Doing Online Business With Europe? New Shield to Replace Your Safe Harbor?

By: Robert Hawn

As a business attorney practicing in the San Francisco Bay Area working with start-up companies , I often represent companies which are pursuing market opportunities in the European Community. Many of these companies, especially “software as a service” companies, offer apps and other services which process data and personal information of individuals who live in Europe. As a result, these companies are required to comply with European Union directed privacy laws. Up until recently, complying with these laws was possible by taking advantage of a “safe harbor” that allowed US companies to process personal data of individuals in EU member countries.

Last October, a European Union Court threw into disarray this “safe harbor,” and invalidated this relatively long standing information sharing framework. Since then, many companies receiving information from EU country citizens have operated in an uncertain environment regarding privacy matters. A ray of hope arose, however, in the last few weeks with the adoption of a new approach to enable U.S. companies to gather European originated personal data.

A Little History

The European Community has traditionally been highly protective of the personal information of the citizens of its member states. This has often clashed with the relatively more business oriented approach taken in the United States. This conflict, and the highly protective privacy rules of the EU, made it almost impossible for US companies to comply with EU related rules when dealing with personal data of EU citizens. In the early 2000’s, the United States and the EU agreed on a self-certification framework, referred to as the “ Safe Harbor Privacy Principles,” to allow personal data to be transferred to US companies. The Safe Harbor allowed a U.S. company to self-certify that its privacy practices satisfied certain enumerated standards.

Last October, the European Court of Justice held that the Safe Harbor was invalid because, among other things, the revelations by former National Security Agency contractor Edward Snowden showed that U.S. authorities could access EU citizen data in the U.S., and that there was no means for redress. Without the Safe Harbor, only expensive and time-consuming approaches under the EU directives were available for those U.S. companies that wanted to comply. Most commentators believe these alternate approaches may be available to larger companies, but won’t be available, at least quickly and economically, to smaller emerging growth companies. They fear that lack of easy compliance will prevent small and emerging growth companies from expanding their operations into Europe.

On February 2, 2016, a new framework was announced by the U.S. and European Union to replace the Safe Harbor. The announcement released by the European Commission states that the new framework, referred to as the “EU-US Privacy Shield” will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans. It also requires stronger monitoring and enforcement by the U.S. and increased cooperation with European Data Protection Authorities. Access to European citizen data will be subject to clear conditions, limitations, and oversight to prevent “generalized access”, according to the announcement. The U.S. will also be required to appoint an Ombudsperson to receive inquiries or complaints from European citizens. Formal adoption by the EU, and implementation by the U.S., will likely occur over the next few months.


There are a number of implications, particularly for smaller companies. First, the Privacy Shield will likely be more difficult to comply with than the Safe Harbor, resulting in relatively more resources being devoted to protection of personal data from European citizens. Second, the trend of companies maintaining servers in the EU to manage European citizen data will probably continue, if not accelerate. Third, more companies will explore anonymizing their EU-originated data before it is transferred to the US. Fourth, until the Privacy Shield is implemented, there will continue to be a great deal of uncertainty over how personal data can be transferred to the U.S.

What’s a small U.S. company to do?

Pending clarification from our friends in the European Union, there are two actions that can be taken now. First, from a legal standpoint, make sure your privacy policy is updated, i.e., it reflects your current practices. Second, from a practical standpoint, make sure that you consider all of your privacy practices and ask yourself whether you would be irritated if your own personal information were treated in a similar manner.

The information appearing in this blog does not constitute legal advice or opinion. Such advice and opinions are provided by the firm only upon engagement with respect to specific factual situations. Specific questions relating to this article should be addressed directly to Strategy Law, LLP.

The LLC – The Right Choice For Your Business?

By: Serge Filatov

I’ve written previously about sole proprietorships and general partnerships as forms of businesses for the small business owner here in San Jose and Silicon Valley. However, as mentioned before, those forms of businesses are not ideal because they expose the business owner to unnecessary liability. Instead, a small business owner should consider starting a limited liability company.

LLC’ s are often a great choice for a business owner because they can be structured almost any way you want yet they still provide liability protection. Do you want to have one person control all of the power of the company? No problem. Do you want to have the company controlled by a board of directors? Great. How about every owner voting having an equal say in the management of the company? Ok (though I wouldn’t recommend it in many circumstances). Unlike a general partnership or a sole proprietorship, the LLC is a separate entity from its owners and, under most circumstances, will shield its owners from liability for business debts.

