Had a great workshop alongside Justin Hughes, Professor of Law, Loyola Law School; and Shannon Trevino, Business Law Practicum Director, Loyola Law School. We shared our insights on the “Top 10 Legal Mistakes of Startups and How to Avoid Them” with Loyola Marymount University entrepreneurship students. Thank you to Professor David Y Choi for organizing the event!
NEW EUROPEAN REGULATIONS REGARDING DATA PRIVACY WILL IMPACT HOW U.S. BUSINESSES COLLECT AND USE PERSONAL DATA
February 12, 2018
By: Angela Bandich, Esq.
The European Union’s (“EU”) new data privacy rules, called the General Data Protection Regulation (“GDPR”), will become effective on May 25, 2018 and will impact how U.S. businesses collect and use personal data.
1. Geographical Scope of the GDPR
Despite being a European regulation, the scope of the GDPR reaches far beyond just the EU. In fact, any company that (i) offers goods and/or services to individuals (called “Data Subjects”) who are located in the EU (even if there’s no payment involved) or (ii) monitors the behavior of Data Subjects in the EU will be subject to the GDPR if the company collects and processes their Personal Data. This means the GDPR rules will apply to companies even if the companies are not located in the EU.
“Personal Data” is defined in the GDPR as any information relating to an identified or identifiable natural person (someone who can be identified, directly or indirectly, by reference to data such as name, an identification number, location, an online identifier, or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).
The GDPR will therefore likely apply to most companies, particularly those in e-commerce, travel, software or media industries that are global in their reach. For example, in response to the GDPR, Facebook recently notified its users that it will be updating its data policies and procedures (https://newsroom.fb.com/news/2018/01/control-privacy-principles/).
2. Obligations of Companies
As a result of the GDPR, companies now need to ensure that Personal Data of Data Subjects is (i) collected for specified, explicit, and legitimate purposes, (ii) limited to what is necessary in relation to those purposes, (iii) accurate and up to date, (iv) kept no longer than necessary for the purposes, and (v) processed in a secure manner.
Furthermore, the collection and processing of Personal Data is only lawful under the GDPR if the company satisfies one or more of the following:
- The Data Subject has given consent to the processing of his or her Personal Data for the specific purpose(s); or
- Processing is necessary:
- for the performance of a contract for which the Data Subject is a party;
- for compliance with a legal obligation;
- to protect the vital interests of a Data Subject or other natural person;
- for the performance of a task carried out in the public interest or under official authority; or
- for purposes of legitimate interests, except where such interests are overridden by the fundamental rights and freedoms of a Data Subject that require protection of his or her Personal Data.
Consent. If a company claims that the Personal Data was collected and processed based on consent from the Data Subject, the company must be able to prove it. If a request for consent is included in a written document with other matters, the request must be clearly distinguishable from the other matters and presented intelligibly and in clear and plain language. The Data Subject also has the right to withdraw his or her consent at any time, and the Data Subject must be informed of that right prior to giving consent. Finally, the GDPR states that consent must be freely given, particularly in situations where the performance of a contract, including providing services, is conditional on the Data Subject giving consent to the collection and processing of his or her Personal Data that is not necessary for the performance of the contract.
There are also specific rules in the GDPR related to the collection and processing of data of children (Article 8) and special categories of Personal Data (Articles 9 and 10).
Article 30 also requires that each company and any third party representatives that assist with the processing of Personal Data maintain records of processing activities, unless the company qualifies for exemption. Designating a Data Protection Officer may also be required under Articles 37-39 if the company’s processing activities require regular and systematic monitoring of Data Subjects on a large scale or of special categories of Personal Data.
Security Measures and Breaches. Companies must implement technical and organizational measures to “ensure a level of security appropriate to the risk” associated with the likelihood and severity of impact to the rights and freedoms of Data Subjects upon a breach (Article 32).
If there is a breach of Personal Data, a company is required to notify an appropriate EU supervisory authority within seventy-two (72) hours after becoming aware of the breach, unless the Personal Data involved in the breach is unlikely to result in a “risk to the rights and freedoms” of the Data Subject or other natural persons. If the security breach is likely to result in a high risk to the rights and freedoms of the Data Subject, the company must also notify the Data Subject of the breach without “undue delay” (Articles 33 and 34). This means that companies and their IT teams must be able to evaluate every breach to determine which level of notice is required, if any.
3. Rights of Data Subjects
Data Subjects have specific rights under the GDPR, including but not limited to:
- Access to Data (Articles 12 – 15): the right to obtain information about their Personal Data, free of charge (with exceptions), if requested. Companies should also be aware that certain information must be provided to the Data Subject at the time the Personal Data is collected, such as: the identity and contact details of the controller of the Personal Data; the contact details of the data protection officer, if applicable; the purposes of the Personal Data processing; the recipients of the Personal Data, if any; and whether the Personal Data is to be transferred to another country.
- Right to rectify (Article 16): the right to have companies rectify any inaccurate Personal Data that is collected without undue delay.
- Right to be Forgotten (Article 17): the right to request that Personal Data be erased, without undue delay.
- Right to Restrict (Article 18): the right to restrict the processing of their Personal Data in the future.
- Data Portability (Article 20): the right to receive the Personal Data collected about the Data Subject in a commonly used, machine readable format to transmit the Personal Data elsewhere.
