Privacy and data protection are among the most complex, dynamic, and rapidly changing areas of law. Practically every month, a new law adds another set of complicated and contradictory requirements. We help our clients to develop effective solutions for protecting and managing information assets and comply with the law while containing costs and maintaining operational efficiency. Our lawyers help clients to:
Our privacy, data protection, and information management practice benefits from our lawyers' experience with various technologies and methodologies. We have developed unique compliance techniques and approaches, including an industry-leading process-oriented approach to information management issues that assists our clients in making choices about how to use these technologies to achieve legal compliance. These techniques have been featured in testimony we were invited to provide to the U.S. National Computer Security and Privacy Advisory Board.
We also assist clients in negotiating agreements for technologies and related services to implement information management systems. In addition, our team employs substantive, lobbying, regulatory, and coalition-building skills to help businesses anticipate and shape changes to privacy and security laws and regulations.
K&L Gates’ privacy lawyers are knowledgeable in the highly varied data protection laws existing across the globe.
United States
In the United States, an expanding number of privacy and data protection laws, regulations, and associated guidance — at the federal level and in all 50 states — significantly impact the operations of businesses and other entities. At the federal level, the Federal Trade Commission has acted under its general power to regulate unfair acts or deceptive practices in order to ensure that a company or other entity does what it says it will do with regard to privacy and security, and create general standards of care for an entity collecting and using personal information. Additional specific and detailed federal statutes govern specific types of personal data and particular sectors. Meanwhile, businesses are still exposed under state tort doctrines as well as state statutes and constitutions. Most states have enacted general information security or disposal statutes, particularly governing security breach notifications and requirements for data disposal practices.
European Union
In the European Union (EU), the Data Protection Directive, related Telecommunications and Electronic Commerce Directives, and the territory-specific laws and regulations that implement these directives create a comprehensive, complex, and expanding regime of privacy, data protection, and information management law with implications for any business doing business in the EU. These directives regulate all commercial use of personal information, whether relating to customers, prospects, business contacts, or employees, and require the establishment of systems for the updating, retention, and management of personal information. The EU Data Protection Directive generally prohibits the transfer of personal information from the EU to any non-EU country that does not provide similar legal protections for personal data. These limits on the export of personal information from the EU to the United States and other jurisdictions pose particular challenges to multinational companies.
Our lawyers have a proven record of assisting companies with designing and implementing effective policies, systems, and processes to manage personal information in accordance with EU and U.S. law. The EU Data Protection Directive has also influenced the development of privacy and data protection laws in other countries. Several countries seeking EU membership have adopted the directive’s model. Non-EU countries have adopted the EU model because they perceive the directive’s otherwise applicable restrictions on cross-border transfers of personal data as a threat to their trade with the EU.
United Kingdom
In the United Kingdom, the EU Data Protection Directive is implemented by the Data Protection Act of 1998. Almost all organizations in the U.K. that hold information about individuals are subject to the data protection legislation, and organizations should be acutely aware of their data protection obligations because a breach of such obligations can result in civil and criminal liability. In addition, compliance with the act is enforced by the Information Commissioner, an independent, supervisory body that reports directly to the U.K. Parliament. Our privacy team has advised many global, U.S.-headquartered corporate entities on data protection obligations under the European and U.K. regime.
Germany
Germany had a strong privacy and data protection law even before the implementation of the EU Data Protection Directive. German data protection law focuses on data economy, data transparency, and control of data processing. Individual data may only be used for the intended purpose and in most cases the express consent of the data subject is required. Because of this, it is very important for a company in Germany to specify which data is collected, what it is used for, and why it is saved.
Hong Kong
In Hong Kong, the protection of personal data is largely governed by the Personal Data (Privacy) Ordinance. The ordinance covers any data relating directly or indirectly to a living individual where it is practicable to discover the individual’s identity. The ordinance applies to any data user that controls the collection, holding, processing, or use of personal data.
Taiwan
For organizations operating in Taiwan, the main legislation addressing the issues related to the protection of personal data is the Computer-Processed Personal Data Protection Law. Many types of computer-processed personal data are covered under the law, from name, date of birth, and marital state to fingerprints, medical history, and financial condition.
Financial institutions and their service providers are among the most heavily regulated businesses from a privacy, data protection, and information management perspective. New laws have fundamentally changed the way that many financial institutions gather, process, and use information about their customers. And many entities that might not consider themselves to be financial institutions are nevertheless covered. In different jurisdictions around the world, the definition of financial institution can cover not only core providers of financial services but also specified, related activities, from providing brokering or servicing loans and appraising real or personal property to printing and selling checks. In the United States, we advise clients on a broad array of compliance issues arising under the key U.S. law affecting financial institutions – the Gramm-Leach-Bliley Act. K&L Gates advises financial institutions on a range of information management issues, including:
Privacy and data protection laws complicate an employer’s legitimate business interest in collecting and using information about employees and applicants in order to make informed employment decisions. Privacy laws limit an employer’s ability to obtain, use, disclose, and transfer certain information throughout the entire employment process; at the same time, identity theft and other laws require employers to obtain certain information. K&L Gates privacy lawyers help clients blend traditional employment law restrictions with new privacy, data security, and identity theft rules. K&L Gates’ privacy and data protection team assists clients in:
The legal aspects of information management are complex. Both civil and criminal laws are relevant to how companies define and manage the security of their information systems. Federal regulations require certain businesses to have information security plans that involve administrative, technical, and physical safeguards. The transfer of information implicates laws requiring the use of encryption in some cases. K&L Gates lawyers help clients understand the law as it relates to technologies such as encryption, firewalls, access controls, authentication, digital signatures, and smartcards. We assist clients in:
K&L Gates is at the forefront of data protection issues in Washington, D.C. and is widely recognized for cyber-security policy experience. We are also experienced in assisting clients at the state legislative level on cyberspace, technology, contracting, and consumer protection legislation. Efforts for our clients include:
We regularly advise businesses in a variety of industries with respect to legal issues associated with data ownership, licensing, data, and information issues arising in restructurings, business reorganizations, company and asset acquisitions, asset transfers, and other operational contexts. This includes work relating to: