newton is free to redraft the invalidated portions to avoid direct conflict with FAA regulations.  Thus it remains possible, even in the District of Massachusetts, for federal law to coexist with state and local laws in this field.  
In order to successfully avoid invalidation in the courts, however, state and local lawmakers must draft legislation that allows for compliance with federal regulations, and which does not interfere with any federal objectives. The year 2017 left much to still be determined by the courts.  While Newton demonstrated that preemption concerns do and will continue to exist, the case did not address the boundary of the National Airspace.  Haughwout did address the boundary—though only through dicta—and suggested that, when the issue is decided, the boundary will likely not extend to the ground.  Thus, as was the case at the start of 2017, where the boundary will be drawn remains to be seen. B.    Drone Registration: From Mandatory to Optional and Back to Mandatory In December 2015, days before tens of thousands of drones were gifted for the holidays, the FAA adopted rules requiring the registration of drones weighing more than 0.55 pounds prior to operation.  This registration requirement only impacted recreational users, as commercial users are required to register under Part 107.  This rule was challenged in Taylor v. Huerta, and on May 19, 2017, the U.S. Court of Appeals for the D.C. Circuit vacated the rule.[13]  The FAA instituted a program to issue refunds, and recreational pilots enjoyed the freedom of flying unregistered drones for the next seven months. The Circuit Court struck down the rule because the FAA lacked statutory authority to issue such a rule for recreational pilots.  
Section 336 of the FAA Modernization and Reform Act of 2012 states that the “Administrator of the Federal Aviation Administration may not promulgate any rule or regulation regarding a model aircraft.”[14]  The Court held that the FAA’s registration rule “directly violates that clear statutory prohibition” and vacated the rule to the extent it applied to model aircraft.[15]  The FAA responded by offering $5 registration fee refunds and the option to have one’s information removed from the federal database, while encouraging recreational operators to voluntarily register their drones. However, in a turn of events, on December 12, 2017, the President signed the National Defense Authorization Act of 2018, which included a provision reinstating the rule: Restoration Of Rules For Registration And Marking Of Unmanned Aircraft.—The rules adopted by the Administrator of the Federal Aviation Administration in the matter of registration and marking requirements for small unmanned aircraft (FAA-2015-7396; published on December 16, 2015) that were vacated by the United States Court of Appeals for the District of Columbia Circuit in Taylor v. Huerta (No. 15-1495; decided on May 19, 2017) shall be restored to effect on the date of enactment of this Act.[16] As a result of the Act, both recreational and commercial pilots are now required to register their drones, and one can do so on the FAA’s website. C.    UAS and Privacy 1.    Voluntary Best Practices Remain Intact A 2015 Presidential Memorandum issued by then-President Obama ordered the National Telecommunications and Information Administration (“NTIA”) of the U.S. 
Department of Commerce to create a private-sector engagement process to help develop voluntary best practices for privacy and transparency issues regarding commercial and private drone use.[17]  Since Part 107 of Title 14 of the Code of Federal Regulations (“Part 107”)[18] does not address privacy, privacy advocates hoped that the NTIA would force the FAA to promulgate privacy regulations.[19]  Prior attempts to petition the FAA to consider privacy concerns in its Notice of Proposed Rulemaking (“NPRM”) for Part 107 were unsuccessful.[20] The NTIA issued its voluntary best privacy practices for drones on May 19, 2016.[21]  While the final best practices found support from some privacy organizations and most of the commercial drone industry, other privacy groups raised concerns that the best practices neither established nor encouraged binding legal standards.[22]  Nonetheless, the best practices offer useful guidelines for companies testing and/or actively conducting drone operations. 2.    Litigation Regarding the FAA’s Role in Addressing Privacy As we discussed in an earlier update, the Electronic Privacy Information Center (“EPIC”) challenged the FAA’s decision to exclude privacy regulations from Part 107 in an August 2016 petition for review.[23]  In 2012, EPIC petitioned the FAA to promulgate privacy regulations applicable to drone use, which the FAA denied in February 2014.[24]  EPIC argued that the FAA Modernization and Reform Act of 2012 required the FAA to consider privacy issues in its NPRM.[25]  The FAA argued that while the Act directed the FAA to develop a comprehensive plan to safely integrate drones into the national airspace system, privacy considerations went “beyond the scope” of that plan.[26]  The D.C. Circuit dismissed EPIC’s petition for review on two grounds.[27]  First, the Court deemed EPIC’s petition for review “time-barred” because EPIC filed 65 days past the time allotted under 49 U.S.C. 
§ 46110(a).[28]  Second, the Court held that the FAA’s “conclusion that privacy is beyond the scope of the NPRM” was not a final agency determination subject to judicial review.[29] After the rule became final, EPIC filed a new petition for review asking the court to vacate Part 107 and remand it to the FAA for further proceedings.[30]  Consolidated with a related case, Taylor v. FAA, No. 16-1302 (D.C. Cir. filed August 29, 2016), EPIC argues that the FAA violated the Act by: (1) refusing to consider “privacy hazards,” and (2) refusing to “conduct comprehensive drone rulemaking,” which necessarily includes issues related to privacy.[31]  The FAA argues: (1) EPIC lacks standing, (2) the FAA reasonably decided not to address privacy concerns, and (3) even if EPIC has standing, Section 333 of the Act does not require the FAA to promulgate privacy regulations.[32]  Judge Merrick Garland, Judge David Sentelle, and Judge A. Raymond Randolph heard oral arguments in the consolidated cases on January 25, 2018.[33]  All eyes thus remain on the D.C. Circuit to determine whether the FAA must issue regulations covering privacy concerns raised by increased drone use. D.    The United States Government Expands Its Use of Drones Four years after the U.S. Department of Defense (“DoD”) issued its 25-year “vision and strategy for the continued development, production, test, training, operation, and sustainment of unmanned [aircraft] systems technology,”[34] the drone defense industry continues to experience rapid growth.  
A recent market report estimated that commercial and government drone sales will surpass $12 billion by 2021.[35]  However, that estimate is likely conservative when considering that the DoD allocated almost $5.7 billion to drone acquisition and research in 2017 alone.[36]  Likewise, the DoD allocates almost $7 billion to drone technology in its 2018 fiscal year Defense Budget.[37]  Additionally, Goldman Sachs forecasted a $70 billion market opportunity for military drones by 2020.[38]  According to Goldman Sachs: “Current drone technology has already surpassed manned aircraft in endurance, range, safety and cost efficiency — but research and development is far from over.  The next generation of drones will widen the gap between manned and unmanned flight even further, adding greater stealth, sensory, payload, range, autonomous, and communications capabilities.”[39]  It should thus come as no surprise that organizations developing defense-specific drones will expect increased demand for complete systems and parts in the coming years. 1.    United States Government’s Domestic Use of Drones The U.S. government mostly acquires drones for overseas military operations, a trend dating back to the deployment of the Predator drone in post-9/11 conflict territories.[40]  Domestic use of DoD-owned drones remains subject to strict governmental approval, and armed drones are prohibited on U.S. soil.[41]  In February 2015, the Deputy Secretary of Defense issued Policy Memorandum 15-002 entitled “Guidance for the Domestic Use of Unmanned Aircraft Systems.”[42]  Under the policy, the Secretary of Defense must approve all domestic use of DoD-owned UAVs, with one exception—domestic search and rescue missions overseen by the Air Force Rescue Coordination Center.[43]  However, DoD personnel may use drones to surveil U.S. 
persons where permitted by law and where approved by the Secretary.[44]  The policy expired on February 17, 2018,[45] and it remains to be seen how the Trump administration will handle domestic use of DoD-owned drones and the integration of UAVs into day-to-day civilian operations. E.    Drone Countermeasures In response to the rapid growth of militarized consumer drones, particularly in ISIS-controlled territories,[48] 2017 saw an increased offering of anti-drone technologies in the U.S.[49]  In April 2017, the U.S. Army’s Rapid Equipment Force purchased 50 of Radio Hill Technologies’ “Dronebuster” radar guns.[50]  The Dronebuster uses radio frequency technology to interrupt the control of drones by effectively jamming the control frequency or the GPS signal.[51]  The end-user can overwhelm the drone and deprive its operator of control or cause the drone to “fall out of the sky.”[52]  Handheld radar-type guns like the Dronebuster weigh about five pounds and cost an average of $30,000.[53]  The U.S. military also experimented with the Mobile High-Energy Laser-equipped Stryker vehicle.[54]  Similar to the Dronebuster, the 5 to 10kW laser overwhelms target drones’ control systems with high bursts of energy.[55]  It can shoot down drones 600 meters away, all without making a sound.[56] F.    Drone Safety Studies Making UAS operations commonplace in urban airspace will be a big step in the technological and economic advancement of the U.S.; however, there are obstacles to overcome in ensuring the safe operation of drones in urban areas.  
On April 28, 2017, the Alliance for System Safety of UAS through Research Excellence (“ASSURE”) released the results of a study that explored the severity of a UAS collision with people and property on the ground.[57]  First, ASSURE determined the most likely impact scenarios by reviewing various operating environments for UAS and determining their likely exposure to people and other manned aircraft.[58]  Then the team conducted crash tests and analyzed crash dynamics by measuring kinetic energy transfer.[59]  The results revealed that earlier measurements of the danger of collision grossly overestimate the risk of injury from a drone.[60]  ASSURE concluded that the DJI Phantom 3 drone has a 0.03% chance of causing a head injury if it falls on a person’s head.[61]  This is a very low probability considering blocks of steel or wood of the same weight have a 99% risk of causing a head injury in the same scenario.[62]  The disparity in probability of head injury is largely due to the fact that the DJI Phantom 3 drone absorbs most of the energy resulting from a collision, and therefore less energy is transferred on impact from the drone than from a block of steel or wood in the same collision.[63] In fact there are numerous steps that drone designers and manufacturers can take to reduce the likelihood of injury in the event of a collision.[64]  Projectile mass and velocity, as well as stiffness of the UAS, are the primary drivers of impact damage.[65]  As such, multi-rotor drones tend to be safer because they fall more slowly due to the drag of the rotors as the drones fall through the air.[66]  The study made clear that blade guards should be a design requirement for drones used in close proximity to people in order to minimize the lacerations that can result from a collision.[67]  Moreover, ASSURE found that the more flexible the structure of the drone, the more energy the drone retains during impact, causing less harm to the impacted object of the collision.[68] 
Regarding crashes with other manned aircraft, however, the study revealed that the impact of a drone can be much more severe than the impact of a bird of equivalent size and speed.[69]  As such, the structural components of a commercial aircraft that allow it to withstand bird strikes from birds up to eight pounds are not an appropriate guideline for preventing damage from a UAS strike.[70]  The study also examined the dangers associated with lithium batteries, which are used to power most drones, in collisions.[71]  The major concern is the risk of a battery fire.[72]  The study found that typical high-speed impacts cause complete destruction of the battery, eliminating any concerns about battery fires.[73]  However, the lower impact crashes, which are mainly associated with take-off and landing, left parts of the battery intact, posing a risk of battery fire.[74] While the ASSURE study is the first of its kind, it certainly marks the need for more studies that analyze the practical aspects of collisions and how to reduce risk to minimize harm.  The hazards associated with commonplace drone operation are many.[75]  Analysis of the physical impact of a collision is one aspect of minimizing UAS risks.  
There is still much work to be done in order to minimize other collateral risks, such as the risk of technology failures, which range from UAS platform failures, to failures of hardware or communication links controlling the UAS.[76]  Environmental hazards, such as the effect of rain, lightning, and other types of weather remain to be studied.[77]  Ways to safeguard against human error or intentional interference are another aspect of UAS safety that has yet to be studied in detail.[78]  Data link spoofing, jamming, or hijacking poses significant safety hazards, particularly as incidents of data breaches become more and more common.[79]  Before the integration of UAS into national airspace can be fully implemented, industry stakeholders must collaborate to conduct studies that will help inform legislators about what kind of technological requirements and operational regulations are necessary. G.    UAS Airspace Integration Pilot Program In October 2017, the U.S. Department of Transportation (“DOT”) announced that it was launching the Unmanned Aircraft Systems Integration Pilot Program.[80]  The program, which was established in response to a presidential directive, is meant to accelerate the integration of UAS into the national airspace through the creation of public-private partnerships between UAS operators, governmental entities, and other private stakeholders.[81]  The program is designed to establish greater regulatory certainty and stability regarding drone use.[82]  After reviewing the applications, DOT will select a minimum of five partnerships with the goal of collaborating with the selected industry stakeholders in order to evaluate certain advanced UAS operational concepts, such as night operations, flights beyond the pilot’s line of sight, detect-and-avoid technologies, flights over people, counter-UAS security operations, package delivery, the integrity and dependability of data links between pilot and aircraft, and cooperation between local authorities 
and the FAA in overseeing UAS operations.[83] One such application was made by the City of Palo Alto, in partnership with the Stanford Blood Center, Stanford hospital, and Matternet, a private drone company.[84]  The City of Palo Alto has proposed the use of drones to deliver units of blood from the Stanford Blood Center to Stanford hospital, which would involve establishing an approved flight path for drones to transfer the units of blood in urgent situations.[85]  Matternet has already tested its drones’ capacity for transporting blood and other medical samples in Switzerland.[86]  A second project proposed by the City of Palo Alto involves the use of drones in order to monitor the perimeter of the Palo Alto Airport.[87]  This project involves a partnership between the city and a company called Multirotor, a German drone company that has experience working with the German army and the Berlin Police Department to integrate UAS as tools for law enforcement activities.[88] The creation of the pilot program has given stakeholders the sense that the current administration is supportive of integrating drones into the national airspace.  The support of the government has created the potential for unprecedented growth in an industry that could bring lucrative returns to its stakeholders.  
The DOT has already received over 2,800 interested party applications.[89]  The majority of these applications have come from commercial drone companies, as well as various other stakeholders including energy companies, law enforcement agencies, and insurance providers.[90]  The UAS Pilot Program is to last for three years.[91]  The projected economic benefit of integrated UAS is estimated to equal $82 billion, creating up to 100,000 jobs.[92]  Industries that could see immediate returns from the program include precision agriculture, infrastructure inspection and monitoring, photography, commerce, and crisis management.[93]  The advent of established, government-sanctioned rules for the operation of UAS will motivate industry stakeholders both in the public and private sectors to push forward with new and innovative ways to use drones.

II. GOVERNMENT CONTRACTS LITIGATION IN THE AEROSPACE AND DEFENSE INDUSTRY

Gibson Dunn’s 2017 Year-End Government Contracts Litigation Update and 2017 Mid-Year Government Contracts Litigation Update cover the waterfront of the most important opinions issued by the U.S. Court of Appeals for the Federal Circuit, U.S. Court of Federal Claims, Armed Services Board of Contract Appeals (“ASBCA”), and Civilian Board of Contract Appeals among other tribunals.  We invite you to review those publications for a full report on case law developments in the government contracts arena.

In this update, we (A) summarize key court decisions related to government contracting from 2017 that involve players in the aerospace and defense industry.  The cases discussed herein, and in the Government Contracts Litigation Updates referenced above, address a wide range of issues with which government contractors in the aerospace and defense industry are likely familiar.

A. Select Decisions Related to Government Contractors in the Aerospace and Defense Industry

Technology Systems, Inc., ASBCA No. 59577 (Jan. 12, 2017)

TSI held four cost-plus-fixed-fee contracts with the Navy for research and development.  Several years into the contracts, the government disallowed expenses that had not been questioned in prior years.  TSI appealed to the ASBCA, arguing that it relied to its detriment on the government’s failure to challenge those same expenses in prior years.

The Board (Prouty, A.J.) held that the challenged costs were “largely not allowable” and that “the principle of retroactive disallowance,” which it deemed “a theory for challenging audits whose heyday has come and gone,” did not apply because the same costs had simply not come up in the prior audits.  The theory of retroactive disallowance, first articulated in a Court of Claims case in 1971, prevents the government from challenging costs already incurred when the cost previously had been accepted following final audit of historical costs; the contractor reasonably believed that it would continue to be approved; and it detrimentally relied on the prior acceptance.  Tracing the precedent discussing the principle, the Board cited the Federal Circuit’s decision in Rumsfeld v. United Technologies Corp., 315 F.3d 1361 (Fed. Cir. 2003), which stated that “affirmative misconduct” on the part of the government would be required for the principle of retroactive disallowance to apply because it is a form of estoppel against the government.  The Board “sum[med] up: there is no way to read our recent precedent or the Federal Circuit’s except to include an affirmative misconduct requirement amongst the elements of retroactive disallowance.  Period.”  Further, the Board held that the government’s failure to challenge the same costs in prior years did not constitute a “course of conduct precluding the government from disallowing the costs in subsequent audits.”

Delfasco LLC, ASBCA No. 59153 (Feb. 14, 2017)

Delfasco had a contract with the Army for the manufacture and delivery of a specified number of munition suspension lugs.
The Army thereafter exercised an option to double the number of lugs required.  When Delfasco stopped making deliveries due to an inability to pay its subcontractor, the Army terminated the contract for default.  Delfasco appealed to the ASBCA, asserting that the government had waived its right to terminate for untimely performance by allegedly stringing Delfasco along even after the notice of termination.

The Board (Prouty, A.J.) set out the test for waiver in a case involving termination for default due to late delivery as follows:  “(1) failure to terminate within a reasonable time after the default under circumstances indicating forbearance, and (2) reliance by the contractor on the failure to terminate and continued performance by him under the contract with the Government’s knowledge and implied or express consent.”  The Board held that Delfasco failed to satisfy the first prong because the government’s show cause letter placed Delfasco on notice that any continued performance would only be for the purpose of mitigating damages.  Moreover, Delfasco failed to satisfy the second prong because Delfasco’s payment to its subcontractor after the show cause letter would have been owed regardless, and was not paid in reliance upon the government’s failure to terminate.  Therefore, the Board found that the government had not waived its right to terminate, and denied the appeal.

Raytheon Co., ASBCA Nos. 57743 et al. (Apr. 17, 2017)

Raytheon appealed from three final decisions determining that an assortment of costs—including those associated with consultants, lobbyists, a corporate development database, and executive aircraft—were expressly unallowable and thus subject to penalties.  After a two-week trial, the Board (Scott, A.J.) sided largely with Raytheon in a wide-ranging decision that covers a number of important cost principles issues.
First, the Board rejected the government’s argument that the consultant costs were expressly unallowable simply because the government was dissatisfied with the level of written detail of the work product submitted to support the costs.  Judge Scott noted that written work product is not a requirement to support a consultant’s services under FAR 31.205-33(f), particularly not where, as here, much of the consultants’ work was delivered orally due to the classified nature of the work performed.  The Board found that not only were the consultant costs not expressly unallowable, but indeed were allowable.  This is a significant ruling because the documentation of consultant costs is a recurring issue as government auditors frequently make demands concerning the amount of documentation required to support these costs during audits.

Second, the government sought to impose penalties for costs that inadvertently were not withdrawn in accordance with an advance agreement between Raytheon and the government concerning two executive aircraft.  Raytheon agreed that the costs should have been withdrawn and agreed to withdraw them when the error was brought to its attention, but asserted that the costs were not expressly unallowable and subject to penalty.  The Board agreed, holding that the advance agreements did not themselves clearly name and state the costs to be unallowable, and further that advance agreements do not have the ability to create penalties because a cost must be named and stated to be unallowable in a cost principle (not an advance agreement) to be subject to penalties.  This ruling could have significance for future disputes arising out of advance agreements.

Third, the government alleged that costs associated with the design and development of a database to support the operations of Raytheon’s Corporate Development office were expressly unallowable organizational costs under FAR 31.205-27.
The Board disagreed, validating Raytheon’s argument that a significant purpose of the Corporate Development office was allowable generalized long-range management planning under FAR 31.205-12, thus rendering the costs allowable (not expressly unallowable).

The only cost for which the Board denied Raytheon’s appeals concerned the salary costs of government relations personnel engaged in lobbying activities.  Raytheon presented evidence that it had a robust process for withdrawing these costs as unallowable under FAR 31.205-22, but inadvertently missed certain costs in this instance due to, among other things, “spreadsheet errors.”  Raytheon agreed that the costs were unallowable and should be withdrawn, but disputed that the costs of employee compensation (a generally allowable cost) were expressly unallowable and further argued that the contracting officer should have waived penalties under FAR 42.709-5(c) based on expert evidence that Raytheon’s control systems for excluding unallowable costs were “best in class.”  The Board found that salary costs associated with unallowable lobbying activities are expressly unallowable and that the contracting officer did not abuse his discretion in denying the penalty waiver.

L-3 Comms. Integrated Sys. L.P. v. United States, No. 16-1265C (Fed. Cl. May 31, 2017)

L-3 entered an “undefinitized contractual action” (“UCA”) with the Air Force in which it agreed to provide certain training services while still negotiating the terms of the contract.  After the parties failed to reach agreement on the prices for two line items in the UCA, the Air Force issued a unilateral contract modification, setting prices for those line items and definitizing the contract.  L-3 argued that the Air Force’s price determination was unreasonable, arbitrary and capricious, and in violation of the FAR, and filed suit seeking damages.  The government moved to dismiss for lack of subject matter jurisdiction.

The Court of Federal Claims (Kaplan, J.) dismissed L-3’s complaint, concurring with the government that L-3 had never presented a certified claim to the contracting officer for payment “of a sum certain to cover the losses it allegedly suffered.”  The court found that the proposals L-3 had presented to the Air Force were not “claims,” but rather proposals made during contract negotiations that did not contain the requisite claim certification language.

Innoventor, Inc., ASBCA No. 59903 (July 11, 2017)

In 2011, the government entered into a fixed-price contract with Innoventor for the design and manufacture of a dynamic brake test stand.  As part of the contract’s purchase specifications, the new design had to undergo and pass certain testing.  After problems arose in the testing process, Innoventor submitted a proposal to modify certain design components and applied for an equitable adjustment due to “instability of expectations.”  The contracting officer denied Innoventor’s request for an equitable adjustment, stating that the government had not issued a modification directing a change that would give rise to such an adjustment.  Innoventor submitted a claim, which the contracting officer denied, and Innoventor appealed.

The Board (Sweet, A.J.) held that the government was entitled to judgment as a matter of law because there was no evidence that the government changed Innoventor’s performance requirements, let alone that anyone with authority directed any constructive changes.  Here, the contract was clear that Innoventor’s design had to pass certain tests, and because it failed some of them, and did not perform pursuant to the contract terms, there was no change in the original contract terms that would give rise to a constructive change.  The Board also found that there was no evidence that any person beyond the contracting officer had authority to direct a change because the contract expressly provided that only the contracting officer has authority to change a contract.
Accordingly, the Board denied Innoventor’s appeal.

L-3 Commc’ns Integrated Sys., L.P., ASBCA Nos. 60713 et al. (Sept. 27, 2017)

L-3 appealed from multiple final decisions asserting government claims for the recovery of purportedly unallowable airfare costs.  Rather than audit and challenge specific airfare costs, the Defense Contract Audit Agency simply applied a 79% “decrement factor” to all of L-3’s international airfare costs over a specified dollar amount, claiming that this was justified based on prior-year audits.  After filing the appeals, L-3 moved to dismiss for lack of jurisdiction on the grounds that the government had failed to provide adequate notice of its claims by failing to identify which specific airfare costs were alleged to be unallowable, as well as the basis for those allegations.

The Board (D’Alessandris, A.J.) denied the motion to dismiss, holding that the contracting officer’s final decisions sufficiently stated a claim in that they set forth a sum certain and a basis for such a claim.  The Board held that L-3 had enough information to understand how the government reached its claim, and its contention that this was not a valid basis for the disallowance of costs for the year in dispute went to the merits and not the sufficiency of the final decisions.

Scott v. United States, No. 17-471 (Fed. Cl. Oct. 24, 2017)

Brian X. Scott brought a pro se claim in the Court of Federal Claims seeking monetary and injunctive relief for alleged harms arising from the Air Force’s handling of his unsolicited proposal for contractual work.  Scott was an Air Force employee who submitted a proposal for countering the threat of a drone strike at the base where he was stationed.  The proposal was rejected, but Scott alleged that portions of the proposal were later partially implemented.  Scott sued, claiming that the Air Force failed properly to review his proposal and that his intellectual property was being misappropriated.
Scott argued that jurisdiction was proper under the Tucker Act because an implied-in-fact contract arose that prohibited the Air Force from using any data, concept, or idea from his proposal, which was submitted to a contracting officer with a restrictive legend consistent with FAR § 15.608.

The Court of Federal Claims (Lettow, J.) found that it had jurisdiction under the Tucker Act because an implied-in-fact contract was formed when the Air Force became obligated to follow the FAR’s regulatory constraints with regard to Scott’s proposal.  Nevertheless, the Court granted the government’s motion to dismiss because Scott’s factual allegations, even taken in the light most favorable to him, did not plausibly establish that the government acted unreasonably or failed to properly evaluate his unsolicited proposal by using concepts from the proposal where Scott’s proposal addressed a previously published agency requirement.

III. COMMERCIAL SPACE SECTOR

A. Overview of Private Space Launches and Significant Milestones

Space exploration is always fascinating—2017 and early 2018 were no exception.  Starting off in February 2017, India’s Polar Satellite Launch Vehicle launched 104 satellites, setting a record for the number of satellites launched from a single rocket.[101]  In June, NASA finally unveiled its 12 chosen candidates for its astronaut program out of a pool of over 18,000 applicants, which was a record-breaking number.[102]  A few months later, NASA’s Cassini spacecraft was intentionally plunged into Saturn, ending over a decade’s worth of service.[103]  President Donald Trump also signed Space Policy Directive 1, which instructs NASA to send astronauts back to the moon, which President Trump noted would help establish a foundation for an eventual mission to Mars.[104]

In what was widely expected to be a record year for private space launches, SpaceX and other private space companies clearly delivered.
In 2017, SpaceX, the company founded and run by Elon Musk, flew a record 18 missions utilizing the Falcon 9 rocket.[105]  Blue Origin, the company founded by Jeff Bezos, also made significant progress.  It was able to launch a new version of its New Shepard vehicle on its first flight, which Bezos hopes will lay the foundation for potential crewed missions.[106]  Then, in late December, California startup Made in Space sent a machine designed to make exotic ZBLAN optical fiber to the International Space Station.[107]  Without a doubt, 2017 played witness to many significant milestones in space exploration.

Additional milestones have already been surpassed in early 2018.  February 6, 2018 was a historic date for space technology and exploration—SpaceX’s Falcon Heavy had its maiden launch.  The Falcon Heavy can carry payloads larger than any available commercial rocket, and it has the potential to launch payloads outside of Earth’s orbit.  In fact, the Falcon Heavy did just that by launching a Tesla Roadster, driven by “Starman,” into interplanetary space.  Starman will likely continue driving its orbit for millions of years.  It is only a matter of time until Starman is replaced with astronauts and the destination becomes Mars—SpaceX plans to launch such a mission in 2024.

B. Update on Outer Space Treaty and Surrounding Debate

The Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies, otherwise known as the Outer Space Treaty, recently celebrated its 50th anniversary.  Signed in 1967 and designed to prevent a new form of colonial competition, the Treaty was lauded for its principal framework on international space law.  Indeed, shortly after the Treaty entered into force, the United States and the Soviet Union successfully collaborated on many space missions and exercises.[108]

The Treaty is not complex.
Consisting of 17 short articles, the Treaty obligates its signatories to perform space exploration “for the benefit and interest of all countries” and to not “place in orbit around the Earth any objects carrying nuclear weapons or any other kinds of weapons of mass destruction.”[109]  Having been in force for over 50 years, there have recently been discussions regarding whether the Treaty is ripe for an update.  Only as far back as half a decade ago, experts met in Australia to discuss moon-mining of anything from water and fuel to rare minerals in what was then a world’s first “Off-Earth Mining Forum.”[110]  Discussion surrounded the legality of such mining under the Treaty.  Then in 2014, NASA accepted applications from companies that desired to mine rare moon minerals in a program called “Lunar Cargo Transportation and Landing by Soft Touchdown.”[111]  This once again sparked a debate on the legality of such actions, specifically lunar property rights.

In 2017, the focus turned toward private and commercial space flight, and spurred conversation as to whether the 50-year-old treaty needed an update.  For one, the Treaty was designed, and has been entirely focused, on only individual countries.  Thus, there is an argument that the Treaty does not apply to private appropriation of celestial territory.  Second, the quaint nature of the Treaty has spawned efforts at tackling the private appropriation issues.  For instance, the United States passed the Space Act of 2015, which provides for private commercial “exploration and exploitation of space resources.”[112]  The Act has incited further debate on the various legal loopholes that inherently afflict the Treaty and its ban on countries owning celestial territory.

Meanwhile, the U.S. government has continued to find methods of regulation, specifically those involving the FAA and the Federal Communications Commission (“FCC”), among others.[113]  Now, lawmakers are purportedly discussing legislation that would provide a regulatory framework for private commercial space travel to adhere to the Treaty, as there currently does not exist a framework for the U.S. government to oversee the launch of private space stations.[114]

Moreover, Senator Ted Cruz (R-TX) has been leading the charge on updating the Treaty to address issues related to modern spaceflight, where private commercial entities are playing an ever-increasing role.[115]  In May, Senator Cruz, the chairman of the Subcommittee on Space, Science, and Competitiveness, convened a hearing to “examine U.S. government obligations under the [Treaty]” and to also “explore the Treaty’s potential impacts on expansion of our nation’s commerce and settlement in space.”[116]  Featuring a panel of legal experts and a panel of commercial space business leaders, the hearing raised a number of different viewpoints with one apparently unifying message: the Treaty should not be amended.  One of the panel members, Peter Marquez, while acknowledging that the Treaty is not perfect, expressed concern that opening up the Treaty to modifications would leave the space industry worse off, and would be a detriment to national and international security.[117]

One area of particular interest was Article VI of the Treaty, which provides that nations authorize and supervise space activities performed by non-governmental entities, such as a private commercial space company.  The CEO of Moon Express, Bob Richards, noted that while the Treaty should remain unchanged, the U.S. should adopt a streamlined regulatory procedure and process to make approvals for space activities more efficient and clear.[118]  One of the legal experts sitting on the panel, Laura Montgomery, expressed her belief that the U.S. need not further regulate new commercial space because a close reading of the Treaty would indicate that mining and other similar activities do not require such governmental approvals.[119]

While the ultimate general consensus appeared to be that no change to the Treaty was necessary to accomplish the goals of private commercial space enterprises, the hearing did bring to light the issues that currently confront modern space protocols.

C. The American Space Commerce Free Enterprise Act of 2017, Which Seeks to Overhaul U.S. Commercial Space Licensing Regime, Passes Committee but Stalls in House

On June 7, 2017, House members led by Rep. Lamar Smith (R-TX), Chairman of the U.S. House Science, Space, and Technology Committee, introduced H.R. 2809—the American Space, Commerce, and Free Enterprise Act of 2017 (“ASCFEA”).[120]  The bill, if adopted, would amend Title 51 of the United States Code to liberalize licensing requirements to conduct a variety of commercial space activities, while consolidating the licensing approval process for such activities under the authority of the U.S. Department of Commerce (“DOC”).[121]

The regulation of commercial space activities historically has been distributed among a variety of agencies—with the National Oceanic and Atmospheric Administration (“NOAA”) governing remote sensing, the FCC governing communications satellites,[122] and the FAA/AST regulating launch, reentry, and some other non-traditional activities.[123]  But with that patchwork of authority, proponents of the Act believe there exists a regulatory gap for overseeing and authorizing new and innovative space activities.[124]  A primary goal of the Act is to address this perceived uncertainty, and in so doing, resolve long-standing questions associated with the United States’ responsibility to regulate commercial space activities under the Outer Space Treaty,[125] which the bill’s text references extensively.
In its current form, the bill would grant the Office of Space Commerce (within the DOC) “the authority to issue certifications to U.S. nationals and nongovernmental entities for the operation of:  (1) specified human-made objects manufactured or assembled in outer space . . . and (2) all items carried on such objects that are intended for use in outer space.”[126]  The bill further eliminates the Commercial Remote Sensing Regulatory Affairs Office of the NOAA, and vests authority to issue permits for remote sensing systems, again, in the DOC.[127]  The bill also creates a certification process for other “commercial payloads not otherwise licensed by the government,” thereby providing fallback legislation for “non-traditional applications like satellite servicing, commercial space stations and lunar landers.”[128]  The DOC hence would occupy all the regulatory authority for commercial space activities, except for the FCC and FAA/AST’s current authority, which those agencies would maintain.[129]

The commercial space industry supports the bill, and in particular the bill’s apparent presumption in favor of regulatory approval.[130]  Industry also supports the bill’s overhaul of the regulation of remote sensing—for example, the bill requires the DOC to issue a certification decision within just 60 days (or else the application is granted),[131] provide an explanation for any rejections, and grant every application that seeks authorization for activities involving “the same or substantially similar capabilities, derived data, products, or services are already commercially available or reasonably expected to be made available in the next 3 years in the international or domestic marketplace.”[132]

Some opponents of the bill contend that the consolidation of regulatory approval will limit interagency review, which is important because the DoD, State Department, and the intelligence community currently play some regulatory role in the review of aspects of new commercial space activities that are perceived to potentially pose a threat to national security.[133]  Others contend that the Office of Space Commerce has inadequate resources and experience to handle the regulatory approvals.  The bill seeks to ameliorate these concerns by authorizing $5 million in funding for the Office in 2018.[134]  The Department of Justice also has voiced some constitutional concerns.[135]

The House referred the bill to the House Committee on Science, Space, and Technology,[136] which on June 8, 2017 passed three amendments by voice vote.[137]  Since being marked up in committee, the bill has seen no further action by the House.[138]  The DOC currently is seeking public input on possible changes to commercial space operations licensing more broadly.[139]

D. Industry and Government Regulators Call for Changes to NOAA’s Licensing of Remote Sensing Technology

ASCFEA’s effort to strip NOAA of its authority to regulate remote sensing technology coincides with a growing number of complaints from the remote sensing industry and government regulators concerning NOAA’s ability to handle an increased number of licensing applications.[140]

The Land Remote Sensing Policy Act of 1992 authorized the Secretary of Commerce to “license private sector parties to operate private remote sensing space systems.”[141]  But despite a sea change in remote sensing technology and activities since 1992, that law remains the main source of authority for remote sensing licensing, and Congress has made few modifications to the law since its inception.[142]  Given the speed of technological change, and increased industry competition, remote sensing companies are advocating for NOAA to adopt a “permissive” approach to licensing, akin to the language proposed in the ASCFEA.[143]

NOAA’s issues have been exacerbated by the fact that license applications are now more varied and complex than they were previously.[144]  Representatives from NOAA describe how prior to 2011, it took an average of 51 days to review license applications, since many applications sought permission for similar concepts for satellite systems.[145]  Even though the Land Remote Sensing Policy Act of 1992 calls for a 120-day approval window, in practice, applications now extend far longer than that—and further, NOAA sometimes provides little to no explanation about why it rejects particular applications.[146]  Under the ASCFEA, the DOC would be required to approve applications using the “same or substantially similar capabilities, derived data, products, or services as are already commercially available or reasonably expected to be made available in the next 3 years in the international or domestic marketplace.”[147]

Another complexity is that many companies develop technology that does not solely or traditionally perform remote sensing functions, but has remote sensing capabilities.[148]  The ASCFEA addresses this problem by offering exceptions for “De Minimis” uses of remote sensing technology.[150]

E. Commercial Space Policy in the Trump Era

On December 11, 2017, President Trump signed White House Space Policy Directive 1, entitled “Reinvigorating America’s Human Space Exploration Program.”[151]  As the subject suggests, the Directive’s goal is to bring a renewed focus on human space flight at a time when the United States lacks an organic capability to send American astronauts into low-Earth orbit, let alone beyond.[152]  Fittingly, President Trump signed the directive on the forty-fifth anniversary of the lunar landing of Apollo 17, with Apollo 17 astronaut Senator Harrison Schmitt present at the ceremony.[153]

According to the Directive, the United States will “[l]ead an innovative and sustainable program of exploration with commercial and international partners to enable human expansion across the solar system….”[154]  The directive calls for missions beyond low-Earth orbit, with the United States “lead[ing] the return of humans to the Moon for long-term exploration and utilization, followed by human missions to Mars and other destinations.”[155]

NASA is already working with several commercial entities to develop transportation to and from low-Earth orbit, as well as to the International Space Station.[156]  And a call for a return to the moon for use as a stepping-stone to other destinations is not new with President Trump; previous administrations have expressed a similar desire.[157]  What remains to be seen is how this “long-term exploration” will be funded, with a good indicator being what “will be reflected in NASA’s FISCAL Year 2019 budget request.”[158]  Until then, “No bucks, no Buck Rogers.”[159]

F. Updates on Space Law in Luxembourg, India, and Australia

Luxembourg Continues its Push for Commercial Space Prominence

The small country of Luxembourg, a signatory to the Outer Space Treaty,[160] has major commercial space ambitions.
In 2016, Luxembourg passed a law to set aside €200 million to fund commercial space mining activities, and also offered to help interested companies obtain private financing.[161] On July 13, 2017, following the United States’ lead,[162] Luxembourg passed a law that gives qualifying companies the right to own any space resources they extract from celestial bodies including asteroids.[163] The law further outlines a regulatory framework for “the government to authorize and supervise resource extraction and other space activities,” except for communications satellites, which a different Luxembourg agency regulates.[164] To qualify for a space mining license, companies must be centrally administered and own a registered office in Luxembourg, and also must obtain regulatory approval.[165] It is as of now unclear whether the Luxembourg law (as well as the U.S.’s analogous law) violates the Outer Space Treaty, which prohibits companies from claiming territory on celestial bodies, but does not clarify whether that prohibition extends to materials extracted from those celestial bodies.[166]

India Unveils Draft of New Commercial Space Law; Sets Satellite Launch Record

In November 2017, the India Department of Space released and sought comments for the “Space Activities Act, 2017.”[167] The stated goal of the bill is to “encourage enhanced participation of non-governmental/private sector agencies in space activities in India.”[168] The bill as currently drafted vests authority in the Indian Government to formulate a licensing scheme for any and all “Commercial Space Activity,” and states that licenses may be granted if the sought activity does not jeopardize public health or safety, and does not violate India’s international treaty obligations, such as the Outer Space Treaty, to which India is a signatory.[169]

India’s space agency also made headlines this year when it sent 104 satellites into space in 18 minutes—purportedly tripling the prior record for single-day satellite launches.[170] The New York Times reports that satellite and other orbital companies closely scrutinized the launch, since India’s space agency is cheaper to employ for satellite launches than its European and North American counterparts.[171]

Australia Announced that It Will Create a Space Agency; Details Pending

In September 2017, Australia’s Acting Minister for Industry, Innovation and Science announced that Australia will create a national space agency.[172] While details are still pending, Australia’s goal purportedly is to take advantage of the $300-$400 billion space economy, while creating Australian jobs in the process.[173]

IV.    CYBERSECURITY AND PRIVACY ISSUES IN THE NATIONAL AIRSPACE

A.    Cybersecurity Issues

The Federal Aviation Administration (FAA) has lagged behind other sectors in establishing robust cybersecurity and privacy safeguards in the national airspace, although federal policy identifies the transportation sector (which includes the aviation industry) as one of the 16 “critical infrastructure” sectors that have the ability to impact significantly the nation’s security, economy, and public health and safety.[174] The need for the FAA to establish robust safeguards is obvious, as the catastrophic impact of a cyber attack on the national airspace is not hard to imagine post-9/11. Recently, one hacker claimed he compromised the cabin-based in-flight entertainment system to control a commercial airline engine in flight.

One development of note is the reintroduction of the Cybersecurity Standards for Aircraft to Improve Resilience Act of 2017 by U.S. Senators Edward Markey and Richard Blumenthal.[175] Senator Markey first introduced legislation aimed at improving aircraft cyber security protection in April 2016, following a 2015 survey of U.S. airline CEOs to discover standard cybersecurity protocols used by the aviation industry. If signed into law, the bill would require the U.S. Department of Transportation to work with DoD, Homeland Security, the Director of National Intelligence, and the FCC to incorporate requirements relating to cybersecurity into the requirements for certification. Additionally, the bill would establish standard protections for all “entry points” to the electronic systems of aircraft operating in the U.S. This would include the use of isolation measures to separate critical software systems from noncritical software systems.

B.    UAS Privacy Concerns

UAS are equipped with highly sophisticated surveillance technology with the ability to collect personal information, including physical location. Senator Ayotte, Chair of the Subcommittee on Aviation Operations, Safety, and Security, summarized the privacy concerns drones pose as follows: “Unlimited surveillance by government or private actors is not something that our society is ready or willing or should accept. Because [drones] can significantly lower the threshold for observation, the risk of abuse and the risk of abusive surveillance increases.” We describe below several recent federal and state efforts to address this issue.

1.    State Legislation Addressing Privacy Concerns

At least five out of the twenty-one states that either passed legislation or adopted resolutions related to UAS in 2017 specifically addressed privacy concerns.[176]

Colorado HB 1070 requires the center of excellence within the department of public safety to perform a study that identifies ways to integrate UAS within local and state government functions relating to firefighting, search and rescue, accident reconstruction, crime scene documentation, emergency management, and emergencies involving significant property loss, injury or death. The study must consider privacy concerns, in addition to costs and timeliness of deployment, for each of these uses.
New Jersey SB 3370 allows UAS operation that is consistent with federal law, but also creates criminal offenses for certain UAS surveillance and privacy violations. For example, using a UAS to conduct surveillance of a correctional facility is a third degree crime. Additionally, the law also applies the operation of UAS to limitations within restraining orders and specifies that convictions under the law are separate from other convictions such as harassment, stalking, and invasion of privacy.

South Dakota SB 22 also prohibits operation of drones over the grounds of correctional and military facilities, making such operation a class 1 misdemeanor. Further, the law modifies the crime of unlawful surveillance to include intentional use of a drone to observe, photograph or record someone in a private place with a reasonable expectation of privacy, and landing a drone on the property of an individual without that person’s consent. Such purportedly unlawful surveillance is a class 1 misdemeanor unless the individual is operating the drone for commercial or agricultural purposes, or the individual is acting within his or her capacity as an emergency management worker.

Utah HB 217 modifies criminal trespass to include drones entering and remaining unlawfully over property with specified intent. Depending on the intent, a violation is either a class B misdemeanor, a class A misdemeanor, or an infraction, unless the person is operating a UAS for legitimate commercial or educational purposes consistent with FAA regulations. Utah HB 217 also modifies the offense of voyeurism, a class B misdemeanor, to include the use of any type of technology, including UAS, to secretly record video of a person in certain instances.

Virginia HB 2350 makes it a Class 1 misdemeanor to use UAS to trespass upon the property of another for the purpose of secretly or furtively peeping, spying, or attempting to peep or spy into a dwelling or occupied building located on such property.

2.    UAS Identification and Tracking Report

The FAA chartered an Aviation Rulemaking Committee (“ARC”) in June 2017 to provide recommendations on the technologies available for remote identification and tracking of UAS, and how remote identification may be implemented.[177] However, the ARC’s 213-page final report, dated September 30, 2017, notes that the ARC lacked sufficient time to fully address privacy and data protection concerns, and that therefore those topics were not addressed:

[T]he ARC also lacks sufficient time to perform an exhaustive analysis of all the privacy implications of remote ID, tracking, or UTM, and did not specifically engage with privacy experts, from industry or otherwise, during this ARC. These members agree, however, that it is fundamentally important that privacy be fully considered and that appropriate privacy protections are in place before data collection and sharing by any party (either through remote ID and/or UTM) is required for operations. A non-exhaustive list of important privacy considerations include, amongst other issues, any data collection, retention, sharing, use and access. Privacy must be considered with regard to both PII and historical tracking information. The privacy of all individuals (including operators and customers) should be addressed, and privacy should be a consideration during the rulemaking for remote ID and tracking.

Accordingly, the ARC recognizes the fundamental importance of fully addressing privacy and data protection concerns, and we anticipate that future rulemaking will address these issues.

IV.    CONCLUSION

We will continue to keep you informed on these and other related issues as they develop.

