Data Protection Masterclass: Anti-Corruption Compliance and European Data Protection London 12 November 2013 MOFO SEMINAR SERIES


  • Data Protection Masterclass: Anti-Corruption Compliance and European Data Protection

    London 12 November 2013

    MOFO SEMINAR SERIES

  • © 2013 Morrison & Foerster (UK) LLP | mofo.com

    Data Protection Masterclass: Anti-Corruption Compliance and European Data Protection

    Table of Contents

    Presentation ....................................................................... 1

    Speaker Biographies ......................................................... 2

    About Morrison & Foerster ............................................... 3

    Selected Articles and Alerts ............................................. 4

      - What to Do When the Privacy Regulator Comes Knocking on Your Door? – 16 September 2013
      - UK Bribery Act Comes to Life? – 15 August 2013
      - Brazil’s New Clean Companies Act Continues Global Fight Against Corruption – 6 August 2013
      - Preventing Corruption While Protecting Personal Information – 4 August 2013
      - Recent FCPA Enforcement Actions Show Increased Security on Financial Services Sector – 20 June 2013
      - New FCPA Decision: The Battle Continues on the FCPA’s Jurisdictional Reach – 25 February 2013
      - New FCPA Decision: How Long is the FCPA’s Reach? – 14 February 2013
      - Aligning corporate ethics compliance programs with data protection – 6 January 2013
      - The Serious Fraud Office releases updated guidance on key aspects of the UK Bribery Act 2010 and self-reporting – 11 October 2012

    MoFo Seminar.

  • Tab 1

    Presentation

    Data Protection Masterclass: Anti-Corruption Compliance and European Data Protection

    11/12/2013

    ©2013 Morrison & Foerster LLP | All Rights Reserved | mofo.com

    Data Protection Masterclass: Anti-Corruption Compliance and European Data Protection

    November 12, 2013

    Presented by Keily Blair, Karin Retzer and Ruti Smithline

    This is MoFo. 2

    Overview

    • An introduction to:
      - Anti-Corruption Requirements under the UK Bribery Act and the U.S. Foreign Corrupt Practices Act (FCPA)
      - Data Protection Rules

    • Key Data Protection Hurdles in Anti-Corruption Compliance in the context of:
      - Compliance Programs
      - Third-Party Due Diligence
      - Investigations & Data Collection
      - Whistleblowing
      - Disclosure to external parties (government, regulators and third parties)

    Introduction to the Bribery Act and the FCPA

    The Bribery Act: Offences

    • General Bribery Offences

    • Section 1 “Active” bribery

    • Section 2 “Passive” bribery

    • Section 6 Bribing a foreign public official

    • Section 7 Commercial organisation failing to prevent active bribery by employees, agents or subsidiaries

    • Affirmative defence of “adequate procedures” to prevent bribery

    When Does the Bribery Act Apply?

    • Applies to individuals, private organisations and public officials

    • Applies if any act or omission takes place in the UK

    • If no act or omission occurs in the UK, then such conduct is treated as taking place in the UK if that person has a close connection with the UK

    • An offence of failure to prevent bribery (s.7) takes place irrespective of whether the conduct occurred in the UK or elsewhere

    • Applies to “A relevant commercial organisation” if it carries on part of a business in the UK

    Adequate Procedures Defence: Ministry of Justice Guidance (1)

    • Proportionate Procedures: The procedures adopted by an organisation to prevent bribery by persons associated with that organisation are proportionate to the bribery risks it faces and the nature of its business

    • Top-level Commitment: Top-level management establishing a culture across the organisation in which bribery is unacceptable

    • Risk Assessment: Assessing and keeping up to date with the bribery risks faced in your sector and market

    Adequate Procedures Defence: Ministry of Justice Guidance (2)

    • Due Diligence: Knowing whom you do business with, knowing why, when and to whom you are releasing funds, seeking reciprocal anti-bribery agreements and being confident of transparency

    • Communication: Going beyond “paper compliance” to embed anti-bribery provisions into internal controls, recruitment, remuneration policies, etc., and training on the same

    • Monitoring & Review: Ensuring that audit and financial controls are sensitive to bribery and are transparent and regularly reviewed

    FCPA Basics

    Three Primary Provisions:

    • Anti-bribery provision

    • Accounting requirements

    • Internal control requirements

    FCPA Anti-Bribery Provision

    Prohibits:

    • corruptly paying or offering to pay

    • anything of value

    • to a foreign official

    • directly or indirectly

    • to assist in obtaining or retaining business

    FCPA: Foreign Official

    • Government employee/party official
      - Rank or position irrelevant
      - Not just a Senator or Minister
      - Employee of state-owned enterprise (“SOE”)

    • Even if it is not a government agency or SOE, consider:
      - UK Bribery Act
      - Commercial bribery laws
      - Company policy

    FCPA vs. Bribery Act

                                           | UK Bribery Act                       | FCPA
    Prohibited bribes                      | Foreign officials and private actors | Foreign officials
    Prohibited conduct                     | Giving a bribe and accepting a bribe | Giving a bribe
    Offence for failure to prevent bribery | Yes                                  | No
    Exempt payments                        | No*                                  | Bona fide and reasonable expenditures for hospitality expenses
                                           | No                                   | Small payments to expedite routine government action

    *Ministry of Justice’s Guidance recognises that some entertainment—so long as it is reasonable and not lavish—will not be prosecuted. In respect of facilitation payments, the proposed changes are merely proposals at this stage and have been subject to considerable criticism. It is not certain that those changes will be implemented.

    To Whom Does the FCPA Apply?

    • U.S. person, U.S. company

    • “Issuers” under the Securities Exchange Act

    • Individuals and corporations
      - if they authorize or assist someone else
      - if they conspire to violate the FCPA
      - if they commit part of violation in the U.S.

    Why Anti-Corruption Compliance Matters

    • Huge fines
    • Costly investigation
    • Jail
    • Reputational damage
    • International cooperation
    • Local laws
    • Corporate policies
    • Regulatory oversight

    Basic Data Protection Rules and Principles

    European Data Protection Framework

    • Data Protection Directive 1995/46/EC provides general rules for processing personal data
      - Implementing laws differ across the EU/EEA member states
      - Covers organisations established in the EU/EEA and non-EU/EEA organisations if they use equipment in the EEA for collection and processing of personal data

    • Draft General Data Protection Regulation
      - Intended to replace the Directive and harmonise laws across the EEA
      - New obligations for organisations and tighter enforcement; higher monetary penalties
      - Covers organisations and service providers established in the EEA as well as non-EEA organisations if they offer products or services to or monitor individuals in the EU/EEA
      - Pending adoption

    Key Terms

    • Personal data
      - Any information relating to an identified or identifiable individual
      - Expectation of privacy extends to the workplace

    • Sensitive data
      - Health information, sex life, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership
      - Also criminal records in many jurisdictions
      - Processing of sensitive information is usually prohibited, unless opt-in consent is obtained from the individuals or narrow exceptions apply

    • Processing
      - Any operation involving personal data such as collection, use, modification, storage, access, disclosure, transfer, deletion, etc.

    When Can You Process Personal Data?

    • General U.S. principle
      - Personal data may be collected and used as long as organisations do not violate a law or cause harm; focus is on misuse

    • General EU/EEA principle
      - Personal data may be collected and used only where there is an applicable “legal basis”:
        - Where the individual’s consent is obtained
        - To fulfill a contractual duty with an employee or customer (e.g., to deliver a product or service)
        - For statutory local legal obligations (e.g., tax, social security)
        - Where organization meets balance of interest test
        - To protect an individual’s vital interest (e.g., to protect life or health)

    When Can You Transfer Personal Data?

