Global Regulatory Enforcement Law Blog

U.S. lawyers urge courts to respect EU data privacy laws - 'Hobson's Choice' just got harder!

Rosanne Kay — Wed, 08 Feb 2012 09:09:44 -0800

This post was written by Cynthia O’Donoghue, David Cohen, Nick Tyler, and Regis Stafford.

The American Bar Association (ABA) this week passed an important resolution urging all courts in the U.S. to:

“consider and respect…the data protection and privacy laws of any…foreign sovereign, and the interests of any person who is subject to, or benefits from such laws, with regard to data that is subject to preservation, disclosure, or sought in discovery in civil litigation.”

The ABA journal describes the long-standing dilemma faced by litigators on both sides of the Atlantic as “Hobson’s Choice”. The ABA Section of the International Law Report to the House of Delegates further explains the choice too often faced by litigants: “violate foreign law and expose themselves to enforcement proceedings that have included criminal prosecution, or choose noncompliance with a U.S. discovery order and risk U.S. sanctions ranging from monetary costs to adverse inference jury instructions to default judgments.”

It is interesting to note the timing of the resolution, coming as it has less than two weeks after publication by the EU Commission of the long-awaited draft EU Data Protection regulation with its proposed new sanctions of up to 2 percent of annual worldwide turnover for serious breaches, which would include an unlawful data transfer to the U.S..

Such sanctions represent a ‘game-changer’ in the current risk profile and choices presented to multi-nationals faced with U.S. discovery requirements demanding the transfer of personal data held by EU affiliates in breach of EU data protection laws.

Current U.S. jurisprudence will now be tested – up until now the U.S. courts have tended to strike the balance in favour of compliance with U.S. rules on the basis that there is no realistic prospect of prosecution in Europe for an enterprise which breaches EU cross-border transfer restrictions. See In Strauss v. Credit Lyonnais S.A., 242 F.R.D. 199 (E.D.N.Y. 2007).

However, as the report to the ABA House of Delegates regarding the resolution explains, there are other good reasons, in addition to the possibility of sanctions, for U.S. courts to respect Europe’s data privacy laws. If U.S. courts continue to favor broad discovery in violation of EU restrictions, U.S. litigants may face, “a similarly hardened view of U.S. laws and regulations to the detriment of U.S. litigants” in courts outside of the U.S.. Moreover, “[p]ermitting broad discovery in disregard or even defiance of foreign protective legislation can ultimately impede global commerce [and] harm the interests of U.S. parties in foreign courts and provoke retaliatory measures.”

The resolution has been diluted from that originally proposed, with the insertion of qualifying words such as “where possible in the context of the proceedings”. Nonetheless, the ABA have sent a clear signal that the time for a re-evaluation of the status quo is needed and U.S. Courts need to recognise the wider implications of cross-border litigation in the context of an increasingly globalised corporate and legal environment.

Reputation Protection and Its Ethical Limitations

Greg Jacobs — Fri, 03 Feb 2012 12:43:46 -0800

This post was written by John L. Hines, Jr.

On December 20, 2012, Reed Smith welcomed the founder and CEO of Reputation.com to discuss online reputation management. Mr. Fertik, who speaks regularly in the popular media, explained the particular reputational challenges presented by the online environment, how to take advantage of social media to control your reputation and how innovative software solutions are being used to help victims of harmful speech in situations where legal solutions may be impractical. The full presentation, which reviews the factors that make up an online reputation and how it is distinguished from your "brand", how to manage your online reputation: legal and technical tools, how to mitigate online reputation risk for yourself and your clients and ethical considerations can be found HERE.

For Government Contractors, Will 2012 Be the Rise of the "Past Performance Primary POC"?

Greg Jacobs — Thu, 02 Feb 2012 05:50:14 -0800

This post was written by Joelle E.K. Laszlo.

If you are a Federal government contractor, please take a moment to recall the name of your “Past Performance Primary POC,” or P4OC for short. [In the unlikely event that this acronym catches on, you saw it here first.] Don’t know who your P4OC is? Don’t have one? If not, remedy the situation promptly: starting this year, a good P4OC may be the only thing standing between you and unfavorable information posted by the government on the Internet for all to see.

P4OCs can attribute their recent surge in significance to the Final Rule on the Federal Awardee Performance and Integrity Information System (“FAPIIS”), which was published in the Federal Register just after the new year. Followers of this ’blog will be well-acquainted with FAPIIS by now [click here if not]. Mandated by the 2010 Supplemental Appropriations Act, FAPIIS is designed to be a one-stop-shop for information on Federal contractors – particularly information associated with contractor wrongdoing. Conceptually FAPIIS has been praised by advocates of transparency in government contracting, but it has not quite lived up to the hype in its initial months of existence.

Nevertheless, we and others have advised contractors to take FAPIIS seriously and proactively, something the new Final Rule more or less requires. The Final Rule creates a procedure under Federal Acquisition Regulation (“FAR”) clause 52.209-9 whereby a contractor’s P4OC will be notified whenever a Federal agency proposes to post new information about the contractor on FAPIIS. The contractor will have seven calendar days to review the information and object to the post under an exemption to the Freedom of Information Act (“FOIA”). If within the seven-day time frame the contractor asserts that any of the information proposed for posting is covered by a FOIA exemption, that information must be removed within another seven days and the issue must be resolved according to FOIA procedures. Importantly, and as clarified in a second Federal Register Notice, these new procedures for the review of information proposed for FAPIIS posting took effect on January 17, and apply to any government contract that contains FAR 52.209-9 (not just the January 2012 version of the clause).