[1] See Huerta, No. 3:16-cv-358, Dkt. No. 30. [2] Id. [3] Id. [4] See Boggs, No. 3:16-cv-00006, Dkt. No. 1 (W.D. Ky. Jan. 4, 2016). [5] See id. [6] See Boggs, No. 3:16-cv-00006, Dkt. No. 20 (W.D. Ky. Jan. 4, 2016). [7] See id. [8] See Singer, No. 1:17-cv-10071, Dkt. No. 63 (D. Mass. Jan. 17, 2017). 
[9] See id. [10] See id. [11] See id. [12] See id. [13] See Taylor v. Huerta, 856 F.3d 1089 (D.C. Cir. 2017). [14] See Pub. L. No. 112–95, § 336(a), 126 Stat. 11, 77 (2012) (codified at 49 U.S.C. § 40101 note). [15] See Taylor, 856 F.3d at 1090. [16] See Pub. L. No. 115–91, § 3 1092(d), (2017). [17] The White House, Office of the Press Secretary, Presidential Memorandum:  Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems, Feb. 15, 2015, available at https://obamawhitehouse.archives.gov/the-press-office/2015/02/15/presidential-memorandum-promoting-economic-competitiveness-while-safegua. [18] Operation and Certification of Small Unmanned Aircraft Systems, 81 Fed. Reg. 42064 (June 28, 2016). [19] Electronic Privacy Information Center (“EPIC”), EPIC v. FAA: Challenging the FAA’s Failure to Establish Drone Privacy Rules, https://epic.org/privacy/litigation/apa/faa/drones/ (last visited Jan. 18, 2018). [20] See generally Electronic Privacy Information Center v. FAA (EPIC I), 821 F.3d 39, 41-42 (D.C. Cir. 2016) (noting that FAA denied EPIC’s petition for rulemaking requesting that the FAA consider privacy concerns). [21] Voluntary Best Practices for UAS Privacy, Transparency, and Accountability, NTIA-Convened Multistakeholder Process (May 18, 2016), https://www.ntia.doc.gov/files/ntia/publications/uas_privacy_best_practices_6-21-16.pdf. [22] EPIC, supra, note xix. [23] EPIC I, supra, note xx, at 41. [24] Id. 41-42. [25] Id. [26] Id. [27] Id. at 42-43. [28] Id. at 42. [29] Id. at 43. [30] Pet. For Review, Electronic Privacy Information Center v. FAA (EPIC II), Nos. 16-1297, 16-1302 (Filed Aug. 22, 2016), https://epic.org/privacy/litigation/apa/faa/drones/EPIC-Petition-08222016.pdf. [31] Appellant Opening Br., EPIC II, Nos. 16-1297, 16-1302 (Filed Feb. 28, 2017), https://epic.org/privacy/litigation/apa/faa/drones/1663292-EPIC-Brief.pdf. [32] Appellee Reply Br., EPIC II, Nos. 
16-1297, 16-1302 (Filed April 27, 2017), https://epic.org/privacy/litigation/apa/faa/drones/1673002-FAA-Reply-Brief.pdf. [33] United States Court of Appeals District of Columbia Circuit, Oral Argument Calendar, https://www.cadc.uscourts.gov/internet/sixtyday.nsf/fullcalendar?OpenView&count=1000 (last visited Jan. 18, 2018). [34] United States Department of Defense, Unmanned Systems Integrated Roadmap (2013), https://www.defense.gov/Portals/1/Documents/pubs/DOD-USRM-2013.pdf. [35] Andrew Meola, Drone Market Shows Positive Outlook with Strong Industry Growth and Trends, Business Insider, July 13, 2017, available at http://www.businessinsider.com/drone-industry-analysis-market-trends-growth-forecasts-2017-7. [36] Office of the Under Secretary of Defense, U.S. Department of Defense Fiscal Year 2017 Budget Request (Feb. 2016). [37] Office of the Under Secretary of Defense, U.S. Department of Defense Fiscal Year 2018 Budget Request (May 2017). [38] Goldman Sachs, Drones: Reporting for Work, http://www.goldmansachs.com/our-thinking/technology-driving-innovation/drones/ (last visited Jan. 18, 2017). [39] Id. [40] Chris Woods, The Story of America’s Very First Drone Strike, The Atlantic, May 30, 2016, available at https://www.theatlantic.com/international/archive/2015/05/america-first-drone-strike-afghanistan/394463/. [41] Deputy Secretary of Defense, Policy Memorandum 15-002, “Guidance for the Domestic Use of Unmanned Aircraft Systems” (Feb. 17, 2015), https://www.defense.gov/Portals/1/Documents/Policy%20Memorandum%2015-002%20_Guidance%20for%20the%20Domestic%20Use%20of%20Unmanned%20Aircraft%20Systems_.pdf. [42] Id. [43] Id. [44] Id. [45] Id. [47] Id. [48] Eric Schmitt, Pentagon Tests Lasers and Nets to Combat Vexing Foe: ISIS Drones, N.Y. Times, Sept. 23, 2017, available at https://www.nytimes.com/2017/09/23/world/middleeast/isis-drones-pentagon-experiments.html. [49] Id. 
[50] Christopher Woody, The Pentagon is Getting Better at Stopping Enemy Drones—and Testing Its Own for Delivering Gear to the Battlefield, Business Insider, Apr. 24, 2017, available at https://www.businessinsider.com/military-adding-drones-and-drone-defense-to-its-arensal-2017-4. [51] Id. [52] Radio Hill Technology, Birth of the Dronebuster, http://www.radiohill.com/product/ (last visited Jan. 18, 2018). [53] Id. [54] Kyle Mizokami, The Army’s Drone-Killing Lasers are Getting a Tenfold Power Boost, Popular Mechanics, July 18, 2017, available at http://www.popularmechanics.com/military/research/news/a27381/us-army-drone-killing-laser-power/. [55] Sydney J. Freedberg Jr., Drone Killing Laser Stars in Army Field Test, Breaking Defense, May 11, 2017, available at https://breakingdefense.com/2017/05/drone-killing-laser-stars-in-army-field-test/. [56] Mizokami, supra, note lv. [57] ASSURE, UAS Ground Collision Severity Evaluation Final Report, United States (2017), available at http://www.assureuas.org/projects/deliverables/sUASGroundCollisionReport.php?Code=230 (ASSURE Study). [58] Id. [59] Id. [60] Id. [61] DJI, DJI Welcomes FAA-Commissioned Report Analyzing Drone Safety Near People, Newsroom News, Apr. 28, 2017, available at https://www.dji.com/newsroom/news/dji-welcomes-faa-commissioned-report-analyzing-drone-safety-near-people. [62] Id. [63] Id. [64] ASSURE Study, supra note lviii. [65] Id. [66] Id. [67] Id. [68] Id. [69] ASSURE, FAA and Assure Announce Results of Air-to-Air Collision Study, ASSURE: Alliance for System Safety of UAS through Research Excellence, Nov. 27, 2017, available at https://pr.cirlot.com/faa-and-assure-announce-results-of-air-to-air-collision-study/. [70] Id. [71] ASSURE Study, supra note lviii. [72] Id. [73] Id. [74] Id. [75] See Pathiyil, et al., Issues of Safety and Risk management for Unmanned Aircraft Operations in Urban Airspace, 2017 Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), Oct. 
3, 2017, available at http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8101671. [76] Id. [77] Id. [78] Id. [79] Id. [80] Patrick C. Miller, 2,800 Interested Parties Apply for UAS Integration Pilot Program, UAS Magazine, Jan. 3, 2018, available at http://www.uasmagazine.com/articles/1801/2-800-interested-parties-apply-for-uas-integration-pilot-program. [81] Unmanned Aircraft Systems Integration Pilot Program, 82 Fed. Reg. 50,301 (Oct. 25, 2017) (Presidential directive creating the program); see also Unmanned Aircraft Systems Integration Pilot Program—Announcement of Establishment of Program and Request for Applications, 82 Fed. Reg. 215 (Nov. 8, 2017) (Department of Transportation Notice of the UAS Pilot Program). [82] See id. [83] See id. [84] Elaine Goodman, Blood Deliveries by Drone Proposed—City Submits Unique Ideas to FAA, Daily Post, Jan. 5, 2018, available at http://padailypost.com/2018/01/05/blood-deliveries-by-drone-proposed-city-submits-unique-ideas-to-faa/. [85] Id. [86] Id. [87] Id. [88] Id. [89] Miller, supra note lxxxi. [90] Id. [91] Id. [92] Id. [93] Id. [101]   NASA Spaceflight, India’s PSLV deploys a record 104 satellites (Feb. 14, 2017), available at https://www.nasaspaceflight.com/2017/02/indias-pslv-record-104-satellites/. [102]   NASA, NASA’s Newest Astronaut Recruits to Conduct Research off the Earth, For the Earth and Deep Space Missions (June 7, 2017), available at https://www.nasa.gov/press-release/nasa-s-newest-astronaut-recruits-to-conduct-research-off-the-earth-for-the-earth-and. [103]   NASA, Cassini Spacecraft Ends Its Historic Exploration of Saturn (Sept. 15, 2017), available at https://www.nasa.gov/press-release/nasa-s-cassini-spacecraft-ends-its-historic-exploration-of-saturn. [104]   NASA, New Space Policy Directive Calls for Human Expansion Across Solar System (Dec. 11, 2017), available at https://www.nasa.gov/press-release/new-space-policy-directive-calls-for-human-expansion-across-solar-system. 
[105]   TechCrunch, SpaceX caps a record year with 18th successful launch of 2017 (Dec. 22, 2017), available at https://techcrunch.com/2017/12/22/spacex-caps-a-record-year-with-18th-successful-launch-of-2017/. [106]   The Verge, After a year away from test flights, Blue Origin launches and lands its rocket again (Dec. 12, 2017), available at https://www.theverge.com/2017/12/12/16759934/blue-origin-new-shepard-test-flight-launch-landing. [107]   Space.com, SpaceX Launches (and Lands) Used Rocket on Historic NASA Cargo Mission (Dec. 15, 2017), available at https://www.space.com/39063-spacex-launches-used-rocket-dragon-spacecraft-for-nasa.html. [108]   U.S. Department of State, Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies, available at https://www.state.gov/t/isn/5181.htm#treaty. [109] NTI, Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies (Outer Space Treaty) (Feb. 1, 2017), available at http://www.nti.org/learn/treaties-and-regimes/treaty-principles-governing-activities-states-exploration-and-use-outer-space-including-moon-and-other-celestial-bodies-outer-space-treaty/. [110] PHYS.ORG, Space likely for rare earth search, scientists say (Feb. 20, 2013), available at https://phys.org/news/2013-02-space-rare-earths-scientists.html. [111]   NASA, Lunar CATALYST (Jan. 16, 2014), available at https://www.nasa.gov/content/lunar-catalyst/#.WmLx1qinGHs. [112]   The Conversation, The Outer Space Treaty has been remarkably successful – but is it fit for the modern age? (Jan. 27, 2017), available at http://theconversation.com/the-outer-space-treaty-has-been-remarkably-successful-but-is-it-fit-for-the-modern-age-71381. [113]   The Verge, How an international treaty signed 50 years ago became the backbone for space law (Jan. 
27, 2017), available at https://www.theverge.com/2017/1/27/14398492/outer-space-treaty-50-anniversary-exploration-guidelines. [114]   Id. [115]   The Space Review, Is it time to update the Outer Space Treaty? (June 5, 2017), available at http://www.thespacereview.com/article/3256/1. [116]   U.S. Senate, Reopening the American Frontier:  Exploring How the Outer Space Treaty Will Impact American Commerce and Settlement in Space (May 23, 2017), available at https://www.commerce.senate.gov/public/index.cfm/hearings?ID=5A91CD95-CDA5-46F2-8E18-2D2DFCAE4355. [117]   The Space Review, supra note cxvi. [118]   Id. [119]   Id. [120] H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809.  The other primary sponsors of the bill are Brian Babin (R-TX), chairman of the space subcommittee; and Rep. Jim Bridenstine (R-OK). [121] Sandy Mazza, Space exploration regulations need overhaul, new report says, Daily Breeze (Dec. 2, 2017), https://www.dailybreeze.com/2017/12/02/space-exploration-regulations-need-overhaul-new-report-says/.  The Act’s stated purpose is to “provide greater transparency, greater efficiency, and less administrative burden for nongovernmental entities of the United States seeking to conduct space activities.”  H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809 (Section 2(c)). [122] Jeff Foust, House bill seeks to streamline oversight of commercial space activities, Space News (June 8, 2017), http://spacenews.com/house-bill-seeks-to-streamline-oversight-of-commercial-space-activities/. [123] Marcia Smith, New Commercial Space Bill Clears House Committee, Space Policy Online (June 8, 2017), https://spacepolicyonline.com/news/new-commercial-space-bill-clears-house-committee/. [124] Under the Obama administration, many in government and industry presumed that the regulation of new space activities would fall to FAA/AST.  
See Marcia Smith, New Commercial Space Bill Clears House Committee, Space Policy Online (June 8, 2017), https://spacepolicyonline.com/news/new-commercial-space-bill-clears-house-committee/ (In fact, the agency heads of the FAA/AST, and the Office of Science and Technology Policy, recommended the same). [125] Marcia Smith, Companies Agree FAA Best Agency to Regulate Non-Traditional Space Activities, Space Policy Online (Nov. 15, 2017), https://spacepolicyonline.com/news/companies-agree-faa-best-agency-to-regulate-non-traditional-space-activities/. [126] H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809. [127] Id. [128] Jeff Foust, House bill seeks to streamline oversight of commercial space activities, Space News (June 8, 2017), http://spacenews.com/house-bill-seeks-to-streamline-oversight-of-commercial-space-activities/. [129] Marcia Smith, New Commercial Space Bill Clears House Committee, Space Policy Online (June 8, 2017), https://spacepolicyonline.com/news/new-commercial-space-bill-clears-house-committee/. [130] Marcia Smith, New Commercial Space Bill Clears House Committee, Space Policy Online (June 8, 2017), https://spacepolicyonline.com/news/new-commercial-space-bill-clears-house-committee/; Marcia Smith, Companies Agree FAA Best Agency to Regulate Non-Traditional Space Activities, Space Policy Online (Nov. 15, 2017), https://spacepolicyonline.com/news/companies-agree-faa-best-agency-to-regulate-non-traditional-space-activities/.  The bill, for example, requires the Secretary of Commerce to issue certifications or permits for commercial space activities, unless, for example, the Secretary finds by “clear and convincing evidence” that the permit would violate the Outer Space Treaty.  Bob Zimmerman, What You Need To Know About The Space Law Congress Is Considering, The Federalist (July 11, 2017), http://thefederalist.com/2017/07/11/need-know-space-law-congress-considering/.  
Indeed, the policy section of the bill finds that “United States citizens and entities are free to explore and use space, including the utilization of outer space and resources contained therein, without conditions or limitations” and “this freedom is only to be limited when necessary to assure United States national security interests are met” or fulfill treaty obligations.  H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809. [131] Jeff Foust, House bill seeks to streamline oversight of commercial space activities, Space News (June 8, 2017), http://spacenews.com/house-bill-seeks-to-streamline-oversight-of-commercial-space-activities/. [132] Joshua Hampson, The American Space Commerce Free Enterprise Act, Niskanen Center (June 15, 2017), https://niskanencenter.org/blog/american-space-commerce-free-enterprise-act/. [133] Jeff Foust, House bill seeks to streamline oversight of commercial space activities, Space News (June 8, 2017), http://spacenews.com/house-bill-seeks-to-streamline-oversight-of-commercial-space-activities/. [134] Jeff Foust, House bill seeks to streamline oversight of commercial space activities, Space News (June 8, 2017), http://spacenews.com/house-bill-seeks-to-streamline-oversight-of-commercial-space-activities/; Congressional Budget Office Cost Estimate, Congressional Budget Office (July 7, 2017), https://www.cbo.gov/system/files/115th-congress-2017-2018/costestimate/hr2809.pdf. [135] Samuel R. Ramer, Letter from the Office of the Assistant Attorney General, Justice Department (July 17, 2017), https://www.justice.gov/ola/page/file/995646/download. [136] H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809/all-actions. [137] Marcia Smith, New Commercial Space Bill Clears House Committee, Space Policy Online (June 8, 2017), https://spacepolicyonline.com/news/new-commercial-space-bill-clears-house-committee/. 
[138] Jeffrey Hill, Congressman Babin Hints that Cybersecurity Could be Included in Larger Commercial Space Legislative Package, Satellite Today (Nov. 7, 2017), http://www.satellitetoday.com/government/2017/11/07/cybersecurity-featured-space-commerce-act/. [139] Commerce Department Now Accepting Public Inputs on Regulatory Streamlining, Space Commerce (Oct. 27, 2017), http://www.space.commerce.gov/commerce-department-now-accepting-public-inputs-on-regulatory-streamlining/; Sandy Mazza, Space exploration regulations need overhaul, new report says, Daily Breeze (Dec. 2, 2017), https://www.dailybreeze.com/2017/12/02/space-exploration-regulations-need-overhaul-new-report-says/. [140] Sean Kelly, The new national security strategy prioritizes space, The Hill (Jan. 3, 2018), http://thehill.com/opinion/national-security/367240-the-new-national-security-strategy-prioritizes-space; Jeff Foust, House panel criticizes commercial remote sensing licensing, Space News (Sept. 8, 2016), http://spacenews.com/house-panel-criticizes-commercial-remote-sensing-licensing/.  Critics argue that the NOAA’s approval pace is harming U.S. companies to the benefit of foreign competitors. Randy Showstack, Remote Sensing Regulations Come Under Congressional Scrutiny, EOS (Sept. 14, 2016), https://eos.org/articles/remote-sensing-regulations-come-under-congressional-scrutiny. [141] H.R. Rep No. 6133 (1992), available at https://www.congress.gov/bill/102nd-congress/house-bill/6133. [142] Randy Showstack, Remote Sensing Regulations Come Under Congressional Scrutiny, EOS (Sept. 14, 2016), https://eos.org/articles/remote-sensing-regulations-come-under-congressional-scrutiny.  Indeed, the Commercial Space Launch Competitiveness Act, signed into law in November 2016, requires the Department of Commerce to analyze possible statutory updates to the remote sensing licensing scheme.  Jeff Foust, House panel criticizes commercial remote sensing licensing, Space News (Sept. 
8, 2016), http://spacenews.com/house-panel-criticizes-commercial-remote-sensing-licensing/.  The text of the ASCFEA also recognizes that since “the passage of the Land Remote Sensing Policy Act of 1992, the National Oceanic and Atmospheric Administration’s Office of Commercial Remote Sensing has experienced a significant increase in applications for private remote sensing space system licenses . . .”  H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809. [143] Joshua Hampson, The American Space Commerce Free Enterprise Act, Niskanen Center (June 15, 2017), https://niskanencenter.org/blog/american-space-commerce-free-enterprise-act/.  The ASCFEA defines a Space-Based Remote Sensing System as “a space object in Earth orbit that is “(A) designed to image the Earth; or (B) capable of imaging a space object in Earth orbit operated by the Federal Government.”  H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809. [144] Jeff Foust, Commercial remote sensing companies seek streamlined regulations, Space News (Mar. 17, 2017), http://spacenews.com/commercial-remote-sensing-companies-seek-streamlined-regulations/. [145] Id. [146] Jeff Foust, House panel criticizes commercial remote sensing licensing, Space News (Sept. 8, 2016), http://spacenews.com/house-panel-criticizes-commercial-remote-sensing-licensing/. [147] H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809 (Chapter 8012 § 80202(e)(1)). [148] Jeff Foust, Commercial remote sensing companies seek streamlined regulations, Space News (Mar. 17, 2017), http://spacenews.com/commercial-remote-sensing-companies-seek-streamlined-regulations/. [150] H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809 (Chapter 802 § 80201(d)). [151] Reinvigorating America’s Human Space Exploration Program, 82 Fed. Reg. 59501 (Dec. 
11, 2017) [152] Nell Greenfieldboyce, President Trump Is Sending NASA Back to the Moon (Dec. 11, 2017) available at https://www.npr.org/sections/thetwo-way/2017/12/11/569936446/president-trump-is-sending-nasa-back-to-the-moon. [153] See Press Release, NASA, New Space Policy Directive Calls for Human Expansion Across Solar System (Dec. 11, 2017); see also NASA, https://www.nasa.gov/mission_pages/apollo/missions/apollo17.html (last visited Jan. 21, 2018). [154] Reinvigorating America’s Human Space Exploration Program, supra note clii. [155] Id. [156] NASA, Commercial Crew Program – The Essentials, available at https://www.nasa.gov/content/commercial-crew-program-the-essentials/#.VjOJ3berRaT. [157] Michael Sheetz, Trump Orders NASA to Send American Astronauts to the Moon, Mars, CNBC (Dec. 11, 2017) available at https://www.cnbc.com/2017/12/11/trump-orders-nasa-to-send-american-astronauts-to-the-moon-mars.html. [158] See New Space Policy Directive Calls for Human Expansion Across Solar System, supra note cv; see also Christian Davenport, Trump Vows Americans Will Return to the Moon.  The Question Is How?, (Dec. 11, 2017) available at https://www.washingtonpost.com/news/the-switch/wp/2017/12/11/trump-vows-americans-will-return-to-the-moon-the-question-is-how/?utm_term=.4ceb20131cdf. [159] The Right Stuff (The Ladd Company 1983). [160] Laurent Thailly and Fiona Schneider, Luxembourg set to become Europe’s commercial space exploration hub with new Space law, Ogier (Jan. 8, 2017), https://www.ogier.com/news/the-luxembourg-space-law. [161] Reuters Staff, Luxembourg sets aside 200 million euros to fund space mining ventures, Reuters (June 3, 2016), https://www.reuters.com/article/us-luxembourg-space-mining/luxembourg-sets-aside-200-million-euros-to-fund-space-mining-ventures-idUSKCN0YP22H; Laurent Thailly and Fiona Schneider, Luxembourg set to become Europe’s commercial space exploration hub with new Space law, Ogier (Jan. 
8, 2017), https://www.ogier.com/news/the-luxembourg-space-law.  Luxembourg invested €23 million in U.S. company Planetary Resources, and now owns a 10% share in the company.  Kenneth Chang, If no one owns the moon, can anyone make money up there?, The Independent (Dec. 4, 2017), http://www.independent.co.uk/news/long_reads/if-no-one-owns-the-moon-can-anyone-make-money-up-there-space-astronomy-a8087126.html. [162] In 2015, the U.S. passed the Commercial Space Launch Competitiveness Act, which clarified that companies that extract materials from celestial bodies can own those materials.  Andrew Silver, Luxembourg passes first EU space mining law. One can possess the Spice, The Register (July 14, 2017), https://www.theregister.co.uk/2017/07/14/luxembourg_passes_space_mining_law/. [163] Jeff Foust, Luxembourg adopts space resources law, Space News (July 17, 2017), http://spacenews.com/luxembourg-adopts-space-resources-law/. [164] Jeff Foust, Luxembourg adopts space resources law, Space News (July 17, 2017), http://spacenews.com/luxembourg-adopts-space-resources-law;  Paul Zenners, Press Release, Space Resources (July 13, 2017), http://www.spaceresources.public.lu/content/dam/spaceresources/press-release/2017/2017_07_13%20PressRelease_Law_Space_Resources_EN.pdf. [165] Laurent Thailly and Fiona Schneider, Luxembourg set to become Europe’s commercial space exploration hub with new Space law, Ogier (Jan. 8, 2017), https://www.ogier.com/news/the-luxembourg-space-law.  Reportedly, two American companies already plan to move to Luxembourg:  Deep Space Industries and Planetary Resources. Vasudevan Mukunth, Fiat Luxembourg: How a Tiny European Nation is Leading the Evolution of Space Law, The Wire (July 15, 2017), https://thewire.in/157687/luxembourg-space-asteroid-mining-dsi/. [166] Andrew Silver, Luxembourg passes first EU space mining law. 
One can possess the Spice, The Register (July 14, 2017), https://www.theregister.co.uk/2017/07/14/luxembourg_passes_space_mining_law/;  Mark Kaufman, Luxembourg’s Asteroid Mining is Legal Says Space Law Expert, inverse.com (Aug. 1, 2017), https://www.inverse.com/article/34935-luxembourg-s-asteroid-mining-is-legal-says-space-law-expert. [167] Antariksh Bhavan, Seeking comments on Draft “Space Activities Bill, 2017” from the stake holders/public-regarding, ISRO (Nov. 21, 2017), https://www.isro.gov.in/update/21-nov-2017/seeking-comments-draft-space-activities-bill-2017-stake-holders-public-regarding;  Special Correspondent, Govt. unveils draft of law to regulate space sector, The Hindu (Nov. 22, 2017), http://www.thehindu.com/sci-tech/science/govt-unveils-draft-of-law-to-regulate-space-sector/article20629386.ece;  Raghu Krishnan & T E Narasimhan, Draft space law gives private firms a grip on rocket, satellite making, Business Standard (Nov. 22, 2017), http://www.business-standard.com/article/economy-policy/draft-space-law-gives-private-firms-a-grip-on-rocket-satellite-making-117112101234_1.html. [168] Antariksh Bhavan, Seeking comments on Draft “Space Activities Bill, 2017” from the stake holders/public-regarding, ISRO (Nov. 21, 2017), https://www.isro.gov.in/update/21-nov-2017/seeking-comments-draft-space-activities-bill-2017-stake-holders-public-regarding. [169] Id. [170] Ellen Barry, India Launches 104 Satellites From a Single Rocket, Ramping Up a Space Race, The New York Times (Feb. 15, 2017), https://www.nytimes.com/2017/02/15/world/asia/india-satellites-rocket.html. [171] Id. [172] Yes, Australia will have a space agency. What does this mean? Experts respond, The Conversation (Sept. 25, 2017), http://theconversation.com/yes-australia-will-have-a-space-agency-what-does-this-mean-experts-respond-84588;  Jordan Chong, Better late than never, Australia heads (back) to space, Australian Aviation (Dec. 
29, 2017), http://australianaviation.com.au/2017/12/better-late-than-never-australia-heads-back-to-space/. [173] Andrew Griffin, Australia launches brand new space agency in attempt to flee the Earth, The Independent (Sept. 25, 2017), http://www.independent.co.uk/news/science/australia-space-agency-nasa-earth-roscosmos-malcolm-turnbull-economy-a7966751.html;  Henry Belot, Australian space agency to employ thousands and tap $420b industry, Government says, ABC (Sept. 25, 2017), http://www.abc.net.au/news/2017-09-25/government-to-establish-national-space-agency/8980268. [174]   White House, Critical Infrastructure Security and Resilience, Presidential Policy Directive/PPD-21 (Feb. 12, 2013). [175]   Woodrow Bellamy III, Senators Reintroduce Aircraft Cyber Security Legislation, Aviation Today (Mar. 24, 2017), http://www.aviationtoday.com/2017/03/24/senators-reintroduce-aircraft-cyber-security-legislation/. [176]   The eighteen states that passed UAS legislation in 2017 were Colorado, Connecticut, Florida, Georgia, Indiana, Kentucky, Louisiana, Minnesota, Montana, Nevada, New Jersey, North Carolina, Oregon, South Dakota, Texas, Utah, Virginia and Wyoming. The three states that passed resolutions related to UAS were Alaska, North Dakota and Utah. [177]   Under Section 2202 of the FAA Extension, Safety, and Security Act of 2016, Pub. L. 114-190, Congress directed the FAA to convene industry stakeholders to facilitate the development of consensus standards for identifying operators and UAS owners.  
The final report identifies the following as the ARC’s stated objectives: The stated objectives of the ARC charter were: to identify, categorize and recommend available and emerging technology for the remote identification and tracking of UAS; to identify the requirements for meeting the security and public safety needs of the law enforcement, homeland defense, and national security communities for the remote identification and tracking of UAS; and to evaluate the feasibility and affordability of available technical solutions, and determine how well those technologies address the needs of the law enforcement and air traffic control communities. The final ARC report is available at: https://www.faa.gov/regulations_policies/rulemaking/committees/documents/media/UAS%20ID%20ARC%20Final%20Report%20with%20Appendices.pdf. Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding the issues discussed above. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the Aerospace and Related Technologies industry group, or any of the following: Washington, D.C. Karen L. Manos – Co-Chair (+1 202-955-8536, kmanos@gibsondunn.com) Lindsay M. Paulin (+1 202-887-3701, lpaulin@gibsondunn.com) Erin N. Rankin (+1 202-955-8246, erankin@gibsondunn.com) Christopher T. Timura (+1 202-887-3690, ctimura@gibsondunn.com) Justin P. Accomando (+1 202-887-3796, jaccomando@gibsondunn.com) Brian M. Lipshutz (+1 202-887-3514, blipshutz@gibsondunn.com) Melinda R. Biancuzzo (+1 202-887-3724, mbiancuzzo@gibsondunn.com) New York David M. Wilf – Co-Chair (+1 212-351-4027, dwilf@gibsondunn.com) Alexander H. Southwell (+1 212-351-3981, asouthwell@gibsondunn.com) Nicolas H.R. Dumont (+1 212-351-3837, ndumont@gibsondunn.com) Eun Sung Lim (+1 212-351-2483, elim@gibsondunn.com) Los Angeles William J. Peters – Co-Chair (+1 213-229-7515, wpeters@gibsondunn.com) David A. Battaglia (+1 213-229-7380, dbattaglia@gibsondunn.com) Perlette M. 
Jura (+1 213-229-7121, pjura@gibsondunn.com) Eric D. Vandevelde (+1 213-229-7186, evandevelde@gibsondunn.com) Matthew B. Dubeck (+1 213-229-7622, mdubeck@gibsondunn.com) Lauren M. Fischer (+1 213-229-7983, lfischer@gibsondunn.com) Dhananjay S. Manthripragada (+1 213-229-7366, dmanthripragada@gibsondunn.com) James A. Santiago (+1 213-229-7929, jsantiago@gibsondunn.com) Denver Jared Greenberg (+1 303-298-5707, jgreenberg@gibsondunn.com) London Mitri J. Najjar (+44 (0)20 7071 4262, mnajjar@gibsondunn.com) Orange County Casper J. Yen (+1 949-451-4105, cyen@gibsondunn.com) Rustin K. Mangum (+1 949-451-4069, rmangum@gibsondunn.com) Sydney Sherman (+1 949-451-3804, ssherman@gibsondunn.com) Paris Ahmed Baladi (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com) San Francisco Kristin A. Linsley (+1 415-393-8395, klinsley@gibsondunn.com) Matthew Reagan (+1 415-393-8314, mreagan@gibsondunn.com) © 2018 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

March 7, 2017 |
Analysis of March 6, 2017 Executive Order on Immigration

Gibson Dunn previously issued several client alerts regarding President Trump’s January 27, 2017, Executive Order restricting entry into the United States for individuals from certain nations and making other immigration-related policy changes. This client alert addresses the replacement Executive Order entitled "Protecting the Nation from Foreign Terrorist Entry into the United States," signed on March 6, 2017.[1]  It also addresses a recent announcement suspending expedited processing of H-1B visas. I.          Overview of March 6, 2017 Replacement Executive Order The new order is in some regards narrower than the prior order, and its scope appears to be more clearly defined.  However, there is still some ambiguity as to the process for obtaining waivers, and the order continues to provide for the possible extension or expansion of the travel ban.  The order and the accompanying official statements also include considerably more material seeking to justify the provisions than contained in the prior order.[2] The Department of Homeland Security has released detailed Q&As[3] and a fact sheet regarding the new order;[4] additional guidance from the Department of State is expected.[5]  Key features of the new order include: Effective Date.  The effective date of the order is deferred for 10 days; the order goes into effect at 12:01 am ET on March 16, 2017.  Sec. 14. Status of Prior Order.  The new order fully rescinds and replaces the January 27 order.  Sec. 13. Travel Ban For 6 Countries.  Like the prior order, the new order suspends for 90 days entry for nationals of a number of Muslim-majority countries: Iran, Libya, Somalia, Sudan, Syria, and Yemen.  Sec. 1(e). Exclusions and Exceptions to Travel Ban.  The travel ban and related provisions have been narrowed and clarified in various respects: Iraq.  Iraq is no longer identified among the affected countries.  The other six nations designated in the original order are still covered.  
However, the order specifically calls for additional review when an Iraqi national who holds a visa applies for "admission," meaning upon arrival to the U.S.  Secs. 1(g), 4.   Lawful Permanent Residents.  Lawful permanent residents (green-card holders) are explicitly excluded from the order.  Sec. 3(b)(i). Current Visa Holders.  Existing visas are not revoked by the order, and they can be used during the 90-day period otherwise covered by the order by the visa-holders under their existing terms, regardless of whether the visa-holder has previously been to the United States or is arriving for the first time.  Those who had a visa physically marked as cancelled as a result of the January order are also entitled to admission.  Secs. 3(a), 12(c)-(d); Q&As 3, 5, 7. Dual-Citizens.  Dual citizens of one of the designated nations are also explicitly excluded from the order provided that they are travelling on a passport of a country other than the six designated.  For example, a dual-citizen of Somalia and the United Kingdom would still be eligible for admission to the United States if travelling on his U.K. passport.  Sec. 3(b)(iv). Refugees, Asylees, and Convention Against Torture.  Foreign nationals who are granted asylum status prior to the March 16 effective date, refugees already admitted, and those granted withholding of removal, advance parole, or protection under the Convention Against Torture are not barred from entry into the U.S. Sec. 3(b)(vi).  Note, however, that under existing law, individuals with those statuses may need certain advance permission or authorization if they wish to leave and return to the United States without jeopardizing that status. Certain Diplomatic and Related Visas.  As in the January order, diplomatic and diplomatic-type visas, NATO visas, C-2 (United Nations) visas, and G-1 through G-4 visas are excluded from the order.  Sec. 3(b)(v). Travel Ban Waivers.
The new order provides authority to certain Department of State and Homeland Security officials to grant waivers to the travel ban’s limitations on a case-by-case basis.  The new order identifies nine scenarios in which such treatment "could be appropriate."  These include a variety of hardship scenarios which arose under the January order, such as those needing urgent medical care or those who can document that they have "provided faithful and valuable service" to the United States government (e.g. foreign translators).  Sec. 3(c).  Importantly, these are still case-by-case waivers, not automatic exemptions.  It is also not yet clear if individuals seeking waivers will be allowed to board flights to the U.S. Suspension of Visa Interview Waiver Program.  As before, the Visa Interview Waiver program (often used by repeat business travelers from certain nations) is suspended.  Sec. 9. Suspension of Refugee Admission Program.  As in the January order, the Refugee Admission Program is suspended for 120 days, with a cap of 50,000 entrants for the current fiscal year upon resumption.  Sec. 6.  Unlike the January order, the new order does not indefinitely halt refugee admissions from Syria or prioritize religious minorities upon resumption.  The treatment of those already granted refugee status but not yet in the United States is somewhat unclear.  The DHS Q&A says such individuals "whose travel was already formally scheduled by the Department of State … are permitted to travel to the United States and seek admission," and they are covered by the text of the carve-out in Section 3(b)(vi). See Q&A 10.  But the Q&A also says those individuals "are exempt from the Executive Order."  Q&A 27.  Admission thus may require a case-by-case waiver. Possible Expansion and Extension.  Like the prior order, this order requires a global review to identify categories of individuals appropriate for further limitations.  Secs. 2(e)-(f).  
Another provision requires re-alignment of any visa reciprocity programs, under which the United States offers visas of similar validity period and type (e.g. multiple-entry) on the basis of those offered to U.S. citizens.  Sec. 10. II.        Impact on Current Litigation There are approximately 20 active lawsuits challenging aspects of the January order.  Additionally, key parts of that Order are currently subject to a preliminary injunction issued by the United States District Court for the Western District of Washington.  The Ninth Circuit declined to temporarily stay that injunction pending a fuller appeal.[6]  The Eastern District of Virginia has also issued a preliminary injunction against certain parts of the January order as it applies to Virginia residents and institutions. There are hearings and briefing deadlines scheduled in both the Washington and Ninth Circuit proceedings, as well as in many of the other cases.  Because the new order rescinds the old order, effective March 16, those challenges may become moot, and the Department of Justice has said it will be seeking dismissal.[7]  However, it is highly likely that some of the existing complaints and requests for relief will be amended to challenge the new ban.  New challenges to the newly announced Executive Order are also anticipated.  It is difficult to predict how the courts will approach litigation, either substantively or procedurally.  Given that the new order does not go into effect until March 16, there will be opportunity for more substantive (although expedited) proceedings than was the case with the original order.  Gibson Dunn will continue to monitor challenges for possible impacts on the new order. III.       Issues for Companies to Consider As with the January order, there is no "one size fits all" approach for companies addressing employee and business issues related to the new Executive Order.
Accordingly, companies should again evaluate whether they will need to develop strategies to deal with the impact of the replacement Executive Order, both internally and as it relates to potential shareholder and business relations. In the immediate term, companies should consider outreach to their employees, particularly those who are or may be affected by the Executive Order.  Companies should also consider whether plans or policies are needed for travel by executives, employees, or other stakeholders.  In many ways, the new order is clearer than the January order, but, as we describe in more detail below, it is not clear how all aspects of the order will be implemented.  Accordingly, employers may want to consider the following: Outreach to employees who may be affected.  Companies should consider proactively identifying and reaching out to all employees who may be affected.  As noted above, the Executive Order, on its face, applies to both immigrants and non-immigrants from the six covered countries.  Thus, employees traveling for business or leisure may be equally affected.  Note that different employees’ immigration statuses may compel differing guidance on how to approach any issues that arise in the enforcement of the Order. Outreach to employees who may have family members affected.  It is important to remember that some of your employees, even if not directly impacted by the Executive Order, will have family and loved ones who are or may be impacted.  Companies may consider providing counseling and support for employees with these concerns. Communicating with employees.  Companies should consider identifying employees who frequently travel to and from the affected countries or who are visa holders from affected countries, to explain company plans with respect to the Executive Order.
Given issues that arose for travelers in connection with the implementation of the original Executive Order in January, employees from affected countries who are currently outside the United States, but have a legal right to enter, should be advised to stay in communication with individuals in the United States about their travel plans, in the event they have difficulty re-entering the country, and have a plan to obtain appropriate assistance in that event.  Identifying a point of contact.  Consider identifying a contact point for any employee questions or concerns regarding the Executive Order.  Furthermore, ensure that this contact is prepared to field questions from affected or potentially affected employees, to discuss visa renewal or travel to and from the affected countries, and to refer employees with specific issues to the appropriate resources. Communicating with shareholders, business partners and other stakeholders.  Companies should consider whether communications with shareholders, business partners or other stakeholders regarding potential impacts on business as a result of enforcement of the Executive Order are appropriate. Modifying travel and meeting obligations.  Companies should consider modifying (or allowing for employee choice regarding) employee travel obligations, as appropriate to the company’s business needs, to avoid potential difficulties with travel to and from the United States.  Likewise, if companies have board members or executives affected by the Executive Order, or business stakeholders who will not be able to enter the United States due to the Executive Order, consider whether meetings can be conducted remotely or outside the United States.  Companies involved in pending litigation that may require employee travel to the United States should consider seeking the advice of litigation counsel to determine what, if any, notice to the relevant court or parties may be advisable at this stage. Reviewing non-discrimination policies.  
Companies may wish to send reminders of applicable equal employment policies.  Many employers included such statements in communications regarding the original Order.  Companies may also wish to consider how their policies apply to employment and hiring decisions in light of travel restrictions.  This list addresses just some of the issues that companies will face in light of the Executive Order.  Gibson, Dunn & Crutcher’s lawyers, including its employment, securities, administrative law, constitutional law, and sanctions teams, are available to assist clients with navigating these and other issues that arise with respect to enforcement of the March 6 Order. IV.       Suspension of Expedited Processing for H-1B Visas On March 3, U.S. Citizenship and Immigration Services (USCIS) announced it will suspend "premium processing" of applications for H-1B visas.[8]  This change is effective April 3, 2017, the first date for filing FY18 applications.  The agency says that this is necessary to process back-logged petitions.  It also says that "expedited" processing is still available for applications meeting certain criteria, and subject to "the discretion of office leadership."  Applications that remain eligible for premium processing include those involving: severe financial loss to company or person; emergency situation; humanitarian reasons; nonprofit organization whose request is in furtherance of the cultural and social interests of the United States; Department of Defense or national interest situation; USCIS error; or compelling interest of USCIS.[9] *      *      * Gibson Dunn will continue to monitor these rapidly developing issues closely.    [1]   "Executive Order Protecting The Nation From Foreign Terrorist Entry Into The United States," Mar. 6, 2017, https://www.whitehouse.gov/the-press-office/2017/03/06/executive-order-protecting-nation-foreign-terrorist-entry-united-states.
[2]   See, e.g., Letter from Attorney General and Sec’y of Homeland Security, Mar. 6, 2017, https://www.dhs.gov/sites/default/files/publications/17_0306_S1_DHS-DOJ-POTUS-letter.pdf.    [3]   U.S. Dep’t of Homeland Security, "Q&A: Protecting the Nation From Foreign Terrorist Entry To The United States," Mar. 6, 2017, https://www.dhs.gov/news/2017/03/06/qa-protecting-nation-foreign-terrorist-entry-united-states.    [4]   U.S. Dep’t of Homeland Security, "Fact Sheet: Protecting the Nation From Foreign Terrorist Entry To The United States," Mar. 6, 2017, https://www.dhs.gov/news/2017/03/06/fact-sheet-protecting-nation-foreign-terrorist-entry-united-states.    [5]   U.S. Dep’t of State, "Executive Order on Visas," Mar. 6, 2017, https://travel.state.gov/content/travel/en/news/important-announcement.html.    [6]   http://cdn.ca9.uscourts.gov/datastore/general/2017/02/27/17-35105%20-%20Motion%20Denied.pdf; https://cdn.ca9.uscourts.gov/datastore/opinions/2017/02/09/17-35105.pdf.    [7]   http://www.politico.com/story/2017/03/trump-releases-new-travel-ban-executive-order-235720.    [8]   U.S. Citizenship and Immigration Services, "USCIS Will Temporarily Suspend Premium Processing for All H-1B Petitions," Mar. 3, 2017, https://www.uscis.gov/news/alerts/uscis-will-temporarily-suspend-premium-processing-all-h-1b-petitions.    [9]   U.S. Citizenship and Immigration Services, "Expedite Criteria," https://www.uscis.gov/forms/expedite-criteria. Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work or any of the following: Theodore J. Boutrous, Jr. – Los Angeles (+1 213-229-7000, tboutrous@gibsondunn.com) Rachel S. Brass – San Francisco (+1 415-393-8293, rbrass@gibsondunn.com) Anne M. Champion – New York (+1 212-351-5361, achampion@gibsondunn.com) Ethan Dettmer – San Francisco (+1 415-393-8292, edettmer@gibsondunn.com) Theane Evangelis – Los Angeles (+1 213-229-7726, tevangelis@gibsondunn.com) Kirsten Galler – Los Angeles (+1 213-229-7681, kgaller@gibsondunn.com) Ronald Kirk – Dallas (+1 214-698-3295, rkirk@gibsondunn.com) Joshua S. Lipshutz – Washington D.C. (+1 202-955-8217, jlipshutz@gibsondunn.com) Katie Marquart, Pro Bono Counsel & Director – New York (+1 212-351-5261, kmarquart@gibsondunn.com) Samuel A. Newman – Los Angeles (+1 213-229-7644, snewman@gibsondunn.com) Jason C. Schwartz – Washington D.C. (+1 202-955-8242, jschwartz@gibsondunn.com) Kahn A. Scolnick – Los Angeles (+1 213-229-7656, kscolnick@gibsondunn.com) © 2017 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

October 10, 2018 |
Artificial Intelligence and Autonomous Systems Legal Update (3Q18)