    • Restrictions on data transfers
      - “Transfer” means any sharing of or accessing personal data
      - Data protection laws limit the transfer of personal data to third parties (including affiliates)
      - Sharing of data requires legal basis
      - Transfers to non-EU/EEA countries are prohibited unless the country is deemed adequate or narrow exceptions apply

    • Cross-border transfer mechanisms
      - Use of Standard Contractual Clauses
      - U.S. Safe Harbor Framework
      - Binding Corporate Rules (BCRs)
      - Legal Claim
      - Consent

    Individual Rights

    • All individuals must receive notice informing them about
      - Types of personal data collected
      - Purposes of the collection
      - Any disclosures or recipients
      - Access and correction rights
      - Other information relevant to the circumstances

    • All secondary uses/disclosures require additional notice and legal basis

    • All individuals may request access to their personal data and must have the opportunity to correct information that is incorrect or incomplete

    Other Requirements

    • Data retention. Personal data must not be retained for longer than is necessary
      - Personal data cannot be retained indefinitely for possible future foreign litigation

    • Security. Appropriate security standards must be in place

    • Agreements with service providers. Whenever personal data are shared with service providers, appropriate contracts should be in place
      - Forensic firms, translation services, vetting companies, copying services, etc.

    • Registration/Authorization. In certain countries, the local entity must register its processing of personal data with the data protection authority (DPA)

    Key Data Protection Hurdles in Anti-Corruption Compliance

    Compliance

    Data Protection & Compliance Programs

    • The importance of compliance programs
      - Under the Bribery Act, companies have an affirmative defence to an allegation that they failed to prevent bribery if they can demonstrate they had “adequate procedures” in place to prevent bribery
      - U.S. regulators consider the adequacy of a company’s compliance program when making charging decisions
        - Impacts manner of resolution
        - Affects penalty amount
        - Influences whether monitor will be imposed

    Data Protection & Compliance Programs (cont’d.)

    • There is no one-size-fits-all program

    • Programs should be tailored and include
      - A code of conduct
      - Oversight and resources
      - Third-party due diligence
      - Procedures for detecting and investigating potential violations
      - Whistleblowing hotlines, employee monitoring, etc.

    • All effective compliance programmes require the creation, collection and monitoring of data

    Third-Party Due Diligence

    “The fact that a bribe is paid by a third party does not eliminate the potential for criminal or civil liability.”

    – A Resource Guide to the U.S. Foreign Corrupt Practices Act

    Third-Party Due Diligence

    • Third parties and intermediaries: Agent, Partner, JV, Consultant, Reseller, Distributor

    • Liability for third-party payments

    • No actual knowledge required

    • Know your third parties: due diligence

    Third-Party Due Diligence: Mitigating Risk

    (Diagram of the third-party risk mitigation cycle; steps shown: Identify/Assess Relationship, Risk Assessment, Due Diligence, Written Contract, Communication and Training, Verify, Monitor)

    Third-Party Due Diligence: Data Protection

    • Due diligence often requires the collection of personal data from principals and other key personnel
      - Individuals’ financial accounts, history of bribery or related activities, debarments, inclusion on a public watch list and business or personal relationships with government officials, etc.
      - Sensitive data, including political affiliation, criminal and judicial data

    • Many countries with data protection laws exclude or seriously limit the collection of sensitive data

    • Tension between implementing one centralized and uniform system and data protection limitations

    Third-Party Due Diligence: Privacy Compliance

    • Provide notice about data collection

    • Have a strategy for dealing with consent

    • Limit data collection to individuals in relevant positions

    • Formulate due diligence questions to comply with local limitations, e.g., on sensitive data collection
      - Aim to solicit answers that are proportionate to the purpose of the due diligence
      - Carefully phrase questions
      - Avoid obtaining criminal and judicial data where feasible

    • Limit access to due diligence results on a need-to-know basis and avoid further disclosure of personal data

    Investigations: Common Triggers

    • Whistleblower
    • Auditor Inquiry
    • Internal Inquiry
    • Civil Litigation
    • Government Investigation
    • Media Report

    Investigations: The Benefits

    • Regulators and law enforcement will consider whether the company’s response was comprehensive and rigorous
      - In the U.S., the SEC’s and DOJ’s charging guidelines specifically reference weighing the company’s response when considering leniency and charging decisions

    • Investigations protect the company’s reputation and limit the business’s exposure

    • Company must adhere to its own internal codes of conduct and compliance policies
      - Investigating wrongdoing is the lynchpin of remediation

    • Officer and Director obligations/certifications
      - E.g., duty of care, Sarbanes-Oxley

    Investigations: Electronic Data Collection

    • Often extremely costly with significant risks if not conducted properly

    • Consult with IT and electronic experts
      - Importance of using forensically sound practices
      - Must understand IT infrastructure and where data resides

    • Similar practices to collecting hard copy documents
      - Suspend electronic data destruction policies and preserve back-up tapes
      - Custodian interview/questionnaire
      - Preservation log

    • Large-scale document collections almost always go awry
      - Take steps to minimize extent and cost of missteps

    • Consider data protection limitations for collection, processing and review

    Internal Investigations: Data Protection Requirements

    • Approaches vary across the EEA

    • WP29 Working Document 55/2002 on the surveillance of electronic communications in the workplace can be applied

    • WP29 permits monitoring, provided
      - it is necessary and proportionate for the intended purposes
      - the least intrusive methods are used
      - all online communications in the workplace are subject to confidentiality protections
      - sensitive data are not collected
      - prior notice is provided

    Internal Investigations: Ensuring Privacy Compliance

    • Implement a comprehensive employee monitoring program:
      - Consider local laws that may limit or regulate employee monitoring
      - Inform employees not to expect (full) privacy, even if accounts are password-protected
      - Identify what types of conduct are prohibited
      - Inform employees that the network is provided for work purposes and that monitoring will occur
      - Conduct regular training and refresher courses on appropriate email and Internet usage in the workplace
      - Obtain acknowledgment that an employee has received, understands and will follow the requirements
      - Consult with and get necessary approval from employee representatives (works councils)

    Whistleblowing

    • Employees are a company’s best source of information about the organization itself

    • Hotlines provide safe and secure form of communication

    • Having hotline is considered compliance “best practice”

    • Hallmarks of effective hotline
      - Available 24/7
      - Available in relevant languages
      - Escalation and follow-up
      - Anonymity*

    Whistleblowing Hotlines

    • Sarbanes-Oxley Act (SOX)
      - Requires Issuers to establish anonymous reporting procedures
      - Provides that a U.S. parent can be held liable for its foreign affiliates’ violations

    • Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act)
      - Creates incentives and financial rewards
      - Strengthens internal controls and implements internal reporting channels

    • Policies should be in place for whistleblowing under both SOX and Dodd-Frank Act

    • While not required by FCPA or Bribery Act, whistleblowing policies have become standard for compliance programs

    Whistleblowing Hotlines: Data Protection Requirements

    • WP29 Opinion 1/2006 on internal whistleblowing systems
      - Hotlines are permitted if they are established to comply with (local) legal requirements or where required under “foreign” legal obligations that fulfill a “legitimate purpose”

    • Member State Guidance
      - Austria, Denmark, Finland, France, Germany, Greece, Norway, Portugal, Sweden and Spain

    • Specific laws
      - Hungary and the United Kingdom

    Whistleblowing Hotlines: Ensuring Privacy Compliance

    • Limit scope

    • Provide hotline as a voluntary alternative to other reporting mechanisms

    • Allow but do not advertise anonymous reporting

    • Be transparent
      - Provide up-front notice
      - Send notice prior to report (landing page, telephone script)
      - Give notice after report has been filed

    • Provide access rights
      - Delays are permitted if necessary for investigation

    Whistleblowing Hotlines: Ensuring Privacy Compliance (cont’d.)

    • Establish and train dedicated team
    • Conclude data processing agreements with vendor
    • Address cross-border transfer restrictions
    • Consult with works councils where required
    • Implement data retention and disposal policies
    • Ensure appropriate security standards
    • File local registrations and obtain necessary authorisations

    Regulators & Authorities

    “[F]ederal prosecutors consider a company’s cooperation in determining how to resolve a corporate criminal case. Specifically, prosecutors consider . . . the company’s willingness to provide relevant information and evidence.”

