German Data Protection Authorities Set Minimum Competency and Independence Requirements for Data Protection Officers

This post was written by Nick Tyler and Moritz Wagner.

The German data protection authorities (DPAs) have recently passed a resolution setting minimum requirements for the competency and independence of company data protection officers (DPOs).


This initiative follows inspections carried out within companies that revealed a generally insufficient level of competency among DPOs, as well as of data controllers’ organizational framework and resources for data protection compliance, in particular given the ever-increasing complexities of automated processing of personal data and the requirements of the Federal Data Protection Act.


The resolution should be read as a warning from the DPAs that companies must not view the appointment of a DPO as a mere formality, but must ensure that the DPO has sufficient competency and independence and is provided with the necessary support and resources to do his or her job effectively. The resolution also shows that DPAs will increasingly monitor compliance with these requirements.


We have published a Client Alert which provides more detail about the new requirements and the consequences of non-compliance.

European Commission Communication on personal data protection in the European Union - A seasonal wish-list for a harmonious future?

This post was written by Nick Tyler and Cynthia O'Donoghue.

With so much consultation activity going on in the United States on the future of privacy regulation and enforcement, initiated by the FTC and US Department of Commerce, we should not lose sight of parallel developments and consultation activity going on in Europe following a recent Communication from the European Commission.


Now seems to be an appropriate time of year to take stock and highlight the key themes of that Communication and what it might mean for clients as they look to address and/or progress their data privacy compliance programmes in the year(s) ahead. We have therefore published a Client Alert which takes a closer look at the emerging themes and what lies ahead in 2011. 

Read the full Client Alert here.

Curtain Drops (For Now) on First Hollywood Couple Charged with FCPA Violations

This post was written by Joelle E.K. Laszlo.

While it’s usually good to be the first to do something in Hollywood, it is decidedly not good when that something is violating the Foreign Corrupt Practices Act (“FCPA”). Former power couple Gerald and Patricia Green are learning that lesson the hard way, as they spend the holidays and beyond in Federal prison. Though the Greens and the Government are appealing the six-month sentences handed down in August, it’s safe to say the Greens’ post-conviction lifestyle won’t come close to matching what it was before.

The Greens were originally indicted in January 2008 for bribing the former governor of the Tourism Authority of Thailand (“TAT”) in exchange for contracts to operate and manage the annual Bangkok International Film Festival (“BIFF”) from 2002 through 2007. In October 2008 the plot thickened as a superseding indictment added bribery charges related to several other TAT tourism programs. In all, and among other things, the Greens were accused of violating the FCPA ten times, ultimately paying out $1.8 million to generate nearly $14 million in revenue. In September 2009 a Los Angeles jury found the Greens guilty of nine FCPA violations and nearly all of the other charges against them.

Sentencing of the Greens was postponed numerous times over several months, as both sides battled to sway the court’s final act. The Justice Department, arguing that FCPA defendants who do not plead guilty or otherwise cooperate with the Government generally receive stricter sentences, asked for ten years in prison for each Green. Defense counsel requested five years’ probation, noting both that Mr. Green suffers from emphysema and that the BIFF generated substantial revenue for Thailand and its people, and thus there were no real victims from the Greens’ actions. After a final lengthy hearing, in August 2010 the Greens were sentenced to six months in prison each, followed by six months of home confinement.

Though the Greens’ prison sentences are some of the lightest ever received by FCPA defendants, there is no Hollywood ending to their story. Under a forfeiture agreement approved along with their sentences, each Green personally owes the Government nearly $1.05 million and any amount of their production company’s pension that can be traced to their offenses. The Justice Department intends to seize and sell a home owned by Mrs. Green to satisfy the judgment. And unable to muster any more funds for his defense, Mr. Green will be represented in his sentencing appeal by a court-appointed attorney. Thus the Greens’ saga is not really fodder for a future blockbuster, or even a movie of the week, though it may make for a good public service announcement on complying with the FCPA.

Department of Commerce Privacy Green Paper -- Detailed Digest

This post was written by Amy Mushahwar.

As promised in our teleseminar last week, we have digested the Department of Commerce Privacy green paper, entitled, "Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework". The green paper will kick start an ongoing discussion of privacy and we encourage organizations to undertake some cost-benefit analysis now for the best outcome in 2011. Time is of the essence and comments to this green paper are due on January 28, 2011. To learn more about this important release, please read our recent client alert.

Privacy: A Washington Tale of Two Reports

This post was written by Mark Melodia, Judy Harris, Chris Cwalina, Paul Bond, and Amy Mushahwar.

We've been busy here in Washington with two seminal privacy reports released within a span of two weeks. At Reed Smith, our interdisciplinary team of former government officials, former in-house attorneys, class action litigators and engineers (in the US and internationally) is reviewing the releases and providing prompt insights for your review. Below, please find links to the reports, our most recent digests and our aptly timed teleseminar, which took place on the very day that the Department of Commerce released its privacy green paper.

