Global Compliance News

What to Watch: Draft Export Control Law of China

The Ministry of Commerce (“MOFCOM“) of the People’s Republic of China (“China“) published the draft Export Control Law (“ECL“) for public comments via a circular on 16 June 2017. If enacted, the ECL will be the first set of comprehensive and unified export control legislation in China, which is aimed at upgrading the country’s existing regime consisting of various administrative regulations and rules. The ECL is still in the draft form and no further update has been announced since its publication last year, but it is widely expected to be introduced in the National People’s Congress within 2018.

1. Controlled Items, Blacklists and Embargoes

The draft ECL sets forth four categories of controlled items (“Control Lists“), including dual-use items which may be used for civilian and military purposes, military items, nuclear items, as well as other goods, technologies, services and items that are related to national security. Items outside the Control Lists could also be temporarily controlled for up to two years, subject to the approval of the State Council, the Central Military Commission and their designated authorities (“Competent Authorities“). In addition, activities subject to ECL control need not involve items on the Control Lists as long as the exporter knows or should know that the export may give rise to national security and terrorism concerns.

The Competent Authorities may also maintain blacklists of foreign importers and end-users that breach the ECL, and may prohibit the export of controlled items to such persons

Furthermore, the draft ECL provides that if China is subject to any discriminatory export control measures by any country, the State may adopt retaliatory measures against such country. The State may also put in place any necessary controls over the export of any goods, technologies and services in order to safeguard security and interests during wartime or urgent situations concerning international relations.

If the draft ECL is passed in its current form, companies must be prepared to regularly monitor dynamic updates to the scope of controlled items, countries and persons in order to ensure full compliance with the law.

2. Controlled Activities and Licensing

The draft ECL introduces the concepts of deemed export and re-export in China, which will bring China’s system many steps closer to the export control regimes in western countries. Deemed exports include the provision of controlled items by a citizen, legal person or other organization in China to any foreign person; the item need not be physically exported from China. Re-export controls cover the export of controlled items (i.e. items comprising a prescribed amount of content controlled by China) from one overseas jurisdiction to another.

It remains unclear whether or precisely how China will implement provisions controlling deemed export and re-export transactions. Given their potentially extra-territorial reach, there may be practical challenges in enforcing such requirements. Furthermore, if ultimately adopted, the deemed export provisions may significantly impact multinational corporations with a presence in China or with access to Chinese controlled items and technology outside of China. In view of the breadth of the draft legislation, even the sharing of information related to controlled items between colleagues (one of whom is employed by a Chinese subsidiary) may be included within the scope of the ECL’s control regardless of whether there is actual cross-border transfer.

The ECL requires licences (categorized into General Licences and Individual Licences) to be obtained from the Competent Authorities for carrying out controlled activities. Additionally, exporters may also be subject to recordkeeping and monopoly qualification requirements.

3. End-Use Requirements

The Competent Authorities may request the exporters to submit end-use certificates or documents issued by the importers or the relevant agencies in the countries of import. The exporters are also under a positive obligation to review the end-users and uses of the exported items, and to immediately report to the Competent Authorities of any change in end-users or uses. Further , the importers shall undertake not to alter the ultimate uses of the imported items, or transfer the imported items to any third parties other than the end-users, without the approval of the Competent Authorities. In this regard, the Competent Authorities are empowered under the ECL to conduct on-site verifications on the end-users and end uses.

4. Enforcement and Penalties

The draft ECL grants Competent Authorities broad investigative powers. They may, for example, enter the business premises of parties under investigation, conduct interviews with relevant parties, access and copy relevant documents, examine the conveyance used for export, seize items and even freeze bank account of the export operators.

The draft ECL prescribes the following key penalties:

  • Export without a Permit – The operator may receive a warning from the Competent Authorities, as well as administrative penalty of not more than 10 times the illegal business revenues and confiscation of any illegal gains derived from such activity. Persons directly in charge and other persons directly held liable (not expressly defined, but may include employees or agents of the exporter) may also be given a warning and fined up to CNY 300,000.
  • Fraudulent Acquisition or Trading of a Permit – In addition to the above penalties, the Competent Authorities may withdraw the licence of any party that obtains it by fraud, bribery or other illegal means, or falsifies, alters, leases, lends, or trades a licence for the export of controlled items.
5. Implications

The ECL is still in the draft form and it remains to be seen how the legislative provisions will be enforced, whether any exemptions will be introduced, and if there will be any meaningful updates to the draft before it is introduced to the National People’s Congress. Given the potentially wide-sweeping impact, multinationals that may be affected are well advised to start early to understand the implications of the new law on their compliance obligations, supply chains, and business operations.

