Personal Data

On the Fifth Day of Data… Reflections and Compliance Advice on the DOJ’s Data Security Program

By Jake Barr & Fran Faircloth on December 18, 2025

As compliance professionals reflect upon the past year, many will look back with frustration on efforts taken to comply with the Department of Justice’s Data Security Program (the “DSP” or “Rule”). Not because the efforts taken were in vain, but because the DSP is one of the most complicated, amorphous, far-reaching, yet impactful U.S. government regulations in recent memory. Any organization that collects or has access to U.S. sensitive personal data—regardless of whether that data is anonymized, pseudonymized, de-identified, or encrypted—should be assessing its compliance with the DSP. In other words, nearly every organization in the U.S. and many outside the U.S. fall under the Rule.Continue Reading On the Fifth Day of Data… Reflections and Compliance Advice on the DOJ’s Data Security Program

In Bloomberg Law, David Peloquin Discusses Bulk Data Transfer Rule Enforcement

By Fran Faircloth & David Peloquin on April 18, 2025

Ropes & Gray’s health care partner, David Peloquin, spoke with Bloomberg Law on the additional DOJ instructions regarding the Biden-era Executive Order 14117. DOJ has provided clarity surrounding the effective date for enforcement, with a promise to delay any enforcement efforts until July 8 for companies that show “good faith efforts to comply.” David…

DOJ Issues Final Rule Restricting Flow of Bulk Sensitive Personal Data to China and Other Countries of Concern

By Edward McNicholas, David Peloquin & Jake Barr on January 9, 2025

On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”). This follows the DOJ’s publication of its Notice of Proposed Rulemaking (“NPRM”) in October 2024…

DOJ Issues Notice of Proposed Rulemaking to Restrict Flow of Bulk Sensitive Personal Data to China and other Countries of Concern

By Fran Faircloth, Edward McNicholas, David Peloquin & Jake Barr on November 4, 2024

On October 29, 2024, the Department of Justice (“DOJ”) published its Notice of Proposed Rulemaking (“NPRM”) to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This follows the DOJ’s publication of its Advance Notice of Proposed Rulemaking earlier this year. …

U.S. Enacts Sweeping Legislation to Restrict Flows of Sensitive Data to the People’s Republic of China and Other Foreign Adversaries

By David Peloquin, Fran Faircloth, Edward McNicholas & Jake Barr on April 26, 2024

On April 24, President Biden signed a sweeping foreign aid bill into law, which included a critical provision covering privacy and data transfers known as the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”). This Act is separate from the TikTok divestment portion of the legislation, which has received far greater attention in the press. …

Increased EU Scrutiny of US Data Transfers Through Cookie Use

By Ropes & Gray on February 7, 2022

Global,Communication,Network,Around,Planet,Earth,In,Space,,Worldwide,Exchange

A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly beginning to weigh in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.
Continue Reading Increased EU Scrutiny of US Data Transfers Through Cookie Use

Closing out the 12 Days of Data: What to Expect in 2022

By Edward McNicholas & Fran Faircloth on December 31, 2021

As 2021 comes to a close, so does our 12 Days of Data series, but we will see you on the other side in 2022 with more posts on the top privacy and data protection issues. 2021 was an interesting year. While vaccinations spread and some sense of normalcy started to return, new strains of COVID-19 led to additional waves of shutdowns that stalled many of the debates. In 2022, we anticipate that the move toward a new normal will continue, and we will once again start to see traction on some of these data, privacy, and cybersecurity issues. As a preview, here are some of the key areas where we expect to see potential developments in 2022.
Continue Reading Closing out the 12 Days of Data: What to Expect in 2022

Recent FTC Settlement with Flo Health Focuses on Notice and Consent for Companies Sharing Sensitive Data

By Fran Faircloth on August 2, 2021

Lock The FTC’s recent settlement with Flo Health, announced on June 22, 2021, offers insights into what practices could invite FTC investigation, especially when companies that collect sensitive information make specific promises about high levels of health privacy and data security. More than 100 million consumers use Flo, an app developed by Flo Health Inc., to help women track their periods and fertility. Although the settlement contains no admissions by Flo, the agency alleged that Flo shared users’ health information with outside data analytics providers; an arrangement that is not uncommon for apps that deal with less-sensitive data, but one which contradicted the company’s promise to keep users’ personal information private.
Continue Reading Recent FTC Settlement with Flo Health Focuses on Notice and Consent for Companies Sharing Sensitive Data

De-stressing Distress Disputes

By Edward Machin on August 2, 2021

There were 887 million reasons why one GDPR story was dominating the press on Friday. But sneaking under the radar was a decision from the English High Court that I reckon should be more interesting to businesses in the UK.

In a nutshell, the High Court rejected a £5,000 claim for distress-related damages brought by an individual whose personal data were involved in a cyber-attack suffered by DSG, a British retailer that operates the Currys PC Worlds and Dixons Travel brands. The claim relied on breach of confidence, misuse of private information, breach of the DPA 1998 and common law negligence, and the judgment is short and easy to digest, so it’s well worth a read.
Continue Reading De-stressing Distress Disputes

Best Practices to Avoid Tax-Related Identity Theft

By Elizabeth Julia Smith on August 2, 2021

What Is Tax-Related Identity Theft?

Fraudulent tax refunds issued as a result of identity theft occur when an individual steals a victim’s personally identifiable information (PII), such as a Social Security number (SSN), and files a tax return claiming to be the victim. More than 89,000 Americans filed complaints with the Federal Trade Commission (FTC) reporting tax fraud linked to identity theft in 2020. Similarly, businesses may also fall victim to tax fraud, where an individual steals a business’s employer identification number (EIN) to file fraudulent returns. In both scenarios, the victims usually discover they have fallen victim to such fraud when their tax returns are rejected, or when the business receives notice about Forms W-2 they didn’t file with the Social Security Administration or notices for balances due to the Internal Revenue Service (IRS) that are not owed. Most frequently, neither businesses nor individuals will have any reliable information as to how their information has been exposed. The IRS has noted such tax fraud tends to increase during tax season and time of crisis, and cybercriminals have undeniably taken advantage of the COVID-19 pandemic to unleash an unprecedented number of tax fraud schemes to steal information from taxpayers.
Continue Reading Best Practices to Avoid Tax-Related Identity Theft

MENU

RopesDataPhiles