Data Retention under the GDPR

The impact of the GDPR on US companies will be significant. One of the most difficult issues to overcome will be data retention. Creating a data retention policy is easy; implementing it will be significantly more difficult. Article 5(1)(e) sets forth the storage limitation principle: personal data may be kept in a form that identifies the data subject for no longer than is necessary for the purposes for which it was collected. Prolonged storage is permitted if the data is anonymized so that the data subject can no longer be identified, but a failure to delete or anonymize data on time can trigger significant administrative fines for noncompliance.

Personal information is collected through external processes, for example lead generation, consumer profiling, media pitching and database management, and through internal processes, for example recruitment, hiring and vendor relationships. The GDPR requires companies to maintain higher standards of transparency, security and accountability in the way they collect, use and store data. For each class of data collected (customers, employees, etc.) a company should prepare a written justification setting out why the data is needed, how long it will be kept and when it will be deleted. Fines are steep.

Understanding what data may be kept, what data must be deleted, and when, is one of the biggest hurdles to compliance. Many companies have maintained a central database while also allowing copies of the data to be stored on employee laptops. That practice must be replaced with strict policies and a central repository in which each category of data is clearly identified and carries its own deletion deadline, so that expired data can actually be found and removed.
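The paragraph above describes the target state (categories with their own deadlines, enforced centrally) but not how a retention job would actually run. The following is an added illustration, not code or guidance from the original page: a small retention enforcer that walks a repository of records, looks up each record's category, and either keeps, anonymizes or deletes it according to a per-category rule. The categories, retention periods and sample records are invented for the example and are not legal advice; real periods must come from the justification prepared for each class of data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Per-category retention rules: (retention period, action once expired).
# The periods below are assumptions made up for this example, not legal guidance.
RETENTION_RULES: Dict[str, Tuple[timedelta, str]] = {
    "customer": (timedelta(days=365 * 2), "anonymize"),  # keep aggregate statistics
    "lead":     (timedelta(days=180),     "delete"),
    "employee": (timedelta(days=365 * 7), "delete"),
    "vendor":   (timedelta(days=365 * 3), "anonymize"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    name: str
    email: str
    collected_on: date
    # The retention clock starts when the purpose ends (e.g. contract terminated),
    # falling back to the collection date when no such event has been recorded.
    purpose_ended_on: Optional[date] = None


def retention_deadline(rec: Record) -> date:
    """Date after which the record may no longer be kept in identifiable form."""
    period, _ = RETENTION_RULES[rec.category]
    start = rec.purpose_ended_on or rec.collected_on
    return start + period


def anonymize(rec: Record) -> dict:
    """Irreversibly strip identifiers, keeping only non-identifying aggregates.

    Note: hashing the e-mail address would only pseudonymize the record (anyone
    holding the address could recompute the hash), so identifiers are dropped
    entirely rather than hashed.
    """
    return {"category": rec.category, "collected_year": rec.collected_on.year}


def apply_retention(records: List[Record], today: date):
    """Split records into (kept, anonymized, deleted_ids) as of `today`.

    Raises ValueError for a category without a rule: an unclassified record is a
    policy gap that should be surfaced, not silently retained.
    """
    kept: List[Record] = []
    anonymized: List[dict] = []
    deleted_ids: List[str] = []
    for rec in records:
        if rec.category not in RETENTION_RULES:
            raise ValueError(f"no retention rule for category {rec.category!r}")
        _, action = RETENTION_RULES[rec.category]
        if today < retention_deadline(rec):
            kept.append(rec)
        elif action == "anonymize":
            anonymized.append(anonymize(rec))
        else:
            deleted_ids.append(rec.record_id)
    return kept, anonymized, deleted_ids


def upcoming_deadlines(records: List[Record]) -> List[Tuple[str, date]]:
    """Deadlines for the records still held, soonest first, for the retention report."""
    return sorted((r.record_id, retention_deadline(r)) for r in records)


# Constructed sample repository (fictitious people and dates).
SAMPLE_RECORDS = [
    Record("r1", "customer", "A. Example", "a@example.com", date(2015, 1, 1)),
    Record("r2", "lead",     "B. Example", "b@example.com", date(2018, 3, 1)),
    Record("r3", "lead",     "C. Example", "c@example.com", date(2017, 10, 1)),
    Record("r4", "employee", "D. Example", "d@example.com", date(2010, 5, 1),
           purpose_ended_on=date(2012, 1, 15)),
]

if __name__ == "__main__":
    kept, anon, deleted = apply_retention(SAMPLE_RECORDS, date(2018, 6, 1))
    print("kept:", [r.record_id for r in kept])
    print("anonymized:", anon)
    print("deleted:", deleted)
    print("next deadlines:", upcoming_deadlines(kept))
```

Run as of 1 June 2018, the job keeps the fresh lead and the former employee (whose clock started when employment ended, not when the data was collected), reduces the old customer record to a category and year, and deletes the stale lead. The report of upcoming deadlines is what a compliance owner would review to confirm the policy is actually being executed rather than merely written.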

Let us help you with this hurdle to GDPR compliance.


Notifiable Data Breach Scheme goes Live in Australia

The Notifiable Data Breaches (NDB) scheme took effect on February 22, 2018. It requires agencies and organizations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of the breach. The notification must include recommendations about the steps individuals should take in response. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches; the Office of the Australian Information Commissioner publishes the online form to be used for that notification.

When a breach is suspected, the organization must carry out a prompt assessment to determine whether it is likely to result in serious harm to any affected individual and therefore whether notification is required; the Privacy Act expects that assessment to be completed within 30 days. "Serious harm" is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial or reputational harm.

The first step in deciding whether an eligible data breach has occurred is to consider whether there has been a data breach at all; that is, unauthorized access to, or unauthorized disclosure of, personal information, or a loss of personal information (s 26WE(2)). The Privacy Act 1988 (Cth) (Privacy Act) does not define these terms; however, the Office of the Australian Information Commissioner provides some guidance through examples.


Global business means global contracts. Often the parties are resident or domiciled in different countries. As laws and legal language differ from country to country, contracts need to use language that accommodates and clarifies provisions that might not be familiar in the foreign jurisdiction. In addition, the cost of litigating in a foreign jurisdiction can exceed all expectations and is therefore difficult to quantify.

The choice of law can be dictated by the contract itself, yet the chosen law can differ from the place chosen for resolution of a dispute. Thus a foreign court could be in the position of, for example, an English court interpreting U.S. law. In this example, parties before an English court are permitted to present experts to assist the court in interpreting U.S. law. This can become a battle of the experts.

Where a standard form is used, it is meant to carry a uniform interpretation and so provide some certainty. Foreign courts, however, are not necessarily familiar with that uniform interpretation and may alter the operation and effect of the underlying agreement.

Contracts provide certainty in business. Such potential alteration eliminates that certainty and creates risk that is difficult to quantify. With regard to specific provisions, U.S. courts generally take a broad view of contract provisions and are willing to imply terms, for example a duty of good faith, whereas courts in other jurisdictions are not willing to imply what is not spelled out in specific language. Interpretations also vary with regard to specific legal concepts. "Gross negligence" is a well-recognized legal concept in U.S. law; in England, for example, there is no distinct concept of gross negligence, and the idea is instead expressed as serious error or conduct falling significantly short of expectations.

Whenever possible, check with a lawyer in the foreign jurisdiction to ensure the differences are fully understood and clarified. Draft provisions carefully, keeping in mind that a foreign court may be the one interpreting the terms should a dispute arise.

EU-US Privacy Shield: Legal Certainty for US Companies

A new data privacy protection agreement has been tentatively reached between the U.S. and the EU. The new agreement, to be called the "EU-US Privacy Shield", replaces the 15-year-old EU-US Safe Harbor Program that US companies have relied on for legal certainty when transferring personal data from the EU to the US. The EU-US Safe Harbor was struck down late last year as not providing sufficient protection of personal information.

One of the most difficult obstacles to overcome in reaching the new agreement was the scope of access to and transfer of personal data by U.S. government intelligence agencies. The new agreement should replace the current uncertainty with clearer limitations on such access and with robust oversight and enforcement powers given to the Federal Trade Commission. US companies will be subject to rigorous obligations on data processing that guarantee individual rights. The agreement also provides new redress options to any EU citizen who believes their personal information has been misused.

The EU-US Privacy Shield must now be approved by the European Union's 28 member states. There will be both detractors and advocates, but it is nevertheless expected to pass muster. Details of the new agreement should be drafted over the next two weeks and, if approved, it would take effect from early April.


Non-disclosure, confidentiality and proprietary information agreements are among the most frequently used agreements in business today. Businesses entering into a new relationship, or extending the scope of an ongoing relationship with clients, vendors or customers, will often require a formal agreement between the parties governing the use and further disclosure of confidential information.

Confidential information can include a myriad of material, from intellectual property, source code, financial information and trade secrets to employee names and salary data, client names, methodologies or any other information that is not publicly available. These agreements are widely required before such information is disclosed by a disclosing party, and can be one-sided or mutual. The term usually extends for some period of years beyond the end of the relationship.

Customary provisions include:

  1. the purpose of the disclosure of confidential information;
  2. the type of information being disclosed;
  3. restrictions regarding onward disclosures;
  4. permitted use of information disclosed;
  5. restatement of ownership and whether disclosure grants a license;
  6. standard of care;
  7. disclaimer as to the accuracy;
  8. term and termination;
  9. return or destruction of confidential information in tangible form; and deletion if disclosure was in intangible form;
  10. consequences for breach;
  11. general clauses regarding assignment, choice of law etc.

Among the most controversial provisions is what happens in the event of a breach.  What happens when, for example, confidential information is made public or misused by a receiving company?  First, here’s an example of a typical provision regarding breach:

  ” A breach of any of the promises or agreements contained herein will result in  irreparable and continuing damage to Discloser for which there will be no adequate remedy at law, and Discloser shall be entitled to injunctive relief and/or a decree for specific performance, and such other relief as may be proper (including monetary damages if appropriate).”[1]

The purpose of injunctive relief and specific performance is to halt further disclosure or misuse of confidential information. Monetary damages, on the other hand, go to the heart of the harm: their purpose is to compensate the disclosing company for the loss suffered from any prohibited disclosure. There are two types of monetary damages, direct and indirect. Direct damages are the reasonable and ordinary damages that may be expected from a breach; indirect damages compensate for the unexpected consequences, including lost profits, lost use, reduction in value of the confidential information, and loss of goodwill or customer business. Indirect or consequential damages represent a much higher exposure since they are difficult to predict and, more importantly, to quantify.

Disclosing parties want to keep indirect damage provisions in the non-disclosure agreement and receiving parties want them out. Best practice is to define "direct damages" to include some of the types of loss that a disclosing party might expect from a prohibited disclosure or misuse. In this way some indirect damages are re-characterized as direct damages. The more closely damages can be quantified, the more likely an agreement will be reached. In addition, a receiving party may insist on a shorter term during which it is bound to hold the information confidential, or ask that the discloser waive the need for a bond when seeking injunctive relief.

In the current business climate non-disclosure agreements are used constantly, but standard versions no longer adequately protect both parties; each use should be reviewed and adjusted to suit its purpose. As this is one of the most important agreements used every day by many businesses, it deserves a bit more attention to detail.


[1] This is a very general example, and the language will vary depending on the parties, the information disclosed and a number of other factors.

How changes to UK Consumer Law affect ecommerce businesses

Effective earlier this year, the UK Consumer Contracts Regulations came into force, replacing the prior law on distance selling. Ecommerce businesses selling to UK customers will now need to review and update their sales process, terms and conditions of sale and refund policies to comply with the new regulations.

The Regulations implement the EU Consumer Rights Directive (Directive 2011/83/EU). The Directive applies to all consumer contracts for goods and services, and most particularly to online sales. The new regulations set out the information that must be provided to customers before the goods or services are purchased:

1. A specific description of the goods or services and the length of time any commitment on the part of the customer will last.

2. The total price of the goods or services, or manner in which the price will be calculated.

3. The cost of delivery and if the customer returns items, who will be responsible for the price of any return shipment.

4. Order cancellation details. Under the new rules the customer has no less than 14 days following receipt of the goods in which to cancel, an increase from the 7 days mandated under the prior law. There are exceptions to the 14-day right to cancel, including CDs, DVDs or software once the wrapping seal is broken, perishable goods, and tailor-made or personalized goods.

5. Information about the seller of the goods or services, including its geographical address and telephone number.

6. If the product is digital content, then the seller must provide information on the compatibility of the content with hardware and other software.

Sellers will no longer be able to charge a customer for an add-on selected on the customer's behalf by a pre-ticked box; the customer must actively tick the box. Finally, premium-rate telephone numbers for help lines or other customer contact during the sales and return periods are no longer permitted.

The bottom line is that ecommerce companies selling to UK customers should review and, if necessary, revise their terms and conditions of sale to ensure compliance with the new regulations. Failure to comply may render contracts unenforceable, and criminal penalties may be imposed. Please let us know if you need any assistance or would like to discuss these new regulations to ensure your compliance.

The EU Network and Information Security Directive: U.S. Companies Take Note

Preventing or minimizing business risk should help maximize profits, but unexpected losses from cyber security incidents can be costly to both businesses and affected consumers. The European Commission has finally addressed this rising issue with a new draft Directive, the Network and Information Security Directive ("NIS Directive"). The intent behind the Directive is to raise the level of network and information security across the EU by requiring Member States to ensure that operators of essential services and digital service providers adopt higher standards for managing and reporting cyber security incidents.

The NIS Directive requires each Member State to adopt a national network and information security strategy, to implement regulations ensuring a high level of network security, and to designate a national competent authority to monitor and enforce those regulations. Member States are also required to cooperate and share information with one another.

Operators of essential services, including energy, transport, finance, health, drinking water and digital infrastructure, will be obliged to take measures to prevent and minimize the impact of cyber security attacks on their network and information systems. This will also apply to many third-party digital service providers relied on by the identified essential services. The affected providers must have an incident management process sufficient to report, monitor, audit and continuously test their systems and to ensure continuity of the services provided. Sanctions must be put in place to promote compliance, although it is not yet known what those sanctions might be.

So why should U.S. companies take any notice of the NIS Directive? With the recent invalidation of the EU-U.S. Safe Harbor and the lack of a clear-cut replacement, U.S. companies doing business in the EU, whether through ecommerce or more traditional channels, would be wise to take steps to meet the minimum thresholds set by the Member States' regulations implementing the NIS Directive. Any EU legislation setting minimum thresholds for data privacy or security is likely to displace the self-certification model of the EU-U.S. Safe Harbor.

If you would like further information, have any questions or concerns please contact us.

Data Privacy and Security: The Demise of the EU-U.S. Safe Harbor

The lack of a cohesive body of data privacy and security law in the U.S. created problems for transfers of EU citizens' personal information to U.S. companies. The EU-U.S. Safe Harbor was created to address this and is administered by the U.S. Department of Commerce. Under the Safe Harbor, U.S. companies could self-certify compliance with minimum standards of data privacy and security, and the EU deemed those companies' efforts adequate to meet EU data protection principles (set out in both Directives and regulations). Late in 2015 the European Court of Justice issued a judgment declaring the Safe Harbor decision invalid. This is cause for concern, as U.S. companies may discover that they are no longer compliant with EU data protection principles even though they have self-certified under the Safe Harbor. Nevertheless, the Department of Commerce continues to allow U.S. companies to register and self-certify in the Safe Harbor program while a new solution with tighter controls is sought.

In the meantime, companies of all sizes should be reviewing their current practices and those of any third-party service providers they use, including cloud services. Be ready to take action. Approximately one third of all transfers of personal information take place between the U.S. and the EU. The EU General Data Protection Regulation (GDPR), set to apply from 2018, imposes more rigorous requirements for consent to collect personal data, for handling requests to remove personal information from servers, and for enforcement of complaints. The object of the GDPR is to ensure strict levels of security without impeding market growth for businesses. Failure to comply may result in fines of up to 4% of a company's global annual revenue.

Although the GDPR isn't scheduled to take effect for some time, moving to best practices now and implementing the changes that will ensure future compliance is necessary. Don't wait until the Regulation becomes effective: the invalidation of the Safe Harbor can, and likely will, trigger lawsuits against U.S. companies regardless of whether they have self-certified under the Safe Harbor.

Don’t be left behind and leave your company exposed.



U.S. citizens and permanent residents are required to report all income wherever earned, together with the existence of foreign accounts and certain investments. In an effort to prevent U.S. citizens and permanent residents from avoiding taxation of foreign-held assets, the U.S. government has obtained the agreement of many foreign governments to require local financial institutions to report account existence and activity. FATCA, the Foreign Account Tax Compliance Act, requires financial institutions that offer accounts to U.S. citizens and permanent residents to identify those accounts and report account information to the Internal Revenue Service. As a result, FATCA has made it increasingly difficult to open a foreign account: foreign financial institutions must undertake these reporting efforts at their own expense, so opening such an account has become extremely difficult and, often, those accounts are simply no longer available.

Financial institutions, including banks, stock brokers, insurance companies and mutual fund companies, are now required to report the following assets owned by U.S. citizens and permanent residents: cash accounts, stocks, bonds, options, derivatives, mutual funds, interests in foreign partnerships, pension plans, any financial instrument that has a foreign issuer, and real estate held by a foreign entity. Financial institutions that do not participate are penalized by a withholding tax of 30% on all U.S.-source fixed or determinable, annual or periodic income. Other penalties may also apply, making foreign financial institutions shy away from offering accounts to U.S. citizens and permanent residents.

Some foreign assets are exempt from the FATCA reporting requirements: cash accounts with less than $10,000; gold, silver or other tangible assets held in foreign safe deposit boxes; real estate held in the individual's own name; personal property located in foreign countries, provided it is owned directly in the individual's name; and some foreign investments held by a retirement plan, IRA, SEP or 401(k).

Investments in foreign countries are a good way to diversify your portfolio and can provide excellent returns. If this strategy is attractive to you, consider investing in real estate or obtaining a safe deposit box in which to accumulate gold, silver or other tangible assets such as diamonds or other gems. Please contact us if you have any questions or would like to discuss your options for foreign investment.


Tips For Drafting Enforceable Contracts

Ensuring your Contracts are Enforceable.

Often when negotiating a contract the parties are on friendly terms and understand the intention behind each provision, whether express or implied. The difficulty arises somewhere down the road should the parties dispute the meaning of one or more of those terms. When drafting a contract you should be keenly aware that it will likely be construed by a court that has little knowledge of the parties' intentions and will assess the contractual language objectively, setting aside any subjective notion of what the parties meant.

Although the court is entitled to consider the objective commercial purpose of the transaction, its origin and often its context in the marketplace, it is prevented from looking at prior drafts, notes, emails or other evidence of the negotiations. The court gives the contractual language its clear and natural meaning and relies on the express terms as drafted, supplying clarity to those terms whose lack of clarity gave rise to the dispute.

There is some precedent for a court recognizing implied terms, but only in very specific and highly restricted circumstances. The court will not conclude that a term is implied unless a reasonable reader would consider it so obvious as to go without saying, or necessary for business efficacy. The reasonableness standard is not applied lightly; the exercise remains one of construction applying traditional principles of interpretation.

Thus when drafting a contract you should keep in mind both the importance of the language used and what a reasonable reader might regard as obvious and necessary to fulfill the terms of the contract. One example is a fee for early termination of a contract.

Here are a few tips:

  • Draft clearly using plain language and eliminate any ambiguity
  • Address issues that may be implied by the circumstances
  • Define the meaning of specific words to avoid confusion later
  • Use recitals to outline the background; the more detail set out, the more information the court has to determine the relevant circumstances
  • When specifying dates, monetary payments, cure periods etc., be very specific rather than relying on language such as "on or before" or "commencing on"
  • When reviewing make certain there are no conflicts between the various provisions
  • Ensure all section/provision number references are correct

Please contact us if you would like any assistance with drafting your contracts, we would be happy to help.