BLOGS: Privacy and Data Protection

Wednesday, July 27, 2016, 3:39 PM

A Fragile Shield? Managing the Risks of EU-U.S. Data Transfer

By Doug Bonner

Following European Commission adoption of the Privacy Shield on July 12, 2016, and with Privacy Shield self-certification poised to open for business organizations on August 1, 2016 as a replacement for the invalidated EU-U.S. Safe Harbor mechanism, U.S. businesses are actively evaluating the commitments they will need to make to self-certify (and to annually re-certify) under the Privacy Shield in order to receive personal data from the EU. There are important considerations in evaluating self-certification under the Privacy Shield, including the financial and time costs of self-certification. For example, a Privacy Shield-compliant privacy policy statement must be effective and publicly available before certification, and other oversight and enforcement mechanisms must be in place to ensure compliance with the Privacy Shield’s privacy principles. Furthermore, U.S. organizations must have written agreements with onward recipients of personal data guaranteeing the same level of protection as they self-certify to under the Privacy Shield Principles, requiring negotiation of those separate agreements. A nine-month grace period is available to organizations that self-certify within the first two months of the Privacy Shield effective date, a powerful incentive for organizations with a substantial number of pre-existing third-party commercial relationships to self-certify early.

Still, despite the additional burdens imposed upon self-certifying businesses, the Privacy Shield is likely to face legal challenge from privacy advocates in the EU who consider the Shield inadequate protection for personal data in response to the European Court of Justice (“ECJ”) decision in October 2015 invalidating the Safe Harbor. In the meantime, the EU Standard Contractual Clauses (the “Model Clauses”), another mechanism by which personal data can be lawfully transferred outside the EU, are the subject of a complaint being reviewed by the ECJ. With that backdrop, should companies with Model Clauses already in place self-certify under the Privacy Shield? Should the Privacy Shield replace or instead buttress the use of Model Clauses? There are also steps EU organizations can take to protect themselves against a successful challenge, either to the Model Clauses or to the Privacy Shield. Finally, for businesses operating in the UK, the Brexit vote creates uncertainty about whether the Privacy Shield mechanism will be available to them depending upon when and how UK withdrawal from the EU occurs. Certain actions will likely need to be taken by the UK to benefit from the Privacy Shield on an ongoing basis following withdrawal from the EU.

Our Womble Carlyle Privacy and Data Protection Team experts have been discussing these issues with our counterparts in our U.K. strategic partner firm Bond Dickinson and highlight areas where specific, targeted advice and collaborative thinking will benefit our clients.

For the full version of this client alert please click here.


Tuesday, July 5, 2016, 5:34 PM

Future of U.K. Data Protection Regs Unclear

As incoming British Prime Minister Theresa May assembles her Cabinet, including a newly appointed Secretary of State for Exiting the European Union following the June 23, 2016 Brexit referendum outcome, the U.K.'s march forward to leave the EU creates uncertainty about whether the U.K. will continue to follow EU data protection laws, including implementation of the EU's new General Data Protection Regulation (“GDPR”), scheduled to become effective on May 25, 2018. Furthermore, the recently negotiated U.S./EU Privacy Shield, approved by the European Commission on July 12, 2016 as a replacement privacy regime for the EU-invalidated Safe Harbor, may face an uncertain future in the U.K. as well if it is not an available framework for multinational businesses to do business in the U.K.


Tuesday, March 29, 2016, 6:23 PM

Top Twelve TCPA DOs and DON’Ts for businesses doing outbound automated or prerecorded calling

We have assembled our “Top 12 TCPA Dos and Don’ts”. We’re certain others exist that could be added to this list, but this is an introductory sanity check for a company’s outbound calling practices under TCPA laws and regulations. (Of course, this is not intended as nor should be considered legal advice, and you should consult an attorney for specific legal advice involving your particular business practices.)

(1) Maintain an up-to-date, company-specific, written Do-Not-Call Policy to be produced on demand?

