The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation


By Topic: Data Transfers

  • From Vol. 4 No.7 (Apr. 11, 2018)

    Breaking the Cloud: CLOUD Act Brings Data Held Overseas Under U.S. Jurisdiction

    On the heels of Supreme Court oral arguments in a case that brought the data issues of international law enforcement front and center, Congress passed the CLOUD Act, a major step by the U.S. in extending the reach of law enforcement where electronic content is concerned. The law is controversial, but its significance is not in dispute – “it purports to resolve the question of whether and how the federal government can compel service providers that are within the jurisdiction of the U.S. courts to produce data stored abroad,” Paul Hastings partner Behnam Dayanim told The Cybersecurity Law Report. In this article, we analyze the law and its implications. See “Managing Data Privacy Across Multiple Jurisdictions” (Nov. 8, 2017); and “Navigating Data Privacy Laws in Cross-Border Investigations” (Dec. 14, 2016).

  • From Vol. 4 No.6 (Mar. 28, 2018)

    Singapore Focuses on Critical Infrastructure With New Cybersecurity Law

    Singapore recently passed a new cybersecurity law that focuses on critical internet infrastructure and services. Our sister publication, PaRR, spoke with experts regarding the new law, how it compares to Singapore’s other relevant laws as well as to other regulatory regimes in its region and what it means for multinational companies. See also “Understanding Australia’s Strengthened Breach Notification Scheme” (Mar. 18, 2018).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    Reconciling Data Localization Laws and the Global Flow of Information

    Data localization is the most contentious issue for privacy regulators and the increasingly data-driven global business community, data privacy professionals said in Hong Kong at the Conference of Data Protection and Privacy Commissioners. Our sister publication PaRR provides insights from Apple and Microsoft executives, as well as Chinese data privacy experts, on the state of “data nationalism” in the global business place. See “The Sword of Damocles in the Information Age: How to Face the New Challenges Under the Chinese Cybersecurity Law” (Jan. 11, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    FTC Settlements in Privacy Shield Cases and With Lenovo Over Use of “Man-in-the-Middle” Software Highlight Vigorous Enforcement Efforts

    Despite operating with only two of five Commissioners, the FTC has continued its data-privacy-enforcement efforts. It recently struck a major settlement with Lenovo over adware that was pre-installed on laptops and, unbeknownst to consumers, acted as a “man-in-the-middle,” with the ability to capture all of the data users transmitted to e-commerce websites they visited. It also reached settlements with three companies based on allegedly false claims of compliance with the U.S.-E.U. Privacy Shield framework. We explain the facts and circumstances that gave rise to the FTC enforcement actions and the terms of the settlements. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

  • From Vol. 3 No.17 (Aug. 23, 2017)

    Implications and Analysis of the E.U.-Canada Data Sharing Agreement Rejection

    The Court of Justice of the European Union has struck down a major air passenger data sharing agreement between the E.U. and Canada. In a guest article, John Magee, a partner at William Fry, and Alex Cameron, a partner at Fasken Martineau, discuss the ruling and its potential repercussions, including the impact on similar agreements with Australia and the U.S., post-Brexit E.U. data transfer, as well as on Canadian data protection laws. See also “Key Requirements of the Newly Approved Privacy Shield” (Jul. 20, 2016).

  • From Vol. 3 No.15 (Jul. 26, 2017)

    International Law Playing Cybersecurity Catch-Up (Part Two of Two)

    Cybersecurity threats are global, and both public- and private-sector cybersecurity efforts require international coordination. Despite an acute need for cybersecurity-specific laws and treaties, these have been slow to develop, and in this vacuum, most countries are trying to adapt and apply existing legal frameworks to combat and address cybersecurity threats. In this second part of a two-part guest article series addressing the intersection of cybersecurity and international law, Hughes Hubbard attorneys Seth Rothman and Andreas Baum explore laws related to cyber crimes and international laws that regulate business activities, including recent E.U. legislative efforts. Part one provided insight on cyber warfare and the relevant laws and treaties that address the shifting threats. See also “Prosecuting Borderless Cyber Crime Through Proactive Law Enforcement and Private Sector Cooperation” (Mar. 2, 2016).

