Kolvin Stone is a partner in the Technology Companies Group in London and global co-chair of the firm's Cybersecurity & Data Privacy team, which is ranked by The Legal 500 and known for being "excellent" and "extremely responsive and client focused, succeeding at meeting the needs of both in-house counsel and tech-savvy business clients." Kolvin earned particular praise from The Legal 500 for "providing sensible, balanced advice."

He practices at the intersection of technology, intellectual property and data for leading public and private companies in high-growth, innovation-driven markets. Kolvin assists technology-led, fast-growing companies and multinational corporations on their most important strategic transactions. His work regularly involves complex, cross-border matters that raise multi-faceted intellectual property, data privacy, consumer protection, and Internet regulatory issues.

Kolvin has significant experience advising on the legal issues related to the internalization of technology and internet enabled services including e-commerce, social media, big data, digital marketing and advertising. He has worked extensively with clients who are both providers and users of cloud software, data analytics platforms, IT infrastructure services, and mobile applications, in Europe, Asia and in the United States.

On data privacy matters, Kolvin regularly partners with multinational clients on the design, development and implementation of enterprise-wide global compliance programs and risk mitigation strategies in relation to the use or deployment of privacy-impacting technology. He has extensive expertise in all areas relevant to the European data protection regime, including applied practices pursuant to the new General Data Protection Regulation (GDPR):

  • Privacy readiness and assessment audits and projects

  • Third party vendor assessments and agreements

  • Preparation of employee and consumer-facing data protection policies and procedures, and implementation of global data privacy governance frameworks

  • Privacy diligence and counseling in the context of mergers and acquisitions, joint ventures and other strategic transactions

  • International and cross-border data transfer mechanisms, including global framework agreements, Model Contracts, safe harbor regimes and binding corporate rules (BCRs)

  • Cookie and tracking technology rules and compliance methodologies

  • “Big Data” analytics and applications

  • Privacy by design (PbD) and privacy impact assessments (PIAs): design and implementation in connection with B2C and B2B products and services

  • Security incident response planning and data breach response

  • Regulatory investigations and enforcement actions

  • Records retention and information management


Representative clients that Kolvin has assisted include leading players such as Baidu, NVIDIA, Facebook, Instagram, Levi’s, Neiman Marcus, Intuit, Made.com, WNS, Skimlinks, Qubit, 23andMe, Zoosk, Telenor, W.W. Grainger, Thread.com and Depop.

Posts by: Kolvin Stone

EU Proposes Overhaul to Privacy and Electronic Communications

January 10, 2017 marked another important step towards reform of the EU data protection framework, with the release of the EU Commission’s proposals for a new Regulation governing privacy and electronic communications.

The draft Regulation, which goes beyond the scope of the current e-Privacy Directive in significant ways, would apply directly without the need for Member States to implement local law in the same way as the General Data Protection Regulation (“GDPR”). Like the e-Privacy Directive, the Regulation sets out rules on, among others, the use and confidentiality of electronic communications and metadata, use of cookies and direct marketing by electronic means.

The main aims of the draft Regulation are to update the ePrivacy Directive to reflect new technologies and to better align it with the GDPR. In addition to taking effect on the same day as the GDPR (25th May, 2018), the draft Regulation envisages the same penalties for non-compliance as the GDPR (i.e. potentially fines of €20m or 4% of annual global turnover, whichever is higher).

Is Your Data Safe? National Cybersecurity Awareness Month

Happy U.S. National Cybersecurity Awareness Month! One year ago, in recognition of the Department of Homeland Security’s annual campaign to raise awareness about cybersecurity, Orrick’s Cybersecurity & Data Privacy Group launched its award-winning blog Trust Anchor.

Almost daily we hear news about data breaches, cybersecurity and privacy enforcement proceedings, litigation, and new laws and regulations. Trust Anchor covers it all: recent cases, legislative and regulatory developments, emerging compliance standards and best practices for cybersecurity and privacy risk management, insurance trends and more! But we don’t just report on these events; we highlight key takeaways and what these developments mean for you.

EU-U.S. Privacy Shield: Companies Can Now Certify

As of August 1st, 2016, U.S. companies can join the Safe Harbor successor, the EU-U.S. Privacy Shield (the “Privacy Shield”), for personal data transfers from the EU to the U.S.

This post gives a high-level summary of what companies should consider with the Privacy Shield.