(2) Need to know the different requirements applicable to autodialed and prerecorded calls to wireless numbers and residential landlines, identify wireless numbers, and ensure compliant call handling before dialing?

(3) Treat autodialed texts the same as any autodialed call to a wireless number?

(4) Keep records of “prior express written consent” to receive autodialed calls or texts, or prerecorded calls, with name and associated telephone number of consenting party, and consent language?

(5) Incorporate prior express written consent language to receive telemarketing calls and texts in your standard contract for services?

(6) Scrub your call list at least monthly against the National Do-Not-Call Registry?

(7) Maintain a current company-specific Do-Not-Call List?

(8) Place a telemarketing call to someone on a Do-Not-Call list who contacts a customer service center and requests a call back?

(9) Discontinue placing calls to a requesting party no later than 30 days after receiving a Do-Not-Call request?

(10) Okay to place autodialed or prerecorded debt collection calls to someone who leaves their cell phone number on an application for service or an admission form?

(11) Avoid calls to reassigned wireless numbers once reassigned, even if intending to call the person to whom the number was once assigned?

(12) Know whether your dialing equipment has the “capacity” to store or produce numbers using a random or sequential number generator and to dial those numbers, even if that capacity isn’t utilized?

BONUS vicarious liability points: Manage your risk by outsourcing outbound telemarketing to an outside vendor and “lead generator” who guarantees TCPA compliance, works on a commission-for-sales basis, and will agree to indemnify for losses?


ANSWERS (We won't force you to turn to p. 73):

1. DO

2. DO

3. DO

4. DO

5. DON’T

6. DO, unless you have verified that calls are to someone with an established business relationship as defined in the TCPA Rules.

7. DO

8. DO (an express invitation under FCC rules).

9. DO

10. DO

11. DO

12. DO

BONUS: DON’T (without more protection, including demanding proof of adequate liability coverage covering TCPA liability)


Wednesday, March 2, 2016, 3:08 PM

Draft of Text of EU-U.S. Privacy Shield Released

The U.S. and EU are one step closer to implementing the new EU-U.S. Privacy Shield. The European Commission and U.S. Department of Commerce yesterday announced the release of the legal texts that will put in place the EU-U.S. Privacy Shield, a new framework of rules governing transatlantic data flow.


Rebuilding Trust with the Europeans After Snowden: Obama Signs New Privacy Law

The U.S. and E.U. are one step closer to entering into a new data transfer agreement. On Wednesday President Barack Obama signed into legislation the Judicial Redress Act, giving citizens of certain allied countries, including E.U. countries, recourse in U.S. courts to protect their personal data.

The Act allows foreign citizens to take legal action against some U.S. government agencies if the agency misuses their personal information. The Act would give European citizens procedural privacy protections similar to those available to U.S. citizens under the Privacy Act of 1974 for personal information transferred to the U.S. through international law enforcement channels.


Live From ‘Frisco…It’s Ted Claypoole!

“Live before a studio audience” works well for “Jeopardy” and “Saturday Night Live.” Now, Womble Carlyle attorney Ted Claypoole is going to see how the concept works for Internet privacy law. Claypoole will discuss “The Gasping Death of the ‘Reasonable Expectation of Privacy’ Standard” at the upcoming RSA Conference in San Francisco. The presentation will take place in front of a live audience at the RSA on-site recording studio and the video subsequently will be published at

The presentation takes place Wednesday, March 2nd.


FDIC "Framework for Cybersecurity" Highlights How Financial Institution Information Security Programs Can Better Respond to Evolving Cyber Threats

Authored by Doug Bonner

Every regulated financial institution that must maintain an effective information security program under Gramm-Leach-Bliley should not only ensure that it is complying with all banking regulations, but also regularly evaluate banking industry best practices for cybersecurity. The FDIC in February 2016 published a "Framework for Cybersecurity" that provides financial institutions a valuable sanity check about what best practices, from the FDIC's perspective, should be followed, and what government and industry resources are available for banks, both large and small, to counter cyber threats.

Our linked client alert discusses highlights of the FDIC's recent "Framework for Cybersecurity".
