Wednesday, May 9, 2018

GDPR Self-Assessment Checklist for Controllers

This article is intended for most of my US/international clients that are small e-commerce businesses that do not want to shut off their EU clients completely because of GDPR, the massive, intimidating e-privacy regulation about to come into effect in the EU. Clients that only collect a limited amount of non-sensitive info (no health, children, criminal info, life and death situations, etc.) from EU residents. Clients that have read about scary exorbitant fines and hundreds of pages that are basically synonyms of “be adequate,” “be reasonable,” “risk mitigation must be proportionate to the level of [undefined] threat” but without much concrete guidance.

Here is some guidance. Do not be scared. Be informed as to where you stand in the GDPR compliance. Then, make an informed decision as to whether GDPR compliance is worth the extra legal costs/efforts, or you're better off investing in software that automatically blocks EU users altogether. For many such small businesses that are still not sure, I have abridged the Information Commissioner Office’s basic requirements below.

Specifically, I have boiled down the basic issues you have to address. That does not mean that you have to write volumes of convoluted policies about every little aspect of the points below. The exact opposite is true. GDPR requires you to be concise, even though the EU regulators have themselves written hundreds of pages about the synonyms of the words like “concise,” “reasonable,” and “adequate” without offering much of concrete guidance. GDPR is untested but it does require you to think about, and have answers to, the following issues. The answers do not have to be as voluminous and convoluted as what the regulators have written themselves but, if you want any EU customers/subscribers, you do have to have the “concise, easy to understand” answers to the following questions.

The ICO’s compliance self-assessment questionnaire is broken down into four parts: 1) Lawful/Fair Basis; 2) Users’ Rights; 3) Accountability; and 4) Data Security & International Transfers. Take a look at the basic summary of those four parts.

Part 1: Lawful/Fair Basis for Collecting Personal Info

Have you mapped out data flows? Anybody with a good understanding of your business should be able to answer where you get the EU data from, where it is going, for what purposes and on what legal grounds. Mapping out your EU data flow will enable you to predict any legal/security risks.

Document your findings. If you have fewer than 250 employees, you only need to keep these records for processing activities that:
- are not occasional;
- could result in a risk to the rights and freedoms of individuals; or
- involve the processing of special categories of data or criminal conviction and offence data.

Can you show documented lawful bases for processing EU personal data? There are six lawful bases:
- (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- (d) Vital interests: the processing is necessary to protect someone’s life.
- (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

For most of my clients (my primary focus in this article), point (b) will give you a lawful basis for processing. E.g., you run a SaaS platform, or you sell to customers some of whom are in the EU, and you need their names and payment details in order to fulfill their subscriptions/orders. Processing their names and payment details for the purposes of fulfillment of their orders gives you a lawful basis under GDPR. So, you can move on to reading the next sections.

How do you handle consent, if you need it? The EU standard for consent is much higher than that in the US, but the good news is that you do not need EU consent if you have a lawful basis described in the paragraph above. If you do not have one of the lawful bases described above, then you will need EU users’ (reaffirmed) unambiguous consent to the exact, specific uses of their private info. Not pre-ticked opt-in boxes, not some provisions buried in your Privacy Policy along the lines of “your visits to our Platform constitute your agreement to using your personal info for marketing purposes, advertising and sharing it with our affiliates.” No. Under GDPR, if you use EU residents’ personal info for such, and similar, extended purposes, then the privacy notice has to be in their faces with things like an un-ticked box, not any pre-selected options to opt in. Keep records of what an individual has consented to.

Do you have systems to record and manage ongoing consent? Most of my US clients don’t need consent but, in case you do, keep in mind that your obligations don’t end when you first get consent. You should continue to review consent as part of your ongoing relationship with individuals. Renew consent if anything changes. If your consent does not meet the high GDPR standards, then you’ll need to renew it. That’s why you’ve been receiving numerous notices from various online subscriptions of yours reaffirming their “commitment” to your privacy.

Part 2: Users’ GDPR Rights

You have to provide GDPR-specific privacy information to individuals in the EU. I have covered a way to do it in the previous post about a GDPR-compliant Privacy Policy.

