Latin American Update: Costa Rica and Peru bring Data Protection regulations into force

This post was written by Cynthia O'Donoghue.

Costa Rica’s 2011 data protection law came into force March 5, 2013, and Peru’s law took effect April 22, 30 days after Peru published its implementing regulations. While this imposes new obligations on businesses operating or looking to do business in these countries, as with other data protection laws modelled on the EU’s data protection regime, it will boost trust and should result in increased trade in these two markets; and given the similarity to the EU data protection regime, we are likely to see these countries apply for adequacy status in the future.

The Costa Rican law requires data subject consent for any processing, requires e-commerce sites to publish privacy notices, and gives individuals a private right of action if their personal data are published. Data controllers are required to register their processing with the Prodhab and give it a "superuser" account for their databases, even where those databases are maintained or hosted by a third party. The regime also requires organisations to report data breaches within five days of becoming aware of the breach. Costa Rica intends to introduce additional data protection rules for the financial sector later this year.

Peru’s data protection regime also emphasises data subject consent and imposes a high threshold requiring consent to be "free, prior, express, informed and unequivocal." Like the EU, individuals may revoke consent at any time, without justification and with no retroactive or punitive effects. The purposes of processing must be clearly and objectively conveyed to individuals by the data controller. Other "guiding principles" focus on data integrity, quality and security, and like Spain and Argentina, the Peruvian regulations contain specific security standards. Cross-border transfers of personal data are permitted only if the entity receiving the data assumes the same obligations as the transferor contained in a written agreement, also similar to the European model clauses. In addition, all databases containing personal information must be registered with the new National Registry of Data Protection. While the whole system appears to be comprehensive and similar to well-established data protection models, how effective it will be, given the relatively low fines for non-compliance, which range from $289 to $14,430, is questionable.

A Brave New World? The "French Sunshine Act" imposes online disclosure of contracts with HCPs, as well as of payments of "advantages" to HCPs, dating back to 01 January 2012

This post was written by Daniel Kadar.

In probably one of the longest-awaited decrees in recent French regulation, the French Ministry of Health published on 22 May 2013 the application decree to the French Sunshine Act (dated 29 December 2011), implementing the specific ways and means by which health care companies must disclose agreements with health care practitioners (“HCPs”), a term that includes medical students, as well as so-called “advantages” paid to HCPs. Under French Public Health Law, the term “advantage” encompasses any form of payment or hospitality, including payment of a contractual fee.

The Decree sets forth the threshold for disclosure at 10 euros (VAT included), but also seems to make a distinction between contractual remunerations and any other form of payment to HCPs. For agreements with HCPs, whereby the health care company enters into a consultancy/research agreement or into a contract to finance the HCP to participate in medical congresses/trainings, the Decree does not seem to require the health care company to disclose the amount it is paying.

However, for other payments – including hospitality and meals – every amount at or above 10 euros, rounded up to the nearest euro, must be disclosed.

The industry has shown surprise that the Decree requires disclosure of the amount of an invitation for lunch, but does not require disclosure of a contractual remuneration. It is foreseeable that the French Ministry of Health, given this interpretation, may shortly take position on that point.

A particularly severe measure is that this disclosure obligation applies to every payment and contract issued from 01 January 2012 onward. This seems to mean that health care companies must look back over 18 months of activity to comply.

Disclosure is to be made to a unique website that has yet to be implemented. Nonetheless, the decree foresees an eventual transition to this unique website. For now, the French National Medical Association is to receive the relevant data, and the disclosures will also mandatorily have to be posted on the health care company’s website, or a joint website where different health care companies are involved.

Even though it took 18 months for the successive governments to get the application decree published and the unique portal is still not set up, the regulator seems to have concluded that health care companies should be able to comply within … a week. The Decree sets forth that the complete set of information be available to the French National Medical Association by 01 June 2013.