Given these developments, the first step for any contractor is to ensure that its P4OC and other past performance contacts are included in the Central Contractor Registration database. Because of the short turn-around time for reviewing information proposed for posting to FAPIIS, every government contractor will want to make sure their P4OC is punctual. Even if information proposed for posting is not exempt from the FOIA, contractors will have the opportunity to comment on the data to be posted (in larger data fields than before). This means that a good P4OC will also be able to marshal the information needed to put unfavorable performance records into their proper context. So your P4OC could very well become an MVP.

Account Intruder Intrigue Obscures Real Market Threat

Greg Jacobs — Tue, 31 Jan 2012 10:39:37 -0800

This post was written by Amy J. Greer.

The latest account intrusion case brought by the SEC had all of the usual hallmarks: a foreign national; hacking into accounts; and trading long distance. But this newest case revealed a potentially more dangerous threat: unfettered and direct access to the markets by those out to commit fraud, whose identifies are hidden through omnibus trading accounts or sponsored market access arrangements. For the first time, the SEC has taken action to try to limit that threat.

Account intrusion cases are not new, unfortunately. The SEC brought the first of these cases when I was still at the agency, back in December 2006. And I was a part of the team that brought the case, against a Belize corporation, located in Estonia, run by a Russian national, which tells you everything you need to know about how difficult it was to effect service - but we did, eventually. In that case, known as Grand Logistic, S.A., which was the name of the company (seemed pretty apt), the SEC also froze some of the assets, since they remained in a US brokerage account, as well as working with foreign regulators to attempt repatriate some of the assets that had been moved out of those accounts. Much about this sounds too familiar to the case brought by the SEC last week against a Latvian national, Igor Nagaicevs, who appears to have gotten away with this conduct for over a year and to have absconded with the cash - $850,000.

For those unfamiliar with the account intrusion scheme, it's really just the latest incarnation of a pump-and-dump: a trader with a knack for hacking will buy or sell short, in his own account (preferably a rather secretive account where the trader's identity will not be obvious to snoopy regulators and SROs), a security that is generally relatively thinly traded; then our hacker will hack into a legitimate brokerage account (like yours or mine) and, using the assets in that account, either cash or cash created by selling holdings, will create movement in the security he already has purchased (the "pump") by buying or selling a lot more. Then, the fraudster dumps his own holdings, making a little killing, all artificially generated by his own actions.

Now, there are at least two other parties to this scheme that do not involve our trader/hacker guy: the trading firm that is giving him market access and the victim brokerage, where the accounts are getting hacked. Up until last week, neither of these had ever been charged by the SEC. In regard to the victim brokerage firms, they have been making their account holders whole, at rather significant cost. For that reason, and presumably because they are also taking whatever steps are humanly possible to prevent such activity, and also because, perhaps appropriately, the SEC rarely takes action against those viewed as victims, the SEC has never acted against these victim brokerage firms. But with this most recent Nagaicevs case, the SEC has decided that it is had enough with these omnibus trading accounts and sponsored market access arrangements that mask the identity of the actual traders, especially when those traders turn out to be committing frauds. Accordingly, the SEC has charged these various unregistered trading firms and their principals, and several of them have settled the charges, including Alchemy, KM, Zanshin, and Mercury, Richard V. Rizzo, and Mercury and Hyatt. Veiled, unfettered access by traders to the markets is potentially dangerous. The frailty of the markets was well demonstrated in the "flash crash" and many market participants are less than confident that the reasons for that were fully identified (and some think the reasons have yet to be identified at all). "Hidden" traders are also free to trade on material nonpublic information. The degree of potential mischief making is somewhat self-evident. Beginning to close off an avenue for such trouble-making seems like a really necessary first step.

Looking into the Defense Industry Glass Ball for 2013 ... and Beyond

Greg Jacobs — Tue, 31 Jan 2012 06:07:01 -0800

This post was written by Lorraine Mullings Campos.

Last Thursday, Defense Secretary Leon Panetta outlined the Pentagon’s plan to change the priorities of the American military and implement budget cuts accordingly. This follows from last year’s Budget Control Act, which automatically cut $1.2 trillion of defense and non-defense spending when Congress did not pass legislation to reduce the budget. The Pentagon is now undertaking half a trillion dollars in cuts through its proposed budget. Although the budget is not final until February 13, Panetta’s remarks reveal two things: the pace of these cuts, and which industries will win and lose.

For FY2013, the pace is relatively slow—the Pentagon aims to cut $6 billion from its budget, down $531 billion to $525 billion. Over the long term, the Pentagon budget is expected to shrink by $487 billion over ten years, with $259 billion of cuts taking place in the next five years. However, commentators like former director of the Office of Management and Budget, Peter Orszag, note that the anticipated budget cuts are larger than what would likely be implemented.

