LOGM 2017 Annual Report
Evolving regulations and legal obligations related to data privacy, data protection and information security and our actual or perceived failure to comply with such obligations, could have an adverse effect on our business. Our handling of the data we collect from our customers, as further described in our privacy policy, and our processing of personally identifiable information and data of our customers’ customers through the services we provide, is subject to a variety of laws and regulations, which have been adopted by various federal, state and foreign governments to regulate the collection, distribution, use and storage of personal information of individuals. Several foreign countries in which we conduct business, including the European Economic Area, or EEA, and Canada, currently have in place, or have recently proposed, laws or regulations concerning privacy, data protection and information security, which are more restrictive than those imposed in the United States. Some of these laws are in their early stages and we cannot yet determine the impact these revised laws and regulations, if implemented, may have on our business. However, any failure or perceived failure by us to comply with these privacy laws, regulations, policies or obligations or any security incident that results in the unauthorized release or transfer of personally identifiable information or other customer data in our possession, could result in government enforcement actions, litigation, fines and penalties and/or adverse publicity, all of which could have an adverse effect on our reputation and business. For example, the new EEA-wide General Data Protection Regulation, or GDPR, entered into force in May 2016 and will become applicable on May 25, 2018, replacing the data protection laws of each EEA member state.
The GDPR will implement more stringent operational requirements for processors and controllers of personal data, including, for example, expanded disclosures about how personal information is to be used, limitations on retention of information, increased requirements to erase an individual’s information upon request, mandatory data breach notification requirements and higher standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities. It also significantly increases penalties for non-compliance, including where we act as a service provider (e.g. data processor). If our privacy or data security measures fail to comply with applicable current or future laws and regulations, we may be subject to litigation, regulatory investigations, enforcement notices requiring us to change the way we use personal data or our marketing practices, fines, for example, of up to 20 million Euros or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher) under the GDPR, or other liabilities, as well as negative publicity and a potential loss of business. We are also subject to evolving EEA laws on data export, as we may transfer personal data from the EEA to other jurisdictions. We currently rely upon the EU-U.S. Privacy Shield Framework and Swiss Privacy Shield as a means for legitimizing the transfer of personally identifiable information from the EEA to the United States. However, there is currently litigation against this framework as well as litigation challenging other EU mechanisms for adequate data transfers (e.g. the standard contractual clauses), and it is uncertain whether the Privacy Shield framework and/or the standard contractual clauses will be similarly invalidated by the European courts.
We rely on a mixture of mechanisms to transfer data from the EEA to the U.S., and could be impacted by changes in law as a result of the current challenges to these mechanisms in the European courts which may lead to governmental enforcement actions, litigation, fines and penalties or adverse publicity which could have an adverse effect on our reputation and business. Data protection regulation remains an area of increased focus in all jurisdictions and data protection regulations continue to evolve. There is no assurance that we will be able to meet new requirements that may be imposed on the transfer of personally identifiable information from the EU to the United States without incurring substantial expense or at all. European and/or multi-national customers may be reluctant to purchase or continue to use our services due to concerns regarding their data protection obligations. In addition, we may be subject to claims, legal proceedings or other actions by individuals or governmental authorities if they have reason to believe that our data privacy or security measures fail to comply with current or future laws and regulations.