Numerous laws and regulations, in the United States and abroad, restrict or regulate personal data transfers to, or sharing with, a third party. These transfers or sharing may require the prior consent of the individual data subject or the prior approval of the regulators. In most cases, they also require the negotiation of data transfer agreements or data use agreements that set the limits on the permitted uses and include stringent requirements for confidentiality and security.
US State Attorneys General and foreign Data Protection Supervisory Authorities are diligently prosecuting companies for their aggressive data transfer or data sharing practices. Numerous companies have been exposed to significant liability as the result of illegal transfer or sharing of personal data, which violated pre-existing contracts or applicable laws.
Some cases require only the structure and drafting of a service agreement, while others require putting together a more complex web of contracts, policies, and procedures, in order to ensure compliance with different applicable laws.
We assist companies in:
- Evaluating the applicable legal or contractual restrictions that apply to their proposed data transfers or data sharing;
- Performing the related due diligence;
- Structuring and negotiating the applicable contracts;
- Filing the appropriate documentation with the regulatory agencies;
- Preparing the relevant written records needed to show their compliance with applicable laws.
Examples of assignments on which we have worked include:
- Sharing of personal data between affiliate companies regulated under the Gramm-Leach-Bliley Act;
- Drafting contracts and policies for third-party access to a global database, where the third parties were located throughout the world;
- Transfer of employee personal data in connection with mergers and acquisitions;
- Business associate agreements under HIPAA and the HITECH Act;
- Addressing the restrictions to data transfers under the laws of several EU countries, where the service provider and the clients were located in different countries;
- Preparation of joint marketing and promotion campaigns where personal data are shared with affiliated entities of regulated companies;
- Preparation of marketing and promotion campaigns where personal data are shared with a sweepstakes provider.