    – A Resource Guide to the U.S. Foreign Corrupt Practices Act

    Jurisdictional Reach over Foreign Entities

    • Entities conducting investigation in foreign jurisdictions may face limitations on their ability to reach evidence

    • These limitations are not absolute

    • Coordination of regulators and law enforcement
      - Growing trend for regulators and law enforcement in different countries to work together to obtain and share information

    • Essential to comply with data protection and privacy laws when investigation or data crosses borders

    Disclosure Request

    • Conflicting demands exist between information requests and EEA data protection requirements
      - U.S. courts may overrule or disregard EEA data protection laws or mechanisms designed to limit cross-border discovery
      - U.S. courts and regulators can impose sanctions for failure to comply with information requests
      - EEA provides sanctions for violation of data protection laws

    • No harmonised rules in the EEA
      - Conflicting proposals for draft General Data Protection Regulation
      - Blocking statutes (in France and Switzerland)

    Disclosure Requirements (cont’d.)

    • Production only permitted where there is legal basis:
      - Legal obligation is only sufficient for compliance with local laws
      - Obligations imposed under foreign statutes are not sufficient to collect personal data

    • Consent is “neither sufficient nor recommended”
      - Must be freely given, specific and informed and may be withdrawn at any time
      - Not always feasible to procure (e.g., from clients, suppliers, agents, etc.)
      - Employee consent is typically challenged as it is usually not freely given

    • Transfer only permitted where there is an adequacy mechanism: Safe Harbor, Model Clauses, BCRs

    Guidance from WP29 on Discovery in Civil Matters

    • Recognizes legitimate interest in complying with U.S. litigation requirements
      - Data must be “proportionate” (i.e., only for specific and imminent proceedings and not at random for an unlimited time in anticipation of litigation)
      - Balance of interest test to bridge EEA privacy regime and U.S. discovery rules

    • “Single” transfers outside the EEA permitted for establishment, exercise and defence of legal claim unless a “significant” amount of data is involved
      - Keyword searches to limit data collection and transfer as opposed to wholesale data transfers

    • Other alternatives: Safe Harbor, Model Clauses, BCRs

    • Does not cover criminal and regulatory investigations

    Cooperation Across Borders

    • Formal and informal cooperation among regulators and law enforcement is increasing
      - International conventions
      - MLATs
      - MOUs between regulators

    • Seek counsel from local attorneys who are familiar with practices, procedures and custom in foreign jurisdiction

    Disclosure Requests: Ensuring Privacy Compliance

    • Raise issues in advance and communicate with the other party, court or regulator as soon as practicable

    • Educate U.S. judges and regulators on EEA data protection laws and blocking statutes

    • Negotiate terms on who may access data, purposes for which data may be used and security standards

    • Work through issues creatively and show a willingness to cooperate
      - Consider redacting or anonymizing data
      - Consider screening data within the EEA
      - Use protective orders
      - Cooperate with EEA authorities
      - Apply appropriate security standards

    Disclosure Requests: Ensuring Privacy Compliance (cont’d.)

    • Ensure compliance with general data protection requirements
      - Transfer mechanism
      - Notice
        - Balancing transparency and non-disclosure obligations or detection of criminal activities
      - Access and correction rights
      - Security
      - Processing agreement
      - Registration/Authorization

    Reading Materials

    • EU Data Protection Directive 1995/46/EC
      http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF

    • Commission’s Proposal for Regulation
      http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

    • Article 29 Working Party Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime
      http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp117_en.pdf

    • Article 29 Working Party Working Document 1/2009 on pre-trial discovery for cross-border civil litigation
      http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp158_en.pdf

    • Article 29 Working Party Working Document 55/2002 on the surveillance of electronic communications in the workplace
      http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp55_en.pdf

    • A Resource Guide to the U.S. Foreign Corrupt Practices Act (Nov. 2012)
      http://www.justice.gov/criminal/fraud/fcpa/guide.pdf

    Reading Materials (cont’d.)

    • Karin Retzer and Michael Miller – Mind the Gap: U.S. Discovery Demands versus EU Data Protection
      http://www.mofo.com/files/Uploads/Images/110601-US-Discovery-Demands-versus-EU-Data-Protection.pdf

    • Karin Retzer and Joanna Lopatowska – How to Monitor Workplace Email and Internet in Europe: The Polish Perspective
      http://www.mofo.com/files/Uploads/Images/110718-Privacy-and-Security-Law-Report.pdf

    • Karin Retzer, Daniel Westman and Miriam Wugmeister – Between a Rock and a Hard Place: Whistleblowing Procedures under Sarbanes-Oxley and European Union Data Protection Laws
      http://www.mofo.com/Between-a-Rock-and-a-Hard-Place-Whistleblowing-Procedures-under-Sarbanes-Oxley-and-European-Union-Data-Protection-Laws-04-05-2006/

    Questions?

    Keily Blair – [email protected]

    Karin Retzer – [email protected]

    Ruti Smithline – 1.212.336.4086 – [email protected]

    Forthcoming DP Webinar

    Date for your diaries:

    • 21st January 2014 – Social Media

  • Tab 2

    Speaker Biographies

    Data Protection Masterclass: Anti-Corruption Compliance and European Data Protection

  • Karin Retzer

    Attorney Bio

    Karin Retzer | Partner | Brussels | 32 2 340 7364 | [email protected]

    Karin Retzer’s practice focuses on the legal aspects of data protection and security, direct marketing, and electronic commerce.

    Ms. Retzer assists clients with privacy and data security compliance and risk management, involving both national and international multi-jurisdictional dimensions. She advises on questions regarding data transfers, the handling of information in shared service centers and sourcing transactions, e-discovery, breach notification, and the use of email and the Internet in the workplace. She has drafted privacy policies and guidelines, notices, agreements for data list management, and data transfer and processing contracts for dozens of multinational clients. She also assists clients in their dealings with data protection authorities, developing appropriate responses to requests for information and complaints, and provides legislative and policy advice to clients. Additionally, Ms. Retzer assists clients with privacy audits and data protection complaints and litigation.

    Ms. Retzer has particular expertise regarding the implications of legislative restrictions for online tracking, analytics, personalization of Internet content, behavioral advertising, and direct marketing communications. She regularly advises clients on the use of location data gathered through smart phones and location-based services.

    In addition, Ms. Retzer advises clients on issues relating to electronic commerce, such as online terms of use, the requirements for online contracts, disclosure obligations, liability for website content, and the legal aspects of online auction sites. She has developed template agreements and negotiated complex commercial agreements for many clients, counseling them not only with respect to legal ramifications, but also taking into account applicable business and technical considerations. Ms. Retzer is listed as a key individual in The International Who’s Who of Information Technology Lawyers 2013.

    Her work spans a wide range of industry sectors. Clients include internationally renowned consumer product companies, financial services organizations, technology and telecommunications providers as well as clients in the advertising, hospitality, media and entertainment, healthcare, pharmaceutical, and retail industries.

    Prior to joining Morrison & Foerster, Ms. Retzer worked in Paris at the European headquarters of Sterling Commerce, a U.S. supplier of e-commerce products. From 1997 to 1998, Ms. Retzer worked at the European Commission, where she was involved mainly with examining and monitoring Member States' implementation of European Community directives.

    Ms. Retzer regularly writes for a wide variety of publications. She is a member of the IAPP Publications Advisory Board and a contributing author in the publication, Employee Privacy: Guide to US and International Law. She is a member of the Munich bar and the Brussels EU bar, after studies in Regensburg (Germany), Utrecht (The Netherlands), and Munich (Germany). Ms. Retzer is fluent in German, English, and French and has a working knowledge of Dutch. She is a member of the International Association of Privacy Professionals, the German Association for Data Protection and Data Security, the Licensing Executives Society, and the Association for Industrial Property and Copyright Law.

  • Ruti Smithline

    Attorney Bio

    Ruti Smithline | Partner | New York | (212) 336-4086 | [email protected]

    Ruti Smithline is a partner in the Securities Litigation, Enforcement, and White-Collar Criminal Defense Group. Her practice focuses on complex litigation, with an emphasis on white-collar criminal defense, SEC enforcement, securities litigation, and corporate internal investigations.

    Ms. Smithline is a member of the firm’s FCPA + Anti-Corruption Task Force. She regularly advises clients on cross-border investigations, global anti-corruption compliance programs and anti-corruption due diligence for acquisitions, joint ventures, and private equity transactions. Ms. Smithline has represented individual and corporate defendants in criminal investigations, SEC enforcement matters, and other regulatory proceedings, including matters related to trade sanctions and anti-money laundering. She has experience conducting corporate internal investigations both domestically and internationally, often advising clients on remedial measures responsive to the issues investigated.

