The new privacy data portability right is empowering individuals to have a full control on their personal data representing both an opportunity and a risk for companies. Continue Reading
HONG KONG – HONG KONG’s Privacy Commissioner addresses privacy compliance and best practice for BYOD
Written by Scott Thiel
Following the publication of industry-specific BYOD guidelines such as those issued by the Hong Kong Association of Banks (the “HKAB Guidelines“), the trend towards Bring Your Own Device (“BYOD“) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the “Information Leaflet“), which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the “Ordinance“) and the Data Protection Principles (“DPPs“).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices which differ depending on whether or not the organisation’s data is stored on the personal devices or within a “sandbox”. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (e.g. sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.
For more information, the Information Leaflet is available here.
New York proposes cybersecurity regulation aiming to protect financial services companies from criminal enterprises
Written by Jim Halpert and Michael Schearer
The New York State Department of Financial Services (NYDFS) has set forth a proposed cybersecurity regulation for financial service companies. Announced this week by New York Governor Andrew M. Cuomo, the proposed rule seeks to protect both consumer data and financial systems from terrorist organizations and other criminal enterprises.
The proposed regulation would apply to all financial institutions licensed or regulated (or required to be licensed or regulated) by the NYDFS, including:
- Banks
- Insurance companies
- Trust companies
- Branch, agency and representative offices of foreign banks
- Money transmitters
- Credit unions
- Mortgage and other licensed lenders and loan brokers
The NYFDS proposal is far more prescriptive than comparable existing guidance from the Federal Financial Institutions Examination Council (FFIEC). In addition, it contains an extraordinarily short breach notice deadline of 72 hours. Finally, the regulation could prove to be a step toward a patchwork of conflicting state-by-state regulation.
Under the proposed regulation, covered entities would be required to:
- Establish a cybersecurity program designed to ensure the confidentiality, integrity and availability of the institution’s information systems. Specifically, the regulation requires entities to identify internal and external cyber risks by identifying and classifying nonpublic information by sensitivity and appropriate level of access; policies and procedures designed to defend the institution’s infrastructure against unauthorized access or malicious acts; detect, respond to, and recover from cybersecurity events; and fulfill all regulatory reporting obligations.
- Adopt a cybersecurity policy, reviewed by the board of directors and approved by a senior officer. The cybersecurity policy shall address, at a minimum, the following areas:
- information security
- data governance and classification
- access controls and identity management
- business continuity and disaster recovery planning and resources
- capacity and performance planning
- systems operations and availability concerns
- systems and network security
- systems and network monitoring
- systems and application development and quality assurance
- physical security and environmental controls
- customer data privacy
- vendor and third-party service provider management
- risk assessment and
- incident response.
- Designate a Chief Information Security Officer with responsibility to oversee and implement the cybersecurity program. The proposed regulation requires the CISO to report, at least biannually, to the board of directors regarding the confidentiality, integrity and availability of information systems, appropriate exceptions to cybersecurity policies and procedures, identification of cyber-risks, assessment regarding the effectiveness of the cybersecurity program, proposed steps to remediate any inadequacies identified. Additionally, the CISO is required to include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.
- Conduct penetration testing and vulnerability assessments on an annual basis (for penetration testing) and at least quarterly (for vulnerability assessments).
- Implement audit trails to track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable the entity to detect and respond to a cybersecurity event. Additionally, such audit trails should permit the ability to track and maintain data logging of all privileged access to critical systems; protect the integrity of audit trails from alteration or tampering; protect the integrity of hardware from alteration or tampering; log system events, including access and alterations made to the audit trail systems; and maintain such audit trail records for at least six years.
- Ensure security of third-party service providers through identification and risk assessment. The proposed regulation does not include any specific requirements for third parties, but does mandate due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-parties within the entity’s cybersecurity policy.
- Comply with the 72-hour notification requirement for any cybersecurity event of which notice is provided to any government or self-regulatory agency; or any cybersecurity event involving the actual or potential unauthorized tampering with, or access to or use of, nonpublic information.