If implemented, however, the Pentagon’s new priorities give some idea as to which industries will win and lose. On one hand, the proposed budget favors makers of unmanned aerial systems, along with cybersecurity, surveillance, and intelligence contractors. On the other hand, makers of certain weapons systems will likely feel some contraction. The proposed budget discards 108 to 144 fighter aircraft, reduces the number of littoral combat ships by two, and retires seven cruisers earlier than scheduled, affecting a number of well-established defense companies.

Although defense contractors have had an opportunity to prepare for the Pentagon’s budget cuts since August of 2011, this year’s reductions might give some indication of which companies and industries will successfully weather nine more years of increasingly aggressive cuts.

Markey Releases Discussion Draft of the Mobile Device Privacy Act

Greg Jacobs — Mon, 30 Jan 2012 11:46:01 -0800

This post was written by Amy S. Mushahwar.

Today, in response to the controversy surrounding cellphone tracking software from Carrier IQ, U.S. Representative Edward Markey (D-MA) released a draft of a cellphone privacy bill.

As background, the Carrier IQ software first made headlines in November, when a researcher posted a YouTube video claiming to show that the Carrier IQ software records users' every keystroke, including the websites they visit, the contents of their text messages and their location. Carrier IQ, a California-based software company, says its software is installed on 140 million phones, but the company does not track keystrokes or user's locations. Carrier IQ now faces a federal investigation and multiple lawsuits on this matter.

The Markey legislation aims to remedy the perceived privacy deficiencies. In its present form, the Markey discussion draft would require companies to:

Disclose any mobile tracking software when a consumer buys a device (or after sale if it is later installed by a carrier or placed within a mobile application downloaded).
Notify consumers what information may be collected, any third parties to which the information would be disclosed and how such information will be used.
Obtain express consent before the tracking software collects or transmits information.
Require any third party receiving collected personal information to have policies in place to secure the information.
Require any third parties to prepare and file agreements on information with the Federal Trade Commission (FTC) and Federal Communications Commission (FCC).

Additionally, the legislation contemplates outlining an enforcement regime for the FTC and FCC, along with State Attorney General enforcement and a private right of action. Representative Markey is the co-chair of the Bi-Partisan Congressional Privacy Caucus, and he has previously investigated the privacy and data security practices of Google, Apple, Facebook, Amazon, and others.

The EU's New Defense and Security Procurement Regime: Market Opportunity or Illusion?

Greg Jacobs — Mon, 30 Jan 2012 07:31:47 -0800

This post was written by Peter Teare, Lorraine Mullings Campos and Alexandra A. Nelson.

In an effort to open up the European market for defense and sensitive security products to greater international competition and transparency in its contracting processes, the EU member states have recently adopted a series of measures including the EU Directive on Defense and Sensitive Security Procurement (Directive 2009/81).

The European market for defense and security products is currently worth more than $220 billion. But historically less than 25% of that value is awarded through a public tender process, and 75% of the defense spending of national governments within the EU goes to domestic suppliers. This new law aims to mandate the greater use of public tendering procedures in defense and security programs and reduce the ‘national preference’ that often prevails in Europe. The aim is also to introduce, for the first time, an effective system for bid protests in defense and security procurement. The legality of imposing off-sets and other discriminatory requirements as a condition of contract awards has also been placed into question.

The Defense and Sensitive Security Procurement Directive forms a part of a package of new legislative measures known as the “European Defense Package” which aims both to promote competition, eliminate discriminatory obligations such as off-sets, and to simplify the current national licensing systems for cross-border transfers of military equipment and technology. Each EU member state was required to transpose its terms into the national law by 21 August 2011.

Reed Smith is holding a roundtable seminar at its Washington DC office on Tuesday, February 7, 2012 from 3:00 pm to 5:30 pm to discuss these legislative developments.

Please click here for more information.

Proposals for the Modernisation of European Public Procurement: Progress or Hindrance?

Greg Jacobs — Thu, 26 Jan 2012 13:19:55 -0800

This post was written by Edward S. Miller, Marjorie C. Holmes, Katherine Holmes and Angela Gregson.

Background

The current European public procurement rules, intended to ensure open EU-wide competition for public contracts are contained in two directives:

The Public Sector Directive (Directive 2004/18) sets out the rules that apply to contracts awarded by public sector bodies (e.g. government, schools, and health authorities).
The Utilities Directive (Directive 2004/17) sets out a parallel set of rules that apply to contracts awarded by public utilities (or private utilities that have the benefit of special or exclusive rights) operating in the water, energy, transport and postal sectors.

The current rules have been criticised for their lack of clarity and efficiency and case law has substantially developed our understanding of the rules as set out in the directives. These factors, in combination with the developing public policy objectives of the European Commission (the "Commission") relating to the promotion of electronic communication, the development of small and medium sized enterprises (SMEs), and social, environmental and employment considerations, have prompted the Commission to embark on simplifying, codifying and modernising procurement regulation. As a result, the Commission launched a review of the procurement rules in April 2010 and a consultation followed.

Click here to read our recent client alert.