    Ms. Smithline was born and raised in Colombia and is fluent in Spanish. She has conducted investigations, seminars and anti-corruption training in Spanish in Central and South America.

    Ms. Smithline has been selected to the 2013 New York Metro Rising Stars list by Super Lawyers based on peer recognition and professional achievement.

    Ms. Smithline received her J.D. from The George Washington University School of Law, where she graduated with honors and as a member of the Order of the Coif. She received her B.A. degree, cum laude, from Cornell University. She serves on the Public Service Committee of the Federal Bar Council, and the Inter-American Affairs Committee for the New York City Bar Association. She is admitted to practice law in New York and New Jersey.

  • Keily Blair

    Attorney Bio

    Keily Blair | Associate | London | 44 20 7920 4020 | [email protected]

    Keily Blair is an associate in Morrison & Foerster’s London office and a member of the Litigation Group. She advises on a wide range of disputes including securities litigation, banking disputes, civil fraud matters and cross-border insolvencies and has significant experience in disputes involving complex financial products and structures across a number of jurisdictions including Switzerland and the Cayman Islands. She has a particular interest in fraud matters which involve offshore trusts and is an associate member of ACTAPS.

Ms. Blair also acts for organizations and individuals in connection with regulatory compliance and corruption investigations including white-collar defense work. As part of this practice she advises clients in connection with investigations and enforcement actions by domestic and international regulators and agencies, including the UK’s Financial Conduct Authority. Ms. Blair also advises clients in relation to appearances before Parliamentary Select Committees. In addition, she regularly provides advice and training in relation to issues arising under the UK Bribery Act.

After obtaining a B.A. (Hons) in Law & Politics in 2003 from Oxford Brookes University, Ms. Blair completed the Legal Practice Course at BPP London. Prior to joining Morrison & Foerster, Ms. Blair was a litigation associate at Allen & Overy LLP.

    Ms. Blair is admitted to practice in England & Wales and serves as the acting co-chair of MoWomen London. She is also a member of the European Criminal Bar Association.

  • Tab 3

    About Morrison & Foerster

    Data Protection Masterclass: Anti-Corruption Compliance and European Data Protection

Firm Overview

    Founded in 1883, Morrison & Foerster is now a preeminent global law firm dedicated to delivering business-oriented results to clients around the world. Dynamic technology and life science companies, large financial institutions, leading consumer product companies, and other market leaders come to MoFo for legal knowledge, innovation, and business aptitude. With over 1,000 lawyers spread across 17 offices in the world’s key financial and technology centers, MoFo handles some of the world’s largest cross-border transactions and resolves major disputes across multiple jurisdictions. The firm’s open culture provides every client with access to cross-disciplinary experts across the firm’s offices.

    Our attorneys share high standards and a commitment to excellence. Our dedication to serving client needs has resulted in enduring relationships and a record of high achievement. We are a leader in each of our practice areas, including litigation, financial services, intellectual property and technology, tax, and transactional work, such as corporate, M&A/private equity, capital markets, and real estate finance.

    Our achievements have not gone unnoticed. Chambers Global has named Morrison & Foerster its 2013 USA Law Firm of the Year. Law360 selected seven MoFo practices as Practice Groups of the Year – more than any other firm. And we have been named to the coveted American Lawyer A-List for ten straight years. Of all the Am Law 100 firms on the list with $1 billion or more in revenue, we have the highest combined score in diversity and pro bono. We believe that this demonstrates that MoFo has succeeded financially not despite our cultural values, but because of them.

    A MoFo lawyer is something special – a creative and innovative lawyer focused on real-world business results. MoFo lawyers do not dispassionately dispense legal advice. We are in the trenches instead, tirelessly advocating for our clients. It’s where we prefer to be.

    2013 USA Law Firm of the Year

    Among Top 10 firms nationwide based on number of first-tier national rankings

    Honored with seven Practice Group of the Year Awards – more than any other firm

    Appellate Bankruptcy Employment Intellectual Property Mergers & Acquisitions Privacy & Consumer Protection Project Finance


    MoFo’s International Platform

    Over the past three decades, MoFo has developed a world-class international practice – leaving us well-positioned to serve clients across the rapidly expanding global economy. Our international service platform features expertise in M&A, securities, finance and trade, and dispute resolution and includes complex global tax structuring, counsel on foreign workforces, the navigation of regulatory bottlenecks in multiple jurisdictions, and antitrust, environmental, and litigation risk analyses throughout the world.

    We enjoy unrivaled reach around the Pacific Rim with nearly 200 lawyers in Asia teamed with more than 500 lawyers in California.

    We are the largest U.S. law firm in Japan, with more than 120 attorneys in Tokyo, including nearly 50 bengoshi admitted to practice in Japan. With our partners, Ito & Mitomi, we are widely recognized as having Japan’s leading corporate practice.

    Our nearly 30-year presence in China has produced a strong platform of more than 70 multilingual U.S.-, PRC-, and/or Hong Kong-qualified professionals.

    Our newest office in Berlin provides substantial resources to clients in Germany, across Europe, and throughout the world, and has a particular focus on the TMT sector.

    With an established presence in the UK for more than 30 years, we have over 50 lawyers qualified in the UK offering expertise across all major disciplines.

    Through our Brussels office we assist clients that have European Union antitrust and competition issues, including clearance of cross-border mergers and acquisitions, as well as privacy and trans-border data protection matters that affect global companies.

  • FCPA Backgrounder | 1

    FCPA + Anti-Corruption

    FCPA Backgrounder: What You Need to Know About the Foreign Corrupt Practices Act (“FCPA”)

What is the FCPA?

The FCPA prohibits paying – or promising to pay – anything of value to a foreign government official where the purpose is to obtain or retain business.

    The FCPA also requires publicly traded companies to keep accurate books and records and implement appropriate internal controls.

Why is the FCPA Important to You?

The FCPA applies to all U.S. nationals (companies or individuals) and any foreign company listed on a U.S. exchange or that submits reports to the SEC as a result of capital raising activities (including trading American Depositary Receipts).

    Companies can be held responsible for FCPA violations by agents and joint venture partners.

    Increasing number and size of FCPA cases: In 2002, there were zero criminal prosecutions. In 2004, there were only 2. By 2012, there were more than 10, with an estimated 150 open U.S. Department of Justice (“DOJ”) investigations.

    Growing trend to aggressively enforce the FCPA both by DOJ and U.S. Securities and Exchange Commission (“SEC”), with an increasing number of tag-along civil litigations.

    o Enforcement priority with increasing dedicated resources.

    o Steep financial penalties (e.g., Siemens was fined $800 million in U.S.; KBR/Halliburton was fined $579 million; and BAE was fined $400 million).

    o Four letter word: J-A-I-L (increased enforcement against individuals).

    o Essentially strict liability for parent company for FCPA books and records violations of its wholly-owned subsidiaries.

    o Relevant to all industries: not just oil or pharmaceutical. Additional target industries include: technology, financial services, telecom.

    o Relevant to many geographies: China, Russia, Latin America, and many other countries/regions where emerging economies are deemed “high risk.”

    FCPA TASK FORCE

Paul T. Friedman, San Francisco, (415) 268-7444, [email protected]
Timothy Blakely, Hong Kong, 852-2585-0870, [email protected]
Randall J. Fons, Denver, (303) 592-2257, [email protected]
Adam S. Hoffinger, Washington, D.C., (202) 887-6924, [email protected]
James E. Hough, Tokyo, 81-3-3214-6522, [email protected]
Daniel P. Levison, Tokyo, 81-3-3214-6522, [email protected]
Carl H. Loewenson, Jr., New York, (212) 468-8128, [email protected]
Kevin Roberts, London, 020-7920-4160, [email protected]
Robert A. Salerno, Washington, D.C., (202) 887-6930, [email protected]
Ruti Smithline, New York, (212) 336-4086, [email protected]
Sherry Xiaowei Yin, Beijing, 86-10-5909-3566, [email protected]


    o Collateral consequences, including debarment from government contracts and reputational harm.

o Growing global patchwork of anti-corruption laws and multi-national cooperation (e.g., OECD Convention, UK Bribery Act 2010, 8th Amendments to the PRC Criminal Law).

