After nine months of intense negotiations and uncertainty, and despite ongoing criticisms from powerful data protection regulators, the new EU-U.S. Privacy Shield program went into effect this week as the U.S. Department of Commerce began accepting applications online. Some companies that are self-certifying their compliance have already submitted their documentation and many more are expected to do so in the coming days and weeks as they seek shelter under the replacement for the long-standing EU-U.S. Safe Harbor arrangement that was invalidated by the European Court of Justice last year.

Companies can now “sign up” for the Privacy Shield list, but they should not expect a rubber stamp from the Commerce Department just because they have self-certified. To ensure that their applications are approved, companies should take the following steps:

  • Confirm that they are eligible to participate—not all organizations are. Only companies subject to the jurisdiction of the FTC or the DOT may participate at this time
  • Develop a Privacy Shield-compliant privacy policy statement
  • Identify their independent recourse mechanism—under the new framework, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual
  • Ensure that they have compliance verification mechanisms in place
  • Designate contacts within their organizations to serve as liaisons regarding the Privacy Shield
  • Review the information required to self-certify
  • Go online to www.privacyshield.gov to self-certify


Continue Reading

Last week, the European Commission unveiled the latest documentation related to the EU-U.S. Privacy Shield intended to restore trust in transatlantic data transfer and establish a mechanism for U.S. companies to once again transfer data from the EU with confidence. We wrote last month about the initial announcement of the Privacy Shield but expressed caution

Politicians in both the European Union and United States touted Tuesday’s agreement on a new “Privacy Shield” for EU-U.S. data transfers as a resolution to the data transfer quagmire that has faced companies since the EU-U.S. Safe Harbor was invalidated in October. While this new deal is a promising step in the right direction for companies that transfer data from the EU to the United States, there are still many questions about exactly what the requirements of the new Privacy Shield will be, how an American company can ensure compliance with those requirements and (perhaps most importantly) whether the European Court of Justice will validate the new rules.

Indeed, the deal heralded by politicians on both sides of the Atlantic appears to be only a high-level agreement—they expect to document the actual terms over the next few weeks (the Article 29 Working Party (WP29), the body made up of representatives of individual European Member States’ data protection authorities, has called for it to be fully documented by the end of February). Thus, we anticipate quite a bit more negotiation on the precise scope and language of the requirements. Meanwhile, WP29, which had been assessing data transfer mechanisms like standard contractual clauses and model contracts for possible flaws that would lead to enforcement actions, announced that it will not take enforcement actions based on its concerns about these mechanisms while it awaits the details of the new transfer deal.
Continue Reading

In a well-reasoned and encouraging decision to Internet businesses, the Northern District of Illinois recently found that even operating one of the largest, most popular websites in the world is not enough to create personal jurisdiction everywhere the site can be accessed. See Gullen v. Facebook, Inc., Case No. 15-cv-07681 (Jan. 21, 2016

By now, most attorneys who handle class action litigation are familiar with the defense strategy commonly known as “mooting.”(This terminology is, frankly, imprecise, but we will save the semantics discussion for another day.) The cautious plaintiffs’ attorney will file a cursory motion for class certification with the complaint to minimize the likelihood of mooting.The defense attorney will serve an offer of judgment for full relief as soon as possible and immediately move to dismiss. But in light of conflicting circuit court decisions, the legal landscape is unclear on the ultimate effect of these maneuvers. Luckily, we’re here to help.
Continue Reading

In a decision subject to surprisingly little commentary by TCPA pundits, the Illinois Court of Appeals handed a significant victory to TCPA defense lawyers in November 2014 on the issue of “mooting” a putative class representative’s individual claim. See Ballard RN Ctr., Inc. v. Kohll’s Pharm. & Homecare, Inc., 2014 IL App. (1st) 131543 (2014). Despite the fact that the plaintiff had filed a motion for class certification before an offer of full and complete individual relief by the defendant, the court found that the plaintiff’s individual TCPA claim was still “mooted” because the motion for class certification that the plaintiff had filed was cursory and devoid of facts.  Id. at P59.

According to the court, “[I]f a putative class action plaintiff could circumvent the holding of Barber merely by filing a contentless ‘shell’ motion for class certification contemporaneously with its complaint, then it would effectively eviscerate the Barber decision.” Id. (referring to Barber v. American Airlines, Inc., 241 Ill. 2d 450, 455 (2011) (holding that class representative’s claim is moot when defendant offers full and complete relief before filing of motion for class certification)).
Continue Reading