On December 1, 2010, the Federal Trade Commission issued its long-awaited 123-page preliminary report on privacy, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. The report is the most important and comprehensive guidance the FTC has ever issued in the privacy arena, and it has the potential to dramatically overhaul the way businesses think about privacy. More importantly, the document sets the stage, potentially, for a very different regulatory framework in Washington. For more detailed information on the FTC Report click here.  Comments are due on this report by January 31, 2011.

On December 16, 2010, the U.S. Department of Commerce issued its initial policy recommendation in a green paper, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. The Commerce green paper, issued by the specially established Internet Task Force at the Department of Commerce, lends another voice to the privacy debate and attempts to create a universal privacy baseline. While the report makes no recommendations covering specific industry sectors that are addressed by existing privacy regulations, such as healthcare, financial services and education, it is clear that the Department of Commerce would like to lead the regulatory agenda in the online privacy overhaul that is expected in 2011. Check back here over the next few days for a more detailed look into the report. Comments are due on this report by January 28, 2011.

We addressed both reports in yesterday's teleseminar by privacy counsel Mark Melodia, Chris Cwalina, Paul Bond and Amy Mushahwar, even though our team was still digesting the Commerce item that was released only hours before the teleseminar. Our team described how the reports may apply to your business and provided a view from Washington regarding the complex regulatory and legislative road that may lie ahead for data privacy and cyber security issues. Feel free to listen to an audio recording of the event while watching the slide show.

Regulatory Round Up 12.16.10

Around this time of year many people look forward to the ringing of bells. Bryan Rahija wants your help in ensuring that we have year-round blowing of the whistles.

If the estate tax was called the death tax, would we all try to live a little healthier? (It’s the holidays – I'll make and break my resolutions in a few weeks). Regardless of its title, the tax is on the table. So what should Congress do about it?

When I was a child, my parents coerced my siblings and me into getting along through the promise of presents from Santa. Turns out FCPA violators who play nice with the DOJ may be able to secure a present of their own: a Non-Prosecution Agreement.

Holiday takeaways: good = presents; bad = coal; Microsoft engineer who attempts to export ITAR-controlled goods to China = criminal complaint.

Restitution and the Antitrust Division's Corporate Leniency Program

This post was written by Stephen P. Murphy.

On December 7, 2010 the Antitrust Division of the Department of Justice announced that for the first time it was requiring actual restitution by a company as a condition of the company's participation in the Division's Corporate Leniency Program. Bank of America was the first and only company to approach the Division about its bid rigging in the sale of tax-exempt municipal bond derivatives contracts. These disclosures led the Division to open an investigation which to date has resulted in guilty pleas by eight executives, and additional charges being filed against seven executives and one company. The investigation is ongoing.

The Division's Corporate Leniency Program calls for restitution to injured parties "where possible." We are not aware of any prior case where the Division made it a condition of admission to the Leniency Program. The requirement for restitution in this case likely flows from the fact that a number of federal and state agencies were involved in the settlement (SEC, IRS, Office of the Comptroller of the Currency and 20 State Attorneys General) and that the IRS and a number of municipalities will be the beneficiaries of the $137.3 million that the Bank of America has agreed to pay in "full restitution."

Whether this settlement signals a new development in the Division's implementation of the Leniency Program remains to be seen, but it would not be surprising to see restitution required in future Leniency Program applications, particularly from larger companies whose conduct affected public entities. The fact that Christine Varney, Assistant Attorney General in charge of the Antitrust Division, was liberally quoted in the press release certainly indicates the importance the Division attaches to this settlement, and perhaps to the role of restitution in future Leniency Program applications.

All Dressed Up

On Monday, December 6, in an effort to run some names against the SDN list, I headed over to OFAC’s website. Much to my surprise I discovered that the Treasury Department had unveiled its newly designed website. To make things even more serendipitous, I stumbled across the Treasury blog. The first post is penned by the one and only Tim Geithner, with the second post highlighting some of the new features. One of the features is the highly anticipated automated Trade Sanctions Reform Act application (commonly referred to as Ag-Med) for licensing exports of agricultural and medical goods to Iran and Sudan. OFAC indicated at BIS Update that they invested significant amounts of time into the process, and we hope it will help speed up the application review times.

Rest assured loyal OFAC fans, you can still find all the same information as before but now in a more “user friendly” format. Spend a few minutes learning your way around. If nothing else, the government will like the increased traffic.

Hamburg DPA Fines Bank €200,000 For Accessing Customer Data and Customer Profiling

This post was written by Thomas Fischl and Katharina A. Weimer.