However, as this date is not realistic and different Health Care Industry associations have raised its impracticability, a second date, 01 October 2013, has been recommended for the publication of these disclosures on the National Medical Association and companies’ websites.

Going forward, disclosure of “advantages” to HCPs will have to be made on a semestrial basis, while the disclosure of contracts with HCPs will have to be made, at the latest, two weeks after the signature of the contract.

As mentioned in one of our previous blogs, and as remains true, the cosmetics industry is also subject to these new disclosure requirements, and is concerned by this disclosure obligation even though it applies to that industry in a slightly reduced scope.

Last but not least, the Decree recognizes that the disclosure obligation implicates the processing and publishing of HCP personal data, and health care companies have expressed concern about posting this information on their websites. For those reasons, the Decree mandates that the disclosures must be done through appropriate notification to the French Data Protection Authority, the CNIL, and by providing each HCP with adequate information about their access, modification and removal rights.

There is no doubt that implementation of this regulation will raise a lot of questions and will require further clarification.

The first European Parliament vote on the new data protection regime will be delayed

This post was written by Cynthia O'Donoghue.

The date of the first binding vote by the Civil Liberties, Justice and Home Affairs Committee (LIBE) on the proposed General Data Protection Regulation (Regulation), which was initially planned for April-May 2013, has been postponed a second time. During the meeting on May 6, LIBE decided to delay the vote even further, but did not provide a new date. It is most likely to be held before the summer break, which takes place in mid-July. Given the volume of suggested amendments to the EU draft Data Protection Framework, this is hardly a surprising outcome.

Jan Philipp Albrecht, a German MEP and LIBE’s rapporteur for the Regulation, received 3,133 proposed amendments to the proposed Data Protection Regulation, and confirmed that both postponements stemmed from the volume of contested areas. At the same time, four other parliamentary committees prepared non-binding opinions that proposed numerous changes. The same was done by a number of EU Member States.

The lively discussion results from the fact that the Regulation will not allow Member States to tailor any provisions they disapprove of. Aspects of the draft that have been criticised include the “explicit” consent requirement, the introduction of the right to be forgotten and the right of portability, the requirement for data protection officers, and the treatment of smaller companies, as well as the punitive sanction regime of 2% of worldwide annual revenue for a specified list of compliance failures (see also our blog about EU Member States arguing for watering down the Proposed Regulation). There were also calls for increasing the clarity of numerous provisions. The lively discussion is understandable, given the move from a directive to a regulation that provides no scope for national variations, and the overly prescriptive nature of the draft Regulation.

Sophie in ’t Veld, a Dutch MEP and LIBE’s vice-chair, expressed concerns about excluding anonymised data from the Regulation, claiming she does “not believe in anonymous data anymore,” given the risk of re-identification. She also criticised the exclusion of the public sector and law enforcement from the scope of the Regulation. The draft Data Protection Directive on the processing of personal data by law enforcement authorities attracted 673 proposed amendments.

The UK Ministry of Justice published an impact assessment in November 2012, arguing that the costs of the new data protection regime would outweigh its benefits, and accused the EU Commission of over-estimating the cost savings to organisations under the proposed Data Protection Framework.

It is unclear whether this further postponement will have an impact on the overall timeline, but the postponed LIBE vote is only one step in a lengthy legislative process. Once LIBE formally adopts its position on the draft, it will begin negotiations with the Council of Ministers. The representative of the Irish Presidency confirmed that the Council plans to debate some key issues in advance of the negotiations with LIBE, but some matters, including the treatment of the public sector, are expected to remain undecided until after 30 June. Lastly, the Regulation will need to be approved by the European Parliament. The second delay shows that unless compromises are negotiated quickly, it may be difficult to complete the initial plan and adopt the Regulation before the European Parliament is re-appointed in 2014.

EU Presidency seeks political guidance on most contested aspects of the draft Data Protection Regulation

This post was written by Cynthia O'Donoghue.