We are pleased to provide the following update on recent legal developments in the areas of artificial intelligence, machine learning, and autonomous systems (or “AI” for short), and their implications for companies developing or using products based on these technologies.  As the spread of AI rapidly increases, legal scrutiny in the U.S. of the potential uses and effects of these technologies (both beneficial and harmful) has also been increasing.  While we have chosen to highlight below several governmental and legislative actions from the past quarter, the area is rapidly evolving and we will continue to monitor further actions in these and related areas to provide future updates of potential interest on a regular basis. I.       Increasing Federal Government Interest in AI Technologies The Trump Administration and Congress have recently taken a number of steps aimed at pushing AI forward on the U.S. agenda, while also treating with caution foreign involvement in U.S.-based AI technologies.  Some of these actions may mean additional hurdles for cross-border transactions involving AI technology.  On the other hand, there may also be opportunities for companies engaged in the pursuit of AI technologies to influence the direction of future legislation at an early stage. A.       White House Studies AI In May, the Trump Administration kicked off what is becoming an active year in AI for the federal government by hosting an “Artificial Intelligence for American Industry” summit as part of its designation of AI as an “Administration R&D priority.”[1] During the summit, the White House also announced the establishment of a “Select Committee on Artificial Intelligence” to advise the President on research and development priorities and explore partnerships within the government and with industry.[2]  This Select Committee is housed within the National Science and Technology Council, and is chaired by Office of Science and Technology Policy leadership.
Administration officials have said that a focus of the Select Committee will be to look at opportunities for increasing federal funds into AI research in the private sector, to ensure that the U.S. has (or maintains) a technological advantage in AI over other countries.  In addition, the Committee is to look at possible uses of the government’s vast store of taxpayer-funded data to promote the development of advanced AI technologies, without compromising security or individual privacy.  While it is believed that there will be opportunities for private stakeholders to have input into the Select Committee’s deliberations, the inaugural meeting of the Committee, which occurred in late June, was not open to the public for input. B.       AI in the NDAA for 2019 More recently, on August 13th, President Trump signed into law the John S. McCain National Defense Authorization Act (NDAA) for 2019,[3] which specifically authorizes the Department of Defense to appoint a senior official to coordinate activities relating to the development of AI technologies for the military, as well as to create a strategic plan for incorporating a number of AI technologies into its defense arsenal.  In addition, the NDAA includes the Foreign Investment Risk Review Modernization Act (FIRRMA)[4] and the Export Control Reform Act (ECRA),[5] both of which require the government to scrutinize cross-border transactions involving certain new technologies, likely including AI-related technologies. FIRRMA modifies the review process currently used by the Committee on Foreign Investment in the United States (CFIUS), an interagency committee that reviews the national security implications of investments by foreign entities in the United States.  
With FIRRMA’s enactment, the scope of the transactions that CFIUS can review is expanded to include those involving “emerging and foundational technologies,” defined as those that are critical for maintaining the national security technological advantage of the United States.  While the changes to the CFIUS process are still fresh and untested, increased scrutiny under FIRRMA will likely have an impact on available foreign investment in the development and use of AI, at least where the AI technology involved is deemed such a critical technology and is sought to be purchased or licensed by foreign investors. Similarly, ECRA requires the President to establish an interagency review process with various agencies including the Departments of Defense, Energy, State and the head of other agencies “as appropriate,” to identify emerging and foundational technologies essential to national security in order to impose appropriate export controls.  Export licenses are to be denied if the proposed export would have a “significant negative impact” on the U.S. defense industrial base.  The terms “emerging and foundational technologies” are not expressly defined, but it is likely that AI technologies, which are of course “emerging,” would receive a close look under ECRA and that ECRA might also curtail whether certain AI technologies can be sold or licensed to foreign entities. The NDAA also established a National Security Commission on Artificial Intelligence “to review advances in artificial intelligence, related machine learning developments, and associated technologies.”  The Commission, made up of certain senior members of Congress as well as the Secretaries of Defense and Commerce, will function independently from other such panels established by the Trump Administration and will review developments in AI along with assessing risks related to AI and related technologies to consider how those methods relate to the national security and defense needs of the United States.  
The Commission will focus on technologies that provide the U.S. with a competitive AI advantage, and will look at the need for AI research and investment as well as consider the legal and ethical risks associated with the use of AI.  Members are to be appointed within 90 days of the Commission being established and an initial report to the President and Congress is to be submitted by early February 2019. C.       Additional Congressional Interest in AI/Automation While a number of existing bills with potential impacts on the development of AI technologies remain stalled in Congress,[6] two more recently-introduced pieces of legislation are also worth monitoring as they progress through the legislative process. In late June, Senator Feinstein (D-CA) sponsored the “Bot Disclosure and Accountability Act of 2018,” which is intended to address  some of the concerns over the use of automated systems for distributing content through social media.[7] As introduced, the bill seeks to prohibit certain types of bot or other automated activity directed to political advertising, at least where such automated activity appears to impersonate human activity.  The bill would also require the Federal Trade Commission to establish and enforce regulations to require public disclosure of the use of bots, defined as any “automated software program or process intended to impersonate or replicate human activity online.”  The bill provides that any such regulations are to be aimed at the “social media provider,” and would place the burden of compliance on such providers of social media websites and other outlets.  Specifically, the FTC is to promulgate regulations requiring the provider to take steps to ensure that any users of a social media website owned or operated by the provider would receive “clear and conspicuous notice” of the use of bots and similar automated systems.  
FTC regulations would also require social media providers to police their systems, removing non-compliant postings and/or taking other actions (including suspension or removal) against users that violate such regulations.  While there are significant differences, the Feinstein bill is nevertheless similar in many ways to California’s recently-enacted Bot disclosure law (S.B. 1001), discussed more fully in our previous client alert located here.[8] Also of note, on September 26th, a bipartisan group of Senators introduced the “Artificial Intelligence in Government Act,” which seeks to provide the federal government with additional resources to incorporate AI technologies in the government’s operations.[9] As written, this new bill would require the General Services Administration to bring on technical experts to advise other government agencies, conduct research into future federal AI policy, and promote inter-agency cooperation with regard to AI technologies.  The bill would also create yet another federal advisory board to advise government agencies on AI policy opportunities and concerns.  In addition, the newly-introduced legislation seeks to require the Office of Management and Budget to identify ways for the federal government to invest in and utilize AI technologies and tasks the Office of Personnel Management with anticipating and providing training for the skills and competencies the government requires going forward for incorporating AI into its overall data strategy. II.       Potential Impact on AI Technology of Recent California Privacy Legislation Interestingly, in the related area of data privacy regulation, the federal government has been slower to respond, and it is the state legislatures that are leading the charge.[10] Most machine learning algorithms depend on the availability of large data sets for purpose of training, testing, and refinement.  Typically, the larger and more complete the datasets available, the better.
However, these datasets often include highly personal information about consumers, patients, or others of interest—data that can sometimes be used to predict information specific to a particular person even if attempts are made to keep the source of such data anonymous. The European Union’s General Data Protection Regulation, or GDPR, which went into force on May 25, 2018, has deservedly garnered a great deal of press as one of the first, most comprehensive collections of data privacy protections. While we’re only months into its effective period, the full impact and enforcement of the GDPR’s provisions have yet to be felt.  Still, many U.S. companies, forced to take steps to comply with the provisions of GDPR at least with regard to EU citizens, have opted to take many of those same steps here in the U.S., despite the fact that no direct U.S. federal analogue to the GDPR yet exists.[11] Rather than wait for the federal government to act, several states have opted to follow the lead of the GDPR and enact their own versions of comprehensive data privacy laws.  Perhaps the most significant of these state-legislated omnibus privacy laws is the California Consumer Privacy Act (“CCPA”), signed into law on June 28, 2018, and slated to take effect on January 1, 2020.[12]  The CCPA is not identical to the GDPR, differing in a number of key respects.  However, there are many similarities, in that the CCPA also has broad definitions of personal information/data, and seeks to provide a right to notice of data collection, a right of access to and correction of collected data, a right to be forgotten, and a right to data portability.  But how do the CCPA’s requirements differ from the GDPR for companies engaged in the development and use of AI technologies?  While there are many issues to consider, below we examine several of the key differences of the CCPA and their impact on machine learning and other AI-based processing of collected data. A.
Inferences Drawn from Personal Information The GDPR defines personal data as “any information relating to an identified or identifiable natural person,” such as “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that nature person.”[13]  Under the GDPR, personal data has implications in the AI space beyond just the data that is actually collected from an individual.  AI technology can be and often is used to generate additional information about a person from collected data, e.g., spending habits, facial features, risk of disease, or other inferences that can be made from the collected data.  Such inferences, or derivative data, may well constitute “personal data” under a broad view of the GDPR, although there is no specific mention of derivative data in the definition. By contrast, the CCPA goes farther and specifically includes “inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.”[14]  An “inference” is defined as “the derivation of information, data, assumptions, or conclusions from evidence, or another source of information or data.”[15] Arguably the primary purpose of many AI systems is to draw inferences from a user’s information, by mining data, looking for patterns, and generating analysis.  Although the CCPA does limit inferences to those drawn “to create a profile about a consumer,” the term “profile” is not defined in the CCPA.  However, the use of consumer information that is “deidentified” or “aggregated” is permitted by the CCPA.  Thus, one possible solution may be to take steps to “anonymize” any personal data used to derive any inferences.  
As a result, when looking to CCPA compliance, companies may want to carefully consider the derivative/processed data that they are storing about a user, and consider additional steps that may be required for CCPA compliance. B.       Identifying Categories of Personal Information The CCPA also requires disclosures of the categories of personal information being collected, the categories of sources from which personal information is collected, the purpose for collecting and selling personal information, and the categories of third parties with whom the business shares personal information. [16]  Although these categories are likely known and definable for static data collection, it may be more difficult to specifically disclose the purpose and categories for certain information when dynamic machine learning algorithms are used.  This is particularly true when, as discussed above, inferences about a user are included as personal information.  In order to meet these disclosure requirements, companies may need to carefully consider how they will define all of the categories of personal information collected or the purposes of use of that information, particularly when machine learning algorithms are used to generate additional inferences from, or derivatives of, personal data. C.       Personal Data Includes Households The CCPA’s definition of “personal data” also includes information pertaining to non-individuals, such as “households” – a term that the CCPA does not further define.[17]  In the absence of an explicit definition, the term “household” would seem to target information collected about a home and its inhabits through smart home devices, such as thermostats, cameras, lights, TVs, and so on.  When looking to the types of personal data being collected, the CCPA may also encompass information about each of these smart home devices, such as name, location, usage, and special instructions (e.g., temperature controls, light timers, and motion sensing).  
Furthermore, any inferences or derivative information generated by AI algorithms from the information collected from these smart home devices may also be covered as personal information. Arguably, this could include information such as conversations with voice assistants or even information about when people are likely to be home determined via cameras or motion sensors. Companies developing smart home, or other Internet of Things, devices thus should carefully consider whether the scope and use they make of any information collected from “households” falls under the CCPA requirements for disclosure or other restrictions.

III. Continuing Efforts to Regulate Autonomous Vehicles

Much like the potential for a comprehensive U.S. data privacy law, and despite a flurry of legislative activity in Congress in 2017 and early 2018 towards such a national regulatory framework, autonomous vehicles continue to operate under a complex patchwork of state and local rules with limited federal oversight. We previously provided an update (located here)[18] discussing the Safely Ensuring Lives Future Deployment and Research In Vehicle Evolution (SELF DRIVE) Act[19], which passed the U.S. House of Representatives by voice vote in September 2017 and its companion bill (the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (AV START) Act).[20] Both bills have since stalled in the Senate, and with them the anticipated implementation of a uniform regulatory framework for the development, testing and deployment of autonomous vehicles.

As the two bills languish in Congress, ‘chaperoned’ autonomous vehicles have already begun coexisting on roads alongside human drivers. The accelerating pace of policy proposals—and debate surrounding them—looks set to continue in late 2018 as virtually every major automaker is placing more autonomous vehicles on the road for testing and some manufacturers prepare to launch commercial services such as self-driving taxi ride-shares[21] into a national regulatory vacuum.

A. “Light-touch” Regulation

The delineation of federal and state regulatory authority has emerged as a key issue because autonomous vehicles do not fit neatly into the existing regulatory structure. One of the key aspects of the proposed federal legislation is that it empowers the National Highway Traffic Safety Administration (NHTSA) with the oversight of manufacturers of self-driving cars through enactment of future rules and regulations that will set the standards for safety and govern areas of privacy and cybersecurity relating to such vehicles. The intention is to have a single body (the NHTSA) develop a consistent set of rules and regulations for manufacturers, rather than continuing to allow the states to adopt a web of potentially widely differing rules and regulations that may ultimately inhibit development and deployment of autonomous vehicles. This approach was echoed by safety guidelines released by the Department of Transportation (DoT) for autonomous vehicles. Through the guidelines (“a nonregulatory approach to automated vehicle technology safety”),[22] the DoT avoids any compliance requirement or enforcement mechanism, at least for the time being, as the scope of the guidance is expressly to support the industry as it develops best practices in the design, development, testing, and deployment of automated vehicle technologies.
Under the proposed federal legislation, the states can still regulate autonomous vehicles, but the guidance encourages states not to pass laws that would “place unnecessary burdens on competition and innovation by limiting [autonomous vehicle] testing or deployment to motor vehicle manufacturers only.”[23] The third iteration of the DoT’s federal guidance, published on October 4, 2018, builds upon—but does not replace—the existing guidance, and reiterates that the federal government is placing the onus for safety on companies developing the technologies rather than on government regulation.[24] The guidelines, which now include buses, transit and trucks in addition to cars, remain voluntary.

B. Safety

Much of the delay in enacting a regulatory framework is a result of policymakers’ struggle to balance the industry’s desire to speed both the development and deployment of autonomous vehicle technologies with the safety and security concerns of consumer advocates.

The AV START bill requires NHTSA to construct comprehensive safety regulations for AVs with a mandated, accelerated timeline for rulemaking, and the bill puts in place an interim regulatory framework that requires manufacturers to submit a Safety Evaluation Report addressing a range of key areas at least 90 days before testing, selling, or commercialization of any driverless cars.
But some lawmakers and consumer advocates remain skeptical in the wake of highly publicized setbacks in autonomous vehicle testing.[25] Although the National Safety Transportation Board (NSTB) has authority to investigate auto accidents, there is still no federal regulatory framework governing liability for individuals and states.[26] There are also ongoing concerns over cybersecurity risks[27], the use of forced arbitration clauses by autonomous vehicle manufacturers,[28] and miscellaneous engineering problems that revolve around the way in which autonomous vehicles interact with obstacles commonly faced by human drivers, such as emergency vehicles,[29] graffiti on road signs or even raindrops and tree shadows.[30]

In August 2018, the Governors Highway Safety Association (GHSA) published a report outlining the key questions that manufacturers should urgently address.[31] The report suggested that states seek to encourage “responsible” autonomous car testing and deployment while protecting public safety and that lawmakers “review all traffic laws.” The report also notes that public debate often blurs the boundaries between the different levels of automation the NHTSA has defined (ranging from level 0 (no automation) to level 5 (fully self-driving without the need for human occupants)), remarking that “most AVs for the foreseeable future will be Levels 2 through 4. Perhaps they should be called ‘occasionally self-driving.’”[32]

C. State Laws

Currently, 21 states and the District of Columbia have passed laws regulating the deployment and testing of self-driving cars, and governors in 10 states have issued executive orders related to them.[33] For example, California expanded its testing rules in April 2018 to allow for remote monitoring instead of a safety driver inside the vehicle.[34] However, state laws differ on basic terminology, such as the definition of “vehicle operator.” Tennessee SB 151[35] points to the autonomous driving system (ADS) while Texas SB 2205[36] designates a “natural person” riding in the vehicle. Meanwhile, Georgia SB 219[37] identifies the operator as the person who causes the ADS to engage, which might happen remotely in a vehicle fleet.

These distinctions will affect how states license both human drivers and autonomous vehicles going forward. Companies operating in this space accordingly need to stay abreast of legal developments in states in which they are developing or testing autonomous vehicles, while understanding that any new federal regulations may ultimately preempt those states’ authorities to determine, for example, crash protocols or how they handle their passengers’ data.

D. ‘Rest of the World’

While the U.S. was the first country to legislate for the testing of automated vehicles on public roads, the absence of a national regulatory framework risks impeding innovation and development. In the meantime, other countries are vying for pole position among manufacturers looking to test vehicles on roads.[38] KPMG’s 2018 Autonomous Vehicles Readiness Index ranks 20 countries’ preparedness for an autonomous vehicle future. The Netherlands took the top spot, outperforming the U.S. (3rd) and China (16th).[39] Japan and Australia plan to have self-driving cars on public roads by 2020.[40] The U.K. government has announced that it expects to see fully autonomous vehicles on U.K. roads by 2021, and is introducing legislation—the Automated and Electric Vehicles Act 2018—which installs an insurance framework addressing product liability issues arising out of accidents involving autonomous cars, including those wholly caused by an autonomous vehicle “when driving itself.”[41]

E. Looking Ahead

While autonomous vehicles operating on public roads are likely to remain subject to both federal and state regulation, the federal government is facing increasing pressure to adopt a federal regulatory scheme for autonomous vehicles in 2018.[42] Almost exactly one year after the House passed the SELF DRIVE Act, House Energy and Commerce Committee leaders called on the Senate to advance automated vehicle legislation, stating that “[a]fter a year of delays, forcing automakers and innovators to develop in a state-by-state patchwork of rules, the Senate must act to support this critical safety innovation and secure America’s place as a global leader in technology.”[43] The continued absence of federal regulation renders the DoT’s informal guidance increasingly important. The DoT has indicated that it will enact “flexible and technology-neutral” policies—rather than prescriptive performance-based standards—to encourage regulatory harmony and consistency as well as competition and innovation.[44] Companies searching for more tangible guidance on safety standards at federal level may find it useful to review the recent guidance issued alongside the DoT’s announcement that it is developing (and seeking public input into) a pilot program for ‘highly or fully’ autonomous vehicles on U.S. roads.[45] The safety standards being considered include technology disabling the vehicle if a sensor fails or barring vehicles from traveling above safe speeds, as well as a requirement that NHTSA be notified of any accident within 24 hours.

[1] See https://www.whitehouse.gov/wp-content/uploads/2018/05/Summary-Report-of-White-House-AI-Summit.pdf; note also that the Trump Administration’s efforts in studying AI technologies follow, but appear largely separate from, several workshops on AI held by the Obama Administration in 2016, which resulted in two reports issued in late 2016 (see Preparing for the Future of Artificial Intelligence, and Artificial Intelligence, Automation, and the Economy). [2] Id. at Appendix A. [3] See https://www.mccain.senate.gov/public/index.cfm/2018/8/senate-passes-the-john-s-mccain-national-defense-authorization-act-for-fiscal-year-2019.  The full text of the NDAA is available at https://www.congress.gov/bill/115th-congress/house-bill/5515/text.  For additional information on CFIUS reform implemented by the NDAA, please see Gibson Dunn’s previous client update at https://www.gibsondunn.com/cfius-reform-our-analysis/. [4] See id.; see also https://www.treasury.gov/resource-center/international/Documents/FIRRMA-FAQs.pdf. [5] See https://foreignaffairs.house.gov/wp-content/uploads/2018/02/HR-5040-Section-by-Section.pdf.   [6] See, e.g. infra., Section III discussion of SELF DRIVE and AV START Acts, among others. [7] S.3127, 115th Congress (2018). [8] https://www.gibsondunn.com/new-california-security-of-connected-devices-law-and-ccpa-amendments/. [9] S.3502, 115th Congress (2018). [10] See also, infra., Section III for more discussion of specific regulatory efforts for autonomous vehicles. [11] However, as 2018 has already seen a fair number of hearings before Congress relating to digital data privacy issues, including appearances by key executives from many major tech companies, it seems likely that it may not be long before we see the introduction of a “GDPR-like” comprehensive data privacy bill.  
Whether any resulting federal legislation would actually pre-empt state-enacted privacy laws to establish a unified federal framework is itself a hotly-contested issue, and remains to be seen. [12] AB 375 (2018); Cal. Civ. Code §1798.100, et seq. [13] Regulation (EU) 2016/679 (General Data Protection Regulation), Article 4 (1). [14] Cal. Civ. Code §1798.140(o)(1)(K). [15] Id.. at §1798.140(m). [16] Id. at §1798.110(c). [17] Id. at §1798.140(o)(1). [18] https://www.gibsondunn.com/accelerating-progress-toward-a-long-awaited-federal-regulatory-framework-for-autonomous-vehicles-in-the-united-states/. [19]   H.R. 3388, 115th Cong. (2017). [20]   U.S. Senate Committee on Commerce, Science and Transportation, Press Release, Oct. 24, 2017, available at https://www.commerce.senate.gov/public/index.cfm/pressreleases?ID=BA5E2D29-2BF3-4FC7-A79D-58B9E186412C. [21]   Sean O’Kane, Mercedes-Benz Self-Driving Taxi Pilot Coming to Silicon Valley in 2019, The Verge, Jul. 11, 2018, available at https://www.theverge.com/2018/7/11/17555274/mercedes-benz-self-driving-taxi-pilot-silicon-valley-2019. [22]   U.S. Dept. of Transp., Automated Driving Systems 2.0: A Vision for Safety 2.0, Sept. 2017, https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13069a-ads2.0_090617_v9a_tag.pdf. [23]   Id., at para 2. [24]   U.S. DEPT. OF TRANSP., Preparing for the Future of Transportation: Automated Vehicles 3.0, Oct. 4, 2018, https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/320711/preparing-future-transportation-automated-vehicle-30.pdf. [25]   Sasha Lekach, Waymo’s Self-Driving Taxi Service Could Have Some Major Issues, Mashable, Aug. 28, 2018, available at https://mashable.com/2018/08/28/waymo-self-driving-taxi-problems/#dWzwp.UAEsqM. [26]   Robert L. Rabin, Uber Self-Driving Cars, Liability, and Regulation, Stanford Law School Blog, Mar. 20, 2018, available at https://law.stanford.edu/2018/03/20/uber-self-driving-cars-liability-regulation/. 
[27]   David Shephardson, U.S. Regulators Grappling with Self-Driving Vehicle Security, Reuters. Jul. 10, 2018, available at https://www.reuters.com/article/us-autos-selfdriving/us-regulators-grappling-with-self-driving-vehicle-security-idUSKBN1K02OD. [28]   Richard Blumenthal, Press Release, Ten Senators Seek Information from Autonomous Vehicle Manufacturers on Their Use of Forced Arbitration Clauses, Mar. 23, 2018, available at https://www.blumenthal.senate.gov/newsroom/press/release/ten-senators-seek-information-from-autonomous-vehicle-manufacturers-on-their-use-of-forced-arbitration-clauses. [29]   Kevin Krewell, How Will Autonomous Cars Respond to Emergency Vehicles, Forbes, Jul. 31, 2018, available at https://www.forbes.com/sites/tiriasresearch/2018/07/31/how-will-autonomous-cars-respond-to-emergency-vehicles/#3eed571627ef. [30]   Michael J. Coren, All The Things That Still Baffle Self-Driving Cars, Starting With Seagulls, Quartz, Sept. 23, 2018, available at https://qz.com/1397504/all-the-things-that-still-baffle-self-driving-cars-starting-with-seagulls/. [31]   ghsa, Preparing For Automated Vehicles: Traffic Safety Issues For States, Aug. 2018, available at https://www.ghsa.org/sites/default/files/2018-08/Final_AVs2018.pdf. [32]   Id., at 7. [33]   Brookings, The State of Self-Driving Car Laws Across the U.S., May 1, 2018, available at https://www.brookings.edu/blog/techtank/2018/05/01/the-state-of-self-driving-car-laws-across-the-u-s/. [34]   Aarian Marshall, Fully Self-Driving Cars Are Really Truly Coming to California, Wired, Feb. 26, 2018, available at, https://www.wired.com/story/california-self-driving-car-laws/; State of California, Department of Motor Vehicles, Autonomous Vehicles in California, available at https://www.dmv.ca.gov/portal/dmv/detail/vr/autonomous/bkgd. [35]   SB 151, available at http://www.capitol.tn.gov/Bills/110/Bill/SB0151.pdf. [36]   SB 2205, available at https://legiscan.com/TX/text/SB2205/2017. 
[37]   SB 219, available at http://www.legis.ga.gov/Legislation/en-US/display/20172018/SB/219. [38]   Tony Peng & Michael Sarazen, Global Survey of Autonomous Vehicle Regulations, Medium, Mar. 15, 2018, available at https://medium.com/syncedreview/global-survey-of-autonomous-vehicle-regulations-6b8608f205f9. [39]   KPMG, Autonomous Vehicles Readiness Index: Assessing Countries’ Openness and Preparedness for Autonomous Vehicles, 2018, (“The US has a highly innovative but largely disparate environment with little predictability regarding the uniform adoption of national standards for AVs. Therefore the prospect of  widespread driverless vehicles is unlikely in the near future. However, federal policy and regulatory guidance could certainly accelerate early adoption . . .”), p. 17, available at https://assets.kpmg.com/content/dam/kpmg/nl/pdf/2018/sector/automotive/autonomous-vehicles-readiness-index.pdf. [40]   Stanley White, Japan Looks to Launch Autonomous Car System in Tokyo by 2020, Automotive News, Jun. 4, 2018, available at http://www.autonews.com/article/20180604/MOBILITY/180609906/japan-self-driving-car; National Transport Commission Australia, Automated vehicles in Australia, available at https://www.ntc.gov.au/roads/technology/automated-vehicles-in-australia/. [41]   The Automated and Electric Vehicles Act 2018, available at http://www.legislation.gov.uk/ukpga/2018/18/contents/enacted; Lexology, Muddy Road Ahead Part II: Liability Legislation for Autonomous Vehicles in the United Kingdom, Sept. 21, 2018,  https://www.lexology.com/library/detail.aspx?g=89029292-ad7b-4c89-8ac9-eedec3d9113a; see further Anne Perkins, Government to Review Law Before Self-Driving Cars Arrive on UK Roads, The Guardian, Mar. 6, 2018, available at https://www.theguardian.com/technology/2018/mar/06/self-driving-cars-in-uk-riding-on-legal-review. [42]   Michaela Ross, Code & Conduit Podcast: Rep. Bob Latta Eyes Self-Driving Car Compromise This Year, Bloomberg Law, Jul. 
26, 2018, available at https://www.bna.com/code-conduit-podcast-b73014481132/. [43]   Freight Waves, House Committee Urges Senate to Advance Self-Driving Vehicle Legislation, Sept. 10, 2018, available at https://www.freightwaves.com/news/house-committee-urges-senate-to-advance-self-driving-vehicle-legislation; House Energy and Commerce Committee, Press Release, Sept. 5, 2018, available at https://energycommerce.house.gov/news/press-release/media-advisory-walden-ec-leaders-to-call-on-senate-to-pass-self-driving-car-legislation/. [44]   See supra n. 24, U.S. DEPT. OF TRANSP., Preparing for the Future of Transportation: Automated Vehicles 3.0, Oct. 4, 2018, iv. [45]   David Shephardson, Self-driving cars may hit U.S. roads in pilot program, NHTSA says, Automotive News, Oct. 9, 2018, available at http://www.autonews.com/article/20181009/MOBILITY/181009630/self-driving-cars-may-hit-u.s.-roads-in-pilot-program-nhtsa-says. Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, or the authors: H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com) Claudia M. Barrett – Washington, D.C. (+1 202-887-3642, cbarrett@gibsondunn.com) Frances Annika Smithson – Los Angeles (+1 213-229-7914, fsmithson@gibsondunn.com) Ryan K. Iwahashi – Palo Alto (+1 650-849-5367, riwahashi@gibsondunn.com) Please also feel free to contact any of the following: Automotive/Transportation: Theodore J. Boutrous, Jr. – Los Angeles (+1 213-229-7000, tboutrous@gibsondunn.com) Christopher Chorba – Los Angeles (+1 213-229-7396, cchorba@gibsondunn.com) Theane Evangelis – Los Angeles (+1 213-229-7726, tevangelis@gibsondunn.com) Privacy, Cybersecurity and Consumer Protection: Alexander H. Southwell – New York (+1 212-351-3981, asouthwell@gibsondunn.com) Public Policy: Michael D. Bopp – Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com) Mylan L. 
Denerstein – New York (+1 212-351-3850, mdenerstein@gibsondunn.com) © 2018 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

June 21, 2017 |
Channeling the Channel-Partner Risk: Addressing Anti-Corruption Risk with Channel Partners in the Technology Sector

Orange County partner Nicola Hanna, Los Angeles partner Michael Farhang, Washington, D.C. associate Pedro Soto and Orange County associate Caitlin Peters are the authors of "Channeling the Channel-Partner Risk: Addressing Anti-Corruption Risk with Channel Partners in the Technology Sector," [PDF] published in FCPA Report on June 21, 2017.

February 18, 2016 |
Commercial Drone Industry May Be Ready For Takeoff Soon

Orange County associate Jared Greenberg is the author of "Commercial Drone Industry May Be Ready For Takeoff Soon" [PDF] published on February 18, 2016 by Law360.

February 17, 2015 |
Cybersecurity and Data Privacy Outlook and Review: 2015

Concerns about cybersecurity and data privacy have exploded into the public consciousness in recent years, accompanied by a host of new and rapidly developing legal issues. From data breaches potentially affecting millions of consumers, to increasingly active policing of cybersecurity by the FTC and other U.S. regulators, to the protection of "the right to be forgotten" in the European Union, the headlines have been filled with cybersecurity and data privacy news and legal developments–and there is no end in sight.

In this annual edition of Gibson Dunn’s Cybersecurity and Data Privacy Outlook and Review, the firm’s Information Technology and Data Privacy group describes key data privacy and security events from 2014 and sets forth anticipated trends for the near future. The topics covered are: (i) civil litigation; (ii) regulatory and policy developments; (iii) legislative developments; (iv) criminal enforcement; and (v) select international developments in the European Union and the Asia-Pacific region.

Table of Contents

I. Class Action and Civil Litigation Developments
    A. Article III Standing
        1. Statutory Rights of Action As Substitute for Harm
        2. Theories of Harm in the Data Breach Context
        3. Resource Consumption and Overpayment as Theories of Harm
        4. Requirement of Certainly Impending Harm
    B. Substantive Trends in Data Privacy Class Actions
        1. Data Breach Litigation
        2. Email Scanning Litigation
        3. VPPA Litigation
        4. ECPA Litigation and the "Contents of Communications"
        5. California’s Song-Beverly Credit Card Act and Point-of-Service Data Collection
        6. TCPA Litigation
II. Regulatory and Policy Developments
    A. FTC Enforcement Trends
        1. Cybersecurity, Data Breaches, and Legal Challenges to the FTC’s Authority
        2. The U.S.-EU Safe Harbor
        3. High-Profile FTC Consent Decrees
    B. The FTC’s Revised COPPA Rule
    C. FCC Guidance and Amendments to the TCPA
    D. The NIST Cybersecurity Framework
III. Legislative Developments
    A. Proposed Federal Data Breach Notification and Cybersecurity Legislation
        1. Legislation Arising From Prominent Retailer Data Breaches
        2. Cybersecurity Legislative Efforts
        3. Health Exchange Security and Transparency Act
        4. The Law Enforcement Access to Data Stored Abroad Act
        5. Protecting Student Privacy Act
        6. Do Not Track Kids Act
        7. The Edward Snowden Affair and NSA Surveillance
    B. Recently Enacted State Privacy Laws
        1. Data Breach Notification
        2. Credit Card Monitoring After Data Breach
        3. Social Media Access
        4. Drone Regulation
        5. California’s "Do Not Track" Law
        6. California’s "Digital Eraser" Law
        7. California’s Privacy for Student Records Laws
    C. Legislative Outlook
IV. Criminal Enforcement
    A. Fourth Amendment Developments
        1. U.S. v. Ringmaiden
        2. Cell Phones and Warrantless Searches
    B. Identity Theft and Carding Crimes
        1. United States v. Lazar (E.D. Va.)
        2. United States v. Vega (E.D.N.Y)
    C. Money Laundering
        1. United States v. Dotcom (E.D. Va.)
        2. United States v. Faiella (S.D.N.Y)
        3. United States v. Liberty Reserve S.A. (S.D.N.Y)
    D. Economic Espionage Act
        1. United States v. Aleynikov (2d Cir.) and United States v. Agrawal (2d Cir.)
        2. United States v. Liew (N.D. Cal.)
        3. United States v. Wang Dong (W.D. Penn.)
        4. United States v. Leroux (D. Del.)
    E. Computer Fraud and Abuse Act
        1. United States v. Nosal (N.D. Cal.)
        2. Hacktivism
    F. The Year Ahead
V. International Developments
    A. European Union
        1. Developments at the European Union Level
        2. France
        3. Germany
        4. United Kingdom
        5. Other European Nations
    B. Asia-Pacific Region
        1. India
        2. China and Hong Kong
        3. Japan
        4. South Korea
        5. Malaysia
        6. Singapore
    C. Other International Developments of Note

I. Class Action and Civil Litigation Developments

The pace of litigation related to the alleged unauthorized collection, use, or disclosure of consumer information has continued to increase. In the past year, a flurry of decisions at the district and circuit court levels have grappled with plaintiff standing, pleading requirements, and the enforceability of arbitration clauses and class action waivers, in addition to substantive data privacy law.

A. Article III Standing

As the plaintiffs’ bar continues to adapt and bring claims predicated on novel theories of harm, litigants continue to contest Article III standing challenges in data privacy cases. As Magistrate Judge Grewal observed in In re Google, Inc. Privacy Policy Litigation:

[D]espite generating little or no discussion in most other cases, the issue of injury-in-fact has become standard fare in cases involving data privacy. In fact, the court is hard-pressed to find even one recent data privacy case, at least in this district, in which injury-in-fact has not been challenged. Second, in this district’s recent case law on data privacy claims, injury-in-fact has proven to be a significant barrier to entry. And so even though injury-in-fact may not generally be Mount Everest, as then-Judge Alito observed, in data privacy cases in the Northern District of California, the doctrine might still reasonably be described as Kilimanjaro.

No. 12-CV-01382, 2013 WL 6248499, at *4 (N.D. Cal. Dec. 3, 2013) (finding that allegations of loss of personal identifying information were insufficient to establish injury-in-fact, but certain alleged economic and statutory injuries were sufficient to support Article III standing); see also In re Google, Inc. Privacy Policy Litig., No. 12-CV-01382, 2014 WL 3707508, at *4 (N.D. Cal.
July 21, 2014) (reviewing second amended complaint and dismissing claims premised on allegations of conjectural heightened security risk from data disclosure, but holding other alleged economic theories sufficient to support Article III standing). Judge Grewal’s statement that "injury-in-fact has proven to be a significant barrier to entry" to data privacy plaintiffs largely continues to hold true, even in the face of recent decisions showing an increased tolerance for claims predicated on theories of future harm or statutes requiring no showing of actual harm.

1. Statutory Rights of Action As Substitute for Harm

Where plaintiffs might not otherwise be able to satisfy Article III standing requirements–in particular the element of actual injury–they have seen increased success in predicating privacy claims on statutory rights of action, which some courts have found do not require actual injury. See Robins v. Spokeo, Inc., 742 F.3d 409, 414 (9th Cir. 2014), petition for cert. filed, No. 13-1339; Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010) (the injury required by Article III "may exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing’"); In re Google, Inc. Privacy Policy Litig., 2013 WL 6248499, at *8-9. In Robins v. Spokeo, the Ninth Circuit held that the plaintiff could adequately plead Article III standing, despite lack of actual harm, by alleging a claim for a willful violation of the Fair Credit Reporting Act ("FCRA") (15 U.S.C. § 1681). 742 F.3d at 414. The Ninth Circuit here followed up on its earlier decision in Edwards v. First American Corporation. Thus, the Ninth Circuit, at least, has given plaintiffs in putative data privacy class actions a stronger foothold upon which to satisfy the Article III standing requirement and seek enforcement of federal or state statutes concerning data privacy rights.

The federal statutes most frequently utilized by data privacy plaintiffs to allege violations of statutorily imposed duties, and thus standing in the absence of injury, are the Wiretap Act (18 U.S.C. §§ 2510, et seq.) and the Stored Communications Act ("SCA") (18 U.S.C. §§ 2701, et seq.). See, e.g., Perkins v. LinkedIn Corp., No. 13-CV-04303-LHK, 2014 WL 2751053 (N.D. Cal. June 12, 2014); see also In re iPhone Application Litig., 844 F. Supp. 2d 1040 (N.D. Cal. 2012); In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011). In suits against electronic platforms that offer video content, plaintiffs also increasingly have alleged violations of the Video Privacy Protection Act ("VPPA") (18 U.S.C. § 2710). See, e.g., Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618 (7th Cir. 2014); In re Nickelodeon Consumer Privacy Litig., No. CIV.A. 12-07829, 2014 WL 3012873 (D.N.J. July 2, 2014).

State statutes also may provide a path to Article III standing. See, e.g., In re Google, Inc. Privacy Policy Litigation, 2013 WL 6248499, at *9. The court in In re Google, Inc. Privacy Policy Litigation found that the plaintiff could satisfy standing obligations pursuant to a state law, California Civil Code § 3344, which prohibits the commercial use of another’s name or likeness. Id. ("Where a plaintiff alleges an unauthorized commercial use of a person’s name or likeness, courts generally presume that [injury] has been established for a Section 3344 claim.") (internal quotation marks omitted). By contrast, however, in Mendoza v. Microsoft Inc., the court granted Microsoft’s motion to dismiss on standing grounds where the plaintiffs offered little more than "broad conclusory statements and formulaic recitations of the VPPA and [California Customer Records Act] statutes . . . without a single fact to support their allegation that Microsoft allegedly retained and disclosed personally identifiable information." No. C-14-316, 2014 WL 4540213, at *3 (W.D. Wash. Sept. 11, 2014).

Practitioners continue to wait on guidance from the U.S. Supreme Court in this area. Action by the Court might be imminent. In 2012, privacy practitioners had anxiously awaited the Supreme Court’s anticipated ruling in First American Financial Corp. v. Edwards, a decision many hoped would resolve the issue of whether an alleged statutory violation alone is sufficient to create Article III standing where the plaintiff fails to allege any actual harm. In June 2012, however, the Supreme Court dismissed the petition for certiorari as having been improvidently granted, leaving intact the Ninth Circuit’s decision that the standing requirement had been satisfied. First Am. Fin. Corp. v. Edwards, 132 S. Ct. 2536 (2012). Then in March 2014, after the Eighth Circuit found that a plaintiff had standing under the "informational injury" provision of the Electronic Fund Transfer Act ("EFTA"), the Supreme Court denied certiorari, again delaying resolution of the issue. Charvat v. Mutual First Fed. Credit Union, 725 F.3d 819 (8th Cir. 2013), cert. denied, 134 S. Ct. 1515 (2014). As of this writing, a petition for certiorari in Robins v. Spokeo is pending. Robins v. Spokeo, Inc., 742 F.3d 409, 414 (9th Cir. 2014), petition for cert. filed, 82 U.S.L.W. 3689 (U.S. May 1, 2014) (No. 13-1339). Petitioner Spokeo pointed out a deep circuit split, pitting the Ninth Circuit and several other circuit courts against the Second and Fourth Circuits. See Kendall v. Employees Ret. Plan of Avon Prods., 561 F.3d 112, 121 (2d Cir. 2009) (holding allegations of breached statutory duties in the ERISA context do not "in and of themselves constitute[] an injury-in-fact sufficient for constitutional standing"); David v. Alphin, 704 F.3d 327, 338 (4th Cir. 2013) (holding that theory of standing-based deprivation of statutory rights without injury-in-fact impermissibly "conflates statutory standing with constitutional standing").
Prominent technology companies have jointly filed an amicus brief in support of Spokeo’s petition. On October 6, 2014, the Court called for the views of the U.S. Solicitor General, perhaps signaling the Court’s interest in resolving the circuit split.

Until the Supreme Court speaks, federal courts remain divided on whether the mere assertion that a statutory right has been violated is sufficient to confer Article III standing at the pleadings stage.

2. Theories of Harm in the Data Breach Context

While standing based on statutory rights of action alone remains a hotly debated but unsettled issue, plaintiffs also continue to rely on more concrete, albeit attenuated, theories of harm. The closely watched Target breach litigation raised the issue of whether plaintiffs suffered harm in connection with a data breach targeting a national retail chain. In this multidistrict litigation, a Minnesota district court found that plaintiffs satisfied the standing requirements, at least at the pleading stage, by alleging plaintiffs suffered "unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees." In re Target Corp. Customer Data Sec. Breach Litig., No. MDL 14-2522, 2014 WL 7192478, at *2 (D. Minn. Dec. 18, 2014). Target had argued that the plaintiffs did not allege injury because they failed to "allege that their expenses were unreimbursed or say whether they or their bank closed their accounts." Id. But the court found that those arguments "set a too-high standard for Plaintiffs to meet" and that "Plaintiffs’ allegations plausibly allege that they suffered injuries that are ‘fairly traceable’ to Target’s conduct." Id. (citations omitted).

3. Resource Consumption and Overpayment as Theories of Harm

Plaintiffs have also continued the recent trend of alleging theories of harm (1) to their electronic devices in the form of unexpected "resource consumption," and (2) in the form of "overpayment" (i.e., by asserting that a plaintiff would not have purchased the good or service at issue or would have paid less for it had the "true facts" been disclosed to him or her). For example, both the first and second amended complaints in In re Google, Inc. Privacy Policy Litigation included allegations regarding battery and bandwidth usage and overpayment, which the court found adequate at the pleadings stage to establish cognizable injury for Article III standing purposes. 2013 WL 6248499, at *6-7; 2014 WL 3707508, at *6-7.

No matter the theory of harm offered by plaintiffs, given courts’ continuing uncertainty regarding speculative damages in the data privacy context, defendants should not lose sight of the standing issue (which goes to the court’s subject matter jurisdiction) if the complaint survives a standing challenge based on the pleadings. As the U.S. Supreme Court held in Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992), a plaintiff bears the burden of proving standing under Article III "with the manner and degree of evidence required at the successive stages of the litigation." At the pleadings stage, "general factual allegations of injury resulting from the defendant’s conduct may suffice," but "[i]n response to a summary judgment motion, . . . the plaintiff can no longer rest on such ‘mere allegations,’ but must ‘set forth’ by affidavit or other evidence ‘specific facts’ to support standing." Id. at 561; see also In re Target Corp. Customer Data Sec. Breach Litig., 2014 WL 7192478, at *2 ("[if] discovery fail[s] to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue [of standing]"); In re Google, Inc. Privacy Policy Litig., 2014 WL 3707508, at *7 (noting challenges to "causal nexus between [the] alleged conduct and the Plaintiffs’ alleged injury [] require[] a heavily and inherently fact-bound inquiry that the court may not reach at this state in the litigation"). Accordingly, a defendant in a data privacy case may wish to consider, particularly in developing its discovery strategy, whether standing may be challenged at a later stage of litigation, such as the summary judgment stage.

4. Requirement of Certainly Impending Harm

Courts in data breach cases are now grappling with how to apply the holding of Clapper v. Amnesty International, a key 2013 Supreme Court decision focusing on the issue of Article III standing. 133 S. Ct. 1138 (2013). In Clapper, human rights organizations and media groups challenged the constitutionality of an amendment to the Foreign Intelligence Surveillance Act that made it easier for the government to obtain wiretaps on intelligence targets outside of the United States. The plaintiffs, all U.S. citizens, alleged that they had standing because their work included telephone and email communications with people who were likely foreign targets of surveillance and such communications could be intercepted in the future. The plaintiffs also alleged that they had suffered injury by undertaking costly steps to protect their communications from surveillance.

The Supreme Court held that the allegations of potential interception of attorney-client privileged communications were too speculative to sustain a claim, determining that "a highly attenuated chain of possibilities[] does not satisfy the requirement that threatened injury must be certainly impending" and that plaintiffs cannot manufacture standing "merely by inflicting harm on themselves based on their fears of hypothetical future harm." Id. at 1148.
Based on Clapper, several lower courts have since held that an increased risk of future harm is not sufficient to establish standing because typically harm is not imminent. See, e.g., Remijas v. Neiman Marcus Grp., LLC, No. 14-C-1735, 2014 WL 4627893, at *4 (N.D. Ill. Sept. 16, 2014) ("[T]he complaint does not adequately allege that the risk of identity theft is sufficiently imminent to confer standing."); In re Sci. Applications Int’l Corp. Backup Tape Data Theft Litig., No. MDL-2360, 2014 WL 1858458 (D.D.C. May 9, 2014) (finding that "[t]he degree by which the risk of harm has increased is irrelevant–instead, the question is whether the harm is certainly impending"); Strautins v. Trustwave Holdings, Inc., No. 12-CV-09115, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014) ("To the extent that [plaintiff’s claims] are premised on the mere possibility that her [] [personal information] was stolen and compromised, and a concomitant increase in the risk that she will become a victim of identity theft, Strautins’ claim is too speculative to confer Article III standing.").

Other district courts, however, have taken a narrower view of Clapper. In one recent data breach case, a district court found that Clapper did not set forth a new Article III framework; rather, it "simply reiterated an already well-established framework for assessing whether a plaintiff had sufficiently alleged an ‘injury-in-fact’ for purposes of establishing Article III standing." In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 961 (S.D. Cal. 2014) (finding allegations that personal information was collected and wrongfully disclosed via a breach and subject to a "credible threat" of impending harm sufficient to establish Article III standing at the pleading stage); see also In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK, 2014 WL 4379916, at *7 (N.D. Cal. Sept. 4, 2014) (holding that the threat of future harm was sufficient to satisfy Article III standing requirements and noting that "the Court is reluctant to conclude that Clapper represents the sea change that Adobe suggests"). We anticipate that the import of Clapper will continue to be vigorously litigated, but for now, it remains a potentially powerful shield for defendants combatting nonspecific allegations of indeterminate harm.

B. Substantive Trends in Data Privacy Class Actions

1. Data Breach Litigation

The pace, scope, and sophistication of data breaches and cyberattacks continued to increase in 2014, placing businesses’ data security practices under heightened scrutiny from consumers, private litigants, and regulators. Breaches can expose the data of millions of individual consumers, resulting in potentially massive liability. As a result, companies may wish to consider such exposure and consult with experienced counsel when making decisions about data security measures, developing a data breach response plan before an incident occurs, and taking responsive action at the first sign of a potential breach. Although an early and informed response may not altogether prevent a wave of putative class action suits, it makes it easier for a company to mount an effective defense.

