Privacy, Data Protection and Information Management

K&L Gates’ privacy lawyers are knowledgeable in the highly varied data protection laws existing across the globe.

United States
In the United States, an expanding number of privacy and data protection laws, regulations, and associated guidance — at the federal level and in all 50 states — significantly impact the operations of businesses and other entities. At the federal level, the Federal Trade Commission has acted under its general power to regulate unfair acts or deceptive practices in order to ensure that a company or other entity does what it says it will do with regard to privacy and security, and create general standards of care for an entity collecting and using personal information. Additional specific and detailed federal statutes govern specific types of personal data and particular sectors. Meanwhile, businesses are still exposed under state tort doctrines as well as state statutes and constitutions. Most states have enacted general information security or disposal statutes, particularly governing security breach notifications and requirements for data disposal practices.

European Union
In the European Union (EU), the Data Protection Directive, related Telecommunications and Electronic Commerce Directives, and the territory-specific laws and regulations that implement these directives create a comprehensive, complex, and expanding regime of privacy, data protection, and information management law with implications for any business doing business in the EU. These directives regulate all commercial use of personal information, whether relating to customers, prospects, business contacts, or employees, and require the establishment of systems for the updating, retention, and management of personal information.

The EU Data Protection Directive generally prohibits the transfer of personal information from the EU to any non-EU country that does not provide similar legal protections for personal data. These limits on the export of personal information from the EU to the United States and other jurisdictions pose particular challenges to multinational companies. Our lawyers have a proven record of assisting companies with designing and implementing effective policies, systems, and processes to manage personal information in accordance with EU and U.S. law. The EU Data Protection Directive has also influenced the development of privacy and data protection laws in other countries. Several countries seeking EU membership have adopted the directive’s model. Non-EU countries have adopted the EU model because they perceive the directive’s otherwise applicable restrictions on cross-border transfers of personal data as a threat to their trade with the EU.

United Kingdom
In the United Kingdom, the EU Data Protection Directive is implemented by the Data Protection Act of 1998. Almost all organizations in the U.K. that hold information about individuals are subject to the data protection legislation, and organizations should be acutely aware of their data protection obligations because a breach of such obligations can result in civil and criminal liability. In addition, compliance with the act is enforced by the Information Commissioner, an independent, supervisory body that reports directly to the U.K. Parliament. Our privacy team has advised many global, U.S.-headquartered corporate entities on data protection obligations under the European and U.K. regime.

Germany
Germany had a strong privacy and data protection law even before the implementation of the EU Data Protection Directive. German data protection law focuses on data economy, data transparency, and control of data processing. Individual data may only be used for the intended purpose and in most cases the express consent of the data subject is required. Because of this, it is very important for a company in Germany to specify which data is collected, what it is used for, and why it is saved.

Hong Kong
In Hong Kong, the protection of personal data is largely governed by the Personal Data (Privacy) Ordinance. The ordinance covers any data relating directly or indirectly to a living individual where it is practicable to discover the individual’s identity. The ordinance applies to any data user that controls the collection, holding, processing, or use of personal data.

Taiwan
For organizations operating in Taiwan, the main legislation addressing the issues related to the protection of personal data is the Computer-Processed Personal Data Protection Law. Many types of computer-processed personal data are covered under the law, from name, date of birth, and marital state to fingerprints, medical history, and financial condition.

Financial institutions and their service providers are among the most heavily regulated businesses from a privacy, data protection, and information management perspective. New laws have fundamentally changed the way that many financial institutions gather, process, and use information about their customers. And many entities that might not consider themselves to be financial institutions are nevertheless covered. In different jurisdictions around the world, the definition of financial institution can cover not only core providers of financial services but also specified, related activities, from providing brokering or servicing loans and appraising real or personal property to printing and selling checks. In the United States, we advise clients on a broad array of compliance issues arising under the key U.S. law affecting financial institutions – the Gramm-Leach-Bliley Act.

K&L Gates advises financial institutions on a range of information management issues, including:

• Developing opt-in and opt-out programs for clients' marketing and data sharing activities;
• Drafting privacy and data protection policies and notices;
• Analyzing information sharing arrangements;
• Drafting compliance guides for financial institutions and trade associations;
• Establishing comprehensive information security programs;
• Preparing employee policies, training materials, and presentations;
• Drafting privacy and confidentiality agreements between financial institutions, their service providers, and other third parties;
• Representing clients in enforcement proceedings involving alleged violations of privacy and data protection law; and
• Monitoring financial privacy and data protection developments and helping our clients adjust their programs and practices to those developments.

