U.S. lawyers urge courts to respect EU data privacy laws - 'Hobson's Choice' just got harder!

This post was written by Cynthia O’Donoghue, David Cohen, Nick Tyler, and Regis Stafford.

The American Bar Association (ABA) this week passed an important resolution urging all courts in the U.S. to:

“consider and respect…the data protection and privacy laws of any…foreign sovereign, and the interests of any person who is subject to, or benefits from such laws, with regard to data that is subject to preservation, disclosure, or sought in discovery in civil litigation.”

The ABA journal describes the long-standing dilemma faced by litigators on both sides of the Atlantic as “Hobson’s Choice”. The ABA Section of the International Law Report to the House of Delegates further explains the choice too often faced by litigants: “violate foreign law and expose themselves to enforcement proceedings that have included criminal prosecution, or choose noncompliance with a U.S. discovery order and risk U.S. sanctions ranging from monetary costs to adverse inference jury instructions to default judgments.”

It is interesting to note the timing of the resolution, coming as it has less than two weeks after publication by the EU Commission of the long-awaited draft EU Data Protection Regulation with its proposed new sanctions of up to 2 percent of annual worldwide turnover for serious breaches, which would include an unlawful data transfer to the U.S.

Such sanctions represent a ‘game-changer’ in the current risk profile and choices presented to multi-nationals faced with U.S. discovery requirements demanding the transfer of personal data held by EU affiliates in breach of EU data protection laws.

Current U.S. jurisprudence will now be tested – up until now the U.S. courts have tended to strike the balance in favour of compliance with U.S. rules on the basis that there is no realistic prospect of prosecution in Europe for an enterprise that breaches EU cross-border transfer restrictions. See Strauss v. Credit Lyonnais S.A., 242 F.R.D. 199 (E.D.N.Y. 2007).

However, as the report to the ABA House of Delegates regarding the resolution explains, there are other good reasons, in addition to the possibility of sanctions, for U.S. courts to respect Europe’s data privacy laws. If U.S. courts continue to favor broad discovery in violation of EU restrictions, U.S. litigants may face “a similarly hardened view of U.S. laws and regulations to the detriment of U.S. litigants” in courts outside of the U.S. Moreover, “[p]ermitting broad discovery in disregard or even defiance of foreign protective legislation can ultimately impede global commerce [and] harm the interests of U.S. parties in foreign courts and provoke retaliatory measures.”

The resolution has been diluted from that originally proposed, with the insertion of qualifying words such as “where possible in the context of the proceedings”. Nonetheless, the ABA has sent a clear signal that a re-evaluation of the status quo is needed and that U.S. courts need to recognise the wider implications of cross-border litigation in an increasingly globalised corporate and legal environment.

EU Commission sends draft EU General Data Protection Regulation and Directive on Criminal Investigations and Judicial Proceedings to the European Parliament

This post was written by Cynthia O'Donoghue and Nick Tyler

The European Commission today completed its task of reforming the EU Data Protection Directive by sending a draft Regulation to the European Parliament. The draft Regulation contains comprehensive reforms and seeks to harmonise data protection laws across the 27 EU Member States, and to enhance EU citizens' privacy protections in the age of the Internet.

There will be two tiers of compliance obligations and sanctions, with one aimed at small- to medium-sized enterprises and the other at large, multinational organizations. SMEs are entitled to certain exemptions to ease administrative burdens, such as no requirement to appoint a data protection officer and a sanctions cap of up to €1 million. Multinationals with more than 250 employees in the EU will have to appoint a data protection officer and may face sanctions of up to 2 percent of worldwide annual turnover for serious breaches. Multinationals outside the EU will also have to comply with the data protection rules if they seek to market products and services to EU citizens.

Key provisions include:

  • A single notification to the data protection authority in the country where an organization has its principal establishment. There remains an obligation to notify and seek prior authorization for a range of processing activities considered to present specific risks, such as systematic and extensive profiling and large-scale video surveillance.
  • An accountability principle for those processing personal data, including impact assessments for SMEs and top-down accountability for all organisations.
  • Data breach notification to the national data protection authority, if feasible within 24 hours, and to individuals if there is a risk of harm.
  • Increased individual control over personal data, including a requirement for explicit consent before data may be processed rather than consent being assumed, and the ability to refer matters to the data protection authority in the individual’s own country even if the data is processed by a company based outside the EU.
  • Data portability, meaning individuals will have easier access to their own data and be able to transfer it from one service provider to another more easily.
  • A right to be forgotten, allowing individuals, including children, to have their data deleted if an organization does not have any legitimate grounds for retaining it. The right provides exemptions for legitimate historic data such as newspaper archives, and seeks to balance the right to privacy with the right to free speech.