The post What to Watch: Draft Export Control Law of China appeared first on Global Compliance News.

Legal Privilege in Internal Investigations: an Update from Switzerland

As previously reported (link), the Swiss Federal Supreme Court in a 2016 decision (1B_85/2016) took a rather narrow approach to the scope of legal privilege in connection with anti-money laundering investigations, suggesting that no privilege could be claimed with respect to a bank’s internal monitoring, controlling and documentation duties arising as a matter of prudential regulation, namely in relation to politically exposed persons (“PEPs”). To the extent that external lawyers are instructed to carry out such investigations on behalf of a bank, they are, according to the 2016 decision, deemed to exercise an “atypical” activity which, like asset management activities or director roles, is not protected by legal privilege. In passing, the Federal Supreme Court also suggested that pure fact-finding activities should anyway not qualify as legal advice covered by legal privilege. The latter observations in particular caused a bit of a stir in the legal and compliance community in Switzerland, as it is generally considered that fact-finding activities required to identify and analyze potential breaches of law must be, and are according to established practice in fact, fully protected by legal privilege.

This traditional understanding has now been confirmed by the Appeals Chamber of the Swiss Federal Criminal Court, i.e. by the judicial body in charge of appeals against procedural decisions and coercive measures (cf. Decision of September 4, 2017, BE.2017.2). In this case, the Federal Department of Finance had opened an administrative investigation based on suspicions that a bank had failed to make an anti-money laundering notification in connection with a potential fraud case involving an external asset manager. In the context of this investigation, the Federal Department of Finance requested the disclosure of an internal investigation report, which the bank had commissioned from a law firm. The bank objected to the disclosure request, arguing that the investigation report and the supporting documentation were protected by legal privilege.

The Federal Criminal Court shared the bank’s argumentation, holding in essence that the report was the basis for, and included, legal advice rendered by external lawyers. Referring to the prior decision of the Federal Supreme Court, the Federal Criminal Court noted that the investigation in question was aimed at obtaining an ex-post legal analysis of whether the bank had met its statutory compliance obligations . Unlike in the previous case, there was no suggestion that the bank had outsourced the execution of compliance measures that it had been required to apply at the outset, and in the course, of the client relationship. The Court also clarified that fact-finding activities for purposes of obtaining legal advice are generally covered by privilege, as they constitute a necessary prerequisite for any legal analysis by external lawyers.

While being in line with established Swiss case law on the scope of legal privilege, this new decision provides a welcome clarification, confirming that legal privilege is as a matter of principle available to lawyers admitted to practice in Switzerland in investigations concerning suspected breaches of law. As results from the Federal Supreme Court’s 2016 decision, exceptions may apply with respect to the specific due diligence obligations which banks have to undertake when engaging in a client relationship with PEPs, but these exceptions are to be understood narrowly. In any case, as regulators or prosecutors today regularly try to rely on internal investigations to collect information for administrative or criminal proceedings, it is strongly recommended to carefully define the investigation mandate in accordance with the specific requirements of the jurisdictions in which such proceedings are likely to take place.

The post Legal Privilege in Internal Investigations: an Update from Switzerland appeared first on Global Compliance News.

Italy adopts whistleblowing law in the private sector

On November 15, 2017, the Italian Parliament approved a new law extending to the private sector the protection of employees who report unlawful behaviors of which they became aware during their work activities (so-called “Whistleblowers”). In this respect, Section 2 of the law states that Organization, Management and Control Models pursuant to Decree No. 231/2001 (“Law 231 Models”) shall provide for a whistleblowing system establishing (i) one or more channels for reporting unlawful conducts which may trigger the company’s liability pursuant to Decree No. 231/2001 and/or violations of the Law 231 Model and which must ensure the confidentiality of the whistleblower’s identity, and (ii) at least one alternative channel which shall also ensure, by electronic methods, the confidentiality of the whistleblower’s identity. Moreover, Law 231 Models shall prohibit any retaliatory or discriminatory actions against the whistleblower and provide for specific sanctions for the violation of such prohibition and for those individuals who report, with intent or gross negligence, untrue allegations. In view of the forthcoming entry into force of the above-mentioned provisions, all companies operating in sectors particularly exposed to legality distortive events, such as the pharmaceutical and the biomedical ones, should proceed with the update of their Law 231 Models.

