Privacy, Data Protection & Information Management: Our Knowledge of the Law
U.S.
There are an expanding number of privacy and data protection laws, regulations and associated guidance — at the federal level and in all 50 states — that significantly impact the operations of businesses and other entities.
At the federal level, the Federal Trade Commission has acted under its general power to regulate unfair acts or deceptive practices in order to (1) ensure that a company or other entity does what it says it will do with regard to privacy and security and (2) create general de facto standards of care for an entity collecting and using personal information.
There are additional, more detailed federal statutes governing particular types of personal data and particular sectors. These include, for example:
- Gramm-Leach-Bliley Act
- HIPAA
- COPPA
- Privacy Act
- Bank Secrecy Act
- Computer Fraud and Abuse Act
- CAN-SPAM
- Drivers Privacy Protection Act
- Electronic Communications Privacy Act
- Electronic Fund Transfer Act
- Fair and Accurate Credit Transactions Act
- Fair Credit Reporting Act
- Federal Communications Act
- Telephone Records and Privacy Protection Act of 2006
Meanwhile, businesses are still exposed under state tort doctrines as well as state statutes and constitutions. For example, nearly three quarters of the states have enacted general information security or disposal statutes, especially governing security breach notifications and requirements for data disposal practices – and the number continues to increase.
Other Federal Privacy Statutes
There are many federal privacy statutes with which we have assisted clients, including:
Section 5 of the Federal Trade Commission Act — establishes consumer fair business practices.
- We draft privacy policies and information security policies under FTC “Fair Information Practice Principles”.
- We have counseled clients on how to avoid, through compliance efforts, becoming subject to FTC enforcement actions.
Privacy Act — applies to all government contractors involved in acquiring, storing, processing and disseminating personal information.
- We advise large and small contractors on applicable rules and create policies and procedures to implement them.
- We advise clients on contract negotiations. We craft highly specialized solutions for each business’ unique operations and future expansion.
Bank Secrecy Act — governs collection, maintenance and disclosure of certain financial records.
- We analyze coverage and exemption issues, including for issuers and redeemers of stored value products.
- We assist covered financial institutions with “customer identification program” and other compliance issues.
Computer Fraud and Abuse Act — although a criminal statute, provides a private litigant with a civil cause of action for any violation of its terms, including suits for unauthorized intentional access to, or transmission to, a computer causing damage; this includes exceeding authorized access.
- We analyze, and litigate for employers, actions regarding unauthorized acquisition of data or trade secrets by employees.
- We draft internal privacy policies to position employers for coverage by CFAA and give advice regarding similar state statutes.
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) — regulates commercial e-mails.
- We provide statutory analysis and assist clients with compliance.
- We litigate anti-spam enforcement actions for Internet service providers or in cooperation with state attorneys general.
- We advise clients on compliance with the Act as to the wording of e-mails and disclosures and operation of e-mail market programs.
- We have developed and presented programs on compliance with the Act for the American Bar Association.
Drivers Privacy Protection Act — regulates the use and disclosure of information collected by state departments of motor vehicles.
- We advise state contractors on what they can and cannot do with such information.
Electronic Communications Privacy Act — regulates access to stored electronic messages and information about customers’ use of e-mail and similar systems.
- We provide clients with analysis and advice regarding coverage, exemptions and compliance issues.
- We advise clients on the applicability of the Act to their call center operations and on the relation of ECPA to similar state statutes.
Electronic Fund Transfer Act — regulates debit and certain other payment methods and requires EFT contracts with consumers to include the circumstances under which a financial institution will disclose information about the consumer.
- We draft Regulation E disclosure statements and compliance programs.
- We advise clients using payment system services covered by Regulation E and/or NACHA rules, such as electronic check conversions, direct debits, access devices and ACH “ARC” and “PPD” transactions.
- We analyze Regulation E relationships to stored value programs and non-traditional “accounts” and “access devices”.
Fair and Accurate Credit Transactions Act — focuses on dealing with identity theft.
