Scherzer Blog

New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope of the GDPR’s Article 3 (2). Generally described as the GDPR’s “targeting criteria,” your business must be GDPR compliant if it engages in processing activities of an EU individual’s data (data subject) related to (1) offering goods or services to data subjects, or (2) monitoring data subjects’ behavior. Although the EDPB’s guidelines state that the targeting criteria are applied on a case-by-case basis, the guidelines provide several examples showing how the targeting criteria can be applied that clarify some basic points, such as:

  1. The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
  2. Geographic location and timing are critical. For purposes of applying the GDPR, the data subject’s geographic location is assessed at the moment when your activity occurs; e.g., when your goods or services are offered, or your monitoring of the data subject’s behavior begins.
  3. Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
  4. Cookies are considered monitoring. The GDPR protects data subjects whom your business profiles or analyzes by using cookies or similar technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR must appoint an EU-based representative, even though the company does not have a physical location within the EU. A company’s Data Protection Officer, who can be an existing employee of the company under the GDPR, cannot fulfill the requirements for an EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can even be held liable for any non-compliance, including being fined or otherwise sanctioned.

Consultation Period

The territorial scope and the appointment of an EU-based representative pose two of the most critical issues that a non-EU-based company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at EDPB@edpb.europa.eu.

The legalities of monitoring employees online

As a general principle, employers are legally permitted to monitor their employees online during business hours. Keeping a close eye on workers can help maintain company confidentiality, limit workers from surfing the web on company time and ensure the prevention of harassment.

But such monitoring does come with caveats, as well as risks.

For example, screening employee email on the employer’s network may be permissible but may require advance notice. In states such as Connecticut and Delaware, laws are in place that require employers to provide prior notice before electronically monitoring employees. A union contract may also place certain limits on monitoring and public-sector employees may have some rights under the Fourth Amendment with regard to unreasonable search and seizure.

Federal law can also come into play. Although the Electronic Communications Privacy Act (ECPA) generally prohibits the monitoring of electronic communications, it contains a “business purpose exception” that permits employers to monitor the electronic communications of workers if the company has a “legitimate business purpose.” The statute also allows monitoring with consent and many companies do this by including such permission as part of the onboarding process for new employees before granting access to the company’s networks or systems.

Another wrinkle: third-party communications. States such as California and Illinois mandate that all parties to a communication provide consent to its interception in transit. For employers, that means providing notice to recipients of employee emails and obtaining their consent before scanning a message from a friend or third party. Many companies post a notice on the company’s website and/or include a statement in employee emails that all messages are subject to monitoring and any response implies consent with the employer’s practices.

Even with all these issues, monitoring emails may be more straightforward than focusing on employee social media accounts. The Stored Communications Act (SCA) addresses the situation of accessing electronic communications stored by a provider (such as Gmail or Microsoft), as distinct from an employer accessing emails on its own system. Under the SCA, employers can be liable for the unauthorized access and disclosure of electronic communications in storage on corporate servers of a provider.

Further, roughly half the states ban employers from either requiring or requesting a worker to verify a personal online account like a Facebook profile, blog or Instagram or to log on to their social media account. While technology is available for employers to get around these laws (using keystroke logging software, for example, or taking screenshots), some of the information being monitored by an employer could itself be protected – such as union organizing activities under the National Labor Relations Act, attorney-client communications or in some states, geolocation data.

Mobile devices add another layer to the analysis. For workers using employer-provided mobile phones or devices, the employer has the right to legally monitor use from contact lists to photos and videos to Internet visits and emails. As for bring-your-own-device (BYOD) situations, the terms are generally dictated by the employer’s BYOD policy, but this is an emerging area of law and therefore murky.

All of these legal considerations are centered in the United States. Companies that operate outside the U.S. borders will have international law to contend with as well, notably the European Union General Data Protection Regulation (GDPR) and regulations found in its member states. As a general matter, EU law and the GDPR offer employees a greater level of privacy than that found in the United States. Last year, the EU’s highest court did rule that companies can monitor employee email – if workers are notified in advance.

