May 13, 2016
1st Circ. Video Privacy Decision Creates Split With 11th Circ.

Orange County and Palo Alto partner Joshua Jessen and Palo Alto associate Priyanka Rajagopalan are the authors of "1st Circ. Video Privacy Decision Creates Split With 11th Circ." published on May 13, 2016 by Law360.

February 9, 2017
2016 Year-End Aerospace and Related Technologies Update

This February 2017 edition of Gibson Dunn’s Aerospace and Related Technologies Update discusses newsworthy developments, trends, and key decisions from 2016 that are of interest to aerospace and defense, satellite, and drone companies, and new market entrants in the commercial space and related technology sectors, including the private equity and other financial institutions that support and enable their growth. Specifically, this update covers the following areas: (1) commercial unmanned aircraft systems ("UAS"), or drones; (2) government contracts litigation involving companies in the aerospace and defense industry; and (3) the commercial space sector. We discuss each of these areas in turn below.

I. COMMERCIAL UNMANNED AIRCRAFT SYSTEMS

Unmanned aircraft systems ("UAS") technology has improved rapidly while becoming reasonably affordable for most organizations. The commercial applications of UAS, more commonly referred to as "drones," include sensory data collection, building inspections, utility inspections, agriculture monitoring and treatment, railway inspections, pipeline inspections, mapping of mines, and photography. New applications are being created on a regular basis. For years, the law prohibited commercial drone operations absent a special exemption. However, in 2016, a comprehensive set of regulations governing non-recreational drone operations was finalized, thus creating sweeping opportunities to implement commercial drone operations.

In 2016, many organizations incorporated drones into their operations and tested future concepts. The drone delivery concept was validated through multiple corporate deliveries: Amazon Prime Air made its first delivery in the United Kingdom; DHL delivered packages to a mountain plateau in Germany; Google and Chipotle tested burrito deliveries at Virginia Tech; and 7-Eleven and Flirtey delivered products in Reno, Nevada. Disney World, in collaboration with Intel, revealed a new holiday show consisting of drones performing in the night sky, rather than traditional fireworks. Walmart announced it would use drones to better track inventory at distribution centers. And CNN became the first U.S. broadcaster to launch a drone division.

Overall, 2016 was an historic year that officially ushered in a new industry. We expect that the industry will continue to develop in the coming year, and that key topics such as rules governing flights over non-participating people, litigation concerning property owners’ rights to airspace, privacy, and operations beyond visual line of sight will be addressed. Related jurisdictional disputes are likewise on the horizon.

Expanded drone operations also created controversy. Citizens and police shot down drones on several occasions, news organizations reported collisions between drones and commercial aircraft (all stories were proven false after investigations), and concerns about privacy continued to build. To get you caught up on 2016’s groundbreaking drone developments, below we have briefly summarized: (A) Part 107 drone regulations; (B) the likely Proposed Rule for Operations Over Non-Participating People; (C) Privacy; and (D) the Intersection of Federal and State/Local Drone Laws.

A. Part 107 – Drone Regulations

On August 29, 2016, the long-awaited comprehensive regulations for Small Unmanned Aircraft Systems ("sUAS"), drones weighing 55 pounds or less, became law under Part 107 of Title 14 of the Code of Federal Regulations ("Part 107").[1] These regulations are monumental for commercial drone operations because they provide the regulatory foundation for the burgeoning industry. Prior to Part 107, the law prohibited commercial drone operations unless an operator obtained a Section 333 exemption from the Federal Aviation Administration ("FAA").
Part 107 permits commercial operations within certain parameters and eliminates the need for an exemption, unless one wants to operate outside of those parameters.

Significantly, Part 107 removed the time-consuming and expensive Section 333 requirement that commercial drone operators obtain a recreational or sport pilot license. Under the new regulations, commercial drone pilots must obtain the newly created remote pilot certificate with a sUAS rating or be under the direct supervision of a person with a certificate. To obtain the certificate, a person must pass an aeronautical knowledge test at an FAA-approved center, be vetted by the Transportation Security Administration, be able to speak English, and be at least 16 years old. Individuals with an existing pilot license need only take an online sUAS training course to obtain a remote pilot certificate.[2] In 2016, the FAA issued over 14,000 remote pilot certificates.

In addition, Part 107 set forth several key operational limits for commercial drones[3]: maximum weight is 55 pounds; maximum groundspeed is 100 mph (87 knots); maximum altitude is 400 feet above ground level or within 400 feet of a structure; flights must be within daylight hours or civil twilight if the drone utilizes anti-collision lighting; drones must remain within visual line of sight of the remote pilot or an optional visual observer; minimum flight visibility must be no less than three statute miles; minimum distance from clouds must be no less than 500 feet below the cloud and 2000 feet horizontally from the cloud; drones may not operate over persons not directly participating in the operation; drones must yield the right of way to other aircraft; remote pilots cannot operate drones from a moving vehicle unless the flight is over a sparsely populated area; and remote pilots cannot operate more than one drone at a time (i.e., no swarming).

1. Part 107 Waivers

The FAA’s willingness to provide waivers is one of the most promising aspects of Part 107 and will allow regulations to expand as technology progresses. The waivers permit remote pilots to deviate from the following operational limits:[4] operations from a moving vehicle; daylight operations; operations beyond a pilot’s visual line of sight; visual observer requirements; operations of multiple drones; yielding the right of way; operations over people; operating limitations; and operations in certain airspace.

Applications for a Certificate of Waiver are completed online and granted on a case-by-case basis. In 2016, the FAA granted 239 waivers.[5] The majority of these waivers were for nighttime operations. Notably, the following organizations received waivers: CNN received a waiver for operations over people; Precision Hawk and BNSF Railway Company received waivers allowing operations beyond visual line of sight; and Project Wing, Intel Corporation, and Walt Disney Parks and Resorts received waivers for the operation of multiple drones.

If an organization needs an exemption from a particular section in Part 107 that is not subject to a waiver, it can request a Section 333 exemption or apply for a type certification. This will be particularly relevant for operators wishing to fly drones greater than 55 pounds because Part 107 only applies to drones weighing 55 pounds or less.

2. Airspace Authorization

In addition to applying for waivers, operators can now seek airspace authorization for operations in restricted airspace. However, obtaining airspace authorization has been a source of frustration for many operators.
Part 107 allows operations "in Class B, Class C, or Class D airspace or within the lateral boundaries of the surface area of Class E airspace" if the remote pilot obtains "prior authorization from Air Traffic Control."[6] But an FAA guidance letter from October 3, 2016, restricted Air Traffic Control from granting such authorization, stating that FAA headquarters will approve airspace waivers and coordinate with the relevant air traffic facility.[7] The FAA UAS website’s authorization portal requires that applications be submitted at least 90 days prior to the operation, which can seriously hinder timely operations.

* * *

Although the waiver and airspace authorization process is far from perfect, the mere existence of an institutionalized waiver and airspace authorization program is promising. We expect that the FAA will streamline the process in 2017, making waivers and airspace authorization more accessible to remote pilots.

We also expect that Part 107 is the beginning, and not the end, of drone regulations. For example, in the next few years, the FAA will likely propose rules for drones heavier than 55 pounds, and within the next few months, the FAA will likely publish a Notice of Proposed Rule Making for operating drones over non-participating people.

B. Proposed Rule for Operations Over Non-Participating People is Expected in 2017

In February 2016, the FAA assembled an aviation rulemaking committee ("ARC") to recommend standards that would allow certain drones to be operated over people. The ARC submitted its recommendations on April 1, 2016, dividing drones into four categories based on the level of risk correlated to a weight or impact energy equivalent.[8]

The FAA’s Notice of Proposed Rulemaking ("NPRM") is expected to significantly vary from the ARC’s recommendations. The FAA sent the proposed rule to the White House Office of Information and Regulatory Affairs ("OIRA") in November 2016. Once OIRA approves the proposed rule, the NPRM will be published in the Federal Register and a public comment period will begin. As with the NPRM for Part 107, there likely will be thousands of public comments concerning the proposed rule. Timing for publishing the NPRM is uncertain. On January 20, 2017, President Trump issued a memorandum to all executive departments and agencies freezing new or pending regulations for 60 days.

The proposed rules have the potential to remove a tremendous obstacle for certain drone operators. Under Part 107, drones are prohibited from flying over unsheltered people unless they are "[d]irectly participating in the operation."[9] Individuals "[d]irectly participating" include the remote pilot, the person on the controls, a visual observer, and anyone else essential to the operation. Those who have merely given consent for the operations are excluded.[10] Therefore, under Part 107, implementing certain commercial drone operations may be a challenge, or impossible, due to the presence of non-participating people in the operational area. For example, drone operations cannot take place over active construction or mining sites without first clearing the area of people, and news organizations may be prohibited from flying directly over a newsworthy event. Part 107 does provide waivers for flights over non-participants on a case-by-case basis, but the waiver process is not always a practical option for addressing time-sensitive commercial needs. The upcoming proposed rule will create standards for safe flights over non-participating people and should be a catalyst for many commercial operations. Flights over non-participating people will likely increase privacy concerns.

C. Privacy–Voluntary Best Practices

As the popularity of both commercial and hobbyist drones increases, concerns over privacy and personal data collection continue to swell.
In February 2015, President Obama issued a Presidential Memorandum directing that privacy, civil rights, and civil liberties concerns be taken into account as drones are integrated into the national airspace.[11] Obama ordered the National Telecommunications and Information Administration ("NTIA") of the U.S. Department of Commerce to create a private-sector engagement process to help develop voluntary best practices for privacy, accountability, and transparency issues regarding commercial and private drone use. That process took place over the past year, with the participation of multiple private-sector groups.

On May 19, 2016, the NTIA released voluntary best privacy practices for drones.[12] The voluntary best practices received agreement from technology companies, insurance companies, media organizations, drone industry associations, and privacy groups. Although these best practices do not create any legal standards, they set useful guidelines for any organization conducting drone operations. Many of the recommended best practices take into account the size and complexity of the operator (e.g., a large public company is expected to have a more comprehensive privacy policy with respect to its use of drones than an individual real estate photographer). Moreover, newsgathering organizations, to which strong First Amendment protections apply, are expressly excluded. The following summarizes the recommended best practices:

Covered Data: The best practices focus heavily on the collection and storage of "covered data." Covered data is information collected by drones that identifies a particular person. If the data is unlikely to be linked to a particular person, or if it is altered so that a particular person is not recognizable, it is not considered covered data.

Privacy Policy: Organizations collecting covered data should make reasonable efforts to inform individuals directly impacted by those organizations’ use of drones, and they should maintain a publicly available privacy policy appropriate to their size. The policy should identify: the kind of covered data the drone operations will collect; the purpose for which the data is collected; retention and de-identification practices; the types of entities with whom the data will be shared; information on how to submit a privacy or security complaint; and the organization’s practices with respect to responding to law enforcement requests for data.

Reasonable Expectation of Privacy: Absent a compelling need, drone operators should avoid collecting covered data when the subject has a reasonable expectation of privacy. Operators should avoid intentional, persistent, and continuous collection of covered data about individuals. Further, operators should make reasonable efforts to minimize flights over private property without consent of the owner or without appropriate legal authority.

Data Sharing and Use Limits: Drone operators should only use covered data for those purposes identified in their privacy policy. Without consent, the data should not be shared for marketing purposes or publicly disclosed without reasonable efforts to obfuscate (e.g., blur) the data. Further, without consent, operators should not use covered data for employment eligibility, promotion or retention, credit eligibility, or healthcare treatment eligibility, unless expressly permitted by a sector-specific regulatory framework.

Data Storage: Covered data should not be stored longer than necessary for the purposes for which it was collected (as disclosed to the public in a privacy policy). Further, organizations should develop easily accessible processes to receive privacy or security complaints about the organization’s use of drones.
These processes should include mechanisms by which individuals can request that an organization delete, de-identify, or otherwise obfuscate a person’s covered data.

Data Security: Organizations storing covered data should implement a program to address and manage cybersecurity risks. The program should have reasonable administrative, technical, and physical safeguards appropriate to the organization’s size and the nature of the covered data. Appropriate safeguards include those described in guidance from the Federal Trade Commission, the National Institute of Standards and Technology Cybersecurity Framework, and the International Organization for Standardization’s 27001 standard for information security management. Corporations should consider the below practices to secure covered data: establish a written security policy detailing the collection, use, storage, and dissemination of covered data; regularly monitor systems for breach and data security risks; provide security training to employees with access to covered data; and limit access to covered data.

Part 107 does not address privacy. In the NPRM for Part 107, the FAA stated that privacy issues were "beyond the scope" of the rule, and "that state law and other legal protections for individual privacy may provide recourse for a person whose privacy may be affected through another person’s use of a UAS."[13] During the comment period for the NPRM, the FAA received around 180 comments regarding privacy concerns, but declined to include privacy regulations within Part 107.[14]

1. Litigation Regarding Whether the FAA Needs to Address Privacy

The Electronic Privacy Information Center ("EPIC") challenged the FAA’s decision to exclude privacy regulations from Part 107 by filing a petition for review in August 2016.[15] EPIC had previously sought review of the NPRM because it excluded privacy regulations, but in May 2016, the D.C. Circuit held that EPIC’s challenge was premature because the proposed rule was not final.[16] After the rule became final, EPIC filed a new petition of review asking the court to vacate Part 107 and remand it to the FAA for further proceedings.[17] EPIC contends that the FAA Modernization and Reform Act of 2012 requires the FAA to address privacy concerns related to drones, while the FAA asserts that privacy is beyond its charge to regulate aviation safety in the national airspace. All eyes will be on the D.C. Circuit to determine if the FAA will be required to issue rules related to privacy.

Regardless of whether or not there are federal rules directed towards drone privacy, corporations should make their best efforts to comply with the NTIA Voluntary Best Practices, as well as state and local privacy laws.

D. Uncertainty Clouds the Intersection of Federal and State/Local Drone Laws

Although Part 107 created a federal regulatory framework for commercial drone operations, there is still significant confusion as to what constitutes a legal flight under evolving state and local laws. Laws regulating the drone industry exist in 32 states, and five states have adopted resolutions regarding drones.[18] In 2016, at least 38 state legislatures considered legislation to regulate the drone industry, and 17 states (Alaska, Arizona, California, Delaware, Idaho, Illinois, Indiana, Kansas, Louisiana, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Vermont, Virginia and Wisconsin) passed 31 pieces of legislation.[19] In addition, countless local governments proposed and passed ordinances impacting the drone industry at the local level. Thus, it will be critical for companies launching commercial drone enterprises to work closely with counsel to determine which, if any, state and local laws apply to each commercial operation. They will also need to evaluate preemption issues.
In the developing drone community, confusion stems from the FAA’s position that it controls the airspace "from the ground up," and that the notion that it does not control airspace below 400 feet is a "myth."[20] However, many state and local governments do not agree with the FAA’s interpretation. There are major implications for where navigable airspace begins, and the question ultimately will be settled by federal courts over the next several years. This is one of the most important legal issues for the industry because, without clarification, legal compliance and enforcement may be impossible within some localities.

While the FAA governs the "navigable airspace" of the United States,[21] navigable airspace is defined as the "airspace above the minimum altitudes of flight prescribed by regulations . . . including airspace needed to ensure safety in the takeoff and landing of aircraft."[22] The FAA regulations list the minimum safe altitude as 500 feet above the surface in non-congested areas (lower in sparsely populated areas) and 1,000 feet above the highest obstacle in congested areas.[23] Although aircraft can fly below these minimum safe altitudes for takeoff or landing, when these laws and regulations were created, the very concept of low-flying, low-price drones–which can take off and land on anyone’s property–only existed in science fiction. The proliferation of drones requires clarification of where private property rights end and navigable airspace begins.

The Supreme Court provided some guidance on property rights and navigable airspace in 1946 in United States v. Causby.[24] In Causby, a chicken farm was located near an airport, and the glide path for one of the runways was 83 feet above the property. The Court examined whether military aircraft flying 83 feet above the property was a taking. The Court held that it was a taking and stated: "[I]t is obvious that if the landowner is to have full enjoyment of the land, he must have exclusive control of the immediate reaches of the enveloping atmosphere. Otherwise buildings could not be erected, trees could not be planted, and even fences could not be run."[25] The court also acknowledged that an invasion of air above one’s property can be in the "same category as invasions of the surface."[26] The Court declined to determine the exact boundary between one’s property and public airspace: "We need not determine at this time what those precise limits are."[27] Even if the Court did determine precise limits, a military aircraft landing at an airport in 1946 is fundamentally different from today’s low-flying, low-price, consumer and commercial drones.

In 2016, two pending lawsuits began to address the key question of defining navigable airspace in the context of drones.

Boggs v. Merideth, No. 3:16-cv-00006 (W.D. Ky. Jan. 4, 2016)

In Boggs v. Merideth (also known as the "Drone Slayer" case), a drone operator in the Western District of Kentucky filed a lawsuit against a landowner (the self-proclaimed "Drone Slayer") who downed the plaintiff’s drone with a shotgun.[28] The drone was flying around 200 feet above the Defendant’s property, and the defendant claimed it was trespassing and invading his privacy. After a state judge found the defendant was "within his rights," the plaintiff filed a complaint in federal court for declaratory judgement to "define clearly the rights of aircraft operators and property owners."[29] The district court has not yet ruled on the issue.

Huerta v. Haughwout, No. 3:16-cv-358, Dkt. No. 30 (D. Conn. Jul. 18, 2016)

The most notable case of 2016 regarding the FAA’s authority over low-level airspace was Huerta v. Haughwout (also known as the "flamethrower drone" case).
The Haughwouts posted YouTube videos of a drone flying a few feet above their property. In one video, a drone fired an attached handgun, and in another video, a drone roasted a turkey with an attached flamethrower. The FAA sent the Haughwouts an administrative subpoena to acquire more information about these activities. The Haughwouts declined to comply with the subpoenas and claimed their activities were not subject to investigation by the FAA. The FAA sought enforcement of the subpoenas. The District Court for the District of Connecticut found the administrative subpoenas to be valid and ordered the Haughwouts to comply.[30]

In his order, Judge Jeffrey Meyer included dicta that casts doubt on the FAA’s claim to controlling airspace from the ground up: "the FAA believes it has regulatory sovereignty over every cubic inch of outdoor air in the United States . . . [T]hat ambition may be difficult to reconcile with the terms of the FAA’s statute that refer to ‘navigable airspace.’" The dicta addressed the question of where the FAA’s authority begins, but noted that the "case does not yet require an answer to that question."[31] Notably, the Judge stated:

Congress surely understands that state and local authorities are (usually) well positioned to regulate what people do in their own backyards. The Constitution creates a limited national government in recognition of the traditional police power of state and local government. No clause in the Constitution vests the federal government with a general police power over all of the air or all objects that leave the ground. Although the Commerce Clause allows for broad federal authority over interstate and foreign commerce, it is far from clear that Congress intends–or could constitutionally intend–to regulate all that is airborne on one’s own property and that poses no plausible threat to or substantial effect on air transport or interstate commerce in general.[32]

The dicta in Huerta may indicate how federal courts will address this vital issue. As drone operations continue to expand, the importance of the question will continue to grow.

E. Looking Ahead

2017 will be an important year for the development of the commercial drone industry. We can expect to see more organizations adopting drone operations; the FAA streamlining Part 107 waivers and airspace authorization; a proposed rule governing flights over non-participating people; litigation regarding property owners’ rights to airspace; more dialogue regarding privacy issues; and significant progress in operations beyond-the-visual-line-of-sight ("BVLOS"), given the approval obtained by the Northern Plains UAS Test Site for conducting BVLOS flights in 2017. This approval will allow companies to develop, test, and evaluate BVLOS concepts and platforms without the need for a Part 107 waiver. Progress in BVLOS operations combined with the upcoming proposed rule for flights over non-participating people will greatly expand commercial applications.

In addition, the Trump administration’s approach to commercial drones, and any judicial decisions regarding federal preemption and privacy, will shape the future of this burgeoning industry.

II. GOVERNMENT CONTRACTS LITIGATION IN THE AEROSPACE AND DEFENSE INDUSTRY

Gibson Dunn’s 2016 Year-End Government Contracts Litigation Update and 2016 Mid-Year Government Contracts Litigation Update cover the waterfront of the most important opinions issued by the U.S. Court of Appeals for the Federal Circuit, U.S. Court of Federal Claims, Armed Services Board of Contract Appeals ("ASBCA"), and Civilian Board of Contract Appeals ("CBCA"), among other tribunals. We invite you to review those publications for a full report on case law developments in the government contracts arena.

In this update, we summarize key court decisions related to government contracting from 2016 that involve players in the aerospace and defense industry. The cases discussed herein, and in the Government Contracts Litigation Updates referenced above, address a wide range of issues with which government contractors in the aerospace and defense industry are likely familiar, including issues of contract interpretation, jurisdictional requirements, limitations on the remedies available to contractors, and the various topics of federal common law that have developed in the government contracts tribunals. In addition, we highlight the uncertainty surrounding the direction federal contracting policy will take under the new Trump administration.

A. Select Decisions of Interest to Government Contractors in the Aerospace and Defense Industry

1. Jurisdictional Issues (Defining the Claim)

Whether the courts and boards of contract appeals have jurisdiction over a matter turns on whether there is a valid "claim" and, relatedly, how that claim is defined. Because the Contract Disputes Act, 41 U.S.C. §§ 7101‒7109 ("CDA") does not define the term "claim," the courts and boards of contract appeals look to the definition set forth in the Federal Acquisition Regulation ("FAR"). FAR 33.201 defines a "claim" as "a written demand or written assertion by one of the contracting parties seeking, as a matter of right, the payment of money in a sum certain, the adjustment or interpretation of contract terms, or other relief arising under or relating to this contract."

In 2016, two decisions from the ASBCA that involved the aerospace and defense industry touched on jurisdictional issues.
In Military Aircraft Parts, ASBCA No. 60290 (Feb. 4, 2016), the ASBCA addressed whether a contractor’s claims could "merge" into or be precluded by related claims that would otherwise not be within the board’s jurisdiction. In Alaska Aerospace Corp., ASBCA No. 59794 (Sept. 13, 2016), the ASBCA considered whether the contractor had submitted a claim as required by the CDA.

Military Aircraft Parts, ASBCA No. 60290 (Feb. 4, 2016)

Between 2009 and 2011, the Government issued three orders for parts for the C-130 aircraft from Military Aircraft Parts ("MAP"). MAP shipped two units under the first order for first-article testing, but the Government asserted that the parts had failed the "form, fit, and function" test, and subsequently issued a unilateral modification canceling the order. The Government thereafter unilaterally canceled the second order, and the parties bilaterally canceled the third. MAP submitted a claim for breach of contract, which was denied by the contracting officer. The contracting officer admitted that the unilateral cancellation of the first order was improper, but converted the cancellation to a termination for convenience and denied relief for all three orders. After MAP appealed, the Government moved to dismiss, arguing that MAP could not appeal before responding to the Government’s termination for convenience with a termination settlement proposal pursuant to FAR part 49.

The board (O’Sullivan, A.J.) found that MAP was not required to make a termination settlement proposal prior to appealing the denial of its breach claim. Relying upon the Federal Circuit’s decision in James M. Ellett Construction Co. v. United States, 93 F.3d 1537 (1996), Judge O’Sullivan held that "a contractor is not precluded by a pending termination settlement proposal from pursuing contract claims independent of that proposal." Because the Government’s termination for convenience came later than its unilateral cancellation, the board reasoned, the relief available to MAP for a breach claim could be considerably different from the relief available for a claim arising from the termination for convenience. (At the very least, MAP could have been eligible for interest on its breach claim.) Therefore, MAP’s breach claim did not "merge" into the government’s termination for convenience, and the board denied the Government’s motion to dismiss for lack of jurisdiction.

Alaska Aerospace Corp., ASBCA No. 59794 (Sept. 13, 2016)

In 2003, the Missile Defense Agency awarded a contract to Alaska Aerospace for the use of a launch complex and support services. The contract incorporated, by reference, FAR 52.216-7, Allowable Cost And Payment (Dec. 2002), which allows reimbursement of contributions to employee pension plans. In 2014, the Government partially disallowed costs for employee pension plans and sought to recover the disallowed costs.

The Board (Melnick, A.J.) first noted that because the Government was seeking to recoup money, the case was a Government claim for which the Government bore the burden of proof. In finding that the Government failed to meet its burden, the Board explained that the Government’s reliance on the contracting officer’s final decision as evidence of overpayment was improper. The contracting officer’s final decision attempted to impose a penalty, not establish recoupment as a basis for the demand for payment. Further, findings of fact in the contracting officer’s final decision are not binding upon the parties and are not entitled to any deference.

2. Jurisdictional Issues (Timeliness of Appeals at the Board of Contract Appeals)

A host of recent cases addressed the CDA’s jurisdictional requirement to timely file an appeal after receipt of a contracting officer’s final decision.
Two such cases involve aerospace and defense companies and are discussed below.  Under the CDA, a board has jurisdiction over appeals taken within 90 days of receiving the contracting officer’s final decision, whereas a one-year statutory clock applies to appeals filed in the Court of Federal Claims.  In a pair of appeals before the ASBCA, Military Aircraft Parts attempted–unsuccessfully–to argue that the Federal Circuit’s ruling that the CDA’s six-year statute of limitations period is not jurisdictional, Sikorsky Aircraft Corp. v. United States, 773 F.3d 1315 (Fed. Cir. 2014), should give the board discretion to waive the 90-day appeal period.  Although the two cases were decided differently on the merits, the ASBCA made clear, in both instances, that it would not interpret Sikorsky to allow a waiver of the appeal period.

Military Aircraft Parts, ASBCA No. 60336 (Apr. 25, 2016); and Military Aircraft Parts, ASBCA No. 60139 (June 3, 2016)

In the first case, Military Aircraft Parts appealed the termination for default of its contract to provide aircraft frames to the Defense Logistics Agency and the cancellation of two purchase orders for more frames, claiming that the termination and cancellation were breaches of the contract.  The board (McIlmail, A.J.) held that it could not review the appeal from the termination of the original contract because it was not brought within 90 days after the termination decision.  Although the contractor urged the board to adopt a "good cause" exception to the 90-day deadline in light of the Federal Circuit’s ruling that the CDA’s statute of limitations is not jurisdictional, Judge McIlmail reiterated that the 90-day appeals period cannot be waived.

In the second case, Military Aircraft Parts appealed the contracting officer’s final decisions that denied a number of claims for breach of contract arising out of a contract that the Government terminated for default.
The Government argued that Military Aircraft Parts did not timely appeal the default terminations and was using its breach of contract claims on appeal to the board in an attempt to skirt the CDA’s 90-day jurisdictional deadline for appeal of the contracting officer’s final decision on the default termination.  Military Aircraft Parts denied the assertion that its complaint was merely a challenge to default terminations "clothed in breach of contract language" and, in the alternative, argued again that the reasoning in Sikorsky should allow the board to find that the 90-day appeal period is not jurisdictional.  The board (O’Sullivan, A.J.) agreed with the Government, finding that the board lacked jurisdiction over the claims because they were implicit challenges to the default termination.  In doing so, Judge O’Sullivan cited pre-Sikorsky precedent to reaffirm its long line of precedent holding that the 90-day deadline is "jurisdictional, absolute, and may not be waived."

3.  Contract Interpretation

The following decision from the second half of 2016 articulates broadly applicable contract interpretation principles that government contractors should consider.

King Aerospace, Inc., ASBCA No. 57057 (July 26, 2016)

In 2005, the Government awarded a contract to King for the maintenance of a fleet of aircraft.  In 2009, King presented a certified claim incorporating a Request for an Equitable Adjustment ("REA") based on additional maintenance required as a result of aircraft conditions inferior to those represented in the contract.  The contracting officer denied the claim and King appealed.  The Board (McIlmail, A.J.) concluded that King was entitled to additional compensation, noting that in order to prevail on a claim of misrepresentation, the contractor needed to show that there was a false representation of material fact that the contractor reasonably relied on to the contractor’s detriment.
The Board determined that the contract represented that aircraft would be maintained in accordance with industry practices, and that the aircraft were not maintained in such a fashion.  Further, this misrepresentation was material because the condition of the aircraft was likely to affect the inducement of King in assenting to maintaining the aircraft.  Moreover, King honestly relied on the misrepresentation to its detriment because King would have bid higher had it known of the substandard condition of the aircraft.  The Board also found that King’s reliance was reasonable as there was no contrary representation of the aircrafts’ conditions.              4.  Cost Issues                    Raytheon Co., Space & Airborne Sys., ASBCA No. 58068 (Aug. 9, 2016) In 2007, Raytheon SAS revised its cost accounting practices, one of which the Defense Contract Audit Agency ("DCAA") determined to result in a $142,000 increase to the Government across all contracts with the business.  DCAA did not consider decreased costs to the Government from one of the related changes, which more than offset the modest increase from the first change, due to a revision to FAR 30.606 in 2005, that prohibits such offsets, as discussed in an earlier decision in this case covered in the 2015 Mid-Year Government Contracts Litigation Update .  The contracting officer subsequently issued a final decision on the alleged increased costs and Raytheon SAS appealed. The Board (O’Connell, A.J.) 
sustained the appeal, ruling for Raytheon SAS, because it found that the contracting officer improperly determined the amount at issue was "material" based solely upon the dollar value of the increased cost, without considering other required factors, such as the magnitude of the dollar value in relation to Raytheon SAS’s total contracting relationship with the Government (here, less than 0.005%), the cost impact per contract (here, $36 per contract, per year), or the benefit of reduced administrative processing costs by the Government.  The Board concluded that the contracting officer’s failure to consider these factors was an "abuse of discretion," which is significant because there was no evidence of bad faith by the contracting officer.                    Exelis, Inc., ASBCA No. 60131 (Aug. 29, 2016) Exelis appealed from a contracting officer’s final decision finding that Exelis improperly accounted for the costs of a building lease pursuant to Cost Accounting Standard ("CAS") 404, which governs Capitalization of Tangible Assets.  Exelis moved to dismiss and asserted that there was no CAS 404 violation, and that while the CAS 404 claim asserted a sum certain, it did not assert a sum certain with regard to a FAR violation, which the Government was also asserting. The Board (D’Alessandris, A.J.) determined that there was no CAS 404 violation.  First, the Board found the plain language of CAS 404 to be clear, that it applied to "tangible" assets, and that a building lease is an "intangible" asset since it does not have "physical substance."  Second, even if the language was not clear, the preamble to CAS 404 showed that the CAS Board did not intend that all leases should be "tangible capital assets."  Third, in considering other interpretive aids, the Board continued to find that the Government could not establish a CAS 404 violation. 
Regarding the alleged FAR violation, the Board first noted that new theories or new damages that arise from the same operative facts do not constitute new claims, and that the sum certain requirement simply requires a specified dollar amount for a claim.  The Board also explained that the use of estimated or approximate costs in determining the value of a claim is sufficient, as long as the overall demand is for a sum certain.  In light of this, the Board found that the relevant facts in the appeal included the lease in question, and that the FAR and CAS claims involved the same operative facts and were the same claim for CDA purposes.  Thus, despite the Government’s sum certain being calculated based on a purported CAS violation rather than a FAR violation, the claim was still proper because the two purported violations were the same for CDA purposes.

B.  Uncertainty in the Direction that Federal Contracting Policy Will Take Under the New Trump Administration

The direction that federal contracting policy will take under the new Trump administration remains somewhat vague, and we will continue to keep you informed as the administration’s policy develops.  But we note that President Trump’s willingness to use Twitter to address the price of federal contracts will likely have implications in the industry.  Although prior administrations have been critical about allegedly wasteful spending, President Trump’s Twitter activity suggests that the President is willing to directly intervene in the negotiation and execution of government contracts, which is something federal contractors will have to take into account.

III.  COMMERCIAL SPACE SECTOR

A.  Developments in the Commercial Crew Program

The National Aeronautics and Space Administration ("NASA") has lacked the domestic capability to transport astronauts to space since the expiration of the Space Shuttle Program in July 2011.
Since then, NASA has relied upon the Russian Federal Space Agency ("Roscosmos") to ferry astronauts to the International Space Station ("ISS"), at prices ranging from $21 million to $82 million per roundtrip.  To remedy this situation, NASA instituted the Commercial Crew Program to work with commercial companies to develop manned spaceflight systems.  In September 2014, NASA selected two companies to participate in this program:  The Boeing Company ("Boeing") and Space Exploration Technologies Corporation ("SpaceX"). On September 1, 2016, NASA announced that both companies were facing technical challenges that would delay the first flights carrying NASA astronauts to the ISS until late 2018–more than three years after NASA’s original 2015 goal.[33]  Boeing was experiencing issues related to vehicle mass and the effects of vibrations generated during launch.  SpaceX was experiencing delays from its decision to change its capsule design to enable water-based landings.  In light of these developments, NASA extended its contract with Roscosmos for astronaut transportation through 2018, at an additional cost of $490 million for six more seats. On January 4, 2017, NASA announced that it awarded additional space missions to Boeing and SpaceX.[34]  Originally, each firm was offered two roundtrip missions to the ISS.  Now each firm will launch six missions.  Boeing has scheduled an unmanned flight test for June 2018 and a crewed flight test for August 2018.  It has even released new spacesuit designs.[35]  SpaceX has scheduled an unmanned flight test for November 2017 and a crewed flight test for May 2018. B.  NOAA Policies on Commercial Activity The National Oceanic and Atmospheric Administration ("NOAA") released a commercial space policy on January 8, 2016.[36]  Among other things, it designated the Office of Space Commerce as a point of contact for commercial providers to promote more efficient commercial engagement.  
The policy was part of NOAA’s efforts to understand better how partnerships with private firms in the rapidly changing commercial space sector could help the agency perform its functions.[37] NOAA’s National Environmental Satellite, Data, and Information Service ("NESDIS") published a Commercial Space Activities Assessment Process on January 6, 2017.[38]  This report indicated NOAA’s interest in commercially provided data satisfying its technical requirements at a lower cost than government alternatives.  It then set out a four-part process for future government contracts.  First, NESDIS will release one or more Requests for Information to convey its interest in new data sets and gather information about new, emerging, and existing commercial observation capabilities.  Based on these responses, NESDIS will then release one or more solicitations to acquire and evaluate commercial data satisfying the requisite specifications.  NOAA may then purchase data from one or more vendors for analysis and evaluations through a demonstration project.  Following these demonstrations, NESDIS may issue one or more solicitations to purchase on-orbit observations from commercial sources for operational use by NOAA. On September 15, 2016, NOAA announced that it awarded contracts to GeoOptics, Inc. ($695,000), and Spire Global, Inc. ($370,000), as part of its Commercial Weather Data Pilot.[39]  The firms will provide space-based GNSS radio occultation data to NOAA for the agency to evaluate.  They have until April 30, 2017, to complete the delivery of their data.  NESDIS will conduct an assessment of the data through the end of FY 2017 and produce a final report in early FY 2018. C.  
For the First Time, Federal Agencies Authorize Private Company to Land on Moon

On July 20, 2016, the Federal Aviation Administration approved a private company’s plans to land a robotic lander on the Moon, capping a series of unprecedented regulatory approvals from NASA and the State Department that blaze a trail for commercial lunar expeditions.[40]  The company, Moon Express, is an early-stage startup founded for the purpose of establishing commercial travel to, and gathering resources and metals from, the Moon.[41]  As previously there was "no existing regulatory framework for private missions beyond Earth orbit," Moon Express CEO Bob Richards says that "Moon Express created a proposed framework" for the necessary approvals.[42]  While more details have yet to emerge about Moon Express’s framework, it purportedly focused on "the safety of its payload as well as outlining [how] the United Nation’s Outer Space Treaty would not be violated."[43]  The framework uses "existing payload review and launch license processes under authorities of the Secretary of Transportation, and adds to them a series of voluntary disclosures intended to provide the Federal Government with sufficient information to help fulfill its supervisory obligations under the Outer Space Treaty."[44]

The approval is for a lunar mission in 2017, but Moon Express is still assembling its lander and coordinating for its rocket with Los Angeles-based "Rocket Lab."[45]  If Moon Express reaches the Moon by December 31, 2017, it may win the "Google Lunar X Prize competition for the first private organization to reach the moon" and also reap a $20 million reward.[46]  Four other teams from around the world purportedly have obtained 2017 launch contracts from their respective governments.[47]  Moon Express recently announced it has raised an additional $20M in series B-1 funding, which it claims "fully finance[s]" its 2017 launch.[48]

D.  
Congress Passes Law Expanding Federal Aviation Administration and Secretary of Transportation Authority to Consider Proposed Construction’s Impacts on Space Operations On November 28, 2016, President Obama signed into law H.R. 6007,[49] a bill "[t]o amend title 49, United States Code, to include consideration of certain impacts on commercial space launch and reentry activities in a navigable airspace analysis, and for other purposes."  The bill amended 49 U.S.C. § 44718, which has long permitted the Secretary of Transportation to conduct studies and issue reports on any adverse impact on navigable airspace resulting from proposed construction.  H.R. 6007 required the Secretary of Transportation to conduct an aeronautical study if the Secretary determines that any proposed construction or alteration would interfere with "air or space navigation facilities."[50]  And in conducting such a study, the bill required the Secretary to consider "the impact on launch and reentry for launch and reentry vehicles arriving or departing from a launch site or reentry site licensed by the Secretary."[51]  The bill’s purview included "space ports established at existing airports," as airports are considered "General Aviation" facilities.[52]  By May 28, 2018, the FAA Administrator must "initiate a rulemaking to implement" the aforementioned amendments.[53]  H.R. 6007 came on the heels of "officials at California’s Mojave Air and Space Port criticiz[ing an] FAA decision to allow the construction of taller electric transmission lines near the airport."[54]  The bill’s sponsor, California Representative Kevin McCarthy, said on the House floor that the bill gave "the FAA the authority they now lack to examine whether structures being built near spaceports will obstruct spaceflight."[55]  McCarthy’s explicit intent was that the bill "ensures [] government policies keep up with the progress" of "commercial space flight."[56]  Both the House and Senate unanimously approved H.R. 
6007.[57]  E.  FAA Rule on Reciprocal Waivers In August 2016, the Federal Aviation Administration (FAA) revised its rule on reciprocal waivers of claims for commercial launches and reentries.  The new rule simplifies the procedure for customers who contract with a first-tier customer, as opposed to the licensee or permittee.  Under the rule, these customers enter into a waiver agreement with the first-tier customer, not the licensee or permittee.  The rule also mandates that all customers waive claims against every other customer regardless of whether those customers sign a different set of reciprocal waivers.[58] F.  President Trump’s Commercial Space Policy The Trump administration has the potential to be the most supportive ever for the commercial space industry.  During the campaign, two of President Trump’s advisors wrote in an op-ed that "government must recognize that space is no longer the province of governments alone."  The advisors mentioned the work of Boeing/ULA, Orbital ATK, Virgin Galactic, Blue Origin, Paragon, Sierra Nevada, and Xcor, and they praised SpaceX for its "Made in America policy."  They also promised to resurrect the National Space Council under Vice President Mike Pence to coordinate space policy.[59] Since winning the election, Trump has consulted several advocates of commercial spaceflight.  Elon Musk of SpaceX and Jeff Bezos of Blue Origin both attended a meeting with Trump in December, and Peter Thiel, an investor in SpaceX, has been named to the President’s Strategic and Policy Forum.[60] But Senator Jeff Sessions, Trump’s nominee for attorney general, supports a more traditional space policy.  Sessions, whose state is home to NASA’s Marshall Space Flight Center, reportedly has been involved in choosing Trump’s NASA landing team and a nominee for NASA administrator.[61] This division is reflected in the composition of Trump’s NASA landing team.  
After initially appointing a head of the team who appears to support a more traditional policy, the transition added several members who support commercial space exploration.[62] Trump has yet to nominate an administrator for NASA, but the early favorite is Congressman Jim Bridenstine, who has advocated for commercial space interests in Congress.  Other candidates reportedly include former NASA deputy administrator Shana Dale, former NASA administrator Mike Griffin, former NASA astronaut Eileen Collins, and Scott Pace of George Washington University.[63] IV.  CONCLUSION We will continue to keep you informed on these and other related issues as they develop.    [1]   Operation and Certification of Small Unmanned Aircraft Systems, 81 Fed. Reg. 42064 (June 28, 2016).    [2]   14 C.F.R §§ 107.12, 107.53–107.79 (2016).    [3]   Id. §§ 107.3, 107.25, 107.35, 107.51, 107.37, 107.39, 107.41 (2016).    [4]   Id. § 107.205 (2016).    [5]   See FAA, Part 107 Waivers Granted (Dec. 31, 2016), available at https://www.faa.gov/uas/ request_waiver/waivers_granted/.    [6]   14 C.F.R. § 107.41 (2016).    [7]   FAA Order JO 7200.23, Air Traffic Organization Policy (Oct. 3, 2016), available at https://www.faa.gov/ documentLibrary/media/Order/FAA_JO_7200_23_2.pdf.      [8]   See FAA, Micro Unmanned Aircraft Systems ARC Recommendations Final Report (April 1, 2016), available at https://www.faa.gov/uas/resources/uas_regulations_policy/media/Micro-UAS-ARC-FINAL-Report.pdf.    [9]   14 C.F.R. § 107.39 (2016). [10]   See 81 Fed. Reg. at 42128. [11]   The White House, Office of the Press Secretary, Presidential Memorandum:  Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems (Feb. 15, 2015), available at https://www.whitehouse.gov/the-press-office/2015/02/15/ presidential-memorandum-promoting-economic-competitiveness-while-safegua. 
[12]   Voluntary Best Practices for UAS Privacy, Transparency, and Accountability, NTIA-Convened Multistakeholder Process (May 18, 2016), available at https://www.ntia.doc.gov/files/ntia/publications/ uas_privacy_best_practices_6-21-16.pdf. [13]   Notice of Proposed Rule Making, Operation and Certification of Small Unmanned Aircraft Systems, 80 Fed. Reg. 9544, 9552 (Feb. 23, 2015). [14]   81 Fed. Reg. at 42190. [15]   EPIC v. FAA, No. 16-1297 (D.C. Cir. 2016). [16]   EPIC v. FAA, 821 F.3d 39, 43 (D.C. Cir. 2016). [17]   See EPIC v. FAA, No. 16-1297 (D.C. Cir. 2016). [18]   Id. [19]   Current Unmanned Aircraft State Law Landscape, National Conference of State Legislatures (Dec. 16, 2016), available at http://www.ncsl.org/research/transportation/current-unmanned-aircraft-state-law-landscape.aspx. [20]   FAA, Busting Myths About the FAA and Unmanned Aircraft (Mar. 7, 2014), available at https://www.faa.gov/news/updates/?newsId=76240. [21]   See 49 U.S.C. § 40103. [22]   Id. § 40102(32). [23]   14 C.F.R. § 91.119(b)(c). [24]   328 U.S. 256, 266 (1946). [25]   Id. at 264. [26]   Id. at 265. [27]   Id. at 266. [28]   See Boggs, No. 3:16-cv-00006, Dkt. No. 1 (W.D. Ky. Jan. 4, 2016). [29]   See id. [30]   See Huerta, No. 3:16-cv-358, Dkt. No. 30. [31]   Id. [32]   Id. [33]   NASA’s Commercial Crew Program:  Update on Development and Certification Efforts, NASA, Office of Inspector General, Office of Audits (Sept. 1, 2016), available at https://oig.nasa.gov/audits/reports/ FY16/IG-16-028.pdf. [34]   Steven Siceloff, Mission Awards Secure Commercial Crew Transportation for Coming Years, NASA (Jan. 3, 2017), available at https://www.nasa.gov/feature/mission-awards-secure-commercial-crew-transportation-for-coming-years. [35]   Steven Siceloff, New Spacesuit Unveiled for Starliner Astronauts, NASA (Jan. 25, 2017), available at https://www.nasa.gov/feature/new-spacesuit-unveiled-for-starliner-astronauts. [36]   NOAA Commercial Space Policy, NOAA (Jan. 
8, 2016), available at http://www.noaanews.noaa.gov/ stories2016/images/NOAA%20Commercial%20Space%20Policy.pdf. [37]   NOAA Issues Commercial Space Policy, NOAA (Jan. 8, 2016), available at http://www.noaanews.noaa.gov/ stories2016/010816-noaa-statement-commercial-space-policy.html. [38]   Commercial Space Activities Assessment Process, NOAA/NESDIS (Jan. 6, 2017), available at https://www.nesdis.noaa.gov/NESDOCS/pdf/8000_8999/nesdis_commercial_space_activities_assessment_process_final%201.6.17%20readable.pdf.  See also NESDIS Commercial Space Activities Assessment Process, Office of Space Commerce (Jan. 6, 2017), available at http://www.space.commerce.gov/business-with-noaa/nesdis-commercial-space-activities-assessment-process/. [39]   NOAA Awards Commercial Weather Data Pilot Contracts, Office of Space Commerce (Sept. 15, 2016), available at http://www.space.commerce.gov/noaa-awards-commercial-weather-data-pilot-contracts/. [40]   Jordan Rice, The First Private Spaceflight Company Is Cleared for a Moon Landing, Astronomy Magazine (Aug. 4, 2016), http://www.astronomy.com/news/2016/08/next-stop-the-moon.  Up until this point, private companies have flown only 22,236 miles above the Earth–Moon Express intends to send its lander ten times that distance.  See Kenneth Chang, Florida Company Gets Approval to Put Robotic Lander on Moon, The New York Times (Aug. 3, 2016), available at https://www.nytimes.com/2016/08/04/science/moon-express-faa.html?_r=0. [41]   Saki Knago and AJ Barbosa, The New Space Biz:  Companies Seek Cash in the Cosmos, The Huffington Post (July 22, 2011), http://www.huffingtonpost.com/2011/07/22/new-space-business_n_907358.html. [42]   Rice, supra note 40. [43]   Rice, supra note 40. [44]   US Government Approves Plan for Moon Express to Become First Private Company to Venture Beyond Earth’s Orbit, Moon Express, http://www.moonexpress.com/files/moon-express-press-kit.pdf (last visited Jan. 27, 2016). [45]   Chang, supra note 40. 
[46]   Chang, supra note 40. [47]   Homepage, Google Lunar XPrize, http://lunar.xprize.org/ (last visited Jan. 27, 2016). [48]   Sam Levin, Moon Express Raises $20m for 2017 Voyage to the Moon, The Guardian (Jan. 17, 2017), https://www.theguardian.com/science/2017/jan/17/moon-express-raises-20m-for-2017-voyage-to-moon; see also Emily Calandrelli, Moon Express Raises $20M in Series B-1, Fully Funds Trip to the Moon, TechCrunch (Jan. 13, 2017), https://techcrunch.com/2017/01/13/moon-express-raises-20-million-in-series-b-1-fully-funds-trip-to-the-moon/. [49]   H.R. Rep No. 6007 (2016), available at https://www.congress.gov/bill/114th-congress/house-bill/6007/text.  [50]   49 U.S.C. § 44718(b)(1) (emphasis added).  [51]   49 U.S.C. § 44718(b)(1)(F). [52]   Steven Mayer, Obama Signs McCarthy Bill to Protect Space Ports, Bakersfield.com (Nov. 29, 2016), http://www.bakersfield.com/news/obama-signs-mccarthy-bill-to-protect-space-ports/article_317b54d7-dffc-590d-b121-c7a8e6b3b32e.html.  [53]   H.R. Rep No. 6007 (2016), available at https://www.congress.gov/bill/114th-congress/house-bill/6007/text.  [54]   Id.  [55]   Jeff Foust, House Advances Commercial Space and Astronaut Health Bills, SpaceNews (Sep. 22, 2016), http://spacenews.com/house-advances-commercial-space-and-astronaut-health-bills/#sthash.pqkTLvBT.dpuf. [56]   Mayer, supra note 52. [57]   Foust, supra note 55. [58]   Reciprocal Waivers of Claims for Licensed or Permitted Launch and Reentry Activities, 81 Fed. Reg. 55115 (2016) (codified at 14 C.F.R. § 440). [59]   Robert S. Walker & Peter Navarro, Op-ed:  Trump’s Space Policy Reaches for Mars and the Stars, SpaceNews (Oct. 19, 2016), http://spacenews.com/trumps-space-policy-reaches-for-mars-and-the-stars/. [60]   Eric Berger, Peter Thiel Now Leading the Fight for Commercial Space in Trump’s NASA, Ars Technica (Dec. 20, 2016, 6:31 PM), https://arstechnica.com/science/2016/12/peter-thiel-now-leading-the-fight-for-commercial-space-in-trumps-nasa/. 
[61]   Andy Pasztor, Sen. Jeff Sessions Exerts Wide Influence Over Trump Space Plans, Wall St. J. (Dec. 13, 2016, 6:56 PM), http://www.wsj.com/articles/sen-jeff-sessions-exerts-wide-influence-over-trump-space-plans-1481673405. [62]   Andy Pasztor, Thiel Pushes to Add Commercial-Space Backers to Trump NASA Team, Wall St. J. (Dec. 21, 2016, 11:22 AM), http://www.wsj.com/articles/thiel-others-push-for-trump-nasa-team-expansion-1482263645. [63]   Eric Berger, Will Trump Pick an "Agent of Change" or an Insider to Lead NASA, Ars Technica (Nov. 17, 2016, 9:58 AM), https://arstechnica.com/science/2016/11/will-trump-pick-an-agent-of-change-or-an-insider-to-lead-nasa/.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding the issues discussed above.  Please contact the Aerospace and Related Technologies practice group co-chairs, Karen L. Manos, David Wilf, Perlette M. Jura, and William J. Peters; the additional authors of this update, Dhananjay S. Manthripragada, Jared Greenberg, and David M. Wolber; or the Gibson Dunn lawyer with whom you usually work.

© 2017 Gibson, Dunn & Crutcher LLP

June 12, 2015 |
A Practical Guide to the Use of the Commissioned Public Report as an Effective Crisis-Management Tool

Washington, D.C. partner F. Joseph Warin and associates Oleh Vretsona and Lora MacDonald are the authors of "A Practical Guide to the Use of the Commissioned Public Report as an Effective Crisis-Management Tool" [PDF] published in the Notre Dame Journal of Law, Ethics & Public Policy, Volume 29, Issue 1.

March 16, 2018 |
Aerospace and Related Technologies – Key Developments in 2017 and Early 2018

This March 2018 edition of Gibson Dunn’s Aerospace and Related Technologies Update discusses newsworthy developments, trends, and key decisions from 2017 and early 2018 that are of interest to aerospace and defense, satellite, and drone companies; and new market entrants in the commercial space and related technology sectors, including the private equity and other financial institutions that support and enable their growth. Specifically, this update covers the following areas: (1) commercial unmanned aircraft systems (“UAS”), or drones; (2) government contracts litigation involving companies in the aerospace and defense industry; (3) the commercial space sector; and (4) cybersecurity and privacy issues related to the national airspace.  We discuss each of these areas in turn below.

I.    COMMERCIAL UNMANNED AIRCRAFT SYSTEMS

The commercial drone industry has continued to mature through advancements in technology, government relations, and public perception.  Commercial drones are being used for various sensory data collection, building inspections, utility inspections, agriculture monitoring and treatment, railway inspections, pipeline inspections, mapping of mines, and photography.  New drone applications are being created on a regular basis.  For example, the concept of flying drone taxis was validated in Dubai in September 2017 when an uncrewed two-seater drone successfully conducted its first test flight.

