New SRA regime
Crime prevention
Business activities
GDPR & data protection
Additional Risk & Compliance updates this month
RIP SRA Handbook 2011. Long live the StaRs. After years of planning, the SRA Standards and Regulations (or the StaRs, as they are also known) came into force on 25 November 2019.
The new SRA regime brings with it a host of important changes for in-house lawyers, including:
• new, slimmed-down SRA Principles
• two new Codes of Conduct, one for solicitors, RELs and RFLs which applies directly to in-house lawyers (and one for SRA-regulated firms)
• new authorisation and practising requirements—and new flexibility in the ways solicitors (including in-house lawyers) can practise
See subtopic including Practice Notes:
•
The Financial Action Task Force (FATF) has published a keynote speech by its executive secretary, David Lewis, who set out FATF’s role in anti-money laundering and countering terrorist financing (AML/CTF). Lewis called for action after FATF evaluations found nearly 100 countries needed fundamental or major improvements in the preventive measures taken by banks, money service businesses, lawyers, accountants, company formation agents, real estate agents, casinos and others. See: .
Following a meeting held on 5 December 2019, the Council of the EU has published its conclusions on strategic priorities on AML/CTF. The Council welcomes the work being done by various EU bodies to tackle the issue, and recognises the need for stronger co-ordination between financial intelligence units. It urges Member States to swiftly complete the transposition of all relevant Union legislation in this area and strengthen its implementation and application. See: .
The US Securities and Exchange Commission (SEC) has announced that Telefonaktiebolaget LM Ericsson (Ericsson) has been charged with engaging in a large-scale bribery scheme. The US Department of Justice (DoJ) has announced that Ericsson has agreed to pay over $1bn for Foreign Corrupt Practice Act violations and entered into a deferred prosecution agreement—this includes a criminal penalty of over $520m and approximately $540m to be paid to SEC in parallel civil proceedings. The scheme involved the use of fake consultants to secretly funnel money to government officials in multiple countries. The bribes allowed Ericsson profits to increase by hundreds of millions. See: .
A senior US DOJ official has said that despite winning a recent trial against a former Alstom executive, bribery prosecutors will need to change their strategy in light of a far-reaching Second Circuit ruling requiring proof that foreigners alleged to have stewarded bribes were ‘agents’ of a US-domiciled company. See News Analysis: .
A former Alstom sales director, Nicholas Reynolds, lost his appeal against his conviction for conspiring to bribe Lithuanian officials after a court ruled that questionable remarks made by the trial judge did not undermine the case. See News Analysis: .
Dr Eike W Grunert and Dr Jochen Pörtge, partners at Pinsent Masons, explain why businesses operating in Germany should begin updating and documenting their compliance risk assessments and measures in preparation for stricter corporate sanctions laws being introduced in the country. See News Analysis: .
Two Serco directors have been charged with fraud and false accounting which took place between 2011 and 2013. The charges followed scrutiny by the Serious Fraud Office of a contract between Serco and the Ministry of Justice. See: .
Principal deputy assistant attorney general at the US DoJ, David Burns, has announced new export controls and sanctions enforcement policy for business organisations. The policy revises the 2016 voluntary self-disclosure policy for US sanctions and export control breaches. Under the revised policy, the default position will be a non-prosecution agreement where a company voluntarily self-discloses export control or sanctions violations, fully co-operates and makes timely and appropriate remediation. See: .
Regulation of economic sanctions in the US continued at a breakneck pace this year, with new rules targeting Venezuela, Cuba, Turkey and Iran, expanded guidance from the Office of Foreign Assets Control (OFAC), and one of the most active enforcement years on record, say attorneys at Ropes & Gray. See News Analysis: .
UK Finance has published a blog on the Information Commissioner’s proposals to extend its enforcement powers, including allowing it to recover profits from the criminal misuse of data under the . The authors note that such an extension is likely to be of interest to organisations that hold large volumes of data, such as banks, and is a further example of wider trends of regulators extending their enforcement powers, using dual-track criminal and regulatory investigations, and seeking parallel redress from individuals and corporates. See: .
