What to make of the EU reaction to Google’s new privacy policy?

Yesterday’s letter from the French National Commission on Information Technology and Freedoms (CNIL) points out some very specific problems in Google’s widely publicized new privacy policy, which comes into effect 1 March.

While the new policy is exemplary in its clear language, the issues the CNIL enumerates are not so arcane as to concern only specialists in data privacy law.

In sum, the CNIL wants Google’s privacy policy to explain 1) which Google services will collect and/or process personal data, 2) the specific personal data which will be collected and/or processed by each service and 3) how Google will inform the individual of her/his rights regarding access, correction, etc. for the personal data held by each service.

While all this sounds like formalities, complying with EU data privacy law is all about formalities. Google should know this better than anyone today, especially considering the level of expertise they have in data privacy matters.

As it is, Google has (for simplicity’s sake, one would surmise) used a negative definition of what it will not do with an individual’s personal data. From a philosophical point of view, this is a bit like the difference between Civil and Common Law conceptions of liberty. For Civilists, a right doesn’t exist unless it is enumerated. Civilists like things written down.

I think that we’ll likely see more PR pushback from Google in the next few weeks until their global data privacy counsel can talk his colleagues and clients into conceding that their new policy could use a few links to deeper explanations to be compliant with EU law. Google wants to be a good European, after all.

The Opinion 10/2004 on More Harmonised Information Provisions is basic but useful guidance on how to draft a compliant privacy policy statement. Well worth looking at.


The human factor: Dassault nEUROn drone blueprints stolen.

In an incident right out of a Bond film, Le Parisien newspaper reported Wednesday that documents related to Dassault Aviation’s nEUROn stealth drone were stolen at Paris’ Gare du Nord train station.

The theft was carried out using a common pickpocket distraction technique where one of the executives carrying the documents quit a ticket queue (and left his briefcase) to come to the aid of his travelling companion who was being harassed by a vocal young man. When he returned, his briefcase was obviously gone, probably on its way to a competitor.

Dassault Aviation PR says no sensitive documents were taken.

This scenario is ripe for addition to a training deck on document management and how to behave in public. It’s a shame for Dassault but I’m sure their compliance department is having fun debriefing all concerned.

Photo: Dassault Aviation.

Lasers to Iran: U.S. Export Regulations are serious business.

According to Just Anti-Corruption, U.S.-based PRC Laser has been fined $42,000 by the U.S. Commerce Department for shipping an industrial laser to Iran through a 3rd party based in Dubai. The laser itself sold for $39,000.

If the material had been more sensitive, the company could have been banned from exporting its products and perhaps excluded from making any sales to the U.S. government.

As has been noted on previous occasions on this site, a terrifically weak link in regulatory compliance is a third party distributor. If PRC Laser had ever visited Dubai, they would likely have noticed the huge amount of business that Iran does there and was likely doing with their “end customer”. Iran is in fact one of the UAE’s largest trading partners and Iranian-owned businesses dot the industrial zones around the city-states.

As an old law professor once put it to this writer, “before you make the deal, walk the land.”

Photo: PRC laser.

French Competition Authority will cut fines 10% for companies with compliance programs.

Further recognition that regulatory authorities across Europe take a well-built and well-delivered compliance program into consideration comes from France today, as the Competition Authority published notice that it would reduce fines for companies that put into place a competition law compliance program. They note and recommend that “an efficient program” include the following basic elements:

  • The existence of a clear, firm and public position of support adopted by the company’s management bodies;
  • The commitment to appoint one or more persons responsible for the program’s development and operation;
  • Developing information tools, awareness raising measures and staff training;
  • Setting up management, audit and whistle blowing mechanisms;
  • Establishing a system for reviewing reports of misconduct and taking relevant follow-up actions.

It’s edifying to witness the principle of reducing sanctions for companies with an effective compliance program spread out to other areas of corporations law. This is a very welcome development for compliance officers and legal departments who can leverage it to demonstrate the value of their programs.

Finally, it wouldn’t be surprising to see 1) every market leader (or near-leader) in the EU adopt a compliance program and 2) compliance programs being considered in sanctions in other aspects of corporate behavior, especially in the financial and energy sectors.


US DOJ brings in FBI to investigate News Corp bribes to Scotland Yard.