Additional requirements include the use of multi-factor authentication for any individual accessing the entity’s internal systems or data from an external network or privileged access to database servers that allow access to nonpublic information; timely destruction of any nonpublic information that is no longer necessary for the provision of the products or services for which such information was provided; regular cybersecurity awareness training; encryption of all nonpublic information held or transmitted; and a written incident response plan to respond to, and recover from, any cybersecurity event.
The proposed regulation would take effect, if finalized, on January 1, 2017, with an additional 180-day transitional period for covered institutions to come into compliance. Final implementation of the proposed regulation is subject to a 45-day notice and public comment period, with comments due by October 28, 2016. DLA Piper’s Cybersecurity practice has extensive experience with cyber and information security regulatory proceedings and, with support from the firm’s financial services and insurance regulatory practices, would be happy to assist clients in filing comments.
CHINA: Yet more changes proposed to China cyber and data security laws
Written by Scott Thiel
China’s cybersecurity and data privacy frameworks are facing yet more significant changes, as in recent weeks the Chinese Government has announced two further initiatives. These are in addition to the significant legal developments that we highlighted in July 2016.
Strengthening the standardisation of national cyber security: The Cyberspace Administration of China (CAC), the General Administration of Quality Supervision, Inspection and Quarantine of China and the Standardization Administration of China collectively issued an official comment, namely the Several Opinions on Strengthening the Standardization of National Cyber Security, on 22 August 2016, which demonstrates an intention towards standardising cybersecurity regulations and practices in China.
This is an interesting move away from the current patchwork of different cyber security (and data privacy) rules in China – with variations in standards applying as between different industries and regulators – towards a more comprehensive national framework. It appears that there is an intention towards mandatory national and industry standards in relation to network security, equipment and communications, but details have not yet been published.
The statement also indicates that there will be more of an alignment with international cybersecurity standards, perhaps demonstrating that China is keen to build influence over the development of international rules and standards for the Internet, and also that it is responsive to foreign concerns that have been expressed in recent months and years regarding China’s national focus on cyber security. Indeed, earlier this year, CAC for the first time opened up its Technical Committee 260, which was originally mainly composed of Chinese officials and domestic technology companies, to selected foreign companies including Microsoft and Cisco. International businesses will no doubt be hoping that harmonisation between national and international cybersecurity standards might afford them greater opportunities in the Chinese market.
Enhancements to data privacy laws applicable to personal data of consumers: The State Administration of Industry and Commerce published for public consultation the Draft Regulations on the Implementation of the Law on the Protection of the Rights and Interests of Consumers (the Draft Regulations). The Draft Regulations propose strengthening the existing regime protecting personal data of consumers under the PRC Consumer Protection Law and associated measures. Proposed amendments in the Draft Regulations include:
- expanding the definition of personal data to include “identifying biological characteristics”;
- imposing a requirement for business operators to follow the principle of necessity when collecting and using consumers’ personal information, such that the information collected needs to be related to their business operations;
- requiring business operators to retain for at least five years supporting documents that can prove that they have fulfilled their obligations to inform and obtain consent from consumers regarding the collection and use of consumers’ personal information; and
- requiring business operators to notify consumers in a timely manner of, and take remedial measures in case of, any actual or anticipated loss or disclosure of consumers’ personal information.
In light of these and other recent developments, international organisations doing business in China are strongly advised to keep the rapidly evolving Chinese compliance environment under review.
DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more please click here.
Singapore’s enforcement of data protection law on the rise
Written by: Scott Thiel and Carolyn Biggs
Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures and has issued new guides primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
- A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
- A document processing company was fined SGD5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
- A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of “sensitive personal data” which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As recently noted by Mr. Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
Investigation on a multinational bank’s data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank which included confidential client data and personal data such as National Registration Identity Card numbers addresses and phone numbers was found in close proximity to the Bank’s headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect its customers’ data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing its data handling practices.