On 24 April 2013, the EU Presidency, currently held by Ireland, prepared a Note to the Committee of Permanent Representatives (COREPER) regarding the proposed General Data Protection Regulation (Regulation). The Note was leaked and published on the website of Statewatch, a civil liberties organisation. In the Note, the Presidency discusses “pivotal issues, the resolution of which requires political guidance,” including the scope of the Regulation and the requirement for “explicit” consent. The Annex to the Note proposes specific drafting amendments.

The Note focusses on five key issues:

  • Material scope
  • Territorial scope (or jurisdiction)
  • Consent
  • Data processing principles
  • Freedom of expression and access to public documents

The proposed Regulation excludes data processing where the activity is outside the scope of EU law, and processing by EU institutions and law enforcement, both of which are considered problematic. Concern was also raised about the exclusion of household uses, which as drafted would exempt processing “by a natural person without any gainful interest in the course of its own exclusively personal or household activity.” Most delegations wanted the scope of the household exemption clarified, and the Presidency proposed a compromise extending the provision to all social networking and online activities carried on in the context of personal and household activity.

The Note acknowledged that the territorial scope of the Regulation is ambitious in seeking to govern “the offering of goods or services (…) to data subjects in the Union,” or “the monitoring of their behaviour as far as their behaviour takes place within the European Union.” The Presidency suggested setting out factors that can indicate whether a particular offer is aimed at EU residents, even though many delegations questioned the practicality of such a wide jurisdictional scope, doubting whether non-EU controllers will be aware of and willing to comply with the Regulation.

The Presidency acknowledged that the proposed definition of consent is beyond that required under the 1995 Data Protection Directive, and many delegations view the new requirement for explicit consent as unrealistic and of little value, especially on the Internet. The Presidency proposed replacing “explicit” with “unambiguous” for all non-sensitive personal data, and removing the exclusion of consent obtained in relationships with an imbalance of power, because it would lead to legal uncertainty.

While the Presidency noted that the data protection principles are largely the same as those within the 1995 Directive, a new principle of data security and confidentiality has been added, and consequently there should be further discussion in light of the processing of data for historical, statistical, scientific or archiving purposes.

Lastly, the Presidency suggested adding articles enabling Member States to reconcile the right of data protection with the other fundamental rights of freedom of expression and freedom of information.

The Legal Affairs Committee adopted the fourth and final non-binding opinion on the proposed new Data Protection Regulation

This post was written by Cynthia O'Donoghue.

On 19 March 2013, by 14 votes to 6, the European Parliament's Legal Affairs Committee (JURI) adopted an opinion on the proposed General Data Protection Regulation (Regulation). JURI is the fourth and final committee to adopt a non-binding opinion before the Civil Liberties Committee (LIBE) is due to vote on the Regulation, expected sometime in July. The amendments proposed by JURI reflect some of the common concerns regarding the new framework.

The full text of the opinion became available in April, but the press release and notes, released in March, indicated that JURI supports the structure and fundamental elements of the Regulation, while still seeking amendments to specific provisions. JURI backed requiring "explicit" consent for data processing, but highlighted that such consent was capable of being sought electronically. It also supported the right to be forgotten, which would force data controllers, including social networks and e-retailers, to delete information about the individual. However, JURI argued that for public interest reasons, this should not apply to health data.

JURI’s draft opinion had proposed deleting the right to data portability, but this proposal was removed from the final version of the opinion after strong criticism. The adopted opinion does include a recommendation to limit restrictions on "profiling" to situations when it is based on ethnicity, religious beliefs or sexuality. This is not as radical as the Internal Market and Consumer Protection (IMCO) Committee opinion, which deleted all the safeguards relating to profiling. Nonetheless, a European Digital Rights (EDRI) publication on this issue argues that JURI’s amendments are unacceptable and break the European Charter of Fundamental Rights. EDRI strongly criticised JURI’s proposal that businesses could rely on a "legitimate interest" analysis to justify profiling and data processing for incompatible purposes.

