Legal information related to PIPEDA

Recent Court Activity

Case No. 08-8003

IN THE UNITED STATES COURT OF APPEALS FOR THE TENTH CIRCUIT

ACCUSEARCH, INC., d/b/a Abika.com,
and JAY PATEL,

Defendants/Appellants

v.

FEDERAL TRADE COMMISSION,

Plaintiff/Appellee

Appeal from the United States District Court for the District of Wyoming
Case No. 06CV0105D
The Honorable Judge William F. Downes

BRIEF OF JENNIFER STODDART, PRIVACY COMMISSIONER OF CANADA AS AMICUS CURIAE IN SUPPORT OF APPELLEE AND AFFIRMANCE OF THE DISTRICT COURT DECISION

Edward R. McNicholas
SIDLEY AUSTIN LLP
1501 K Street, N.W.
Washington, DC 20005
Telephone: (202) 736-8010
eMcNicholas@sidley.com

United States Counsel for Amicus
Privacy Commissioner of Canada

Pursuant to Rule 26.1 of the Federal Rules of Appellate Procedure, counsel for Amicus Privacy Commissioner of Canada states that the Commissioner is an independent Officer of the Parliament of Canada.

Plaintiff-Appellee has consented to the filing of this brief. Defendants-Appellants oppose the filing of this brief.

Consistent with Fed. R. App. P. Rule 29, Amicus has filed a motion accompanying this brief seeking leave from this Court to file.

The brief was drafted by the Commissioner’s Canadian Legal Counsel Daniel Caron, Senior Legal Counsel Lisa Campbell, and General Counsel Patricia Kosseim, all of the Office of the Privacy Commissioner of Canada, in collaboration with the United States counsel for the Commissioner and counsel of record for this brief, Edward McNicholas, who is a member of the bar of this Court.

The Canadian attorneys are members in good standing of their respective provincial bars in Canada, but they are not admitted to practice before any court in the United States.

United States counsel of record for this brief recognizes and has assumed professional responsibility for this brief and has personally and substantially assisted in its preparation.

CORPORATE DISCLOSURE STATEMENT

STATEMENT REGARDING CONSENT

STATEMENT REGARDING CANADIAN CO-COUNSEL

TABLE OF AUTHORITIES

STATEMENT OF INTEREST OF THE AMICUS

BACKGROUND REGARDING THE COMMISSIONER’S INVESTIGATION OF ACCUSEARCH

ARGUMENT

  1. THE UNAUTHORIZED COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION CAUSES HARM
  2. THE UNAUTHORIZED COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION BY ORGANIZATIONS LOCATED IN THE UNITED STATES HAS EXTRATERRITORIAL EFFECTS ON INDIVIDUALS IN CANADA

