GDPR. If you see those letters and think it is an acronym for Gosh Darned Pain in the Rear (or an edgier equivalent) you are in large part correct. But if you don’t know any more than that, and you are a company with any ties to Europe, then you need to read further.
GDPR, the General Data Protection Regulation, is an extensive and broad-reaching regulation issued by the European Union dealing with how companies (including U.S. companies) process the data of people living in the E.U. It replaces the E.U. Data Protection Directive and is slated to take effect May 25, 2018.
Companies that fall under the regulation’s requirements need to ensure (1) individuals’ data they are processing is secure in their hands, (2) that they have individuals’ consent to process it (or have an enumerated reason they don’t need consent), and (3) that they will keep individuals notified of individuals’ rights and developments surrounding the use of their data.
If you are a U.S.-based company, with little European presence, you may slough off the idea of getting into GDPR compliance. You may have analyzed the GDPR’s predecessor (the Data Protection Directive), decided that it didn’t implicate you, and assume the GDPR won’t implicate you either. Or you may have relied upon the Safe Harbor and assume you can continue to operate under that. Don’t draw assumptions. Don’t ignore the regulation. If you do, and you are ultimately found to have violated it, you could face some hefty penalties. Under the GDPR, there are two sets of thresholds for administrative fines:
- Up to €10 million (almost US$12 million) or up to 2% of global revenue, whichever is higher, for certain violations, including failure to implement data protection by design, to maintain written records, or to report breaches when required; and
- Up to €20 million (almost US$24 million) or up to 4% of global revenue, whichever is higher, for other violations, including failure to adhere to basic processing principles such as consent, notification of individuals’ rights, and international transfers.
These fines are meant to catch attention. Hopefully, they caught yours. They may inspire you to do a double take to see whether or not your business will be subject to the GDPR. The GDPR has a broader reach than the earlier Data Protection Directive. Moreover, the Safe Harbor is no longer valid. It has been replaced by a “Privacy Shield” regime – which applies to data that companies transfer from the E.U. to the U.S. But even the Privacy Shield is on shaky ground and it may not be enough to shield companies (so to speak) from liability for GDPR violations. GDPR is broader, covering information on E.U. residents even if the data is not transferred across borders – and instituting stricter measures in terms of how data should be handled.
Here are some questions you should ask to help you determine whether you need to prepare for the GDPR:
- Do you have an E.U. office, or even a company representative who operates out of Europe?
If you have any real and effective European activity through stable arrangements (terms in italics represent terms used by E.U. courts to define implicated businesses), then you will be subject to the GDPR even if you do not process personal data in the E.U. So long as the data is processed in the context of the European activities, the GDPR applies.
- Are you outside of the E.U., but process data about E.U.-based individuals in connection with offering goods or services?
It does not matter whether or not there is any payment involved in the offer. Your offers can be free of charge and you are still implicated by the rule. So long as your company anticipates activity directed at E.U. individuals (e.g., you suggest items in E.U. currency or pay a search engine to increase access to E.U.-based people), you are implicated.
- Are you outside of the E.U., but monitor the behavior of individuals in the E.U.?
If you track E.U.-based individuals online to create profiles, or to analyze or predict preferences, you are implicated.
The long and short is that, if you touch Europe, directly or remotely, in your operations and you process data that incorporates E.U. individuals, you should spend time assessing GDPR compliance.
- Review your E.U.-focused actual or directed information
- Review the type of information you collect/use
- Review the types of consent obtained and notifications on data usage provided
- Review your service contracts to determine your company’s role in data processing and follow-on companies’ roles in data processing
We will treat the E.U.’s ability to enforce these penalties in a later post, but assume they will be able to reach your assets.
Data Privacy and Cyber Security
Every year, the Consumer Electronics Show in Las Vegas proves to be one of the more interesting conventions to attend. 2016 did not disappoint: companies showed off cool innovations in displays, robotics, and integrated smart technology across the consumer products platform.
Adding to the excitement at this year’s CES was the dramatic appearance of uniformed officers. We don’t mean the sultry high-heeled look-alikes you’d more likely expect at a Vegas show. These were U.S. Marshals and they were the real McCoys (although we are unsure of their actual names or heritage). The marshals were there to execute a court order and seize product from one of the convention’s participants, Changzhou First International Trade Company.
The China-based company had a booth at CES to promote its Surfing Electric Scooter, a one-wheeled hoverboard. The scooter might be considered a dream machine for many an adolescent skater. The only problem is that it is remarkably similar to Future Motion Inc.’s patented Onewheel (at only about a third the price).
Future Motion was granted a patent on Onewheel’s self-stabilizing technology only recently (within the last month), but it did not waste any time to defend its rights in U.S. District Court. Future Motion requested the federal court grant it a temporary restraining order to, among other things, seize Changzhou First International’s scooter from CES.
Two of the more interesting aspects of the district court’s actions in this matter are (1) the speed at which the judge granted the requested relief and (2) the extent of the relief that the judge granted. The court issued a TRO on the same day that Future Motion filed the request. The following day, the marshals were in the Vegas convention hall seizing scooters and generating a lot of attention.
