GKG Law's Steve Fellman, a member of the firm's Association Practice Group, led a table discussion at ASAE's Associations @ Work Business Conference on October 29th in Washington, DC. At the request of ASAE, Steve facilitated the topic of Antitrust.
More information on this event can be found here.
As many organizations have learned, on May 25, 2018, the EU implemented the General Data Protection Regulation (“GDPR”), which imposes obligations and liability on U.S. organizations that have control over EU residents’ personal data (“Controllers”) or that process EU residents’ personal data on behalf of other companies (“Processors”). The GDPR regulates how companies collect, use, and transfer the personal data of individuals located in the EU. The GDPR also imposes obligations on U.S. Controllers and Processors that either do business in the EU through local establishments or otherwise offer products and services to individuals in the EU.
Among these obligations, Controllers and Processors are required to set forth certain provisions, procedures, and allocation of responsibilities in a written agreement between the Controller and Processor. See Article 28, GDPR. If your association acts as a Controller or Processor under the GDPR, then you have likely seen or participated in the execution of “Data Protection Addendums” that address these GDPR-related contractual requirements.
According to the GDPR and supported by recent EU court decisions, there are also instances where two or more organizations may be acting as “Joint Controllers,” i.e., instances “[w]here two or more controllers jointly determine the purposes and means of processing.” Article 26, GDPR. In these situations, the GDPR requires Joint Controllers to “determine their respective responsibilities for compliance under [the GDPR] . . . by means of an arrangement between them.” Article 26(1), GDPR. This arrangement should “reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects.” Article 26(2), GDPR.
For associations subject to the GDPR, this issue may arise in a number of circumstances, including, among others: social media pages, events or projects organized by multiple parties, or projects undertaken on another party’s behalf. The primary test is whether two or more organizations jointly determine the purposes and means of processing subject to the GDPR.
On June 5, 2018, the Court of Justice of the European Union (“CJEU”) upheld a lower court ruling that a German company with a fan page hosted on Facebook was a joint controller with Facebook regarding page-visitor’s personal data processed by Facebook. Both this and the initial ruling by the German supervisory authority, Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany (the “Supervisory Authority”), in November 3, 2011, were pursuant to Directive 95/46/EC (the “Directive”), the precursor to the GDPR. As the Directive had already imposed many obligations similar to the GDPR’s on Controllers and Processors located in the EU, authoritative interpretations of the Directive are applicable to the GDPR where, in cases such as this one, the underlying obligations are the same. The most relevant difference between the GDPR and Directive for U.S. associations is that the GDPR now includes some non-EU organizations within its scope.
In this case, the German company hosted a fan page on Facebook. As part of the terms of service with Facebook, the German company agreed for Facebook to use cookies that track and collect personal data from fan-page visitors. While the German company did not have access to this raw personal data, Facebook was required to provide to the German company, upon request, aggregate anonymized data on visitors “including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers.” Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, para. 37 (CJEU June 8, 2018). Incidentally, Facebook’s practices at the time for collecting this data (even from visitors without Facebook accounts) were found to violate the Directive’s data privacy rules.
The German company argued that Facebook was the sole Controller of the personal data collected by Facebook’s cookies. Ultimately, the Supervisory Authority and the CJEU found that the German company was a Joint Controller because its contractual right to request demographic data was tantamount to taking part in the determination of the purposes and means of processing visitors’ personal data. Id. at para. 75(1). Put differently, as the German company could ask for Facebook to process the visitors’ data in certain ways, the German company had some joint control over the data processing.
Parenthetically, it appears that the Supervisory Authority’s real target was Facebook, but the Supervisory Authority in Germany was not clear on whether it could proceed against Facebook’s Ireland office. While Facebook had an office in Germany, Facebook’s Germany office apparently was not involved in collecting data from the fan page’s visitors. Facebook’s Ireland office was the culprit, in the Supervisory Authority’s eyes, but also possibly outside the Supervisory Authority’s jurisdiction under the Directive. Accordingly, the EUCJ also held that the Supervisory Authority could proceed in a case directly against Facebook in Ireland, notwithstanding the fact that Facebook Ireland is regulated under Ireland’s data privacy agency.
Since 2011, Facebook and other social media companies have changed their data privacy practices, particularly in light of the GDPR. Nonetheless, U.S. associations may be deemed to be Joint Controllers of personal data collected by social media companies where:
This decision also has applicability to how associations may be treated as Joint Controllers in other contexts, such as events and joint projects.
When EU-based event attendees provide information for an event hosted by multiple organizations, the hosting organizations may be treated as Joint Controllers. For example, assuming that the data collection is subject to the GDPR, which is an issue unto itself:
First, the rules for Joint Controllers in non-event projects would be analogous to the examples for events above. If two or more organizations are jointly collecting and sharing personal data for their respective benefits and use, then they would likely be deemed Joint Controllers under the GDPR.