The sanction regime has at least been watered down from the draft Regulation circulated in November 2011, which had proposed sanctions of up to 5 percent of worldwide annual turnover.

There have been some ‘business-friendly’ changes to the draft Regulation as compared with the earlier November draft. The proposal for an opt-in for commercial marketing has been substituted with an opt-out, and the provisions relating to children’s privacy now require parental consent for children under the age of 13, rather than 18.
In addition, while there is an emphasis on binding corporate rules for international data transfers outside of the EU, contractual clauses, EU standard contracts, and findings of adequacy, as well as international commitments by countries or international organizations such as U.S. Safe Harbor, will still apply. Given the changes contemplated under the draft Regulation, existing international data transfer mechanisms may need to be reviewed and amended if the draft Regulation is adopted.
The new European Data Protection Board will no longer act as a supranational regulator in relation to approving enforcement actions and sanctions as proposed in the November version of the draft Regulation. Instead, its powers will be limited to ensuring consistent application of the Regulation, without the power to overrule decisions in individual cases.
The Commission's proposed draft Regulation and accompanying Directive now go to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. The Regulation will only take effect two years after adoption by the European Parliament, and we would expect further changes as it makes its way through the legislative process. That means any changes are probably close to three years down the road.

US wades into debate on revision to EU Data Protection Directive

This post was written by Cynthia O'Donoghue and Nick Tyler

The U.S. Federal Trade Commission (FTC) has waded into the political debate with an Informal Note on the draft EU Data Protection Regulation as reported by Statewatch. In addition, Digital Civil Rights in Europe has reported that the U.S. Department of Commerce engaged in significant lobbying of the European Commission in response to the leaked draft Regulation.

The FTC’s Informal Note, provided to the EC in December 2011, focused on “two overarching concerns”:

  • “potential adverse effect on the global interoperability of privacy frameworks” – resulting in divergence rather than convergence of data privacy standards globally; and
  • “serious implications for regulatory enforcement activities involving third countries” such as the U.S. – resulting in EU data protection laws presenting a significant obstacle to international enforcement cooperation.

In both respects, the Informal Note portrays the draft Regulation as a backward step that would have an adverse effect on the global interoperability of privacy regimes by increasing differences rather than promoting convergence. The FTC also raised concerns about the draft Regulation’s potential to adversely impact international investigations, hinder information sharing between regulatory agencies and undercut enforcement cooperation between the EU data protection authorities and similar privacy enforcement agencies around the world.

In doing so, the FTC’s Informal Note emphasises many of the issues highlighted in our two blogs and Client Alert following the leak of the draft Regulation. In particular, the following themes are highlighted:

  • Data breach notification – criticising the Regulation’s “focus on process, instead of on improving security practices”, the note concludes that this “may…dilute the effectiveness and credibility of all such notices.” This echoes a concern first raised by the UK Information Commissioner’s Office during the IAPP Summit in November 2011, relating to notification of all data breaches regardless of seriousness or number of persons affected.
  • The “right to be forgotten” – the FTC’s concern relates to a chilling effect on rights to free speech and intimates that a right to be forgotten is little more than a pipe-dream fraught with legal and practical obstacles that render it unfeasible. Basically, the ubiquity of the Internet means that the cat’s out of the bag and any attempt to put it back is doomed to fail.
  • The definition of “child” – the EU’s definition of child as anyone under the age of 18 runs counter to the U.S.’s longstanding regulation of children’s privacy (defined as under-13 in the Children’s Online Privacy Protection Act (COPPA)). The FTC refers the EC to its recent review of the COPPA Rule,[1] suggesting it take a more modern and less paternalistic view by recognising:

“…it would be difficult to require parental permission for teenagers because they’re independent, more sophisticated with new technologies than their parents are, and have access to computers outside the home, particularly with the increasing proliferation of mobile devices.”

  • Transfers to third countries – criticising the increased complexity in determining adequacy for transferring data outside the EU, the FTC believes that the draft Regulation only makes the process more burdensome, opaque and indeterminate, rather than achieving the EC’s stated objective of clarifying it. There is undoubtedly a degree of self-interest in the FTC’s alarm at the possibility that a U.S. Safe Harbor certification may no longer be recognised (at least in its current form) as a lawful basis for transfers of personal information from the EU to the U.S., as we previously highlighted. The prospect that present lawful trans-border dataflow mechanisms will need to be replaced by new or revamped versions, including through the use of binding corporate rules, will alarm every U.S. organisation that has invested significantly in putting legal mechanisms in place to transfer data from the EU to the U.S.
  • International Investigations – the FTC raises concerns about the effect on international regulatory enforcement, effectively calling the draft Regulation a ‘blocking statute’, because data controllers will have to notify and receive prior authorisation from a data protection authority before disclosing personal data to any non-EU governmental or regulatory authorities or private litigants outside the EU. The FTC highlights the conflicts as well as perils such provisions will create for U.S. companies with a presence in the EU, especially if an investigation relates to anti-competitive activities, financial or consumer fraud. The FTC suggests that the draft Regulation incentivises “offshoring” evidence, resulting in untimely delays and potentially damaging the interests of consumers, including in the EU.