On November 23, 2010, the data protection authority (the “DPA”) of the German federal state of Hamburg fined regional financial institution Hamburger Sparkasse AG (“Haspa”) €200,000 for illegally allowing its customer service representatives access to customers’ bank data, and for profiling its customers and also granting the representatives access to such profiles. The bank cooperated with the DPA and immediately discontinued the illegal practices.

From the end of 2005 until August 2010, Haspa allowed its self-employed, external customer service representatives access to customer bank data, often without having first obtained the customers’ consent. According to the DPA, the number of bank accounts accessed is not clear. The bank was aware of this practice through reviews of log files that detailed the representatives’ access.


FTC Releases Privacy Report

This post was written by Paul Bond, Christopher G. Cwalina, Amy S. Mushahwar, and Frederick Lah.

On December 1, 2010 the FTC released its long-awaited Protecting Consumer Privacy in an Era of Rapid Change. This 123-page preliminary staff report proposes a sea change in US privacy law. The FTC is accepting comments on this report until January 31, 2011.

In the report, the FTC proposes a major change in the framework of US privacy law, stating bluntly that, "Industry must do better."

  • Notice-and-consent does not work, the FTC says. People do not read or understand privacy notices as now written. The Commission's view is that privacy policies have become "long" and "incomprehensible".
  • The report says that waiting for harm to come to consumers is also not an effective way to enforce privacy norms. Harm has traditionally meant economic or physical harm. Per the report, privacy harms include reputational harms and even the emotional harm of having one's information "out there," and/or "fear of being monitored". The FTC says the new framework must address and allay these anxieties; however, there is some disagreement among the Commissioners. Commissioner J. Thomas Rosch expressed in his concurrence that "the Commission could overstep its bounds" if it were to begin analyzing these more intangible harms when assessing consumer injury.
  • Industry self-regulation, per the report, is too little, too late and has failed to provide adequate and meaningful protection.

The report also challenges a number of assumptions in how we view data privacy and security.

  • The FTC casts severe doubt on claims that de-identified information need not be protected, citing multiple instances and methods by which personally identifiable information (“PII”) can be culled from data that does not include names (e.g., IP addresses or other unique identifiers). The distinction between PII and non-PII, the FTC concludes, is "of decreasing relevance". Consequently, the scope of the report is very broad and applies to "all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device."
  • The report purports to apply in the online and offline world and not just to companies that work directly with consumers.
  • The FTC suggests that consumers must be made aware of and consent to onward transfers of information to non-affiliates, regardless of the industry, universalizing consumer notice requirements that hitherto applied only to certain highly regulated industries (e.g., telecommunications, education, healthcare, financial services) or certain types of highly sensitive data (e.g., credit report information, bank account information).
  • The report distinguishes between "commonly accepted data practices" and all other data practices. Borrowing from GLBA and HIPAA, commonly accepted practices, like using data to aid law enforcement or in response to judicial process or to prevent fraud, would not require notice to or consent of consumers. All other data practices would require notice and consent, in a form easy to read and understand, ideally provided to the consumer at the point the consumer enters his or her personal data. Behavioral advertising and deep packet inspection are explicitly named as not "commonly accepted data practices". Also, the FTC suggests that opt-in consent be obtained prior to implementing any material changes to a company's privacy policy that would apply to data collected under a prior policy.
  • The report suggests that to promote a free and competitive market, the privacy practices of companies need to be more transparent to consumers and that companies provide consumers with "reasonable access" to their data.
  • Per the report, appropriate data retention periods should be a legal requirement. The report cites geolocation data as especially important to phase out.
  • The report also endorses a "Do Not Track" mechanism, understanding that such a mechanism would be far more complex than the National Do Not Call registry. The FTC supports either legislation or self-regulatory efforts to develop a system whereby a consumer could opt not to be "tracked." The FTC has expressed a distinction between "tracking" and "interest-based" advertising. And, in later discussions regarding the report, the FTC has stated that it will treat first-party advertising more favorably than third-party ad servers. The FTC has not decided on the technical mechanism for creating such a registry, but has proposed a browser-level solution that could be similar to the privacy plug-in on the Firefox browser or incognito mode in Google Chrome. The FTC has not expressed whether opt-in or opt-out would be the default browser setting for any browser privacy plug-ins/modes developed.

So what should businesses do?

First, companies should carefully review the report and the 50+ questions open for public comment posed in Appendix A (there are also additional questions posed in the Commissioner dissent statements).

Second, companies should strongly consider commenting on the report. In our experience, the FTC will listen to and often address business concerns, but they must be heard. Trade associations may be a good place to start but also consider unique issues that your company may face that should be addressed.

Third, now is a good time for companies to pull back and consider their privacy programs and the extent to which they incorporate privacy into their everyday business practices. The report suggests that every company should adopt "privacy by design," "building privacy protections into everyday business practices," "assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services".

The FTC's full report is available here.

Regulatory Round Up 12.02.10