Some interesting issues to note are:
- The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in its third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis, a requirement for a written undertaking about return or deletion of personal, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
- The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
SINGAPORE: Monetary Authority of Singapore outsourcing guidelines 2016
Written by Scott Thiel
The Monetary Authority of Singapore (MAS) has published its new and replacement Guidelines on Outsourcing on 27 July 2016. The Guidelines are intended to provide comprehensive guidance over the risk management practices that should be adopted by financial institutions in handling outsourcing arrangements. Businesses operating in Singapore that have entered into or wish to enter into outsourcing arrangements with third party providers are strongly advised to take careful note of the Guidelines and to consider adopting the appropriate measures.
Several key changes on the Guidelines are being introduced. Notably, the Guidelines have specifically included a section on cloud computing for the first time. It clarifies that cloud services are considered by MAS as a form of outsourcing arrangement. As such, the risk management practices in the Guidelines should also be applied by financial institutions in all cloud computing arrangements. The requirement to establish legal terms consistent with those set out in the Guidelines is likely to present a challenge given cloud services are commonly offered on a take it or leave it basis with legal provisions stacked in favour of the cloud service provider.
The other key change includes a revised definition of “material outsourcing arrangements” which we expect the MAS will now pay particular attention to. Essentially, the new definition includes arrangements that:- “involve customer information and, in the event of any unauthorized access or disclosure, loss or theft of customer information, may have a material impact on an institution’s customers”.
While seemingly directed at the potential impact to customers, this fundamental change to the scope of the new Guidelines in part arises from increasing concern about cyber risk and the associated reputational damage that high profile cyber incidents could have on the integrity of the financial services sector in the Singapore market.
This new limb of the material outsourcing definition will again test financial institutions and their legal advisors to determine which service arrangements will be caught. How many customers would need to be impacted? Is the impact to be considered from an objective perspective or the subjective perspective of the impacted individual(s)? What probability threshold should be applied to the “may have a material impact” requirement? A conservative assessment of these variables would conclude that every service arrangement involving customer data will now be a material outsourcing. Although Annex 2 of the Guidelines provides guidance on the materiality test, it does not address how these new variables will be determined.
Perhaps surprisingly, there has also been a removal of the obligation for financial institutions to pre-notify MAS of any material outsourcing arrangements. This will come as a relief to those who are involved in the hectic pre-contract phase of outsourcings projects where pre-notification of yet to fully scoped projects has added an additional layer of complexity in the past. This relaxation of the notification rules perhaps reflects the practical challenge for MAS in being able to meaningfully assess and contribute to the negotiation phase of all proposed outsourcings which are brought to its attention.
As usual, the extensive Guidelines also set out the risk management practices which a financial institution should consider to adopt. These include a clear statement of the Board and Senior Management’s responsibility, which include evaluating the materiality of the outsourcing arrangements, and instituting proper safeguards for risk management. Institutions are also expected to undertake evaluations of risks, assessments of the service provider and to include proper terms in outsourcing agreements to address the potential risks.
These changes in the Guidelines highlight the interest of the Singapore authorities in strengthening regulation on the increasingly common practice of financial services businesses adopting cloud solutions and reflect heightened concerns about personal data risk and cyber security threats.
In light of the above, businesses are advised to undertake reviews of their existing and future outsourcing arrangements to ensure compliance with these new Guidelines.
DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. Learn more
Learn more about DLA Pipers Technology and Sourcing practice here.
The legal complexities of late stage tech deals
Written by Dylan Kennet and Louis Lehot
Valuations of double digit multiples are often no surprise when it comes to technology companies, whether in Silicon Valley or here in the UK. Commonly known as “unicorns,” they are often defined as private companies valued at over $1bn. There are currently 169 unicorns globally with a cumulative valuation of $609bn and whilst they remain a somewhat exclusive club, they are frequently associated with technology startups – and by extension, deep pocketed investors. This is not another article about unicorns and the ‘inevitable’ pop of the tech bubble, rather, how some tech investors in the private markets in 2016 are showing discipline and proposing ‘downside’ legal protections in deals.