Perhaps most importantly, employers should recognize that like all things related to technology, the legalities of monitoring employees online are constantly evolving. Being able to adapt to changing laws, regulation and technology will keep employers on their toes.

Business identity theft is alive and well

And it can happen to your business.

Criminals do not discriminate – any type of business or organization of any size or legal structure including sole proprietorships, partnerships, LLCs, trusts, non-profits, municipalities and county governments, school districts and corporations are all targets for business identity theft.

What exactly is business identity theft?  First, let’s clarify that we are not talking about an information security breach or an incident involving the loss or theft of confidential consumer information. Rather, business identity theft discussed here involves the actual impersonation of the business itself.

It happens when criminals pose as owners, officers or employees of a business in order to get their hands on cash, credit or loans, leaving the business on the hook to deal with the debt. A favorite tactic of identity thieves involves the theft of the tax identification number (TIN) or employer identification number (EIN) of the company or the owners’ personal information to use that data to open new lines of credit or obtain a business loan based on the company’s identity.

Another common form of business identity theft occurs when criminals file fake documents with the Secretary of State’s office to change company information such as its registered address or the names of directors, officers or managers. Once the records have been changed, the identity thieves can establish lines of credit or new accounts with the false information.

Other examples of the fraudulent use of a company’s information include current or former employees making use of their access to financial documentation; establishing a temporary office space or merchant accounts in a company’s name; going through a business’s trash and recycling bins to find account numbers or other sensitive data; using phishing attacks or other scams to get the business’s banking or credit information from employees; and filing for tax credits with stolen EINs.

Businesses are an attractive target for identity thieves. Generally speaking, a company will have higher credit limits than an individual, so opening a new account or line of credit in a business’s name will yield more cash for a criminal and larger purchases will receive less scrutiny. Perhaps most frustrating, companies are required by law to report certain identifiers (an address, EIN/TIN, and names of directors in most states), meaning the information is publicly available and easily accessible to anyone.

The invoicing and payment terms typically available to businesses can also work against them. Identity thieves may have a window of up to 30 days after a purchase to disappear before a company detects a problem – and even longer if the thieves use a different address.

Unfortunately, business identity theft is an underreported crime for a variety of reasons. Companies often have no idea their identity has been compromised until they begin receiving unfamiliar bills and collection notices when it is already too late to stop the thieves. Government agencies receive frequent requests for changes to company information and an address change is unlikely to raise red flags. Some businesses aren’t paying close enough attention or fail to caution employees about the possibility of phishing scams, while others may be embarrassed or concerned about their reputation with customers and don’t want to report what happened.

Given the underreporting problem, statistics on business identity theft can be hard to come by. However, the Internal Revenue Service (IRS) said it has seen the number of corporate tax returns flagged for potential business identity theft increase exponentially in recent years, from 350 in 2015 to 4,000 in 2016 with a jump to 10,000 in only the first six months of 2017. The cost of the damage has also risen dramatically, from $122 million in 2015 to $268 million the following year and $137 million for just the first half of 2017.

Importantly, these numbers reflect just one of the many forms of business identity scams.

What can companies do to protect themselves? Click here for a checklist of the most important steps for prevention and what to do if your business becomes a victim.

April 12th, 2018|Criminal Activity, Fraud, Security|

All judgments and tax liens to be removed from consumer credit reports

As reported last year, Equifax, Experian and TransUnion (the “NCRAs”) implemented enhanced standards for the collection and timely updating of public record data as part of the requirements of the National Consumer Assistance Plan (the “NCAP”) and accordingly, effective July 1, 2017, removed all civil judgments and the majority of tax liens from their databases.

The NCRAs are now going a step further to comply with the NCAP’s standards and to resolve pending litigation by removing all tax liens from consumer credit reports effective April 16, 2018. Bankruptcy records will continue to be reported.

March 22nd, 2018|Judgment, Legislation|

We Continue to Jingle!

Arthritis is a serious and growing health crisis – impacting one in every five adults and an estimated 300,000 children. It’s America’s #1 cause of disability. The Arthritis Foundation’s Annual Jingle Bell Run aims to change those numbers. At Scherzer International we are continuing our efforts to raise funds for those affected by Arthritis.

This past Thursday, November 16, we had our first fundraiser for the 2017 Jingle Bell Run at The Stand. SI employees, their families and friends made their way over to The Stand and enjoyed some delicious items. From every purchase, 20% of the proceeds went to support SI’s fundraising goal, which aims to raise funds and awareness for arthritis. Thank you to The Stand Northridge and Woodland Hills locations for the wonderful food and for supporting local community fundraisers like ours.

Everyone’s efforts are greatly appreciated. Thank you to anyone who has donated or shared a social media post. If you would like to see us reach our fundraising goal and get a head start on your New Year’s Resolution by participating in The Jingle Bell Run, just click here!

“Jingle Bell, Jingle Bell, Jingle all the way 
Oh what fun it is to run with the Scherzer Fam today!”

November 20th, 2017|Scherzer Giving Back|

Scherzer International Hosts C5LA Executive Leadership Lunch

C5LA Youth Leaders with SI employees on March 28th, 2017

On March 28th, Scherzer International had the pleasure of hosting an amazing group of students from the C5LA Youth Foundation. The students began their visit in the company’s conference room, where managers and executives gave presentations describing their duties, their department’s role in the company, and their personal academic and career paths. The session wrapped up with a lively discussion driven by the C5LA students’ questions about background checks, running a business and innovation.

Afterwards, students and staff gathered in the break room for a social lunch to get a sense of the company’s culture and work environment.  After filling up on lunch and conversation, the students were given a tour of SI’s office to see what happens “behind the scenes” when preparing background reports.

Our C5LA guests wrapped up their visit by hearing from our HR manager who described SI’s summer internship program, which has included C5LA students in past years, some of whom have chosen to return to SI as full time employees. Everyone at SI agrees that any one of the students who visited us in March would be a great asset to the team!

Larry and Carole Scherzer both serve on the C5LA foundation’s Board of Directors and are strong supporters of the organization’s mission and programs. C5LA aims to provide underserved adolescents throughout the Los Angeles area with the resources and opportunities necessary for them to successfully pursue a college education and lead in their communities.

About the C5LA visit, Larry Scherzer said, “It was very moving to see such bright, ambitious students engaging with SI’s employees and taking such interest in our business. I keep thinking about one of C5LA’s theme songs, Ain’t No Mountain High Enough.”

Scherzer International makes a conscious effort to give back to the community as much as possible. The company regularly participates in fundraisers and toy drives benefiting organizations such as the Arthritis Foundation and Child and Family Guidance Center.

The Swiss-U.S. Privacy Shield Framework is approved

The Swiss-U.S. Privacy Shield Framework (the “Framework”) made its debut on January 12, 2017 without much fanfare when Swiss federal councillor Johann Schneider-Ammann announced the Framework’s approval as a valid legal mechanism to comply with Swiss requirements for transferring personal data from Switzerland to the United States. The Framework, designed by the U.S. Department of Commerce (the “DOC”) and the Swiss government to align with the EU-U.S. Privacy Shield, will immediately replace the U.S.-Swiss Safe Harbor. The DOC will begin accepting self-certifications starting April 12, 2017 to give organizations ample time to review the new Framework’s principles and compliance requirements. For more of Scherzer International’s coverage of the EU-U.S. Privacy Shield, click here.

