Should My Company Have a Privacy Shield Certification?

This post was originally published on this site

We are now two months into Europe’s new General Data Protection Regulation (“GDPR”), which extends the jurisdictional scope of European data protection law. As a result, GDPR applies extraterritorially to any organization that can be reached by an EU citizen. GDPR imposes harsher data protection requirements that give way to substantial penalties for non-compliance, which include administrative fines up to 4% of annual worldwide revenue. These steep fines have forced businesses across the U.S. (and the world) to reconsider their EU business strategy. Additionally, many companies are compelled by their clients or partners to comply with GDPR. Fortunately, and for the time being, there is an alternative regulatory mechanism that allows U.S. businesses to conform to EU data transfer laws.

The EU-U.S. and Swiss-U.S. Privacy Shield

In July 2016, the U.S. Department of Commerce and the European Commission approved the EU-U.S. Privacy Shield Framework while the Swiss Administration approved the Swiss-U.S. Privacy Shield in July 2017 (collectively, the “Privacy Shield”). The Privacy Shield, which serves as an adequacy decision under GDPR, is a data protection framework that allows companies on both sides of the Atlantic to transfer personal data from the EU to the U.S. The Privacy Shield replaced the U.S.-EU Safe Harbor Framework (the “Safe Harbor”) after the Safe Harbor was struck down by the Court of Justice of the European Union in October 2015. The Privacy Shield’s purpose is to bridge the different privacy protections afforded to U.S. and EU citizens. The Privacy Shield Principles include the data subject’s right to be informed; limitations on the use of the data subject’s data for different purposes; obligations to secure the data subject’s data; obligations to protect the data subject’s data if transferred to another company; the data subject’s right to access and correct their data; the data subject’s right to file a complaint and obtain a remedy; and redress in case of access by U.S. public authorities. Companies may undertake Self-Certification (often with the assistance of counsel) and the U.S. Department of Commerce is in charge of issuing Self-Certification determinations. U.S. Participants in the Privacy Shield are subject to the Federal Trade Commission’s broad jurisdiction.

Should I Get Self-Certified?

In light of the stricter regulation of European data transfers to the U.S., not complying with the necessary data protection laws may impact your ability to adequately cater to European customers, or to partner with or provide services to other US entities that are subject to GDPR. Accordingly, for many businesses, there are significant motivators to comply.

A company may be eligible to certify to the Privacy Shield if it transfers EU or Swiss personal data to the U.S., or receives or accesses EU or Swiss personal data. At the core, seeking Privacy Shield Self-Certification is a business decision requiring an understanding of how and at what frequency your business interacts with EU data.

While thousands of companies are enjoying the benefits of the Privacy Shield, it is worth noting that on July 5, 2018, the members of European Parliament called for a suspension of the Privacy Shield unless the U.S. fully complies with GDPR by September. All eyes will be on the European Commission as the September Privacy Shield annual review approaches.

Compliance is a moving target. The regulatory framework for privacy worldwide is evolving. Numerous government and consumer agencies, as well as public advocacy groups, have called for new regulation coupled with changes in industry practices. Further, new laws and regulations will be adopted in and around the United States, as most recently seen in California, and existing laws and regulations may be interpreted in new ways. Navigating the data privacy regulatory landscape is complex and requires continual monitoring.

Contact the Authors at [email protected] and [email protected] to discuss these and other issues related to data privacy, intellectual property, and technology law.


What is the Howey Test? How To Tell if a Coin Passes The Test


In our last blog post, we discussed the SEC’s position that Ethereum was ‘not a security’. With the commentary from the SEC, it’s worth revisiting the four prongs of the Howey test and the meaning of a security. Section 2(a)(1) of the Securities Act of 1933 contains a statutory definition of the term “security”. The definition includes a non-exhaustive list of various financial instruments including many traditional financial interests and something nebulously called an “investment contract”.

If the financial instrument falls outside of the standard and commonly understood categorization of equity, debt, or derivatives instrument, then the analysis turns on whether or not an “investment contract” exists. As a result of the inherent uncertainty that accompanies this definition, a determination rubric was developed through the common law by the Supreme Court and has since become known as the “Howey Test”. Under the Howey Test, an investment contract is (1) an investment of money; (2) made in a common enterprise; (3) with an expectation of profits; (4) to be derived from the efforts of others. If these prongs are met, then, according to the Supreme Court, “it is immaterial whether the enterprise is speculative or non-speculative or whether there is a sale of property with or without intrinsic value”.


What was Howey Doing?