Investor appetite is evolving and the bar has risen for quality. Over the course of the last year deal volume has dropped significantly and funds invested have reduced rather modestly. Global economic and political uncertainties partly explain the change (and it is currently unclear how the UK’s recent vote for to leave Europe will impact VC activity, both in the UK and in the US), but our experience shows a theme of disciplined and more measured approach to investing. The money remains out there and despite investors deploying their capital into fewer deals, the initial view on 1H 2016 is that we are going to be seeing some big valuations and large sums of money invested, especially at the Series C and D rounds.
Evolution
Where investors previously valued tech companies that championed, in the words of venture capitalist Bill Gurley, ‘growth at all costs’ to take market share, this ethos may not have necessarily delivered the companies they had hoped in the longer term. Having watched growth vectors maturing among the big tech stars, or having felt the impact directly through portfolio write-downs, we are seeing investors in both the US, UK and Europe becoming more reserved and seeking greater downside protections attached to their money. Adding to the mix, we are seeing strategic corporate venturers and non-traditional tech investors (so-called ‘crossover investors’) such as sovereign wealth funds and mutual funds, who perhaps have less risk appetite and therefore also assign more demands to their money, contribute to this environment.
Lofty private valuations are therefore at greater risk , as complex legal protections in shareholders’ agreements aim to ground them in reality. This is not necessarily a bad thing, as it focuses the mind of the investee company’s main decision makers – the board, as well as its shareholders – about what they truly value.
Conceivably many late stage tech companies are remaining private for much longer, possibly in fear of the IPO (and its heightened legal and financial scrutiny) lifting the veil and thus acting as an unfortunate down-round.
The rise of investor protection mechanisms
Although more common in the US, similar protections are becoming the norm in British venture deals, especially at the late stage, as investors with deep pockets arrive later to the party.
The legal toolbox available for investors varies; here, we offer a non-exhaustive list of some common terms that are often found in tech deals:
- senior liquidation preference: this protects investors when a company goes bust, as it essentially provides a means of ensuring the latest investors’ money comes out first;
- preferential, guaranteed or exponential returns for the investor on exit events (such as a trade sale);
- veto/blocking rights over when the company can IPO may be introduced into a shareholders’ agreement or
- a ratchet: a type of downside protection mechanism that ensures that certain shareholders – usually, the latest investor are protected from a fall in valuation on an initial raise. This may come at the expense of the earlier round investors.
As companies go deeper and deeper into private rounds of funding and delay the once inevitable IPO, these mechanisms become increasingly commonplace and necessary to attract new rounds. They are serving as a means to protect investors, by asking serious questions of the company and its current shareholders.
Understanding how to manage the deal
There are a number of practical ways in which all parties can manage the legal agreements, to deal with the realities described above. First and foremost, understanding what is making the investor tick is crucial – what are their motives for investing? This will dictate the type of deal terms they may want to focus on. It is important for the parties to be clear if the investor is looking purely for economic returns or, say, if they’re a corporate venturer and their modus operandi is strategic partnering with the investee company. The corporate venturer may allow push back on potentially onerous liquidation preferences, if they’re guaranteed locked-in exclusivity period on product or a right of first refusal. Depending on their reason for investing, a path to control may be more in focus to a corporate venturer at the entry point than the actual exit price.
Understanding how a waterfall works is also imperative. If there are many classes of shares due to the late stage nature of the company (i.e – Ordinary (UK)/Common(US), A Preference, B Preference, etc.), most likely the investors who invested last, will get their money out first on: a) an exit event; or b) a liquidation of the company. How it is proposed that the money is returned among investors in triggered situations and in what proportions, helps better understand the investor. This same principle applies to any readjustments granted to an investor on an IPO, as highlighted above. If the price per share valuation in the financing round is arbitrarily high, this will have a diluting effect for all shareholders other than the last round investors who will be effectively issued free shares on a listing, should the company list lower than the last round.
