Articles Posted in Regulatory and Compliance


If you operate a website which does business with consumers based in the European Union, read on.

In the recent case, Verein für Konsumenteninformation v Amazon EU Sàrl (28 July 2016), brought by Austrian consumer protection body Verein für Konsumenteninformation (VKI), the Court of Justice of the European Union (ECJ) held that Amazon’s standard terms of business were unfair under the Unfair Terms in Consumer Contracts Directive. As such, an injunction was granted forcing Amazon to change its standard terms.


In case you missed it, the Great British public caught the world off guard when, on 23 June 2016, a small but significant majority voted in favour of the UK withdrawing from the European Union. Much like the termination of an outsourcing agreement without detailed exit provisions and a well-worked-out plan, the decision has sparked political and economic chaos, as the UK is plunged into a period of prolonged uncertainty with much wider ramifications for political stability and economic growth across the EU and beyond.

What does this all mean?

From a UK-based outsourcing lawyer’s perspective, it is very much a case of wait and see. The English law regime applicable to outsourcing and procurement remains, for the time being, “as is”. Until parliament moves to repeal or amend the European Communities Act 1972, UK laws, which include the application of the EU Treaties, remain unchanged. Moreover, laws and regulations which have been transposed into English law in response to EU Directives in diverse areas such as working time, agency workers, data protection and TUPE laws will continue until further notice.


The ERISA Advisory Council recently announced that, as part of its goals for 2016, it will be focusing on cybersecurity issues affecting retirement plans and, in particular, the extent to which such issues relate to third-party administrators and vendors (TPAs) of retirement plans.


Brian Wainwright • Robert S. Logan

The Protecting Americans from Tax Hikes Act of 2015 (the “PATH Act,” Division Q of the Consolidated Appropriations Act, 2016, P.L. 114-113, enacted December 18, 2015) made some important changes to the U.S. federal income tax treatment of U.S. real estate investments by non-U.S. persons under the Foreign Investment in Real Property Tax Act of 1980 (“FIRPTA”).

Increased Withholding


The Court of Justice of the European Union (CJEU) has been very busy in recent weeks re-shaping EU privacy laws. In addition to the much-anticipated decision in “Schrems” (Case C-362/14), which essentially rules the US-EU Safe Harbor invalid, the CJEU has also considered the key issue of “establishment” in another landmark case, namely “Weltimmo” (Case C-230/14).

In particular, it has ruled that businesses with only very minimal operations in an EU Member State can nevertheless be subject to the data protection laws of that Member State, where they process personal data in the context of activities directed towards that Member State. This effectively widens the scope of “establishment” and creates additional headaches for those with European operations.

The action point for companies with a European footprint is therefore to review their European processing activities, re-think where they might be established and look to comply with local laws in those jurisdictions. The status quo is not an option for those who wish to avoid enforcement action in “foreign” jurisdictions they previously thought they could ignore.


Yesterday was a big day for the Court of Justice of the European Union! The fifteen-year-old regime governing EU-U.S. data transfers has been struck down. Specifically, the CJEU declared invalid the safe harbour framework (the “Safe Harbor Framework” or the “Framework”) that thousands of U.S. companies have relied upon to facilitate data transfers from the EU to the United States. The full article was published by our Pillsbury London and U.S. teams.


Global Sourcing attorney Sarah Atkinson, who is based in Pillsbury’s London office, has recently published the article “The payment services market under the eye of the regulator” in Banking Technology. The article considers criticisms of the payment services industry and how the new Payment Services Regulator is hoping to address these. In particular, it considers the issue of technical barriers (including technology barriers) and how these currently inhibit direct access to payment systems. The full article is available on the Banking Technology website.


Last year we wrote about the EU’s adoption of an individual’s “right to be forgotten”, which gives Europeans the right to require search engines to remove information about them from search results for their own names if the information is inaccurate, inadequate, irrelevant or excessive. We also wrote that neither Congress nor the U.S. courts had shown much of an appetite for adopting a stance similar to the EU’s, so there was little chance that the right to be forgotten would be established in the United States. This is still the case, but there appears to be some (albeit small) momentum building among consumer groups and companies to take steps toward the EU approach.

On July 7th, a consumer advocacy group, Consumer Watchdog, filed a formal complaint with the Federal Trade Commission, arguing that Internet users in the United States should also have a similar right as EU citizens have available to them. Consumer Watchdog argues that Google’s current practices are both “unfair and deceptive, violating Section 5 of the Federal Trade Commission Act.” The letter urges the FTC to “investigate and act” on Google’s practices.

Separately, Google already has taken steps in the U.S. to remove certain types of information at the request of users. However, the types of information are fairly limited and in most cases it is very clear when the information should be removed in compliance with Google’s policies. For example, social security numbers can be removed. Google also has a policy that permits the removal of offensive images, which is more subjective but it is set at such a base level of “offensive” that it still offers a fairly bright line test (e.g., child sexual abuse imagery and, more recently, “revenge porn”). At the time of our post last year, Google had received 91,000 requests to remove links in the EU. Since then Google has evaluated over 1,000,000 URLs, which does not include the number of requests from individuals that require more information in order for Google to even perform the evaluation. The volume of links that Google is evaluating is not slowing down, and it would no doubt spike tremendously if the “right to be forgotten” was implemented in the United States.


Any company that uses information technology is a potential target for data theft, advanced malware and other cyber threats. Cyber threats have emerged as a growing systemic risk, particularly to the financial sector, in which Financial Market Infrastructures (“FMIs”) are increasingly under attack from a wide range of players, at greater frequency and with growing levels of sophistication. Regulators, standards bodies and other authorities around the world are giving a high priority to cybersecurity for these reasons. This post summarizes what regulators are doing in Europe to address these threats and describes some of the actions companies everywhere can take to minimize their exposure.

What are EU regulators proposing to improve FMI cybersecurity?

The European Commission has initiated a push to “protect open internet and online freedom and opportunity” by 2020. This initiative includes combatting cyber-attacks against information systems, establishing an EU cybercrime centre and coordinating Emergency Response teams, cyber-attack simulations and national alerts among all EU Member States. These efforts are also intended to align with the international fight against cybercrime. The next five years will see an increase in costs as FMIs and regulators pay to rapidly update single FMIs and solidify an EU-wide cybersecurity structure.


A recent survey of over 1,200 of the top mobile apps in 19 countries by the Global Privacy Enforcement Network (“GPEN”) has found that 85% of the apps reviewed were non-compliant, failing to provide even the most basic privacy information to users.

In addition, 43% failed in their obligation to tailor privacy notices to smaller screens and almost 30% unlawfully requested excessive personal data from users.

Concerns for users are compounded given the lightning speed at which new apps are hitting the market. Last year, for example, in excess of 1 million apps were reported to be available via Apple’s iOS App Store.

Should developers care about these findings?

In short, yes, especially given that the UK privacy regulator, the Information Commissioner’s Office (“ICO”), has recently conducted research that demonstrates that around half of app users have decided against downloading an app due to privacy concerns at some point in time.

Risk for developers does not stop there either.