Around a year and a half ago, United States regulations governing non-recreational drone operations were finalized.  Since then, the Federal Aviation Administration (“FAA”) has issued over 60,000 remote pilot certificates.  The FAA has made and continues to make efforts to advance its technology, and it recently released a prototype application to provide operators with automatic approval of specific airspace authorizations.  The national beta test of this system will launch in 2018, and we will be sure to report back with the results.
One of the biggest boons for the industry over the past 15 months was the positive public perception stemming from Hurricane Harvey relief efforts.  In the days following the disaster, drones worked in concert with government agencies to support search and rescue missions, inspect roads and railroads, and assess water plants, oil refineries, cell towers, and power lines.  Further, major insurance companies used drones to assess claims in a safer, faster, and more efficient manner.  The aftermath of this disaster demonstrated the value of drone technology and increasingly has driven a positive public perception of the industry.  Indeed, even aside from the disaster relief efforts, media sources continue to carry positive drone stories.  For example, in January 2018, Australian lifeguards were testing a drone with the ability to release an inflatable rescue pod; during its testing, the drone was called into action, and rescued two teenagers from drowning. The future is bright, but there are still many obstacles for the industry to overcome before it fully matures, such as clarity around low altitude airspace, privacy concerns, and the risk to people, property, and other aircraft. To get you caught up on 2017 and early 2018 drone developments, we have briefly summarized below: (A) highlights of drone litigation impacting airspace, including highlights from previous years for context; (B) drone registration; (C) privacy issues related to drones; (D) the United States government’s expanded use of drones; (E) drone countermeasures; (F) drone safety studies; and (G) the UAS airspace integration pilot program. A.    Litigation Highlights Regarding Airspace Huerta v. Haughwout, No. 3:16-cv-358, Dkt. No. 30 (D. Conn. Jul. 18, 2016) The latter half of 2016 featured an important decision regarding the FAA’s authority over low-level airspace.  The 2016 decision, Huerta v. 
Haughwout—also known as “the flamethrower drone case”—involved two YouTube videos posted by the Haughwouts.  One video featured a drone firing an attached handgun, while a second video showed a drone using an attached flamethrower to scorch a turkey.  After the videos were publicly uploaded, the FAA served the Haughwouts with an administrative subpoena to acquire further information about the activities featured in the videos.  The Haughwouts refused to comply with the FAA’s subpoenas, asserting that their activities were not subject to investigation by the FAA.  In response, the FAA sought enforcement of the subpoenas in the District of Connecticut.[1] Judge Jeffrey Meyer found the administrative subpoenas to be valid.  Most importantly, however, his order included dicta casting doubt on the FAA’s claim to control all airspace from the ground up:  “The FAA believes it has regulatory sovereignty over every inch of outdoor air in the United States…. [T]hat ambition may be difficult to reconcile with the terms of the FAA’s statute that refer to ‘navigable airspace.’”  While this dicta addressed the question of where the FAA’s authority begins, Judge Meyer also noted that “the case does not yet require an answer to that question.”[2]  Judge Meyer further stated: Congress surely understands that state and local authorities are (usually) well positioned to regulate what people do in their own backyards.  The Constitution creates a limited national government in recognition of the traditional police power of state and local government.  No clause in the Constitution vests the federal government with a general police power over all of the air or all objects that leave the ground.  
Although the Commerce Clause allows for broad federal authority over interstate and foreign commerce, it is far from clear that Congress intends–or could constitutionally intend–to regulate all that is airborne on one’s own property and that poses no plausible threat to or substantial effect on air transport or interstate commerce in general.[3] 2017 featured the resolution of another lawsuit where the plaintiff attempted to extend the significance of Haughwout in an effort to get the courts to address the question of what “navigable airspace” means in the context of drones (see discussion of Singer v. City of Newton, infra). Boggs v. Merideth, No. 3:16-cv-00006 (W.D. Ky. Jan. 4, 2016) In Boggs v. Merideth—better known as “the Drone Slayer case”—a landowner shot down an operator’s drone with a shotgun in the Western District of Kentucky.[4]  The plaintiff flew his drone roughly 200 feet above the defendant’s property, causing the defendant—the self-anointed “Drone Slayer”—to claim the drone was trespassing and invading his privacy and shoot it down.  The plaintiff believed the airspace 200 feet above the ground was federal airspace and therefore the defendant could not claim the drone was trespassing. Following a state judge’s finding that the defendant acted “within his rights,” the drone operator filed a complaint in federal court for declaratory judgment to “define clearly the rights of aircraft operators and property owners.”[5]  The case had the potential to be a key decision on the scope of federal authority over the use of airspace.  Rather than claiming defense of property, however, the defendant moved to dismiss the complaint on jurisdictional grounds.  The plaintiff unsuccessfully attempted to rely on the decision in Huerta v. Haughwout for the proposition that all cases involving the regulation of drone flight should be resolved by federal courts.  
The court rejected the plaintiff’s argument, noting that Haughwout only concerned the FAA’s ability to exercise subpoena power and enforce subpoenas in federal court.  In fact, the district court noted, the court in Haughwout “expressed serious skepticism as to whether all unmanned aircrafts are subject to FAA regulation.”[6]  In his March 2017 order, Senior District Court Judge Thomas B. Russell granted the defendant’s motion to dismiss for lack of federal jurisdiction, stating that the issue of whether or not the drone was in protected airspace only arises on the presumption that the defendant would raise the defense that he was defending his property.[7]  Consequently, there was no federal question jurisdiction and the case was thrown out without ever reaching its merits. While the question of what exactly constitutes “navigable airspace” in the drone context remained unanswered in 2017, the year did mark the beginning of federal courts addressing the overlap between conflicting state, local, and federal drone laws. Singer v. City of Newton, No. 1:17-cv-10071 (D. Mass. Jan. 17, 2017) On September 21, 2017, a federal judge in the District of Massachusetts held that portions of the City of Newton, Massachusetts’s (“Newton”) ordinance attempting to regulate unmanned aircraft operations within the city were invalid.[8] The case, Singer v. City of Newton, marks the first time a federal court has struck down a local ordinance attempting to regulate drones.  
The court held the following four city ordinance provisions to be unenforceable: (1) a requirement that all owners register their drones with the city; (2) a ban on all drone operations under 400 feet that are over private property unless done with express permission of the property owner; (3) a ban on all drone operations over public property, regardless of altitude, unless done with the express permission of the city; and (4) a requirement that no drone be operated beyond the visual line of sight of its operator.[9] All four of these provisions of the Newton ordinance were found to be preempted by federal regulations promulgated by the FAA. In the course of holding that the four sections of Newton’s ordinance were each preempted, the court identified the congressional objectives each section inhibited.  One relevant congressional objective is to make the FAA the exclusive regulatory authority for registration of drones.  The Newton ordinance required the registration of drones with the City of Newton, which impeded Congress’s objective; thus, the court found that section to be preempted.[10] The court also identified a congressional objective for the FAA to develop a comprehensive plan to safely accelerate the integration of drones into the national airspace system.  
The two sections of the Newton ordinance requiring prior permission to fly above both public and private property within the city effectively eliminated any drone activity without prior permission; thus those sections were held to interfere with the federal objective and were invalidated.[11] Lastly, the court found that the Newton ordinance’s provision barring drone usage beyond the visual line of sight of the operator conflicted with a less restrictive FAA rule allowing such usage if a waiver is obtained or if a separate visual observer can see the drone throughout its flight and assist the operator.[12] The Singer ruling marked the long-anticipated beginning of federal courts addressing overlapping state, local, and federal drone laws.  While the ruling is significant for invalidating sections of a local ordinance and thus establishing a framework that federal courts may follow to invalidate state and local drone laws elsewhere, it is important not to overstate the case’s current significance.  The court in Singer declined to hold that law relating to airspace was expressly preempted or field preempted, but rather decided it was conflict preempted.  Consequently, the case does not provide support for the assertion that all state and local drone laws related to airspace will be preempted by FAA regulations.  Further, the court did not opine on the lower limits of the National Airspace and whether it goes to the ground, an issue likely to come up in future litigation. The unchallenged portions of the Newton ordinance still stand, and the closing lines in the opinion recognize that Newton is free to redraft the invalidated portions to avoid direct conflict with FAA regulations.  Thus it remains possible, even in the District of Massachusetts, for federal law to coexist with state and local laws in this field.  
In order to successfully avoid invalidation in the courts, however, state and local lawmakers must draft legislation that allows for compliance with federal regulations, and which does not interfere with any federal objectives. The year 2017 left much to still be determined by the courts.  While Newton demonstrated that preemption concerns do and will continue to exist, the case did not address the boundary of the National Airspace.  Haughwout did address the boundary—though only through dicta—and suggested that, when the issue is decided, the boundary will likely not extend to the ground.  Thus, as was the case at the start of 2017, where the boundary will be drawn remains to be seen. B.    Drone Registration: From Mandatory to Optional and Back to Mandatory In December 2015, days before tens of thousands of drones were gifted for the holidays, the FAA adopted rules requiring the registration of drones weighing more than 0.55 pounds prior to operation.  This registration requirement only impacted recreational users, as commercial users are required to register under Part 107.  This rule was challenged in Taylor v. Huerta, and on May 19, 2017, the U.S. Court of Appeals for the D.C. Circuit vacated the rule.[13]  The FAA instituted a program to issue refunds, and recreational pilots enjoyed the freedom of flying unregistered drones for the next seven months. The Circuit Court struck down the rule because the FAA lacked statutory authority to issue such a rule for recreational pilots.  
Section 336 of the FAA Modernization and Reform Act of 2012 states that the “Administrator of the Federal Aviation Administration may not promulgate any rule or regulation regarding a model aircraft.”[14]  The Court held that the FAA’s registration rule “directly violates that clear statutory prohibition” and vacated the rule to the extent it applied to model aircraft.[15]  The FAA responded by offering $5 registration fee refunds and the option to have one’s information removed from the federal database, but encouraging recreational operators to voluntarily register their drones. However, in a turn of events, on December 12, 2017, the President signed the National Defense Authorization Act of 2018, which included a provision reinstating the rule: Restoration Of Rules For Registration And Marking Of Unmanned Aircraft.—The rules adopted by the Administrator of the Federal Aviation Administration in the matter of registration and marking requirements for small unmanned aircraft (FAA-2015-7396; published on December 16, 2015) that were vacated by the United States Court of Appeals for the District of Columbia Circuit in Taylor v. Huerta (No. 15-1495; decided on May 19, 2017) shall be restored to effect on the date of enactment of this Act.[16] As a result of the Act, both recreational and commercial pilots are now required to register their drones, and one can do so on the FAA’s website. C.    UAS and Privacy 1.    Voluntary Best Practices Remain Intact A 2015 Presidential Memorandum issued by then President Obama ordered the National Telecommunications and Information Administration (“NTIA”) of the U.S. 
Department of Commerce to create a private-sector engagement process to help develop voluntary best practices for privacy and transparency issues regarding commercial and private drone use.[17]  Since Part 107 of Title 14 of the Code of Federal Regulations (“Part 107”)[18] does not address privacy, privacy advocates hoped that the NTIA would force the FAA to promulgate privacy regulations.[19]  Prior attempts to petition the FAA to consider privacy concerns in its Notice of Proposed Rulemaking (“NPRM”) for Part 107 were unsuccessful.[20] The NTIA issued its voluntary best privacy practices for drones on May 19, 2016.[21]  While the final best practices found support from some privacy organizations and most of the commercial drone industry, other privacy groups raised concerns that the best practices neither established nor encouraged binding legal standards.[22]  Nonetheless, the best practices offer useful guidelines for companies testing and/or actively conducting drone operations. 2.    Litigation Regarding the FAA’s Role in Addressing Privacy As we discussed in an earlier update, the Electronic Privacy Information Center (“EPIC”) challenged the FAA’s decision to exclude privacy regulations from Part 107 in an August 2016 petition for review.[23]  In 2012, EPIC petitioned the FAA to promulgate privacy regulations applicable to drone use, which the FAA denied in February 2014.[24]  EPIC argued that the FAA Modernization and Reform Act of 2012 required the FAA to consider privacy issues in its NPRM.[25]  The FAA argued that while the Act directed the FAA to develop a comprehensive plan to safely integrate drones into the national airspace system, privacy considerations went “beyond the scope” of that plan.[26]  The D.C. Circuit dismissed EPIC’s petition for review on two grounds.[27]  First, the Court deemed EPIC’s petition for review “time-barred” because EPIC filed 65 days past the time allotted under 49 U.S.C. 
§ 46110(a).[28]  Second, the Court held that the FAA’s “conclusion that privacy is beyond the scope of the NPRM” was not a final agency determination subject to judicial review.[29] After the rule became final, EPIC filed a new petition for review asking the court to vacate Part 107 and remand it to the FAA for further proceedings.[30]  Consolidated with a related case, Taylor v. FAA, No. 16-1302 (D.C. Cir. filed August 29, 2016), EPIC argues that the FAA violated the Act by: (1) refusing to consider “privacy hazards,” and (2) refusing to “conduct comprehensive drone rulemaking,” which necessarily includes issues related to privacy.[31]  The FAA argues: (1) EPIC lacks standing, (2) the FAA reasonably decided not to address privacy concerns, and (3) even if EPIC has standing, Section 333 of the Act does not require the FAA to promulgate privacy regulations.[32]  Judge Merrick Garland, Judge David Sentelle, and Judge A. Raymond Randolph heard oral arguments in the consolidated cases on January 25, 2018.[33]  All eyes thus remain on the D.C. Circuit to determine whether the FAA must issue regulations covering privacy concerns raised by increased drone use. D.    The United States Government Expands Its Use of Drones Four years after the U.S. Department of Defense (“DoD”) issued its 25-year “vision and strategy for the continued development, production, test, training, operation, and sustainment of unmanned [aircraft] systems technology,”[34] the drone defense industry continues to experience rapid growth.  
A recent market report estimated that commercial and government drone sales will surpass $12 billion by 2021.[35]  However, that estimate is likely conservative when considering that the DoD allocated almost $5.7 billion to drone acquisition and research in 2017 alone.[36]  Likewise, the DoD allocates almost $7 billion to drone technology in its 2018 fiscal year Defense Budget.[37]  Additionally, Goldman Sachs forecasted a $70 billion market opportunity for military drones by 2020.[38]  According to Goldman Sachs: “Current drone technology has already surpassed manned aircraft in endurance, range, safety and cost efficiency — but research and development is far from over.  The next generation of drones will widen the gap between manned and unmanned flight even further, adding greater stealth, sensory, payload, range, autonomous, and communications capabilities.”[39]  It should thus come as no surprise that organizations developing defense-specific drones will expect increased demand for complete systems and parts in the coming years. 1.    United States Government’s Domestic Use of Drones The U.S. government mostly acquires drones for overseas military operations, a trend dating back to the deployment of the Predator drone in post-9/11 conflict territories.[40]  Domestic use of DoD-owned drones remains subject to strict governmental approval, and armed drones are prohibited on U.S. soil.[41]  In February 2015, the Deputy Secretary of Defense issued Policy Memorandum 15-002 entitled “Guidance for the Domestic Use of Unmanned Aircraft Systems.”[42]  Under the policy, the Secretary of Defense must approve all domestic use of DoD-owned UAVs, with one exception—domestic search and rescue missions overseen by the Air Force Rescue Coordination Center.[43]  However, DoD personnel may use drones to surveil U.S. 
persons where permitted by law and where approved by the Secretary.[44]  The policy expired on February 17, 2018,[45] and it remains to be seen how the Trump administration will handle domestic use of DoD-owned drones and the integration of UAVs into day-to-day civilian operations. E.    Drone Countermeasures In response to the rapid growth of militarized consumer drones, particularly in ISIS-controlled territories,[48] 2017 saw an increased offering of anti-drone technologies in the U.S.[49]  In April 2017, the U.S. Army’s Rapid Equipment Force purchased 50 of Radio Hill Technologies’ “Dronebuster” radar guns.[50]  The Dronebuster uses radio frequency technology to interrupt the control of drones by effectively jamming the control frequency or the GPS signal.[51]  The end-user can overwhelm the drone and deprive its operator of control or cause the drone to “fall out of the sky.”[52]  Handheld radar-type guns like the Dronebuster weigh about five pounds and cost an average of $30,000.[53]  The U.S. military also experimented with the Mobile High-Energy Laser-equipped Stryker vehicle.[54]  Similar to the Dronebuster, the 5 to 10kW laser overwhelms target drones’ control systems with high bursts of energy.[55]  It can shoot down drones 600 meters away, all without making a sound.[56] F.    Drone Safety Studies Making UAS operations commonplace in urban airspace will be a big step in the technological and economic advancement of the U.S.; however, there are obstacles to overcome in ensuring the safe operation of drones in urban areas.  
On April 28, 2017, the Alliance for System Safety of UAS through Research Excellence (“ASSURE”) released the results of a study that explored the severity of a UAS collision with people and property on the ground.[57]  First, ASSURE determined the most likely impact scenarios by reviewing various operating environments for UAS and determining their likely exposure to people and other manned aircraft.[58]  Then the team conducted crash tests and analyzed crash dynamics by measuring kinetic energy transfer.[59]  The results revealed that earlier measurements of the danger of collision grossly overestimate the risk of injury from a drone.[60]  ASSURE concluded that the DJI Phantom 3 drone has a 0.03% chance of causing a head injury if it falls on a person’s head.[61]  This is a very low probability considering blocks of steel or wood of the same weight have a 99% risk of causing a head injury in the same scenario.[62]  The disparity in probability of head injury is largely due to the fact that the DJI Phantom 3 drone absorbs most of the energy resulting from a collision, and therefore less energy is transferred on impact from the drone than from a block of steel or wood in the same collision.[63] In fact there are numerous steps that drone designers and manufacturers can take to reduce the likelihood of injury in the event of a collision.[64]  Projectile mass and velocity, as well as stiffness of the UAS, are the primary drivers of impact damage.[65]  As such, multi-rotor drones tend to be safer because they fall more slowly due to the drag of the rotors as the drones fall through the air.[66]  The study made clear that blade guards should be a design requirement for drones used in close proximity to people in order to minimize the lacerations that can result from a collision.[67]  Moreover, ASSURE found that the more flexible the structure of the drone, the more energy the drone retains during impact, causing less harm to the impacted object of the collision.[68] 
Regarding crashes with other manned aircraft, however, the study revealed that the impact of a drone can be much more severe than the impact of a bird of equivalent size and speed.[69]  As such, the structural components of a commercial aircraft that allow it to withstand bird strikes from birds up to eight pounds are not an appropriate guideline for preventing damage from a UAS strike.[70]  The study also examined the dangers associated with lithium batteries, which are used to power most drones, in collisions.[71]  The major concern is the risk of a battery fire.[72]  The study found that typical high-speed impacts cause complete destruction of the battery, eliminating any concerns about battery fires.[73]  However, the lower impact crashes, which are mainly associated with take-off and landing, left parts of the battery intact, posing a risk of battery fire.[74] While the ASSURE study is the first of its kind, it certainly marks the need for more studies that analyze the practical aspects of collisions and how to reduce risk to minimize harm.  The hazards associated with commonplace drone operation are many.[75]  Analysis of the physical impact of a collision is one aspect of minimizing UAS risks.  
There is still much work to be done in order to minimize other collateral risks, such as the risk of technology failures, which range from UAS platform failures, to failures of hardware or communication links controlling the UAS.[76]  Environmental hazards, such as the effect of rain, lightning, and other types of weather, remain to be studied.[77]  Safeguarding against human error or intentional interference is another aspect of UAS safety that has yet to be studied in detail.[78]  Data link spoofing, jamming, or hijacking poses significant safety hazards, particularly as incidents of data breaches become more and more common.[79]  Before the integration of UAS into national airspace can be fully implemented, industry stakeholders must collaborate to conduct studies that will help inform legislators about what kind of technological requirements and operational regulations are necessary. G.    UAS Airspace Integration Pilot Program In October 2017, the U.S. Department of Transportation (“DOT”) announced that it was launching the Unmanned Aircraft Systems Integration Pilot Program.[80]  The program, which was established in response to a presidential directive, is meant to accelerate the integration of UAS into the national airspace through the creation of public-private partnerships between UAS operators, governmental entities, and other private stakeholders.[81]  The program is designed to establish greater regulatory certainty and stability regarding drone use.[82]  After reviewing the applications, DOT will select a minimum of five partnerships with the goal of collaborating with the selected industry stakeholders in order to evaluate certain advanced UAS operational concepts, such as night operations, flights beyond the pilot’s line of sight, detect-and-avoid technologies, flights over people, counter-UAS security operations, package delivery, the integrity and dependability of data links between pilot and aircraft, and cooperation between local authorities 
and the FAA in overseeing UAS operations.[83] One such application was made by the City of Palo Alto, in partnership with the Stanford Blood Center, Stanford hospital, and Matternet, a private drone company.[84]  The City of Palo Alto has proposed the use of drones to deliver units of blood from the Stanford Blood Center to Stanford hospital, which would involve establishing an approved flight path for drones to transfer the units of blood in urgent situations.[85]  Matternet has already tested its drones’ capacity for transporting blood and other medical samples in Switzerland.[86]  A second project proposed by the City of Palo Alto involves the use of drones in order to monitor the perimeter of the Palo Alto Airport.[87]  This project involves a partnership between the city and a company called Multirotor, a German drone company that has experience working with the German army and the Berlin Police Department to integrate UAS as tools for law enforcement activities.[88] The creation of the pilot program has given stakeholders the sense that the current administration is supportive of integrating drones into the national airspace.  The support of the government has created the potential for unprecedented growth in an industry that could bring lucrative returns to its stakeholders.  
The DOT has already received over 2,800 interested party applications.[89]  The majority of these applications have come from commercial drone companies, as well as various other stakeholders including energy companies, law enforcement agencies, and insurance providers.[90]  The UAS Pilot Program is to last for three years.[91]  The projected economic benefit of integrated UAS is estimated to equal $82 billion, creating up to 100,000 jobs.[92]  Industries that could see immediate returns from the program include precision agriculture, infrastructure inspection and monitoring, photography, commerce, and crisis management.[93]  The advent of established, government-sanctioned rules for the operation of UAS will motivate industry stakeholders both in the public and private sectors to push forward with new and innovative ways to use drones. II.    GOVERNMENT CONTRACTS LITIGATION IN THE AEROSPACE AND DEFENSE INDUSTRY Gibson Dunn’s 2017 Year-End Government Contracts Litigation Update and 2017 Mid-Year Government Contracts Litigation Update cover the waterfront of the most important opinions issued by the U.S. Court of Appeals for the Federal Circuit, U.S. Court of Federal Claims, Armed Services Board of Contract Appeals (“ASBCA”), and Civilian Board of Contract Appeals among other tribunals.  We invite you to review those publications for a full report on case law developments in the government contracts arena. In this update, we (A) summarize key court decisions related to government contracting from 2017 that involve players in the aerospace and defense industry.  The cases discussed herein, and in the Government Contracts Litigation Updates referenced above, address a wide range of issues with which government contractors in the aerospace and defense industry are likely familiar. A.    Select Decisions Related to Government Contractors in the Aerospace and Defense Industry Technology Systems, Inc., ASBCA No. 59577 (Jan. 
12, 2017) TSI held four cost-plus-fixed-fee contracts with the Navy for research and development.  Several years into the contracts, the government disallowed expenses that had not been questioned in prior years.  TSI appealed to the ASBCA, arguing that it relied to its detriment on the government’s failure to challenge those same expenses in prior years. The Board (Prouty, A.J.) held that the challenged costs were “largely not allowable” and that “the principle of retroactive disallowance,” which it deemed “a theory for challenging audits whose heyday has come and gone,” did not apply because the same costs had simply not come up in the prior audits.  The theory of retroactive disallowance, first articulated in a Court of Claims case in 1971, prevents the government from challenging costs already incurred when the cost previously had been accepted following final audit of historical costs; the contractor reasonably believed that it would continue to be approved; and it detrimentally relied on the prior acceptance.  Tracing the precedent discussing the principle, the Board cited the Federal Circuit’s decision in Rumsfeld v. United Technologies Corp., 315 F.3d 1361 (Fed. Cir. 2003), which stated that “affirmative misconduct” on the part of the government would be required for the principle of retroactive disallowance to apply because it is a form of estoppel against the government.  The Board “sum[med] up: there is no way to read our recent precedent or the Federal Circuit’s except to include an affirmative misconduct requirement amongst the elements of retroactive disallowance.  Period.”  Further, the Board held that the government’s failure to challenge the same costs in prior years did not constitute a “course of conduct precluding the government from disallowing the costs in subsequent audits.” Delfasco LLC, ASBCA No. 59153 (Feb. 14, 2017) Delfasco had a contract with the Army for the manufacture and delivery of a specified number of munition suspension lugs.  
The Army thereafter exercised an option to double the number of lugs required.  When Delfasco stopped making deliveries due to an inability to pay its subcontractor, the Army terminated the contract for default.  Delfasco appealed to the ASBCA, asserting that the government had waived its right to terminate for untimely performance by allegedly stringing Delfasco along even after the notice of termination. The Board (Prouty, A.J.) set out the test for waiver in a case involving termination for default due to late delivery as follows:  “(1) failure to terminate within a reasonable time after the default under circumstances indicating forbearance, and (2) reliance by the contractor on the failure to terminate and continued performance by him under the contract with the Government’s knowledge and implied or express consent.”  The Board held that Delfasco failed to satisfy the first prong because the government’s show cause letter placed Delfasco on notice that any continued performance would only be for the purpose of mitigating damages.  Moreover, Delfasco failed to satisfy the second prong because Delfasco’s payment to its subcontractor after the show cause letter would have been owed regardless, and was not paid in reliance upon the government’s failure to terminate.  Therefore, the Board found that the government had not waived its right to terminate, and denied the appeal. Raytheon Co., ASBCA Nos. 57743 et al. (Apr. 17, 2017) Raytheon appealed from three final decisions determining that an assortment of costs—including those associated with consultants, lobbyists, a corporate development database, and executive aircraft—were expressly unallowable and thus subject to penalties.  After a two-week trial, the Board (Scott, A.J.) sided largely with Raytheon in a wide-ranging decision that covers a number of important cost principles issues. 
First, the Board rejected the government’s argument that the consultant costs were expressly unallowable simply because the government was dissatisfied with the level of written detail of the work product submitted to support the costs.  Judge Scott noted that written work product is not a requirement to support a consultant’s services under FAR 31.205-33(f), particularly not where, as here, much of the consultants’ work was delivered orally due to the classified nature of the work performed.  The Board found that not only were the consultant costs not expressly unallowable, but indeed were allowable.  This is a significant ruling because the documentation of consultant costs is a recurring issue as government auditors frequently make demands concerning the amount of documentation required to support these costs during audits. Second, the government sought to impose penalties for costs that inadvertently were not withdrawn in accordance with an advance agreement between Raytheon and the government concerning two executive aircraft.  Raytheon agreed that the costs should have been withdrawn and agreed to withdraw them when the error was brought to its attention, but asserted that the costs were not expressly unallowable and subject to penalty.  The Board agreed, holding that the advance agreements did not themselves clearly name and state the costs to be unallowable, and further that advance agreements do not have the ability to create penalties because a cost must be named and stated to be unallowable in a cost principle (not an advance agreement) to be subject to penalties.  This ruling could have significance for future disputes arising out of advance agreements. Third, the government alleged that costs associated with the design and development of a database to support the operations of Raytheon’s Corporate Development office were expressly unallowable organizational costs under FAR 31.205-27.  
The Board disagreed, validating Raytheon’s argument that a significant purpose of the Corporate Development office was allowable generalized long-range management planning under FAR 31.205-12, thus rendering the costs allowable (not expressly unallowable). The only cost for which the Board denied Raytheon’s appeals concerned the salary costs of government relations personnel engaged in lobbying activities.  Raytheon presented evidence that it had a robust process for withdrawing these costs as unallowable under FAR 31.205-22, but inadvertently missed certain costs in this instance due to, among other things, “spreadsheet errors.”  Raytheon agreed that the costs were unallowable and should be withdrawn, but disputed that the costs of employee compensation (a generally allowable cost) were expressly unallowable and further argued that the contracting officer should have waived penalties under FAR 42.709-5(c) based on expert evidence that Raytheon’s control systems for excluding unallowable costs were “best in class.”  The Board found that salary costs associated with unallowable lobbying activities are expressly unallowable and that the contracting officer did not abuse his discretion in denying the penalty waiver. L-3 Comms. Integrated Sys. L.P. v. United States, No. 16-1265C (Fed. Cl. May 31, 2017) L-3 entered an “undefinitized contractual action” (“UCA”) with the Air Force in which it agreed to provide certain training services while still negotiating the terms of the contract.  After the parties failed to reach agreement on the prices for two line items in the UCA, the Air Force issued a unilateral contract modification, setting prices for those line items and definitizing the contract.  L-3 argued that the Air Force’s price determination was unreasonable, arbitrary and capricious, and in violation of the FAR, and filed suit seeking damages.  The government moved to dismiss for lack of subject matter jurisdiction. The Court of Federal Claims (Kaplan, J.) 
dismissed L-3’s complaint, concurring with the government that L-3 had never presented a certified claim to the contracting officer for payment “of a sum certain to cover the losses it allegedly suffered.”  The court found that the proposals L-3 had presented to the Air Force were not “claims,” but rather proposals made during contract negotiations that did not contain the requisite claim certification language. Innoventor, Inc., ASBCA No. 59903 (July 11, 2017) In 2011, the government entered into a fixed-price contract with Innoventor for the design and manufacture of a dynamic brake test stand.  As part of the contract’s purchase specifications, the new design had to undergo and pass certain testing.  After problems arose in the testing process, Innoventor submitted a proposal to modify certain design components and applied for an equitable adjustment due to “instability of expectations.”  The contracting officer denied Innoventor’s request for an equitable adjustment, stating that the government had not issued a modification directing a change that would give rise to such an adjustment.  Innoventor submitted a claim, which the contracting officer denied, and Innoventor appealed. The Board (Sweet, A.J.) held that the government was entitled to judgment as a matter of law because there was no evidence that the government changed Innoventor’s performance requirements, let alone that anyone with authority directed any constructive changes.  Here, the contract was clear that Innoventor’s design had to pass certain tests, and because it failed some of them, and did not perform pursuant to the contract terms, there was no change in the original contract terms that would give rise to a constructive change.  The Board also found that there was no evidence that any person beyond the contracting officer had authority to direct a change because the contract expressly provided that only the contracting officer has authority to change a contract.  
Accordingly, the Board denied Innoventor’s appeal. L-3 Commc’ns Integrated Sys., L.P., ASBCA Nos. 60713 et al. (Sept. 27, 2017) L-3 appealed from multiple final decisions asserting government claims for the recovery of purportedly unallowable airfare costs.  Rather than audit and challenge specific airfare costs, the Defense Contract Audit Agency simply applied a 79% “decrement factor” to all of L-3’s international airfare costs over a specified dollar amount, claiming that this was justified based on prior-year audits.  After filing the appeals, L-3 moved to dismiss for lack of jurisdiction on the grounds that the government had failed to provide adequate notice of its claims by failing to identify which specific airfare costs were alleged to be unallowable, as well as the basis for those allegations. The Board (D’Alessandris, A.J.) denied the motion to dismiss, holding that the contracting officer’s final decisions sufficiently stated a claim in that they set forth a sum certain and a basis for such a claim.  The Board held that L-3 had enough information to understand how the government reached its claim, and its contention that this was not a valid basis for the disallowance of costs for the year in dispute went to the merits and not the sufficiency of the final decisions. Scott v. United States, No. 17-471 (Fed. Cl. Oct. 24, 2017) Brian X. Scott brought a pro se claim in the Court of Federal Claims seeking monetary and injunctive relief for alleged harms arising from the Air Force’s handling of his unsolicited proposal for contractual work.  Scott was an Air Force employee who submitted a proposal for countering the threat of a drone strike at the base where he was stationed.  The proposal was rejected, but Scott alleged that portions of the proposal were later partially implemented.  Scott sued, claiming that the Air Force failed properly to review his proposal and that his intellectual property was being misappropriated.  
Scott argued that jurisdiction was proper under the Tucker Act because an implied-in-fact contract arose that prohibited the Air Force from using any data, concept, or idea from his proposal, which was submitted to a contracting officer with a restrictive legend consistent with FAR § 15.608. The Court of Federal Claims (Lettow, J.) found that it had jurisdiction under the Tucker Act because an implied-in-fact contract was formed when the Air Force became obligated to follow the FAR’s regulatory constraints with regard to Scott’s proposal.  Nevertheless, the Court granted the government’s motion to dismiss because Scott’s factual allegations, even taken in the light most favorable to him, did not plausibly establish that the government acted unreasonably or failed to properly evaluate his unsolicited proposal by using concepts from the proposal where Scott’s proposal addressed a previously published agency requirement. III.    COMMERCIAL SPACE SECTOR A.    Overview of Private Space Launches and Significant Milestones Space exploration is always fascinating—2017 and early 2018 were no exception.  Starting off in February 2017, India’s Polar Satellite Launch Vehicle launched 104 satellites, setting a record for the number of satellites launched from a single rocket.[101]  In June, NASA finally unveiled its 12 chosen candidates for its astronaut program out of a pool of over 18,000 applicants, which was a record-breaking number.[102]  A few months later, NASA’s Cassini spacecraft was intentionally plunged into Saturn, ending over a decade’s worth of service.[103]  President Donald Trump also signed Space Policy Directive 1, which instructs NASA to send astronauts back to the moon, which President Trump noted would help establish a foundation for an eventual mission to Mars.[104] In what was widely expected to be a record year for private space launches, SpaceX and other private space companies clearly delivered.  
In 2017, SpaceX, the company founded and run by Elon Musk, flew a record 18 missions utilizing the Falcon 9 rocket.[105]  Blue Origin, the company founded by Jeff Bezos, also made significant progress.  It was able to launch a new version of its New Shepard vehicle on its first flight, which Bezos hopes will lay the foundation for potential crewed missions.[106]  Then, in late December, California startup Made in Space sent a machine designed to make exotic ZBLAN optical fiber to the International Space Station.[107]  Without a doubt, 2017 played witness to many significant milestones in space exploration. Additional milestones have already been surpassed in early 2018.  February 6, 2018 was a historic date for space technology and exploration—SpaceX’s Falcon Heavy had its maiden launch.  The Falcon Heavy can carry payloads larger than any available commercial rocket, and it has the potential to launch payloads outside of Earth’s orbit.  In fact, the Falcon Heavy did just that by launching a Tesla Roadster, driven by “Starman,” into interplanetary space.  Starman will likely continue driving its orbit for millions of years.  It is only a matter of time until Starman is replaced with astronauts and the destination becomes Mars—SpaceX plans to launch such a mission in 2024. B.    Update on Outer Space Treaty and Surrounding Debate The Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies, otherwise known as the Outer Space Treaty, recently celebrated its 50th anniversary.  Signed in 1967 and designed to prevent a new form of colonial competition, the Treaty was lauded for its principal framework on international space law.  Indeed, shortly after the Treaty was entered into force, the United States and the Soviet Union successfully collaborated on many space missions and exercises.[108] The Treaty is not complex.  
Consisting of 17 short articles, the Treaty obligates its signatories to perform space exploration “for the benefit and interest of all countries” and to not “place in orbit around the Earth any objects carrying nuclear weapons or any other kinds of weapons of mass destruction.”[109]  Having been in force for over 50 years, there have recently been discussions regarding whether the Treaty is ripe for an update.  Only as far back as half a decade ago, experts met in Australia to discuss moon-mining of anything from water and fuel to rare minerals in what was then a world’s first “Off-Earth Mining Forum.”[110]  Discussion surrounded the legality of such mining under the Treaty.  Then in 2014, NASA accepted applications from companies that desired to mine rare moon minerals in a program called “Lunar Cargo Transportation and Landing by Soft Touchdown.”[111]  This once again sparked a debate on the legality of such actions, specifically lunar property rights. In 2017, the focus turned toward private and commercial space flight, and spurred conversation as to whether the 50-year-old treaty needed an update.  For one, the Treaty was designed, and has been entirely focused, on only individual countries.  Thus, there is an argument that the Treaty does not apply to private appropriation of celestial territory.  Second, the quaint nature of the Treaty has spawned efforts at tackling the private appropriation issues.  For instance, the United States passed the Space Act of 2015, which provides for private commercial “exploration and exploitation of space resources.”[112]  The Act has incited further debate on the various legal loopholes that inherently afflict the Treaty and its ban on countries owning celestial territory. Meanwhile, the U.S. 
government has continued to find methods of regulation, specifically those involving the FAA and the Federal Communications Commission (“FCC”), among others.[113]  Now, lawmakers are purportedly discussing legislation that would provide a regulatory framework for private commercial space travel to adhere to the Treaty, as there currently does not exist a framework for the U.S. government to oversee the launch of private space stations.[114] Moreover, Senator Ted Cruz (R-TX) has been leading the charge on updating the Treaty to address issues related to modern spaceflight, where private commercial entities are playing an ever-increasing role.[115]  In May, Senator Cruz, the chairman of the Subcommittee on Space, Science, and Competitiveness, convened a hearing to “examine U.S. government obligations under the [Treaty]” and to also “explore the Treaty’s potential impacts on expansion of our nation’s commerce and settlement in space.”[116]  Featuring a panel of legal experts and a panel of commercial space business leaders, the hearing raised a number of different viewpoints with one apparently unifying message: the Treaty should not be amended.  One of the panel members, Peter Marquez, while acknowledging that the Treaty is not perfect, expressed concern that opening up the Treaty to modifications would leave the space industry worse off, and would be a detriment to national and international security.[117] One area of particular interest was Article VI of the Treaty, which provides that nations authorize and supervise space activities performed by non-governmental entities, such as a private commercial space company.  The CEO of Moon Express, Bob Richards, noted that while the Treaty should remain unchanged, the U.S. should adopt a streamlined regulatory procedure and process to make approvals for space activities more efficient and clear.[118]  One of the legal experts sitting on the panel, Laura Montgomery, expressed her belief that the U.S. 
need not further regulate new commercial space because a close reading of the Treaty would indicate that mining and other similar activities do not require such governmental approvals.[119] While the ultimate general consensus appeared to be that no change to the Treaty was necessary to accomplish the goals of private commercial space enterprises, the hearing did bring to light the issues that currently confront modern space protocols. C.    The American Space Commerce Free Enterprise Act of 2017, Which Seeks to Overhaul U.S. Commercial Space Licensing Regime, Passes Committee but Stalls in House On June 7, 2017, House members led by Rep. Lamar Smith (R-TX), Chairman of the U.S. House Science, Space, and Technology Committee, introduced H.R. 2809—the American Space, Commerce, and Free Enterprise Act of 2017 (“ASCFEA”).[120]  The bill, if adopted, would amend Title 51 of the United States Code to liberalize licensing requirements to conduct a variety of commercial space activities, while consolidating the licensing approval process for such activities under the authority of the U.S. Department of Commerce (“DOC”).[121] The regulation of commercial space activities historically has been distributed among a variety of agencies—with the National Oceanic and Atmospheric Administration (“NOAA”) governing remote sensing, the FCC governing communications satellites,[122] and the FAA/AST regulating launch, reentry, and some other non-traditional activities.[123]  But with that patchwork of authority, proponents of the Act believe there exists a regulatory gap for overseeing and authorizing new and innovative space activities.[124]  A primary goal of the Act is to address this perceived uncertainty, and in so doing, resolve long-standing questions associated with the United States’ responsibility to regulate commercial space activities under the Outer Space Treaty,[125] which the bill’s text references extensively. 
In its current form, the bill would grant the Office of Space Commerce (within the DOC) “the authority to issue certifications to U.S. nationals and nongovernmental entities for the operation of:  (1) specified human-made objects manufactured or assembled in outer space . . . and (2) all items carried on such objects that are intended for use in outer space.”[126]  The bill further eliminates the Commercial Remote Sensing Regulatory Affairs Office of the NOAA, and vests authority to issue permits for remote sensing systems, again, in the DOC.[127]  The bill also creates a certification process for other “commercial payloads not otherwise licensed by the government,” thereby providing fallback legislation for “non-traditional applications like satellite servicing, commercial space stations and lunar landers.”[128]  The DOC hence would occupy all the regulatory authority for commercial space activities, except for the FCC and FAA/AST’s current authority, which those agencies would maintain.[129] The commercial space industry supports the bill, and in particular the bill’s apparent presumption in favor of regulatory approval.[130]  Industry also supports the bill’s overhaul of the regulation of remote sensing—for example, the bill requires the DOC to issue a certification decision within just 60 days (or else the application is granted),[131] provide an explanation for any rejections, and grant every application that seeks authorization for activities involving “the same or substantially similar capabilities, derived data, products, or services are already commercially available or reasonably expected to be made available in the next 3 years in the international or domestic marketplace.”[132] Some opponents of the bill contend that the consolidation of regulatory approval will limit interagency review, which is important because the DoD, State Department, and the intelligence community currently play some regulatory role in the review of aspects of new commercial 
space activities that are perceived to potentially pose a threat to national security.[133]  Others contend that the Office of Space Commerce has inadequate resources and experience to handle the regulatory approvals.  The bill seeks to ameliorate these concerns by authorizing $5 million in funding for the Office in 2018.[134]  The Department of Justice also has voiced some constitutional concerns.[135] The House referred the bill to the House Committee on Science, Space, and Technology,[136] which on June 8, 2017 passed three amendments by voice vote.[137]  Since being marked up in committee, the bill has seen no further action by the House.[138]  The DOC currently is seeking public input on possible changes to commercial space operations licensing more broadly.[139] D.    Industry and Government Regulators Call for Changes to NOAA’s Licensing of Remote Sensing Technology ASCFEA’s effort to strip NOAA of its authority to regulate remote sensing technology coincides with a growing number of complaints from the remote sensing industry and government regulators concerning NOAA’s ability to handle an increased number of licensing applications.[140] The Land Remote Sensing Policy Act of 1992 authorized the Secretary of Commerce to “license private sector parties to operate private remote sensing space systems.”[141]  But despite a sea change in remote sensing technology and activities since 1992, that law remains the main source of authority for remote sensing licensing, and Congress has made few modifications to the law since its inception.[142]  Given the speed of technological change, and increased industry competition, remote sensing companies are advocating for NOAA to adopt a “permissive” approach to licensing, akin to the language proposed in the ASCFEA.[143] NOAA’s issues have been exacerbated by the fact that license applications are now more varied and complex than they were previously.[144]   Representatives from NOAA describe how prior to 2011, it took an 
average of 51 days to review license applications, since many applications sought permission for similar concepts for satellite systems.[145]  Even though the Land Remote Sensing Policy Act of 1992 calls for a 120-day approval window, in practice, applications now extend far longer than that—and further, NOAA sometimes provides little to no explanation about why it rejects particular applications.[146]  Under the ASCFEA, the DOC would be required to approve applications using the “same or substantially similar capabilities, derived data, products, or services as are already commercially available or reasonably expected to be made available in the next 3 years in the international or domestic marketplace.”[147] Another complexity is that many companies develop technology that does not solely or traditionally perform remote sensing functions, but has remote sensing capabilities.[148]  The ASCFEA addresses this problem by offering exceptions for “De Minimis” uses of remote sensing technology.[150] E.    
Commercial Space Policy in the Trump Era On December 11, 2017, President Trump signed White House Space Policy Directive 1, entitled “Reinvigorating America’s Human Space Exploration Program.”[151]  As the subject suggests, the Directive’s goal is to bring a renewed focus on human space flight at a time when the United States lacks an organic capability to send American astronauts into low-Earth orbit, let alone beyond.[152]  Fittingly, President Trump signed the directive on the forty-fifth anniversary of the lunar landing of Apollo 17, with Apollo 17 astronaut Senator Harrison Schmitt present at the ceremony.[153] According to the Directive, the United States will “[l]ead an innovative and sustainable program of exploration with commercial and international partners to enable human expansion across the solar system….”[154]  The directive calls for missions beyond low-Earth orbit, with the United States “lead[ing] the return of humans to the Moon for long-term exploration and utilization, followed by human missions to Mars and other destinations.”[155] NASA is already working with several commercial entities to develop transportation to and from low-Earth orbit, as well as to the International Space Station.[156]  And a call for a return to the moon for use as a stepping-stone to other destinations is not new with President Trump; previous administrations have expressed a similar desire.[157]  What remains to be seen is how this “long-term exploration” will be funded, with a good indicator being what “will be reflected in NASA’s FISCAL Year 2019 budget request.”[158]  Until then, “No bucks, no Buck Rogers.”[159] F.    Updates on Space Law in Luxembourg, India, and Australia Luxembourg Continues its Push for Commercial Space Prominence The small country of Luxembourg, a signatory to the Outer Space Treaty,[160] has major commercial space ambitions.  
In 2016, Luxembourg passed a law to set aside €200 million to fund commercial space mining activities, and also offered to help interested companies obtain private financing.[161]  On July 13, 2017, following the United States’ lead,[162] Luxembourg passed a law that gives qualifying companies the right to own any space resources they extract from celestial bodies including asteroids.[163]  The law further outlines a regulatory framework for “the government to authorize and supervise resource extraction and other space activities,” except for communications satellites, which a different Luxembourg agency regulates.[164]  To qualify for a space mining license, companies must be centrally administered and own a registered office in Luxembourg, and also must obtain regulatory approval.[165]  It is as of now unclear whether the Luxembourg law (as well as the U.S.’s analogous law) violates the Outer Space Treaty, which prohibits companies from claiming territory on celestial bodies, but does not clarify whether that prohibition extends to materials extracted from those celestial bodies.[166] India Unveils Draft of New Commercial Space Law; Sets Satellite Launch Record In November 2017, the India Department of Space released and sought comments for the “Space Activities Act, 2017.”[167]  The stated goal of the bill is to “encourage enhanced participation of non-governmental/private sector agencies in space activities in India.”[168]  The bill as currently drafted vests authority in the Indian Government to formulate a licensing scheme for any and all “Commercial Space Activity,” and states that licenses may be granted if the sought activity does not jeopardize public health or safety, and does not violate India’s international treaty obligations, such as the Outer Space Treaty, to which India is a signatory.[169] India’s space agency also made headlines this year when it sent 104 satellites into space in 18 minutes—purportedly tripling the prior record for single-day 
satellite launches.[170]  The New York Times reports that satellite and other orbital companies closely scrutinized the launch, since India’s space agency is cheaper to employ for satellite launches than its European and North American counterparts.[171] Australia Announced that It Will Create a Space Agency; Details Pending In September 2017, Australia’s Acting Minister for Industry, Innovation and Science announced that Australia will create a national space agency.[172]  While details are still pending, Australia’s goal purportedly is to take advantage of the $300-$400 billion space economy, while creating Australian jobs in the process.[173] IV.    CYBERSECURITY AND PRIVACY ISSUES IN THE NATIONAL AIRSPACE A.    Cybersecurity Issues The Federal Aviation Administration (FAA) has lagged behind other sectors in establishing robust cybersecurity and privacy safeguards in the national airspace, although federal policy identifies the transportation sector (which includes the aviation industry) as one of the 16 “critical infrastructure” sectors that have the ability to impact significantly the nation’s security, economy, and public health and safety.[174]  The need for the FAA to establish robust safeguards is obvious, as the catastrophic impact of a cyber attack on the national airspace is not hard to imagine post-9/11.  Recently, one hacker claimed he compromised the cabin-based in-flight entertainment system to control a commercial airline engine in flight. One development of note is the reintroduction of the Cybersecurity Standards for Aircraft to Improve Resilience Act of 2017 by U.S. Senators Edward Markey and Richard Blumenthal.[175] Senator Markey first introduced legislation aimed at improving aircraft cyber security protection in April 2016, following a 2015 survey of U.S. airline CEOs to discover standard cybersecurity protocols used by the aviation industry.  If signed into law, the bill would require the U.S. 
Department of Transportation to work with DoD, Homeland Security, the Director of National Intelligence, and the FCC to incorporate requirements relating to cybersecurity into the requirements for certification.  Additionally, the bill would establish standard protections for all “entry points” to the electronic systems of aircraft operating in the U.S.  This would include the use of isolation measures to separate critical software systems from noncritical software systems. B.    UAS Privacy Concerns UAS are equipped with highly sophisticated surveillance technology with the ability to collect personal information, including physical location.  Senator Ayotte, Chair of the Subcommittee on Aviation Operations, Safety, and Security, summarized the privacy concerns drones pose as follows: “Unlimited surveillance by government or private actors is not something that our society is ready or willing or should accept.  Because [drones] can significantly lower the threshold for observation, the risk of abuse and the risk of abusive surveillance increases.”  We describe below several recent federal and state efforts to address this issue. 1.    State Legislation Addressing Privacy Concerns At least five out of the twenty-one states that either passed legislation or adopted resolutions related to UAS in 2017 specifically addressed privacy concerns.[176] Colorado HB 1070 requires the center of excellence within the department of public safety to perform a study that identifies ways to integrate UAS within local and state government functions relating to firefighting, search and rescue, accident reconstruction, crime scene documentation, emergency management, and emergencies involving significant property loss, injury or death.  The study must consider privacy concerns, in addition to costs and timeliness of deployment, for each of these uses. 
New Jersey SB 3370 allows UAS operation that is consistent with federal law, but also creates criminal offenses for certain UAS surveillance and privacy violations.  For example, using a UAS to conduct surveillance of a correction facility is a third degree crime.  Additionally, the law also applies the operation of UAS to limitations within restraining orders and specifies that convictions under the law are separate from other convictions such as harassment, stalking, and invasion of privacy. South Dakota SB 22 also prohibits operation of drones over the grounds of correctional and military facilities, making such operation a class 1 misdemeanor.  Further, the law modifies the crime of unlawful surveillance to include intentional use of a drone to observe, photograph or record someone in a private place with a reasonable expectation of privacy, and landing a drone on the property of an individual without that person’s consent.  Such purportedly unlawful surveillance is a class 1 misdemeanor unless the individual is operating the drone for commercial or agricultural purposes, or the individual is acting within his or her capacity as an emergency management worker. Utah HB 217 modifies criminal trespass to include drones entering and remaining unlawfully over property with specified intent.  Depending on the intent, a violation is either a class B misdemeanor, a class A misdemeanor, or an infraction, unless the person is operating a UAS for legitimate commercial or educational purposes consistent with FAA regulations.  Utah HB 217 also modifies the offense of voyeurism, a class B misdemeanor, to include the use of any type of technology, including UAS, to secretly record video of a person in certain instances. Virginia HB 2350 makes it a Class 1 misdemeanor to use UAS to trespass upon the property of another for the purpose of secretly or furtively peeping, spying, or attempting to peep or spy into a dwelling or occupied building located on such property. 2.    
UAS Identification and Tracking Report The FAA chartered an Aviation Rulemaking Committee (“ARC”) in June 2017 to provide recommendations on the technologies available for remote identification and tracking of UAS, and how remote identification may be implemented.[177]  However, the ARC’s 213-page final report, dated September 30, 2017, notes that the ARC lacked sufficient time to fully address privacy and data protection concerns, and that therefore those topics were not addressed: [T]he ARC also lacks sufficient time to perform an exhaustive analysis of all the privacy implications of remote ID, tracking, or UTM, and did not specifically engage with privacy experts, from industry or otherwise, during this ARC.  These members agree, however, that it is fundamentally important that privacy be fully considered and that appropriate privacy protections are in place before data collection and sharing by any party (either through remote ID and/or UTM) is required for operations.  A non-exhaustive list of important privacy considerations include, amongst other issues, any data collection, retention, sharing, use and access.  Privacy must be considered with regard to both PII and historical tracking information.  The privacy of all individuals (including operators and customers) should be addressed, and privacy should be a consideration during the rulemaking for remote ID and tracking. Accordingly, the ARC recognizes the fundamental importance of fully addressing privacy and data protection concerns, and we anticipate that future rulemaking will address these issues. IV.    CONCLUSION We will continue to keep you informed on these and other related issues as they develop. [1] See Huerta, No. 3:16-cv-358, Dkt. No. 30. [2] Id. [3] Id. [4] See Boggs, No. 3:16-cv-00006, Dkt. No. 1 (W.D. Ky. Jan. 4, 2016). [5] See id. [6] See Boggs, No. 3:16-cv-00006, Dkt. No. 20 (W.D. Ky. Jan. 4, 2016). [7] See id. [8] See Singer, No. 1:17-cv-10071, Dkt. No. 63 (D. Mass. Jan. 17, 2017). 
[9] See id. [10] See id. [11] See id. [12] See id. [13] See Taylor v. Huerta, 856 F.3d 1089 (D.C. Cir. 2017). [14] See Pub. L. No. 112–95, § 336(a), 126 Stat. 11, 77 (2012) (codified at 49 U.S.C. § 40101 note). [15] See Taylor, 856 F.3d at 1090. [16] See Pub. L. No. 115–91, § 3 1092(d), (2017). [17] The White House, Office of the Press Secretary, Presidential Memorandum:  Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems, Feb. 15, 2015, available at https://obamawhitehouse.archives.gov/the-press-office/2015/02/15/presidential-memorandum-promoting-economic-competitiveness-while-safegua. [18] Operation and Certification of Small Unmanned Aircraft Systems, 81 Fed. Reg. 42064 (June 28, 2016). [19] Electronic Privacy Information Center (“EPIC”), EPIC v. FAA: Challenging the FAA’s Failure to Establish Drone Privacy Rules, https://epic.org/privacy/litigation/apa/faa/drones/ (last visited Jan. 18, 2018). [20] See generally Electronic Privacy Information Center v. FAA (EPIC I), 821 F.3d 39, 41-42 (D.C. Cir. 2016) (noting that FAA denied EPIC’s petition for rulemaking requesting that the FAA consider privacy concerns). [21] Voluntary Best Practices for UAS Privacy, Transparency, and Accountability, NTIA-Convened Multistakeholder Process (May 18, 2016), https://www.ntia.doc.gov/files/ntia/publications/uas_privacy_best_practices_6-21-16.pdf. [22] EPIC, supra, note xix. [23] EPIC I, supra, note xx, at 41. [24] Id. 41-42. [25] Id. [26] Id. [27] Id. at 42-43. [28] Id. at 42. [29] Id. at 43. [30] Pet. For Review, Electronic Privacy Information Center v. FAA (EPIC II), Nos. 16-1297, 16-1302 (Filed Aug. 22, 2016), https://epic.org/privacy/litigation/apa/faa/drones/EPIC-Petition-08222016.pdf. [31] Appellant Opening Br., EPIC II, Nos. 16-1297, 16-1302 (Filed Feb. 28, 2017), https://epic.org/privacy/litigation/apa/faa/drones/1663292-EPIC-Brief.pdf. [32] Appellee Reply Br., EPIC II, Nos. 
16-1297, 16-1302 (Filed April 27, 2017), https://epic.org/privacy/litigation/apa/faa/drones/1673002-FAA-Reply-Brief.pdf. [33] United States Court of Appeals District of Columbia Circuit, Oral Argument Calendar, https://www.cadc.uscourts.gov/internet/sixtyday.nsf/fullcalendar?OpenView&count=1000 (last visited Jan. 18, 2018). [34] United States Department of Defense, Unmanned Systems Integrated Roadmap (2013), https://www.defense.gov/Portals/1/Documents/pubs/DOD-USRM-2013.pdf. [35] Andrew Meola, Drone Marker Shows Positive Outlook with Strong Industry Growth and Trends, Business Insider, July 13, 2017, available at http://www.businessinsider.com/drone-industry-analysis-market-trends-growth-forecasts-2017-7. [36] Office of the Under Secretary of Defense, U.S. Department of Defense Fiscal Year 2017 Budget Request (Feb. 2016). [37] Office of the Under Secretary of Defense, U.S. Department of Defense Fiscal Year 2018 Budget Request (May 2017). [38] Goldman Sachs, Drones: Reporting for Work, http://www.goldmansachs.com/our-thinking/technology-driving-innovation/drones/ (last visited Jan. 18, 2017). [39] Id. [40] Chris Woods, The Story of America’s Very First Drone Strike, The Atlantic, May 30, 2016, available at https://www.theatlantic.com/international/archive/2015/05/america-first-drone-strike-afghanistan/394463/. [41] Deputy Secretary of Defense, Policy Memorandum 15-002, “Guidance for the Domestic Use of Unmanned Aircraft Systems” (Feb. 17, 2015), https://www.defense.gov/Portals/1/Documents/Policy%20Memorandum%2015-002%20_Guidance%20for%20the%20Domestic%20Use%20of%20Unmanned%20Aircraft%20Systems_.pdf. [42] Id. [43] Id. [44] Id. [45] Id. [47] Id. [48] Eric Schmitt, Pentagon Tests Lasers and Nets to Combat Vexing Foe: ISIS Drones, N.Y. Times, Sept. 23, 2017, available at https://www.nytimes.com/2017/09/23/world/middleeast/isis-drones-pentagon-experiments.html. [49] Id. 
[50] Christopher Woody, The Pentagon is Getting Better at Stopping Enemy Drones—and Testing Its Own for Delivering Gear to the Battlefield, Business Insider, Apr. 24, 2017, available at https://www.businessinsider.com/military-adding-drones-and-drone-defense-to-its-arensal-2017-4. [51] Id. [52] Radio Hill Technology, Birth of the Dronebuster, http://www.radiohill.com/product/ (last visited Jan. 18, 2018). [53] Id. [54] Kyle Mizokami, The Army’s Drone-Killing Lasers are Getting a Tenfold Power Boost, Popular Mechanics, July 18, 2017, available at http://www.popularmechanics.com/military/research/news/a27381/us-army-drone-killing-laser-power/. [55] Sydney J. Freedberg Jr., Drone Killing Laser Stars in Army Field Test, Breaking Defense, May 11, 2017, available at https://breakingdefense.com/2017/05/drone-killing-laser-stars-in-army-field-test/. [56] Mizokami, supra, note lv. [57] ASSURE, UAS Ground Collision Severity Evaluation Final Report, United States (2017), available at http://www.assureuas.org/projects/deliverables/sUASGroundCollisionReport.php?Code=230 (ASSURE Study). [58] Id. [59] Id. [60] Id. [61] DJI, DJI Welcomes FAA-Commissioned Report Analyzing Drone Safety Near People, Newsroom News, Apr. 28, 2017, available at https://www.dji.com/newsroom/news/dji-welcomes-faa-commissioned-report-analyzing-drone-safety-near-people. [62] Id. [63] Id. [64] ASSURE Study, supra note lviii. [65] Id. [66] Id. [67] Id. [68] Id. [69] ASSURE, FAA and Assure Announce Results of Air-to-Air Collision Study, ASSURE: Alliance for System Safety of UAS through Research Excellence, Nov. 27, 2017, available at https://pr.cirlot.com/faa-and-assure-announce-results-of-air-to-air-collision-study/. [70] Id. [71] ASSURE Study, supra note lviii. [72] Id. [73] Id. [74] Id. [75] See Pathiyil, et al., Issues of Safety and Risk management for Unmanned Aircraft Operations in Urban Airspace, 2017 Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), Oct. 
3, 2017, available at http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8101671. [76] Id. [77] Id. [78] Id. [79] Id. [80] Patrick C. Miller, 2,800 Interested Parties Apply for UAS Integration Pilot Program, UAS Magazine, Jan. 3, 2018, available at http://www.uasmagazine.com/articles/1801/2-800-interested-parties-apply-for-uas-integration-pilot-program. [81] Unmanned Aircraft Systems Integration Pilot Program, 82 Fed. Reg. 50,301 (Oct. 25, 2017) (Presidential directive creating the program); see also Unmanned Aircraft Systems Integration Pilot Program—Announcement of Establishment of Program and Request for Applications, 82 Fed. Reg. 215 (Nov. 8, 2017) (Department of Transportation Notice of the UAS Pilot Program). [82] See id. [83] See id. [84] Elaine Goodman, Blood Deliveries by Drone Proposed—City Submits Unique Ideas to FAA, Daily Post, Jan. 5, 2018, available at http://padailypost.com/2018/01/05/blood-deliveries-by-drone-proposed-city-submits-unique-ideas-to-faa/. [85] Id. [86] Id. [87] Id. [88] Id. [89] Miller, supra note lxxxi. [90] Id. [91] Id. [92] Id. [93] Id. [101]   NASA Spaceflight, India’s PSLV deploys a record 104 satellites (Feb. 14, 2017), available at https://www.nasaspaceflight.com/2017/02/indias-pslv-record-104-satellites/. [102]   NASA, NASA’s Newest Astronaut Recruits to Conduct Research off the Earth, For the Earth and Deep Space Missions (June 7, 2017), available at https://www.nasa.gov/press-release/nasa-s-newest-astronaut-recruits-to-conduct-research-off-the-earth-for-the-earth-and. [103]   NASA, Cassini Spacecraft Ends Its Historic Exploration of Saturn (Sept. 15, 2017), available at https://www.nasa.gov/press-release/nasa-s-cassini-spacecraft-ends-its-historic-exploration-of-saturn. [104]   NASA, New Space Policy Directive Calls for Human Expansion Across Solar System (Dec. 11, 2017), available at https://www.nasa.gov/press-release/new-space-policy-directive-calls-for-human-expansion-across-solar-system. 
[105]   TechCrunch, SpaceX caps a record year with 18th successful launch of 2017 (Dec. 22, 2017), available at https://techcrunch.com/2017/12/22/spacex-caps-a-record-year-with-18th-successful-launch-of-2017/. [106]   The Verge, After a year away from test flights, Blue Origin launches and lands its rocket again (Dec. 12, 2017), available at https://www.theverge.com/2017/12/12/16759934/blue-origin-new-shepard-test-flight-launch-landing. [107]   Space.com, SpaceX Launches (and Lands) Used Rocket on Historic NASA Cargo Mission (Dec. 15, 2017), available at https://www.space.com/39063-spacex-launches-used-rocket-dragon-spacecraft-for-nasa.html. [108]   U.S. Department of State, Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies, available at https://www.state.gov/t/isn/5181.htm#treaty. [109] NTI, Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies (Outer Space Treaty) (Feb. 1, 2017), available at http://www.nti.org/learn/treaties-and-regimes/treaty-principles-governing-activities-states-exploration-and-use-outer-space-including-moon-and-other-celestial-bodies-outer-space-treaty/. [110] PHYS.ORG, Space likely for rare earth search, scientists say (Feb. 20, 2013), available at https://phys.org/news/2013-02-space-rare-earths-scientists.html. [111]   NASA, Lunar CATALYST (Jan. 16, 2014), available at https://www.nasa.gov/content/lunar-catalyst/#.WmLx1qinGHs. [112]   The Conversation, The Outer Space Treaty has been remarkably successful – but is it fit for the modern age? (Jan. 27, 2017), available at http://theconversation.com/the-outer-space-treaty-has-been-remarkably-successful-but-is-it-fit-for-the-modern-age-71381. [113]   The Verge, How an international treaty signed 50 years ago became the backbone for space law (Jan. 
27, 2017), available at https://www.theverge.com/2017/1/27/14398492/outer-space-treaty-50-anniversary-exploration-guidelines. [114]   Id. [115]   The Space Review, Is it time to update the Outer Space Treaty? (June 5, 2017), available at http://www.thespacereview.com/article/3256/1. [116]   U.S. Senate, Reopening the American Frontier:  Exploring How the Outer Space Treaty Will Impact American Commerce and Settlement in Space (May 23, 2017), available at https://www.commerce.senate.gov/public/index.cfm/hearings?ID=5A91CD95-CDA5-46F2-8E18-2D2DFCAE4355. [117]   The Space Review, supra note cxvi. [118]   Id. [119]   Id. [120] H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809.  The other primary sponsors of the bill are Brian Babin (R-TX), chairman of the space subcommittee; and Rep. Jim Bridenstine (R-OK). [121] Sandy Mazza, Space exploration regulations need overhaul, new report says, Daily Breeze (Dec. 2, 2017), https://www.dailybreeze.com/2017/12/02/space-exploration-regulations-need-overhaul-new-report-says/.  The Act’s stated purpose is to “provide greater transparency, greater efficiency, and less administrative burden for nongovernmental entities of the United States seeking to conduct space activities.”  H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809 (Section 2(c)). [122] Jeff Foust, House bill seeks to streamline oversight of commercial space activities, Space News (June 8, 2017), http://spacenews.com/house-bill-seeks-to-streamline-oversight-of-commercial-space-activities/. [123] Marcia Smith, New Commercial Space Bill Clears House Committee, Space Policy Online (June 8, 2017), https://spacepolicyonline.com/news/new-commercial-space-bill-clears-house-committee/. [124] Under the Obama administration, many in government and industry presumed that the regulation of new space activities would fall to FAA/AST.  
See Marcia Smith, New Commercial Space Bill Clears House Committee, Space Policy Online (June 8, 2017), https://spacepolicyonline.com/news/new-commercial-space-bill-clears-house-committee/ (In fact, the agency heads of the FAA/AST, and the Office of Science and Technology Policy, recommended the same). [125] Marcia Smith, Companies Agree FAA Best Agency to Regulate Non-Traditional Space Activities, Space Policy Online (Nov. 15, 2017), https://spacepolicyonline.com/news/companies-agree-faa-best-agency-to-regulate-non-traditional-space-activities/. [126] H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809. [127] Id. [128] Jeff Foust, House bill seeks to streamline oversight of commercial space activities, Space News (June 8, 2017), http://spacenews.com/house-bill-seeks-to-streamline-oversight-of-commercial-space-activities/. [129] Marcia Smith, New Commercial Space Bill Clears House Committee, Space Policy Online (June 8, 2017), https://spacepolicyonline.com/news/new-commercial-space-bill-clears-house-committee/. [130] Marcia Smith, New Commercial Space Bill Clears House Committee, Space Policy Online (June 8, 2017), https://spacepolicyonline.com/news/new-commercial-space-bill-clears-house-committee/; Marcia Smith, Companies Agree FAA Best Agency to Regulate Non-Traditional Space Activities, Space Policy Online (Nov. 15, 2017), https://spacepolicyonline.com/news/companies-agree-faa-best-agency-to-regulate-non-traditional-space-activities/.  The bill, for example, requires the Secretary of Commerce to issue certifications or permits for commercial space activities, unless, for example, the Secretary finds by “clear and convincing evidence” that the permit would violate the Outer Space Treaty.  Bob Zimmerman, What You Need To Know About The Space Law Congress Is Considering, The Federalist (July 11, 2017), http://thefederalist.com/2017/07/11/need-know-space-law-congress-considering/.  
Indeed, the policy section of the bill finds that “United States citizens and entities are free to explore and use space, including the utilization of outer space and resources contained therein, without conditions or limitations” and “this freedom is only to be limited when necessary to assure United States national security interests are met” or fulfill treaty obligations.  H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809. [131] Jeff Foust, House bill seeks to streamline oversight of commercial space activities, Space News (June 8, 2017), http://spacenews.com/house-bill-seeks-to-streamline-oversight-of-commercial-space-activities/. [132] Joshua Hampson, The American Space Commerce Free Enterprise Act, Niskanen Center (June 15, 2017), https://niskanencenter.org/blog/american-space-commerce-free-enterprise-act/. [133] Jeff Foust, House bill seeks to streamline oversight of commercial space activities, Space News (June 8, 2017), http://spacenews.com/house-bill-seeks-to-streamline-oversight-of-commercial-space-activities/. [134] Jeff Foust, House bill seeks to streamline oversight of commercial space activities, Space News (June 8, 2017), http://spacenews.com/house-bill-seeks-to-streamline-oversight-of-commercial-space-activities/; Congressional Budget Office Cost Estimate, Congressional Budget Office (July 7, 2017), https://www.cbo.gov/system/files/115th-congress-2017-2018/costestimate/hr2809.pdf. [135] Samuel R. Ramer, Letter from the Office of the Assistant Attorney General, Justice Department (July 17, 2017), https://www.justice.gov/ola/page/file/995646/download. [136] H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809/all-actions. [137] Marcia Smith, New Commercial Space Bill Clears House Committee, Space Policy Online (June 8, 2017), https://spacepolicyonline.com/news/new-commercial-space-bill-clears-house-committee/. 
[138] Jeffrey Hill, Congressman Babin Hints that Cybersecurity Could be Included in Larger Commercial Space Legislative Package, Satellite Today (Nov. 7, 2017), http://www.satellitetoday.com/government/2017/11/07/cybersecurity-featured-space-commerce-act/. [139] Commerce Department Now Accepting Public Inputs on Regulatory Streamlining, Space Commerce (Oct. 27, 2017), http://www.space.commerce.gov/commerce-department-now-accepting-public-inputs-on-regulatory-streamlining/; Sandy Mazza, Space exploration regulations need overhaul, new report says, Daily Breeze (Dec. 2, 2017), https://www.dailybreeze.com/2017/12/02/space-exploration-regulations-need-overhaul-new-report-says/. [140] Sean Kelly, The new national security strategy prioritizes space, The Hill (Jan. 3, 2018), http://thehill.com/opinion/national-security/367240-the-new-national-security-strategy-prioritizes-space; Jeff Foust, House panel criticizes commercial remote sensing licensing, Space News (Sept. 8, 2016), http://spacenews.com/house-panel-criticizes-commercial-remote-sensing-licensing/.  Critics argue that the NOAA’s approval pace is harming U.S. companies to the benefit of foreign competitors. Randy Showstack, Remote Sensing Regulations Come Under Congressional Scrutiny, EOS (Sept. 14, 2016), https://eos.org/articles/remote-sensing-regulations-come-under-congressional-scrutiny. [141] H.R. Rep No. 6133 (1992), available at https://www.congress.gov/bill/102nd-congress/house-bill/6133. [142] Randy Showstack, Remote Sensing Regulations Come Under Congressional Scrutiny, EOS (Sept. 14, 2016), https://eos.org/articles/remote-sensing-regulations-come-under-congressional-scrutiny.  Indeed, the Commercial Space Launch Competitiveness Act, signed into law in November 2016, requires the Department of Commerce to analyze possible statutory updates to the remote sensing licensing scheme.  Jeff Foust, House panel criticizes commercial remote sensing licensing, Space News (Sept. 
8, 2016), http://spacenews.com/house-panel-criticizes-commercial-remote-sensing-licensing/.  The text of the ASCFEA also recognizes that since “the passage of the Land Remote Sensing Policy Act of 1992, the National Oceanic and Atmospheric Administration’s Office of Commercial Remote Sensing has experienced a significant increase in applications for private remote sensing space system licenses . . .”  H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809. [143] Joshua Hampson, The American Space Commerce Free Enterprise Act, Niskanen Center (June 15, 2017), https://niskanencenter.org/blog/american-space-commerce-free-enterprise-act/.  The ASCFEA defines a Space-Based Remote Sensing System as “a space object in Earth orbit that is “(A) designed to image the Earth; or (B) capable of imaging a space object in Earth orbit operated by the Federal Government.”  H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809. [144] Jeff Foust, Commercial remote sensing companies seek streamlined regulations, Space News (Mar. 17, 2017), http://spacenews.com/commercial-remote-sensing-companies-seek-streamlined-regulations/. [145] Id. [146] Jeff Foust, House panel criticizes commercial remote sensing licensing, Space News (Sept. 8, 2016), http://spacenews.com/house-panel-criticizes-commercial-remote-sensing-licensing/. [147] H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809 (Chapter 8012 § 80202(e)(1)). [148] Jeff Foust, Commercial remote sensing companies seek streamlined regulations, Space News (Mar. 17, 2017), http://spacenews.com/commercial-remote-sensing-companies-seek-streamlined-regulations/. [150] H.R. Rep No. 2809 (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/2809 (Chapter 802 § 80201(d)). [151] Reinvigorating America’s Human Space Exploration Program, 82 Fed. Reg. 59501 (Dec. 
11, 2017) [152] Nell Greenfieldboyce, President Trump Is Sending NASA Back to the Moon (Dec. 11, 2017) available at https://www.npr.org/sections/thetwo-way/2017/12/11/569936446/president-trump-is-sending-nasa-back-to-the-moon. [153] See Press Release, NASA, New Space Policy Directive Calls for Human Expansion Across Solar System (Dec. 11, 2017); see also NASA, https://www.nasa.gov/mission_pages/apollo/missions/apollo17.html (last visited Jan. 21, 2018). [154] Reinvigorating America’s Human Space Exploration Program, supra note clii. [155] Id. [156] NASA, Commercial Crew Program – The Essentials, available at https://www.nasa.gov/content/commercial-crew-program-the-essentials/#.VjOJ3berRaT. [157] Michael Sheetz, Trump Orders NASA to Send American Astronauts to the Moon, Mars, CNBC (Dec. 11, 2017) available at https://www.cnbc.com/2017/12/11/trump-orders-nasa-to-send-american-astronauts-to-the-moon-mars.html. [158] See New Space Policy Directive Calls for Human Expansion Across Solar System, supra note cv; see also Christian Davenport, Trump Vows Americans Will Return to the Moon.  The Question Is How?, (Dec. 11, 2017) available at https://www.washingtonpost.com/news/the-switch/wp/2017/12/11/trump-vows-americans-will-return-to-the-moon-the-question-is-how/?utm_term=.4ceb20131cdf. [159] The Right Stuff (The Ladd Company 1983). [160] Laurent Thailly and Fiona Schneider, Luxembourg set to become Europe’s commercial space exploration hub with new Space law, Ogier (Jan. 8, 2017), https://www.ogier.com/news/the-luxembourg-space-law. [161] Reuters Staff, Luxembourg sets aside 200 million euros to fund space mining ventures, Reuters (June 3, 2016), https://www.reuters.com/article/us-luxembourg-space-mining/luxembourg-sets-aside-200-million-euros-to-fund-space-mining-ventures-idUSKCN0YP22H; Laurent Thailly and Fiona Schneider, Luxembourg set to become Europe’s commercial space exploration hub with new Space law, Ogier (Jan. 
8, 2017), https://www.ogier.com/news/the-luxembourg-space-law.  Luxembourg invested €23 million in U.S. company Planetary Resources, and now owns a 10% share in the company.  Kenneth Chang, If no one owns the moon, can anyone make money up there?, The Independent (Dec. 4, 2017), http://www.independent.co.uk/news/long_reads/if-no-one-owns-the-moon-can-anyone-make-money-up-there-space-astronomy-a8087126.html. [162] In 2015, the U.S. passed the Commercial Space Launch Competitiveness Act, which clarified that companies that extract materials from celestial bodies can own those materials.  Andrew Silver, Luxembourg passes first EU space mining law. One can possess the Spice, The Register (July 14, 2017), https://www.theregister.co.uk/2017/07/14/luxembourg_passes_space_mining_law/. [163] Jeff Foust, Luxembourg adopts space resources law, Space News (July 17, 2017), http://spacenews.com/luxembourg-adopts-space-resources-law/. [164] Jeff Foust, Luxembourg adopts space resources law, Space News (July 17, 2017), http://spacenews.com/luxembourg-adopts-space-resources-law;  Paul Zenners, Press Release, Space Resources (July 13, 2017), http://www.spaceresources.public.lu/content/dam/spaceresources/press-release/2017/2017_07_13%20PressRelease_Law_Space_Resources_EN.pdf. [165] Laurent Thailly and Fiona Schneider, Luxembourg set to become Europe’s commercial space exploration hub with new Space law, Ogier (Jan. 8, 2017), https://www.ogier.com/news/the-luxembourg-space-law.  Reportedly, two American companies already plan to move to Luxembourg:  Deep Space Industries and Planetary Resources. Vasudevan Mukunth, Fiat Luxembourg: How a Tiny European Nation is Leading the Evolution of Space Law, The Wire (July 15, 2017), https://thewire.in/157687/luxembourg-space-asteroid-mining-dsi/. [166] Andrew Silver, Luxembourg passes first EU space mining law. 
One can possess the Spice, The Register (July 14, 2017), https://www.theregister.co.uk/2017/07/14/luxembourg_passes_space_mining_law/;  Mark Kaufman, Luxembourg’s Asteroid Mining is Legal Says Space Law Expert, inverse.com (Aug. 1, 2017), https://www.inverse.com/article/34935-luxembourg-s-asteroid-mining-is-legal-says-space-law-expert. [167] Antariksh Bhavan, Seeking comments on Draft “Space Activities Bill, 2017” from the stake holders/public-regarding, ISRO (Nov. 21, 2017), https://www.isro.gov.in/update/21-nov-2017/seeking-comments-draft-space-activities-bill-2017-stake-holders-public-regarding;  Special Correspondent, Govt. unveils draft of law to regulate space sector, The Hindu (Nov. 22, 2017), http://www.thehindu.com/sci-tech/science/govt-unveils-draft-of-law-to-regulate-space-sector/article20629386.ece;  Raghu Krishnan & T E Narasimhan, Draft space law gives private firms a grip on rocket, satellite making, Business Standard (Nov. 22, 2017), http://www.business-standard.com/article/economy-policy/draft-space-law-gives-private-firms-a-grip-on-rocket-satellite-making-117112101234_1.html. [168] Antariksh Bhavan, Seeking comments on Draft “Space Activities Bill, 2017” from the stake holders/public-regarding, ISRO (Nov. 21, 2017), https://www.isro.gov.in/update/21-nov-2017/seeking-comments-draft-space-activities-bill-2017-stake-holders-public-regarding. [169] Id. [170] Ellen Barry, India Launches 104 Satellites From a Single Rocket, Ramping Up a Space Race, The New York Times (Feb. 15, 2017), https://www.nytimes.com/2017/02/15/world/asia/india-satellites-rocket.html. [171] Id. [172] Yes, Australia will have a space agency. What does this mean? Experts respond, The Conversation (Sept. 25, 2017), http://theconversation.com/yes-australia-will-have-a-space-agency-what-does-this-mean-experts-respond-84588;  Jordan Chong, Better late than never, Australia heads (back) to space, Australian Aviation (Dec. 
29, 2017), http://australianaviation.com.au/2017/12/better-late-than-never-australia-heads-back-to-space/. [173] Andrew Griffin, Australia launches brand new space agency in attempt to flee the Earth, The Independent (Sept. 25, 2017), http://www.independent.co.uk/news/science/australia-space-agency-nasa-earth-roscosmos-malcolm-turnbull-economy-a7966751.html;  Henry Belot, Australian space agency to employ thousands and tap $420b industry, Government says, ABC (Sept. 25, 2017), http://www.abc.net.au/news/2017-09-25/government-to-establish-national-space-agency/8980268. [174]   White House, Critical Infrastructure Security and Resilience, Presidential Policy Directive/PPD-21 (Feb. 12, 2013). [175]   Woodrow Bellamy III, Senators Reintroduce Aircraft Cyber Security Legislation, Aviation Today (Mar. 24, 2017), http://www.aviationtoday.com/2017/03/24/senators-reintroduce-aircraft-cyber-security-legislation/. [176]   The eighteen states that passed UAS legislation in 2017 were Colorado, Connecticut, Florida, Georgia, Indiana, Kentucky, Louisiana, Minnesota, Montana, Nevada, New Jersey, North Carolina, Oregon, South Dakota, Texas, Utah, Virginia and Wyoming. The three states that passed resolutions related to UAS were Alaska, North Dakota and Utah. [177]   Under Section 2202 of the FAA Extension, Safety, and Security Act of 2016, Pub. L. 114-190, Congress directed the FAA to convene industry stakeholders to facilitate the development of consensus standards for identifying operators and UAS owners.  
The final report identifies the following as the ARC’s stated objectives: The stated objectives of the ARC charter were: to identify, categorize and recommend available and emerging technology for the remote identification and tracking of UAS; to identify the requirements for meeting the security and public safety needs of the law enforcement, homeland defense, and national security communities for the remote identification and tracking of UAS; and to evaluate the feasibility and affordability of available technical solutions, and determine how well those technologies address the needs of the law enforcement and air traffic control communities. The final ARC report is available at: https://www.faa.gov/regulations_policies/rulemaking/committees/documents/media/UAS%20ID%20ARC%20Final%20Report%20with%20Appendices.pdf.