Issues around class consents also play an important part in negotiating later stage deals. If there is a varied group of investors, some may have a different pre-conceived path to liquidity compared to their counterparts. Managing competing interests to strike a proper balance among the parties is a difficult task (one we lawyers are always up for!), especially when the late round investors are bringing big cheques. The Seed or Series A investor may have already waited many years (not to mention the early stage employees), but the new investor is may require a veto on any IPO until some years have passed, post-investment. A possible work-through is agreeing that a certain proportion of each class (or overall percentage of investors) must vote to approve an IPO, thus creating a situation in the future which the views of the investors align with that of the best interest of the company and a majority of investors. Also, the fresh funding round may present an opportunity for employees and early investors, who have been with the company from the beginning, to take money off the table, rather than locking them in even longer. Be mindful of these early champions of the late stage tech company: data suggests the average time to reach a liquidity event in Europe ranges anywhere from 6-10 years.
Natural change
Perhaps unsurprisingly following the performance (and dearth) of tech company floatations in recent months, companies continue to stay private for longer. However, this doesn’t mean that they have completely fallen out of favour.
Investors are focusing on companies with strong balance sheets or business models that show a robust plan to achieve profitability. It is becoming less about growing market share at all costs and taking advantage of short-term peak valuations and more about the long-term return that these investments offer. To wit: recent tech IPOs on NYSE, NASDAQ and elsewhere perhaps have investors and late stage companies breathing a sigh of relief with the normal path to realizing their investments shooting up green sprouts.
Nonetheless, greater investor demands, such as some of the protections mentioned above, while casting a more detailed eye over the financials and assessing the long term prospects of companies is ultimately a positive for the future of the tech industry.
The future of tech
The US has encouraged a new way to approach tech investments, embedding different legal concepts to UK investors. Silicon Valley is now a global phenomenon, and its markets reach well beyond the 101 and the 280. We believe fast-growing companies should expect to see a more disciplined and measured approach from the investment community in 2016, wherever they may be.
Dylan Kennett is an Associate at DLA Piper & Louis Lehot is a Partner at DLA Piper
You can’t do I(o)T alone!
The strength of the Internet of Things (IoT) is in creating a connected ecosystem of different suppliers, but partnerships cannot be afforded ignoring the potential risks. Continue Reading
At The Intersection of Business, Law and Technology: A Q&A on the DLA Piper Global Technology Summit
Written by Ben Goodall
The pace of innovation and adoption in technology – fast and getting faster – has long presented a stark contrast to the deliberate pace of change in the law. That contrast is greater than ever today, as entrepreneurs and established tech companies alike accelerate the time to market and the speed of global expansion. With that as a backdrop, DLA Piper’s Global Technology Summit, scheduled for September 27-28, 2016, at the Rosewood Sand Hill in Menlo Park, California, is expecting record attendance, and representatives from major tech players such as Cisco, DocuSign and LinkedIn have all signed on as speakers.
Victoria Lee, a partner with DLA Piper in Silicon Valley and Co-Chair of the firm’s Global Technology Sector, recently spoke about the genesis of the summit.
What would you point to as the value of the DLA Piper Global Technology Summit?
It is one of the premier events for both business and legal leaders at the world’s fastest-growing and most dynamic technology companies. It always features discussions by global business, technology and legal leaders, and attendees always get actionable intelligence on how to overcome challenges – and optimize opportunities – resulting from evolutions in technology and the law. In that way, attendees come away with a competitive advantage. It’s also a great networking opportunity.
This year’s summit is a little different than summits past. We’ve split it into two days, one day for C-level executives, entrepreneurs and investors who can talk about the perspectives of venture-backed and emerging growth companies – and a second day for in-house counsel from established technology companies, who can learn about emerging legal issues relevant to technology companies.
What excites you the most about this year’s event?