EU Commission sends draft EU General Data Protection Regulation and Directive on Criminal Investigations and Judicial Proceedings to the European Parliament

Greg Jacobs — Wed, 25 Jan 2012 14:23:26 -0800

This post was written by Cynthia O'Donoghue and Nick Tyler.

The European Commission today completed its task of reforming the EU Data Protection Directive by sending a draft Regulation to the European Parliament. The draft Regulation contains comprehensive reforms and seeks to harmonise data protection laws across the 27 EU Member States, and to enhance EU citizens' privacy protections in the age of the Internet.

There will be two tiers of compliance obligations and sanctions, with one aimed at small- to medium-sized enterprises and the other at large, multinational organizations. SMEs are entitled to certain exemptions to ease administrative burdens, such as no requirement to appoint a data protection officer and a sanctions cap of up to €1 million. Multinationals with more than 250 employees in the EU will have to appoint a data protection officer and may face sanctions of up to 2 percent of worldwide annual turnover for serious breaches. Multinationals outside the EU will also have to comply with the data protection rules if they seek to market products and services to the EU citizens.

Key provisions include:

A single notification to the data protection authority in the country where an organization has its principle establishment. There remains an obligation to notify and seek prior authorization for a range of processing activity considered to present specific risks, such as systematic and extensive profiling and large-scale video surveillance.

Accountability principle for those processing personal data, including impact assessments for SMEs and top-down accountability for all organisations.

Data breach notification to the national data protection authority if feasible within 24 hours, and to individuals if there is a risk of harm.

Increased individual control over their data includes seeking their explicit consent before data may be processed rather than it being assumed, and their ability to refer matters to the data protection authority in their country even if data is processed by a company based outside the EU.

Data Portability will mean that individuals will have easier access to their own data and be able to transfer it from one service provider to another more easily.

A right to be forgotten allows individuals, including children, the ability to delete their data if an organization does not have any legitimate grounds for retaining it. The right provides exemptions for legitimate historic data such as newspaper archives, and seeks to balance the right to privacy with the right to free speech.

The sanction regime has at least been watered down from the draft Regulation circulated in November 2011, which had proposed sanctions of up to 5 percent of worldwide annual turnover.

There have been some ‘business-friendly’ changes to the draft Regulation as compared with the earlier November draft. The proposal for an opt-in for commercial marketing has been substituted with an opt-out, and the provisions relating to children’s privacy now requires parental consent for under the age of 13, rather than 18.
In addition, while there is an emphasis on binding corporate rules for international data transfers outside of the EU, contractual clauses, EU standard contracts, and findings of adequacy, as well as international commitments by countries or international organizations such as U.S. Safe Harbor, will still apply. Given the changes contemplated under the draft Regulation, existing international data transfer mechanisms may need to be reviewed and amended if the draft Regulation is adopted.
The new European Data Protection Board will no longer act as a supernational regulator in relation to approving enforcement actions and sanctions as proposed in the November version of the draft Regulation. Instead, its powers will be limited to ensuring consistent application of the Regulation without the power to overrule decisions in individual cases.
The Commission's proposed draft Regulation and accompanying Directive now goes to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. The Regulation will only take effect two years after adoption by the European Parliament, and we would expect further changes as it makes its way through the legislative process. That means any changes are probably close to three years down the road.

Federal Trade Commission Announces Adjusted HSR Thresholds for 2012

Greg Jacobs — Wed, 25 Jan 2012 13:38:22 -0800

This post was written by Debra H. Dermody, Gavin P. Eastgate and Michelle Mantine.

On January 24, 2012, the Federal Trade Commission announced the annual threshold adjustments for premerger filings under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (15 U.S.C. § 18a) (“HSR”). The new thresholds have increased the dollar amount required to trigger HSR notification with respect to both the size-of-transaction and size-of-person tests.

The revised HSR thresholds will apply to all transactions that close on or after the effective date, which is 30 calendar days following publication of the adjusted thresholds in the Federal Register. Publication will occur shortly, and the effective date will be in late February. Click here to learn more about the Adjusted HSR Thresholds for 2012.

Another Bankruptcy Asset Sale Put On Hold Due to Privacy Concerns

Rosanne Kay — Tue, 24 Jan 2012 05:40:13 -0800

This post was written by Kurt Gwynne, Mark Melodia and Frederick Lah.

Last year, we wrote a post about how a New York bankruptcy judge delayed the approval of Barnes and Noble's acquisition of Borders' database of customer information amid privacy concerns. The court later approved the transaction, requiring that Barnes and Noble give customers 15 days to opt out of the transfer by responding to an email that was sent when the deal closed. A copy of that email can be found here.

Those same privacy concerns are re-surfacing in another bankruptcy asset sale. Real Mex Restaurants Inc. ("Real Mex"), the operator of Chevys Fresh Mex and other Mexican restaurants, filed for Chapter 11 bankruptcy protection back in October 2011. In November, Real Mex received tentative court approval to auction off its assets. Last week, though, the U.S. Trustee, the administrative agency charged with enforcing the country's bankruptcy laws, asked the Delaware bankruptcy court to block the proposed sale of Real Mex's assets until privacy concerns were addressed.

