Information Law

Data Mining and GDPR Compliance: Dealing with Obtaining EU Personal Information from Third Parties Under the GDPR (Including a Notification Checklist!)

As the effective date of the General Data Protection Regulation (GDPR) draws near, companies that collect, process, and use data relating to EU citizens need to be thinking proactively about issues they will face under the new directive. This post summarizes the discrete issue of how companies should start to manage data mining and data usage activities. Stay tuned as we continue to keep you updated in this space.

As most are probably by now aware, the GDPR seeks to regulate the use and disclosure of the personal data of all individuals within the 28 EU member states. Though passed into law in May 2016, it does not become enforceable until May 25, 2018. Unlike most privacy regulations in the U.S., the EU defines the term “personal data” broadly—it includes “any information relating to an identified or identifiable natural person (the ‘data subject’).” This means that even the most basic contact information, such as business card details or simply a name and email address, falls under the GDPR’s protections. Public sources of information, such as a residential phone listing, are not exempted from the GDPR’s restrictions.

To legally handle EU personal information harvested from third-party sources after May 25, … Keep reading

Test Your GDPR Preparedness: 7 Questions to Ask Your Team

With only 100 days to go until the General Data Protection Regulation becomes enforceable on May 25, it is increasingly imperative for organizations that process information relating to an identified/identifiable European person to have a firm grasp on what the regulation entails, as well as any associated impacts on business that can be reasonably expected. Here are seven key questions to ask yourself, your team, or your project manager, to gauge how prepared your organization is to meet the requirements under the GDPR.

  1. Has our data been inventoried and mapped, such that we have a complete understanding of our data flow?

An essential prerequisite to developing a GDPR compliance plan is to have a detailed understanding of the lifecycle of the personal data processed by the organization. It is impractical to implement a reasonable GDPR compliance plan if the organization does not thoroughly understand the personal information it processes, how it was collected, where it is stored, and where and to whom it is transferred. The GDPR identifies specific categories of information that it expects organizations to keep records on, with respect to data processing.

  1. When personal information about people is collected indirectly from third-party sources (e.g., public databases,

Keep reading

You Can Trademark That?  They Can Own What? Who Knew?

There are many reasons we have IP laws – but primary among them is to encourage creative types like artists and inventors to profit from their efforts by way of royalties or exclusive rights.  To encourage those efforts, the intellectual property laws give authors and creators a relative monopoly over something they’ve created – a trademark, an invention, a script, a computer program, etc.  It’s like society is saying “you made it, so you can own it – at least for a while…”

But a natural tension immediately presents itself when we grant these exclusive rights.  Our culture wants to embrace, use and assimilate all that is cutting edge and new without having to ask for permission.  We take – no, we borrow Pharrell Williams’  “Happy” riffs and make them background music to our YouTube® videos of our cats and our dogs.  We expropriate “just a” screen capture from the Godzilla movie and create e-cards or embed them on our Facebook® pages.  Our post-90s, crowd sourced, media-centered sensibility has created this “if it’s out there it must be free” (or “it wants to be free”) ethos … Keep reading

Why or what or who is Lex Indicium?  Roughly translated, and with apologies to the classical scholars who may happen upon this blog, Lex Indicium means “law of information,” or “law of data” in Latin.  In a broad sense, the “law” that applies to data, and/or rights in data or information is what this blog seeks to explore.  In my law practice, I might say that I am an “intellectual property lawyer, who specializes in trademarks, copyrights, and information law.”  But my passion and interest have been drawn to this craft by fundamental questions  – “who owns or should own information—any information, be it text, raw factual data, art, etc?  Should it be free or should it be exploitable and monopolized and monetized?  And which answers lead to the greatest good for society?”
Since I began practicing law almost 20 years ago these questions really have been asked repeatedly in the context of one burgeoning cultural phenomenon known as digital technology—which technology has had one primary (and largely freely available) medium– the internet.  But the questions themselves and the issues that flow from them are ancient, stretching back to ancient times.  This, combined with my own background in … Keep reading