While we have yet to see a data breach class action successfully reach a jury verdict, in 2014 plaintiffs survived motions to dismiss in a number of key cases. This section examines data breach class action suits in the following postures: (a) those that have been dismissed due to lack of standing; (b) those that have survived motions to dismiss despite alleging only an increased risk of future harm; (c) those that have survived motions to dismiss through allegation of more than a risk of future harm; and (d) those that have just recently been filed.

a. Cases Dismissed for Lack of Standing

Despite the proliferation of data breach class actions, plaintiffs still face significant obstacles in getting their claims into court. The greatest roadblock–as discussed above–continues to be establishing standing under Article III of the U.S. Constitution, and most suits fail at this stage. In data breach cases, standing is a significant issue when personal information has been exposed or stolen but there is no evidence that it has been misused. In these cases, plaintiffs seek to establish standing based on a fear of potential future harm, such as identity theft or fraud.

Several defendants have successfully filed motions to dismiss for lack of standing by relying on the 2013 Supreme Court case, Clapper v. Amnesty International, discussed in greater detail above. Recent examples of class action data breach lawsuits dismissed for lack of standing demonstrate the difficult standard plaintiffs must reach to demonstrate actual injury. When Nationwide, P.F. Chang’s China Bistro, and Neiman Marcus each reported massive consumer data breaches, several of their customers filed putative class actions, but failed to move beyond the motion to dismiss stage. In all three actions, the courts found a lack of standing on the basis that an increased risk of identity theft or costs associated with mitigating that risk did not sufficiently demonstrate a redressable injury. Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 654 (S.D. Ohio 2014) (holding that "an increased risk of identity theft . . . is not itself an injury-in-fact because Named Plaintiffs did not allege . . . that such harm is ‘certainly impending’"); Lewert v. P.F. Chang’s China Bistro, No. 14-cv-4787, 2014 U.S. Dist. LEXIS 171142, at *8-9 (N.D. Ill. Dec. 10, 2014) (holding that speculation of future harm–such as potential identity theft–does not constitute actual injury and any unauthorized charges and bank fees would have been reimbursed by banks) (notice of appeal pending before Seventh Circuit); Remijas v. Neiman Marcus Group, LLC, No. 14 C 1735, 2014 U.S. Dist. LEXIS 129574, at *9 (N.D. Ill. Sep. 16, 2014) (holding that while increased risk of fraudulent charges was sufficiently imminent under Clapper because 9,200 stolen cards had already been misused, plaintiffs would not suffer any concrete harm given banks’ reimbursement policies).

b. Cases Where an Increased Risk of Harm Was Sufficient to Confer Standing

While most cases to date have failed when plaintiffs cannot allege that their information has actually been misused, two district courts, both within the Ninth Circuit, found standing this year under exactly those circumstances. First, in In re Sony Gaming Networks & Customer Data Security Breach Litigation, hackers obtained data for as many as 31 million Sony users through the PlayStation network, including credit and debit card information. In response to Sony’s first motion to dismiss, the district court cited Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010), and held that plaintiffs had shown standing based on an increased risk of future harm. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 958 (S.D. Cal. 2012). Sony then asked the court to reevaluate its opinion in light of the Supreme Court’s holding in Clapper, but the court once again found that plaintiffs had standing, holding that neither Krottner nor Clapper requires plaintiffs to allege that information was misused by a third party. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014).
The court further held that Clapper had not set forth a new Article III framework overruling Krottner’s standard that injury be "real and immediate." Id. at 961. The court left eight of the fifty-three claims intact, dismissing the others. In July 2014, Sony agreed to a $15 million preliminary settlement, which the court will review in a final fairness hearing in May 2015.

Second, Adobe Systems was hit with several putative class actions following a 2013 attack on its network that compromised the private information of approximately 38 million customers. Several of these cases were consolidated in the U.S. District Court for the Northern District of California, and plaintiffs filed a consolidated class action complaint in April 2014. The court, in response to Adobe’s motion to dismiss for lack of standing, found that "the threatened harm alleged here is sufficiently concrete and imminent to satisfy Clapper" because plaintiffs’ personal information (including names, usernames, passwords, phone numbers, addresses, and credit card numbers) had allegedly been stolen during the breach, and had in some instances already surfaced on the Internet. In re Adobe Systems Inc. Privacy Litig., No. 13-CV-05226-LHK, 2014 U.S. Dist. LEXIS 124126, at *27 (N.D. Cal. Sep. 4, 2014). Accordingly, the court held that "there is no need to speculate as to whether Plaintiffs’ information has been stolen . . . [or] whether the hackers intend to misuse the personal information . . . or whether they will be able to do so." Id. at *28. Finally, since the court found that the threatened harm was certainly impending, it held that costs for credit-monitoring services were also an injury that conferred standing.

c. Cases Alleging More Than an Increased Risk of Harm

While plaintiffs have been mostly unsuccessful at establishing standing based on increased risk of future misuse of their personal information, they have more effectively defeated motions to dismiss when their alleged injuries have extended beyond risk of future harm. In 2012, hackers infiltrated LinkedIn’s computer systems and posted the passwords of approximately 6.5 million users on the Internet. Within days, plaintiffs filed suit, alleging breach of contract and violations of both the fraud and unfair business act prongs of California’s Unfair Competition Law ("UCL"). The court dismissed the named plaintiff’s initial complaint for lack of standing because she had only alleged an increased risk of future harm without alleging actual misuse of her information. In her second amended complaint, the plaintiff alleged that she was among a group of individuals who had paid for LinkedIn’s premium subscription in reliance on LinkedIn’s Privacy Policy, which had stated that LinkedIn had adequate security procedures. Accordingly, she asserted that LinkedIn’s failure to adhere to industry standards and its Privacy Policy had caused the breach that revealed her password. The plaintiff’s allegation that she had acted in reliance upon LinkedIn’s misrepresentation in its Privacy Policy, and would not have purchased a premium subscription otherwise, proved sufficient to confer standing under both Article III and California’s UCL. In re LinkedIn User Privacy Litig., No. 5:12-CV-03088-EJD, 2014 U.S. Dist. LEXIS 42696, at *11 (N.D. Cal. March 28, 2014). The judge dismissed most of the claims, but allowed the plaintiffs to proceed with the fraud claim under the UCL. LinkedIn has since agreed to pay $1.25 million to settle this suit, and the court is scheduled to review the parties’ proposed settlement this month.
In December 2013, Target experienced a massive data breach that compromised credit card information for around 40 million customers and personal information for about 70 million customers. The company was subsequently named in over fifty class actions, both on behalf of consumers and on behalf of issuer banks, which were later consolidated in the U.S. District Court for the District of Minnesota. Upon Target’s motion to dismiss the consumer complaint, the court disagreed with Target’s argument that plaintiffs had not sufficiently demonstrated an injury based on unauthorized credit/debit card charges because there was no indication that these charges had gone unreimbursed. In re Target Corp. Customer Data Sec. Breach Litig., No. 14-md-2522 PAM/JJK, 2014 WL 7192478 (D. Minn. Dec. 18, 2014). The court held that this argument "set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage," and that it was sufficient for plaintiffs to allege that they had suffered injuries that were "fairly traceable" to Target’s conduct. Id. at *2. With respect to the issuer banks’ class complaint, the court likewise denied Target’s motion to dismiss. In re Target Corp. Customer Data Sec. Breach Litig., No. 14-md-2522 PAM, 2014 U.S. Dist. LEXIS 167802 (D. Minn. Dec. 2, 2014). Notably, standing was not a concern in this instance, since the plaintiff issuer banks had borne the financial losses arising from fraudulent charges on their customers’ payment cards. Moreover, the court found that Target owed a duty of care to the issuer banks with regard to its data security practices, and that the breach was foreseeable because Target had deliberately disabled one of the security features that could have prevented the harm. Id. at *9. The claims brought on behalf of consumers and banks will now move forward to the class certification stage.

d. Recently Filed Complaints

There are several additional data breach class actions currently pending in courts across the country. For example, plaintiffs filed a class action complaint against eBay in July 2014, stemming from a cyberattack in which up to 233 million consumers’ personal data allegedly was compromised due to eBay’s lack of sufficient data encryption. See Collin Green v. eBay Inc., No. 2:14-cv-01688-SM-KWR (E.D. La. July 23, 2014). eBay has filed a motion to dismiss based on lack of standing under Clapper, which is currently pending before the court. Several other class actions are currently at the filing stage; it remains to be seen how the decisions in these cases will further shape the nature of the burden that plaintiffs and defendants face to prevail in data breach lawsuits. See, e.g., Shane K. Enslin, et al. v. The Coca-Cola Co., et al., No. 2:14-cv-06476-JHS (E.D. Pa. Nov. 12, 2014) (putative class action based on theft of 55 computers containing personal information of 74,000 current and former Coca-Cola employees); Barbara Irwin v. Jimmy Johns, No. 2:14-cv-02275-HAB-DGB (C.D. Ill. Nov. 6, 2014) (putative class action based on credit card fraud resulting from data breach at over 200 Jimmy Johns’ locations and theft of thousands of consumers’ personal information); In re The Home Depot, Inc., Customer Data Sec. Breach Litig., No. 14-md-02583 (N.D. Ga. Dec. 11, 2014) (putative class action based on data breach exposing up to 56 million credit and debit card numbers); Corona, et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-9600 (C.D. Cal. Dec. 15, 2014) (action based on data breach that exposed internal emails and the Social Security numbers, employee files, and medical information of over 47,000 current and former employees, allegedly due to inadequate encryption and password protection).

2. Email Scanning Litigation

In the last few years, plaintiffs have filed several class action lawsuits against major players in Silicon Valley alleging that scanning user emails for use in targeting advertising violates various state and federal laws. As is often the case in privacy class actions, the initial proposed classes in some of these suits include all or many users of the services, and therefore the scope of these cases, at least at the outset, is potentially massive. What is more surprising is that these lawsuits allege privacy violations based on what many consider to be standard industry practices. Companies operating any sort of electronic communications service should consider the issues raised by these suits, particularly with respect to the permissible collection and use of such communications and the kinds of disclosures that may satisfy consent to such collection and use.

In the first of several suits, collectively known as the In re Google Gmail Litigation, plaintiffs sued Google alleging improper scanning of user emails without consent. See Dunbar v. Google, Inc., No. 10-cv-194 (E.D. Tex. Nov. 17, 2010). By May 2013, the Dunbar action and six other actions involving substantially similar allegations against Google were centralized into a multidistrict action before U.S. District Judge Lucy H. Koh of the Northern District of California. Plaintiffs in the seven actions together filed a consolidated complaint in May 2013, asserting violations of the federal Electronic Communications Privacy Act ("ECPA") (18 U.S.C. §§ 2510, et seq.), the California Invasion of Privacy Act ("CIPA") (Cal. Penal Code §§ 631 and 632), and various state laws. In re Google Gmail Litig., No. 13-md-02430, Dkt. No. 38. Broadly stated, each plaintiff alleged that Google mined the content of private Gmail messages without users’ permission, for the purpose of targeting advertising, resulting in financial gain for the company.
Google moved to dismiss the consolidated complaint shortly thereafter, asserting, among other things, that scanning emails fell within ECPA’s exemption for activities taking place in the "ordinary course of its business," and that, in any event, plaintiffs consented to scanning of their emails by agreeing to Google’s terms of service and privacy policies.  Judge Koh denied this motion to dismiss in September 2013.  She held that plaintiffs plausibly alleged that Google’s scanning of emails is not in its ordinary course of business because it is contrary to Google’s stated practices and is not instrumental to Google’s ability to transmit emails.  Judge Koh also held that the plaintiffs neither expressly nor impliedly consented to the scanning of their emails by accepting Google’s terms of service and privacy policies, since those policies merely disclosed the possibility, not the certainty, that Google scans emails, and did not disclose scanning for the specific purposes alleged by plaintiffs.  Judge Koh also denied Google’s motion to dismiss the CIPA § 631 claim, holding that CIPA does apply to email communications and that the public utility exception did not apply.  She did, however, grant Google’s motion to dismiss plaintiffs’ CIPA § 632 claim, holding that Internet-based communications cannot be "confidential" under CIPA.  Finally, Judge Koh granted Google’s motion to dismiss some of plaintiffs’ other state-law claims, but declined to dismiss those that derived from the ECPA claims.  Google then sought interlocutory review of the court’s order denying its motion to dismiss, requesting clarification of the "ordinary course of business" and "consent" exceptions to ECPA, but Judge Koh likewise denied this motion.  In March 2014, Judge Koh also denied plaintiffs’ motion for class certification, holding that individual issues regarding whether members of the various classes consented to the alleged interceptions would predominate over common issues.  
The plaintiffs sought permission to appeal the decision under Federal Rule of Civil Procedure 23(f), but the Ninth Circuit denied the request. The parties then stipulated to dismissal of all claims with prejudice.

In October 2013, shortly after Judge Koh’s decision denying Google’s motion to dismiss, six separate class action complaints were filed against Yahoo! alleging similar theories, each accusing the company of scanning emails for purposes of targeted advertising and user profiling in violation of plaintiffs’ privacy rights. In January 2014, two plaintiffs stipulated to dismissal of their claims, and Judge Koh consolidated the remaining four cases. See Holland et al v. Yahoo! Inc., No. 13-cv-04980, Dkt. No. 27 (Jan. 22, 2014). Plaintiffs filed a consolidated class action complaint in February 2014, and the following month, Yahoo! filed a motion to dismiss. In August 2014, Judge Koh issued an opinion, without oral argument, granting Yahoo!’s motion in part and denying in part. The court granted Yahoo!’s motion to dismiss the ECPA claim, finding that Yahoo!’s terms of service established express consent under ECPA, since they explicitly disclosed Yahoo!’s practice of scanning emails in order to target advertising and create user profiles. The court also granted Yahoo!’s motion to dismiss plaintiffs’ claim under the SCA alleging that Yahoo! accessed stored communications, since electronic service providers have immunity from such claims. The court also dismissed plaintiffs’ claim under the California Constitution, which requires that plaintiffs plead specific content in which they allege a privacy interest. However, the court denied Yahoo!’s motion to dismiss plaintiffs’ CIPA § 631 claim and their claim under the SCA alleging that Yahoo! disclosed emails without authorization. The plaintiffs did not file an amended complaint, and the parties are conducting discovery.
Plaintiffs have indicated that they will seek to certify only a Rule 23(b)(1) and/or (b)(2) class (not a (b)(3) "damages" class), perhaps in an effort to avoid the predominance issues that doomed the Gmail case.

3. VPPA Litigation

Plaintiffs have continued to bring putative privacy class action claims under previously infrequently litigated statutes like the Video Privacy Protection Act ("VPPA"), 18 U.S.C. § 2710. The VPPA creates significant monetary exposure via a minimum $2,500 per-person liquidated damages provision for "video tape service providers" that knowingly disclose "personally identifiable information concerning any consumer," subject to certain exceptions. A plaintiff asserting a VPPA violation typically argues that the website publisher has violated the statute by disclosing the plaintiff’s video viewing information in connection with a device identifier to third-party analytics companies or advertising networks.

A California federal magistrate judge ruled in 2012 that online digital content distributor Hulu was a "video tape service provider" within the meaning of the Act, even though Hulu does not distribute physical video tapes. In re Hulu Privacy Litig., No. 11-cv-3764 LB, 2012 WL 3282960, at *6 (N.D. Cal. Aug. 10, 2012) (Beeler, Mag. J.) (analyzing the legislative history of the statute and the ordinary meaning of "audio visual materials"). Hulu subsequently moved for summary judgment on the basis that the plaintiffs had no evidence of actual injury, arguing that such injury is required by the statute. On December 20, 2013, the court issued an order solely addressing the question of whether the VPPA requires plaintiffs to show actual injury separate from a statutory violation. In re Hulu Privacy Litig., 2013 WL 6773794 (N.D. Cal. Dec. 20, 2013).
In a decision that adds to the split of authority on this issue, the court rejected Hulu’s argument that the word "aggrieved" in the statute requires an additional injury, concluding that the VPPA "requires only injury in the form of a wrongful disclosure." Id. at *4. The court refused to credit Hulu’s reliance on Sterk v. Best Buy Stores, L.P., No. 11-cv-1894, 2012 WL 5197901 (N.D. Ill. Oct. 17, 2012), for the proposition that actual injury is a prerequisite to recovering any damages under the VPPA. Id. at *8. The court instead concluded that actual injury is not required by the statute, in part because "the Ninth Circuit recognizes that a plaintiff satisfies Article III’s injury-in-fact requirement by alleging a violation of a statutorily-created right." Id. at *8 (citing Edwards v. First Am. Corp., 610 F.3d 514, 515-16 (9th Cir. 2010)).

Hulu brought a second motion for summary judgment in 2014, arguing that the company’s sharing of anonymized video viewing data with third parties did not constitute a "knowing" disclosure of personally identifiable information, as required by the VPPA. In April 2014, the court granted the motion as to information Hulu shared with metrics company ComScore, but denied it as to information shared with a social networking company. In re Hulu Privacy Litig., No. 11-cv-3764 LB, 2014 WL 1724344 (N.D. Cal. Apr. 28, 2014) (observing that "[t]he statute does not require an actual name" and denying defendant summary judgment as to disclosures to third party of the user’s alleged identity, even though no "actual" name was transmitted). The inquiry was fact-dependent, and the court held that the record contained fact issues concerning Hulu’s knowledge of what information was being transmitted. The court held that, in appropriate circumstances, disclosing a user ID (rather than an actual name) along with video viewing information could constitute a violation of the VPPA.
The most recent development in the Hulu case is the court’s denial of the plaintiffs’ motion for class certification–without prejudice–on June 17, 2014. The court held that, on the record before it, the plaintiffs had not proposed an ascertainable class. Hulu currently has another motion for summary judgment pending, which is scheduled for hearing on February 26, 2015.

A recent unpublished federal decision in New Jersey relied on the Hulu court’s analysis with regard to the scope of information covered by the VPPA. In re Nickelodeon Consumer Privacy Litig., No. 12-cv-7829, 2014 U.S. Dist. LEXIS 91286, at *39 (D.N.J. July 2, 2014). Agreeing that the statute is triggered by disclosure of something "akin" to a name, the Nickelodeon court found that information disclosed to Google by Viacom did not rise to that level, dismissing the claims in that case. Specifically, the Nickelodeon plaintiffs had alleged that Viacom collected their gender, age range, and video materials requested and disclosed that information to Google for purposes of targeted advertising. The court found that such information "does not link an identified person to a specific video choice" and, therefore, did not qualify as personally identifiable information within the meaning of the statute. Accordingly, the court dismissed the claim. Id. at *40, *46-47.[1] Three other recent decisions have narrowed the field regarding what types of disclosure actually constitute "personally identifiable information" under the VPPA. In Ellis v. Cartoon Network Inc., a plaintiff downloaded an app onto his Android device to watch cartoon video clips, after which the app allegedly transmitted his video-watching history and "Android ID" to a data analytics company without the plaintiff’s consent. 2014 U.S. Dist. LEXIS 143078 (N.D. Ga. Oct. 8, 2014). The court dismissed the plaintiff’s VPPA claim, finding that an Android ID did not identify a particular person, and thus there was no violation of the VPPA.
Id. at *8-9. Similarly, in Eichenberger v. ESPN, the court held that the information allegedly disclosed to a third party (the plaintiff’s Roku device serial number and viewing records) did not fall within the VPPA’s definition of personally identifiable information ("PII"). No. 14-cv-0463 (W.D. Wash. Nov. 24, 2014). It further added that while ESPN could be found liable for disclosing both "a unique identifier and a correlated look-up table" by which an individual could be identified as a particular person who watched particular videos, the plaintiff had not sufficiently supported his theory that Adobe already had such a "look-up table." Finally, in Locklear v. Dow Jones & Co., the court dismissed the plaintiff’s claim that Dow Jones had distributed PII of consumers who used its Wall Street Journal Channel on Roku TV boxes to third parties, in violation of the VPPA. No. 14-744 (N.D. Ga. Jan. 23, 2015). The court rejected the plaintiff’s claims that third-party analytics providers could identify her based on Dow Jones’s disclosure of her Roku serial number and the video titles she watched. In particular, the court deemed fatal the plaintiff’s admission that the third party had to incorporate information from ‘other sources’ in order to link her serial number to her; it concluded that the Roku serial number, without more, did not identify a particular person and did not constitute PII under the VPPA, and thus that no violation could be found.

Still another key aspect of the recent VPPA decisions is whether particular plaintiffs fall within the VPPA’s definition of "consumers." The VPPA defines "consumer" as a "renter, purchaser or subscriber of goods or services from a video tape service provider." 18 U.S.C. § 2710(a)(1). Defendants have contended in recent VPPA cases that plaintiffs cannot be subscribers, and therefore are not consumers, simply by visiting a website.
While courts seem to accept that visiting a website alone is insufficient, the threshold for qualifying as a subscriber is low. For example, the Hulu court determined that the plain language of the statute did not require that plaintiffs pay for a company’s services to be considered subscribers. In re Hulu Privacy Litig., 2012 WL 3282960 at *8 ("If Congress wanted to limit the word ‘subscriber’ to ‘paid subscriber,’ it would have done so."). It was sufficient that plaintiffs alleged that "they signed up for a Hulu account, became registered users, received a Hulu ID, established Hulu profiles, and used Hulu’s video streaming services." Id. at *7. Likewise, in Ellis v. Cartoon Network, Inc., the court approved Judge Beeler’s analysis in Hulu and held plaintiff qualified as a subscriber, and accordingly, as a consumer, because "[h]e downloaded the CN App and used it to watch video clips. His Android ID and viewing history were transmitted to [the data analytics company]." 2014 U.S. Dist. LEXIS 143078, at *5-*6.

The courts have also recently analyzed the reach of the VPPA’s "ordinary course of business" exemption. The VPPA provides this exemption for disclosures made for "debt collection activities, order fulfillment, request processing, and transfer of ownership." 18 U.S.C. § 2710(a)(2). For instance, in Sterk v. Redbox, a district court granted summary judgment to Redbox, holding that its disclosure of consumer information to an outside party that provided customer support services was part of its ordinary course of business under the VPPA. No. 11-1729, 2013 WL 4451223, at *5-6 (N.D. Ill. Aug. 16, 2013). On appeal, the Seventh Circuit affirmed and held that Redbox’s actions fell within the VPPA’s exception for disclosures in the ordinary course of business–more precisely, disclosures incident to "request processing." Sterk v. Redbox Automated Retail, LLC, No. 13-3037, 2014 WL 5369416, at *2-3 (7th Cir. Oct. 23, 2014).
Finally, various plaintiffs have filed a series of lawsuits in the past year claiming that various online streaming media providers–such as CNN, The Wall Street Journal, and Disney–violated the VPPA. As of this writing, there have been no substantive orders in these cases. See, e.g., Perry v. CNN, No. 14-1194 (N.D. Ill.); Robinson v. Disney, No. 14-cv-04146 (S.D.N.Y.); Austin-Spearman v. AMC, No. 14-cv-06840 (S.D.N.Y.).

4. ECPA Litigation and the "Contents of Communications"

Over the past several months, several federal courts have weighed in on the scope of the ECPA, providing further color to the statute’s definition of the "contents of communications."

Most notably, on May 8, 2014, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s dismissal of two putative class actions against Facebook and social gaming company Zynga in consolidated cases for alleged violations of the SCA, the federal Wiretap Act, and the ECPA. In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014). In Zynga, when a user clicked on an advertisement or the Zynga game icon on Facebook, the user’s web browser sent an HTTP request containing a "referer header" in order to access the online resource requested, which contained the user’s Facebook ID and the address of the Facebook page the user was viewing at the time. According to the plaintiffs, Zynga’s collection and transmission of this information to third-party advertisers violated the ECPA. The Ninth Circuit rejected the plaintiffs’ argument that Zynga’s actions violated the ECPA, holding that neither Facebook nor Zynga disclosed the "contents" of a communication, as required by the ECPA, in disclosing this referer header information to third-party advertisers.
In so holding, the Ninth Circuit reviewed the plain meaning and history of ECPA and concluded that it distinguishes between disclosure of customer "record information," such as name, address, and subscriber identity, which is permitted under the law, and disclosure of the "contents of communications," or the "intended message conveyed by the communication," which is not. Zynga, 2014 WL 1814029 at *6-7. The Ninth Circuit disagreed with the plaintiffs’ argument that a Facebook ID and/or information about the webpage a user was viewing constituted the "contents of communications" because such information could lead advertisers to learn other information about users. Instead, the court concluded that the "referrer header information at issue here includes only basic identification and address information, not a search term or similar communication made by the user."

Other federal courts have looked to Zynga for guidance in determining whether information constitutes the "contents of communications" under the ECPA. For example, in July 2014, a New Jersey federal court dismissed six consolidated MDL class actions alleging that Viacom’s and Google’s practice of installing cookies on personal computers that were used by children to access three Nickelodeon websites violated several federal and state laws, including the Wiretap Act. In re Nickelodeon Consumer Privacy Litig., MDL No. 2443, 2014 WL 3012873 (D.N.J. July 2, 2014) (see supra for discussion of VPPA claim in Nickelodeon case). In dismissing the Wiretap Act claim, the court held in part that the cookies that were allegedly intercepted did not constitute the "contents of communications." Id. at *14. Citing Zynga, the court found that "contents" are defined as "information the user intended to communicate, such as the spoken words of a telephone call." Id.
Because personal information that is "automatically generated by the communication," such as an IP address or a URL, has "less in common with ‘the spoken words of a telephone call’" than it does with the telephone number dialed to initiate the call, the cookies allegedly intercepted were "more akin to ‘identification and address information.’" Id. at *15 (quoting In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014)). Additionally, in August 2014, Google won dismissal of a putative class action complaint alleging that Google violated ECPA, among other laws, by sending users’ contact information to developers when they used Google Wallet to make purchases. Svenson v. Google Inc., No. 13-CV-04080-BLF, 2014 WL 3962820 (N.D. Cal. Aug. 12, 2014). In dismissing the ECPA claim, the court noted that it did not "read Zynga so narrowly to mean that only automatically generated data may constitute record information," finding that the information at issue in the case–namely, the user’s name, email address, Google account name, home city and state, zip code, and in some instances, telephone number–is "the type of information that the Ninth Circuit recognized as record information in Zynga." Id. at *9.

5. California’s Song-Beverly Credit Card Act and Point-of-Service Data Collection

Since the California Supreme Court’s landmark 2013 decision in the Krescent case, 56 Cal. 4th 128 (2013), courts have continued to weigh in on the scope of California’s Song-Beverly Credit Card Act of 1971 ("Song-Beverly"), Cal. Civ. Code §§ 1747, et seq., which prohibits merchants from requesting or requiring a customer’s personal identification information as a condition of accepting a credit card payment.

The court in Krescent held that Song-Beverly "does not apply to online purchases in which the product is downloaded electronically." 56 Cal. 4th 128 at 133.
Krescent was a significant win for online retailers because–limited statutory exceptions notwithstanding, see Cal. Civ. Code § 1747.08(c)(3)(A)-(C)–the prohibitory language of Song-Beverly sweeps broadly, and those found in violation face potentially ruinous liability: merchants can face a civil penalty of up to $250 for the first violation and up to $1,000 for each subsequent violation. Id. § 1747.08(e). The court in Krescent declined to address Song-Beverly’s applicability to online transactions in general; the holding is expressly limited to purchases of electronically downloadable products. See Krescent, 56 Cal. 4th at 143. That said, the court based its decision heavily on what it identified as the California legislature’s primary intent when drafting the statute: to protect consumer privacy and prevent fraud. Id. at 139-41.

While Krescent’s holding is fairly narrow, the court’s concerns and reasoning about credit card fraud are hardly unique to electronically downloadable products. Indeed, since Krescent was decided, California courts have tended to place fraud prevention practices beyond Song-Beverly’s reach. See, e.g., Flores v. Chevron U.S.A. Inc., 217 Cal. App. 4th 337, 340 (2013) (granting summary judgment because requiring California customers to enter ZIP codes in pay-at-the-pump gas station transactions in locations with a high risk of fraud constituted a "special purpose" under §1747.08(c)(4) of the Act). Moreover, just a few months after Krescent, a California federal district court turned to the question that the California Supreme Court left open. In Ambers v. Buy.com, Inc., No. 13-cv-0196, 2013 WL 1944430 (C.D. Cal. Apr.
30, 2013), the court held that Song-Beverly does not apply to the online sales of shipped goods because a shipping address–the piece of additional information which the plaintiff conceded the retailer was permitted to collect–was not "equivalent to the ‘brick and mortar’ retailer’s ability to ask for a photo identification card or another ‘reasonable form of positive identification’ as ‘a condition to accepting the credit card’ under Section 1747.08(d)." Id. at *7. Applying Krescent, another California federal court held that email addresses constitute "personal identification information" under Song-Beverly, prohibiting offline retailers from collecting email addresses in connection with the completion of credit card transactions. Capp v. Nordstrom, Inc., No. 13-cv-660 MCE AC, 2013 WL 5739102 (E.D. Cal. Oct. 22, 2013). In Capp, the court rejected the defendant’s argument that the California legislature could not have intended to include email addresses as "personal identification information" because the passage of Song-Beverly predated the use of email and e-receipts in consumer transactions. Id. at *7-8. The court concluded that the basis for the court’s ruling in Krescent was the unavailability of safeguards against fraud in online transactions–not the unforeseeable nature of online transaction technology generally. Id.

Interestingly, the Ninth Circuit recently affirmed the dismissal of a putative class action alleging that Redbox Automated Retail LLC collects customers’ ZIP codes at Redbox kiosks in violation of the Song-Beverly Act, but it rejected the district court’s theory that Redbox was not liable because the California legislature could not have intended the statute to apply to automated kiosks due to the potential for fraud in kiosk transactions. Sinibaldi v. Redbox Automated Retail, LLC, 754 F.3d 70, 705 (9th Cir. 2014).
Instead, the court held that Redbox uses credit card information to secure potential future payments, conduct that falls within a statutory exception to Song-Beverly for transactions where the credit card is being used as a deposit to secure payment "in the event of default, loss, damage or similar occurrence" (Cal. Civ. Code § 1747.08(c)(1)). Id. at 707. It remains to be seen whether this novel holding will apply beyond the very narrow subset of businesses that engage in similar rental-type transactions.

California’s legislature has considered action in response to Krescent, Ambers, and the other cases described above. The California Senate in January 2014 passed Senate Bill 383, which would expand Song-Beverly to apply to online transactions for downloadable goods, but the bill is stalled in committee and is "unlikely to move forward this year," according to a representative in the office of the bill’s sponsor.[2] Certainty about Song-Beverly’s reach will come only when binding decisions are issued. But such decisions may be especially elusive given the increasing tendency to settle these cases, as recent six-figure settlements by entities such as Kohl’s Corp. and Ann Taylor Inc. demonstrate. Whittenburg v. Kohl’s Corp., No. 3:2011-cv-02320 (N.D. Cal.); Foos v. Ann Inc., No. 3:11-cv-02794 (S.D. Cal.).

6. TCPA Litigation

In the past two years, the number of lawsuits alleging violations of the Telephone Consumer Protection Act ("TCPA"), 42 U.S.C. §§ 227 et seq., has exploded. The likely draw for plaintiffs is the TCPA’s authorization for $500 to $1,500 per violation in statutory damages, which can be aggregated in class claims. This increased pursuit of TCPA claims has led to several large settlements, including a 2014 settlement in which Capital One Financial Corp.
and three collection agencies agreed to collectively settle a putative class action suit for $75.5 million–the largest settlement to date under the TCPA.[3] As companies continue to be targets for class action suits alleging TCPA violations, courts’ varying interpretations of the statute are particularly important.

In recent years, courts and the Federal Communications Commission ("FCC") have expanded the scope of liability under the TCPA. In May 2013, the FCC issued a declaratory ruling that sellers using third-party telemarketers can be vicariously liable for third-party violations of the TCPA under principles of agency. See Joint Petition Filed by DISH Network, LLC, for Declaratory Ruling Concerning the Telephone Consumer Protection Act (TCPA) Rules, Declaratory Ruling, FCC 13-54, 2013 WL 1934349 (May 9, 2013). The Ninth Circuit expanded upon the FCC’s ruling in Gomez v. Campbell-Ewald Co., 768 F.3d 871 (9th Cir. 2014), when it found that a third party, not just merchants, could be vicariously liable for violations of the TCPA. See also Thomas v. Taco Bell Corp., 2014 U.S. App. LEXIS 12547 (9th Cir. July 2, 2014). Companies should also be aware of the potential for direct liability even when messages are distributed by third parties. In Palm Beach Golf Center-Boca, Inc. v. John G. Sarris, D.D.S., P.A., the Eleventh Circuit found there was a genuine dispute as to whether a company could be directly liable for a fax sent on its behalf even when distributed by a third party. 2014 U.S. App. LEXIS 20870 (11th Cir. 2014). The court reasoned that the TCPA provided for direct liability for an entity on whose behalf goods or services were promoted by unsolicited fax advertisements even though the unsolicited fax was sent by a third party. Id. at *17. Consent has been another area of focus for TCPA litigation.
Effective October 2013, telemarketers must have express written consent prior to placing artificial or prerecorded telemarketing calls to a residential phone line or wireless number, sending text messages, or calling a wireless number using an automatic telephone system. See In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 02-278, Report and Order, FCC 12-21, ¶ 4 (February 15, 2012). The Eleventh Circuit has held that a district court did not have the authority to reject FCC rulings. See Mais v. Gulf Coast Collection Bureau, Inc., 768 F.3d 1110 (11th Cir. 2014). Specifically, the FCC ruling that autodialed and prerecorded message calls to wireless numbers provided by the called party to a creditor in connection with an existing debt are permissible as calls made with the ‘prior express consent’ of the called party continues to control. Id. at 1118. Though express consent can be obtained through intermediaries, companies relying on intermediaries should confirm that prior express written consent was obtained, inasmuch as they can still be liable under the TCPA. See In the Matter of Groupme, Inc./Skype Commc’ns S.A.R.L Petition for Expedited Declaratory Ruling Rules & Regulations Implementing the Tel. Consumer Prot. Act of 1991, 29 F.C.C. Rcd. 3442 (March 27, 2014). Express consent may become a powerful tool in defeating TCPA claims. Courts have also continued to debate whether lack of consent is an element of TCPA claims or an affirmative defense–and consequently, who has the burden of proving that customers have or have not consented to receive certain calls, texts, or faxes. In 2012, the Ninth Circuit suggested in dicta that lack of consent is an affirmative element of a TCPA claim. See Meyer v. Portfolio Recovery Assocs., LLC, 707 F.3d 1036 (9th Cir. 2012). Some courts have relied on this to hold that plaintiffs have the burden of proving non-consent. See, e.g., Stemple v.
QC Holdings, Inc., 2014 WL 4409817, at *6-7 (S.D. Cal. Sept. 5, 2014); Sepehry-Fard v. MB Fin. Servs., 2014 WL 2191994, at *2 (N.D. Cal. May 23, 2014). Others have stated "prior express consent is not an element of a TCPA plaintiff’s prima facie case, but rather is an affirmative defense for which the defendant bears the proof." Sailola v. Mun. Servs. Bureau, 2014 WL 3389395, at *7 (D. Haw. July 9, 2014); see also Heinrichs v. Wells Fargo Bank, N.A., 2014 U.S. Dist. 29910 (N.D. Cal. 2014) (distinguishing Meyer on the grounds that Meyer "did not decide whether lack of consent must be affirmatively pled to survive a Rule 12(b)(6) motion . . ."). Additionally, a number of circuits still consider the lack of consent an affirmative defense and thus impose the burden on the defendant to establish it. See Mais, 768 F.3d at 1126 (remanding case with instructions to enter summary judgment in favor of defendant’s "affirmative defense" of prior express consent); see also Crawford v. Target Corp., 2014 U.S. Dist. LEXIS 159203, *7 n.3 (N.D. Tex. Nov. 10, 2014) ("The Court is unpersuaded by Defendant’s argument that lack of consent is an element of the claim that plaintiff must assert."); Paldo Sign & Display Co. v. Wagener Equities, Inc., 2014 U.S. Dist. LEXIS 123111, *21-22 (N.D. Ill. 2014). Companies should remain informed as courts continue to grapple with these issues. A requirement that plaintiffs prove lack of consent could substantially decrease the likelihood of TCPA class actions and, therefore, companies’ potential exposure to TCPA violations.

Another trend in TCPA case law has been the general consensus that customers have a right to revoke consent to be contacted by autodialing systems. The Eleventh and Eighth Circuits have followed the Gager v. Dell Financial Services, 727 F.3d 265 (3d Cir. 2013) decision and the Third Circuit’s recognition of the right of revocation for consumers who no longer want to be contacted by autodialing systems. Osorio v.
State Farm Bank, F.S.B., 746 F.3d 1242, 1255 (11th Cir. 2014); Brenner v. Am. Educ. Servs., 575 F. App’x 703 (8th Cir. 2014). Companies should be sure to recognize when customers have revoked their consent to be contacted.

Finally, in 2014, courts grappled with the interpretation of "capacity" for automatic telephone dialing systems ("ATDS")–which are defined as equipment with the capacity: (a) to store or produce telephone numbers to be called, using a random or sequential number generator; and (b) to dial such numbers. 47 U.S.C. § 227(a)(1)(A)-(B). Most courts have held that a device is considered an ATDS only if it has the present capacity to generate random phone numbers, not if it has the potential capacity to generate numbers or make phone calls. See Hunt v. 21st Mortg. Corp., 2013 U.S. Dist. LEXIS 132574 (N.D. Ala. Sept. 17, 2013); Gragg v. Orange Cab Co., 995 F. Supp. 2d 1189 (W.D. Wash. Feb. 7, 2014); Dominguez v. Yahoo!, Inc., 8 F. Supp. 3d 637 (E.D. Pa. 2014). However, it is possible that the potential capacity to generate numbers is relevant to the ATDS inquiry. See Sherman v. Yahoo! Inc., 997 F. Supp. 2d 1129 (S.D. Cal. 2014). Companies should also be aware of the possibility of liability for devices that have the capability to store and dial numbers, as at least one court has found that a predictive dialer constitutes an ATDS regardless of whether the system has the capability of random or sequential number generation. See Davis v. Diversified Consultants, Inc., 2014 U.S. Dist. LEXIS 87867 (D. Mass. June 27, 2014).

II. Regulatory and Policy Developments

A. FTC Enforcement Trends

1. Cybersecurity, Data Breaches, and Legal Challenges to the FTC’s Authority

Having pursued more than 50 data security cases since 2000–and with almost half of those cases brought since 2010–the FTC has positioned itself as the de facto federal data-security regulator (despite the continuing lack of a clear congressional directive to fulfill this role). In the past year, the FTC continued its aggressive pursuit of consent agreements related to cybersecurity and data breaches and other Internet- and mobile-related practices. These consent agreements and settlements are detailed in Section II.A.3.

Over the past three years, two companies have decided to test the FTC’s authority in this area in closely watched cases. In 2014, a New Jersey federal court issued the first opinion by any court on whether the FTC has the authority to regulate in the data-security arena pursuant to Section 5 of the FTC Act. In June 2012, the FTC filed suit against Wyndham Worldwide Corporation, a global hospitality company, alleging that (1) the breach of its franchisees’ computer systems, giving intruders access to Wyndham customers’ personal and financial information, constituted unfair business practices, and (2) Wyndham made deceptive representations to consumers that it employed reasonable and appropriate security measures. Wyndham moved to dismiss the complaint, raising challenges to the FTC’s authority on two grounds. First, Wyndham argued that Congress’s passage of various laws that touch on data security (including the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act ("COPPA")) has effectively limited the FTC’s authority to regulate data security issues. The court rejected this challenge, holding instead that "the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme." Second, Wyndham asserted that the FTC had failed to promulgate sufficiently clear regulations in violation of the due process clause.
The court rejected this challenge as well, finding that the test established under Section 5(n) of the FTC Act, as well as the host of publicly available prior FTC complaints and consent orders, collectively provide actors with sufficient notice of what constitutes noncompliant activity. The court’s order is currently being challenged in an interlocutory appeal before the Third Circuit, and a decision is expected in 2015. Another company joined the fight with a more narrowly tailored challenge to the FTC’s data-security authority in November 2013. LabMD, a cancer-screening medical laboratory, moved to dismiss an administrative complaint that the FTC filed against it in August alleging that it lacked appropriate data security and unfairly exposed the private health and personal data of more than 9,000 consumers. LabMD argued that the "plain language [of Section 5 of the FTC Act] does not authorize patient-information data-security regulation," and that only the U.S. Department of Health and Human Services ("HHS") is empowered to regulate patient-information data-security practices within the healthcare sector. The Commission–which has the authority to resolve such motions filed in connection with administrative proceedings–disagreed, finding instead that Congress had delegated it "broad authority . . . to determine what practices were unfair, rather than enumerating the particular practices to which [the term ‘unfair’ in Section 5] was intended to apply."

LabMD further argued that even if the FTC shares joint regulatory authority with the HHS over the healthcare sector, the FTC’s failure to publish data-security regulations, guidance, or standards explaining what is forbidden or required by Section 5 nevertheless deprives LabMD and similarly situated entities of "constitutionally required fair notice."
The Commission likewise rejected this argument, stating that "such complex questions relating to data-security practices in an online environment are particularly well-suited to case-by-case development in administrative adjudications or enforcement proceedings." Nevertheless, the FTC’s administrative action against LabMD was delayed in June 2014, after a letter from a Republican-led House investigative committee surfaced claiming that crucial information in the FTC’s investigation provided by Tiversa, Inc.–a cybersecurity firm and a key player in the agency’s case–was incomplete and inaccurate. The parties are currently awaiting the testimony of Rick Wallace, a former Tiversa employee, who was granted immunity by the Attorney General in November 2014.

In addition to raising this aggressive defense in an administrative context, LabMD has also pursued a parallel strategy in federal court: in May 2014, the U.S. District Court for the Northern District of Georgia dismissed a motion for preliminary injunction filed by LabMD seeking to stay the FTC action. The court found that it lacked jurisdiction to enjoin the ongoing proceedings of a federal agency. LabMD appealed this decision to the Eleventh Circuit, arguing that the FTC’s actions are currently subject to judicial review because LabMD’s constitutional claims need not wait until the agency takes a final action and the Commission’s denial of LabMD’s motion to dismiss solidified the FTC’s position that its authority extends to regulation of medical data-privacy. In a decision issued on January 20, 2015, the Eleventh Circuit rejected these arguments, ruling that federal courts don’t have jurisdiction to hear LabMD’s claim until the administrative proceeding concludes.
The court reasoned that "[b]ecause we hold that the FTC’s Order denying LabMD’s motion to dismiss was not a ‘final agency action,’ as is required of claims made under the [Administrative Procedure Act]," the district court properly dismissed LabMD’s claims.

Although we will continue to watch these cases with interest, one thing can be said with certainty: these legal challenges to the FTC’s regulatory power over data-security matters do not appear to have inhibited the FTC’s vigor for bringing enforcement actions in this realm. In 2014, the FTC brought eight additional data security-related enforcement actions–all of which have resulted in consent orders.

2. The U.S.-EU Safe Harbor

On January 21, 2014, the FTC announced that it had settled with twelve U.S. companies over noncompliance with international privacy frameworks. Two other companies were added to this list in February and May 2014. After a public comment period, the FTC approved final settlement orders on June 25, 2014. The companies had represented that they abided by the U.S.-EU Safe Harbor framework (and, in three cases, also the U.S.-Swiss Safe Harbor framework) by displaying certification signage or statements in their privacy policies. The FTC alleged that in reality, the companies did not comply with these data protection frameworks.