European Commission Adopts EU-US Privacy Shield as Replacement for EU-US Safe Harbor Framework

What this is about

On July 12, 2016, the European Commission formally adopted the EU-US Privacy Shield (the “Privacy Shield”) which will provide organizations a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. This new privacy framework reflects the requirements set out by the European Court of Justice in its October 2015 landmark decision in Maximillian Schrems vs. Data Protection Commissioner, which declared the EU-US Safe Harbor privacy regime invalid.

Privacy Shield overview

The framework provides a set of robust and enforceable protections for the personal data of EU individuals, as well as transparency regarding the use of such data by participating companies, strong US government oversight, and increased cooperation with EU data protection authorities. For more information, see the US Department of Commerce (“DOC”) factsheet and FAQs.

Joining the program

The DOC will start accepting self-certifications beginning August 1, 2016. Organizations must identify and register with an independent dispute resolution provider prior to submitting their self-certification.

About self-certification

The decision to participate in the program is voluntary; however, once an organization publicly commits to comply with the framework’s principles through self-certification, that commitment is enforceable under US law by the relevant authority, either the US Federal Trade Commission or the Department of Transportation. To receive the Privacy Shield’s benefits, an organization must self-certify annually to the DOC that it agrees to adhere to the framework’s requirements, based on the privacy principles that include notice, choice, access, and transfer accountability. See the DOC’s guide for more information about participation and compliance requirements.

Disclaimer: This communication is for general informational purposes only, and does not constitute legal advice. No recipient should act, or refrain from acting, on the basis of any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.

For further information, please contact us at 1-866-723-2287.

The EU-US Privacy Shield Framework text is now available

U.S. Secretary of Commerce Penny Pritzker released a statement regarding the historic agreement, noting that the “EU-US Privacy Shield is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic.”

The EU-US Privacy Shield Framework (the “Framework”) was designed by the U.S. Department of Commerce (the “DOC”) and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

The Framework provides robust and enforceable protections for the personal data of EU individuals, mandating transparency for participating companies, strong U.S. government oversight, and increased cooperation with EU data protection authorities. Offering EU individuals access to multiple avenues to address concerns regarding participants’ compliance and a free dispute resolution, the Framework makes it easier for EU individuals to understand and exercise their rights.

The European Commission proposed that the Framework be deemed adequate to enable data transfers under EU law, and that proposal is now in the approval process. Once an adequacy determination is made, the DOC will begin accepting certifications under the Framework. Similar to the certification process of the now invalid Safe Harbor, if a U.S.-based company wishes to join the Framework, it will be required to self-certify to the DOC and publicly commit to comply with the Framework’s requirements. While joining the Framework will be voluntary, once an eligible company certifies compliance, the commitment will become enforceable under U.S. law.

Read the fact-sheet about the EU-US Privacy Shield Framework here.

Read the full text of the EU-US Privacy Shield Framework here.

February 29th, 2016|European Union|

Judicial Redress Act of 2015 signed into law

On February 24, 2016, President Obama signed the Judicial Redress Act of 2015 (“the Act”) into law, a major step toward formalizing the recently announced privacy framework, the EU-U.S. Privacy Shield, which will replace the Safe Harbor program that was declared invalid by the European Court of Justice in October 2015. The Act’s intent, as explained by House Judiciary Committee Chairman Bob Goodlatte (R-VA), is to reestablish the United States’ credibility with the European Union following the highly-publicized leaks of classified information in the recent years.

The Act extends to the citizens of EU countries that permit commercial transfers of personal data [to the United States] similar rights to those enjoyed by US citizens under the Privacy Act of 1974, which established a code of fair information practices that govern the federal government’s collection, maintenance, use, and dissemination of information about individuals. The citizens of these EU countries will now be allowed to sue the United States for unlawful disclosure of their personal information obtained in connection with international law enforcement efforts. Under current law, only US citizens and legal residents can bring such claims against the federal government.

Read the text of the Act here.

February 28th, 2016|European Union, Legislation|