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

October 10, 2018 |
Artificial Intelligence and Autonomous Systems Legal Update (3Q18)

Click for PDF We are pleased to provide the following update on recent legal developments in the areas of artificial intelligence, machine learning, and autonomous systems (or “AI” for short), and their implications for companies developing or using products based on these technologies.  As the spread of AI rapidly increases, legal scrutiny in the U.S. of the potential uses and effects of these technologies (both beneficial and harmful) has also been increasing.  While we have chosen to highlight below several governmental and legislative actions from the past quarter, the area is rapidly evolving and we will continue to monitor further actions in these and related areas to provide future updates of potential interest on a regular basis. I.       Increasing Federal Government Interest in AI Technologies The Trump Administration and Congress have recently taken a number of steps aimed at pushing AI forward on the U.S. agenda, while also treating with caution foreign involvement in U.S.-based AI technologies.  Some of these actions may mean additional hurdles for cross-border transactions involving AI technology.  On the other hand, there may also be opportunities for companies engaged in the pursuit of AI technologies to influence the direction of future legislation at an early stage. A.       White House Studies AI In May, the Trump Administration kicked off what is becoming an active year in AI for the federal government by hosting an “Artificial Intelligence for American Industry” summit as part of its designation of AI as an “Administration R&D priority.”[1] During the summit, the White House also announced the establishment of a “Select Committee on Artificial Intelligence” to advise the President on research and development priorities and explore partnerships within the government and with industry.[2]  This Select Committee is housed within the National Science and Technology Council, and is chaired by Office of Science and Technology Policy leadership. 
Administration officials have said that a focus of the Select Committee will be to look at opportunities for increasing federal funds into AI research in the private sector, to ensure that the U.S. has (or maintains) a technological advantage in AI over other countries.  In addition, the Committee is to look at possible uses of the government’s vast store of taxpayer-funded data to promote the development of advanced AI technologies, without compromising security or individual privacy.  While it is believed that there will be opportunities for private stakeholders to have input into the Select Committee’s deliberations, the inaugural meeting of the Committee, which occurred in late June, was not open to the public for input. B.       AI in the NDAA for 2019 More recently, on August 13th, President Trump signed into law the John S. McCain National Defense Authorization Act (NDAA) for 2019,[3] which specifically authorizes the Department of Defense to appoint a senior official to coordinate activities relating to the development of AI technologies for the military, as well as to create a strategic plan for incorporating a number of AI technologies into its defense arsenal.  In addition, the NDAA includes the Foreign Investment Risk Review Modernization Act (FIRRMA)[4] and the Export Control Reform Act (ECRA),[5] both of which require the government to scrutinize cross-border transactions involving certain new technologies, likely including AI-related technologies. FIRRMA modifies the review process currently used by the Committee on Foreign Investment in the United States (CFIUS), an interagency committee that reviews the national security implications of investments by foreign entities in the United States.  
With FIRRMA’s enactment, the scope of the transactions that CFIUS can review is expanded to include those involving “emerging and foundational technologies,” defined as those that are critical for maintaining the national security technological advantage of the United States. While the changes to the CFIUS process are still fresh and untested, increased scrutiny under FIRRMA will likely have an impact on available foreign investment in the development and use of AI, at least where the AI technology involved is deemed such a critical technology and is sought to be purchased or licensed by foreign investors.

Similarly, ECRA requires the President to establish an interagency review process with various agencies including the Departments of Defense, Energy, State and the head of other agencies “as appropriate,” to identify emerging and foundational technologies essential to national security in order to impose appropriate export controls. Export licenses are to be denied if the proposed export would have a “significant negative impact” on the U.S. defense industrial base. The terms “emerging and foundational technologies” are not expressly defined, but it is likely that AI technologies, which are of course “emerging,” would receive a close look under ECRA and that ECRA might also curtail whether certain AI technologies can be sold or licensed to foreign entities.

The NDAA also established a National Security Commission on Artificial Intelligence “to review advances in artificial intelligence, related machine learning developments, and associated technologies.” The Commission, made up of certain senior members of Congress as well as the Secretaries of Defense and Commerce, will function independently from other such panels established by the Trump Administration and will review developments in AI along with assessing risks related to AI and related technologies to consider how those methods relate to the national security and defense needs of the United States.
The Commission will focus on technologies that provide the U.S. with a competitive AI advantage, and will look at the need for AI research and investment as well as consider the legal and ethical risks associated with the use of AI. Members are to be appointed within 90 days of the Commission being established and an initial report to the President and Congress is to be submitted by early February 2019.

C. Additional Congressional Interest in AI/Automation

While a number of existing bills with potential impacts on the development of AI technologies remain stalled in Congress,[6] two more recently-introduced pieces of legislation are also worth monitoring as they progress through the legislative process.

In late June, Senator Feinstein (D-CA) sponsored the “Bot Disclosure and Accountability Act of 2018,” which is intended to address some of the concerns over the use of automated systems for distributing content through social media.[7] As introduced, the bill seeks to prohibit certain types of bot or other automated activity directed to political advertising, at least where such automated activity appears to impersonate human activity. The bill would also require the Federal Trade Commission to establish and enforce regulations to require public disclosure of the use of bots, defined as any “automated software program or process intended to impersonate or replicate human activity online.” The bill provides that any such regulations are to be aimed at the “social media provider,” and would place the burden of compliance on such providers of social media websites and other outlets. Specifically, the FTC is to promulgate regulations requiring the provider to take steps to ensure that any users of a social media website owned or operated by the provider would receive “clear and conspicuous notice” of the use of bots and similar automated systems.
FTC regulations would also require social media providers to police their systems, removing non-compliant postings and/or taking other actions (including suspension or removal) against users that violate such regulations. While there are significant differences, the Feinstein bill is nevertheless similar in many ways to California’s recently-enacted Bot disclosure law (S.B. 1001), discussed more fully in our previous client alert located here.[8]

Also of note, on September 26th, a bipartisan group of Senators introduced the “Artificial Intelligence in Government Act,” which seeks to provide the federal government with additional resources to incorporate AI technologies in the government’s operations.[9] As written, this new bill would require the General Services Administration to bring on technical experts to advise other government agencies, conduct research into future federal AI policy, and promote inter-agency cooperation with regard to AI technologies. The bill would also create yet another federal advisory board to advise government agencies on AI policy opportunities and concerns. In addition, the newly-introduced legislation seeks to require the Office of Management and Budget to identify ways for the federal government to invest in and utilize AI technologies and tasks the Office of Personnel Management with anticipating and providing training for the skills and competencies the government requires going forward for incorporating AI into its overall data strategy.

II. Potential Impact on AI Technology of Recent California Privacy Legislation

Interestingly, in the related area of data privacy regulation, the federal government has been slower to respond, and it is the state legislatures that are leading the charge.[10] Most machine learning algorithms depend on the availability of large data sets for purposes of training, testing, and refinement. Typically, the larger and more complete the datasets available, the better.
However, these datasets often include highly personal information about consumers, patients, or others of interest—data that can sometimes be used to predict information specific to a particular person even if attempts are made to keep the source of such data anonymous.

The European Union’s General Data Protection Regulation, or GDPR, which went into force on May 25, 2018, has deservedly garnered a great deal of press as one of the first, most comprehensive collections of data privacy protections. While we’re only months into its effective period, the full impact and enforcement of the GDPR’s provisions have yet to be felt. Still, many U.S. companies, forced to take steps to comply with the provisions of GDPR at least with regard to EU citizens, have opted to take many of those same steps here in the U.S., despite the fact that no direct U.S. federal analogue to the GDPR yet exists.[11]

Rather than wait for the federal government to act, several states have opted to follow the lead of the GDPR and enact their own versions of comprehensive data privacy laws. Perhaps the most significant of these state-legislated omnibus privacy laws is the California Consumer Privacy Act (“CCPA”), signed into law on June 28, 2018, and slated to take effect on January 1, 2020.[12] The CCPA is not identical to the GDPR, differing in a number of key respects. However, there are many similarities, in that the CCPA also has broad definitions of personal information/data, and seeks to provide a right to notice of data collection, a right of access to and correction of collected data, a right to be forgotten, and a right to data portability. But how do the CCPA’s requirements differ from the GDPR for companies engaged in the development and use of AI technologies? While there are many issues to consider, below we examine several of the key differences of the CCPA and their impact on machine learning and other AI-based processing of collected data.

A. Inferences Drawn from Personal Information

The GDPR defines personal data as “any information relating to an identified or identifiable natural person,” such as “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”[13] Under the GDPR, personal data has implications in the AI space beyond just the data that is actually collected from an individual. AI technology can be and often is used to generate additional information about a person from collected data, e.g., spending habits, facial features, risk of disease, or other inferences that can be made from the collected data. Such inferences, or derivative data, may well constitute “personal data” under a broad view of the GDPR, although there is no specific mention of derivative data in the definition.

By contrast, the CCPA goes farther and specifically includes “inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.”[14] An “inference” is defined as “the derivation of information, data, assumptions, or conclusions from evidence, or another source of information or data.”[15]

Arguably the primary purpose of many AI systems is to draw inferences from a user’s information, by mining data, looking for patterns, and generating analysis. Although the CCPA does limit inferences to those drawn “to create a profile about a consumer,” the term “profile” is not defined in the CCPA. However, the use of consumer information that is “deidentified” or “aggregated” is permitted by the CCPA. Thus, one possible solution may be to take steps to “anonymize” any personal data used to derive any inferences.
As a result, when looking to CCPA compliance, companies may want to carefully consider the derivative/processed data that they are storing about a user, and consider additional steps that may be required for CCPA compliance.

B. Identifying Categories of Personal Information

The CCPA also requires disclosures of the categories of personal information being collected, the categories of sources from which personal information is collected, the purpose for collecting and selling personal information, and the categories of third parties with whom the business shares personal information.[16] Although these categories are likely known and definable for static data collection, it may be more difficult to specifically disclose the purpose and categories for certain information when dynamic machine learning algorithms are used. This is particularly true when, as discussed above, inferences about a user are included as personal information. In order to meet these disclosure requirements, companies may need to carefully consider how they will define all of the categories of personal information collected or the purposes of use of that information, particularly when machine learning algorithms are used to generate additional inferences from, or derivatives of, personal data.

C. Personal Data Includes Households

The CCPA’s definition of “personal data” also includes information pertaining to non-individuals, such as “households” – a term that the CCPA does not further define.[17] In the absence of an explicit definition, the term “household” would seem to target information collected about a home and its inhabitants through smart home devices, such as thermostats, cameras, lights, TVs, and so on. When looking to the types of personal data being collected, the CCPA may also encompass information about each of these smart home devices, such as name, location, usage, and special instructions (e.g., temperature controls, light timers, and motion sensing).
Furthermore, any inferences or derivative information generated by AI algorithms from the information collected from these smart home devices may also be covered as personal information. Arguably, this could include information such as conversations with voice assistants or even information about when people are likely to be home determined via cameras or motion sensors. Companies developing smart home, or other Internet of Things, devices thus should carefully consider whether the scope and use they make of any information collected from “households” falls under the CCPA requirements for disclosure or other restrictions.

III. Continuing Efforts to Regulate Autonomous Vehicles

Much like the potential for a comprehensive U.S. data privacy law, and despite a flurry of legislative activity in Congress in 2017 and early 2018 towards such a national regulatory framework, autonomous vehicles continue to operate under a complex patchwork of state and local rules with limited federal oversight. We previously provided an update (located here)[18] discussing the Safely Ensuring Lives Future Deployment and Research In Vehicle Evolution (SELF DRIVE) Act,[19] which passed the U.S. House of Representatives by voice vote in September 2017 and its companion bill (the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (AV START) Act).[20] Both bills have since stalled in the Senate, and with them the anticipated implementation of a uniform regulatory framework for the development, testing and deployment of autonomous vehicles.

As the two bills languish in Congress, ‘chaperoned’ autonomous vehicles have already begun coexisting on roads alongside human drivers.
The accelerating pace of policy proposals—and debate surrounding them—looks set to continue in late 2018 as virtually every major automaker is placing more autonomous vehicles on the road for testing and some manufacturers prepare to launch commercial services such as self-driving taxi ride-shares[21] into a national regulatory vacuum.

A. “Light-touch” Regulation

The delineation of federal and state regulatory authority has emerged as a key issue because autonomous vehicles do not fit neatly into the existing regulatory structure. One of the key aspects of the proposed federal legislation is that it empowers the National Highway Traffic Safety Administration (NHTSA) with the oversight of manufacturers of self-driving cars through enactment of future rules and regulations that will set the standards for safety and govern areas of privacy and cybersecurity relating to such vehicles. The intention is to have a single body (the NHTSA) develop a consistent set of rules and regulations for manufacturers, rather than continuing to allow the states to adopt a web of potentially widely differing rules and regulations that may ultimately inhibit development and deployment of autonomous vehicles. This approach was echoed by safety guidelines released by the Department of Transportation (DoT) for autonomous vehicles. Through the guidelines (“a nonregulatory approach to automated vehicle technology safety”),[22] the DoT avoids any compliance requirement or enforcement mechanism, at least for the time being, as the scope of the guidance is expressly to support the industry as it develops best practices in the design, development, testing, and deployment of automated vehicle technologies.
Under the proposed federal legislation, the states can still regulate autonomous vehicles, but the guidance encourages states not to pass laws that would “place unnecessary burdens on competition and innovation by limiting [autonomous vehicle] testing or deployment to motor vehicle manufacturers only.”[23] The third iteration of the DoT’s federal guidance, published on October 4, 2018, builds upon—but does not replace—the existing guidance, and reiterates that the federal government is placing the onus for safety on companies developing the technologies rather than on government regulation.[24] The guidelines, which now include buses, transit and trucks in addition to cars, remain voluntary.

B. Safety

Much of the delay in enacting a regulatory framework is a result of policymakers’ struggle to balance the industry’s desire to speed both the development and deployment of autonomous vehicle technologies with the safety and security concerns of consumer advocates.

The AV START bill requires that NHTSA must construct comprehensive safety regulations for AVs with a mandated, accelerated timeline for rulemaking, and the bill puts in place an interim regulatory framework that requires manufacturers to submit a Safety Evaluation Report addressing a range of key areas at least 90 days before testing, selling, or commercialization of any driverless cars.
But some lawmakers and consumer advocates remain skeptical in the wake of highly publicized setbacks in autonomous vehicle testing.[25] Although the National Safety Transportation Board (NSTB) has authority to investigate auto accidents, there is still no federal regulatory framework governing liability for individuals and states.[26] There are also ongoing concerns over cybersecurity risks,[27] the use of forced arbitration clauses by autonomous vehicle manufacturers,[28] and miscellaneous engineering problems that revolve around the way in which autonomous vehicles interact with obstacles commonly faced by human drivers, such as emergency vehicles,[29] graffiti on road signs or even raindrops and tree shadows.[30]

In August 2018, the Governors Highway Safety Association (GHSA) published a report outlining the key questions that manufacturers should urgently address.[31] The report suggested that states seek to encourage “responsible” autonomous car testing and deployment while protecting public safety and that lawmakers “review all traffic laws.” The report also notes that public debate often blurs the boundaries between the different levels of automation the NHTSA has defined (ranging from level 0 (no automation) to level 5 (fully self-driving without the need for human occupants)), remarking that “most AVs for the foreseeable future will be Levels 2 through 4. Perhaps they should be called ‘occasionally self-driving.’”[32]

C. State Laws

Currently, 21 states and the District of Columbia have passed laws regulating the deployment and testing of self-driving cars, and governors in 10 states have issued executive orders related to them.[33] For example, California expanded its testing rules in April 2018 to allow for remote monitoring instead of a safety driver inside the vehicle.[34] However, state laws differ on basic terminology, such as the definition of “vehicle operator.” Tennessee SB 151[35] points to the autonomous driving system (ADS) while Texas SB 2205[36] designates a “natural person” riding in the vehicle. Meanwhile, Georgia SB 219[37] identifies the operator as the person who causes the ADS to engage, which might happen remotely in a vehicle fleet.

These distinctions will affect how states license both human drivers and autonomous vehicles going forward. Companies operating in this space accordingly need to stay abreast of legal developments in states in which they are developing or testing autonomous vehicles, while understanding that any new federal regulations may ultimately preempt those states’ authorities to determine, for example, crash protocols or how they handle their passengers’ data.

D. ‘Rest of the World’

While the U.S. was the first country to legislate for the testing of automated vehicles on public roads, the absence of a national regulatory framework risks impeding innovation and development. In the meantime, other countries are vying for pole position among manufacturers looking to test vehicles on roads.[38] KPMG’s 2018 Autonomous Vehicles Readiness Index ranks 20 countries’ preparedness for an autonomous vehicle future. The Netherlands took the top spot, outperforming the U.S. (3rd) and China (16th).[39] Japan and Australia plan to have self-driving cars on public roads by 2020.[40] The U.K. government has announced that it expects to see fully autonomous vehicles on U.K.
roads by 2021, and is introducing legislation—the Automated and Electric Vehicles Act 2018—which installs an insurance framework addressing product liability issues arising out of accidents involving autonomous cars, including those wholly caused by an autonomous vehicle “when driving itself.”[41]

E. Looking Ahead

While autonomous vehicles operating on public roads are likely to remain subject to both federal and state regulation, the federal government is facing increasing pressure to adopt a federal regulatory scheme for autonomous vehicles in 2018.[42] Almost exactly one year after the House passed the SELF DRIVE Act, House Energy and Commerce Committee leaders called on the Senate to advance automated vehicle legislation, stating that “[a]fter a year of delays, forcing automakers and innovators to develop in a state-by-state patchwork of rules, the Senate must act to support this critical safety innovation and secure America’s place as a global leader in technology.”[43] The continued absence of federal regulation renders the DoT’s informal guidance increasingly important. The DoT has indicated that it will enact “flexible and technology-neutral” policies—rather than prescriptive performance-based standards—to encourage regulatory harmony and consistency as well as competition and innovation.[44] Companies searching for more tangible guidance on safety standards at federal level may find it useful to review the recent guidance issued alongside the DoT’s announcement that it is developing (and seeking public input into) a pilot program for ‘highly or fully’ autonomous vehicles on U.S. roads.[45] The safety standards being considered include technology disabling the vehicle if a sensor fails or barring vehicles from traveling above safe speeds, as well as a requirement that NHTSA be notified of any accident within 24 hours.
[1] See https://www.whitehouse.gov/wp-content/uploads/2018/05/Summary-Report-of-White-House-AI-Summit.pdf; note also that the Trump Administration’s efforts in studying AI technologies follow, but appear largely separate from, several workshops on AI held by the Obama Administration in 2016, which resulted in two reports issued in late 2016 (see Preparing for the Future of Artificial Intelligence, and Artificial Intelligence, Automation, and the Economy).
[2] Id. at Appendix A.
[3] See https://www.mccain.senate.gov/public/index.cfm/2018/8/senate-passes-the-john-s-mccain-national-defense-authorization-act-for-fiscal-year-2019. The full text of the NDAA is available at https://www.congress.gov/bill/115th-congress/house-bill/5515/text. For additional information on CFIUS reform implemented by the NDAA, please see Gibson Dunn’s previous client update at https://www.gibsondunn.com/cfius-reform-our-analysis/.
[4] See id.; see also https://www.treasury.gov/resource-center/international/Documents/FIRRMA-FAQs.pdf.
[5] See https://foreignaffairs.house.gov/wp-content/uploads/2018/02/HR-5040-Section-by-Section.pdf.
[6] See, e.g. infra., Section III discussion of SELF DRIVE and AV START Acts, among others.
[7] S.3127, 115th Congress (2018).
[8] https://www.gibsondunn.com/new-california-security-of-connected-devices-law-and-ccpa-amendments/.
[9] S.3502, 115th Congress (2018).
[10] See also, infra., Section III for more discussion of specific regulatory efforts for autonomous vehicles.
[11] However, as 2018 has already seen a fair number of hearings before Congress relating to digital data privacy issues, including appearances by key executives from many major tech companies, it seems likely that it may not be long before we see the introduction of a “GDPR-like” comprehensive data privacy bill. Whether any resulting federal legislation would actually pre-empt state-enacted privacy laws to establish a unified federal framework is itself a hotly-contested issue, and remains to be seen.
[12] AB 375 (2018); Cal. Civ. Code §1798.100, et seq.
[13] Regulation (EU) 2016/679 (General Data Protection Regulation), Article 4 (1).
[14] Cal. Civ. Code §1798.140(o)(1)(K).
[15] Id. at §1798.140(m).
[16] Id. at §1798.110(c).
[17] Id. at §1798.140(o)(1).
[18] https://www.gibsondunn.com/accelerating-progress-toward-a-long-awaited-federal-regulatory-framework-for-autonomous-vehicles-in-the-united-states/.
[19] H.R. 3388, 115th Cong. (2017).
[20] U.S. Senate Committee on Commerce, Science and Transportation, Press Release, Oct. 24, 2017, available at https://www.commerce.senate.gov/public/index.cfm/pressreleases?ID=BA5E2D29-2BF3-4FC7-A79D-58B9E186412C.
[21] Sean O’Kane, Mercedes-Benz Self-Driving Taxi Pilot Coming to Silicon Valley in 2019, The Verge, Jul. 11, 2018, available at https://www.theverge.com/2018/7/11/17555274/mercedes-benz-self-driving-taxi-pilot-silicon-valley-2019.
[22] U.S. Dept. of Transp., Automated Driving Systems 2.0: A Vision for Safety 2.0, Sept. 2017, https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13069a-ads2.0_090617_v9a_tag.pdf.
[23] Id., at para 2.
[24] U.S. Dept. of Transp., Preparing for the Future of Transportation: Automated Vehicles 3.0, Oct. 4, 2018, https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/320711/preparing-future-transportation-automated-vehicle-30.pdf.
[25] Sasha Lekach, Waymo’s Self-Driving Taxi Service Could Have Some Major Issues, Mashable, Aug. 28, 2018, available at https://mashable.com/2018/08/28/waymo-self-driving-taxi-problems/#dWzwp.UAEsqM.
[26] Robert L. Rabin, Uber Self-Driving Cars, Liability, and Regulation, Stanford Law School Blog, Mar. 20, 2018, available at https://law.stanford.edu/2018/03/20/uber-self-driving-cars-liability-regulation/.
[27] David Shephardson, U.S. Regulators Grappling with Self-Driving Vehicle Security, Reuters, Jul. 10, 2018, available at https://www.reuters.com/article/us-autos-selfdriving/us-regulators-grappling-with-self-driving-vehicle-security-idUSKBN1K02OD.
[28] Richard Blumenthal, Press Release, Ten Senators Seek Information from Autonomous Vehicle Manufacturers on Their Use of Forced Arbitration Clauses, Mar. 23, 2018, available at https://www.blumenthal.senate.gov/newsroom/press/release/ten-senators-seek-information-from-autonomous-vehicle-manufacturers-on-their-use-of-forced-arbitration-clauses.
[29] Kevin Krewell, How Will Autonomous Cars Respond to Emergency Vehicles, Forbes, Jul. 31, 2018, available at https://www.forbes.com/sites/tiriasresearch/2018/07/31/how-will-autonomous-cars-respond-to-emergency-vehicles/#3eed571627ef.
[30] Michael J. Coren, All The Things That Still Baffle Self-Driving Cars, Starting With Seagulls, Quartz, Sept. 23, 2018, available at https://qz.com/1397504/all-the-things-that-still-baffle-self-driving-cars-starting-with-seagulls/.
[31] GHSA, Preparing For Automated Vehicles: Traffic Safety Issues For States, Aug. 2018, available at https://www.ghsa.org/sites/default/files/2018-08/Final_AVs2018.pdf.
[32] Id., at 7.
[33] Brookings, The State of Self-Driving Car Laws Across the U.S., May 1, 2018, available at https://www.brookings.edu/blog/techtank/2018/05/01/the-state-of-self-driving-car-laws-across-the-u-s/.
[34] Aarian Marshall, Fully Self-Driving Cars Are Really Truly Coming to California, Wired, Feb. 26, 2018, available at https://www.wired.com/story/california-self-driving-car-laws/; State of California, Department of Motor Vehicles, Autonomous Vehicles in California, available at https://www.dmv.ca.gov/portal/dmv/detail/vr/autonomous/bkgd.
[35] SB 151, available at http://www.capitol.tn.gov/Bills/110/Bill/SB0151.pdf.
[36] SB 2205, available at https://legiscan.com/TX/text/SB2205/2017.
[37] SB 219, available at http://www.legis.ga.gov/Legislation/en-US/display/20172018/SB/219.
[38] Tony Peng & Michael Sarazen, Global Survey of Autonomous Vehicle Regulations, Medium, Mar. 15, 2018, available at https://medium.com/syncedreview/global-survey-of-autonomous-vehicle-regulations-6b8608f205f9.
[39] KPMG, Autonomous Vehicles Readiness Index: Assessing Countries’ Openness and Preparedness for Autonomous Vehicles, 2018, (“The US has a highly innovative but largely disparate environment with little predictability regarding the uniform adoption of national standards for AVs. Therefore the prospect of widespread driverless vehicles is unlikely in the near future. However, federal policy and regulatory guidance could certainly accelerate early adoption . . .”), p. 17, available at https://assets.kpmg.com/content/dam/kpmg/nl/pdf/2018/sector/automotive/autonomous-vehicles-readiness-index.pdf.
[40] Stanley White, Japan Looks to Launch Autonomous Car System in Tokyo by 2020, Automotive News, Jun. 4, 2018, available at http://www.autonews.com/article/20180604/MOBILITY/180609906/japan-self-driving-car; National Transport Commission Australia, Automated vehicles in Australia, available at https://www.ntc.gov.au/roads/technology/automated-vehicles-in-australia/.
[41] The Automated and Electric Vehicles Act 2018, available at http://www.legislation.gov.uk/ukpga/2018/18/contents/enacted; Lexology, Muddy Road Ahead Part II: Liability Legislation for Autonomous Vehicles in the United Kingdom, Sept. 21, 2018, https://www.lexology.com/library/detail.aspx?g=89029292-ad7b-4c89-8ac9-eedec3d9113a; see further Anne Perkins, Government to Review Law Before Self-Driving Cars Arrive on UK Roads, The Guardian, Mar. 6, 2018, available at https://www.theguardian.com/technology/2018/mar/06/self-driving-cars-in-uk-riding-on-legal-review.
[42] Michaela Ross, Code & Conduit Podcast: Rep. Bob Latta Eyes Self-Driving Car Compromise This Year, Bloomberg Law, Jul. 26, 2018, available at https://www.bna.com/code-conduit-podcast-b73014481132/.
[43] Freight Waves, House Committee Urges Senate to Advance Self-Driving Vehicle Legislation, Sept. 10, 2018, available at https://www.freightwaves.com/news/house-committee-urges-senate-to-advance-self-driving-vehicle-legislation; House Energy and Commerce Committee, Press Release, Sept. 5, 2018, available at https://energycommerce.house.gov/news/press-release/media-advisory-walden-ec-leaders-to-call-on-senate-to-pass-self-driving-car-legislation/.
[44] See supra n. 24, U.S. Dept. of Transp., Preparing for the Future of Transportation: Automated Vehicles 3.0, Oct. 4, 2018, iv.
[45] David Shephardson, Self-driving cars may hit U.S. roads in pilot program, NHTSA says, Automotive News, Oct. 9, 2018, available at http://www.autonews.com/article/20181009/MOBILITY/181009630/self-driving-cars-may-hit-u.s.-roads-in-pilot-program-nhtsa-says.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, or the authors:

H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Claudia M. Barrett – Washington, D.C. (+1 202-887-3642, cbarrett@gibsondunn.com)
Frances Annika Smithson – Los Angeles (+1 213-229-7914, fsmithson@gibsondunn.com)
Ryan K. Iwahashi – Palo Alto (+1 650-849-5367, riwahashi@gibsondunn.com)

Please also feel free to contact any of the following:

Automotive/Transportation:
Theodore J. Boutrous, Jr. – Los Angeles (+1 213-229-7000, tboutrous@gibsondunn.com)
Christopher Chorba – Los Angeles (+1 213-229-7396, cchorba@gibsondunn.com)
Theane Evangelis – Los Angeles (+1 213-229-7726, tevangelis@gibsondunn.com)

Privacy, Cybersecurity and Consumer Protection:
Alexander H. Southwell – New York (+1 212-351-3981, asouthwell@gibsondunn.com)

Public Policy:
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)
Mylan L. Denerstein – New York (+1 212-351-3850, mdenerstein@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

June 21, 2017 |
Channeling the Channel-Partner Risk: Addressing Anti-Corruption Risk with Channel Partners in the Technology Sector

Orange County partner Nicola Hanna, Los Angeles partner Michael Farhang, Washington, D.C. associate Pedro Soto and Orange County associate Caitlin Peters are the authors of "Channeling the Channel-Partner Risk: Addressing Anti-Corruption Risk with Channel Partners in the Technology Sector," [PDF] published in FCPA Report on June 21, 2017.

February 18, 2016 |
Commercial Drone Industry May Be Ready For Takeoff Soon

Orange County associate Jared Greenberg is the author of "Commercial Drone Industry May Be Ready For Takeoff Soon" [PDF] published on February 18, 2016 by Law360.

February 17, 2015 |
Cybersecurity and Data Privacy Outlook and Review: 2015

Concerns about cybersecurity and data privacy have exploded into the public consciousness in recent years, accompanied by a host of new and rapidly developing legal issues.  From data breaches potentially affecting millions of consumers, to increasingly active policing of cybersecurity by the FTC and other U.S. regulators, to the protection of "the right to be forgotten" in the European Union, the headlines have been filled with cybersecurity and data privacy news and legal developments–and there is no end in sight.

In this annual edition of Gibson Dunn’s Cybersecurity and Data Privacy Outlook and Review, the firm’s Information Technology and Data Privacy group describes key data privacy and security events from 2014 and sets forth anticipated trends for the near future.  The topics covered are: (i) civil litigation; (ii) regulatory and policy developments; (iii) legislative developments; (iv) criminal enforcement; and (v) select international developments in the European Union and the Asia-Pacific region.

Table of Contents

I.   Class Action and Civil Litigation Developments
   A.   Article III Standing
      1.   Statutory Rights of Action As Substitute for Harm
      2.   Theories of Harm in the Data Breach Context
      3.   Resource Consumption and Overpayment as Theories of Harm
      4.   Requirement of Certainly Impending Harm
   B.   Substantive Trends in Data Privacy Class Actions
      1.   Data Breach Litigation
      2.   Email Scanning Litigation
      3.   VPPA Litigation
      4.   ECPA Litigation and the "Contents of Communications"
      5.   California’s Song-Beverly Credit Card Act and Point-of-Service Data Collection
      6.   TCPA Litigation
II.   Regulatory and Policy Developments
   A.   FTC Enforcement Trends
      1.   Cybersecurity, Data Breaches, and Legal Challenges to the FTC’s Authority
      2.   The U.S.-EU Safe Harbor
      3.   High-Profile FTC Consent Decrees
   B.   The FTC’s Revised COPPA Rule
   C.   FCC Guidance and Amendments to the TCPA
   D.   The NIST Cybersecurity Framework
III.   Legislative Developments
   A.   Proposed Federal Data Breach Notification and Cybersecurity Legislation
      1.   Legislation Arising From Prominent Retailer Data Breaches
      2.   Cybersecurity Legislative Efforts
      3.   Health Exchange Security and Transparency Act
      4.   The Law Enforcement Access to Data Stored Abroad Act
      5.   Protecting Student Privacy Act
      6.   Do Not Track Kids Act
      7.   The Edward Snowden Affair and NSA Surveillance
   B.   Recently Enacted State Privacy Laws
      1.   Data Breach Notification
      2.   Credit Card Monitoring After Data Breach
      3.   Social Media Access
      4.   Drone Regulation
      5.   California’s "Do Not Track" Law
      6.   California’s "Digital Eraser" Law
      7.   California’s Privacy for Student Records Laws
   C.   Legislative Outlook
IV.   Criminal Enforcement
   A.   Fourth Amendment Developments
      1.   U.S. v. Ringmaiden
      2.   Cell Phones and Warrantless Searches
   B.   Identity Theft and Carding Crimes
      1.   United States v. Lazar (E.D. Va.)
      2.   United States v. Vega (E.D.N.Y)
   C.   Money Laundering
      1.   United States v. Dotcom (E.D. Va.)
      2.   United States v. Faiella (S.D.N.Y)
      3.   United States v. Liberty Reserve S.A. (S.D.N.Y)
   D.   Economic Espionage Act
      1.   United States v. Aleynikov (2d Cir.) and United States v. Agrawal (2d Cir.)
      2.   United States v. Liew (N.D. Cal.)
      3.   United States v. Wang Dong (W.D. Penn.)
      4.   United States v. Leroux (D. Del.)
   E.   Computer Fraud and Abuse Act
      1.   United States v. Nosal (N.D. Cal.)
      2.   Hacktivism
   F.   The Year Ahead
V.   International Developments
   A.   European Union
      1.   Developments at the European Union Level
      2.   France
      3.   Germany
      4.   United Kingdom
      5.   Other European Nations
   B.   Asia-Pacific Region
      1.   India
      2.   China and Hong Kong
      3.   Japan
      4.   South Korea
      5.   Malaysia
      6.   Singapore
   C.   Other International Developments of Note

I.   
Class Action and Civil Litigation Developments The pace of litigation related to the alleged unauthorized collection, use, or disclosure of consumer information has continued to increase.  In the past year, a flurry of decisions at the district and circuit court levels have grappled with plaintiff standing, pleading requirements, and the enforceability of arbitration clauses and class action waivers, in addition to substantive data privacy law.       A.   Article III Standing As the plaintiffs’ bar continues to adapt and bring claims predicated on novel theories of harm, litigants continue to contest Article III standing challenges in data privacy cases.  As Magistrate Judge Grewal observed in In re Google, Inc. Privacy Policy Litigation: [D]espite generating little or no discussion in most other cases, the issue of injury-in-fact has become standard fare in cases involving data privacy.  In fact, the court is hard-pressed to find even one recent data privacy case, at least in this district, in which injury-in-fact has not been challenged.  Second, in this district’s recent case law on data privacy claims, injury-in-fact has proven to be a significant barrier to entry.  And so even though injury-in-fact may not generally be Mount Everest, as then-Judge Alito observed, in data privacy cases in the Northern District of California, the doctrine might still reasonably be described as Kilimanjaro. No. 12-CV-01382, 2013 WL 6248499, at *4 (N.D. Cal. Dec. 3, 2013) (finding that allegations of loss of personal identifying information were insufficient to establish injury-in-fact, but certain alleged economic and statutory injuries were sufficient to support Article III standing); see also In re Google, Inc. Privacy Policy Litig., No. 12-CV-01382, 2014 WL 3707508, at *4 (N.D. Cal. 
July 21, 2014) (reviewing second amended complaint and dismissing claims premised on allegations of conjectural heightened security risk from data disclosure, but holding other alleged economic theories sufficient to support Article III standing).  Judge Grewal’s statement that "injury-in-fact has proven to be a significant barrier to entry" to data privacy plaintiffs largely continues to hold true, even in the face of recent decisions showing an increased tolerance for claims predicated on theories of future harm or statutes requiring no showing of actual harm.             1.   Statutory Rights of Action As Substitute for Harm Where plaintiffs might not otherwise be able to satisfy Article III standing requirements–in particular the element of actual injury–they have seen increased success in predicating privacy claims on statutory rights of action, which some courts have found do not require actual injury.  See Robins v. Spokeo, Inc., 742 F.3d 409, 414 (9th Cir. 2014), petition for cert. filed, No. 13-1339; Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010) (the injury required by Article III "may exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing’"); In re Google, Inc. Privacy Policy Litig., 2013 WL 6248499, at *8-9.  In Robins v. Spokeo, the Ninth Circuit held that the plaintiff could adequately plead Article III standing, despite lack of actual harm, by alleging a claim for a willful violation of the Fair Credit Reporting Act ("FCRA") (15 U.S.C. § 1681).  742 F.3d at 414.  The Ninth Circuit here followed up on its earlier decision in Edwards v. First American Corporation.  Thus, the Ninth Circuit, at least, has given plaintiffs in putative data privacy class actions a stronger foothold upon which to satisfy the Article III standing requirement and seek enforcement of federal or state statutes concerning data privacy rights. 
The federal statutes most frequently utilized by data privacy plaintiffs to allege violations of statutorily imposed duties, and thus standing in the absence of injury, are the Wiretap Act (18 U.S.C. §§ 2510, et seq.) and the Stored Communications Act ("SCA") (18 U.S.C. §§ 2701, et seq.).  See, e.g., Perkins v. LinkedIn Corp., No. 13-CV-04303-LHK, 2014 WL 2751053 (N.D. Cal. June 12, 2014); see also In re iPhone Application Litig., 844 F. Supp. 2d 1040 (N.D. Cal. 2012); In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011).  In suits against electronic platforms that offer video content, plaintiffs also increasingly have alleged violations of the Video Privacy Protection Act ("VPPA") (18 U.S.C. § 2710).  See, e.g., Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618 (7th Cir. 2014); In re Nickelodeon Consumer Privacy Litig., No. CIV.A. 12-07829, 2014 WL 3012873 (D.N.J. July 2, 2014). State statutes also may provide a path to Article III standing.  See, e.g., In re Google, Inc. Privacy Policy Litigation, 2013 WL 6248499, at *9.  The court in In re Google, Inc. Privacy Policy Litigation found that the plaintiff could satisfy standing obligations pursuant to a state law, California Civil Code § 3344, which prohibits the commercial use of another’s name or likeness.  Id. ("Where a plaintiff alleges an unauthorized commercial use of a person’s name or likeness, courts generally presume that [injury] has been established for a Section 3344 claim.") (internal quotation marks omitted).  By contrast, however, in Mendoza v. Microsoft Inc., the court granted Microsoft’s motion to dismiss on standing grounds where the plaintiffs offered little more than "broad conclusory statements and formulaic recitations of the VPPA and [California Customer Records Act] statutes . . . without a single fact to support their allegation that Microsoft allegedly retained and disclosed personally identifiable information."  No. C-14-316, 2014 WL 4540213, at *3 (W.D. Wash. Sept. 
11, 2014). Practitioners continue to wait on guidance from the U.S. Supreme Court in this area. Action by the Court might be imminent.  In 2012, privacy practitioners had anxiously awaited the Supreme Court’s anticipated ruling in First American Financial Corp. v. Edwards, a decision many hoped would resolve the issue of whether an alleged statutory violation alone is sufficient to create Article III standing where the plaintiff fails to allege any actual harm.  In June 2012, however, the Supreme Court dismissed the petition for certiorari as having been improvidently granted, leaving intact the Ninth Circuit’s decision that the standing requirement had been satisfied.  First Am. Fin. Corp. v. Edwards, 132 S. Ct. 2536 (2012).  Then in March 2014, after the Eighth Circuit found that a plaintiff had standing under the "informational injury" provision of the Electronic Fund Transfer Act ("EFTA"), the Supreme Court denied certiorari, again delaying resolution of the issue.  Charvat v. Mutual First Fed. Credit Union, 725 F.3d 819 (8th Cir. 2013), cert. denied, 134 S. Ct. 1515 (2014).  As of this writing, a petition for certiorari in Robins v. Spokeo is pending.  Robins v. Spokeo, Inc., 742 F.3d 409, 414 (9th Cir. 2014), petition for cert. filed, 82 U.S.L.W. 3689 (U.S. May 1, 2014) (No. 13-1339).  Petitioner Spokeo pointed out a deep circuit split, pitting the Ninth Circuit and several other circuit courts against the Second and Fourth Circuits.  See Kendall v. Employees Ret. Plan of Avon Prods., 561 F.3d 112, 121 (2d Cir. 2009) (holding allegations of breached statutory duties in the ERISA context do not "in and of themselves constitute[] an injury-in-fact sufficient for constitutional standing"); David v. Alphin, 704 F.3d 327, 338 (4th Cir. 2013) (holding that theory of standing-based deprivation of statutory rights without injury-in-fact impermissibly "conflates statutory standing with constitutional standing").  
Prominent technology companies have jointly filed an amicus brief in support of Spokeo’s petition.  On October 6, 2014, the Court called for the views of the U.S. Solicitor General, perhaps signaling the Court’s interest in resolving the circuit split. Until the Supreme Court speaks, federal courts remain divided on whether the mere assertion that a statutory right has been violated is sufficient to confer Article III standing at the pleadings stage.             2.   Theories of Harm in the Data Breach Context While standing based on statutory rights of action alone remains a hotly debated but unsettled issue, plaintiffs also continue to rely on more concrete, albeit attenuated, theories of harm.  The closely watched Target breach litigation raised the issue of whether plaintiffs suffered harm in connection with a data breach targeting a national retail chain.  In this multidistrict litigation, a Minnesota district court found that plaintiffs satisfied the standing requirements, at least at the pleading stage, by alleging plaintiffs suffered "unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees."  In re Target Corp. Customer Data Sec. Breach Litig., No. MDL 14-2522, 2014 WL 7192478, at *2 (D. Minn. Dec. 18, 2014).  Target had argued that the plaintiffs did not allege injury because they failed to "allege that their expenses were unreimbursed or say whether they or their bank closed their accounts."  Id.  But the court found that those arguments "set a too-high standard for Plaintiffs to meet" and that "Plaintiffs’ allegations plausibly allege that they suffered injuries that are ‘fairly traceable’ to Target’s conduct."  Id. (citations omitted).             3.   
Resource Consumption and Overpayment as Theories of Harm Plaintiffs have also continued the recent trend of alleging theories of harm (1) to their electronic devices in the form of unexpected "resource consumption," and (2) in the form of "overpayment" (i.e., by asserting that a plaintiff would not have purchased the good or service at issue or would have paid less for it had the "true facts" been disclosed to him or her).  For example, both the first and second amended complaints in In re Google, Inc. Privacy Policy Litigation included allegations regarding battery and bandwidth usage and overpayment, which the court found adequate at the pleadings stage to establish cognizable injury for Article III standing purposes.  2013 WL 6248499, at *6-7; 2014 WL 3707508, at *6-7.  No matter the theory of harm offered by plaintiffs, given courts’ continuing uncertainty regarding speculative damages in the data privacy context, defendants should not lose sight of the standing issue (which goes to the court’s subject matter jurisdiction) if the complaint survives a standing challenge based on the pleadings.  As the U.S. Supreme Court held in Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992), a plaintiff bears the burden of proving standing under Article III "with the manner and degree of evidence required at the successive stages of the litigation."  At the pleadings stage, "general factual allegations of injury resulting from the defendant’s conduct may suffice," but "[i]n response to a summary judgment motion, . . . the plaintiff can no longer rest on such ‘mere allegations,’ but must ‘set forth’ by affidavit or other evidence ‘specific facts’ to support standing."  Id. at 561; see also In re Target Corp. Customer Data Sec. Breach Litig., 2014 WL 7192478, at *2 ("[if] discovery fail[s] to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue [of standing]"); In re Google, Inc. 
Privacy Policy Litig., 2014 WL 3707508, at *7 (noting challenges to "causal nexus between [the] alleged conduct and the Plaintiffs’ alleged injury [] require[] a heavily and inherently fact-bound inquiry that the court may not reach at this state in the litigation").  Accordingly, a defendant in a data privacy case may wish to consider, particularly in developing its discovery strategy, whether standing may be challenged at a later stage of litigation, such as the summary judgment stage.             4.   Requirement of Certainly Impending Harm Courts in data breach cases are now grappling with how to apply the holding of Clapper v. Amnesty International, a key 2013 Supreme Court decision focusing on the issue of Article III standing.  133 S. Ct. 1138 (2013).  In Clapper, human rights organizations and media groups challenged the constitutionality of an amendment to the Foreign Intelligence Surveillance Act that made it easier for the government to obtain wiretaps on intelligence targets outside of the United States.  The plaintiffs, all U.S. citizens, alleged that they had standing because their work included telephone and email communications with people who were likely foreign targets of surveillance and such communications could be intercepted in the future.  The plaintiffs also alleged that they had suffered injury by undertaking costly steps to protect their communications from surveillance. The Supreme Court held that the allegations of potential interception of attorney-client privileged communications were too speculative to sustain a claim, determining that "a highly attenuated chain of possibilities[] does not satisfy the requirement that threatened injury must be certainly impending" and that plaintiffs cannot manufacture standing "merely by inflicting harm on themselves based on their fears of hypothetical future harm."  Id. at 1148.  
Based on Clapper, several lower courts have since held that an increased risk of future harm is not sufficient to establish standing because typically harm is not imminent.  See, e.g., Remijas v. Neiman Marcus Grp., LLC, No. 14-C-1735, 2014 WL 4627893, at *4 (N.D. Ill. Sept. 16, 2014) ("[T]he complaint does not adequately allege that the risk of identity theft is sufficiently imminent to confer standing."); In re Sci. Applications Int’l Corp. Backup Tape Data Theft Litig., No. MDL-2360, 2014 WL 1858458 (D.D.C. May 9, 2014) (finding that "[t]he degree by which the risk of harm has increased is irrelevant–instead, the question is whether the harm is certainly impending"); Strautins v. Trustwave Holdings, Inc., No. 12-CV-09115, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014) ("To the extent that [plaintiff’s claims] are premised on the mere possibility that her [] [personal information] was stolen and compromised, and a concomitant increase in the risk that she will become a victim of identity theft, Strautins’ claim is too speculative to confer Article III standing."). Other district courts, however, have taken a narrower view of Clapper.  In one recent data breach case, a district court found that Clapper did not set forth a new Article III framework; rather, it "simply reiterated an already well-established framework for assessing whether a plaintiff had sufficiently alleged an ‘injury-in-fact’ for purposes of establishing Article III standing."  In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 961 (S.D. Cal. 2014) (finding allegations that personal information was collected and wrongfully disclosed via a breach and subject to a "credible threat" of impending harm sufficient to establish Article III standing at the pleading stage); see also In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK, 2014 WL 4379916, at *7 (N.D. Cal. Sept. 
4, 2014) (holding that the threat of future harm was sufficient to satisfy Article III standing requirements and noting that "the Court is reluctant to conclude that Clapper represents the sea change that Adobe suggests").  We anticipate that the import of Clapper will continue to be vigorously litigated, but for now, it remains a potentially powerful shield for defendants combatting nonspecific allegations of indeterminate harm.       B.   Substantive Trends in Data Privacy Class Actions             1.   Data Breach Litigation The pace, scope, and sophistication of data breaches and cyberattacks continued to increase in 2014, placing businesses’ data security practices under heightened scrutiny from consumers, private litigants, and regulators.  Breaches can expose the data of millions of individual consumers, resulting in potentially massive liability.  As a result, companies may wish to consider such exposure and consult with experienced counsel when making decisions about data security measures, developing a data breach response plan before an incident occurs, and taking responsive action at the first sign of a potential breach.  Although an early and informed response may not altogether prevent a wave of putative class action suits, it makes it easier for a company to mount an effective defense. While we have yet to see a data breach class action successfully reach a jury verdict, in 2014 plaintiffs survived motions to dismiss in a number of key cases.  This section examines data breach class action suits in the following postures: (a) those that have been dismissed due to lack of standing; (b) those that have survived motions to dismiss despite alleging only an increased risk of future harm; (c) those that have survived motions to dismiss through allegation of more than a risk of future harm; and (d) those that have just recently been filed.                     a.   
Cases Dismissed for Lack of Standing Despite the proliferation of data breach class actions, plaintiffs still face significant obstacles in getting their claims into court.  The greatest roadblock–as discussed above–continues to be establishing standing under Article III of the U.S. Constitution, and most suits fail at this stage.  In data breach cases, standing is a significant issue when personal information has been exposed or stolen but there is no evidence that it has been misused.  In these cases, plaintiffs seek to establish standing based on a fear of potential future harm, such as identity theft or fraud. Several defendants have successfully filed motions to dismiss for lack of standing by relying on the 2013 Supreme Court case, Clapper v. Amnesty International, discussed in greater detail above.  Recent examples of class action data breach lawsuits dismissed for lack of standing demonstrate the difficult standard plaintiffs must reach to demonstrate actual injury.  When Nationwide, P.F. Chang’s China Bistro, and Neiman Marcus each reported massive consumer data breaches, several of their customers filed putative class actions, but failed to move beyond the motion to dismiss stage.  In all three actions, the courts found a lack of standing on the basis that an increased risk of identity theft or costs associated with mitigating that risk did not sufficiently demonstrate a redressable injury.  Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 654 (S.D. Ohio 2014) (holding that "an increased risk of identity theft . . . is not itself an injury-in-fact because Named Plaintiffs did not allege . . . that such harm is ‘certainly impending’"); Lewert v. P.F. Chang’s China Bistro, No. 14-cv-4787, 2014 U.S. Dist. LEXIS 171142, at *8-9 (N.D. Ill. Dec. 
10, 2014) (holding that speculation of future harm–such as potential identity theft–does not constitute actual injury and any unauthorized charges and bank fees would have been reimbursed by banks) (notice of appeal pending before Seventh Circuit); Remijas v. Neiman Marcus Group, LLC, No. 14 C 1735, 2014 U.S. Dist. LEXIS 129574, at *9 (N.D. Ill. Sep. 16, 2014) (holding that while increased risk of fraudulent charges was sufficiently imminent under Clapper because 9,200 stolen cards had already been misused, plaintiffs would not suffer any concrete harm given banks’ reimbursement policies).                     b.   Cases Where an Increased Risk of Harm Was Sufficient to Confer Standing While most cases to date have failed when plaintiffs cannot allege that their information has actually been misused, two district courts, both within the Ninth Circuit, found standing this year under exactly those circumstances.  First, in In re Sony Gaming Networks & Customer Data Security Breach Litigation, hackers obtained data for as many as 31 million Sony users through the PlayStation network, including credit and debit card information.  In response to Sony’s first motion to dismiss, the district court cited Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010), and held that plaintiffs had shown standing based on an increased risk of future harm.  In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 958 (S.D. Cal. 2012).  Sony then asked the court to reevaluate its opinion in light of the Supreme Court’s holding in Clapper, but the court once again found that plaintiffs had standing, holding that neither Krottner nor Clapper requires plaintiffs to allege that information was misused by a third party.  In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014).  
The court further held that Clapper had not set forth a new Article III framework overruling Krottner’s standard that injury be "real and immediate."  Id. at 961.  The court left eight of the fifty-three claims intact, dismissing the others.  In July 2014, Sony agreed to a $15 million preliminary settlement, which the court will review in a final fairness hearing in May 2015. Second, Adobe Systems was hit with several putative class actions following a 2013 attack on its network that compromised the private information of approximately 38 million customers.  Several of these cases were consolidated in the U.S. District Court for the Northern District of California, and plaintiffs filed a consolidated class action complaint in April 2014.  The court, in response to Adobe’s motion to dismiss for lack of standing, found that "the threatened harm alleged here is sufficiently concrete and imminent to satisfy Clapper" because plaintiffs’ personal information (including names, usernames, passwords, phone numbers, addresses, and credit card numbers) had allegedly been stolen during the breach, and had in some instances already surfaced on the Internet.  In re Adobe Systems Inc. Privacy Litig., No. 13-CV-05226-LHK, 2014 U.S. Dist. LEXIS 124126, at *27 (N.D. Cal. Sep. 4, 2014). Accordingly, the court held that "there is no need to speculate as to whether Plaintiffs’ information has been stolen . . . [or] whether the hackers intend to misuse the personal information . . . or whether they will be able to do so."  Id. at *28.  Finally, since the court found that the threatened harm was certainly impending, it held that costs for credit-monitoring services were also an injury that conferred standing.                     c.   
Cases Alleging More Than an Increased Risk of Harm While plaintiffs have been mostly unsuccessful at establishing standing based on increased risk of future misuse of their personal information, they have more effectively defeated motions to dismiss when their alleged injuries have extended beyond risk of future harm.  In 2012, hackers infiltrated LinkedIn’s computer systems and posted the passwords of approximately 6.5 million users on the Internet.  Within days, plaintiffs filed suit, alleging breach of contract and violations of both the fraud and unfair business act prongs of California’s Unfair Competition Law ("UCL").  The court dismissed the named plaintiff’s initial complaint for lack of standing because she had only alleged an increased risk of future harm without alleging actual misuse of her information.  In her second amended complaint, the plaintiff alleged that she was among a group of individuals who had paid for LinkedIn’s premium subscription in reliance on LinkedIn’s Privacy Policy, which had stated that LinkedIn had adequate security procedures.  Accordingly, she asserted that LinkedIn’s failure to adhere to industry standards and its Privacy Policy had caused the breach that revealed her password.  The plaintiff’s allegation that she had acted in reliance upon LinkedIn’s misrepresentation in its Privacy Policy, and would not have purchased a premium subscription otherwise, proved sufficient to confer standing under both Article III and California’s UCL.  In re LinkedIn User Privacy Litig., No. 5:12-CV-03088-EJD, 2014 U.S. Dist. LEXIS 42696, at *11 (N.D. Cal. March 28, 2014).  The judge dismissed most of the claims, but allowed the plaintiffs to proceed with the fraud claim under the UCL.  LinkedIn has since agreed to pay $1.25 million to settle this suit, and the court is scheduled to review the parties’ proposed settlement this month. 
In December 2013, Target experienced a massive data breach that compromised credit card information for around 40 million customers and personal information for about 70 million customers.  The company was subsequently named in over fifty class actions, both on behalf of consumers and on behalf of issuer banks, which were later consolidated in the U.S. District Court for the District of Minnesota.  Upon Target’s motion to dismiss the consumer complaint, the court disagreed with Target’s argument that plaintiffs had not sufficiently demonstrated an injury based on unauthorized credit/debit card charges because there was no indication that these charges had gone unreimbursed.  In re Target Corp. Customer Data Sec. Breach Litig., No. 14-md-2522 PAM/JJK, 2014 WL 7192478 (D. Minn. Dec. 18, 2014).  The court held that this argument "set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage," and that it was sufficient for plaintiffs to allege that they had suffered injuries that were "fairly traceable" to Target’s conduct.  Id. at *2.  With respect to the issuer banks’ class complaint, the court likewise denied Target’s motion to dismiss.  In re Target Corp. Customer Data Sec. Breach Litig., No. 14-md-2522 PAM, 2014 U.S. Dist. LEXIS 167802 (D. Minn. Dec. 2, 2014).  Notably, standing was not a concern in this instance, since the plaintiff issuer banks had borne the financial losses arising from fraudulent charges on their customers’ payment cards.  Moreover, the court found that Target owed a duty of care to the issuer banks with regard to its data security practices, and that the breach was foreseeable because Target had deliberately disabled one of the security features that could have prevented the harm.  Id. at *9.  The claims brought on behalf of consumers and banks will now move forward to the class certification stage.                     d.   
Recently Filed Complaints There are several additional data breach class actions currently pending in courts across the country.  For example, plaintiffs filed a class action complaint against eBay in July 2014, stemming from a cyberattack in which up to 233 million consumers’ personal data allegedly was compromised due to eBay’s lack of sufficient data encryption.  See Collin Green v. eBay Inc., No. 2:14-cv-01688-SM-KWR (E.D. La. July 23, 2014).  eBay has filed a motion to dismiss based on lack of standing under Clapper, which is currently pending before the court.  Several other class actions are currently at the filing stage; it remains to be seen how the decisions in these cases will further shape the nature of the burden that plaintiffs and defendants face to prevail in data breach lawsuits.  See, e.g., Shane K. Enslin, et al. v. The Coca-Cola Co., et al., No. 2:14-cv-06476-JHS (E.D. Penn. Nov. 12, 2014) (putative class action based on theft of 55 computers containing personal information of 74,000 current and former Coca-Cola employees); Barbara Irwin v. Jimmy Johns, No. 2:14-cv-02275-HAB-DGB (C.D. Ill. Nov. 6, 2014) (putative class action based on credit card fraud resulting from data breach at over 200 Jimmy Johns’ locations and theft of thousands of consumers’ personal information); In re The Home Depot, Inc., Customer Data Sec. Breach Litig., No. 14-md-02583 (N.D. Ga. Dec. 11, 2014) (putative class action based on data breach exposing up to 56 million credit and debit card numbers); Corona, et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-9600 (C.D. Cal. Dec. 15, 2014) (action based on data breach that exposed internal emails and the Social Security numbers, employee files, and medical information of over 47,000 current and former employees, allegedly due to inadequate encryption and password protection).             2.   
Email Scanning Litigation In the last few years, plaintiffs have filed several class action lawsuits against major players in the Silicon Valley alleging that scanning user emails for use in targeting advertising violates various state and federal laws.  As is often the case in privacy class actions, the initial proposed classes in some of these suits include all or many users of the services, and therefore the scope of these cases, at least at the outset, is potentially massive.  What is more surprising is that these lawsuits allege privacy violations based on what many consider to be standard industry practices.  Companies operating any sort of electronic communications service should consider the issues raised by these suits, particularly with respect to the permissible collection and use of such communications and the kinds of disclosures that may satisfy consent to such collection and use. In the first of several suits, together collectively known as the In re Google Gmail Litigation, plaintiffs sued Google alleging improper scanning of user emails without consent.  See Dunbar v. Google, Inc., No. 10-cv-194 (E.D. Tex. Nov. 17, 2010).  By May 2013, the Dunbar action and six other actions involving substantially similar allegations against Google were centralized into a multidistrict action before U.S. District Judge Lucy H. Koh of the Northern District of California.  Plaintiffs in the seven actions together filed a consolidated complaint in May 2013, asserting violations of the federal Electronic Communications Privacy Act ("ECPA") (18 U.S.C. §§ 2510, et seq.), the California Invasion of Privacy Act ("CIPA") (Cal. Penal Code §§ 631 and 632), and various state laws.  In re Google Gmail Litig., No. 13-md-02430, Dkt. No. 38.  Broadly stated, each plaintiff alleged that Google mined the content of private Gmail messages without users’ permission, for the purpose of targeting advertising, resulting in financial gain for the company. 
Google moved to dismiss the consolidated complaint shortly thereafter, asserting, among other things, that scanning emails fell within ECPA’s exemption for activities taking place in the "ordinary course of its business," and that, in any event, plaintiffs consented to scanning of their emails by agreeing to Google’s terms of service and privacy policies.  Judge Koh denied this motion to dismiss in September 2013.  She held that plaintiffs plausibly alleged that Google’s scanning of emails is not in its ordinary course of business because it is contrary to Google’s stated practices and is not instrumental to Google’s ability to transmit emails.  Judge Koh also held that the plaintiffs neither expressly nor impliedly consented to the scanning of their emails by accepting Google’s terms of service and privacy policies, since those policies merely disclosed the possibility, not the certainty, that Google scans emails, and did not disclose scanning for the specific purposes alleged by plaintiffs.  Judge Koh also denied Google’s motion to dismiss the CIPA § 631 claim, holding that CIPA does apply to email communications and that the public utility exception did not apply.  She did, however, grant Google’s motion to dismiss plaintiffs’ CIPA § 632 claim, holding that Internet-based communications cannot be "confidential" under CIPA.  Finally, Judge Koh granted Google’s motion to dismiss some of plaintiffs’ other state-law claims, but declined to dismiss those that derived from the ECPA claims.  Google then sought interlocutory review of the court’s order denying its motion to dismiss, requesting clarification of the "ordinary course of business" and "consent" exceptions to ECPA, but Judge Koh likewise denied this motion.  In March 2014, Judge Koh also denied plaintiffs’ motion for class certification, holding that individual issues regarding whether members of the various classes consented to the alleged interceptions would predominate over common issues.  
The plaintiffs sought permission to appeal the decision under Federal Rule of Civil Procedure 23(f), but the Ninth Circuit denied the request.  The parties then stipulated to dismissal of all claims with prejudice.  In October 2013, shortly after Judge Koh’s decision denying Google’s motion to dismiss, six separate class action complaints were filed against Yahoo! alleging similar theories, each accusing the company of scanning emails for purposes of targeted advertising and user profiling in violation of plaintiffs’ privacy rights.  In January 2014, two plaintiffs stipulated to dismissal of  their claims, and Judge Koh consolidated the remaining four cases.  See Holland et al v. Yahoo! Inc., No. 13-cv-04980, Dkt. No. 27 (Jan. 22, 2014).  Plaintiffs filed a consolidated class action complaint in February 2014, and the following month, Yahoo! filed a motion to dismiss.  In August 2014, Judge Koh issued an opinion, without oral argument, granting Yahoo!’s motion in part and denying in part.  The court granted Yahoo!’s motion to dismiss the ECPA claim, finding that Yahoo!’s terms of service established express consent under ECPA, since they explicitly disclosed Yahoo!’s practice of scanning emails in order to target advertising and create user profiles.  The court also granted Yahoo!’s motion to dismiss plaintiffs’ claim under the SCA alleging that Yahoo! accessed stored communications, since electronic service providers have immunity from such claims.  The court also dismissed plaintiffs’ claim under the California Constitution, which requires that plaintiffs plead specific content in which they allege a privacy interest.  However, the court denied Yahoo!’s motion to dismiss plaintiffs’ CIPA § 631 claim and their claim under the SCA alleging that Yahoo! disclosed emails without authorization.  The plaintiffs did not file an amended complaint, and the parties are conducting discovery.  
Plaintiffs have indicated that they will seek to certify only a Rule 23(b)(1) and/or (b)(2) class (not a (b)(3) "damages" class), perhaps in an effort to avoid the predominance issues that doomed the Gmail case.

3.   VPPA Litigation

Plaintiffs have continued to bring putative privacy class action claims under previously infrequently litigated statutes like the Video Privacy Protection Act ("VPPA"), 18 U.S.C. § 2710.  The VPPA creates significant monetary exposure via a minimum $2,500 per-person liquidated damages provision for "video tape service providers" that knowingly disclose "personally identifiable information concerning any consumer," subject to certain exceptions.  A plaintiff asserting a VPPA violation typically argues that the website publisher has violated the statute by disclosing the plaintiff’s video viewing information in connection with a device identifier to third-party analytics companies or advertising networks.

A California federal magistrate judge ruled in 2012 that online digital content distributor Hulu was a "video tape service provider" within the meaning of the Act, even though Hulu does not distribute physical video tapes.  In re Hulu Privacy Litig., No. 11-cv-3764 LB, 2012 WL 3282960, at *6 (N.D. Cal. Aug. 10, 2012) (Beeler, Mag. J.) (analyzing the legislative history of the statute and the ordinary meaning of "audio visual materials").  Hulu subsequently moved for summary judgment on the basis that the plaintiffs had no evidence of actual injury, arguing that such injury is required by the statute.  On December 20, 2013, the court issued an order solely addressing the question of whether the VPPA requires plaintiffs to show actual injury separate from a statutory violation.  In re Hulu Privacy Litig., 2013 WL 6773794 (N.D. Cal. Dec. 20, 2013).
In a decision that adds to the split of authority on this issue, the court rejected Hulu’s argument that the word "aggrieved" in the statute requires an additional injury, concluding that the VPPA "requires only injury in the form of a wrongful disclosure."  Id. at *4.  The court refused to credit Hulu’s reliance on Sterk v. Best Buy Stores, L.P., No. 11-cv-1894, 2012 WL 5197901 (N.D. Ill. Oct. 17, 2012), for the proposition that actual injury is a prerequisite to recovering any damages under the VPPA.  Id. at *8.  The court instead concluded that actual injury is not required by the statute, in part because "the Ninth Circuit recognizes that a plaintiff satisfies Article III’s injury-in-fact requirement by alleging a violation of a statutorily-created right."  Id. at *8 (citing Edwards v. First Am. Corp., 610 F.3d 514, 515-16 (9th Cir. 2010)).

Hulu brought a second motion for summary judgment in 2014, arguing that the company’s sharing of anonymized video viewing data with third parties did not constitute a "knowing" disclosure of personally identifiable information, as required by the VPPA.  In April 2014, the court granted the motion as to information Hulu shared with metrics company ComScore, but denied it as to information shared with a social networking company.  In re Hulu Privacy Litig., No. 11-cv-3764 LB, 2014 WL 1724344 (N.D. Cal. Apr. 28, 2014) (observing that "[t]he statute does not require an actual name" and denying defendant summary judgment as to disclosures to third party of the user’s alleged identity, even though no "actual" name was transmitted).  The inquiry was fact-dependent, and the court held that the record contained fact issues concerning Hulu’s knowledge of what information was being transmitted.  The court held that, in appropriate circumstances, disclosing a user ID (rather than an actual name) along with video viewing information could constitute a violation of the VPPA.
The most recent development in the Hulu case is the court’s denial of the plaintiffs’ motion for class certification–without prejudice–on June 17, 2014.  The court held that, on the record before it, the plaintiffs had not proposed an ascertainable class.  Hulu currently has another motion for summary judgment pending, which is scheduled for hearing on February 26, 2015. A recent unpublished federal decision in New Jersey relied on the Hulu court’s analysis with regard to the scope of information covered by the VPPA.  In re Nickelodeon Consumer Privacy Litig., No. 12-cv-7829, 2014 U.S. Dist. LEXIS 91286, at *39 (D.N.J. July 2, 2014).  Agreeing that the statute is triggered by disclosure of something "akin" to a name, the Nickelodeon court found that information disclosed to Google by Viacom did not rise to that level, dismissing the claims in that case.  Specifically, the Nickelodeon plaintiffs had alleged that Viacom collected their gender, age range, and video materials requested and disclosed that information to Google for purposes of targeted advertising.  The court found that such information "does not link an identified person to a specific video choice" and, therefore, did not qualify as personally identifiable information within the meaning of the statute.  Accordingly, the court dismissed the claim.  Id. at *40, *46-47.[1]  Three other recent decisions have narrowed the field regarding what types of disclosure actually constitute "personally identifiable information" under the VPPA.  In Ellis v. Cartoon Network Inc., a plaintiff downloaded an app onto his Android device to watch cartoon video clips, after which the app allegedly transmitted his video-watching history and "Android ID" to a data analytics company without the plaintiff’s consent.   2014 U.S. Dist. LEXIS 143078 (N.D. Ga. Oct. 8, 2014).  The court dismissed the plaintiff’s VPPA claim, finding that an Android ID did not identify a particular person, and thus there was no violation of the VPPA.  
Id. at *8-9.  Similarly, in Eichenberger v. ESPN, the court held that the information allegedly disclosed to a third party (the plaintiff’s Roku device serial number and viewing records) did not fall within the VPPA’s definition of personally identifiable information ("PII").  No. 14-cv-0463 (W.D. Wash. Nov. 24, 2014).  It further added that while ESPN could be found liable for disclosing both "a unique identifier and a correlated look-up table" by which an individual could be identified as a particular person who watched particular videos, the plaintiff had not sufficiently supported his theory that Adobe already had such a "look-up table."  Finally, in Locklear v. Dow Jones & Co., the court dismissed the plaintiff’s claim that Dow Jones had distributed PII of consumers who used its Wall Street Journal Channel on Roku TV boxes to third parties, in violation of the VPPA.  No. 14-744 (N.D. Ga. Jan. 23, 2015).  The court rejected the plaintiff’s claims that third-party analytics providers could identify her based on Dow Jones’s disclosure of her Roku serial number and the video titles she watched.  In particular, the court deemed fatal the plaintiff’s admission that the third party had to incorporate information from ‘other sources’ in order to link her serial number to her; it concluded that the Roku serial number, without more, did not identify a particular person and did not constitute PII under the VPPA, and thus that no violation could be found. Still another key aspect of the recent VPPA decisions is whether particular plaintiffs fall within the VPPA’s definition of "consumers."  The VPPA defines "consumer" as a "renter, purchaser or subscriber of goods or services from a video tape service provider."  18 U.S.C. § 2710(a)(1).  Defendants have contended in recent VPPA cases that plaintiffs cannot be subscribers, and therefore are not consumers, simply by visiting a website.  
While courts seem to accept that visiting a website alone is insufficient, the threshold for qualifying as a subscriber is low.  For example, the Hulu court determined that the plain language of the statute did not require that plaintiffs pay for a company’s services to be considered subscribers.  In re Hulu Privacy Litig., 2012 WL 3282960 at *8 ("If Congress wanted to limit the word ‘subscriber’ to ‘paid subscriber,’ it would have done so.").  It was sufficient that plaintiffs alleged that "they signed up for a Hulu account, became registered users, received a Hulu ID, established Hulu profiles, and used Hulu’s video streaming services."  Id. at *7.  Likewise, in Ellis v. Cartoon Network, Inc., the court approved Judge Beeler’s analysis in Hulu and held plaintiff qualified as a subscriber, and accordingly, as a consumer, because "[h]e downloaded the CN App and used it to watch video clips.  His Android ID and viewing history were transmitted to [the data analytics company]." 2014 U.S. Dist. LEXIS 143078, at *5-*6. The courts have also recently analyzed the reach of the VPPA’s "ordinary course of business" exemption.  The VPPA provides this exemption for disclosures made for "debt collection activities, order fulfillment, request processing, and transfer of ownership."  18 U.S.C. § 2710(a)(2).  For instance, in Sterk v. Redbox, a district court granted summary judgment to Redbox, holding that its disclosure of consumer information to an outside party that provided customer support services was part of its ordinary course of business under the VPPA.  No. 11-1729, 2013 WL 4451223, at *5-6 (N.D. Ill. Aug. 16, 2013).  On appeal, the Seventh Circuit affirmed and held that Redbox’s actions fell within the VPPA’s exception for disclosures in the ordinary course of business–more precisely, disclosures incident to "request processing."  Sterk v. Redbox Automated Retail, LLC, No. 13-3037, 2014 WL 5369416, at *2-3 (7th Cir. Oct. 23, 2014). 
Finally, various plaintiffs have filed a series of lawsuits in the past year claiming that various online streaming media providers–such as CNN, The Wall Street Journal, and Disney–violated the VPPA.  As of this writing, there have been no substantive orders in these cases.  See, e.g., Perry v. CNN, No. 14-1194 (N.D. Ill.); Robinson v. Disney, No. 14-cv-04146 (S.D.N.Y.); Austin-Spearman v. AMC, No. 14-cv-06840 (S.D.N.Y.).

