U.S. Federal Government Reverses its Stance on Online Gaming

Joseph Rosenbaum, Ramsey Hanna and Joshua Marker posted an update on our sister blog, Legal Bytes, regarding how the Department of Justice reversed its position on the U.S. Wire Act's applicability to online gambling that does not involve sports betting. Our interdisciplinary team of privacy specialists, technologists and marketing-focused attorneys has its eye on this development. The DOJ's statement has the potential to rev the data-intensive, multi-billion dollar online gambling industry back up in the U.S. market.

For more information, please visit our Legal Bytes blog or read the issued Client Alert here: U.S. Federal Government Reverses its Stance on Online Gaming.

New EU Data Protection Framework

This post was written by Cynthia O'Donoghue, Nick Tyler and Katalina Chin.

The new proposed EU Data Protection Framework looks set to implement dramatic changes to the landscape and to affect any organisation that does business in the EU or that handles the data of its citizens. It has the potential to create even more regulatory burdens on business despite promoting a more self-regulatory regime. Although the new Framework is in draft and is making its way through the legislative process, it makes for sobering reading because failure to comply could result in sanctions of up to 5 percent of an organisation's annual worldwide turnover.

To view the entire alert, please click here.


UK High Court challenges ICO's view on the scope of "domestic purposes" exemption - UK data protection regulator may now be expected to intervene and stop unlawful publication of offensive material on the Internet

This post was written by Cynthia O’Donoghue and Nick Tyler.

In a decision with potentially far-reaching consequences for the UK data protection regulator, a High Court Judge, Tugendhat J., questioned the legal basis upon which the Information Commissioner’s Office (ICO) declined to take action to stop the publication of defamatory and offensive material on the website solicitorsfromhell.co.uk. See The Law Society and Others v Rick Kordowski [2011] EWHC 3185 (QB) (judgment dated 7 December 2011).

The website was a forum for individuals to post comments about lawyers, most of which were libelous or defamatory, and could be posted anonymously without any moderation by the site’s publisher. The judge ordered that the site be taken down permanently and banned the web address from being transferred to anyone else.

Mr Kordowski failed to mount any credible defence to the raft of claims brought in the proceedings – the judge labelling him a “public nuisance”. The judge also highlighted the challenge faced by the administrative justice system by what he identified as a new breed of “vexatious litigant” – “defendants who mischievously provoke claims which they know they cannot defend”.

Tugendhat J. commented that he found it impossible to reconcile the legal views of the ICO expressed in a letter to the Law Society with authoritative statements of the law, and found that the UK Data Protection Act 1998 (“DPA”) indeed envisages that the ICO should consider what is acceptable for one individual to say about another under the First Data Protection Principle, since data must be processed lawfully.

The ICO based its position on the scope of the “domestic purposes” exemption in relation to individuals posting their views on third party websites. Section 36 of the DPA exempts all processing of personal data by an individual “only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)”. Even though the ICO had recognized “a growing social problem in individuals posting offensive material about each other”, the view expressed to the Law Society was that the DPA was both “out of step with technology” and “simply not designed to deal with [this] sort of problem”.

While the court did not review the ICO’s decision, the clear implication was that the ICO could, and perhaps should, have taken a more active role in exercising its regulatory powers. The court acknowledged that the ICO may often find itself in the difficult position of being asked to referee legal disputes which might better be resolved in the courts. In a clear-cut case, however, “where there is no room for argument that processing is unlawful [in this case defamatory and amounting to harassment]”, it is difficult to argue that the processing was not within the ICO’s enforcement powers.

The challenges faced by those charged with regulating the Internet are significant, and the court’s judgment aligns with the limited scope of the “domestic purposes exemption” set out in the draft EC Data Protection Regulation, which specifically carves out of the domestic purposes exemption instances when an individual posts personal data on the Internet that is “accessible to an indefinite number of individuals”.

Following this judgment, it will be interesting to see if the ICO follows the court’s interpretation of its ability to take a more robust view of its powers in relation to “lawful processing”. The ICO will certainly have to think twice about what qualifies for the “domestic” exemption, and there is a message in here for website operators as well: they can no longer rely on the “domestic” use exception and will have to increase website moderation and take down obviously unlawful postings.

A Seasonal Reminder for Your New Year's To-Do List - Implement Your Cookie Action Plan for a "Good Enough" Solution!

This post was written by Cynthia O'Donoghue and Nick Tyler.

On Christmas Day, organisations operating in the UK will have just five months to get their act together and comply fully with the new EU-wide rules on cookies.