While the JURI’s opinion appears to aim for compromise on a number of contested issues, it is likely to spark further debate, as is clear from the mixed reviews the opinion received.

Florida Court Releases Contrarian TCPA Decision

This post was written by Judith L. Harris and Rob Jackson.

The U.S. District Court for the Southern District of Florida recently released a decision in a TCPA suit brought by a man seeking damages in connection with a series of autodialed telephone calls made to his mobile phone. In his decision on cross motions for summary judgment, the judge rejected conclusions reached by the FCC in a 2008 order interpreting the TCPA, most notably on: (1) what constitutes "prior express consent" to receive calls on one's mobile phone; and (2) vicarious liability for TCPA violations committed by outside debt collectors. Mais v. Gulf Coast Collection Bureau, et al.

Click here to read the issued Client Alert.

EU Article 29 Working Party (A29WP) publishes new BCR guidance for processors

This post was written by Cynthia O'Donoghue.

The European Union (EU) data protection body, the Article 29 Working Party (A29WP), in April adopted new guidance on Binding Corporate Rules for Processors (BCPRs). The document supplements the opinion from June 2012, which listed elements required for valid BCPRs, by further clarifying what provisions and mechanisms must be included before BCPRs can be authorised. The BCPR process has been developed by the A29WP in response to a request from outsourcing providers to create a new legal instrument to legitimise international data transfers.

The new guidance emphasises that BCPRs are the preferred method for transfers of personal data from the EU to countries without “adequate levels of protection,” over other methods, such as the EU standard contractual clauses. BCPRs are preferred when transfers are voluminous and frequent between the primary data processor and sub-processors in the same organisation. BCPRs are also recognised within the mutual recognition scheme, such that authorisation of BCPRs by one EU member state will result in automatic authorisation in other participating EU member states.

Data controllers will remain responsible for ensuring that service providers only process data under their instructions, and that sufficient guarantees are in place to protect the personal data being transferred to a service provider and within that service provider group, even where BCPRs have been authorised.

The A29WP emphasises that the BCPRs must be binding both internally and externally, and recommends service providers implement strict and punitive policies or codes of conduct supported by intra-group agreements. For third-party sub-processors, service providers are required to enter into agreements requiring sub-processors to respect the same obligations as the processor group. The sub-processor agreement will need third-party beneficiary rights for the data controller and for data subjects. Service providers seeking authorisation for BCPRs will need to include extracts of relevant clauses in their authorisation application.

The guidance also specifies the limits imposed on the requirements for modifying authorised BCPRs and lists other compulsory clauses, such as provisions ensuring compliance, audit mechanisms and complaint handling, and a duty to cooperate with both the controller and the relevant data protection authority. The BCPRs must also designate a corporate member within the EU that will be liable for breaches of the BCPRs by members of the group outside the EU.

While this new tool was developed in response to calls from the outsourcing community, no BCPRs have been authorised to date, although the French authority, the CNIL, has admitted to having several applications pending.

EU Article 29 Working Party criticises the proposed Data Protection Impact Assessment templates for smart-meters

This post was written by Cynthia O'Donoghue.

The Article 29 Working Party (A29WP) adopted the Opinion on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems (Opinion), which evaluates the Privacy Impact Assessment (PIA) template that the member states intend to adopt. The PIA template, which was prepared by industry representatives, seeks to ensure that smart-meter operators comply with data protection rules; however, the A29WP pointed out a number of inadequacies in the template.

The EU initiative to roll out smart gas and electricity meters, which can send usage data via remote communications, underpins the desire for a more effective and efficient energy supply. In the Opinion, the A29WP points out the risk that smart-meter usage data may be used to infer information about “consumers’ use of specific goods or devices, daily routines, living arrangements, activities, lifestyles and behaviour.”

The energy supply industry expert group developed the PIA to ensure that smart-meter operators comply with data protection rules, and to facilitate compliance assessments by Data Protection Authorities, as well as to provide information to consumers.