 

The post Italy adopts whistleblowing law in the private sector appeared first on Global Compliance News.

UN votes to impose new sanctions against North Korea

On 22 December 2017, the UN Security Council (UNSC) unanimously voted to imposed new sanctions on North Korea following its intercontinental ballistic missile test in November. The UNSC adopted Resolution 2397 (2017), which seeks to limit North Korea’s access to refined petroleum products and crude oil, and its earnings from workers abroad. The measures involve the following:

  1. North Korea’s imports of refined petroleum have been capped to 500,000 barrels for 12 months starting on 1 January 2018;
  2. North Korea’s imports of crude oil have been capped at 4 million barrels for 12 months as of 22 December 2017;
  3. Expansion of sectoral sanctions by introducing a ban on the export of food and agricultural products, machinery, electrical equipment, earth and stone, wood and vessels from North Korea;
  4. A ban on the supply, sale or transfer to North Korea of all industrial machinery, transportation vehicles, iron, steel and other metals (except spare parts to maintain North Korean commercial civilian passenger aircraft currently in use);
  5. Requirement for Member States to repatriate all North Korean nationals earning income within 24 months from 22 December 2017;
  6. Authorisation for Member States to seize, inspect, freeze and impound any vessel in their territorial waters found to be illicitly providing oil to North Korea through ship‑to‑ship transfers, or smuggling coal and other prohibited commodities from the country; and
  7. Designation of an additional 16 individuals (mainly banking officials – asset freezes and travel bans imposed), and 1 entity (‘Ministry of the People’s Armed Forces’ – asset freeze imposed).

The UNSC stated that additional tests of nuclear weapons or long‑range ballistic missiles by North Korea would result in further restrictions on its import of petroleum.

Following the adoption of Resolution 2397 (2017), OFAC also designated as SDNs two individuals, listed in said resolution, pursuant to Executive Order 13687. Kim Jong Sik and Rik Pyong Chol are senior officials in the Workers’ Party of Korea Munitions Industry Department and both are said to be key figures in North Korea’s ballistic missile development. As a result of the SDN designations, any property or interests in property of these SDNs (as well as any entities 50% or more owned by them) that come within the possession or control of a US person are blocked, and transactions by US persons involving the designated persons are generally prohibited.

The EU has also aligned its list of sanctioned parties with Resolution 2397 (2017); the 16 individuals and 1 entity stated in point 7 above have been transposed into the EU sanctioned parties list for North Korea.

The post UN votes to impose new sanctions against North Korea appeared first on Global Compliance News.

Latin America: FCPA Corporate Enforcement Policy

FCPA Corporate Enforcement Policy

On November 29, 2017, in his speech at the 34th International Conference on the FCPA in the Washington, DC metropolitan area, Deputy Attorney General Rod J. Rosenstein announced a new FCPA Corporate Enforcement Policy that replaced the FCPA Pilot Program of April 2016. This new policy was made a permanent part of the United States Attorneys’ Manual (Title 9-47.120), assuring more uniformity in its application by US prosecutors.

The new policy is an improvement as compared to the FCPA Pilot Program that had already shown positive results, according to the DOJ. In fact, as Mr. Rosenstein stated, during the 18 months in which the FCPA Pilot Program was in effect, there were 30 voluntary disclosures to the DOJ’s FCPA Unit compared to only 18 disclosures in the 18 months before the program had been put in place.

Most notably, the new policy provides for a presumption of declination for companies that voluntarily disclose misconduct in FCPA matters, fully cooperate, and appropriately remediate, absent aggravating circumstances. The new policy also provides additional credits to companies that self-disclose and cooperate with the US government, as explained below.

 

Credits

Along with the requirements of self-disclosure, cooperation and remediation, the new policy sets forth rules about credits in two scenarios.