  • From Vol. 3 No.9 (May 3, 2017)

    European Data Protection Supervisor Offers Advice on Privacy Shield Review and GDPR Preparation

    With the first annual E.U.-U.S. joint review of the Privacy Shield scheduled for September and the sweeping GDPR legislation coming in May 2018, Europe is looking to the U.S. for signals that government and company data practices meet the requirements and expectations of both regimes. Giovanni Buttarelli, the European Data Protection Supervisor, spoke to The Cybersecurity Law Report about lingering concerns European institutions have about U.S. practices, and steps that the U.S. government and companies should take to comply with these new laws. See also “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).

  • From Vol. 3 No.9 (May 3, 2017)

    Practical and Innovative Permissioning Within the Framework of Europe’s Upcoming Data Protection Regulations

    Securing customers’ permission to collect and use their data can be challenging, and it will become all the more important with the GDPR and the ePrivacy Directive, set to come into effect in the E.U. in May 2018. The laws will focus on how consumer data is collected and transferred, with steep fines for noncompliance. At a recent conference in Prague, Robert Bond, a partner at Bristows, along with Michael Bond, glh Hotels’ data protection officer, discussed the current E.U. regulatory landscape and its compliance issues, and advised on practical ways companies can approach compliance with these new regulations to not only save money, but also to generate profits. See also “Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)” (Jan. 25, 2017); Part Two (Feb. 8, 2017).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    Navigating Data Privacy Laws in Cross-Border Investigations

    Conducting a cross-border investigation or performing global due diligence each has its own set of unique challenges, which only become more formidable when coupled with a government inquiry. In the E.U. in particular, issues range from confusing and often conflicting privacy laws, to language and cultural barriers, to custodian access and local coordination. According to more than half of those who responded to a recent BDO survey, disparate data privacy laws are the biggest challenge to managing cross-border e-discovery. In a guest article, Deena Coffman and Nina Gross, managing directors at BDO, provide insight on the data privacy landscape in the E.U. and how to comply with competing demands during a cross-border investigation. See also “Foreign Attorneys Share Insight on Data Privacy and Privilege in Multinational Investigations” (May 25, 2016).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty

    Over two hundred companies have become Privacy Shield-certified and hundreds more have begun the process. Others are taking their time and weighing their options, particularly because a challenge to the Privacy Shield has already been filed in Europe. “This is a serious privacy program . . . that we intend to have implemented and administered in a way that maintains the confidence of data protection authorities and stakeholders in Europe,” Ted Dean, Assistant Secretary for Services at the Department of Commerce, said. During a recent webinar hosted by Data Guidance, Dean and attorneys at Sidley Austin discussed how to approach the self-certification process and whether this mechanism for transatlantic data transfer is the right choice for all companies. For more on the Privacy Shield’s specific requirements, see “Key Requirements of the Newly Approved Privacy Shield” (Jul. 20, 2016).

  • From Vol. 2 No.16 (Aug. 3, 2016)

    Second Circuit Quashes Warrant for Microsoft to Produce Email Content Stored Overseas 

    A federal appeals court recently ruled that the U.S. government could not force a company to turn over third-party communications content stored outside the country. The Second Circuit Court of Appeals agreed with Microsoft that a request to produce customer content held in Ireland was beyond the scope of the Stored Communications Act. “It’s an extremely significant decision [that the Act] does not authorize a U.S. district court to issue a search warrant to seize data being held by ISPs or remote computing services (cloud services) outside the territorial U.S.,” Edward McAndrew, a partner at Ballard Spahr, told The Cybersecurity Law Report. “It is the first ruling of its kind on that issue from a U.S. Court of Appeals.” We analyze the case and its implications. See also “Prosecuting Borderless Cyber Crime Through Proactive Law Enforcement and Private Sector Cooperation” (Mar. 2, 2016).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    Key Requirements of the Newly Approved Privacy Shield