- Right to Object (Article 21): the right to object to the processing of Personal Data, particularly if profiling is based on the automatic processing of the Personal Data under Article 6(1)(e) or (f).
4. Penalties for Non-Compliance
Data Subjects have the right to file complaints with supervisory authorities in the EU, as well as the right to receive compensation for damages suffered as a result of non-compliance with the GDPR (Article 82).
Administrative fines are also possible, depending on the specific circumstances of each individual case. Depending on the type and severity of the non-compliance, the fine can be as much as 20,000 EUR or four percent (4%) of the company’s total worldwide annual revenue, whichever is higher. How the EU plans to enforce such penalties against non-EU companies, however, is not clear.
As a result of the GDPR, companies should implement changes to their data collection and data privacy policies that allow for enough flexibility to be able to analyze and report security breaches, as well as respond to requests by Data Subjects. Companies should also understand what types of Personal Data are being collected from Data Subjects, where the Personal Data is being stored, what security measures are in place around the Personal Data, and who has access to the Personal Data.
Click here for the full GDPR text: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
Photographs by: Miyoshi Grant, Angela Bandich, and Linda Mejia
We had such an amazing evening preparing 150 meals as part of the Downtown Women’s Center’s cooking club. Thank you to all our fantastic volunteers once again for all the help. This time we made beef enchiladas, Spanish rice, a nutritious green salad and a berries, apple, pineapple and melon fruit salad.
For more information on volunteer opportunities at the Downtown Women’s Center, please visit:
- Group Volunteering: http://www.downtownwomenscenter.org/support-us/volunteer/group-volunteer-opportunities/
- Individual volunteering: http://www.downtownwomenscenter.org/support-us/volunteer/individual-volunteer-opportunities/
We are pleased to announce that Rob Vickery, founder of Stage Venture Partners, will be joining us at our FTE Workshop on FEBRUARY 17th, 2018! Click here to sign up.
Stage Venture Partners is a seed venture capital fund that invests in emerging technology for B2B markets.
Founded in 2015 by two entrepreneurial partners, Stage is designed to deliver active and thoughtful investment. One of us is a successful international operator who has built global businesses. The other is an experienced angel investor and venture capitalist with a strong track record.
Stage invests in Founders building frontier technology for enterprise clients. We offer access, services, and expertise that are unique in our market, leading to remarkable results for our portfolio.
We are not thesis, geographic or sector focused, but instead business model focused. We invest only in software companies that solve problems for companies, monetizing either through SAAS or transaction fees.
Before founding Stage with Alex Rubalcava, Rob created the Entertainment and Technology Division for BNY Mellon and was the North America Director for Lloyds International, one of the world’s leading financial institutions, focusing on major corporate entertainment-related investments. He has also spent a number of years working with and advising a range of international music and film talent on embracing new forms of technology.
Rob is also on the board of the British Academy of Film Television Arts (BAFTA) LA Games, British American Business Council, South Central Scholars and the Chairman of the School of Business & Entrepreneurship at Dorsey High School.
Rob graduated from the University of Gloucestershire, UK, in 2003. In his downtime, Rob is an amateur paleontologist, snowboarder and gaming addict (come and find me on PSN (BeverlyHillsBrit) or Xbox Live (saasfundr)).
January 20th, 2018
Thank you Gurvey’s Law for having me on your show!
I had such a blast recording this interview, and sharing my knowledge on cryptocurrency!
Click here to listen to the show. Alongside other cryptocurrency experts, entrepreneur Cameron Chell and Harvard University economics professor Jeffrey Miron, we discuss the following questions on this popular topic:
What is the future of #Bitcoin and other cryptocurrencies? As the price of Bitcoin continues to cause awe with dramatic swings, is this the beginning or the end of the cryptocurrency “bubble”? What are the telltale signs that you should be looking at when considering your options? Will governments intervene with regulatory measures? How will regulation affect the prices of cryptocurrencies?
On January 18th, the Securities and Exchange Commission (SEC) released a Staff Letter addressed to the Investment Company Institute and the Asset Management Group of the Securities Industry and Financial Markets Association (SIFMA).
The letter outlined the SEC’s concerns about cryptocurrency exchange-traded funds (ETFs). Specifically, the letter stated that there are “significant outstanding questions concerning how funds holding substantial amounts of cryptocurrencies and related products would satisfy the requirements of the [Investment Company Act of 1940] and its rules.”
The letter identified 5 specific areas of concern:
- Potential manipulation and other risks
The letter posed several questions under each area of concern, some of which are: (i) What are the policies and procedures to determine the fair value of cryptocurrency related products? (ii) How would funds classify the liquidity of cryptocurrencies and cryptocurrency related products? (iii) How would the custody requirements be satisfied for cryptocurrency holdings? (iv) How would the fragmented, volatile and high-volume trading characteristics of cryptocurrencies allow ETFs to comply with market price requirements? and (v) How will ETFs ensure investor protection with cryptocurrencies that have a higher opportunity for fraud and manipulation than traditional securities?
The letter concluded by saying the SEC does “not believe that it is appropriate for fund sponsors to initiate registration of funds that intend to invest substantially in cryptocurrency and related products” until the questions in the letter are satisfactorily addressed. The SEC also stated that it has requested that sponsors withdraw registration statements that have already been filed for such products.
The full letter can be found here:
Staff Letter: Engaging on Fund Innovation and Cryptocurrency-related Holdings