Ready for Cookie Sweep Day?

Cookie Sweep Day is coming!

The French data protection authority CNIL will conduct a “cookie sweep” this coming September 15 to verify compliance with its recommendations on cookies and tracers used to collect and store personal user information on websites. These audits will be both on-site and remote inspections, meaning that as a website owner, your premises could be subject to a visit by the authorities for non-compliance.

The CNIL will feed the data crumbs it gathers into a program of website audits it will conduct in October.

The cookie sweep is not limited to France – all other EU national data protection authorities will be conducting their own sweeps as well across the Member States, to inspect and monitor cookie compliance with the ePrivacy Directive.

Should you be concerned?

To be clear, under the regulations, only certain cookies require a user’s prior consent – in general, cookies set by third party advertising networks. In a word, if you’re monetizing your site with third party ads, you must ask users for their consent to those cookies (if you’re not already asking for prior consent for these, you should really do it, er, now).

If you’re not already aware of how it works, a user can consent by clicking a banner explaining that the site uses cookies for tracking/advertising purposes or more simply, if the user continues through deeper links within the site and the banner remains persistent.

Users must be able to withdraw consent at any time, and cookies and consents must be reset at a minimum every 13 months. The CNIL holds sites and third party advertising networks jointly liable for compliance.
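The consent mechanics just described (no advertising cookies before the user opts in, withdrawal at any time, a fresh consent at least every 13 months) boil down to a small piece of page logic. The following is an added example, not code from the original post or from the CNIL: a consent gate that loads third-party advertising tags only after an explicit click on the banner, lets the user withdraw, and treats a stored consent older than 13 months as absent so the banner is shown again. The cookie name `ad_consent`, the `loadAdScripts` callback and the 390-day lifetime (a conservative figure inside the 13-month ceiling) are assumptions; the cookie store is injectable so the same logic runs in Node with an in-memory store and in a browser with `document.cookie`.

```javascript
// Added example (not code from the original post or from the CNIL): a consent
// gate for third-party advertising cookies. Ad/tracking scripts are loaded only
// after an explicit opt-in, consent can be withdrawn at any time, and a stored
// consent older than the 13-month ceiling is treated as absent so the user is
// asked again. The cookie store is injectable so the same logic runs in Node
// (in-memory store) and in a browser (document.cookie store).

const CONSENT_COOKIE = "ad_consent";   // hypothetical cookie name
const CONSENT_MAX_AGE_DAYS = 390;      // assumption: conservative, inside 13 months
const DAY_MS = 24 * 60 * 60 * 1000;

// Minimal in-memory store with the same interface as the browser store below.
function memoryStore() {
  const jar = new Map();
  return {
    get: (name) => jar.get(name),
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
  };
}

// Browser store: first-party cookie, Secure + SameSite=Lax, Max-Age in seconds.
function browserCookieStore() {
  return {
    get(name) {
      const hit = document.cookie.split("; ").find((c) => c.startsWith(name + "="));
      return hit ? decodeURIComponent(hit.slice(name.length + 1)) : undefined;
    },
    set(name, value, maxAgeSeconds) {
      document.cookie = `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
    },
    remove(name) {
      document.cookie = `${name}=; Max-Age=0; Path=/; Secure; SameSite=Lax`;
    },
  };
}

// store: cookie store; loadAdScripts: callback that injects the third-party tags
// (hypothetical); now: clock, injectable for testing, defaults to Date.now.
function createConsentManager({ store, loadAdScripts, now = () => Date.now() }) {
  function readRecord() {
    const raw = store.get(CONSENT_COOKIE);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }   // corrupt cookie => no consent
    if (typeof rec.granted !== "boolean" || typeof rec.ts !== "number") return null;
    // Belt and braces: Max-Age should expire the cookie, but a stale record is ignored anyway.
    if (now() - rec.ts > CONSENT_MAX_AGE_DAYS * DAY_MS) { store.remove(CONSENT_COOKIE); return null; }
    return rec;
  }

  // "unknown": show the banner and load nothing; "granted"; "refused".
  function status() {
    const rec = readRecord();
    return rec === null ? "unknown" : rec.granted ? "granted" : "refused";
  }

  function record(granted) {
    store.set(CONSENT_COOKIE, JSON.stringify({ granted, ts: now() }), CONSENT_MAX_AGE_DAYS * 86400);
  }

  // Called on page load: ad scripts run only if a valid, unexpired opt-in exists.
  function init() {
    const s = status();
    if (s === "granted") loadAdScripts();
    return s;
  }

  return {
    status,
    init,
    grant() { record(true); loadAdScripts(); },   // banner "accept" click
    refuse() { record(false); },                  // banner "refuse" click; site stays usable
    withdraw() { store.remove(CONSENT_COOKIE); }, // opt-out link: back to "unknown", ask again
  };
}
```

In a page you would call `createConsentManager({ store: browserCookieStore(), loadAdScripts })` and run `init()` before any third-party tag is injected; the banner's buttons call `grant()` or `refuse()`, and the opt-out link in the cookie notice calls `withdraw()`. The example deliberately records consent only on an explicit click rather than on continued browsing, and a refusal never blocks the site, which matches the point that acceptance of advertising cookies cannot be a condition of use.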

What’s the risk?

If you’re running a business through ads or tracking via your site, the financial risk is moderate, depending on your size. This past January the CNIL fined Google €150,000 for having cookies set while the banner was loading instead of after consent was given. Clever folks, Google. Anyway, the risk is there.

Nota bene…

Functional cookies and web analytics cookies do not require prior consent but users must have clear and user-friendly information regarding these cookies, including information on how to opt-out.

Another important note is that sites cannot deny users access if they choose to block advertising cookies and cannot make acceptance of advertising cookies a condition of using the service.  Where a business model depends on making content or services freely available in exchange for targeted advertising via cookies, the regulations are…highly disruptive.

The CNIL has also put up an app (“CookieViz”) for users to verify cookies on their Mac, Windows or Linux device.

French whistleblowers get new legal protections

Palais de Justice, Nice

As of 1 February, the new French whistleblower protection law is in effect. Its provisions protect French employees of private companies from sanction or dismissal “for having reported or testified in good faith, facts constituting an offense or a crime of which he was aware in the exercise of its functions”.

A similar provision took effect to protect civil servants in France’s considerable public sector from retaliation after reporting illegal activities.

Under both laws a whistleblower who took part in any alleged offenses is granted immunity from prosecution so long as the whistleblower’s actions only amounted to an attempted offense or if the whistleblowing action prevented the crime from actually occurring. Where the whistleblower has actively taken part in some of the criminal actions but acts in time to stop the commission of the final criminal act, any sentence decided by a court will be halved.

Why is this a landmark for France when whistleblower status has existed for decades in other countries and in the US since 1778?

Firstly, compliance with international accounting, money laundering, anti-terror laws and banking regulations — and cross-border enforcement of them — means that New York or London listed companies located in France had to find a legal way to implement a whistleblowing policy for French employees, this in spite of the lack of a local legal regime and the protestations of the CNIL, the national data privacy authority.

Secondly, it should be understood that France has a culture in which reporting of “private affairs” to authorities is highly taboo. The chastening World War II experience (laws requiring citizen cooperation and informing to fascist Vichy and Occupation forces) meant that any institution of a new legal frame for anonymous reporting to the authorities carried a heavy burden of proving its usefulness versus possible abuse.

Thirdly, this was also an excellent opportunity for the Ecologists, part of the governing coalition, to extend whistleblowing protection to environmental law violations – perhaps the most satisfying result of the change for ordinary citizens.

Unlike the US whistleblowing provisions, the new French law does not provide for pecuniary rewards for whistleblowers, and the immunity from prosecution provisions only apply to natural persons. It also allows associations to join criminal proceedings as civil parties – another advantage for environmentalists that has not existed in the past.

In any case, it is a step forward for revealing corrupt practices and protecting honest citizens.

Not so Safe Harbor: EU-US data protection cooperation on the rocks.

After the Snowden revelations, the European Union is finally getting its data privacy act together and it looks like a brutal fight is ahead, possibly leaving global corporations’ reliance on the longstanding safe harbor provisions, standard clauses and consents listing somewhere mid-Atlantic.

Here’s the EU Commission VP & Commissioner for Justice, Fundamental Rights and Citizenship Reding on Safe Harbor at the Vilnius Informal Justice Council 19 July 2013:

The Safe Harbor agreement may not be so safe after all. It could be a loophole for data transfers because it allows data transfers from EU to US companies – although US data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbor Agreement which we will present before the end of the year.

The Safe Harbor agreement enables data to be transferred from the EU to the US. The Safe Harbor framework was developed by the US Department of Commerce, in consultation with the Commission, industry and non-governmental organisations to provide US organizations with a streamlined means of satisfying the Directive’s “adequate protection” requirement.

The Commission is working on an assessment which it will present before the end of the year. We can only hope that the US realizes what a hole it’s dug for its tech companies before then. Quick and decisive action is needed but nothing is coming from either the Obama Administration or the US Congress.

Next step for Samsung after losing v. Apple? Take it to D.C.

Samsung has a very low legal barrier to overcome to challenge the Apple victory in the District Court of Northern California: it needs to show “substantial evidence” that the decision was incorrect. Substantial evidence is evidence that a reasonable person could accept as adequate to support the appellant’s conclusion. This is lower than the civil standard for a verdict and is famously defined as “more than a scintilla but less than preponderance.” Basically, if you’ve got some evidence that you think the court didn’t give adequate hearing to, you’re in.

On August 1st Samsung’s lawyers Quinn Emanuel released to the media further supporting evidence which the District Court judge had refused, thereby cementing a case for appeal on substantial evidence while making an arguably effective appeal for public sympathy as an underdog versus colossus Apple. Not bad for a huge Korean conglomerate with the world’s 2nd largest patent portfolio.

What do I think of the ruling? (the jury verdict is here)

For one, I’m not a fan of competition through litigation and moreover, a lot of questionable “soft” patents (design, software functionalities, business processes) were granted over the past 10-15 years—at least before Dave Kappos took the helm at USPTO and repaired a dysfunctional and understaffed agency.

That said, I think that both Apple and Samsung have a case to make. Samsung has patents (notably the ‘460 patent) that look like they may have been infringed and that the jury simply decided to ignore. Moreover, they checked “Y” next to every Samsung smartphone variant on the list submitted to them.

I find it hard to believe that the jury could have tested each of the phones versus an iPhone. For example, if you look at the functionality of the Nexus S 4G, it is completely different from an iPhone. No central home button, widgetized homescreens, an app list that has to be called up specifically to be accessed and a notification bar that Apple arguably copped for iOS 5. However, the Galaxy S, with its Samsung TouchWiz layer on the Android and the central home button is arguably very similar to iPhones 1-3.

So what do I think Samsung will do? I think it needs to immediately appeal to the Court of Appeals for the Federal Circuit in Washington. Nothing against Judge Koh or the 9th District, but I don’t think that Samsung ultimately got a fair hearing or a fair verdict with this particular court and jury (which apparently included some people familiar with engineering and design). The case should be retried by a court with stronger expertise in patent cases.

Updated: Apple v. Samsung jury foreman and others speak out on how they reached the ruling. The pitiful level of analysis is breathtaking. Great reporting from FoxNews.

Updated 2: Keith Sawyer’s Innovation & Creativity blog has a great post expanding on some of the points raised here.

Is Google Analytics Illegal?

Today the Norwegian data privacy authority declared that it considers the use of the Google Analytics tool by the national tax administration and the educational loan fund illegal.

Their argument is relatively clear. The public agencies apparently accepted Google’s standard terms of service, which allow it to use the IP addresses of tax and education fund users to provide other services. Moreover, if the user is logged into a Google service at the time, Google will also be able to identify the user.

While Norway is not an EU Member, it is a member of the European Free Trade Area and its data protection legislation closely tracks the EU’s, which makes this finding somewhat disconcerting. In fact, since IP addresses collected by the agencies are sent to Google for processing, Google becomes an undeclared “data processor”, in clear violation of the law.

I can understand how this might happen since Google makes it simple (and tempting) to adopt Analytics to follow traffic on your site and people in the agencies’ IT departments therefore had a free alternative to going through a public procurement process to acquire a similar service that would properly treat the personal data.

Bottom line, there’s no free software out there. Second bottom line, hire a lawyer to train your IT department in the basics of data protection law.

What you don’t know about EU DATA PRIVACY law and why you need to know it today.

Outside a select group of specialists in IT law (and the even more limited and select group of data privacy law specialists), few company advisors or corporate legal departments truly understand how to be in perfect compliance with European Union data privacy regulations.

Yet nearly every company doing business in the EU has to comply.

If you’re reading this, you have probably been frustrated by the complexity of the requirements, provisions such as Safe Harbor, Model Contractual Clauses, whether to appoint a Data Privacy Officer, etc.

Some of that is about to change. Basic compliance could soon be achieved by simply amending your company’s internal policy documents.

How? By adopting Binding Corporate Rules, aka “BCRs”.

BCRs are internal policies that any company controlling data can adopt and apply to its entire group, wherever it is doing business, and be compliant with EU Data Privacy regulations, once and for all.

Until now, BCRs were only an option for ‘controllers’ – but the European Commission’s Article 29 Working Party has adopted a document (WP195) on BCRs for data ‘processors’ (the vast majority of companies are processors, not controllers; if you have to ask, you’re most likely a processor).

Why do you need to know this today?

Because the rules the Working Party published are essentially the same as those already in effect for data controllers – meaning that you can start drafting your BCRs today and ready them for submission. As soon as we are clear that the currently non-binding document is acceptable to EU Member State data authorities, you’re good to go.

Given the pressure from the private sector to simplify data privacy compliance, I think that we’ll soon have a win-win here.

If you need more information or would like help working on your data privacy issues, click the feedback button (on the left).

Collateral bribery damages: NYC now 3rd fund to file suit v. Wal-Mart.

In another of what will likely be many such lawsuits by pension funds, the New York City Pension Funds filed a shareholder derivative action against Wal-Mart over the bribery and corruption scandal involving Wal-Mart’s Mexican subsidiary, Wal-Mex. This follows the California State Teachers’ Retirement System’s similar filing in late May.

The New York City complaint similarly alleges that Wal-Mart’s officers and directors breached their fiduciary duty to the company and its shareholders by failing to properly handle credible claims of the bribery allegations and attempting to cover up details of the scandal, reducing the value of the company by their actions.

For anyone not familiar with a derivative suit, the principle is that the shareholders of a corporation seek damages from directors to reimburse losses to the corporation for which the directors can be held personally responsible, as an exception to the “business judgment rule”.

A key aspect of evidence for plaintiffs in a derivative suit is finding a direct causal link between the directors’ actions (or inaction) and the eventual loss sustained by the corporation. In this case, it’s relatively simple to show that 1) Wal-Mart’s stock price took a big hit on the bribery news and 2) Wal-mart’s goodwill and market position has (again) been damaged. Now, the plaintiffs have to show the link.

A related suit, based on securities fraud, was filed by the City of Pontiac General Employees Retirement System in Tennessee. According to Reuters, a total of 11 derivative suits have been filed against Wal-Mart since the New York Times story ran.

It is imperative for board members and executives to realize that when they are made aware of corruption allegations they must follow the advice of counsel and comply fully with internal audit procedures. In this case, it is up to Wal-Mart to show they did. If not, there will be not only the DOJ and SEC to deal with, but many angry pension fund managers and likely other shareholders brought together as a class by the many American law firms specializing in such matters. This story will continue until Wal-Mart manages to come to terms with what actually happened in Mexico (and elsewhere, depending on findings).

Donald Trump on bribery scandals: US “crazy” to enforce FCPA.

On CNBC’s Squawk Box, tycoon, occasional presidential candidate, Reality TV star and bottled water purveyor Donald Trump was asked about Wal-Mart’s allegedly widespread bribery in Mexico. Having obviously thought through the arguments for and against FCPA reform, he provided the following insights:

If you want to operate in Mexico, you have to pay bribes.

This is how business is done.

This country is absolutely crazy. Every other country goes into these places and they do what they have to do. It’s a horrible law and it should be changed. We are like the policeman for the world. It’s ridiculous.

The world is laughing at us.

Let’s parse this.

1. Operating in Mexico requires paying bribes.

According to Transparency International, Mexico scores 3/10 on the bribery index (10/10 meaning little or no bribery). Empirically, Trump is 70% right. Unless a company has chosen to adhere to OECD conventions and applicable anti-corruption laws, it would likely do more business in Mexico by greasing the right hands.

2. This is how business is done. Every other country goes into “these places” (countries with high levels of corruption) and does business according to local mores, in violation of the FCPA.

Here is a list of the 10 largest FCPA fines and settlements 1977-2012:

  1. Siemens (Germany) $800 million
  2. KBR/Halliburton (US) $579 million
  3. BAE (UK) $400 million
  4. Snamprogetti (Netherlands/Italy) $365 million
  5. Technip (France) $338 million
  6. JGC Corporation (Japan) $218.8 million
  7. Daimler (Germany) $185 million
  8. Alcatel-Lucent (France) $137 million
  9. Magyar Telekom (Hungary) $95 million
  10. Panalpina (Switzerland) $81.80 million

If FCPA prosecutions are an accurate statistical measure of the willingness of foreign businesses to participate in corruption, Trump is mostly correct. Only one US company makes the list. Moreover, with nine foreign corporations on the list, it does appear that the US is the “policeman for the world” (see DOJ site for the complete list).

3. The US is crazy.

That’s probably a matter of opinion. Watching CNBC for a few days straight might make one conclude that yes, it is crazy.

4. The world laughing at the US [for enforcing the FCPA].

Foreign companies might find the US’s anti-corruption stance risible (until they find themselves caught up in it). For example, Siemens had no compunction about including bribery in its budgets, despite the fact that they were directly subject to the law.

Criminal penalties, disgorgements, fines and consent orders levied against FCPA violators are tragicomically invisible to the vast majority of the world’s population, which suffers through the indignity of having to live and do business within highly corrupt economies. Monies collected by the US government or the SEC never make it back to these individuals.

His personal life, histrionics and buffoonery aside, Trump is a strategic thinker. Perhaps his frank talk isn’t surprising given that apart from a dust-up with the SEC over financial reporting about 10 years ago (settled out of court), he has not had any notable legal troubles over a long career in real estate and the gaming industry.

In my opinion, Trump runs a tight ship, otherwise there would be more blips on the map; his views on how to do business in China, India, Mexico or other ethically-challenged countries likely have nothing to do with how deals are finally done by the Trump Organization. But he would certainly appreciate being able to compete on a level field with foreign businesses for whom bribery is simply another accounting line item.

As an aside, perhaps Trump is engaged in a bit of spin in light of his competitor and onetime enemy Steve Wynn’s unlikely use of the statute internally to oust business partner Kazuo Okada?

69 Questions: EU quizzes the G on its new privacy policy.

France’s data privacy authority CNIL (acting under EU mandate) sent Google the following questionnaire in order to clarify a number of concerns on the policy’s implementation, Google’s due diligence vis-a-vis its users and compliance of the policy with EU regulations.

The EU’s Article 29 Working Party (grouping Member State data protection authorities) stated that it further needs to clarify the consequences of the policy for users; specifically different levels of users, such as whether or not they have a Google Account, are non-authenticated, or simply passive users of Google’s services through Google APIs via other websites and/or applications (advertising, analytics, etc.).

Many of the questions seem to point in the direction of Competition Law concerns. It’s hard to imagine that the EU would be posing the same questions about Yahoo!’s privacy policy (which to my eyes, looks compliant).

The CNIL asked Google to provide written responses by April 5. Under EU law, responses are confidential unless Google consents to their release.

NGO on FCPA reform: fines should compensate victims.

The SERAP (Socio-Economic Rights and Accountability Project) has added its voice to the calls for FCPA reform.

In a press release, the Nigerian NGO proposes that the US DOJ and SEC allocate a percentage of the funds from fines exacted on corporations to aid the actual victims of corrupt government officials and agencies.

SERAP argues that since the FCPA and other anti-corruption laws do not provide for civil actions (apart from under the Alien Torts Act), and moreover since there is little possibility of recovering damages in the country where the corruption occurred, the US government should share civil penalty and disgorgement proceeds with the victims.

Last week the DOJ replied to the US Chamber of Commerce’s reasonable pleas to “restore balance” and provide clarity on the law (their letter is here) by agreeing to discussions. The DOJ owes a similar response to SERAP. While the NGO lacks the backing of the hundreds of large corporations represented by the USCC, its argument is one that needs to be taken seriously.

SERAP provides some guidance on how civil penalty and disgorgement proceeds should be distributed in a systematic and fair manner to NGOs, and the US Congress should invite them to testify in hearings on FCPA reform. That’s unlikely though, since we probably won’t see any substantial progress on the issue until after the US presidential elections this November.

Updated: The FCPA Professor blog examines this issue in further depth.

Photo: Rory Mullholland