Privacy Shield

EU-US Privacy Shield Now in Effect

On July 12, the European Commission formally adopted the EU-US Privacy Shield, a bilateral data privacy agreement hastily assembled from the wreckage of the Safe Harbor Framework, which was invalidated by the European Court of Justice in 2015. U.S. companies immediately lined up to apply the new framework, with tech giants like Google, Salesforce and Microsoft broadcasting their willingness to abide by the deal’s strictures. As of August 26th, over two hundred companies had adopted Privacy Shield, and the list is growing.


Update: EU-US Privacy Shield

UPDATE: Since this article was drafted, Privacy Shield has been formally adopted and is now in effect. Please see this article for more information.

After four months of frantic negotiations, the U.S. and the European Union have a new deal on cross-border data transfer. The agreement, dubbed the “Privacy Shield,” replaces the Safe Harbor Framework, a bilateral agreement governing transfer of personal information that was struck down by the European Court of Justice in October of last year. News of the détente was greeted with a mixture of skepticism and relieved adulation, tempered with a dash of confusion. What do you need to know about Privacy Shield?


Not So Safe: The ECJ Strikes Down U.S.-EU Safe Harbor

The Safe Harbor Framework governing transfer of personal information from the European Union to the United States is no more. On October 6, 2015, the European Court of Justice (ECJ) struck down the vaunted bilateral data protection and transfer agreement, impacting over 4,700 companies that relied on the Safe Harbor for transporting and storing European data overseas. The decision, which took effect immediately and left no grace period for international organizations to make alternative arrangements, vigorously reinforces European legal protections for data privacy while leaving a broad swath of data-related commercial activity on tenuous legal ground.



FTC v. Wyndham: The FTC Has Authority to Regulate Cybersecurity Breaches

In an historic decision with wide-reaching ramifications for data privacy and security, the Third Circuit Court of Appeals has affirmed the Federal Trade Commission’s authority to regulate cyberspace under the “unfair and deceptive acts” provision in § 5 of the FTC Act (FTC v. Wyndham).


HIPAA Compliant App (Part 3)

The healthcare industry is primed to benefit mightily from the ever-expanding influx of medical apps, transforming areas such as personal fitness, information storage, and even complex medical procedures. However, many app developers fail to realize the role of the Health Insurance Portability and Accountability Act (HIPAA) and the full extent of HIPAA’s applicability to their activities. This article aims to provide app developers with information on how to develop a HIPAA compliant app and related products.


HIPAA Requirements (Part 2)

This is the second in a series of three posts that cover the background of the Health Insurance Portability and Accountability Act (HIPAA), HIPAA requirements, and HIPAA compliance strategies for startups and small businesses. The aim of this series is to make the privacy provisions of HIPAA accessible and understandable to startups and small businesses. In our previous post, we provided an overview of HIPAA and the type of entities and information covered by its rules. Please read that post to become familiar with the general concepts and terminology used here. In this second post, we discuss HIPAA requirements that startups and small businesses must know.


HIPAA Basics (Part I)

Whether dealing with simple applications or constructing complex medical treatment tools, businesses looking to enter the burgeoning market of health care services will need to become familiar with the Health Insurance Portability and Accountability Act (HIPAA). The law has wrought transformative change in the U.S. healthcare market, but its labyrinthine strictures can prove difficult to navigate. This is the first in a series of three posts that cover HIPAA’s background, its requirements, and HIPAA compliance strategies for startups and small businesses. The aim of this series is to make the privacy provisions of HIPAA accessible and understandable to startups and small businesses.


Demystifying Privacy Law: FTC Data Privacy Enforcement

Unlike many countries in the world, the United States does not have one regulatory agency with authority to monitor and enforce data privacy violations. The U.S. uses a sectoral model of data privacy protection, using a variety of enforcement mechanisms. One of those enforcement mechanisms, and perhaps the predominant one, is the Federal Trade Commission, or the FTC, which acts as a watchdog to protect against data privacy violations. It can bring lawsuits for “unfair practices” or “deceptive practices” for many violations, including breaches of a data controller’s privacy policy. What is the source of FTC data privacy enforcement, and how does it go about enforcing data privacy? This article provides an overview of the FTC’s power, contemporary issues of FTC enforcement, and potential hotspots for data privacy-related government litigation.


Demystifying Privacy Law: Drafting a Privacy Policy

If your business collects personally identifiable information (or PII) about your customers, you will need a privacy policy to let them know how you plan to collect, use, share and secure information about them. In an increasingly digitalized world, privacy policies command nearly the same level of respect as mission statements. Privacy policies set out an organization’s first principles of consumer protection and provide a roadmap of how sensitive issues such as PII are handled. This article describes some of the factors that go into a well-drafted privacy policy, and the factors that we advise our clients to think through.


Demystifying Privacy Law: Personally Identifiable Information (PII)

Nearly every organization collects personally identifiable information, or PII. Because of the sensitive nature of many different types of PII, its collection can pose an array of unique challenges, especially for younger or smaller organizations without a dedicated privacy department. The unwarranted release of such information can ravage people’s lives and forever destroy any modicum of trust an organization may enjoy with its customers and with the general public. One of the most fundamental privacy questions an organization may face is: what does “personally identifiable information” mean? Given the differing responsibilities that an organization has with respect to PII versus non-PII, the answer to this question is critical. This article is designed to help you flesh out the concept of personally identifiable information and begin to think about the ways your company should handle PII-related issues.