How Can Morrison & Foerster Help?

Our domestic and international offices advise on and investigate FCPA matters. Offices in key financial and technology centers around the world provide us with global reach and geographic diversity.

    We have a deep bench, and work seamlessly across our offices. Our Securities Litigation, Enforcement, and White Collar Defense practice group includes more than 125 attorneys in our 16 offices worldwide, with more than 20 former federal and state criminal prosecutors, former SEC enforcement attorneys, as well as in-house accounting experts.

    Been there, done that: We have performed dozens of corruption-related investigations -- large and small -- in China, Japan, Korea, Thailand, Indonesia, other Asian countries, Europe and Latin America.

    We have vast experience in scores of FCPA matters for major companies and individuals, across a wide range of FCPA issues:

    o Diligence: conducted due diligence reviews for potential M&A transactions (both buy and sell side), prospective agents, distributors, consultants and joint venture partners, and in other contexts, in Asia-Pacific, Europe, Middle East, South America, and North America.

    o Counseling: advised on anti-corruption compliance policies and procedures, including real-time counseling to legal and compliance departments when problematic facts emerge.

    o Compliance Programs/Training: designed, reviewed, and provided anti-corruption compliance training (in numerous languages including English, Japanese, Mandarin and Spanish).

    o Investigations: conducted scores of cross-border internal investigations on behalf of companies and boards of directors; represented companies and individuals in investigations by DOJ and SEC.

    o Remediation: when anti-corruption problems are detected, we help companies fix those problems.

    We are well-equipped to represent companies and individuals in parallel criminal, SEC and civil proceedings, as well as with related government contracts issues.


    Largest investigation practice among international firms in Asia, including more than 30 litigators in Japan and more than 20 Chinese-trained lawyers in Beijing, Shanghai, and Hong Kong offices. Dozens of our litigators in Asia specialize in the skills and techniques necessary to effectively conduct internal investigations.

    Strong presence in the UK.

    Follow the money: we have an in-house Forensic Accounting Services Group which specializes in cases involving the securities laws and provides assistance with internal investigations.

    Our Privacy + Data Security Group assists in cross-border investigations.

Expertise Based on Handling Scores of FCPA Matters

Represented many global companies in internal investigations, government investigations, compliance reviews and training programs. Our experience crosses an array of sectors that include aerospace, biotechnology, defense, information technology, telecommunications, healthcare, consumer products and services, and transportation.

    Where necessary, we can field a team in multiple countries simultaneously.

    Following is a representative sample of our work:

    o Conducting a cross-border internal investigation into potential violations of anti-corruption laws at several European affiliates of one of the largest companies in Asia.

    o Represented the Audit Committee of an international fertilizer company in its internal investigation resulting from a whistleblower complaint alleging violations of the FCPA in the Middle East. After we completed the investigation and reported the results to the SEC, it declined to conduct an investigation of its own and closed the file.

    o Conducting an anti-corruption compliance review in Mexico for a leading international energy corporation, as well as numerous additional anti-corruption matters in Mexico and Latin America.

    o Conducting an internal investigation into potential violations of anti-corruption laws at Chinese and Korean subsidiaries of a leading international high-technology equipment manufacturer, as well as potential revenue recognition and financial reporting issues.

    o Representing a senior executive of a global retailer in connection with an investigation by the DOJ, SEC and other agencies into possible violations of the FCPA in Mexico, Brazil and other countries.


    o Conducting anti-corruption compliance review for a global company regarding its operations in India.

o Represented a Fortune 50 multinational company in an internal investigation of whistleblower allegations of violations of the FCPA and self-dealing in China and other Asian countries, with interviews and forensic activities in seven countries.

    o Represented senior executives of multinational corporations in investigations by the DOJ and the SEC into allegations of illegal payments to government officials in Nigeria, Angola, Kazakhstan, and Thailand.

    o Conducted an internal investigation of possible FCPA violations involving a telecom company in Venezuela.

UK Bribery Act 2010

As of July 2011, companies doing business in the UK are subject to this new law globally.

    It is broader than the FCPA in important respects. We advise companies on exposure to and compliance with this new law.

    Contact Kevin Roberts in the firm’s London office for more information at [email protected] or 020-7920-4160.

  • Privacy + Data Security | 1

    Practice Group Description

    Privacy + Data Security

    Morrison & Foerster has a world-class privacy and information security practice with more than 60 lawyers from across our global offices actively counseling, litigating cases, and representing clients before regulators around the world on privacy and security of information issues.

    Our practical approach to privacy and data security challenges is what truly distinguishes our practice. We believe that it is our job to find innovative and realistic solutions for clients that balance legal compliance with the commercial realities of running their businesses.

We have been recognized by Chambers and Legal 500 as one of the best domestic and global practices in this area. We were winners of Chambers USA’s award for excellence in the field of Privacy and Data Security 2008 and were named Privacy & Consumer Protection Practice Group of the Year by Law360. Chambers Global ranks the practice Tier 1 in its “Data Protection: Global” category. Clients have commented that our group comprises: “incredibly thoughtful, smart and responsive lawyers, who work seamlessly across different continents,” Chambers Global; and is “the best at giving practical advice by applying the law to the situation at issue,” Legal 500 US.

    Our approach has made us the privacy counsel of choice for some of the world’s largest and best-known corporations, as well as a host of smaller organizations. Our skills are particularly valued by companies that operate in highly regulated sectors (such as financial services, healthcare, and pharmaceuticals), those with an online presence, those operating internationally and companies facing regulatory scrutiny or litigation. Our clients face multiple layers of regulation and appreciate the timely, knowledgeable, and realistic advice our attorneys are trained to provide.

    We take a big picture view of how organizations handle information during its life cycle and help our clients find practical solutions to seemingly complex problems. From big data to cybersecurity to online behavior advertising, our lawyers work on cutting-edge issues that cover every aspect of privacy and data security.

We Advise On:

o U.S. and international privacy compliance

o Privacy litigation

o Regulatory investigations and inquiries

o Cross-border data transfers

o Cybersecurity and information security

    PRACTICE GROUP CHAIR

Miriam H. Wugmeister, 1290 Avenue of the Americas, New York, NY 10104-0050, (212) 506-7213, [email protected]

    “Incredibly thoughtful, smart and responsive lawyers, who work seamlessly across different continents.”

    – Chambers Global


o Data breach notification globally

o Healthcare privacy

o Privacy and data security issues in commercial transactions

o Online privacy and behavioral advertising

o Employee/HR privacy, including employee monitoring

o Cloud Computing deals

o Data protection and privacy policies, procedures, and training

o E-discovery and disclosure issues in internal investigations and litigation

    The changing nature of technology has been a driving factor in data protection regulation in recent years, including issues such as the increased emphasis on technological means to secure data, how we use social media, user-generated content, the adoption of Cloud Computing, and sophisticated advertising and marketing techniques, including behavioral targeting. Our privacy and data security lawyers are as comfortable with technological innovation as they are with complex and evolving regulation. Because of wide experience with technology, we are at ease speaking with the general counsel, the chief privacy officer or the chief information officer regarding technical and non-technical issues relating to privacy and data security.

    In addition to our transactional, regulatory and counseling practice, our lawyers are just as much at ease in the court room or with regulatory authorities in contentious situations. Our global team is able to help with virtually any privacy or data security issue anywhere in the world.

Resources

We offer important resources to support our clients in their privacy compliance and data security efforts.

Legal Resources: The privacy team writes extensively on privacy and data security matters, including Global Employee Privacy and Data Security Law, setting out the U.S. and international legal landscape related to workplace privacy and data security; Information Security and Privacy: A Guide to Federal and State Law and Compliance and Information Security and Privacy: A Guide to International Law and Compliance, which compose a 4,300-page, three-volume treatise that examines all aspects of privacy and security laws, published by Thomson-West; and The Law of Financial Privacy, covering the Fair Credit Reporting Act, Financial Privacy Act, Bank Secrecy Act, and Internal Revenue Code requirements, including discussions of state financial privacy laws, use of technology, and use and protection of confidential information. The team has also written Health Care Privacy and Security, West’s Corporate Counsel’s Primer on International Privacy and Security and Internet Marketing and Consumer Protection.