In 1946, the Howey Company came up with an interesting scheme to profit from its citrus grove (yes, this all started over oranges). The Company planted the oranges on the property, kept half of the property for itself, and sold interests in the other half to the public to fund additional company development. Howey’s service company then offered the land purchasers a service contract to maintain the land they bought. Thus, the purchasers could simply be passive investors in the growth of the citrus grove while Howey did all the work to grow the value of the grove. Even though some purchasers chose not to accept Howey’s full offer to enter into a service contract too, the Court said that the mere offer was enough to constitute an unregistered, non-exempt securities offer as an “investment contract”. (So, what about token airdrops? That’s a story for a future blog post…)


Pulling Apart the Prongs


The first prong of the test – an investment of money – is fairly straightforward. Under Howey and succeeding case law, an investment of money may be deemed to include capital, assets, cash, goods, services, or promissory notes (or, presumably, anything of value).

The second prong – a common enterprise – is, however, not as straightforward. The Supreme Court has yet to define a “common enterprise”. Consequently, federal courts of appeal have varying interpretations of the term. In total, we have three approaches that exist to examine the term under Howey. The first approach is horizontal commonality. Here, a common enterprise exists where multiple investors pool funds and the profits of each investor correlate with those of the other investors. As the case law has developed, it appears that there is no common enterprise where there is no sharing of profits or pooling of funds. The second approach is narrow vertical commonality, which finds a common enterprise if there is a correlation between the investor’s profits and the promoter’s. Finally, broad vertical commonality finds a common enterprise where “the investors are dependent upon the expertise or efforts of the investment promoter for their returns”.

The vertical approach is relatively easy to satisfy, as we are only concerned with the fact that the investor depends on the promoter: the promoter often has more knowledge about the project than the investor and stands to benefit (in some sense) from that expertise, which aligns the promoter with the investors’ profit-seeking goals. The horizontal approach is slightly more difficult to apply, as it depends on the coordination of multiple investors; however, for token sales (to refer to a modern and hot topic), it depends on the distribution of the tokens and who or what is receiving any proceeds from the sale of tokens.

As to the third prong – an expectation of profits – the Supreme Court, in United Housing Foundation, Inc. v. Forman, stated that profits were “capital appreciation resulting from the development of the initial investment…or a participation in earnings resulting from the use of investors’ funds”. It is the return an investor seeks on their investment. In looking at the meaning of investment, the Forman Court determined that an investment depended on the investor. The Court differentiated between “consumption” and “investment” noting that an investment occurs when “the investor is ‘attracted solely by the prospects of a return on investment’” (emphasis added). Therefore, an investment exists if the investor decided to invest not for use but some return on investment.

The third prong is meant to be read together with the fourth prong – derived solely from the efforts of others. Under this prong, the success or failure of the enterprise must be significantly correlated with the efforts of the promoters. While the word “solely” seems to limit the breadth of possibilities, courts have broadened it to include essential or significant managerial or other efforts that are necessary for the enterprise to succeed. As the case law has developed, the simple four-pronged approach quickly becomes very intricate and nuanced.


Re-Examining the Test


The Howey Court’s definition of a security “embodies a flexible rather than a static principle, one that is capable of adaptation to meet the countless and variable schemes devised by those who seek the use of the money of others on the promise of profits”. In keeping with such a broad definition, substance over form, with an emphasis on the economic realities of the transaction, is stressed. This principle has been evident in the SEC’s approach to regulation, across a broad spectrum of policy areas, since its establishment.

The SEC’s analytical approach is clearly on a case by case basis. Applying these lessons in the modern context, in the decade since the launch of Bitcoin, for example, only two cryptocurrencies have been declared not securities: Bitcoin and Ethereum (Note: do not neglect the CFTC, FINRA, other federal or state regulatory bodies).

To date, it is easy to conclude that a majority of Initial Coin Offerings (ICOs) are securities simply by saying that the investor invested Bitcoin or Ethereum into an entity formed to develop the promised platform that is not yet operational at the time of “investment” and the investor is relying on the development team of the entity to develop the platform; and, therefore, the investor is investing in a security. Thus, each of the prongs of the Howey test could be concluded to apply. However, nuance matters, and never more so than in the increasingly complex world of digital-currency-adjacent offerings. If, for example, projects are open source and available on GitHub, then, in theory, anyone can comment on or contribute to the project, moving them from passive to more active investors. Of course, not every cryptocurrency purchaser knows how to code or has used GitHub. Nonetheless, it is clear to see that cracks can be formed in the SEC’s rather narrow approach to its “broad” securities test.

Further, the governance models used in Bitcoin and Ethereum are simply two governance models at the protocol level in an ecosystem which is still rapidly developing and iterating (for example, EOS, DFINITY, Augur, and other structural considerations like on-chain versus off-chain governance, Proof-of-Work, Proof-of-Stake, Delegated Proof-of-Stake, etc.). Further, the governance models for various projects are going to adapt if the project is to survive over time. The initial design of the network is important but is subject to change. After all, software is not static.