The first scenario relates to a company that voluntarily self-disclosed, fully cooperated with the authorities and timely and appropriately remediated the deficiencies found. In this case, there are two possibilities:

(1) Absent any aggravating circumstances related to the seriousness of the offense or the nature of the offender (as specified below), there will be a presumption that the company that fulfills the requirements of the new policy will receive a declination, which will be made public;

(2) If there are aggravating circumstances (such as involvement by executive management of the company in the misconduct, a significant profit to the company from the misconduct, pervasiveness of the misconduct within the company or criminal recidivism):

(i) The DOJ will accord or recommend a 50% reduction off of the low end of the US Sentencing Guidelines (U.S.S.G.) fine range, except in the case of a criminal recidivist.

(ii) Generally, the DOJ will not require the appointment of a monitor, as long as the company has implemented an effective compliance program at the time of the resolution.

The second scenario refers to a limited credit if the company did not voluntarily self-disclose but, once the investigation was ongoing, fully cooperated and timely and appropriately remediated. In that situation, the company will receive or the DOJ will recommend up to a 25% reduction off of the low end of the U.S.S.G. fine range.

Finally, the new policy includes definitions and comments on key concepts such as cooperation, thus allowing for more objectivity and consistency in its application and more transparency in the Department’s decisions, which helps to eliminate uncertainties and to avoid an excessively discretionary enforcement.

It is still unknown how this new policy will affect the decisions taken by the DOJ to address specific violations. However, the rules in the new policy bring more clarity and guidance and should definitely be taken into consideration when companies decide how to approach the DOJ.

Useful links: Deputy Attorney General Rosenstein’s speech: https://www.justice.gov/opa/speech/deputy-attorney-general- rosenstein-delivers-remarks-34th-international-conference-foreign FCPA Corporate Enforcement Policy: https://www.justice.gov/criminal-fraud/file/838416/download United States Attorneys’ Manual: https://www.justice.gov/usam/united-states-attorneys-manual US Sentencing Guidelines: https://www.ussc.gov/sites/default/files/pdf/guidelines-manual/2016/GLMFull.pdf

The post Latin America: FCPA Corporate Enforcement Policy appeared first on Global Compliance News.

Data Protection Officers Must Not Have a Conflict of Interest – Part 2

For part 1 click here.

Under the European General Data Protection Regulation (GDPR), which will start to apply on 25 May 2018, many companies will be required to appoint a Data Protection Officer (DPO). Violating the requirements relating to the appointment of a DPO can be sanctioned with fines of up to EUR 10 million or up to 2 percent of the total worldwide annual turnover, whichever is higher. So, who do you appoint as your DPO?

Companies may choose to appoint an employee of the company as an internal DPO or a professional data privacy advisor as an external DPO. The appointed DPO must have the necessary knowledge and expertise in data protection law and must be reliable as well as independent. When is a DPO reliable and independent? This is not always a straightforward question in practice and it makes sense to look at how this requirement is interpreted to date in Germany, where companies have long been required to appoint a DPO.

According to the current interpretation of the existing German data protection law, the DPO must not have any duties which conflict with the monitoring obligations of the DPO. The Bavarian Data Protection Authority (BayLDA) takes the position in its recent activity report (German only) that members of the legal department may in certain cases have a conflict of interest which disqualifies those individuals from acting as DPO. In particular, if the legal counsel may represent the company in a legal proceeding (especially with regard to legal actions against employees or customers, which may include data privacy related aspects), the legal counsel is subject to a conflict of interest and, therefore, not independent. This may reduce the potential internal candidates for the role of the DPO significantly: The Art. 29 Working Party stated recently that individuals with a senior management position, such as chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments can have a conflict of interest and are therefore not suitable candidates for the DPO position (also supported by the BayLDA: read more).

In principle, a member of the company’s internal legal counsel team would be a suitable candidate for the DPO, especially if such legal counsel has data privacy experience. Moreover, the skills of a lawyer can be helpful when dealing with the Data Protection Authorities, which will be a core aspect of the DPO’s responsibilities. A company contemplating appointing a member of the legal department as DPO must ensure that this internal legal counsel is excluded from representing the company in any legal proceedings which may cause a potential conflict of interest. The position of the BayLDA goes beyond the position of the Art. 29 Working Party which states that an external DPO has a conflict of interest if this DPO represents the company in legal actions relating to data privacy issues before the courts.