    “The work quality is exceptional, they are incredibly responsive, and they know about all the hottest issues in data privacy.”

    – Chambers Global


    Privacy Library: Our Privacy Library (www.mofoprivacy.com) is an online resource which provides links to privacy laws, regulations, reports, multilateral agreements, and government authorities of more than 90 countries around the world, including the United States. The Privacy Library is the most comprehensive collection of privacy laws and regulations ever assembled—the result of years of research and experience working with clients around the world.

    MoFoNotes: Morrison & Foerster provides content to Nymity (www.nymity.com) for its MoFoNotes product, a subscription-based database that helps organizations determine local compliance requirements in jurisdictions around the world, spot potential compliance issues, and simplify the development of global privacy approaches.

  • 1

    Practice Group Description

    Privacy + Data Security

EUROPEAN DATA PROTECTION

We help our clients navigate Europe’s complex patchwork of data protection laws at the EU and individual country level, providing advice on international data transfers and processing of personal data in the employment context and online. We bring years of experience to the complex jurisdictional issues encountered by multinational companies operating in Europe and work with our long-established network of privacy experts to provide in-depth, tailored advice. In particular, we provide advice on the implementation of EU laws in the individual EU Member States, and provide our clients with regular updates, analysis, and practical compliance solutions.

    Our privacy group consults and negotiates extensively with European data protection authorities, such as the French Commission Nationale de l’Informatique et des Libertés, the various German Länder Data Protection Commissioners and the UK Information Commissioner’s Office, as well as the European Commission. Our work handling both compliance and advocacy projects gives us an advantage. We are able to translate and clarify high-level policy guidance into concrete compliance actions and, at the same time, use our practical compliance experience to advise government policymakers on how to craft policy in ways that can be translated into sensible compliance actions.

    Recent Representative Engagements

    Consumer Products Company. We provided advice on global whistleblowing hotlines and codes of conduct, including registration obligations across the EU. We also drafted appropriate communications with employees, internal protocols and procedures, and crafted language to include in contracts with service providers.

    Several clients – Implementation of ePrivacy Directive. We have assisted a number of clients in comprehensively tracking and analyzing implementation of the EU ePrivacy Directive in all 30 EEA Member States. The ePrivacy Directive introduced new requirements for data security breach notification, spam and electronic marketing, and the use of cookies and online tracking technologies. We provided and continue to provide our clients with practical advice on how to deal with these legal changes cost effectively across the jurisdictions.

Multinational Pharmaceuticals Company. We advised our client on the choice, adoption, and implementation of Binding Corporate Rules as the global cross-border data handling strategy. We drafted the BCRs, inter-affiliate agreement, and provided comprehensive assistance and advice including preparing presentations to management, drafting communications, and establishing standard operating procedures and complaint handling procedures.

PARTNER

Karin Retzer, Boulevard Louis Schmidt 29, 1040 Brussels, Belgium, +32 2 340 7364, [email protected]

Clients value our “extensive network of attorneys around the world since privacy legal issues are becoming more global every day.”

- Legal 500 US

    Global Health Care Company. We advised on the adoption and implementation of a global framework agreement. We advised on the approach to consultations with works councils, drafted communications to management, human resources, sales, marketing and clinical research departments, conducted training for the procurement and legal functions globally, and prepared employee notice and consent forms. We also advised on and handled registration requirements in all EEA countries and relevant Latin-American countries, and handled all aspects of data transfer authorizations with regulatory authorities.

  • Tab 4

    Articles and Alerts

    Data Protection Masterclass: Anti-Corruption Compliance and European Data Protection

Reproduced with permission from Privacy & Security Law Report, 12 PVLR 1565, 09/16/2013. Copyright © 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

What to Do When the Privacy Regulator Comes Knocking on Your Door? A Short Guide to Handling Inspections and Data Protection Audits in Europe

    BY KARIN RETZER AND JOANNA LOPATOWSKA

Inspections and data protection audits from regulators are on the rise across Europe, and this trend is likely to continue. The latest figures for 2012 show that the French data protection authority (Commission Nationale de l’Informatique et des Libertés or CNIL) completed 458 inspections, a 19 percent increase from 2011.[1] The number of inspections has been steadily rising since 2004, when CNIL’s enforcement powers—and later on, its budget—were significantly increased. The Bavarian data protection authority conducted 13,404 off-site audits and 20 on-site inspections in 2012, compared to 50 off-site audits and 12 on-site inspections during the previous year.[2] Perhaps not surprisingly, the number of sanctions imposed has quadrupled over the last five years. The Polish Inspector General for the Protection of Personal Data (GIODO) conducted 199 inspections in 2011,[3] and the U.K.’s Information Commissioner’s Office (ICO) completed 58 audits in 2012/2013, and 42 audits in 2011/2012, compared to only 26 in the previous year.[4]

Companies need to be proactive and take steps to prepare for a data protection audit. Any regulatory inspection is a burdensome undertaking, and inspections carry the risk of noncompliance being exposed, sanctions, adverse media attention and damage to reputation. Sometimes noncompliance is only identified after an inspection has been carried out. Even for fully compliant organizations, inspections bring disruption to the conduct of normal business.

This article provides organizations with recommendations on how to handle privacy inspections when the local data protection authority (DPA) comes knocking, and how to establish best practices to prepare for such checks and audits. It focuses specifically on on-site inspections, and describes the various steps, from the decision to inspect an organization to the final statement drawn at the end of an inspection.

I. Why Is an Organization Audited?

Organizations are usually selected for privacy audits for one or more of the following reasons:

o The organization or industry is identified for inspection as part of the DPA’s routine (planned) compliance monitoring. This approach is often seen in France, Germany and Northern Europe,[5] where the DPAs annually publish a program indicating the sectors and data processing activities that are due for inspection in the coming year. For example, in the 2012 audit program, CNIL planned 450 inspections that focused on how telecommunications operators and application developers use personal data collected from smartphones, as well as the processing of online health data (11 PVLR 709, 4/23/12). Sweden’s Data Inspection Board announced in 2012 that it would monitor how local municipalities use tablet computers and e-readers to store and share official documents (11 PVLR 737, 4/30/12).

[1] CNIL, Commission Nationale de l’Informatique et des Libertés: Rapport d’activité 2012 (2013), available in French at http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL_RA2012_web.pdf (12 PVLR 793, 5/6/13).

[2] Bayerisches Landesamt für Datenschutzaufsicht (Bavarian data protection authority), Tätigkeitsbericht 2011/2012 (March 2013), available in German at http://www.lda.bayern.de/lda/datenschutzaufsicht/lda_daten/dsa_Taetigkeitsbericht20112012.pdf (12 PVLR 617, 4/8/13).

[3] GIODO, Sprawozdanie z Działalności Generalnego Inspektora Ochrony Danych Osobowych w roku 2011 (June 2012), available in Polish at http://www.giodo.gov.pl/data/filemanager_pl/sprawozdaniaroczne/2011.pdf.

[4] ICO, Annual Report and Financial Statements 2011/12 (July 2012), available at http://www.ico.gov.uk/about_us/performance/~/media/documents/library/Corporate/Research_and_reports/annual_report_2012.ashx (11 PVLR 1114, 7/9/12).

[5] The Nordic countries include Denmark, Finland, Iceland, Norway and Sweden.

Karin Retzer is a partner at Morrison & Foerster LLP, in Brussels, where her practice focuses on electronic commerce and data protection, technology licensing and intellectual property law.

Joanna Lopatowska is an associate in the Privacy and Data Security Group in Morrison & Foerster’s Brussels office.