The PIA template contains an eight-step impact assessment and provides step-by-step guidance on how to carry it out. The A29WP admitted the proposed template contains useful elements, but criticised the failure to include any method of directly assessing the foreseeable impacts on the data subjects, including the risk of price discrimination or criminal acts facilitated by unauthorised profiling. The A29WP also felt the PIA template confused risks and threats, and failed to match specific risks to controls based on best practice. Other criticism included that the PIA template lacked sufficient guidance on the concepts of vulnerability, calculating and prioritising risks, choosing appropriate mitigating controls, and appropriately allocating data protection responsibilities between the different stakeholders. The A29WP also recommended including an analysis of industry-specific risks and relevant controls.

The A29WP acknowledged that the industry expert group is preparing ‘best available techniques’ that may address some of the criticisms, but it will wait to see those techniques included within the PIA template before the template is resubmitted for a further opinion.

Whether to Proffer? Important Change to Pittsburgh Proffer Agreement Makes for a Difficult Decision in the Western District of Pennsylvania

This post was written by Efrem M. Grail, Shannon Voll Poliziani and Kyle R. Bahr.

A crucial decision in most federal “white collar” criminal investigations is whether to “proffer” to the government – to engage in an off-the-record, question-and-answer session with the prosecutor and investigating agent in the hopes of getting immunity, a plea deal, or no charge at all. Because of the risks involved, the decision must be carefully weighed with the assistance of knowledgeable criminal defense counsel. Those risks recently increased in the Western District of Pennsylvania. On April 11, 2013, the Pittsburgh U.S. Attorney’s Office added language to its standard proffer agreement – a contract signed between the government and the interviewee setting how the government can use the information gained in the proffer – that broadens a prosecutor’s ability to use proffer statements in subsequent legal proceedings in the Western District of Pennsylvania.

Click here to read the issued Client Alert that describes how the new language changes the proffer calculation for clients and their lawyers.

California Legislature Pushing Forward Multiple Data Privacy Bills

This post was written by Sarah Woo, Lisa B. Kim and Joshua B. Marker.

The California legislature is determined to be at the forefront in the development of data privacy law by drafting a number of data privacy protection bills that will impact companies’ obligations with respect to the disclosure, compilation, removal, or sharing of consumers’ personal information.

Click here to read the issued Client Alert.


UK legislation authorising Deferred Prosecution Agreements is approved

This post was written by Rosanne M. Kay and Kimberley Davies.

Following on from our posts in 2012 (UK Ministry of Justice Launches Consultation on Deferred Prosecution Agreements and UK Government unveils deferred prosecution agreements as a new enforcement tool), we can now report that on 25 April 2013, the Crime and Courts Act 2013 (the “Act”) was passed. The Act introduces deferred prosecution agreements into UK law for the first time.

The Act will allow the UK Serious Fraud Office and the Crown Prosecution Service to enter into deferred prosecution agreements to deal with economic crimes such as bribery, fraud and money laundering.

The Act is not expected to come into force before February 2014, and in the meantime, a Code for Prosecutors containing further guidance from the Serious Fraud Office and the Director of Public Prosecutions will be published.

We will keep you posted on any future developments.

CalOPPA Enforcement Grounded, For Now

This post was written by Steven Boranian, Joshua B. Marker, Lisa B. Kim, and Tyler M. Layton.

In a significant victory, Delta Airlines’ demurrer to the enforcement action filed by the state of California was sustained without leave to amend. We previously wrote about the case here. California alleged that Delta’s mobile application was in violation of CalOPPA because its privacy policy was not reasonably available within the application itself, and because the privacy policy on the Delta website did not accurately describe the information-collection practices of the mobile application.

Judge Marla Miller of San Francisco Superior Court sided with Delta and sustained its demurrer to the complaint without leave to amend. Despite the defense win, however, the decision provides little guidance regarding CalOPPA and its remedies, because the court did not address the substance of the statute. Rather, the court found that the claims against Delta were entirely preempted by the Airline Deregulation Act, which preempts any state “law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” The court declined to rule on the arguments pertaining to the substantive reach of CalOPPA.