When considering potential internal candidates for the position of the DPO, amongst other things, companies will therefore need to pay attention to potential conflicts of interest.

Contacts for further information: Julia Kaufmann LL.M., Partner, Baker McKenzie Munich
Prof. Dr. Michael Schmidl LL.M., Partner, Baker McKenzie Munich
Dr. Holger Lutz LL.M., Partner, Baker McKenzie Frankfurt

 

The post Data Protection Officers Must Not Have a Conflict of Interest – Part 2 appeared first on Global Compliance News.

United Kingdom: The Morrisons Data Breach Judgment

Various Claimants v Wm Morrisons Supermarket PLC is an important decision about how and when an employer can be liable to its employees for data protection law breaches caused by a rogue employee. The judgment is mammoth and has received a lot of press attention. We have distilled the case and its implications into five key points:

  1. Group Litigation: This is one of the first class-action type claims for data protection law breaches in the UK. The rogue employees’ actions impacted almost 100,000 employees, and 5,518 joined together under a ‘group litigation order’ to bring this claim. Whilst it might be one of the first, it won’t be the last. Data breaches are business as usual, and the forthcoming GDPR will raise awareness of data protection rights to another level.
  2. Vicarious liability but not primary liability: Morrisons were held vicariously liable for the criminal actions of its rogue employee, who released payroll related data of almost 100k employees. This is perhaps unsurprising given the Supreme Court’s decision in Mohamud v Morrisons, and the approach to assessing the connection between the rogue employee’s employment and his wrongful conduct. The Court did acknowledge that this is a difficult issue, and gave leave to appeal. Importantly though, other than breach of the seventh data protection principle (see below) Morrisons did not have primary liability for breach of the Data Protection Act 1998 (DPA) or breach of confidence – that would only be the case if they authorised or permitted the misconduct.
  3. Appropriate technical and organisational security measures including retention: The employees claimed Morrisons were liable for breaches of several of the DPA’s principles. The only principle they were found to have breached was the seventh principle – the requirement to ensure appropriate technical and organisation security measures to protect the data. Retention of the data, and a lack of clear procedure to address data deletion in this case, was a significant issue and Morrisons should have addressed it. On the facts, however, it was found not to have caused the unauthorised disclosure.
  4. Damages: This decision dealt with liability only so remedy awaits to another day. But importantly it does not matter if any of the impacted employees have suffered financial loss as a result of the breach. They can be awarded damages for the distress caused by the breach, and the loss of control over their personal data.
  5. Litigation strategy for data breach: If your business is subject to a data breach that results in a notification to Information Commissioner’s Office (the ICO), the police, some other authority or regulator, and/or data subjects, you will need to be strategic in how you address your obligations towards those people, whilst protecting your position in the event of litigation by the data subjects themselves. It highlights the needs for a well rehearsed data security breach incident response plan. Morrisons brought a successful claim for damages against the rogue employee – but their evidence in that claim (including the potential distress caused to the affected employees by the breach) is likely to raise its head in the remedies hearing in this current claim.

Take a deeper dive into each of the five points below, but first, here are some of the facts giving rise to the judgment (because they’re relevant, and quite interesting):

Facts

The rogue employee was Andrew Skelton, a Senior IT Auditor at Morrisons. In 2013, he had received a verbal warning for a matter unrelated to the present case. Skelton did not agree with the level of sanction he received and resolved to damage Morrisons. In November 2013, KPMG were carrying out an audit of Morrisons payroll data. Skelton did not normally have access to payroll data, which was limited to a handful of “super-users” and ordinarily stored on a secure internal environment created by proprietary software known as “Peoplesoft”. However, to facilitate KPMG’s work, the IT internal audit team was charged with responsibility for collating all the data requested by KPMG, which was assigned to Skelton. Accordingly, the payroll data was therefore extracted from Peoplesoft and transferred to Skelton’s laptop via a USB drive. Skelton provided KPMG with the information they had requested, but retained a copy.

