Risk and Compliance update - February 2020

In our February edition of Risk and Compliance highlights, we cover Brexit; anti-bribery & corruption; AML & counter-terrorist financing; GDPR & data protection; and information management & security.

In this issue:
 

Brexit

Anti-bribery & corruption

AML & counter-terrorist financing

GDPR & data protection

Information management & security


Brexit—exit day update

As of 31 January 2020, the UK ceases to be an EU Member State and will no longer participate in the political institutions and governance structures of the EU. However, in accordance with the transitional arrangements provided in Part 4 of the Withdrawal Agreement, exit day marks the commencement of an 11-month implementation period (IP) during which the UK will continue to be treated by the EU as a Member State for many purposes.

Under the current terms, the IP will run from 11pm on 31 January 2020 (exit day) until 11pm on 31 December 2020 (IP completion day). During this period, the UK must continue to adhere to its obligations under EU law (including EU treaties, legislation, principles and international agreements), and submit to the continuing jurisdiction of the Court of Justice of the European Union in accordance with the Withdrawal Agreement.

Exit day is still key in terms of being the date the UK ceases to be an EU Member State, but in terms of the legal impact, IP completion day is the date that the majority of key legal changes associated with Brexit will take effect, including the full repeal of the incorporation of retained EU law into the domestic legal regime and commencement of associated Brexit legislation, including Brexit SIs.

The () implements the Withdrawal Agreement into UK domestic law and includes a range of interpretation and consequential provisions in order to effect this change in the timing. IP completion day replaces exit day for many purposes throughout the and related Brexit legislation, including specific provisions to defer the commencement of Brexit SIs and related enactments.

Notwithstanding the terms of the the SRA is currently saying it will not be accepting new applications for Registered European Lawyer (REL) status after 31 January 2020. It is unclear on what basis this decision has been made. We have raised this with the SRA and hope they will review the end date for REL applications in the light of the deferment of substantive changes to UK law until the end of the Withdrawal Agreement implementation period.

For more information on the Withdrawal Agreement, see Practice Note: .

Brexit - EU Withdrawal Agreement 

As MEPs gathered in Brussels to approve the Withdrawal Agreement on 29 January 2020, the UK introduced Commencement Orders to bring into force relevant provisions of the legislation implementing and giving effect to the Withdrawal Agreement in domestic law, in preparation for exit day on 31 January 2020. Kieran Laird, partner and head of constitutional affairs in the Gowling WLG Brexit Unit, comments on the final stages of the Withdrawal Agreement ratification and the associated legislation. See: .

The European Union (Withdrawal Agreement) Bill received Royal Assent on 23 January 2020, becoming the . The passage of this legislation confirms the UK Parliament’s approval of the Withdrawal Agreement in accordance with domestic constitutional arrangements (as amended). See: .

Graeme Cowie, Senior Library Clerk (Constitutional Law) at House of Commons Library, examines the government’s new EU (Withdrawal Agreement) Bill (the WAB). It sets out the background to the Bill and identifies the key differences between this Bill and the earlier European Union (Withdrawal Agreement) Bill introduced to Parliament in October 2019. See News Analysis:


Anti-bribery & corruption
Deferred prosecution agreements (DPAs)

The Serious Fraud Office (SFO) has confirmed that a DPA, subject to court approval, has been reached between the SFO and Airbus. A public hearing will take place on 31 January 2020, before the President of the Queen's Bench Division. See: and News Analysis: .

Southwark Crown Court has approved a DPA requiring Guralp Systems Ltd, which had been charged with conspiracy to make corrupt payments and failing to prevent bribery by employees, to disgorge within five years its profit attributable to the corruption. The court found the DPA was likely to be in the interests of justice and its proposed terms were fair, reasonable and proportionate. Quinton Newcomb, barrister and director, and Blake Woodfield, solicitor, at Fulcrum Chambers Ltd, examine the judgment and the DPA, which has some unusual features. See News Analysis: .

The founder and a former executive of a scientific instruments manufacturer have been acquitted of conspiracy to make corrupt payments to a South Korean official, after the company made a deal with the SFO to pay £2.1m (US$2.7m) under a DPA. See News Analysis: .