See earlier Client Alerts:

The 12-month lead-in period set by the UK data protection regulator, the Information Commissioner’s Office (ICO), expires on 25 May 2012. This period is a time for taking pro-active steps, with the Information Commissioner himself issuing a timely warning on his blog that not enough is being done to address compliance by too many.

If the ICO’s message wasn’t clear seven months ago, its latest reminder should be now:

“organisations will need to be able to demonstrate they have taken sensible measured action to move to compliance. If a website has not achieved full compliance at the end of the period the [ICO] will expect a specific and clear explanation of why it was not possible to comply in time, a clear timescale for when compliance will be achieved and details of specifically what work is being done to make that happen.”

The ICO have helpfully taken the opportunity to update their guidance. This now includes a number of useful examples of what some organisations are doing to meet the new requirement for positive consent to cookies and other similar technologies.

The key first steps remain the same:

1. Cookie Audit,
2. User Impact Assessment, and
3. Action Plan.

At this stage of the lead-in period, the ICO expects organisations to have decided on the solutions appropriate to them and to have ready an

4. Implementation Plan – setting out the organisation’s activities to get into compliance between now and 25 May 2012. If you haven’t yet started this process, now is the time to start and to map out your chosen solutions!

The ICO emphasises that organisations must have in place “mechanisms for exercising user choice” to better educate consumers about the different cookies they use, what they are used for, and “making the case” about the undoubted benefits of cookies. The ICO’s guidance stems from UK Government-sponsored research revealing the general public’s limited understanding of cookies and how to manage them, including among more “internet-savvy” consumers.

While many view the new EU-wide requirement for positive consent to cookies as a legislative ‘sledgehammer to crack a nut’, the ICO’s position is that the more information given to consumers the better choice and control they are able to exercise.

The ICO’s view is the opposite of less is more in that greater information and choice will result in increased consumer confidence rather than resistance to cookies.

While the ICO recognises that technical solutions remain a “work in progress”, it also challenges the prevalent criticism of the new rules by highlighting some genuine ‘quick fixes’ which, while not perfect, seem to be good enough for it to accept as compliant.

The CNIL provides guidance to comply with French cookie legislation

This post was written by Cynthia O'Donoghue and Daniel Kadar.

In August, France implemented new rules governing the use of cookies as required under the ePrivacy Directive (Ordinance of 24 August 2011 number 2011-1012 relating to electronic communications ("the Ordinance")), and the CNIL has now issued guidance called the ‘Telecoms Package’ to help businesses comply with cookie legislation in France. The main aim of the guidance is to explain how users can be informed about and how consent can be obtained prior to the placement of cookies on an individual’s computer.

The guidance provides clarification on the following areas:

  • The definition of "cookie" broadly includes other technology related to cookies, such as Flash cookies and web local storage.
  • Users' consent to cookies must be specific. The settings of most browsers can, according to the CNIL, be changed so that the user's consent is requested for each cookie. However, in the CNIL’s view, this solution raises a number of problems. As such, browsers in their current state do not meet the requirements of the Ordinance for obtaining user consent.
  • No consent is needed for cookies that are used for the sole purpose of enabling or facilitating communication, such as session cookies, cookies related to language preferences, Flash cookies necessary for a media player to operate, cookies that contribute to the security of the user, or cookies used to remember a shopping basket.
  • Third-party cookies: the website operator is responsible when the site allows a third party to place cookies on a user’s computer.

Website operators are liable for an administrative fine of up to EUR 300,000 for any breach of the new rules, and there is the possibility of criminal sanctions. Most importantly, the information and consent requirement applies regardless of whether cookies contain personal data or not.

The CNIL stated that methods for collecting user consent can take many forms (the following list is not exhaustive); for example, (i) a banner like the one used on the webpage of the UK data protection regulator (ICO); (ii) an area of the application dedicated to consent; or (iii) tick boxes when registering for an online service.

Businesses with online operations are advised to assess the nature of each cookie and how intrusive it is, decide whether consent is needed, and consider how users could be provided with detailed information about the cookies. This is important because, if a complaint is made against a website operator, the CNIL will review what the website operator has done to ensure compliance.

Tougher data protection laws in Taiwan expected to become effective in 2012

This post was written by Cynthia O'Donoghue.

The Taiwanese Ministry of Justice recently concluded a public consultation on draft enforcement rules and proposed amendments to its primary data protection legislation, the Computer-Processed Personal Data Protection Act ("the Act").

The amendments are reportedly far-reaching. If the amendments are approved, some key changes to the Act would be:

  • The law would apply to the private as well as public sector. The law would have extraterritorial effect and would apply to entities outside Taiwan if the data of Taiwanese residents is collected.
  • Class actions would be possible.
  • The minimum administrative fine would increase from NT$10,000 to NT$100,000 (approx. EUR 2,430), and the maximum from NT$20,000 to NT$500,000 (approx. EUR 12,000).
  • Fines could be imposed both on the company and on the individual person responsible for data protection compliance.

