U.S. data privacy laws have ties with the European Union (“EU”). As we mentioned in our last blog, with the rise of social media and e-commerce there is a heightened focus on data privacy. Users around the world are providing their personal data such as credit card numbers, real names, postal addresses, social security numbers, demographics, income, browsing history and search history, and age, in order to access, purchase, and communicate online. The U.S. has only recently begun to create data privacy laws, all of which vary by State. Currently, only California and Virginia have legislation signed into law with several States coming closely behind. These State laws are modeled after the comprehensive privacy laws from the European Union (EU). This blog will go in depth about the EU data compliance regulations as it regards U.S. companies raising capital and collecting data from European investors.

General Data Protection Regulation

In 2018, the EU adopted the General Data Protection Regulation (GDPR) which is one of the most stringent data privacy laws in the world. GDPR provides compliance regulations for the EU and companies that collect data or provide goods or services to people in the EU. This regulation was enacted in response to daily security breaches and the increase in cloud services use. Penalties for violating the GDPR can be very high. Ranging from a maximum amount of €20 million or 4% of global revenue, whichever amount is higher. The GDPR defines data processing as “any action performed on data, whether automated or manual.” Some examples include: collecting data, structuring data, storing data, using data, erasing data and more. A data subject is the person whose data is being collected and/or processed. The GDPR also defines some common terms in data privacy such as data controller and data processor. A data controller is someone who decides how someone’s personal data will be processed. A data processor is generally a third party that processes the data for a data controller. The GDPR has specific rules for all parties.

There are seven unique “accountability” principles for data protection that the EU regulation has set forth:

  1. Lawfulness, fairness and transparency–when processing consumer data, it must be done in a lawful, fair, and transparent manner.
  2. Purpose limitation–the data can only be processed for the specified purpose given to the data subject.
  3. Data minimization–Businesses can only collect and process as much data as necessary to achieve specified purpose.
  4. Accuracy–Personal data must be kept accurate and up to date.
  5. Storage limitation–Personal data can only be stored long enough to achieve specified purpose.
  6. Integrity and confidentiality–Data processing must be done with integrity and confidentiality. It is imperative that businesses take appropriate security measures.
  7. Accountability–The data controller has a responsibility to meet all of these principles to ensure GDPR compliance.

The GDPR requires companies to handle data with care by adopting appropriate security measures such as two-factor authentication for employee accounts and end-to-end encryption. Two-factor authentication is an additional security measure that is meant to prevent someone from logging into an account, even if they have the password. For example, it might require the account holder to enter a four-digit code sent to a specific phone number each time someone attempts to log in the account. End-to-end encryption is a way to keep data “secret” until it gets to its intended recipient. Encryption scrambles the data ensuring that it cannot be read by everyone, only the intended recipient can unscramble the data and see the contents. Other measures businesses can take to ensure data security are: staff training, adding data privacy policies, and limiting the access of personal data with employees.

GDPR also prompts business owners to consider data protection in every aspect of the company, such as implementing new products or activities. In the U.S., rules similar to these are slowly but surely being adopted State-by-State. For instance,, California and Virginia have modeled their legislation after the GDPR. You can learn more about the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) in our blog .

Not only does the GDPR set out compliance guidelines for regulating data, it also creates standard contractual clauses (SCCs) that can be used between EU data controllers/processors and non-EU data controllers/processors for data transfers. The European Commission pre-approved the SCCs. Third party businesses such as United States-based businesses who conduct operations in the EU and collect data from EU citizens will need to include these provisions in their contracts. The SCCs are designed to address unanticipated transfers of data situations that the draft failed to include. There are also two different sets of SCCs: one to be used between controllers and processors, and the other to be used for the transfer of data to third businesses in other countries.

Based on the status of a party under the GDPR, they can use the SCCs for four different types of transfers: (1) controller to controller; (2) controller to processor; (3) processor to processor; and (4) processor to controller. When conducting data transfers, the SCCs require parties to be aware of: (1) data protection laws in the participating countries, (2) any obligations to respective governments, (3) liabilities of each party, (4) supervisory authorities, (5) obligations of each party, (6) termination of the contract provisions, (7) the applicable European jurisdiction that will govern the SCCs, and (8) jurisdiction determinations if a suit arises. It is imperative for companies to tailor their obligations with their particular roles in the corresponding transfers.

Also included in the SCCs is an Appendix with three additions to the document, also known as annexes. The first annex is required to be completed by each party and includes three pieces of information: (1) a complete list of the parties to the SCCs; (2) a very detailed description of the transfers; and (3) the identification of the supervisory authority for each party. The second annex requires the party who is importing the personal information of users to describe the technical process of ensuring security of the data being transferred. Finally, the third annex is optional and only needed if there are sub-processors. If the processor is using any sub-processors then they must include that information as well. Due to the United Kingdom (UK) not being part of the EU, the SCCs are not required to be used for UK transfers. However, it is believed that similar data transfer clauses will be adopted in the UK within the near future.

Securities Data Collection

So why as a securities law firm are we discussing the topic of European data privacy laws? It is because States across the U.S. are using the GDPR as a model for their own data privacy laws and as a result of the rising number of companies conducting business and raising funds online. It is therefore important to understand both data privacy laws and securities laws. Business owners need to be aware of how they are processing, storing, sharing, and selling data of Investors, and registered crowdfunding portals also need to take care of how they handle the data of both Investors and Business Issuers. For instance, to qualify for an exemption under regulation crowdfunding (Reg CF), an issuer has to file a disclosure form called the Form C with both the SEC and registered crowdfunding portal. The SEC publishes this information on their EDGAR system. The Form C requires business issuers to provide their personal data such as total assets, director/officer information, business experience, and information about financials. This information also gets stored on the regulated crowdfunding portal.

Furthermore, both the business issuer and registered crowdfunding portal who have investors deriving from across the U.S. and the EU, will need to comply with the GDPR and the data privacy laws of the applicable States. As such, it is important that these issuers and portals follow the seven accountability principles of the GDPR that were discussed above. These parties should also consider taking on additional security practices such as two-factor authentication and end-to-end encryption in order to ensure legal compliance of the GDPR and to avoid costly penalties. Likewise these issuers and portals should apply SCC provisions to their investment and onboarding/user in order to comply with EU data privacy safeguards.

Consumer data protection, although still being introduced in a number of States, has become a major topic of discussion regarding online transactions It will not be long before the SEC mandates certain disclosures regarding data privacy risk factors and/or before venture capital firms and other investors start inquiring about how a business plans to collect and process consumer data before they agree to invest. Now is a great time for issuers and regulated crowdfunding portals to stay ahead of the curve and be proactive with how they handle Investor and other users’ data. Contact us to get help with properly drafting and disclosing important risk factors relating to Investor’s data in your crowdfunding offer.

*with contributions and additions by Elizabeth L. Carter, Esq., Managing Attorney