Part 2: The Intersection between U.S. Data Privacy & Securities Laws (European Union Roots)
U.S. data privacy laws have ties with the European Union (“EU”). As we mentioned in our last blog, with the rise of social media and e-commerce there is a heightened focus on data privacy. Users around the world are providing personal data such as credit card numbers, real names, postal addresses, social security numbers, demographics, income, browsing and search history, and age in order to access, purchase, and communicate online. The U.S. has only recently begun to create data privacy laws, all of which vary by State. Currently, only California and Virginia have legislation signed into law, with several States close behind. These State laws are modeled after the comprehensive privacy laws of the European Union. This blog goes in depth into the EU data compliance regulations as they relate to U.S. companies raising capital and collecting data from European investors.
General Data Protection Regulation
In 2018, the EU adopted the General Data Protection Regulation (GDPR), which is one of the most stringent data privacy laws in the world. GDPR provides compliance regulations for the EU and for companies that collect data from, or provide goods or services to, people in the EU. This regulation was enacted in response to daily security breaches and the increase in the use of cloud services. Penalties for violating the GDPR can be very high, up to a maximum of €20 million or 4% of global revenue, whichever amount is higher. The GDPR defines data processing as “any action performed on data, whether automated or manual.” Some examples include collecting data, structuring data, storing data, using data, erasing data, and more.
A data subject is the person whose data is being collected and/or processed. The GDPR also defines other common terms in data privacy, such as data controller and data processor. A data controller is the party that decides how a person’s personal data will be processed. A data processor is generally a third party that processes the data on behalf of a data controller. The GDPR has specific rules for all of these parties.
There are seven unique “accountability” principles for data protection that the EU regulation has set forth:
Lawfulness, fairness and transparency--consumer data must be processed in a lawful, fair, and transparent manner.
Purpose limitation--the data can only be processed for the specified purpose disclosed to the data subject.
Data minimization--businesses can only collect and process as much data as is necessary to achieve the specified purpose.
Accuracy--personal data must be kept accurate and up to date.
Storage limitation--personal data can only be stored for as long as is necessary to achieve the specified purpose.
Integrity and confidentiality--data processing must be done with integrity and confidentiality, which means businesses must take appropriate security measures.
Accountability--the data controller is responsible for meeting all of these principles to ensure GDPR compliance.
The GDPR requires companies to handle data with care by adopting appropriate security measures, such as two-factor authentication for employee accounts and end-to-end encryption. Two-factor authentication is an additional security measure meant to prevent someone from logging into an account even if they have the password.
For example, it might require the account holder to enter a four-digit code sent to a specific phone number each time someone attempts to log in to the account. End-to-end encryption is a way to keep data “secret” until it reaches its intended recipient. Encryption scrambles the data so that it cannot be read by anyone except the intended recipient, who alone can unscramble the data and see its contents. Other measures businesses can take to ensure data security include staff training, adopting data privacy policies, and limiting employees’ access to personal data.
GDPR also prompts business owners to consider data protection in every aspect of the company, such as when implementing new products or activities. In the U.S., rules similar to these are slowly but surely being adopted State by State. For instance, California and Virginia have modeled their legislation after the GDPR. You can learn more about the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) in our blog, PART 1: Investing & Raising Capital Online: But, At What Cost?
Standard Contractual Clauses
Not only does the GDPR set out compliance guidelines for regulating data, it also creates standard contractual clauses (SCCs) that must be used between EU data controllers/processors and non-EU data controllers/processors for data transfers. The European Commission pre-approved the SCCs. Businesses in third-party countries such as the United States that conduct operations in the EU and collect data from EU citizens will need to include these provisions in their contracts. The SCCs are designed to address situations involving unanticipated data transfers. There are two different sets of SCCs: one to be used between controllers and processors, and the other to be used for the transfer of data to third parties in other countries.
Based on a party’s status under the GDPR, the SCCs can be used for four different types of transfers: (1) controller to controller; (2) controller to processor; (3) processor to processor; and (4) processor to controller. When conducting data transfers, the SCCs require the parties to be aware of: (1) the data protection laws in the participating countries, (2) any obligations to their respective governments, (3) the liabilities of each party, (4) the supervisory authorities, (5) the obligations of each party, (6) the contract termination provisions, (7) the European jurisdiction whose law will govern the SCCs, and (8) the jurisdiction in which any suit will be heard. It is imperative for companies to tailor their obligations to the particular type of data transfer.
Also included in the SCCs is an Appendix with three additions to the document, known as annexes. The first annex must be completed by each party and includes three pieces of information: (1) a complete list of the parties to the SCCs; (2) a detailed description of the transfers; and (3) the identification of the supervisory authority for each party. The second annex requires the party importing the personal information of users to describe the technical measures that ensure the security of the data being transferred. Finally, the third annex is optional and only needed if there are sub-processors; if the processor is using any sub-processors, it must include that information as well. Because the United Kingdom (UK) is not part of the EU, the SCCs are not required for UK transfers. However, it is believed that similar data transfer clauses will be adopted in the UK in the near future.
Data Collection in Securities Transactions
As a result of the rising number of companies conducting business and raising funds online, States across the U.S. are using the GDPR as a model for their own data privacy laws. It is therefore important for business owners to understand both their data privacy and their securities obligations. Specifically, business owners need to be aware of how they are processing, storing, sharing, and selling the data of their investors. Likewise, registered crowdfunding portals need to be mindful of how they handle the data of both the investors and the business issuers that use their portals.
A Regulation Crowdfunding (Reg CF) issuer has to file a disclosure form called the Form C with both the SEC and a registered crowdfunding portal. The SEC then publishes the Form C and any supporting documents on its EDGAR system. The Form C requires issuers to provide data such as total assets, director/officer information, business experience, and financial information. This information also gets stored on the registered crowdfunding portal. As such, the portals are required to abide by both data privacy laws and securities laws when hosting issuers’ crowdfunding offerings on their platforms.
Furthermore, both a business issuer and a registered crowdfunding portal that have investors from across the U.S. and the EU will need to comply with both the GDPR and the data privacy laws of any applicable State. These parties should also consider adopting additional security practices, such as two-factor authentication and end-to-end encryption, to bolster their compliance with the GDPR. In addition, they should include SCC provisions within their investment and onboarding agreements to ensure compliance with data privacy and securities disclosure requirements.
Data privacy, although still being introduced in a number of States, has become a major topic of discussion regarding online transactions. It will not be long before the SEC mandates certain disclosures regarding data privacy risk factors. Also, venture capital firms and other investors may begin to assess how a business collects and processes consumer data as part of their due diligence process. Now is a great time for issuers and registered crowdfunding portals to stay ahead of the curve and be proactive about how they handle investor and other users’ data. Contact us to get help with properly drafting and disclosing important risk factors relating to investors’ data in your crowdfunding offering.
*co-authored by Elizabeth L. Carter, Esq., Managing Attorney