The amendments were to be finalised by the end of November 2011 and are expected to be sent to the Cabinet for approval this month. If approved, the new law, the “Personal Information Protection Act”, should come into force by November 2012.

Businesses established in Taiwan and non-Taiwanese businesses conducting business in Taiwan should consider reviewing their personal data collection procedures, technical and security measures, and other company data protection policies in preparation for the new data protection rules, to ensure compliance. This is especially pertinent given the more severe criminal sanctions proposed by the amendments, of up to five years in prison, and increased fines of up to NT$1 million.

Labels of conformity with the French Data Protection Act now available from the CNIL

This post was written by Cynthia O'Donoghue & Daniel Kadar.

Earlier this month, the CNIL announced that CNIL labels would now be available for two categories with respect to processing of personal data:

i) data privacy audit procedures, and
ii) data privacy professional training.

The labels signify to the public that the product or process offered meets the requirements of the CNIL in terms of quality and compliance.

The CNIL had the possibility of issuing labels on products or procedures to mark their compliance with the Data Protection Act as far back as 2004. However, because of logistical problems, the CNIL was not able to deliver such labels. The law of 13 May 2009 removed such barriers. Moreover, Decision 2011-249 of 8 September 2011 modified the CNIL's internal regulations and paved the way for products and procedures to receive a label as a seal of approval.

The process for obtaining the label involves setting up an application file evidencing compliance with a full set of specifications ranging from knowledge and capacity to comply with the French Data Protection Act, to high-quality standards.

For data privacy audit procedures, the CNIL has accordingly worked from the ISO 19011 standard.

The CNIL will have two months to consider an application for a label. The cost of the application and any amendments are not known yet.

If awarded, the label will be valid for three years and the company can display the label logo.

Refusal to issue or withdrawal of the label does not mean that the applicant is in breach of the Data Protection Act. It just means that the product or process does not accord with the requirements of the CNIL in order to obtain a label.

As data security and data protection compliance becomes more prominent, the CNIL label could be seen as a notable competitive advantage in the market in these two areas.

Leaked proposed EU Commission Data Protection Regulation has potential to open eyes and make mouths water!

This post was written by Cynthia O'Donoghue.

The European Commission’s new draft data protection regulation was leaked to the press earlier this month. The proposal includes repeal of the present EU Data Protection Directive 95/46 and recommends a General Data Protection Regulation, as well as a Police and Criminal Justice Data Protection Directive.

The Commission appears to have made good its threats to increase enforcement to make U.S. and other companies outside the EEA comply. Some of the ground-breaking proposals include a harmonised enforcement and sanctions mechanism which includes penalties of 1%, 3% or 5% of an enterprise's annual worldwide turnover for intentional or negligent breaches of various data protection obligations. Those penalties will certainly force organisations to sit up and take notice of their data protection obligations.

As suspected, the draft regulation includes new elements in relation to the principles of transparency and data minimisation, as well as a new principle of accountability for data controllers. Built into the new principle is an obligation for Privacy by Design “and by default”.

In addition, the right to be forgotten shifts the burden from individuals to organisations by requiring organisations that seek to continue to process personal data to demonstrate compelling legitimate grounds for the processing which override the interests or fundamental rights of the individual. This new right to be forgotten extends to erasure of information in the public domain available via the Internet or other communication service, and links to a new right to have the data restricted.

The draft Regulation also includes an obligation on large enterprises, whether data controllers or data processors, to appoint a data protection officer where the processing of personal data requires regular and systematic monitoring.

The draft Regulation further proposes a new ‘super’ regulator, a European Data Protection Board to consist of the heads of each of the Member States’ Data Protection Authorities to replace the Article 29 Working Party. This new ‘super’ regulator will have the power to review and opine on measures at the national level relating to cross-border data processing whether within the European Union or outside of it, including approvals of data transfer agreements and binding corporate rules.

As we recently saw with France’s implementation of a data protection label, the proposed Regulation encourages the use of data protection certifications, such as seals and marks, for data controllers, aimed at helping individuals assess an organisation’s privacy practices.

Unless organisations move data privacy and protection up their priority list, they will be sitting on a time bomb. The issue is not whether this proposal will come into force, but when; and while there may be some changes while the proposal makes its way through the European Parliament, the way forward for organisations is now clear, and organisations will have at least two years to bolster their processes and procedures and get ready for the new horizon.

