Certified to the Privacy Shield? Great! So you’re done in terms of GDPR compliance, right? Think again.

As we have discussed in previous newsletters, no matter where you are in the world, the General Data Protection Regulation (GDPR) applies to you if you are collecting or processing personal data of any EU individual. The law goes into effect in May.

The Privacy Shield is one of the GDPR’s mechanisms to overcome the US being an “inadequate jurisdiction” with respect to handling of personal data. While the Privacy Shield sets out a long list of principles to which participants must adhere, that list does not quite match up with those of the GDPR, requiring even Privacy Shield participants to take additional steps before May. Among those steps are giving attention to the following: 

Your privacy policy. The Privacy Shield and the GDPR both have requirements for the privacy notice. Some are the same, such as requiring a description of the types of data collected, the purposes for which it is collected, to whom the data may be disclosed, the right of data subjects to access their data, and the rights of individuals to lodge complaints. The GDPR’s particular requirements include, inter alia, statements about how long data is held, a data subject’s right to “be forgotten” (or have their data deleted), the legal basis and legitimate interests for the data processing, whether the data will be transferred out of the EU and, if so, the corresponding transfer mechanisms, and whether any profiling or automated decision-making takes place. The Privacy Shield’s particular requirements include having a statement about the entity’s participation in the Privacy Shield and a link to the Privacy Shield participant list. 

Your vendor/service provider contracts. The Privacy Shield and the GDPR both have requirements for data processing contracts as well. For example, both the Privacy Shield and GDPR require that a processor implement appropriate technical and organizational safeguards. In many other situations, however, the GDPR’s contract requirements are broader than those of the Privacy Shield, such as requiring that every contract specify the subject matter of processing, duration of the processing, nature and purpose of processing, type of personal data to be processed, and categories of data subjects about which the data relates. 

Among other examples of where the GDPR and the Privacy Shield are aligned in spirit but not in the letter are the GDPR requirement that a processor act only on controller’s written instructions, compared with the Privacy Shield’s reference to “instructions.” These differences necessitate professional guidance regarding your specific situation.

Short-Term To-Do’s

Whether or not you have obtained Privacy Shield certification, there are a number of steps you should consider in the near future to bolster your GDPR compliance position: 

  • Determine if GDPR applies to you; it usually does if your business has any material contact with the EU;
  • Determine if a Privacy Shield filing would be beneficial to you;
  • Inquire of counterparties regarding their GDPR compliance efforts, including Privacy Shield filings;
  • Update privacy policies to reflect GDPR requirements for disclosure of intended use of information; and
  • Designate responsible senior staff as responsible for compliance. 

Compliance must be viewed as a business necessity in that penalties may be as much as 4% of annual revenue (turnover). Contact any of us in the Privacy and Data Security practice group to assist with your compliance efforts.

The Ever-Changing Bankruptcy Landscape for Trademark Licenses

In our Intellectual Property Law Update of December 2016 we advised you of the recent decision of the Bankruptcy Appellate Panel for the First Circuit Court of Appeals (the “BAP”) in Mission Products Holdings, Inc. v. Tempnology (In re Tempnology, LLC) upholding the rights of a licensee of trademarks to continue use of trademarks after the debtor’s rejection of the trademark license. As set forth below, the First Circuit recently reversed that decision. 

In 1988, Congress amended the Bankruptcy Code to add section 365(n) and a definition of “intellectual property” to protect licensees of intellectual property in response to a decision of the Fourth Circuit Court of Appeals in Lubrizol Enterprises, Inc. v. Richmond Metal Finishers Inc. The Fourth Circuit in Lubrizol held that the rejection of an intellectual property license by a bankrupt licensor terminated the licensee’s rights, even where doing so drastically disrupted the licensee’s operation. 

Section 365(n) of the Bankruptcy Code provides that a licensee of “intellectual property” (notably, not including trademarks) has two options when a debtor seeks to reject an intellectual property license: the licensee may either (i) treat the agreement as terminated and assert a claim for damages; or (ii) retain the right to use the licensed IP for the duration of the license, subject to certain requirements (including payment of all royalties under the terms of the contract and that the licensee will be deemed to have waived certain rights of setoff and any allowable postpetition claim arising from its performance of the contract). 

The BAP’s decision in Tempnology reversed in part the decision of the Bankruptcy Court below. The BAP agreed with the Bankruptcy Court that section 365(n) did not apply to trademarks but held that the licensee’s rights in trademarks and logos continued under the license agreement and applicable nonbankruptcy law. In doing so the BAP followed the decision of the Seventh Circuit Court of Appeals in Sunbeam Products, Inc. v. Chicago American Manufacturing, LLC in which the Seventh Circuit concluded that section 365(a) of the Bankruptcy Code, which applies to executory contracts generally, only terminates the obligation of the debtor to perform under the license agreement but does not strip away the licensee’s rights to use the trademark.

The First Circuit reversed the holding of the BAP, and came to the same conclusion as the Lubrizol court, rejecting the rationale of Sunbeam and concluding that a trademark licensee had no right to continue to use the trademarks after the license was rejected. The rationale for the First Circuit’s conclusion was that effective licensing of a trademark required the owner to monitor and exercise control over the quality of the goods sold to the public or else the licensor would be creating a “naked license” which could result in the licensor risking the permanent loss of its trademark. The First Circuit decided that the licensor should not have that burden.

Thus, the First Circuit’s decision in Tempnology places the risk on the solvent trademark licensee that in a bankruptcy it will lose the benefit of the license. Given the split among the First and Fourth Circuits versus that of the Seventh Circuit it is possible that the Supreme Court will be petitioned to resolve the issue. Meanwhile licensees will be well-advised to contact counsel to assess what their rights may be if a licensor were to reject a trademark license depending upon the venue in which a licensor may file for bankruptcy.