While DPAs can seem attractive, the recent acquittal of Guralp executives accused of conspiracy to make corrupt payments shows that such deals may not always be in a company’s best interests, says Aziz Rahman of Rahman Ravelli. See News Analysis: .

Serious Fraud Office (SFO)

The year ahead will see the conclusion of the SFO’s long-running case against senior Barclays bankers and critical guidance from the UK Supreme Court that will shape a growing queue of price-fixing damages suits. See News Analysis: .

The past year saw long-running SFO investigations conclude with mixed results for the white-collar crime agency, while a ruling by the Court of Appeal reinforced the duty banks owe to corporate clients to help protect against fraud. See News Analysis: .

The SFO has updated its Operational Handbook with new guidance on ‘Evaluating a compliance programme.’ The guidance is designed to assist SFO personnel investigating companies for corporate criminal wrongdoing. This will be either in the context of having received a self-report or where the SFO initiates an external criminal investigation. Companies and their legal advisors should take note of the guidance as it will feed into the decisions about the resolutions that are available, including any potential DPA and charging decisions. See: .

The International Bar Association (IBA) has reported that a lack of convictions for financial crime and delayed investigations have prompted some to question the UK’s appetite for tackling corruption. For the SFO, convictions secured by the organisation fell to 53 percent in 2018–19—the lowest level since 2015–16. In addition, a freedom of information request from law firm Fieldfisher revealed that the SFO has ‘secured only seven convictions against five corporates since April 2013’ and that ‘32 of the 43 criminal investigations opened during this period have not reached a conclusion’. See: .

Foreign Corrupt Practices Act (FCPA)

Following a banner year for Foreign Corrupt Practices Act (FCPA) enforcement in the US during 2019, with individual prosecutions surging and combined corporate penalties reaching new heights, it is now more important than ever for companies to have a strong, properly tailored, proactive compliance programme and vigilant compliance officers, says Martin Bloor of Cozen O’Connor. See News Analysis: .

After a year that set a record for US corporate settlements of FCPA violations, the US is preparing new laws and regulations that would increase corporate transparency in a push to reduce corruption. See News Analysis: .

Uber Technologies, the transportation company, won't face a US Justice Department (DOJ) prosecution over alleged payments made to foreign officials, the company announced last week. The news came from the company alone, with the DOJ staying mum, a move in line with a trend towards handling declinations outside public glare. The new DOJ practice offers some privacy to companies that are resolving prosecutions—a boon as they fight potential challenges from shareholders and seek to rebuild their reputations. For observers, though, the DOJ's reasoning on declinations has become more obscure. See News Analysis: .

AML & counter-terrorist financing
Money Laundering and Terrorist Financing (Amendment) Regulations 2019

The Money Laundering and Terrorist Financing (Amendment) Regulations 2019 came into force on 10 January 2020, bringing new requirements for financial service providers and others in ‘the regulated sector’ in preventing money laundering and terrorist financing. John Binns, partner at BCL Solicitors LLP, considers the impact of on the day-to-day activities of affected businesses and how Brexit will impact the UK’s future transpositions of EU anti-money-laundering (AML) directives. See News Analysis: .

Suspicious activity reports (SARs)

The government has pledged to reform suspicious activity reports (SARs) to ensure UK enforcement agencies and IT systems are prepared to effectively prevent and tackle money laundering and terrorist financing. Max Hobbs, solicitor, and Neill Blundell, head of corporate crime and investigations practice at Macfarlanes, consider the strength of the UK’s existing SAR regime and suggest what changes can be expected from the reform programme. See News Analysis: .

GDPR & data protection

ICO

The ICO has issued a statement on the implications of Brexit on the UK data protection regime. The ICO stated that EU data protection laws, such as the GDPR, will continue to apply in the UK during the transition period until December 2020. Companies and organisations offering goods or services to the EU will not be required to appoint a European representative. See: .

While businesses in the UK that handle personal data do not face immediate disruption, the Information Commissioner’s Office (ICO) is bracing itself for an increasingly diminished role on the umbrella group for national EU regulators, the European Data Protection Board (EDPB). See News Analysis: .