Part 3: Accountability

Do you have an “appropriate” data protection policy? “Appropriate” means it is commensurate to the risks involved. For most of my clients, who do not deal with large volumes of high-risk EU information, that means they do not have to have large volumes of data protection policies. However, monitor your compliance with data protection principles, security protocols and policies. That’s common sense in the US and the EU.

Are your processor contracts adequate? If you use a third party (e.g. PayPal) to process EU users’ personal info, you are still liable for what happens to that info. To protect yourself, you need to have a contract that provides “sufficient guarantees” to protect EU users’ privacy rights. Processors must only act on your documented instructions.

Does your management/staff understand the GDPR risks involved? At least have them read this article.

Have you conducted a Data Protection Impact Assessment (DPIA), if required? This should be a whole separate blog post, but the basics of the DPIA are that you have to do it if you conduct any type of processing which is “likely to result in a high risk”. Examples include:
- using systematic and extensive profiling with significant effects;
- processing special category or criminal offence data on a large scale;
- systematically monitoring publicly accessible places on a large scale;
- using new technologies;
- using profiling or special category data to decide on access to services;
- profiling individuals on a large scale;
- processing biometric/genetic data;
- matching data or combining datasets from different sources;
- collecting personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- tracking individuals’ location or behavior;
- profiling children or targeting marketing or online services at them; or
- processing data that might endanger the individual’s physical health or safety in the event of a security breach.

Have you appointed a Data Protection Officer (DPO)? You must appoint a DPO if you:
- are a public authority (except for courts acting in the judicial capacity);
- carry out large scale regular and systematic monitoring of individuals (e.g. online behavior tracking);
- or carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
Even if you are not required to appoint a DPO, it may be a good idea to do so. It will make you look more professional and, besides, even if you don’t appoint an official DPO, there still has to be somebody ready to respond to regulators’ privacy-related questions anyway. The DPO should be “independent” and report to the highest management level.

Do the decision makers and key people in your business “demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business”? At the minimum, have them read this article. GDPR requires your key personnel to be aware of the requirements under the GDPR.

Part 4: Data Security & International Transfers

Do you have “appropriate security measures” in place? “Appropriate” means adequate for the level of risk and sensitivity of the information you hold. ICO states that “[t]he measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have. A good starting point is to establish and implement a robust Information Security policy which details your approach to information security, the technical and organisational measures that you will be implementing and the roles and responsibilities staff have in relation to keeping information secure.”

Are you aware of your obligation to inform users of personal data breaches? You must report a notifiable breach to the ICO without undue delay, and not later than 72 hours after becoming aware of it.

International transfers. This also deserves a separate blog post, but the GDPR basic requirement is that you have to ensure an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area. You may only transfer personal data outside of the EU if you comply with the conditions for transfer set out in Chapter 5 of the GDPR.

Tuesday, May 8, 2018

GDPR-Compliant Privacy Policy (Example)

1. GDPR: don’t be scared
There is no reason to fear GDPR for US/international businesses that only process limited amounts of non-sensitive personal information (e.g., no medical info) from the EU. For example, let’s say you operate a website out of the US and you have some EU subscribers, or you sell products to the EU. For those purposes, you collect users’ names, emails and payment details. You don’t sell or otherwise disclose their info to any third parties. If that describes your business, then this article is to help you understand what is required and how to comply without unnecessary complexities.

2. What is required?
If you collect and use personal data from any residents of the EU, that makes you a “controller” of personal information under the GDPR. Its Articles 13 and 14 require you to inform “data subjects” (users) of the following:
- the purpose and legal basis for processing;
- the data controller’s identity and contact details;
- recipients, or categories of recipients, of the personal data;
- how long the personal data will be retained and, if no time frame can be provided, how the retention period will be calculated;
- if any automated decision making, for example profiling, is being carried out, and information about such automated decision making;
- whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard the personal data; and
- the data subject rights.

