Passing Data Between Retailers To Facilitate Transactions: A How-To Guide

Online retailers often learn information about a consumer that may be used by them to help identify other products, services, or companies that may be of interest to the consumer. For example, if a person purchases an airplane ticket to Washington DC, the person may want information about hotels, popular restaurants, or amenities at the airport. …

EU Binding Corporate Rules For Transferring Data: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States companies are permitted to transfer personal information – including sensitive personal information – as needed between their offices, locations, and corporate affiliates. For example, there are no restrictions that prevent a company from sending personal information collected within the US to a company data center located outside of the US. In the European Union, the EU Data Protection Directive 95/46/EC (the “Directive”) creates a legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. …

A Side-by-Side Comparison of “Privacy Shield” and the “Safe Harbor”

More than 5,000 companies had taken advantage of the now defunct U.S.-EU Safe Harbor Framework. Those companies are now considering whether to join the newly approved “Privacy Shield,” and are trying to understand the difference between the old and new framework. As they do, these companies are faced with many questions: How does the Privacy Shield differ from Safe Harbor? Can you rely on the Model Clauses? Or would it make more sense to join the Privacy Shield? If so, what do you need to do to join?

To supplement our earlier publication, we have prepared a side-by-side comparison of the invalidated Safe Harbor and the new Privacy Shield. Over the next week, we will be publishing similar comparisons between Privacy Shield and other adequacy methods including the model controller-controller clauses and the model controller-processor clauses. If you would like to receive those comparisons, please register at www.bryancavedatamatters.com.

Click here to view the side-by-side comparison of the Safe Harbor and the Privacy Shield.

Privacy Shield Finalized – How Everyone Can Take Advantage of the New European Data Transfer Framework

Background

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU Member State.  The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed.  Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection.  As a result, if a company intended to transfer personal data from the EU to the U.S., it traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….

Data Privacy and Security: A Practical Guide for In-House Counsel (2016)

David Zetoony’s Data Privacy and Security: A Practical Guide for In-House Counsel was published May 27 by Washington Legal Foundation (WLF) as part of its Contemporary Legal Note Series. WLF describes the publication as “a concise but comprehensive guidebook for navigating the daunting challenge of managing data-privacy and security compliance in today’s high-risk legal environment.” Members of Bryan Cave’s Data Privacy and Security Team contributed to this publication. Michael Kaplan, senior vice president, chief legal officer and chief compliance officer of Red Robin Gourmet Burgers, Inc., authored the foreword. Click here to view the guidebook.

How to Pass Data Between Retailers to Facilitate Transactions

Online retailers often learn information about a consumer that may be used to help identify other products, services, or companies that may be of interest to the consumer. For example, if a consumer purchases an airplane ticket to Washington, D.C., the consumer may want information about hotels, popular restaurants, or amenities at the airport.

Although online retailers often strive to provide recommendations quickly, and to make a consumer’s transition to a third party retailer seamless, the Restore Online Shoppers’ Confidence Act (“ROSCA”) generally prohibits one online merchant from transferring payment information (e.g., a credit card number) to a second online merchant…

Privacy Shield Released – How Employers Can Take Advantage of the New European Data Transfer Framework (2016)

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company or employer intended to transfer personal data from the EU into the U.S., they traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….

How to Obtain EU Binding Corporate Rules (BCR) Approval (2016)

The following provides background concerning the approved Binding Corporate Rules (“BCR”) procedure. BCRs are in-kind privacy rules and standards that allow multinational groups of companies to transfer personal data within their group of companies, including to corporate affiliates outside of the EU. In order to obtain approval of a BCR, a company’s privacy policy has to demonstrate that it ensures an adequate level of data protection and respective safeguards under EU law. BCRs are an internal tool only and do not allow for any data transfers outside of a corporate group…

Privacy Shield: Safe Harbor 2.0? (2016)

As negotiators for the US Department of Commerce (“DOC”), Federal Trade Commission (“FTC”), and the European Commission move toward an agreement intended to allow continued US-EU data transfers, a closer look at the history of “Safe Harbor” and the proposed “Privacy Shield” framework leaves some questions unanswered.

Safe Harbor Invalidation
Under EU Data Protection Directive 95/46/EC (the “Directive”), personal data controlled in the EU may be transferred to countries outside the EU only when an “adequate level of protection” is guaranteed. From 2000 to 2015, thousands of companies achieved this adequacy status through the US-EU “Safe Harbor” framework, an annual certification process approved by the European Commission and made available to US companies subject to the jurisdiction of the FTC or Department of Transportation…

How to Use the EU Model Clauses (2016)

The EU Commission has created model contracts for data transfers (the “Model Contracts”) and determined that organizations which use the Model Contracts offer sufficient safeguards for cross-border data transfer as required by the Directive.

The EU Commission has issued three Model Contracts: two for transfers from data controllers to data controllers established outside the EU, and one for a transfer to a data processor outside the EU. Once a company decides to use the model clauses functionally, three steps must be followed in order to put those clauses into place and have them help in the transfer of information out of the EU. The following provides a high level overview of how to implement a Model Contract…

Webinar: What In-House Counsel Need to Know about Data Privacy in the Sharing Economy

April 21, 2016 at 12 p.m. EDT 

Sharing Economy companies have unleashed new technologies to reduce barriers to economic participation, giving millions of would-be entrepreneurs the tools to share their time, vehicles, homes and other assets to help cover expenses. Many of these tools also give sharing economy companies access to sensitive personal data regarding their users, including GPS coordinates, driving records, criminal history information and more. However, because these industries tend to be highly regulated, many companies are required by regulation to collect and store this data beyond the period dictated by business necessity. Join San Francisco Partner Daniel Rockey as he discusses some of the key privacy issues facing sharing economy companies and strategies to reduce the legal risks inherent in collecting and storing sensitive personal data. Click here for more information or to register.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

Webinar: Life After the Safe Harbor Under the “Privacy Shield”

March 3, 2016 at 12 p.m. EST

Companies of all types were caught off guard when the EU-U.S. Safe Harbor data transfer framework was invalidated in October 2015. In the months following the invalidation, many companies anxiously awaited a replacement for the original Safe Harbor framework. That replacement has now been announced in the form of the newly-negotiated “Privacy Shield” framework. Join Jana Fuchs and Jason Haislmaier as they discuss the details of the Privacy Shield framework, provide an update on the current status and timeline for the formal adoption of the Privacy Shield, and provide strategies for compliance in EU-U.S. cross border data transfers both now and following adoption of the Privacy Shield. Click here for more information or to register.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.