
DATA PROTECTION

Data Protection & Privacy

Our firm offers privacy and data breach services in the U.S. and Internet law services

Navigation of national and international data breach and securities laws and Federal Trade Commission guidelines to ensure compliance, to protect against a data breach or “security incident”, and to ensure confidentiality and security of consumer, medical, financial, educational and employee information, including the following:

  • Data security audits
  • Ensuring compliance with state and federal confidentiality and security requirements including the Fair Credit Reporting Act, HIPAA, FERPA, and Gramm-Leach-Bliley
  • Compliance with data breach laws
  • Drafting data breach notifications
  • Drafting privacy policies for customers, employees, and students
  • FTC best practices
  • Protection against identity theft and solutions for compromised personal information
  • Information Governance for Big Data — drafting or evaluating policies for collecting and maintaining big data throughout its life cycle

Privacy and Internet Law:

Advice on a range of privacy and internet issues including privacy torts, media law, online defamation, trademark and copyright issues, internet jurisdiction and choice of law, and restrictions on internet marketing, file sharing, piracy and online bullying. Specific services include:

  • Representation in all stages of privacy litigation
  • Compliance with privacy regulations and internet laws
  • Audits of privacy law compliance and proper treatment of personal information
  • Advice for employers regarding workplace searches and surveillance
  • Advice for internet companies wishing to limit jurisdictional liability
  • Strategic considerations for filing and defending against litigation implicating multiple jurisdictions
  • Protection of children online and compliance with COPPA
  • Avoiding legal pitfalls in online marketing campaigns and sweepstakes
  • Compliance with online intellectual property laws

Our law firm can advise on European data protection and the GDPR [1].

American-based organizations need to consider the applicability of the European GDPR (General Data Protection Regulation) in three situations:

First, if your organization processes personal data in the context of the activities of an EU establishment; in other words, if your organization has “stable arrangements” in the EU through which it performs an activity there, such as by having an office or subsidiary (whether or not with legal personality).

Second, if your organization targets “data subjects” who are in the EU (not only European citizens) by offering services in one of the EU languages, accepting payment in Euros, mentioning consumers in the EU, and/or in other ways.

Third, if you monitor individuals in the EU through cookies or other types of network or technology, such as wearable and other smart devices.

Lastly, if you are a processor for an EU organization, consider that, unless you comply with the requirements that the GDPR imposes on processors, your EU client will not be able to continue to use your services.

Our firm can also advise clients and attorneys on the privacy implications (and problems) of e-discovery.

As for the privacy law of other countries, we can refer clients to, and then help coordinate with, local counsel.

We can advise multi-jurisdictional law firms and other organizations on ethical and privacy aspects of the adoption of cloud.[2]

For more information on EU data protection: Francesca Giannoni-Crystal.

For our American privacy and data breach services: Allyson Haynes Stuart

For the ethical implications of privacy in law firms: Nathan M. Crystal

 

 


[1] US and EU privacy approaches diverge dramatically. While Europe has developed a general data protection law, which comprehensively regulates the collection, processing, transfer, and deletion of data, the U.S. has not. At the federal level, the approach to data protection is “sectorial” and concerns only certain industries, while at the state level, even if most states have enacted some form of privacy legislation, this legislation is generally limited to data breach.

Since May 2018, the current EU framework for the protection and processing of personal data has been the “Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data”, commonly known as the GDPR, which, for several reasons, contains dramatic innovations (e.g., data breach notification, data portability, impact assessment obligations) in comparison with the older Directive 95/46/EC.

Under the GDPR, any organization (regardless of where it is based) “targeting” Europe (i.e., offering products or services to EU citizens through a website) or monitoring EU citizens’ behavior will be subject to EU Data Protection law. See Article 3 GDPR.

[2] Nathan M. Crystal & Francesca Giannoni-Crystal, Reconciling US and EU Approaches to Cloud Contracts, 22 PL&B International, October 2014, Issue 131, www.privacylaw.com; Nathan M. Crystal & Francesca Giannoni-Crystal, “Something’s got to give” – Cloud Computing, as Applied to lawyers – Comparative Approach US and EU and practical proposals to Overcome Differences, Opinion Juris in Comparatione, Vol. I, n.I, 2014 (available at http://opinionjurisincomparatione.org).