Choose Site
TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Please join us on September 17 for a webinar discussing GDPR issues. This webinar is part of our 2020 Data Privacy and Protection Boot Camp series.

Morgan Lewis partners Pulina Whitaker and Andrew J. Gray IV and Morgan Lewis special legal consultant Dr. Axel Spies will be the speakers at the event. Discussion topics will include hot issues in GDPR such as cookies, data transfers, and enforcement trends.

We hope you'll join us on Thursday, September 17, 2020, from 12:00 to 1:30 pm ET.

Register for the webinar now >>

A recent Court of Justice of the European Union (CJEU) ruling—Schrems II—could lead to significant changes for companies that rely on the EU-US Privacy Shield for transferring personal data from the European Economic Area (EEA) to the United States, including increased due diligence on the part of data exporters.

Morgan Lewis recently published an article on the 2019 Novel Coronavirus (COVID-19) outbreak and its effect on General Data Protection Regulation (GDPR) in the European Union. This article discusses the nature of the temporary suspension of some data-protection rights in times of crisis, and how the need to address the ongoing health crisis is being balanced with data-protection rights in Italy, France, and Germany.

Read the full article.

The Clearing House (the oldest banking association and payments company in the United States) recently released a model agreement as a voluntary starting point to facilitate data sharing between financial institutions and fintech companies.

The model agreement is intended to provide a standardized foundation that speeds up data access agreement negotiations; as the Clearing House notes, “[L]egal agreements between banks and fintechs have sometimes taken 12 months or more to be developed and finalized and have become a significant bottleneck to API adoption.” Additionally, the model agreement is designed to reflect the Consumer Financial Protection Bureau’s consumer protection principles on data sharing and aggregation, providing confidence to the contracting parties that the terms address key regulatory issues.

Check out this recent LawFlash by Morgan Lewis partners Michael Pierides and Simon Lightman discussing the groundbreaking fines the United Kingdom’s Information Commissioner’s Office (ICO) proposed against two global organizations pursuant to the EU General Data Protection Regulation (GDPR). Under the GDPR, which seeks to promote transparent and responsible collection and maintenance of consumers’ personal information, applicable regulatory agencies can impose fines on organizations that do not comply with the strict GDPR standards.

Recently, the ICO issued fines to two companies following data breaches of their respective consumers in 2018. Under previous data protection laws, fines were limited to hundreds of thousands of dollars, but in the new era of the GDPR, the companies are facing fines of $227.5 million and $123.1 million, respectively. The issuance of these massive fines puts global companies on notice that the GDPR should be taken seriously, and that the ICO, in particular, will not hesitate to dispense unprecedented consequences for noncompliance.

The European General Data Protection Regulation (GDPR) took effect in May 2018, requiring companies that handle or process EU residents’ personal information to conform to practices that seek to more fully protect consumer sensitive information. Companies that fall under this category, known as data controllers, must secure consumer consent or another legally acceptable method of gathering personal information, notify individuals of the personal information that is collected and how it will be used, and limit the collection and maintenance to necessary information for a limited period of time. The individuals whose personal information is gathered also have a right to access the information, limit its use, and withdraw their consent from data controllers for such use.

In this month’s Contract Corner, we are highlighting considerations for drafting an up-to-date privacy policy. In Part 1 of this series, we provided background on the general legal landscape for privacy policies in the United States and general issues that need to be addressed for an up-to-date policy. In this Part 2, we will provide some specific pointers on drafting, updating, and disclosing such policies.

Additional Information to Include

In addition to the list of items that should generally be covered in every privacy policy we provided in Part 1, the following are additional items you may need to set out in your specific privacy policy:

  • Directions for customers to access and update data (e.g., password resets, contact information updates, and mechanisms for unsubscribing)
  • Contact details or other means of reaching persons in your organization that can address user queries or concerns
  • Information regarding notifications when the privacy policy is updated (see below for considerations when reviewing and updating your policy)
  • Mechanisms for users to agree to and accept the terms of the privacy policy, as well as means for users to opt out

Drafting and posting a clear, concise, and accurate privacy policy is one of the most important tasks when creating a company’s website, particularly given today’s legal and regulatory environment. Privacy policy legal requirements are becoming more stringent and shortcomings less tolerated, and consumer sensitivity to privacy concerns are at an all-time high.

Despite these concerns, many companies’ policies are seemingly insufficient. A recent opinion piece published as part of the New York Times’ Privacy Project assessed 150 privacy policies from various companies and found that the vast majority of them were incomprehensible for the average person. At best, these seem to have been “created by lawyers, for lawyers” rather than as a tool for consumers to understand a company’s practices.

In this month’s Contract Corner, we will highlight considerations for drafting an up-to-date privacy policy. Part 1 of this month’s Contract Corner will provide background on the current legal landscape for privacy policies in the United States and general issues that need to be addressed.

Morgan Lewis partner Peter Watt-Morse (Pittsburgh) and associate Eric Pennesi (Pittsburgh) will be participating in the Pennsylvania Bar Institute’s 2019 Cyberlaw Update, which will address trending topics, including blockchain and cryptocurrency and security and privacy concerns related to social media, in addition to GDPR.

Topics to be discussed include:

  • Social Media Ethics – Its Use and Impact on the Practice of Law
  • IP in the Age of Cloud Computing and Artificial Intelligence
  • Responding to Data Breaches – Legal Update and Practical Counsel

The event will be hosted at the PBI Professional Development Center (Heinz 57 Center, 339 Sixth Avenue, 7th Floor, Pittsburgh PA, 15222) on Tuesday, April 30 from 9:00 am to 4:00 pm.

Register for Event

Towards the end of 2018 we ran a series of Contract Corner blog posts on the GDPR and Data Processing Addendums. (See here and here.) December brought detailed guidance from the UK Information Commission’s Office (ICO) on contracts and GDPR compliance (the New Guidance), which replaces draft guidance previously issued as part of a consultation by the ICO in 2017 (the Draft Guidance).