In short, the precedential value of this decision outside of the airline industry is up in the air. While the decision may set the groundwork for preemption arguments that can be made in other federally regulated industries, the decision itself provides little guidance on CalOPPA specifically. With the potential for hefty statutory penalties, CalOPPA is still a privacy statute that requires careful consideration with regard to every company’s mobile applications.

A fiery dissertation - the third conviction under the UK Bribery Act 2010

This post was written by Rosanne M. Kay and Kimberley Davies.

On 23 April 2013, Mr Yang Li was the third individual to be convicted under the UK Bribery Act 2010 after he attempted to bribe his tutor.

Mr Li, a student at the University of Bath, offered his tutor £5,000 to amend his dissertation grade, which was 3% short of a pass mark. The tutor rejected the offer, and as Mr Li put his money away, a replica air pistol fell out of his pocket and onto the floor.

Mr Li pleaded guilty in Bristol Crown Court to charges of bribery (under Section 1 of the Bribery Act 2010) and possession of an imitation firearm. He was sentenced to 12 months in prison and ordered to pay £4,880 in costs. Judge Michael Longman stated that “any form of corruption or incitement to a person in any manner amounts to a serious offence which must be taken seriously by the court.”

This is the third conviction under the Bribery Act 2010 in just under two years, and so far all three have involved individuals. There have yet to be any corporate convictions, or any cases offering guidance on the corporate offence under Section 7, in particular on the meaning of “carrying on business” in the United Kingdom.

'Coreper' Committee shows support for opening up public sector data to boost economy

This post was written by Cynthia O'Donoghue.

The Permanent Representatives Committee (otherwise known as ‘Coreper,’ consisting of representatives from the Member States and responsible for preparing the work of the Council of the EU) has expressed support for the European Commission’s plans to open up public sector data for re-use, through legislative changes, across Europe.

The initiative, which is part of the pending update to the 2003 Public Sector Information Directive, would make all generally accessible (i.e., non-personal) public sector information available for re-use across all Member States. Developers, programmers, businesses and citizens will be able to access and re-use public sector data at low cost, and this is predicted to result in a significant boost to the European economy.

Through proposed revisions to the 2003 Directive, a new genuine right to re-use public information would be introduced, including access to information stored by libraries, museums and archives. The revised Directive would allow such bodies to charge at most the marginal cost of reproduction, provision and dissemination of the information, with charges to ensure the recovery of costs or a reasonable return on investment permitted only in exceptional cases. The revisions would also encourage public sector bodies to make data available in open, machine-readable formats. The programme would include geographical, health care, transport and statistical information, and this wider availability of public data could potentially enable economic growth worth tens of billions of euros per year across the EU. Neelie Kroes, Vice-President of the European Commission, said: "Opening up public data means opening up business opportunities, creating jobs and building communities.”

The initiative would apply to non-personal public information only, but some privacy groups have already expressed concerns, stating that the open availability of data must be scrutinised to avoid the so-called ‘jigsaw effect,’ whereby large quantities of non-personal data can be used to re-identify anonymous data or to profile individuals.

While Coreper’s support for the initiative is noteworthy, the proposed new rules still need to be formally approved by the European Parliament.

New FAQs Issued by the FTC for COPPA Compliance

This post was written by John P. Feldman and Caroline Klocko.

Earlier this week, the Federal Trade Commission (FTC) issued Frequently Asked Questions for complying with the Children's Online Privacy Protection Act (COPPA). The FAQs are intended as a supplement to the already issued compliance materials. As we previously reported, the revised COPPA Rule is set to go into effect on July 1, 2013. For companies running websites that collect information from children under 13, COPPA compliance will be critical. The FAQs will provide helpful guidance to reach that goal.

To learn more please visit our sister blog, AdLaw By Request.