4.   ECPA Litigation and the "Contents of Communications"

Over the past several months, several federal courts have weighed in on the scope of the ECPA, providing further color to the statute’s definition of the "contents of communications."

Most notably, on May 8, 2014, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s dismissal of two putative class actions against Facebook and social gaming company Zynga in consolidated cases for alleged violations of the SCA, the federal Wiretap Act, and the ECPA.  In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014).  In Zynga, when a user clicked on an advertisement or the Zynga game icon on Facebook, the user’s web browser sent an HTTP request containing a "referer header" in order to access the online resource requested, which contained the user’s Facebook ID and the address of the Facebook page the user was viewing at the time.  According to the plaintiffs, Zynga’s collection and transmission of this information to third-party advertisers violated the ECPA.  The Ninth Circuit rejected the plaintiffs’ argument that Zynga’s actions violated the ECPA, holding that neither Facebook nor Zynga disclosed the "contents" of a communication, as required by the ECPA, in disclosing this referer header information to third-party advertisers.
In so holding, the Ninth Circuit reviewed the plain meaning and history of ECPA and concluded that it distinguishes between disclosure of customer "record information," such as name, address, and subscriber identity, which is permitted under the law, and disclosure of the "contents of communications," or the "intended message conveyed by the communication," which is not.  Zynga, 2014 WL 1814029 at *6-7.  The Ninth Circuit disagreed with the plaintiffs’ argument that a Facebook ID and/or information about the webpage a user was viewing constituted the "contents of communications" because such information could lead advertisers to learn other information about users.  Instead, the court concluded that the "referrer header information at issue here includes only basic identification and address information, not a search term or similar communication made by the user." Other federal courts have looked to Zynga for guidance in determining whether information constitutes the "contents of communications" under the ECPA.  For example, in July 2014, a New Jersey federal court dismissed six consolidated MDL class actions alleging that Viacom’s and Google’s practice of installing cookies on personal computers that were used by children to access three Nickelodeon websites violated several federal and state laws, including the Wiretap Act.  In re Nickelodeon Consumer Privacy Litig., MDL No. 2443, 2014 WL 3012873 (D.N.J. July 2, 2014) (see supra for discussion of VPPA claim in Nickelodeon case).  In dismissing the Wiretap Act claim, the court held in part that the cookies that were allegedly intercepted did not constitute the "contents of communications."  Id. at *14.  Citing Zynga, the court found that "contents" are defined as "information the user intended to communicate, such as the spoken words of a telephone call."  Id.  
Because personal information that is "automatically generated by the communication," such as an IP address or a URL, has "less in common with ‘the spoken words of a telephone call’" than it does with the telephone number dialed to initiate the call, the cookies allegedly intercepted were "more akin to ‘identification and address information.’"  Id. at *15 (quoting In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014)).  Additionally, in August 2014, Google won dismissal of a putative class action complaint alleging that Google violated ECPA, among other laws, by sending users’ contact information to developers when they used Google Wallet to make purchases.  Svenson v. Google Inc., No. 13-CV-04080-BLF, 2014 WL 3962820 (N.D. Cal. Aug. 12, 2014).  In dismissing the ECPA claim, the court noted that it did not "read Zynga so narrowly to mean that only automatically generated data may constitute record information," finding that the information at issue in the case–namely, the user’s name, email address, Google account name, home city and state, zip code, and in some instances, telephone number–is "the type of information that the Ninth Circuit recognized as record information in Zynga."  Id. at *9.

5.   California’s Song-Beverly Credit Card Act and Point-of-Service Data Collection

Since the California Supreme Court’s landmark 2013 decision in the Krescent case, 56 Cal. 4th 128 (2013), courts have continued to weigh in on the scope of California’s Song-Beverly Credit Card Act of 1971 ("Song-Beverly"), Cal. Civ. Code §§ 1747, et seq., which prohibits merchants from requesting or requiring a customer’s personal identification information as a condition of accepting a credit card payment.

The court in Krescent held that Song-Beverly "does not apply to online purchases in which the product is downloaded electronically."  56 Cal. 4th 128 at 133.
Krescent was a significant win for online retailers because–limited statutory exceptions notwithstanding, see Cal. Civ. Code § 1747.08(c)(3)(A)-(C)–the prohibitory language of Song-Beverly sweeps broadly, and those found in violation face potentially ruinous liability: merchants can face a civil penalty of up to $250 for the first violation and up to $1,000 for each subsequent violation.  Id. § 1747.08(e).  The court in Krescent declined to address Song-Beverly’s applicability to online transactions in general; the holding is expressly limited to purchases of electronically downloadable products.  See Krescent, 56 Cal. 4th at 143.  That said, the court based its decision heavily on what it identified as the California legislature’s primary intent when drafting the statute: to protect consumer privacy and prevent fraud.  Id. at 139-41.

While Krescent’s holding is fairly narrow, the court’s concerns and reasoning about credit card fraud are hardly unique to electronically downloadable products.  Indeed, since Krescent was decided, California courts have tended to place fraud prevention practices beyond Song-Beverly’s reach.  See, e.g., Flores v. Chevron U.S.A. Inc., 217 Cal. App. 4th 337, 340 (2013) (granting summary judgment because requiring California customers to enter ZIP codes in pay-at-the-pump gas station transactions in locations with a high risk of fraud constituted a "special purpose" under §1747.08(c)(4) of the Act).  Moreover, just a few months after Krescent, a California federal district court turned to the question that the California Supreme Court left open.  In Ambers v. Buy.com, Inc., No. 13-cv-0196, 2013 WL 1944430 (C.D. Cal. Apr.
30, 2013), the court held that Song-Beverly does not apply to the online sales of shipped goods because a shipping address–the piece of additional information which the plaintiff conceded the retailer was permitted to collect–was not "equivalent to the ‘brick and mortar’ retailer’s ability to ask for a photo identification card or another ‘reasonable form of positive identification’ as ‘a condition to accepting the credit card’ under Section 1747.08(d)."  Id. at *7.  Applying Krescent, another California federal court held that email addresses constitute "personal identification information" under Song-Beverly, prohibiting offline retailers from collecting email addresses in connection with the completion of credit card transactions.  Capp v. Nordstrom, Inc., No. 13-cv-660 MCE AC, 2013 WL 5739102 (E.D. Cal. Oct. 22, 2013).  In Capp, the court rejected the defendant’s argument that the California legislature could not have intended to include email addresses as "personal identification information" because the passage of Song-Beverly predated the use of email and e-receipts in consumer transactions.  Id. at *7-8.  The court concluded that the basis for the court’s ruling in Krescent was the unavailability of safeguards against fraud in online transactions–not the unforeseeable nature of online transaction technology generally.  Id.   Interestingly, the Ninth Circuit recently affirmed the dismissal of a putative class action alleging that Redbox Automated Retail LLC collects customers’ ZIP codes at Redbox kiosks in violation of the Song-Beverly Act, but it rejected the district court’s theory that Redbox was not liable because the California legislature could not have intended the statute to apply to automated kiosks due to the potential for fraud in kiosk transactions.  Sinibaldi v. Redbox Automated Retail, LLC, 754 F.3d 70, 705 (9th Cir. 2014).  
Instead, the court held that Redbox uses credit card information to secure potential future payments, conduct that falls within a statutory exception to Song-Beverly for transactions where the credit card is being used as a deposit to secure payment "in the event of default, loss, damage or similar occurrence" (Cal. Civ. Code § 1747.08(c)(1)).  Id. at 707.  It remains to be seen whether this novel holding will apply beyond the very narrow subset of businesses that engage in similar rental-type transactions.

California’s legislature has considered action in response to Krescent, Ambers, and the other cases described above.  The California Senate in January 2014 passed Senate Bill 383, which would expand Song-Beverly to apply to online transactions for downloadable goods, but the bill is stalled in committee and is "unlikely to move forward this year," according to a representative in the office of the bill’s sponsor.[2]  Certainty about Song-Beverly’s reach will come only when binding decisions are issued.  But such decisions may be especially elusive given the increasing tendency to settle these cases, as recent six-figure settlements by entities such as Kohl’s Corp. and Ann Taylor Inc. demonstrate.  Whittenburg v. Kohl’s Corp., No. 3:2011-cv-02320 (N.D. Cal.); Foos v. Ann Inc., No. 3:11-cv-02794 (S.D. Cal.).

6.   TCPA Litigation

In the past two years, the number of lawsuits alleging violations of the Telephone Consumer Protection Act ("TCPA"), 42 U.S.C. §§ 227 et seq., has exploded.  The likely draw for plaintiffs is the TCPA’s authorization for $500 to $1,500 per violation in statutory damages, which can be aggregated in class claims.  This increased pursuit of TCPA claims has led to several large settlements, including a 2014 settlement in which Capital One Financial Corp.
and three collection agencies agreed to collectively settle a putative class action suit for $75.5 million–the largest settlement to date under the TCPA.[3]  As companies continue to be targets for class action suits alleging TCPA violations, courts’ varying interpretations of the statute are particularly important. In recent years, courts and the Federal Communications Commission ("FCC") have expanded the scope of liability under the TCPA.  In May 2013, the FCC issued a declaratory ruling that sellers using third-party telemarketers can be vicariously liable for third-party violations of the TCPA under principles of agency.  See Joint Petition Filed by DISH Network, LLC, for Declaratory Ruling Concerning the Telephone Consumer Protection Act (TCPA) Rules, Declaratory Ruling, FCC 13-54, 2013 WL 1934349 (May 9, 2013).  The Ninth Circuit expanded upon the FCC’s ruling in Gomez v. Campbell-Ewald Co., 768 F.3d 871 (9th Cir. 2014), when it found that a third party, not just merchants, could be vicariously liable for violations of the TCPA.  See also Thomas v. Taco Bell Corp., 2014 U.S. App LEXIS 12547 (9th Cir. July 2, 2014).  Companies should also be aware of the potential for direct liability even when messages are distributed by third parties.  In Palm Beach Golf Center-Boca, Inc. v. John G. Sarris, D.D.S., P.A., the Eleventh Circuit found there was a genuine dispute as to whether a company could be directly liable for a fax sent on its behalf even when distributed by a third party.  2014 U.S. App. LEXIS 20870 (11th Cir. 2014).  The court reasoned that the TCPA provided for direct liability for an entity on whose behalf goods or services were promoted by unsolicited fax advertisements even though the unsolicited fax was sent by a third party.  Id. at *17.  Consent has been another area of focus for TCPA litigation.  
Effective October 2013, telemarketers must have express written consent prior to placing artificial or prerecorded telemarketing calls to a residential phone line or wireless number, sending text messages, or calling a wireless number using an automatic telephone system.  See In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 02-278, Report and Order, FCC 12-21, ¶ 4 (February 15, 2012).  The Eleventh Circuit has held that a district court did not have the authority to reject FCC rulings.  See Mais v. Gulf Coast Collection Bureau, Inc., 768 F.3d 1110 (11th Cir. 2014).  Specifically, the FCC ruling that autodialed and prerecorded message calls to wireless numbers provided by the called party to a creditor in connection with an existing debt are permissible, as calls made with the ‘prior express consent’ of the called party continues to control.  Id. at 1118.  Though express consent can be obtained through intermediaries, companies relying on intermediaries should confirm the obtaining of prior express written consent, inasmuch as they can still be liable under the TCPA.  See In the Matter of Groupme, Inc./Skype Commc’ns S.A.R.L Petition for Expedited Declaratory Ruling Rules & Regulations Implementing the Tel. Consumer Prot. Act of 1991, 29 F.C.C. Rcd. 3442 (March 27, 2014).  Express consent may become a powerful tool in defeating TCPA claims.  Courts have also continued to debate whether lack of consent is an element of TCPA claims or an affirmative defense–and consequently, who has the burden of proving that customers have or have not consented to receive certain calls, texts, or faxes.  In 2012, the Ninth Circuit suggested in dicta that lack of consent is an affirmative element of a TCPA claim.  See Meyer v. Portfolio Recovery Assocs., LLC, 707 F.3d 1036 (9th Cir. 2012).  Some courts have relied on this to hold that plaintiffs have the burden of proving non-consent.  See, e.g., Stemple v. 
QC Holdings, Inc., 2014 WL 4409817, at *6-7 (S.D. Cal. Sept. 5, 2014); Sepehry-Fard v. MB Fin. Servs., 2014 WL 2191994, at *2 (N.D. Cal. May 23, 2014).  Others have stated "prior express consent is not an element of a TCPA plaintiff’s prima facie case, but rather is an affirmative defense for which the defendant bears the proof."  Sailola v. Mun. Servs. Bureau, 2014 WL 3389395, at *7 (D. Haw. July 9, 2014); see also Heinrichs v. Wells Fargo Bank, N.A., 2014 U.S. Dist. 29910 (N.D. Cal. 2014) (distinguishing Meyer on the grounds that Meyer "did not decide whether lack of consent must be affirmatively pled to survive a Rule 12(b)(6) motion . . .").  Additionally, a number of circuits still consider the lack of consent an affirmative defense and thus impose the burden on the defendant to establish it.  See Mais, 768 F.3d at 1126 (remanding case with instructions to enter summary judgment in favor of defendant’s "affirmative defense" of prior express consent); see also Crawford v. Target Corp., 2014 U.S. Dist. LEXIS 159203, *7 n.3 (N.D. Tex. Nov. 10, 2014) ("The Court is unpersuaded by Defendant’s argument that lack of consent is an element of the claim that plaintiff must assert."); Paldo Sign & Display Co. v. Wagener Equities, Inc., 2014 U.S. Dist. LEXIS 123111, *21-22 (N.D. Ill. 2014).  Companies should remain informed as courts continue to grapple with these issues.  A requirement that plaintiffs prove lack of consent could substantially decrease the likelihood of TCPA class actions and, therefore, companies’ potential exposure to TCPA violations.

