Stubbs Alderton & Markiles Partner Heather Antoine will moderate a panel at the 2019 World Technology Law Conference on "GDPR and its Progeny: Lessons Learned and What to Expect Globally." It has been a year since GDPR went into effect. Was it the start of a data protection revolution or a data protection catastrophe? How have data and security practices changed, and what have we learned? How are data protection laws changing around the globe? Join us as Heather poses these questions and learn how these laws affect clients, how to comply, and how to survive.

The event will be May 17th, 2019 in Boston, Massachusetts.

For more information about the event visit here.

Heather Antoine is a Partner and Chair of the Firm’s Trademark & Brand Protection practice and Co-Chair of the Privacy & Data Security practice group. Heather’s practice focuses on protecting a company’s intellectual property, a fundamental feature of every business. Heather’s practice includes trademark clearance and selection, domestic and foreign trademark prosecution, enforcement, proceedings before the Trademark Trial and Appeal Board (TTAB), licensing, trade secret protection, copyright, rights of publicity, domain name disputes, and general client counseling. Heather believes in supporting companies at each stage, from due diligence when choosing a name, to ongoing brand management, to ensuring portfolios are safeguarded and ready for sale. Heather is also focused on guiding businesses through the ever-expanding maze of privacy laws, both domestically and internationally. This includes drafting website policies and compliance with specific privacy laws (such as the General Data Protection Regulation (GDPR), the Children’s Online Privacy Protection Act (COPPA), and the California Consumer Privacy Act (CCPA)). Heather works with companies to design and strengthen their privacy and data security policies and practices, to help them prevent data security breaches, and to minimize the risks associated therewith. Heather serves as Vice Chair of the California Lawyers Association Intellectual Property Section. Heather frequently speaks and writes about IP, Internet, tech, and privacy issues. She has been quoted in publications such as the Los Angeles Times and CNBC. Heather has been recognized by her peers for excellence in her practice, having been selected as a Southern California Super Lawyers Rising Star® multiple times.

For more information about our Trademark & Brand Protection Practice contact Heather Antoine at 

Effective as of May 25, 2018, the European Union’s General Data Protection Regulation (“GDPR”) imposes strict regulations on the way companies collect, record, organize, store or disclose (collectively, “process”) certain personally identifiable information (“Personal Information”) that is received in the US from the European Economic Area (“EEA”). Any business that provides goods or services, regardless of whether there is a payment for such goods or services and regardless of where such business is geographically located, and that collects Personal Information of an EU resident who is physically located in the EU at the time of collection, must be GDPR compliant. Collection of information relating to an EU citizen who is outside of the EU when the Personal Information is collected does not subject a business to GDPR. Listed below are GDPR’s major initiatives that data processors—including American companies—should be particularly mindful of when adhering to the new legislation:

Informed Consent
In order to process Personal Information, the collector must obtain valid consent. In order to be valid under GDPR, consent must be freely given, specific, informed and unambiguous. Consent may not be a prior condition to using the website or services. If the user is to sign or assent to a written declaration, the terms must be in clear and plain language and easily accessible. Further, the user should have the right to withdraw their consent at any time.

Consent can be achieved by acceptance of a Privacy Policy or Terms of Service; however, these agreements require “active opt-ins”. Pre-selected opt-in boxes are invalid, and there must also be a clear, separate consent for every use of data. For example, consent for the service provider’s cookies and consent for a third party’s cookies must be displayed independently in a discernible manner.

Notification of Data Breach
Data processors must report data breaches to a supervisory authority within 72 hours of learning of the breach. The report must include what data was impacted, the likely consequences to follow and how the issue will be addressed moving forward.

Access and the Right to be Forgotten
EU residents may have the right to request a copy of their personal data held by a data processor. Additionally, EU residents can request that their data be deleted without undue delay if they meet one of the requirements listed in Article 17. These requirements include, but are not limited to, personal data that is no longer necessary in relation to the purposes for which it was processed, consent that was not initially provided to process the data, personal data that was unlawfully processed, or a data processor that has no legitimate grounds for processing the data. Further, in some cases, companies may be obligated to take steps to get third parties or other processors to erase the data as well.

Third Parties and Service Providers
If a company transfers Personal Data to third-party agents or service providers, or if its website, mobile application or service uses plug-ins or connects to any third-party services, those third parties must be GDPR compliant. Under certain circumstances, companies may remain liable for the acts of their third-party agents or service providers in handling EEA Personal Data that the company transfers to them.

Data Protection Officer
Certain data processors will need to appoint a Data Protection Officer (“DPO”) if they are a public body or if they monitor certain data subjects on a large scale, which can include tracking user behavior. DPOs must advise data processors and employees of their obligations with respect to GDPR and also understand the inherent risks associated with data processing operations. Further, they must maintain expertise with respect to the protection of personal data, be reachable by data users, fully cooperate with the supervisory authority and have the necessary resources to carry out the job.

Parental Consent
The Children’s Online Privacy Protection Rule (“COPPA”) imposes requirements on websites that collect information on children who are under 13 years of age. COPPA specifically requires that parental consent be given for the collection or use of any personal information from children under the age of 13. Consent can be achieved through many methods, such as a personal video conference, postal mail or electronic signature via email. Similarly, GDPR has an expanded requirement whereby parental consent is necessary to collect personal information from children up to age 16. However, member states may provide by their own law for a lower age, as long as the age is not lower than 13. The controller of the online service or site is also required to make reasonable efforts to obtain parental consent.

Penalties
The consequences of GDPR non-compliance can be significant, with financial penalties of up to the greater of 20 million Euros or 4% of the company’s revenues.

Privacy Shield
Fortunately, the European Commission and the US Department of Commerce have reached an agreement on a framework for transfers of Personal Information to the United States from the European Union. The EU-US Privacy Shield does not guarantee GDPR compliance, but it does provide a framework to facilitate transfers that would otherwise not be permitted under applicable EU law. The EU-US Privacy Shield is voluntary and is not a requirement of GDPR compliance.

Compliance
It is vital for every US business that is or may be collecting data in European markets to understand and address GDPR compliance—and ensure all of its employees are engaged participants in the compliance strategy. Only time will tell how strict regulators will be, but knowledge of your data, where it is going, and what is required will equip companies to navigate the new and significant EU regulations.