The U.S.-EU Safe Harbor enables U.S. companies to transfer consumer data from the European Union ("EU") to the United States in compliance with EU law. To participate, a company must comply with the principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. After opting in, a company must recertify every twelve months. It can either perform a self-assessment to verify that it complies with the principles or hire a third party to conduct this assessment.
In this series of cases, the FTC focused on companies that allegedly allowed their self-certification to lapse while still asserting through website statements and privacy policies that their certifications were current.  The fourteen companies that settled with the FTC represent a cross-section of industries, including retail, laboratory science, data brokering, debt collection, information security, online gaming, and professional sports (including three NFL teams–the Atlanta Falcons, Denver Broncos, and Tennessee Titans).  Under the settlements, the companies agreed to cease misrepresenting the extent of their participation in privacy or data security programs sponsored by the government or any other self-regulatory or standard-setting organization.  This wave of consent decrees may be just the start of an increased focus on the Safe Harbor and the self-certification process at least in part in response to increased European scrutiny of U.S. data transfer and surveillance revealed by Edward Snowden. The FTC has also directed attention to third-party privacy certifications.  On November 17, 2014, the FTC announced a settlement with True Ultimate Standards Everywhere, Inc. ("TRUSTe").  TRUSTe is a leading provider of privacy certifications for online businesses.  TRUSTe provides certification seals that indicate that an online business complies with privacy standards such as the U.S.-EU Safe Harbor Framework, the COPPA, and TRUSTe-specific programs.  The FTC’s complaint alleged that TRUSTe represented that it conducted annual recertification of businesses displaying its privacy seals but in fact failed to conduct these recertification examinations in over 1,000 instances.  The complaint also alleged that TRUSTe–which converted from a non-profit to a for-profit entity in 2008–failed to require businesses to update website and privacy policy language that referred to TRUSTe as a non-profit entity.  
Under the consent order, TRUSTe will be required to refrain from misrepresenting its certification process or timeline as well as its corporate status.  TRUSTe will also be required to pay $200,000 and to provide increased reporting and records to the FTC in relation to its COPPA certification activities.             3.   High-Profile FTC Consent Decrees                     a.   Consent decrees regarding faulty data security practices Much of the FTC’s work in the data security arena involves policing companies’ adherence to advertised security policies and practices via consent decrees and settlements.  For example, in March 2014, Fandango and Credit Karma settled with the FTC over charges that the companies’ apps had placed consumers’ personal data at risk, in contravention of the companies’ security promises, by disabling SSL certificate validation.[4] According to the FTC, this left the apps open to interception of data by third parties, particularly when users were connected on a public Wi-Fi network. [5]  These settlements require Fandango and Credit Karma to establish comprehensive security programs and consent to biennial privacy audits for the next twenty years.  The Fandango and Credit Karma settlements are indicative of the settlement conditions the FTC routinely seeks (and obtains) in data security consent decrees.  Indeed, several other settlements in the past year include nearly identical terms.  For example, recent settlements with Accretive Health,[6] Genelink,[7] and GMR Transcription Services, Inc.[8] all include requirements that the companies adopt comprehensive information security programs and undergo biennial monitoring for the next twenty years. A recent high-profile decision by the FTC not to sue Verizon, meanwhile, offers some insights into steps that companies can take to minimize the likelihood of this type of intrusive and far-reaching consent decree.  
The FTC was investigating Verizon’s use of an outdated encryption method as the default security setting on Internet routers that Verizon shipped to customers.[9]  The practice allegedly made Verizon customers vulnerable to hackers.[10]  After investigation, however, the FTC declined to bring a complaint and cited factors including "Verizon’s overall data security practices related to its routers, along with efforts by Verizon to mitigate the risk to its customers’ information."[11]  In addition to having relatively robust data security policies, Verizon aggressively responded to the router issue by resetting all new routers with a more robust security setting and implementing an outreach campaign to all customers who were using the outdated security standards.[12]   Notably, the FTC’s letter emphasized that "data security is an ongoing process" and that "what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them."[13]   Though the full import of the FTC decision not to bring an action against Verizon has yet to be determined, the letter at least affirms that the FTC will consider a company’s overall data security practices and responsiveness in light of a quickly evolving threat landscape.                      b.   Consent decrees regarding deceptive practices in collection of PII  The FTC also continued its crackdown on deceptive practices related to the use of PII throughout the past year, particularly related to various technology companies, from the perspective of both web and mobile applications.  Snapchat, the popular communications app, settled charges of misleading consumers over exactly how much PII it was collecting, as well as users’ abilities to store and share messages that Snapchat claimed were only temporary and would disappear.[14]  In addition, failure to secure certain PII resulted in release of nearly five million user names and phone numbers following a serious data breach.  
As a part of the settlement, Snapchat is subject to ongoing privacy monitoring for the next twenty years.  The FTC was clear that it focused on Snapchat in part due to its business model focused on privacy.  According to the FTC, "If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises….  Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action."[15] In another app settlement, the FTC settled with mobile app developer Goldenshores Technologies, LLC ("Goldenshores") over allegations its popular app, "Brightest Flashlight Free app," collected much more personal information than disclosed.[16]  In fact, the app collected precise geolocation information, along with persistent device identifiers, and then shared that information with third parties, including advertising networks.  Notably, the app was already collecting and sending information to third parties–even before the user had accepted the deficient terms in the end user license agreement.  The settlement required Goldenshores to provide a "just-in-time" disclosure, fully informing consumers when, how, and why their geolocation information is being collected, used and shared, and requires affirmative opt-in from consumers prior to collection.  Finally, in a parallel set of actions, against both the entity and its principal, the FTC entered into a proposed consent order with PaymentsMD, LLC ("PaymentsMD") and Michael Hughes (former CEO, sole employee, and partial owner of PaymentsMD).[17]  PaymentsMD obtained consumer authorization to collect sensitive health information for one purpose–to track medical bills–but in fact was using that authority to collect other sensitive health information, including treatment information, from various third parties.  In turn, PaymentsMD then used that information to create a comprehensive "Patient Health Report" for each consumer.  
The FTC has proposed enjoining Hughes and PaymentsMD from continuing this activity, along with increasing disclosures to consumers regarding exactly what information will be collected, and what it will be used for.                     c.   Consent decrees regarding app purchases by children In the past year, the FTC also reached high-profile consent agreements with technology companies over accusations that the companies unfairly charged consumers for application purchases made from applications downloaded from mobile application stores.[18]  The FTC alleged that these companies violated Section 5 of the FTC Act by failing adequately to notify parent account holders that entering a password to install an application or to approve an in-app purchase would open up a window of fifteen minutes or more where a user could make subsequent in-app purchases without further authorization.[19]  This led to instances where children made purchases within applications, without parental approval.  As part of the settlement agreement, the companies must provide a refund to users who incurred such unauthorized or accidental charges.  Furthermore, the companies must obtain express consent from customers before billing them for in-app purchases.                     d.   Settlements over mobile cramming The FTC also reached settlement agreements with several online marketing and advertising companies over allegations that they engaged in a pattern of unfair and deceptive advertising by sending unwanted text messages to millions of consumers.  The FTC alleged that these companies sent text messages to consumers with offers for supposedly free merchandise as part of a scheme to collect and sell consumer information, cram unwanted charges on their mobile bills, and drive them to paid subscriptions for affiliate services.  
As part of the agreements, the accused companies agreed to pay over $9.2 million in damages and stop engaging in similar unlawful and deceptive business practices in the future.  In related settlements, the FTC reached agreements with two telecommunications providers over allegations the companies unlawfully charged their customers with unwanted third-party mobile services.  The FTC noted that the companies did not take steps to fix the issue despite a large number of customer complaints about unauthorized third-party charges, and instead crammed the charges deep in phone bills.  In addition to paying fines to the FTC and state attorneys general, the companies agreed to provide refunds to their customers for the unauthorized charges.       B.   The FTC’s Revised COPPA Rule In recent years the FTC has maintained an aggressive focus on children’s privacy–perhaps most notably by revising the COPPA Rule to reflect changes in technology in 2013.  The COPPA Rule was originally mandated under the Children’s Online Privacy Protection Act of 1998, and it requires operators of websites or online services that are directed at children under 13, or that have actual knowledge that they are collecting personal information from children under 13, to notify parents and get their verifiable consent before collecting, using, or disclosing such information.  The COPPA Rule also requires operators who fall within the above parameters to take steps to protect and secure any personal information that they collect from children under 13.  After more than two years of FTC review, and following approval by the Commission in December 2012, a revised version of the COPPA Rule went into effect on July 1, 2013.  Amendments to the Rule give parents greater control over the online collection of their children’s personal information.  
Under this revised COPPA Rule, the term "website or online services" is now broadly defined to include: standard websites; mobile apps that send or receive information online; Internet-enabled gaming platforms; plug-ins; advertising networks; Internet-enabled location-based services; and voice-over Internet protocol services.  The term "personal information" now includes: full name; home or other physical address including street name and city or town; online contact information like an email address or other identifier that permits someone to contact a person directly–for example, an IM identifier, VoIP identifier, or video chat identifier; screen name or user name where it functions as online contact information; telephone number; Social Security number; a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier; a photo, video, or audio file containing a child’s image or voice; geolocation information sufficient to identify a street name and city or town; or other information about the child or parent that is collected from the child and is combined with one of these identifiers. Additionally, operators are required to post a "privacy policy" that clearly and comprehensively describes how personal information is collected from children under 13, including by any affiliated collectors (for example, via website plug-ins or ad networks of which the operator is a member).  This closes a loophole that existed under the previous iteration of the COPPA Rule.  This privacy policy must include a list of all operators collecting this information, as well as a description of parental rights, and in fulfilling this final requirement, operators must implement a situationally reasonable "verification" method for obtaining affirmative parental consent.  
The COPPA Rule Amendments added several new methods that operators may use to obtain parental consent, including: electronic scans of signed parental consent forms; video-conferencing; use of government-issued identification; and alternative payment systems, such as debit cards and electronic payment systems (provided that they meet certain criteria).  In December 2013, the FTC approved knowledge-based identification as an additional verifiable parental consent method, provided that the process uses dynamic, multiple-choice questions that are difficult for a child to guess the answers to.  Once an operator collects information from children under 13, the revised COPPA Rule imposes heightened ongoing duties to adopt reasonable procedures for data retention and security–including limitations on when, and to whom, this information can subsequently be released.  The FTC has also conferred "safe harbor" status on seven designated organizations, empowering them to create comprehensive self-compliance programs for their own members. Companies that voluntarily become members of one of these participating organizations are generally subject to intra-organizational review and disciplinary procedures, in lieu of formal FTC investigation and law enforcement.  The COPPA Rule safe harbor programs currently recognized by the FTC include: iKeepSafe; kidSAFE; Aristotle International, Inc.; Children’s Advertising Review Unit of the Council of Better Business Bureaus; ESRB Privacy Certified; PRIVO; and TRUSTe.  
The FTC initially suspended enforcement of these 2013 revisions to allow companies time to develop and deploy conforming policies–but this grace period ended in September 2014, when online review site Yelp, Inc., and mobile app developer TinyCo, Inc., separately agreed to settle charges that they improperly collected children’s information in violation of the COPPA Rule.[20]  Under the terms of these respective settlements, Yelp agreed to pay a $450,000 civil penalty, TinyCo agreed to pay a $300,000 penalty, and both companies agreed to submit compliance reports to the FTC in 2015 outlining revamped internal COPPA Rule compliance programs.  Most recently, on December 17, 2014, the FTC sent a letter to BabyBus, a China-based developer of mobile applications directed to children, warning that the company may be in violation of the revised COPPA Rule because it appears to collect precise geolocation information about its users without obtaining parental consent beforehand. The 2013 revisions to the COPPA Rule–and the FTC’s aggressive enforcement of these provisions in late 2014–suggest that this is likely to be an area of continuing FTC focus for the foreseeable future.  Accordingly, businesses should take reasonable precautions to ensure that their data collection and storage policies are fully in compliance with the revised COPPA Rule.       C.   FCC Guidance and Amendments to the TCPA In October 2013, a report and order by the FCC modifying the implementation rules and regulations of the TCPA went into effect.  See Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 02-278, Report and Order, 27 FCC Rcd. 1830 (2012) (hereinafter the "FCC Guidance").  The modifications include requiring prior express written consent for telemarketing calls to wireless numbers and residential lines and eliminating the business relationship exemption for telemarketing calls to residential lines.  Id. at 1831, par. 
2.[21]  The FCC stated that the changes were made to offer greater protections to consumers in the privacy arena and to maximize consistency with the analogous rules of the FTC.  Id.  Over the past year, these rules have led to an increase in TCPA litigation.  See Section I.B.6. Along with the increase in TCPA litigation, a related development is the increasing number of entities petitioning the FCC to make rulings interpreting various provisions of the TCPA.  There are currently over 20 petitions pending before the FCC asking the Commission to clarify the applicability of the TCPA to issues such as: (1) the definition of the called party as the intended recipient of a call;[22] (2) the delivery of voicemails directly to users;[23] (3) the revocation of prior express consent for non-telemarketing calls;[24] (4) the definition of an automatic telephone dialing system;[25] (5) vicarious liability for individuals who aid telemarketers;[26] (6) liability for calls to reassigned cell phone numbers;[27] (7) liability for social network text-messaging systems;[28] (8) liability for automatic text messages generated in response to user requests;[29] (9) the requirement of prior express consent for notifications to users affected by data breaches and suspicious transactions;[30] and (10) the implementation of call blocking technology.[31]  These open petitions underscore the wide variety of unresolved TCPA issues that impact TCPA litigation today. The FCC closed out only a few of these petitions during the past year.  In two rulings issued on March 27, 2014, the Commission interpreted provisions of the TCPA that prohibit auto-calling or auto-texting cell phones without the recipients’ prior express consent.  See Order, In re GroupMe, Inc./Skype Communications S.A.R.L Petition for Expedited Declaratory Ruling, 59 Communications Reg. (P&F) 1554 (F.C.C. Mar. 27, 2014); see also In the Matter of Cargo Airline Assn. Pet. for Expedited Declaratory Ruling, 59 Communications Reg. 
(P&F) 1509 (F.C.C. Mar. 27, 2014).  In the GroupMe ruling, the FCC found that text-based social networks may send administrative text messages confirming consumers’ interest in joining text message groups, without violating the TCPA.  The Commission found that the consumers must provide express consent to participate in the groups but that the consent may be conveyed to the text-based social network by an intermediary.  In the Cargo Airline ruling, the FCC granted an exemption under the TCPA to allow package delivery services to provide automatic delivery notification alert calls and texts to cell phones of recipients of packages, even without their prior express consent.  However, this exemption was granted only under narrow conditions: the sender of the package must indicate that the recipient consents; the delivery notifications must be purely informational; the recipient of the call/text must not be charged; and the recipient must be able to easily opt out of future messages.  Finally, in an October 2014 ruling addressing issues raised by 24 pending FCC petitions, the Commission decided that the TCPA required "opt-out" language on all fax advertisements, even those sent with the prior express consent of the recipient.  In the Matter of Rules & Regulations Implementing the Tel. Consumer Prot. Act of 1991, 61 Communications Reg. (P&F) 671 (F.C.C. Oct. 30, 2014).  The ruling also granted a retroactive waiver to the petitioners and other similarly situated parties since the requirement was previously ambiguous.       D.   
The NIST Cybersecurity Framework On February 12, 2014, the National Institute of Standards and Technology ("NIST") released its Cybersecurity Framework (the "Framework").[32]  The Framework is NIST’s response to President Obama’s direction set forth in Executive Order 13636, Improving Critical Infrastructure Cybersecurity, to develop a voluntary cybersecurity framework for reducing cybersecurity risk to critical infrastructure.[33]  The Framework is intended to provide a "prioritized, flexible, repeatable, performance-based, and cost-effective approach"[34] to assist organizations in the critical infrastructure sectors to manage cybersecurity risk.  NIST developed this Framework based on input from various constituencies regarding existing standards, guidelines, and best practices for managing cybersecurity threats.  The process involved more than 3,000 critical infrastructure owners and operators, industry leaders, government partners, and other stakeholders.  The final Framework was released with the guidance that it is to be a "living" document shaped by user feedback and experiences.[35] The Framework, which is essentially a voluntary cybersecurity risk management tool, is intended to encourage private and public sector organizations to develop more effective approaches to managing cybersecurity threats.  The voluntary Framework is specifically intended to serve as a resource for organizations in the sixteen critical infrastructure sectors identified by the Administration.  The Framework broadly defines "critical infrastructure" to include both organizations traditionally associated with national security, such as those in the defense industrial base, and organizations that one may not automatically associate with national security concerns, such as food- and agriculture-related enterprises, commercial facilities (including sports arenas, shopping malls, and apartment buildings), and certain manufacturing enterprises. 
The Framework seeks to provide a common language and mechanism for organizations to achieve five main objectives: (1) describe their current cybersecurity posture; (2) describe their target state for cybersecurity; (3) identify and prioritize opportunities for improvement within the context of risk management; (4) assess progress toward the target state; and (5) foster communication among internal and external stakeholders.[36]  The Framework itself comprises three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.  The Core consists of five Functions–Identify, Protect, Detect, Respond, and Recover–that provide a high-level strategic categorization of cybersecurity risks.[37]  These functions are, in turn, broken into categories and subcategories, and matched with existing domestic and international standards, guidelines, and best practices.[38]  The Framework Profile is designed to align industry standards and best practices with the specific business requirements, resources, and risk tolerance of an organization.[39]  Organizations can use the Profile to develop a roadmap to reduce cybersecurity risks and conduct self-assessments.  The final part, the Implementation Tiers, categorizes an organization’s cybersecurity practices into one of four levels based on the organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.[40]  This categorization allows organizations to assess their cybersecurity practices, ranging from informal, reactive implementations to flexible and risk-informed approaches.  
In conjunction with the release of the Cybersecurity Framework in February 2014, NIST also published a Cybersecurity Framework Roadmap that detailed high-priority areas for development, alignment, and collaboration, with the intent to address these areas in future versions of the Cybersecurity Framework.[41]  These areas include the development of better identity and authentication technologies, automated indicator sharing, conformity assessments, data analytics, the cybersecurity workforce, supply chain risk management, and technical privacy standards.[42]  Pursuant to the Roadmap, NIST continues to serve as a convener and coordinator to assist organizations in private industry and the public sector to understand, use, and improve the Framework. Throughout 2014, NIST continued engagement with and sought input from stakeholders in government, industry and academia.  NIST focused specifically on the topic of privacy engineering, which "focuses on providing guidance to information system users, owners, developers and designers that handle personal information."[43]  Despite the significance of privacy today, the field has yet to fully develop models, technical standards and best practices for the protection of individuals’ privacy and civil liberties.  NIST held two privacy engineering workshops, one in April and a second in September, to address this gap and consider draft privacy engineering definitions and concepts.[44] NIST has also sought to increase awareness of the Framework and encourage organizations to use the Framework as a tool to manage cybersecurity risks.  
For instance, NIST issued a formal Request for Information in August to solicit feedback on the level of awareness of the Framework and the Roadmap and initial experiences with the Framework from critical infrastructure organizations as well as government organizations and other stakeholders, including consumers and solution providers.[45]  And in October 2014, NIST hosted a workshop to gather input from critical infrastructure stakeholders about their awareness of and initial experiences with the Framework.[46]  These engagement efforts are intended to inform NIST’s planning and decision-making relating to the Framework, including both future versions of the Framework as well as the development of tools and resources to enable more effective use of the Framework.  In addition, the RFI responses are intended to inform the Department of Homeland Security’s Critical Infrastructure Cyber Community C3 Voluntary Program, which was established as a public-private partnership to increase awareness and use of the Framework.[47] In 2015, NIST will continue to focus on increasing awareness of the Framework and facilitate its use through the development of information and training materials.[48]  NIST does not intend to revise the Framework itself in 2015, although it will continue to focus on the areas identified in the Roadmap.[49]  NIST plans to develop publicly available reference materials that will help organizations understand how to better use the Framework and how to integrate the cybersecurity risk management approach of the Framework into an organization’s broader risk-management program.[50]  Finally, NIST expects to continue to hold workshops, webinars, and similar meetings with stakeholders on the Framework. III.   Legislative Developments In the United States, legislative debates in the past two years have focused on disclosures of the NSA’s surveillance programs, data breach notification laws and cybersecurity, digital privacy, and other issues.  
At the federal level, there has been much debate but little progress on passage of legislation in these areas.  In the days leading up to the State of the Union address on January 20, 2015, the White House announced a new legislative proposal outlining significant cybersecurity and data privacy initiatives intended to reboot the administration’s stalled efforts to pass cybersecurity legislation over the last few years.  Meanwhile, several states have moved to fill the void left by perceived Congressional inaction.        A.   Proposed Federal Data Breach Notification and Cybersecurity Legislation             1.   Legislation Arising From Prominent Retailer Data Breaches The many attacks on computer systems of major companies over the past year (discussed in detail in Section I.B.1 above) inspired a wave of legislation aimed at preventing such massive data breaches.  One prominent piece of proposed legislation is the Personal Data Privacy and Security Act of 2014, S. 1897, sponsored by Senator Patrick Leahy (D-VT) and cosponsored by five Democratic senators, which was introduced in the Senate on January 8, 2014.  An identical version of this bill was sponsored in the House by Rep. Carol Shea-Porter (D-NH) and introduced on February 4, 2014 (H.R. 3990).  This proposed legislation would create a federal standard for notifying customers of a data breach and impose additional restrictions on the storage of customer data, including requiring the implementation of a comprehensive data privacy security program.  Specifically, the bill would require businesses to comply with FTC guidelines for the protection of sensitive personally identifiable information and implement comprehensive personal data privacy and security programs.  
In addition, businesses would be required to: (1) identify reasonably foreseeable vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of sensitive information; (2) assess the likelihood of and potential damage from unauthorized access to, or disclosure, use, or alteration of sensitive information; (3) assess the sufficiency of their policies, technologies, and safeguards to minimize risks from unauthorized access, disclosure, use, or alteration of sensitive information; (4) assess the vulnerability of sensitive information during destruction and disposal of such information; (5) design their personal data privacy and security programs to control risks; (6) adopt measures commensurate with the sensitivity of the data as well as the size, complexity, and scope of activities of the entities that control access to systems and facilities containing sensitive information; (7) establish procedures for minimizing the amount of sensitive information maintained; and (8) take steps to ensure appropriate employee training and regular testing of key controls, systems, and procedures of the entity’s personal data privacy and security program.  Senator Leahy’s bill defines "personally identifiable information" broadly; the definition includes "any information, or compilation of information, in electronic or digital form that is a means of identification."  It would exempt from its provisions, however, certain financial and health-care institutions already subject to the data security requirements of the Gramm-Leach-Bliley Act or HIPAA.  The Senate bill is currently in the Committee on the Judiciary, where it has remained since January 2014.  In February 2014, the House bill was referred for consideration to the Committees on the Judiciary, Energy and Commerce, Financial Services, Oversight and Government Reform, and the Budget. Another bill introduced the same week, the Data Security Act of 2014, S. 
1927, sponsored by Senator Tom Carper (D-DE) and cosponsored by Senator Roy Blunt (R-MO), would provide "clarity and certainty to all parties involved" by setting up a coherent set of national standards to replace the "patchwork" of 49 separate data security laws in U.S. states and its territories, according to the bill’s sponsors.  The Data Security Act’s definition of personal information requiring protection is narrower than the definition in Senator Leahy’s bill, and it explicitly excludes "publicly available information that is lawfully made available to the general public," and omits, for example, biometric data.  The bill would require notification of affected individuals only in the event of a breach that discloses information "reasonably likely to be misused in a manner causing substantial harm or inconvenience" (S. 1927, § 3(c)), while Senator Leahy’s bill requires notification when there is a "reasonable basis to conclude" that access to the information "is for an unauthorized purpose" (S. 1897, § 3(10)(A)).  The Data Security Act has been under consideration by the Committee on Banking, Housing, and Urban Affairs’ Subcommittee on National Security and International Trade and Finance since February 2014. Additionally, the Data Security and Breach Notification Act of 2014, S. 1976, sponsored by Senator John D. Rockefeller IV (D-WV) with three cosponsors, would–like Senator Leahy’s bill–give the FTC authority to set security standards for companies that hold consumers’ personal and financial information, and would also obligate companies to notify affected customers "following the discovery of a breach of security" of their data system.  The bill defines "breach of security" broadly: it is a compromise in data security that results in "unauthorized access to or acquisitions of personal information." 
Like Senator Carper’s bill, Senator Rockefeller’s bill defines "personal information" more narrowly than Senator Leahy’s bill; such information includes any "non-truncated social security number," credit card/account number with the access code or password "that is required for an individual to withdraw funds, or engage in a financial transaction," or an individual’s full name in combination with another piece of specific identifying information, such as a driver’s license number, unique account identifier, or biometric data.  See S. 1976 § 6(9)(a).  No action has been taken on this proposed legislation since its referral to the Committee on Commerce, Science, and Transportation on January 30, 2014.             2.   Cybersecurity Legislative Efforts Following President Obama’s call for comprehensive cybersecurity legislation in his 2013 State of the Union address, members of Congress proposed several bills in that area, but it is unclear whether any legislation will soon pass. Most notably, the Cyber Intelligence Sharing and Protection Act ("CISPA"), H.R. 624, introduced by Rep. Mike Rogers (R-MI), would create procedures for private entities to share cybersecurity threats with the Director of National Intelligence.  The bill was approved by the House and is in the Senate Select Committee on Intelligence. In November 2013, Department of Homeland Security ("DHS") Acting Undersecretary for National Protection and Programs Suzanne Spaulding called for legislation to exempt certain critical infrastructure operators (including banks and power grids) from liability for providing information about cyberattacks to the Department.  No movement on such specific legislation has yet occurred.  However, there has been a recent flurry of related legislation.   Congress passed two related statutes pertaining to cybersecurity and federal agencies as attachments to the Border Patrol Agent Pay Record Act, S. 1691.  
The first, the DHS Cybersecurity Workforce Recruitment and Retention Act of 2014, authorizes DHS to establish cybersecurity positions in the agency as positions in the "excepted service" and not subject to the regular federal pay scale, and sets forth DHS’s authority to make appointments, fix pay rates, and provide incentives and allowances for such positions.  The second, the Homeland Security Cybersecurity Workforce Assessment Act, further requires federal agencies to identify and code cybersecurity workforce positions within the agency, directs each agency head to submit a report identifying critical needs in the agency’s cybersecurity workforce, and requires the Office of Management and Budget ("OMB") to provide guidance to agencies on identifying cybersecurity workforce needs.  The President signed both bills into law on December 18, 2014. Relatedly, the Cybersecurity Workforce Assessment Act, introduced as H.R. 2952 by Rep. Patrick Meehan (R-PA) on August 1, 2013, and signed into law by President Obama on December 18, 2014, directs DHS to develop a comprehensive strategic plan to enhance the readiness, capacity, training, recruitment, and retention of the cybersecurity workforce of DHS, and to report to Congress about the progress of certain critical infrastructure security technologies.  The statute requires DHS to develop a plan for a Cybersecurity Fellowship Program offering a tuition payment plan for students pursuing undergraduate and doctoral degrees who agree to work for DHS for an agreed-upon period of time. The National Cybersecurity and Critical Infrastructure Protection Act, H.R. 3696, introduced by Rep. Michael T. McCaul (R-TX) with three cosponsors, would require the Secretary of Homeland Security to conduct and share the results of certain cybersecurity activities.  
It also would establish a federal civilian information sharing interface to share cyberthreat information among public and private entities and critical infrastructure owners and operators.  The bill was approved by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies in January 2014, and was to be reported in February by the full Homeland Security Committee.  While there has been no further action since February, President Obama recently signed into law similar legislation, the National Cybersecurity Protection Act of 2014 (introduced as S. 2519 by Sen. Thomas Carper (D-DE) on June 24, 2014).  This statute codifies DHS’ National Cybersecurity and Communications Integration Center ("NCCIC") as a "federal civilian interface" to provide both federal and nonfederal entities "shared situational awareness" to address cybersecurity risks, coordinate the sharing of cybersecurity information, conduct and share analysis and provide technical assistance and recommendations on network security.  Notably, the statute makes clear that nothing in the Act shall be construed as providing new regulatory authority.  The CyberSecurity Enhancement Act of 2014 (introduced as S. 1353 by Sen. John Rockefeller (D-WV) on July 24, 2013), signed into law by President Obama on December 18, 2014, codifies NIST’s process for developing industry-driven, consensus-based, voluntary cybersecurity standards for critical infrastructure.  Also without conferring any new regulatory authority, it directs and authorizes the federal government to support research, raise public awareness of cyber risks, and improve the nation’s cybersecurity workforce.  Finally, Congress recently passed two more general statutes that address cybersecurity on a more administrative level.  First, the Consolidated and Further Continuing Appropriations Act, H.R. 83, was signed into law on December 16, 2014 at Public Law No. 113-235.  
The relevant provision prohibits the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation from acquiring high-impact or moderate-impact information systems without first assessing the risk of cyberespionage or sabotage associated with the acquisition of such systems from any country posing a cyber threat, including China.  The legislation further directs the Securities and Exchange Commission to submit a report to Congress on its efforts to modernize disclosure requirements, including an update on cybersecurity.  The Federal Information Security Modernization Act of 2014, signed by President Obama on December 18, 2014, codifies DHS’ role in administering the implementation of information security policies and practices in civilian federal information systems, while retaining OMB’s role in overseeing the security of federal government information systems generally.  It further describes the information security responsibilities of various federal agencies, including eliminating the requirement that such agencies file annual checklists that show the steps taken to secure systems.  Instead, the statute requires agencies to continuously diagnose and mitigate against cyber threats and vulnerabilities.  The statute overall increases DHS’ role in overseeing the cybersecurity efforts of federal agencies.             3.   Health Exchange Security and Transparency Act On January 10, 2014, the House of Representatives passed the Health Exchange Security and Transparency Act of 2014 ("H.R. 3811") by a 291-122 vote.  This bill would require the Department of Health and Human Services to notify consumers participating in health insurance marketplaces (also known as insurance exchanges) of any breach of their personal information within two days of discovering a breach.  
The one-sentence bill, introduced by Representative Joe Pitts (R-PA) and 75 cosponsors on January 7, 2014, would apply to "any system maintained" by a federal or state-run insurance exchange. Dozens of House Democrats sided with Republicans in support of H.R. 3811, likely in response to the epidemic of nationwide cybersecurity breaches and well-publicized issues surrounding the rollout of the HealthCare.gov website.  After passage by the House, the bill was referred to the Senate Committee on Health, Education, Labor, and Pensions.  To date there has been no action in the Senate.  The White House issued a statement opposing H.R. 3811, stating that the measure "would impose an administratively burdensome reporting requirement that is less effective than existing industry standards and those already in place for federal agencies that possess such information."[51]               4.   The Law Enforcement Access to Data Stored Abroad Act On September 18, 2014, Senators Orrin Hatch (R-UT), Chris Coons (D-DE) and Dean Heller (R-NV) introduced bipartisan legislation in the Senate that would amend the ECPA to address conflicts of laws and safeguard Americans’ electronic data stored abroad.  ECPA, discussed in detail above in Section I.B.4, seeks to balance individuals’ rights to privacy of electronic communications and the legitimate needs of law enforcement to access records stored by service providers by authorizing governmental entities to obtain certain categories of data from providers using warrants and subpoenas.  However, ECPA does not extend this power extraterritorially, and therefore, does not permit courts to issue warrants for law enforcement to seize covered data that service providers store abroad.  The Law Enforcement Access to Data Stored Abroad ("LEADS") Act, S. 
2871, would amend ECPA to explicitly require a search warrant (and authorize the issuance of such extraterritorial warrants) for law enforcement to obtain the contents of electronic communications stored overseas which belong to a "U.S. person"–defined as a U.S. citizen, permanent resident, or company incorporated in the U.S.  To address a concern of service providers, the LEADS Act also would require the court to modify or vacate the warrant if compliance would require the service provider to violate the laws of the country in which the electronic data is stored.  To address users’ data privacy interests, the bill would require notifying the user of the warrant, the law enforcement inquiry, and any user data disclosed pursuant to the warrant, although notice may be delayed for up to 10 business days.  The proposed bill is currently in the Senate Judiciary Committee.             5.   Protecting Student Privacy Act On July 30, 2014, Senator Edward Markey (D-MA) introduced the Protecting Student Privacy Act of 2014.  The bill currently has three cosponsors in the Senate.  This proposed legislation would require all state educational agencies or institutions receiving federal funding to implement information security policies that: "(i) protect personally identifiable information from education records maintained by the educational agency or institution; and (ii) require each outside party to whom personally identifiable information from education records is disclosed to have information security policies and procedures that include a comprehensive security program designed to protect the personally identifiable information from education records."  S. 2690, § 2(2).  The bill was introduced amid increased concern over how schools are using the sensitive student data they collect and seeks to amend the Family Educational Rights and Privacy Act of 1974 to address this concern. 
The bill would further safeguard student data by requiring each educational agency or institution receiving federal funds to ensure that any third party with access to student data holds the data in a manner that gives parents the right to access the information and to challenge, correct, or delete inaccurate information, to have a policy that promotes data minimization, and to have a policy requiring that personally identifiable information is destroyed when no longer needed for the specified purpose of its collection.  The bill has been in the Senate Committee on Health, Education, Labor, and Pensions since July 30, 2014.             6.   Do Not Track Kids Act The Do Not Track Kids Act of 2013 (H.R. 3481; S. 1700), sponsored in the House of Representatives by Rep. Joe Barton (R-TX) and 46 cosponsors, and sponsored in the Senate by Senator Edward Markey (D-MA) and four cosponsors, was introduced as a response to what the sponsors say is an increasing amount of time spent online among children, especially through the use of mobile devices, and at younger ages.  The bill addresses the collection, use, and disclosure of the personal information of children and minors, following a failed attempt to enact a similar law in 2011.  It would update the COPPA, discussed previously in the context of FTC enforcement in Section II.B., which requires operators of commercial websites and online services directed to children under the age of 13 to abide by various privacy safeguards as they collect, use, or disclose personal information collected from children. The Do Not Track Kids Act would impose age-based restrictions beyond those in the current COPPA law by prohibiting Internet companies from collecting personal and location information from anyone 13 to 15 years old without the user’s consent, while also requiring consent of the parent or teen prior to sending targeted advertising to the teen.  
The bill also would create an "eraser button" by requiring companies to permit users to eliminate publicly available personal information content when technologically feasible, and empower the FTC to promulgate rules requiring operators to implement appropriate "eraser button" mechanisms.  The "eraser button" provision is similar to legislation recently enacted in California, which allows minors under 18 to request that companies delete specified information that the requestor has previously posted online.  (We discuss this law in Section III.B.6 below.)  The Do Not Track Kids Act also would prohibit companies from collecting personal information from minors without adopting a "Digital Marketing Bill of Rights for Teens" that is consistent with the Fair Information Practices Principles established by the bill.  Companies would be required to explain the types of personal information collected and how that information is used and disclosed, and to disclose any personal information collection policies. The House and Senate versions of the bill are substantially identical.  The Senate bill is currently in the Committee on Commerce, Science and Transportation, while the House bill is in the Energy and Commerce Committee’s Subcommittee on Communications and Technology, where they have remained since November 2013.             7.   The Edward Snowden Affair and NSA Surveillance                     a.   Background In 2013, Edward Snowden’s leaks regarding the U.S. National Security Agency ("NSA") "PRISM" program revealed that the government collects massive amounts of telephone and Internet data about foreigners and Americans.  Snowden’s revelations have transformed the landscape of the national and international discussion about privacy and national security.  Mr. 
Snowden’s leaks led to revelations that the NSA collects, retains, and can search a large trove of data from domestic and foreign communications, acting under authority granted to it under Section 215 of the USA PATRIOT Act.  Such surveillance includes bulk collection of telephonic metadata, including phone numbers called, the time a call was made, and the duration of a given call.  NSA analysts may search a database of such information based on a reasonable, articulable suspicion that the telephone number is connected to terrorism.  PRISM was first authorized during the Administration of President George W. Bush in the Protect America Act of 2007 and the FISA Amendments Act of 2008.  PRISM’s data collection practices also have been approved by the Foreign Intelligence Surveillance Court ("FISC").  Yet the extent of the government’s surveillance was unknown to the general public until Snowden’s disclosures. Mr. Snowden’s leaks also revealed, among other things, that the NSA’s interception of foreign targets’ communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act ("FISA") also resulted in the collection of the communications of American citizens, despite legal protections against domestic surveillance.                      b.   Significant Disclosures in 2014 Snowden’s initial revelations were published in a series of articles for British paper The Guardian in summer and fall 2013.  Since then, additional disclosures and the release of certain court documents have shed additional light on U.S. and international government surveillance programs. There were several significant disclosures about the different types of NSA surveillance and monitoring programs that currently exist or are in development: Journalists for The Intercept described an NSA computer program called TURBINE, which allows the NSA to use an automated program to infect, on a mass scale, computers and phone networks around the world with spyware.  
The spyware allows the NSA to break into targeted computers and siphon data from Internet and phone networks located abroad.  It was also revealed that the NSA intercepts routers, servers, and other networking equipment before it is exported outside the United States to implant surveillance tools into the systems.[52]  In an interview, Snowden discussed the MonsterMind program, a cyber-warfare program under development by the NSA, intended to discover known or suspected cyberattacks from abroad, and automatically fire back.[53]  It was revealed that the NSA harvests millions of faces from Internet images for use in a facial recognition database.[54]  There were additional disclosures about the scope of the NSA’s surveillance program, and the extent to which the government monitors individuals who are not suspected terrorists and organizations not traditionally affiliated with terrorists.  For example, Mr. Snowden informed the Council of Europe that the United States has monitored confidential communications of the leaders of a number of civil and non-governmental organizations, including Amnesty International and Human Rights Watch.  And in March, Director of National Intelligence James Clapper admitted that U.S. intelligence agencies had searched the contents of emails and other electronic communications of U.S. citizens without warrants.  Clapper asserted that FISA, which prohibits the government from targeting Americans, authorizes the collection of Americans’ data because the data was obtained to eventually target foreign suspects.[55]  Additionally, The Washington Post, relying on information provided by Snowden, reported that 90% of those placed under surveillance in the U.S. are not intended targets.  There were also disclosures about the extent to which international governments cooperate with the NSA.  For example, it was revealed that the NSA’s Australian counterpart spied on communications between U.S. 
law firm Mayer Brown and its client, the government of Indonesia, and offered to provide the information so acquired to the NSA.  Mayer Brown was representing Indonesia in a trade dispute with the U.S. government, and the surveillance may have included information protected by the attorney-client privilege.  Additionally, a German newspaper revealed that Germany’s secret service shared at least 5% of the Internet data it has collected about German citizens with the NSA.[56]  In September, The Washington Post published a story that shed light on the genesis of the PRISM program.  The Post reported that in 2008, the government had threatened to fine Yahoo!, Inc. $250,000 per day if it did not comply with a FISC order on appeal granting the government access to Yahoo! emails and email metadata.[57]  Yahoo! had originally contested the government’s demand for user data, arguing that it violated the Fourth Amendment’s prohibition against unreasonable searches and seizures, but was unsuccessful.  Yahoo! appealed the decision, and the government threatened Yahoo! with the fine if it did not begin handing over data while the case was on appeal.  Yahoo! complied, and ultimately lost the appeal.  The information regarding the government order came to light when 1,500 pages were unsealed in the FISC case in September 2014, after Yahoo! won its long battle to declassify and un-seal the documents.  It was revealed that this FISC ruling became the key decision in the development of PRISM, helping government officials to convince several companies to comply with its demand for data.[58]                      c.   Proposed Reform Legislation In late 2013 and early 2014, several representatives drafted bills aimed at reforming PRISM.  Of the proposed bills, the one that has come closest to passing is the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection, and Online Monitoring Act (the "USA FREEDOM Act").  
The bill was introduced on October 29, 2013 by Rep. Sensenbrenner (R-WI) and Sen. Leahy (D-VT).  A version of the bill passed the US House of Representatives on May 22, 2014.  The House version did not ban bulk government collection of data, but rather allowed collection if approved by a FISC order based on reasonable, articulable suspicion of wrongdoing.  The bill also renewed the USA PATRIOT Act until the end of 2017.  Because the bill permits bulk collection of Americans’ data, it was criticized by many civil libertarians and technology companies. In July 2014, Senator Leahy introduced a new version of the bill in the Senate.  The Senate version requires the government to limit the scope of its bulk data collection–for example, it specifies that the government may not gather in bulk data relating to a particular phone or Internet company or to a broad geographic region.  Further, the Senate bill would have left the phone and Internet data of Americans in the hands of the service providers, not the government.  The government could obtain records of calls made and received by individual Americans who were the target of a terrorist communication after the government demonstrated that it has a reasonable, articulable suspicion that the conversation involves a terrorist.  The Senate version of the USA FREEDOM Act had wide support from the technology industry, many privacy advocacy groups, Democrats, some Republicans, the White House, and the intelligence community.  However, in November 2014, the bill fell two votes short of the 60 votes needed to prevent a Republican filibuster.[59] Although the Obama administration supported the USA FREEDOM Act, in December 2014, the administration announced that it would renew the PRISM program.  The government sought a 90-day reauthorization of the existing program, as modified by changes directed by President Obama in January 2014.  
Those changes require the NSA to obtain a court order before searching the NSA’s database of metadata and phone and Internet data, and limit the search to phone numbers two "hops," or connections, away from a target (instead of the previous rule of three hops).[60]                      d.   Technology Sector Response The technology industry faced significant criticism in 2013 and 2014 due to what many characterized as aiding or at least being complicit in handing over troves of consumer data to the US government.  This led to US-based technology companies losing many international customers, with industry experts predicting that the US cloud computing industry could lose between $35 and $180 billion by 2016.[61]  As a response to the criticism, several technology companies have begun to build data centers overseas.                      e.   Legal Challenges to Surveillance Practices There have been three significant decisions about the legality of government surveillance since the first Snowden revelation.  In Klayman v. Obama, 957 F. Supp. 2d 1 (D.D.C. 2013), Judge Richard Leon of the U.S. District Court for the District of Columbia held that broad-scale collection of Americans’ telephone metadata is likely unconstitutional.  Judge Leon called the program "almost Orwellian" and questioned the efficacy of the program in combatting terrorism.  He granted an injunction ordering the government to stop collecting the plaintiffs’ telephone data and to destroy the existing records; however, the injunction was stayed pending appeal.  Appellate arguments took place in November 2014. In ACLU v. Clapper, 959 F. Supp. 2d 724 (S.D.N.Y. Dec. 27, 2013), Judge William Pauley held that the NSA phone records collection is constitutional and necessary to national security.  The case is currently on appeal, and arguments before the Second Circuit took place in September 2014. The decisions in Klayman and ACLU v. Clapper took divergent views on the precedential value of Smith v. 
Maryland, 442 U.S. 735 (1979).  There, the Supreme Court held that there is no reasonable expectation of privacy in information voluntarily turned over to third parties such as telephone companies.  Klayman distinguished Maryland as outdated, while ACLU v. Clapper determined that it was controlling precedent.  More recently, a June 2014 decision of the District of Idaho held that Maryland precluded that court from ruling in the plaintiff’s favor on allegations that the government violated her Fourth Amendment rights by collecting cellphone tracking location data.  Smith v. Obama, 24 F. Supp. 3d 1005 (D. Idaho June 3, 2014).  Judge B. Lynn Winmill wrote, however, that he believed Maryland to be outdated.  Judge Winmill called Judge Leon’s decision in Klayman "thoughtful and well-reasoned," urging that it should "serve as a template for a Supreme Court opinion."  Id. at 1009.  Smith v. Obama is currently on appeal.       B.   Recently Enacted State Privacy Laws State legislatures have continued to pass laws covering a wide range of topics relating to information privacy and security, with important impacts on private sector businesses.             1.   Data Breach Notification Several states enacted new data breach notification laws, and those with preexisting laws reformed their data breach reporting requirements.  For example, in 2013, California amended its groundbreaking data breach notification law by broadening the definition of "personal information."  Under Section 1798.82 of the California Civil Code, a breach of the following types of information now triggers a notification obligation: passwords, usernames, and security questions.  These categories of information are in addition to Social Security Numbers, driver’s license numbers, credit card information, and medical and health insurance information.  In 2014, California further amended its data breach notification law by passing Assembly Bill 1710.  
Under the amendment, which took effect on January 1, 2015, the law applies to businesses that merely maintain personal information (in addition to businesses that own and license personal information, which were already covered).  Importantly, this amendment requires third-party service providers that obtain personal information from an owner or licensee of the personal information to implement data security practices.  Iowa also made an interesting modification to its data breach notification law, by amending the definition of "breach" to include the acquisition of personal information that is maintained in paper form.  See S.F. 2259, 2013-2014 Reg. Sess. (Iowa 2014) (also requiring notification to state attorney general within five days if breach affects more than 500 Iowa residents). New York’s S. 2605-D, enacted in 2013, also made minor changes to the state’s data breach law by requiring public or private entities’ breaches of "private information" to be disclosed to the newly-formed Office of Information Technology Services instead of the Office of Cyber Security & Critical Infrastructure Coordination.  The New York law also continues to require data breach notification to the affected individual, the New York Attorney General, and the Consumer Protection Board.  See A. 3005-D, S. 2605-D (N.Y. 2013).[62] Florida also enacted an updated data privacy law, which went into effect on July 1, 2014.  See Information Protection Act, Fla. Stat. § 501.171.  Following California’s lead, Florida expanded the definition of "personal information," for which unauthorized disclosure can trigger breach notification obligations.  Among other things, Florida’s new law also requires notification to affected persons within 30 days after discovery of a breach as well as notification to the state’s Department of Legal Affairs following any breach involving 500 or more individuals in Florida.  
Texas, Vermont, and North Dakota are among other states that have recently amended their data breach laws.[63]  With the passage of Kentucky’s law in April 2014, only three states–New Mexico, South Dakota, and Alabama–have no form of a data breach notification law.  See H.B. 232 2014 Gen. Assemb., Reg. Sess. (Ky. 2014).             2.   Credit Card Monitoring After Data Breach In 2014, California enacted a law regulating the way in which companies may offer credit card monitoring to individuals whose data is compromised by a data security breach.  So far it is the only state to do so.  Several other states, however, have considered legislation requiring businesses to offer credit monitoring services to individuals impacted by data breaches. As of January 1, 2015, if a business is the source of a security breach, "an offer to provide appropriate identity theft prevention and mitigation services [to California residents], if any, shall be provided at no cost to the affected person for not less than 12 months."  (emphasis added).  The business must also provide any information necessary for residents to take advantage of the services.  Some commentators have read this provision to require businesses to provide prevention and mitigation services after a security breach, but because the law includes the words, "if any," it merely regulates the type of credit monitoring a company must offer if the company chooses to offer credit monitoring at all.  The bill is unlikely to have a major impact, as most companies that currently offer customers credit monitoring offer at least 12 months of cost-free service.[64]             3.  Social Media Access Following Maryland’s lead, which enacted the first such bill (S.B. 433/H.B. 964, 2012 Reg. Sess. (effective Oct. 
1, 2012)), a majority of states have enacted or have considered enacting legislation that would enhance employees’ privacy by prohibiting employers from requiring or requesting current or prospective employees to provide passwords to their social media accounts.[65]  In an interesting inverse of these new laws, Delaware enacted a law which provides heirs with access to a deceased person’s digital assets.  Fiduciary Access to Digital Assets and Digital Accounts, H.B. 345, 147th Gen. Assemb. (Del. 2014).  New Mexico and several other states have extended this principle by enacting legislation prohibiting colleges from requiring students or applicants to provide access to social media accounts.[66]              4.   Drone Regulation Over a dozen state legislatures have taken action on the use and regulation of drones, typically called unmanned aircraft systems ("UAS").  To date, these laws typically regulate how a government agency, primarily law enforcement, can utilize UAS.  For example, Florida’s Freedom from Unwanted Surveillance Act, S.B. 92, enacted on April 26, 2013, limited UAS use to law enforcement, and established a warrant requirement unless there is a terrorist threat or "swift action" is necessary to save a life or search for a missing person.  Any evidence obtained in violation of the law is inadmissible, and civil remedies are authorized if an individual is harmed by the inappropriate use of UAS.[67]  Louisiana created a crime for the unlawful use of a UAS in order to conduct surveillance without the owner’s consent.  H.B. 1029, 2014 Reg. Sess. (La. 2014). An increasing number of states are taking steps to regulate the use of UAS by private individuals.  For example, North Carolina’s law created a wide swath of regulations for UAS, including a similar prohibition of UAS surveillance without consent, creating a civil cause of action for anyone whose privacy is violated.  S.B. 744 (N.C. 2014).  
In October 2014, California passed a law some consider specifically aimed at paparazzi photographers, which creates a cause of action for the violation of someone’s privacy, and authorizes treble damages if the violating conduct was for commercial gain.  A.B. 2306 (Cal. 2014).  The Texas Privacy Act, H.B. 912, enacted on June 14, 2013, created 19 different categories of lawful public UAS use and criminalized capturing, possessing, and distributing an image captured by a UAS with the intent to conduct surveillance.[68]  See also S.B. 1892, 108th Reg. Sess. (Tenn. 2014) (creating a misdemeanor offense for intentional surveillance of another using UAS, but creating 18 lawful uses).