Background:

On July 12, 2016, the European Commission (the “Commission”) formally adopted the adequacy decision necessary to implement the Privacy Shield. This means that transfers of personal data from the EU to the U.S. that are made pursuant to the Privacy Shield’s requirements are lawful under EU law.  The Privacy Shield replaces the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union (“CJEU”) on October 6, 2015.

European Parliament Passes Long-Anticipated Network and Information Security Directive

On July 6, 2016, the European Parliament passed the Network and Information Security (“NIS”) Directive, over three years after the initial draft was proposed.  The Directive will enter into force in August 2016.  EU Member States will then have 21 months to transpose the Directive into their national laws and 6 additional months to identify the operators of certain essential services that are subject to the Directive’s requirements.

EU-U.S. Privacy Shield launched by European Commission

After receiving the approval of the EU Member States, through the Article 31 Committee, last Friday, the European Commission has today, July 12th, 2016, formally adopted the Adequacy Decision necessary to implement the EU-U.S. Privacy Shield (the Decision).

The Decision will be notified to Member States today and, as such, will be effective immediately.

The adoption process had stalled in recent months due to ongoing concerns about the access to personal data by public authorities in the U.S.  You can read about some of these concerns in our previous blog post.

The European Commission has received further commitments from the U.S. and has agreed clarifications and improvements on the bulk collection of data, strengthening the Ombudsperson mechanism and more explicit obligations on companies as regards limits on retention and onward transfers. Those commitments and clarifications have been sufficient to allay the concerns of the EU Member States, at least for now.

The Privacy Shield is subject to an annual review mechanism.

EU-U.S. Privacy Shield Approved by EU Member States

Today the EU-U.S. Privacy Shield was approved by the EU Member States, which sets the stage for the European Commission to grant final approval to the Privacy Shield as a basis for EU-U.S. transfers of personal data.

This development follows criticisms of the Privacy Shield this past April from the Article 29 Working Party, an advisory group comprised of the EU privacy regulators. We summarized the primary criticisms in a prior blog post.  The Working Party was responding to the draft adequacy decision that was released by the European Commission on February 29, 2016, which we summarized here. The revisions to the Privacy Shield are intended to address the criticisms of the Working Party but it is not yet clear if the criticisms have been fully reflected.

IP Addresses as Personal Data – Website Providers To Come Under Even More Scrutiny With EU Data Privacy Law

Website providers that collect dynamic Internet Protocol addresses (“IP address”) from website visitors may soon be subject to even more scrutiny from data protection authorities in the EU.

Last week, Europe’s Advocate General Manuel Campos Sánchez-Bordona (one of the advisors to the European Court of Justice, “ECJ”) released an opinion which, if followed by the ECJ, would settle the long-debated question of whether IP addresses are personal data subject to EU data privacy law. The Advocate General takes the view that dynamic IP addresses are personal data in the hands of a website provider when a third party (e.g. the internet access provider) has access to additional information that would enable identification of the Internet user.

Two Years to Get Ready – GDPR Adopted

After 4 years of negotiation, today the European Parliament adopted the General Data Protection Regulation (“GDPR”). In doing so, it signaled the end of the EU approval process and put businesses on alert that they now have two years to prepare for compliance.

The finalization of the GDPR has implications not only in the EU but globally. Businesses around the world that wish to operate in the EU, provide services and goods to residents in the EU, or monitor the behavior of residents in the EU, will need to comply with the new laws.

The GDPR builds on existing EU privacy laws but includes significant changes which increase the protections already afforded to personal data.

EU-US Privacy Shield may not be up after all

Bad news for companies relying on transatlantic data flows as, once again, the transfer of personal data from Europe to the United States is called into question by the Article 29 Working Party (the “Working Party”), an influential committee of the EU privacy regulators. Ever since the EU-U.S. Safe Harbor Framework was declared invalid by the Court of Justice of the European Union in October 2015, companies have had to find alternative ways to legally transfer personal data. On 29 February 2016, the EU Commission proposed the “EU-U.S. Privacy Shield” as a replacement to the Safe Harbor Framework and a potential solution.

EU-U.S. Privacy Shield is Go…nearly

On 29 February 2016, the European Commission issued the legal texts of the EU-U.S. Privacy Shield, which aims to replace the defunct EU-U.S. Safe Harbor Framework as a legitimate mechanism for transferring personal data from the EU to the U.S.

In contrast to its predecessor, the Privacy Shield contains commitments from the U.S. government in relation to controls on access to personal data by public authorities. This is an aspect of the new scheme which aims to address the jurisprudence of the Court of Justice of the European Union and criticisms of the previous Safe Harbor Framework.