On 12 January 2014, a file containing personal details of nearly 100,000 Morrisons employees was posted on a file sharing website. Shortly afterwards, links to the website were placed elsewhere on the web. The data consisted of personal data (e.g. names, addresses, dates of birth, salaries, bank details etc.). On 13 March 2014, a CD containing a copy of the data was received by various newspapers in the UK. The newspapers did not publish the data and Morrisons was informed of the data breach. Within a few hours Morrisons had taken steps to ensure the website had been taken down. It also alerted the police.

On 19 March 2014, Skelton was arrested. He was later sentenced to 8 years in prison for offences arising from disclosing Morrisons’ employees’ personal data. At Skelton’s criminal trial, the Recorder of Bradford had no doubt that it was the previous verbal warning that caused Andrew Skelton to act as he did.

Subsequently 5,518 Morrisons’ employees, whose data was disclosed, brought claims for compensation under the DPA, under common law for the misuse of private information and in equity for breach of confidence. These claims were made on the basis that Morrisons was primarily liable for its own acts and omissions, and vicariously liable for the actions of Skelton that harmed his fellow workers.

Five key takeaways from the High Court decision:

1. Group Litigation: the group litigation issue had in fact been dealt with in earlier proceedings. The claimant lawyer, originally representing 2000 claimants, sought permission for time to allow other potential claimants to join the litigation. The court granted a Group Litigation Order (GLO), and set a long stop date by which the impacted employees could join, so that the number of claimants for the liability hearing was 5,518.

Comment: We believe this is one of the first, if not the first, GLO for a data protection / misuse of private information / breach of confidence claim. The future potential impact is significant – as both awareness of data protection law increases (particularly in the run up to May 2018 and the GDPR becoming live) and the frequency of material data breaches rises. As had long been feared, the establishment of liability in respect of a large group of data subjects for a security failure opens the door to potentially enormous liabilities of employers / data controllers, even if each individual loss is low.

2. Vicarious Liability but not primary liability: The claimants alleged breaches of the following of the DPA’s data protection principles (DPPs), and related rules in relation to misuse of private information and breach of confidence:

DPP1 (fair and lawful processing) on the basis that none of the claimants had consented to Skelton processing their data by copying the payroll data, making an extract of that data and then sending that extract to the file sharing website.

DPP2 (purpose limitation) on the basis that the payroll data was processed in a manner incompatible with the purpose for which it was obtained (i.e. it was processed not only for administration, payroll and audit purposes but was also processed for criminal purposes).

DPP3 (the requirement for the personal data to be adequate, relevant and not excessive) and DPP5 (the requirement for personal data not to be kept longer than necessary) which the claimants claimed had been breached but did not elaborate on how it had been breached.

DPP7 (the requirement to have appropriate technical and organisational measures to protect personal data) on the basis of the alleged failures described in point 3 below, which largely relate to the fact Skelton was entrusted with handling the payroll data, and his actions in relation to the data wasn’t monitored, nor was the data promptly deleted.

The court had to decide three things:

A. whether Morrisons itself had breached any of the DPPs

B. whether Morrisons had primary liability for breach of the DPPs in relation to actions which it had not authorised i.e. the actions of Skelton

C. whether it had vicarious liability for Skelton’s actions.

In relation to A (breach of the DPPs by Morrisons themselves), the Court found that Morrisons had not breached DPPs 1, 2, 3 or 5 as Morrisons were not the data controller at the time of these breaches (KPMG, the auditor, and Skelton himself, were) and as Morrisons were not the data controller, they did not owe a duty to the claimants in respect of those breaches.

In relation to DPP7 (requirement to have appropriate technical and organisational measures) the Court found that Morrisons were in breach in one respect by failing to have an organised system for the deletion of data that is temporarily held outside its usual secure repository i.e. the payroll data on Skelton’s work laptop. The Court noted that a practice of checking that employees had performed a process such as deletion may in some circumstances lead to the employee thinking that their employer mistrusted him/her. However, it considered that this could be mitigated by having a clear understanding amongst employees, created from top down, that it would be part of usual routine for managers to check that sensitive data had been deleted. That said, the Court considered that Morrisons’ breach did not cause the unauthorised disclosure, and therefore did not cause the damage to the claimants – (see further at paragraph 3 below).