Privacy and data protection laws complicate an employer’s legitimate business interest in collecting and using information about employees and applicants in order to make informed employment decisions. Privacy laws limit an employer’s ability to obtain, use, disclose, and transfer certain information throughout the entire employment process; at the same time, identity theft and other laws require employers to obtain certain information. K&L Gates privacy lawyers help clients blend traditional employment law restrictions with new privacy, data security, and identity theft rules.

K&L Gates’ privacy and data protection team assists clients in:

• Counseling on employee privacy and data protection issues;
• Developing and drafting employee privacy and data protection policies and procedures; 
•  Analyzing employers’ existing policies and procedures for compliance with privacy and data protection requirements;
• Updating these policies and procedures in consideration of new employer defenses under new laws;
• Assisting employers in establishing appropriate procedures, consent forms, and vendor contract arrangements for collection and use of employees' genetic information in connection with legitimate business activity; and
• Preparing employee training materials and presentations.

The legal aspects of information management are complex. Both civil and criminal laws are relevant to how companies define and manage the security of their information systems. Federal regulations require certain businesses to have information security plans that involve administrative, technical, and physical safeguards. The transfer of information implicates laws requiring the use of encryption in some cases.

K&L Gates lawyers help clients understand the law as it relates to technologies such as encryption, firewalls, access controls, authentication, digital signatures, and smartcards. We assist clients in:

• Negotiating the acquisition of digital signature technologies and structuring use in producing electronic documents;
• Designing security incident response plans, which define how companies respond to computer attacks, viruses, hackers, and similar incidents;
• Negotiating and revising merchant payment system agreements and other processing agreements on behalf of retailers, clients who accept credit cards or debit cards, and clients who engage in electronic transactions like ACH or electronic check conversions;
• Evaluating and negotiating proposed insurance coverage for cyber-losses, and assisting clients in preparing or litigating claims for recovery of insurance proceeds;
• Investigating possible criminal actions against computer systems and computer assets, including assisting in the performance of internal investigations; and
• Advising clients subject to hacking incidents on obtaining and preserving evidence of incidents and whether evidence so obtained was sufficient to pursue civil claims against possible perpetrators or to refer such perpetrators to the relevant authorities for prosecution.

K&L Gates is in the forefront of data protection issues in Washington, D.C. and is widely recognized for cyber-security policy experience. We are also experienced in assisting clients at the state legislative level on cyberspace, technology, contracting, and consumer protection legislation. Efforts for our clients include:

• Leading the endeavor to liberalize export controls on American encryption products and to prevent domestic limitations on the use of encryption;
• Preventing government designed technological mandates in broad anti-terrorism legislation (the Patriot Act) and obtaining a provision specifically stating that the bill did not require companies to develop new technologies or design new systems to facilitate government access to electronic information;
• Representing the leading software trade association to ensure that efforts to promote cyber security and protect critical information infrastructure are market-driven and industry-led;
• Lobbying successfully for legislation to protect against the disclosure of voluntarily submitted corporate cyber security information; and
• Working on federal data breach legislation that would establish a reasonable national procedure for notification, while recognizing corporate efforts to protect data.

We regularly advise businesses in a variety of industries with respect to legal issues associated with data ownership, licensing, data, and information issues arising in restructurings, business reorganizations, company and asset acquisitions, asset transfers, and other operational contexts. This includes work relating to:

• Selling or licensing consumer information;
• Structuring of affiliate data and IP licensing relationships to address business and strategic objectives;
• Advising clients during bankruptcy proceedings in connection with any sale of assets that may contravene privacy and data protection policies and applicable regulations;
• Advising clients regarding the Federal Rules of Civil Procedure for electronic records and document retention plans and procedures, and utilizing specialized software to make document production cost effective and efficient;
• Advising clients regarding the ownership or transfer of personally identifiable information in connection with mergers and acquisitions and corporate restructurings; and
• Using the rights of data access under the U.K. Data Protection Act of 1998 in connection with court disclosure proceedings.