Got EU Data?

Emerging tech companies take note – if you collect the personal data of European citizens from the United States, or otherwise transfer that data to the U.S., recent developments mean your legal obligations may change soon.

Background

Citizens of EU member states have an explicit right to privacy.  In practice, this means companies can transfer EU citizens’ personal data out of the EU only if the destination country has an adequate level of protection.

Historically, it has not been a problem to store EU citizen data in the United States.  Under an agreement between U.S. and EU regulators, which is often referred to as the “Safe Harbor,” a U.S. company could transfer that data to the U.S. by certifying to the U.S. Department of Commerce that it would adhere to European privacy principles.  The U.S. Federal Trade Commission, in turn, could bring enforcement actions against the company if it failed to comply.  More than 4,000 companies took advantage of the Safe Harbor to transfer data to the U.S., from Amazon and Google to emerging tech companies in the upper Midwest.

After Edward Snowden revealed that the US government may have indiscriminately conducted mass surveillance of EU citizens’ personal data, an Austrian Facebook user complained to EU authorities that the U.S. lacked adequate protections. On October 6, 2015, the Court of Justice of the European Union ultimately agreed and invalidated the Safe Harbor framework.

Bad Alternatives

The ruling had an immediate impact on businesses of all stripes that relied on the Safe Harbor, particularly emerging tech companies.  They were left with a handful of bad alternatives –

  • keep the data in the EU – potentially expensive or unworkable;
  • obtain user consent or use model contract provisions – also potentially expensive or unworkable, especially for companies already processing data on behalf of existing business customers with an EU presence; or
  • leverage binding corporate rules – a time-consuming process ultimately requiring approval of EU data authorities.

Worse still, the Court of Justice of the European Union ruling implicitly called into question some of these alternatives.  Recognizing the problem, EU regulators gave themselves and their U.S. counterparts until January 31, 2016 to find an alternative.  This set off intense negotiations among regulators.

Privacy Shield

On January 28, 2016 the U.S. Senate Judiciary Committee approved a bill that would allow EU citizens to sue the U.S. government for privacy violations.  Just a few days ago, on February 2, the European Commission and the U.S. Department of Commerce announced the outline of a potential Safe Harbor replacement, dubbed the “Privacy Shield.”  According to the releases:

  • U.S. companies will have stronger obligations to protect personal data of EU member state citizens. Among other things, they will be required to comply with the decisions of the EU data protection authorities regarding personnel data.
  • U.S. companies will remain subject to enforcement actions for privacy violations by the FTC, and EU privacy regulators will have the ability to refer complaints of EU member state citizens to the FTC.
  • If an EU citizen lodges a complaint regarding inappropriate activity by U.S. authorities, a new Ombudsperson at the U.S. State Department will review it.
  • Alternative dispute resolution for certain complaints will be made available for free.
  • The U.S. will commit not to indiscriminately conduct mass surveillance of EU citizens. S. guarantees regarding limits and oversight will be reviewed annually by the European Commission and the U.S. Department of Commerce.  U.S. national security agencies will be invited to participate in those reviews.

To Be Determined

The outline lacks many details that will prove vital to providing a meaningful and lasting legal alternative for U.S. technology companies.  Important outstanding questions include:

  • Will free alternative dispute resolution result in an increased number of complaints?
  • Will U.S. security agencies take up invitations to participate in annual reviews, and will those reviews be meaningful? If not, will the Court of Justice ultimately invalidate the Privacy Shield as it did the Safe Harbor?
  • Will the Privacy Shield be suspended if EU authorities conclude that the U.S. failed to comply with the Privacy Shield’s limits?
  • By when will the EU and U.S. finalize these and other Privacy Shield details? EU regulators suggested that final approval could take up to 3 months, but some EU lawmakers and privacy advocates are already arguing the Privacy Shield is not enough.

In The Meantime

While the Privacy Shield winds its way through the EU legislative process, the chair of the group composed of EU data protection agencies said the group will not take enforcement action against U.S. companies that continue to use existing legal alternatives like model contract clauses and binding corporate rules.  While these alternatives may be difficult for many emerging technology companies, they currently remain likely the only legal way to collect data from the U.S. of EU citizens or otherwise transfer EU personal data to the U.S.

