Skip to content
Photo of David A. Zetoony

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
  • Background. Company A transmits personal data to its processor Company Z, and then instructs its processor to onward transfer the personal

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). DPIAs are intended to make an organization identify and weigh the benefits that may flow from processing personal

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to

On July 8, 2022, the California Privacy Protection Agency (“CPPA”) released proposed regulations to implement the California Privacy Rights Act (“CPRA”). The new proposals would dramatically change the existing regulations that apply to organizations that do business in California.

Click here to read the full article, published by the Washington Legal Foundation Aug. 19, 2022.

Some modern data privacy statutes mandate that organizations allow third parties – who are authorized by a data subject – to submit access, deletion, correction, or other requests on behalf of a consumer. Such third parties are sometimes referred to as “authorized agents” – a term created by the regulations implementing the CCPA. The following

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A-1 (EEA) → Controller A-2 (Non-EEA)

Visual Description and Implications
  • Background. Company A-1 and Company A-2 are corporate affiliates that are under common ownership

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A (EEA)  → Controller B (EEA) → Controller C (Non-EEA)

Visual Description and Implications
  • Background. Company A in the EEA transfers personal data to

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A (EEA) → Controller B (EEA) → Processor Z (Non-EEA)

Visual Description and Implications
  • Background. Company A in the EEA transfers personal data to

Several modern state data privacy statutes refer to precise geolocation information as a “sensitive” category of personal information. What constitutes precise geolocation information differs slightly between and among states. The following table provides a side-by-side comparison of the how the states have defined the term.

Click here for a side-by-side comparison of the how the

Most modern state data privacy laws exempt from their definition of personal information “publicly available information.” What constitutes publicly available information differs between state privacy laws and may not correlate to the lay definition understood by many businesses and individuals. For example, while some businesses may consider information available on the internet “publicly available information