The U.S. Trustee objected to the sale based on its opinion that it violated section 363(b)(1) of the Bankruptcy Code because no consumer privacy ombudsman had been appointed to protect individuals' personally identifiable information ("PII"). Section 363 permits the sale or lease of PII only when either (1) such a sale or lease is made consistent with the debtor's policy prohibiting the transfer of PII to persons that are not affiliated with the debtor or (2) the court appoints a consumer privacy ombudsman and, thereafter, approves the sale or lease after giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

As we reported in our last post, this is not the first time that would-be buyers of databases have faced judicial or regulatory scrutiny about privacy concerns. See, e.g., In re: Peter Ian Cummings and FTC v. Toysmart.com, LLC and Toysmart.com, Inc. Still, though, the Real Mex case serves as an important reminder: Companies looking to acquire or transfer assets containing customer information need to address the associated privacy risks with those transactions, ideally before the government raises the issue first.

ZIP Code Privacy Litigation Update: Massachusetts

Greg Jacobs — Mon, 23 Jan 2012 12:51:53 -0800

As part of a growing national trend, a Federal Court in Massachusetts recently held that ZIP codes are protected personally identifiable information, and therefore, retailers may not request a customer's ZIP code at the point of sale.

For more information, please read the issued Client Alert here.

Equality for Women: Amending the Women-Owned Small Business Program to Ensure Consistency with the Other Small Business Administration Program

Greg Jacobs — Mon, 23 Jan 2012 05:50:20 -0800

This post was written by Leslie A. Monahan.

On January 12, 2012, the Small Business Administration (“SBA”) issued an interim final rule amending certain regulations governing the Women-Owned Small Business (“WOSB”) Program. These amendments to threshold amounts and protest procedures make the WOSB Program more consistent with other SBA government contracting programs. Given the public benefit of consistency in small business programs, SBA found good cause to publish the changes in an interim final rule, as opposed to a proposed rule, and made the rule effective from the date of publication.

The WOSB Program, which was established by a final rule issued on October 7, 2010, authorizes contracting officers to set aside contracts for WOSBs and economically disadvantage women-owned small businesses (“EDWOSBs”) in certain industries where such concerns are shown to be underrepresented. To qualify as a WOSB, a business concern must be at least 51 percent unconditionally and directly owned by at least one woman who is a U.S. citizen. WOSB qualifications also require one or more women to control the management and daily business operations of the business concern. To qualify as an EDWOSB, a business concern must meet the same requirements as a WOSB and demonstrate that the owner or owners’ ability to compete in business has been impaired due to diminished capital and credit opportunities. Further, an EDWOSB owner’s personal net worth, adjusted gross yearly income averaged over the three years, and asset fair market value cannot exceed $750,000, $350,000, and $6 million, respectively.

Originally, under the WOSB Program, contracting officers could restrict competition for federal contracts not exceeding $5 million for manufacturing contracts and $3 million for all other contracts. The interim final rule changed those amounts to $6.5 million and $4 million, respectively, to be consistent with other SBA regulations. In addition, the interim final rule acknowledges the Federal Acquisition Regulation Council’s authority to adjust competitive thresholds for inflationary adjustments. These changes allow WOSBs and EDWSOBs to obtain larger contracts to grow their businesses.

In addition, under the interim final rule, contracting officers may now proceed with a contract award during the course of a protest, if necessary to protect the public interest, without having to make such a determination in writing. It also allows contracting officers to move forward with contract awards if the SBA does not respond concerning the status determination of the WOSB or EDWSOB filing the protest within 15 days from receipt of the protest. These changes allow contracting officers to award contracts more easily in protest situations.

Comments on the interim final rule are due by February 13, 2012.

US wades into debate on revision to EU Data Protection Directive

Rosanne Kay — Tue, 17 Jan 2012 13:04:19 -0800

This post was written by Cynthia O'Donoghue and Nick Tyler.

The U.S. Federal Trade Commission (FTC) has waded into the political debate with an Informal Note on the draft EU Data Protection Regulation as reported by Statewatch. In addition, Digital Civil Rights in Europe has reported that the U.S. Department of Commerce engaged in significant lobbying of the European Commission in response to the leaked draft Regulation.

The FTC’s Informal Note, provided to the EC in December 2011, focused on “two overarching concerns”:

“potential adverse effect on the global interoperability of privacy frameworks” – resulting in divergence rather than convergence of data privacy standards globally; and
“serious implications for regulatory enforcement activities involving third countries” such as the U.S. – resulting in EU data protection laws presenting a significant obstacle to international enforcement cooperation.

In both respects, the Informal Note portrays the draft Regulation as a backward step that would have an adverse effect on the global interoperability of privacy regimes due to it increasing differences rather than promoting convergence. The FTC also raised concerns about the draft Regulation’s potential to adversely impact international investigations, hinder information sharing between regulatory agencies and undercut enforcement cooperation between the EU data protection authorities and similar privacy enforcement agencies round the world.