    The European Union formally adopted the long-awaited Privacy Shield last week, which replaces the Safe Harbor framework as a mechanism to comply with E.U. data protection requirements for the E.U.-U.S. transfer of personal data. Companies can begin to self-certify compliance with the framework on August 1, 2016. “Companies cannot take the Privacy Shield lightly. It’s a much more detailed framework with more accountability” than Safe Harbor, Sidley Austin senior counsel Cam Kerry told The Cybersecurity Law Report. We review the Privacy Shield’s background, its key requirements and examine whether, when and how to join. See also “Deal Struck to Maintain the Transatlantic Data Flow” (Feb. 17, 2016).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    Challenges Facing Chief Privacy Officers

    Constantly evolving data privacy laws and heightened cyber threats place a large burden on the shoulders of chief privacy officers (CPOs). At a recent PLI panel, Keith Enright, the legal director of privacy at Google; Lauren Shy, the CPO of Pepsico; and Zoe Strickland, the global CPO at JP Morgan Chase, shared their thoughts on some of the recent challenges facing CPOs, including how to work with different departments, the CPO’s role in incident prevention and response, and the pros and cons of different cross-border data transfer mechanisms. The panel was moderated by Lisa J. Sotto, a partner at Hunton & Williams. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer” Part One (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.14 (Jul. 6, 2016)

    How Will Brexit Affect U.K. Data Protection and Privacy Laws?

    The U.K.’s historic vote to exit the E.U. – the Brexit – raises a myriad of legal and business questions. Among those is whether the U.K. will adopt the E.U.’s General Data Protection Regulation. The law takes effect in May 2018 and will usher in a host of regulatory changes. The Cybersecurity Law Report spoke to Eduardo Ustaran, a partner in the London office of Hogan Lovells, about how Brexit may impact how certain companies handle their data. See also “Making Sense of Cybersecurity and Privacy Developments in the E.U.” (Mar. 16, 2016).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    Ten Steps to Minimize Data Privacy and Security Risk and Maximize Compliance

    Increasingly, general counsel, privacy officers and even CEOs are taking on more and more data privacy and security compliance burdens because of the significant legal implications of not just breaches, but failure to comply with a range of privacy and cybersecurity regulations. That applies to international transfers of data as well. In a guest article, Aaron Charfoos, Jonathan Feld and Stephen Tupper, members of Dykema, discuss recent global developments and ten ways companies can ensure compliance with new regulations to increase data security and minimize the risk of enforcement actions. See also “Liability Lessons From Data Breach Enforcement Actions” (Nov. 11, 2015).

  • From Vol. 2 No.4 (Feb. 17, 2016)

    Deal Struck to Maintain the Transatlantic Data Flow 

    Two days after the expiration of a deadline set by Europe’s data protection authorities, and after months of negotiations, the European Commission and U.S. Department of Commerce reached an understanding that intends to allow transatlantic transfer of digital data by thousands of companies to continue. With data flows impacting billions of dollars in bilateral trade at stake, the so-called “privacy shield” agreement “makes existing cooperation between the FTC and E.U. DPAs [data protection authorities] more robust, with better enforcement mechanisms and means of redress for E.U. citizens whose privacy rights may have been infringed by E.U.-U.S. cross border transfers,” Davina Garrod, a London-based Akin Gump partner, told The Cybersecurity Law Report. However, she added that “the shield is by no means a panacea, and does not fix all of the problems identified by the [E.U. Court of Justice] in the Schrems judgment” that invalidated the previous safe harbor data transfer pact. We discuss the agreement, the important steps that remain before the privacy shield can be finalized, and the immediate impact on companies. See also “Dangerous Harbor: Analyzing the European Court of Justice Ruling” (Oct. 14, 2015).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    Safe Harbor 2.0 Agreement Reached

    The European Commission has announced a new agreement with the U.S. for the transfer of data to replace the invalidated Safe Harbor pact. “For the first time ever, the United States has given the E.U. binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms,” E.U. Commissioner for Justice Věra Jourová said in a press release. We share an article from our sister publication, Policy and Regulatory Report (PaRR).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016