CONCLUSION

CERTIFICATE OF DIGTIAL SUBMISSION COMPLIANCE

CERTIFICATE OF COMPLIANCE

CERTIFICATE OF SERVICE

CASES
  • Ben Ezra, Weinstein, & Co. v. America Online Inc.,
    206 F.3d 980 (10th Cir. 2000)
  • Chicago Lawyers' Committee. for Civil Rights Under Law, Inc. v. Craigslist,
    Inc., 519 F.3d 666 (7th Cir. 2008)
  • Conboy v. AT&T Corp.,
    241 F.3d 242 (2d Cir. 2001)
  • Doe v. MySpace, Inc.,
    ___ F.3d. ____ , 2008 WL 2068064 (5th Cir. May 16, 2008)
  • Fair Housing Council v. Roommates.Com, LLC,
    521 F.3d 1157 (9th Cir. 2008)
  • Lanphere & Urbaniak v. Colorado,
    21 F.3d. 1508 (10th Cir. 1994)
  • Preferred Nat’l Ins. Co. v. Docusearch, Inc.,
    149 N.H. 759, 829 A.2d 1068 (2003)
  • Randi A.J. v. Long Island Surgi-Center,
    842 N.Y.S.2d 558 (N.Y. App. Div. 2007)
  • Remsburg v. Docusearch, Inc.,
    149 N.H. 148, 816 A.2d 1001 (2003)
  • In re Trans Union Corp. v. FTC,
    245 F.3d 809 (D.C. Cir. 2001)
  • U.S. West, Inc. v. FCC,
    182 F.3d 1224 (10th Cir. 1999)
STATUTES
  • Communications Decency Act, 47 U.S.C. § 230(a)
  • Cal. Civil Code § 1798.81.5(c)
CANADIAN CASES
  • Lawson v. Accusearch Inc., [2007] 4 F.C.R. 314 F.C.)
  • Malcolm v. Fleming, [2000] B.C.J. No. 2400 (B.C.S.C.)
  • Poirier v. Wal-Mart Canada Corp., [2006] B.C.J. No. 1725 (B.C.S.C.) (QL)
  • R. v. Dyment, [1988] 2 S.C.R. 17
  • Srivastava v. Hindu Mission of Canada (Quebec) Inc., [2001] J.Q. no. 1913 (Q.C.A.)
CANADIAN STATUTES
  • Privacy Act (R.S., 1985, c. P-21)
  • Personal Information Protection and Electronic Documents Act
    (“PIPEDA”) (    S.C., 2000, c-5)
OTHER CANADIAN MATERIALS
SCHOLARLY AUTHORITY
  • Samuel D. Warren & Louis D. Brandeis, The Right to Privacy,
    4 Harv. L. Rev. 193 (1890)
OTHER AUTHORITIES
  • Directive 95/46/EC of the European Parliament and of the Council of 24
    October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L
    281, 23.11.1995, p. 31–50
  • Organization for Economic Cooperation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
  • U.S. Dep't. of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens (1973)

Jennifer Stoddart, the Privacy Commissioner of Canada, is an independent Officer of the Parliament of Canada. This brief represents the views of her office, but not the official position of the Canadian Government.

The Privacy Commissioner of Canada oversees compliance with Canada’s Privacy Act (R.S., 1985, c. P-21) and the Personal Information Protection and Electronic Documents Act (S.C. 2000, c-5, hereinafter “PIPEDA”). These two federal statutes relate to the personal information handling practices of federal government institutions and a wide range of private sector organizations, respectively.

Of particular relevance for present purposes is PIPEDA. Under this law, the Privacy Commissioner of Canada seeks to protect personal information which is collected, used or disclosed in the course of commercial activity, including personal information that flows across provincial or national borders in the course of commercial transactions. As an advocate for privacy rights and in her role as ombudsperson, the Privacy Commissioner tries to resolve individual complaints as well as Commissioner-initiated complaints against private sector organizations. In so doing, she has a variety of tools at her disposal to promote compliance with privacy legislation, including public education, research, audits, investigations, and in certain circumstances, litigation. Four key points about PIPEDA are of particular relevance for United States law in general and the present case in particular:

  1. PIPEDA protects all individuals whose personal information is collected, used or disclosed by organizations subject to PIPEDA by virtue of their real and substantial links to Canada. This includes the personal information of not only Canadians, but also all individuals affected, including Americans and foreigners generally.
  2. PIPEDA reflects the standards in Canadian law and has been recognized as being comparable to European Union data protection standards. On December 20, 2001, the European Commission rendered a decision declaring that PIPEDA provides an adequate level of protection pursuant to Article 25(2) of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31–50, thereby allowing the transfer of personal information between European Member States and Canada for processing. Significantly, the European Union has not recognized the privacy laws in the United States as providing such an adequate level of protection with the result that United States companies must engage in sometimes elaborate compliance efforts regarding the flows of personal information between the European Economic Area and the United States.
  3. The legislative purpose of PIPEDA is to protect personal data in a manner that recognizes the reality of modern commerce, which is increasingly characterized by virtual, electronic transactions, enabled by rapid advances in information technology. More specifically, section 3 of PIPEDA states as its purpose “to establish, in an era in which technology increasingly facilitates the collection, use and disclosure of information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
  4. Built into PIPEDA is a further provision which allows organizations to transfer personal information to third parties for processing, including third parties in other jurisdictions, as long as the organization uses contractual or other means to ensure a comparable level of protection while the information is being processed by the third party (PIPEDA Principle 4.1.3).

A judgment of this Court confirming that United States organizations cannot freely trade in personal information without consent will substantially strengthen privacy protection in the United States. It will also provide Canadian-based organizations with the level of assurance they need to continue to outsource operations to, and otherwise conduct business with, United States organizations.

The certainty and predictability of knowing that Canada and the United States share certain basic standards with respect to personal information protection helps to support and enable commercial trade relationships.

