Jan 30, 2018

General Data Protection Regulation (GDPR): Frequently Asked Questions

GDPR Compliance

What is the General Data Protection Regulation? The General Data Protection Regulation (the “GDPR”) (Regulation (EU) 2016/679) is a European Union regulation intended to harmonize data privacy laws across Europe and increase data privacy protections for all European Union citizens. The GDPR was approved by the European Council and Parliament on April 14, 2016, and will come into force beginning on May 25, 2018. The GDPR will replace the Data Protection Directive 95/46/EC (the “Directive”), which required each member state of the European Union to pass national legislation to implement the intended outcome of the Directive. The result was a…


Jan 23, 2018

Cybersecurity in M&A Transactions: Frequently Asked Questions

Cybersecurity and Data Privacy

1. What types of transactions implicate cybersecurity and data privacy concerns? Cybersecurity and data privacy concerns arise in many different types of M&A transactions, but greater focus on potential cybersecurity and data privacy issues should be directed toward transactions involving (a) a target company that operates in certain highly-regulated industries, (b) the acquisition of sensitive information and data, and/or (c) the transfer of sensitive information and data across national borders. Target companies that operate in the financial services and healthcare industries, for example, are subject to the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996, respectively….


Jun 20, 2017

A Primer on the EU’s General Data Protection Regulation

Data Protection

Overview Over four years in the making, the General Data Protection Regulation (the “GDPR”) was approved by the European Council and Parliament on April 14, 2016, and will come into force beginning on May 25, 2018. In the wake of ever-increasing cyber security and data privacy threats across the globe, the GDPR is intended to harmonize data privacy laws across Europe and increase data privacy protections for all European Union citizens. The GDPR will replace the Data Protection Directive 95/46/EC (the “Directive”), which required each member state of the European Union to pass national legislation to implement the intended outcome…


Apr 14, 2015

Can’t Just Phone In U.S.-E.U. Safe Harbor Compliance

Recent civil actions this month brought by the Federal Trade Commission (FTC) against two companies that allowed their certification under the U.S.-E.U. Safe Harbor Framework to lapse while still claiming to be compliant are a timely reminder that the Framework requires annual re-certification. The FTC cited this lapse as a deceptive trade practice by each of TES Franchising, LLC and American International Mailing, Inc. By way of background, shortly after the European Union’s Data Privacy Directive (the Privacy Directive) became effective in 1998, the U.S. Department of Commerce worked with European Union data protection authorities to develop the U.S.-E.U. Safe Harbor…


Apr 13, 2015

Canada’s CRTC Levies Fines in Two Email Spam Actions

On July 1, 2014, Canada’s anti-spam legislation (commonly referred to as CASL) came into effect with a focus on uninvited commercial electronic messages (CEMs), including commercial-related emails. While aspects of the Canadian law are similar to the U.S. CAN-SPAM Act, which sets forth specific compliance requirements for unsolicited commercial email messages sent within the U.S., CASL is arguably stricter in that it requires affirmative consent by the recipient. The Canadian Radio-Television and Telecommunications Commission (CRTC) has lost no time in enforcing the new CASL requirements. On March 5, 2015, the CRTC announced a Notice of Violation along with a proposed…


Apr 12, 2015

FTC Cautions on Use of Consumer Data Following Business Acquisitions

The Federal Trade Commission (FTC) has long been aggressive in holding businesses accountable for the commitments made to consumers in online privacy policies. Among the related issues that the FTC has revisited over the years is the validity of changing data use practices after a business acquisition or merger. As early as 2000 in the Toysmart bankruptcy case, the FTC adopted a strict view that an acquirer — even one in a bankruptcy setting — could either not acquire (depending on the transaction structure) or undertake new uses of consumer data collected by an acquired company if the acquired company’s privacy policy…


Apr 9, 2015

FCC Steps Up Data Enforcement Role With $25 Million Fine

The Federal Communications Commission (FCC) announced yesterday that it has entered into a settlement with AT&T Services, Inc. as a result of the FCC’s investigation of a series of data breaches during 2013 and 2014 at AT&T call centers in Mexico, Colombia, and the Philippines. As part of the settlement, AT&T must pay a $25 million civil money penalty — the largest data enforcement ever imposed by the FCC for data privacy and security concerns — provide data breach notification to affected customers and offer those customers credit monitoring services. The data breaches involved over 40 employees who stole sensitive…