I’m very excited about the new structure. The first day of the conference, Garage2Global, will, as the title suggests, provide insights and strategies for building and growing a business globally at rapid scale.
The keynote speakers are also very exciting. Alec Ross, one of America’s leading experts on innovation and an advisor to political and technological elite to help them better understand the implication of factors emerging at the intersection of geopolitics, technology, and innovation will discuss themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Michelle Zatlyn who is co-founder and head of User Experience at Cloudflare and will share her insights on how she and her co-founders took an idea and built a global business that for two years running was named the “Most Innovative Network & Internet Technology Company” by The Wall Street Journal.
The rest of the sessions and panel discussions are also filled with well-known entrepreneurs and investors. They’ll cover a wide array of topics, including early-stage financing, corporate structure and scaling internationally, and M&A and exits. It’ll give founders and entrepreneurs a much better understanding of what investors are looking for – and help investors better understand developments in the startup world. A Tech Summit wouldn’t be complete without some discussion of technology and so of course we’ll also have panels discussing innovation and developments in currently trending technology areas. It was difficult to decide on those panels because there are so many emerging areas of technology development right now: AI, virtual or augmented reality, drones and fintech, among others. We landed on panels focused on the Internet of Things and healthcare IT and we’re really excited about the speakers that we have for those panels.
We’re calling day two TechLaw. Some well-known general counsels are set to speak – including keynotes by Mark Chandler, GC at Cisco, Mike Callahan of LinkedIn and Hillary Smith of Zenefits. Session topics will include common concerns for corporate counsel at companies going global, best practices in patent litigation, international taxation and structuring, employment issues globally and M&A trends and projections.
At DLA Piper, we work with in-house counsel every day, so we knew attendees would see value in these topics. It’s a unique opportunity for our clients to get together and provide in-house lawyers the opportunity to hear from other in-house lawyers all while offering CLE credit.
What are some of the challenges today in driving sustainable growth and taking a company from garage to global? Which of these issues will be discussed at the Summit?
We actually have a panel dedicated to that question. Jonathan Axelrad, a corporate partner in our San Francisco office, will moderate it, with a focus on what companies need to do to scale internationally.
Every company starting out these days has an online presence, so they can essentially be global from day one. With cloud computing and other innovations, businesses can expand more quickly than ever. But with that, there are challenges. What makes sense from an international tax-structure perspective? Or for payment collection from customers overseas? How do companies position themselves for taking overseas investments? Ever-smaller companies are dealing with these issues, which were historically for larger companies – and they’re compelled to do so earlier in their development. The panelists will discuss how they deal with these issues and how they’ve successfully navigated global expansion.
One of the panelists is Reggie Davis of DocuSign, a general counsel who used to work at Zynga. The other panelists are Jonathan Ebinger of Blue Run Ventures and Santi Subotovsky of Emergence Capital.
What are some of the trends that legal departments at well-established technology companies are wrestling with?
At established companies with larger legal departments, the question seems to constantly be how to do more with less. Legal departments are increasingly trying to innovate and find efficiencies, even in their work with outside law firms. We’re starting to see a trend where a larger legal department will hire a legal operations staff member, sometimes a non-practicing lawyer, as the legal department’s chief operating officer. Those COOs look at what the companies can do to become more efficient. That usually trickles down to law firms.
The topic of efficiency and innovation is a passion of Mark Chandler of Cisco, who will give one of the keynotes at TechLaw. He’s got a great reputation in the industry, and I’m looking forward to hearing about what he’s done in this area.
What are some of the hot-button issues that you believe will shape technology innovation – and its intersection with business and the law over the next 12-months?
The Internet of Things (IoT) is becoming really interesting, which is one of the reasons we have a panel focused on IoT at the summit. From a consumer prospective, connected cars, smart cities and connected homes will all be big, as will industrial IoT. I think we’re going to be hearing more about all of those things as those technologies mature. The evolution of technology in healthcare and finance are something to always keep an eye on – as is data analytics, which is increasingly impacting businesses.