The ICO’s position as a regulator is uncertain in light of Brexit and the ever-changing landscape of data protection. Going into 2020, James McGachie, legal director, and Sami Qureshi, associate at DLA Piper, consider the ICO’s focuses, neutrality and how it will position itself as a regulator outside of the EU. See News Analysis: .

The ICO has issued a consultation on new, draft guidance on dealing with subject access requests (SARs). Stephanie Creed and Ruth Boardman of Bird & Bird LLP explain the latest developments. See News Analysis: .

Standard contractual clauses

The Advocate General has opined that the Court of Justice should rule that the EU standard contractual clauses (SCCs), which are one of a limited number of mechanisms by which organisations in the EU can transfer personal data to countries outside of the EU, remain a valid data transfer mechanism. In particular, the Advocate General found that, notwithstanding any local law or practices in the recipient country, the SCCs ensure an adequate level of protection for personal data transferred because they require the organisation transferring personal data to suspend such transfers in the event that the protections provided by the SCCs cannot be met. Furthermore, EU data protection supervisory authorities have the power to suspend transfers of personal data when that is the case. Written by Bridget Treacy, partner, and James Henderson, senior associate, at Hunton Andrews Kurth. See News Analysis: .

The first standard contractual clauses for contracts between controllers and processors of personal data have been adopted by the Danish supervisory authority for data protection. Bridget Treacy, partner at Hunton Andrews Kurth LLP, considers how these standard clauses will be applied in practice, and challenges arising from liability alongside wording revisions in commercially negotiated personal data processing agreements. See News Analysis: .


Direct marketing

The ICO has published a draft Code of Practice on Direct Marketing, which is now out for consultation—see: . Elle Todd of ReedSmith LLP explains the latest developments, the context and key takeaway points from its 120+ pages. See News Analysis: .


Privacy

The ICO has released a Code of Practice to protect children’s privacy online. The Code of Practice, coined the Age Appropriate Design Code, sets out 15 standards that those designing, developing or providing online services are expected to meet in order to protect the privacy of children. The code requires that children be provided ‘with a built-in baseline of data protection whenever they download a new app, game or visit a website’. Claire Williams, principal associate at Mills & Reeve, encourages providers to rethink and tweak their approach to data protection in light of the new code. She notes that the new code emphasises that privacy should be built directly into online products. Lorna Cropper, director of privacy and information at Fieldfisher, agrees that the code will require a baseline of privacy by default and that it will be important for providers to identify their users. See: .

Data breaches

Data-protection regulators across Europe have hit businesses with fines totaling €114m (US$126m) for mishandling customer information since the bloc’s tough privacy rules came into force in 2018, DLA Piper said on 20 January 2020. See News Analysis: .

The ICO has fined the national retailer DSG Retail Ltd £500,000 after a cyber-attack compromised its point-of-sale computer system, resulting in unauthorised access to at least 14 million customers’ personal details between July 2017 and April 2018. See: .

Information management & security
Cybersecurity

Business leaders and risk experts have said for the first time that the threat of cyber incidents is their number one concern, according to a survey by German insurer Allianz AG. See News Analysis: .

Britain’s cybercrime laws need to be brought into the 21st century, according to a legal report that warns outdated rules could lead to courts prosecuting professionals who have ethical motives for accessing company data. See News Analysis: .

Guidance has been published by the National Cyber Security Centre (NCSC) for businesses on making security decisions when selecting the products and services that provide secure communications in the workplace. The guidance includes a set of principles to guide businesses on assessing the security of voice, video and messaging communication services to help risk owners and security professionals ‘achieve the right balance of functionality, security and privacy’. See: and .

EU ePrivacy

Big Tech and European telecom companies such as Telefónica, Orange and Vodafone are still likely to face EU rules aimed at protecting privacy and security over communication networks, as the EU executive is unlikely to withdraw the draft bill. See News Analysis: .

 

 


About the author:
Allison is a former partner of Shoosmiths, with extensive experience of legal management and practice compliance.