Another trend in TCPA case law has been the general consensus that customers have a right to revoke consent to be contacted by autodialing systems.  The Eleventh and Eighth Circuits have followed the Gager v. Dell Financial Services, 727 F.3d 265 (3d Cir. 2013) decision and the Third Circuit’s recognition of the right of revocation for consumers who no longer want to be contacted by autodialing systems.  Osorio v.
State Farm Bank, F.S.B., 746 F.3d 1242, 1255 (11th Cir. 2014); Brenner v. Am. Educ. Servs., 575 F. App’x 703 (8th Cir. 2014).  Companies should be sure to recognize when customers have revoked their consent to be contacted. Finally in 2014, courts grappled with the interpretation of "capacity" for automatic telephone dialing systems ("ATDS")–which are defined as equipment with the capacity: (a) to store or produce telephone numbers to be called, using a random or sequential number generator; and (b) to dial such numbers.  47 U.S.C. § 227(a)(1)(A)-(B).  Most courts have held that a device is considered an ATDS only if it has the present capacity to generate random phone numbers, not if it has the potential capacity to generate numbers or make phone calls.  See Hunt v. 21st Mortg. Corp., 2013 U.S. Dist. LEXIS 132574 (N.D. Ala. Sept. 17, 2013); Gragg v. Orange Cab Co., 995 F. Supp. 2d 1189 (W.D. Wash. Feb. 7, 2014); Dominguez v. Yahoo!, Inc., 8 F. Supp. 3d 637 (E.D. Pa. 2014).  However, it is possible that the potential capacity to generate numbers is relevant to the ATDS inquiry.  See Sherman v. Yahoo! Inc., 997 F. Supp. 2d 1129 (S.D. Cal. 2014).  Companies should also be aware of the possibility of liability for devices that have the capability to store and dial numbers, as at least one court has found that a predictive dialer constitutes an ATDS regardless of whether the system has the capability of random or sequential number generation.  See Davis v. Diversified Consultants, Inc., 2014 U.S. Dist. LEXIS 87867 (D. Mass. June 27, 2014). II.   Regulatory and Policy Developments       A.   FTC Enforcement Trends             1.   
Cybersecurity, Data Breaches, and Legal Challenges to the FTC’s Authority Having pursued more than 50 data security cases since 2000–and with almost half of those cases brought since 2010–the FTC has positioned itself as the de facto federal data-security regulator (despite the continuing lack of a clear congressional directive to fulfill this role).  In the past year, the FTC continued its aggressive pursuit of consent agreements related to cybersecurity and data breaches and other Internet- and mobile-related practices.  These consent agreements and settlements are detailed in Section II.A.3. Over the past three years, two companies have decided to test the FTC’s authority in this area in closely watched cases.  In 2014, a New Jersey federal court issued the first opinion by any court on whether the FTC has the authority to regulate in the data-security arena pursuant to Section 5 of the FTC Act.  In June 2012, the FTC filed suit against Wyndham Worldwide Corporation, a global hospitality company, alleging that (1) the breach of its franchisees’ computer systems, giving intruders access to Wyndham customers’ personal and financial information, constituted unfair business practices, and (2) Wyndham made deceptive representations to consumers that it employed reasonable and appropriate security measures.  Wyndham moved to dismiss the complaint, raising challenges to the FTC’s authority on two grounds.  First, Wyndham argued that Congress’s passage of various laws that touch on data security (including the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act ("COPPA")) has effectively limited the FTC’s authority to regulate data security issues.  The court rejected this challenge, holding instead that "the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme."  Second, Wyndham asserted that the FTC had failed to promulgate sufficiently clear regulations in violation of the due process clause.  
The court rejected this challenge as well, finding that the test established under Section 5(n) of the FTC Act, as well as the host of publicly available prior FTC complaints and consent orders, collectively provide actors with sufficient notice of what constitutes noncompliant activity.  The court’s order is currently being challenged in an interlocutory appeal before the Third Circuit, and a decision is expected in 2015.  Another company joined the fight with a more narrowly tailored challenge to the FTC’s data-security authority in November 2013.  LabMD, a cancer-screening medical laboratory, moved to dismiss an administrative complaint that the FTC filed against it in August alleging that it lacked appropriate data security and unfairly exposed the private health and personal data of more than 9,000 consumers.  LabMD argued that the "plain language [of Section 5 of the FTC Act] does not authorize patient-information data-security regulation," and that only the U.S. Department of Health and Human Services ("HHS") is empowered to regulate patient-information data-security practices within the healthcare sector.  The Commission–which has the authority to resolve such motions filed in connection with administrative proceedings–disagreed, finding instead that Congress had delegated it "broad authority . . . to determine what practices were unfair, rather than enumerating the particular practices to which [the term ‘unfair’ in Section 5] was intended to apply." LabMD further argued that even if the FTC shares joint regulatory authority with the HHS over the healthcare sector, the FTC’s failure to publish data-security regulations, guidance, or standards explaining what is forbidden or required by Section 5 nevertheless deprives LabMD and similarly situated entities of "constitutionally required fair notice."  
The Commission likewise rejected this argument, stating that "such complex questions relating to data-security practices in an online environment are particularly well-suited to case-by-case development in administrative adjudications or enforcement proceedings."  Nevertheless, the FTC’s administrative action against LabMD was delayed in June 2014, after a letter from a Republican-led House investigative committee surfaced claiming that crucial information in the FTC’s investigation provided by Tiversa, Inc.–a cybersecurity firm and a key player in the agency’s case–was incomplete and inaccurate.  The parties are currently awaiting the testimony of Rick Wallace, a former Tiversa employee, who was granted immunity by the Attorney General in November 2014. In addition to raising this aggressive defense in an administrative context, LabMD has also pursued a parallel strategy in federal court: in May 2014, the U.S. District Court for the Northern District of Georgia dismissed a motion for preliminary injunction filed by LabMD seeking to stay the FTC action.  The court found that it lacked jurisdiction to enjoin the ongoing proceedings of a federal agency.  LabMD appealed this decision to the Eleventh Circuit, arguing that the FTC’s actions are currently subject to judicial review because LabMD’s constitutional claims need not wait until the agency takes a final action and the Commission’s denial of LabMD’s motion to dismiss solidified the FTC’s position that its authority extends to regulation of medical data-privacy.  In a decision issued on January 20, 2015, the Eleventh Circuit rejected these arguments, ruling that federal courts don’t have jurisdiction to hear LabMD’s claim until the administrative proceeding concludes.  
The court reasoned that "[b]ecause we hold that the FTC’s Order denying LabMD’s motion to dismiss was not a ‘final agency action,’ as is required of claims made under the [Administrative Procedure Act]," the district court properly dismissed LabMD’s claims. Although we will continue to watch these cases with interest, one thing can be said with certainty: these legal challenges to the FTC’s regulatory power over data-security matters do not appear to have inhibited the FTC’s vigor for bringing enforcement actions in this realm.  In 2014, the FTC brought eight additional data security-related enforcement actions–all of which have resulted in consent orders.             2.   The U.S.-EU Safe Harbor On January 21, 2014, the FTC announced that it had settled with twelve U.S. companies over noncompliance with international privacy frameworks.  Two other companies were added to this list in February and May 2014.  After a public comment period, the FTC approved final settlement orders on June 25, 2014.  The companies had represented that they abided by the U.S.-EU Safe Harbor framework (and, in three cases, also the U.S.-Swiss Safe Harbor framework) by displaying certification signage or statements in their privacy policies.  The FTC alleged that in reality, the companies did not comply with these data protection frameworks. The U.S.-EU Safe Harbor enables U.S. companies to transfer consumer data from the European Union ("EU") to the United States in compliance with EU law.  To participate, a company must comply with the principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement.  After opting in, a company must recertify every twelve months.  It can either perform a self-assessment to verify that it complies with the principles or hire a third party to conduct this assessment.  
In this series of cases, the FTC focused on companies that allegedly allowed their self-certification to lapse while still asserting through website statements and privacy policies that their certifications were current.  The fourteen companies that settled with the FTC represent a cross-section of industries, including retail, laboratory science, data brokering, debt collection, information security, online gaming, and professional sports (including three NFL teams–the Atlanta Falcons, Denver Broncos, and Tennessee Titans).  Under the settlements, the companies agreed to cease misrepresenting the extent of their participation in privacy or data security programs sponsored by the government or any other self-regulatory or standard-setting organization.  This wave of consent decrees may be just the start of an increased focus on the Safe Harbor and the self-certification process at least in part in response to increased European scrutiny of U.S. data transfer and surveillance revealed by Edward Snowden. The FTC has also directed attention to third-party privacy certifications.  On November 17, 2014, the FTC announced a settlement with True Ultimate Standards Everywhere, Inc. ("TRUSTe").  TRUSTe is a leading provider of privacy certifications for online businesses.  TRUSTe provides certification seals that indicate that an online business complies with privacy standards such as the U.S.-EU Safe Harbor Framework, the COPPA, and TRUSTe-specific programs.  The FTC’s complaint alleged that TRUSTe represented that it conducted annual recertification of businesses displaying its privacy seals but in fact failed to conduct these recertification examinations in over 1,000 instances.  The complaint also alleged that TRUSTe–which converted from a non-profit to a for-profit entity in 2008–failed to require businesses to update website and privacy policy language that referred to TRUSTe as a non-profit entity.  
Under the consent order, TRUSTe will be required to refrain from misrepresenting its certification process or timeline as well as its corporate status.  TRUSTe will also be required to pay $200,000 and to provide increased reporting and records to the FTC in relation to its COPPA certification activities.             3.   High-Profile FTC Consent Decrees                     a.   Consent decrees regarding faulty data security practices Much of the FTC’s work in the data security arena involves policing companies’ adherence to advertised security policies and practices via consent decrees and settlements.  For example, in March 2014, Fandango and Credit Karma settled with the FTC over charges that the companies’ apps had placed consumers’ personal data at risk, in contravention of the companies’ security promises, by disabling SSL certificate validation.[4] According to the FTC, this left the apps open to interception of data by third parties, particularly when users were connected on a public Wi-Fi network. [5]  These settlements require Fandango and Credit Karma to establish comprehensive security programs and consent to biennial privacy audits for the next twenty years.  The Fandango and Credit Karma settlements are indicative of the settlement conditions the FTC routinely seeks (and obtains) in data security consent decrees.  Indeed, several other settlements in the past year include nearly identical terms.  For example, recent settlements with Accretive Health,[6] Genelink,[7] and GMR Transcription Services, Inc.[8] all include requirements that the companies adopt comprehensive information security programs and undergo biennial monitoring for the next twenty years. A recent high-profile decision by the FTC not to sue Verizon, meanwhile, offers some insights into steps that companies can take to minimize the likelihood of this type of intrusive and far-reaching consent decree.  
The FTC was investigating Verizon’s use of an outdated encryption method as the default security setting on Internet routers that Verizon shipped to customers.[9]  The practice allegedly made Verizon customers vulnerable to hackers.[10]  After investigation, however, the FTC declined to bring a complaint and cited factors including "Verizon’s overall data security practices related to its routers, along with efforts by Verizon to mitigate the risk to its customers’ information."[11]  In addition to having relatively robust data security policies, Verizon aggressively responded to the router issue by resetting all new routers with a more robust security setting and implementing an outreach campaign to all customers who were using the outdated security standards.[12]   Notably, the FTC’s letter emphasized that "data security is an ongoing process" and that "what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them."[13]   Though the full import of the FTC decision not to bring an action against Verizon has yet to be determined, the letter at least affirms that the FTC will consider a company’s overall data security practices and responsiveness in light of a quickly evolving threat landscape.                      b.   Consent decrees regarding deceptive practices in collection of PII  The FTC also continued its crackdown on deceptive practices related to the use of PII throughout the past year, particularly related to various technology companies, from the perspective of both web and mobile applications.  Snapchat, the popular communications app, settled charges of misleading consumers over exactly how much PII it was collecting, as well as users’ abilities to store and share messages that Snapchat claimed were only temporary and would disappear.[14]  In addition, failure to secure certain PII resulted in release of nearly five million user names and phone numbers following a serious data breach.  
As a part of the settlement, Snapchat is subject to ongoing privacy monitoring for the next twenty years.  The FTC was clear that it focused on Snapchat in part due to its business model focused on privacy.  According to the FTC, "If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises….  Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action."[15] In another app settlement, the FTC settled with mobile app developer Goldenshores Technologies, LLC ("Goldenshores") over allegations its popular app, "Brightest Flashlight Free app," collected much more personal information than disclosed.[16]  In fact, the app collected precise geolocation information, along with persistent device identifiers, and then shared that information with third parties, including advertising networks.  Notably, the app was already collecting and sending information to third parties–even before the user had accepted the deficient terms in the end user license agreement.  The settlement required Goldenshores to provide a "just-in-time" disclosure, fully informing consumers when, how, and why their geolocation information is being collected, used and shared, and requires affirmative opt-in from consumers prior to collection.  Finally, in a parallel set of actions, against both the entity and its principal, the FTC entered into a proposed consent order with PaymentsMD, LLC ("PaymentsMD") and Michael Hughes (former CEO, sole employee, and partial owner of PaymentsMD).[17]  PaymentsMD obtained consumer authorization to collect sensitive health information for one purpose–to track medical bills–but in fact was using that authority to collect other sensitive health information, including treatment information, from various third parties.  In turn, PaymentsMD then used that information to create a comprehensive "Patient Health Report" for each consumer.  
The FTC has proposed enjoining Hughes and PaymentsMD from continuing this activity, along with increasing disclosures to consumers regarding exactly what information will be collected, and what it will be used for.                     c.   Consent decrees regarding app purchases by children In the past year, the FTC also reached high-profile consent agreements with technology companies over accusations that the companies unfairly charged consumers for application purchases made from applications downloaded from mobile application stores.[18]  The FTC alleged that these companies violated Section 5 of the FTC Act by failing adequately to notify parent account holders that entering a password to install an application or to approve an in-app purchase would open up a window of fifteen minutes or more where a user could make subsequent in-app purchases without further authorization.[19]  This led to instances where children made purchases within applications, without parental approval.  As part of the settlement agreement, the companies must provide a refund to users who incurred such unauthorized or accidental charges.  Furthermore, the companies must obtain express consent from customers before billing them for in-app purchases.                     d.   Settlements over mobile cramming The FTC also reached settlement agreements with several online marketing and advertising companies over allegations that they engaged in a pattern of unfair and deceptive advertising by sending unwanted text messages to millions of consumers.  The FTC alleged that these companies sent text messages to consumers with offers for supposedly free merchandise as part of a scheme to collect and sell consumer information, cram unwanted charges on their mobile bills, and drive them to paid subscriptions for affiliate services.  
As part of the agreements, the accused companies agreed to pay over $9.2 million in damages and stop engaging in similar unlawful and deceptive business practices in the future.  In related settlements, the FTC reached agreements with two telecommunications providers over allegations the companies unlawfully charged their customers with unwanted third-party mobile services.  The FTC noted that the companies did not take steps to fix the issue despite a large number of customer complaints about unauthorized third-party charges, and instead crammed the charges deep in phone bills.  In addition to paying fines to the FTC and state attorneys general, the companies agreed to provide refunds to their customers for the unauthorized charges.       B.   The FTC’s Revised COPPA Rule In recent years the FTC has maintained an aggressive focus on children’s privacy–perhaps most notably by revising the COPPA Rule to reflect changes in technology in 2013.  The COPPA Rule was originally mandated under the Children’s Online Privacy Protection Act of 1998, and it requires operators of websites or online services that are directed at children under 13, or that have actual knowledge that they are collecting personal information from children under 13, to notify parents and get their verifiable consent before collecting, using, or disclosing such information.  The COPPA Rule also requires operators who fall within the above parameters to take steps to protect and secure any personal information that they collect from children under 13.  After more than two years of FTC review, and following approval by the Commission in December 2012, a revised version of the COPPA Rule went into effect on July 1, 2013.  Amendments to the Rule give parents greater control over the online collection of their children’s personal information.  
Under this revised COPPA Rule, the term "website or online services" is now broadly defined to include: standard websites; mobile apps that send or receive information online; Internet-enabled gaming platforms; plug-ins; advertising networks; Internet-enabled location-based services; and voice-over Internet protocol services.  The term "personal information" now includes: full name; home or other physical address including street name and city or town; online contact information like an email address or other identifier that permits someone to contact a person directly–for example, an IM identifier, VoIP identifier, or video chat identifier; screen name or user name where it functions as online contact information; telephone number; Social Security number; a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier; a photo, video, or audio file containing a child’s image or voice; geolocation information sufficient to identify a street name and city or town; or other information about the child or parent that is collected from the child and is combined with one of these identifiers. Additionally, operators are required to post a "privacy policy" that clearly and comprehensively describes how personal information is collected from children under 13, including by any affiliated collectors (for example, via website plug-ins or ad networks of which the operator is a member).  This closes a loophole that existed under the previous iteration of the COPPA Rule.  This privacy policy must include a list of all operators collecting this information, as well as a description of parental rights, and in fulfilling this final requirement, operators must implement a situationally reasonable "verification" method for obtaining affirmative parental consent.  
The COPPA Rule Amendments added several new methods that operators may use to obtain parental consent, including: electronic scans of signed parental consent forms; video-conferencing; use of government-issued identification; and alternative payment systems, such as debit cards and electronic payment systems (provided that they meet certain criteria).  In December 2013, the FTC approved knowledge-based identification as an additional verifiable parental consent method, provided that the process uses dynamic, multiple-choice questions that are difficult for a child to guess the answers to.  Once an operator collects information from children under 13, the revised COPPA Rule imposes heightened ongoing duties to adopt reasonable procedures for data retention and security–including limitations on when, and to whom, this information can subsequently be released.  The FTC has also conferred "safe harbor" status on seven designated organizations, empowering them to create comprehensive self-compliance programs for their own members. Companies that voluntarily become members of one of these participating organizations are generally subject to intra-organizational review and disciplinary procedures, in lieu of formal FTC investigation and law enforcement.  The COPPA Rule safe harbor programs currently recognized by the FTC include: iKeepSafe; kidSAFE; Aristotle International, Inc.; Children’s Advertising Review Unit of the Council of Better Business Bureaus; ESRB Privacy Certified; PRIVO; and TRUSTe.  
The FTC initially suspended enforcement of these 2013 revisions to allow companies time to develop and deploy conforming policies–but this grace period ended in September 2014, when online review site Yelp, Inc., and mobile app developer TinyCo, Inc., separately agreed to settle charges that they improperly collected children’s information in violation of the COPPA Rule.[20]  Under the terms of these respective settlements, Yelp agreed to pay a $450,000 civil penalty, TinyCo agreed to pay a $300,000 penalty, and both companies agreed to submit compliance reports to the FTC in 2015 outlining revamped internal COPPA Rule compliance programs.  Most recently, on December 17, 2014, the FTC sent a letter to BabyBus, a China-based developer of mobile applications directed to children, warning that the company may be in violation of the revised COPPA Rule because it appears to collect precise geolocation information about its users without obtaining parental consent beforehand. The 2013 revisions to the COPPA Rule–and the FTC’s aggressive enforcement of these provisions in late 2014–suggest that this is likely to be an area of continuing FTC focus for the foreseeable future.  Accordingly, businesses should take reasonable precautions to ensure that their data collection and storage policies are fully in compliance with the revised COPPA Rule.       C.   FCC Guidance and Amendments to the TCPA In October 2013, a report and order by the FCC modifying the implementation rules and regulations of the TCPA went into effect.  See Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 02-278, Report and Order, 27 FCC Rcd. 1830 (2012) (hereinafter the "FCC Guidance").  The modifications include requiring prior express written consent for telemarketing calls to wireless numbers and residential lines and eliminating the business relationship exemption for telemarketing calls to residential lines.  Id. at 1831, par. 
2.[21]  The FCC stated that the changes were made to offer greater protections to consumers in the privacy arena and to maximize consistency with the analogous rules of the FTC.  Id.  Over the past year, these rules have led to an increase in TCPA litigation.  See Section I.B.6. Along with the increase in TCPA litigation, a related development is the increasing number of entities petitioning the FCC to make rulings interpreting various provisions of the TCPA.  There are currently over 20 petitions pending before the FCC asking the Commission to clarify the applicability of the TCPA to issues such as: (1) the definition of the called party as the intended recipient of a call;[22] (2) the delivery of voicemails directly to users;[23] (3) the revocation of prior express consent for non-telemarketing calls;[24] (4) the definition of an automatic telephone dialing system;[25] (5) vicarious liability for individuals who aid telemarketers;[26] (6) liability for calls to reassigned cell phone numbers;[27] (7) liability for social network text-messaging systems;[28] (8) liability for automatic text messages generated in response to user requests;[29] (9) the requirement of prior express consent for notifications to users affected by data breaches and suspicious transactions;[30] and (10) the implementation of call blocking technology.[31]  These open petitions underscore the wide variety of unresolved TCPA issues that impact TCPA litigation today. The FCC closed out only a few of these petitions during the past year.  In two rulings issued on March 27, 2014, the Commission interpreted provisions of the TCPA that prohibit auto-calling or auto-texting cell phones without the recipients’ prior express consent.  See Order, In re GroupMe, Inc./Skype Communications S.A.R.L Petition for Expedited Declaratory Ruling, 59 Communications Reg. (P&F) 1554 (F.C.C. Mar. 27, 2014); see also In the Matter of Cargo Airline Assn. Pet. for Expedited Declaratory Ruling, 59 Communications Reg. 
(P&F) 1509 (F.C.C. Mar. 27, 2014).  In the GroupMe ruling, the FCC found that text-based social networks may send administrative text messages confirming consumers’ interest in joining text message groups, without violating the TCPA.  The Commission found that the consumers must provide express consent to participate in the groups but that the consent may be conveyed to the text-based social network by an intermediary.  In the Cargo Airline ruling, the FCC granted an exemption under the TCPA to allow package delivery services to provide automatic delivery notification alert calls and texts to cell phones of recipients of packages, even without their prior express consent.  However, this exemption was granted only under narrow conditions: the sender of the package must indicate that the recipient consents; the delivery notifications must be purely informational; the recipient of the call/text must not be charged; and the recipient must be able to easily opt out of future messages.  Finally, in an October 2014 ruling addressing issues raised by 24 pending FCC petitions, the Commission decided that the TCPA required "opt-out" language on all fax advertisements, even those sent with the prior express consent of the recipient.  In the Matter of Rules & Regulations Implementing the Tel. Consumer Prot. Act of 1991, 61 Communications Reg. (P&F) 671 (F.C.C. Oct. 30, 2014).  The ruling also granted a retroactive waiver to the petitioners and other similarly situated parties since the requirement was previously ambiguous.       D.   
The NIST Cybersecurity Framework On February 12, 2014, the National Institute of Standards and Technology ("NIST") released its Cybersecurity Framework (the "Framework").[32]  The Framework is NIST’s response to President Obama’s direction set forth in Executive Order 13636, Improving Critical Infrastructure Cybersecurity, to develop a voluntary cybersecurity framework for reducing cybersecurity risk to critical infrastructure.[33]  The Framework is intended to provide a "prioritized, flexible, repeatable, performance-based, and cost-effective approach"[34] to assist organizations in the critical infrastructure sectors to manage cybersecurity risk.  NIST developed this Framework based on input from various constituencies regarding existing standards, guidelines, and best practices for managing cybersecurity threats.  The process involved more than 3,000 critical infrastructure owners and operators, industry leaders, government partners, and other stakeholders.  The final Framework was released with the guidance that it is to be a "living" document shaped by user feedback and experiences.[35] The Framework, which is essentially a voluntary cybersecurity risk management tool, is intended to encourage private and public sector organizations to develop more effective approaches to managing cybersecurity threats.  The voluntary Framework is specifically intended to serve as a resource for organizations in the sixteen critical infrastructure sectors identified by the Administration.  The Framework broadly defines "critical infrastructure" to include both organizations traditionally associated with national security, such as those in the defense industrial base, and organizations that one may not automatically associate with national security concerns, such as food- and agriculture-related enterprises, commercial facilities (including sports arenas, shopping malls, and apartment buildings), and certain manufacturing enterprises. 
The Framework seeks to provide a common language and mechanism for organizations to achieve five main objectives: (1) describe their current cybersecurity posture; (2) describe their target state for cybersecurity; (3) identify and prioritize opportunities for improvement within the context of risk management; (4) assess progress toward the target state; and (5) foster communication among internal and external stakeholders.[36]  The Framework itself comprises three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.  The Core consists of five Functions–Identify, Protect, Detect, Respond, and Recover–that provide a high-level strategic categorization of cybersecurity risks.[37]  These functions are, in turn, broken into categories and subcategories, and matched with existing domestic and international standards, guidelines, and best practices.[38]  The Framework Profile is designed to align industry standards and best practices with the specific business requirements, resources, and risk tolerance of an organization.[39]  Organizations can use the Profile to develop a roadmap to reduce cybersecurity risks and conduct self-assessments.  The final part, the Implementation Tiers, categorizes an organization’s cybersecurity practices into one of four levels based on the organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.[40]  This categorization allows organizations to assess their cybersecurity practices, ranging from informal, reactive implementations to flexible and risk-informed approaches.  
In conjunction with the release of the Cybersecurity Framework in February 2014, NIST also published a Cybersecurity Framework Roadmap that detailed high-priority areas for development, alignment, and collaboration, with the intent to address these areas in future versions of the Cybersecurity Framework.[41]  These areas include the development of better identity and authentication technologies, automated indicator sharing, conformity assessments, data analytics, the cybersecurity workforce, supply chain risk management, and technical privacy standards.[42]  Pursuant to the Roadmap, NIST continues to serve as a convener and coordinator to assist organizations in private industry and the public sector to understand, use, and improve the Framework. Throughout 2014, NIST continued engagement with and sought input from stakeholders in government, industry and academia.  NIST focused specifically on the topic of privacy engineering, which "focuses on providing guidance to information system users, owners, developers and designers that handle personal information."[43]  Despite the significance of privacy today, the field has yet to fully develop models, technical standards and best practices for the protection of individuals’ privacy and civil liberties.  NIST held two privacy engineering workshops, one in April and a second in September, to address this gap and consider draft privacy engineering definitions and concepts.[44] NIST has also sought to increase awareness of the Framework and encourage organizations to use the Framework as a tool to manage cybersecurity risks.  
For instance, NIST issued a formal Request for Information in August to solicit feedback on the level of awareness of the Framework and the Roadmap and initial experiences with the Framework from critical infrastructure organizations as well as government organizations and other stakeholders, including consumers and solution providers.[45]  And in October 2014, NIST hosted a workshop to gather input from critical infrastructure stakeholders about their awareness of and initial experiences with the Framework.[46]  These engagement efforts are intended to inform NIST’s planning and decision-making relating to the Framework, including both future versions of the Framework as well as the development of tools and resources to enable more effective use of the Framework.  In addition, the RFI responses are intended to inform the Department of Homeland Security’s Critical Infrastructure Cyber Community C3 Voluntary Program, which was established as a public-private partnership to increase awareness and use of the Framework.[47] In 2015, NIST will continue to focus on increasing awareness of the Framework and facilitate its use through the development of information and training materials.[48]  NIST does not intend to revise the Framework itself in 2015, although it will continue to focus on the areas identified in the Roadmap.[49]  NIST plans to develop publicly available reference materials that will help organizations understand how to better use the Framework and how to integrate the cybersecurity risk management approach of the Framework into an organization’s broader risk-management program.[50]  Finally, NIST expects to continue to hold workshops, webinars, and similar meetings with stakeholders on the Framework. III.   Legislative Developments In the United States, legislative debates in the past two years have focused on disclosures of the NSA’s surveillance programs, data breach notification laws and cybersecurity, digital privacy, and other issues.  
At the federal level, there has been much debate but little progress on passage of legislation in these areas.  In the days leading up to the State of the Union address on January 20, 2015, the White House announced a new legislative proposal outlining significant cybersecurity and data privacy initiatives intended to reboot the administration’s stalled efforts to pass cybersecurity legislation over the last few years.  Meanwhile, several states have moved to fill the void left by perceived Congressional inaction.        A.   Proposed Federal Data Breach Notification and Cybersecurity Legislation             1.   Legislation Arising From Prominent Retailer Data Breaches The many attacks on computer systems of major companies over the past year (discussed in detail in Section I.B.1 above) inspired a wave of legislation aimed at preventing such massive data breaches.  One prominent piece of proposed legislation is the Personal Data Privacy and Security Act of 2014, S. 1897, sponsored by Senator Patrick Leahy (D-VT) and cosponsored by five Democratic senators, which was introduced in the Senate on January 8, 2014.  An identical version of this bill was sponsored in the House by Rep. Carol Shea-Porter (D-NH) and introduced on February 4, 2014 (H.R. 3990).  This proposed legislation would create a federal standard for notifying customers of a data breach and impose additional restrictions on the storage of customer data, including requiring the implementation of a comprehensive data privacy security program.  Specifically, the bill would require businesses to comply with FTC guidelines for the protection of sensitive personally identifiable information and implement comprehensive personal data privacy and security programs.  
In addition, businesses would be required to: (1) identify reasonably foreseeable vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of sensitive information; (2) assess the likelihood of and potential damage from unauthorized access to, or disclosure, use, or alteration of sensitive information; (3) assess the sufficiency of their policies, technologies, and safeguards to minimize risks from unauthorized access, disclosure, use, or alteration of sensitive information; (4) assess the vulnerability of sensitive information during destruction and disposal of such information; (5) design their personal data privacy and security programs to control risks; (6) adopt measures commensurate with the sensitivity of the data as well as the size, complexity, and scope of activities of the entities that control access to systems and facilities containing sensitive information; (7) establish procedures for minimizing the amount of sensitive information maintained; and (8) take steps to ensure appropriate employee training and regular testing of key controls, systems, and procedures of the entity’s personal data privacy and security program.  Senator Leahy’s bill defines "personally identifiable information" broadly; the definition includes "any information, or compilation of information, in electronic or digital form that is a means of identification."  It would exempt from its provisions, however, certain financial and health-care institutions already subject to the data security requirements of the Gramm-Leach-Bliley Act or HIPAA.  The Senate bill is currently in the Committee on the Judiciary, where it has remained since January 2014.  In February 2014, the House bill was referred for consideration to the Committees on the Judiciary, Energy and Commerce, Financial Services, Oversight and Government Reform, and the Budget. Another bill introduced the same week, the Data Security Act of 2014, S. 
1927, sponsored by Senator Tom Carper (D-DE) and cosponsored by Senator Roy Blunt (R-MO), would provide "clarity and certainty to all parties involved" by setting up a coherent set of national standards to replace the "patchwork" of 49 separate data security laws in U.S. states and its territories, according to the bill’s sponsors.  The Data Security Act’s definition of personal information requiring protection is narrower than the definition in Senator Leahy’s bill, and it explicitly excludes "publicly available information that is lawfully made available to the general public," and omits, for example, biometric data.  The bill would require notification of affected individuals only in the event of a breach that discloses information "reasonably likely to be misused in a manner causing substantial harm or inconvenience" (S. 1927, § 3(c)), while Senator Leahy’s bill requires notification when there is a "reasonable basis to conclude" that access to the information "is for an unauthorized purpose" (S. 1897, § 3(10)(A)).  The Data Security Act has been under consideration by the Committee on Banking, Housing, and Urban Affairs’ Subcommittee on National Security and International Trade and Finance since February 2014. Additionally, the Data Security and Breach Notification Act of 2014, S. 1976, sponsored by Senator John D. Rockefeller IV (D-WV) with three cosponsors, would–like Senator Leahy’s bill–give the FTC authority to set security standards for companies that hold consumers’ personal and financial information, and would also obligate companies to notify affected customers "following the discovery of a breach of security" of their data system.  The bill defines "breach of security" broadly: it is a compromise in data security that results in "unauthorized access to or acquisitions of personal information." 
Like Senator Carper’s bill, Senator Rockefeller’s bill defines "personal information" more narrowly than Senator Leahy’s bill; such information includes any "non-truncated social security number," credit card/account number with the access code or password "that is required for an individual to withdraw funds, or engage in a financial transaction," or an individual’s full name in combination with another piece of specific identifying information, such as a driver’s license number, unique account identifier, or biometric data.  See S. 1976 § 6(9)(a).  No action has been taken on this proposed legislation since its referral to the Committee on Commerce, Science, and Transportation on January 30, 2014.             2.   Cybersecurity Legislative Efforts Following President Obama’s call for comprehensive cybersecurity legislation in his 2013 State of the Union address, members of Congress proposed several bills in that area, but it is unclear whether any legislation will soon pass. Most notably, the Cyber Intelligence Sharing and Protection Act ("CISPA"), H.R. 624, introduced by Rep. Mike Rogers (R-MI), would create procedures for private entities to share cybersecurity threats with the Director of National Intelligence.  The bill was approved by the House and is in the Senate Select Committee on Intelligence. In November 2013, Department of Homeland Security ("DHS") Acting Undersecretary for National Protection and Programs Suzanne Spaulding called for legislation to exempt certain critical infrastructure operators (including banks and power grids) from liability for providing information about cyberattacks to the Department.  No movement on such specific legislation has yet occurred.  However, there has been a recent flurry of related legislation.   Congress passed two related statutes pertaining to cybersecurity and federal agencies as attachments to the Border Patrol Agent Pay Record Act, S. 1691.  
The first, the DHS Cybersecurity Workforce Recruitment and Retention Act of 2014, authorizes DHS to establish cybersecurity positions in the agency as positions in the "excepted service" and not subject to the regular federal pay scale, and sets forth DHS’s authority to make appointments, fix pay rates, and provide incentives and allowances for such positions.  The second, the Homeland Security Cybersecurity Workforce Assessment Act, further requires federal agencies to identify and code cybersecurity workforce positions within the agency, directs each agency head to submit a report identifying critical needs in the agency’s cybersecurity workforce, and requires the Office of Management and Budget ("OMB") to provide guidance to agencies on identifying cybersecurity workforce needs.  The President signed both bills into law on December 18, 2014. Relatedly, the Cybersecurity Workforce Assessment Act, introduced as H.R. 2952 by Rep. Patrick Meehan (R-PA) on August 1, 2013, and signed into law by President Obama on December 18, 2014, directs DHS to develop a comprehensive strategic plan to enhance the readiness, capacity, training, recruitment, and retention of the cybersecurity workforce of DHS, and to report to Congress about the progress of certain critical infrastructure security technologies.  The statute requires DHS to develop a plan for a Cybersecurity Fellowship Program offering a tuition payment plan for students pursuing undergraduate and doctoral degrees who agree to work for DHS for an agreed-upon period of time. The National Cybersecurity and Critical Infrastructure Protection Act, H.R. 3696, introduced by Rep. Michael T. McCaul (R-TX) with three cosponsors, would require the Secretary of Homeland Security to conduct and share the results of certain cybersecurity activities.  
It also would establish a federal civilian information sharing interface to share cyberthreat information among public and private entities and critical infrastructure owners and operators.  The bill was approved by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies in January 2014, and was to be reported in February by the full Homeland Security Committee.  While there has been no further action since February, President Obama recently signed into law similar legislation, the National Cybersecurity Protection Act of 2014 (introduced as S. 2519 by Sen. Thomas Carper (D-DE) on June 24, 2014).  This statute codifies DHS’ National Cybersecurity and Communications Integration Center ("NCCIC") as a "federal civilian interface" to provide both federal and nonfederal entities "shared situational awareness" to address cybersecurity risks, coordinate the sharing of cybersecurity information, conduct and share analysis and provide technical assistance and recommendations on network security.  Notably, the statute makes clear that nothing in the Act shall be construed as providing new regulatory authority.  The CyberSecurity Enhancement Act of 2014 (introduced as S. 1353 by Sen. John Rockefeller (D-WV) on July 24, 2013), signed into law by President Obama on December 18, 2014, codifies NIST’s process for developing industry-driven, consensus-based, voluntary cybersecurity standards for critical infrastructure.  Also without conferring any new regulatory authority, it directs and authorizes the federal government to support research, raise public awareness of cyber risks, and improve the nation’s cybersecurity workforce.  Finally, Congress recently passed two more general statutes that address cybersecurity on a more administrative level.  First, the Consolidated and Further Continuing Appropriations Act, H.R. 83, was signed into law on December 16, 2014 at Public Law No. 113-235.  
The relevant provision prohibits the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation from acquiring high-impact or moderate-impact information systems without first assessing the risk of cyberespionage or sabotage associated with the acquisition of such systems from any country posing a cyber threat, including China.  The legislation further directs the Securities and Exchange Commission to submit a report to Congress on its efforts to modernize disclosure requirements, including an update on cybersecurity.  The Federal Information Security Modernization Act of 2014, signed by President Obama on December 18, 2014, codifies DHS’ role in administering the implementation of information security policies and practices in civilian federal information systems, while retaining OMB’s role in overseeing the security of federal government information systems generally.  It further describes the information security responsibilities of various federal agencies, including eliminating the requirement that such agencies file annual checklists that show the steps taken to secure systems.  Instead, the statute requires agencies to continuously diagnose and mitigate against cyber threats and vulnerabilities.  The statute overall increases DHS’ role in overseeing the cybersecurity efforts of federal agencies.             3.   Health Exchange Security and Transparency Act On January 10, 2014, the House of Representatives passed the Health Exchange Security and Transparency Act of 2014 ("H.R. 3811") by a 291-122 vote.  This bill would require the Department of Health and Human Services to notify consumers participating in health insurance marketplaces (also known as insurance exchanges) of any breach of their personal information within two days of discovering a breach.  
The one-sentence bill, introduced by Representative Joe Pitts (R-PA) and 75 cosponsors on January 7, 2014, would apply to "any system maintained" by a federal or state-run insurance exchange. Dozens of House Democrats sided with Republicans in support of H.R. 3811, likely in response to the epidemic of nationwide cybersecurity breaches and well-publicized issues surrounding the rollout of the HealthCare.gov website.  After passage by the House, the bill was referred to the Senate Committee on Health, Education, Labor, and Pensions.  To date there has been no action in the Senate.  The White House issued a statement opposing H.R. 3811, stating that the measure "would impose an administratively burdensome reporting requirement that is less effective than existing industry standards and those already in place for federal agencies that possess such information."[51]               4.   The Law Enforcement Access to Data Stored Abroad Act On September 18, 2014, Senators Orrin Hatch (R-UT), Chris Coons (D-DE) and Dean Heller (R-NV) introduced bipartisan legislation in the Senate that would amend the ECPA to address conflicts of laws and safeguard Americans’ electronic data stored abroad.  ECPA, discussed in detail above in Section I.B.4, seeks to balance individuals’ rights to privacy of electronic communications and the legitimate needs of law enforcement to access records stored by service providers by authorizing governmental entities to obtain certain categories of data from providers using warrants and subpoenas.  However, ECPA does not extend this power extraterritorially, and therefore, does not permit courts to issue warrants for law enforcement to seize covered data that service providers store abroad.  The Law Enforcement Access to Data Stored Abroad ("LEADS") Act, S. 
2871, would amend ECPA to explicitly require a search warrant (and authorize the issuance of such extraterritorial warrants) for law enforcement to obtain the contents of electronic communications stored overseas which belong to a "U.S. person"–defined as a U.S. citizen, permanent resident, or company incorporated in the U.S.  To address a concern of service providers, the LEADS Act also would require the court to modify or vacate the warrant if compliance would require the service provider to violate the laws of the country in which the electronic data is stored.  To address users’ data privacy interests, the bill would require notifying the user of the warrant, the law enforcement inquiry, and any user data disclosed pursuant to the warrant, although notice may be delayed for up to 10 business days.  The proposed bill is currently in the Senate Judiciary Committee.             5.   Protecting Student Privacy Act On July 30, 2014, Senator Edward Markey (D-MA) introduced the Protecting Student Privacy Act of 2014.  The bill currently has three cosponsors in the Senate.  This proposed legislation would require all state educational agencies or institutions receiving federal funding to implement information security policies that: "(i) protect personally identifiable information from education records maintained by the educational agency or institution; and (ii) require each outside party to whom personally identifiable information from education records is disclosed to have information security policies and procedures that include a comprehensive security program designed to protect the personally identifiable information from education records."  S. 2690, § 2(2).  The bill was introduced amid increased concern over how schools are using the sensitive student data they collect and seeks to amend the Family Education Rights and Privacy Act of 1974 to address this concern. 
The bill would further safeguard student data by requiring each educational agency or institution receiving federal funds to ensure that any third party with access to student data holds the data in a manner that gives parents the right to access the information and to challenge, correct, or delete inaccurate information, to have a policy that promotes data minimization, and to have a policy requiring that personally identifiable information is destroyed when no longer needed for the specified purpose of its collection.  The bill has been in the Senate Committee on Health, Education, Labor, and Pensions since July 30, 2014.             6.   Do Not Track Kids Act The Do Not Track Kids Act of 2013 (H.R. 3481; S. 1700), sponsored in the House of Representatives by Rep. Joe Barton (R-TX) and 46 cosponsors, and sponsored in the Senate by Senator Edward Markey (D-MA) and four cosponsors, was introduced as a response to what the sponsors say is an increasing amount of time spent online among children, especially through the use of mobile devices, and at younger ages.  The bill addresses the collection, use, and disclosure of the personal information of children and minors, following a failed attempt to enact a similar law in 2011.  It would update the COPPA, discussed previously in the context of FTC enforcement in Section II.B., which requires operators of commercial websites and online services directed to children under the age of 13 to abide by various privacy safeguards as they collect, use, or disclose personal information collected from children. The Do Not Track Kids Act would impose age-based restrictions beyond those in the current COPPA law by prohibiting Internet companies from collecting personal and location information from anyone 13 to 15 years old without the user’s consent, while also requiring consent of the parent or teen prior to sending targeted advertising to the teen.  
The bill also would create an "eraser button" by requiring companies to permit users to eliminate publicly available personal information content when technologically feasible, and empower the FTC to promulgate rules requiring operators to implement appropriate "eraser button" mechanisms.  The "eraser button" provision is similar to legislation recently enacted in California, which allows minors under 18 to request that companies delete specified information that the requestor has previously posted online.  (We discuss this law in Section III.B.6 below.)  The Do Not Track Kids Act also would prohibit companies from collecting personal information from minors without adopting a "Digital Marketing Bill of Rights for Teens" that is consistent with the Fair Information Practices Principles established by the bill.  Companies would be required to explain the types of personal information collected and how that information is used and disclosed, and to disclose any personal information collection policies. The House and Senate versions of the bill are substantially identical.  The Senate bill is currently in the Committee on Commerce, Science and Transportation, while the House bill is in the Energy and Commerce Committee’s Subcommittee on Communications and Technology, where they have remained since November 2013.             7.   The Edward Snowden Affair and NSA Surveillance                     a.   Background In 2013, Edward Snowden’s leaks regarding the U.S. National Security Agency ("NSA") "PRISM" program revealed that the government collects massive amounts of telephone and Internet data about foreigners and Americans.  Snowden’s revelations have transformed the landscape of the national and international discussion about privacy and national security.  Mr. 
Snowden’s leaks led to revelations that the NSA collects, retains, and can search a large trove of data from domestic and foreign communications, acting under authority granted to it under Section 215 of the USA PATRIOT Act.  Such surveillance includes bulk collection of telephonic metadata, including phone numbers called, the time a call was made, and the duration of a given call.  NSA analysts may search a database of such information based on a reasonable, articulable suspicion that the telephone number is connected to terrorism.  PRISM was first authorized during the Administration of President George W. Bush in the Protect America Act of 2007 and the FISA Amendments Act of 2008.  PRISM’s data collection practices also have been approved by the Foreign Intelligence Surveillance Court ("FISC").  Yet the extent of the government’s surveillance was unknown to the general public until Snowden’s disclosures. Mr. Snowden’s leaks also revealed, among other things, that the NSA’s interception of foreign targets’ communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act ("FISA") also resulted in the collection of the communications of American citizens, despite legal protections against domestic surveillance.                      b.   Significant Disclosures in 2014 Snowden’s initial revelations were published in a series of articles for British paper The Guardian in summer and fall 2013.  Since then, additional disclosures and the release of certain court documents have shed additional light on U.S. and international government surveillance programs. There were several significant disclosures about the different types of NSA surveillance and monitoring programs that currently exist or are in development: Journalists for The Intercept described an NSA computer program called TURBINE, which allows the NSA to use an automated program to infect, on a mass scale, computers and phone networks around the world with spyware.  
The spyware allows the NSA to break into targeted computers and siphon data from Internet and phone networks located abroad.  It was also revealed that the NSA intercepts routers, servers, and other networking equipment before it is exported outside the United States to implant surveillance tools into the systems.[52]  In an interview, Snowden discussed the MonsterMind program, a cyber-warfare program under development by the NSA, intended to discover known or suspected cyberattacks from abroad, and automatically fire back.[53]  It was revealed that the NSA harvests millions of faces from Internet images for use in a facial recognition database.[54]  There were additional disclosures about the scope of the NSA’s surveillance program, and the extent to which the government monitors individuals who are not suspected terrorists and organizations not traditionally affiliated with terrorists.  For example, Mr. Snowden informed the Council of Europe that the United States has monitored confidential communications of the leaders of a number of civil and non-governmental organizations, including Amnesty International and Human Rights Watch.  And in March, Director of National Intelligence James Clapper admitted that U.S. intelligence agencies had searched the contents of emails and other electronic communications of U.S. citizens without warrants.  Clapper asserted that FISA, which prohibits the government from targeting Americans, authorizes the collection of Americans’ data because the data was obtained to eventually target foreign suspects.[55]  Additionally, The Washington Post, relying on information provided by Snowden, reported that 90% of those placed under surveillance in the U.S. are not intended targets.  There were also disclosures about the extent to which international governments cooperate with the NSA.  For example, it was revealed that the NSA’s Australian counterpart spied on communications between U.S. 
law firm Mayer Brown and its client, the government of Indonesia, and offered to provide the information so acquired to the NSA.  Mayer Brown was representing Indonesia in a trade dispute with the U.S. government, and the surveillance may have included information protected by the attorney-client privilege.  Additionally, a German newspaper revealed that Germany’s secret service shared at least 5% of the Internet data it has collected about German citizens with the NSA.[56]  In September, The Washington Post published a story that shed light on the genesis of the PRISM program.  The Post reported that in 2008, the government had threatened to fine Yahoo!, Inc. $250,000 per day if it did not comply with a FISC order on appeal granting the government access to Yahoo! emails and email metadata.[57]  Yahoo! had originally contested the government’s demand for user data, arguing that it violated the Fourth Amendment’s prohibition against unreasonable searches and seizures, but was unsuccessful.  Yahoo! appealed the decision, and the government threatened Yahoo! with the fine if it did not begin handing over data while the case was on appeal.  Yahoo! complied, and ultimately lost the appeal.  The information regarding the government order came to light when 1,500 pages were unsealed in the FISC case in September 2014, after Yahoo! won its long battle to declassify and un-seal the documents.  It was revealed that this FISC ruling became the key decision in the development of PRISM, helping government officials to convince several companies to comply with its demand for data.[58]                      c.   Proposed Reform Legislation In late 2013 and early 2014, several representatives drafted bills aimed at reforming PRISM.  Of the proposed bills, the one that has come closest to passing is the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection, and Online Monitoring Act (the "USA FREEDOM Act").  
The bill was introduced on October 29, 2013 by Rep. Sensenbrenner (R-WI) and Sen. Leahy (D-VT).  A version of the bill passed the US House of Representatives on May 22, 2014.  The House version did not ban bulk government collection of data, but rather allowed collection if approved by a FISC order based on reasonable, articulable suspicion of wrongdoing.  The bill also renewed the USA PATRIOT Act until the end of 2017.  Because the bill permits bulk collection of Americans’ data, it was criticized by many civil libertarians and technology companies. In July 2014, Senator Leahy introduced a new version of the bill in the Senate.  The Senate version requires the government to limit the scope of its bulk data collection–for example, it specifies that the government may not gather in bulk data relating to a particular phone or Internet company or to a broad geographic region.  Further, the Senate bill would have left the phone and Internet data of Americans in the hands of the service providers, not the government.  The government could obtain records of calls made and received by individual Americans who were the target of a terrorist communication after the government demonstrated that it has a reasonable, articulable suspicion that the conversation involves a terrorist.  The Senate version of the USA FREEDOM Act had wide support from the technology industry, many privacy advocacy groups, Democrats, some Republicans, the White House, and the intelligence community.  However, in November 2014, the bill fell two votes short of the 60 votes needed to prevent a Republican filibuster.[59] Although the Obama administration supported the USA FREEDOM Act, in December 2014, the administration announced that it would renew the PRISM program.  The government sought a 90-day reauthorization of the existing program, as modified by changes directed by President Obama in January 2014.  
Those changes require the NSA to obtain a court order before searching the NSA’s database of metadata and phone and Internet data, and limit the search to phone numbers two "hops," or connections, away from a target (instead of the previous rule of three hops).[60]                      d.   Technology Sector Response The technology industry faced significant criticism in 2013 and 2014 due to what many characterized as aiding, or at least being complicit in, the handing over of troves of consumer data to the US government.  This led to US-based technology companies losing many international customers, with industry experts predicting that the US cloud computing industry could lose between $35 and $180 billion by 2016.[61]  As a response to the criticism, several technology companies have begun to build data centers overseas.                      e.   Legal Challenges to Surveillance Practices There have been three significant decisions about the legality of government surveillance since the first Snowden revelation.  In Klayman v. Obama, 957 F. Supp. 2d 1 (D.D.C. 2013), Judge Richard Leon of the U.S. District Court for the District of Columbia held that broad-scale collection of Americans’ telephone metadata is likely unconstitutional.  Judge Leon called the program "almost Orwellian" and questioned the efficacy of the program in combatting terrorism.  He granted an injunction ordering the government to stop collecting the plaintiffs’ telephone data and to destroy the existing records; however, the injunction was stayed pending appeal.  Appellate arguments took place in November 2014. In ACLU v. Clapper, 959 F. Supp. 2d 724 (S.D.N.Y. Dec. 27, 2013), Judge William Pauley held that the NSA phone records collection is constitutional and necessary to national security.  The case is currently on appeal, and arguments before the Second Circuit took place in September 2014. The decisions in Klayman and ACLU v. Clapper took divergent views on the precedential value of Smith v. 
Maryland, 442 U.S. 735 (1979).  There, the Supreme Court held that there is no reasonable expectation of privacy in information voluntarily turned over to third parties such as telephone companies.  Klayman distinguished Maryland as outdated, while ACLU v. Clapper determined that it was controlling precedent.  More recently, a June 2014 decision of the District of Idaho held that Maryland precluded that court from ruling in the plaintiff’s favor on allegations that the government violated her Fourth Amendment rights by collecting cellphone tracking location data.  Smith v. Obama, 24 F. Supp. 3d 1005 (D. Idaho June 3, 2014).  Judge B. Lynn Winmill wrote, however, that he believed Maryland to be outdated.  Judge Winmill called Judge Leon’s decision in Klayman "thoughtful and well-reasoned," urging that it should "serve as a template for a Supreme Court opinion."  Id. at 1009.  Smith v. Obama is currently on appeal.       B.   Recently Enacted State Privacy Laws State legislatures have continued to pass laws covering a wide range of topics relating to information privacy and security, with important impacts on private sector businesses.             1.   Data Breach Notification Several states enacted new data breach notification laws, and those with preexisting laws reformed their data breach reporting requirements.  For example, in 2013, California amended its groundbreaking data breach notification law by broadening the definition of "personal information."  Under Section 1798.82 of the California Civil Code, a breach of the following types of information now triggers a notification obligation: passwords, usernames, and security questions.  These categories of information are in addition to Social Security Numbers, driver’s license numbers, credit card information, and medical and health insurance information.  In 2014, California further amended its data breach notification law by passing Assembly Bill 1710.  
Under the amendment, which took effect on January 1, 2015, the law applies to businesses that merely maintain personal information (in addition to businesses that own and license personal information, which were already covered).  Importantly, this amendment requires third-party service providers that obtain personal information from an owner or licensee of the personal information to implement data security practices.  Iowa also made an interesting modification to its data breach notification law, by amending the definition of "breach" to include the acquisition of personal information that is maintained in paper form.  See S.F. 2259, 2013-2014 Reg. Sess. (Iowa 2014) (also requiring notification to state attorney general within five days if breach affects more than 500 Iowa residents). New York’s S. 2605-D, enacted in 2013, also made minor changes to the state’s data breach law by requiring public or private entities’ breaches of "private information" to be disclosed to the newly-formed Office of Information Technology Services instead of the Office of Cyber Security & Critical Infrastructure Coordination.  The New York law also continues to require data breach notification to the affected individual, the New York Attorney General, and the Consumer Protection Board.  See A. 3005-D, S. 2605-D (N.Y. 2013).[62] Florida also enacted an updated data privacy law, which went into effect on July 1, 2014.  See Information Protection Act, Fla. Stat. § 501.171.  Following California’s lead, Florida expanded the definition of "personal information," for which unauthorized disclosure can trigger breach notification obligations.  Among other things, Florida’s new law also requires notification to affected persons within 30 days after discovery of a breach as well as notification to the state’s Department of Legal Affairs following any breach involving 500 or more individuals in Florida.  
Texas, Vermont, and North Dakota are among other states that have recently amended their data breach laws.[63]  With the passage of Kentucky’s law in April 2014, only three states–New Mexico, South Dakota, and Alabama–have no form of a data breach notification law.  See H.B. 232 2014 Gen. Assemb., Reg. Sess. (Ky. 2014).             2.   Credit Card Monitoring After Data Breach In 2014, California enacted a law regulating the way in which companies may offer credit card monitoring to individuals whose data is compromised by a data security breach.  So far it is the only state to do so.  Several other states, however, have considered legislation requiring businesses to offer credit monitoring services to individuals impacted by data breaches. As of January 1, 2015, if a business is the source of a security breach, "an offer to provide appropriate identity theft prevention and mitigation services [to California residents], if any, shall be provided at no cost to the affected person for not less than 12 months."  (emphasis added).  The business must also provide any information necessary for residents to take advantage of the services.  Some commentators have read this provision to require businesses to provide prevention and mitigation services after a security breach, but because the law includes the words, "if any," it merely regulates the type of credit monitoring a company must offer if the company chooses to offer credit monitoring at all.  The bill is unlikely to have a major impact, as most companies that currently offer customers credit monitoring offer at least 12 months of cost-free service.[64]             3.  Social Media Access Following Maryland’s lead, which enacted the first such bill (S.B. 433/H.B. 964, 2012 Reg. Sess. (effective Oct. 
1, 2012)), a majority of states have enacted or have considered enacting legislation that would enhance employees’ privacy by prohibiting employers from requiring or requesting current or prospective employees to provide passwords to their social media accounts.[65]  In an interesting inverse of these new laws, Delaware enacted a law which provides heirs with access to a deceased person’s digital assets.  Fiduciary Access to Digital Assets and Digital Accounts, H.B. 345, 147th Gen. Assemb. (Del. 2014).  New Mexico and several other states have extended this principle by enacting legislation prohibiting colleges from requiring students or applicants to provide access to social media accounts.[66]              4.   Drone Regulation Over a dozen state legislatures have taken action on the use and regulation of drones, typically called unmanned aircraft systems ("UAS").  To date, these laws typically regulate how a government agency, primarily law enforcement, can utilize UAS.  For example, Florida’s Freedom from Unwanted Surveillance Act, S.B. 92, enacted on April 26, 2013, limited UAS use to law enforcement, and established a warrant requirement unless there is a terrorist threat or "swift action" is necessary to save a life or search for a missing person.  Any evidence obtained in violation of the law is inadmissible, and civil remedies are authorized if an individual is harmed by the inappropriate use of UAS.[67]  Louisiana created a crime for the unlawful use of a UAS in order to conduct surveillance without the owner’s consent.  H.B. 1029, 2014 Reg. Sess. (La. 2014). An increasing number of states are taking steps to regulate the use of UAS by private individuals.  For example, North Carolina’s law created a wide swath of regulations for UAS, including a similar prohibition of UAS surveillance without consent, creating a civil cause of action for anyone whose privacy is violated.  S.B. 744 (N.C. 2014).  
In October 2014, California passed a law some consider specifically aimed at paparazzi photographers, which creates a cause of action for the violation of someone’s privacy, and authorizes treble damages if the violating conduct was for commercial gain.  A.B. 2306 (Cal. 2014).  The Texas Privacy Act, H.B. 912, enacted on June 14, 2013, created 19 different categories of lawful public UAS use and criminalized capturing, possessing, and distributing an image captured by a UAS with the intent to conduct surveillance.[68]  See also S.B. 1892, 108th Reg. Sess. (Tenn. 2014) (creating a misdemeanor offense for intentional surveillance of another using UAS, but creating 18 lawful uses).             5.   California’s "Do Not Track" Law California’s "Do Not Track" law, Assembly Bill 370 ("A.B. 370"), went into effect on January 1, 2014.  A.B. 370 amends the California Online Privacy Protection Act ("CalOPPA") to require additional disclosures in corporate privacy policies.  Intended to facilitate transparency as to how a company tracks and shares user data, it requires disclosures dealing with three areas: (1) "do not track" signals; (2) third-party tracking; and (3) conspicuous opt-out notices.  In May 2014, the California attorney general issued guidelines for compliance with the Do Not Track law.[69]  First, A.B. 370 requires companies to disclose how they respond to "do not track" signals.  A "do not track" signal is an HTTP header field emitted by an Internet browser when a user selects "Do Not Track" in his or her browser settings.  To date, there is no regulatory or industry consensus on the appropriate response to a "do not track" signal.  The Federal Trade Commission has informally called for companies to honor "do not track" requests in its educational publications, though it has not introduced formal rules on the subject.  Without a specific requirement to honor such signals, many companies choose not to do so.  A.B. 
370 is intended, in part, to create pressure for companies to honor "do not track" signals by forcing them to reveal whether and how they honor the signal.  The attorney general guidelines clarify that this disclosure is only required if an online service collects personally identifiable information about a consumer’s online activities over time and across third-party websites or online services. Second, A.B. 370 requires companies to disclose whether third parties may collect personally identifiable information about a consumer’s online activities when they visit the company’s website.  Importantly, the amendment only requires companies to disclose whether third parties collect information, not details regarding what information the third parties track.[70] Finally, A.B. 370 also permits a company to satisfy the "do not track" disclosure requirement by providing a "clear and conspicuous" hyperlink in its privacy policy to an explanation of the company’s opt-out program, and a mechanism for the user to opt out of the company’s tracking practices.  However, the attorney general guidelines recommend that online services directly disclose how they respond to do not track requests, rather than hyperlinking, and treat the linking option as the less transparent method for complying with A.B. 370.  Also, linking to opt-out procedures only satisfies a company’s obligation to disclose how it treats "do not track" signals; it does not satisfy A.B. 370’s third-party tracking disclosure requirement.[71]             6.   California’s "Digital Eraser" Law California Senate Bill 568, "Privacy Rights for California Minors in a Digital World," ("S.B. 568") became effective on January 1, 2015.  S.B. 568 includes a provision known as the "Delete Button" or "Eraser" law, which allows minors under the age of 18 to request that companies delete specified information that the requestor had previously posted online. 
California is the first state to impose such an obligation on website and mobile app operators.  Additionally, the law bans companies from marketing prohibited items, including alcohol, tobacco, guns, and other products or services to minors or compiling underage users’ personal information in order to market the prohibited items to them. The "Delete Button" law applies to companies operating websites, mobile and Internet-based "apps," and online services; however, it only covers websites and apps "directed" to minors or whose operator has actual knowledge that a minor is using it.  The law defines a site "directed to minors" as one "created for the purpose" of reaching predominately those under 18. All covered companies must notify minors of their right to request removal of unwanted information posted by the minor on the company’s web site, and must remove such information upon request.  Alternatively, companies can comply with this law by providing minors with clear instructions as to how to directly remove information that they posted.  The "Delete Button" law has a number of enumerated limits that affect its scope.  First, minors can request deletion only of information that they posted.  S.B. 568 does not allow a minor to request deletion of information that was stored, republished, or reposted by a third party.  Second, only "registered users" of a company’s website can request deletion.  Third, if a minor fails to follow the procedures for deletion, a company need not delete the information.  Fourth, those receiving compensation for posted content cannot request deletion.  Finally, minors cannot request deletion of posted content that is inaccessible to third parties.[72]              7.   California’s Privacy for Student Records Laws A number of privacy protections for primary students’ records went into effect in California on January 1, 2015. 
Senate Bill 1177 prohibits an operator of an online service that the operator knows is marketed, designed, and primarily used for K-12 school purposes from knowingly engaging in targeted advertising to students or parents, creating a profile of a student using any information gathered through the service, or selling or disclosing a student’s information.  The operator must also maintain reasonable security measures to protect the student’s information from unauthorized access, destruction, use, modification or disclosure and delete school-controlled student information upon request from the school. Assembly Bill 1584 governs contracts between local educational agencies and third-party digital record and educational software providers.  It permits a school to use a third party for the "digital storage, management and retrieval of pupil records, or to provide digital educational software, or both."  But any contract with a third party must contain a number of provisions, including a description of the actions the third party will take "to ensure the security and confidentiality of pupil records," a description of procedures that will be used to notify affected students or parents of any unauthorized disclosure, a prohibition against using students’ information for purposes other than those contractually required, and a certification that students’ information will not be available to the third party upon completion of the contract. Finally, Assembly Bill 1442 establishes restrictions on school districts’ collection and use of pupils’ social media information.  In order to gather students’ information, a school must first notify students and parents and provide an opportunity for public comment.  
If the school gathers social media information, it must notify each parent that information is being collected and must only gather information that pertains directly to school or student safety, provide the student with access to his or her information and an opportunity to correct or delete it, and destroy information after the student turns 18 or is no longer enrolled in the school.  Third parties retained by schools to gather students’ social media information may not use the information for any purpose other than to satisfy the contract, may not sell or share the information, and must destroy the information immediately upon conclusion of the contract.       C.   Legislative Outlook Prompted by events such as the Snowden leaks, major retailer security breaches, and the Sony hacking incident, both state and federal lawmakers are expected to continue to address surveillance and data privacy issues and data breach notification legislation as priorities.  Additional potential legislative emphases on the horizon are likely to include: mobile data collection, retention, and sharing issues (addressing text messaging and mobile chat applications as well as other services); continued emphasis on children’s online and mobile privacy; strengthening European Union privacy legislation (stemming from the European Union Data Protection Regulation and "right to be forgotten" cases); intensified health care data protections; and an increased focus on geo-location/GPS privacy issues. On January 13, 2015, President Obama presented an update to the Administration’s 2011 Cybersecurity Legislative Proposal.  
The updated proposal identifies three priorities: 1) enhancing cyber threat information sharing within the private sector and between the private sector and the Federal Government; 2) protecting individuals by requiring businesses to notify consumers if personal information is compromised; and 3) strengthening and clarifying law enforcement’s ability to investigate and prosecute cyber crimes. Under the proposal, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) would play a key role in sharing cyber threat information received from private sector entities with the relevant federal agencies and other private sector organizations.  Companies that share information would also be eligible to receive "targeted" liability protection. The proposal also aims to protect individuals by establishing a federal data breach notification scheme and creating a consumer privacy bill of rights.  The proposed legislation would also expand existing penalties for cybersecurity crimes, law enforcement authority to deter the sale of certain spyware, and court authority to shut down certain networks engaged in criminal cyberattack activity.[73] It is unclear whether the recent Republican takeover of Congress will have an impact on the success or trajectory of legislative efforts in the privacy arena.  A Republican will now chair the Senate Select Committee on Intelligence, which some would expect to chill NSA oversight, but the public response to the depth of government surveillance revealed in the last few years has generated support for reform from both sides. Whether there will be enough bipartisan support to achieve federal legislation on these issues remains to be seen. IV.   Criminal Enforcement       A.   Fourth Amendment Developments             1.   U.S. v. Rigmaiden The multi-year saga of United States v. Rigmaiden, No. 08-cr-814 (D. Ariz.), recently came to an end.  
In 2008, the government indicted Rigmaiden on 74 counts of mail and wire fraud, aggravated identity theft, and conspiracy.  In the indictment, the government alleged that Rigmaiden devised a scheme to obtain fraudulent tax refunds by filing electronic tax returns in the names of hundreds of people, both deceased and living.  The government was able to locate and arrest Rigmaiden after surveillance involving use of the StingRay, a device used to track the International Mobile Subscriber Identity (IMSI) of cellular devices.  In 2013, Rigmaiden filed a motion to suppress evidence relating to his wireless aircard, historical cellular-site information, destination IP addresses, data from the security company that serviced Rigmaiden’s former apartment complex, the search of his apartment and computer, and the use of mobile tracking devices.  Citing earlier Ninth Circuit precedent, the district court concluded that Rigmaiden had no societally recognizable expectation of privacy in a computer or other equipment obtained through fraud–Rigmaiden had used fraudulent identities and credit cards to purchase his laptop and wireless aircard.  For the same reason, Rigmaiden had no reasonable expectation of privacy in the apartment and storage unit he rented with stolen and fraudulent identities.  The court rested this conclusion on Supreme Court authority recognizing that wrongful interests do not give rise to legitimate expectations of privacy.  Turning to the government’s use of electronic communications to isolate the location of Rigmaiden’s computer/aircard, the court declined to find a privacy violation where the government’s use of such technology was for the purpose of finding the devices being used to perpetrate an extensive fraudulent scheme through the defendant’s own use of electronic communications.  
With respect to the government’s collection of historical cell-site data, the court found that even if Rigmaiden had a protected privacy interest in the aircard, the government’s collection of historical records (e.g., cell-site data, destination IP addresses associated with the aircard) pursuant to the Stored Communications Act ("SCA") did not violate Rigmaiden’s rights.  The court also noted that, in any event, suppression is not an available remedy for an SCA violation.  Distinguishing recent Supreme Court authority, the court further concluded that using cell-site information to triangulate the location of Rigmaiden’s aircard, pursuant to the SCA, was not tantamount to attaching a GPS device to a person’s vehicle over an extended period of time.  With respect to the historical IP addresses and data obtained from the security company, the court found this information covered by the third-party doctrine. Rigmaiden also challenged the warrant used to justify the use of a mobile tracking device to isolate his location, arguing it was not supported by probable cause and any searches conducted thereunder exceeded the warrant’s scope.  The ACLU filed an amicus brief in support of the scope argument.  The court found that the affidavit underlying the warrant supported probable cause and that the warrant was sufficiently particular with respect to the mobile tracking device to be used.  While the court acknowledged that the tracking warrant was no "model of clarity," it nonetheless concluded that the warrant contained all sufficient elements.  Moreover, the court found it irrelevant that the warrant did not disclose that the mobile tracking device would capture data of other cell phones and aircards in the vicinity of the subject aircard.  
Lastly, although the government conceded its failure to comply with Rule 41(f) (requiring service of the warrant on a defendant), the court explained that suppression is not the appropriate remedy where there is no causal connection between the government’s failure to comply with this rule and its location of the aircard.  The court rejected Rigmaiden’s argument that he was prejudiced by this action where, had he been served, he would have fled and evaded capture.  Lastly, to the extent any Fourth Amendment violation occurred in searching Rigmaiden’s apartment and computer, which the court concluded did not happen, the court found that the good faith exception applied.  In light of the fact that Rigmaiden had filed many suppression-related motions during the case, the court ordered Rigmaiden not to file any additional motions of this sort.  Bringing this saga to an apparent end, on April 7, 2014, Rigmaiden pled guilty.  The Court sentenced him to 60 months’ imprisonment followed by three years of supervised release.             2.   Cell Phones and Warrantless Searches On April 29, 2014, the U.S. Supreme Court held that police generally may not, without a warrant, search digital information on a cell phone seized from an individual who has been arrested.  Riley v. California, ___ U.S. ___, 134 S. Ct. 2473 (2014).  Noting that a warrantless search is reasonable only if it falls within a specific exception to the Fourth Amendment’s warrant requirement, a unanimous Court refused to extend the "search incident to arrest" exception to searches of smart phones and other cell phones.  In so doing, the Court distinguished United States v. Robinson, 414 U.S. 218 (1973), in which the Court upheld the search of a cigarette pack found on an arrestee’s person.  Although the precise impact of the Riley decision remains to be seen, at least one federal district court has suggested that the Supreme Court’s holding likely prohibits the warrantless search of a digital camera.  
See United States v. Whiteside, No. 13 Cr. 576 (PAC) (S.D.N.Y. Sept. 30, 2014).       B.   Identity Theft and Carding Crimes             1.   United States v. Lazar (E.D. Va.) While many identity theft crimes are motivated by financial gain, one notable case this past year was not.  In United States v. Lazar, 1:14-cr-213 (E.D. Va. June 12, 2014), the Department of Justice indicted Marcel Lehel Lazar, the hacker known as "Guccifer" on charges of wire fraud, unauthorized access, aggravated identity theft, and cyberstalking.  Lazar allegedly broke into the email and social media accounts of several high level government officials and celebrities and was linked to the release of private photos and portraits painted by former President George W. Bush.[74]  At the time of the indictment, Lazar was imprisoned in his native Romania.  It remains to be seen whether the United States will seek Lazar’s extradition after his release from Romanian prison.             2.   United States v. Vega (E.D.N.Y) Recent cases have resulted in increasingly severe sentences for those found guilty of identity theft and carding crimes.  In a New York federal case, Roman Vega was sentenced to 18 years in prison for his role as co-founder of CarderPlanet, one of the Internet’s first marketplaces for stolen data.  See United States v. Vega, No. 07-cr-707 ARR (E.D.N.Y. Dec. 18, 2013).  Vega conspired to steal personal information, including credit card numbers, through sophisticated means such as hacking, and used his website to sell the stolen data.  Vega pled guilty in 2009 to conspiracy to commit access device fraud, in violation of 18 U.S.C. § 1029, and conspiracy to commit money laundering, in violation of 18 U.S.C. § 1956.  
Commenting on Vega’s lengthy sentence, Mythili Raman, former Acting Assistant Attorney General of the Justice Department’s Criminal Division, explained, "Vega helped create one of the largest and most sophisticated credit fraud sites in the cybercrime underworld–a distinction that has earned him the substantial sentence he received today."       C.   Money Laundering             1.   United States v. Dotcom (E.D. Va.) The United States continues its efforts to extradite Kim Dotcom for his involvement with the website Megaupload, an online file-sharing site which the U.S. alleges is at the center of an "international organized criminal enterprise" engaged in racketeering, money laundering, and copyright infringement.  United States v. Dotcom, No. 12-cr-003 (E.D. Va.).  Dotcom remains in New Zealand, where in March 2014 the New Zealand Supreme Court denied a request by Dotcom and three colleagues also facing extradition to gain broad access to all U.S. evidence against them.  Finding that such extensive disclosure would delay the process, the Court concluded that a summary of the U.S. case against Dotcom would be sufficient for purposes of an extradition hearing.  Meanwhile, it has been reported that the extradition hearing has been delayed until February 2015.             2.   United States v. Faiella (S.D.N.Y) In another notable money laundering case, the DOJ filed charges against Robert M. Faiella, an underground Bitcoin exchanger, and Charlie Shrem, the CEO of a Bitcoin exchange company, BitInstant, for selling over $1 million in Bitcoins to users of "Silk Road," an underground website that (among other things) enabled users to buy and sell illegal drugs anonymously.  United States v. Faiella, No. 14-cr-243 (S.D.N.Y).  
Law enforcement shuttered the original Silk Road website in October 2013, and has since been engaged in a cat-and-mouse game with new anonymous marketplaces, seizing Silk Road 2.0 in November 2014.[75]  The Bitcoin-related charges in the Faiella case allege that Mr. Faiella and Mr. Shrem conspired to commit money laundering and operated an unlicensed money transmitting business.  The charges also allege that Mr. Shrem violated the Bank Secrecy Act.              3.   United States v. Liberty Reserve S.A. (S.D.N.Y) In 2013, the DOJ also filed charges against Liberty Reserve, a currency exchange that formerly operated out of Costa Rica, along with charges against seven individuals.  The charges allege conspiracy to commit money laundering, conspiracy to operate an unlicensed money-transmitting business, and operation of an unlicensed money-transmitting business.  United States v. Liberty Reserve S.A., No. 13-cr-368 (S.D.N.Y).  The government alleges that Liberty Reserve laundered billions of dollars in 55 million transactions worldwide.  Liberty Reserve traded in virtual currency, which allegedly provided the anonymity sought by criminals.  While individual users were asked to provide a name, address, and date of birth, fictitious information could be used to create an account.  The case is reported to be the largest online money laundering case in history, and officials dubbed it the launch of the "cyber age of money laundering."  Along with filing criminal charges, law enforcement seized five domains and froze forty-five bank accounts.  Thus far, one defendant has pled guilty and received a five-year prison sentence.  Although Liberty Reserve is incorporated in Costa Rica, officials used a USA PATRIOT Act provision to target the entity.       D.   Economic Espionage Act             1.   United States v. Aleynikov (2d Cir.) and United States v. Agrawal (2d Cir.) 
As we reported last year, the Second Circuit reversed the conviction of Sergey Aleynikov, a former computer programmer for a financial institution, who was found guilty of stealing computer source code under the Economic Espionage Act ("EEA").  United States v. Aleynikov, 676 F.3d 71 (2d Cir. 2012).  The court found that the program embodying the stolen source code was not "produced for" or "placed in" interstate commerce, because the company had no intention of licensing or selling the program.  Id. at 82.  Judge Calabresi’s concurrence noted that he believed Congress, in drafting the EEA, intended to capture the type of conduct at issue in this case.  In response, Congress passed the Trade Secrets Clarification Act ("TSCA"), on which we also reported last year.  The TSCA removed the requirement that the underlying trade secret be "used or intended for use in" interstate commerce.  Instead, the law now requires only that the trade secret be "related to" or "included in" a product produced for or placed in interstate or foreign commerce.  In 2010, a jury convicted defendant Samarth Agrawal for similar conduct of stealing computer code from his employer.  In August 2013, despite the Aleynikov precedent, the same court upheld Agrawal’s conviction.  United States v. Agrawal, 726 F.3d 235 (2d Cir. 2013), cert. denied 134 S. Ct. 1527 (2014).  In Agrawal, the defendant worked for Société Générale ("SocGen"), a French bank.  Like the defendant in Aleynikov, Agrawal took source code from his employer.  Agrawal printed the source code onto thousands of sheets of paper and took it to his home in New Jersey to replicate SocGen’s trading system to sell to a competitor for hundreds of thousands of dollars.  
Although Agrawal raised challenges similar to the defendant in Aleynikov, the court distinguished the earlier case, writing that the "product" relied upon in Aleynikov was the proprietary source code while, in Agrawal’s case, the "product" was the publicly traded securities bought and sold by SocGen using the software embodying the stolen code.  The court found that the securities satisfied the jurisdictional requirement without raising the concerns present in Aleynikov (i.e., the fact the proprietary software was not intended for use in interstate commerce).  Judge Rosemary Pooler authored a dissent, arguing that the majority ignored the narrow construction of the EEA set forth in Aleynikov in order to "retroactively apply Congress’s statutory change made during the interim period."  Judge Pooler’s dissent noted that the government claimed at trial that the source code was the "product," whereas for the first time on appeal the government looked to the securities bought and sold through use of the software.             2.   United States v. Liew (N.D. Cal.) On March 6, 2014, a federal jury convicted Walter Liew of charges brought under the Economic Espionage Act.  United States v. Liew, No. 11-cr-573 (N.D. Cal.).  The DOJ claims Liew is the first person to be convicted for violations of the Economic Espionage Act in a jury trial.  Liew met with Chinese officials in the 1990s and agreed to procure chloride-route titanium dioxide (TiO2) technology for them.  TiO2 technology is used to create pigment in paint, plastics, and paper, and also has uses in aerospace materials.  The jury found that Liew, along with co-conspirators, stole TiO2 trade secrets from the DuPont chemical company and sold those secrets to state-owned companies in China.  The jury also convicted Liew on charges of obstruction of justice, witness tampering, filing false tax returns, and making false statements in connection with a bankruptcy filing.  
In July 2014, Judge Jeffrey White sentenced Liew to a fifteen-year prison sentence, and ordered Liew to pay over $28 million in forfeitures and restitution.             3.   United States v. Wang Dong (W.D. Penn.) In May 2014, a grand jury in Pennsylvania federal court indicted five Chinese military hackers for computer hacking, economic espionage, trade secret theft, and other offenses directed at six U.S. companies in the nuclear power, metals, and solar products industries.  United States v. Wang Dong, No. 14-cr-118 (W.D. Penn.).  The indictment drew an angry response from China’s Foreign Ministry.  The defendants are alleged, inter alia, to have conspired to hack into the U.S. companies, to maintain unauthorized access to computers, and to steal information that would be beneficial to Chinese competitors, including state-owned enterprises.  However, because the U.S. does not have an extradition treaty with China, it is unlikely that the defendants will be brought to the U.S. to face charges. U.S. Attorney General Eric Holder reported that the Wang Dong indictment represents "the first ever charges against a state actor for this type of hacking," but Holder signaled that it would not be the last of its kind, warning that the U.S. "will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition."  Echoing that sentiment, FBI Director James B. Comey promised to "use all legal tools at [the FBI’s] disposal to counter cyber espionage from all sources."              4.   United States v. Leroux (D. Del.) In July 2013, the DOJ indicted four individuals for allegedly stealing trade secret information from a number of U.S. businesses.  United States v. Leroux, 13-cr-0078 (D. Del.).  The indictment alleges that the hackers stole popular Microsoft Xbox games such as "Call of Duty: Modern Warfare 3" and "Gears of War 3" before their release.  
The hackers also allegedly broke into the servers of a U.S. Army contractor and accessed the software used to train Apache helicopter pilots.  Victims of the hacking ring include the computer networks of Microsoft Corporation, Epic Games Inc., Valve Corporation, Zombie Studios, and the U.S. Army.  The defendants were based in both the United States and Canada; the government arrested the Canadian defendant when he attempted to enter the United States at the Lewiston, NY port of entry.  In September 2014, the Canadian defendant and one other defendant pled guilty to conspiracy to commit computer fraud and copyright infringement.  The DOJ asserts that the Canadian defendant’s guilty plea marks the first conviction of a foreign-based individual for hacking into U.S. businesses to steal trade secret information.  In January 2015, the third defendant likewise pled guilty to the same conspiracy charge.  The three are to be sentenced in spring 2015.       E.   Computer Fraud and Abuse Act             1.   United States v. Nosal (N.D. Cal.) In Nosal, the government alleged that David Nosal, an executive recruiter in San Francisco, stole trade secrets from his former employer in order to open a competing firm.  After the Ninth Circuit Court of Appeals clarified the scope of the Computer Fraud and Abuse Act ("CFAA") in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), which we discussed in our 2013 Outlook and Review, the court returned Nosal’s case to the district court for trial.  United States v. Nosal, No. 08-cr-237 EMC (N.D. Cal.).  In April 2013, a jury convicted Nosal of conspiracy to gain unauthorized access to his former employer’s computer systems, along with other computer intrusion and theft of trade secrets counts.  At the sentencing hearing, prosecutors asked the court to impose incarceration, arguing that "the sentence you give . . . will go through Silicon Valley like a bell."  The district court sentenced Nosal to one year and one day in prison.  
In addition to incarceration, the Court recently ordered Nosal to reimburse his former employer over $800,000 in attorney’s fees and costs under the Mandatory Victims Restitution Act.  Nosal has again appealed to the Ninth Circuit but has yet to brief the issues on appeal.              2.   Hacktivism                     a.   Overview "Hacktivism" refers to computer hacking for social or political causes, typically free speech or information access.  Supporters often liken "hacktivism" to protests or civil disobedience.  While the prosecution and subsequent suicide of Aaron Swartz (described in our 2013 Outlook and Review) led to closer media scrutiny of criminal treatment of "hacktivism," the incident has not prompted meaningful legal changes.  In June 2013, "Aaron’s Law" was introduced in the U.S. House of Representatives, and companion legislation was introduced in the U.S. Senate, representing a bi-partisan proposal to reform the CFAA.  The bill has not been enacted, and the Justice Department continues zealously to prosecute hacking activity, whether activist or otherwise. A common tool of "hacktivists" and other cybercriminals is "distributed denial of service," or DDOS, attacks.  A DDOS attack is designed to cripple computer networks or servers by flooding them with irrelevant Internet traffic and rendering them inaccessible to legitimate users.  Another kind of attack, an SQL injection attack, exploits security vulnerabilities in software to steal information, such as personally identifying information, from targeted networks or servers.  Motives for such attacks vary.  Some are the means by which other crimes occur, such as a DDOS attack that locks up a company’s systems while wire transfers from its accounts are occurring, or an SQL Injection attack that steals information for the purpose of identity theft.  
Others are politically or socially motivated–"hacktivist" activities, like the attacks that likely caused the state-owned Syrian Arab News Agency ("SANA") to go down in the wake of an alleged August 2013 chemical attack in disputed areas outside of Damascus.  Hacking networks, such as the international group called Anonymous and its offshoots, which include LulzSec, often orchestrate this type of activist attack.                     b.   Rejection of Argument that "Hacktivism" Is Victimless Civil Disobedience In November 2013, U.S. District Judge Loretta Preska of the Southern District of New York sentenced self-proclaimed "hacktivist" Jeremy Hammond to 10 years in prison and 3 years of probation.  Hammond, an affiliate of the international "hacktivist" network Anonymous who has a cybercriminal history, pled guilty to numerous computer hacking offenses.  These crimes included: stealing and/or deleting data from the computer servers of the private intelligence firm Strategic Forecasting Inc.; publishing tens of thousands of credit card numbers belonging to that firm’s clients and encouraging others to use the numbers to donate to charities; hacking into the Arizona Department of Public Safety and publishing the personal information of Arizona law enforcement agents and their families; and attacking several other entities, ranging from state and federal governmental agencies to police officers’ associations to private corporations.  Hammond had been indicted in 2012 along with four other defendants on charges of computer hacking and conspiracy to commit computer hacking.  Indictment, United States v. Hammond, No. 12-cr-185 LAP (S.D.N.Y. May 2, 2012).  Some of Hammond’s co-defendants were prosecuted and sentenced in the United Kingdom and remain under indictment in the United States. Hammond and his lawyers argued that his actions were political activism, aimed at exposing law enforcement policies and surveillance practices that he opposes.  
Speaking at his sentencing hearing, Hammond, who also had been active in the "Occupy" movement, claimed that his crimes were "acts of civil disobedience" intended "to expose and confront injustice and to bring the truth to light."  Conceding he broke the law, Hammond proclaimed, "I believe that sometimes laws must be broken in order to make room for change."  Hammond’s lawyers drew on historical "moments where resistance has led to important social change," noting that actors like the founding fathers, Martin Luther King, and Nelson Mandela were "not always understood in the moment" and were often considered "criminals."  His lawyers highlighted the issue of surveillance technology as "one of the defining issues of our times" and emphasized Hammond’s community activism and the lack of personal gain obtained from his crimes.   In a stern oral opinion, Judge Preska rejected the characterization of Hammond’s actions as victimless civil disobedience: "These are not the actions of Martin Luther King, Nelson Mandela, John Adams, or even Daniel Ellsberg . . . [Mr. Hammond’s] hacks harmed many individuals and entities with little or no connection to Mr. Hammond’s supposed political motivation for the crime."  Judge Preska pointed out that his hack of the Arizona Department of Public Safety shut down vital computer systems, such as the sex offender website and the Amber alert system, and that all of the attacked entities suffered financial and reputational harm.  Judge Preska cited a need for both individual deterrence (this was not Hammond’s first brush with the law for cybercrime) and general deterrence, writing that "there’s certainly nothing high-minded or public-spirited about causing mayhem."  Judge Preska accepted the government’s recommended penalty, 10 years’ imprisonment, and imposed an additional 3 years’ probation.  See Sentencing Transcript, United States v. Hammond, No. 12-cr-185 LAP (S.D.N.Y. Nov. 13, 2013).                      c.   
Prosecution of the LulzSec Attacks First-time offenders also have recently earned jail time.  Two college-student members of the Anonymous-affiliated hacker group LulzSec were each sentenced in the Central District of California to serve a year and a day in prison, to serve one year of subsequent home detention, to complete 1,000 hours of community service, and to pay $605,633 in restitution.  The defendants both pled guilty in 2012 to conspiracy and cybercrime-related offenses in connection with their participation in hacking the computer systems of Sony Pictures Entertainment.  The defendants used a SQL injection attack against the Sony Pictures website that compromised the company’s computer network and resulted in personal information of more than 138,000 individuals being posted online.  In its sentencing memorandum in the case, the United States Attorney’s Office for the Central District of California described LulzSec’s stated goal in the attacks: to see the "raw, uninterrupted, chaotic thrill of entertainment and anarchy" and to provide stolen personal information "so that equally evil people can entertain us with what they do with it."  See United States v. Rivera, No. CR 12-798-JAK (C.D. Cal. July 24, 2013). Law enforcement officials outside the United States also targeted LulzSec-affiliated hackers connected with the Sony Pictures attack and other attacks.  Four defendants (two of whom had been Hammond’s co-defendants in the Southern District of New York Hammond prosecution, discussed above) were sentenced in the United Kingdom in mid-2013 for cyberattacks on a number of private and government institutions, including attacks on Sony Pictures, the CIA, and the FBI.  Mostly first-time offenders, their jail time ranged from 1 year and 8 months to 2 years and 8 months.                      d.   
Prosecution of Dozens of Anonymous-Affiliated Hackers for Widespread DDOS Attacks In October 2013, federal prosecutors filed a grand jury indictment in Virginia federal court accusing thirteen members of Anonymous of conducting a worldwide series of cyberattacks against government agencies, banks, anti-piracy organizations, individuals, and intellectual property law firms, among others.  For orchestrating these coordinated cyberattacks–part of a campaign dubbed "Operation Payback" that occurred between September 2010 and January 2011–the thirteen men were each charged with one count of conspiracy to intentionally cause damage to a protected computer.  The defendants allegedly synchronized DDOS attacks on each of the targets’ networks, causing their websites to shut down.  The attacked institutions, the indictment alleged, were those that "Anonymous claimed opposed its stated philosophy of making all information free for all, including information protected by copyright laws or national security considerations."  An Anonymous flier quoted in the indictment described the motivation behind "Operation Payback": "We [are] sick and tired of these corporations seeking to control the Internet in their pursuit of profit.  Anonymous cannot sit by and do nothing while these organizations stifle the spread of ideas and attack those who wish to exercise their rights to share with others."  See Indictment, U.S. v. Collins et al., No. 13-cr-383 (E.D. Va. Oct. 3, 2013).  The government subsequently dismissed all charges against one defendant, and the other twelve defendants pled guilty.  Thus far, the court has sentenced eight of those defendants to time served and a period of supervised release.  The court has deferred ordering restitution until the remaining defendants are sentenced.  
One of the defendants that pled guilty, Dennis Owen Collins, was also one of fourteen purported Anonymous hackers indicted in 2011 in the Northern District of California on various charges related to the 2010 cyberattack of PayPal Inc.’s website.  United States v. Collins, No. 11-cr-471 DLJ (N.D. Cal.).  All fourteen accused initially pled not guilty.  But in December 2013, Collins’s thirteen co-defendants entered into plea agreements with prosecutors, in which they admitted to participating in DDOS cyberattacks against PayPal in December 2010 as part of hacktivist group Anonymous.  The plea agreements describe the background of the coordinated attacks, which Anonymous called "Operation Avenge Assange."  In November 2010, the website WikiLeaks released a large trove of classified United States State Department cables on its website.  In reaction to the release of the classified information, and citing violations of the PayPal terms of service, PayPal suspended WikiLeaks’ accounts.  This meant WikiLeaks could no longer receive donations from supporters via PayPal.  Anonymous claimed to have executed the DDOS attacks in retribution for PayPal’s termination of WikiLeaks’ donation account.  See U.S. Department of Justice, U.S. Attorney’s Office for the Northern District of California, Press Release: Thirteen Defendants Plead Guilty For December 2010 Cyberattack Against PayPal (Dec. 6, 2013).  In October 2014, the court entered judgment against Collins’s thirteen co-defendants; each has since been sentenced to one year of probation and ordered to pay $5,600 in restitution.  Collins has maintained his plea of "not guilty" and awaits a trial date.  Meanwhile, Senator Patrick Leahy has introduced a bill in the U.S. Senate–entitled the "Personal Data Privacy and Security Act of 2014" (S. 
1897)–that would strengthen the CFAA by making attempted hacks and conspiracies to hack subject to the same punishment as successful intrusions, while clarifying that mere violations of terms of service are not actionable.                     e.   Computer Crimes and Venue A jury convicted Andrew Auernheimer of violating the CFAA in New Jersey federal district court, and the court sentenced Auernheimer to 41 months’ imprisonment.  Auernheimer was found to have participated in an attack on AT&T servers in order to steal email addresses associated with iPad users.  Auernheimer, represented by the Electronic Frontier Foundation, appealed to the Third Circuit Court of Appeals, arguing that the New Jersey venue was improper because, at all relevant times, he and his co-conspirator were in Arkansas and San Francisco, respectively, and the affected servers were in Dallas and Atlanta.  The case received broad attention from various amici regarding the constitutionality of the charges against Auernheimer.  In April 2014, the Third Circuit vacated Auernheimer’s conviction on the basis of improper venue.  See United States v. Auernheimer, 748 F.3d 525 (3d Cir. 2014).  In so doing, the Third Circuit rejected the district court’s conclusion that venue was proper because Auernheimer’s disclosure of the email addresses of about 4,500 New Jersey residents affected them in New Jersey and violated New Jersey law.  The Third Circuit cautioned: "As we progress technologically, we must remain mindful that cybercrimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue.  People and computers still exist in identifiable places in the physical world."  Id. at 541.       F.   The Year Ahead As cybercrime shows no signs of slowing in 2015, law enforcement officials have signaled that they will respond with increasingly robust enforcement tactics.  
On December 4, 2014, shortly after the revelation that Sony Pictures had been the target of a sophisticated cyberattack, the Department of Justice announced the launch of a new Cyber Security unit, to be housed within the DOJ’s existing Computer Crime and Intellectual Property Section.  Assistant Attorney General Leslie Caldwell explained that "[g]iven the growing complexity and volume of cyberattacks, as well as the intricate rubric of laws and investigatory tools needed to thwart the attack, the cybersecurity unit will play an important role in this field."  She also emphasized the importance of a "robust enforcement strategy as well as a broad prevention strategy." The Department of Justice has recognized that prevention depends in part on the ability of U.S. companies to share information with one another and the government concerning rapidly evolving cyber threats.  However, as the DOJ has emphasized, this information sharing "must occur without contravening federal law [e.g., the Stored Communications Act, 18 U.S.C. § 2701 et seq.] or the protections afforded individual privacy and civil liberties."  In an effort to facilitate lawful information sharing, the DOJ issued a white paper in May 2014, which articulates the DOJ’s interpretation of the Stored Communications Act as permitting providers to share aggregated non-content data with governmental entities, so long as that data does not reveal information about a particular customer or subscriber.  V.   International Developments       A.   European Union             1.   Developments at the European Union Level                     a.   Draft EU Data Privacy Regulation The EU Data Privacy Regulation is intended to succeed the operative 1995 Data Privacy Directive (Directive 95/46/EC, hereinafter "EU Data Privacy Directive"). It was initially intended for enactment before the end of 2014, but due to the voting process and reestablishment of the EU Commission, the legislative process was significantly delayed. 
Thus, the new regulation has not yet been enacted and will likely not come into effect before 2017. Two particularly important issues discussed during the legislative process involve exemptions for the public sector and rules concerning data portability.  Core substantive elements of the current proposed regulation include the following: The draft regulation would implement a "right to be forgotten" (also officially called the "right to erasure") whereby personal data must be deleted when an individual no longer wants his or her data to be processed by a company and there are no legitimate reasons for retaining the data.  This part of the draft regulation may impose significant burdens on affected companies, as the creation of selective data destruction procedures often may impose significant costs. The draft law also would establish a right to data portability, which is intended to make it easier for individuals to transfer personal data from one service provider to another.  Upon request, individuals are entitled to obtain personal data that they have provided to a business in an interoperable and commonly used format.  This provision has also come under particular scrutiny due to its potential to significantly increase companies’ administrative burdens.  Privacy by design and privacy by default would be established as essential principles of the new EU data protection rules.  These principles would require data controllers to design data protection safeguards into their products and services right from the inception of the product development process.  Privacy-friendly default settings also would be standard. Data controllers and processors would be required to designate a Data Protection Officer ("DPO") in certain circumstances.  In the age of cloud computing, where even very small controllers can process large amounts of data through online services, the applicable threshold for a mandatory DPO may apply to even relatively small companies. 
Biometric and genetic data would be expressly defined as special categories of personal data.  Biometric data would be defined as any personal data relating to the physical, physiological, or behavioral characteristics of an individual that allow unique identification of the individual–e.g., facial images or fingerprints. The draft regulation also expressly sets out the requirements for Binding Corporate Rules ("BCRs") to enable the free transfer of data within global organizations to countries outside the EU.  A national supervisory authority would approve BCRs as a means of lawful intra-group data transfer, provided that the BCRs are legally binding and apply to, and are enforced by, every member within the controller’s group of affiliates (including employees) and external subcontractors.  BCRs also must expressly confer enforceable rights on data subjects and fulfill a set of minimum requirements, including specification of their legally binding nature and general data protection principles applicable within the particular group of companies. These requirements would be supplemented by a much more rigid regime of fines for violations.  Standard fines for data privacy violations ranging from 1% to 5% of a company’s annual worldwide turnover have been discussed.  As a result of the extra-territorial application of the draft law, companies located outside the EU also would have to take this into account. On the positive side, implementation of the draft regulation would allow a single EU regime to replace 28 different national data privacy laws with one directly applicable regulation.  The current EU Data Privacy Directive does not have direct effect and, therefore, was implemented by 28 different national laws–which gave rise to differences in scope, interpretation, and enforcement.  
Thus, the new draft regulation also would create a "one-stop shop" for businesses concerned with privacy law compliance, because a company would be able to interact with the various national supervisory authorities through one lead authority.                     b.   Review of Safe Harbor Agreement As discussed above in Section II.A.2, the EU-U.S. Safe Harbor Agreement ("Safe Harbor") enables compliant data transfers between EU Member States and the United States provided that the U.S. company receiving the data adheres to certain minimum data privacy standards.  This adherence is ensured via a process of self-certification.  Following disclosures of extensive collection of EU citizens’ data by U.S. intelligence authorities, the current Safe Harbor regime came under scrutiny by EU policymakers.   Specifically, the EU Commission issued a set of recommendations designed to implement stricter Safe Harbor rules.  The goal is to further increase the level of data protection for EU citizens.  The conflict between data privacy and surveillance activities can be particularly sharp with regard to the Safe Harbor rules, because they contain exceptions for national security purposes.  Hence, personal data legally transferred to the United States may be disclosed by U.S. companies to intelligence agencies on the basis of national security interests. The EU Commission issued recommendations for tightening the Safe Harbor requirements.  The key recommendations are as follows: Privacy policies of self-certified companies as well as the privacy provisions in their agreements with sub-contractors should be disclosed publicly. Privacy policies of self-certified companies should include information about the extent to which public authorities in the United States are allowed to collect and process personal data transferred under the Safe Harbor. 
Data transfers under the Safe Harbor’s national security exception should take place only to the extent strictly necessary and proportionate.  The Department of Commerce should enforce the Safe Harbor framework by means of investigations in order to ensure that self-certified companies comply with privacy standards. The Department of Commerce should inform EU data protection authorities when there are concerns or complaints about an entity’s Safe Harbor compliance. The EU Commission has asked the U.S. Department of Commerce to provide feedback on its proposals.  In the meantime, the European Parliament passed a resolution in March 2014 calling for the immediate suspension of the Safe Harbor regime; this resolution had no immediate legal effect, but it may be indicative of sentiment among European policy makers.  Should negotiations on the EU Commission’s proposed amendments fail, resulting in a suspension of the Safe Harbor, the business community on both sides of the Atlantic could face substantially greater hurdles to compliant cross-border data transfers. Additionally, the European Court of Justice received a request for a preliminary ruling from the Irish High Court on the compatibility of the Safe Harbor framework with Article 8 of the Charter of Fundamental Rights of the EU. Although the Irish court in its June 2014 ruling held that data protection authorities are in principle bound by the Safe Harbor Agreement as long as it remains in place, a review of its compatibility with the Charter of Fundamental Rights was considered necessary by the court. Companies should, therefore, not solely rely on Safe Harbor certifications but initiate additional measures before they transfer data to the US. 
In this context, German data protection authorities recommend, for instance, checking data importer policies for potential conflicts with Safe Harbor principles, verifying whether individuals may exercise information rights, and checking whether onward transfers to third parties are covered by data transfer agreements or sufficient consent requirements.                       c.   Opinions Issued by the Article 29 Working Party The Article 29 Working Party consists of representatives of national data privacy enforcement agencies, the EU Commission, and other EU institutions.  It has an advisory status and is regarded in Europe as an independent opinion leader in EU data privacy enforcement.  The Working Party’s opinions are frequently relied upon as interpretive guidance by national courts and the EU Commission. The Article 29 Working Party also published an opinion that addresses key data privacy risks in the context of mobile apps (WP 202 from February 2013).[76]  It found that mobile apps can raise particular privacy concerns due to their ability to collect large quantities of personal data from a user’s device, including contact information and location data.  The Working Party further wrote that certain data collection without user consent can transgress EU data privacy laws and that mobile apps must provide sufficient information about what data they are processing in order to allow for meaningful user consent. In April 2013, the Article 29 Working Party adopted an explanatory document (WP 204) concerning BCRs for data processors.[77]  These BCRs ensure that data transfers by a data processor who acts on behalf of his clients and in accordance with their instructions are compliant with requirements for the transfer of data outside the EU.  The explanatory document aims at providing further guidance to companies on the required content for data processor BCRs. 
The Article 29 Working Party also adopted an opinion concerning the use of cookies and similar tracking technologies for various purposes (WP 208 from October 2013).[78]  Based on the so-called e-Privacy Directive, 2002/58/EC, the opinion describes a framework for a compliant website across all EU Member States.  In so doing, it places a consent requirement at the heart of relevant compliance measures, recommending that consent mechanisms for cookies include specific information about cookies’ purposes, prior consent (before data processing starts), precise information about how users can actively signify their consent, and the provision of real choice whether to accept cookies. Furthermore, in November 2014, the Article 29 Working Party adopted Guidelines Concerning the Implementation of the European Court of Justice’s ruling regarding the "Right to be Forgotten."[79]  As a key requirement, the Article 29 Working Party demands that delisting decisions be implemented in such a way that they guarantee the effective and complete protection of data subjects’ rights.  Therefore, delisting must not be limited to EU domains but instead must include all relevant domains (e.g., ".com" domains).                     d.   Service Provider Data Breach Notification Obligations In August 2013, Regulation No. 611/2013 came into force.  This regulation seeks to harmonize the standards for notifications of personal data breaches.  A personal data breach is defined under EU law (Directive No. 2002/58/EC) as a breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data processed in connection with the provision of a publicly available electronic communications service in the EU.  A notification obligation is imposed on providers of publicly available electronic communication services, i.e., telecom companies and Internet service providers.  
When a data breach occurs, the affected service provider must notify the competent national authorities within 24 hours of the detection of the breach, where feasible.  In addition, the individuals concerned must be notified without undue delay if the personal data breach is likely to adversely affect the personal data or privacy of the individual.                     e.   Proposed EU Cyber Security Directive In March 2014, the EU Parliament assented to a proposed directive governing network and information security across the EU (the "Proposed Cyber Security Directive").  Among other things, the directive would seek to establish network information security strategies and common requirements for technical and organizational measures relating to IT security risk management.  Another core element of the proposal is an EU data security network that interlinks various authorities carrying out cyber security tasks.  The Proposed Cyber Security Directive also would establish a stricter breach notification requirement for critical infrastructure operators such as energy and transport companies, banks, and health care service providers.  Compliance requirements for businesses would be enforced with audits and inspections, binding instructions, and sanctions.  To become law, the Proposed Cyber Security Directive requires the consent of the EU Member States, which is currently expected to be granted during the course of 2015.  Member States would be granted an additional transition period of approximately 18 months to transpose the Directive into national law.  Currently, the most disputed issues concern the degree of information exchange within an envisaged EU data security network and the exact scope of the law, i.e., which industries in particular should be made subject to relevant obligations.                      f.   
Google Held Subject to EU Data Privacy Law and the Right to Be Forgotten In May 2014, the European Court of Justice held that there is a right to be forgotten that individuals may invoke against operators of search engines.[80]  The case was brought by a Spanish citizen seeking the removal or concealment of information related to him available through the Google/Google Spain search engine.  The search results in question were links to a newspaper article which, 16 years prior, had announced a real estate auction following attachment proceedings for the recovery of social security debts owed by the individual. As a threshold matter, the court cleared the path for the application of EU data privacy law when it held that Google’s subsidiary in Spain qualifies as an "establishment" under the EU Data Privacy Directive, even though the subsidiary has only marketing functions and is not engaged in actual data processing (which occurs outside the EU).  The court held that it is sufficient that the subsidiary is intended to promote and sell, in the Member State in question, advertising space offered by the search engine in order to make the services offered by the search engine more profitable. The court then held that, by means of automatic, constant, and systematic searches for information published on the Internet, the search engine operator collects data within the meaning of the EU Data Privacy Directive.  It further held that activities performed by indexing programs–such as retrieving, recording, organizing, and disclosing information available on the Internet–qualify as data processing as far as personal data of individuals is concerned.  Because the search engine operator determines the purposes and means of these processing activities, the Court considered the search engine operator to be the data controller and the entity responsible for data privacy-related claims of affected individuals.  
As to the actual scope of the right to be forgotten, the court based its judgment primarily on a balance of interests between an individual’s right to privacy and the protection of personal data, on the one hand, and the legitimate interest of the public in having access to that information, on the other.  The outcome of this balancing exercise may vary in individual cases depending on the nature of information in question, its sensitivity for the individual’s private life, and the interest of the public in having the information, which is largely determined by the role played by the individual in public life.  The court also highlighted the importance of the information’s staleness.  Even accurate data may, in the course of time, become inadequate, excessive, or no longer relevant to the public interest; hence, its processing by the search engine operator may become incompatible with the EU Data Privacy Directive.  In such a case, erasure of relevant links and information displayed on the list of search results is logically required by the EU Data Privacy Directive, according to the court. Google responded by establishing a process for EU persons to request the erasure of relevant search results linked to individuals’ names, and it began responding to such requests in June 2014.  Microsoft, which operates its Bing search engine in Europe, followed suit in July by publishing a form that would allow EU persons to request erasure.  The EU’s Article 29 Working Party has requested input from search companies like Google, Microsoft, and Yahoo! to finalize guidelines addressing implementation of the European Court of Justice’s decision.             2.   France In France, the protection of personal data is governed by the Loi Informatique et Libertés of January 6, 1978 (hereafter the "Data Protection Act"), which is implemented by the CNIL, a national agency.  
The Data Protection Act applies to personal data, which is defined as any data allowing for direct or indirect identification of an individual (e.g., name, telephone number, photo, national identification card number, email address, or family status) or covering "sensitive information" (e.g., health, sexual orientation, political affinity, or membership in a trade union).                     a.   International Data Transfers In principle, any transfer of personal data outside of the EU is prohibited unless adequate protection of personal data has been implemented by the recipient of the data.  Because the United States has not been deemed to provide a sufficient level of protection of personal data, the transfer of such personal data outside of France to the United States triggers thorny issues, notably in the context of discovery requests.  In order to be legitimate, transfer of data outside of France must comply with the requirements set forth at the European level which have been implemented under French law.  Indeed, the CNIL deliberation No. 2009-474 of July 23, 2009 organizes the transfer of data to the United States in the context of discovery requests, which must be done either via Binding Corporate Rules, specific contractual clauses or to entities that have been Safe Harbor certified (see Section V.A.1.b).  When transferred to US judicial authorities, the CNIL requires that such authorities issue court orders to ensure a sufficient level of protection of the transferred personal data. The ongoing negotiations of the transatlantic trade and investment partnership (TTIP) between the European Union and the United States raise major concerns in France as to whether such negotiations will cover, and consequently ease, the transfer of personal data.                     b.   CNIL Enforcement Actions In 2014, the CNIL pursued a number of enforcement actions, with several resulting in sanctions of up to €150,000, the maximum amount that may be imposed.
In particular, the CNIL fined Google Inc. €150,000 for failure to comply with the requirements of the Data Protection Act.  In this matter, the CNIL took issue with, among other things, Google’s "potentially unlimited combination of users’ data" across different Google services.  Aware that the fine was insignificant compared to Google’s revenues, the CNIL broadly publicized the fine in an attempt to impact the company’s public image.  Following the investigations performed by EU data protection authorities, the Article 29 Data Protection Working Party decided "to help Google" with its compliance efforts and thus adopted a compliance package of dedicated measures.  This package aims to offer specific and practical measures that could be implemented quickly by Google to meet the requirements of the European data protection framework.  The package was presented to representatives of Google on July 2, 2014, during a meeting held in Paris in the presence of five EU data protection authorities.  In a letter to Google dated September 23, 2014, the Article 29 Working Party indicates that it may also consider issuing guidance on specific issues to the entire industry, at a later stage.   In addition, France has (alongside Germany) urged Google to put an end to its anticompetitive practices and to foster transparency for the ranking of websites.  The two countries seek to have the European Commission issue a more stringent regulatory framework designed to take a tougher line on Google (as well as on the other GAFAs), either in its antitrust investigation into the company or through the introduction of laws to curb its reach.  A draft motion is now calling for the European Commission to consider the "unbundling" of search engines from other commercial services as one possible solution to Google’s dominance, in a similar way to the electricity and gas or telecoms networks.
In theory, unbundling would mean preventing Google’s other commercial services (such as YouTube and Google Shopping) from benefiting from the company’s dominance in search. Other recent CNIL decisions compelled two French banks to comply with the Data Protection Act due to the malfunctioning of their recording system in the National Register of Household Credit (so-called "FICP") and for breach of confidentiality of their clients’ banking data. Over the past two years, the CNIL had indeed recorded several complaints from the banks’ clients arguing that certain payment incidents had been wrongly registered on the FICP, or that they should have been removed from the register. Certain clients also received confidential information about other clients of the banks. One of the two banks was sanctioned by an official warning and the other bank was placed under formal notice to comply with applicable legal requirements.                     c.   Social Networking On November 7, 2014, the French Commission on unfair terms (Commission des clauses abusives) issued a recommendation advocating for the removal of several unfair terms generally included in contracts of so-called "social networking services," notably in connection with data protection.  For instance, it recommends removing clauses according to which the user implicitly agrees to the processing of his/her personal data by the professional, or which organize the transfer of personal data to undesignated third parties, with no need for any formal consent from the user, or which provide for longer retention period than what is provided for by the CNIL, etc.  Interestingly, the Commission on unfair terms claims that the user of social networks still qualifies as a consumer even if such user participates in the functioning of the network (which could thus have resulted in qualifying the user as a service provider).
The Commission also innovates when asserting that the use of so-called "social networking service agreements" is not free, since these agreements rely on the processing of personal data to allow for targeted advertising, which should thus be analyzed as a compensation potentially valuable to the professional.                      d.   Right to Be Forgotten In the aftermath of the decision issued by the Court of Justice of the European Union (CJEU) dated May 13, 2014,[81] which first recognized a "right to be forgotten" on the Internet, French courts have started ruling on delisting requests from plaintiffs seeking protection of their personal data. In a decision dated December 19, 2014, the Paris High Court ruled in favor of a plaintiff who sought to have Google delist an article discussing the plaintiff’s conviction for fraud in 2006, which came up as one of the first results for a Google search on her name. Interestingly, the plaintiff did not seek to have the article itself removed from the Internet, but rather to hinder its availability online, because it jeopardized her job search, and she had already been forced to resign from her electoral mandate following a tip-off from an anonymous source. She also argued that the personal data yielded by the search associated with her name was now inadequate and excessive considering that her conviction was over eight years old.  Finally, the plaintiff asserted that this conviction was not even mentioned on the publicly accessible version of her criminal record. In its decision, the Paris High Court applied the CJEU’s ruling and determined that the plaintiff had legitimate grounds to petition for the delisting of the incriminating search results. It thus ordered Google Inc. to remove the links to the disputed article within ten days. In so ruling, the High Court rejected Google’s argument that the public had a legitimate interest in information about the plaintiff’s conviction.
While several other French courts have urged Google to remove disputed articles because they included discriminatory statements, following the CJEU’s ruling, this decision is the first enforcement of the "right to be forgotten" in France.             3.   Germany                     a.   Regulatory Enforcement and Developments The German courts and data protection authorities also have been very busy recently.  In November 2013, a Berlin court held various clauses in Google’s terms of use and data privacy statements to be void.  In addition, in April 2013, Google was fined approximately €145,000 for the unintended collection of certain data during its Google Street View recording operations. In September 2014, the Higher Administrative Court of Schleswig-Holstein (Schleswig-Holsteinisches Oberverwaltungsgericht) held that operators of Facebook fanpages are not responsible for user data being further processed by Facebook.  The judgment was delivered upon appeal by the regional data protection authority in Schleswig-Holstein which had initially ordered a local chamber of commerce to deactivate its Facebook fanpage.  The Higher Administrative Court rejected the notion that the Facebook fanpage operator had data control, because the fanpage operator had no influence on the technical and legal aspects of the data processing by Facebook itself.  Nor may data control be derived from the fact that Facebook provides statistical information to operators of fanpages.  As a result, the data protection authority did not have the necessary power to order the fanpage operator to deactivate the fanpage. Interestingly, Facebook had already obtained a significant favorable ruling in April 2013 before the same court concerning the applicable data privacy law.  This decision held that the European Facebook network was validly governed by Irish data privacy laws and fell under the competence of the Irish data privacy regulators.
(Facebook’s European headquarters are in Ireland.)  This division of competence also was true with respect to regulations affecting Facebook’s users in Germany and other EU member states.  The Court therefore revoked data privacy orders imposed against Facebook by a German regulator who had requested that Facebook implement a feature through which German Facebook users could anonymously use the Facebook network. In September 2014, the Higher Administrative Court of Lower-Saxony (Niedersächsisches Oberverwaltungsgericht) provided important guidance regarding the practical implementation of CCTV surveillance.  The court balanced the legitimate interests of individuals subject to CCTV surveillance against the CCTV operator’s rights to undisturbed possession of the protected property and legitimate interest of preventing abstract and concrete dangers of crime.  In the case under consideration, the cameras would only turn on if they detected movement, were pointed at a fixed observation area and did not have a zoom function.  Recordings were immediately transferred into a blackbox (no monitor observation) which was itself password-protected and after ten days, any recordings were deleted automatically.  In addition, signs were installed indicating that CCTV was in operation.  Consequently, the court held that the concrete CCTV measures had not severely intruded into the privacy of individuals because it had not been possible to recognize faces or generate movement profiles.  With regard to storage periods, the court also held that a storage period of up to 10 working days instead of just three days as typically requested by German data protection authorities would be reasonable in light of the objective to detect crime and given the potential absence of relevant employees due to holidays.  
In another important decision from August 2013, the Higher Regional Court of Hamm (Oberlandesgericht Hamm) decided that YouTube did not have to remove a video clip revealing information about a German diplomat who had escaped prosecution for causing a car accident in Moscow based on diplomatic immunity.  The diplomat was ultimately sentenced by a German court, and the Higher Regional Court found that, in this case, the public interest in the information outweighed the diplomat’s privacy interests. On the regulatory front in June 2013, the Bavarian data privacy authority fined an employee of a company for using "open" email distribution lists.  The employee had unintentionally sent mass emails to customers disclosing the recipients’ identities in the "to" and "cc" lines of the email, enabling all recipients to obtain personal data (e.g., name and email address information) of other customers, which in the regulator’s view constituted a data privacy violation. Additionally, a data privacy regulator in Lower Saxony prohibited private companies from copying personal identification cards and passports, for data privacy reasons.  This decision was appealed but upheld by the competent appellate court (Administrative Court of Hannover) in November 2013.  Copying customer identification documents is a widespread practice in many industries; if other regulators share the very strict view of the Lower Saxony data protection authority, the results could significantly impact businesses operating in Germany. Finally, in December 2014, the data protection authority of North-Rhine Palatinate closed an investigation concerning alleged data privacy violations by German insurance company Debeka.
The regulator had launched investigations in response to assertions that Debeka employees had illegally acquired personal data and information about public service candidates in order to gather and use the information on prospective insurance clients, without the consent of the individuals concerned.  Debeka agreed to a settlement of €1.3 million and additionally to fund university research on data privacy protection with an additional €600,000.  This fine significantly topped the fine of €1.1 million imposed on Deutsche Bahn in 2009 for the mass screening of 173,000 employees, and is a strong signal that German regulators are willing to rigorously enforce data privacy laws.                     b.   Internal Investigations and Email Reviews On May 27, 2013, the Administrative Court of Karlsruhe (Verwaltungsgericht Karlsruhe) issued an important judgment that brings more certainty into the process of reviewing emails during an internal investigation or in similar circumstances.  Under German law, a provider of telecommunications services may be held criminally liable for certain violations of user data privacy.  Authorities on the subject have debated whether an employer’s review of an employee’s emails violates this provision, which is part of the German Act for Telecommunications Services.  The Administrative Court of Karlsruhe ruled that an employer cannot be classified as a provider of telecommunications services under the Act, because the Act is not designed to regulate the internal relationship between employers and employees.  Despite this ruling, however, it is important to note that hurdles to the review of employee emails remain.  In particular, German data protection laws stipulate that an email review is permitted only if it is necessary and proportionate.  
Moreover, where there is an investigation of an alleged criminal offense, concrete grounds for suspicion must exist with regard to the specific employee whose electronic data is the subject of the review.                     c.   Non-Enactment of EU Directive In April 2014, the European Court of Justice declared EU Directive No. 2006/24 to be incompatible with fundamental human rights.  That directive attempted to harmonize different national laws for the storage of telecommunications data for the purpose of criminal investigations.  The European Court of Justice decided that the storage of communication data as foreseen by the directive disproportionately infringed upon privacy rights.  In particular, the court held that the directive did not sufficiently distinguish between the seriousness of crimes, did not appropriately distinguish between separate data categories for the purpose of determining storage periods, and did not provide for sufficient preconditions for data access by national authorities.  The German government had decided to wait until the European Court of Justice’s opinion was handed down before enacting the directive.  Following the court’s nullification of the directive, there is a debate in Germany about whether a national initiative for the storage of telecommunications data should be pursued.                     d.   Draft Bill on Standing of Consumer Associations in Data Privacy Proceedings The German legislator intends to strengthen enforcement of data privacy laws by allowing consumer rights associations to bring actions for injunction and demand removal of infringements on behalf of consumers.  Relevant changes shall be included in the German Act Governing Collective Actions for Injunction (Unterlassungsklagengesetz–UklaG).  
The draft has been heavily criticized for creating additional burdens for businesses and the risk of parallel decision-making as well as loss of legal certainty, particularly given that consumer protection organizations already often demand deletion of data collected in breach of data privacy laws.  Online service providers might ultimately be required to delete relevant user data even though individual users do not oppose data processing by a particular company.  As of today, it remains in doubt whether and in what form the draft law will eventually be enacted and whether collective enforcement will in fact play a significant role in German data privacy law.             4.   United Kingdom The Information Commissioner’s Office ("ICO") has remained active following a marked increase in activity in 2012, and in July 2014 it was reported that it had received a record number of complaints in the preceding financial year.                     a.   ICO Activity and Enforcement Actions The ICO’s recent activities have included clamping down on unsolicited text messages and calls, and continuing ongoing dialogues on state surveillance in light of the Edward Snowden revelations and recent controversies relating to the NHS’s handling of confidential medical records.  While fines issued by the ICO had previously been limited to local authorities and financial services, in January 2013, Sony’s European subsidiary was fined 250,000 GBP for a "serious breach" of the Data Protection Act 1998 (the "Data Protection Act") for failing to protect the personal details of PlayStation network users.  In 2011, hackers had accessed the names, email and postal addresses, dates of birth and passwords of millions of customers, and the ICO held that the hack could have been prevented if Sony had used more up-to-date software.
In line with its current priorities, in December 2014 the ICO issued a 70,000 GBP fine to the organizers of Manchester’s annual festival for sending unsolicited text messages, and fined a boiler insurance firm 90,000 GBP for continuously making nuisance sales calls to vulnerable people.  In August 2014 it also raided a call center in Llanelli, Wales, suspected of being connected to spam text operations. The ICO recently found that Caerphilly Council in Wales had breached the Data Protection Act in ordering the covert surveillance of an employee suspected of fraudulently claiming to be sick, holding that the council did not have sufficient grounds to undertake the surveillance, particularly as it began only four weeks into the employee’s sickness absence, and that no other measures were taken to discuss the employee’s absence before the covert surveillance commenced.[82] In addition, the ICO recently commented that users of Google Glass (and other similar wearable technology) would be subject to the same rules as CCTV, meaning that in some situations, the Data Protection Act could be breached.  In August 2014, the ICO warned barristers and solicitors to keep personal information secure (particularly paper files) following numerous breaches reported to the ICO involving the legal profession.[83]  Further, in November 2014, Grampian Health Board in Scotland was ordered to take action to ensure better protection of patient information after six data breaches in a thirteen-month period involving the abandonment of papers containing sensitive personal data in public areas.
b.   ICO Best Practice Guidance The ICO issued an updated CCTV Code of Practice, acknowledging that "[s]urveillance cameras are no longer a passive technology that only records and retains images, but is now a proactive one that can be used to identify people of interest and keep detailed records of people’s activities…"  It warned that surveillance cameras should only be used as a necessary and proportionate response to a "real and pressing problem."  In addition, new guidance for drone operators was also issued by the ICO, which stated that drone pilots should protect the privacy of individuals when flying, and that if the drone has a camera, its use could pose a "privacy risk to other people" and be covered by the Data Protection Act.             5.   Other European Nations In November 2014, the Dutch government published the latest in a series of draft proposals for a new law regarding telecom data retention.  This newest proposed bill follows the European Court of Justice’s determination that the European Data Retention Directive (2006/24/EC) was invalid.  In response to the European Court’s judgment, this new proposal introduces several additional requirements for law enforcement agencies to gain access to the retained telecommunications data, although it leaves the existing set of regulations largely intact.  For instance, while telecom data providers would still be required to retain all traffic data falling under the retention obligation for a period of 12 months (telephony data) or 6 months (Internet data), they would now be required to retain all such required data within the Netherlands or another EU Member State.  As for law enforcement agencies, the proposed bill would require them to seek prior authorization from an examining judge before accessing the retained telecom data.
In addition, these agencies would only be able to access telephony data that is more than a year old in connection with investigating crimes for which the sentence is 8 years or more.  Dutch opposition parties have called for the new proposal to be scrapped, and may try to vote on an alternative bill that would revoke the data retention obligation altogether. In another interesting development, the Irish government has sided with Microsoft in the latter’s battle to oppose a US court order demanding access to emails stored in the Microsoft data center in Dublin.  This issue arose at the end of July 2014, when U.S. District Judge Loretta Preska ruled that Microsoft had to give the U.S. Department of Justice access to Outlook.com emails stored on its Irish servers.  Microsoft appealed the ruling, arguing in a filing that the emails "are located exclusively on a computer in Dublin, where they are protected by Irish and European privacy laws." The Irish government has now openly backed Microsoft’s argument, indicating that Microsoft’s provision of this data could seriously compromise international sovereignty and digital privacy.  The Irish government’s submission in the case stated that its lack of participation in the U.S. court proceedings does not constitute a waiver of its sovereignty rights, and that the DOJ should make a request under the Mutual Legal Assistance Treaty as the appropriate mechanism to obtain the information it seeks.  In addition, a European Parliament member from Germany, Jan Philipp Albrecht, submitted a separate filing in the case highlighting the clash between European and US data privacy laws; his submission stated, among other things, that "[t]he refusal of the U.S. Attorney to recognize that the email account at issue is located in a foreign jurisdiction and subject to foreign data protection rules is not only offensive to the sensitivities of European citizens but also reinforces the already strong sentiment of many EU citizens that their data is not ‘safe’ when they use IT services offered by U.S. corporations."
B.   Asia-Pacific Region Data privacy remained in the Asia headlines during the latter part of 2013 and 2014, with record data breaches and fresh legislative action in key markets.  Countries in the Asia-Pacific region also have been active on the legislative front, with many new laws and regulations coming into effect in the past year.             1.   India In the first part of 2014, media reports were swirling that the Central Government was drafting a new data protection bill to significantly beef up its data privacy legal framework.  The purported bill, which has not been made public, is largely focused on providing protections against unauthorized surveillance by both individuals and government agencies.  If made into law, those illegally intercepting private communications sent by others will face significantly increased fines.  The bill takes particular aim at telecommunications companies, providing for suspensions or license revocation for allowing unauthorized interception of communications.  The bill would also create a new agency to enforce the law.[84]  Passage of the bill will also help to assuage recent fears of alleged cyber-snooping by the U.S. government.[85] A major breach in August allowed hackers to break into the Central Government’s National Informatics Centre ("NIC"), the agency charged with building the country’s information and communications technology infrastructure.[86]  The hackers were able to use the NIC’s credentials to issue a series of fake digital certificates.
The incident prompted fears by major IT players such as Microsoft, which wrote to the Indian government to express their displeasure at both the breach and NIC’s response.[87]             2.   China and Hong Kong China’s data privacy regime continues to evolve in an attempt to keep pace with its increasingly tech-savvy citizenry.  For instance, China recently amended its Consumer Protection Law in response to high-profile thefts of customer data.  Among other things, the amendments require business operators to obtain consent prior to the collection and use of consumers’ personal information, to expressly inform consumers of the purposes of the data collection, and to obtain explicit consent prior to marketing to consumers.  The amendments also prohibit businesses from selling consumers’ personal information to others.  The amendments went into effect on March 15, 2014.  On January 17, 2014, China promulgated forty-five implementing regulations for the Law on Guarding State Secrets (the "Regulations").  Many of the Regulations instruct Chinese government agencies on the proper classification and labeling of items designated as state secrets.  The Regulations also mandate that the security mechanisms of enterprises that work on the production, duplication, maintenance, or destruction of state secret carriers, integration of information systems involving state secrets, research or manufacture of weaponry equipment, or other business involving state secrets, shall be subject to review by authorities.  An enterprise engaging in business involving state secrets must further meet certain criteria: it must have been duly established in the PRC for over three years; it must not have a criminal record; and it must use PRC citizens to engage in any business involving state secrets.  
China-based Alipay, which accounts for 61% of the country’s market share for third-party payment companies, apologized to customers in January 2014 after media reported that a former employee confessed to downloading 20 gigabytes of personal information, including customers’ names, email addresses, home addresses, and purchase records.  The former employee allegedly sold the information to e-commerce websites in search of potential customers. In October 2014, China’s Supreme Court issued new judicial interpretations allowing for civil suits against individuals posting personal details on the Internet without the subject’s consent.  The move is widely seen as a response to the "human flesh search engine" phenomenon, where groups of web users search out and post personal details of unpopular individuals.[88]  China also continued to take steps to strengthen its comparatively weak data infrastructure during the latter part of 2014 with the announcement of a communication cable linking Beijing and Shanghai.  The cable, according to media reports, features "quantum encryption" technology, which involves writing encryption codes on single photons of light.  Supporters of the technology call the forthcoming cable "unhackable." China also sent waves through the data privacy community when two corporate investigators were convicted in August of having illegally obtained information about Chinese citizens, including phone records and household registration data, which they subsequently resold to clients.  The investigators, who had purchased the data for clients in connection with their background and due diligence check services, were both sentenced to prison and received fines. Hong Kong’s Office of the Privacy Commissioner for Personal Data ("PCPD") recently published guidance on cross-border data transfers, an area of ambiguity in Hong Kong’s Personal Data (Privacy) Ordinance ("PDPO").  
Currently, the PDPO contains prohibitions on transferring personal data outside of Hong Kong except in cases where (1) the data subject has consented in writing, (2) the destination has in place an adequate data privacy legal framework (as specified by the Privacy Commissioner), or (3) the data user reasonably believes that the destination provides protections similar to the PDPO. The PCPD guidelines provide context to these exceptions, as well as examples and model data transfer agreement clauses. Importantly, the guidelines are considered voluntary as the relevant portions of the PDPO have not yet come into force, but the PCPD states that the guidance "assists organizations to prepare for the eventual implementation" of the provisions.[89]