Is there something specific, timing-wise, that makes this year’s summit special or different?
World events will certainly will be in the backdrop when we get together in September. We hold a summit every other year and 2016, of course, happens to be a presidential-election year in the United States. So that and the UK exit from the EU – especially as they relate to global expansion and regulation for established and emerging tech companies – will be on a lot of minds and widely discussed at the summit.
Victoria Lee became global co-chair of the firm’s Technology Sector in June 2015. With nearly two decades of experience, Lee has been named one of the 50 Women Leaders in Tech Law by The Recorder.
Final Privacy Shield: How it Changed and What It Means for Businesses
On August 1st, the U.S. Department of Commerce will begin accepting applications for Privacy Shield certifications.
For US organizations collecting employee and customer data from the EU, the past year has been an anxious one, as the European Court of Justice invalidated the EU-US Safe Harbor program in October 2015 and the terms of a far-reaching General Data Protection Regulation (GDPR) have been finalized as a replacement of the European Data Protection Directive. Among other things, one of the major impacts of the GDPR – when it takes effect in May 2018 – is that it will apply to U.S. businesses who have no operations or entities in the EU, if they sell to, make services available to, or somehow target data subjects in the EU. So, with the GDPR looming, the issue of cross border data transfers and the significance of the Privacy Shield program for US businesses are likely to become even more relevant.
On July 12, the European Commission and the US Department of Commerce issued the final text of the replacement for the defunct Safe Harbor program. The new program, dubbed Privacy Shield, is effective immediately but will not become truly operational until the Commerce Department starts accepting certifications on August 1, 2016. The new program is also almost certain to be subject to a challenge before the European Court of Justice, and so the long-term viability of Privacy Shield is somewhat uncertain.
The main questions for US-based organizations are: first, how does this final version of Privacy Shield differ from the initial version; second, what practical steps can companies take to prepare for certification; and third, should companies certify to Privacy Shield or rely on an alternative data transfer mechanism, such as standard contractual clauses.
Key Differences Between Privacy Shield and Safe Harbor
As discussed in our prior blog posts about the new program, there are several ways in which Privacy Shield is more than simply an updated version of Safe Harbor.
First, the public-facing statements that companies must make (e.g., in their website privacy policy) must be significantly more detailed. No longer will a simple statement of participation be acceptable. Instead the statement must include clear explanation of compliance with the Privacy Shield principles. In these privacy statements, a company also must describe an individual’s rights under the program, such as how the enforcement body functions, a new arbitration right, and the company’s liability for non-compliant onward transfers.
Second, with respect to onward transfers, the conditions for such data sharing have been tightened. A company only will be able to transfer personal data to a third party for limited, specified purposes consistent with the purposes for collection that the company provided to the individual. Thus, companies will need to include more specific contractual obligations than required under Safe Harbor in their contracts with service providers and other third parties to whom they disclose or transfer personal data. The Commerce Department also has the right to require a company to provide for the Department’s review a summary of the company’s onward transfer contractual provisions. As an incentive to early adopters, those joining Privacy Shield within the first two months will have nine months from certification to bring their partner contracts into compliance.
Third, the Commerce Department and Federal Trade Commission will have greater vetting obligations for applicants, ongoing audit rights, and an FTC ‘wall of shame’ identifying those subject to Privacy Shield violations. This will also include continuing obligations for former Privacy Shield participants, as Commerce and the FTC will continue to monitor the compliant handling of data collected under the program, even after they withdraw from the program.
And fourth, there are new redress avenues for individuals complaining about either a company’s misuse of data collected under Privacy Shield or the US government’s access to or surveillance of personal data.
Changes in the Final Version of Privacy Shield
The European Commission and the Commerce Department negotiated several substantive changes to the Privacy Shield program in response to comments and feedback on the initial version. From a business perspective, some of the more notable changes are the following:
– The Privacy Shield principles have been expanded in some significant ways. For example, while the Data Integrity/Purpose Limitation principles now include details for data retention and compatible uses, the Accountability principle now makes sure that if a third party is unable to apply the same level of protection that the Privacy Shield certified organization has promised, that organization must provide notice of that fact to affected individuals.