3. How to comply?
You should address the above points in your Privacy Policy in concise, easy-to-understand language. When you read hundreds of pages of regulations, guidelines and instructions about GDPR compliance, while drowning in a sea of privacy update notices, that can make you mistakenly assume that you also need to implement numerous convoluted policies and then send everybody notices about it. No. In fact the GDPR states the exact opposite – the privacy information you provide has to be concise. So, let’s go through the points listed above.
The purpose and legal basis for processing. If you only use EU personal info to fulfill a contract with your EU subscriber/buyer, that constitutes legal basis under Art. 6.
Your identity, contact details, recipients of the personal data. All of that should already be in your Privacy Policy regardless of GDPR.
How long the personal data will be retained. This has to be reasonable depending on the purposes for which you collect the data and how long you will need it for after the business relationship with the user is terminated.
If any automated decision making, for example profiling, is being carried out, and information about such automated decision making. This doesn’t apply to most of my clients described in paragraph 1, so they can address this by stating something like, “as a responsible business, we do not rely on any automated decision making, such as profiling.”
Whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard the personal data. This is one of the most important points of the GDPR, and it ties directly to the next requirement about informing the EU data subjects about their rights. The EU grants more rights over its residents’ personal info than the US does, and only allows for the transfer of EU personal info outside the EEA if adequate protections of those rights are in place. Procedures you can have “in place to safeguard the personal data” include using SSL, storing data on a password-protected server accessible only by an administrator, and, most importantly, the procedures designed to protect the GDPR-specific rights below.
So, GDPR requires you to inform EU users about their GDPR rights and your procedures to secure them. The eight main GDPR rights are: 1) to be informed; 2) to access; 3) to rectification; 4) to erasure; 5) to restrict processing; 6) to data portability; 7) to object; and 8) relating to automated decision-making and profiling. GDPR requires you to be concise, especially if your business is like most of my clients that I’ve described in the first paragraph of this article. So, in the next paragraph I will give sample language that can be inserted in your Privacy Policy for GDPR compliance purposes. Of course, you will have to actually comply with what your Privacy Policy states; otherwise, it won’t protect you.

4. Sample GDPR-compliance Privacy Policy verbiage

EU Users’ Rights.
This section of our Privacy Policy applies to the users of our platform in EU. We would like to inform you about your GDPR rights and how we safeguard them.

a. Your GDPR rights to be informed, to access, rectify, erase or restrict the processing of your personal information. Our Privacy Policy enumerates the types of personal (and other) data we collect about our users in Section ___ above. You have the right to obtain free information about what personal data we have obtained about you, where it is stored, for how long, for what purposes it is used, and to whom it was disclosed. You have the right to have us, without undue delay, rectify inaccurate personal data concerning you. That means you can request that we change your personal data in our records, or have your incomplete personal data completed. You have the “right to be forgotten,” i.e. to have us delete your personal information, without undue delay, if the data is no longer necessary in relation to the purposes for which it was collected. However, GDPR gives us the right to refuse erasure if we can demonstrate compelling legitimate grounds for keeping it.

b. GDPR gives you the right to restrict processing if any of the following applies:

i. If you contest the accuracy of your personal data, we will restrict processing it for a period enabling us to verify its accuracy.
ii. The processing is unlawful and you oppose its erasure and request instead the restriction of its use.
iii. We no longer need your personal data for the purposes of the processing, but you require us to restrict processing for the establishment, exercise or defence of legal claims.
iv. You have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether our legitimate grounds override yours.

c. Right to data portability. Upon request, we will provide you your personal data in our possession, in a structured, commonly used and machine-readable format. You have the right to transmit that data to another controller if doing so does not adversely affect the rights and freedoms of others.

d. Right to object. You can object, on grounds relating to your particular situation, at any time, to processing of your personal information, if it is based on point (e) or (f) of Article 6(1) of the GDPR. We will then have to stop processing, unless we can demonstrate compelling legitimate grounds for the processing. If you object to the processing for direct marketing purposes, we will have to stop processing for these purposes.

e. Right to withdraw consent. GDPR grants you the right to withdraw your earlier given consent, if any, to processing of your personal data at any time.

f. Rights related to automated decision making. As a responsible business, we do not rely on any automated decision making, such as profiling.

How to exercise your GDPR rights?