5.   California’s "Do Not Track" Law

California’s "Do Not Track" law, Assembly Bill 370 ("A.B. 370"), went into effect on January 1, 2014.  A.B. 370 amends the California Online Privacy Protection Act ("CalOPPA") to require additional disclosures in corporate privacy policies.  Intended to facilitate transparency as to how a company tracks and shares user data, it requires disclosures dealing with three areas: (1) "do not track" signals; (2) third-party tracking; and (3) conspicuous opt-out notices.  In May 2014, the California attorney general issued guidelines for compliance with the Do Not Track law.[69]  First, A.B. 370 requires companies to disclose how they respond to "do not track" signals.  A "do not track" signal is an HTTP header field emitted by an Internet browser when a user selects "Do Not Track" in his or her browser settings.  To date, there is no regulatory or industry consensus on the appropriate response to a "do not track" signal.  The Federal Trade Commission has informally called for companies to honor "do not track" requests in its educational publications, though it has not introduced formal rules on the subject.  Without a specific requirement to honor such signals, many companies choose not to do so.  A.B.
370 is intended, in part, to create pressure for companies to honor "do not track" signals by forcing them to reveal whether and how they honor the signal.  The attorney general guidelines clarify that this disclosure is only required if an online service collects personally identifiable information about a consumer’s online activities over time and across third-party websites or online services.

Second, A.B. 370 requires companies to disclose whether third parties may collect personally identifiable information about a consumer’s online activities when they visit the company’s website.  Importantly, the amendment only requires companies to disclose whether third parties collect information, not details regarding what information the third parties track.[70]

Finally, A.B. 370 also permits a company to satisfy the "do not track" disclosure requirement by providing a "clear and conspicuous" hyperlink in its privacy policy to an explanation of the company’s opt-out program, and a mechanism for the user to opt out of the company’s tracking practices.  However, the attorney general guidelines recommend that online services directly disclose how they respond to do not track requests, rather than hyperlinking, and treat the linking option as the less transparent method for complying with A.B. 370.  Also, linking to opt-out procedures only satisfies a company’s obligation to disclose how it treats "do not track" signals; it does not satisfy A.B. 370’s third-party tracking disclosure requirement.[71]

6.   California’s "Digital Eraser" Law

California Senate Bill 568, "Privacy Rights for California Minors in a Digital World," ("S.B. 568") became effective on January 1, 2015.  S.B. 568 includes a provision known as the "Delete Button" or "Eraser" law, which allows minors under the age of 18 to request that companies delete specified information that the requestor had previously posted online.
California is the first state to impose such an obligation on website and mobile app operators.  Additionally, the law bans companies from marketing prohibited items, including alcohol, tobacco, guns, and other products or services to minors or compiling underage users’ personal information in order to market the prohibited items to them.

The "Delete Button" law applies to companies operating websites, mobile and Internet-based "apps," and online services; however, it only covers websites and apps "directed" to minors or whose operator has actual knowledge that a minor is using it.  The law defines a site "directed to minors" as one "created for the purpose" of reaching predominately those under 18.

All covered companies must notify minors of their right to request removal of unwanted information posted by the minor on the company’s web site, and must remove such information upon request.  Alternatively, companies can comply with this law by providing minors with clear instructions as to how to directly remove information that they posted.  The "Delete Button" law has a number of enumerated limits that affect its scope.  First, minors can request deletion only of information that they posted.  S.B. 568 does not allow a minor to request deletion of information that was stored, republished, or reposted by a third party.  Second, only "registered users" of a company’s website can request deletion.  Third, if a minor fails to follow the procedures for deletion, a company need not delete the information.  Fourth, those receiving compensation for posted content cannot request deletion.  Finally, minors cannot request deletion of posted content that is inaccessible to third parties.[72]

7.   California’s Privacy for Student Records Laws

A number of privacy protections for primary students’ records went into effect in California on January 1, 2015.
Senate Bill 1177 prohibits an operator of an online service that the operator knows is marketed, designed, and primarily used for K-12 school purposes from knowingly engaging in targeted advertising to students or parents, creating a profile of a student using any information gathered through the service, or selling or disclosing a student’s information.  The operator must also maintain reasonable security measures to protect the student’s information from unauthorized access, destruction, use, modification or disclosure and delete school-controlled student information upon request from the school.

Assembly Bill 1584 governs contracts between local educational agencies and third-party digital record and educational software providers.  It permits a school to use a third party for the "digital storage, management and retrieval of pupil records, or to provide digital educational software, or both."  But any contract with a third party must contain a number of provisions, including a description of the actions the third party will take "to ensure the security and confidentiality of pupil records," a description of procedures that will be used to notify affected students or parents of any unauthorized disclosure, a prohibition against using students’ information for purposes other than those contractually required, and a certification that students’ information will not be available to the third party upon completion of the contract.

Finally, Assembly Bill 1442 establishes restrictions on school districts’ collection and use of pupils’ social media information.  In order to gather students’ information, a school must first notify students and parents and provide an opportunity for public comment.
If the school gathers social media information, it must notify each parent that information is being collected and must only gather information that pertains directly to school or student safety, provide the student with access to his or her information and an opportunity to correct or delete it, and destroy information after the student turns 18 or is no longer enrolled in the school.  Third parties retained by schools to gather students’ social media information may not use the information for any purpose other than to satisfy the contract, may not sell or share the information, and must destroy the information immediately upon conclusion of the contract.

C.   Legislative Outlook

Prompted by events such as the Snowden leaks, major retailer security breaches, and the Sony hacking incident, both state and federal lawmakers are expected to continue to address surveillance and data privacy issues and data breach notification legislation as priorities.  Additional potential legislative emphases on the horizon are likely to include: mobile data collection, retention, and sharing issues (addressing text messaging and mobile chat applications as well as other services); continued emphasis on children’s online and mobile privacy; strengthening European Union privacy legislation (stemming from the European Union Data Protection Regulation and "right to be forgotten" cases); intensified health care data protections; and an increased focus on geo-location/GPS privacy issues.

On January 13, 2015, President Obama presented an update to the Administration’s 2011 Cybersecurity Legislative Proposal.
The updated proposal identifies three priorities: 1) enhancing cyber threat information sharing within the private sector and between the private sector and the Federal Government; 2) protecting individuals by requiring businesses to notify consumers if personal information is compromised; and 3) strengthening and clarifying law enforcement’s ability to investigate and prosecute cyber crimes.

Under the proposal, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) would play a key role in sharing cyber threat information received from private sector entities with the relevant federal agencies and other private sector organizations.  Companies that share information would also be eligible to receive "targeted" liability protection.

The proposal also aims to protect individuals by establishing a federal data breach notification scheme and creating a consumer privacy bill of rights.  The proposed legislation would also expand existing penalties for cybersecurity crimes, law enforcement authority to deter the sale of certain spyware, and court authority to shut down certain networks engaged in criminal cyberattack activity.[73]

It is unclear whether the recent Republican takeover of Congress will have an impact on the success or trajectory of legislative efforts in the privacy arena.  A Republican will now chair the Senate Select Committee on Intelligence, which some would expect to chill NSA oversight, but the public response to the depth of government surveillance revealed in the last few years has generated support for reform from both sides. Whether there will be enough bipartisan support to achieve federal legislation on these issues remains to be seen.

IV.   Criminal Enforcement

A.   Fourth Amendment Developments

1.   U.S. v. Rigmaiden

The multi-year saga of United States v. Rigmaiden, No. 08-cr-814 (D. Ariz.), recently came to an end.
In 2008, the government indicted Rigmaiden on 74 counts of mail and wire fraud, aggravated identity theft, and conspiracy.  In the indictment, the government alleged that Rigmaiden devised a scheme to obtain fraudulent tax refunds by filing electronic tax returns in the names of hundreds of people, both deceased and living.  The government was able to locate and arrest Rigmaiden after surveillance involving use of the StingRay, a device used to track the International Mobile Subscriber Identity (IMSI) of cellular devices.  In 2013, Rigmaiden filed a motion to suppress evidence relating to his wireless aircard, historical cellular-site information, destination IP addresses, data from the security company that serviced Rigmaiden’s former apartment complex, the search of his apartment and computer, and the use of mobile tracking devices.  Citing earlier Ninth Circuit precedent, the district court concluded that Rigmaiden had no societally recognizable expectation of privacy in a computer or other equipment obtained through fraud–Rigmaiden had used fraudulent identities and credit cards to purchase his laptop and wireless aircard.  For the same reason, Rigmaiden had no reasonable expectation of privacy in the apartment and storage unit he rented with stolen and fraudulent identities.  The court rested this conclusion on Supreme Court authority recognizing that wrongful interests do not give rise to legitimate expectations of privacy.  Turning to the government’s use of electronic communications to isolate the location of Rigmaiden’s computer/aircard, the court declined to find a privacy violation where the government’s use of such technology was for the purpose of finding the devices being used to perpetrate an extensive fraudulent scheme through the defendant’s own use of electronic communications.
With respect to the government’s collection of historical cell-site data, the court found that even if Rigmaiden had a protected privacy interest in the aircard, the government’s collection of historical records (e.g., cell-site data, destination IP addresses associated with the aircard) pursuant to the Stored Communications Act ("SCA") did not violate Rigmaiden’s rights.  The court also noted that, in any event, suppression is not an available remedy for an SCA violation.  Distinguishing recent Supreme Court authority, the court further concluded that using cell-site information to triangulate the location of Rigmaiden’s aircard, pursuant to the SCA, was not tantamount to attaching a GPS device to a person’s vehicle over an extended period of time.  With respect to the historical IP addresses and data obtained from the security company, the court found this information covered by the third-party doctrine.

Rigmaiden also challenged the warrant used to justify the use of a mobile tracking device to isolate his location, arguing it was not supported by probable cause and any searches conducted thereunder exceeded the warrant’s scope.  The ACLU filed an amicus brief in support of the scope argument.  The court found that the affidavit underlying the warrant supported probable cause and that the warrant was sufficiently particular with respect to the mobile tracking device to be used.  While the court acknowledged that the tracking warrant was no "model of clarity," it nonetheless concluded that the warrant contained all sufficient elements.  Moreover, the court found it irrelevant that the warrant did not disclose that the mobile tracking device would capture data of other cell phones and aircards in the vicinity of the subject aircard.
Lastly, although the government conceded its failure to comply with Rule 41(f) (requiring service of the warrant on a defendant), the court explained that suppression is not the appropriate remedy where there is no causal connection between the government’s failure to comply with this rule and its location of the aircard.  The court rejected Rigmaiden’s argument that he was prejudiced by this action where, had he been served, he would have fled and evaded capture.  Lastly, to the extent any Fourth Amendment violation occurred in searching Rigmaiden’s apartment and computer, which the court concluded did not happen, the court found that the good faith exception applied.  In light of the fact that Rigmaiden had filed many suppression-related motions during the case, the court ordered Rigmaiden not to file any additional motions of this sort.  Bringing this saga to an apparent end, on April 7, 2014, Rigmaiden pled guilty.  The Court sentenced him to 60 months’ imprisonment followed by three years of supervised release.

2.   Cell Phones and Warrantless Searches

On April 29, 2014, the U.S. Supreme Court held that police generally may not, without a warrant, search digital information on a cell phone seized from an individual who has been arrested.  Riley v. California, ___ U.S. ___, 134 S. Ct. 2473 (2014).  Noting that a warrantless search is reasonable only if it falls within a specific exception to the Fourth Amendment’s warrant requirement, a unanimous Court refused to extend the "search incident to arrest" exception to searches of smart phones and other cell phones.  In so doing, the Court distinguished United States v. Robinson, 414 U.S. 218 (1973), in which the Court upheld the search of a cigarette pack found on an arrestee’s person.  Although the precise impact of the Riley decision remains to be seen, at least one federal district court has suggested that the Supreme Court’s holding likely prohibits the warrantless search of a digital camera.
See United States v. Whiteside, No. 13 Cr. 576 (PAC) (S.D.N.Y. Sept. 30, 2014).

B.   Identity Theft and Carding Crimes

1.   United States v. Lazar (E.D. Va.)

While many identity theft crimes are motivated by financial gain, one notable case this past year was not.  In United States v. Lazar, 1:14-cr-213 (E.D. Va. June 12, 2014), the Department of Justice indicted Marcel Lehel Lazar, the hacker known as "Guccifer," on charges of wire fraud, unauthorized access, aggravated identity theft, and cyberstalking.  Lazar allegedly broke into the email and social media accounts of several high level government officials and celebrities and was linked to the release of private photos and portraits painted by former President George W. Bush.[74]  At the time of the indictment, Lazar was imprisoned in his native Romania.  It remains to be seen whether the United States will seek Lazar’s extradition after his release from Romanian prison.

2.   United States v. Vega (E.D.N.Y)

Recent cases have resulted in increasingly severe sentences for those found guilty of identity theft and carding crimes.  In a New York federal case, Roman Vega was sentenced to 18 years in prison for his role as co-founder of CarderPlanet, one of the Internet’s first marketplaces for stolen data.  See United States v. Vega, No. 07-cr-707 ARR (E.D.N.Y. Dec. 18, 2013).  Vega conspired to steal personal information, including credit card numbers, through sophisticated means such as hacking, and used his website to sell the stolen data.  Vega pled guilty in 2009 to conspiracy to commit access device fraud, in violation of 18 U.S.C. § 1029, and conspiracy to commit money laundering, in violation of 18 U.S.C. § 1956.
Commenting on Vega’s lengthy sentence, Mythili Raman, former Acting Assistant Attorney General of the Justice Department’s Criminal Division, explained, "Vega helped create one of the largest and most sophisticated credit fraud sites in the cybercrime underworld–a distinction that has earned him the substantial sentence he received today."

C.   Money Laundering

1.   United States v. Dotcom (E.D. Va.)

The United States continues its efforts to extradite Kim Dotcom for his involvement with the website Megaupload, an online file-sharing site which the U.S. alleges is at the center of an "international organized criminal enterprise" engaged in racketeering, money laundering, and copyright infringement.  United States v. Dotcom, No. 12-cr-003 (E.D. Va.).  Dotcom remains in New Zealand, where in March 2014 the New Zealand Supreme Court denied a request by Dotcom and three colleagues also facing extradition to gain broad access to all U.S. evidence against them.  Finding that such extensive disclosure would delay the process, the Court concluded that a summary of the U.S. case against Dotcom would be sufficient for purposes of an extradition hearing.  Meanwhile, it has been reported that the extradition hearing has been delayed until February 2015.

2.   United States v. Faiella (S.D.N.Y)

In another notable money laundering case, the DOJ filed charges against Robert M. Faiella, an underground Bitcoin exchanger, and Charlie Shrem, the CEO of a Bitcoin exchange company, BitInstant, for selling over $1 million in Bitcoins to users of "Silk Road," an underground website that (among other things) enabled users to buy and sell illegal drugs anonymously.  United States v. Faiella, No. 14-cr-243 (S.D.N.Y).
Law enforcement shuttered the original Silk Road website in October 2013, and has since been engaged in a cat-and-mouse game with new anonymous marketplaces, seizing Silk Road 2.0 in November 2014.[75]  The Bitcoin-related charges in the Faiella case allege that Mr. Faiella and Mr. Shrem conspired to commit money laundering and operated an unlicensed money transmitting business.  The charges also allege that Mr. Shrem violated the Bank Secrecy Act.

3.   United States v. Liberty Reserve S.A. (S.D.N.Y)

In 2013, the DOJ also filed charges against Liberty Reserve, a currency exchange that formerly operated out of Costa Rica, along with charges against seven individuals.  The charges allege conspiracy to commit money laundering, conspiracy to operate an unlicensed money-transmitting business, and operation of an unlicensed money-transmitting business.  United States v. Liberty Reserve S.A., No. 13-cr-368 (S.D.N.Y).  The government alleges that Liberty Reserve laundered billions of dollars in 55 million transactions worldwide.  Liberty Reserve traded in virtual currency, which allegedly provided the anonymity sought by criminals.  While individual users were asked to provide a name, address, and date of birth, fictitious information could be used to create an account.  The case is reported to be the largest online money laundering case in history, and officials dubbed it the launch of the "cyber age of money laundering."  Along with filing criminal charges, law enforcement seized five domains and froze forty-five bank accounts.  Thus far, one defendant has pled guilty and received a five-year prison sentence.  Although Liberty Reserve is incorporated in Costa Rica, officials used a USA PATRIOT Act provision to target the entity.

D.   Economic Espionage Act

1.   United States v. Aleynikov (2d Cir.) and United States v. Agrawal (2d Cir.)
As we reported last year, the Second Circuit reversed the conviction of Sergey Aleynikov, a former computer programmer for a financial institution, who was found guilty of stealing computer source code under the Economic Espionage Act ("EEA").  United States v. Aleynikov, 676 F.3d 71 (2d Cir. 2012).  The court found that the program embodying the stolen source code was not "produced for" or "placed in" interstate commerce, because the company had no intention of licensing or selling the program.  Id. at 82.  Judge Calabresi’s concurrence noted that he believed Congress, in drafting the EEA, intended to capture the type of conduct at issue in this case.  In response, Congress passed the Trade Secrets Clarification Act ("TSCA"), on which we also reported last year.  The TSCA removed the requirement that the underlying trade secret be "used or intended for use in" interstate commerce.  Instead, the law now requires only that the trade secret be "related to" or "included in" a product produced for or placed in interstate or foreign commerce.  In 2010, a jury convicted defendant Samarth Agrawal for similar conduct of stealing computer code from his employer.  In August 2013, despite the Aleynikov precedent, the same court upheld Agrawal’s conviction.  United States v. Agrawal, 726 F.3d 235 (2d Cir. 2013), cert. denied 134 S. Ct. 1527 (2014).  In Agrawal, the defendant worked for Société Générale ("SocGen"), a French bank.  Like the defendant in Aleynikov, Agrawal took source code from his employer.  Agrawal printed the source code onto thousands of sheets of paper and took it to his home in New Jersey to replicate SocGen’s trading system to sell to a competitor for hundreds of thousands of dollars.
Although Agrawal raised challenges similar to the defendant in Aleynikov, the court distinguished the earlier case, writing that the "product" relied upon in Aleynikov was the proprietary source code while, in Agrawal’s case, the "product" was the publicly traded securities bought and sold by SocGen using the software embodying the stolen code.  The court found that the securities satisfied the jurisdictional requirement without raising the concerns present in Aleynikov (i.e., the fact the proprietary software was not intended for use in interstate commerce).  Judge Rosemary Pooler authored a dissent, arguing that the majority ignored the narrow construction of the EEA set forth in Aleynikov in order to "retroactively apply Congress’s statutory change made during the interim period."  Judge Pooler’s dissent noted that the government claimed at trial that the source code was the "product," whereas for the first time on appeal the government looked to the securities bought and sold through use of the software.

2.   United States v. Liew (N.D. Cal.)

On March 6, 2014, a federal jury convicted Walter Liew of charges brought under the Economic Espionage Act.  United States v. Liew, No. 11-cr-573 (N.D. Cal.).  The DOJ claims Liew is the first person to be convicted for violations of the Economic Espionage Act in a jury trial.  Liew met with Chinese officials in the 1990s and agreed to procure chloride-route titanium dioxide (TiO2) technology for them.  TiO2 technology is used to create pigment in paint, plastics, and paper, and also has uses in aerospace materials.  The jury found that Liew, along with co-conspirators, stole TiO2 trade secrets from the DuPont chemical company and sold those secrets to state-owned companies in China.  The jury also convicted Liew on charges of obstruction of justice, witness tampering, filing false tax returns, and making false statements in connection with a bankruptcy filing.
In July 2014, Judge Jeffrey White sentenced Liew to a fifteen-year prison sentence, and ordered Liew to pay over $28 million in forfeitures and restitution.

3.   United States v. Wang Dong (W.D. Penn.)

In May 2014, a grand jury in Pennsylvania federal court indicted five Chinese military hackers for computer hacking, economic espionage, trade secret theft, and other offenses directed at six U.S. companies in the nuclear power, metals, and solar products industries.  United States v. Wang Dong, No. 14-cr-118 (W.D. Penn.).  The indictment drew an angry response from China’s Foreign Ministry.  The defendants are alleged, inter alia, to have conspired to hack into the U.S. companies, to maintain unauthorized access to computers, and to steal information that would be beneficial to Chinese competitors, including state-owned enterprises.  However, because the U.S. does not have an extradition treaty with China, it is unlikely that the defendants will be brought to the U.S. to face charges.

U.S. Attorney General Eric Holder reported that the Wang Dong indictment represents "the first ever charges against a state actor for this type of hacking," but Holder signaled that it would not be the last of its kind, warning that the U.S. "will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition."  Echoing that sentiment, FBI Director James B. Comey promised to "use all legal tools at [the FBI’s] disposal to counter cyber espionage from all sources."

4.   United States v. Leroux (D. Del.)

In July 2013, the DOJ indicted four individuals for allegedly stealing trade secret information from a number of U.S. businesses.  United States v. Leroux, 13-cr-0078 (D. Del.).  The indictment alleges that the hackers stole popular Microsoft Xbox games such as "Call of Duty: Modern Warfare 3" and "Gears of War 3" before their release.
The hackers also allegedly broke into the servers of a U.S. Army contractor and accessed the software used to train Apache helicopter pilots.  Victims of the hacking ring include the computer networks of Microsoft Corporation, Epic Games Inc., Valve Corporation, Zombie Studios, and the U.S. Army.  The defendants were based in both the United States and Canada; the government arrested the Canadian defendant when he attempted to enter the United States at the Lewiston, NY port of entry.  In September 2014, the Canadian defendant and one other defendant pled guilty to conspiracy to commit computer fraud and copyright infringement.  The DOJ asserts that the Canadian defendant’s guilty plea marks the first conviction of a foreign-based individual for hacking into U.S. businesses to steal trade secret information.  In January 2015, the third defendant likewise pled guilty to the same conspiracy charge.  The three are to be sentenced in spring 2015.

E.   Computer Fraud and Abuse Act

1.   United States v. Nosal (N.D. Cal.)

In Nosal, the government alleged that David Nosal, an executive recruiter in San Francisco, stole trade secrets from his former employer in order to open a competing firm.  After the Ninth Circuit Court of Appeals clarified the scope of the Computer Fraud and Abuse Act ("CFAA") in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), which we discussed in our 2013 Outlook and Review, the court returned Nosal’s case to the district court for trial.  United States v. Nosal, No. 08-cr-237 EMC (N.D. Cal.).  In April 2013, a jury convicted Nosal of conspiracy to gain unauthorized access to his former employer’s computer systems, along with other computer intrusion and theft of trade secrets.  At the sentencing hearing, prosecutors asked the court to impose incarceration, arguing that "the sentence you give . . . will go through Silicon Valley like a bell."  The district court sentenced Nosal to one year and one day in prison.
In addition to incarceration, the Court recently ordered Nosal to reimburse his former employer over $800,000 in attorney’s fees and costs under the Mandatory Victims Restitution Act.  Nosal has again appealed to the Ninth Circuit but has yet to brief the issues on appeal.

2.   Hacktivism

a.   Overview

"Hacktivism" refers to computer hacking for social or political causes, typically free speech or information access.  Supporters often liken "hacktivism" to protests or civil disobedience.  While the prosecution and subsequent suicide of Aaron Swartz (described in our 2013 Outlook and Review) led to closer media scrutiny of criminal treatment of "hacktivism," the incident has not prompted meaningful legal changes.  In June 2013, "Aaron’s Law" was introduced in the U.S. House of Representatives, and companion legislation was introduced in the U.S. Senate, representing a bi-partisan proposal to reform the CFAA.  The bill has not been enacted, and the Justice Department continues zealously to prosecute hacking activity, whether activist or otherwise.

A common tool of "hacktivists" and other cybercriminals is "distributed denial of service," or DDOS, attacks.  A DDOS attack is designed to cripple computer networks or servers by flooding them with irrelevant Internet traffic and rendering them inaccessible to legitimate users.  Another kind of attack, an SQL injection attack, exploits security vulnerabilities in software to steal information, such as personally identifying information, from targeted networks or servers.  Motives for such attacks vary.  Some are the means by which other crimes occur, such as a DDOS attack that locks up a company’s systems while wire transfers from its accounts are occurring, or an SQL Injection attack that steals information for the purpose of identity theft.
Others are politically or socially motivated–"hacktivist" activities, like the attacks that likely caused the state-owned Syrian Arab News Agency ("SANA") to go down in the wake of an alleged August 2013 chemical attack in disputed areas outside of Damascus.  Hacking networks, such as the international group called Anonymous and its offshoots, which include LulzSec, often orchestrate this type of activist attack.

b.   Rejection of Argument that "Hacktivism" Is Victimless Civil Disobedience

In November 2013, U.S. District Judge Loretta Preska of the Southern District of New York sentenced self-proclaimed "hacktivist" Jeremy Hammond to 10 years in prison and 3 years of probation.  Hammond, an affiliate of the international "hacktivist" network Anonymous who has a cybercriminal history, pled guilty to numerous computer hacking offenses.  These crimes included: stealing and/or deleting data from the computer servers of the private intelligence firm Strategic Forecasting Inc.; publishing tens of thousands of credit card numbers belonging to that firm’s clients and encouraging others to use the numbers to donate to charities; hacking into the Arizona Department of Public Safety and publishing the personal information of Arizona law enforcement agents and their families; and attacking several other entities, ranging from state and federal governmental agencies to police officers’ associations to private corporations.  Hammond had been indicted in 2012 along with four other defendants on charges of computer hacking and conspiracy to commit computer hacking.  Indictment, United States v. Hammond, No. 12-cr-185 LAP (S.D.N.Y. May 2, 2012).  Some of Hammond’s co-defendants were prosecuted and sentenced in the United Kingdom and remain under indictment in the United States.

Hammond and his lawyers argued that his actions were political activism, aimed at exposing law enforcement policies and surveillance practices that he opposes.
Speaking at his sentencing hearing, Hammond, who also had been active in the "Occupy" movement, claimed that his crimes were "acts of civil disobedience" intended "to expose and confront injustice and to bring the truth to light." Conceding he broke the law, Hammond proclaimed, "I believe that sometimes laws must be broken in order to make room for change." Hammond’s lawyers drew on historical "moments where resistance has led to important social change," noting that actors like the founding fathers, Martin Luther King, and Nelson Mandela were "not always understood in the moment" and were often considered "criminals." His lawyers highlighted the issue of surveillance technology as "one of the defining issues of our times" and emphasized Hammond’s community activism and the lack of personal gain obtained from his crimes.

In a stern oral opinion, Judge Preska rejected the characterization of Hammond’s actions as victimless civil disobedience: "These are not the actions of Martin Luther King, Nelson Mandela, John Adams, or even Daniel Ellsberg . . . [Mr. Hammond’s] hacks harmed many individuals and entities with little or no connection to Mr. Hammond’s supposed political motivation for the crime." Judge Preska pointed out that his hack of the Arizona Department of Public Safety shut down vital computer systems, such as the sex offender website and the Amber alert system, and that all of the attacked entities suffered financial and reputational harm. Judge Preska cited a need for both individual deterrence (this was not Hammond’s first brush with the law for cybercrime) and general deterrence, writing that "there’s certainly nothing high-minded or public-spirited about causing mayhem." Judge Preska accepted the government’s recommended penalty, 10 years’ imprisonment, and imposed an additional 3 years’ probation. See Sentencing Transcript, United States v. Hammond, No. 12-cr-185 LAP (S.D.N.Y. Nov. 13, 2013).

c. Prosecution of the LulzSec Attacks

First-time offenders also have recently earned jail time. Two college-student members of the Anonymous-affiliated hacker group LulzSec were each sentenced in the Central District of California to serve a year and a day in prison, to serve one year of subsequent home detention, to complete 1,000 hours of community service, and to pay $605,633 in restitution. The defendants both pled guilty in 2012 to conspiracy and cybercrime-related offenses in connection with their participation in hacking the computer systems of Sony Pictures Entertainment. The defendants used a SQL injection attack against the Sony Pictures website that compromised the company’s computer network and resulted in personal information of more than 138,000 individuals being posted online. In its sentencing memorandum in the case, the United States Attorney’s Office for the Central District of California described LulzSec’s stated goal in the attacks: to see the "raw, uninterrupted, chaotic thrill of entertainment and anarchy" and to provide stolen personal information "so that equally evil people can entertain us with what they do with it." See United States v. Rivera, No. CR 12-798-JAK (C.D. Cal. July 24, 2013).

Law enforcement officials outside the United States also targeted LulzSec-affiliated hackers connected with the Sony Pictures attack and other attacks. Four defendants (two of whom had been Hammond’s co-defendants in the Southern District of New York Hammond prosecution, discussed above) were sentenced in the United Kingdom in mid-2013 for cyberattacks on a number of private and government institutions, including attacks on Sony Pictures, the CIA, and the FBI. Mostly first-time offenders, their jail time ranged from 1 year and 8 months to 2 years and 8 months.

d. Prosecution of Dozens of Anonymous-Affiliated Hackers for Widespread DDOS Attacks

In October 2013, federal prosecutors filed a grand jury indictment in Virginia federal court accusing thirteen members of Anonymous of conducting a worldwide series of cyberattacks against government agencies, banks, anti-piracy organizations, individuals, and intellectual property law firms, among others. For orchestrating these coordinated cyberattacks–part of a campaign dubbed "Operation Payback" that occurred between September 2010 and January 2011–the thirteen men were each charged with one count of conspiracy to intentionally cause damage to a protected computer. The defendants allegedly synchronized DDOS attacks on each of the targets’ networks, causing their websites to shut down. The attacked institutions, the indictment alleged, were those that "Anonymous claimed opposed its stated philosophy of making all information free for all, including information protected by copyright laws or national security considerations." An Anonymous flier quoted in the indictment described the motivation behind "Operation Payback": "We [are] sick and tired of these corporations seeking to control the Internet in their pursuit of profit. Anonymous cannot sit by and do nothing while these organizations stifle the spread of ideas and attack those who wish to exercise their rights to share with others." See Indictment, U.S. v. Collins et al., No. 13-cr-383 (E.D.Va. Oct. 3, 2013). The government subsequently dismissed all charges against one defendant, and the other twelve defendants pled guilty. Thus far, the court has sentenced eight of those defendants to time served and a period of supervised release. The court has deferred ordering restitution until the remaining defendants are sentenced.
One of the defendants that pled guilty, Dennis Owen Collins, was also one of fourteen purported Anonymous hackers indicted in 2011 in the Northern District of California on various charges related to the 2010 cyberattack of PayPal Inc.’s website.  United States v. Collins, No. 11-cr-471 DLJ (N.D. Cal.).  All fourteen accused initially pled not guilty.  But in December 2013, Collins’s thirteen co-defendants entered into plea agreements with prosecutors, in which they admitted to participating in DDOS cyberattacks against PayPal in December 2010 as part of hacktivist group Anonymous.  The plea agreements describe the background of the coordinated attacks, which Anonymous called "Operation Avenge Assange."  In November 2010, the website WikiLeaks released a large trove of classified United States State Department cables on its website.  In reaction to the release of the classified information, and citing violations of the PayPal terms of service, PayPal suspended WikiLeaks’ accounts.  This meant WikiLeaks could no longer receive donations from supporters via PayPal.  Anonymous claimed to have executed the DDOS attacks in retribution for PayPal’s termination of WikiLeaks’ donation account.  See U.S. Department of Justice, U.S. Attorney’s Office for the Northern District of California, Press Release: Thirteen Defendants Plead Guilty For December 2010 Cyberattack Against PayPal (Dec. 6, 2013).  In October 2014, the court entered judgment against Collins’s thirteen co-defendants; each has since been sentenced to one year of probation and ordered to pay $5,600 in restitution.  Collins has maintained his plea of "not guilty" and awaits a trial date.  Meanwhile, Senator Patrick Leahy has introduced a bill in the U.S. Senate–entitled the "Personal Data Privacy and Security Act of 2014" (S. 
1897)–that would strengthen the CFAA by making attempted hacks and conspiracies to hack subject to the same punishment as successful intrusions, while clarifying that mere violations of terms of service are not actionable.

e. Computer Crimes and Venue

A jury convicted Andrew Auernheimer of violating the CFAA in New Jersey federal district court, and the court sentenced Auernheimer to 41 months’ imprisonment. Auernheimer was found to have participated in an attack on AT&T servers in order to steal email addresses associated with iPad users. Auernheimer, represented by the Electronic Frontier Foundation, appealed to the Third Circuit Court of Appeals, arguing that the New Jersey venue was improper because, at all relevant times, he and his co-conspirator were in Arkansas and San Francisco, respectively, and the affected servers were in Dallas and Atlanta. The case received broad attention from various amici regarding the constitutionality of the charges against Auernheimer. In April 2014, the Third Circuit vacated Auernheimer’s conviction on the basis of improper venue. See United States v. Auernheimer, 748 F.3d 525 (3d Cir. 2014). In so doing, the Third Circuit rejected the district court’s conclusion that venue was proper because Auernheimer’s disclosure of the email addresses of about 4,500 New Jersey residents affected them in New Jersey and violated New Jersey law. The Third Circuit cautioned: "As we progress technologically, we must remain mindful that cybercrimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue. People and computers still exist in identifiable places in the physical world." Id. at 541.

F. The Year Ahead

As cybercrime shows no signs of slowing in 2015, law enforcement officials have signaled that they will respond with increasingly robust enforcement tactics.
On December 4, 2014, shortly after the revelation that Sony Pictures had been the target of a sophisticated cyberattack, the Department of Justice announced the launch of a new Cyber Security unit, to be housed within the DOJ’s existing Computer Crime and Intellectual Property Section. Assistant Attorney General Leslie Caldwell explained that "[g]iven the growing complexity and volume of cyberattacks, as well as the intricate rubric of laws and investigatory tools needed to thwart the attack, the cybersecurity unit will play an important role in this field." She also emphasized the importance of a "robust enforcement strategy as well as a broad prevention strategy."

The Department of Justice has recognized that prevention depends in part on the ability of U.S. companies to share information with one another and the government concerning rapidly evolving cyber threats. However, as the DOJ has emphasized, this information sharing "must occur without contravening federal law [e.g., the Stored Communications Act, 18 U.S.C. § 2701 et seq.] or the protections afforded individual privacy and civil liberties." In an effort to facilitate lawful information sharing, the DOJ issued a white paper in May 2014, which articulates the DOJ’s interpretation of the Stored Communications Act as permitting providers to share aggregated non-content data with governmental entities, so long as that data does not reveal information about a particular customer or subscriber.

V. International Developments

A. European Union

1. Developments at the European Union Level

a. Draft EU Data Privacy Regulation

The EU Data Privacy Regulation is intended to succeed the operative 1995 Data Privacy Directive (Directive 95/46/EC, hereinafter "EU Data Privacy Directive"). It was initially intended for enactment before the end of 2014, but due to the voting process and reestablishment of the EU Commission, the legislative process was significantly delayed.
Thus, the new regulation has not yet been enacted and will likely not come into effect before 2017. Two particularly important issues discussed during the legislative process involve exemptions for the public sector and rules concerning data portability. Core substantive elements of the current proposed regulation include the following:

The draft regulation would implement a "right to be forgotten" (also officially called the "right to erasure") whereby personal data must be deleted when an individual no longer wants his or her data to be processed by a company and there are no legitimate reasons for retaining the data. This part of the draft regulation may impose significant burdens on affected companies, as the creation of selective data destruction procedures often may impose significant costs.

The draft law also would establish a right to data portability, which is intended to make it easier for individuals to transfer personal data from one service provider to another. Upon request, individuals are entitled to obtain personal data that they have provided to a business in an interoperable and commonly used format. This provision has also come under particular scrutiny due to its potential to significantly increase companies’ administrative burdens.

Privacy by design and privacy by default would be established as essential principles of the new EU data protection rules. These principles would require data controllers to design data protection safeguards into their products and services right from the inception of the product development process. Privacy-friendly default settings also would be standard.

Data controllers and processors would be required to designate a Data Protection Officer ("DPO") in certain circumstances. In the age of cloud computing, where even very small controllers can process large amounts of data through online services, the applicable threshold for a mandatory DPO may apply to even relatively small companies.
Biometric and genetic data would be expressly defined as special categories of personal data. Biometric data would be defined as any personal data relating to the physical, physiological, or behavioral characteristics of an individual that allow unique identification of the individual–e.g., facial images or fingerprints.

The draft regulation also expressly sets out the requirements for Binding Corporate Rules ("BCRs") to enable the free transfer of data within global organizations to countries outside the EU. A national supervisory authority would approve BCRs as a means of lawful intra-group data transfer, provided that the BCRs are legally binding and apply to, and are enforced by, every member within the controller’s group of affiliates (including employees) and external subcontractors. BCRs also must expressly confer enforceable rights on data subjects and fulfill a set of minimum requirements, including specification of their legally binding nature and general data protection principles applicable within the particular group of companies.

These requirements would be supplemented by a much more rigid regime of fines for violations. Standard fines for data privacy violations ranging from 1% to 5% of a company’s annual worldwide turnover have been discussed. As a result of the extra-territorial application of the draft law, companies located outside the EU also would have to take this into account.

On the positive side, implementation of the draft regulation would allow a single EU regime to replace 28 different national data privacy laws with one directly applicable regulation. The current EU Data Privacy Directive does not have direct effect and, therefore, was implemented by 28 different national laws–which gave rise to differences in scope, interpretation, and enforcement.
Thus, the new draft regulation also would create a "one-stop shop" for businesses concerned with privacy law compliance, because a company would be able to interact with the various national supervisory authorities through one lead authority.

b. Review of Safe Harbor Agreement

As discussed above in Section II.A.2, the EU-U.S. Safe Harbor Agreement ("Safe Harbor") enables compliant data transfers between EU Member States and the United States provided that the U.S. company receiving the data adheres to certain minimum data privacy standards. This adherence is ensured via a process of self-certification. Following disclosures of extensive collection of EU citizens’ data by U.S. intelligence authorities, the current Safe Harbor regime came under scrutiny by EU policymakers. Specifically, the EU Commission issued a set of recommendations designed to implement stricter Safe Harbor rules. The goal is to further increase the level of data protection for EU citizens. The conflict between data privacy and surveillance activities can be particularly sharp with regard to the Safe Harbor rules, because they contain exceptions for national security purposes. Hence, personal data legally transferred to the United States may be disclosed by U.S. companies to intelligence agencies on the basis of national security interests.

The EU Commission issued recommendations for tightening the Safe Harbor requirements. The key recommendations are as follows:

Privacy policies of self-certified companies as well as the privacy provisions in their agreements with sub-contractors should be disclosed publicly.

Privacy policies of self-certified companies should include information about the extent to which public authorities in the United States are allowed to collect and process personal data transferred under the Safe Harbor.
Data transfers under the Safe Harbor’s national security exception should take place only to the extent strictly necessary and proportionate.

The Department of Commerce should enforce the Safe Harbor framework by means of investigations in order to ensure that self-certified companies comply with privacy standards.

The Department of Commerce should inform EU data protection authorities when there are concerns or complaints about an entity’s Safe Harbor compliance.

The EU Commission has asked the U.S. Department of Commerce to provide feedback on its proposals. In the meantime, the European Parliament passed a resolution in March 2014 calling for the immediate suspension of the Safe Harbor regime; this resolution had no immediate legal effect, but it may be indicative of sentiment among European policy makers. Should negotiations on the EU Commission’s proposed amendments fail, resulting in a suspension of the Safe Harbor, the business community on both sides of the Atlantic could face substantially greater hurdles to compliant cross-border data transfers.

Additionally, the European Court of Justice received a request for a preliminary ruling from the Irish High Court on the compatibility of the Safe Harbor framework with Article 8 of the Charter of Fundamental Rights of the EU. Although the Irish court in its June 2014 ruling held that data protection authorities are in principle bound by the Safe Harbor Agreement as long as it remains in place, a review of its compatibility with the Charter of Fundamental Rights was considered necessary by the court. Companies should, therefore, not solely rely on Safe Harbor certifications but initiate additional measures before they transfer data to the US.
In this context, German data protection authorities recommend, for instance, checking data importer policies for potential conflicts with Safe Harbor principles, verifying whether individuals may exercise information rights, and checking whether onward transfers to third parties are covered by data transfer agreements or sufficient consent requirements.

c. Opinions Issued by the Article 29 Working Party

The Article 29 Working Party consists of representatives of national data privacy enforcement agencies, the EU Commission, and other EU institutions. It has an advisory status and is regarded in Europe as an independent opinion leader in EU data privacy enforcement. The Working Party’s opinions are frequently relied upon as interpretive guidance by national courts and the EU Commission.

The Article 29 Working Party also published an opinion that addresses key data privacy risks in the context of mobile apps (WP 202 from February 2013).[76] It found that mobile apps can raise particular privacy concerns due to their ability to collect large quantities of personal data from a user’s device, including contact information and location data. The Working Party further wrote that certain data collection without user consent can transgress EU data privacy laws and that mobile apps must provide sufficient information about what data they are processing in order to allow for meaningful user consent.

In April 2013, the Article 29 Working Party adopted an explanatory document (WP 204) concerning BCRs for data processors.[77] These BCRs ensure that data transfers by a data processor who acts on behalf of his clients and in accordance with their instructions are compliant with requirements for the transfer of data outside the EU. The explanatory document aims at providing further guidance to companies on the required content for data processor BCRs.
The Article 29 Working Party also adopted an opinion concerning the use of cookies and similar tracking technologies for various purposes (WP 208 from October 2013).[78] Based on the so-called e-Privacy Directive, 2002/58/EC, the opinion describes a framework for a compliant website across all EU Member States. In so doing, it places a consent requirement at the heart of relevant compliance measures, recommending that consent mechanisms for cookies include specific information about cookies’ purposes, prior consent (before data processing starts), precise information about how users can actively signify their consent, and the provision of real choice whether to accept cookies.

