New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope of the GDPR’s Article 3(2). Under what are generally described as the GDPR’s “targeting criteria,” your business must be GDPR compliant if it engages in processing the data of an EU individual (data subject) related to (1) offering goods or services to data subjects, or (2) monitoring data subjects’ behavior. Although the EDPB’s guidelines state that the targeting criteria are applied on a case-by-case basis, the guidelines provide several examples that show how the targeting criteria can be applied and clarify some basic points, such as:

  1. The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
  2. Geographic location and timing are critical. For purposes of applying the GDPR, the data subject’s geographic location is assessed at the moment when your activity occurs; e.g., when your goods or services are offered, or your monitoring of the data subject’s behavior begins.
  3. Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
  4. Cookies are considered monitoring. The GDPR protects data subjects whom your business profiles, or on whom it undertakes some analysis, by using cookies or similar technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR must appoint an EU-based representative, even though the company does not have a physical location within the EU. A company’s Data Protection Officer, who can be an existing employee of the company under the GDPR, cannot fulfill the requirements for an EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can even be held liable for any non-compliance, including being fined or otherwise sanctioned.

Consultation Period

The territorial scope and appointment of an EU-based representative pose two of the most critical issues that a non-EU based company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at EDPB@edpb.europa.eu.

December 12th, 2018|Educational Series, International, Legislation, Social Media|

Scherzer International Joins the National Wear Red Day Movement

     

 

The Scherzer International offices were bright red on Friday, February 2 to show support in the fight against cardiovascular disease. Employees at SI joined the National Wear Red Day movement to raise awareness about living healthier. The pictures above show Daisy (SI’s mascot) and employees from both the Woodland Hills and Rocky River offices wearing red as a visual reminder to us all to continue the fight against heart disease.

SI’s participation in National Wear Red Day follows on the company-wide fundraiser for the American Heart Association held at SI over the summer. Employees in Woodland Hills and Rocky River competed against each other in a penny drive that raised $1634.48 for the AHA in one month! Nicole Stevenson, Administrative Assistant at SI, shared her thoughts on SI’s involvement, “My coworkers know the importance of heart health and we’re more than happy to raise awareness for national heart month. This month we’re taking the steps to be proactive in our everyday lives, whether it has to do with exercise tips, stress relief, or just creating an enjoyable work atmosphere that everyone can benefit from.”

With February being Heart Month, SI employees are staying active throughout the workday by taking walks, opting for the stairs instead of the elevator or joining other SI employees for the 7-minute group workout of the day! Cardiovascular disease is largely preventable and “risks can be lowered by adhering to what we call Life’s Simple 7: not smoking, being physically active, maintaining a healthy body weight, eating a healthy diet, controlling blood pressure, controlling cholesterol and controlling blood sugar.”

National Wear Red Day and fundraisers like the penny drive raise awareness and funds to discover critical advancements in treatment and prevention of cardiovascular disease, teach our nation’s kids how to live healthy lives and train community members on heart attack and stroke detection. Follow SI on our social media accounts throughout the month of February to see how employees at SI, “raise awareness about cardiovascular disease and save lives. Because when we come together, there’s nothing we can’t do.”

 

February 6th, 2018|Community Service, Social Media|

SEC gives conditional okay for company announcements on social media

Last month, the SEC issued a report that makes it clear that companies can use social media outlets such as Facebook and Twitter to announce key information in compliance with Regulation Fair Disclosure (“Regulation FD”) as long as investors have been alerted about which social media will be used to disseminate the information.

May 6th, 2013|Social Media|

California limits social media use by employers and educational institutions

Effective January 1, 2013, California will join Maryland and Illinois in significantly restricting employers’ access to their employees’ and job applicants’ social media accounts. Signed into law by Governor Jerry Brown on September 27, 2012 and fittingly announced via Twitter, AB 1844 provides that an employer cannot require or request an employee or applicant to do any of the following:

  • disclose a username or password for the purpose of accessing personal social media;
  • access personal social media in the presence of the employer;
  • divulge any personal social media, except as provided in subdivision.

The law also prohibits an employer from discharging, disciplining, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions. However, an employer is not prohibited from terminating or taking an adverse action against an employee or applicant if otherwise permitted by law.

