The FirmAttorneysPracticesRecruiting
Willkie Farr & Gallagher LLP
New YorkWashingtonParisLondonMilanRomeFrankfurtBrussels
alliance Dickson Minto W.S.

Print PageEmail Page

Communications & Media | Data Privacy & Security

Data Privacy & Security

Our Data Privacy & Security practice includes partners, counsel, and associates in our Washington, DC, New York, and European offices with expertise in all aspects of U.S. and international data privacy, data security, and data breach law. Our attorneys represent a broad range of longstanding and new clients in various industries to assist with their privacy compliance, security breach, internal investigation, and enforcement matters. We have longstanding relationships with privacy law experts in all countries of the world, and we are often called on to manage local counsel in various countries for clients seeking global privacy and/or marketing compliance solutions.

Our Clients

Privacy and data security are essential elements of corporate risk management for companies in all industries. Our Data Privacy & Security Group has a long and successful history representing a diverse set of small, medium-sized, and large clients, including financial institutions, cable operators, cloud computing vendors, telecommunications providers, mutual funds and hedge funds, information services providers, software developers, hardware manufacturers, video programming networks and other media organizations, accounting firms, publishers, retailers, insurance companies, and industry trade associations.

Our Expertise

We offer our clients a wide array of privacy and data security counseling services, as well as transactional and litigation expertise. For example, we have:

  • provided opinions on whether certain privacy and data security laws apply to a particular client given its business focus;

  • developed comprehensive strategies and policies for ongoing compliance with various state, federal, and international privacy and data security requirements;

  • managed large multi-jurisdiction analyses involving local counsel from over 100 countries regarding various data privacy, data security, electronic contracting, electronic marketing, and digital signature issues;

  • counseled companies that have experienced data security breaches, and prepared appropriate notifications to customers and to the relevant regulators and law enforcement agencies, to ensure compliance with all applicable requirements and avoid litigation and enforcement actions;

  • negotiated complex privacy and data security agreements between Fortune 100 companies;

  • updated clients’ privacy policies, customer agreements, terms of service, service provider contracts, employee manuals, and other key documents, to afford them greater flexibility to use personal information in new ways, consistent with U.S. and foreign data privacy laws, including key requirements and precedent regarding "material changes" to such documents;

  • counseled clients regarding data privacy risks and blocking statute restrictions that must be addressed and navigated in connection with reviewing and transferring personal and other data from the EU to the U.S.;

  • designed appropriate client procedures for responding to government subpoenas and other requests for customer or employee data;

  • guided clients through regulatory approval procedures in connection with M&A transactions, and advised these clients on the impact of privacy and data security issues that increasingly arise in complex deal negotiations;

  • represented clients in investigations, enforcement actions, and litigation at the federal and state level, including before the Department of Justice (DOJ), the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), the Federal Reserve Board, and the Office of Foreign Assets Control (OFAC);

  • developed user notices and consent forms regarding the use of biometric data and the monitoring of customer and employee communications and online activity (e.g., for purposes of network management or detecting unlawful activity); and

  • assisted entities involved in transactions subject to the Exon-Florio law, including both foreign acquirers and domestic targets, that go through the Committee on Foreign Investment in the United States (CFIUS) national security clearance process. Notably, we have represented data-sensitive companies before CFIUS and in particular in the negotiation of mitigation agreements to address national security concerns, including significant provisions regarding government access to personal data and security incident reports.

We also offer expertise on numerous U.S. federal statutes covering privacy and data security issues, including the following:

  • Children’s Online Privacy Protection Act (COPPA)

  • Communications Act (including cable privacy and telecommunications privacy provisions in Sections 631 and 222)

  • Communications Assistance for Law Enforcement Act (CALEA)

  • Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act

  • Electronic Communications Privacy Act (ECPA) (including wiretapping and Stored Communications Act (SCA) issues)

  • Fair and Accurate Credit Transactions (FACT) Act

  • Fair Credit Reporting Act (FCRA)

  • Foreign Corrupt Practices Act (FCPA)

  • Foreign Intelligence Surveillance Act (FISA)

  • Gramm-Leach-Bliley (GLB) Financial Services Modernization Act

  • Health Insurance Portability and Accountability Act (HIPAA)

  • Right to Financial Privacy Act (RFPA)

  • Sarbanes-Oxley (SOX) Act

Our Data Privacy & Security Group also has experience in analyzing and advising on state laws regarding data breach notification, information security, identity theft, and related issues. We closely monitor proposed and newly enacted state and federal privacy legislation to determine any potential impact on our clients.

Our attorneys have participated in, or advised on, federal and state proceedings regarding numerous issues related to privacy and data security, including:

  • Cloud computing

  • Data brokers

  • GPS user tracking and mobile marketing

  • Identity theft

  • Online tracking and behavioral advertising

  • Opt-in and opt-out choice mechanisms

  • Phishing

  • Product promotions via e-mail, direct mail, and/or telemarketing, including Do-Not-Call registry issues

  • Record retention

  • Spyware
Our International Data Privacy & Security Expertise

Our attorneys also have extensive international privacy and data security expertise through our work with data protection laws and authorities in over 70 countries. We have developed a network of privacy and data security lawyers around the world that allows us to (1) provide our multinational clients with comprehensive advice regarding the collection, storage, processing, safeguarding, and cross-border transfer of personal data and (2) create practical and effective multi-jurisdictional privacy and data security policies and compliance programs.

We have extensive experience analyzing and applying the EU Directives on Data Protection, Electronic Commerce, Privacy and Electronic Communications, and Data Retention, and have registered client databases with data protection authorities in the EU, Africa, Asia, and Central and South America.

We have assisted our clients in obtaining certifications pursuant to the U.S.-EU and U.S.-Switzerland Safe Harbor privacy programs, have drafted EU model data protection contracts, and have analyzed the benefits and drawbacks of binding corporate rules (BCRs) as an alternative way to permit the transfer of personal data from the EU to the United States and other countries.

We have negotiated complex outsourcing agreements involving entities in different countries, including key provisions on the protection of customer and employee data. Our attorneys have represented clients in privacy and data security complaint actions brought by customers or employees, as well as investigations by EU data protection authorities.

In connection with Foreign Corrupt Practices Act (FCPA) and other internal and government-related investigations that we routinely handle, we are increasingly called upon to resolve various privacy and data security issues that arise, typically when the demands of the investigation or the requests and expectations of U.S. regulators conflict with non-U.S. laws, such as data protection laws or blocking statutes that restrict the transfer of personal and other data outside the EU or other countries.