The Information Commissioner’s Office (ICO) has launched a campaign aimed at contacting all registered UK companies to remind them of the legal responsibility they have to pay a data protection fee, as part of a wider programme to ensure the data protection fee is paid by everyone required to do so. Under the organisations that process personal data are obliged to pay the fee, unless exempt. See: .
On 20 November 2019 the European Data Protection Board (EDPB) published its draft guidelines on the principles of Data Protection by Design and Default (the Guidelines) under Article 25 of the General Data Protection Regulation ((GDPR). The Guidelines give general guidance on the interpretation of the obligations of data protection by design and by default. In addition to covering these principles, the Guidelines also cover certification mechanisms for demonstrating compliance with Article 25 of the GDPR and enforcement by supervisory authorities. Matthew Buckwell, Ruth Boardman and Ariane Mole of Bird & Bird LLP explain the latest developments. See News Analysis: .
The ten largest fines levied in 2019 for breaches of the GDPR totalled €402m, figures released show, but few companies, if any, have been covered by cyber-insurance. See News Analysis: .
How does Article 71 of the draft agreement on the withdrawal of the UK from the EU (Withdrawal Agreement) ensure the personal data of non-UK data subjects is processed in the UK in accordance with EU law? Eleonor Duhs, director and barrister at Fieldfisher, considers the implications of the provisions in Article 71 for UK controllers. See News Analysis: .
The final text of the Danish standard contractual clauses, as adopted by the Danish supervisory authority, has been published in the EDPB)’s Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism. See: .
The ICO has opened a consultation on its new guidance in relation to the right of access (often known as subject access), which is outlined in the GDPR. The right allows individuals ‘to find out what personal data is held about them and to obtain a copy of that data’. In April 2018, the ICO published its initial guidance on the right of access. It has now drafted more comprehensive guidance on the subject, ‘which explains in greater detail the rights that individuals have to access their personal data and the obligations on controllers’. See: .
The EDPB has published its adopted draft guidelines on the criteria of the right to be forgotten in the search engine cases under the GDPR for public consultation. The guidelines provide an interpretation of Article 17 of the GDPR with regard to the grounds and exceptions for delisting requests directed to search engine providers and are an update of 2014 guidelines issued by the Article 29 Working Party. These guidelines will ultimately be complemented by another set of guidelines on the criteria for handling complaints for refusals of delisting. See: .
The European Union Agency for Cybersecurity (ENISA) has published a new report on pseudonymisation techniques and best practices that looks at the basic notions of pseudonymisation and technical solutions that may be able to support implementation in practice. See: .
MLex: Big Tech and European telecom companies like Telefónica, Orange and Vodafone are scratching their heads about what lies ahead for EU rules aimed at protecting the privacy and security of communications over their networks. The new European Commission, which will take office next week, will have to decide whether to scrap the proposal, amend it, or allow EU governments to have another crack at a compromise. See News Analysis:
The State Opening of Parliament and Queen’s Speech marks the formal commencement of the new parliamentary year and is a chance for the newly formed government to set out its revised policy agenda following the 2019 general election. See: .
The government has announced its intention to introduce the European Union (Withdrawal Agreement) Bill. The purpose of the Bill is to implement the Withdrawal Agreement that has been agreed between the UK and the EU in domestic law and recognise the government’s promise to deliver Brexit by 31 January 2020 and subsequently secure a future relationship with the EU ‘based on a free trade agreement that benefits the whole of the United Kingdom’. See: .
Our new Risk & Compliance forecast (as at 11 December 2019) is live. This month, we report on issues including (1) AML and CTF; (2) crime prevention; (3) whistleblowing; (4) competition law compliance; (5) data protection; (6) modern slavery; (7) employment and (8) regulation of legal services. You can rest assured we're tracking forthcoming regulatory changes so you can plan ahead. See: .
Baker McKenzie has released its 2019 Data and Cloud Survey results, which provides insights relating to data, including who owns it, where it resides and how it is protected. Peter George and Adam Aft, partners at Baker McKenzie, discuss the key trends that emerged from survey, as well as what the survey revealed about data protection, cloud terms, liability and cyber insurance. See News Analysis: .
MLex: The UK’s competition, procurement, State aid and digital regulations are in line for revision following the Conservative Party’s victory in the general election. See News Analysis: .
* denotes a required field
0330 161 1234