If you choose to create an LLC, the first major issue you will have to deal with is determining the management structure of the LLC. Will it be member (i.e. owner) managed or manager-managed? A member-managed LLC is where all of the members of the LLC participate in the management of the LLC. A manager-managed LLC, on the other hand, is a situation where the members turn over the right to manage the company to one or more managers which they appoint. The manager(s) is then provided full power to run the company while the members are merely passive investors (similar to shareholders of a corporation).

A common question asked by first time clients is whether they should choose a member or manager-managed LLC. The answer to this depends heavily on the situation of the client. As a general guideline, however, one should consider a manager-managed LLC if you answer yes to any of the following questions:

Investors and Passive Owners. Will the entity have any owners who you do not want to manage the company? Will it have investors?

Size. Will the entity be too large, diverse, or complex to efficiently be able to run the business with every member having management rights?

Structure. Do you want the entity to look and feel more like a corporation or more like a general partnership or limited partnership?

On the other hand, if the LLC is only going to have a couple of members who are capable of management, then you may want to consider having a member-managed LLC. A member-managed LLC is simpler to document because, in general, you do not have to deal with determining all of the management rights and duties of the managers.

In any event, the operating agreement for an LLC, which is the operating document for the entity, needs to clearly set out the structure of the entity and how it will operate. A seasoned attorney can help you create the operating agreement and make sure that it is properly tailored for your situation.

The information appearing in this blog does not constitute legal advice or opinion. Such advice and opinions are provided by the firm only upon engagement. Specific questions relating to this article should be addressed directly to Strategy Law, LLP.

Lenders and Licensing and Exemptions: The World According to the California Finance Lenders Law

By: Jack Easterbrook

Many of our clients, at one time or another, get involved in private loan activities in California as a lender. It may be to help finance a business, purchase or improve real estate around San Jose, Silicon Valley or elsewhere in California, or just to provide funds for a family member. Although most lending has been and continues to be done by regulated financial institutions, opportunities abound for private lenders and many people are attracted to the market, whether for economic gain, to participate in a start-up idea or to just help out family or friends. The purpose of this article is to alert private lenders that California has established licensing rules to govern this lending activity, and to protect them from the risk of fines or even criminal charges for failing to follow these rules.

The California Finance Lenders Law (CFLL) is the name commonly given to the body of statutes imbedded in the California Finance Code addressing most lending activity in California. The CFLL governs the activities of both brokers and lenders engaged in the business of negotiating or making “commercial loans” or “consumer loans,” which broadly covers most lending activity in the state. Essentially, the CFLL requires any person participating as a lender or broker of commercial or consumer loans in California to obtain a license from the California Commissioner of Business Oversight unless the person qualifies for an exemption. Getting the license can easily take over six months to complete and involves a number of requirements, such as making numerous disclosures, paying fees, obtaining a surety bond and demonstrating financial wherewithal. Violations may result in fines of up to $10,000 and possibly imprisonment.

The CFLL, as mentioned, contains numerous exemptions to the licensing requirement and these can become very important to persons or entities involved in lending activity. Banks, credit unions and most institutional lenders qualify for an exemption. Exemptions exist, as well, for many other persons and entities involved in certain kinds of loans. A few of the most significant exemptions are: (a) loans by persons or entities making no more than five commercial loans in a twelve month period so long as such loans are “incidental” to the primary business of the person seeking the exemption; (b) loans made or arranged by licensed real estate brokers when the loan is secured by a lien on real property; and (c) commercial bridge loans made by venture capital companies to an operating company. Numerous other unique exemptions also exist.

The situation can be complicated by the use of intermediaries or separate business entities as the actual lender. The lending entity itself must qualify for the exemption. For example, a loan may be an incidental activity for an individual but not for an LLC actually making the loan.

If you are entering into a transaction in California in which you will be lending money, whether to an entity or a person, one item of due diligence not to overlook is whether you, or the affiliated entity in which you have an interest (if it is going to act as the lender) qualify for an exemption under the California Lender Finance Law. If you identify early the fact that the lender is not licensed and the proposed loan may not qualify for an exemption, it may be possible to develop a way of accomplishing your business objectives by revising some aspect of the proposed deal. Alternatively, the licensing requirement can be included in the checklist and factored into the timeline for making the loan. In any event, a private lender will want to handle the matter in a fashion that eliminates the risk of fines or worse.