But the court didn’t limit its TRO to seizing product locally. It granted Future Motion’s request to halt manufacture and sales. The court also ordered web hosts and domain name registrars to “take any and all action necessary to remove the infringing products from websites having content controlled by Defendant, or alternatively to disable access to the website.” Halting sales and manufacture and seizing the company domain name is a pretty impressive order to execute on an expedited basis, and based exclusively on arguments presented by plaintiffs. It’s further impressive considering that the scooter is Changzhou First International’s only advertised product on its website. Closing down this channel is effectively closing down the company’s operations. Is Future Motion’s patented technology really the heart of Changzhou First International’s scooter? A cursory review might suggest yes, but it’s a complex question that should be decided after a proper hearing. Granting a TRO to make a point at the CES convention is one thing, shuttering a business is another.
It doesn’t appear that the part of the order requiring domain name seizure has been executed yet. As of January 14, 2016, Changzhou First International’s website is still active, full of images of its Surfing Electric Scooter. Moreover, the product appears to continue to be sold on Alibaba. This may be because parties have ten days from notice to comply, which isn’t yet up. It may also be based upon some subsequent stipulation by the parties: it is possible that Future Motion does not want to be on the hook financially should the court ultimately find against it (as the order in the case acknowledges, Future Motion would be responsible for damages, i.e. economic loss, for any wrongful seizure).
We shall see in the coming weeks what’s to become of the Surfing Electric Scooter. The next hearing (for preliminary injunction) is scheduled for mid-February. At that hearing, Changzhou First International will have the opportunity to present its arguments demonstrating why its scooter does not infringe on Future Motion’s patents. Although, who would be surprised if a U.S. district court found that a Chinese product infringed on someone else’s intellectual property?
If you didn’t know any better, you might have gotten pretty fiery over for-profit education after reading one of the front page stories of Tuesday’s New York Times. The lengthy article titled “For-Profit Colleges Fail Standards, but Get Billions” is all about accusations of greedy institutions bilking taxpayers and taking advantage of students through fraud and other deceptive practices. Why the story ran on page one of the paper is anybody’s guess: the only timely element in the piece appeared toward the end of the article, where the author mentioned the Defense Department’s recent decision to bar the University of Phoenix from its tuition assistance program. By the time you got to that part of the article, you might have cheered the DOD’s decision to cut the educator off, despite the fact that the decision appears premature, based on allegations as opposed to findings (meaning they are meting out punishment before a full investigation or review).
The New York Times piece seems narrowly focused on denigrating an industry that has become the bastard-stepchild of higher education. Ever since U.S. Sen. Tom Harkin decided to take on for-profit education, the industry has been under intense scrutiny from state and federal regulators as well as partisan research and advocacy groups. The article would have readers believe that all the negative attention is the equivalent of substantiated claims that for-profit education is a fraud on federal student loan programs. Thirty-seven state attorneys general, the Securities and Exchange Commission, the Consumer Financial Protection Bureau, the Department of Justice, and the Federal Trade Commission are all investigating for-profit schools. These schools must be horrible, right? But what the article lacks are legal holdings or findings of fact.
That several agencies are investigating industry participants is not tantamount to guilt: it is more reflective of the fact that regulators take their cues from other regulators. Once an industry becomes unpopular, everyone wants to jump in and get their piece of the pie … or the felled lion. For-profit education is now an obvious target. But, again, that does not make the industry per se bad.
Nor does the fact that many for-profit educators have settled with regulators mean they are guilty: people and companies alike perform a cost-benefit analysis when it comes to whether to fight or stand down. It often makes economic sense to settle with regulators rather than stay the course through potentially lengthy, costly litigation.
What is troubling is the undercurrent – and application – of guilt before innocence, both by the New York Times article and by regulators. What is missing is a comparison of how much for-profit education costs per student versus how much other schools cost, or what dropout rates and post-graduation employment rates look like across schools for single parents and the poor (the types of individuals typically enrolled in for-profit colleges). For instance, studies have shown that community colleges are costing taxpayers billions of dollars for uncomfortably high dropout rates. Other studies identify taxpayer subsidies covering significant amounts of college operating costs.
One of the major reasons why for-profit education has high drop-out rates and poor post-grad employment rates is that they are reaching individuals who otherwise may not have access to degree programs, such as single parents or people in economically depressed areas. These individuals have other complications in their lives that can make completing a degree or finding gainful employment more challenging (e.g., scheduling, transportation). These challenges are not the schools’ fault, but a reflection of external factors. Punishing the schools and taking away educational opportunities does not seem like the most thoughtful decision, but it’s the one that partisan groups, partisan journalists, and regulators seem to be angling for.
Instead of celebrating the Defense Department’s decision to cut off the University of Phoenix from its tuition assistance program, we should be troubled that it is doing so before completing an investigation. In a statement, the University noted that: “It is troubling that DoD has used requests for information from other governmental agencies as grounds for placing the university’s DoD MOU in a probationary status.”
For-profit education does have, and has had, its bad actors… as does every industry. But the all-out slam against the sector, the fight for its demise, is unfair and shortsighted. In the end, the greatest losers will be historically underserved populations who will be denied education opportunities.