Politicians in both the European Union and United States touted Tuesday’s agreement on a new “Privacy Shield” for EU-U.S. data transfers as a resolution to the data transfer quagmire that has faced companies since the EU-U.S. Safe Harbor was invalidated in October. While this new deal is a promising step in the right direction for companies that transfer data from the EU to the United States, there are still many questions about exactly what the requirements of the new Privacy Shield will be, how an American company can ensure compliance with those requirements and (perhaps most importantly) whether the European Court of Justice will validate the new rules.

Indeed, the deal heralded by politicians on both sides of the Atlantic appears to be only a high-level agreement—they expect to document the actual terms over the next few weeks (the Article 29 Working Party (WP29), the body made up of representatives of individual European Member States’ data protection authorities, has called for it to be fully documented by the end of February). Thus, we anticipate quite a bit more negotiation on the precise scope and language of the requirements. Meanwhile, WP29, which had been assessing data transfer mechanisms like standard contractual clauses and model contracts for possible flaws that would lead to enforcement actions, announced that it will not take enforcement actions based on its concerns about these mechanisms while it awaits the details of the new transfer deal.

In a well-reasoned decision that is encouraging for Internet businesses, the Northern District of Illinois recently found that even operating one of the largest, most popular websites in the world is not enough to create personal jurisdiction everywhere the site can be accessed. See Gullen v. Facebook, Inc., Case No. 15-cv-07681 (Jan. 21, 2016

President Obama signed an executive order enabling the administration to mete out harsh penalties against foreigners who perpetrate malicious cyberattacks that significantly threaten the national security, foreign policy, economic health or financial stability of the United States.

After a marked increase in the frequency and sophistication of high-profile foreign cyberattacks targeting U.S. businesses, companies have asked the U.S. government to strengthen its deterrents against cyberattacks, especially those that are state-sponsored. The order expands the set of tools available to the government by declaring “significant malicious cyber-enabled activities” a “national emergency” and empowering the Treasury Department to freeze assets and impose other sanctions on foreigners participating in cyberattacks. These sanctions are calculated to deter cyberattacks by removing attackers’ economic incentives.