Second, if an association engages in a project that involves the processing of personal data subject to the GDPR, it may be deemed a Joint Controller with sponsors or inactive partners of the project. For example: An association engages in a project involving research, surveys, or other collection and processing of Personal Data. The association is supported or sponsored by an organization that takes no active role in the project. As part of the agreement between the association and the organization, the organization has the right to request for the association to process project participants’ personal data to generate aggregate anonymized statistics. Based on the EUCJ decision summarized above, the organization may be deemed to take part in determining how and why the association processes the project participants’ data. Accordingly, the organization and association may be deemed Joint Controllers.
The GDPR does not explicitly require Joint Controllers to enter into a written agreement addressing Joint Controller responsibilities. Instead, the GDPR requires Joint Controllers to clearly allocate their respective responsibilities “by means of an arrangement between them.” Article 26(1), GDPR; see also Recital 79, GDPR. The GDPR also requires the Joint Controllers to make “[t]he essence of the arrangement . . . available to the data subject.” Article 26(2), GDPR.
Nonetheless, under the GDPR’s general principle of “Accountability,” Controllers must be able to demonstrate compliance with the GDPR. See Article 5(2), GDPR. Accordingly, Joint Controllers must be able to demonstrate to supervisory authorities that they entered into an arrangement clearly allocating their respective Controller responsibilities. Controller responsibilities would include, inter alia, communicating data breaches to supervisory authorities and affected data subjects, responding to data privacy requests, maintaining compliant arrangements with Processors, disclosing appropriate data privacy information to data subjects, and ensuring adequate safeguards for the transfer of data outside the European Economic Area (“EEA”). In light of this burden to demonstrate compliance, it may be prudent for Joint Controllers to address the allocation of responsibilities in writing.
If the Joint Controllers do not allocate their respective controller responsibilities, this may constitute noncompliance with the GDPR. Furthermore, in the event that one Joint Controller violates the GDPR, other Joint Controllers may be subject to the full range of obligations and liabilities. If the Joint Controllers maintain a clear written arrangement of their respective responsibilities, then it is more likely that a supervisory authority would address a particular issue of noncompliance with the responsible Joint Controller rather other Joint Controllers who may not have been involved. Remember, in the Facebook fan page decision discussed above, the Supervisory Authority was ultimately seeking approval to proceed against Facebook’s Ireland office.
With respect to communicating the “essence of the arrangement,” information on the joint controllers involved and their general level of involvement could be included in privacy policies or project/event-specific materials distributed to data subjects.
If you have any questions regarding Joint Controller responsibilities or GDPR compliance, please feel free to contact GKG Law at (202) 342-5266 or okrischik@gkglaw.com.
GKG Law’s Rich Bar, principal in the firm’s Association Practice Group, spoke at Association TRENDS' 2018 Learnapalooza in Washington, DC on October 17, 2018. Rich’s topic, “Credentialing: Ethics Standards & Enforcement,” focused on proper rules & procedures and code of ethics related to the credentialing of Association members, including the drafting, application, and enforcement of these standards.
Attendees will:
More information can be found here.
Keith Swirsky, President of GKG Law, will give a presentation entitled “Bonus Depreciation” at the 2018 NBAA Tax, Regulatory & Risk Management Conference to be held October 14 – 15, 2018 in Orlando, FL. Keith's educational session will cover the rules regarding aircraft depreciation deductions, including the new bonus depreciation rules, the mechanics under Section 280F for determining eligibility for MACRS deprecation, the so-called “leasing company trap” and how to avoid it, and other relevant planning considerations
Find more information on the NBAA Tax, Regulatory & Risk Management Conference here.
Keith Swirsky, President of GKG Law, gave a presentation entitled “Bonus Depreciation” at the 2018 NBAA Tax, Regulatory & Risk Management Conference held October 14 – 15, 2018 in Orlando, FL. Keith's educational session covered the rules regarding aircraft depreciation deductions, including the new bonus depreciation rules, the mechanics under Section 280F for determining eligibility for MACRS depreciation, the so-called “leasing company trap” and how to avoid it, and other relevant planning considerations
Find more information on the NBAA Tax, Regulatory & Risk Management Conference here.
GKG Law’s Tom Wilcox, a member of the firm's Transportation, Trade & Logistics Practice, was a luncheon speaker at the National Coal Transportation Association’s Board of Directors roundtable luncheon in Washington D.C. on October 4, 2018. Tom provided his insights on current rail transportation regulatory and policy issues affecting the railroad transportation of coal.
The NBAA Annual Convention to be held October 16-18, 2018 in Orlando, Florida, will definitely have a buzz concerning 100% Bonus Depreciation. Immediately following Labor Day 2018, GKG Law’s phone has literally been ringing off the hook with clients calling about purchasing an aircraft in order to get the 100% write off. The stock market has done well this year, businesses have record earnings, and prospective aircraft owners are compelled by the opportunity for a very large write off on their 2018 tax return.
But, the big question is “Can I get the 100% deduction on my tax return?” The threshold consideration for all prospective purchasers is whether or not the aircraft is an “ordinary, necessary and reasonable” business tool for the business to acquire. While it is likely that anyone looking to acquire, for example, a $10,000,000 aircraft, can afford to purchase the aircraft, it is not clear that such aircraft will meet the ordinary, necessary reasonable tests set forth in the Internal Revenue Code and case law. Moreover, when a big write off such as bonus depreciation is placed on a tax return, it heightens the IRS scrutiny on that tax return, increasing the likelihood of a tax audit.