Furthermore, in November 2014, the Article 29 Working Party adopted Guidelines Concerning the Implementation of the European Court of Justice’s ruling regarding the "Right to be Forgotten."[79] As a key requirement, the Article 29 WP demands that delisting decisions must be implemented in such a way that they guarantee the effective and complete protection of data subjects’ rights. Therefore, delisting must not be limited to EU domains but instead must include all relevant domains (e.g., also ".com" domains).

d. Service Provider Data Breach Notification Obligations

In August 2013, Regulation No. 611/2013 came into force. This regulation seeks to harmonize the standards for notifications of personal data breaches. A personal data breach is defined under EU law (Directive No. 2002/58/EC) as a breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data processed in connection with the provision of a publicly available electronic communications service in the EU. A notification obligation is imposed on providers of publicly available electronic communication services, i.e., telecom companies and Internet service providers.
When a data breach occurs, the affected service provider must notify the competent national authorities within 24 hours of the detection of the breach, where feasible. In addition, the individuals concerned must be notified without undue delay if the personal data breach is likely to adversely affect the personal data or privacy of the individual.

e. Proposed EU Cyber Security Directive

In March 2014, the EU Parliament assented to a proposed directive governing network and information security across the EU (the "Proposed Cyber Security Directive"). Among other things, the directive would seek to establish network information security strategies and common requirements for technical and organizational measures relating to IT security risk management. Another core element of the proposal is an EU data security network that interlinks various authorities carrying out cyber security tasks. The Proposed Cyber Security Directive also would establish a stricter breach notification requirement for critical infrastructure operators such as energy and transport companies, banks, and health care service providers. Compliance requirements for businesses would be enforced with audits and inspections, binding instructions, and sanctions. To become law, the Proposed Cyber Security Directive requires consent of the EU Member States, which is currently expected to be granted during the course of 2015. Member States would be granted an additional transition period of approximately 18 months to transpose the Directive into national law. Currently, the most disputed issues concern the degree of information exchange within an envisaged EU data security network and the exact scope of the law, i.e., which industries in particular should be made subject to relevant obligations.

f. Google Held Subject to EU Data Privacy Law and the Right to Be Forgotten

In May 2014, the European Court of Justice held that there is a right to be forgotten that individuals may invoke against operators of search engines.[80] The case was brought by a Spanish citizen seeking the removal or concealment of information related to him available through the Google/Google Spain search engine. The search results in question were links to a newspaper article which, 16 years prior, had announced a real estate auction following attachment proceedings for the recovery of social security debts owed by the individual.

As a threshold matter, the court cleared the path for the application of EU data privacy law when it held that Google’s subsidiary in Spain qualifies as an "establishment" under the EU Data Privacy Directive, even though the subsidiary has only marketing functions and is not engaged in actual data processing (which occurs outside the EU). The court held that it is sufficient that the subsidiary is intended to promote and sell, in the Member State in question, advertising space offered by the search engine in order to make the services offered by the search engine more profitable.

The court then held that, by means of automatic, constant, and systematic searches for information published on the Internet, the search engine operator collects data within the meaning of the EU Data Privacy Directive. It further held that activities performed by indexing programs–such as retrieving, recording, organizing, and disclosing information available on the Internet–qualify as data processing as far as personal data of individuals is concerned. Because the search engine operator determines the purposes and means of these processing activities, the Court considered the search engine operator to be the data controller and the entity responsible for data privacy-related claims of affected individuals.
As to the actual scope of the right to be forgotten, the court based its judgment primarily on a balance of interests between an individual’s right to privacy and the protection of personal data, on the one hand, and the legitimate interest of the public in having access to that information, on the other. The outcome of this balancing exercise may vary in individual cases depending on the nature of information in question, its sensitivity for the individual’s private life, and the interest of the public in having the information, which is largely determined by the role played by the individual in public life. The court also highlighted the importance of the information’s staleness. Even accurate data may, in the course of time, become inadequate, excessive, or no longer relevant to the public interest; hence, its processing by the search engine operator may become incompatible with the EU Data Privacy Directive. In such a case, erasure of relevant links and information displayed on the list of search results is logically required by the EU Data Privacy Directive, according to the court.

Google responded by establishing a process for EU persons to request the erasure of relevant search results linked to individuals’ names, and it began responding to such requests in June 2014. Microsoft, which operates its Bing search engine in Europe, followed suit in July by publishing a form that would allow EU persons to request erasure. The EU’s Article 29 Working Party has requested input from search companies like Google, Microsoft, and Yahoo! to finalize guidelines addressing implementation of the European Court of Justice’s decision.

2. France

In France, the protection of personal data is governed by the Loi Informatique et Libertés of January 6, 1978 (hereafter the "Data Protection Act"), which is implemented by the CNIL, a national agency.
The Data Protection Act applies to personal data, which is defined as any data allowing for direct or indirect identification of an individual (e.g., name, telephone number, photo, national identification card number, email address, or family status) or covering "sensitive information" (e.g., health, sexual orientation, political affinity, or membership in a trade union).

a. International Data Transfers

In principle, any transfer of personal data outside of the EU is prohibited unless adequate protection of personal data has been implemented by the recipient of the data. Because the United States has not been deemed to provide a sufficient level of protection of personal data, the transfer of such personal data outside of France to the United States triggers thorny issues, notably in the context of discovery requests. In order to be legitimate, transfer of data outside of France must comply with the requirements set forth at the European level which have been implemented under French law. Indeed, the CNIL deliberation No. 2009-474 of July 23, 2009 organizes the transfer of data to the United States in the context of discovery requests, which must be done either via Binding Corporate Rules, specific contractual clauses or to entities that have been Safe Harbor certified (see Section V.A.1.b). When transferred to US judicial authorities, the CNIL requires that such authorities issue court orders to ensure a sufficient level of protection of the transferred personal data.

The ongoing negotiations of the transatlantic trade and investment partnership (TTIP) between the European Union and the United States raise major concerns in France as to whether such negotiations will cover, and consequently ease, the transfer of personal data.

b. CNIL Enforcement Actions

In 2014, the CNIL pursued a number of enforcement actions, with several resulting in sanctions of up to €150,000, the maximum amount that may be imposed.
In particular, the CNIL fined Google Inc. €150,000 for failure to comply with the requirements of the Data Protection Act. In this matter, the CNIL took issue with, among other things, Google’s "potentially unlimited combination of users’ data" across different Google services. Aware that the fine was insignificant compared to Google’s revenues, the CNIL broadly publicized the fine in an attempt to impact the company’s public image. Following the investigations performed by EU data protection authorities, the Article 29 Data Protection Working Party decided "to help Google" with its compliance efforts and thus adopted a compliance package of dedicated measures. This package aims to offer specific and practical measures that could be implemented quickly by Google to meet the requirements of the European data protection framework. The package was presented to representatives of Google on July 2, 2014, during a meeting held in Paris in the presence of five EU data protection authorities. In a letter to Google dated September 23, 2014, the Article 29 Working Party indicates that it may also consider issuing guidance on specific issues to the entire industry, at a later stage.

In addition, France has (alongside Germany) urged Google to put an end to its anticompetitive practices and to foster transparency for the ranking of websites. The two countries seek to have the European Commission issue a more stringent regulatory framework designed to take a tougher line on Google (as well as on the other GAFAs), either in its antitrust investigation into the company or through the introduction of laws to curb its reach. A draft motion is now calling for the European Commission to consider the "unbundling" of search engines from other commercial services as one possible solution to Google’s dominance, in a similar way to the electricity and gas or telecoms networks.
In theory, unbundling would mean preventing Google’s other commercial services (such as YouTube and Google Shopping) from benefiting from the company’s dominance in search.

Other recent CNIL decisions compelled two French banks to comply with the Data Protection Act due to the malfunctioning of their recording system in the National Register of Household Credit (so-called "FICP") and for breach of confidentiality of their clients’ banking data. Over the past two years, the CNIL had indeed recorded several complaints from the banks’ clients arguing that certain payment incidents had been wrongly registered on the FICP, or that they should have been removed from the register. Certain clients also received confidential information about other clients of the banks. One of the two banks was sanctioned by an official warning and the other bank was given formal notice to comply with applicable legal requirements.

c. Social Networking

On November 7, 2014, the French Commission on unfair terms (Commission des clauses abusives) issued a recommendation advocating for the removal of several unfair terms generally included in contracts of so-called "social networking services," notably in connection with data protection. For instance, it recommends removing clauses according to which the user implicitly agrees to the processing of his/her personal data by the professional, or which organize the transfer of personal data to undesignated third parties, with no need for any formal consent from the user, or which provide for a longer retention period than that provided for by the CNIL, etc. Interestingly, the Commission on unfair terms claims that the user of social networks still qualifies as a consumer even if such user participates in the functioning of the network (which could thus have resulted in qualifying the user as a service provider).
The Commission also innovates when asserting that the use of so-called "social networking service agreements" is not free, since these agreements rely on the processing of personal data to allow for targeted advertising, which should thus be analyzed as a compensation potentially valuable to the professional.

d. Right to Be Forgotten

In the aftermath of the decision issued by the Court of Justice of the European Union (CJEU) dated May 13, 2014[81] which first recognized a "right to be forgotten" on the Internet, French courts have started ruling on delisting requests from plaintiffs seeking protection of their personal data.

In a decision dated December 19, 2014, the Paris High Court ruled in favor of a plaintiff who sought to have Google delist an article discussing the plaintiff’s conviction for fraud in 2006, which came up as one of the first results for a Google search on her name. Interestingly, the plaintiff did not seek to have the article itself removed from the Internet, but rather to hinder its availability online, because it jeopardized her job search, and she had already been forced to resign from her electoral mandate following a tip-off from an anonymous source. She also argued that the personal data yielded by the search associated with her name was now inadequate and excessive considering that her conviction was over eight years old. Finally, the plaintiff asserted that this conviction was not even mentioned on the publicly accessible version of her criminal record.

In its decision, the Paris High Court applied the CJEU’s ruling and determined that the plaintiff had legitimate grounds to petition for the delisting of the incriminating search results. It thus ordered Google Inc. to remove the links to the disputed article within ten days. In so ruling, the High Court rejected Google’s argument that the public had a legitimate interest in information about the plaintiff’s conviction.
While several other French courts have urged Google to remove disputed articles because they included discriminatory statements, following the CJEU’s ruling, this decision is the first enforcement of the "right to be forgotten" in France.

3. Germany

a. Regulatory Enforcement and Developments

The German courts and data protection authorities also have been very busy recently. In November 2013, a Berlin court held various clauses in Google’s terms of use and data privacy statements to be void. In addition, in April 2013, Google was fined approximately €145,000 for the unintended collection of certain data during its Google Street View recording operations.

In September 2014, the Higher Administrative Court of Schleswig-Holstein (Schleswig-Holsteinisches Oberverwaltungsgericht) held that operators of Facebook fanpages are not responsible for user data being further processed by Facebook. The judgment was delivered upon appeal by the regional data protection authority in Schleswig-Holstein which had initially ordered a local chamber of commerce to deactivate its Facebook fanpage. The Higher Administrative Court rejected the notion that the Facebook fanpage operator had data control, because the fanpage operator had no influence on the technical and legal aspects of the data processing by Facebook itself. Nor may data control be derived from the fact that Facebook provides statistical information to operators of fanpages. As a result, the data protection authority did not have the necessary power to order the fanpage operator to deactivate the fanpage.

Interestingly, Facebook had already obtained a significant favorable ruling in April 2013 before the same court concerning the applicable data privacy law. This decision held that the European Facebook network was validly governed by Irish data privacy laws and fell under the competence of the Irish data privacy regulators.
(Facebook’s European headquarters are in Ireland.) This division of competence also was true with respect to regulations affecting Facebook’s users in Germany and other EU member states. The Court therefore revoked data privacy orders imposed against Facebook by a German regulator who had requested that Facebook implement a feature through which German Facebook users could anonymously use the Facebook network.

In September 2014, the Higher Administrative Court of Lower-Saxony (Niedersächsisches Oberverwaltungsgericht) provided important guidance regarding the practical implementation of CCTV surveillance. The court balanced the legitimate interests of individuals subject to CCTV surveillance against the CCTV operator’s rights to undisturbed possession of the protected property and legitimate interest of preventing abstract and concrete dangers of crime. In the case under consideration, the cameras would only turn on if they detected movement, were pointed at a fixed observation area and did not have a zoom function. Recordings were immediately transferred into a blackbox (no monitor observation) which was itself password-protected and after ten days, any recordings were deleted automatically. In addition, signs were installed indicating that CCTV was in operation. Consequently, the court held that the concrete CCTV measures had not severely intruded into the privacy of individuals because it had not been possible to recognize faces or generate movement profiles. With regard to storage periods, the court also held that a storage period of up to 10 working days instead of just three days as typically requested by German data protection authorities would be reasonable in light of the objective to detect crime and given the potential absence of relevant employees due to holidays.
In another important decision from August 2013, the Higher Regional Court of Hamm (Oberlandesgericht Hamm) decided that YouTube did not have to remove a video clip revealing information about a German diplomat who had escaped prosecution for causing a car accident in Moscow based on diplomatic immunity. The diplomat was ultimately sentenced by a German court, and the Higher Regional Court found that, in this case, the public interest in the information outweighed the diplomat’s privacy interests.

On the regulatory front, in June 2013, the Bavarian data privacy authority fined an employee of a company for using "open" email distribution lists. The employee had unintentionally sent mass emails to customers disclosing the recipients’ identities in the "to" and "cc" lines of the email, enabling all recipients to obtain personal data (e.g., name and email address information) of other customers, which in the regulator’s view constituted a data privacy violation.

Additionally, a data privacy regulator in Lower Saxony prohibited private companies from copying personal identification cards and passports, for data privacy reasons. This decision was appealed but upheld by the competent appellate court (Administrative Court of Hannover) in November 2013. Copying customer identification documents is a widespread practice in many industries; if other regulators share the very strict view of the Lower Saxony data protection authority, the results could significantly impact businesses operating in Germany.

Finally, in December 2014, the data protection authority of North-Rine Palatinate closed an investigation concerning alleged data privacy violations by German insurance company Debeka.
The regulator had launched investigations in response to assertions that Debeka employees had illegally acquired personal data and information about public service candidates in order to gather and use the information on prospective insurance clients, without the consent of the individuals concerned. Debeka agreed to a settlement of €1.3 million and additionally to fund university research on data privacy protection with an additional €600,000. This fine significantly topped the fine of €1.1 million imposed on Deutsche Bahn in 2009 for the mass screening of 173,000 employees, and is a strong signal that German regulators are willing to rigorously enforce data privacy laws.

b. Internal Investigations and Email Reviews

On May 27, 2013, the Administrative Court of Karlsruhe (Verwaltungsgericht Karlsruhe) issued an important judgment that brings more certainty into the process of reviewing emails during an internal investigation or in similar circumstances. Under German law, a provider of telecommunications services may be held criminally liable for certain violations of user data privacy. Authorities on the subject have debated whether an employer’s review of an employee’s emails violates this provision, which is part of the German Act for Telecommunications Services. The Administrative Court of Karlsruhe ruled that an employer cannot be classified as a provider of telecommunications services under the Act, because the Act is not designed to regulate the internal relationship between employers and employees. Despite this ruling, however, it is important to note that hurdles to the review of employee emails remain. In particular, German data protection laws stipulate that an email review is permitted only if it is necessary and proportionate.
Moreover, where there is an investigation of an alleged criminal offense, concrete grounds for suspicion must exist with regard to the specific employee whose electronic data is the subject of the review.

c. Non-Enactment of EU Directive

In April 2014, the European Court of Justice declared EU Directive No. 2006/24 to be incompatible with fundamental human rights. That directive attempted to harmonize different national laws for the storage of telecommunications data for the purpose of criminal investigations. The European Court of Justice decided that the storage of communication data as foreseen by the directive disproportionately infringed upon privacy rights. In particular, the court held that the directive did not sufficiently distinguish between the seriousness of crimes, did not appropriately distinguish between separate data categories for the purpose of determining storage periods, and did not provide for sufficient preconditions for data access by national authorities. The German government had decided to wait until the European Court of Justice’s opinion was handed down before enacting the directive. Following the court’s nullification of the directive, there is a debate in Germany about whether a national initiative for the storage of telecommunications data should be pursued.

d. Draft Bill on Standing of Consumer Associations in Data Privacy Proceedings

The German legislator intends to strengthen enforcement of data privacy laws by allowing consumer rights associations to bring actions for injunction and demand removal of infringements on behalf of consumers. Relevant changes shall be included in the German Act Governing Collective Actions for Injunction (Unterlassungsklagengesetz–UklaG).
The draft has been heavily criticized for creating additional burdens for businesses and the risk of parallel decision-making as well as loss of legal certainty, particularly given that consumer protection organizations already often demand deletion of data collected in breach of data privacy laws. Online service providers might ultimately be required to delete relevant user data even though individual users do not oppose data processing by a particular company. As of today, it remains in doubt whether and in what form the draft law will eventually be enacted and whether collective enforcement will in fact play a significant role in German data privacy law.

4. United Kingdom

The Information Commissioner’s Office ("ICO") has remained active following a marked increase in activity in 2012, and in July 2014 it was reported that it had received a record number of complaints in the preceding financial year.

a. ICO Activity and Enforcement Actions

The ICO’s recent activities have included clamping down on unsolicited text messages and calls, and continuing ongoing dialogues on state surveillance in light of the Edward Snowden revelations and recent controversies relating to the NHS’s handling of confidential medical records. While fines issued by the ICO had previously been limited to local authorities and financial services, in January 2013, Sony’s European subsidiary was fined 250,000 GBP for a "serious breach" of the Data Protection Act 1998 (the "Data Protection Act") for failing to protect the personal details of PlayStation network users. In 2011, hackers had accessed the names, email and postal addresses, dates of birth and passwords of millions of customers, and the ICO held that the hack could have been prevented if Sony had used more up-to-date software.
In line with its current priorities, in December 2014 the ICO issued a 70,000 GBP fine to the organizers of Manchester’s annual festival for sending unsolicited text messages, and fined a boiler insurance firm 90,000 GBP for continuously making nuisance sales calls to vulnerable people. In August 2014 it also raided a call center in Llanelli, Wales, suspected of being connected to spam text operations.

The ICO recently found that Caerphilly Council in Wales had breached the Data Protection Act in ordering the covert surveillance of an employee suspected of fraudulently claiming to be sick, holding that the council did not have sufficient grounds to undertake the surveillance, particularly as it began only four weeks into the employee’s sickness absence, and that no other measures were taken to discuss the employee’s absence before the covert surveillance commenced.[82]

In addition, the ICO recently commented that users of Google Glass (and other similar wearable technology) would be subject to the same rules as CCTV, meaning that in some situations, the Data Protection Act could be breached. In August 2014, the ICO warned barristers and solicitors to keep personal information secure (particularly paper files) following numerous breaches reported to the ICO involving the legal profession.[83] Further, in November 2014, Grampian Health Board in Scotland was ordered to take action to ensure better protection of patient information after six data breaches in a thirteen month period involving the abandonment of papers containing sensitive personal data in public areas.

b. ICO Best Practice Guidance

The ICO issued an updated CCTV Code of Practice, acknowledging that "[s]urveillance cameras are no longer a passive technology that only records and retains images, but is now a proactive one that can be used to identify people of interest and keep detailed records of people’s activities…" It warned that surveillance cameras should only be used as a necessary and proportionate response to a "real and pressing problem." In addition, new guidance for drone operators was also issued by the ICO, which stated that drone pilots should protect the privacy of individuals when flying, and that if the drone has a camera, its use could pose a "privacy risk to other people" and be covered by the Data Protection Act.

5. Other European Nations

In November 2014, the Dutch government published the latest in a series of draft proposals for a new law regarding telecom data retention. This newest proposed bill follows the European Court of Justice’s determination that the European Data Retention Directive (2006/24/EC) was invalid. In response to the European Court’s judgment, this new proposal introduces several additional requirements for law enforcement agencies to gain access to the retained telecommunications data, although it leaves the existing set of regulations largely intact. For instance, while telecom data providers would still be required to retain all traffic data falling under the retention obligation for a period of 12 months (telephony data) or 6 months (Internet data), they would now be required to retain all such required data within the Netherlands or another EU Member State. As for law enforcement agencies, the proposed bill would require them to seek prior authorization from an examining judge before accessing the retained telecom data.
In addition, these agencies would only be able to access telephony data that is more than a year old in connection with investigating crimes for which the sentence is 8 years or more. Dutch opposition parties have called for the new proposal to be scrapped, and may try to vote on an alternative bill that would revoke the data retention obligation altogether.

In another interesting development, the Irish government has sided with Microsoft in the latter’s battle to oppose a US court order demanding access to emails stored in the Microsoft data center in Dublin. This issue arose at the end of July 2014, when U.S. District Judge Loretta Preska ruled that Microsoft had to give the U.S. Department of Justice access to Outlook.com emails stored on its Irish servers. Microsoft appealed the ruling, arguing in a filing that the emails "are located exclusively on a computer in Dublin, where they are protected by Irish and European privacy laws." The Irish government has now openly backed Microsoft’s argument, indicating that Microsoft’s provision of this data could seriously compromise international sovereignty and digital privacy. The Irish government’s submission in the case stated that its lack of participation in the U.S. court proceedings does not constitute a waiver of its sovereignty rights, and that the DOJ should make a request under the Mutual Legal Assistance Treaty as the appropriate mechanism to obtain the information it seeks. In addition, a European Parliament member from Germany, Jan Philipp Albrecht, submitted a separate filing in the case highlighting the clash between European and US data privacy laws; his submission stated, among other things, that "[t]he refusal of the U.S. Attorney to recognize that the email account at issue is located in a foreign jurisdiction and subject to foreign data protection rules is not only offensive to the sensitivities of European citizens but also reinforces the already strong sentiment of many EU citizens that their data is not ‘safe’ when they use IT services offered by U.S. corporations."

B. Asia-Pacific Region

Data privacy remained in the Asia headlines during the latter part of 2013 and 2014, with record data breaches and fresh legislative action in key markets. Countries in the Asia-Pacific region also have been active on the legislative front, with many new laws and regulations coming into effect in the past year.

1. India

In the first part of 2014, media reports were swirling that the Central Government was drafting a new data protection bill to significantly beef up its data privacy legal framework. The purported bill, which has not been made public, is largely focused on providing protections against unauthorized surveillance by both individuals and government agencies. If the bill becomes law, those illegally intercepting private communications sent by others will face significantly increased fines. The bill takes particular aim at telecommunications companies, providing for suspensions or license revocation for allowing unauthorized interception of communications. The bill would also create a new agency to enforce the law.[84] Passage of the bill will also help to assuage recent fears of alleged cyber-snooping by the U.S. government.[85]

A major breach in August allowed hackers to break into the Central Government’s National Informatics Centre ("NIC"), the agency charged with building the country’s information and communications technology infrastructure.[86] The hackers were able to use the NIC’s credentials to issue a series of fake digital certificates.
The incident prompted fears by major IT players such as Microsoft, which wrote to the Indian government to express their displeasure at both the breach and NIC’s response.[87]

2. China and Hong Kong

China’s data privacy regime continues to evolve in an attempt to keep pace with its increasingly tech-savvy citizenry. For instance, China recently amended its Consumer Protection Law in response to high-profile thefts of customer data. Among other things, the amendments require business operators to obtain consent prior to the collection and use of consumers’ personal information, to expressly inform consumers of the purposes of the data collection, and to obtain explicit consent prior to marketing to consumers. The amendments also prohibit businesses from selling consumers’ personal information to others. The amendments went into effect on March 15, 2014.

On January 17, 2014, China promulgated forty-five implementing regulations for the Law on Guarding State Secrets (the "Regulations"). Many of the Regulations instruct Chinese government agencies on the proper classification and labeling of items designated as state secrets. The Regulations also mandate that the security mechanisms of enterprises that work on the production, duplication, maintenance, or destruction of state secret carriers, integration of information systems involving state secrets, research or manufacture of weaponry equipment, or other business involving state secrets, shall be subject to review by authorities. An enterprise engaging in business involving state secrets must further meet certain criteria: it must have been duly established in the PRC for over three years; it must not have a criminal record; and it must use PRC citizens to engage in any business involving state secrets.
China-based Alipay, which accounts for 61% of the country’s market share for third-party payment companies, apologized to customers in January 2014 after media reported that a former employee confessed to downloading 20 gigabytes of personal information, including customers’ names, email addresses, home addresses, and purchase records. The former employee allegedly sold the information to e-commerce websites in search of potential customers.

In October 2014, China’s Supreme Court issued new judicial interpretations allowing for civil suits against individuals posting personal details on the Internet without the subject’s consent. The move is widely seen as a response to the "human flesh search engine" phenomenon, where groups of web users search out and post personal details of unpopular individuals.[88]

China also continued to take steps to strengthen its comparatively weak data infrastructure during the latter part of 2014 with the announcement of a communication cable linking Beijing and Shanghai. The cable, according to media reports, features "quantum encryption" technology, which involves writing encryption codes on single photons of light. Supporters of the technology call the forthcoming cable "unhackable."

China also sent waves through the data privacy community when two corporate investigators were convicted in August of having illegally obtained information about Chinese citizens, including phone records and household registration data, which they subsequently resold to clients. The investigators, who had purchased the data for clients in connection with their background and due diligence check services, were both sentenced to prison and received fines.

Hong Kong’s Office of the Privacy Commissioner for Personal Data ("PCPD") recently published guidance on cross-border data transfers, an area of ambiguity in Hong Kong’s Personal Data (Privacy) Ordinance ("PDPO").
Currently, the PDPO contains prohibitions on transferring personal data outside of Hong Kong except in cases where (1) the data subject has consented in writing, (2) the destination has in place an adequate data privacy legal framework (as specified by the Privacy Commissioner), or (3) the data user reasonably believes that the destination provides protections similar to the PDPO. The PCPD guidelines provide context to these exceptions, as well as examples and model data transfer agreement clauses. Importantly, the guidelines are considered voluntary as the relevant portions of the PDPO have not yet come into force, but the PCPD states that the guidance "assists organizations to prepare for the eventual implementation" of the provisions.[89]

3. Japan

On April 30, 2014, Japan signaled its intent to further develop its data privacy regime when it was announced that it had become the third member of the Asia-Pacific Economic Cooperation ("APEC") Cross-Border Privacy Rules System ("CBPRS"). The CBPRS aims to facilitate cross-border data sharing consistent with a set of principles, with the stated goal of optimizing both protection of data as well as transfer efficiency. Japan, which joins fellow APEC members United States and Mexico as CBPRS participants, was approved for the system after submitting a notice of intent to join and providing assurances that its current data privacy regime is consistent with CBPRS principles.

The latter half of 2014 was marred by record data breaches in Japan. In July 2014, a systems engineer at Benesse Corp., a children’s correspondence education provider, was arrested on suspicion of stealing 10 million customers’ data and reselling it to potentially hundreds of companies.
In August 2014, Japanese authorities discovered that the former engineer had, in fact, stolen an additional 20 million customers’ information, including names, phone numbers and birthdates, prior to his arrest.[90] Further investigation revealed that up to 48 million customers had information compromised as a result of the breach.[91] Following these reports, Japan’s Ministry of Economy, Trade and Industry ("METI") announced enforcement proceedings against Benesse Corp. for violations of the Personal Information Protection Act.[92]

In September, the country’s flagship carrier Japan Airlines reported the possible theft of personal information of up to 750,000 customers. Information stolen by hackers included names, birthdates, addresses and places of work.[93] These incidents have prompted METI to announce forthcoming amendments to data privacy rules.[94]

4. South Korea

While the South Korean government likely hoped for a reprieve from data breaches that have plagued the country, major issues persisted into 2014. In August, it was revealed that personal details of fully half of South Korea’s population, including full names and national registration numbers, were stolen from online gaming and movie ticket websites. Among other things, the hackers used personal information to buy and sell virtual currency.

On the legislative side, the government sought to respond to demands for increased personal data protection by passing several amendments to the Act on the Promotion of Information Communication Network Utilization. The amendments, which apply to IT service providers such as telecommunications companies and website operators, require businesses to obtain opt-in consent before sending consumers marketing messages, and provide for monetary compensation to victims of lax personal data security. The amendments also raise the amount of potential fines, while simultaneously lowering the liability threshold for data processors.
One particularly unique aspect of the legislation also allows for fines of up to 3% of company revenue for violations of data protection laws.

5. Malaysia

On November 15, 2013, Malaysia published its long-awaited "Personal Data Protection Act 2010." The comprehensive law is modeled after European data protection regimes and contains strict requirements as to consent, notification, and transfer of personal data. One unique aspect of the law is its extraterritorial application. According to the act, data collection occurring outside of Malaysia must comply with the law if that data is intended to be further "processed" in Malaysia. This provision potentially may affect the practices of companies that store data in Malaysia, regardless of where the data is collected. The law and its accompanying regulations also require data processors in several major economic sectors to register with the government and to provide details about their data privacy programs.

A day after Malaysia Airlines Flight MH370 disappeared en route from Kuala Lumpur to Beijing, several government agencies in Malaysia fell victim to a cyberattack, resulting in the loss of classified data from around 30 computers in the Department of Civil Aviation, the National Security Council and Malaysia Airlines. According to media reports, government departments were sent a virus disguised as a news story about the disappearance of the plane. The attack was traced back to Chinese hackers, and halted by CyberSecurity Malaysia.

6. Singapore

Singapore has recently issued its first comprehensive data privacy law, the Personal Data Protection Act ("PDPA"), with most key provisions coming into effect throughout 2014. The law’s provisions regarding notice, consent, data transfer, and disclosure come into effect on July 2, 2014 and are based on data privacy laws in jurisdictions such as the EU, Canada, Hong Kong, and Australia, as well as OECD guidelines.
While the law imposes strict conditions on the conduct of businesses in their interactions with customers, it contains several exemptions to key provisions where businesses are dealing with their own employees. For example, collection of employees’ personal data does not require consent where "the personal data is collected by the individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship." Consent, use, and disclosure requirements also are relaxed in the context of "investigations," which could include internal investigations conducted by a company in connection with potential violations of law. The Personal Data Protection Commission ("PDPC") has since issued a series of guidelines on PDPA compliance for telecommunications, real estate, social service, education and healthcare sector companies.[95]

As expected, it has not taken long for the financial hub to begin investigating possible violations under the new legal framework. The Personal Data Protection Commission commenced an investigation against China smartphone maker Xiaomi after users complained of receiving unsolicited marketing phone calls,[96] and publicly announced prosecutions against a property salesperson and an education company for violations of the PDPA’s "Do Not Call" provisions.[97]

The government of Singapore also announced in June 2014 that approximately 1,500 online "SingPass" accounts, which contain sensitive personal information and are used by residents to access government services, may have been compromised. The breach came to light when users received unexpected messages from SingPass notifying them that their passwords had been reset. This is one of a series of incidents in a country attempting to get its fledgling data privacy regime off the ground.
Other data privacy breaches in the latter part of 2014 include the leaking of an internal database containing names, phone numbers and identity card numbers of 300,000 customers of a popular karaoke bar chain.[98]

C.   Other International Developments of Note

Canada has also been steadily strengthening its protections for individual data and, correspondingly, regulations on cybersecurity and collection of individual data.  For example, Industry Canada–the Canadian governmental department tasked with fostering and enhancing a robust Canadian economy–has issued final regulations under Canada’s Anti-Spam Legislation (CASL).  CASL will be implemented in three phases: while the majority of CASL came into force July 1, 2014 (including substantive amendments to the Competition Act and the Personal Information Protection and Electronic Documents Act), the rules that apply to computer programs came into force January 15, 2015, followed by the private right of action on July 1, 2017.  Industry Canada has provided interpretive guidance on several issues under CASL, including the definition of a commercial electronic message (CEM), the retroactive application of CASL to express consent obtained before CASL came into force, the application of CASL to IP addresses and cookies, and the interaction between the "unsubscribe" requirement and implied consent.  In addition, as of early January 2015, the Office of the Privacy Commissioner of Canada is launching an effort to determine how advertisers monitor consumers’ online behavior, and whether such advertisers are in fact complying with Canadian privacy laws, and in particular, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Meanwhile in Kenya, citizens and international human rights groups are protesting the proposed Security Laws Bill 2014, which would amend Kenya’s existing anti-terrorism legislation in ways that, according to the concerned citizenry, would seriously impinge upon individuals’ right to basic expectations of privacy and right of free expression.  For instance, the bill also would empower Kenya’s National Intelligence Service to intercept and record telephone conversations without a court order.  In addition, the new bill would make it a felony punishable by a fine of up to 1 million shillings (or USD $11,000) or three years in jail to distribute "obscene, gory or offensive material which is likely to cause fear and alarm to the general public." Media outlets and journalists who publish or broadcast photographs of terror victims without their consent or permission from the police would also receive a jail sentence of up to three years or a fine of up to 5 million shillings (or USD $55,200), or both, according to the bill.  The bill further removes the security of tenure of the inspector general, director general of intelligence and that of the directorate of criminal investigations, which some opponents say will hamper job performance and undermine their independence, making them vulnerable to manipulation by the appointing authority. Meanwhile, in a spate of data breaches in the Cayman Islands reported in late 2014, hackers gained access to emails with bank transfer details and the overseas thieves were able to transfer money out of accounts from several local banks.  Hackers stole more than $300,000 from one victim.  Current banking regulations in the Cayman Islands do not require banks (or any other industry players) to tell customers if their data has been compromised by hackers.  The Cayman Islands Monetary Authority, which regulates banks, has guidance for banks on cybersecurity, but no actual requirements.  
However, new data protection legislation, which has been circulating in the Legislative Assembly for over five years, would add consumer protections and could potentially force banks to notify customers when their data is stolen.  In August 2014, the government released a final consultation on the bill, known as the Data Protection Bill, and it could come up for debate in the Assembly again in 2015.  The bill, which is based on European Union and United Kingdom regulations from the 1990s, has come under fire for being outdated, confusing, and overly complex, but may nevertheless be important simply by virtue of being the first law requiring banks and other entities to notify consumers about data breach incidents.

Rounding out the efforts to tighten data privacy protections around the world, major attempts to reform privacy law in Australia and New Zealand also got underway in 2014.  Australia, in particular, after a decade-long effort, has put in place a set of thirteen principles that regulate the handling of personal information by either Australian governmental entities or certain private entities.  The New Zealand government similarly indicated in May 2014 that it intends to reform its privacy laws to include a new requirement to report data breaches to any affected individuals, as well as the NZ privacy commissioner, and hike up fines for violators.

