Note: This article is superseded by the more recent Proposed EU Data Protection Regulation – January 25, 2012 Draft: What US Companies Need to Know

The European Commission has just published drafts of the two documents that will form the new legal framework for the protection of personal data throughout the European Economic Area. The draft documents are intended to provide a last opportunity for comments. The final version is expected to be published during the first quarter of 2012, and will come into force two years after publication. Thus, the new rules are currently not expected to be effective before the middle of 2014.

Read more...

In late October 2011, the European Council of Ministers formally adopted the new EU Consumer Rights Directive. The new Directive will drastically affect the rules that apply to online shopping. Numerous provisions will also apply to both the online and the offline markets.

Scope of the Consumer Rights Directive

The Directive is intended to protect “consumers,” i.e., all natural persons who are acting for purposes that are outside

Read more...

While the COPPA Rule is going through a facelift – a final draft is expected to be published in 2012 - the FTC continues its enforcement actions against websites with lax COPPA practices. On November 8, 2011, the FTC announced a proposed settlement with the social networking site, www.skidekids.com, which collected personal information from children without obtaining prior parental consent, in violation of COPPA, and made false statements in its website privacy notice, in violation of the FTC Act.

Read more...

Many companies post on their websites a statement indicating that they care about the privacy of their customers or users, and then describe in general terms their policies with respect to certain categories of personal information. The golden rule for these privacy statements is “Say what you do, and do what you say you do.” Let’s assume that the company actually “said what it does;” that the disclosures in its privacy statement are accurate, complete, and up-to date; and that they clearly describe the company’s commitment to protect personal information. How, then, does it ensure that it “does what it said it does”?

Read more...

How to build cloud applications that anticipate your customers' legal constraints?

To succeed and gain market share, developers of cloud services and cloud-based applications must take into account the compliance needs of their prospective customers. For example, a cloud that offers services to the health profession must anticipate that its customers are required to comply with HIPAA, the HITECH Act, and the applicable medical information state laws. If it fails to do so, it will not be able to sign-up customers. Similarly, a cloud that uses servers that are located throughout the world must be sensitive to the fact that foreign data protection laws will apply, and that these laws have stringent requirements that differ from those in effect in the United States. If you fail to address these obstacles, your potential customers will take their business elsewhere.

Read more...