- We recommend supplemental provisions for website privacy policies regarding identity theft, assist clients with identity theft claim compliance programs, and draft and negotiate due diligence representations and warranties.
- We advise clients on obligations under the Act regarding retention and destruction of reports subject to the Act with respect to decisions on prospective employees and transfer and promotion of existing employees.
Fair Credit Reporting Act — regulates the use, disclosure and disposal of consumer reports (i.e. credit reports) and consumer information and the purposes for which reports can be obtained; FCRA also requires certain disclosures and other actions by consumer report users and governs consumer reporting agencies.
- We analyze coverage and compliance issues for: employers obtaining background checks and investigative consumer reports; business users of consumer reports; companies sharing consumer reports; and other companies that have potential exposure to treatment as “consumer reporting agencies”.
Federal Communications Act of 1934, as amended — Section 222 regulates use, disclosure and retention by telecommunications carriers of “CPNI”, customer proprietary network information.
- We advise telecommunications carriers on applicability of and compliance with the CPNI provision and associated FCC regulations.
- We represent clients in FCC enforcement proceedings involving the CPNI provision.
- We advise clients on the CPNI provision in connection with M&A activities, including handling due diligence and drafting appropriate representations and warranties.
Telephone Records and Privacy Protection Act of 2006 — criminalizes the practice of obtaining “confidential phone records information” (CPRI) through “pretexting”; also criminalizes the sale, transfer, purchase or receipt of CPRI without customer consent.
- We advise clients on applicability of TRAPPA to particular activities and TRAPPA compliance matters.
- We advise clients on TRAPPA in connection with M&A activities, including handling due diligence and drafting appropriate representations and warranties.
- We authored a leading article on TRAPPA.
State Laws and Regulation
We provide clients in many industries with advice relating to the U.S. state laws that relate to privacy, data protection and information management.
Most U.S. states have passed data breach notification statutes that require data owners to notify data subjects of a breach or other unauthorized access. Many states have also passed legislation that provides specific limitations on the manner in which data is disposed and several states have passed legislation imposing a general security requirement on companies.
These laws are in addition to the many consumer protection laws and industry-specific privacy and information security laws that must be considered.
Europe
Among K&L Gates’ 150 lawyers in its London office, and 20 lawyers in its Berlin office, are a number with expertise and experience in European data privacy and security issues.
European Union Data Protection Directive and the “Safe Harbor”
The European Union ("EU") Data Protection Directive, related Telecommunications and Electronic Commerce Directives, and the territory-specific laws and regulations that implement these Directives, create a comprehensive, complex and expanding regime of privacy, data protection and information management law throughout Europe, with implications for any business doing business in the EU.
These Directives regulate all commercial use of personal information, whether relating to customers, prospects, business contacts, or employees, and require the establishment of systems for the updating, retention and management of personal information (including the security, destruction and de-identification of such information and rights of access to it).
The EU Data Protection Directive generally prohibits the transfer of personal information from the EU to any non-EU country that does not provide similar legal protections for personal data. These limits on the export of personal information from the EU to the United States and other jurisdictions pose particular challenges to multinational companies. K&L Gates has a proven record of assisting companies with designing and implementing effective policies, systems and processes to manage personal information in accordance with EU and US law.
The EU Data Protection Directive has influenced the development of privacy and data protection laws in an increasing number of countries. Several countries in Eastern Europe seeking EU membership have adopted the Directive’s model. In addition, an increasing number of non-EU countries have adopted the EU model because they perceive the Directive’s otherwise applicable restrictions on cross-border transfers of personal data as a threat to their trade with the EU. However, variations among these laws mean that companies cannot simply follow the EU model; rather, legal compliance must consider the particulars of each national law.