[1]   Despite the plaintiffs’ attempts to amend their complaint’s deficiencies, the court again dismissed the VPPA claim more recently, this time with prejudice.  In re Nickelodeon Consumer Privacy Litig., No. 12-7829, Opinion (N.D. Cal. Jan. 20, 2015).  The court reiterated its earlier holding regarding the VPPA’s specific definition of PII and held that "[n]othing in the amended Complaint changes the fact that Viacom’s disclosure does not – ‘without more’ – identify individual persons."  Op. at 5.
The court went on to state that plaintiffs’ allegations that Google could take the information it received from Viacom and combine it with other information Google possessed to personally identify the plaintiffs was "entirely hypothetical."  Id. at 6.    [2]   Kat Greene, 2 Tech-Opposed Consumer Bills Die In Calif. Assembly, Law360 (June 25, 2014), available at http://www.law360.com/articles/551523.    [3]   Margaret A. Dale, Capital One to Pay Largest Settlement on Record (Aug. 19, 2014), available at http://www.natlawreview.com/article/capital-one-to-pay-largest-tcpa-settlement-record-0.     [4]   Press Release, Federal Trade Commission, Fandango, Credit Karma Settle FTC Charges that They Deceived Consumers By Failing to Securely Transmit Sensitive Personal Information (March 28, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/03/fandango-credit-karma-settle-ftc-charges-they-deceived-consumers.    [5]   Id.    [6]   Press Release, Federal Trade Commission, FTC Approves Final Consent Settling Charges that Accretive Health Failed to Adequately Protect Consumers’ Personal Information (Feb. 24, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-consent-settling-charges-accretive-health.    [7]   Press Release, Federal Trade Commission,FTC Approves Final Consent Orders Settling Charges that Companies Deceptively Claimed Their Genetically Modified Nutritional Supplements Could Treat Diseases (May 12, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/05/ftc-approves-final-consent-orders-settling-charges-companies.    [8]   Press Release, Federal Trade Commission, Provider of Medical Transcript Services Settles FTC Charges That It Failed to Adequately Protect Consumers’ Personal Information (Jan. 31, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/01/provider-medical-transcript-services-settles-ftc-charges-it.    
[9]   Letter from Maneesha Mithal, Associate Director, Federal Trade Commission, to Dana Rosenfeld, Counsel, Verizon Communications, Inc., (Nov. 12, 2014), available at http://www.ftc.gov/enforcement/cases-proceedings/closing-letters/verizon-communications-inc.   [10]   Id.   [11]   Id.   [12]   Id.   [13]   Id.   [14]   Press Release, Federal Trade Commission, Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False (May 8, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/05/snapchat-settles-ftc-charges-promises-disappearing-messages-were.   [15]   Id.   [16]   Press Release, Federal Trade Commission, Android Flashlight App Developer Settles FTC Charges It Deceived Consumers (December 5, 2013), available at http://www.ftc.gov/news-events/press-releases/2013/12/android-flashlight-app-developer-settles-ftc-charges-it-deceived.   [17]   Press Release, Federal Trade Commission, Medical Billing Provider and its Former CEO Settle FTC Charges That They Misled Consumers About Collection of Personal Health Data (December 3, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/12/medical-billing-provider-its-former-ceo-settle-ftc-charges-they.   [18]   Press Release, Federal Trade Commission, FTC Approves Final Order in Case About Google Billing for Kids’ In-App Charges Without Parental Consent (December 5, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/12/ftc-approves-final-order-case-about-google-billing-kids-app.   [19]   The FTC also alleged Google, in 2011, failed to require any authorization at all for certain in-app purchases.   [20]   Press Release, Federal Trade Commission, Yelp, TinyCo Settle FTC Charges Their Apps Improperly Collected Children’s Personal Information (September 17, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/09/yelp-tinyco-settle-ftc-charges-their-apps-improperly-collected.   
[21]   Other changes include requiring all telemarketing calls to allow the consumer to opt-out of future calls during the call, limiting permissible abandoned calls on a per-calling campaign basis, and exempting telemarketing requirements for pre-recorded calls to residential lines made by healthcare-related entities governed by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  FCC Guidance at 1831, par. 2.   [22]   See Petition for Declaratory Ruling, CG Docket No. 02-278, filed by Consumer Bankers Association on Sept. 19, 2014 (Petition).   [23]   See Petition for Expedited Declaratory Ruling, CG Docket No. 02-278, filed by Vo Apps, Inc. on July 31, 2014 (Petition).   [24]   See Petition for Expedited Declaratory Ruling, CG Docket No. 02-278, filed by Santander Consumer USA, Inc. on July 10, 2014 (Petition).   [25]   See Petition for Expedited Declaratory Ruling, CG Docket No. 02-278, filed by Milton H. Fried, Jr. and Richard Evans on May 27, 2014 (Petition).   [26]   See Petition for Expedited Declaratory Ruling, CG Docket No. 02-278, filed by Vincent Lucas on June 18, 2014 (Petition).   [27]   See Petition for Expedited Declaratory Ruling, CG Docket No. 02-278, filed by Stage Stores, Inc. on June 4, 2014 (Petition).   [28]   See Petition for Expedited Declaratory Ruling and Clarification, CG Docket No. 02-278, filed by TextMe, Inc. on Mar. 18, 2014 (Petition).   [29]   See Petition for Declaratory Ruling, CG Docket No. 02-278, filed by the Retail Industry Leaders Association on Dec. 30, 2013 (Petition).   [30]   See Petition for Exemption, CG Docket No. 02-278, filed by the American Bankers Association on Oct. 14, 2014 (Petition).   [31]   See Letter from Indiana Attorney General Greg Zoeller et al. to Tom Wheeler, Chairman, Federal Communications Commission (Sept. 9, 2014) (Letter).   [32]   White House Press Release, "Launch of the Cybersecurity Framework" (Feb. 
12, 2014), available at http://www.whitehouse.gov/the-press-office/2014/02/12/launch-cybersecurity-framework.   [33]   See Executive Order 13636, "Improving Critical Infrastructure" (Feb. 12, 2013), available at http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.   [34]   Id.   [35]   NIST, "Framework for Improving Critical Infrastructure Cybersecurity" (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.   [36]   Id. at 4.   [37]   Id. at 7.   [38]   Id.   [39]   Id. at 11.   [40]   Id. at 9.   [41]   See NIST, "NIST Roadmap for Improving Critical Infrastructure Cybersecurity" (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf.   [42]   Id.   [43]   NIST, "2nd Privacy Engineering Workshop" (July 28, 2014), available at http://www.nist.gov/itl/csd/privacy-engineering-workshop-september-15-16-2014.cfm.   [44]   NIST, "Privacy Engineering Workshop" (Feb. 13, 2014), available at http://www.nist.gov/itl/csd/privacy-engineering-workshop.cfm; NIST, "2nd Privacy Engineering Workshop" (July 28, 2014), available at http://www.nist.gov/itl/csd/privacy-engineering-workshop-september-15-16-2014.cfm.   [45]   "Experience with the Framework for Improving Critical Infrastructure Cybersecurity," 79 FR 50891 (Aug. 26, 2014), available at https://federalregister.gov/a/2014-20315.   [46]   See NIST, "6th Cybersecurity Framework Workshop" (Dec. 3, 2014), available at http://www.nist.gov/cyberframework/6th-cybersecurity-framework-workshop-october-29-30-2014.cfm   [47]   See http://www.us-cert.gov/ccubedvp.   [48]   NIST, "Update on the Cybersecurity Framework" (Dec. 5, 2014), available at http://www.nist.gov/cyberframework/upload/nist-cybersecurity-framework-update-120514.pdf.   [49]   Id.   [50]   Id.   [51]   Statement of Administration Policy, Executive Office of the President, (Jan. 
9, 2014), available at http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/113/saphr3811h20140109.pdf.   [52]   Paul Szoldra, Snowden:  Here’s Everything We’ve Learned In One Year Of Unprecedented Top-Secret Leaks (June 7, 2014), available at http://www.businessinsider.com/snowden-leaks-timeline-2014-6.    [53]   James Bamford, The Most Wanted Man in the World, available at http://www.wired.com/2014/08/edward-snowden/.   [54]   Paul Szoldra, Snowden:  Here’s Everything We’ve Learned In One Year Of Unprecedented Top-Secret Leaks (June 7, 2014), available at http://www.businessinsider.com/snowden-leaks-timeline-2014-6.    [55]   See Bloomberg, NSA Searched Americans’ Email, Phone Calls, Clapper Says (Apr. 1, 2014), available at http://www.bloomberg.com/news/2014-04-02/nsa-searched-americans-email-phone-calls-clapper-says.html.   [56]   Germany’s Merkel Under Fire Over NSA Scandal (Oct. 5, 2014), available at http://www.worldbulletin.net/news/145683/germanys-merkel-under-fire-over-nsa-scandal.   [57]   Kim Zetter, Feds Threatened to Fine Yahoo $250K Daily for Not Complying with PRISM, (Sept. 11, 2014), available at http://www.wired.com/2014/09/feds-yahoo-fine-prism/.   [58]   Craig Timberg, U.S. Threatened Massive Fine to Force Yahoo to Release Data, (Sept. 11, 2014), available at http://www.washingtonpost.com/business/technology/us-threatened-massive-fine-to-force-yahoo-to-release-data/2014/09/11/38a7f69e-39e8-11e4-9c9f-ebb47272e40e_story.html.   [59]   Charlie Savage and Jeremy W. Peters, Bill to Restrict N.S.A. Data Collection Blocked in Vote by Senate Republicans, (Nov. 18, 2014), available at http://www.nytimes.com/2014/11/19/us/nsa-phone-records.html.   [60]   Julian Hattem, Obama Renews NSA Spying Program After Reform Bill Fails, (December 8, 2014), available at http://thehill.com/policy/technology/226322-obama-renews-nsa-program-after-reform-bill-fails.   [61]   Charlie Miller, Revelations of N.S.A. Spying Cost U.S. 
Tech Companies, (March 21, 2014), available at http://www.nytimes.com/2014/03/22/business/fallout-from-snowden-hurting-bottom-line-of-tech-companies.html.    [62]   See also N.Y.S. Div. of Homeland Sec. & Emergency Servs., NYS Breach Notification Law Changes, http://www.dhses.ny.gov/ocs/breach-notification/.    [63]   New Jersey is considering legislation which would also expand its data breach notification, which is currently pending in the Senate after clearing the Assembly.  H.B. 3146, S. 2188, 216th Leg. (N.J. 2014).   [64]   Bills recently proposed in other states would have required companies to offer free credit monitoring to state residents when security breaches exposed those residents’ personal information.  Both Rhode Island’s H. 7519, which would have required any "person required to disclose a breach" under Rhode Island’s data breach law, to "provide one year of credit monitoring to any resident of Rhode Island, at no cost to the resident, whose personal information was, or is reasonably believed to have been" compromised, and Minnesota’s H.F. 2253, which would have required companies to provide the same services to residents of Minnesota whose "unencrypted personal information" was compromised,  died in committee.    [65]   See, e.g., Personal Online Account Privacy Protection Act, H.B. 340, 40th Leg., Reg. Sess. 2014 (La. 2014); H.B. 1407, Reg. Sess. 2014 (N.H. 2014); Act Relating to Education and Labor–Social Media Policy, H.B. 7124 (R.I. 2014); Employee Online Privacy Act, S.B. 1808, H.B. 1852 (Tenn. 2014); S.B. 5211, 63rd Leg., 2013 Reg. Sess. (Wash. 2013); A.B. 2878, S.B. 1915, 215th Leg., 2012-2013 Reg. Sess. (N.J. 2013); see generally Nat’l Conf. on State Legs., http://www.ncsl.org/research/telecommunications-and-information-technology/employer-access-to-social-media-passwords-2013.aspx#2014 (cataloguing legislation regarding employer access to social media usernames and passwords).    
[66]   See, e.g., No College Requests for Social Media, S.B. 422, 51st Leg., 1st Sess. (N.M. 2013); Act Relating to Education and Labor–Social Media Policy, H.B. 7124 (R.I. 2014).   [67]   See also Surveillance Act, S.B. 2937, 98th Reg. Sess. (Ill. 2014) (amends law to prohibit law enforcement use of information obtained from a drone owned by a private individual without a warrant); S.B. 196, 2013-2014 Reg. Sess. (Wis. 2014) (requiring a warrant before law enforcement may use UAS where a reasonable expectation of privacy exists); Freedom from Unwanted Surveillance Act, H.B. 591, S.B. 796, 108th Reg. Sess. (Tenn. 2013) (similar restrictions on use, court admissibility, and creation of a private remedy); Freedom from Drone Surveillance Act, S.B. 1587, 98th Gen. Assemb. (Ill. 2013) (enacting similar restrictions on the use of UAS without a warrant).    [68]   At the federal level, Congress has set a deadline of September 2015 for full integration of UAS into its regulations, although a government audit expressed doubts about this deadline being met.  See Office of Inspector General, FAA, Report AV-2014-061, FAA Faces Significant Barriers to Safely Integrate Unmanned Aircraft Systems into the National Airspace System (June 26, 2014),  https://www.oig.dot.gov/library-item/31975.  In July 2014 the Federal Aviation Administration issued a policy consolidating regulations on drone use in federal airspace, without the creation of any new regulations.  See U.S. Dep’t of Transportation, N JO 7210.873, Air Traffic Organization Policy, Unmanned Aircraft Operations in the National Airspace System, http://www.faa.gov/documentLibrary/media/Notice/N_JO_7210.873_Unmanned_Aircraft_Operations.pdf.  In addition, in June 2014 the FAA issued the first permit for a commercial unmanned aircraft to fly over U.S. soil.  Oil company BP will be allowed to conduct aerial surveys over Alaska.  
See FAA, Press Release–FAA Approves First Commercial UAS Flights over Land (June 10, 2014), http://www.faa.gov/news/press_releases/news_story.cfm?newsId=16354.  Other exemptions were subsequently awarded by the FAA, for example to drones used in TV and movie productions with a proper permit. See FAA, Press Release–U.S. Transportation Secretary Foxx Announces FAA Exemptions for Commercial UAS Movie and TV Production (Sept. 25, 2014), http://www.faa.gov/news/press_releases/news_story.cfm?cid=TW251&newsId=17194.   [69]   Kamala D. Harris, California Dep’t of Justice, Making Your Privacy Policies Public: Recommendations on Developing a Meaningful Privacy Policy, (May 2014), https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.   [70]   The California legislature also is considering a bill that would prohibit online retailers from collecting certain information about their customers.  S.B. 383, Reg. Sess. (Cal. 2014).  The bill, which has cleared the Senate, is seen as a reaction to the California Supreme Court’s ruling in Krescent, 56 Cal.4th 128 (2013) (holding restrictions on data collection placed on brick-and-mortar business do not apply to online retailers).  (We discuss this case in Section I.B.5 above).  The bill would allow billing addresses and ZIP codes to be retained only if used to address identity theft and fraud, while also prohibiting selling such data to third parties.   [71]   For more information, see Gibson Dunn’s article, "California Tightens Privacy Protection, Part 1 of 2:  New California data privacy laws impose restrictions on third-party tracking and data breach notification," (Nov. 18, 2013), available at http://www.gibsondunn.com/wp-content/uploads/documents/publications/SouthwellCaliforniaPrivacyPartOne.pdf.   
[72]   For more information, see Gibson Dunn’s article, "California’s New ‘Digital Eraser’ Evaporates Embarrassment, Part 2 of 2: New California privacy laws will make it easier for kids to remove inappropriate posts from websites," (Nov. 19, 2013), available at http://www.gibsondunn.com/wp-content/uploads/documents/publications/SouthwellCaliforniaPrivacyPartTwo.pdf.   [73]   For more discussion regarding the new cybersecurity proposal, see Alexander H. Southwell, Eric D. Vandevelde, Ryan T. Bergsieker, Stephenie Gosnell Handler & Adam Chen, of Gibson, Dunn & Crutcher LLP, U.S. President Obama Announces Renewed Focus on Securing Cyberspace and Protecting Consumer Privacy, 15 Bloomberg BNA 1, available at http://www.gibsondunn.com/wp-content/uploads/documents/publications/WorldDataProtectionReport-BNA-Jan2015.pdf.   [74]   See Sophia Pearson & Andrew Zajac, ‘Guccifer’ Indicted in U.S. for ID Theft, Cyberstalking, Bloomberg (June 12, 2014), available at http://www.bloomberg.com/news/2014-06-12/u-s-indicts-romanian-hacker-guccifer-for-cyberstalking-1-.html.   [75]   Bitcoin is a currency created in 2009 that is exchanged without the use of banks, thereby allowing holders of Bitcoin to make purchases anonymously.  Bitcoin exchanges allow customers to buy or sell Bitcoins using different currencies.  Bitcoin owners can transfer Bitcoins digitally via a computer file that serves as a public ledger called the "block chain."    [76]   See WP 202, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf.   [77]   See WP 204, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp204_en.pdf.    [78]   See WP 208, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf.    [79]   See WP 225, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf.    
[80]   For discussion of the current EU Data Privacy Regulation and the Article 29 Working Party Guidelines concerning the "right to be forgotten," see above at Sections V.A.1.a and V.A.1.c.   [81]   CJEU No. C-131/12, Google Spain SL v. Agencia Española de Protección de Datos. See discussion above in Section V.A.1.f.   [82]   It is worth noting that the ICO accepts that covert surveillance of employees may be justified as a last resort in exceptional circumstances; the employer should be satisfied there are grounds for suspecting criminal activity (or equivalent malpractice), and that notifying the employee concerned would prejudice detection or prevention.   [83]   Barristers and solicitors are generally classed as data controllers, making them legally responsible for the personal information they process.   [84]   Gulveen Aulakh, India Proposes to Penalise Invasion of Privacy Offences in Draft Bill, (Feb. 18, 2014), available at http://articles.economictimes.indiatimes.com/2014-02-18/news/47451233_1_personal-data-privacy-bill-draft-bill.   [85]   India Increasing Data Protection after US Cyber Snooping, (Dec. 10, 2014), available at http://www.business-standard.com/article/news-ians/india-increasing-data-protection-after-us-cyber-snooping-114121001016_1.html.   [86]   See http://www.nic.in/node/41.   [87]   Saikat Datta, Security Breach in NIC, Critical Data at Risk, (Aug. 10, 2014), available at http://www.hindustantimes.com/india-news/newdelhi/nic-security-breach-raises-concerns-about-india-s-net-security-practices/article1-1250464.aspx.   [88]   Chen Yifei, New Internet Rules Allow Websites to be Sued for Defamation in China, (Oct. 10, 2014), available at http://www.scmp.com/news/china-insider/article/1613890/new-internet-rules-allow-website-be-sued-defamation-china.   [89]   PCPD Publishes Guidance on Personal Data Protection in Cross-border Data Transfer, (Dec. 
29, 2014), available at  http://www.pcpd.org.hk/english/news_events/media_statements/press_20141229.html.   [90]   See Benesse Suspect gets Fresh Warrant over Second Data Theft, http://www.japantimes.co.jp/news/2014/08/11/national/crime-legal/benesse-suspect-gets-fresh-warrant-over-second-data-theft/#.VK5StpgcTGg.   [91]   Toshio Aritake, Japan Ministry to Amend Data Security Rules As Breached Company Says 48.6M Affected, (Oct. 6, 2014), available at http://www.bna.com/japan-ministry-amend-n17179895732/.   [92]   Japan’s Ministry of Economy, Trade and Industry.   [93]   Megumi Fujikawa, Japan Airlines Reports Hacker Attack, available at http://www.wsj.com/articles/japan-airlines-reports-hacker-attack-1412053828.   [94]   Toshio Aritake, Japan Ministry to Amend Data Security Rules As Breached Company Says 48.6M Affected, (Oct. 6, 2014), available at http://www.bna.com/japan-ministry-amend-n17179895732/.   [95]   PDPC Advisory Guidelines, available at http://www.pdpc.gov.sg/legislation-and-guidelines/advisory-guidelines.   [96]   Irene Tham, Xiaomi Under Probe over Alleged Privacy Breach, (Aug. 14, 2014), available at http://www.straitstimes.com/news/singapore/more-singapore-stories/story/xiaomi-under-probe-over-alleged-privacy-breach-20140814.   [97]   Property Salesperson to be Charged for Breaching the Do Not Call Requirements, (Sept. 22, 2014), available at http://www.pdpc.gov.sg/news/press-room/page/0/year/2014/property-salesperson-to-be-charged-for-breaching-the-do-not-call-requirements.   [98]   Irene Tham and Pearl Lee, Personal Data of 300,000 K Box Singapore Clients Surfaces Online, (Sept. 16, 2014), available at http://www.straitstimes.com/news/singapore/courts-crime/story/personal-data-300000-k-box-singapore-clients-surfaces-online-20140.   The following Gibson Dunn attorneys assisted in preparing this client alert: Alexander H. Southwell, Michael Li-Ming Wong, Karl G. Nelson, Joshua A. 
Jessen, Michael Walther, James Cox, Michael Adelman, Nicolas Autet, Nathaniel L. Bach, Abbey Barrera, Ryan T. Bergsieker, Jennifer Bracht, Amy Chmielewski, Lyndy Davies, Kai Gesing, Jared Greenberg, Stephenie Gosnell Handler, Hartmut Kamrad, Kyle J. Kolb, Salomé Lemasson, Jeana Bisnar Maute, Tiffany Phan, Henry Pistell, Genevieve B. Quinn, Priyanka Rajagopalan, Reid Rector, Shawn D. Rodriguez, Ashley Rogers, Ilissa Samplin, Danielle Serbin, JP Shih, Jillian Stonecipher, Oliver Welch, Tristan Welham, Amy Wolf, Peter Wu, Adam Yarian, Lindsey Young, Alexander Zbrozek, Zhou Zhou, and Timothy Zimmerman.

© 2015 Gibson, Dunn & Crutcher LLP

March 9, 2018 |
D.C. Circuit Applies U.S. Copyright Law to Video Content Streamed from Abroad

On March 2, 2018, the United States Court of Appeals for the D.C. Circuit decided an important case addressing two separate, still unsettled questions about the scope of copyright infringement liability.  See Spanski Enterprises v. Telewizja Polska, S.A., No. 17-7051 (D.C. Cir. Mar. 2, 2018).  In brief, the court held that the defendant infringed the plaintiff’s exclusive public performance right when, without authorization, it made copyright-protected television programming available to stream inside the United States, even though the stream was hosted outside the United States.  This was the first time a federal court of appeals considered whether streaming content originating extraterritorially is subject to U.S. copyright liability.  Separately, though the defendant insisted that it could not face liability unless it “volitionally” selected the content delivered to each user, the court held that operating a video-on-demand system which allowed members of the public to receive a copyright-protected performance constituted copyright infringement. Spanski Enterprises involved a longstanding licensing agreement between Telewizja Polska (TVP), the national broadcasting company of Poland, and Spanski Enterprises, a Canadian corporation in the business of distributing Polish-language programming.  A 2009 settlement agreement between the parties established that Spanski alone could distribute the programming at issue in North and South America, whether over the Internet or otherwise.  TVP continued to distribute its programming everywhere else in the world, including by offering episodes for streaming on its website, but used geoblocking technology to ensure that no IP address associated with North or South America could access any programming to which Spanski held the license.  However, in 2011 attorneys for Spanski discovered that users in North and South America could still access programming that should have been geoblocked.  
Spanski sued TVP for infringement and, after a five-day bench trial, Judge Tanya Chutkan of the United States District Court for the District of Columbia found TVP liable. On appeal, TVP raised two main challenges to the district court’s ruling.  First, it argued that it could not commit copyright infringement because none of its conduct took place within the United States, and the Copyright Act does not apply extraterritorially.  Second, it argued that a defendant only faces copyright liability if its “conduct was volitional.”  Because TVP merely operated an “automatic content delivery system” from which the user “selects the content it will view” without TVP’s involvement in processing that request, TVP insisted it had not violated the law.  The United States filed an amicus brief on behalf of Spanski, urging the court to reject both TVP’s arguments. In an opinion written by Judge Tatel and joined by Judges Griffith and Wilkins, the court of appeals affirmed, holding TVP liable for infringing Spanski’s exclusive rights.  Applying the Copyright Act to TVP’s conduct is not an impermissible extraterritorial application, the Court explained, because “the infringing performances—and consequent violation of Spanski’s copyrights—occurred on the computer screens in the United States on which the episode’s images were shown.”  TVP argued that when a performance originates internationally but is shown to the public within the country, only the domestic viewer was liable for copyright infringement.  The court disagreed, holding that a broadcaster remains liable for “the infringing display of copyrighted images on the viewer’s screen” whenever such a performance occurs “in the United States,” no matter where the broadcaster is located. 
The court also held that an unauthorized performance via a video-on-demand system like TVP’s infringed Spanski’s exclusive rights, even without proof that TVP took a “volitional” act, because TVP made it possible for end users to select copyright-protected content.  The text of the Copyright Act, the court explained, imposes liability whenever a defendant makes it possible for “members of the public” to “receive[] the performance” of copyrighted content.  The court found it unnecessary to decide whether a “volitional conduct” requirement exists at all or how far it extends, holding that TVP’s conduct constitutes infringement “whatever the scope of any such requirement might otherwise be.” In rejecting TVP’s “volitional conduct” argument, the court of appeals relied heavily on the Supreme Court’s 2014 decision in American Broadcasting Cos. v. Aereo, Inc., 134 S. Ct. 2498 (2014).  In Aereo, the Supreme Court held that an intermediary service that automatically captured and retransmitted broadcast television signals infringed the public performance right, even where the end user and not the service selected which content to capture.  The D.C. Circuit concluded that Aereo “forecloses [TVP’s] argument that the automated nature of its video-on-demand system or the end user’s role in selecting which content to access insulates it from Copyright Act liability.”  The court noted that TVP’s video-on-demand service involved TVP itself even more directly in the infringing performances than did the system in Aereo: unlike in Aereo, TVP itself selected and uploaded the content its system made available. Both holdings are important developments.  No other federal court of appeals has yet squarely held that U.S. 
copyright law applies to performances originating internationally that can be viewed inside the United States—though, as Professor Nimmer puts it in his copyright treatise, it requires only “a straightforward application of the statute” to hold that such performances are actionable.   5 Melville B. Nimmer & David Nimmer, Nimmer on Copyright § 17.02 (rev. ed. 2017).  This holding will prevent would-be infringers from evading liability simply by relocating across a border. Separately, though the court refused to decide whether a “volitional conduct” requirement exists, its application of Aereo to TVP’s on-demand system adds fuel to the ongoing debate over the Copyright Act’s scope.  Several courts of appeals, both before and since the Supreme Court’s Aereo decision, have held that the Copyright Act only applies to “volitional conduct.”  BWP Media USA, Inc. v. T & S Software Associates, Inc., 852 F.3d 436 (5th Cir. 2017); Perfect 10, Inc. v. Giganews, Inc., 847 F.3d 657 (9th Cir. 2017); CoStar Group, Inc. v. LoopNet, Inc., 373 F.3d 544 (4th Cir. 2004); Parker v. Google, Inc., 242 F. App’x 833 (3d Cir. 2007).  In its amicus brief, however, the Government argued that Aereo “rejected” a volitional-conduct argument.  Thus, it will be up to future courts to decide the ultimate fate of the defense. Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, or the authors: Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com) Connor S. Sullivan* – New York (+1 212-351-2459, cssullivan@gibsondunn.com) *Prior to joining the firm, Connor Sullivan contributed to an amicus curiae brief filed in this appeal in support of Spanski Enterprises. 
Please also feel free to contact the following practice group leaders: Intellectual Property Group: Wayne Barsky – Los Angeles (+1 310-552-8500, wbarsky@gibsondunn.com) Josh Krevitt – New York (+1 212-351-4000, jkrevitt@gibsondunn.com) Mark Reiter – Dallas (+1 214-698-3100, mreiter@gibsondunn.com) Media, Entertainment and Technology Group: Scott A. Edelman – Los Angeles (+1 310-557-8061, sedelman@gibsondunn.com) Ruth E. Fisher – Los Angeles (+1 310-557-8057, rfisher@gibsondunn.com) Orin Snyder– New York (+1 212-351-2400, osnyder@gibsondunn.com) Appellate and Constitutional Law Group: Mark A. Perry – Washington, D.C. (+1 202-887-3667, mperry@gibsondunn.com) Caitlin J. Halligan – New York (+1 212-351-4000, challigan@gibsondunn.com) Nicole A. Saharsky – Washington, D.C. (+1 202-887-3669, nsaharsky@gibsondunn.com) Technology Transactions Group: David H. Kennedy – Palo Alto (+1 650-849-5304, dkennedy@gibsondunn.com) Daniel Angel – New York (+1 212-351-2329, dangel@gibsondunn.com) Shaalu Mehra – Palo Alto (+1 650-849-5282, smehra@gibsondunn.com) © 2018 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

December 5, 2007 |
Deal Note: Gibson Dunn’s Media & Entertainment Group Represents Vivendi in Proposed Combination of the Businesses of Vivendi Games and Activision

Gibson, Dunn & Crutcher LLP’s Media & Entertainment Group is pleased to announce its representation of Vivendi in connection with the proposed combination of the businesses of Vivendi Games and Activision which will create Activision Blizzard, which will be the largest pure-play video game publisher. The transaction is valued at $18.9 billion. Upon consummation of the transaction, Vivendi will hold a 52% ownership interest in the combined business, which percentage could increase to as much as 68% depending on the results of a post-closing self-tender offer by Activision Blizzard.  The management of both companies hosted a joint conference call and live webcast on Monday, December 3, 2007. An audio replay of the call will be available through December 17, 2007 by calling (888) 203-1112 in the U.S. or (719) 457-0820 outside the U.S. and entering the pass-code: 5648597. In addition, a webcast replay also will be archived on the Investor Relations section of each company’s website.  Gibson Dunn’s team is led by Ruth Fisher, Co-Chair of the firm’s Media & Entertainment Practice Group, and includes Mark Lahive, Mary Ruth Hughes, Kristin Blazewicz and Ciara Stephens for corporate, Hatef Behnia and Afshin Beyzaee for tax, Ron Ben-Yehuda for intellectual property, Sean Feller for employment and employee benefits, and Sandy Pfunder, Joel Sanders and Rebecca Justice Lazarus for antitrust.  Details of this transaction are available on the Vivendi website.    Gibson Dunn’s Media & Entertainment Group comprises talented lawyers across our firm and practice areas who are among the most highly regarded in the converging media, entertainment and technology industries, offering a single "new media" platform that is unmatched in depth and scope among large law firms. 
For additional information on this matter, please contact the Gibson Dunn attorney with whom you work, Ruth Fisher (310-557-8057, rfisher@gibsondunn.com) or Mark Lahive (310-552-8580, mlahive@gibsondunn.com) in Gibson Dunn’s Century City office, or any member of the firm’s Media & Entertainment Practice Group. © 2007 Gibson, Dunn & Crutcher LLP Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

June 13, 2016 |
Drone Privacy: Voluntary Best Practices Released by Multi-Stakeholder Group

Los Angeles of counsel Eric D. Vandevelde and Orange County associate Jared Greenberg are the authors of "Drone Privacy: Voluntary Best Practices Released by Multi-Stakeholder Group" [PDF] published in the June 13, 2016 issue of the Privacy and Security Law Report.

September 19, 2006 |
European Court of Justice Delivers Important Judgment in Laserdisken Case on Interplay Between National and EU Copyright Law

On 12 September 2006, the European Court of Justice (ECJ) delivered an important judgment on the interplay between national and EU copyright law, a judgment which also has implications for the interplay between IP and antitrust in the EU. The Laserdisken case concerned the import and sale in Denmark of DVDs lawfully marketed outside the European Economic Area (EEA). The key legal provision is Article 4(1) of EU Copyright Directive (2001/29) which enshrines the exclusive right for authors, in respect of the original of their works or of copies thereof, to authorise or prohibit any form of distribution to the public by sale or otherwise. Article 4(2) of the Directive provides that the distribution right is not to be exhausted except where the first sale or other transfer of ownership in the Community of that object is made by the rightholder or with his consent. It follows that for the right in question to be exhausted, two conditions must be fulfilled:  first, the original of a work or copies thereof must have been placed on the market by the rightholder or with his consent and,  second, they must have been placed on the market in the Community. The ECJ found that  Article 4(2) of the Directive did not leave it open to the Member States to introduce or maintain in their respective national laws a rule of exhaustion in respect of works placed on the market not only in the Community but also in non-member countries. The WIPO Copyright Treaty does not affect the contracting parties’ power to determine the conditions governing how exhaustion of that exclusive right may apply after the first sale.  The harmonisation of national copyright laws promotes competition in the internal market. 
The rule of exhaustion in the Community is not a disproportionate measure in view of the fact that legal protection of intellectual property rights is necessary in order to guarantee an appropriate reward for the use of works and to provide the opportunity for satisfactory returns on investment, and  is a way of ensuring that European cultural creativity and production receive the necessary resources and of safeguarding the independence and dignity of artistic creators and performers. That the principle of equal treatment does not apply as between a producer and a licence holder established in a non-member country and a producer and a licence holder established in the Community, since the two are manifestly not comparable.  Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn attorney with whom you work or David Wood (+32 2 554 7210; dwood@gibsondunn.com) in the firm’s Brussels office. © 2006 Gibson, Dunn & Crutcher LLP The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

March 14, 2013 |
Federal Trade Commission Updates Online Advertising Disclosure Guidelines; Addresses Mobile Devices and Social Media

On March 12, 2013, the Federal Trade Commission ("FTC") updated[1] its advertising disclosure guidelines for mobile and other online advertisers. The new guidance, .com Disclosures: How to Make Effective Disclosures in Digital Advertising, explains how advertisers can make disclosures "clear and conspicuous" to avoid deceiving consumers. In particular, the guidance addresses the expanding use of mobile devices with small screens and the rise of social media marketing.  In this regard, the guidance includes a helpful appendix of twenty-two illustrative mock advertisements. The guidance emphasizes that the consumer protection laws embodied in the FTC Act apply equally to advertisements across all media, whether those advertisements appear via desktop computer, mobile device, or more traditional media such as print, television, telephone, or radio. Disclosures that are required to prevent an advertisement from being deceptive, unfair, or otherwise violative of an FTC rule must be presented "clearly and conspicuously."  Thus, under the new guidance, advertisers must ensure that disclosures are clear and conspicuous across all devices and platforms that consumers may use to view a given advertisement.  If a particular platform does not provide an opportunity to make clear and conspicuous disclosures, advertisers should avoid that platform when disseminating advertisements that require disclosures. Whether a disclosure meets the clear and conspicuous standard is measured by the disclosure’s "performance–that is, how consumers actually perceive and understand the disclosure within the context of the entire ad."  The guidance points to a number of factors in this regard. 
For example, advertisers should consider: the placement of the disclosure in the advertisement and its proximity[2] to the claim it qualifies; the prominence of the disclosure; whether the disclosure is unavoidable; the extent to which items in other parts of the advertisement might distract attention from the disclosure; whether the disclosure needs to be repeated several times in order to be effectively communicated, or because consumers may enter the site at different locations or travel through the site on paths that cause them to miss the disclosure; whether disclosures in audio messages are presented in an adequate volume and cadence and visual disclosures appear for a sufficient duration; and whether the language of the disclosure is understandable to the intended audience. The new guidance provides a number of warnings and recommendations for advertisers using space-constrained advertisements, such as those appearing on mobile devices with smaller screens and those appearing on social media platforms.  For example, where consumers must scroll in order to view a disclosure, the guidance suggests that advertisers "use text or visual cues to encourage consumers to scroll" to the disclosures.  In addition, the guidance provides a number of considerations for evaluating the effectiveness of using hyperlinks to provide consumers additional information where disclosures are too complex to describe adjacent to the "triggering" claim.  The guidance also suggests that advertisers avoid disclosing necessary information using pop-ups or Adobe Flash because consumer web browsers and mobile devices may be configured to block or otherwise cannot display such content. Importantly, the guidance points out that "[d]isclosures must be effectively communicated to consumers before they make a purchase or incur a financial obligation." 
Thus, "[w]hen a product advertised online can be purchased from brick-and-mortar stores or from online retailers other than the advertiser itself, necessary disclosures should be made in the ad."  Advertisers may not rely on disclosures made by a third-party retailer that is promoted in the ad — even if the ad links directly to those disclosures on the third-party retailer’s website — because consumers may choose to purchase the product from a brick-and-mortar store or other unaffiliated online retailer.  In that case, consumers may not see the disclosures prior to making their purchases.  The same advice applies to "space-constrained ads," including sponsored "tweets."  The guidance further provides that "[i]f the disclosure needs to be in the ad itself but it does not fit, the ad should be modified so it does not require such a disclosure or, if that is not possible, the space-constrained ad should not be used."  Gibson Dunn recommends that companies advertising online carefully review their policies and practices to ensure compliance with the updated FTC guidance.    [1]   The FTC released its initial guidance, entitled Dot Com Disclosures: Information about Online Advertising, over a decade ago, in 2000.    [2]   Although the 2000 guidance defined proximity as "near, and when possible, on the same screen," and stated that advertisers should "draw attention to" disclosures, the new guidance states that disclosures should be "as close as possible" to the claim it qualifies.    Gibson Dunn’s Information Technology and Data Privacy Practice Group has counseled leading businesses across the country on a wide range of privacy and cybersecurity issues, including preventing, anticipating, and responding to security breach incidents, providing guidance on the legal implications of high-priority business actions, and representing clients in matters of privacy-related regulatory scrutiny, litigation, and law enforcement interest.  
The Fashion, Retail and Consumer Products Practice Group includes a team of legal experts who focus on the complex and unique issues facing fashion designers, luxury goods companies, retail companies and manufacturing companies, including a broad range of corporate transactions, litigation, intellectual property, tax and real estate matters.    Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues.  Please contact the Gibson Dunn lawyer with whom you work, or any of the following: Information Technology and Data Privacy Practice Group: S. Ashlie Beringer – Palo Alto (650-849-5219, aberinger@gibsondunn.com) Howard S. Hogan – Washington, D.C. (202-887-3640, hhogan@gibsondunn.com) Karl G. Nelson – Dallas (214-698-3203, knelson@gibsondunn.com) M. Sean Royall – Dallas (214-698-3256, sroyall@gibsondunn.com) Alexander H. Southwell – New York (212-351-3981, asouthwell@gibsondunn.com) Debra Wong Yang – Los Angeles (213-229-7472, dwongyang@gibsondunn.com) Scott H. Mellon – Dallas (214-698-3199, smellon@gibsondunn.com) Fashion, Retail and Consumer Products Practice Group: Lois F. Herzeca – New York (212-351-2688, lherzeca@gibsondunn.com) David M. Wilf – New York (212-351-4027, dwilf@gibsondunn.com) © 2013 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

May 3, 2016 |
How The Fight For Streaming Royalties Is Going Over The Top

Los Angeles associate Nathaniel Bach is the author of "How The Fight For Streaming Royalties Is Going Over The Top" [PDF] published on May 3, 2016 by Law360.

May 18, 2016 |
India – Legal and Regulatory Update

The Indian economy continues to be an attractive investment destination due to its sustained stable growth and implementation of further liberalization policies by the Government of India ("Government"). The Government’s focus remains on improving the ease of doing business in India and many effective steps have been taken in this direction. Following our nine-month update dated October 21, 2015 (which sets out an overview of key legal and regulatory developments in India from January 1, 2015 to September 30, 2015), this update provides a brief overview of the key legal and regulatory developments in India from October 1, 2015 to April 30, 2016. Key Legal and Regulatory Developments Foreign Direct Investment Policy 1. November 2015 Amendments to the Foreign Direct Investment Policy: On November 24, 2015, the Government effected several important amendments[1] to India’s consolidated foreign direct investment policy ("FDI Policy"). These amendments enable increased levels of foreign direct investment in a number of business sectors and simplify various sector-specific conditions under the FDI Policy. For a detailed analysis, please refer to our client alert dated December 8, 2015 at http://www.gibsondunn.com/publications/pages/Indian-Government-Amends-Foreign-Direct-Investment-Policy-Dec2015.aspx. 2. Foreign Direct Investment in Insurance[2]: Total foreign investment ownership through any means, including portfolio investment, in an Indian insurance company (which includes insurance brokers, insurance third party administrators, surveyors and loss assessors), directly or indirectly (through one or more holding companies), is now permitted up to 49% without the prior approval of the Government ("Automatic Route"). Previously, foreign investment not exceeding 26% was permitted under the Automatic Route and foreign investment beyond 26% and up to 49% required the prior approval of the Government (through the Foreign Investment Promotion Board ("FIPB")). 
Prior approval of the Insurance Regulatory and Development Authority is required in all circumstances where there is any change in shareholding of an Indian insurance company. The ownership and control of an Indian insurance company (including the appointment of the CEO) must remain in the hands of resident Indians at all times. "Control" is defined to mean the right to appoint a majority of the directors on the board of the company or the power to control the management or policy decisions of a company by virtue of shareholding, management rights, shareholders agreements or voting rights agreements. 3. Foreign Direct Investment in Pension Funds[3]: In line with the policy on foreign investment in the insurance sector, the Government has permitted foreign investment in Indian pension funds up to 49% under the Automatic Route. Previously, 26% was permitted under the Automatic Route and foreign investment beyond 26% and up to 49% required the prior approval of the Government (through the FIPB). Foreign investment in the Indian pension sector continues to be subject to the conditions set out in the Pension Fund Regulatory and Development Authority Act, 2013. 4. Foreign Investment in E-Commerce Activities[4]: The Government, on March 29, 2016, has clarified the position on foreign direct investment in e-commerce trading entities and e-commerce market place entities. There is no restriction on foreign investment in companies engaged in B2B e-commerce activities. In respect of companies engaged in B2C e-commerce activities, the key provisions are as follows: (a) E-commerce has now been defined as the buying and selling of goods and services, including digital products, through a digital and electronic network. 
(b)          The term ‘digital and electronic network’ has been defined to include a ‘network of computers, television channels and any other internet application used in automated manner such as web pages, extranets, mobiles, etc.‘ (c)          The Government has drawn a distinction between an ‘inventory-based’ model of e-commerce ("Inventory Model") and a ‘marketplace based’ model of e-commerce ("Marketplace Model"). Inventory Model has been defined as an e-commerce business model where the inventory of goods and services is owned by an e-commerce entity and is sold to the consumers directly. Marketplace Model has been defined as the provision of an information technology platform by an e-commerce entity on a digital and electronic network to act as a facilitator between a buyer and a seller. (d)          The Government has clarified that foreign investment of up to 100% is permitted under the Automatic Route in companies that have a Marketplace Model. No foreign investment is permitted in companies that have an Inventory Model. (e)          Some of the key conditions that companies operating the Marketplace Model must comply with are: (i)                 Not more than 25% of the total sales of the company can be undertaken on its marketplace by a single vendor or such vendor’s group companies; (ii)               The company is permitted to provide support services to sellers in respect of warehousing, logistics, order fulfilment, call centres, payment collection and other similar services; and (iii)             The company cannot directly or indirectly influence the sale price of goods or services and are obligated to maintain a level playing field. While the above clarifications have removed ambiguities in relation to foreign investment in entities engaged in B2C ecommerce activities, there are certain grey areas that have arisen as a result of these clarifications. 
For example, (a) services have now been included within the definition of e-commerce – the presumption earlier was that this only includes goods, (b) there is also no guidance on what constitutes ‘influencing the sale price of goods directly or indirectly’ or how a ‘level playing field’ should be maintained by companies that have a Marketplace Model. Further clarity is required on these aspects. 5.             Foreign Investment in Asset Reconstruction Companies[5]: The Government has permitted foreign investment in asset reconstruction companies up to 100% under the Automatic Route. Previously, foreign investment of up to 49% was permitted under the Automatic Route and foreign investment beyond 49% and up to 100% required the prior approval of the Government (through the FIPB). Insurance On October 19, 2015, the Insurance Regulatory and Development Authority issued the "Guidelines on Indian Owned and Controlled" Insurance Companies (the "Guidelines") to further clarify the requirements with regard to Indian ownership and control of Indian insurance companies. The Guidelines apply to all Indian insurance companies that receive foreign investment. The Guidelines state that the ownership and control of an Indian insurance company (including the appointment of the CEO) must remain in the hands of resident Indians at all times. "Control" is defined to mean the right to appoint a majority of the directors on the board of the company or the power to control the management or policy decisions of a company by virtue of shareholding, management rights, shareholders agreements or voting rights agreements. For detailed analysis, please refer to our client alert dated October 22, 2015 at http://www.gibsondunn.com/publications/pages/Ownership-and-Control-of-Indian-Insurance-Companies-with-Foreign-Investment.aspx. Financing The Reserve Bank of India ("RBI") has promulgated the External Commercial Borrowings ("ECB") Policy-Revised Framework ("Revised Framework"). 
The Revised Framework lays down a more liberal approach for ECBs, whether they are long-term foreign currency denominated ECBs or Indian Rupee denominated ECBs. The Revised Framework expands the list of eligible borrowers, recognised lenders and reduces the restrictions on use of proceeds (i.e., end-use of the ECB). The Revised Framework became effective on December 2, 2015 with the publication of the relevant regulatory notifications in the Official Gazette of India. Borrowers were permitted to receive ECBs under the previous ECB regime until March 31, 2016 (if they had already executed the ECB agreement prior to the date of effectiveness of the Revised Framework). Additionally, borrowers that were in negotiations with lenders (at the time the Revised Framework became effective) were also permitted to execute ECB agreements under the previous ECB regime until March 31, 2016 for certain specific purposes such as working capital for airlines, loans for low cost affordable housing projects, etc. For detailed analysis, please refer to our client alert dated January 4, 2016 at http://www.gibsondunn.com/publications/Pages/Reserve-Bank-of-India-Introduces-Revised-ECB-Framework.aspx. Start-ups 1.             The Government launched a new initiative on January 17, 2016 aimed at providing various benefits to start-up companies in India. The following are key provisions in relation to start-up companies: (a)          A "start-up" has been defined to mean an entity incorporated/ registered in India  (i) for a period of up to 5 years from the date of its incorporation/ registration and (ii) its turnover in any financial year has not exceeded INR 250,000,000 (approx. USD 3.67 Million) and (iii) it is working towards innovation, development, deployment or commercialization of new products, processes or services driven by technology or intellectual property. 
(b)          The Government has clarified that a business would be considered a start-up only if it aims to develop and commercialize (i) a new product or service or (ii) significantly improves an existing product, service or process that will create and add value for customers. (c)          The RBI has made appropriate amendments to its foreign exchange regulations to state that  Foreign Venture Capital Investors ("FVCIs") are now permitted to invest in all start-ups, regardless of the sector that the start-up is engaged in. Prior to this amendment, FVCIs were permitted to only invest in a list of permissible sectors. Certain other benefits announced by the RBI for start-ups include (i) transfer of shares with deferred consideration, escrow or indemnity arrangements for a period of 18 months; (ii) simplification of the process for dealing with delayed reporting of FDI; (iii) easing access to rupee denominated loans under the ECB framework; and (iv) easing operational restrictions on overseas subsidiaries of start-ups. (d)          Start-ups are also exempted from certain statutory provisions relating to inspection under certain labour legislations in India by self-certifying compliance with such legislations. (e)          Eligible start-ups (established between April 2016 and March 2019) are entitled to a tax deduction of one hundred per cent of the profits and gains derived by them, for a period of three years, from a business involving innovation development, deployment or commercialisation of new products, processes or services driven by technology or intellectual property. Real Estate The Real Estate (Regulation and Development) Act, 2013 ("RERA") was notified on March 27, 2016. RERA seeks to establish a regulatory framework to govern transactions between buyers and promoters/sellers of real estate projects. 
It establishes state level regulatory authorities with the objective of  (a) ensuring that residential projects are registered, and their details uploaded on the authorities’ website; (b) ensuring that buyers, sellers, and agents comply with obligations under the RERA; and (c) advising the government on matters related to the development of real estate. RERA also imposes a requirement that at least 70% of the funds collected for a particular real estate project from buyers will be invested solely in such project. It seeks to protect buyers by prohibiting advertisements promoting real estate projects which have not obtained all regulatory approvals along with an additional provision for penalties for delay in construction. Antitrust On March 4, 2016, the Government, through the Ministry of Corporate Affairs issued a number of notifications (the "Notifications") which have substantially (a) amended and increased the merger control thresholds and, (b) amended as well as extended the existing target based exemption under the merger control regulations in India for another five years. 1.       Target Based Exemption: On March 4, 2011, the Government had introduced a de minimis target based exemption (i.e., based on the valuation of assets or turnover of the target company) which excluded certain transactions from the provisions of Section 5 of the [Indian] Competition Act, 2002 (the "Competition Act") for a period of five years. Transactions that fell below the threshold did not have to be notified to the Competition Commission of India ("CCI"). The Government, through the Notifications has extended the exemption for another five-year period, i.e., until March 4, 2021. The values of asset/turnover thresholds under this exemption have also been raised. 2.       Merger Control Thresholds: Section 5 of the Competition Act sets out the asset and turnover thresholds that are required to be satisfied for a transaction to qualify as a "combination". 
A qualifying combination is required to be mandatorily notified to the CCI for prior approval, unless the target based-exemption discussed above is applicable. The Notifications have amended and increased these thresholds. Please refer to our client alert dated March 15, 2016 for more details, including these revised thresholds: http://www.gibsondunn.com/publications/Pages/Indian-Government-Amends-Merger-Control-Regulations.aspx. Arbitration The Arbitration & Conciliation (Amendment) Ordinance, 2015 ("Ordinance") was promulgated on October 23, 2015 to introduce substantial changes to the [Indian] Arbitration & Conciliation Act, 1996 (the "Arbitration Act"). The Ordinance was approved by both houses of the Indian Parliament and was published in the official gazette on January 1, 2016 after receiving Presidential assent as the Arbitration and Conciliation (Amendment) Act, 2015 ("Amendment Act"). The primary objective of the Amendment Act is to encourage expeditious resolution of disputes and transparency in arbitration proceedings. The Amendment Act has reformed domestic arbitrations, foreign seated international commercial arbitrations (in so far as the Arbitration Act applies to them) and international commercial arbitrations seated in India by reducing delays and limiting the scope of judicial intervention. For detailed analysis, please refer to our client alert dated November 10, 2015 at  http://www.gibsondunn.com/publications/pages/Government-of-India-Amends-Indian-Arbitration-and-Conciliation-Act–1996.aspx. 
[1] http://dipp.nic.in/English/acts_rules/Press_Notes/pn12_2015.pdf
[2] http://dipp.nic.in/English/acts_rules/Press_Notes/pn1_2016.pdf
[3] http://dipp.nic.in/English/acts_rules/Press_Notes/pn2_2016.pdf
[4] http://dipp.nic.in/English/acts_rules/Press_Notes/pn3_2016.pdf
[5] http://dipp.nic.in/English/acts_rules/Press_Notes/pn4_2016.pdf

Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding these issues. For further details, please contact the Gibson Dunn lawyer with whom you usually work or the following authors in the firm’s Singapore office:

India Team:
Jai S. Pathak (+65 6507 3683, jpathak@gibsondunn.com)
Priya Mehra (+65 6507 3671, pmehra@gibsondunn.com)
Bharat Bahadur (+65 6507 3634, bbahadur@gibsondunn.com)
Karthik Ashwin Thiagarajan (+65 6507 3636, kthiagarajan@gibsondunn.com)
Sidhant Kumar (+65 6507 3661, skumar@gibsondunn.com)

© 2016 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

December 23, 2014 |
Judicial Campaign Rules Go to Court

Los Angeles partner Blaine H. Evanson and associate Lali Madduri are the authors of "Judicial campaign rules go to court" [PDF] published in the December 23, 2014 issue of the Daily Journal.

October 24, 2018 |
Lessons from FTC’s Loss in, and Subsequent Abandonment of, DirecTV Advertising Case

The Federal Trade Commission (“FTC”) is increasingly focusing on the advertising, data privacy/security, and e-commerce processes of prominent companies marketing legitimate, valuable products and services, as compared to the types of fraudsters and shams that have been a central focus of FTC attention in the past. The FTC’s recently concluded action against DirecTV is emblematic of this trend.

In FTC v. DirecTV, the FTC alleged that DirecTV’s marketing failed to adequately disclose that (a) the introductory discounted price lasted only twelve months while subscribers were bound to a 24-month commitment; (b) subscribers who cancelled early would be charged a cancellation fee; and (c) subscribers would automatically incur monthly charges if they did not cancel a premium channel package after a free three-month promotional period. On August 16, 2017, after hearing the FTC’s case-in-chief, Judge Gilliam of the U.S. District Court for the Northern District of California granted judgment for DirecTV on the majority of these claims. And earlier this week, the FTC agreed to voluntarily dismiss the remainder of its case with prejudice.

Gibson Dunn partners Sean Royall and Rich Cunningham and associates Brett Rosenthal and Emily Riff recently published an article titled Lessons from FTC’s Loss in, and Subsequent Abandonment of, DirecTV Advertising Case in the Washington Legal Foundation’s The Legal Pulse blog. The article describes the case, the FTC’s evidence, and key takeaways for companies crafting advertising and marketing disclosures.

© 2018, Washington Legal Foundation, The Legal Pulse, October 23, 2018. Reprinted with permission.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.
Please contact the authors of this Client Alert, the Gibson Dunn lawyer with whom you usually work, or one of the leaders and members of the firm’s Antitrust and Competition or Privacy, Cybersecurity and Consumer Protection practice groups:

Washington, D.C.
Scott D. Hammond (+1 202-887-3684, shammond@gibsondunn.com)
D. Jarrett Arp (+1 202-955-8678, jarp@gibsondunn.com)
Adam Di Vincenzo (+1 202-887-3704, adivincenzo@gibsondunn.com)
Howard S. Hogan (+1 202-887-3640, hhogan@gibsondunn.com)
Joseph Kattan P.C. (+1 202-955-8239, jkattan@gibsondunn.com)
Joshua Lipton (+1 202-955-8226, jlipton@gibsondunn.com)
Cynthia Richman (+1 202-955-8234, crichman@gibsondunn.com)

New York
Alexander H. Southwell (+1 212-351-3981, asouthwell@gibsondunn.com)
Eric J. Stock (+1 212-351-2301, estock@gibsondunn.com)

Los Angeles
Daniel G. Swanson (+1 213-229-7430, dswanson@gibsondunn.com)
Debra Wong Yang (+1 213-229-7472, dwongyang@gibsondunn.com)
Samuel G. Liversidge (+1 213-229-7420, sliversidge@gibsondunn.com)
Jay P. Srinivasan (+1 213-229-7296, jsrinivasan@gibsondunn.com)
Rod J. Stone (+1 213-229-7256, rstone@gibsondunn.com)
Eric D. Vandevelde (+1 213-229-7186, evandevelde@gibsondunn.com)

San Francisco
Rachel S. Brass (+1 415-393-8293, rbrass@gibsondunn.com)

Dallas
M. Sean Royall (+1 214-698-3256, sroyall@gibsondunn.com)
Veronica S. Lewis (+1 214-698-3320, vlewis@gibsondunn.com)
Brian Robison (+1 214-698-3370, brobison@gibsondunn.com)
Robert C. Walters (+1 214-698-3114, rwalters@gibsondunn.com)

Denver
Richard H. Cunningham (+1 303-298-5752, rhcunningham@gibsondunn.com)
Ryan T. Bergsieker (+1 303-298-5774, rbergsieker@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

October 5, 2017 |
Local Drone Law Preempted in First-of-its-Kind Ruling

Orange County associates Jared Greenberg and Brett Long are the authors of “Local Drone Law Preempted in First-of-its-Kind Ruling,” [PDF] published by The Daily Journal on October 5, 2017.