AUTHOR ARCHIVES: Michael Young

Michael Young

Michael Young’s practice focuses primarily on data privacy and security as a member of the firm’s Technology, Privacy & IP Transactions Group. Read more→

In Order, FTC Recognizes Lower Notice Requirements for “Consumer-Expected” Data Collection

Posted on: 05 Mar 2018

Last week, the Federal Trade Commission granted a petition by Sears Holding Management seeking modification of a 2009 Commission Order. The notable 2009 Order settled allegations that Sears had improperly failed to provide notice regarding data collection by certain software the company offered to consumers. Sears argued that the 2009 Order placed it at a “competitive disadvantage” in the mobile application marketplace. The now-modified Order enables Sears to conduct certain “consumer-expected” forms of data collection and use without requiring heightened notice or consent under the 2009 […] Read more

EU DPAs and the Future of Privacy Shield

Posted on: 14 Dec 2017

The Article 29 Working Party group (WP29) of European data protection authorities recently announced that they will legally challenge the adequacy of the Privacy Shield Framework unless the U.S. government addresses certain “prioritized concerns” by May 25, 2018. Privacy Shield provides a framework which helps over 2500+ participating U.S. companies legally transfer EU personal data to the United States. The WP29 announcement follows a report and press release from the European Commission in October which stated that “the Privacy shield continues to ensure an adequate level of protection.” […] Read more

FTC Announces First Privacy Shield Enforcement Actions

Posted on: 15 Sep 2017

The Federal Trade Commission recently announced that it had settled charges against three companies alleged to have falsely claimed participation in Privacy Shield. Privacy Shield supports EU – U.S. transfers of personal data by helping U.S. companies demonstrate compliance with European Union data transfer rules. Companies participating in the program commit to meet specific program requirements designed to protect and limit use of personal data. These requirements include notice, choice, controls on onward transfers of data, independent recourse, and data security. Privacy Shield also requires […] Read more

FTC Updates Data Security Guidance for Businesses

Posted on: 02 Aug 2017

In June, the Federal Trade Commission released a new guide for businesses on implementing sound data security protections and procedures. In “Protecting Personal Information: A Guide For Business,” the FTC offers “10 practical lessons” based on the numerous enforcement actions brought by the FTC. The guide offers insight into the thinking of this key federal regulator. Key points from the guide: “Start with Security.” Build information security considerations into business processes so that they are part of “the decisionmaking in every department of your business.” The FTC […] Read more

AG Empowers EU Privacy Suits with Redress Act Designations

Posted on: 19 Jan 2017

Earlier this week, the U.S. Attorney General designated 26 countries and the European Union as “covered countr[ies]” under the Judicial Redress Act. The Attorney General has simultaneously designated 13 “Federal agenc[ies] or component[s]” under the Act. These designations enable citizens of the “covered countr[ies]” to sue and seek remedies in U.S. court if one of the designated “Federal agenc[ies] or component[s]” violates the Privacy Act of 1974. The Privacy Act protects against intentional or willful unlawful disclosure of covered records containing personal information and […] Read more

Swiss-U.S. Privacy Shield Finalized

Posted on: 16 Jan 2017

On January 11, U.S. and Swiss authorities announced final agreement on the Swiss-U.S. Privacy Shield Framework. The Framework defines standards for handling personal data exported from Switzerland to the U.S. and enables U.S. companies to meet Swiss legal requirements to protect personal data transferred from Switzerland. The Framework is a successor to the former Swiss-U.S. Safe Harbor framework, which was declared invalid by the Swiss data protection commissioner following the invalidation of Safe Harbor by the European Court of Justice.   U.S. companies may participate in the Framework […] Read more

Alston & Bird Issues Advisory on Six Myths of Breach Response

Posted on: 13 Jul 2016

Alston & Bird recently issued an Advisory entitled “Six Myths of Breach Response,” authored by Jim Harvey. As data breaches are on the rise, so are the challenges that businesses face in handling these security incidents. This Advisory identifies six strategic pitfalls to avoid when responding to breaches. The Advisory addresses the true significance of public notification, common mistakes in preserving attorney-client privilege, and tough choices regarding the selection of public relation, investigative, and legal counsel. Jim Harvey co-chairs Alston & Bird’s Cybersecurity Preparedness […] Read more

Turkey’s New Data Protection Law

Posted on: 14 Apr 2016

Turkey’s new “Law on the Protection of Personal Data” has entered into effect following passage by the Turkish Parliament in late March and official publication last week.  The Data Protection Law adopts a broadly European model for data protection and helps clarify key aspects of the regulation of personal data under Turkish law. This blog post examines the law and highlights certain important provisions. Scope The Data Protection Law applies to the “personal data” of natural persons where that personal data is processed “wholly or partly by automatic means,” and to non-automatic […] Read more

CFPB Brings First Enforcement Action on Data Security

Posted on: 04 Mar 2016

On March 2, the federal Consumer Financial Protection Bureau (CFPB) for the first time brought an enforcement action related to data security. The CFPB consent order imposes a $100,000 fine and five years of regulatory oversight for online payments provider Dwolla. The action sends a clear message that the CFPB intends to actively regulate the data security representations of consumer finance service providers. The CFP Act, passed in 2010 as part of the Dodd-Frank Act, grants the CFPB authority to take action to prevent “a covered person or service provider from committing or engaging in an […] Read more

Judicial Redress Act Enacted

Posted on: 25 Feb 2016

Yesterday evening, President Obama signed the Judicial Redress Act (“the Act”) into law. The Act extends the 1974 “Privacy Act” and provides qualifying non-U.S. individuals with limited rights to review, copy, and request amendments to records about themselves maintained by federal government agencies. We previously examined a draft of the bill on this blog here. As previously explained, the Act only extends Privacy Act protections to citizens of “covered countries” which have “effectively shared” information with the U.S. for law enforcement purposes. The Act signed by President […] Read more