COPYRIGHT © 2013 BY THE BUREAU OF NATIONAL AFFAIRS, INC. ISSN 1538-3423

Privacy and Security Law Report®

o An individual has filed a complaint with the DPA. In recent years, there has been an increase in complaints from individuals, which can be attributed to increased public awareness of privacy rights (in particular, the European Commission actively works on strategies to raise citizens’ awareness of privacy and data protection issues). For example, in Bavaria, one of the 16 German Länder or states, there were 719 complaints in 2012 alone,[6] and there are similar figures for other countries.[7] Usually, when a DPA receives a complaint from an individual, it first reviews it, alerts the organization, and then requests explanations and information. Following this phase, the DPA may decide to launch an on-site inspection.

o Another public authority has alerted the DPA to an organization’s suspected noncompliance (national authorities or those based in other countries, including public prosecutors, other DPAs or labor or consumer protection associations). Some DPAs have developed formal partnerships with other public authorities regarding privacy compliance cooperation. For example, based on an agreement signed in 2012, the Polish Labour Inspectorate must inform the GIODO about any privacy violations identified during a labor inspection. In France, based on a 2011 cooperation protocol, CNIL must be informed of privacy violations identified during inspections by the Directorate General for Competition, Consumption and the Prevention of Fraud.

o The inspection is voluntary, performed at the request of (or in agreement with) the organization. In the U.K., the ICO carries out consensual audits, i.e., with the full agreement of the organization in question. The ICO can also perform compulsory inspections at central government departments and, as of 2011, telecommunications and Internet service providers.[8] In the latter case, the ICO’s approach is to first seek agreement to a consensual audit. The audit will become mandatory if the service provider fails to agree to an audit “without adequate reasons.”[9]

o Adverse media attention involving the organization, for example, when a major data breach occurs that has been made public.

o The inspection follows up on a registration or request for approval. Some DPAs also initiate an investigation after receiving requests for registrations or authorizations that reveal noncompliance in specific areas.

o Adverse findings from a privacy inspection of the organization’s affiliate or at another (separate) organization in the same sector.

II. General Legal Framework and Jurisdiction

The enforcement powers of the DPAs are currently regulated in European Economic Area (EEA) member state laws implementing the EU Data Protection Directive (95/46/EC) (“Directive”).[10] These laws differ across the EEA, which consists of the 28 European Union member states and Iceland, Liechtenstein and Norway. Although this article will not discuss this in depth, we note that this diversity of law may change in a few years’ time. The proposal for a draft “General Data Protection Regulation” published by the European Commission in January 2012 (“draft Regulation”),[11] and currently under the review of the European Parliament, harmonizes and strengthens sanctions and rules on enforcement.[12]

The Directive sets out that each DPA is competent to exercise its powers on the territory of its own member state. However, each DPA may be requested to exercise its powers by a DPA from another member state. Furthermore, the DPAs must cooperate with one another to the extent necessary for the performance of their duties. For example, in 2012 the Estonian and Latvian DPAs published joint recommendations to an organization after they cooperated in inspecting the organization’s employee and customer data practices in the two countries.

[6] See Bavarian DPA, supra note 2.

[7] In 2011 there were 5,738 complaints in France and 114 complaints in Poland, and in the 2011–2012 period there were 12,985 complaints in the U.K. See CNIL, GIODO and ICO, supra notes 1, 3–4. There were 1,161 complaints in Ireland and 3,668 complaints in Italy. See Irish Data Protection Commissioner, Twenty-Third Annual Report of the Data Protection Commissioner 2011 (Apr. 2012), available at http://www.dataprotection.ie/documents/annualreports/AnnualReport2011.pdf; Garante per la Protezione dei Dati Personali (Italian DPA), Annual Report For 2011—Summary (Dec. 2012), available at http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/export/2148370.

[8] The ICO’s powers to conduct mandatory audits of providers of electronic communications services were introduced under the U.K. Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2011, which transposed the 2009 amendments to the European Union e-Privacy Directive (2009/136/EC).

[9] ICO, Audit: A Guide to ICO Privacy and Electronic Communications Regulations Audits 4 (Aug. 2012) [hereinafter ICO PECR Audits], available at http://www.ico.org.uk/~/media/documents/library/Privacy_and_electronic/Detailed_specialist_guides/guide_to_ico_pecr_audits.ashx.

[10] Directive 95/46/EC of Oct. 24, 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on Free Movement of Such Data, 1995 O.J. (L 281), 31, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML. The Directive is applicable to the EEA countries based on the Decision of the EEA Joint Committee No 83/1999 of 25 June 1999 Amending Protocol 37 and Annex XI (Telecommunication Services) to the EEA Agreement, 2000 O.J. (L 296), 41, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2000:296:0041:0043:EN:PDF.

[11] Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM(2012) 11 final (Jan. 25, 2012), available at http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf (11 PVLR 178, 1/30/12).

[12] For example, the draft Regulation provides for the ability to impose a fine for privacy violations of up to 2 percent of the organization’s global turnover. Id. at Article 79(6). Sanctions imposed in one country will be enforceable across the EEA, and organizations operating in multiple countries will be subject to the supervision of one DPA in the country where the company has its main establishment. Id. at Article 79(1), Recital 98.

9-16-13 COPYRIGHT © 2013 BY THE BUREAU OF NATIONAL AFFAIRS, INC. PVLR ISSN 1538-3423

Despite the cooperation efforts, however, the DPAs’ powers are still limited in territorial scope and do not extend beyond the territory of a member state.

Organizations that have executed Standard Contractual Clauses for transfers of personal data from controllers to processors outside the EEA,[13] or those that have adopted Binding Corporate Rules (BCRs), must also agree to submit their operations to a European DPA for inspection. The U.S.-EU Safe Harbor Framework mandates such cooperation for human resources data. However, even in such cases, the DPAs do not have sufficient resources to conduct on-site inspections of non-EEA parties. Therefore, even when there is a theoretical risk of an inspection under these transfer mechanisms, in practice, we see little to no foreign inspections. For example, in 2011, the Italian DPA, the Garante per la Protezione dei Dati Personali (“Garante”), decided that non-Italian call centers that collect information from Italian residents on behalf of Italian entities are subject to the same rules that apply to Italian call centers (10 PVLR 1160, 8/15/11). However, in practice these overseas call centers were not inspected by the DPA; the Garante officials said that the inspections should be carried out at the Italian company that contracted the offshore call center. Even if, in practice, the DPAs do not have jurisdiction to inspect the non-EEA organizations, they may—and do—inspect the EEA affiliates.

In light of increasing DPA powers, the rising number of inspections, and the risks of sanctions that may follow, organizations operating in the EEA are advised not only to prepare for a planned, notified inspection, but to establish best practices, policies and procedures on how to handle all inspections.

Below we provide guidance on what organizations can do when faced with an inspection, and we set out some best practices.

III. How to Prepare for and Handle an Inspection

Data protection audits are intended to evaluate whether an organization complies with local data protection laws and standards, including:

• registrations and authorizations;

• notice requirements;

• purpose limitations;

• transfer mechanisms for transfers outside the EEA;

• management of vendor relationships;

• adequate security measures and the establishment of privacy policies and procedures;

• access and correction policies;

• employee monitoring activities; and

• direct marketing.

Most local data protection laws only contain general provisions on the DPA’s inspection powers, but some DPAs—for example in Ireland, the U.K. and Poland—have published guidance on procedures, sample questions and template documents and reports.[14]

A. Before the Inspection Takes Place

An organization’s existing privacy measures and standards are key factors in handling the inspection itself. Organizations that are aware of inspection risks and are prepared for them will be able to undergo inspections with less disruption and better results.

Conduct an assessment. Knowing the status of your organization’s compliance with local laws and implementing any necessary changes are the first steps. Basic compliance involves: providing privacy notices to individuals whose personal data are collected and processed; completing database registrations; implementing written policies and procedures (e.g., on data security, data retention and access and correction); and where required, appointing data protection or data security officers. Most of these requirements take time, and cannot be implemented in a hurry right when the organization receives a notice of an inspection.

Therefore, it is prudent to regularly perform an analysis identifying and addressing any gaps in compliance as early as possible. In addition, it is useful to monitor the DPA’s enforcement trends, especially in similar industries.

The DPA inspectors often run a preliminary inspection of an organization without actually visiting the premises. For example:

• In Ireland, inspectors will first: review case studies in annual reports and previous audit reports, focusing on organizations operating within the same sector; check the organization’s existing registrations; review media articles and published reports; and check the organization’s website to see what personal data are being collected online.

• In the Netherlands (College bescherming persoonsgegevens or the CBP), the DPA will review any notices, privacy policies, registrations or other information that was made public by the company, and take into account in its ultimate findings the extent to which the company complies with these statements.