This issue is all the more significant because the Canada–United States border is particularly porous when it comes to the cross-border flow of personal data. Information technology is rapidly expanding and having a profound effect on an individual’s ability to control how others in other jurisdictions use his or her personal information. The borderless nature of the Internet has not only expanded the markets available to businesses, but has also allowed for the personal information of Canadians and Americans alike to be easily collected, used and disclosed by foreign organizations with or without consent. The proliferating trade in confidential telephone records is a vivid example of this growing phenomenon.

The Privacy Commissioner of Canada has herself been the victim of the improper collection, use and disclosure of personal information by a United States-based data broker. In November 2005, a Canadian magazine reporter purchased records of the Privacy Commissioner of Canada’s telephone calls from Locatecell.com which had, in turn, obtained this information unlawfully from Canadian-based sources – in that case, three of Canada’s largest telecommunications companies. At the time, Locatecell.com was owned by a Tennessee-based company, and operated out of Florida with a North Carolina phone number. Through its investigation of the three Canadian telecommunications companies involved, the Office of the Privacy Commissioner of Canada (the “OPC”) found that Locatecell was in the business of providing paying customers with access to personal information they requested about others, typically without the other person’s consent. See Privacy Commissioner of Canada, PIPEDA Case Summary #372, Disclosures To Data Brokers Expose Weaknesses In Telecoms’ Safeguards.

In that case, the United States databroker used social engineering, otherwise known as pretexting, to trick customer service representatives of three Canadian telecommunications companies into disclosing customer phone records on the mistaken belief that they were dealing with the true customers of the accounts in question, when in fact, they were not. Subsequent actions against the operators of LocateCell.com by both telecommunications companies and state law enforcement resulted in both fines and injunctions prohibiting it from further attempting to obtain the private information of the customers of telecommunications companies. See, e.g., Cingular Wireless, LLC, v. Data Find Solutions, Inc., No. 1:05-CV-03269 (N.D. Ga. 2007) (Order of Nov. 9, 2006 awarding damages); Cellco Partnership v. Data Find Solutions, Inc., No. 3:06-CV- 00 326 (D.N.J. 2007) (Order of Apr. 20, 2007 consent judgment and permanent injunction); Attorney General v. Data Finds Solutions, Inc., 06AC-CC00067 (Cole Cty. Mo. Cir. Ct. 2007) (Order of July 23, 2007 awarding damages).

The Commissioner submits this brief because this Court’s decision will have direct impact not only on the privacy rights of individuals protected by Canadian law, be they Canadians, Americans or other foreigners, but also on the business reputation of Canadian organizations that fall prey to these improper tactics. This Court’s recognition of the illegality of such practices and the resulting harms will also support international cooperation between Canadian and United States regulators by enhancing the consistency in approach between our neighboring jurisdictions. Common basic standards and consistent approaches in enforcing these standards will ultimately facilitate the trans-border flow of personal data in connection with commercial trade that is essential to the North American information economy. They will provide the necessary assurance to organizations that contemplate outsourcing data processing functions south of the border and will boost the confidence that individuals need in conducting business over the Internet.

In June 2004, the Office of the Privacy Commissioner of Canada (“OPC”) received a complaint from the Director of the Canadian Internet Policy and Public Interest Clinic alleging that Accusearch, Inc. (“Accusearch”) collected, used, and disclosed the personal information of Canadians without their knowledge and consent, and that it collected, used and disclosed personal information about Canadians for inappropriate purposes. The individual based the complaint on evidence she obtained when she ordered two searches on herself from Abika.com: a criminal record search and a psychological profile, for which the individual was charged approximately US $100 and was not asked for any proof of identity to ascertain who she was and/or whether consent had been obtained.

The complaint against Accusearch, which OPC is investigating, alleges that Accusearch collects, uses and discloses personal information for inappropriate purposes, without the knowledge or consent of the individual affected and/or without verifying the identity of the requestor. Some of the information collected is highly sensitive personal information, such as medical records, police reports and telephone records. Disclosure of this type of personal information to paying clients without the knowledge and consent of the individual to whom it relates may violate Canadian law as it may United States law.

