may seek damages.
Member states may individually impose additional requirements and penalties regarding certain limited matters (for which the GDPR leaves some room for flexibility), such as employee personal data. With respect to the personal data it protects, the GDPR requires, among other things, controller accountability, consent from Data Subjects or another acceptable legal basis to process the personal data, notification within 72 hours of a personal data breach where required, data integrity and security, and fairness and transparency regarding the storage, use or other processing of the personal data. The GDPR also provides rights to Data Subjects, notably relating to information, access, rectification and erasure of the personal data, and the right to object to the processing.
On August 20, 2021, China promulgated the PRC Personal Information Protection Law (“PIPL”), which took effect on November 1, 2021. The PIPL imposes specific rules for processing personal information and specifies that the law also applies to personal information activities carried out outside China for the purpose of providing products or services to PRC citizens. Any non-compliance with these laws and regulations may subject us to fines, orders to rectify or terminate any actions that are deemed illegal by regulatory authorities, other penalties, as well as reputational damage or legal proceedings against us, which may affect our business, financial condition or results of operations. The PIPL carries maximum penalties of CNY50 million or 5% of the annual revenue of entities that process personal data.
In the United States, the CCPA, which increases the privacy protections afforded California residents, became effective January 1, 2020. The CCPA generally requires companies, such as us, to institute additional protections regarding the collection, use and disclosure of certain personal information of California residents. Compliance with the obligations imposed by the CCPA depends in part on how particular regulators interpret and apply them. Regulations were released in August of 2020, but there remains some uncertainty about how the CCPA will be interpreted by the courts and enforced by the regulators. If we fail to comply with the CCPA or if regulators assert that we have failed to comply with the CCPA, we may be subject to certain fines or other penalties and litigation, any of which may negatively impact our reputation, require us to expend significant resources, and harm our business. Furthermore, California voters approved the CPRA on November 3, 2020, which amends and expands the CCPA, including by providing consumers with additional rights with respect to their personal information, and creating a new state agency, the California Privacy Protection Agency, to enforce the CCPA and the CPRA. The CPRA came into effect on January 1, 2023, applying to information collected by businesses on or after January 1,
Other states, as well as the federal government, have increasingly considered the adoption of similarly expansive personal privacy laws, backed by significant civil penalties for non-compliance. Virginia and Colorado were both successful in passing privacy legislation in 2021, becoming effective on January 1, 2023 and July 1, 2023, respectively. In 2022, privacy legislation passed in Connecticut, effective July 1, 2023, and Utah, effective December 31, 2023. While we believe we have substantially compliant programs and controls in place to comply with the GDPR, CCPA, PIPL, CPRA and state law requirements, our compliance with data privacy and cybersecurity laws is likely to impose additional costs on us, and we cannot predict whether the interpretations of the requirements, or changes in our practices in response to new requirements or interpretations of the requirements, could have a material adverse effect on our business.
We also sell products and services that health care providers, such as physicians and dentists, use to store and manage patient medical or dental records. These customers, and we, are subject to laws, regulations and industry standards, such as HIPAA and the Payment Card Industry Data Security Standards, which require the protection of the privacy and security of those records, and our products may also be used as part of these customers’ comprehensive data security programs, including in connection with their efforts to comply with applicable privacy and security laws. Perceived or actual security vulnerabilities in our products or services, or the perceived or actual failure by us or our customers who use our products or services to comply with applicable legal or contractual data privacy and security requirements, may not only cause us significant reputational harm, but may also lead to claims against us by our customers and/or governmental agencies and involve substantial fines, penalties and other liabilities and expenses and costs for remediation.
Various federal initiatives involve the adoption and use by health care providers of certain electronic health care records systems and processes. The initiatives include, among others, programs that incentivize physicians and dentists, through MIPS, to use EHR technology in accordance with certain evolving requirements, including regarding quality, promoting interoperability, cost and improvement activities. Qualification for the MIPS