Data Transfer

Update: EU-US Privacy Shield

UPDATE: Since this article was drafted, Privacy Shield has been formally adopted and is now in effect. Please see this article for more information.

After four months of frantic negotiations, the U.S. and the European Union have a new deal on cross-border data transfer. The agreement, dubbed the “Privacy Shield,” replaces the Safe Harbor Framework, a bilateral agreement governing transfer of personal information that was struck down by the European Court of Justice in October of last year. News of the detente was greeted with a mixture of skepticism and relieved adulation, tempered with a dash of confusion. What do you need to know about Privacy Shield?

Not So Safe: The ECJ Strikes Down U.S.-EU Safe Harbor

The Safe Harbor Framework governing transfer of personal information from the European Union to the United States is no more. On October 6, 2015, the European Court of Justice (ECJ) struck down the vaunted bilateral data protection and transfer agreement, impacting over 4,700 companies that relied on the Safe Harbor for transporting and storing European data overseas. The decision, which took effect immediately and left no grace period for international organizations to make alternative arrangements, vigorously reinforces European legal protections for data privacy while leaving a broad swath of data-related commercial activity on tenuous legal ground.

FTC v. Wyndham: The FTC Has Authority to Regulate Cybersecurity Breaches

In an historic decision with wide-reaching ramifications for data privacy and security, the Third Circuit Court of Appeals has affirmed the Federal Trade Commission’s authority to regulate cyberspace under the “unfair and deceptive acts” provision in § 5 of the FTC Act (FTC v. Wyndham).

HIPAA Basics (Part I)

Whether dealing with simple applications or constructing complex medical treatment tools, businesses looking to enter the burgeoning market of health care services will need to become familiar with the Health Insurance Portability and Accountability Act (HIPAA). The law has wrought transformative change in the U.S. healthcare market, but its labyrinthine strictures can prove difficult to navigate. This is the first in a series of 3 posts that cover HIPAA’s background, its requirements, and HIPAA compliance strategies for startups and small businesses. The aim of this series is to make the privacy provisions of HIPAA accessible and understandable to startups and small businesses.

Demystifying Privacy Law: FTC Data Privacy Enforcement

Unlike many countries in the world, the United States does not have one regulatory agency with authority to monitor and enforce data privacy violations. The U.S. uses a sectoral model of data privacy protection, relying on a variety of enforcement mechanisms. One of those enforcement mechanisms–and perhaps the predominant one–is the Federal Trade Commission, or the FTC, which acts as a watchdog to protect against data privacy violations. It can bring lawsuits for “unfair practices” or “deceptive practices” for many violations, including breaches of a data controller’s privacy policy. What is the source of FTC data privacy enforcement, and how does it go about enforcing data privacy? This article provides an overview of the FTC’s power, contemporary issues of FTC enforcement, and potential hotspots for data privacy-related government litigation.

Demystifying Privacy Law: Drafting a Privacy Policy

If your business collects personally identifiable information (or PII) about your customers, you will need a privacy policy to let them know how you plan to collect, use, share and secure information about them. In an increasingly digitalized world, privacy policies command nearly the same level of respect as mission statements. Privacy policies set out an organization’s first principles of consumer protection and provide a roadmap of how sensitive issues such as PII are handled. This article describes some of the factors that go into a well-drafted privacy policy–and the factors that we advise our clients to think through.

Demystifying Privacy Law: Personally Identifiable Information (PII)

Nearly every organization collects personally identifiable information, or PII. Because of the sensitive nature of many different types of PII, its collection can pose an array of unique challenges, especially for younger or smaller organizations without a dedicated privacy department. The unwarranted release of such information can ravage people’s lives and forever destroy any modicum of trust an organization may enjoy with its customers and with the general public. One of the most fundamental privacy questions an organization may face is: what does “personally identifiable information” mean? Given the differing responsibilities that an organization has with respect to PII versus non-PII, the answer to this question is critical. This article is designed to help you flesh out the concept of personally identifiable information and begin to think about the ways your company should handle PII-related issues.

Demystifying Privacy Law: Making Sense of the U.S.-EU Safe Harbor

UPDATE: Since this article was drafted, the US-EU Safe Harbor program has been shut down. There is now a new regime in place named Privacy Shield. Please see this article for more information.

Any company looking to transfer data about users from the European Union region to the United States will likely need to familiarize itself with the U.S.-EU Safe Harbor Framework. This article covers three topics: what the U.S.-EU Safe Harbor is, what its advantages and disadvantages are, and how to comply with it.

When Are Terms of Use Legally Binding?

You’ve done it many times before… you click the box that says “click to agree to our Terms of Use” (and let’s be real – you didn’t read it). Does that check box create a legally binding agreement? What about when companies just post terms of use and you never click on the link for those “agreements”? This article discusses the question: “when are terms of use legally binding agreements?” The short answer is that terms of use are legally binding when the user has sufficient notice of the fact that he/she is agreeing to the terms of use.

Dangers of Using a Privacy Policy Template

As a technology company that collects personal information from customers, the temptation to use a privacy policy template that you find online is understandable. You need a privacy policy to communicate to your users that you are committed to their privacy, you need it fast, and you’re worried that hiring a lawyer would cost you too much at this early stage of your company. The truth is, using a privacy policy template from a similar company carries more risk than benefit.