Despite not being explicitly mentioned in the Constitution, the Supreme Court has firmly held that a right to privacy for all Americans is found in several amendments to the Constitution, with almost 100 years of case law providing precedent for many personal privacy rights that have become a cornerstone of American culture. However, in this new digital age of rapid technology change, with real-time access to information and the global exchange of information at the push of a button, new privacy protection questions arise almost daily. The extent to which an individual’s private information shared online is subject to privacy protection varies depending on which side of the pond you stand.
European nations generally take a more restrictive approach than the U.S. as to how companies can use personal data. EU nations often go head-to-head with U.S. digital companies over differing interpretations of privacy rights. Both Google and Microsoft have faced multiple investigations outside the United States.
Facebook seems to be a particularly popular target. As the world’s largest social network with 1.6 billion monthly users, Facebook earns its revenues from advertising aimed at users, after gathering information from the users’ social connections and activities in their posts. Late last month, a German court fined Facebook 100,000 Euros for failing to follow an order issued by a German court four years ago that required the social media site to revise a clause in its terms regarding any intellectual property content posted by users on or in connection with Facebook. The German court had found that the clause in the terms violated consumer rights. While Facebook modified the wording slightly for German users, the German court found that the revised wording still maintains the same underlying message as the original wording. Europe’s highest court also recently successfully challenged Facebook as to the way that data was transferred between the European Union and the United States. And just yesterday, a German court ruled that domestic websites could not transfer user data to Facebook via its “like” button without the specific consent of the user.
In a novel link between privacy protection and antitrust, the German competition authority known as the Federal Cartel Office (BKA) opened an investigation on March 2 into whether Facebook abused its dominant position in social networking in order to collect its users’ digital information, including placing unfair constraints on the users, who were forced to sign complicated terms and conditions in order to use the network. The investigation seeks to discover whether Facebook users were properly informed about how their personal data would be obtained through the site, including the type of data collected, as well as the extent of the data collected.
One might ask why the BKA would get involved with this novel approach to linking privacy protection to antitrust law. First, under antitrust law, the maximum fines are much greater than those under privacy law. For a company tech giant like Facebook, the fines imposed by data protection authorities can seem negligible, even for the most egregious cases, while antitrust fines pose a much more significant deterrent. Second, Facebook has claimed that it falls only within the jurisdiction of the data protection authority in Ireland, where its international headquarters are situated. By bringing the investigation under the auspice of the antitrust authority, this argument is avoided. The President of the BKA, Andreas Mundt, remarked that, “[d]ominant companies are subject to special obligations,” and he went on to say that such obligations include adequate terms of service, as far as they are relevant to the market. He also noted the importance of user data where Internet services are financed by advertising. The BKA noted, “. . . if there is a connection between infringement and market dominance, it could constitute an abusive practice under competition law.”
While some question the BKA’s position as ambitious and vague, others fear that this case could open the door to other investigations and cases using data protection violations to claim antitrust violations. Whether the BKA is successful or not, this should be a forewarning to other big U.S. technology companies: it is probably not enough to rely on U.S. privacy rules when playing in a global arena.
In an important decision in a federal court case in New Jersey, In Re Nickelodeon Privacy Litigation, Google and Viacom obtained a dismissal of a claim against them under the Video Privacy Protection Act (“VPPA”). The decision narrows the scope of who can be liable under the VPPA and what information is within the scope of the statute.
Congress passed the VPPA in 1988 after Robert Bork, a nominee for the U.S. Supreme Court, had his video rental history published during the nomination process. While Judge Bork’s viewing habits were unremarkable, members of Congress became understandably concerned that any individual’s private viewing information could easily be made public. The VPPA makes any “video tape service provider” that discloses rental information outside the ordinary course of business liable for $2,500 in damages per person, in addition to attorneys’ fees and punitive damages. There is no cap on the damages that plaintiffs can be awarded under the statute and cases are typically brought as class actions with large groups of plaintiffs.
In 2013, Congress passed and President Obama signed the first major change to the VPPA since it was enacted, the Video Privacy Protection Act Amendments Act of 2012. These amendments made it easier for companies to obtain consent from consumers to share their video viewing history. The amendment removed the requirement that video service providers obtain written consent from users every time a user’s viewing choice is disclosed. Additionally, the amendment allowed for a provider to obtain a user’s consent online and that the consent can apply on an ongoing basis for two years as long as the user is given the opportunity to withdraw that consent. The amendments were enacted in response to the interest by consumers in sharing videos on social media platforms.
Viacom owns and operates three websites through which users can stream videos and play video games. The plaintiffs in the lawsuit were registered users of those websites. When a user registered with the site, that individual would be assigned a code name based on that user’s gender and age. The plaintiffs alleged that the user code name would be combined with a code that identified which videos the user watched and that code was disclosed by Viacom to Google. The plaintiffs sued Viacom and Google alleging among other things that this disclosure was a violation of the VPPA.
The VPPA claim against Google was dismissed because the court found that Google was not a “video tape service provider” (“VTSP”) as required for liability under the statute. The court reasoned that Google is not “engaged in the business of renting, selling, or delivering either video tapes or similar audio materials.” Some courts have shown a willingness to extend the definition of a VTSP to companies such as Hulu and Netflix that offer video-streaming services, but the court in this case stopped short of extending it to Google, a company that does not offer video services as its main business.
The VPPA claim against Viacom failed because the court found that, even if Viacom were a VTSP, an issue the court did not reach, Viacom did not release personally identifiable information to Google, which is required to have occurred under the VPPA. The court concluded that “anonymous user IDs, a child’s gender and age, and information about the computer used to access Viacom’s websites” – even if disclosed by Viacom – were not personally identifiable information.
With its potential for large damages there has been a recent uptick in cases filed under the VPPA. Recently, plaintiffs have filed cases against well-known media companies including Hulu, Netflix, ESPN, the Cartoon Network, and The Wall Street Journal. These cases have started to show a trend in shifting away from the intended defendants, companies whose main line of business is renting and selling videos, and toward companies that provide streaming video as part of their business.
The line drawn by the court in this case of who can be considered a VTSP could be a significant win for companies that offer mobile apps with streaming video capabilities by limiting the definition of a VTSP to companies that are in the business of renting or selling videos. Such a limitation would be welcome by many operators of new technologies. Given the vast number of devices and platforms that deliver video content of some kind, an expansion of the definition of a VTSP could lead to a flood of litigation involving companies that are not in the business of renting or selling videos and were not the intended defendants under the statute.
While this decision will not stop the recent uptick in VPPA litigation, it will provide courts with guidance as how to determine who should be liable under the VPPA. The text of the VPPA was written in a way that did not anticipate the current environment where streaming video is available on a multitude of devices. As more cases are filed, the limits of the statute’s scope will be tested. However, this court’s decision provides precedent for a common sense approach to determining who should be held liable under the VPPA.