Based on a preliminary inquiry, the OPC learned that Abika.com offers a number of services for profit, including: (i) background checks such as criminal records, court records, education, rumors, current address and 20 year address history, police reports, property ownership, employment status, tax liens, civil judgments, driving history and telephone or cell phone records; (ii) psychological profiles including personality traits, consumer preferences and romantic preferences; (iii) matching of email or instant message to address or phone number, and of new email addresses to old ones; (iv) unlisted numbers and cell phone numbers; (v) details of incoming or outgoing calls from any phone number; and (vi) license plate searches leading to name, address, driving history and insurance status.

In conducting this preliminary inquiry, the OPC contacted Accusearch for the names and identities of its Canadian-based sources, which it refused to reveal. Without the cooperation of Accusearch in the United States and without the ability to exercise her authority to compel the production of evidence outside Canada, the Assistant Privacy Commissioner could not gather the necessary information to support any real and substantial links to Canada. As a result, the Assistant Commissioner closed the investigation file on the grounds that she lacked jurisdiction to continue. See Letter from the Assistant Privacy Commissioner of Canada (PIPEDA), Key Issues: On-Line Data Brokers, dated Nov. 18, 2005.

The Complainant, however, sought judicial review of this decision to close the investigation file (which is allowed under Canadian law, although not allowed under United States law). The Federal Court of Canada in Lawson v. Accusearch Inc., [2007] 4 F.C.R. 314 (F.C.), held that, despite the practical difficulties, the Commissioner does have jurisdiction to investigate a foreign based organization where that organization has a real and substantial connection to Canada, which the Court found was indeed the situation here. In this case, the individual complainant was a Canadian citizen who resides and works in Canada, the transmission and reception of personal information took place back and forth between the United States and Canada, and even though the data in question could not be traced back to Canadian-based sources, the Court concluded that much of the information had to have come from Canada. Accordingly, the complaint against Accusearch was referred back to the OPC for investigation, which it is presently pursuing.

The right to privacy in Canada is grounded in the fundamental concept that individuals deserve some measure of control over how organizations collect, use or disclose their personal information. This concept of a right to privacy, which is grounded in the fundamental right to autonomy and which goes to the heart of liberty in a modern state, was inspired by United States doctrine and adopted by the Supreme Court of Canada. (R. v. Dyment, [1988] 2 S.C.R. 417, Justice Lamer at para. 17 (paraphrasing Alan F. Westin, Privacy and Freedom (1970) at 349-50)).

The same widely accepted Fair Information Principles form the core of the privacy laws of both Canada and the United States, as well as Europe, Australia, and many other parts of the world. These Principles were first expressed by the U. S. Department of Health, Education and Welfare in 1973,1 and now find expression in the Organization for Economic Cooperation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.2

Regardless of how the specific legal regime conceptualizes privacy and expresses specific guarantees, it must be beyond reasonable dispute that the non-consensual collection, use or disclosure of an individual’s personal information can have tangible, detrimental effects, particularly given the increasingly prevalent risks of identity theft and fraud.

Accusearch’s contention that individuals suffered no injury when it provided phone records fails to recognize the seriousness of the harms suffered by the victims of identity theft and fraud. Indeed, Accusearch suggests that it should enjoy both immunity and free speech protections for its actions. Acceptance of these arguments, however, would create serious discrepancy between the level of privacy protection in Canada and the United States, and could have significant detrimental effects on the transborder data flows essential to Internet commerce.

This case involves more than the determination of whether Accusearch was engaged in unfair business practices. At its core, it is a case revolving around the ability of Canadians and Americans alike to protect their identities and be afforded respect with regard to how organizations in Canada and the United States collect, use and/or disclose their personal information, including confidential telephone records.

I. THE UNAUTHORIZED COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION CAUSES HARM.

Tangible harm can result from the misuse of personal information, and regulatory agencies must be able to prevent these harms in order to protect consumers. Given the modern ability of so-called “infomediaries” to correlate information from numerous disparate sources and the multiplicity of organizations that use such data brokers, personal information – whether it be accurate or inaccurate – can make its way into a series of other databases accessible to others without authorization, which can have deeply harmful effects.

Harms to privacy have in fact always been subject to damages remedies and were intended to be so. Even in Warren & Brandeis’ seminal article, there was the express observation that

[t]he remedies for an invasion of the right of privacy are also suggested by those administered in the law of defamation, and in the law of literary and artistic property, namely: 1. An action of tort for damages in all cases. Even in the absence of special damages, substantial compensation could be allowed for injury to feelings as in the action of slander and libel. 2. An injunction, in perhaps a very limited class of cases.

Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 219 (1890) (footnote omitted). That is, the availability of a remedy for harms to privacy is entirely consistent with the even then long-established common law torts. Indeed, the core privacy tort of intrusion upon seclusion fundamentally depends upon the idea that the breach of seclusion is itself actionable, and hence the law recognizes the protection of the very basic form of privacy present in seclusion. The harms experienced by violations of privacy, however, have only increased with the advent of new forms of identity theft harm unknown at common law.3

In these circumstances, Accusearch’s plea that it was merely providing harmless information smacks of unreality. One case which provides a particularly stark example of the very real harms at issue involves Docusearch, Inc., a Florida information broker, which sold personal information, acquired through a subcontractor by pretexting, to an individual who subsequently used the information to murder a woman. As a result, the New Hampshire Supreme Court held in Remsburg v. Docusearch, Inc., 149 N.H. 148, 816 A.2d 1001 (2003), that information brokers and private investigators can be liable for the harms caused by selling personal information, and noted two particular risks of unauthorized information disclosure: stalking and identity theft. As that court recognized:

The threats posed by stalking and identity theft lead us to conclude that the risk of criminal misconduct is sufficiently foreseeable so that an investigator has a duty to exercise reasonable care in disclosing a third person's personal information to a client. And we so hold. This is especially true when, as in this case, the investigator does not know the client or the client's purpose in seeking the information.

Remsburg, 149 N.H. at 155, 816 A.2d. at 1008.

In several recent cases, Canadian courts have likewise awarded damages to individuals whose privacy was violated in recognition of the tangible nature of the harms suffered despite the difficulties in monetizing such harms. For example, in Malcolm v. Fleming, a plaintiff was awarded $15,000 in general damages for an invasion of privacy occasioned by surreptitious video recording in several rooms of a dwelling house, including the bathroom, as well $35,000 in punitive damages. See Malcolm v. Fleming, [2000] B.C.J. No. 2400 (B.C.S.C.). In Srivastava v. Hindu Mission of Canada (Quebec) Inc., the surreptitious wiretapping of a Temple’s telephone in order to record the conversations of its priest was remedied by an award of $15,000 in damages for breach of privacy and an additional $5,000 in exemplary damages. See Srivastava v. Hindu Mission of Canada (Quebec) Inc., [2001] J.Q. no. 1913 (Q.C.A.). In Poirier v. Wal-Mart Canada Corp., Arnold-Bailey J. reviewed jurisprudence respecting provincial torts of invasion of privacy and analogous common law torts and identified a range of damages for violations of privacy between $300 to $35,000. See Poirier v. Wal- Mart Canada Corp., [2006] B.C.J. No. 1725 at para. 105 (B.C.S.C.) (QL).

Accusearch purports to rely on cases that it reads as holding that private parties seeking monetary damages cannot, in general, presume the existence of compensable damages from the unauthorized transfer of personal information. See, e.g., Conboy v. AT&T Corp., 241 F.3d 242 (2d Cir. 2001). The FTC, however, does not rest this action on such presumptions of harm. Identity theft is a growing fraudulent activity that is increasingly lucrative, easily crosses borders and claims many victims. These include the individuals who suffer financial and dignitary harms when their identities and personal data are stolen without consent; the businesses that suffer harm to their reputation resulting from the theft of customer data; the commercial and financial institutions that are responsible for mitigating the risks and/or compensating for the resulting losses; and, the taxpayers whose level of confidence in their governments is adversely affected whenever false identities are used to obtain government documents or benefits.