In doing so, the FTC’s Informal Note emphasises many of the issues highlighted in our two blogs and Client Alert following the leak of the draft Regulation. In particular, the following themes are highlighted:

Data breach notification – criticising the Regulation’s “focus on process, instead of on improving security practices”, the note concludes that this “may…dilute the effectiveness and credibility of all such notices.” This echoes a concern first raised by the UK Information Commissioner’s Office during the IAPP Summit in November 2011, relating to notification of all data breaches regardless of seriousness or number of persons affected.
The “right to be forgotten” – the FTC’s concern relates to a chilling effect on rights to free speech and intimates that a right to be forgotten is little more than a pipe-dream fraught with legal and practical obstacles that render it unfeasible. Basically, the ubiquity of the Internet means that the cat’s out of the bag and any attempt to put it back is doomed to fail.
The definition of “child” – the EU’s definition of child being anyone under the age of 18 runs counter to the U.S.’s longstanding regulation of children’s privacy (defined as under-13 in the Children’s Online Privacy Protection Act (COPPA)). The FTC refers the EC to its recent review of the COPPA Rule¹suggesting it take a more modern and less paternalistic view by recognising:

“…it would be difficult to require parental permission for teenagers because they’re independent, more sophisticated with new technologies than their parents are, and have access to computers outside the home, particularly with the increasing proliferation of mobile devices.”

Transfers to third countries – criticising the increased complexity in determining adequacy for transferring data outside the EU, the FTC believes that the draft Regulation only makes the process more burdensome, opaque and indeterminate rather than the EC achieving its stated objective of clarifying it. There is undoubtedly a degree of self interest in the FTC’s alarm at the possibility that a U.S. Safe Harbor certification may no longer be recognised (at least in its current form) as a lawful basis for transfers of personal information from the EU to the U.S., as we previously highlighted. The prospect that present lawful trans-border dataflow mechanisms will need to be replaced by new or re-vamped versions, including through the use of binding corporate rules, will alarm every U.S. organisation that has invested significantly in putting legal mechanisms in place to transfer data from the EU to the U.S.
International Investigations – the FTC raises concerns about the effect on international regulatory enforcement, effectively calling the draft Regulation a ‘blocking statute’, because data controllers will have to notify and receive prior authorisation from a data protection authority before disclosing personal data to any non-EU governmental or regulatory authorities or private litigants outside the EU. The FTC highlights the conflicts as well as perils such provisions will create for U.S. companies with a presence in the EU, especially if an investigation relates to anti-competitive activities, financial or consumer fraud. The FTC suggests that the draft Regulation incentivises “offshoring” evidence, resulting in untimely delays and potentially damaging the interests of consumers, including in the EU.

The FTC’s Informal Note, along with other voices loudly debating the draft Regulation, advocates a more balanced and proportional approach to privacy and data protection.

Whether this US intervention will contribute to a delay in the EC publishing the draft Regulation, or whether, as recently restated by Ms. Reding’s office, publication will still take place on Data Protection Day on 28 January, we don’t have long to find out.

¹ COPPA Rule Review Request for Comment, Fed. Reg. Vol. 76, No. 187, Sept 27 2011 at 5905, available at: http://www.ftc.gov/os/2011/09/110915coppa.pdf.

In an Olympic year the draft EU data protection regulation lacks "2020 vision" and stumbles at the first hurdle - publication postponed until the Spring (at least!)

Rosanne Kay — Fri, 13 Jan 2012 08:59:11 -0800

This post was written by Cynthia O'Donoghue and Nick Tyler.

As reported yesterday by DataGuidance, it’s back to the drawing board for the Directorate-General for Justice (Justice) responsible for EU data protection law after they received strong “unfavourable” opinions from two key Directorates-General in response to the European Commission’s mandatory inter-service consultation process.

Publication of the draft EU Data Protection Regulation had been expected at the end of this month but has now been delayed until late February/March. The nature of the concerns raised by the Information Society and Media Directorate General (INFSO) and Directorate General for Trade (D-G Trade) mirror many of those highlighted in our earlier blog post and Client Alert following the leak of the draft Regulation last month.

INFSO’s concerns run to 22 pages and invoke some harsh criticism of the proposals and a perceived lack of openness and flexibility on the part of Justice. INFSO’s concerns include:

The broad scope of personal data, including geo-location data and online identifiers, without qualification;
The onerous requirements of proposed new data breach notification obligations;
The definition of “child” (under-18 threshold proposed) – unworkable in the online world;
The burdensome nature of the proposed new “right to be forgotten”;
A failure by Justice to take account of concerns about the continued burdens relating to data transfers, in particular those transfers described as “massive, frequent or structural”;
An increased risk of interference, contradiction and confusion within the draft regulation as a result of its addressing areas already covered by the ePrivacy Directive;
The proposed new sanctions regime.

The comments by INFSO represent a significant setback in the EU Commission’s attempts to re-shape European data protection law for the next generation. With the long-term future of enterprise and society in mind, INFSO rejects the draft regulation as:

“…an overly cumbersome legal framework which places new burdens and costs upon data controllers and processors, thereby acting as a deterrent for the development of new business models. INFSO is concerned that the proposal does not sufficiently take account of the economic climate and is at odds with the vision of Europe 2020.”

It’s not the first time (and won’t be the last) that data protection regulation has been blamed for standing in the way of progress but this opinion presents a significant challenge to the EU Commission’s efforts to complete the race to revise the EU Data Protection Directive.