The law does preserve an employer’s rights and obligations to request that an employee divulge personal social media information reasonably believed to be relevant to an investigation of allegation(s) of employee misconduct or violation of applicable laws and regulations, provided that the information is used solely for purposes of that investigation or a related proceeding. An employer is also not precluded from requiring or requesting that an employee disclose a username or password for the purpose of accessing an employer-issued electronic device.

A companion law, AB 1349, which establishes similar requirements for postsecondary education institutions in regard to their students, also goes into effect on January 1, 2013.

January 7th, 2013|Educational Series, Employment Decisions, Social Media|

Social media evolving as new platform for investment scams

The Securities and Exchange Commission (SEC) today charged an Illinois-based investment adviser with offering to sell fictitious securities through social media sites. According to the SEC’s Division of Enforcement, Anthony Fields of Lyons, IL, offered more than $500 billion in fictitious securities, and in some instances, used LinkedIn discussions to promote fraudulent “bank guarantees” and “medium-term notes.”

The SEC’s order instituting administrative proceedings against Fields charges that he made multiple fraudulent offers through his two sole proprietorships – Anthony Fields & Associates (AFA) and Platinum Securities Brokers. Fields allegedly provided false and misleading information concerning AFA’s assets under management, clients, and operational history to the public through its website and in SEC filings. Fields also failed to maintain required books and records, did not implement adequate compliance policies and procedures, and promoted himself as a broker-dealer while he was not registered with the SEC.

Also today, in recognition that fraudsters are now turning to new and evolving platforms to peddle their scams, the SEC issued two alerts to highlight the risks investors and advisory firms face when using social media.

One of these alerts, a National Examination Risk Alert titled “Investment Adviser Use of Social Media,” provides staff observations based on reviews of investment advisers of varying sizes and strategies that use social media. The bulletin addresses issues that may arise from social media usage by firms and their associated persons, and offers suggestions for managing the antifraud, compliance, and recordkeeping provisions of the federal securities laws. The alert notes that firms need to consider how to implement new compliance programs or revisit their existing ones to align with the rapidly changing technology.

In the SEC’s second bulletin, an Investor Alert titled “Social Media and Investing: Avoiding Fraud” prepared by the Office of Investor Education and Advocacy, the aim is to help investors be aware of fraudulent investment schemes that use social media, and provide tips for checking the backgrounds of advisers and brokers.

January 4th, 2012|Fraud, Social Media|

More on legal troubles from employer misuse of social media information

Legal experts say that litigation resulting from employer misuse of social media information is likely to rise, at least until more case law is established. And even if the company prevails in such lawsuits, there may be reputational risks as the cases grab the national spotlight.

Media sources reported that next week, for example, a National Labor Relations Board judge will rule whether American Medical Response of Connecticut illegally fired a worker after she criticized her boss on Facebook. In what labor officials and lawyers view as a ground-breaking case involving employees and social media, the NLRB stepped in to argue that workers’ criticisms of their supervisors or companies on social networking sites are generally a protected activity and that employers are violating the law by punishing workers for such statements. According to media reports, American Medical denied the board’s allegations, stating they are without merit, and that “the employee was discharged based on multiple, serious complaints about her behavior.” The company added that “the employee was also held accountable for negative personal attacks against a coworker posted publicly on Facebook…”

Media sources also reported on another pending case, filed in Georgia against a school district, in which a former high school teacher is claiming that she was essentially forced to resign over Facebook photos that showed her drinking alcohol during a European vacation.

And in a case settled in 2009, two workers in New Jersey sued their employer, Hillstone Restaurant Group, after they were fired for violating the company’s core values. According to court documents, their supervisors gained access to postings on a password-protected Myspace page meant for employees but not managers. The jury found that the employer violated the federal Stored Communications Act and the equivalent New Jersey law, and awarded the employees $3,403 in back pay and $13,600 in punitive damages. Hillstone appealed before the parties reached an undisclosed settlement.

Labor relations pros caution that before taking any adverse action based on social media postings, the employer should consider whether the information could be construed as a complaint or report of inappropriate or unlawful behavior. This includes, but is not limited to, discrimination, harassment, unpaid overtime and other wage violations, or any activities that may trigger an employee’s whistleblower protection.

January 23rd, 2011|Educational Series, Employment Decisions, Judgment, Lawsuit, Social Media|