3.   Japan

On April 30, 2014, Japan signaled its intent to further develop its data privacy regime when it was announced that it had become the third member of the Asia-Pacific Economic Cooperation ("APEC") Cross-Border Privacy Rules System ("CBPRS"). The CBPRS aims to facilitate cross-border data sharing consistent with a set of principles, with the stated goal of optimizing both protection of data as well as transfer efficiency. Japan, which joins fellow APEC members the United States and Mexico as CBPRS participants, was approved for the system after submitting a notice of intent to join and providing assurances that its current data privacy regime is consistent with CBPRS principles.

The latter half of 2014 was marred by record data breaches in Japan. In July 2014, a systems engineer at Benesse Corp., a children’s correspondence education provider, was arrested on suspicion of stealing 10 million customers’ data and reselling it to potentially hundreds of companies.
In August 2014, Japanese authorities discovered that the former engineer had, in fact, stolen an additional 20 million customers’ information, including names, phone numbers and birthdates, prior to his arrest.[90] Further investigation revealed that up to 48 million customers had information compromised as a result of the breach.[91] Following these reports, Japan’s Ministry of Economy, Trade and Industry ("METI") announced enforcement proceedings against Benesse Corp. for violations of the Personal Information Protection Act.[92]

In September, the country’s flagship carrier Japan Airlines reported the possible theft of personal information of up to 750,000 customers. Information stolen by hackers included names, birthdates, addresses and places of work.[93] These incidents have prompted METI to announce forthcoming amendments to data privacy rules.[94]

4.   South Korea

While the South Korean government likely hoped for a reprieve from data breaches that have plagued the country, major issues persisted into 2014. In August, it was revealed that personal details of fully half of South Korea’s population, including full names and national registration numbers, were stolen from online gaming and movie ticket websites. Among other things, the hackers used personal information to buy and sell virtual currency.

On the legislative side, the government sought to respond to demands for increased personal data protection by passing several amendments to the Act on the Promotion of Information Communication Network Utilization. The amendments, which apply to IT service providers such as telecommunications companies and website operators, require businesses to obtain opt-in consent before sending consumers marketing messages, and provide for monetary compensation to victims of lax personal data security. The amendments also raise the amount of potential fines, while simultaneously lowering the liability threshold for data processors.
One particularly notable aspect of the legislation is that it allows for fines of up to 3% of company revenue for violations of data protection laws.

5.   Malaysia

On November 15, 2013, Malaysia published its long-awaited "Personal Data Protection Act 2010." The comprehensive law is modeled after European data protection regimes and contains strict requirements as to consent, notification, and transfer of personal data. One unique aspect of the law is its extraterritorial application. According to the act, data collection occurring outside of Malaysia must comply with the law if that data is intended to be further "processed" in Malaysia. This provision potentially may affect the practices of companies that store data in Malaysia, regardless of where the data is collected. The law and its accompanying regulations also require data processors in several major economic sectors to register with the government and to provide details about their data privacy programs.

A day after Malaysia Airlines Flight MH370 disappeared en route from Kuala Lumpur to Beijing, several government agencies in Malaysia fell victim to a cyberattack, resulting in the loss of classified data from around 30 computers in the Department of Civil Aviation, the National Security Council and Malaysia Airlines. According to media reports, government departments were sent a virus disguised as a news story about the disappearance of the plane. The attack was traced back to Chinese hackers, and halted by CyberSecurity Malaysia.

6.   Singapore

Singapore has recently issued its first comprehensive data privacy law, the Personal Data Protection Act ("PDPA"), with most key provisions coming into effect throughout 2014. The law’s provisions regarding notice, consent, data transfer, and disclosure come into effect on July 2, 2014 and are based on data privacy laws in jurisdictions such as the EU, Canada, Hong Kong, and Australia, as well as OECD guidelines.
While the law imposes strict conditions on the conduct of businesses in their interactions with customers, it contains several exemptions to key provisions where businesses are dealing with their own employees. For example, collection of employees’ personal data does not require consent where "the personal data is collected by the individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship." Consent, use, and disclosure requirements also are relaxed in the context of "investigations," which could include internal investigations conducted by a company in connection with potential violations of law. The Personal Data Protection Commission ("PDPC") has since issued a series of guidelines on PDPA compliance for telecommunications, real estate, social service, education and healthcare sector companies.[95]

As expected, it has not taken long for the financial hub to begin investigating possible violations under the new legal framework. The Personal Data Protection Commission commenced an investigation against Chinese smartphone maker Xiaomi after users complained of receiving unsolicited marketing phone calls,[96] and publicly announced prosecutions against a property salesperson and an education company for violations of the PDPA’s "Do Not Call" provisions.[97]

The government of Singapore also announced in June 2014 that approximately 1,500 online "SingPass" accounts, which contain sensitive personal information and are used by residents to access government services, may have been compromised. The breach came to light when users received unexpected messages from SingPass notifying them that their passwords had been reset. This is one of a series of incidents in a country attempting to get its fledgling data privacy regime off the ground.
Other data privacy breaches in the latter part of 2014 include the leaking of an internal database containing names, phone numbers and identity card numbers of 300,000 customers of a popular karaoke bar chain.[98]

C.   Other International Developments of Note

Canada has also been steadily strengthening its protections for individual data and, correspondingly, regulations on cybersecurity and collection of individual data. For example, Industry Canada–the Canadian governmental department tasked with fostering and enhancing a robust Canadian economy–has issued final regulations under Canada’s Anti-Spam Legislation (CASL). CASL will be implemented in three phases: while the majority of CASL came into force July 1, 2014 (including substantive amendments to the Competition Act and the Personal Information Protection and Electronic Documents Act), the rules that apply to computer programs came into force January 15, 2015, followed by the private right of action on July 1, 2017. Industry Canada has provided interpretive guidance on several issues under CASL, including the definition of a commercial electronic message (CEM), the retroactive application of CASL to express consent obtained before CASL came into force, the application of CASL to IP addresses and cookies, and the interaction between the "unsubscribe" requirement and implied consent.

In addition, as of early January 2015, the Office of the Privacy Commissioner of Canada is launching an effort to determine how advertisers monitor consumers’ online behavior, and whether such advertisers are in fact complying with Canadian privacy laws, and in particular, the Personal Information Protection and Electronic Documents Act (PIPEDA).

Meanwhile in Kenya, citizens and international human rights groups are protesting the proposed Security Laws Bill 2014, which would amend Kenya’s existing anti-terrorism legislation in ways that, according to the concerned citizenry, would seriously impinge upon individuals’ right to basic expectations of privacy and right of free expression. For instance, the bill also would empower Kenya’s National Intelligence Service to intercept and record telephone conversations without a court order. In addition, the new bill would make it a felony punishable by a fine of up to 1 million shillings (or USD $11,000) or three years in jail to distribute "obscene, gory or offensive material which is likely to cause fear and alarm to the general public." Media outlets and journalists who publish or broadcast photographs of terror victims without their consent or permission from the police would also receive a jail sentence of up to three years or a fine of up to 5 million shillings (or USD $55,200), or both, according to the bill. The bill further removes the security of tenure of the inspector general, director general of intelligence and that of the directorate of criminal investigations, which some opponents say will hamper job performance and undermine their independence, making them vulnerable to manipulation by the appointing authority.

Meanwhile, in a spate of data breaches in the Cayman Islands reported in late 2014, hackers gained access to emails with bank transfer details and the overseas thieves were able to transfer money out of accounts from several local banks. Hackers stole more than $300,000 from one victim. Current banking regulations in the Cayman Islands do not require banks (or any other industry players) to tell customers if their data has been compromised by hackers. The Cayman Islands Monetary Authority, which regulates banks, has guidance for banks on cybersecurity, but no actual requirements.
However, new data protection legislation, which has been circulating in the Legislative Assembly for over five years, would add consumer protections and could potentially force banks to notify customers when their data is stolen. In August 2014, the government released a final consultation on the bill, known as the Data Protection Bill, and it could come up for debate in the Assembly again in 2015. The bill, which is based on European Union and United Kingdom regulations from the 1990s, has come under fire for being outdated, confusing, and overly complex, but may nevertheless be important simply by virtue of being the first law requiring banks and other entities to notify consumers about data breach incidents.

Rounding out the efforts to tighten data privacy protections around the world, major attempts to reform privacy law in Australia and New Zealand also got underway in 2014. Australia, in particular, after a decade-long effort, has put in place a set of thirteen principles that regulate the handling of personal information by either Australian governmental entities or certain private entities. The New Zealand government similarly indicated in May 2014 that it intends to reform its privacy laws to include a new requirement to report data breaches to any affected individuals, as well as the NZ privacy commissioner, and hike up fines for violators.

[1] Despite the plaintiffs’ attempts to amend their complaint’s deficiencies, the court again dismissed the VPPA claim more recently, this time with prejudice. In re Nickelodeon Consumer Privacy Litig., No. 12-7829, Opinion (N.D. Cal. Jan. 20, 2015). The court reiterated its earlier holding regarding the VPPA’s specific definition of PII and held that "[n]othing in the amended Complaint changes the fact that Viacom’s disclosure does not – ‘without more’ – identify individual persons." Op. at 5. The court went on to state that plaintiffs’ allegations that Google could take the information it received from Viacom and combine it with other information Google possessed to personally identify the plaintiffs was "entirely hypothetical." Id. at 6.

[2] Kat Greene, 2 Tech-Opposed Consumer Bills Die In Calif. Assembly, Law360 (June 25, 2014), available at http://www.law360.com/articles/551523.

[3] Margaret A. Dale, Capital One to Pay Largest Settlement on Record (Aug. 19, 2014), available at http://www.natlawreview.com/article/capital-one-to-pay-largest-tcpa-settlement-record-0.

[4] Press Release, Federal Trade Commission, Fandango, Credit Karma Settle FTC Charges that They Deceived Consumers By Failing to Securely Transmit Sensitive Personal Information (March 28, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/03/fandango-credit-karma-settle-ftc-charges-they-deceived-consumers.

[5] Id.

[6] Press Release, Federal Trade Commission, FTC Approves Final Consent Settling Charges that Accretive Health Failed to Adequately Protect Consumers’ Personal Information (Feb. 24, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-consent-settling-charges-accretive-health.

[7] Press Release, Federal Trade Commission, FTC Approves Final Consent Orders Settling Charges that Companies Deceptively Claimed Their Genetically Modified Nutritional Supplements Could Treat Diseases (May 12, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/05/ftc-approves-final-consent-orders-settling-charges-companies.

[8] Press Release, Federal Trade Commission, Provider of Medical Transcript Services Settles FTC Charges That It Failed to Adequately Protect Consumers’ Personal Information (Jan. 31, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/01/provider-medical-transcript-services-settles-ftc-charges-it.

[9] Letter from Maneesha Mithal, Associate Director, Federal Trade Commission, to Dana Rosenfeld, Counsel, Verizon Communications, Inc., (Nov. 12, 2014), available at http://www.ftc.gov/enforcement/cases-proceedings/closing-letters/verizon-communications-inc.

[10] Id.

[11] Id.

[12] Id.

[13] Id.

[14] Press Release, Federal Trade Commission, Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False (May 8, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/05/snapchat-settles-ftc-charges-promises-disappearing-messages-were.

[15] Id.

[16] Press Release, Federal Trade Commission, Android Flashlight App Developer Settles FTC Charges It Deceived Consumers (December 5, 2013), available at http://www.ftc.gov/news-events/press-releases/2013/12/android-flashlight-app-developer-settles-ftc-charges-it-deceived.

[17] Press Release, Federal Trade Commission, Medical Billing Provider and its Former CEO Settle FTC Charges That They Misled Consumers About Collection of Personal Health Data (December 3, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/12/medical-billing-provider-its-former-ceo-settle-ftc-charges-they.

[18] Press Release, Federal Trade Commission, FTC Approves Final Order in Case About Google Billing for Kids’ In-App Charges Without Parental Consent (December 5, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/12/ftc-approves-final-order-case-about-google-billing-kids-app.

[19] The FTC also alleged Google, in 2011, failed to require any authorization at all for certain in-app purchases.

[20] Press Release, Federal Trade Commission, Yelp, TinyCo Settle FTC Charges Their Apps Improperly Collected Children’s Personal Information (September 17, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/09/yelp-tinyco-settle-ftc-charges-their-apps-improperly-collected.

[21] Other changes include requiring all telemarketing calls to allow the consumer to opt-out of future calls during the call, limiting permissible abandoned calls on a per-calling campaign basis, and exempting telemarketing requirements for pre-recorded calls to residential lines made by healthcare-related entities governed by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). FCC Guidance at 1831, par. 2.

[22] See Petition for Declaratory Ruling, CG Docket No. 02-278, filed by Consumer Bankers Association on Sept. 19, 2014 (Petition).

[23] See Petition for Expedited Declaratory Ruling, CG Docket No. 02-278, filed by Vo Apps, Inc. on July 31, 2014 (Petition).

[24] See Petition for Expedited Declaratory Ruling, CG Docket No. 02-278, filed by Santander Consumer USA, Inc. on July 10, 2014 (Petition).

[25] See Petition for Expedited Declaratory Ruling, CG Docket No. 02-278, filed by Milton H. Fried, Jr. and Richard Evans on May 27, 2014 (Petition).

[26] See Petition for Expedited Declaratory Ruling, CG Docket No. 02-278, filed by Vincent Lucas on June 18, 2014 (Petition).

[27] See Petition for Expedited Declaratory Ruling, CG Docket No. 02-278, filed by Stage Stores, Inc. on June 4, 2014 (Petition).

[28] See Petition for Expedited Declaratory Ruling and Clarification, CG Docket No. 02-278, filed by TextMe, Inc. on Mar. 18, 2014 (Petition).

[29] See Petition for Declaratory Ruling, CG Docket No. 02-278, filed by the Retail Industry Leaders Association on Dec. 30, 2013 (Petition).

[30] See Petition for Exemption, CG Docket No. 02-278, filed by the American Bankers Association on Oct. 14, 2014 (Petition).

[31] See Letter from Indiana Attorney General Greg Zoeller et al. to Tom Wheeler, Chairman, Federal Communications Commission (Sept. 9, 2014) (Letter).

[32] White House Press Release, "Launch of the Cybersecurity Framework" (Feb. 12, 2014), available at http://www.whitehouse.gov/the-press-office/2014/02/12/launch-cybersecurity-framework.

[33] See Executive Order 13636, "Improving Critical Infrastructure" (Feb. 12, 2013), available at http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.

[34] Id.

[35] NIST, "Framework for Improving Critical Infrastructure Cybersecurity" (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

[36] Id. at 4.

[37] Id. at 7.

[38] Id.

[39] Id. at 11.

[40] Id. at 9.

[41] See NIST, "NIST Roadmap for Improving Critical Infrastructure Cybersecurity" (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf.

[42] Id.

[43] NIST, "2nd Privacy Engineering Workshop" (July 28, 2014), available at http://www.nist.gov/itl/csd/privacy-engineering-workshop-september-15-16-2014.cfm.

[44] NIST, "Privacy Engineering Workshop" (Feb. 13, 2014), available at http://www.nist.gov/itl/csd/privacy-engineering-workshop.cfm; NIST, "2nd Privacy Engineering Workshop" (July 28, 2014), available at http://www.nist.gov/itl/csd/privacy-engineering-workshop-september-15-16-2014.cfm.

[45] "Experience with the Framework for Improving Critical Infrastructure Cybersecurity," 79 FR 50891 (Aug. 26, 2014), available at https://federalregister.gov/a/2014-20315.

[46] See NIST, "6th Cybersecurity Framework Workshop" (Dec. 3, 2014), available at http://www.nist.gov/cyberframework/6th-cybersecurity-framework-workshop-october-29-30-2014.cfm.

[47] See http://www.us-cert.gov/ccubedvp.

[48] NIST, "Update on the Cybersecurity Framework" (Dec. 5, 2014), available at http://www.nist.gov/cyberframework/upload/nist-cybersecurity-framework-update-120514.pdf.

[49] Id.

[50] Id.

[51] Statement of Administration Policy, Executive Office of the President, (Jan. 9, 2014), available at http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/113/saphr3811h20140109.pdf.

[52] Paul Szoldra, Snowden: Here’s Everything We’ve Learned In One Year Of Unprecedented Top-Secret Leaks (June 7, 2014), available at http://www.businessinsider.com/snowden-leaks-timeline-2014-6.

[53] James Bamford, The Most Wanted Man in the World, available at http://www.wired.com/2014/08/edward-snowden/.

[54] Paul Szoldra, Snowden: Here’s Everything We’ve Learned In One Year Of Unprecedented Top-Secret Leaks (June 7, 2014), available at http://www.businessinsider.com/snowden-leaks-timeline-2014-6.

[55] See Bloomberg, NSA Searched Americans’ Email, Phone Calls, Clapper Says (Apr. 1, 2014), available at http://www.bloomberg.com/news/2014-04-02/nsa-searched-americans-email-phone-calls-clapper-says.html.

[56] Germany’s Merkel Under Fire Over NSA Scandal (Oct. 5, 2014), available at http://www.worldbulletin.net/news/145683/germanys-merkel-under-fire-over-nsa-scandal.

[57] Kim Zetter, Feds Threatened to Fine Yahoo $250K Daily for Not Complying with PRISM, (Sept. 11, 2014), available at http://www.wired.com/2014/09/feds-yahoo-fine-prism/.

[58] Craig Timberg, U.S. Threatened Massive Fine to Force Yahoo to Release Data, (Sept. 11, 2014), available at http://www.washingtonpost.com/business/technology/us-threatened-massive-fine-to-force-yahoo-to-release-data/2014/09/11/38a7f69e-39e8-11e4-9c9f-ebb47272e40e_story.html.

[59] Charlie Savage and Jeremy W. Peters, Bill to Restrict N.S.A. Data Collection Blocked in Vote by Senate Republicans, (Nov. 18, 2014), available at http://www.nytimes.com/2014/11/19/us/nsa-phone-records.html.

[60] Julian Hattem, Obama Renews NSA Spying Program After Reform Bill Fails, (December 8, 2014), available at http://thehill.com/policy/technology/226322-obama-renews-nsa-program-after-reform-bill-fails.

[61] Charlie Miller, Revelations of N.S.A. Spying Cost U.S. Tech Companies, (March 21, 2014), available at http://www.nytimes.com/2014/03/22/business/fallout-from-snowden-hurting-bottom-line-of-tech-companies.html.

[62] See also N.Y.S. Div. of Homeland Sec. & Emergency Servs., NYS Breach Notification Law Changes, http://www.dhses.ny.gov/ocs/breach-notification/.

[63] New Jersey is considering legislation which would also expand its data breach notification, which is currently pending in the Senate after clearing the Assembly. H.B. 3146, S. 2188, 216th Leg. (N.J. 2014).

[64] Bills recently proposed in other states would have required companies to offer free credit monitoring to state residents when security breaches exposed those residents’ personal information. Both Rhode Island’s H. 7519, which would have required any "person required to disclose a breach" under Rhode Island’s data breach law, to "provide one year of credit monitoring to any resident of Rhode Island, at no cost to the resident, whose personal information was, or is reasonably believed to have been" compromised, and Minnesota’s H.F. 2253, which would have required companies to provide the same services to residents of Minnesota whose "unencrypted personal information" was compromised, died in committee.

[65] See, e.g., Personal Online Account Privacy Protection Act, H.B. 340, 40th Leg., Reg. Sess. 2014 (La. 2014); H.B. 1407, Reg. Sess. 2014 (N.H. 2014); Act Relating to Education and Labor–Social Media Policy, H.B. 7124 (R.I. 2014); Employee Online Privacy Act, S.B. 1808, H.B. 1852 (Tenn. 2014); S.B. 5211, 63rd Leg., 2013 Reg. Sess. (Wash. 2013); A.B. 2878, S.B. 1915, 215th Leg., 2012-2013 Reg. Sess. (N.J. 2013); see generally Nat’l Conf. on State Legs., http://www.ncsl.org/research/telecommunications-and-information-technology/employer-access-to-social-media-passwords-2013.aspx#2014 (cataloguing legislation regarding employer access to social media usernames and passwords).

[66] See, e.g., No College Requests for Social Media, S.B. 422, 51st Leg., 1st Sess. (N.M. 2013); Act Relating to Education and Labor–Social Media Policy, H.B. 7124 (R.I. 2014).

[67] See also Surveillance Act, S.B. 2937, 98th Reg. Sess. (Ill. 2014) (amends law to prohibit law enforcement use of information obtained from a drone owned by a private individual without a warrant); S.B. 196, 2013-2014 Reg. Sess. (Wis. 2014) (requiring a warrant before law enforcement may use UAS where a reasonable expectation of privacy exists); Freedom from Unwanted Surveillance Act, H.B. 591, S.B. 796, 108th Reg. Sess. (Tenn. 2013) (similar restrictions on use, court admissibility, and creation of a private remedy); Freedom from Drone Surveillance Act, S.B. 1587, 98th Gen. Assemb. (Ill. 2013) (enacting similar restrictions on the use of UAS without a warrant).

[68] At the federal level, Congress has set a deadline of September 2015 for full integration of UAS into its regulations, although a government audit expressed doubts about this deadline being met. See Office of Inspector General, FAA, Report AV-2014-061, FAA Faces Significant Barriers to Safely Integrate Unmanned Aircraft Systems into the National Airspace System (June 26, 2014), https://www.oig.dot.gov/library-item/31975. In July 2014 the Federal Aviation Administration issued a policy consolidating regulations on drone use in federal airspace, without the creation of any new regulations. See U.S. Dep’t of Transportation, N JO 7210.873, Air Traffic Organization Policy, Unmanned Aircraft Operations in the National Airspace System, http://www.faa.gov/documentLibrary/media/Notice/N_JO_7210.873_Unmanned_Aircraft_Operations.pdf. In addition, in June 2014 the FAA issued the first permit for a commercial unmanned aircraft to fly over U.S. soil. Oil company BP will be allowed to conduct aerial surveys over Alaska. See FAA, Press Release–FAA Approves First Commercial UAS Flights over Land (June 10, 2014), http://www.faa.gov/news/press_releases/news_story.cfm?newsId=16354. Other exemptions were subsequently awarded by the FAA, for example to drones used in TV and movie productions with a proper permit. See FAA, Press Release–U.S. Transportation Secretary Foxx Announces FAA Exemptions for Commercial UAS Movie and TV Production (Sept. 25, 2014), http://www.faa.gov/news/press_releases/news_story.cfm?cid=TW251&newsId=17194.

[69] Kamala D. Harris, California Dep’t of Justice, Making Your Privacy Policies Public: Recommendations on Developing a Meaningful Privacy Policy, (May 2014), https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.

[70] The California legislature also is considering a bill that would prohibit online retailers from collecting certain information about their customers. S.B. 383, Reg. Sess. (Cal. 2014). The bill, which has cleared the Senate, is seen as a reaction to the California Supreme Court’s ruling in Krescent, 56 Cal.4th 128 (2013) (holding restrictions on data collection placed on brick-and-mortar business do not apply to online retailers). (We discuss this case in Section I.B.5 above). The bill would allow billing addresses and ZIP codes to be retained only if used to address identity theft and fraud, while also prohibiting selling such data to third parties.

[71] For more information, see Gibson Dunn’s article, "California Tightens Privacy Protection, Part 1 of 2: New California data privacy laws impose restrictions on third-party tracking and data breach notification," (Nov. 18, 2013), available at http://www.gibsondunn.com/wp-content/uploads/documents/publications/SouthwellCaliforniaPrivacyPartOne.pdf.

[72] For more information, see Gibson Dunn’s article, "California’s New ‘Digital Eraser’ Evaporates Embarrassment, Part 2 of 2: New California privacy laws will make it easier for kids to remove inappropriate posts from websites," (Nov. 19, 2013), available at http://www.gibsondunn.com/wp-content/uploads/documents/publications/SouthwellCaliforniaPrivacyPartTwo.pdf.

[73] For more discussion regarding the new cybersecurity proposal, see Alexander H. Southwell, Eric D. Vandevelde, Ryan T. Bergsieker, Stephenie Gosnell Handler & Adam Chen, of Gibson, Dunn & Crutcher LLP, U.S. President Obama Announces Renewed Focus on Securing Cyberspace and Protecting Consumer Privacy, 15 Bloomberg BNA 1, available at http://www.gibsondunn.com/wp-content/uploads/documents/publications/WorldDataProtectionReport-BNA-Jan2015.pdf.

[74] See Sophia Pearson & Andrew Zajac, ‘Guccifer’ Indicted in U.S. for ID Theft, Cyberstalking, Bloomberg (June 12, 2014), available at http://www.bloomberg.com/news/2014-06-12/u-s-indicts-romanian-hacker-guccifer-for-cyberstalking-1-.html.

[75] Bitcoin is a currency created in 2009 that is exchanged without the use of banks, thereby allowing holders of Bitcoin to make purchases anonymously. Bitcoin exchanges allow customers to buy or sell Bitcoins using different currencies. Bitcoin owners can transfer Bitcoins digitally via a computer file that serves as a public ledger called the "block chain."

[76] See WP 202, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf.

[77] See WP 204, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp204_en.pdf.

[78] See WP 208, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf.

[79] See WP 225, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf.

[80] For discussion of the current EU Data Privacy Regulation and the Article 29 Working Party Guidelines concerning the "right to be forgotten," see above at Sections V.A.1.a and V.A.1.c.

[81] CJEU No. C-131/12, Google Spain SL v. Agencia Española de Protección de Datos. See discussion above in Section V.A.1.f.

[82] It is worth noting that the ICO accepts that covert surveillance of employees may be justified as a last resort in exceptional circumstances; the employer should be satisfied there are grounds for suspecting criminal activity (or equivalent malpractice), and that notifying the employee concerned would prejudice detection or prevention.

[83] Barristers and solicitors are generally classed as data controllers, making them legally responsible for the personal information they process.

[84] Gulveen Aulakh, India Proposes to Penalise Invasion of Privacy Offences in Draft Bill, (Feb. 18, 2014), available at http://articles.economictimes.indiatimes.com/2014-02-18/news/47451233_1_personal-data-privacy-bill-draft-bill.

[85] India Increasing Data Protection after US Cyber Snooping, (Dec. 10, 2014), available at http://www.business-standard.com/article/news-ians/india-increasing-data-protection-after-us-cyber-snooping-114121001016_1.html.

[86] See http://www.nic.in/node/41.

[87] Saikat Datta, Security Breach in NIC, Critical Data at Risk, (Aug. 10, 2014), available at http://www.hindustantimes.com/india-news/newdelhi/nic-security-breach-raises-concerns-about-india-s-net-security-practices/article1-1250464.aspx.

[88] Chen Yifei, New Internet Rules Allow Websites to be Sued for Defamation in China, (Oct. 10, 2014), available at http://www.scmp.com/news/china-insider/article/1613890/new-internet-rules-allow-website-be-sued-defamation-china.

[89] PCPD Publishes Guidance on Personal Data Protection in Cross-border Data Transfer, (Dec. 29, 2014), available at http://www.pcpd.org.hk/english/news_events/media_statements/press_20141229.html.

[90] See Benesse Suspect gets Fresh Warrant over Second Data Theft, http://www.japantimes.co.jp/news/2014/08/11/national/crime-legal/benesse-suspect-gets-fresh-warrant-over-second-data-theft/#.VK5StpgcTGg.

[91] Toshio Aritake, Japan Ministry to Amend Data Security Rules As Breached Company Says 48.6M Affected, (Oct. 6, 2014), available at http://www.bna.com/japan-ministry-amend-n17179895732/.

[92] Japan’s Ministry of Economy, Trade and Industry.

[93] Megumi Fujikawa, Japan Airlines Reports Hacker Attack, available at http://www.wsj.com/articles/japan-airlines-reports-hacker-attack-1412053828.

[94] Toshio Aritake, Japan Ministry to Amend Data Security Rules As Breached Company Says 48.6M Affected, (Oct. 6, 2014), available at http://www.bna.com/japan-ministry-amend-n17179895732/.

[95] PDPC Advisory Guidelines, available at http://www.pdpc.gov.sg/legislation-and-guidelines/advisory-guidelines.

[96] Irene Tham, Xiaomi Under Probe over Alleged Privacy Breach, (Aug. 14, 2014), available at http://www.straitstimes.com/news/singapore/more-singapore-stories/story/xiaomi-under-probe-over-alleged-privacy-breach-20140814.

[97] Property Salesperson to be Charged for Breaching the Do Not Call Requirements, (Sept. 22, 2014), available at http://www.pdpc.gov.sg/news/press-room/page/0/year/2014/property-salesperson-to-be-charged-for-breaching-the-do-not-call-requirements.

[98] Irene Tham and Pearl Lee, Personal Data of 300,000 K Box Singapore Clients Surfaces Online, (Sept. 16, 2014), available at http://www.straitstimes.com/news/singapore/courts-crime/story/personal-data-300000-k-box-singapore-clients-surfaces-online-20140.

The following Gibson Dunn attorneys assisted in preparing this client alert: Alexander H. Southwell, Michael Li-Ming Wong, Karl G. Nelson, Joshua A.
Jessen, Michael Walther, James Cox, Michael Adelman, Nicolas Autet, Nathaniel L. Bach, Abbey Barrera, Ryan T. Bergsieker, Jennifer Bracht, Amy Chmielewski, Lyndy Davies, Kai Gesing, Jared Greenberg, Stephenie Gosnell Handler, Hartmut Kamrad, Kyle J. Kolb, Salomé Lemasson, Jeana Bisnar Maute, Tiffany Phan, Henry Pistell, Genevieve B. Quinn, Priyanka Rajagopalan, Reid Rector, Shawn D. Rodriguez, Ashley Rogers, Ilissa Samplin, Danielle Serbin, JP Shih, Jillian Stonecipher, Oliver Welch, Tristan Welham, Amy Wolf, Peter Wu, Adam Yarian, Lindsey Young, Alexander Zbrozek, Zhou Zhou, and Timothy Zimmerman. Gibson, Dunn & Crutcher’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following members of the Information Technology and Data Privacy Group: United States: M. Sean Royall – Co-Chair, Dallas (+1 214-698-3256, sroyall@gibsondunn.com) Alexander H. Southwell – Co-Chair, New York (+1 212-351-3981, asouthwell@gibsondunn.com) Debra Wong Yang – Co-Chair, Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com) Howard S. Hogan – Member, Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com) Karl G. Nelson – Member, Dallas (+1 214-698-3203, knelson@gibsondunn.com) Joshua A. Jessen – Member, Orange County and Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com) Michael Li-Ming Wong – Member, San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com) Ryan T. Bergsieker – Member, Denver (+1 303-298-5774, rbergsieker@gibsondunn.com) Richard H. Cunningham – Member, Denver (+1 303-298-5752, rhcunningham@gibsondunn.com) Eric D. Vandevelde – Member, Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com) Europe: James A. Cox – Member, London (+44 207 071 4250, jacox@gibsondunn.com) Andrés Font Galarza – Member, Brussels (+32 2 554 7230, afontgalarza@gibsondunn.com) Kai Gesing – Member, Munich (+49 89 189 33-180, kgesing@gibsondunn.com) Bernard Grinspan – Member, Paris (+33 1 56 43 13 00, bgrinspan@gibsondunn.com) Alejandro Guerrero Perez – Member, Brussels (+32 2 554 7218, aguerreroperez@gibsondunn.com) Jean-Philippe Robé – Member, Paris (+33 1 56 43 13 00, jrobe@gibsondunn.com) Michael Walther – Member, Munich (+49 89 189 33-180, mwalther@gibsondunn.com) China: Kelly Austin – Member, Hong Kong (+852 2214 3788, kaustin@gibsondunn.com) India: Jai S. Pathak – Member, Singapore (+65 6507 3683, jpathak@gibsondunn.com) Questions about SEC disclosure issues concerning data privacy and cybersecurity can also be addressed to any of the following members of the Securities Regulation and Corporate Disclosure Group: James J. Moloney – Co-Chair, Orange County, CA (949-451-4343, jmoloney@gibsondunn.com) Elizabeth Ising – Member, Washington, D.C. (202-955-8287, eising@gibsondunn.com) © 2015 Gibson, Dunn & Crutcher LLP Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

March 9, 2018 |
D.C. Circuit Applies U.S. Copyright Law to Video Content Streamed from Abroad

On March 2, 2018, the United States Court of Appeals for the D.C. Circuit decided an important case addressing two separate, still unsettled questions about the scope of copyright infringement liability.  See Spanski Enterprises v. Telewizja Polska, S.A., No. 17-7051 (D.C. Cir. Mar. 2, 2018).  In brief, the court held that the defendant infringed the plaintiff’s exclusive public performance right when, without authorization, it made copyright-protected television programming available to stream inside the United States, even though the stream was hosted outside the United States.  This was the first time a federal court of appeals considered whether streaming content originating extraterritorially is subject to U.S. copyright liability.  Separately, though the defendant insisted that it could not face liability unless it “volitionally” selected the content delivered to each user, the court held that operating a video-on-demand system which allowed members of the public to receive a copyright-protected performance constituted copyright infringement. Spanski Enterprises involved a longstanding licensing agreement between Telewizja Polska (TVP), the national broadcasting company of Poland, and Spanski Enterprises, a Canadian corporation in the business of distributing Polish-language programming.  A 2009 settlement agreement between the parties established that Spanski alone could distribute the programming at issue in North and South America, whether over the Internet or otherwise.  TVP continued to distribute its programming everywhere else in the world, including by offering episodes for streaming on its website, but used geoblocking technology to ensure that no IP address associated with North or South America could access any programming to which Spanski held the license.  However, in 2011 attorneys for Spanski discovered that users in North and South America could still access programming that should have been geoblocked.  
Spanski sued TVP for infringement and, after a five-day bench trial, Judge Tanya Chutkan of the United States District Court for the District of Columbia found TVP liable. On appeal, TVP raised two main challenges to the district court’s ruling.  First, it argued that it could not commit copyright infringement because none of its conduct took place within the United States, and the Copyright Act does not apply extraterritorially.  Second, it argued that a defendant only faces copyright liability if its “conduct was volitional.”  Because TVP merely operated an “automatic content delivery system” from which the user “selects the content it will view” without TVP’s involvement in processing that request, TVP insisted it had not violated the law.  The United States filed an amicus brief on behalf of Spanski, urging the court to reject both TVP’s arguments. In an opinion written by Judge Tatel and joined by Judges Griffith and Wilkins, the court of appeals affirmed, holding TVP liable for infringing Spanski’s exclusive rights.  Applying the Copyright Act to TVP’s conduct is not an impermissible extraterritorial application, the Court explained, because “the infringing performances—and consequent violation of Spanski’s copyrights—occurred on the computer screens in the United States on which the episode’s images were shown.”  TVP argued that when a performance originates internationally but is shown to the public within the country, only the domestic viewer was liable for copyright infringement.  The court disagreed, holding that a broadcaster remains liable for “the infringing display of copyrighted images on the viewer’s screen” whenever such a performance occurs “in the United States,” no matter where the broadcaster is located. 
The court also held that an unauthorized performance via a video-on-demand system like TVP’s infringed Spanski’s exclusive rights, even without proof that TVP took a “volitional” act, because TVP made it possible for end users to select copyright-protected content.  The text of the Copyright Act, the court explained, imposes liability whenever a defendant makes it possible for “members of the public” to “receive[] the performance” of copyrighted content.  The court found it unnecessary to decide whether a “volitional conduct” requirement exists at all or how far it extends, holding that TVP’s conduct constitutes infringement “whatever the scope of any such requirement might otherwise be.” In rejecting TVP’s “volitional conduct” argument, the court of appeals relied heavily on the Supreme Court’s 2014 decision in American Broadcasting Cos. v. Aereo, Inc., 134 S. Ct. 2498 (2014).  In Aereo, the Supreme Court held that an intermediary service that automatically captured and retransmitted broadcast television signals infringed the public performance right, even where the end user and not the service selected which content to capture.  The D.C. Circuit concluded that Aereo “forecloses [TVP’s] argument that the automated nature of its video-on-demand system or the end user’s role in selecting which content to access insulates it from Copyright Act liability.”  The court noted that TVP’s video-on-demand service involved TVP itself even more directly in the infringing performances than did the system in Aereo: unlike in Aereo, TVP itself selected and uploaded the content its system made available. Both holdings are important developments.  No other federal court of appeals has yet squarely held that U.S. 
copyright law applies to performances originating internationally that can be viewed inside the United States—though, as Professor Nimmer puts it in his copyright treatise, it requires only “a straightforward application of the statute” to hold that such performances are actionable.   5 Melville B. Nimmer & David Nimmer, Nimmer on Copyright § 17.02 (rev. ed. 2017).  This holding will prevent would-be infringers from evading liability simply by relocating across a border. Separately, though the court refused to decide whether a “volitional conduct” requirement exists, its application of Aereo to TVP’s on-demand system adds fuel to the ongoing debate over the Copyright Act’s scope.  Several courts of appeals, both before and since the Supreme Court’s Aereo decision, have held that the Copyright Act only applies to “volitional conduct.”  BWP Media USA, Inc. v. T & S Software Associates, Inc., 852 F.3d 436 (5th Cir. 2017); Perfect 10, Inc. v. Giganews, Inc., 847 F.3d 657 (9th Cir. 2017); CoStar Group, Inc. v. LoopNet, Inc., 373 F.3d 544 (4th Cir. 2004); Parker v. Google, Inc., 242 F. App’x 833 (3d Cir. 2007).  In its amicus brief, however, the Government argued that Aereo “rejected” a volitional-conduct argument.  Thus, it will be up to future courts to decide the ultimate fate of the defense. Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, or the authors: Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com) Connor S. Sullivan* – New York (+1 212-351-2459, cssullivan@gibsondunn.com) *Prior to joining the firm, Connor Sullivan contributed to an amicus curiae brief filed in this appeal in support of Spanski Enterprises. 
Please also feel free to contact the following practice group leaders: Intellectual Property Group: Wayne Barsky – Los Angeles (+1 310-552-8500, wbarsky@gibsondunn.com) Josh Krevitt – New York (+1 212-351-4000, jkrevitt@gibsondunn.com) Mark Reiter – Dallas (+1 214-698-3100, mreiter@gibsondunn.com) Media, Entertainment and Technology Group: Scott A. Edelman – Los Angeles (+1 310-557-8061, sedelman@gibsondunn.com) Ruth E. Fisher – Los Angeles (+1 310-557-8057, rfisher@gibsondunn.com) Orin Snyder– New York (+1 212-351-2400, osnyder@gibsondunn.com) Appellate and Constitutional Law Group: Mark A. Perry – Washington, D.C. (+1 202-887-3667, mperry@gibsondunn.com) Caitlin J. Halligan – New York (+1 212-351-4000, challigan@gibsondunn.com) Nicole A. Saharsky – Washington, D.C. (+1 202-887-3669, nsaharsky@gibsondunn.com) Technology Transactions Group: David H. Kennedy – Palo Alto (+1 650-849-5304, dkennedy@gibsondunn.com) Daniel Angel – New York (+1 212-351-2329, dangel@gibsondunn.com) Shaalu Mehra – Palo Alto (+1 650-849-5282, smehra@gibsondunn.com) © 2018 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

December 5, 2007 |
Deal Note: Gibson Dunn’s Media & Entertainment Group Represents Vivendi in Proposed Combination of the Businesses of Vivendi Games and Activision

Gibson, Dunn & Crutcher LLP’s Media & Entertainment Group is pleased to announce its representation of Vivendi in connection with the proposed combination of the businesses of Vivendi Games and Activision which will create Activision Blizzard, which will be the largest pure-play video game publisher. The transaction is valued at $18.9 billion. Upon consummation of the transaction, Vivendi will hold a 52% ownership interest in the combined business, which percentage could increase to as much as 68% depending on the results of a post-closing self-tender offer by Activision Blizzard.  The management of both companies hosted a joint conference call and live webcast on Monday, December 3, 2007. An audio replay of the call will be available through December 17, 2007 by calling (888) 203-1112 in the U.S. or (719) 457-0820 outside the U.S. and entering the pass-code: 5648597. In addition, a webcast replay also will be archived on the Investor Relations section of each company’s website.  Gibson Dunn’s team is led by Ruth Fisher, Co-Chair of the firm’s Media & Entertainment Practice Group, and includes Mark Lahive, Mary Ruth Hughes, Kristin Blazewicz and Ciara Stephens for corporate, Hatef Behnia and Afshin Beyzaee for tax, Ron Ben-Yehuda for intellectual property, Sean Feller for employment and employee benefits, and Sandy Pfunder, Joel Sanders and Rebecca Justice Lazarus for antitrust.  Details of this transaction are available on the Vivendi website.    Gibson Dunn’s Media & Entertainment Group comprises talented lawyers across our firm and practice areas who are among the most highly regarded in the converging media, entertainment and technology industries, offering a single "new media" platform that is unmatched in depth and scope among large law firms. 
For additional information on this matter, please contact the Gibson Dunn attorney with whom you work, Ruth Fisher (310-557-8057, rfisher@gibsondunn.com) or Mark Lahive (310-552-8580, mlahive@gibsondunn.com) in Gibson Dunn’s Century City office, or any member of the firm’s Media & Entertainment Practice Group. © 2007 Gibson, Dunn & Crutcher LLP Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

June 13, 2016 |
Drone Privacy: Voluntary Best Practices Released by Multi-Stakeholder Group

Los Angeles of counsel Eric D. Vandevelde and Orange County associate Jared Greenberg are the authors of "Drone Privacy: Voluntary Best Practices Released by Multi-Stakeholder Group" [PDF] published in the June 13, 2016 issue of the Privacy and Security Law Report.

September 19, 2006 |
European Court of Justice Delivers Important Judgment in Laserdisken Case on Interplay Between National and EU Copyright Law

On 12 September 2006, the European Court of Justice (ECJ) delivered an important judgment on the interplay between national and EU copyright law, a judgment which also has implications for the interplay between IP and antitrust in the EU. The Laserdisken case concerned the import and sale in Denmark of DVDs lawfully marketed outside the European Economic Area (EEA). The key legal provision is Article 4(1) of the EU Copyright Directive (2001/29), which enshrines the exclusive right for authors, in respect of the original of their works or of copies thereof, to authorise or prohibit any form of distribution to the public by sale or otherwise. Article 4(2) of the Directive provides that the distribution right is not to be exhausted except where the first sale or other transfer of ownership in the Community of that object is made by the rightholder or with his consent. It follows that for the right in question to be exhausted, two conditions must be fulfilled: first, the original of a work or copies thereof must have been placed on the market by the rightholder or with his consent and, second, they must have been placed on the market in the Community. The ECJ found that: (a) Article 4(2) of the Directive did not leave it open to the Member States to introduce or maintain in their respective national laws a rule of exhaustion in respect of works placed on the market not only in the Community but also in non-member countries; (b) the WIPO Copyright Treaty does not affect the contracting parties’ power to determine the conditions governing how exhaustion of that exclusive right may apply after the first sale; (c) the harmonisation of national copyright laws promotes competition in the internal market; (d) the rule of exhaustion in the Community is not a disproportionate measure in view of the fact that legal protection of intellectual property rights is necessary in order to guarantee an appropriate reward for the use of works and to provide the opportunity for satisfactory returns on investment, and is a way of ensuring that European cultural creativity and production receive the necessary resources and of safeguarding the independence and dignity of artistic creators and performers; and (e) the principle of equal treatment does not apply as between a producer and a licence holder established in a non-member country and a producer and a licence holder established in the Community, since the two are manifestly not comparable. Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn attorney with whom you work or David Wood (+32 2 554 7210; dwood@gibsondunn.com) in the firm’s Brussels office. © 2006 Gibson, Dunn & Crutcher LLP The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

March 14, 2013 |
Federal Trade Commission Updates Online Advertising Disclosure Guidelines; Addresses Mobile Devices and Social Media

On March 12, 2013, the Federal Trade Commission ("FTC") updated[1] its advertising disclosure guidelines for mobile and other online advertisers. The new guidance, .com Disclosures: How to Make Effective Disclosures in Digital Advertising, explains how advertisers can make disclosures "clear and conspicuous" to avoid deceiving consumers. In particular, the guidance addresses the expanding use of mobile devices with small screens and the rise of social media marketing.  In this regard, the guidance includes a helpful appendix of twenty-two illustrative mock advertisements. The guidance emphasizes that the consumer protection laws embodied in the FTC Act apply equally to advertisements across all media, whether those advertisements appear via desktop computer, mobile device, or more traditional media such as print, television, telephone, or radio. Disclosures that are required to prevent an advertisement from being deceptive, unfair, or otherwise violative of an FTC rule must be presented "clearly and conspicuously."  Thus, under the new guidance, advertisers must ensure that disclosures are clear and conspicuous across all devices and platforms that consumers may use to view a given advertisement.  If a particular platform does not provide an opportunity to make clear and conspicuous disclosures, advertisers should avoid that platform when disseminating advertisements that require disclosures. Whether a disclosure meets the clear and conspicuous standard is measured by the disclosure’s "performance–that is, how consumers actually perceive and understand the disclosure within the context of the entire ad."  The guidance points to a number of factors in this regard. 
For example, advertisers should consider: the placement of the disclosure in the advertisement and its proximity[2] to the claim it qualifies; the prominence of the disclosure; whether the disclosure is unavoidable; the extent to which items in other parts of the advertisement might distract attention from the disclosure; whether the disclosure needs to be repeated several times in order to be effectively communicated, or because consumers may enter the site at different locations or travel through the site on paths that cause them to miss the disclosure; whether disclosures in audio messages are presented in an adequate volume and cadence and visual disclosures appear for a sufficient duration; and whether the language of the disclosure is understandable to the intended audience. The new guidance provides a number of warnings and recommendations for advertisers using space-constrained advertisements, such as those appearing on mobile devices with smaller screens and those appearing on social media platforms.  For example, where consumers must scroll in order to view a disclosure, the guidance suggests that advertisers "use text or visual cues to encourage consumers to scroll" to the disclosures.  In addition, the guidance provides a number of considerations for evaluating the effectiveness of using hyperlinks to provide consumers additional information where disclosures are too complex to describe adjacent to the "triggering" claim.  The guidance also suggests that advertisers avoid disclosing necessary information using pop-ups or Adobe Flash because consumer web browsers and mobile devices may be configured to block or otherwise cannot display such content. Importantly, the guidance points out that "[d]isclosures must be effectively communicated to consumers before they make a purchase or incur a financial obligation." 
Thus, "[w]hen a product advertised online can be purchased from brick-and-mortar stores or from online retailers other than the advertiser itself, necessary disclosures should be made in the ad."  Advertisers may not rely on disclosures made by a third-party retailer that is promoted in the ad — even if the ad links directly to those disclosures on the third-party retailer’s website — because consumers may choose to purchase the product from a brick-and-mortar store or other unaffiliated online retailer.  In that case, consumers may not see the disclosures prior to making their purchases.  The same advice applies to "space-constrained ads," including sponsored "tweets."  The guidance further provides that "[i]f the disclosure needs to be in the ad itself but it does not fit, the ad should be modified so it does not require such a disclosure or, if that is not possible, the space-constrained ad should not be used."  Gibson Dunn recommends that companies advertising online carefully review their policies and practices to ensure compliance with the updated FTC guidance.    [1]   The FTC released its initial guidance, entitled Dot Com Disclosures: Information about Online Advertising, over a decade ago, in 2000.    [2]   Although the 2000 guidance defined proximity as "near, and when possible, on the same screen," and stated that advertisers should "draw attention to" disclosures, the new guidance states that disclosures should be "as close as possible" to the claim it qualifies.    Gibson Dunn’s Information Technology and Data Privacy Practice Group has counseled leading businesses across the country on a wide range of privacy and cybersecurity issues, including preventing, anticipating, and responding to security breach incidents, providing guidance on the legal implications of high-priority business actions, and representing clients in matters of privacy-related regulatory scrutiny, litigation, and law enforcement interest.  
The Fashion, Retail and Consumer Products Practice Group includes a team of legal experts who focus on the complex and unique issues facing fashion designers, luxury goods companies, retail companies and manufacturing companies, including a broad range of corporate transactions, litigation, intellectual property, tax and real estate matters. Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you work, or any of the following: Information Technology and Data Privacy Practice Group: S. Ashlie Beringer – Palo Alto (650-849-5219, aberinger@gibsondunn.com) Howard S. Hogan – Washington, D.C. (202-887-3640, hhogan@gibsondunn.com) Karl G. Nelson – Dallas (214-698-3203, knelson@gibsondunn.com) M. Sean Royall – Dallas (214-698-3256, sroyall@gibsondunn.com) Alexander H. Southwell – New York (212-351-3981, asouthwell@gibsondunn.com) Debra Wong Yang – Los Angeles (213-229-7472, dwongyang@gibsondunn.com) Scott H. Mellon – Dallas (214-698-3199, smellon@gibsondunn.com) Fashion, Retail and Consumer Products Practice Group: Lois F. Herzeca – New York (212-351-2688, lherzeca@gibsondunn.com) David M. Wilf – New York (212-351-4027, dwilf@gibsondunn.com) © 2013 Gibson, Dunn & Crutcher LLP Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

May 3, 2016 |
How The Fight For Streaming Royalties Is Going Over The Top

Los Angeles associate Nathaniel Bach is the author of "How The Fight For Streaming Royalties Is Going Over The Top" [PDF] published on May 3, 2016 by Law360.

May 18, 2016 |
India – Legal and Regulatory Update

The Indian economy continues to be an attractive investment destination due to its sustained stable growth and implementation of further liberalization policies by the Government of India ("Government"). The Government’s focus remains on improving the ease of doing business in India and many effective steps have been taken in this direction. Following our nine-month update dated October 21, 2015 (which sets out an overview of key legal and regulatory developments in India from January 1, 2015 to September 30, 2015), this update provides a brief overview of the key legal and regulatory developments in India from October 1, 2015 to April 30, 2016. Key Legal and Regulatory Developments Foreign Direct Investment Policy 1. November 2015 Amendments to the Foreign Direct Investment Policy: On November 24, 2015, the Government effected several important amendments[1] to India’s consolidated foreign direct investment policy ("FDI Policy"). These amendments enable increased levels of foreign direct investment in a number of business sectors and simplify various sector-specific conditions under the FDI Policy. For a detailed analysis, please refer to our client alert dated December 8, 2015 at http://www.gibsondunn.com/publications/pages/Indian-Government-Amends-Foreign-Direct-Investment-Policy-Dec2015.aspx. 2. Foreign Direct Investment in Insurance[2]: Total foreign investment ownership through any means, including portfolio investment, in an Indian insurance company (which includes insurance brokers, insurance third party administrators, surveyors and loss assessors), directly or indirectly (through one or more holding companies), is now permitted up to 49% without the prior approval of the Government ("Automatic Route"). Previously, foreign investment not exceeding 26% was permitted under the Automatic Route and foreign investment beyond 26% and up to 49% required the prior approval of the Government (through the Foreign Investment Promotion Board ("FIPB")). 
Prior approval of the Insurance Regulatory and Development Authority is required in all circumstances where there is any change in shareholding of an Indian insurance company. The ownership and control of an Indian insurance company (including the appointment of the CEO) must remain in the hands of resident Indians at all times. "Control" is defined to mean the right to appoint a majority of the directors on the board of the company or the power to control the management or policy decisions of a company by virtue of shareholding, management rights, shareholders agreements or voting rights agreements. 3. Foreign Direct Investment in Pension Funds[3]: In line with the policy on foreign investment in the insurance sector, the Government has permitted foreign investment in Indian pension funds up to 49% under the Automatic Route. Previously, 26% was permitted under the Automatic Route and foreign investment beyond 26% and up to 49% required the prior approval of the Government (through the FIPB). Foreign investment in the Indian pension sector continues to be subject to the conditions set out in the Pension Fund Regulatory and Development Authority Act, 2013. 4. Foreign Investment in E-Commerce Activities[4]: The Government, on March 29, 2016, has clarified the position on foreign direct investment in e-commerce trading entities and e-commerce market place entities. There is no restriction on foreign investment in companies engaged in B2B e-commerce activities. In respect of companies engaged in B2C e-commerce activities, the key provisions are as follows: (a) E-commerce has now been defined as the buying and selling of goods and services, including digital products, through a digital and electronic network. 
(b) The term ‘digital and electronic network’ has been defined to include a ‘network of computers, television channels and any other internet application used in automated manner such as web pages, extranets, mobiles, etc.’ (c) The Government has drawn a distinction between an ‘inventory-based’ model of e-commerce ("Inventory Model") and a ‘marketplace based’ model of e-commerce ("Marketplace Model"). Inventory Model has been defined as an e-commerce business model where the inventory of goods and services is owned by an e-commerce entity and is sold to the consumers directly. Marketplace Model has been defined as the provision of an information technology platform by an e-commerce entity on a digital and electronic network to act as a facilitator between a buyer and a seller. (d) The Government has clarified that foreign investment of up to 100% is permitted under the Automatic Route in companies that have a Marketplace Model. No foreign investment is permitted in companies that have an Inventory Model. (e) Some of the key conditions that companies operating the Marketplace Model must comply with are: (i) Not more than 25% of the total sales of the company can be undertaken on its marketplace by a single vendor or such vendor’s group companies; (ii) The company is permitted to provide support services to sellers in respect of warehousing, logistics, order fulfilment, call centres, payment collection and other similar services; and (iii) The company cannot directly or indirectly influence the sale price of goods or services and is obligated to maintain a level playing field. While the above clarifications have removed ambiguities in relation to foreign investment in entities engaged in B2C e-commerce activities, there are certain grey areas that have arisen as a result of these clarifications. 
For example, (a) services have now been included within the definition of e-commerce – the presumption earlier was that this only includes goods, (b) there is also no guidance on what constitutes ‘influencing the sale price of goods directly or indirectly’ or how a ‘level playing field’ should be maintained by companies that have a Marketplace Model. Further clarity is required on these aspects.

5. Foreign Investment in Asset Reconstruction Companies[5]: The Government has permitted foreign investment in asset reconstruction companies up to 100% under the Automatic Route. Previously, foreign investment of up to 49% was permitted under the Automatic Route and foreign investment beyond 49% and up to 100% required the prior approval of the Government (through the FIPB).

Insurance

On October 19, 2015, the Insurance Regulatory and Development Authority issued the "Guidelines on Indian Owned and Controlled" Insurance Companies (the "Guidelines") to further clarify the requirements with regard to Indian ownership and control of Indian insurance companies. The Guidelines apply to all Indian insurance companies that receive foreign investment. The Guidelines state that the ownership and control of an Indian insurance company (including the appointment of the CEO) must remain in the hands of resident Indians at all times. "Control" is defined to mean the right to appoint a majority of the directors on the board of the company or the power to control the management or policy decisions of a company by virtue of shareholding, management rights, shareholders agreements or voting rights agreements. For detailed analysis, please refer to our client alert dated October 22, 2015 at http://www.gibsondunn.com/publications/pages/Ownership-and-Control-of-Indian-Insurance-Companies-with-Foreign-Investment.aspx.

Financing

The Reserve Bank of India ("RBI") has promulgated the External Commercial Borrowings ("ECB") Policy-Revised Framework ("Revised Framework").
The Revised Framework lays down a more liberal approach for ECBs, whether they are long-term foreign currency denominated ECBs or Indian Rupee denominated ECBs. The Revised Framework expands the list of eligible borrowers and recognised lenders, and reduces the restrictions on use of proceeds (i.e., end-use of the ECB). The Revised Framework became effective on December 2, 2015 with the publication of the relevant regulatory notifications in the Official Gazette of India. Borrowers were permitted to receive ECBs under the previous ECB regime until March 31, 2016 (if they had already executed the ECB agreement prior to the date of effectiveness of the Revised Framework). Additionally, borrowers that were in negotiations with lenders (at the time the Revised Framework became effective) were also permitted to execute ECB agreements under the previous ECB regime until March 31, 2016 for certain specific purposes such as working capital for airlines, loans for low cost affordable housing projects, etc. For detailed analysis, please refer to our client alert dated January 4, 2016 at http://www.gibsondunn.com/publications/Pages/Reserve-Bank-of-India-Introduces-Revised-ECB-Framework.aspx.

Start-ups

1. The Government launched a new initiative on January 17, 2016 aimed at providing various benefits to start-up companies in India. The following are key provisions in relation to start-up companies:

(a) A "start-up" has been defined to mean an entity incorporated/registered in India (i) for a period of up to 5 years from the date of its incorporation/registration and (ii) its turnover in any financial year has not exceeded INR 250,000,000 (approx. USD 3.67 Million) and (iii) it is working towards innovation, development, deployment or commercialization of new products, processes or services driven by technology or intellectual property.
(b) The Government has clarified that a business would be considered a start-up only if it aims to develop and commercialize (i) a new product or service or (ii) significantly improves an existing product, service or process that will create and add value for customers.