This being said, the harms of misappropriation of personal information are not necessarily contingent upon certain consequences – the breach of privacy itself can be considered a harm worthy of compensation in certain circumstances. See Randi A.J. v. Long Island Surgi-Center, 842 N.Y.S.2d 558, 566-67 (N.Y. App. Div. 2007) (holding that a medical center's releasing confidential information regarding an abortion to a patient's mother after the patient specifically requested not to be contacted at home supports a punitive damages award). As the New Hampshire Supreme Court similarly recognized in collateral litigation to the Docusearch dispute, some of the long-standing common law privacy torts do not require evidence of harm beyond the bare invasion of privacy itself. Preferred Nat’l Ins. Co. v. Docusearch, Inc., 149 N.H. 759, 766- 767, 829 A.2d 1068, 1075 (2003). For instance, an “action for intrusion upon seclusion does not require a claimant to prove any harm beyond the intrusion itself.” Id.(citing Restatement (Second) of Torts § 652H cmt. a at 402 (1977) (“[O]ne who suffers an intrusion upon his solitude or seclusion . . . may recover damages for the deprivation of his seclusion.”)). And as these authorities make clear, fraud is not a necessary component of a violation of an individual’s right to privacy. The individual right to privacy can be harmed whenever an individual’s personal information is collected, used or disclosed without that individual’s knowledge and consent, and/or without the exceptional legal authorization to do so.

II. THE UNAUTHORIZED COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION BY ORGANIZATIONS LOCATED IN THE UNITED STATES HAS EXTRATERRITORIAL EFFECTS ON INDIVIDUALS IN CANADA.

Harm can result from the non-consensual collection, use and disclosure of personal information by American organizations that actively sell personal information pertaining to individuals in Canada. The effect on privacy rights is particularly difficult for Canadian authorities to address when data-brokers sell this information to other persons via the Internet.

Accusearch’s attempt to suggest that protection of its actions is necessary “to promote free speech and commerce on the Internet,” Br. at 16, belies the fact that how they obtain the information of which they “speak” is unlawful in the first place. The actions of United States organizations that sell or disclose personal information can harm not only American citizens, but individuals from other countries including Canada, and ultimately undermine the trust that consumers place in the Internet. Companies that use fraud in order to access personal records not only violate the law, they also undermine consumers’ confidence in the legal Internet marketplace and in the security of their sensitive data.

This Court should reject any suggestion that it interpret the Communications Decency Act, 47 U.S.C. § 230(a), to shield Accusearch’s conduct and, thereby, transform the United States into a lawless region where infomediaries are exempt from responsibility for the foreseeable consequences of their actions.

Other United States courts have recently made clear that such lawlessness was not the intention of Congress. In Fair Housing Council v. Roommates.Com, LLC, 521 F.3d 1157, 1169-72 (9th Cir. 2008) (en banc), the court rejected precisely the sort of blanket immunity interpretation urged by Accusearch. Instead, that court held that the Communications Decency Act was no bar to an action against an online site that designed forms which allowed for and facilitated potentially discriminatory roommate searches, e.g. allowing searches by particular race. Id. In doing so, the Ninth Circuit noted that its reading of the Communications Decency Act was entirely consistent with this Court’s decision in Ben Ezra, Weinstein, & Co. v. America Online Inc., 206 F.3d 980 (10th Cir. 2000), which recognized immunity for merely relaying inaccurate stock prices, when the defendant “did not cause the errors in the stock data, nor did it encourage or solicit others to provide inaccurate data.” Fair Housing Council, 521 F.3d at 1172 n.33 (explaining Ben Ezra, 206 F.3d. at 985 n.5). Recognition that CDA immunity has limits in cases of inherently criminal activity is entirely consistent with a full respect for CDA immunity in the far more common circumstances in which there was a predominant legal use of the web-service, such as posting information on MySpace. See Doe v. MySpace, Inc., ___ F.3d. ____, 2008 WL 2068064 (5th Cir.

May 16, 2008) (holding that the CDA immunity precludes a negligence action based on false information available on MySpace); see also Chicago Lawyers' Committee for Civil Rights Under Law, Inc. v. Craigslist, Inc., 519 F.3d 666, 671- 72 (7th Cir. 2008) (recognizing Communications Decency Act immunity where Craigslist did nothing to support or induce illegal behavior). In this case, however, the only ways in which third parties could obtain telephone records was to deceive and defraud against the telecommunications companies.