    The FTC’s Bureau of Consumer Protection was hard at work in 2015, reaching settlements with a wide range of companies on a variety of privacy and data security issues.  During the recent IAPP Practical Privacy Series 2015, Jessica Rich, Director of the Bureau of Consumer Protection and an architect of the FTC’s privacy program, reflected on the agency’s major enforcement actions, reports and relationships in 2015 and what businesses should expect in the coming year.  See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity” (Jul. 15, 2015).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    Keeping Up with Technology and Regulatory Changes in Online Advertising to Mitigate Risks

    The advertising and marketing industries are continually transforming the ways they reach and track consumers.  These changes bring with them a moving target of privacy challenges as companies try to ensure security of the data they collect as well as legal and regulatory compliance.  At a recent PLI program, Joseph J. Lewczak, a Davis & Gilbert partner, and Matthew Haies, general counsel at global digital media platform Xaxis, analyzed the current state of consumer data collection and privacy issues in a discussion of technological, regulatory and legal developments.  See also “The Tension Between Interest-Based Advertising and Data Privacy” (Sep. 16, 2015).

  • From Vol. 1 No.14 (Oct. 14, 2015)

    Dangerous Harbor: Analyzing the European Court of Justice Ruling

    An Austrian graduate student’s lawsuit against Facebook has resulted in the invalidation of a 15-year-old data privacy treaty relied upon by thousands of multi-national companies.  On October 6, 2015, the Court of Justice of the European Union (ECJ), the highest court in the E.U., held that the Safe Harbor framework that allowed companies to transfer personal data from the E.U. to the U.S., including data for cross-border investigations and discovery, is invalid.  The ECJ found that the U.S. does not ensure adequate protection for personal data, primarily because of the access rights that the ECJ said U.S. agencies have.  Although the ruling is immediate, the “sky is not falling,” said Harriet Pearson, a partner at Hogan Lovells.  On October 16, 2015, a group of E.U. member state privacy regulators, the Article 29 Working Party, called for renewed negotiations on a treaty and recommended interim actions for companies.  There will need to be a “transition to a more complex and perhaps a more work-intensive compliance strategy than Safe Harbor had previously afforded companies,” Pearson said.  See also “ECJ Hearing on Safe Harbor Challenges How U.S. Companies Handle European Data,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.7 (Jul. 1, 2015)

    Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)

    As cybersecurity concerns permeate every industry, it becomes increasingly urgent for lawyers across disciplines to understand the most pressing threats and shifting regulatory landscape; help shape and direct the responses; and be able to effectively communicate and collaborate with technical security efforts.  In this first article in our two-part coverage of a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice, discusses the current cyber threat landscape and the relevant laws and rules.  See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).  The second part will detail her advice on preparing for and responding to a cyber incident and will include insight from her co-panelist Vincent Liu, a partner at security consulting firm Bishop Fox, on how security and legal teams can effectively work together throughout the process. 

  • From Vol. 1 No.1 (Apr. 8, 2015)

    The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions

    When a data security incident has been identified, a company’s initial priorities include understanding, containing and remedying the vulnerabilities.  In the aftermath of a data security incident, however, companies often have to focus nearly as quickly on responding to inquiries from an expanding array of federal, state, and local regulators and law enforcement agencies, including state attorneys general and the FTC.  The SEC is a more recent entrant into the cybersecurity enforcement arena.  It has dramatically increased its focus on these issues in the last four years, and it has signaled an intent to continue to expand its efforts.  This is true not only for financial institutions subject to extensive SEC oversight – such as broker-dealers and investment advisers – but for all publicly-traded companies.  In a guest article, Daniel F. Schubert and Jonathan G. Cedarbaum, partners at WilmerHale, and Leah Schloss, a WilmerHale associate, explain the SEC’s role in cybersecurity enforcement, the SEC’s two primary theories in cyber-related enforcement actions and another theory that the SEC may use to broaden its cyber enforcement authority.