Get ready for a whole new round of subpoenas from Capitol Hill. House Oversight and Government Reform Chairman Issa promises to put the grant award process in the spotlight.

This post was written by Christopher L. Rissetto and Robert Helland.

Numerous press reports indicate that House Oversight and Government Reform Chairman Darrell Issa (R-CA-41) intends a broad investigation of the federal grant and loan application process, in the wake of the recent bankruptcy of the solar company, Solyndra. Up until now, the primary committee in the House investigating and holding hearings on the decision to award $535 million in loan guarantees to Solyndra has been the House Energy and Commerce, Subcommittee on Oversight and Investigations, chaired by Rep. Cliff Stearns (R-FL-6). It held a recent hearing with Energy Secretary Steven Chu, where committee members grilled the Secretary on the Department’s decision to restructure the terms of the loan guarantee to favor private investors, and whether that was influenced by political considerations. As a result of that hearing, Chairman Stearns has called for Secretary Chu’s resignation. And as investigation continues, both Chairman Stearns and full committee Chairman Fred Upton (R-MI-6) are pressing the White House for additional documents on the loan guarantee, as well as the testimony of senior White House staff.

But what Chairman Issa promises is a broader investigation – not just into Solyndra, but also into the federal investment in renewable energy, and possibly beyond. We have seen evidence of this broader line of inquiry in a recent hearing by Oversight and Government Reform into possible politicization of grants at the Department of Health and Human Services Office of Refugee Resettlement. In fact, it seems as if Mr. Issa is planning on looking at the entire Federal assistance apparatus, to determine whether merit, and not politics, counts in final award decisions. As a result, all loan guarantees and grants could come up for review, especially those to entities facing financial difficulties. Administration officials, and executives, should be ready for the subpoenas.


One Strike and You're Out? Debating the Need for Instituting Mandatory Suspension and Debarment Procedures

This post was written by Leslie A. Monahan.

To mandate or not to mandate the use of suspension and debarment - that is the current question up for debate among federal agencies and government officials. As criticism of agencies for failure to utilize or enforce suspension and debarment procedures continues, the idea of mandating the use of these procedures as punishment for indictments and convictions related to federal contracts is gaining momentum. Interest in this idea reached a high point in recent weeks with issuance of a memorandum from the Office of Management and Budget (“OMB”) and agency testimony before the Senate on the matter.

The OMB memorandum identifies the use of suspension and debarment as a “powerful tool” for protecting taxpayer resources and the integrity of federal government processes from government contractors who “lack business integrity because they have engaged in dishonest or illegal conduct or are otherwise unable to satisfactorily perform their responsibilities.” The memorandum was issued in response to an August 2011 Government Accountability Office (“GAO”) report, which found that more than half of the ten agencies it reviewed lacked characteristics common among active and effective suspension and debarment programs. In particular, the GAO discovered that the agencies investigated did not have: (i) sufficient dedicated staff resources, (ii) well-developed internal guidance, and (iii) processes for referring cases to officials.

To remedy the issues addressed in the GAO report, the OMB set forth a new set of directives that apply to agencies and departments subject to the Chief Financial Officers Act. These directives include the following: (1) appointing senior accountable officials to assess agency suspension and debarment programs; (2) reviewing internal policies and procedures to ensure effective use of suspension and debarment tools; and (3) checking federal databases to guarantee that only responsible contractors receive federal awards. The OMB tasked the Interagency Suspension and Debarment Committee (“ISDC”) to serve as a support structure by helping agencies develop training and share best practices related to suspension and debarment tools.

The OMB issued its memorandum one day before the Senate Committee on Homeland Security and Government Affairs (“Committee”) held a hearing on the matter. The Committee obtained testimonies from agency heads and officials, including Daniel Gordon, outgoing OMB procurement chief, and Steven Shaw, deputy general counsel of the U.S. Air Force. While committee members, including Senators Susan Collins and Joseph Lieberman, support implementing mandatory suspension and debarment, agency officials advocated against mandating such procedures. Mr. Gordon stated that the current regulations provide the necessary authority and discretion to combat dishonest or incompetent federal contractors. Mr. Shaw argued against taking away agency discretion and stated that automatic suspensions and debarments would remove contractor incentive to work in creative ways to benefit the government.

Although the question concerning mandatory suspensions and debarments is still up for debate, contractors should use this time to ensure that they and their businesses would not fall prey to the proposed automatic measures if they became law. Accordingly, contractors need to take an internal look at their compliance policies and procedures to make certain they meet all federal contract requirements. By taking advantage of the opportunity to “clean house” concerning contract provisions and ethical regulations, contractors can obtain a clear conscience about their compliance and prevent any violations that could potentially lead to suspensions and debarments.