Accusearch also attempts to rely upon U.S. West, Inc. v. FCC, 182 F.3d 1224, 1235 (10th Cir. 1999), for the idea that its free speech rights are implicated. In U.S. West, this Court recognized that federal regulation may not unnecessarily burden a telephone company’s free speech right to speak in a truthful, non-misleading manner to its own customers. Id.While dicta from U.S. West, Inc. suggest that some “general level of discomfort from knowing that people can readily access information about us does not necessarily rise to the level of a substantial state interest,” U.S. West, Inc., 182 F.3d at 1235, the FTC here presented substantial evidence of actual consumer harms which far exceeds those present in U.S. West, Inc. And this Court has recognized the substantial governmental interest in protecting privacy from such tangible harms. See Lanphere & Urbaniak v. Colorado, 21 F.3d. 1508, 1514-15 (10th Cir. 1994). Similarly, the D.C. court of appeals has found that the protection of the privacy of personal information does not necessarily compromise the freedom of speech. See, e.g., In re: Trans Union Corp. v. FTC, 245 F.3d 809 (D.C. Cir. 2001) (upholding limited restrictions on the use of credit files in the Fair Credit Reporting Act against First Amendment challenges).

The confirmation that databrokers have no immunity or constitutional right to profit – directly or indirectly – from pretexting and other illicit uses of personal data would lead to a proper deterrence, while leaving intact the immunity of companies that merely relay data for others, such as Internet Service Providers.

Respect for consumer privacy will enhance, not burden, Internet information flows. In particular, this result would thereby make it easier for lawabiding Canadian companies to outsource data processing functions and generally conduct on-line business with such organizations. Under PIPEDA, organizations are accountable for the personal information under their control and remain accountable even in respect of personal information which they transfer to third parties for processing, regardless of the jurisdiction in which those third parties operate. Organizations must ensure, through contractual or other means, a comparable level of protection is offered by the third party before they can even contemplate transferring personal data. Such norms are likewise reflected in laws in the United States. See, e.g., Cal. Civil Code § 1798.81.5(c) (“A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”)

The sound information principles shared by both Canadian and United States law thus dictate that organizations be aware of the data sharing practices of the companies with which they do business and of the laws and policies of the jurisdiction in which they operate. Judicial approval of vigorous FTC enforcement to protect personal information would raise the level of assurance needed by Canadian companies doing business with the United States. This serves the public interest of both countries by facilitating international data flows, promoting consistent approaches and predictable standards, as well as facilitating collaborations between regulators.

Canada and the United States indeed have between them the largest volume of international trade in goods of any two countries in the world.4 Trade liberalization has greatly increased the flow of goods and services between the United States and Canada. As a result, the cross-border flow of personal information has also greatly increased. Between the two countries, and indeed internationally, the scale and speed and number of entities having access to personal information is growing at an unprecedented rate that shows no sign of decreasing. Even though companies may be physically situated in Canada or the United States, the need to access personal information from either country has become much more prevalent. Globalization, outsourcing, technological advances and economic integration all contribute to the ease with which personal information now flows between the United States and Canada. As such, privacy protection in the collection, use and disclosure of an individual’s personal information is a shared, significant concern of the legal systems of both the United States and Canada.

The protection of privacy, like other public policy issues, is being transformed by globalization. Global e-commerce poses challenges to all national governments that attempt to safeguard privacy and protect consumers. Like the Federal Trade Commission, the Privacy Commissioner of Canada has grave concerns with the privacy implications arising from the indiscriminate, nonconsensual and sometimes fraudulent collection, use, and disclosure of personal information by profiling and data broker organizations. When personal information moves across borders, individuals may lose control over their personal data and regulators may lose the ability to enforce national protection standards with respect to that data. This convergence of issues suggests that it is mutually advantageous for jurisdictions attempting to regulate personal data flows to adopt common approaches, exchange information and share expertise in enforcing laws across borders. Data protection offices and other agencies are struggling with complaints and investigations that are triggered by the activities of organizations outside our borders but that affect the personal information of individuals within our respective jurisdictions. To be effective in the face of global data flows, regulators need to provide individuals with meaningful redress mechanisms and pursue organizations that violate very basic privacy and data protection principles no matter where they operate.

Affirming the District Court’s ruling in this case will send a clear message that illicit trafficking in personal information will not be tolerated. As a result, the rights of individuals in the protection of their personal information held by companies with which they choose to do business and by the governments that serve them will be more respected. Legitimate organizations will be better protected against illegal attempts by third parties to infiltrate their personal data holdings, along with the resulting financial costs and damage to their reputations.

The benefits of trade relations between Canada and the United States will continue with confidence in the certainty and predictability of basic data protection standards they hold in common and the mutually reinforcing approaches to their respective enforcement.

For the foregoing reasons, Amicus respectfully urges this Court to affirm the judgment of the District Court.