If you need to contact us in order to exercise or discuss any of your GDPR rights under this Privacy Policy, you can contact our Data Protection Officer at: [Name, contact info]

5. Conclusion
It is possible to comply with GDPR without undue burden.

Thursday, March 8, 2018

SEC Issues Another Warning on Cryptocurrencies

The U.S. Securities and Exchange Commission has issued yet another warning that cryptocurrencies can be securities and some cryptocurrency exchanges can be illegal. For investors, that means that you should be cautious when investing in cryptocurrencies. For operators of exchanges, expect more regulations and/or a crackdown.

The SEC reiterated that, if tokens and cryptocurrencies offered through ICOs fall within the "securities" definition, then the exchanges should follow the same rules as every other exchange. That means registering with the SEC as a national securities exchange, an alternative trading system (ATS) or a broker-dealer.

The SEC described the current state of affairs in the crypto space as misrepresentation. Specifically, “[t]he SEC staff has concerns that many online trading platforms appear to investors as SEC-registered and regulated marketplaces when they are not... Many platforms refer to themselves as ‘exchanges,’ which can give the misimpression to investors that they are regulated or meet the regulatory standards of a national securities exchange.”

The SEC never reviews trading tools on cryptocurrency exchanges. For instance, if you submit a limit order on an exchange, you have to trust the exchange that it’ll strictly follow your order. The exchange could give priority to bigger investors or screw up the order book without any consequence.

The SEC offered a list of questions investors should ask before they decide to trade digital assets on an online trading platform: 

- Do you trade securities on this platform? If so, is the platform registered as a national securities exchange (see our link to the list below)?
- Does the platform operate as an ATS? If so, is the ATS registered as a broker-dealer and has it filed a Form ATS with the SEC (see our link to the list below)?
- Is there information in FINRA's BrokerCheck® about any individuals or firms operating the platform?
- How does the platform select digital assets for trading?
- Who can trade on the platform?
- What are the trading protocols?
- How are prices set on the platform?
- Are platform users treated equally?
- What are the platform's fees?
- How does the platform safeguard users' trading and personally identifying information?
- What are the platform's protections against cybersecurity threats, such as hacking or intrusions?
- What other services does the platform provide? Is the platform registered with the SEC for these services?
- Does the platform hold users' assets? If so, how are these assets safeguarded?

Tuesday, February 27, 2018

EU Is Preparing Law to Seize Overseas Personal Data

The European Union is working on a new law that will allow EU law enforcement to obtain customers’ personal data even when it is stored outside the EU. The draft legislation is supposed to be presented to lawmakers and member states at the end of March. Any (tech) company doing business in the EU will be subject to this law, regardless of the nationality of those whose personal data is being sought.

The planned law seems to run contrary to the EU's usual position of siding with privacy advocates who try to limit government's reach into people's privacy. Enacting a law that gives the EU extra-territorial powers can also result in conflicting laws in countries that do not allow sharing of personal data overseas. For example, in the United States certain companies are prohibited from disclosing information to foreign governments. Europe itself is very restrictive on how companies can transfer data outside the EU.

The planned law comes at a time when a similar landmark court case nears resolution in the US. It began in 2013 when the US government tried to force Microsoft to hand over emails that were stored on its servers located in Ireland. Microsoft refused and was supported in that by its tech rivals such as Apple, Amazon, Salesforce and eBay. In 2016 an appeals court ruled that the United States government could not force Microsoft to hand over emails and communications stored in servers outside of the US. But the Trump administration has called for the US Supreme Court to decide the issue. Its decision is expected by the end of June.

Sunday, February 25, 2018

Artificial Intelligence Evaluates Contracts Better Than Lawyers

Legal AI platform LawGeex, in cooperation with law professors from Stanford University, Duke University School of Law, and University of Southern California, just published a study of AI vs. lawyers. Specifically, twenty experienced lawyers were given the same task as the AI: four hours to review five non-disclosure agreements (NDAs) and identify 30 legal issues, such as arbitration, confidentiality of relationship, and indemnification.

Lawyers lost. They scored an average of 85 percent accuracy, while the AI scored 95 percent accuracy. The AI also completed the task in 26 minutes, while the human lawyers took 92 minutes on average.