– The Privacy Shield, like Safe Harbor before it, applies only to data transfers from the EU to the US and does not affect processing in the EU. This is important because of the 2018 implementation of the GDPR, as that rule will govern data processing within the EU. More to the point, an organization participating in Privacy Shield will still need to conduct a separate analysis of how its operations conform to the GDPR – especially with respect to the processing and transfer of employee data.
– The redress process has been explained in greater detail such that even though there are different avenues for an individual to initiate a complaint, the text makes clear that there is a certain logical order and individuals cannot simply bypass an initial approach to the company itself to discuss concerns.
– The Commerce Department’s role has been expanded, as discussed above, and key to this will be the ability to conduct ongoing audits of program participants. These reviews will typically be via questionnaires, although Commerce will also be able to audit on the basis of specific complaints or other evidence of non-compliance.
Steps to Take in Preparation for Privacy Shield
For Safe Harbor participants that truly treated the program as intended, there will be less proverbial heavy lifting than for those that had a “file it and forget it” mentality. But all companies considering Privacy Shield will benefit from the following steps:
– Develop, maintain and follow a meaningful and compliant privacy policy. The seven privacy principles are largely the same as under Safe Harbor, while the level of detail and content requirements of Privacy Shield will require operational attention to ensure consistency with the promises.
– Secure personal data and ensure the ability to restrict secondary uses. While Privacy Shield does not provide great detail on administrative, technical, or physical safeguards, there are numerous internationally recognized frameworks for doing this. The secondary use restrictions in Privacy Shield will require additional consideration, as any such information would need to be reasonably de-identified before being subject to data analytics or other secondary uses.
– Confirm that existing data sharing agreements with vendors, ecosystem partners and third parties limit data uses to specified purposes.
– Review internal training content to ensure that it reflects updated policy and procedures under the Privacy Shield program.
– Collect the full set of program documentation in preparation for a Privacy Shield application. Contrary to the Safe Harbor program in which application-stage vetting was quite limited, Commerce has committed that it will be significantly more involved to ensure that applicants not only have documentation fulfilling the requirements, but that the applicant properly applies those policies and procedures.
Potential Challenges and Momentum
As discussed in prior blog posts, the Schrems case not only struck down the validity of the European Commission’s adequacy determination approving Safe Harbor, but also bolstered the standing of EU DPAs to challenge the basis of other such mechanisms to transfer personal data from the EU. . In the preamble to the the Commission’s adequacy determination, the Commission made clear that its decisions are as a matter of law binding upon the EU member states, while acknowledging the role that DPAs can play in identifying imperfect implementation by Privacy Shield certificants.
Litigation challenging Privacy Shield is all but certain. Later this month, the Working Party 29 is expected to release its opinion on the final Privacy Shield Program.
But even if the Article 29 group’s issues a positive review, several DPAs – particularly in Germany – are likely to criticize the arrangement and might even argue in favor of invalidation in an ECJ hearing, as they did against the Safe Harbor. Furthermore, Mr. Schrems himself will likely initiate proceedings again.
Some organizations will find this uncertainty about the fate or validity of Privacy Shield to counsel in favor of a wait and see approach. They may, for example, prefer to adopt or continue to use model clauses (for example) over Privacy Shield. However, model clauses must still continue to be submitted to many EU DPAs for prior approval, slowing down their use, and require applying signatures of all affected parties (which can be operationally difficult in some circumstances). Privacy Shield, like Safe Harbor, will reduce this paperwork burden.
Several high-profile companies have already announced their support of and participation in Privacy Shield once it is operational. In the end, we expect that Privacy Shield will be successful if the Commission and the various DPAs work together with the Commerce Department toward the operational effectiveness of the program.