(c) The RBI has made appropriate amendments to its foreign exchange regulations to state that Foreign Venture Capital Investors ("FVCIs") are now permitted to invest in all start-ups, regardless of the sector that the start-up is engaged in. Prior to this amendment, FVCIs were permitted to only invest in a list of permissible sectors. Certain other benefits announced by the RBI for start-ups include (i) transfer of shares with deferred consideration, escrow or indemnity arrangements for a period of 18 months; (ii) simplification of the process for dealing with delayed reporting of FDI; (iii) easing access to rupee denominated loans under the ECB framework; and (iv) easing operational restrictions on overseas subsidiaries of start-ups.

(d) Start-ups are also exempted from certain statutory provisions relating to inspection under certain labour legislations in India by self-certifying compliance with such legislations.

(e) Eligible start-ups (established between April 2016 and March 2019) are entitled to a tax deduction of one hundred per cent of the profits and gains derived by them, for a period of three years, from a business involving innovation development, deployment or commercialisation of new products, processes or services driven by technology or intellectual property.

Real Estate

The Real Estate (Regulation and Development) Act, 2013 ("RERA") was notified on March 27, 2016. RERA seeks to establish a regulatory framework to govern transactions between buyers and promoters/sellers of real estate projects.
It establishes state level regulatory authorities with the objective of (a) ensuring that residential projects are registered, and their details uploaded on the authorities’ website; (b) ensuring that buyers, sellers, and agents comply with obligations under the RERA; and (c) advising the government on matters related to the development of real estate. RERA also imposes a requirement that at least 70% of the funds collected for a particular real estate project from buyers will be invested solely in such project. It seeks to protect buyers by prohibiting advertisements promoting real estate projects which have not obtained all regulatory approvals along with an additional provision for penalties for delay in construction.

Antitrust

On March 4, 2016, the Government, through the Ministry of Corporate Affairs, issued a number of notifications (the "Notifications") which have substantially (a) amended and increased the merger control thresholds, and (b) amended as well as extended the existing target based exemption under the merger control regulations in India for another five years.

1. Target Based Exemption: On March 4, 2011, the Government had introduced a de minimis target based exemption (i.e., based on the valuation of assets or turnover of the target company) which excluded certain transactions from the provisions of Section 5 of the [Indian] Competition Act, 2002 (the "Competition Act") for a period of five years. Transactions that fell below the threshold did not have to be notified to the Competition Commission of India ("CCI"). The Government, through the Notifications, has extended the exemption for another five-year period, i.e., until March 4, 2021. The values of asset/turnover thresholds under this exemption have also been raised.

2. Merger Control Thresholds: Section 5 of the Competition Act sets out the asset and turnover thresholds that are required to be satisfied for a transaction to qualify as a "combination".
A qualifying combination is required to be mandatorily notified to the CCI for prior approval, unless the target based-exemption discussed above is applicable. The Notifications have amended and increased these thresholds. Please refer to our client alert dated March 15, 2016 for more details, including these revised thresholds: http://www.gibsondunn.com/publications/Pages/Indian-Government-Amends-Merger-Control-Regulations.aspx.

Arbitration

The Arbitration & Conciliation (Amendment) Ordinance, 2015 ("Ordinance") was promulgated on October 23, 2015 to introduce substantial changes to the [Indian] Arbitration & Conciliation Act, 1996 (the "Arbitration Act"). The Ordinance was approved by both houses of the Indian Parliament and was published in the official gazette on January 1, 2016 after receiving Presidential assent as the Arbitration and Conciliation (Amendment) Act, 2015 ("Amendment Act"). The primary objective of the Amendment Act is to encourage expeditious resolution of disputes and transparency in arbitration proceedings. The Amendment Act has reformed domestic arbitrations, foreign seated international commercial arbitrations (in so far as the Arbitration Act applies to them) and international commercial arbitrations seated in India by reducing delays and limiting the scope of judicial intervention. For detailed analysis, please refer to our client alert dated November 10, 2015 at http://www.gibsondunn.com/publications/pages/Government-of-India-Amends-Indian-Arbitration-and-Conciliation-Act–1996.aspx.
[1] http://dipp.nic.in/English/acts_rules/Press_Notes/pn12_2015.pdf
[2] http://dipp.nic.in/English/acts_rules/Press_Notes/pn1_2016.pdf
[3] http://dipp.nic.in/English/acts_rules/Press_Notes/pn2_2016.pdf
[4] http://dipp.nic.in/English/acts_rules/Press_Notes/pn3_2016.pdf
[5] http://dipp.nic.in/English/acts_rules/Press_Notes/pn4_2016.pdf

Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding these issues. For further details, please contact the Gibson Dunn lawyer with whom you usually work or the following authors in the firm’s Singapore office:

India Team:
Jai S. Pathak (+65 6507 3683, jpathak@gibsondunn.com)
Priya Mehra (+65 6507 3671, pmehra@gibsondunn.com)
Bharat Bahadur (+65 6507 3634, bbahadur@gibsondunn.com)
Karthik Ashwin Thiagarajan (+65 6507 3636, kthiagarajan@gibsondunn.com)
Sidhant Kumar (+65 6507 3661, skumar@gibsondunn.com)

© 2016 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

December 23, 2014 |
Judicial Campaign Rules Go to Court

Los Angeles partner Blaine H. Evanson and associate Lali Madduri are the authors of "Judicial campaign rules go to court" [PDF] published in the December 23, 2014 issue of the Daily Journal.

October 24, 2018 |
Lessons from FTC’s Loss in, and Subsequent Abandonment of, DirecTV Advertising Case

The Federal Trade Commission (“FTC”) is increasingly focusing on the advertising, data privacy/security, and e-commerce processes of prominent companies marketing legitimate, valuable products and services, as compared to the types of fraudsters and shams that have been a central focus of FTC attention in the past. The FTC’s recently concluded action against DirecTV is emblematic of this trend. In FTC v. DirecTV, the FTC alleged that DirecTV’s marketing failed to adequately disclose that (a) the introductory discounted price lasted only twelve months while subscribers were bound to a 24-month commitment; (b) subscribers who cancelled early would be charged a cancellation fee; and (c) subscribers would automatically incur monthly charges if they did not cancel a premium channel package after a free three-month promotional period. On August 16, 2017, after hearing the FTC’s case-in-chief, Judge Gilliam of the U.S. District Court for the Northern District of California granted judgment for DirecTV on the majority of these claims. And earlier this week, the FTC agreed to voluntarily dismiss the remainder of its case with prejudice.

Gibson Dunn partners Sean Royall and Rich Cunningham and associates Brett Rosenthal and Emily Riff recently published an article titled Lessons from FTC’s Loss in, and Subsequent Abandonment of, DirecTV Advertising Case in the Washington Legal Foundation’s The Legal Pulse blog. The article describes the case, the FTC’s evidence, and key takeaways for companies crafting advertising and marketing disclosures.

Lessons from FTC’s Loss in, and Subsequent Abandonment of, DirecTV Advertising Case

© 2018, Washington Legal Foundation, The Legal Pulse, October 23, 2018. Reprinted with permission.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.
Please contact the authors of this Client Alert, the Gibson Dunn lawyer with whom you usually work, or one of the leaders and members of the firm’s Antitrust and Competition or Privacy, Cybersecurity and Consumer Protection practice groups:

Washington, D.C.
Scott D. Hammond (+1 202-887-3684, shammond@gibsondunn.com)
D. Jarrett Arp (+1 202-955-8678, jarp@gibsondunn.com)
Adam Di Vincenzo (+1 202-887-3704, adivincenzo@gibsondunn.com)
Howard S. Hogan (+1 202-887-3640, hhogan@gibsondunn.com)
Joseph Kattan P.C. (+1 202-955-8239, jkattan@gibsondunn.com)
Joshua Lipton (+1 202-955-8226, jlipton@gibsondunn.com)
Cynthia Richman (+1 202-955-8234, crichman@gibsondunn.com)

New York
Alexander H. Southwell (+1 212-351-3981, asouthwell@gibsondunn.com)
Eric J. Stock (+1 212-351-2301, estock@gibsondunn.com)

Los Angeles
Daniel G. Swanson (+1 213-229-7430, dswanson@gibsondunn.com)
Debra Wong Yang (+1 213-229-7472, dwongyang@gibsondunn.com)
Samuel G. Liversidge (+1 213-229-7420, sliversidge@gibsondunn.com)
Jay P. Srinivasan (+1 213-229-7296, jsrinivasan@gibsondunn.com)
Rod J. Stone (+1 213-229-7256, rstone@gibsondunn.com)
Eric D. Vandevelde (+1 213-229-7186, evandevelde@gibsondunn.com)

San Francisco
Rachel S. Brass (+1 415-393-8293, rbrass@gibsondunn.com)

Dallas
M. Sean Royall (+1 214-698-3256, sroyall@gibsondunn.com)
Veronica S. Lewis (+1 214-698-3320, vlewis@gibsondunn.com)
Brian Robison (+1 214-698-3370, brobison@gibsondunn.com)
Robert C. Walters (+1 214-698-3114, rwalters@gibsondunn.com)

Denver
Richard H. Cunningham (+1 303-298-5752, rhcunningham@gibsondunn.com)
Ryan T. Bergsieker (+1 303-298-5774, rbergsieker@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

October 5, 2017 |
Local Drone Law Preempted in First-of-its-Kind Ruling

Orange County associates Jared Greenberg and Brett Long are the authors of “Local Drone Law Preempted in First-of-its-Kind Ruling,” [PDF] published by The Daily Journal on October 5, 2017.

August 4, 2016 |
Media, Entertainment and Technology Group – 2016 Mid-Year Update

As we cross the mid-point of 2016, Gibson Dunn’s Media, Entertainment and Technology practice group has been reflecting on many of the notable recent deals, cases, rulings, and trends that we have been closely following, and which we expect to continue to shape these industries. From big movements toward consolidation in the cable industry, to regulatory trends, to an active copyright docket (especially in the fair use field), to stakeholders’ new forays into the streaming landscape and the challenges presented to industry groups and copyright holders, the field remains as dynamic as ever and presents ever newer legal challenges and opportunities.

Table of Contents

I. Transaction & Regulatory Overview
    A. Cable Mergers & Acquisitions: A Trend Toward Consolidation?
    B. The Relativity Media Bankruptcy
    C. Net Neutrality Goes to Court Again
    D. Exclusivity Rules for Cable Transmissions
    E. Trans-Pacific Partnership & Effect on the Industry
II. Recent Litigation Highlights
    A. Copyright Litigation
        1. "Fair Use" Goes Front and Center
            a. Authors Guild v. Google, Inc. and Impact on Fair Use Doctrine
            b. Fox News Network, LLC v. TVEyes, Inc.
            c. The "Dancing Baby" Case: The DMCA and Fair Use Assessments
            d. Parody Is Entitled Its Own Copyright Protection (The Point Break Case)
        2. Roundup: A New Stampede of Older Copyright Claims
        3. Copyrightable Subject Matter: New Revelations in an Old Doctrine
    B. Entertainment Litigation
        1. Online Piracy: Two Steps Forward, One Step Back
            a. The MPAA Battles Content Piracy
                (i) Popcorn Time: the "Netflix for Piracy"
                (ii) MovieTube
        2. Profit Participation Lawsuits March On
        3. Developments in Defamation
    C. Right of Publicity
        1. Athletes and Their Avatars
        2. Antitrust Claims Brought by College Athletes
        3. Restrictions on the Use of Likenesses Obtained in Public Places

I. Transaction & Regulatory Overview

A. Cable Mergers & Acquisitions: A Trend Toward Consolidation?

"Bundling" is a term familiar to those in the cable television industry, and indeed it holds a second meaning for those keeping an eye on M&A developments. On July 24, 2015, the Federal Communications Commission approved the $48.5 billion acquisition of DIRECTV by AT&T. In approving the merger, the FCC found it to be in the public interest, despite previous regulatory pressure against similar deals in the recent past.

The AT&T-DIRECTV transaction appears to have signaled the FCC’s receptiveness to approval of expansive media and communications deals, and may have opened the door to other mergers in the media and satellite cable fields. For example, on April 25, 2016, the FCC approved Charter Communications’ proposed $65.5 billion acquisition of Time Warner Cable and Bright House Networks. The FCC’s approval of that deal would pave the way for the creation of the country’s third largest cable provider with approximately 17.3 million subscribers. As in the FCC’s approval of the AT&T-DIRECTV deal, we see in the Charter Communications’ approval examples of what companies can expect from the FCC. Attached to the FCC’s approval of the AT&T-DIRECTV deal were targeted conditions focused on fair access to content, transparency of operations, and investment in fiber-optic infrastructure.
These conditions will remain effective for four years following the closing date of the AT&T-DIRECTV deal. (Disclosure: Gibson Dunn represented AT&T in the acquisition.) In approving the Charter Communications deal, the FCC and DOJ set a number of conditions, including measures seeking to protect streaming video enterprises and ensuring that cheaper broadband can be provided to low-income households. FCC chairman Tom Wheeler stated, "The cumulative impact of these conditions will be to provide additional protection for new forms of video programming services offered over the Internet."[1]

B. The Relativity Media Bankruptcy

After claiming debts totaling $1.2 billion, Relativity Media filed for Chapter 11 bankruptcy on July 30, 2015. During the bankruptcy process, Relativity sold its unscripted television division to a group of its leading creditors. Relativity also settled with other investors leading to a total reduction of $630 million in debt. On Tuesday, February 2, 2016, U.S. Judge Michael Wiles conditionally approved Relativity’s reorganization. The reorganization was conditioned on Relativity proving that it had secured $80 million in new funding and completed deals making Kevin Spacey the studio’s chairman and producer, and Dana Brunetti the studio’s president. Despite the facts that Relativity was unable to hire Kevin Spacey as the studio’s chairman and producer, and that it raised only $75 million in funding, on March 18, 2016, Judge Wiles approved Relativity’s exit plan from bankruptcy. (Disclosure: Gibson Dunn represented a creditor in the bankruptcy.)

C. Net Neutrality Goes to Court Again

The debate surrounding the FCC’s effort to regulate broadband Internet access service providers continues. In March 2015, the FCC released an order that reclassified high-speed Internet as a telecommunications service rather than an information one, thereby subjecting providers to common carrier regulation under Title II of the Communications Act.
The FCC also issued specific rules governing broadband providers’ treatment of traffic.  Pursuant to the FCC’s reclassification, the FCC now has broad authority to regulate broadband providers like public utilities, with general authority to prohibit, among other things, unjust and unreasonable practices and charges.  Following the release of the FCC action, the U.S. Telecom Association, CTIA-The Wireless Association, the National Cable & Telecommunications Association, the American Cable Association, AT&T, and other stakeholders challenged the FCC’s open internet order principally on the bases that the FCC’s reclassification of internet access as a telecommunications service contravenes the Communications Act and was arbitrary and capricious.  These petitioners also challenged the FCC’s reclassification of mobile broadband internet as a common-carrier service.  On December 4, 2015, the Court of Appeals for the D.C. Circuit heard argument, and on June 14, 2016, a divided three-judge panel voted to uphold the FCC’s order.2  (Disclosure: Gibson Dunn is representing CTIA and NCTA in the appeal.) The Court of Appeals had previously ruled twice against the FCC since 2010.  
In 2010, the Court of Appeals ruled against the FCC and in favor of Comcast on the issue of whether the FCC had lawfully sanctioned Comcast in a dispute regarding alleged slowing of Internet access to a popular file-sharing service.3  The court determined that the FCC lacked the requisite authority over broadband services to make the action against Comcast legal.4  The FCC relied upon various provisions of the Communications Act of 1934, which the court held did not support the exercise of ancillary authority over Comcast’s broadband services.5  In 2014, the Court of Appeals struck down the FCC’s attempt to adopt, for the first time, net neutrality rules, determining that the rules violated the Communications Act because they constituted prohibited common carrier regulation (at the time broadband was classified as an information source, which the statute immunizes from such regulation).6 D.    Exclusivity Rules for Cable Transmissions In August 2015, FCC Chairman Tom Wheeler announced the commission’s proposal to eliminate broadcast exclusivity rules.  These rules prevent a cable or satellite company from providing subscribers an out-of-market broadcast station, thereby allowing local stations to carry certain programming exclusively.  Supporters of exclusivity rights argue that the rules are a counterbalance to the compulsory licenses for cable companies.  Licenses ensure operators are able to retransmit programming contained in broadcast signals at set rates.  Proponents of exclusivity rights fear that without these agreements, and the ability to enforce them, cable providers would retransmit programming allowed in one market wherever they want, regardless of local agreements.  Without a similar decision by Congress to end compulsory copyright licenses, broadcasters worry that their bargaining power would be weakened relative to the cable companies.  They warn that the consequences would be programming "blackouts" and a depletion of local programming.  
The FCC and supporters of the proposal argue that the rules in effect worsen TV blackouts and distort the free market, hurting the consumer more by prohibiting the broadcasting of distant signals. Additionally, they argue that broadcasters are able to charge cable companies retransmission fees which are passed on to the consumer. Supporters frequently point to the changed landscape from when the copyright laws were enacted as a reason to eliminate exclusivity. Broadcasters now typically include exclusivity provisions in their contracts. Furthermore, legislation passed in 1992 gave broadcasters the ability to negotiate for retransmission consent, all making the exclusivity rules superfluous and unnecessary.

Senior lawmakers from both parties are moving to block the Commission’s proposal. In October 2015, Senators Chuck Grassley (R-Iowa), Patrick Leahy (D-Vt.), John Thune (R-S.D.) and Bill Nelson (D-Fla.) wrote the Chairman arguing that the FCC risks "disrupt[ing] local television businesses and viewing households" if the agency moves forward with eliminating broadcast exclusivity rules. Senators Chuck Schumer (D-N.Y.) and Dianne Feinstein (D-Calif.) have also come out publicly in opposition to the proposal.[2] In November 2015, Chairman Wheeler defended his proposal in letters posted online. Responding to Congressional criticism, Wheeler argued that the current rules hurt consumers by "prohibiting the importation of distant signals, as well as strengthen the position of broadcasters in retransmission disputes."[3]

E. Trans-Pacific Partnership & Effect on the Industry

Last year, the Trans-Pacific Partnership (TPP) was negotiated between 12 countries which account for more than 40% of U.S. exports. The agreement creates the world’s largest free-trade area, spanning from Chile to Japan.
The final TPP agreement was announced in October 2015, signed on February 4, 2016, and despite well-publicized opposition, a vote may come up in Congress in 2016 (possibly during the lame duck session).  Proponents of the TPP emphasize the benefits of the largest regional trade accord in history, arguing that the agreement will abolish a large number of tariffs currently levied on U.S. exports.  This in turn will allow for better competition in lucrative partner markets, benefiting domestic producers back in the U.S. The service industry is likely to be one of the biggest beneficiaries of the TPP, particularly the software and entertainment sectors.  Motion Picture Association of America ("MPAA") chairman Chris Dodd announced his support for the pact last year:  "Enacting a high-standard TPP is an economic priority for the American motion picture and television industry, which registered nearly $16 billion in exports in 2013 and supports nearly two million jobs throughout all fifty states."[4] Copyright regulations stand to be particularly impacted.  The TPP is expected to adopt the U.S. term of life-plus-70 years for copyrighted films, music and other works.  This would exceed the international standard of life-plus-50 years from the Berne Convention.  The entertainment industry has strongly backed such a change.  Proponents of the new copyright terms argue that the world is moving away from the 50-year standard toward a much longer period that would "reduce friction, help protect content and open up rapidly growing foreign markets."[5]  The TPP would also require signatory countries to adopt the U.S. Digital Millennium Copyright Act Internet Intermediaries copyright regime in its entirety, which would require countries to "establish or maintain a framework of copyright safe harbors" for ISPs.[6]   However, ISPs will not be required to monitor their systems for infringing activity. 
The TPP attempts to bring uniformity to the fight against piracy, which has long been a challenge due to the varied levels of enforcement of infringement in different countries. According to the United States Trade Representative, the pact specifically requires countries to have "strong enforcement systems, including, for example, civil procedures and penalties for commercial-scale trademark counterfeiting and copyright or related rights piracy."[7] Proponents of the uniform enforcement say this will encourage expansion into other markets for U.S. movies, television shows and music. The TPP also eliminates digital tariffs, specifically prohibiting "the imposition of customs duties on electronic transmissions," while at the same time prohibiting countries from "favoring national producers or suppliers of such products though discriminatory measures or outright blocking."[8]

II. Recent Litigation Highlights

A. Copyright Litigation

1. "Fair Use" Goes Front and Center

It has been a particularly fertile period for copyright cases considering fair use issues, with blockbuster cases being heard in the Second Circuit’s trial and appellate courts, and in the Ninth Circuit. The "Google Books" and Fox News v. TVEyes cases can rightly be seen as a pair of companion cases in which the courts have been asked to weigh the rights of creators and copyright holders against transformative uses by companies that claim to offer social utility.

a. Authors Guild v. Google, Inc. and Impact on Fair Use Doctrine

After a protracted ten-year lawsuit, in October 2015, the Second Circuit unanimously affirmed a lower court’s ruling that Google Books, a digital library, is protected by fair use and thereby does not amount to copyright infringement.[9] Launched in 2004, Google Books is an ambitious project that seeks to scan every book in existence by working with participating libraries.
Google then makes those books searchable and provides short excerpts of the content while providing information for where consumers can purchase a full-length version.  In 2005, the Authors Guild sued Google.  The parties agreed to a $125 million settlement in 2008, but the District Court rejected the proposal in 2011, finding that it was unfair to class members and would grant Google a "de facto monopoly."[10]  In 2013, the District Court granted summary judgment in favor of Google, finding a fair use, and the Authors Guild appealed.  At issue in the appeal were (i) the user’s ability to search a book’s text under the Google Books system and (ii) the user’s ability to view the excerpts.  The Court of Appeals reasoned, in an opinion by Judge Pierre Leval, that "Google’s making of a digital copy to provide a search function is a transformative use, which augments public knowledge by making available information about Plaintiffs’ books without providing the public with a substantial substitute for matter protected by the Plaintiffs’ copyright interest in the original works or derivatives of them."[11]  Judge Leval noted that "while authors are undoubtedly important intended beneficiaries of copyright, the ultimate, primary intended beneficiary is the public, whose access to knowledge copyright seeks to advance by providing rewards for authorship."[12] The Court recognized that Google’s intended use of the scanned content may be for commercial purposes, but weighed that concern against the other statutory fair use factors.  The court concluded that "[t]he purpose of the copying is highly transformative, the public display of text is limited, and the revelations do not provide a significant market substitute for the protected aspects of the originals.  
Google’s commercial nature and profit motivation do not justify denial of fair use."[13]

At a recent IP conference attended by Gibson Dunn attorneys, Judge Leval commented on the case and how the Second Circuit’s Authors Guild decision may have impacted application of the fair use doctrine. Asked about whether the 4-factor fair use test has collapsed into the "transformative use" factor that Judge Leval articulated, he demurred and said that if it has, then such a judicially created result would be a mistake, and reiterated the continuing importance of the economic factor (i.e., the effect of the use upon the potential market). Judge Leval speculated that if the Authors Guild panel had found that the service had made the scanned works fully free to all (rather than only providing excerpts), for example, the court might have reached a very different result. The Second Circuit’s decision is likely to be cited by research institutions that copy or make other uses of copyright-protected works. The opinion suggests that where an unauthorized work has such an overwhelming public benefit or utility, courts will be more willing to find a transformative value. On April 18, 2016, the Supreme Court denied (with no noted dissents) the Authors Guild’s petition for a writ of certiorari.[14]

b. Fox News Network, LLC v. TVEyes, Inc.

While Authors Guild attracted most of the attention in the fair use arena, another case considered similar issues in the television context, and may provide the first indications of how Authors Guild will impact the fair use doctrine going forward. In 2013, Fox News sued the media-monitoring service TVEyes–a tool used by journalists, politicians and companies to track cable news programming–for copyright infringement. TVEyes records approximately 1,400 television and radio stations and charges users a flat fee of $500 a month for a searchable index of real-time clips.
In September 2014, the District Court for the Southern District of New York granted a partial summary judgment to TVEyes, holding that the indexing and excerpting functions of TVEyes were transformative uses and thus protected under the fair use doctrine.[15]  The Court denied judgment–and granted Fox News further discovery–with respect to TVEyes’ other functions, including tools allowing users to archive, download, and share videos as well as to search for clips. In May 2015, CBS Studios, NBCUniversal, CNN, Bright House Networks and News 12 Networks filed an amicus brief in support of Fox News’ motion for summary judgment on the remaining issues, arguing that TVEyes "systematically records content from over a thousand television channels, and charges subscription fees to its customers in exchange for distributing to them massive amounts of content it has neither created nor licensed."[16]  The amici also criticized the court’s September 2014 ruling, claiming the service "undermines the value of television news" and "encourages the mass appropriation of news that was created at great cost, and sometimes risk, while at the same time eviscerates copyright owners’ greatest commodity: control over content."[17] In August 2015, the District Court entered a second summary judgment order, resolving the remaining issues as to liability.  
Importantly, the court held that TVEyes’ downloading, sharing and searching by date and time functions were not protected fair use.[18]  Although the court acknowledged that sharing clips can facilitate access for news reporting, commentary, criticism, teaching, scholarship, and other permitted uses under the Copyright Act, TVEyes lacked sufficient protections to "prevent indiscriminative sharing" and "risks becoming a substitute for Fox’s own website, thereby depriving Fox of advertising revenue."[19]  Rather, the court found that TVEyes "must develop protocols to reasonably assure that, when subscribers share video clips, they do so consistent" with the principles of fair use.[20]  In addition, on the issue of downloading clips, the court held that while "TVEyes is transformative because it allows users to search and monitor television news," "[d]ownloading [unlimited clips] also is not sufficiently related to the functions that make TVEyes valuable to the public, and poses undue danger to content-owners’ copyrights."[21]  The court did find that the archiving function was a fair use, reasoning as follows: Democracy works best when public discourse is vibrant and debate thriving.  But debate cannot thrive when the message itself disappears after airing into an abyss.  TVEyes’ service allows researchers to study Fox News’ coverage of an issue and compare it to other news stations; it allows targets of Fox News commentators to learn what is said about them on the network and respond; it allows other media networks to monitor Fox’s coverage in order to criticize it.  
TVEyes helps promote the free exchange of ideas, and its archiving feature aids that purpose.[22] In November 2015, the court issued a broad permanent injunction that would have banned users from downloading Fox News Channel or Fox Business News clips; viewing such content by searching by date and time; and sharing video clips on social media websites.[23]  The order further limited TVEyes users to emailing clips to no more than five recipients, and then only from a registered work email address.[24]  Fox News had requested a more extensive injunction with additional limitations on use of its clips, including barring the emailing of clips until 72 hours after the original telecast, expiration dates for clips, and the requirement that all clips contain a watermark. The parties then agreed to appeal the injunction ruling to the Second Circuit, staying part of the injunction for the time being.  Unsurprisingly, TVEyes’ opening appellate brief cites heavily to the Second Circuit’s Authors Guild decision, including for the proposition that TVEyes’ various functions are transformative uses with significant public benefit.  Fox News indicated its intent "to cross-appeal to address the Court’s refusal to enter an injunction with a broader scope."[25] c.    The "Dancing Baby" Case:  The DMCA and Fair Use Assessments Eight years ago, Stephanie Lenz posted a 29-second video of her thirteen-month-old son on YouTube.  The toddler danced, clumsily, in the family kitchen while the late, great Prince’s "Let’s Go Crazy" played in the background.  Upon receiving Universal Music Group’s ("UMG") Digital Millennium Copyright Act ("DMCA") takedown request, YouTube removed the video, and after two rounds of protests and counter-requests, Lenz sued UMG under 17 U.S.C. 
§ 512(f) for "knowingly" misrepresenting that her video infringed copyright.[26] On September 14, 2015, the Ninth Circuit issued its ruling that a copyright holder must assess whether the allegedly infringing work is a fair use before issuing a takedown notice under the DMCA.[27]  While the Ninth Circuit ruled for Lenz, it did not issue the sweeping ruling that some advocates sought to counter what they view as improperly aggressive steps to remove even non-infringing material from the web.  Rather, the Court of Appeals held that in considering whether Lenz’s use was "authorized" under the DMCA, UMG had to consider in good faith whether Lenz’s video was authorized by the fair use doctrine.[28]  The Court of Appeals noted that while fair use is often considered to be an affirmative defense because it is expressly authorized by the Copyright Act, a copyright owner must consider it before serving a DMCA takedown notice. In response to concerns regarding the workability of a hosting service conducting such a fair use determination, the opinion stated that such an analysis need not be an onerous or even an objective undertaking.  
Rather, the Court of Appeals held that the copyright holder need only reach a subjective good-faith belief that their copyright has been infringed: "If []a copyright holder forms a subjective good-faith belief the allegedly infringing material does not constitute fair use, we are in no position to dispute the copyright holder’s belief even if we would have reached the opposite conclusion."[29]  According to the opinion, UMG would face liability if it misrepresented that "it had formed a good faith belief the video was not authorized by the law, i.e., did not constitute fair use," but that a jury would have to weigh such a determination.[30]  At the end of the day, the bar for copyright holders appears relatively low: they need only formulate a good faith belief that the material does not constitute fair use, and only if they either fail to consider fair use (or misrepresent such consideration) would liability attach under 17 U.S.C. § 512(f).  On March 17, 2016, the Ninth Circuit refused to rehear the case, but did make some amendments to its September 14, 2015 opinion.[31]  Notably, the court removed from its amended opinion a passage addressing the burden on the copyright holder, which had stated that a "copyright holder’s consideration of fair use need not be searching or intensive," and had also noted the "pressing crush of voluminous infringing content that copyright holders face in a digital age."  The amended opinion also removed dicta that could have been used to validate the use of automated enforcement programs; the original opinion stated that the implementation of such programs "appears to be a valid and good faith middle ground for processing a plethora of content while still meeting the DMCA’s requirements to somehow consider fair use."[32] d.    
Parody Is Entitled to Its Own Copyright Protection (The Point Break Case) The Second Circuit handed down another significant ruling in November 2015, regarding whether a creator of an unauthorized work, protected by fair use, may hold its own copyright in that unauthorized work.  In Keeling v. Hars, the court affirmed a lower court’s ruling and found that a parody can itself be entitled to copyright protection where it adds sufficient originality.[33]  The case involved Point Break Live!, playwright Jaime Keeling’s theatrical adaptation of the 1991 film Point Break.  While the parody "parallel[ed] the character and plot elements from Point Break and relie[d] almost exclusively on selected dialogue from the screenplay," the adaptation "added jokes, props, exaggerated staging, and humorous theatrical devices to transform the dramatic plot and dialogue of the film into an irreverent, interactive theatrical experience."[34]  The tongue-in-cheek nature of Point Break Live! is summed up by the fact that each production of the play includes the random selection of an audience member to play the part of Keanu Reeves’ character–"thereby lampooning Reeves’s reputedly stilted performance in the movie."[35]  Defendants had executed a production agreement with plaintiff for a two-month run of Point Break Live!, but continued to produce the play after its initial run for an additional four years without paying Keeling; so she registered a copyright in the parody and filed suit.  At the December 2012 trial, the jury returned a $250,000 verdict in Keeling’s favor, finding that her use of the material from Point Break was fair use and that defendants infringed her copyrighted parody.  Defendant Hars then appealed, claiming that Keeling’s parody was an unauthorized derivative work and thus was not entitled to copyright protection as a matter of law. 
The Second Circuit rejected Hars’ arguments and held that the Copyright Act made clear that "an unauthorized but lawful fair use employing preexisting copyrighted material may itself merit copyright protection" when there is sufficient originality in the derivative work.[36]  Invoking the Supreme Court’s ruling in Feist Publications, Inc. v. Rural Telephone Service Co., Inc., 499 U.S. 340 (1991), the appeals court held that Keeling was entitled to copyright protection for the way she selected, coordinated, and arranged the elements of her work to create a new parodic meaning.[37] What was most striking about Keeling was its unusual procedural posture.  As the court noted, "[t]ypically, fair use is invoked as a defense against a claim of copyright infringement brought by the source-material rightsholder.  Here, however, Keeling invoked the fair-use principle to establish an affirmative claim against defendants."[38]  The Second Circuit has thereby broadened the scope of the fair use doctrine and now permits plaintiffs to use it as a "sword" to litigate fair use as the basis for an affirmative claim for copyright infringement. 2.    Roundup: A New Stampede of Older Copyright Claims We continue to see fallout from the Supreme Court’s unexpected 2014 decision in Petrella v. Metro-Goldwyn-Mayer, Inc. (i.e., the "Raging Bull" case), which held that laches is not an applicable defense to allegations of copyright infringement.  In that case, the plaintiff brought a claim for alleged infringement of a 1963 screenplay written by her father based on acts alleged to have occurred in 2009, in connection with DVD distribution of Raging Bull, a film released in 1980.  
Taking up the issue of whether the plaintiff had delayed too long in bringing her claim, the Supreme Court wrote, "[W]e have never applied laches to bar in their entirety claims for discrete wrongs occurring within a federally prescribed limitations period."[39]  (Disclosure: Gibson Dunn represented MGM at the Supreme Court.)  Following the decision, critics warned that the decision would encourage plaintiffs to lie in wait as their infringement actions increase in value.  And indeed, we have recently seen copyright plaintiffs bringing claims premised on decades-old art. For example, Led Zeppelin’s 1971 song "Stairway to Heaven" was released 45 years ago, but members of Led Zeppelin faced a 2016 jury trial in Los Angeles regarding whether aspects of "Stairway to Heaven" were substantially similar to a little-known 1968 recording titled "Taurus" by the band Spirit.[40]  On June 23, 2016, the jury returned a verdict in favor of Led Zeppelin, finding that although the band might have heard "Taurus" before writing "Stairway" (the two bands toured together), the two songs were not extrinsically similar.  The "Stairway" lawsuit followed another high-profile copyright case of song similarity, last year’s "Blurred Lines" case–which pitted Pharrell Williams and Robin Thicke against the heirs of Marvin Gaye.[41]  In that case, Gaye’s heirs cross-claimed against Williams and Thicke for infringing Marvin Gaye’s "Got to Get it Up" in their hit song "Blurred Lines."  Unlike in the "Stairway" trial, a jury agreed that the songs were substantially similar, awarding almost $7.4 million to Gaye’s heirs.  After the verdict, a juror admitted that testimony from the Gaye heirs’ expert witness, who testified about a "constellation" of non-coincidental similarities between the works, was highly influential to the outcome.  
While these copyright claims were premised upon older acts, recent legal music news also includes a California federal judge’s dismissal of a lawsuit against Jay Z over the 1999 anthem "Big Pimpin’," which was premised solely on infringement of moral rights.[42]  Electronic DJ Deadmau5 filed a lawsuit soon thereafter, in Canada, against his former manager over unauthorized remixes, which is also premised almost entirely on infringement of moral rights (which are broader in Canada than the U.S.).[43]  Last year, Dr. Dre was sued for charges that–26 years ago–he improperly sampled portions of an obscure track in the making of NWA’s "If It Ain’t Ruff."[44]  And Warner recently faced claims for licensing fees dating back to 1949 regarding the song "Happy Birthday to You."[45] Looking at these cases together, Gibson Dunn partner Mark Perry was correct when he warned the Supreme Court at oral argument in the Raging Bull case that if laches was not recognized as an applicable defense in the copyright context, courts would see a number of seemingly stale claims filed over older art.  It would seem likely that this trend will continue. 3.    Copyrightable Subject Matter: New Revelations in an Old Doctrine Over the past year, several key copyrightability controversies came to the fore.  In an important case, a majority of the Sixth Circuit approved a copyright suit premised on a competitor’s use of some of the elements of the cheerleading outfits below.[46]   Weighing in on the issue of whether clothing designs are copyrightable, the court determined that the stripes and chevrons were not "utilitarian aspects of the article," under 17 U.S.C. 
§ 101, and thus the maker could hold a valid copyright in the design.[47]  On May 2, 2016, the Supreme Court agreed to take up the case.[48] In a related decision, the Eleventh Circuit found a valid copyright in a laminate flooring design that was made to look "aged and rustic," and the Supreme Court later denied certiorari.[49] Recently, the Batmobile was also held to be a copyrightable character, and the Supreme Court declined to take up the matter, handing DC Comics a victory.[50]  But a few things have recently been deemed non-copyrightable as well: for one thing, a district court confirmed that copyrights subsist only in human artists, not primates, dismissing Naruto the monkey’s claim that he owned the selfie taken with a wildlife photographer’s camera.[51]  Also, the Ninth Circuit ultimately found that a copyright does not subsist in an actress through the reading of her lines.[52]  And it was determined that Yoga poses are uncopyrightable ideas or systems,[53] as are chicken sandwich recipes.[54] B.    Entertainment Litigation 1.    Online Piracy: Two Steps Forward, One Step Back In the wake of the internet piracy boom, ISPs and copyright owners settled upon a notice and tracking system, designed to shut down repeat infringers.  In essence, music labels identify putative piracy on the part of individual internet users and send notices to the associated ISP, which is supposed to take increasingly severe action to halt the infringement.  And ISPs have been targeted for an alleged unwillingness to take on the role of piracy enforcer.  But a jury verdict in December 2015 indicates the risk to ISPs.  In that case, Cox Communications allegedly "ripp[ed] up" 7.62 million notices of piracy that it had received from record labels, which demanded "settlement payments" or account suspension.[55]  Cox claimed that the entire system was flawed by reliance merely on the IP address of the putative pirate, and thus, it refused to take part in the labels’ "scheme."  
The Virginia federal jury sided with the labels, ordering Cox to pay $25 million.[56] On the other hand, 2015 brought a court-imposed end to the partnership between copyright owners and the International Trade Commission ("ITC") in the fight against internet piracy.  In 2014, the ITC began blocking the "importation" of pirated media, concluding that digital data transmissions were "articles" within the meaning of 19 U.S.C. § 1337(a).[57]  The Federal Circuit reversed that decision in November 2015, with a majority concluding that "there is a fundamental difference between electronic transmissions and ‘material things.’"[58]  Notwithstanding the deference due the ITC’s interpretation under Chevron, U.S.A., Inc., v. Natural Resources Defense Council, Inc.,[59] "commonsense dictate[d]" that the ITC cannot get involved in blocking piracy.[60]  a.    The MPAA Battles Content Piracy Content piracy remains a pressing issue in the entertainment industry and has resulted in several lawsuits in the United States and internationally.                                  (i)    Popcorn Time: the "Netflix for Piracy" The MPAA has recently succeeded in bringing international legal actions against next-generation torrent site Popcorn Time, an application dubbed the "Netflix for piracy" that allowed viewers to stream pirated movies and television shows, and its derivatives.  The developers of Popcorn Time shut down their website in March 2014, under pressure from the MPAA.  However, several copycat versions of the site have since popped up, such as Popcorn Time IO, Flixtor, and others.  The original developers have endorsed these sites. In April 2015, the MPAA persuaded the United Kingdom’s High Court of Justice to issue website-blocking orders against several Popcorn Time websites.[61]  The court reasoned that "[t]he Popcorn Time application is the key means which procures and induces the user to access the host website and therefore causes the infringing communications to occur.  
The suppliers of Popcorn Time plainly know and intend that to be the case. They provide the software and provide the information to keep the indexes up to date."[62]  The court then held that "the suppliers of Popcorn Time have a common design with the operators of the host websites to secure the communication to the public of the claimants’ protected works, thereby infringing copyright."[63] In October 2015, the MPAA won an injunction from the Canadian courts, ordering the shutdown of the Canadian operation of popcorntime.io.  That same month, the MPAA also obtained a preliminary injunction from a New Zealand court against the operator of YTS, another torrent site that provides movie content, shuttering the site.  About the MPAA’s campaign against such sites, Chairman Chris Dodd said, "This coordinated legal action is part of a larger comprehensive approach being taken by the MPAA and its international affiliates to combat content theft.  Popcorn Time and YTS are illegal platforms that exist for one clear reason: to distribute stolen copies of the latest motion picture and television shows without compensating the people who worked so hard to make them."                                  (ii)    MovieTube In November 2015, the MPAA additionally obtained a final default judgment of $10.5 million against the anonymous operators of the MovieTube website.  Like Popcorn Time, MovieTube is an Internet streaming service that has posted full-length films such as Avengers: The Age of Ultron prior to their U.S. theatrical release.  The MPAA sued the "John Doe" operators of the MovieTube sites in July 2015 for copyright and trademark infringement.  
The complaint originally called for a sweeping preliminary injunction against "third parties used in connection with any of the MovieTube websites," including website providers and social-media platforms.[64]  In response to such broad-based relief, Google, Yahoo, Facebook, Twitter and Tumblr filed a joint amicus brief in August 2015, accusing the MPAA of trying to "resurrect" the Stop Online Piracy Act, which caused a well-publicized backlash in 2012.[65]  The MPAA swiftly withdrew its demand for a preliminary injunction, and instead requested a permanent injunction and $10.5 million.  When the "John Doe" defendants failed to respond to the complaint, the District Court for the Southern District of New York granted the MPAA’s motion.[66]  The filing of lawsuits seeking to permanently enjoin websites like MovieTube continues to be a successful strategy for the MPAA in its efforts to curtail content piracy.  However, the answers to the questions of whether the anonymous perpetrators will ever be held to account and who might ultimately be liable for the infringement remain unknown.  Even though litigation may be the only avenue for content providers to collect on lost revenues, it seems unlikely that they will be able to do so unless better methods are devised to identify these anonymous figures.  Until that time, content providers’ efforts may continue to resemble a high-stakes game of "Whack-a-Mole" as new sites pop up to replace the old ones. 2.    Profit Participation Lawsuits March On In an era in which content has become king, unsurprisingly the battles over the profits from successful films and shows continue, primarily in California and New York state courts.  The creator of the AMC television series The Walking Dead and the producers and stars of the Fox television series Bones brought two of the highest-profile profit participation suits over the past year.  
And as the explosion of content continues across cable and streaming platforms, we expect that profit participation lawsuits will continue to be brought by Hollywood talent and producers. The creator of The Walking Dead, Frank Darabont, brought suit against AMC, claiming that it owes him millions of dollars after he was ousted as showrunner from the hit series to which he claims he gave life.  In 2013, immediately after AMC fired him, Darabont filed suit in New York state court alleging breach of contract, wrongful termination, and other claims.  Darabont amended his complaint in August 2015 to add an allegation that his profit participation had been wrongly reduced, and has in a recently unsealed deposition alleged that AMC created budget problems for the series.  In February 2016, a New York Supreme Court judge denied defendants’ motion to dismiss the added claims and permitted Darabont’s amended lawsuit to proceed. In November 2015, Bones executive producer Barry Josephson filed suit in Los Angeles Superior Court against Twentieth Century Fox Television claiming that he had been cheated out of millions of dollars in advertising, syndication, foreign sales, streaming, and other revenues from the show.[67]  Days later, Emily Deschanel and David Boreanaz, the two leads of Bones, along with executive producer Kathy Reichs filed an independent lawsuit making similar claims.[68]  They allege that they have seen zero profits for years despite the success of the series.  In April 2016, Fox’s motion to compel arbitration was granted and superior court proceedings were ordered stayed as to other, non-arbitrable claims when the court found that "the arbitrable claims are inextricably bound with the non-arbitrable claims, necessitating a stay."[69] 3.    Developments in Defamation Defamation suits, often involving the depiction of real-life figures in biopics, continue to be a regular occurrence in Hollywood.  Most notably, former N.W.A. 
manager Jerry Heller filed suit against the producers of the hit film Straight Outta Compton, along with Legendary Pictures, Comptown Records, director F. Gary Gray, and others, claiming that the film falsely portrayed him as responsible for instigating the breakup of N.W.A.[70]  In December 2015, the case was removed to federal court.[71]  Heller amended his complaint the following month.  On March 30, 2016, the court dismissed Heller’s misappropriation of likeness claim without leave to amend, finding that NWA’s history and Heller’s role in its rise is a matter of public interest, although Heller was permitted leave to amend his defamation claim.  A second amended complaint was filed in late April 2016.  On June 29, 2016, the Court granted defendants’ motion to strike as to all the allegedly defamatory scenes listed in the second amended complaint, except for two scenes stating or implying that Heller discouraged the rapper Ice Cube from retaining an attorney during contract negotiations.  The judge has permitted limited discovery on this issue and litigation remains ongoing. Elsewhere, a New York federal judge dismissed certain claims (including right of privacy) brought by former Stratton Oakmont director Andrew Greene regarding his alleged depiction in the film The Wolf of Wall Street, though the judge permitted Greene’s libel claim to proceed.[72]  And last fall, Sean Penn filed a $10 million defamation lawsuit against Empire creator Lee Daniels in New York Supreme Court, charging that in an interview with The Hollywood Reporter, Daniels falsely accused Penn of hitting women when comparing Penn to Empire star Terrence Howard.[73]  On May 4, 2016, it was reported that Penn and Daniels reached a settlement, which included Daniels issuing a letter of apology and making a donation to the J/P Haitian Relief Organization, one of Penn’s favorite charities.[74] C.     
Right of Publicity A number of cases in recent months have tested the application of states’ right of publicity law to emerging technologies.  1.    Athletes and Their Avatars Three years ago, in Keller v. Electronic Arts, the Ninth Circuit ruled that video game developers’ use of the likenesses of college athletes in their games is not protected by the First Amendment.[75]  The suit specifically targeted Electronic Arts, Inc.’s ("EA") NCAA Football series of video games, in which the real-life football players on each college team have "a corresponding avatar in the game with the player’s actual jersey number and virtually identical height, weight, build, skin tone, hair color, and home state"[76], though the players’ names did not appear on their jerseys in the video game, and their hometowns were inaccurate.[77]  EA’s principal argument was that the Rogers test, which protects the unauthorized use of trademarks unless the trademark has "no artistic relevance to the underlying work whatsoever,"[78] should be applied in the right of publicity context as well.  Instead, the Ninth Circuit applied California’s "transformative use" test for right of publicity claims, and concluded that the "realisti[c] portray[al] of college football players in the context of college football games" is not transformative.[79] Following Keller, we saw the conclusion of the parallel right of publicity claim of former NFL players, in Davis v. Electronic Arts, Inc.[80]  In Davis, EA provided five First Amendment affirmative defenses (i.e., transformative use, the public interest defense, the public affairs exception to Cal. Civil Code § 3344(d), the Rogers test and the incidental use defense).[81]  The former players prevailed when the Ninth Circuit concluded that the outcome was dictated by Keller: "If EA did not think there was value in having an avatar designed to mimic each individual player, it would not go to the lengths it does to achieve realism in this regard."[82] 2.    
Antitrust Claims Brought by College Athletes Courts heard multiple antitrust suits on behalf of college athletes in 2015.  Gibson Dunn represented OUTFRONT Media Sports, Inc. (formerly CBS Collegiate Sports Properties, Inc.) in Marshall v. ESPN and successfully argued that former college athletes’ claims against sports broadcasters for damages for alleged unauthorized broadcast of the athletes’ images during sporting events should be dismissed.[83]  The district court granted the defendants’ demurrer in its entirety, concluding, inter alia, that there is no individual right of publicity in sports broadcasts and that the defendants’ role "in complying with NCAA rules, [cannot] be said to be the cause of reduced competition and any concomitant antitrust injury."[84]  The former athletes’ appeal is currently pending before the Sixth Circuit. Recently, college athletes also sued the NCAA directly for antitrust violations, with both sides being rebuffed by the Ninth Circuit over the principal relief each sought.  In O’Bannon v. NCAA, the NCAA sought a declaration that, by virtue of its amateurism mission, it is immune to antitrust suits altogether.[85]  Alternatively, the NCAA contended that its activities are noncommercial, and that the players, in any event, lacked standing to bring a claim under the Sherman Act.[86]  The NCAA lost each of those arguments.  
Instead, the Ninth Circuit determined that the NCAA’s existing amateurism rules violated the Sherman Act.[87]  On the other hand, the players sought a declaration that, even during college, they have the right to compensation for use of their likenesses.[88]  The Ninth Circuit disagreed, and instead applied a "Rule of Reason" analysis that ultimately hinged on the availability of substantially less restrictive alternatives for maintaining amateurism in college athletics.[89]  The appeals court ordered the NCAA to permit schools to cover the full cost of attendance, not merely the cost of tuition.[90]  But, to maintain amateurism, the Court of Appeals determined that NCAA may ban any additional payments, for a player’s likeness or otherwise. 3.    Restrictions on the Use of Likenesses Obtained in Public Places For years, manufacturers, restaurants, bars, film producers, and others claimed the right to shoot photographs or videos in public places for use in advertising.  Indeed, the right of publicity doctrine was established in part as a result, and, in 1902, New York became the first state to judicially recognize the right of publicity in response to public outrage over a flour company’s unconsented-to use of a girl’s image on its packaging.[91]  For years, complaints about the use of public-place images for commercial use have met varying degrees of success, but recent cases indicate that the tide may be turning against unconsented-to uses of likenesses in advertising. Targeting the use of photos obtained at locations from beaches and bars to photos found on the internet, over the past year, plaintiffs brought a series of suits arguing that their publicly available likenesses were wrongfully stolen.  Though most of the litigation remains in early stages, the overall trend is against the unconsented-to exploitation of another’s likeness, whether it was obtained in public or not.  
In the end, courts may draw distinctions between commercial and noncommercial use of such likenesses, but much remains unresolved. [1] Ted Johnson, Charter-Time Warner Cable Deal Clears Justice Department; FCC Chairman Recommends Approval, (April 25, 2016), available at http://variety.com/2016/biz/news/charter-time-warner-cable-fcc-1201741129/. 2 U.S. Telecom Ass’n v. FCC, 2016 WL 3251234 (D.C. Cir. June 14, 2016). 3 Comcast Corp. v. FCC, 600 F.3d 642, 661 (D.C. Cir. 2010).  4 Id. at 660-61.  5 Id. at 644.  6 Verizon v. FCC, 740 F.3d 623, 628 (D.C. Cir. 2014).  [2] Bryan Fung, The FCC’s proposed changes to TV rules are running into Senate resistance, (Oct. 9, 2015), available at https://www.washingtonpost.com/news/the-switch/wp/2015/10/09/the-fccs-proposed-changes-to-tv-rules-are-running-into-senate-resistance/. [3] Federal Communications Commission, Office of the Chairman, (Nov. 10, 2015), available at https://apps.fcc.gov/edocs_public/attachmatch/DOC-336580A1.pdf. [4] John Eggerton, MPAA, Others Hail TPP Agreement, (Oct. 5, 2015), available at http://www.broadcastingcable.com/news/washington/mpaa-others-hail-tpp-agreement/144714. [5] Don Lee, Hollywood joins push for Obama’s Trans-Pacific Partnership trade deal, (April 6, 2015), http://www.latimes.com/business/la-fi-trade-pact-hollywood-20150407-story.html. [6] Executive Office of the President, Office of the U.S. Trade Representative, (Oct. 10, 2015), available at https://ustr.gov/about-us/policy-offices/press-office/press-releases/2015/october/summary-trans-pacific-partnership. [7] Id. [8] Id. [9] Authors Guild v. Google, Inc., 804 F.3d 202 (2d Cir. 2015).  [10] Authors Guild v. Google, Inc., 2011 WL 986049 (S.D.N.Y. Mar. 22, 2011).  [11] Authors Guild, 804 F.3d at 207. [12] Id. at 212. [13] Id. at 229. [14] Authors Guild v. Google, Inc., 136 S.Ct. 1658 (U.S. 2016). [15] Fox News Network, LLC v. TVEyes, Inc., 2014 WL 4444043 (S.D.N.Y. Sept. 9, 2014).  [16] Fox News Network, LLC v. TVEyes, Inc., Case No. 
1:13-cv-05315-AKH, Dkt. 118-1, at 3 (S.D.N.Y. May 22, 2015). [17] Id. at 6, 10. [18] Fox News Network, LLC v. TVEyes, Inc., 2015 WL 5025274 (Aug. 25, 2015).  [19] Id. at *8. [20] Id. [21] Id. [22] Id. at *6. [23]Fox News Network, LLC v. TVEyes, Inc.,  2015 WL 7769374; 2015 WL 8148831.  [24] Id.  [25] Fox News Network, LLC v. TVEyes, Inc., Case No. 1:13-cv-05315 (S.D.N.Y. Nov. 30, 2015), at Dkt. 190.  [26] Lenz v. Universal Music Corp., 801 F.3d 1126, 1129 (9th Cir. 2015). [27] Id. [28] Id. at 1131. [29] Id. at 1134-35. [30] Id. at 1139. [31] Lenz v. Universal Music Corp., 815 F.3d 1145 (9th Cir. 2016). [32] Lenz, 801 F.3d at 1129. [33] Keeling v. Hars, 2015 WL 6600571, at *1 (2d Cir. Oct. 30, 2015), [34] Id.  [35] Id.  [36] Id. at *5.  [37] Id. at *7. [38] Id. at *5.  [39] Petrella v. Metro-Goldwyn-Mayer, Inc., 134 S. Ct. 1962, 1975 (2014). [40] Skidmore v. Led Zeppelin, et al., Case No. 2:15-cv-03462 (C.D. Cal. 2015) [41] Williams, et al. v. Bridgeport Music, Inc., et al., Case No. 2:13-cv-06004 (C.D. Cal. 2013). [42] Fahmy v. Jay-Z, et al., Case No. 2:07-cv-05715 (C.D. Cal. 2007). [43] Zimmerman v. Play Records, Inc., Case No. cv-15-539129 (Sup. Ct. Ontario 2015). [44] Mitchell v. Universal Music Group, Inc., et al., 3:15-cv-00174 (C.D. Cal. 2015). [45] Marya v. Warner Chappel Music, Inc., Case No. 2:13-cv-04460 (C.D. 2013). [46] Varsity Brands, Inc. v. Star Athletica, LLC, 799 F.3d 468 (6th Cir. 2015).  [47] Id.  [48] Varsity Brands, Inc. v. Star Athletica, LLC, 136 S.Ct. 1823 (U.S. 2016). [49] Home Legend, LLC v. Mannington Mills, Inc., 784 F.3d 1404, 1407 (11th Cir. 2015). [50] DC Comics v. Towle, 802 F.3d 1012 (9th Cir. 2015). [51] Naruto v. Slater, 2016 WL 362231 (N.D. Cal. Jan. 28, 2016). [52] Garcia v. Google, Inc., 786 F.3d 733 (9th Cir. 2015). [53] Bikram’s Yoga College of India, L.P. v. Evolation Yoga, LLC, 803 F.3d 1032 (9th Cir. 2015). [54] Lorenzana v. South Am. Restaurants Corp., 799 F.3d 31 (1st Cir. 2015). 
[55] Bill Donahue, Cox Says Plaintiffs In Pirating Suit Wanted It To Join Scheme, (September 22, 2015), available at http://www.law360.com/articles/705612/cox-says-plaintiffs-in-pirating-suit-wanted-it-to-join-scheme?article_related_content=1. [56] Jimmy Hoover, Cox Must Pay BMG $25M For User Piracy, Jury Finds, (Dec. 17, 2015), available at http://www.law360.com/articles/739353/cox-must-pay-bmg-25m-for-user-piracy-jury-finds. [57] In re Certain Digital Models, Inv. No. 337-TA-833 at 55 (Apr. 3, 2014). [58] ClearCorrect Operating, LLC v. ITC, 810 F.3d 1283, 1286 (Fed. Cir. 2015).  [59] 467 U.S. 837, 843 (1984) [60] ClearCorrect Operating, LLC, 810 F.3d at 1286. [61] Twentieth Century Fox Film Corp. v. Sky UK Ltd., 2015 EWHC 1082 (Ch) (Apr. 28, 2015).  [62] Id. [63] Id. [64] Paramount Pictures Corp. v. John Doe, Case No. 15-cv-5819 (S.D.N.Y. July 24, 2015).   [65] Paramount Pictures Corp. v. John Doe, Case No. 15-cv-5819 (S.D.N.Y. Aug. 10, 2015), at Dkt. 32-1.  [66] Paramount Pictures Corp. v. John Doe, Case No. 15-cv-5819 (S.D.N.Y. Nov. 24, 2015), at Dkt. 46. [67] Wark Entm’t, Inc. v. Twentieth Century Fox Film Corp., Case No. BC602287 (L.A. Sup. Ct. Nov. 25, 2015).  [68] Temperance Brenann, L.P. v. Twenty-First Century Fox, Inc., Case No. BC602548 (L.A. Sup. Ct. Nov. 30, 2015).  [69] Wark Entm’t, Case. No. BC602287 (Apr. 8, 2016 Ruling). [70] Heller v. NBCUniversal, Inc., Case No. BC599499 (L.A. Sup. Ct. Oct. 30, 2015).  [71] Heller v. NBCUniversal, Inc., Case No. 2:15-cv-09631 (C.D. Cal.).  [72] Greene v. Paramount Pictures Corp., Case No. 2:14-cv-01044 (E.D.N.Y. Sept. 30, 2015), at Dkt. 25.   [73] Penn v. Daniels, Case No. 159710/2015 (N.Y. Sup. Ct. Sept. 22, 2015). [74] Ted Johnson, Sean Penn Reaches Settlement With Lee Daniels in Defamation Case, (May 5, 2016), available at  http://variety.com/2016/biz/news/sean-penn-lee-daniels-defamation-case-settlement-1201766360/. [75] Keller v. Elec. Arts, Inc., 724 F.3d 1268, 1283 (9th Cir. 2013) (en banc). [76] Id. 
at 1271. [77] Id. [78] Rogers v. Grimaldi, 875 F.2d 994, 999 (2d Cir. 1989). [79] Id. at 1279. [80] 775 F.3d 1172, 1176-81 (9th Cir. 2015). [81] Id. [82] Id. (quoting Keller v. Elec. Arts, Inc., 724 F.3d 1268, 1276 n.7 (9th Cir. 2013) (en banc)). [83] Marshall v. ESPN Inc., 111 F.Supp.3d 815, 824 (M.D. Tenn. 2015). [84] Id. at 835-36. [85] 802 F.3d 1049, 1061 (9th Cir. 2015). [86] Id. [87] Id. at 1075 (ordering the NCAA to allow player compensation up to the full cost of attendance). [88] Id. at 1076. [89] Id. at 1074. [90] Id. at 1075. [91] See Roberson v. Rochester Folding Box Co., 64 N.E. 442, 448 (N.Y. App. Div. 1902).

The following Gibson Dunn lawyers assisted in the preparation of this client update: Scott Edelman, Ruth Fisher, Ari Lanin, Ben Ross, Steve Tsoneff, Howard Hogan, Helgi Walker, Nathaniel Bach, Corey Singer, Colby Davis, Andria Montoya, Colleen Kenny, and Caitlin Forsyth.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s Media, Entertainment & Technology Practice Group:

Scott A. Edelman – Co-Chair, Los Angeles (+1 310-557-8061, sedelman@gibsondunn.com)
Ruth E. Fisher – Co-Chair, Los Angeles (+1 310-557-8057, rfisher@gibsondunn.com)
Orin Snyder – Co-Chair, New York (+1 212-351-2400, osnyder@gibsondunn.com)
Stephen Tsoneff – Co-Chair, Los Angeles (+1 310-552-8698, stsoneff@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Ari Lanin – Los Angeles (+1 310-552-8581, alanin@gibsondunn.com)
Benyamin S. Ross – Los Angeles (+1 213-229-7048, bross@gibsondunn.com)
Helgi C. Walker – Washington, D.C. (+1 202-887-3599, hwalker@gibsondunn.com)

© 2016 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

February 16, 2017 |
Media, Entertainment and Technology Group – 2016 Year-End Update

As we look back on an active 2016, and ahead to the rest of 2017, ushered in by a new administration, Gibson Dunn’s Media, Entertainment and Technology practice group has taken stock of a particularly active period in deal-making, including Hollywood going (even more) global and the world coming to Hollywood. First Amendment cases in privacy, defamation, and the right of publicity have reshaped the landscape and jolted the industry. Elsewhere in litigation, there was much to consider in copyright, video gaming, and music, and it was a particularly fertile year for developments in art law. As always, we are pleased to be able to keep you up to date on these cutting-edge issues.

__________________________

TABLE OF CONTENTS

I. Transaction & Regulatory Overview
  A. An Active Year in Studio Deal-Making
    1. NBCUniversal Acquires DreamWorks Animation
    2. Lionsgate Acquires Starz
    3. Fox Turns to Sky
  B. Consolidation in Cable
    1. Altice’s Acquisition of Cablevision
  C. China Comes to Hollywood
  D. Streaming Goes Global, Skinny, and Social (and Faces Some Resistance)
    1. The Global Streaming Race
    2. Hulu’s Skinny Bundle
    3. New Directions at Twitter
    4. The Rise of the "Netflix Tax"

II. Litigation Overview
  A. First Amendment Takes Center Stage: Defamation, Privacy, and Publicity Rights
    1. Hulk Hogan v. Gawker
    2. Eramo v. Rolling Stone
    3. Sarver v. Chartier
    4. The Straight Outta Compton Case
  B. Copyright Litigation
    1. The DMCA and Pre-1972 Sound Recordings
    2. Licensing and Sampling: UMG Recordings v. Global Eagle Entertainment
    3. VMG Salsoul LLC v. Ciccone
    4. Discipline and Attorneys’ Fees: Kirtsaeng v. John Wiley & Sons
    5. Copyrightable Subject Matter
    6. Other Copyright Developments
  C. Agency Wars
  D. Video Games: Original Madden Creator Loses Big on Royalties
  E. Music: Mo’ Streamers, Mo’ Problems?
  F. A Banner Year in Art Litigation
    1. The Battle Over VARA’s Scope Continues
    2. Authentication Triumph for Peter Doig
    3. California Resale Royalty Act Preempted by Copyright Law
    4. Fair Use and Richard Prince Go Another Round

__________________________

I. Transaction & Regulatory Overview

A. An Active Year in Studio Deal-Making

In addition to the widely reported announcement of the proposed $85 billion merger of AT&T and Time Warner that will combine video content with video distribution, there have been a number of other notable deals in Hollywood over the past year.

1. NBCUniversal Acquires DreamWorks Animation

In August of 2016, NBCUniversal, part of the Comcast Corporation, acquired DreamWorks Animation ("DWA") for $3.8 billion.[1] Former CEO of DWA Jeffrey Katzenberg will no longer serve as CEO following the acquisition, but will remain in a leadership position, serving as chairman of DreamWorks New Media, which oversees DWA’s two digital ventures: Awesomeness TV and NOVA.[2] DWA will become part of the Universal Filmed Entertainment Group, alongside Universal Pictures, Fandango and NBCUniversal Brand Development. Regarding the acquisition, Steve Burke, CEO of NBCUniversal, stated, "DreamWorks will help us grow our film, television, theme parks and consumer products businesses for years to come."[3] While DWA is best known for its family films such as Shrek and Kung Fu Panda, many took note of Burke’s mention of theme parks and consumer products, believing that value in this deal could come from opportunities relating to amusement park integrations and merchandising, in the same vein as Disney’s acquisition of Lucasfilm and its early cross-platform successes with the Star Wars franchise.