With the explosion of varying governance and economic models at the protocol level, is “common enterprise” and “derived solely from the effort of others” relevant? Is the Howey test really malleable enough to consider the governance and economic designs that are coming? We will be following these issues closely as we continue to see new projects emerge and existing models iterate.


Commentary by Stan Sater & Yuri Eliezer, Esq. & Jeffrey Bekiares, Esq. Jeff is a securities lawyer with over 8+ years of experience, and is co-founder at both Founders Legal and SparkMarket. He can be reached at [email protected]


Is Ethereum a Security according to the SEC?


One day after the SEC town hall in Atlanta, Georgia, William Hinman, Director for the Division of Corporation Finance of the SEC, gave a landmark speech declaring that Ethereum was ‘not a security’. These important statements follow on previous statements from SEC Chairman Jay Clayton, whose comments at a hearing in front of the House Appropriations Committee on April 26, 2018, gave the crypto community some relief by declaring that Bitcoin was ‘not a security’. With his recent comments, Director Hinman expressly answered another key question for the community. While his remarks are not law, they came with much needed insight into how regulators are continuing to evaluate crypto.

Perhaps not surprisingly, at least to those who follow such matters in the community, Hinman’s remarks about Ethereum seemed to run right through the Howey Test. For those unfamiliar, the Howey test is a four-pronged test long used by the SEC that contemplates whether or not a particular instrument constitutes an “investment contract”, which is a type of security. Under the four-pronged test, an investment contract is (1) an investment of money; (2) made in a common enterprise; (3) with an expectation of profits; (4) to be derived from the efforts of others. Using this test (reaffirmed by Hinman), it does not matter if the token is labeled as a “utility token”, as the analysis relies on ‘substance over form’ and the economic realities underlying a transaction.


  1. The classification of a digital token is not static. A token’s treatment under US law may change over time.
  2. “[I]f the network on which the token or coin is to function is sufficiently decentralized – where purchasers would no longer reasonably expect a person or group to carry out essential managerial or entrepreneurial efforts – the assets may not represent an investment contract.” Note that, although the SEC calls it “decentralized”, most may otherwise refer to this as “functionality”. Accordingly, Network Decentralization does not equal SEC Decentralization.
  3. As most knowledgeable lawyers in the space do (like us!), separate the sale of the token from the token itself. Apply securities laws when it fits.
  4. Hinman’s remarks pose some interesting questions for industry participants. One thing is clear: you cannot go through this process alone. Engage with experienced lawyers in the space who truly understand (and care about) the technology and are capable of navigating the applicable laws.


Still Left with Questions

How do we know if a network is sufficiently decentralized? The answer, as with many aspects of this area of the law, at least for now, is that we do not exactly know, and facts and circumstances always matter. However, it would probably not be difficult to start by weighing the differences between the promises made in any particular white paper and the parts of the platform that are already functional. The existing consumptive purpose for a token should reduce if not take away any speculative purpose for the token.

The SEC has yet to address whether or not a digital token can change to a ‘non-security’ during a pre-sale phase, if some functionality of the ultimate underlying platform is built. This point is particularly important because purchasers of digital tokens under the guise of securities laws subject to securities lock-ups need to know if they can use securities protections or if the sale (or use!) of their token ceases to be a sale of securities. The SEC stated concerns in its Atlanta town hall event about flowbacks (in the Reg S context) and complying with other requirements of private placement offerings. Again, Director Hinman’s remarks are directly related to federal securities laws. He did not address the need to understand or comply with other federal, state, and non-US laws and regulation related to money transmissions, banking, commodities, and tax.


Bonus! Bitcoin and Cryptocurrency Get Referenced by SCOTUS

Now, after Director Hinman’s remarks, Supreme Court Justice Stephen Breyer, albeit in a dissenting opinion, gave the first Supreme Court opinion reference to Bitcoin and cryptocurrency. Breyer wrote: “Moreover, what we view as money has changed over time. Cowrie shells once were such a medium but no longer are…our currency originally included gold coins and bullion, but, after 1934, gold could not be used as a medium of exchange…[P]erhaps one day employees will be paid in Bitcoin or some other type of cryptocurrency.”

Coupled with the SEC’s remarks, Justice Breyer’s remarks are a giant step forward for the crypto community. While these remarks are not binding law, they do show a shift in the regulators’ and justice department’s sympathies toward cryptocurrency as a legitimate form of value.


Commentary by Stan Sater  & Jeffrey Bekiares, Esq.  Jeff is a securities lawyer with over 8+ years of experience, and is co-founder at both Founders Legal and SparkMarket. He can be reached at [email protected]