'Sunshine Act' à la française adopted on 29 December 2011. Healthcare and cosmetics companies will be subject to a tough transparency regulation in France

Rosanne Kay — Thu, 12 Jan 2012 08:09:07 -0800

This post was written by Daniel Kadar.

A new rule, adopted on 29 December 2011 and published on 30 December 2011 after an unusually expedited procedure due to strong government pressure, will heavily modify the regulatory framework in which healthcare companies, but also to some extent cosmetics companies, operate in France.

Besides replacing (next August, but the law has immediately been enforced) the current government healthcare agency (AFSSAPS) with a new ‘National Agency for the Security of Drugs’ / ‘Agence Nationale de Sécurité des Médicaments’ (ANSM) which will have more control powers and will be able to fine non compliant actors, the new law sets out transparency requirements for healthcare and cosmetics companies that are comparable to those provided by the US ‘Sunshine Act’.

The new article L 1453-1 of the French Public Health Code imposes a general disclosure obligation on any company manufacturing or commercializing products with a medical or cosmetic purpose. The obligation concerns all agreements such companies may have with healthcare professionals, students of medicine and other healthcare related studies, clinics and hospitals, foundations, press and communication agencies/companies, software editors of drug prescription related softwares, as well as with educational companies in the healthcare area.

The obligation will require disclosure of any advantages in kind or in payment provided by the companies to such persons mentioned above (the threshold amount triggering this disclosure obligation is to be fixed by decree).

The law provides for fines for infringing the obligation of up to 45,000 Euros in respect of physical persons and up to 225,000 Euros in respect of legal persons.

In addition, the law requires the disclosure by those holding regulatory powers devolved to them by the French Ministry of Health, cabinet members and members of the new ANSM of any conflicts of interests when taking on their functions.

The new law also sets forth new pharmacovigilance requirements and provides more stringent rules concerning the advertisement of drugs as well as – this is new – medical and diagnostics devices.

More details will be provided in follow-up decrees to be made in the coming weeks. In many cases, this new regulation sets very stringent standards which will require all healthcare companies, but also to some extent (in particular in terms of the transparency requirements) all cosmetics companies, to restructure their businesses in France.

For more information, please read the issued Client Alert here.

ICO Information Rights Strategy 2012 - UK regulator identifies information security as continuing priority while targeting Financial Services, Health and Telecoms/New Media for close attention

Rosanne Kay — Wed, 11 Jan 2012 06:20:00 -0800

This post was written by Cynthia O'Donoghue and Nick Tyler.

The Information Commissioner’s Office (ICO), the UK’s data protection and freedom of information regulator, has launched a high level “Information Rights Strategy”.

In it, the ICO identifies the following priority areas: Internet and mobile services; health; credit and finance; criminal justice; and information security.

The ICO will focus on outcomes in the above areas that reduce risks to information rights (both data protection and freedom of information). The outcomes are aimed at raising the awareness and understanding of information rights and risks. The ICO seeks to raise awareness among individuals as well as those organisations responsible for meeting obligations under information rights law.

The ICO’s strategy applies internationally and recognises the pervasive risks arising from “global data flows and universal deployment of new technologies”. The ICO seeks to work with and influence fellow regulators at EU and global level in an effort to achieve a consistent and harmonised approach.

The ultimate objective of “good information rights practice” will depend in part on the ICO’s use of its enforcement powers. In identifying the five priority areas, the ICO clearly signals which industry sectors and compliance issues will receive “particular regulatory attention”.

While the area of information security will continue to be a priority compliance risk for all, organisations in the telecommunications/new media, health sector and financial services will fall under the regulator’s microscope.

In a stark warning to any who may be complacent about compliance, the ICO states: “We will actively seek out situations where organisations significantly fail to live up to their information rights responsibilities and use the full range of our powers to address these”.

When might a private email account become 'public property'? Freedom of information guidance may lead to erosion of privacy for employees

Rosanne Kay — Tue, 10 Jan 2012 05:38:07 -0800

This post was written by Cynthia O'Donoghue and Nick Tyler.

There will always be a tension implicit in the relationship between freedom of information and data protection laws. In the United Kingdom this is usually alleviated by the fact that both are regulated by the same person/body, the Information Commissioner’s Office (ICO). However, recently published ICO guidance, aimed at public authorities under the Freedom of Information Act 2000 (FOIA), could provide an arguable basis for allowing private sector organisations to search their employees’ private email accounts for work-related communications or company business to respond to subject access requests made under the Data Protection Act 1998 (DPA) or other legitimate requests, such as e-discovery/disclosure.

The ICO guidance ¹ was prompted by reports of government ministers, elected representatives and/or public sector officials using their non-work personal email accounts (e.g. Hotmail, Yahoo and Gmail) for work-related communications and official business. Concerns that this may have been done in a deliberate attempt to circumvent the FOIA regime prompted the regulator to act. The ICO guidance makes it clear that information held in such accounts and relating to official business of a public authority is “held by the authority” and/or “held by another person on behalf of the authority” and is therefore in scope of a request made under FOIA.

We wonder whether by ensuring no stone is left unturned to identify all information within the scope of FOIA requests this guidance might have some unintended consequences, by analogy, in the context of subject access requests made under the DPA.