AlphaTakes – The Basics of Capitalization Tables

In this AlphaTakes video, paralegal Macy Stoneback provides a brief summary of the capitalization table (“cap table”) for an emerging technology.

Here are the key takeaways from this video:

    (1) The cap table shows the outstanding equity of the company as of a given date, broken down by shareholder and equity type.

    (2) Officers refer to cap tables often when considering issuing equity to employees, advisors, and others.

    (3) A pro forma cap table can be prepared to see how shareholders and option holders are affected by actions like adding shares to the stock incentive pool, raising a round of financing

AlphaTakes – Most Common Types of Securities Issued in Investor Financings

In this AlphaTakes video, Matt Storms discusses the most common types of securities issued in investor financing of privately held emerging technology companies. Since most emerging technology companies are organized as corporations due to investor requirements, he is going to focus on the types of securities issued by corporations.

Here are the key takeaways from this video:

    (1) Common stock is the base form of security issued and is typically sold to founders and friends and family.

    (2) Convertible debt is the most frequently used security in between priced financing rounds.

    (3) Convertible preferred stock is the security of choice for angels and institutional investors.

    (4) Other forms of securities include convertible equity and preferred stock without a conversion feature.

AlphaTakes – Anti-Dilution Provisions

In this AlphaTakes video, Matt Storms discusses anti-dilution provisions in investor transactions involving an emerging company.  He outlines the different types of anti-dilution protection provisions that are typically negotiated and how they commonly impact the company.

Here are the key takeaways from this video:

    (1) Anti-dilution provisions contain rights in which the company provides some level of downward price adjustment to the holders of the rights in the event that the company sells securities at a lower price

    (2) The two most common types of anti-dilution provisions are full ratchet and weighted average, with weighted average being used in the overwhelming majority of circumstances

    (3) The exceptions or carveouts to the anti-dilution adjustments can be important in negotiating anti-dilution provisions

AlphaTakes – Determining the Size of the Stock Option Pool

In this AlphaTakes video, Meechie Pietruczak discusses calculating the number of shares in an emerging technology company’s option pool.

Here are the key takeaways from this video:

  1. Emerging technology companies usually create stock option pools to compensate and incentivize employees, directors, consultants and other independent contractors.
  2. The size of the option pool is typically calculated as a percentage of all capital stock, which is often in the range of 10 to 20%.
  3. The size of the option pool may have a significant impact on the price per share paid by an investor.

AlphaTakes – Series A Preferred Stock Term Sheet (part two)

In this second of a two part AlphaTakes video series, Matt Storms discusses the second half of the Series A Preferred Stock term sheet for an emerging technology company, using the Series A term sheet published by the National Venture Capital Association.

Here are the key takeaways from this video:

  1. The three most common alternatives to anti-dilution provisions:
    • Weighted average
    • Full ratchet
    • No anti-dilution provisions
  2. Several provisions are not typically heavily negotiated in Series A financings:
    • Pay to play requirements
    • Attorneys’ Fees
    • Registration rights
    • Participation rights
    • Drag-along rights
    • No shop requirements
  3. Keep an eye on the big picture

AlphaTakes – Series A Preferred Stock Term Sheet (part one)

In this first of a two part AlphaTakes video series, Matt Storms discusses the first half of the Series A Preferred Stock term sheet for an emerging technology company.  He provides a summary of some of the key terms of the Series A term sheet, using National Venture Capital Association (“NVCA”) model document.

Here are the key takeaways from this video:

  1. The NVCA documents are great resources for understanding the Series A financing, but are fairly investor friendly.
  2. Typical preferred stock dividend provisions alternatives include the following:
    • If and when paid to the common stock
    • Accruing and cumulative
    • If and when declared by the board
  3. Most common preferred stock liquidation preferences alternatives include the following:
    • Non-participating preferred
    • Participating preferred
    • Participating preferred with a cap
  4. Preferred stock typically includes special voting rights, such as designating one or more members to the company’s board of directors and veto rights over certain company actions.