Moving past the ordinary, necessary and reasonable tests, the 100% write off is somewhat elusive, because the Jobs Act has a myriad of stop signs in the road, generally effective January 1, 2018. The stop signs include rules limiting business losses to the extent of business income, plus $500,000 for a joint tax return filer. Losses that are capped by such limit get carried forward into future tax years, subject to differing limitation rules. Other stop signs include the requirement to utilize an aircraft more than 50% of the time for qualified business use every year of the applicable depreciation schedule. There are also passive activity loss issues, with respect to the classification of the write-off as passive versus non-passive. And finally, there are issues relative to “disallowed uses” of the aircraft, primarily related to use of the aircraft for entertainment or commuting purposes.
These are complex issues requiring analysis by an experienced aviation tax advisor. To a greater extent, it generally requires a team effort, to include the tax return preparer and the company’s chief financial officer, if available. The good news is that while these stop signs may limit the magnitude of the write off in the year of acquisition of the aircraft, the write offs may nonetheless be available in an accelerated format over the next succeeding one or two years after acquisition.
Please contact Keith Swirsky at GKG Law if you’d like to discuss a prospective acquisition with bonus depreciation. Keith may be reached at 202-342-5251 or by email at kswirsky@gkglaw.com.
In September 2018, the Federal Trade Commission (FTC) published a policy statement addressing antitrust concerns related to limitations on occupation license portability (FTC Report). The FTC Report reflected a long-term enforcement policy involving challenges to decisions by state licensure boards that the FTC believed took anticompetitive positions in an effort to restrict qualified practitioners from obtaining licensure. The FTC Report indicated that in many instances, limitations on licensing portability curtails price competition among licensed professionals and adversely affects both consumers and qualified service providers.
The FTC cited the problems reported by spouses of military personnel as an example of why license portability is needed. Military personnel are typically transferred from one location to another every two to four years. A military spouse may have a valid occupational license in one state and then move to another state with similar licensure requirements. However, the military spouse will have to apply for and obtain a license in the second state in order to practice his or her profession. Although some state licensure boards have assisted professionals with existing licenses in other states by adopting temporary or expedited licensing procedures, this is not typical. When a licensed professional moves to a new state, the licensure procedure is often lengthy, time-consuming and expensive. Additional course taking and or testing may be required even though the applicant has completed similar courses and tests in another jurisdiction.
The FTC recognizes that states have the right to establish occupational licensure requirements, but urged state licensure boards, legislators and organizations such as trade association and professional societies, to work together and establish joint programs to enhance occupational licensure portability. The FTC noted that using model laws and interstate compacts as a basis for licensure are available options but cited the nursing and accounting professions as examples where national professional organizations and national organizations of state licensing boards worked together and developed programs which enhanced licensing portability and at the same time enabled the state licensure boards to maintain the ability to sanction practitioners who engage in unethical or deceptive practices.
Trade associations and professional societies which have occupational certification programs should review the FTC Report “Policy Perspectives Options to Enhance Occupational License Portability" and consider adopting an affirmative action program to enhance license portability. If there are multiple certification programs currently in use within a given occupation, the push for portability will result in an effort to harmonize the existing programs and establish a unified program. If your program is one of the multiple programs competing in the same profession, you need to get involved in the harmonization movement from the outset or face the prospect that harmonization will cause your program to fall by the wayside. Technological advances, changes in consumer demand requirements and a continued push by the FTC and consumer groups will result in greater emphasis on occupational license portability. The continued viability of an association’s or professional societies certification program may well be dependent on how that program recognizes the need for flexibility and meets occupational certification portability requirements.
For further information, please contact Steve Fellman at sfellman@gkglaw.com.
Also published on the National Aircraft Finance Association's website at www.nafa.org.
In August 2018, GKG Law reported on the risks posed by service providers filing liens on aircraft for amounts owed for storage, repairs, maintenance or other services relating to an aircraft. In that article, we noted precautionary measures that can be taken to minimize the risks posed by such liens, and that defenses may exist to such liens. GKG Law recently was successful in vacating such liens in a case filed in the United States District Court for the Eastern District of Virginia. In the case, the service provider filed two separate liens with the Federal Aviation Administration (FAA) and with Florida regulatory authorities asserting liens for approximately $450,000. We were successful in not only having both liens vacated, but our client also was awarded almost $50,000 in damages resulting from the invalid lien filings. The result highlights the fact that although lien statues may serve a valid purpose, such as ensuring that mechanics and other aircraft service providers are compensated for services they performed at the request of the aircraft owner or operator, aircraft owners are not defenseless when such liens do not have a valid basis or when the lien filings fail to comply with statutory requirements.
GKG Law’s extensive experience in all aspects of the business aviation marketplace makes it particularly suited to aggressively protect your rights in such commercial disputes. Please contact Brendan Collins at GKG Law if you would like to discuss any potential aircraft related disputes. Brendan may be reached by telephone at (202) 342-6793 or by email at bcollins@gkglaw.com.