The guidance requires public authorities that have established the existence of such information to ask the individual “to search their account for any relevant information”. A record of such action needs to be kept “to demonstrate, if required, that appropriate searches have been made in relation to a particular request”. This may arise in the course of the ICO’s investigation of a complaint under FOIA.

The guidance recommends clear policies for email/acceptable use of IT systems, and records management, in an effort to address the acknowledged “complications” arising from the onerous requirement to request “searches of private email accounts, and other private media”.

Addressing similar “complications” could lead to employers exerting their authority over their employees in attempting to either identify all personal data within the scope of a data subject access request or within the scope of a company’s legitimate business interest, such as would be required to respond to disclosure/discovery. The rationale behind the guidance could just as easily be applied, by analogy, to those occasions when the ICO deems it appropriate that such searches should extend to personal email accounts and home computers, where these have been used to process personal data for which the employer is the data controller.

Such unintended consequences inevitably raise genuine concerns about the erosion of privacy in the workplace. At this point such concerns are likely to surface in the public sector workplace, unless accepted as the inevitable price of greater openness in the public sector.

¹ “Official information held in private email accounts”, ICO, dated 15 December 2011

The European Court of Justice rules twice in one day on data protection issues: Emerging clarity and consistency is in everyone's interests.

Rosanne Kay — Fri, 06 Jan 2012 06:01:12 -0800

This post was written by Cynthia O'Donoghue and Nick Tyler.

“You wait for ages for one and then two turn up at the same time!” The European Court of Justice issued two significant rulings this past November.

The first addressed the manner in which Spain enacted the Data Protection Directive. In Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) v Administración del Estado (C-468/10) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v Administración del Estado (C-469/10), the claimants challenged Spain’s national data protection law (Organic Law 15/1999) which imposed the extra condition that personal data must be in the public domain when processed, based upon a data controller’s legitimate interests. The ECJ ruled that Article 7(f) of the Data Protection Directive 95/46/EC was sufficiently precise to have direct effect in member states’ national laws because it sets out an exhaustive list of conditions to the processing of personal data and as such member states may not impose additional conditions.

The surprising aspect of this case, in our view, is that it has taken until now to gain a degree of consistency of interpretation for what is a relatively straightforward provision of EU data protection law. In our experience the misinterpretation of this provision in Spanish law has presented real practical difficulties to clients implementing run-of-the-mill applications involving non-sensitive personal data. The resulting emphasis in Spain on the need to gather consent has inevitably introduced increased bureaucracy and associated costs.

The other case, Scarlet Extended SA (Scarlet) v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) (Case C-70/10), stemmed from a referral to the ECJ by the Belgian court and has important implications for the practical enforcement of copyright infringement cases. SABAM, a management company representing owners of copyright-protected works, took legal action against Scarlet, an Internet Service Provider (ISP), because Scarlet’s users were downloading works in SABAM’s catalogue through peer-to-peer networks/file sharing and so infringing copyright.

In the legal proceedings SABAM asked the Belgian courts to make an order requiring the ISP to stop such infringements “by blocking, or making it impossible for its customers to send or receive in any way files containing a musical work using peer-to-peer software without permission”. The technical solution would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content was sent, which may also result in the blocking of lawful content. The local Belgian court granted SABAM’s request for an injunction.

Scarlet appealed, claiming that the injunction would be unlawful on several grounds, most notably in the context of data protection and privacy by breaching Belgian laws implementing Directive 2000/31, prohibiting the monitoring of communications and the general surveillance of all communications passing through the ISP’s network, and Directive 95/46/EC because the filtering system would involve the processing of IP addresses, which are personal data.

The ECJ ruled that the technical solution did not strike a fair or proportionate balance between the protection of the intellectual property right holders and the freedom to conduct a business, such as ISPs, nor was a fair balance struck between the protection of copyright and the fundamental rights of individuals, in this case the ISP’s customers.

Crucially, the ECJ noted the impact on the ISP’s customers and the infringement of their fundamental right to protection of their personal data (Article 8 of the Charter of Fundamental Rights of the EU) and their freedom to receive or impart information (Article 11 of the Charter).

This ruling essentially validates the Art. 29 Working Party’s opinion that in the hands of ISPs, IP addresses are personal data because “they allow those users to be precisely identified.” What is unclear from the ruling is whether IP addresses are also considered to be personal data when processed by organizations that would not have access to names and account information that would enable such precise identification.

U.S. Federal Government Reverses its Stance on Online Gaming

Rosanne Kay — Fri, 30 Dec 2011 08:16:24 -0800

Joseph Rosenbaum, Ramsey Hanna and Joshua Marker posted an update on our sister blog, Legal Bytes, regarding how the Department of Justice reversed its position on the U.S. Wire Act's applicability to online gambling that does not involve sports betting. Our interdisciplinary team of privacy specialists, technologists and marketing - focused attorneys have their eye on this development. The DOJ's statement has the potential to rev the data-intensive, multi-billion dollar online gambling industry back up in the U.S. market.

For more information, please visit our Legal Bytes blog or read the issued Client Alert here: U.S. Federal Government Reverses its Stance on Online Gaming.