[13] Commission Decision of 5 Feb. 2010 on Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries Under Directive 95/46/EC of the European Parliament and of the Council, 2010 O.J. (L 39), 5, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF (9 PVLR 253, 2/15/10).

[14] See guidance on inspection and enforcement: Irish Office of the Data Protection Commissioner, Data Protection Audit Resource (Jan. 2009), available at http://www.dataprotection.ie/documents/enforcement/AuditResource.pdf; Irish Office of the Data Protection Commissioner, Offences and Penalties, http://www.dataprotection.ie/ViewDoc.asp?fn=/documents/legal/4e.htm&CatID=23&m=e (last visited Sept. 11, 2013); ICO, Information Commissioner’s Guidance About the Issue of Monetary Penalties Prepared and Issued Under Section 55C(1) of the Data Protection Act 1998 (Jan. 2012), available at http://www.ico.org.uk/for_organisations/guidance_index/~/media/documents/library/Data_Protection/Detailed_specialist_guides/ico_guidance_on_monetary_penalties.pdf (11 PVLR 248, 2/6/12); ICO, Auditing Data Protection: A Guide to ICO Data Protection Audits (Aug. 2013) [hereinafter ICO Auditing Data Protection], available at http://www.ico.org.uk/for_organisations/guidance_index/~/media/documents/library/Data_Protection/Detailed_specialist_guides/auditing_data_protection.pdf; GIODO, ABC zasad kontroli przetwarzania danych osobowych (Dec. 2011), available in Polish at http://www.giodo.gov.pl/plik/id_p/1053/j/pl/.

PRIVACY & SECURITY LAW REPORT ISSN 1538-3423 BNA 9-16-13

• In Bavaria in 2011, the DPA reviewed more than 2,000 websites via an online tool to ensure compliance with German tracking restrictions.

A good level of privacy compliance will help prepare organizations and employees for investigations. In particular, regular training and awareness on general privacy obligations and employees’ duties will minimize any compliance gaps.

Prepare a plan and organize training. Organizations may consider developing a plan that sets out how to react in an organized way to the DPA’s visit. The plan may determine who should be notified about the inspection, establish an internal inspection or audit team, provide guidelines on handling the DPA’s questions and requests for documents and set out procedures for actions during an inspection. It is helpful if the plan sets out the basic logistics, such as what offices and resources will be made available to the inspectors. Staff should be briefed on the role they may play during an inspection. For example:

• Employees should be trained on the role and powers of the DPA in order to know what to expect from them. The training may include topics such as: how to answer questions and provide documents, and the risks of obstructing the investigation, giving false or misleading information or making false statements.

• Receptionists and security guards should be briefed on how to greet inspectors and whom to inform about their arrival; they should contact the in-house counsel and privacy officer immediately—even if that means interrupting a meeting—and instruct inspectors to wait in a lobby or a conference room until a representative arrives.

Form an inspection team. Organizations may consider creating an inspection team that includes key individuals responsible for handling the inspection (e.g., the data protection officer, the head of legal, the head of information technology (IT) and the heads of main departments such as human resources (HR) and marketing). It may be helpful to draft rules of procedure, including the composition of the team, their duties and responsibilities and the procedures that must be followed. These may include receiving and accompanying the inspectors throughout their inspection, responding to their questions, coordinating with other employees, attending interviews and coordinating daily meetings.

Members of the team should be informed immediately about the DPA’s visit. Therefore, their phone numbers should be readily available to the front office in case the team members are out of the office when an unannounced inspection takes place.

Raise awareness among employees. An organization should ensure proper awareness amongst its staff about the likelihood of privacy inspections. Employees should be informed of such a possibility so that they know what to expect. When no inspections have occurred in the past, employees may not be familiar with the procedure, or may not be at ease when interviewed by the authorities. Therefore, prior notice helps to make them aware of the inspection process and its potential impact on the organization. Prepared employees are better able to respond to the DPA’s questions and to locate the requested documents.

B. During the Inspection

Notice of the inspection. While some DPAs provide advance notice, others provide little or no warning of their intention to conduct an inspection. The notification period may be greater if the inspection is routine, as opposed to complaint- or inquiry-driven. For example:

• In France, before 2011, on-site inspections could be conducted without prior warning and without the opportunity to object. As of 2011, CNIL must now inform the organization of its visit and of the right to object.[15] The notice is usually served several days in advance, or on the morning of, the inspection. If the organization objects, the visit may only take place upon authorization granted by a judge. The approval must be rendered within 48 hours.[16] If justified by the urgency or seriousness of the relevant facts or by a risk of destruction of evidence, the visit may take place without warning (but only upon prior judicial authorization) and cannot be opposed.

• In the U.K. and Ireland, the majority of inspections are scheduled and dates are agreed in advance, often with several weeks’ notice. Usually the organization will receive a letter providing a general outline of the inspection’s purpose and the requested documents. Before the inspection, the ICO requests documents such as: data protection policy documents; operational guidance or manuals for staff processing sensitive data; data protection training modules; risk registers; information asset registers or information on governance and other similar structures.

• In Germany and the Netherlands it has been the practice of the DPAs in recent years to first send out to the company a written questionnaire, which the organization has to answer truthfully and completely within a certain time period. The DPA may thereafter follow up with an on-site inspection to review the accuracy of the answers provided, and to further investigate the organization’s compliance with privacy law.

Authorization. Upon the inspectors’ arrival, the first action should be to verify their identity and their specific accreditation to conduct the inspection. The accreditation should specify the subject matter and purpose of the inspection, and the inspectors will usually produce an explanatory note. The representative of the organization should determine the scope of inspection, in particular whether there is any particular area of concern (customer service, HR, etc.), whether the inspection is the result of an infringement or planned with regard to a specific industry, what the nature of the infringement is and the planned duration of the inspection.

[15] Article 44 of the Law on Processing Data Files and Public Liberty was amended by Law No. 2011-334 of March 29, 2011 (10 PVLR 521, 4/4/11).

[16] In 2011, three organizations objected to CNIL’s on-site inspections. In each case, the judge authorized the CNIL inspection. CNIL, Rapport d’activité 2011 71 (July 2012), available in French at http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/Cnil-RA2011/index.html#/71/zoomed (11 PVLR 1148, 7/16/12).

Duration and timing of the inspection. The duration of the inspection can be a few days to several weeks, depending on its type, the size of the organization and the country.[17] Even routine inspections can take several weeks or more.

In general, the inspectors’ agenda will govern the visit. The inspectors will indicate what they would like to do and when. It is helpful to discuss the agenda with them in advance because it allows the organization to better manage the resources necessary to gather the information and to schedule employees for interviews. Planning ahead will also help to minimize disruption to business activities, and allow employees needed for interviews to reschedule other meetings.

Generally, inspectors will arrive at the organization’s premises during normal business hours. However, some laws allow inspections outside of business hours. In Poland, inspectors can enter the organization’s premises between 6 a.m. and 10 p.m. and in France between 6 a.m. and 9 p.m.

The logistics. Once the inspectors have arrived, they should be shown to a room where they can work, but they should not be left out of sight. The room should be able to accommodate the inspectors as well as a similarly sized organization team; it should also have a worktable for the documents under review, as well as a telephone, paper and pens, etc. In addition to the actual inspection room, adequate work areas for copying and stamping documents (e.g., date provided, confidentiality, etc.) should be provided.

It is also best to notify selected staff that the inspectors are on the premises, and that their assistance may be requested at short notice. It may also be useful to remind employees that they should not write any e-mails, memos or other documents about the inspection, unless asked to do so by their managers, the legal team or the inspection team.

Inspectors’ powers. The DPAs have broad authority to carry out inspections. Generally, most laws specify that the inspectors may access any place, premises, surroundings, equipment or buildings that are used to process personal data for professional purposes, and specify that they are allowed to: look at and request copies of the documents; interview staff; review and print out data that are stored electronically; perform inspection of any devices, data carriers or computer systems used for data processing; and demand written or oral explanations.

Document requests. Many laws specifically provide for the ability to request access to the organization’s documents. Requested documents might include a list of processing activities, the structure of the IT applications, a list of databases, screenshots from applications and software, extracts from data files, copies of internal policies (e.g., privacy policy, data retention, technology use policy, IT security