The Legal Intelligencer – What US Construction Companies Need to Know About the GDPR to Avoid Fines By Julie Negovan
On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) took effect. This law makes significant changes to European data privacy and security requirements for companies dealing with individuals located in the EU (whether they are citizens, immigrants, or visitors at the time their data is collected). So what? How would such a technical EU regulation affect a US-based construction company?
The EU has always had a different take on the protection of personal information than the US. The GDPR was implemented because, essentially, the EU’s old data protection laws, first enacted way back in 1995, were perceived to be inadequate to keep up with the explosive growth in data and the technology surrounding it. According to the GDPR website, the new regulation was designed “to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
What information is involved?
GDPR aims to protect the “personal data” of EU residents, including how the data is collected, stored, processed and destroyed. Importantly, the meaning of “personal data” under the GDPR goes far beyond what you might expect considering how similar terms are defined in the US. Under the GDPR, “personal data” means any information relating to an identified or identifiable natural person. A person can be identified from information such as a name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This even includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs.
While that information is not generally the target of collection by US construction firms, some such information is routinely provided by subcontractors, consultants, and vendors during the contracting process. It is particularly likely that such information is collected where the team members are participating in a project using Building Information Management (“BIM”) protocols.
How does the EU Regulation Reach the US?
A major change made by the GDPR is the territorial scope of the new law. The GDPR replaces the 1995 EU Data Protection Directive, which generally did not regulate businesses based outside the EU. Now, however, even if a US-based business has no employees or offices within the boundaries of the EU, the GDPR may still apply.
Under Article 3 of the GDPR, your company may be subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed. This is the case where the processing relates to the offering of goods or services or the monitoring of behavior that takes place in the EU.
Thus, the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR. In particular, if your website pursues EU residents – accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, provides translation in the language of an EU country, or markets in the language of an EU country – the GDPR will apply to your company.
Since this is a brand-new law, and the application of the language concerning the scope of the prohibitions has never been tested, it is important for all US companies to be aware of the possibility of the law’s enforcement against them.
What should I do?
For U.S. companies, interactions with those situated in the EU will have to be adjusted to obtain explicit consumer consent to collect personal information. In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.”
For example, say a New Jersey-based company is looking to run a campaign to advertise for partners for a project (vendors, subcontractors, consultants) in France and has set up a webpage to collect email addresses. At the very least, the company will need a checkbox — without a default “x” in it — accompanied by clear language about what it will be doing with these email addresses. And it’s not allowable to ask the user to click on a link to a long “terms and conditions” document filled with legalese.
Once the data is collected, US companies will then have to protect it under the GDPR’s rules. In particular, the tough new GDPR 72-hour breach notification rule will certainly require special attention. When there’s a breach involving “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed,” then your firm will need to analyze whether the exposed or affected EU personal data identifiers can cause “risk to the rights and freedoms” of EU citizens.
The GDPR gives some leeway in weighing the risks, but inadvertent exposure of email addresses or personal data that contains sensitive information would require notification to an EU regulator or “supervising authority” within 72 hours. Where there’s “high risk” to fundamental property and privacy rights — typically, exposure of credit card numbers or account passwords — the affected EU citizens will also have to be notified.
There are still many questions of how the EU will enforce these actions against US and other multinational companies. What we do know is that the EU is serious about a uniform data and privacy law and major US companies have changed their practices as a result.
What happens if I don’t?
The GDPR imposes significant fines on companies that fail to comply. Penalties and fines, calculated based on the company’s global annual turnover of the preceding financial year, can reach up to 4% or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less serious infringements. So, for example, if a company fails to report a breach to a data regulator within 72 hours, as required under Article 33 of the GDPR, it could pay a fine of the greater of 2% of its global revenue or €10 million.
There are reports predicting that more than 50% of companies within the scope of the GDPR will not be compliant by the end of 2018, even though the May 2018 deadline has passed. Considering that one of the main objectives of the GDPR was to expand the territorial scope of protection, companies based outside the EU should not be surprised to find that they are a particular target of EU data regulators.
As a precaution, US construction companies should evaluate their communications with their EU partners to determine whether they may be subject to regulation under the GDPR, and if so, how to structure those communications to protect against any possible violation.
Reprinted with permission from the August 6, 2018 edition of The Legal Intelligencer. © 2018 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
Contact Us | P 215.618.3720 | F 215.814.9049
1880 John F. Kennedy Boulevard
Philadelphia, PA 19103
195 Montague Street, 14th Floor
Brooklyn, NY 11201
11 Garfield Place Cincinnati, OH 45202