Thursday, February 8, 2018

FTC Affiliate Disclosure Requirements & Samples for Blogs, Websites

The FTC Endorsement Guides require any affiliate who uses reviews, rankings or testimonials for product promotion to clearly disclose the fact that they receive compensation for doing so. The FTC usually focuses its attention “on advertisers or their ad agencies and public relations firms,” not so much on individual endorsers such as bloggers. The FTC says it does not generally monitor bloggers but, nevertheless, may take action against a blogger who was reported to the FTC but fails “to make required disclosures despite warnings.” So, it's better to be safe than sorry.

When exactly do you have to disclose?
You have to disclose if you:

- received money or anything of value (discounts, credit, special access, affiliate commissions etc.) to promote a product.

- received the product for free with the expectation that you will review it.

Friday, February 2, 2018

What's the Difference Between Trademark, Patent and Copyright?
Trademark protects the words, phrases and logos used to identify the source of goods or services. Patent protects inventions. Copyright protects literary and artistic works of authorship. We will discuss all three in more detail below.

Trademark is a brand name. You can register your business name, logo, and your product names. For example, McDonald's, the double arched "M" symbol, and Big Mac are all trademarks. Trademark/service mark may include words, names, symbols used, or intended to be used, in commerce to distinguish your goods or services from goods or services of others. The terms “trademark” and “service marks” are often used interchangeably, and both offer the same protections. If you use your trademark or service mark in interstate commerce (you do business with customers in other states or internationally) you can register your mark both at the federal and state level. If you do business exclusively within your state, you can register at the state level.

In the US, trademark rights come from actual use in commerce and do not have to be registered to be valid. "Common law" trademark rights can last forever - as long as you continue to use the TM in commerce to indicate the source of services or goods. A trademark registration can also last forever - as long as you file specific documents and pay fees at regular intervals.

Wednesday, January 31, 2018

Australia's New Mandatory Data Breach Notification Law

On February 22, the mandatory data breach notification law comes into effect in Australia. It applies to private entities subject to the Australian Privacy Act, including entities with an annual turnover of more than $3 million, businesses that provide a health service or disclose personal information, as well as federal government agencies and those that contract with them.

A company that suspects it may have suffered a data breach capable of causing "serious harm" to any relevant data subjects will have 30 days to investigate and conclude whether in fact an eligible data breach occurred. The law does not define "serious harm," but we can assume it involves a degree of significant emotional, physical, reputational or financial damage.

The new law requires the notification statement to be prepared as soon as practicable and delivered to the Privacy Commissioner, as well as the individuals to whom the relevant information relates or who are at risk from the breach. If individual notification is not practicable, the statement must be posted on the organisation's website and its content must be publicised. Agencies and organisations can lodge their statement about an eligible data breach to the Commissioner via the Notifiable Data Breach statement — Form. Here is a flowchart that lists the steps to take following a potential data breach.

The US already has data breach notification laws on the books. The GDPR will introduce breach notification across the EU in May 2018.

Friday, January 26, 2018

Russia's New Bill on Regulating Cryptocurrencies

On Thursday, the Russian Finance Ministry published on its official website a new draft law "On Digital Financial Assets." It is a legislative proposal to strictly regulate cryptocurrencies and ICOs. The main points are:

- all trading to be done only via cryptocurrency exchanges that are registered in Russia.

- cryptocurrencies cannot be used as means of payment for goods or services. They can only be converted into money or other digital assets.

- no anonymity.

- smart contracts will be recognized as being legally binding and Initial Coin Offerings (ICOs) will be strictly controlled with only businesses registered in Russia allowed to issue them.

- individual unaccredited investors cannot purchase more than 50,000 rubles ($898) worth of ICO tokens per each issue.

- digital wallets are subject to registration in the real name of their respective owners in accordance with the federal law against money laundering.

Thursday, January 25, 2018

Expanding Overseas: Indonesia

Why Indonesia?

There is a lot of room for growth in Indonesia due to it still being in the early stages of the digital economy implementation. Here is why Indonesia can be an attractive market to expand to:

- The largest economy in Southeast Asia, USD 1 trillion GDP.
- Population 261 million people – 4th largest in the world, 40% of Southeast Asia.
- 173 million mobile phone users, 87% of households.

What entity type?

A representative office or a limited liability company are the two main structures that allow foreign participation. Generally speaking, a representative office is a good temporary solution to “test the waters.” A more serious and permanent solution would be to form a limited liability company, a PT PMA.