K&L Gates has assisted its clients with the following specific products and services relating to compliance with European privacy, data protection and information security:
- Registration/notification with the national and other Data Protection Authorities in the EU;
- In-depth analysis of, and response to, EU Model Data Transfer Clauses;
- Questionnaires on existing personal data practices;
- Data protection audits;
- “Safe Harbor” compliance capability;
- Self certification programs for “Safe Harbor” compliance;
- Awareness and training presentations and materials;
- Corporate privacy and data protection policies;
- Compliance matrices (analyzing multi-jurisdictional requirements to support IT-management design decisions);
- Privacy office business plans;
- Web-based privacy, data protection and information security statements;
- Third-party data transfer agreements (model and negotiated);
- Business and in-house legal guides for the handling and management of personal data;
- Compliance of corporate “whistleblowing” policies with EU data protection laws and U.S. Sarbanes-Oxley requirements;
- Regulatory and licensing applications;
- Counseling regarding related cybersecurity standards and practices;
- Monitoring and analysis of new developments (legislative, regulatory, trade practices);
- Requests for access to personal data, both those made by individuals and those received by businesses;
- Advice on the data protection implications of the U.K. Court of Appeal decision Durant v. FSA;
- Agreements on commissioned data processing;
- Advice on requirements concerning data protection officers, compulsory registration and employee’s declaration of data secrecy;
- Customer consent forms for data processing, e.g., for marketing purposes; and
- Counsel regarding summary and criminal proceedings.
K&L Gates also has assisted companies to coordinate responses to regulatory developments with national and international trade groups and the U.S. Government, and to build trans-Atlantic relationships to facilitate understanding, awareness and the development of private-public cooperation.
U.K.
In the U.K., the EU Data Protection Directive is implemented by the Data Protection Act of 1998. The Act regulates the “processing” of “personal data”, including obtaining, using, holding, or disclosing such data. “Processing” and “personal data” are widely defined in the Act and, therefore, almost all organizations in the U.K. that hold information about individuals are subject to the data protection legislation. Such organizations should be acutely aware of their data protection obligations because a breach of such obligations can result in civil and criminal liability. In addition, compliance with the Act is enforced by the Information Commissioner, an independent, supervisory body that reports directly to the U.K. Parliament.
K&L Gates’ London office has advised many global U.S.-headquartered corporate entities on data protection obligations under the European regime, using the U.K. as the primary jurisdiction. The London office then coordinates with Berlin and other key jurisdictions to provide pan-European compliance advice and strategies.
The London office has also assisted many clients with implementation of their devised global data protection strategy. This has ranged from working with HR departments to assisting in-house lawyers with creation of in-house training programmes on data protection compliance.
Some examples of recent data protection and information management work include:
- advising a global accounting firm on establishment of a centralised data processing centre in the United States checking audit clients and partners' personal stockholdings;
- advising a provider of global information management solutions on international data transfer agreements and data protection compliance strategies;
- advising an international cruise company on information security strategy following a serious alleged data security breach;
- advising a Japanese company on data protection issues in connection with its public listing on the AIM market; and
- advising on data protection issues in corporate M&A deals.
Germany
Germany had a strong privacy and data protection law even before the implementation of the Directive. German data protection law focuses on data economy, data transparency and control of data processing. The main focus lies on the protection of individual rights of privacy. Individual data may only be used for the intended purpose and in most cases the express consent of the data subject is required. Thus, it is very important for a company in Germany to specify which data is collected, what it is used for, and why it is saved. K&L Gates has often assisted companies in determining the best way to comply with these strict German rules.
Asia
Among K&L Gates’ 70 lawyers in our offices in Hong Kong, Taipei and Beijing are several who have expertise in and closely follow privacy and data security issues.
Hong Kong
In Hong Kong, the protection of personal data is largely governed by the Personal Data (Privacy) Ordinance (the “Ordinance”), which came into force on 20th December 1996.
The Ordinance covers any data relating directly or indirectly to a living individual from which it is practicable to ascertain that individual’s identity, provided that the data is in a form in which access or processing is practicable. The Ordinance applies to any data user that controls the collection, holding, processing or use of personal data.
K&L Gates lawyers have experience in:
- advising data user clients on compliance issues related to the “fair information practices,” as stipulated in the data protection principles in Schedule 1 of the Ordinance;
- advising clients on rights of data subjects under the Ordinance (such as the right to confirm with data users whether their personal data is being held, to obtain a copy of such data, and to have such data corrected);
- assisting clients in making complaints to the Privacy Commissioner for Personal Data regarding a suspected breach of the Ordinance; and
- assisting clients in civil damage claims resulting from contravention of the Ordinance.