The $3.8 billion valuation of DWA was a welcome announcement for other entertainment production companies. After the deal was announced, shares of Lionsgate rose more than 7 percent and Viacom saw its stock jump almost 9 percent.[4]

2.
Lionsgate Acquires Starz Two other recent mergers have signaled studios’ eagerness to diversify their media business and gain more direct distribution to consumers.  In December 2016, Lionsgate closed its acquisition of Starz for $4.4 billion in cash and stock.  The merger, first announced in June 2016, received the overwhelming approval of the two companies’ shareholders, receiving 98% and 95% approval at the companies’ respective shareholder meetings.[5]  Speculation of a merger began in February 2015, when the companies exchanged minority stakes and Starz investor John Malone joined the board of Lionsgate.[6]  As a result of the merger, Lionsgate has grown into a more diverse media company, now spanning film and TV production as well as cable-based subscription and online-streaming services. 3.     Fox Turns to Sky On December 15, 2016, 21st Century Fox announced that it had reached an agreement to acquire Sky plc, Europe’s largest pay-TV and online streaming service provider.  Fox offered Sky shareholders £10.75 ($13.61) per share in cash for the remaining 61% of shares not already owned by Fox, resulting in a £18 billion ($22 billion) valuation of Sky.[7]  The stock acquisition is being structured as a "scheme of arrangement," which would allow the takeover to move forward with only 75 percent approval of independent shareholders, rather than the standard 90 percent shareholder approval needed for a traditional takeover.[8]  The transaction would result in Rupert Murdoch, the owner of Fox, expanding his U.K. and European media business by growing Fox’s direct-to-consumer capabilities in the region.  B.     Consolidation in Cable 1.     Altice’s Acquisition of Cablevision Altice became the fourth-largest broadband provider in the U.S. in 2016 after its $17.7 billion (including debt) acquisition of the New York-based cable operator Cablevision Systems Corp. 
in June of 2016.[9] As a condition to approving the acquisition, the New York Public Service Commission required Altice to commit to passing on to customers 25% of its estimated $450 million in savings in operational costs from the merger.[10]  New York state regulators estimate that conditions of the deal will bring $243 million in benefits to New York consumers.  In addition, the FCC required Altice to retain Cablevision’s consumer-facing staff for the next five years.  Altice’s acquisition of Cablevision follows Altice’s 2015 acquisition of St. Louis-based cable company Suddenlink (which was the seventh largest U.S. cable company before being acquired).[11]  Chairman and chief executive of Altice USA, Dexter Goei, indicated that the company plans to continue its acquisitions in the U.S. cable market, but not before integrating its recently acquired assets and units across the country.[12] Altice’s recent acquisitions continue the market trend of cable company consolidation, with large cable companies acquiring smaller operators to take advantage of economies of scale.  As CEO of AT&T Entertainment Group John Stankey announced following AT&T’s acquisition of DirecTV, "We didn’t buy DirecTV because we love satellite exclusively as a distribution medium, we bought it because it gave us scale in entertainment."[13]  We may see even more consolidation in 2017 as the major cable providers continue to view acquisitions as a way to create cost savings and reach new audiences.  C.     China Comes to Hollywood  In December 2016, the Chinese State Administration of Press, Publication, Radio, Film and Television announced that there were 40,917 movie screens in mainland China.  Assuming the accuracy of these numbers, China has surpassed the United States in the number of movie screens in a single nation (the US had 40,759 screens in 2016).  
With an average rate of twenty-six new screens opening per day in China in 2016, along with a rapid increase in box office revenues, China is on pace to become the biggest film market in the world in 2017.  Additionally, Chinese investors’ interest in the U.S. entertainment and media market has continued throughout 2016 and shows no sign of slowing down in 2017.  Between 2014 and the first half of 2016, Chinese investors made thirteen equity investments amounting to $5 billion, including the Wanda Group’s acquisition of Legendary Entertainment.  With this uptick in acquisitions by Chinese companies, it is speculated that China’s share of the U.S. entertainment and media market is currently around five percent and growing. As China continues to establish itself as a major player in world-wide entertainment, in October 2016, Wang Jianlin, Chairman of the Wanda Group, announced a forty percent rebate for foreign and domestic films and television shows that film at the Wanda Group’s studio in Qingdao, China.  The rebate amounts to a subsidy valued at $750 million over a five-year period.  However, the company has recently caught the attention of sixteen members of Congress who wrote a letter urging greater scrutiny of Chinese investments in the U.S. entertainment and media sectors.  The letter cited the Wanda Group’s acquisitions of Legendary Entertainment and AMC, and voiced concerns of possible Chinese efforts to exert political influence on American media. Despite these concerns, in December 2016, the Justice Department approved AMC’s purchase of Carmike Cinemas for $1.2 billion.  As noted, AMC is owned by the Wanda Group and the merger will make the company the owner of the largest U.S. movie theater chain.  This acquisition will help further the Wanda Group’s goal of owning twenty percent of the global movie theater seats by 2020.  
In order to receive approval, AMC had to agree to sell off some theaters and holdings in fifteen geographic areas that overlap with Carmike Cinemas.  Additionally, AMC must reduce its interest in National CineMedia since Carmike is a major backer of its competitor Screenvision Exhibition. Meanwhile, proponents of China’s investments in Hollywood welcome the influx of investments and the potential to reach the growing Chinese market that is controlled by that country’s revenue sharing program, which only permits thirty-four foreign films to reach its market a year.  The increase in Chinese-American co-productions, which can be exempted from the quota, is likely to continue in light of the importance of the Chinese market.   D.     Streaming Goes Global, Skinny, and Social (and Faces Some Resistance) Chinese companies and investors are not the only ones racing to establish themselves in the global entertainment and media market.  The competition between Netflix and Amazon has heated up in a competitive effort to reach foreign markets and expand their presence, while Hulu continues to carve out its own unique niche in the U.S. market. 1.     The Global Streaming Race   In January 2016, Netflix launched in over 130 countries, reaching more than 190 nations and territories, and was essentially the only major video streaming service operating worldwide, while Amazon Prime Video reached the U.K., Germany, Austria and Japan.  However, in December 2016, Amazon Prime Video launched in over 200 countries and territories at a lower monthly price than Netflix, bringing significant competition to the online streaming market.  For both companies, content selection, outside of their original content, will depend on securing global rights to licensed content.  In 2017, both companies are likely to focus on their new global audience by releasing content that reflects their widespread reach and providing more content in foreign languages. 2.     
Hulu’s Skinny Bundle

This year, Hulu released more details on its forthcoming internet TV streaming service, commonly referred to as the "Hulu Skinny Bundle," set for release in 2017.[14] In a press release describing the forthcoming Hulu Skinny Bundle, Hulu executives stated that the streaming service will give its subscribers access to "more than 35 top networks" including various Fox and Disney channels (two of the companies jointly operating Hulu).[15]

More good news for potential Hulu Skinny Bundle subscribers came in August of 2016, when Time Warner announced that it would acquire 10% of Hulu for an estimated $583 million.[16] As part of this deal, Hulu’s Skinny Bundle will carry all of Time Warner’s Turner cable networks (including TNT, with its live sports offerings such as NBA playoff games and March Madness). Time Warner’s investment could also mean Hulu could potentially incorporate HBO into its streaming services.

3. New Directions at Twitter

This past year, in an effort to broaden its user base, Twitter landed an exclusive deal with the National Football League to deliver a live OTT digital stream of the NFL’s Thursday Night games during the 2016 season. For $10 million, the social media platform received the right to stream ten games, valuing each game at $1 million. Twitter won the bid for the NFL package against Verizon, Yahoo!, and Amazon. This deal reflects the NFL’s awareness of the growing number of cord-cutters and the trend toward streaming content over the internet, especially among its target demographic of 18-34 year olds. Deals with social media networks give content producers who traditionally distribute through broadcast or cable another avenue to reach a younger demographic. If this deal proves successful, we will likely see an increase in live-streaming deals between content producers and social media networks, particularly in sports, which continues to attract viewers for live broadcasts.
Notably, Twitter has already signed a series of live-streaming deals with Wimbledon, CBS News, the National Basketball Association, Major League Baseball, the National Hockey League and the Pac-12 Network. Additionally, in September 2016, news broke that Twitter might be up for sale, with speculation about potential buyers such as Google, Salesforce.com and The Walt Disney Company.  However, by October it appeared that all potential bidders had backed off, in part over concerns regarding Twitter’s approach toward ending user harassment and its ability to generate revenue.  Whether there is a new buyer for Twitter has yet to be seen. 4.     The Rise of the "Netflix Tax" State and local tax authorities appear eager to fill tax revenue gaps that have resulted from consumers trading in traditional sources of entertainment for online-only sources, such as Netflix, Hulu, Spotify and Xbox Live.  As a result, we have seen the rise of so-called "Netflix taxes," which are specifically designed to tax these digital entertainment services.  The most noteworthy examples so far have been implemented in Chicago, Pennsylvania, and Pasadena (California), each of which takes a unique approach on how the tax is implemented and to what services it applies.  For example, the Pennsylvania Netflix Tax, which passed in 2016, extends the state’s 6 percent sales tax to digital downloads, subscription services, music, e-books, apps and games, as well as any updates, maintenance or support of these items.  In contrast, Pasadena city officials announced their own plan to implement a new 9.4 percent tax focused only on paid video streaming services.  Pasadena officials confirmed that the new tax is intended to compensate for lost tax revenue resulting from falling cable TV subscriptions. 
On June 9, 2015, the city of Chicago’s Finance Department extended its 9 percent "Amusement tax" on entertainment to include all "electronically delivered amusements" and "nonpossessory computer leases."[17]  The Chicago tax is more expansive than its Pennsylvania and Pasadena counterparts, as it targets all paid-for digital media as well as any services utilizing cloud computing or storage.  However, the tax is being challenged by a group of Chicago residents in the Circuit Court of Cook County, Illinois, which alleges two bases for overturning the tax.[18]  First, the plaintiffs claim that the Chicago Finance Department’s decision to apply its Amusement tax to streaming services amounts to a new tax that must have been passed by a vote of city officials.[19]  Second, the plaintiffs claim the tax imposes a discriminatory tax on electronic commerce in violation of the Federal Internet Tax Freedom Act by granting tax exemptions to purveyors of live media and entertainment, such as live music and theater, and even Netflix’s own DVD delivery service.[20]  The case is still pending in the Circuit Court of Cook County, Illinois.[21] II.       Litigation Overview A.        First Amendment Takes Center Stage: Defamation, Privacy, and Publicity Rights First Amendment cases took center stage in 2016:  President Trump campaigned on, among other things, the promise to loosen libel laws, and threatened to sue several media organizations, including The New York Times, in response to the paper’s reporting on his tax returns and sexual assaults.  2016 also featured the first-ever trial pitting a celebrity against a media organization for the posting of a sex tape.  A Virginia jury determined that a news source (Rolling Stone) can be held liable for the republication of defamatory statements, but not necessarily for the original publication of those statements.  
And the Ninth Circuit held that an anti-SLAPP motion may defeat a right of publicity claim, while another right of publicity case had the odd procedural posture of having its plaintiff pass away while litigation was pending.

1. Hulk Hogan v. Gawker

One of the most talked about lawsuits in the press this year was the culmination of Hulk Hogan’s four-year battle against Gawker, which ultimately led to the online media company’s demise. In October 2012, Gawker published a less-than-two-minute excerpt of a 30-minute video showing the famous wrestler Hulk Hogan (né Terry Bollea) having sex with Heather Cole, the then-wife of his best friend, Tampa-area radio personality Bubba the Love Sponge (real name Todd Alan Clem). Gawker posted the sex tape alongside an essay by then-editor-in-chief A.J. Daulerio musing about celebrity sex. Eleven days after Gawker posted the video, Hogan filed two lawsuits for invasion of privacy, illegal wiretapping, violation of right of publicity, and intentional infliction of emotional distress–one in federal court in the Middle District of Florida against Gawker Media, its founder and CEO Nick Denton, and Daulerio;[22] and one in Florida state court against the Clems, who had recorded the video without his knowledge.[23] After the federal court declined to grant a temporary injunction on grounds that it would constitute a prior restraint on free speech,[24] Hogan dismissed the federal action[25] and amended his state court complaint in December 2012 to add the Gawker defendants.[26] Florida State Court Judge Pamela Campbell granted Hogan a temporary injunction in 2013,[27] but Gawker refused to remove the post from its website, arguing that the order "is risible and contemptuous of centuries of First Amendment jurisprudence."[28] The injunction was stayed on appeal,[29] and then denied in 2015 by the appeals court.[30] The District Court of Appeal of Florida found that it was an unconstitutional prior restraint under the
First Amendment.[31] At trial, the case became an implicit battle between the First Amendment, which guarantees freedom of the press and freedom of speech, and a citizen’s Fourteenth Amendment right to privacy under equal protection of life, liberty, and property. While Gawker argued that it was within its First Amendment right to determine what was newsworthy, Hogan claimed that the video violated his privacy rights as Terry Bollea, a private citizen untethered from his celebrity wrestling persona as Hulk Hogan. In March 2016, after a two-week trial, the Florida state jury determined that privacy rights outweighed the right to make speech. It found Gawker Media liable and awarded Hogan $115 million in compensatory damages and $25 million in punitive damages.[32]

Unbeknownst to Gawker until after the trial had concluded, Silicon Valley billionaire Peter Thiel, who had been outed as gay by a Gawker blog in 2007, secretly provided financial backing for Hogan’s lawsuit and others suing the company. Gawker considered pursuing legal action against Thiel, but three months after the verdict the company filed for Chapter 11 bankruptcy protection and its assets (not including the main Gawker blog) were later sold to Univision. Days later, the Gawker blog announced that it would entirely shutter its operations. First Amendment advocates saw Thiel’s actions as setting a dangerous precedent that could encourage other deep-pocketed individuals or entities to fund lawsuits against media organizations that are critical of them or against which they seek revenge, in an effort to put them out of business.

In November 2016, the parties reached a settlement. Hogan will receive $31 million plus a share of the distributions from a contingent proceeds creditor account in exchange for Gawker forgoing its appeal. Hogan’s lawsuit will unquestionably encourage other celebrities to pursue legal recourse against clickbait news outlets in similar situations.
For instance, in June 2016, Michael Jackson’s nephews filed a $100 million defamation suit against Radar Online over multiple decades-old stories alleging that they were sexually abused by their uncle and accepted gifts to cover it up.[33] The complaint alleges that "Radar has tried to profit by launching a vicious and unrelenting attack on [Jackson] based on claims that, years ago, he was guilty of sexual abuse, even though, at that time, he was found ‘not guilty of that very charge.’"[34] Radar Online filed an answer in September 2016 and litigation remains ongoing.

2. Eramo v. Rolling Stone

Media companies are also concerned with the potentially chilling impact of a jury verdict finding that the magazine Rolling Stone was liable for defamatory statements stemming not from the original publication of those statements, but from the republication of them in an editor’s note.

The magazine published a controversial article, "A Rape on Campus," in its November 19, 2014 issue describing a brutal gang rape of a freshman identified as "Jackie" at a University of Virginia campus fraternity. Immediately following publication, The Washington Post identified major gaps in the magazine’s reporting, which led to Rolling Stone issuing a formal apology for failing to thoroughly fact-check the article. Following an independent report by the Columbia School of Journalism that faulted the publisher for gross reporting errors, Rolling Stone retracted the story and removed it from the website in April 2015.
A month later, Nicole Eramo, the university’s former associate dean, sued the publication, the parent company Wenner Media and the writer Sabrina Rudin Erdely for casting her as the "chief villain" who "silenced" Jackie or "discouraged" her from reporting the alleged gang rape to the police.[35] The suit survived the summary judgment stage in September 2016 and proceeded to trial.[36]

In November 2016, after a two-week trial, a federal jury decided in less than two hours that the defendants were liable on multiple counts of defamation and awarded $3 million in damages.[37] The jury, however, did not find actual malice when Rolling Stone published the story. It was only afterwards–when Rolling Stone republished the assertions in an editor’s note the following week and made several other public statements–that the jury held the publication acted with actual malice.

In the immediate aftermath of the verdict, media companies are worried that apologizing or simply refusing to immediately retract a story may expose them to significant legal liability.[38] As a result, eight media groups including The Washington Post, Associated Press, Gannett Co. and others asked the judge in an amicus brief to overrule the jury as a matter of law.[39] They argue that "[t]he Court’s decision to have the jury determine whether the defamatory information was ‘republished’ when an editor’s note was attached would be harmful for news organizations and those who rely upon them for accurate news reports. Upholding the current verdict would discourage the news media from correcting errors in their stories, particularly because not mentioning a particular fact from a story in the note constitutes ‘republishing’ it. The only recourse available would be to require new sites to completely remove stories when any question of credibility is raised. Neither choice . . .
would serve the interests of the public."[40]

In February 2017, the court heard oral argument regarding Rolling Stone’s motion for judgment notwithstanding the verdict, motion to reconsider sanctions, and the bill of costs. The case remains pending at the post-trial briefing stage.

3. Sarver v. Chartier

This year, the Ninth Circuit considered whether an anti-SLAPP motion can be used to successfully defend against a right of publicity lawsuit. In March 2010, Army Sergeant Jeffrey Sarver sued the creators of the Oscar-winning film, The Hurt Locker, claiming that the film’s protagonist was based on his experiences as a U.S. Army explosive ordnance disposal technician in Iraq; that he did not consent to such use; and that some scenes in the film falsely portrayed him in a way that harmed his reputation. He brought multiple state law claims, including misappropriation of his likeness and right of publicity. The defendants successfully transferred the case from New Jersey to California, and then moved to strike Sarver’s complaint under California’s anti-SLAPP statute–a powerful law that forces a plaintiff in a case seeking to punish another for invoking their speech rights (e.g., for defamation) to come forth with evidence to substantiate the claim at the very outset of the litigation. The district court dismissed Sarver’s lawsuit in its entirety in October 2011, finding that the anti-SLAPP statute applied because the defendants were engaged in the exercise of free speech (the film) in connection with a public issue, and that the film’s use of Sarver’s identity was transformative.[41] In February 2016, the Ninth Circuit affirmed the lower court’s dismissal.[42] It first held that California law was properly applied, instead of New Jersey law, because California had the most significant relationship to the litigation.[43] On the merits, the Ninth Circuit applied the anti-SLAPP statute’s two-prong analysis.
First, the film and its central character spoke directly to issues of a public nature, specifically the Iraq War and the use of improvised explosive devices.[44] Second, the film was speech fully protected by the First Amendment because the creators had sufficiently "transformed" the material into art.[45] Because Sarver could not show a compelling state interest in preventing the defendants’ speech, applying California’s right of publicity law against that speech would violate the First Amendment. The Ninth Circuit concluded that Sarver had not built up any economic value in a marketable performance of identity to warrant protection under right of publicity. As a result, the district court did not err in granting defendant’s anti-SLAPP motion.[46] The Ninth Circuit’s ruling will not only make it easier for entertainment companies to create stories ripped from the headlines so long as they sufficiently "transform" the material into art, but also empower them to use anti-SLAPP statutes to defend against future lawsuits.

4. The Straight Outta Compton Case

Last year, former N.W.A. manager Jerry Heller filed a defamation suit against the producers of the hit film Straight Outta Compton, along with Legendary Pictures, Compton Records, director F. Gary Gray, and others, claiming that the film falsely portrayed him as responsible for instigating the breakup of N.W.A.[47] In June 2016, the Court granted defendants’ motion to strike as to all the allegedly defamatory scenes listed in the amended complaint, except for two scenes stating or implying that Heller discouraged the rapper Ice Cube from retaining an attorney during contract negotiations.[48] The litigation took an unexpected twist in early September 2016 when Heller passed away from a heart attack. He was set to be deposed in August, but his attorneys canceled the day prior citing an unspecified conflict of interest.
As of January 2017, Heller’s nephew was named executor of his uncle’s will and in that capacity filed a motion to continue the lawsuit on the estate’s behalf.[49] Should the court permit this case to proceed with Heller’s estate as the plaintiff, it will set up an unusual situation where a defamation case is litigated past the death of the plaintiff.

B. Copyright Litigation

1. The DMCA and Pre-1972 Sound Recordings

In a decision with far-reaching impact for online hosts, the Second Circuit in Capitol Records v. Vimeo ruled that the Digital Millennium Copyright Act’s (DMCA) safe harbor provisions protect online hosts, such as Vimeo, from copyright liability for musical recordings that predate 1972, despite the fact that these recordings are not covered by federal copyright law.[50] The decision also clarified the meaning of "red flag knowledge" and willful blindness in the context of the DMCA.[51] In doing so, the Second Circuit reversed the lower court’s decision categorically excluding any copyright claims based on pre-1972 songs from the DMCA safe harbor, thus becoming the first federal appeals court to rule on this issue.

The DMCA contains safe harbor provisions, which shield qualifying Internet Service Providers (ISPs) from liability for copyright infringement when their users upload infringing material on the ISP’s site and the ISP is unaware of the infringement.[52] So long as the ISP responds to the copyright holder’s takedown request by promptly investigating and removing the offending content, the ISP is shielded from liability pursuant to the safe harbor provisions. These provisions were enacted to shield the still-nascent Internet industry from the potentially crushing burden of copyright liability for sites that host third-party content by shifting the burden of actively monitoring these sites for copyright violations to the copyright-holder herself.
However, it had long been unclear whether this federal safe harbor scheme covered pre-1972 recordings. This uncertainty stemmed from the fact that Congress created federal copyright protection for recorded sounds in 1972, but did not make this protection retroactive, leaving pre-1972 recorded songs covered by a patchwork system of state-level quasi-copyright laws.[53] In the past few years, record labels have been somewhat successful in advancing the argument that the DMCA’s safe harbor provisions do not, in fact, shield sites from liability for hosting pre-1972 songs. In a case filed by UMG Recordings against the now-defunct online streaming service Grooveshark, a New York appellate court ruled that the provision did not protect Grooveshark against pre-1972 claims.[54] The Copyright Office has also endorsed that view.[55] This position, however, ran directly contrary to an earlier decision by a New York federal judge that found the safe harbor protected online music storage service MP3tunes from state-law copyright claims.[56]

With this backdrop of relative uncertainty, in the Capitol Records case, plaintiffs filed suit against Vimeo, alleging that Vimeo was liable for copyright infringement because it hosted 199 user-generated "lip dub" videos, featuring songs from the Beatles, Jay-Z, Radiohead, Lady Gaga and others. The plaintiffs further argued that Vimeo had forfeited its protection under the DMCA’s safe harbor provisions because it had "red flag" knowledge of the infringement, or was willfully blind to it, because some Vimeo employees had viewed, commented, and "liked" the infringing videos.
With respect to the videos that used pre-1972 songs, District Judge Abrams granted summary judgment to the plaintiffs, holding that "[I]t is for Congress, not the courts, to extend the Copyright Act to pre-1972 sound recordings."[57] She also held that Vimeo did not void its safe harbor immunity by "willfully blinding" itself to infringement by its users.[58] Following this decision, Vimeo moved for certification of an interlocutory appeal to the Second Circuit on the pre-1972 sound recordings issue, which was granted.[59] In its appeal, Vimeo and other web hosts argued that they cannot police their sites for copyright infringement of only pre-1972 recordings without affirmatively monitoring everything that crosses their networks, which would negate the very purpose of the DMCA’s safe harbors.

The Second Circuit’s ruling, written by Judge Pierre Leval, was a clear victory for online service hosts such as Vimeo and YouTube. The Court ruled that the DMCA’s safe harbors protect online hosts like Vimeo from liability even for pre-1972 recordings that are not covered by federal law, because a ruling to the contrary would "defeat the very purpose Congress sought to achieve in passing the statute."[60] The Court’s opinion largely endorsed Vimeo’s concerns, saying that Capitol’s position would force ISPs to either "incur heavy costs of monitoring every posting to be sure it did not contain infringing pre-1972 recordings" or face "potentially crushing liabilities under state copyright laws."[61]

In addition to the issue of pre-1972 recordings, the Second Circuit’s decision clarified the meaning of the "red flag awareness" and "willful blindness" doctrines related to the DMCA’s safe harbors. The Court resolved both of these issues strongly in favor of Vimeo and other ISPs.

First, the Court overturned the district court’s ruling that Vimeo might have had "red flag awareness" of the infringement because its employees viewed, commented on, and "liked" the infringing videos.
"A showing by plaintiffs of no more than that some employee of Vimeo had some contact with a user-posted video . . . is not sufficient."[62] Citing its prior decision in Viacom International, Inc. v. YouTube, Inc.,[63] the court held that in order to make out "red flag" knowledge, Capitol Records needed to present evidence showing that "Vimeo personnel either knew the video was infringing or knew facts making that conclusion obvious to an ordinary person."[64] Second, the Court rejected Capitol’s claim that Vimeo "willfully blinded" itself to infringement by its users by encouraging them to post infringing videos and then looking the other way. "[A] handful of sporadic instances . . . in which Vimeo employees inappropriately encouraged users to post videos that infringed music cannot support a finding of the sort of generalized encouragement of infringement supposed by their legal theory . . . [and does not] suffice to justify stripping Vimeo completely of the protection of [the DMCA’s safe harbor]."[65]

Following the panel’s decision, Capitol Records and the Recording Industry Association of America both filed briefs urging the Second Circuit to reconsider, or rehear en banc the panel’s ruling. They argued that the decision had ignored decades of precedent separating federal copyright law from state-level protections, and that it represented "a slippery slope" about what other aspects of federal copyright law might now be applied to pre-1972 recordings. However, the Second Circuit denied their petition for rehearing en banc.[66] On December 16, 2016, Capitol Records filed a petition for certiorari with the Supreme Court.[67]

2. Licensing and Sampling: UMG Recordings v. Global Eagle Entertainment

In a closely watched case involving licenses to stream music as in-flight entertainment, Universal Music Group and Global Eagle Entertainment settled in August 2016, with Global Eagle’s payout to Universal valued at almost $30 million.[68] Universal had sued Global Eagle back in 2014, alleging that Global Eagle and its subsidiaries provided airline passengers with unauthorized access to works by Taylor Swift, Katy Perry, Elton John, Paul Simon, Eminem, and others. The district court rejected Global Eagle’s argument that the parties had reached an oral licensing agreement, stating that "[t]here is ample evidence that IFP knew it had no licenses from plaintiffs" and yet was "repeatedly making the business decision to continue its unauthorized use" of the songs.[69] The district court granted Universal’s motion for summary judgment, finding that Global Eagle willfully infringed more than 4,500 works owned by Universal and other related publishers. Statutory damages for willful infringement under the Copyright Act can reach up to $150,000 per track. A trial to determine damages was scheduled, but Global Eagle, facing a potential payout of $675 million, signaled its intent to settle.[70] Commentators have noted that this litigation, and others like it, is a reflection of the music industry’s decision to crack down on the "murky environment" surrounding in-flight streaming services. However, facing such substantial penalties, some in-flight entertainment companies have elected to err on the side of safety, and have suspended music streaming services until formal licensing requirements have been satisfied.[71]

3. VMG Salsoul LLC v. Ciccone

This past year, the Ninth Circuit shot down a copyright lawsuit against Madonna over a split-second music sample she used in her 1990 smash hit "Vogue," and in doing so, set up a circuit split on the important issue of whether a very small amount of music sampling constitutes copyright infringement.[72] The decision was the first by a federal appeals court to directly reject the Sixth Circuit’s controversial 2005 ruling in Bridgeport Music, Inc. v. Dimension Films, which held that the de minimis defense to copyright infringement does not apply to sound recording copyrights.[73] That decision has been controversial in the musical community, since it effectively turned any amount of sampling into copyright infringement, opening up sampling musicians to liability and rendering the Sixth Circuit a plaintiff-friendly jurisdiction in song-theft cases.[74]

The Ninth Circuit’s decision affirmed the district judge’s 2013 ruling that Madonna’s use of a 0.23-second "horn hit" from the Salsoul Orchestra’s song "Love Break" was de minimis, and thus did not constitute copyright infringement. The court noted the "consistent application of the de minimis exception across centuries of jurisprudence," including other artistic works (visual art, photography), and saw "no principled reason" to carve out an exception for sound recordings.[75] Therefore, until and unless the Supreme Court grants certiorari on the issue, this decision affords musical artists a bit more room to experiment with sampling, so long as they are confident that any claims will be litigated in the Ninth Circuit, and remain conscious of the fact that other circuits, such as the Sixth Circuit, may look less favorably upon the de minimis defense.

4. Discipline and Attorneys’ Fees: Kirtsaeng v. John Wiley & Sons

The Supreme Court handed down a significant ruling in June 2016, clarifying when judges should award attorneys’ fees to successful copyright litigants under the Copyright Act’s discretionary fee-shifting provision, 17 U.S.C. § 505. The Court held that the "objective reasonableness" of a losing party’s position should be given "substantial weight" in, but should not necessarily control, the outcome of a fee petition.[76]

In a 1994 decision, Fogerty v. Fantasy Inc., the Supreme Court said that fees should be equally available to victorious plaintiffs and defendants, but did not establish a "precise rule or formula" for when they should be awarded.[77] Rather, the Court handed down four "non-exclusive" factors for lower courts to consider – the frivolousness of the case, the losing party’s motivation, objective unreasonableness, and considerations of compensation and deterrence. Given the relative lack of guidance, lower courts began to diverge in how they weighed these factors. Some weighed them evenly, others tried to serve "the purposes of the Copyright Act," and others, like the Second Circuit, placed a strong emphasis on the "objective unreasonableness" factor.

In this case, Supap Kirtsaeng attempted to recover more than $2 million in attorneys’ fees after prevailing in a copyright infringement case brought against him by textbook giant John Wiley & Sons. Kirtsaeng had been buying cheap foreign editions of Wiley’s textbooks, and then reselling them in the United States.
However, in 2012, the Supreme Court ruled that the first-sale doctrine applies to works sold overseas, meaning that Kirtsaeng’s scheme was lawful and did not violate Wiley’s copyright.[78] When Kirtsaeng sought attorneys’ fees, both the district court and Second Circuit refused on the ground that Wiley’s position in a difficult, unresolved issue of first impression – that the first sale doctrine did not apply to works sold abroad – had been objectively reasonable.[79]

In its decision, a unanimous Supreme Court largely endorsed the approach of the Second Circuit, writing that "a district court should give substantial weight to the objective unreasonableness of the losing party’s position, while still taking into account all other circumstances relevant to granting fees."[80] However, the Court nonetheless vacated the Second Circuit’s decision, saying that it had perhaps placed too much emphasis on the reasonableness question.[81] Thus, moving forward, the Court’s opinion emphasizes that reasonableness is an important factor; however, it should not be a controlling one. For example, the Court specifically mentioned two situations that could weigh in favor of granting attorneys’ fees in cases other than ones involving unreasonable legal positions: one involved litigation misconduct, and the other "overaggressive assertions of copyright" in which a copyright holder filed hundreds of suits on an overbroad legal theory, many of which were reasonable, but which still led to fee awards for the other side. In future cases, therefore, courts should weigh the reasonableness of the parties’ positions, but also take into account factors such as misconduct or improper litigation strategies.

The Court described fee awards as "a double-edged sword" that both "increase the reward for a victory–but also enhance the penalty for a defeat."[82] Therefore, the Court concluded that favoring awards in close cases, as Kirtsaeng had urged, would likely discourage parties from litigating those cases to completion by raising the stakes in suits where the outcome was already uncertain. Rather, the Court reasoned that giving substantial weight to the "objective reasonableness" of the losing party’s position "both encourages parties with strong legal positions to stand on their rights and deters those with weak ones from proceeding."[83] Lastly, the Court noted that the "objective reasonableness" standard is an "administrable" one that the district courts can easily assess, having litigated the merits of the case.[84]

5. Copyrightable Subject Matter

There were a few interesting developments in the area of copyrightable subject matter during the latter half of 2016. In Solid Oak Sketches, LLC v. Visual Concepts, Inc. (the "NBA 2K tattoo" case), a federal judge threw out claims for statutory damages by tattoo artist shop Solid Oak Sketches in its lawsuit against the maker of the popular NBA 2K video game series.[85] Solid Oak had alleged that its designs–inked into the skins of NBA stars Kobe Bryant, LeBron James, DeAndre Jordan, and others–were used in the video game without permission and violated their copyrights. The judge ruled that statutory damages were not available because the designs were registered with the U.S. Copyright Office in 2015, after the alleged infringement occurred.[86] However, the judge ruled that Solid Oak may pursue actual damages related to lost income for the tattoos’ appearances in the NBA 2K series.

A federal judge in Atlanta allowed a suit by 54 Sudanese refugees who say that their interviews with a screenwriter about their persecution in Darfur and ultimate journey to America are subject to copyright protection, and that they are entitled to joint authorship of the taped interviews.[87] The refugees’ interviews formed the basis of The Good Lie, a 2014 film starring Reese Witherspoon. The judge ruled that the interviews were a "creative process designed to create material for a screenplay and film," and that this "likely includes enough creativity to render the Interviews an original work of authorship" under the Copyright Act.[88] The case has proceeded to the discovery phase, and may impact the way that interviews and narratives are collected from real-life participants, and how those interviews are used in or form the basis of films or television programs.[89]

Late in 2015, Paramount Pictures and CBS Studios filed a lawsuit against the makers of a crowd-funded Star Trek inspired fan film ("Axanar"), accusing them of copyright infringement over various concepts in the Star Trek universe, including the Klingon language.[90] Despite director J.J. Abrams’ assurances at a Star Trek fan event that the case would soon be over, the movie studios were not prepared to give up.[91] Studios have long tolerated, and sometimes even supported, fan-made films so long as they did not attempt to capitalize financially on copyrighted material. While most fan-made films are modest, humble affairs, "Axanar" raised over $1.2 million through a crowd-funding campaign. However, the producer of "Axanar" insists that this project was never about making money or competing with the official Star Trek movies.
After all, no one could "mistake it [Axanar] for an officially released ‘Star Trek’ movie that costs $150 million."[92] Regardless, the movie studios refused to drop the suit, and both sides filed dueling summary judgment motions in federal court in Los Angeles in November 2016. In early January 2017, a federal judge granted partial summary judgment for the plaintiffs, rejecting Axanar’s claims that the project fell "squarely within the protection of fair use" and that it would not have "any negative impact on plaintiffs’ market." Rather, the judge held that "[t]he Axanar works are rightfully considered derivative works of the Star Trek copyrighted works," that Axanar "evidently intend[ed] for their work to effectively function as a market substitution to the Star Trek copyrighted works," and that "there is little doubt that unrestricted and widespread conduct of the sort engaged in by defendants would result in a substantially adverse impact of market substitution for the Star Trek copyrighted works."[93] This decision set the stage for trial, scheduled for late January 2017. Two weeks later, however, the parties reached a settlement in which Axanar acknowledged that its film had "crossed boundaries acceptable to CBS and Paramount" and "agreed to make substantial changes" to the film and follow new Star Trek fan fiction guidelines released as part of the settlement for future films.[94]

6. Other Copyright Developments

a. GS Media v. Sanoma Media

In a case with implications for companies that operate abroad, in September 2016, the European Court of Justice issued a decision in GS Media v. Sanoma Media, holding that for-profit websites that hyperlink to unauthorized works are liable for copyright infringement.[95] This decision was greatly praised by copyright holders, and heavily criticized by Internet companies.
In 2011, the popular Danish news website GeenStijl published multiple stories containing hyperlinks to various third-party sites where users could view and download nude photos of Dutch Playboy model Britt Dekker. Sanoma Media, which publishes the Dutch version of Playboy, complained to the third-party websites, most of which took down the offending photos. However, GS Media continued to thumb its nose at Sanoma by posting more hyperlinks to other third-party sites that had the photos.[96]

Sanoma Media initiated legal proceedings against GS Media in the Netherlands, where the Dutch Supreme Court referred the case to the European Court of Justice.

EU law states that "Member States shall provide authors with the exclusive right to authorize or prohibit any communication to the public of their works . . . ." At issue in the case was whether posting a hyperlink to infringing conduct qualified as a "communication with the public." The court determined that in the case of a for-profit website like GeenStijl, it did.[97] Practically speaking, this ruling means that commercial websites in the EU will have to conduct some due diligence to check whether the publication of content on another’s website is made with or without the copyright owner’s consent. Not-for-profit websites, however, are under no such burden and can wait until they receive a takedown request.

b. Fox v. FilmOn & Fox v. AereoKiller

The Ninth and DC Circuits are poised to issue decisions in 2017 in dueling cases on whether streaming services are eligible for a compulsory license to stream copyrighted television content, potentially setting the stage for a trip to the Supreme Court. Section 111 of the Copyright Act gives cable companies automatic access to broadcasters’ content, and the question in these cases is whether this compulsory license provision is limited to traditional cable companies, or applies to online streaming services as well.
In the past, web-based television services have generally been considered ineligible for the license, but in July 2015, a federal judge in Los Angeles ruled that FilmOn, a web-based streaming service, was eligible.[98] The plaintiff in the case, Fox Television Studios, appealed to the Ninth Circuit. Then, a few months later, a federal judge in Washington D.C. said the opposite – that Section 111 was intended only for traditional cable companies, and web-based streaming services did not qualify.[99] Both cases have been appealed to their respective circuits, and a decision in both cases seems likely to come down in 2017. The dueling cases have big implications for the growing Internet streaming industry and for the statutory license at issue.

C. Agency Wars

Competition between the major talent agencies including WME, CAA, UTA, and ICM Partners is, as it has always been, fierce in Hollywood. However, in March 2015, one of the largest mass migrations from one agency to another occurred when ten CAA comedy department agents departed to UTA, taking many of their clients along with them.

Two days after the agents left, CAA filed suit against UTA and the former agents who were not under contract, alleging multiple causes of action including intentional interference with contractual relations, intentional interference with prospective economic advantage, and breach of fiduciary duty, among others.[100] Some agents were under employment contracts when they quit and those agreements demanded that any disputes be handled in arbitration, whereas others were not under contract, but could be sued for helping others break their contract.
After CAA amended their complaint twice, UTA fired back in its response, claiming that the former CAA agents were within their rights to make a move because the employment agreements only bound them to employment with CAA for a seven-year period, and the agents at issue had exceeded that threshold.[101] CAA sought to stay the proceedings pending a separate arbitration for the former agents under employment contracts, which the Court granted in September 2016 and which remains pending.

D. Video Games: Original Madden Creator Loses Big on Royalties

The Ninth Circuit recently affirmed a district court ruling wiping out a large copyright infringement jury verdict against the developer of the "Madden NFL" franchise. In 2011, a software developer brought an action against Electronic Arts ("EA") seeking contract damages for unpaid royalties. Robin Antonick was originally hired by EA in 1984 to develop what later became the first game in the popular Madden series.[102] At the time, his employment contract gave him the right to royalties on "Derivative Works," defined as "any computer software program or electronic game which . . . constitutes a derivative work of the Work within the meaning of the United States Copyright law."[103] Antonick sought royalties for subsequent versions of the Madden game he did not work on, but which he alleged utilized his intellectual property.[104] In 2013, Antonick secured a jury verdict in his favor.[105] The successful verdict stood to be valued in the "tens of millions of dollars" in light of the $4 billion in sales Madden Football has generated.[106] But in 2014, the district court overturned the verdict in favor of the video game developer.
The Court granted EA’s motion for judgment as a matter of law.[107] In accordance with Ninth Circuit law, the court found that Antonick’s Madden game must be compared against the allegedly copied Madden games as a whole to determine whether "they are sufficiently similar to support a finding of illicit copying."[108] The Court found that they were not.[109] At trial and on motion, Antonick argued that his original work and EA’s allegedly derivative works were similar "to their counterparts," using an element-by-element comparison.[110] The court noted that because the jury had no evidence of Antonick’s or EA’s allegedly derivative works "as a whole," it could not make a subjective comparison that the works were "virtually identical."[111] The Court also found that "because copyright law protects only similarity in protectable expression," similarities in the look of the game–that is, "unprotectable ideas"–will not be protected by copyright law.[112] In November 2016, the Ninth Circuit agreed that the video game developer was not entitled to royalties for games created for different Madden platforms under his contract with the game manufacturer.[113]

E. Music: Mo’ Streamers, Mo’ Problems?

2016 was the year in which streaming became the primary mode of music consumption, with more than 251 billion on-demand streams, which accounted for 38% of the entire music-listening market, passing total digital sales for the first time.[114] With its success, streaming has become a target of lawsuits. Recently, several musicians have attempted to wield class actions as a sword in the ongoing battle between musicians and online streaming music services.
At the end of 2015, an independent rock musician filed a $150 million putative class action against Spotify, accusing the music streaming service of conducting an egregious and ongoing campaign of copyright infringement.[115] The musician, David Lowery, alleges that Spotify is knowingly and willfully infringing on his rights to his music, and is wrongfully withholding royalty payments.[116] According to the complaint, Spotify has publicly admitted to its failure to obtain licenses for some of the music it distributes or pay royalties to the copyright owners.[117]

A wave of class action suits against online streaming services followed. In January 2016, Melissa Ferrick filed a similar suit against Spotify alleging copyright infringement.[118] Then, in February 2016, the band The American Dollar filed a similar suit against Jay Z and his Tidal streaming service. The suit alleged that Tidal failed to properly pay mechanical royalties, which go to songwriters when their compositions are recorded or reproduced.[119] While streaming services can pay mechanical royalties either through direct deals with copyright holders or through a compulsory license from the Copyright Office, here, Tidal allegedly did neither. And later, one of the bands Lowery performs with–Camper Van Beethoven–launched a class action against Rhapsody International Inc., seeking $150 million for alleged copyright infringement.

In the Spotify action, Lowery sought to obtain and review all of Spotify’s communications with class members in its National Music Publishers Association (NMPA) settlement, one condition of which was that its members would waive their ability to participate in any legal action against Spotify, including Lowery’s class action.[120] Lowery was concerned Spotify might not be informing publishers and songwriters they are entitled to the settlement royalty payments and do not need to waive any claims to get them.
The district judge, however, denied Lowery’s request because he did not name the NMPA in his suit. Ultimately, the large percentage of the NMPA’s members opting in to the settlement may imperil or at least significantly weaken Lowery’s suit.

F. A Banner Year in Art Litigation

1. The Battle Over VARA’s Scope Continues

In 2016, courts limited the Visual Artists Rights Act of 1990’s ("VARA") already narrow protections. While VARA was designed to protect the moral rights of artists, the statute explicitly limits its protection to works of "visual art."[121] The definition of "visual art" is "a critical underpinning of the limited scope of the [Act]."[122] And because "applied art" does not receive VARA protections, the distinction between visual and applied art is important. In June, the Ninth Circuit weighed in on the battle, attempting to draw the line between visual and applied art: "an object constitutes a piece of ‘applied art’–as opposed to a ‘work of visual art’–where the object initially served a utilitarian function and the object continues to serve such a function after the artist made embellishments or alterations to it."[123] In essence, the Ninth Circuit limited what can be considered "visual art."
In following the Second Circuit, the Ninth Circuit considered the purpose of the art to be determinative in its analysis.[124] The Court ruled that a replica 16th Century Spanish galleon created out of a school bus for the Burning Man counterculture festival was not "visual art" and thus is not protected under VARA.[125] Two artists, Simon Cheffins and Gregory Jones, created the galleon, "La Contessa," by adding a façade, hull, decking, and masts to a school bus.[126] While the structure was being stored on private property, the landowner of the property burned La Contessa so that a scrap metal dealer could remove the underlying school bus.[127] The artists sued for damages under VARA, with the Ninth Circuit holding that the artists could not recover because the structure "began as a rudimentary utilitarian object, and despite being visually transformed through elaborate artistry, it continued to serve a significant utilitarian function upon its completion."[128] The structure was used at Burning Man as a vehicle providing rides, as a venue for hosting weddings, as a stage for poetry shows, and as a centerpiece for a children’s treasure hunt.[129] In short, because the bus retained a largely practical function, it was not deserving of VARA protections.

Despite the limitations on VARA, artists continue to attempt to utilize its protections to obtain damages awards. In January 2016, a Detroit artist asked a district court for VARA protection for her mural on a brick building on one of Detroit’s main thoroughfares.[130] The court’s ruling is anticipated this coming year.

2. Authentication Triumph for Peter Doig

In a case that had potential far-reaching consequences for artists in the market and courts dealing with art law, a district court judge ruled in favor of an artist in a bizarre suit that sought to determine the legitimacy of a painting where the alleged artist denied ever having painted it.
A private owner and art dealer filed an action against artist Peter Doig requesting a determination that a disputed work in their possession be ruled as an authentic Peter Doig painting, which would have rendered it very valuable (worth approximately $10 million, according to the complaint).[131] The district judge, after a bench trial, however, found in favor of Doig.[132] In a ruling that had the potential to significantly increase the courts’ power over the art market, the judge declined to find in favor of the owner of the disputed work where a living artist himself contested the authenticity of his alleged painting and the evidence did not establish otherwise.

3. California Resale Royalty Act Preempted by Copyright Law

In April 2016, a federal district judge ruled that the California Resale Royalty Act (CRRA) is preempted by federal copyright law.[133] The CRRA requires the seller of fine art to pay the artist a five percent royalty as long as "the seller resides in California or the sale takes place in California."[134] The act also applies to art agents, such as art galleries.[135] In a long-running class action saga, plaintiff artists in several related suits have alleged that two auction houses and an online retailer failed to comply with the CRRA by selling art without paying royalties.[136] In 2015, the Ninth Circuit held that the CRRA violated the dormant commerce clause, but that the act could be saved because the offending provision was severable.[137] The district court’s April ruling finding copyright preemption, however, may eviscerate the CRRA. An appeal to the Ninth Circuit is again pending.

4. Fair Use and Richard Prince Go Another Round

As we recognized in our 2016 Mid-Year update, fair use issues in the copyright context have been front and center of late. Blockbuster cases–Authors Guild v. Google, Inc. and Fox News Network, LLC v. TVEyes, Inc.–have set the stage for a continuing battle in 2017 over the scope of the fair use protection. Although codified in the Copyright Act, the fair use defense remains an intensely factual issue, making the application of the defense to different fact patterns through case law especially important.

In August 2016, Richard Prince, the successful appropriation artist who has long pushed the boundaries of copyright law, was sued (along with the Gagosian Gallery) for his Instagram-based "New Portraits" series in which he created enlarged photographs of other users’ Instagram posts that he had commented on. Below is an excerpt of Exhibit B to the latest lawsuit, Graham v. Prince et al., which centers around an Instagram post by an anonymous user containing a photograph that was taken by Donald Graham, on which Prince had commented and then enlarged into an artwork.

Prince previously secured a victory in a similar case by arguing that the fair use doctrine protects his work. In 2013, the Second Circuit ruled in Prince’s favor finding that because the defense is based on an analysis of several factors, the application of one factor is not dispositive: "the law does not require that a secondary use comment on the original artist or work, or popular culture."[138] At issue in that suit was Prince’s work based on photographs of another artist, Patrick Cariou.[139] On appeal, the Second Circuit concluded that twenty-five of the thirty pieces of art at issue "make fair use of Cariou’s copyrighted photographs."[140] Prince has since been sued four times, three times in 2016 alone, over his appropriation of other artists’ works.[141]

Given the differences between the specific works and posts at issue, it remains unclear whether Prince’s fair use defense will be as successful as it was in the Cariou case.
In Cariou, Prince was sued over works where "the entire source photograph is used but is also heavily obscured and altered to the point that Cariou’s original is barely recognizable."[142] But in Prince’s subsequent suits, he often does little to alter the allegedly appropriated work, including in the "New Portraits" series.[143] Whether or not Prince’s latest works are protected fair use, they will continue to be featured in the age-old debate, "what is art?"

[1] Brent Lang and Cynthia Littleton, NBCUniversal to Acquire DreamWorks Animation for $3.8 Billion, (Apr. 28, 2016), available at http://variety.com/2016/biz/news/dreamworks-animation-3-8-billion-nbcuniversal-comcast-1201762634/.
[2] Borys Kit, Jeffrey Katzenberg Bids Farewell to DreamWorks Animation Staff as Comcast’s $3.8B Deal Closes, (Aug. 22, 2016), available at http://www.hollywoodreporter.com/news/jeffrey-katzenberg-bids-farewell-dreamworks-921895.
[3] Frank Pallotta and Matt Egan, Comcast Buys DreamWorks Animation in $3.8 Billion Deal, (Apr. 28, 2016), available at http://money.cnn.com/2016/04/28/media/comcast-dreamworks-nbcuniversal/.
[4] Etan Vlessing and Georg Szalai, Hollywood Feeding Frenzy: How DreamWorks Deal Could Impact Paramount, Lionsgate (April 28, 2016), available at http://www.hollywoodreporter.com/news/hollywood-feeding-frenzy-how-dreamworks-888597.
[5] Oriana Schwindt, Lionsgate, Starz Close $4.4 Billion Acquisition, (Dec. 8, 2016), available at http://variety.com/2016/biz/news/starz-lionsgate-close-acquisition-1201937471/.
[6] Anousha Sakoui & Alex Sherman, Lions Gate Buys Starz for $4.4 Billion in Premium Cable Push, (June 30, 2016), available at https://www.bloomberg.com/news/articles/2016-06-30/lions-gate-buys-starz-for-4-4-billion-for-premium-cable-outlet.
[7] Chad Bray, 21st Century Fox Reaches $14.8 Billion Deal for Remainder of Sky, (Dec. 15, 2016), available at http://www.nytimes.com/2016/12/15/business/dealbook/21st-century-fox-reaches-14-8-billion-deal-for-remainder-of-sky.html?_r=1.
[8] Sky and 21st Century Fox Agree 18.5bn Takeover Deal, (Dec. 15, 2016), available at http://www.bbc.com/news/business-38326530.
[9] Georg Szalai, Europe’s Altice Closes Cablevision Acquisition, Expanding U.S. Presence, (June 21, 2016), available at http://www.hollywoodreporter.com/news/europes-altice-closes-cablevision-acquisition-889911.
[10] Nick Kostov, Altice Closes Buy of Cablevision, (June 21, 2016), available at http://www.wsj.com/articles/altice-closes-buy-of-cablevision-1466515394.
[11] Marie Mawad, Elco van Groningen and Gerry Smith, Altice to Acquire Suddenlink Stake in $9.1 Billion U.S. Deal, (May 19, 2015), available at https://www.bloomberg.com/news/articles/2015-05-19/altice-said-to-seek-purchase-of-suddenlink-in-u-s-expansion.
[12] Kostov, supra note 10.
[13] Paul Bond, DirecTV Exec Promises Return to Growth "Soon", (Mar. 2, 2016), available at http://www.hollywoodreporter.com/news/directv-executive-promises-return-growth-872122.
[14] Jason Lynch, AT&T and Hulu Share More Details About Their Upcoming Skinny Bundle Streaming Offerings Time Inc. Says Its New OTT platform is Off to a ‘Fantastic’ Start, (Sept. 28, 2016), available at http://www.adweek.com/news/television/att-and-hulu-share-more-details-about-their-upcoming-skinny-bundle-streaming-offerings-173786.
[15] Peter Kafka, How Skinny will Hulu’s New Bundle be?, (Nov. 1, 2016), available at http://www.recode.net/2016/11/1/13490026/hulu-disney-fox-espn-fox-sports-streaming-tv.
[16] Matt Pressberg, Time Warner Just Made Hulu the Skinny Bundle to Beat, (Aug. 3, 2016), available at http://www.thewrap.com/time-warner-just-made-hulu-the-skinny-bundle-to-beat/.
[17] Kele Bigknife, Customers are NOT "Amused" by Chicago’s New 9% Streaming Tax, Michigan Business & Entrepreneurial Law Review, (Oct. 1, 2015), available at http://mbelr.org/consumers-are-not-amused-by-chicagos-new-9-streaming-tax/; Chicago Provides Cloud Computing, Software, and Related Guidance on Nonpossessory Lease Tax Exemptions and Sourcing, PricewaterhouseCoopers LLP, (June 30, 2015), available at https://www.pwc.com/us/en/state-local-tax/newsletters/salt-insights/assets/pwc-chicago-provides-guidance-cloud-computing-software-lease-tax.pdf.
[18] Complaint for Declaratory and Injunctive Relief at 1, Labell v. City of Chicago, No. 2015-CH-13399 (Ill. Cir. Ct. Sept. 9, 2015).
[19] Id.
[20] Id.
[21] Id.
[22] Bollea v. Gawker Media, LLC, No. 8:12-cv-02348-JDW-TBM (M.D. Fla. Oct. 16, 2012), Dkt. 1.
[23] Bollea v. Clem, Case No. 12012447-CI-011 (Fla. 6th Cir. Ct. Oct. 15, 2012).
[24] Bollea v. Gawker Media, LLC, No. 8:12-cv-02348-JDW-TBM (M.D. Fla. Nov. 14, 2012), Dkt. 47.
[25] Bollea v. Gawker Media, LLC, No. 8:12-cv-02348-JDW-TBM (M.D. Fla. Jan. 4, 2013), Dkt. 70.
[26] Bollea v. Clem, Case No. 12012447-CI-011 (Fla. 6th Cir. Ct. Dec. 28, 2012).
[27] Bollea v. Clem, Case No. 12012447-CI-011 (Fla. 6th Cir. Ct. Apr. 25, 2013).
[28] John Cook, A Judge Told Us to Take Down Our Hulk Hogan Sex Tape. We Won’t., available at https://web.archive.org/web/20130428130143/http://gawker.com/a-judge-told-us-to-take-down-our-hulk-hogan-sex-tape-po-481328088.
[29] Bollea v. Clem, Case No. 12012447-CI-011 (Fla. 6th Cir. Ct. May 2, 2013).
[30] Gawker Media, LLC v. Bollea, 129 So. 3d 1196 (Fla. Dist. Ct. App. Jan. 17, 2014).
[31] Id. at 1202.
[32] Bollea v. Gawker Media, LLC, Case No. 12012447-CI-011 (Fla. 6th Cir. Ct. June 8, 2016).
[33] Jackson v. Radar Online LLC, Case No. BC628510 (LA Sup. Ct. July 27, 2016).
[34] Id. at 1-2.
[35] Eramo v. Rolling Stone, LLC, Case No. 3:15-CV-00023-GEC, at ECF 1 (W.D.Va. May 29, 2015).
[36] Eramo v. Rolling Stone, LLC, Case No. 3:15-CV-00023-GEC, at ECF 189 (W.D.Va. Sept. 22, 2016).
[37] Eramo v. Rolling Stone, LLC, Case No. 3:15-CV-00023-GEC, at ECF 366 (W.D.Va. Nov. 4, 2016).
[38] Ashley Cullins, Why the Defamation Verdict Against Rolling Stone Could Chill Media Apologies, (Nov. 7, 2016), available at http://www.hollywoodreporter.com/thr-esq/why-defamation-verdict-rolling-stone-could-chill-media-apologies-944393.
[39] Eramo v. Rolling Stone, LLC, Case No. 3:15-CV-00023-GEC, at ECF 400 (W.D.Va. Dec. 8, 2016).
[40] Id. at 7-8.
[41] Sarver v. Hurt Locker LLC, Case No. 2:10-cv-09034-JHN-JCx, 2011 WL 11574477 (C.D. Cal. Oct. 13, 2011).
[42] Sarver v. Hurt Locker LLC, 813 F.3d 891 (9th Cir. 2016).
[43] Id. at 899.
[44] Id. at 902.
[45] Id. at 903-07.
[46] Id.
[47] Heller v. NBCUniversal, Inc., Case No. 2:15-cv-09631, at ECF 1 (C.D. Cal. Dec. 15, 2015).
[48] Heller v. NBCUniversal, Inc., Case No. 2:15-cv-09631, at ECF 54 (C.D. Cal. June 29, 2016).
[49] Heller v. NBCUniversal, Inc., Case No. 2:15-cv-09631, at ECF 65 (C.D. Cal. Jan. 4, 2017).
[50] Capitol Records LLC v. Vimeo, LLC, 826 F.3d 78, 93 (2d Cir. 2016).
[51] Id. at 97-99.
[52] 17 U.S.C. § 512(c) (1998).
[53] Sound Recording Act of 1971, Pub. L. No. 92-140, 85 Stat. 391 (1971), amended by Pub. L. No. 93-573, 88 Stat. 1873 (1974) (codified as amended at 17 U.S.C. § 102).
[54] UMG Recordings, Inc. v. Escape Media Group Inc., 964 N.Y.S.2d 106 (N.Y. App. Div. 2013).
[55] See Federal Copyright Protection for Pre–1972 Sound Recordings, (Dec. 2011), available at http://www.copyright.gov/docs/sound/pre-72-report.pdf. Although the Copyright Office Report notes that there is "no reason" why DMCA safe harbors should not apply to the use of pre–1972 recordings, based on a reading of the statute it concludes that "it is for Congress, not the courts, to extend the Copyright Act to pre–1972 sound recordings." Id. at 130, 132.
[56] Capitol Records Inc. v. MP3tunes, LLC, 821 F.Supp.2d 627 (S.D.N.Y. 2011).
[57] Capitol Records, LLC v. Vimeo, LLC, 972 F.Supp.2d 500, 537 (S.D.N.Y. 2013).
[58] Id. at 524-525.
[59] Capitol Records, LLC v. Vimeo, LLC, 972 F.Supp.2d 537, 552 (S.D.N.Y. 2013) ("This issue is a question of first impression in the Second Circuit, and aside from these two decisions [Grooveshark and MP3tunes] no other federal court appears to have addressed the issue.").
[60] Capitol Records v. Vimeo, 826 F.3d at 90.
[61] Id.
[62] Id. at 97.
[63] 676 F.3d 19 (2012).
[64] Capitol Records v. Vimeo, 826 F.3d at 98.
[65] Id. at 99.
[66] Petition for Reh’g en banc, Capitol Records v. Vimeo, 826 F.3d 78 (2d Cir. 2016), denied.
[67] Petition for Writ of Certiorari, Capitol Records v. Vimeo, 826 F.3d 78 (2d Cir. 2016) (No. 14-1048).
[68] Andy, Universal Music Settles In-Flight Music Lawsuit for $30m+, (Aug. 17, 2016), available at https://torrentfreak.com/universal-music-settles-in-flight-music-lawsuit-for-30m-160817/.
[69] UMG Recordings, Inc. v. Global Eagle Entm’t, Inc., Case No. 14-cv-3466-MMM, 2015 U.S. Dist. LEXIS 102659, at *26 (C.D. Cal. Jun. 22, 2015).
[70] Daniel Siegal, UMG, Media Co. Delay In-Flight IP Trial to Try and Settle, (Apr. 28, 2016), available at http://www.law360.com/articles/790409/umg-media-co-delay-in-flight-ip-trial-to-try-and-settle?article_related_content=1.
[71] Kaveh Waddell, Why In-Flight Music Is In Trouble, (July 9, 2015), available at http://www.theatlantic.com/politics/archive/2015/07/why-in-flight-music-is-in-trouble/458478/.
[72] VMG Salsoul, LLC v. Ciccone, 824 F.3d 871 (9th Cir. 2016).
[73] 410 F.3d 792, 801 (6th Cir. 2005) ("Get a license or do not sample. We do not see this as stifling creativity in any significant way.").
[74] Colin Stutz, Justin Bieber & Skrillex Sued Over ‘Sorry’: Report, (May 26, 2016), available at http://www.billboard.com/articles/columns/pop/7385928/justin-bieber-skrillex-sued-sorry-white-hinterland-dance.
[75] VMG Salsoul v. Ciccone, 824 F.3d at 883, 885.
[76] 136 S. Ct. 1979, 1986-87 (2016).
[77] 510 U.S. 517 (1994).
[78] Kirtsaeng v. John Wiley & Sons, Inc., 133 S.Ct. 1351, 1356 (2013).
[79] John Wiley & Sons, Inc. v. Kirtsaeng, No. 08-cv-07834 (DCP), 2013 WL 6722887, at *2-3 (S.D.N.Y. Dec. 20, 2013); John Wiley & Sons, Inc. v. Kirtsaeng, 605 Fed.Appx 48, 49 (2d Cir. 2015).
[80] 136 S.Ct. at 1981-82.
[81] Id. at 1983 ("Its language at times suggests that a finding of reasonableness raises a presumption against granting fees, and that goes too far in cabining the district court’s analysis.").
[82] Id. at 1987.
[83] Id. at 1986.
[84] Id. at 1988.
[85] Solid Oak Sketches, LLC v. 2K Games, Inc., No. 16CV724-LTS, 2016 WL 4126543, at *4 (S.D.N.Y. Aug. 2, 2016).
[86] Id. at *3.
[87] Found. for Lost Boys and Girls of Sudan, Inc. v. Alcon Entm’t, LLC, No. 1:15-cv-00509-LMM (N.D. Ga. Mar. 22, 2016).
[88] Id. at *21.
[89] Eriq Gardner, Judge Lets 54 Sudanese Refugees Pursue Copyright and Fraud Claims Over Reese Witherspoon Film, (Mar. 24, 2016), available at http://www.hollywoodreporter.com/thr-esq/judge-lets-54-sudanese-refugees-878021.
[90] Complaint, Paramount Pictures Corp. v. Axanar Prods., Inc., No. 2:15-cv-09938-RGK-E (C.D. Cal. Dec. 29, 2015).
[91] Josh Rottenberg, Remember How J.J. Abrams Said the Lawsuit Against the ‘Star Trek: Axanar’ Fan Film Had Been Dropped? Not Quite., (June 20, 2016), available at http://www.latimes.com/entertainment/movies/la-et-mn-star-trek-axanar-lawsuit-update-20160617-snap-story.html.
[92] Id.
[93] Paramount Pictures Corp. v. Axanar Prods., Inc., Order Re: Plaintiffs’ Motion for Partial Summary Judgment and Defendants’ Motion for Summary Judgment, Case No. 2:15-CV-09938-RGK-E (C.D. Cal. January 3, 2017), at 13.
[94] Bill Donahue, Paramount Settles ‘Star Trek’ Fan Film Copyright Suit (January 20, 2017), available at https://www.law360.com/articles/883119/paramount-settles-star-trek-fan-film-copyright-suit.
[95] Case C-160/15, GS Media BV v. Sanoma Media Netherlands BV, 2016 http://curia.europa.eu (Sept. 8, 2016).
[96] Court of Justice of the European Union Press Release No 92/16, Judgment in Case C-160/15 GS Media BV v. Sanoma Media Netherlands BV (Sept. 8, 2016).
[97] Case C-160/15, GS Media BV v. Sanoma Media Netherlands BV, 2016 http://curia.europa.eu (Sept. 8, 2016).
[98] Bill Donahue, FilmOn Wins Big Ruling on Compulsory Copyright License, (July 16, 2015), available at http://www.law360.com/articles/680282.
[99] Bill Donahue, FilmOn Can’t Use Compulsory Copyright License, Judge Says, (Nov. 12, 2015), available at http://www.law360.com/articles/726444.
[100] Creative Artists Agency, Inc. v. United Talent Agency, LLC, Case No. SC123994 (LA Sup. Ct. Apr. 2, 2015).
[101] Creative Artists Agency, Inc. v. United Talent Agency, LLC, Case No. SC123994 (LA Sup. Ct. May 31, 2016).
[102] See Antonick v. Elec. Arts Inc., No. C-11-1543-CRB, 2014 WL 245018, at *1 (N.D. Cal. Jan. 22, 2014), aff’d, 841 F.3d 1062 (9th Cir. 2016).
[103] Id.
[104] Compl., Antonick v. Electronic Arts, Inc., 2011 WL 7942206, (No. CV-11-1548-EDL) (N.D. Cal. Mar. 30, 2011).
[105] Appellant’s Br., Antonick v. Electronic Arts, Inc., 2014 WL 3909266, at *20 (No. 14-15298) (9th Cir. Aug. 1, 2014).
[106] Compl., Antonick, 2011 WL 7942206.
[107] Antonick, 2014 WL 245018, at *1.
[108] Id. at *6 (citing Mattel, Inc. v. MGA Entm’t, Inc., 616 F.3d 904, 913–14 (9th Cir.2010)).
[109] Id.
[110] Id. at *7.
[111] Id. at *6, *7.
[112] Id. at *12.
[113] Antonick v. Elec. Arts, Inc., 841 F.3d 1062, 1066, 1069 (9th Cir. 2016).
[114] Matthew Strauss, Streaming Now Officially the Number One Way We Listen to Music in America, (Jan. 6, 2017), available at http://pitchfork.com/news/70724-streaming-now-officially-the-number-one-way-we-listen-to-music-in-america/.
[115] Class Action Compl. for Damages and Injunctive Relief at 8, Lowery v. Spotify USA Inc., (No. 2:15-cv-09929-BRO-RAO) (C.D. Cal. Dec. 28, 2015).
[116] Id.
[117] Id.
[118] Ryan Faughnder, Spotify Hit with Second Songwriter Lawsuit in Two Weeks, (Jan. 8, 2016), available at http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-spotify-songwriter-lawsuits-20160108-story.html.
[119] See Kia Kokalitcheva, Jay-Z’s Tidal Music Streaming Service Hit with $5 Million Copyright Lawsuit, (Feb. 29, 2016), available at http://fortune.com/2016/02/29/tidal-copyright-lawsuit/.
[120] Plaintiffs’ Notice of Mtn and Mtn for Corrective Action to Prevent Misrepresentations to Putative Class Members, Case No. 2:15-cv-09929-BRO-RAO, (C.D. Cal. Apr. 18, 2016).
[121] 17 U.S.C. § 106A(a)(3).
[122] Pollara v. Seymour, 344 F.3d 265, 269 (2d Cir. 2003) (quoting H.R.Rep. No. 101–514, at 1990 U.S.C.C.A.N. 6915, 6920–21) (internal quotations omitted).
[123] Cheffins v. Stewart, 825 F.3d 588, 593 (9th Cir. 2016).
[124] Id. at 593.
[125] Id. at 595.
[126] Id. at 591.
[127] Id.
[128] Id. at 595.
[129] Id.
[130] Compl. at 1-2, Katherine Craig v. Princeton Enterprises LLC, (No. 2:16-cv-10027) (E.D. Mich. Jan. 5, 2016).
[131] Verified Compl. for Declaratory and Other Relief, Robert Fletcher v. Peter Doig, 2013 WL 3058713, (No. 1:13-cv-03270) (N.D.Ill. Apr. 30, 2013).
[132] J. in a Civil Case, Robert Fletcher v. Peter Doig, 2016 WL 4708999, (No. 1:13-cv-03270) (N.D.Ill. Aug. 23, 2016).
[133] Estate of Graham v. Sotheby’s, Inc., 178 F. Supp. 3d 974, 991 (C.D. Cal. 2016).
[134] Cal. Civ. Code § 986(a).
[135] Id.
[136] Graham, 178 F. Supp. 3d at 980.
[137] Sam Francis Found. v. Christies, Inc., 784 F.3d 1320, 1326 (9th Cir. 2015), cert. denied, 136 S. Ct. 795 (2016).
[138] Cariou v. Prince, 714 F.3d 694, 698–99 (2d Cir. 2013), cert. denied, 134 S. Ct. 618 (2013).
[139] Id. at 697.
[140] Id. at 698-99.
[141] Compl., Donald Graham v. Richard Prince, (No. 1:15-cv-10160-SAS), (S.D.N.Y. Dec. 30, 2015); Compl. for Copyright Infringement, Dennis Morris v. Richard Prince (No. 2:16-cv-03924) (C.D. Cal. June 3, 2016); Compl., Ashley Salazar v. Richard Prince, (No. 2:16-cv-04282) (C.D. Cal. June 15, 2016); Compl., Eric McNatt v. Richard Prince, No. 1:16-cv-08896 (S.D.N.Y. Nov. 16, 2016).
[142] Cariou, 713 F.3d at 710.
[143] See, e.g., Compl., Ashley Salazar v. Richard Prince, (No. 2:16-cv-04282).

The following Gibson Dunn lawyers assisted in the preparation of this client update: Scott Edelman, Ruth Fisher, Howard Hogan, Nathaniel Bach, Corey Singer, Colleen Kenny, Sean O’Neill, Sara Ciccolari-Micaldi and Lauryn Togioka.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s Media, Entertainment & Technology Practice Group:

Scott A. Edelman – Co-Chair, Los Angeles (+1 310-557-8061, sedelman@gibsondunn.com)
Ruth E. Fisher – Co-Chair, Los Angeles (+1 310-557-8057, rfisher@gibsondunn.com)
Orin Snyder – Co-Chair, New York (+1 212-351-2400, osnyder@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Ari Lanin – Los Angeles (+1 310-552-8581, alanin@gibsondunn.com)
Benyamin S. Ross – Los Angeles (+1 213-229-7048, bross@gibsondunn.com)
Helgi C. Walker – Washington, D.C. (+1 202-887-3599, hwalker@gibsondunn.com)

© 2017 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.