The FTC’s Informal Note, along with other voices loudly debating the draft Regulation, advocates a more balanced and proportional approach to privacy and data protection.

Whether this US intervention will contribute to a delay in the EC publishing the draft Regulation, or whether, as recently restated by Ms. Reding’s office, publication will still take place on Data Protection Day on 28 January, we don’t have long to find out.

[1] COPPA Rule Review Request for Comment, Fed. Reg. Vol. 76, No. 187, Sept 27 2011 at 5905, available at: http://www.ftc.gov/os/2011/09/110915coppa.pdf.

UK Government Proposes Merger of Competition Authorities

This post was written by Edward S. Miller, Marjorie C. Holmes, Richard J. Waite, and Susan Riitala.

The UK Government recently announced proposals to merge the UK’s two main competition bodies, the Office of Fair Trading (OFT) and the Competition Commission, to create a single competition regulator. Currently the OFT, as well as being responsible for conducting antitrust and cartel investigations, also conducts initial merger reviews and market studies. The Competition Commission acts as a second-phase review body, conducting more in-depth reviews of those mergers or markets referred to it by the OFT (or, in some cases, concurrent regulators) that appear to give rise to more significant competition issues.

The move comes as part of the UK Coalition Government's plans to simplify the work of public bodies, with the creation of a single competition authority intended to streamline procedures and create a stronger enforcement authority. The new body would be responsible for all merger reviews, market investigations, and cartel and antitrust cases. A public consultation on the options for creating the new competition and markets authority is planned for 2011.

Some commentators have raised concerns that the merger would damage the objectivity and independence from political pressures offered by the current system. However, without having the detail of how the new body would operate, the risk of increased political interference in practice would seem relatively low and it is likely that measures could be put in place to protect objectivity in the two-stage review process, which it appears will be retained. Such issues will undoubtedly be addressed in next year’s public consultation process.

On the whole, the announcement is positive and should be welcomed. Frustrations with the existing system include that the Competition Commission begins investigations from scratch once the OFT has already been working on the same case. The proposal should not only cut down the overall timetable of investigations, but should also reduce the time spent by companies providing information to the different authorities when under scrutiny. In a statement issued by the OFT, Chief Executive John Fingleton confirmed that the OFT had advocated the merger for some time and highlighted its potential benefits, pointing to the ability to deliver “better, faster results for consumers and the economy, and greater consistency for businesses”.

Connecticut's Muscular New Vision for Government Oversight of Data Security Breach Notifications

This post was written by Diane Bettino and Paul Bond.

Nearly every state in the U.S. has a statute requiring notifications upon discovery of a data security breach. Most of these laws do not mandate notification to any state authority. Those few state laws that compel governmental notice are usually satisfied with contemporaneous notice, or notice after the fact.

That all may change, at least for entities licensed or directly regulated by state agencies. The State of Connecticut’s Department of Insurance has issued a bulletin, Bulletin IC-25.

Bulletin IC-25 envisions a much more active government role whenever a company licensed or regulated by the Department has an “information security incident”. This Bulletin applies to a variety of regulated entities, from insurers to appraisers, from bail bond agents to pharmacy benefit managers to medical discount plans.

The Bulletin requires that the business send notice of an “information security incident” no later than five calendar days after the incident is identified. As businesses who have suffered from data security breaches know, it will often take more than five calendar days to know even the basics about a potential incident.

This lightning-quick notification to the Department should include as much as possible about 15 categories of information, including the results of internal reviews and copies of the business’s privacy policies and data breach policies. If regulated companies did not have adequate incentive to have such policies in place before, they surely do now.

“The Department will want to review, in draft form, any communications proposed to be made” regarding the breach. Additionally, “depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time” (emphasis added). Businesses used to drafting their own communications and selecting their own remedies to offer will now be negotiating those points post-breach with a government agency.

In addition, the Department will set up a “monitoring process,” unique to each incident, to keep abreast of “activities associated with any information security incident”.

It remains to be seen whether other state regulatory agencies adopt a similar approach. However, for those who fall under the ambit of this Bulletin, it represents a sea change in the allocation of authority between government and business in the period between breach and notification.