Taiwan
In Taiwan, the main legislation addressing the issues related to the protection of personal data is the Computer-Processed Personal Data Protection Law (the “Law”), which was promulgated on August 1, 1995.
The “computer-processed personal data” covered under the Law include the name, date of birth, I.D. card number, characteristics, fingerprints, marital status, family, education, occupation, health, medical history, financial conditions, social activities of a person and any other data that may identify a specific person, which are input, stored, edited, modified, searched, deleted, output, transmitted or otherwise processed using a computer or automatic machinery.
The Taipei office has experience in:
- advising clients on the rights of data owners pursuant to the Law, and the remedies such owners are entitled to in case of breach of the Law;
- advising non-government sector clients in compliance issues related to the Law, especially with regard to the collection, use, computer-processing and transmission of the data; and
- advising clients on the collection and use of the data through on-line promotional competition.
China
Although there are no current Chinese laws or regulations specifically addressing privacy protection, provisions of several laws and regulations are potentially applicable.
Chinese Constitution — There are limited rights to privacy in the Chinese Constitution. Article 38 provides that the personal dignity of citizens of the People's Republic of China is inviolable and further, that insult, libel, false accusation or false incrimination directed against citizens by any means is prohibited. Articles 37 and 39 define, respectively, the protection of freedom of the person and the residence. Article 40 of the Constitution provides for the freedom and privacy of correspondence of the citizen.
General Privacy Law — Laws such as the Criminal Law, the General Principles of Civil Law, etc. provide protection for privacy. For example, Article 246 of the General Principles of Criminal Law (1997) (GPCL) provides a further basis for the protection of the right, stating “those openly insulting others using force or other methods or those fabricating stories to slander others, if the case is serious, are to be sentenced to three years or fewer in prison, put under criminal detention or surveillance, or deprived of their political rights.”
Internet Information Services Regulations — In October 2000, the Ministry of Information Industry (MII) promulgated these regulations aimed at controlling Internet usage. Promoting “evil cults” was prohibited, as was providing information that “disturbs social order or undermines social stability.”
Measures for the Administration of Internet E-mail Services — These regulations, effective February 21, 2006, include provisions on the obligations of ISPs to protect privacy. Article 9 provides that an Internet e-mail service provider shall have the obligation to keep confidential the users’ personal registered information and Internet e-mail addresses.
Importantly, the issue of privacy is gaining increasing attention within China among scholars and commentators. It is likely that more advanced laws or regulations regarding privacy protection will be enacted or promulgated in the near future.
Canada
Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) is, in the words of the Privacy Commissioner of Canada, “not unfailingly simple and straightforward”. This new law is being phased in over the next two years and is already broadly applicable as a matter of law, prudent practice and market expectations.
PIPEDA, like EU privacy, data protection and information security law, regulates all uses of personal information by the private sector in Canada, whether relating to customers, prospects, employees or others. U.S. businesses operating or selling in Canada face significant compliance hurdles as the Act is phased in.
This is particularly true now that Canadian and EU privacy and data protection law is becoming more tightly integrated following the January 2002 determination by the EU that Canadian law (along with Swiss and Hungarian law) offers “an adequate level” of data protection rights for the individuals in the EU whose data is being exported to the recipient country.
In addition, the Canadian provinces have become increasingly active in pursuing their own privacy laws, and, in some instances, privacy regulation on the provincial level must be addressed. The body of Canadian privacy law has also become more developed and specific as the Privacy Commissioner of Canada has begun releasing his opinions as well as comprehensive public reports.
K&L Gates, working with Canadian counsel, has provided its clients with the following specific products and services relating to compliance with Canada’s federal privacy law:
- Analyzing the applicability of Canada’s federal privacy law to various operations;
- Developing compliance notices, policies and other materials; and
- Comparing the requirements of the federal law with the privacy statute of Québec.