On or about 7/5/2022, Falcon Rappaport & Berkman PLLC (FRB) and Metaverse Law Corporation (Metaverse Law) have agreed to resolve their dispute in the United States District Court for the Southern District of New York. As part of a global resolution, the parties have agreed that FRB can refer to itself as a metaverse law firm in a descriptive manner, given the proliferation and greater accessibility of the public into metaverse, Web 3.0, and virtual reality spaces. Nevertheless, the parties agree that METAVERSE LAW remains Metaverse Law’s trademark and Metaverse Law maintains the right to prosecute any non-descriptive infringement of the mark’s use.
FRB is a full-service business law firm that combines the deep knowledge and understanding of attorneys who proudly advise clients seeking solutions to their most complex matters, including businesses and individuals working in cryptocurrency and NFTs. FRB has led the charge into the metaverse and opened a law office in Decentraland in August 2021 (located at Parcel 25, -125). FRB differentiates itself by approaching matters with a level of depth and variety of skills unmatched by typical advisors, following through on a firm-wide commitment to excellent service, offering access to thought leaders in numerous areas of professional practice, and engaging in a partnership with clients to develop and achieve legal, business, and personal objectives.
Metaverse Law launched in 2018 and is a California-based privacy, AI, and cybersecurity law firm. Metaverse Law assists startups to multinationals with their CCPA, GDPR, and other data privacy obligations. Metaverse Law is a proponent of decentralized virtual reality spaces (as opposed to the panopticon of a singular dystopian metaverse) and advises tech companies and law firms alike on consumer privacy, ethics, and good governance inside and outside of their metaverses.
The General Data Protection Regulation (GDPR) is a law that protects the privacy of most Europeans. It does so in part by imposing limitations on the free movement of personal data between the European Union (EU) and other countries. It took effect in May 2018.
This ground-breaking data protection and privacy regulation goes well beyond the boundaries of the European Union’s physical borders. Furthermore, it requires companies based outside of the EU to safeguard the personal data of their people.
Extra-Territorial Scope of GDPR
The GDPR’s scope goes beyond the boundaries of the EU. That means that websites outside the EU that handle personal data about EU citizens are also obliged to comply with the GDPR’s requirements.
The text of the General Data Protection Regulation (GDPR) provides an essential compliance checklist that companies should follow if they are subject to GDPR. This “checklist” contains particular requirements that are unique to countries outside of the EU, such as American companies and organizations.
You may be wondering how the laws of the European Union might be enforced in an area over which the EU supervisory authorities have no jurisdiction. The reality is complicated, but in short, there are avenues in which United States (US) courts might enforce agreements referencing GDPR and apply guidance of the EU Commission or EU supervisory authorities.
Enforcement of GDPR in the US
The General Data Protection Regulation (GDPR) is being implemented in the EU and EEA by the many supervisory authorities situated across the region. The GDPR does, however, apply to companies situated outside of Europe.
Businesses subject to GDPR that do not have a physical presence or establishment in any EU member-states may need to have a physical representative located inside the region to comply with the GDPR. For those who have violated the General Data Protection Regulation, EU supervisory authorities may address this representative for complaints or for levying fines.
EU enforcement agencies may take disciplinary actions against those who violate the rules. These organizations are likely to get support from government officials in the country where the company is based. EU enforcement agencies may pursue noncompliance, especially against multinational or large corporations, through stop-processing orders or regulatory investigations. Furthermore, EU data protection authorities may fine companies that continue to do business with US organizations that violate GDPR, effectively preventing US companies from getting customers in the EU.
Finally, EU and US companies may pursue US companies for breach of contract, if GDPR compliance is written into the underlying agreement. These contractual claims may be adjudicated in US courts, depending on the contract, even if they relate to EU compliance.
GDPR and US-EU Data Sharing
The General Data Protection Regulation (GDPR) defines, in Article 45, the circumstances under which personal data may be transferred outside of the EU. It states that data transfers beyond the EU are permitted if the receiving country has an adequacy agreement with the EU. It is also applicable if the data processor or controller demonstrates an adequate level of data privacy safeguards inside the EU. The EU previously acknowledged the EU-US Privacy Shield as an acceptable mechanism for transfer; however, with the recent “Schrems II” decision from the Court of Justice of the European Union, the Privacy Shield framework has been invalidated for data transfers.
Since the US as a whole does not feature on the European Union’s list of countries with a sufficient level of data protection law, businesses should consult with their privacy counsel as to the best alternative mechanisms for international data transfers.
GDPR Compliance Requirements for US Companies
Any US company obliged to comply with the GDPR may be subject to the same strict requirements as companies located in the EU.
If your website collects or processes personally identifiable information (PII) of EU citizens, you should do so on a lawful basis. The following is a checklist that companies in the United States may use as a starting point toward compliance with the General Data Protection Regulation, subject to the advice of their local privacy counsel:
- Identify and appoint a data protection officer to oversee the processing of EU personal data;
- Inform your customers about the reasons for which you are processing their data;
- Make sure you have a data processing agreement in place with your suppliers;
- Evaluate your data processing operations and improve the level of protection;
- Determine what to do in the case of a data breach in your organization;
- Comply with all applicable rules governing cross-border data transfers; and
- Designate a representative in the European Union.
With the GDPR compliance checklist and retention of local privacy counsel, you may be able to mitigate the risk of enforcement actions brought by EU regulatory authorities. Moreover, a consent management platform (often referred to as a CMP) may help you make your website GDPR compliant.
GDPR Fines for US Companies
The General Data Protection Regulation (GDPR) has significant enforcement penalties to incentivize compliance. There is the possibility of substantial fines for noncompliance with the law, which may reach 4 percent of global sales or €20 million, depending on the severity and circumstances of the violation.
As reported by the US International Trade Commission, since May 2018, data protection authorities in EU member states have collectively penalized US companies for more than $417 million under the General Data Protection Regulation (GDPR).
The General Data Protection Regulation (GDPR) is applicable based on the location of the data subject when their data is processed, not on their citizenship or country. Any company in the United States that provides services or monitors customers in the European Union (EU) should determine their obligations under GDPR, if any apply, and how to comply with the GDPR.
All companies based in the United States should work toward complying with the guidelines of GDPR, if they are subject to it. This is not just to protect the data being transferred and to avoid being fined, but also to protect the integrity of companies and of the US in dealing with data protection.
Learn more about the General Data Protection Regulation (GDPR) implications for your business’s marketing strategies. Metaverse Law specializes in data privacy, data protection, and cybersecurity laws. It continues to provide practical solutions for today’s online businesses, including GDPR compliance. To learn more about our services, please contact us now!