FOXNews Headquarters

When details emerged last July that employees of News International (the press arm of News Corp) had possibly bribed 5 Scotland Yard police officers, the FCPA red alert must surely have sounded in News Corp’s legal department. Since then, News has brought in a number of heavy hitters to cover them, including immediately hiring Mark Mendelsohn from Paul Weiss Rifkind (a former deputy chief of the Fraud Section in the DOJ’s Criminal Division, who helped devise the FCPA enforcement program) and the D.C. firm of Williams & Connolly, specialists in corporate compliance matters.

That the US DOJ has been working closely with UK investigators should come as no surprise to anyone following this matter, and last month’s arrest of five alleged bribery scheme participants on criminal charges likely gave the signal to make public FBI involvement in the investigation.

Legal coverage for a necessarily international internal compliance investigation and evidence gathering (as well as putting together multiple defenses) will obviously generate considerable business for all the firms involved.

Since News earned over $30 billion last year, it can probably afford the attorney fees and any fines it will incur. However, facing criminal charges is a different ballgame and News would be remiss to not leverage its populist news media outlets to portray the investigation as politically motivated. Serving time in prison is an incredible motivator.

If you are interested in delving into the details of the UK Leveson Inquiry and its rogues gallery of hackers, hacked and outright despicable characters, the Guardian (which broke the story) does it very well.

Photo: Jim Henderson

$16.8M fine for European device maker in FCPA settlement.





The US DOJ announced today that Smith & Nephew has admitted to and settled claims related to an offshore kickback scheme with a Greek distributor. Smith & Nephew also settled today with the US SEC, paying $5.4 million in disgorgement of profits, including interest.

This is one more in a line of FCPA cases where the weak link in a company’s compliance program turns out to be 3rd party distributors and pressure to bring in revenue.

A recurring motif in communications with resellers is a version of “all the other resellers are doing it, if I don’t, I can’t compete”. It seems to be a trap that is too easy to fall into for some executives.

The DOJ noted that it will seek to have the original charges dismissed if Smith & Nephew abides by the terms of its settlement agreement.

P.I.P. Implants: French Health Authorities aware in 1996.

According to French daily Libération, a report delivered this morning to the French Ministry of Labor and Health confirms that P.I.P. implants were tested by independent physicians in 1996 who reported that they found leakage issues.

Moreover, the report cites 41 reported P.I.P. implant malfunctions that year (note that these were saline implants since silicone was banned at the time in France). French inspectors sent to P.I.P. HQ in 1996 noted in their file that “further investigations by qualified physicians would be needed” but the case was then dropped. No explanation as to why.

For those who are not aware, in 2000, the F.D.A. sent a letter to P.I.P. refusing to permit the marketing and sales of its implants in the U.S.

As noted in an earlier post on this subject, a change in device regulations is not the problem here. This is an issue of application of existing rules and better communication between health authorities, physicians and device manufacturers.


US F.D.A. Approves Ivacaftor

Bravo to Vertex for bringing this to market. Molecules to address the genetic basis of a disease are incredibly expensive to develop and market.

Even though this only addresses one of the mutated genes (G551D) that cause Cystic Fibrosis, it brings hope. Respiratory illnesses are horribly painful and I hope that the relief this provides brings happiness to patients, their families and loved ones.

I’m sure that EMA approval is not far behind.

F.D.A. Approves Cystic Fibrosis Drug – NYTimes.com.

Don’t touch that. Dawn raids and the EU seal.

A costly mistake.

While reading a Bloomberg news story on the EU probe into possible collusion between Veolia, Suez and Saur to fix French water services prices, I was reminded that last year Suez’s subsidiary Lyonnaise des Eaux stumbled across one of EU Competition law’s most onerous and unusual provisions.

Suez was fined €8 million for opening a door.

Unless you have actually been raided, you probably are not aware that the Commission’s inspectors often seal rooms when carrying out dawn raids at corporations suspected of violating Competition law. In the Suez case, when the EU team returned the day after the initial raid to continue its search, it found that a seal on an office door had been removed.

Under EU regulations, the Commission can fine a company up to 1% of its total turnover (worldwide) for a seal broken either intentionally or negligently. You basically have no excuse.

Since Suez cooperated with the Commission, the fine is much lower than 1% of their global turnover. Still, I’m not sure their CFO was impressed with the savings.

This is not the first time a seal has been broken. In an even more costly “seal case”, the EU fined E.ON Energie €38 million. E.ON challenged the fine and lost on appeal.

The moral of the story?

Competition law compliance training should be adapted to each employee and contractor in your organization. In this case, a short and frank discussion with the administrative and cleaning staff would have been worth, say, €8 million. These discussions should be renewed any time there is a change in staff or service providers.

Photo: European Union © 2012