Respectfully submitted,

/s/ Edward R. McNicholas

_______________________________

Edward R. McNicholas
SIDLEY AUSTIN LLP
1501 K Street, N.W.
Washington, DC 20005
Telephone: (202) 736-8010
eMcNicholas@sidley.com

United States Counsel for Amicus Curiae
Privacy Commissioner of Canada

Pursuant to the General Order of this Court filed August 10, 2007, In re:

Electronic Submission of Documents and Conversion to an Electronic Case Management System, No. 95-01, the foregoing Brief of the Privacy Commissioner of Canada as Amicus Curiae was submitted to this Court via email to esubmission@ca10.uscourts.gov in a native Portable Document Format (PDF) format, along with the motion for leave to file. An original and seven (7) hard copies of the brief were also sent to the Clerk of this Court via overnight express United States mail, along with the hard copy motion for leave to file.

Pursuant to that order, undersigned counsel hereby certifies that no privacy redactions were required and that every document submitted digitally is an exact copy of the written document filed with the Clerk. It is also certified that the digital submissions have been scanned for viruses with the most recent version of a commercial virus scanning program McAfee Viruscan, using version 5316.0000, updated June 12, 2008, and, according to the program, are free of viruses.

/s/ Edward R. McNicholas

_______________________________

Edward R. McNicholas
SIDLEY AUSTIN LLP
1501 K Street, N.W.
Washington, DC 20005
Telephone: (202) 736-8010
eMcNicholas@sidley.com

This brief complies with the type-face limitations because it is printed in 14-point Times New Roman. See Fed. R. App. P. 32(a)(5); 10th Cir. R. 32.1.

As required by Fed. R. App. P. 32(a)(7)(C), I certify that this brief is proportionately spaced and contains 5,078 words, excluding those portions of the brief exempted by Fed. R. App. P. 32(a)(6). I relied on my Microsoft Word 2003 word processor to obtain the word count.

/s/ Edward R. McNicholas

_______________________________

Edward R. McNicholas
SIDLEY AUSTIN LLP
1501 K Street, N.W.
Washington, DC 20005
Telephone: (202) 736-8010
eMcNicholas@sidley.com

Pursuant to Fed. R. App. P. 25, I hereby certify that on June 13, 2008, that I caused two true and correct copies of the foregoing Brief of the Privacy Commissioner of Canada as Amicus Curiae, along with the related Motion for Leave to File, to be sent via email to lWagman@ftc.gov and GayWoodhouseLaw@aol.com and via First Class United States mail to these addresses:

Counsel for Appellants

GAY WOODHOUSE
DEBORAH L. RODEN
Gay Woodhouse Law Office, P.C.
P.O. Box 1888
Cheyenne, Wyoming 82003
(307) 432-9399

Counsel for Appellee

LAWRENCE De-MILLE WAGMAN
Attorney
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
(202) 326-2448

/s/ Edward R. McNicholas

_______________________________

Edward R. McNicholas
SIDLEY AUSTIN LLP
1501 K Street, N.W.
Washington, DC 20005
Telephone: (202) 736-8010
eMcNicholas@sidley.com

1 U.S. Dep't. of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens viii (1973).

2 Organization for Economic Cooperation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

3 In 2006, almost 8000 victims reported losses of $16 million to PhoneBusters, the official Canadian Anti-fraud Call Centre, http://www.phonebusters.com/. Citing statistics from the Canadian Council of Better Business Bureaus, the Canadian government stated that identity theft may cost Canadian consumers, banks and credit card firms, stores and other businesses more than $2 billion annually. In an attempt to curb this growing threat, the Government of Canada has recently proposed legislation to address the problem of identity theft. See Canadian Department of Justice, Identity Theft Backgrounder. Indeed, there is a growing trend in both Canada and the United States towards the use of identity theft as a means of furthering other types of crime, from fraud to organized criminal activity.

4 Statistics Canada records indicate that, in 2007, Canada’s exports and imports to the United States were valued at CAD 355 billion and CAD 220 billion, respectively. The figures indicate that 76% of all Canadian exports are destined for the United States and 65% of all Canadian imports come from the United States.
See Statistics Canada, Imports, Exports And Trade Balance Of Goods On A Balance-Of-Payments Basis, By Country Or Country Grouping.