In relation to B (primary liability for breach of DPPs in relation to the unauthorised acts), Morrisons could not have primary liability for the breaches of DPPs 1, 2, 3 or 5 or the related alleged breaches of confidence or misuse of private information, as Morrisons did not disclose the information or misuse it – it was Skelton, acting without authority and criminally.

In relation to C (vicarious liability), the Court held that Morrisons were vicariously liable for the actions of Skelton. The test, as set out in the Supreme Court’s decision in Mohamud v Morrisons is:

  • What is the function or field of activities that had been entrusted to the employee, or in other words, what is the nature of his/her job?
  • Is there a sufficient connection between the nature of the employee’s job and the wrongdoing to make it right for the employer to be held vicariously liable?

In Mohamud, the Supreme Court found that an employee’s physical attack on a customer was so closely connected with his employment that Morrisons was vicariously liable for the customer’s injuries. For more information, click here for our client alert on this case.

In this case, the Court relied on the following findings of fact to find that Skelton’s criminal act of disclosing the payroll data was sufficiently closely connected to his employment so as to make Morrisons vicariously liable:

In this case, the Court relied on the following findings of fact to find that Skelton’s criminal act of disclosing the payroll data was sufficiently closely connected to his employment so as to make Morrisons vicariously liable:

i. There was an unbroken thread that linked Skelton’s work to the unauthorised disclosure and what happened was a seamless and continuous sequence of events. Skelton had formed his plan when he knew he was to be the go-between Morrisons and KPMG, even before his first unlawful act of transferring the data from his work laptop to personal USB stick;

ii. Morrisons had deliberately entrusted Skelton with the payroll data – this was not a case where his work merely gave him access to that data but he was chosen as the assigned person to send that data to KPMG. Morrisons therefore bore the risk that their trust may be displaced.

iii. Skelton’s task was to receive the payroll data, store it and then transfer it to KPMG. The fact that he chose to disclose it to others was closely related to the task he had been given, even it if had not been authorised.

iv. Skelton was acting in the course of his employment when he received the payroll data – the chain of events then leading to its disclosure was unbroken and the fact that the disclosures were made some time later, from home, by use of his personal equipment, on a non-working day, did not disengage them from his employment.

The Court also considered that it would be right for Morrisons to be held vicariously liable under the principle of social justice as Morrisons were more likely to have the means to compensate the claimants than Skelton and can be expected to have insurance against such liability.

It was clear, however, that the Court was uncomfortable with the outcome of its decision on vicarious liability as it recognised that its decision might render the Court an accessory in furthering Skelton’s criminal aims. It therefore granted permission to appeal the vicarious liability decision.

Comment

If the ruling on vicarious liability stands, the case shows that for employers, avoiding liability is not simply a case of demonstrating that appropriate measures have been implemented in accordance with data protection legislation. For employee driven “inside jobs”, they will want to consider even stricter measures to limit risk, as they may be liable for employee criminal behaviour regardless.

The post United Kingdom: The Morrisons Data Breach Judgment appeared first on Global Compliance News.

Malaysia: MyEG’s penalty for abuse of dominant position

On 28 December 2017, the Competition Appeal Tribunal (“CAT“) upheld the Malaysian Competition Commission’s (“MyCC“) decision on 24 June 2016 that My E.G. Services Berhad (“MyEG“) and its wholly-owned subsidiary, My E.G Commerce Sdn. Bhd. (“MyEG Commerce“) have abused their dominant position in the provision and management of online Foreign Workers Permit (“PLKS“) renewals.

Brief Facts and MyCC Decision

In 2012, MyEG signed an agreement with the Malaysian government to provide an online system for PLKS renewals. In order for a PLKS renewal application to be successful, an employer of foreign workers has to fulfil several conditions including the purchase of three mandatory policies for the foreign workers (“Mandatory Insurance“). MyEG Commerce is an agent for several insurance companies for the sale of the Mandatory Insurance.

The MyCC found that MyEG has abused its dominant position by engaging in various conduct, including:

  1. MyEG, being the only platform for provision and management of online PLSK renewals had in effect made it compulsory for the employers of foreign workers to purchase the Mandatory Insurance from MyEG Commerce;
  2. MyEG had induced the employers of foreign workers to purchase the Mandatory Insurance from MyEG Commerce by implementing additional verification steps for employers who purchase these policies from other insurance companies for which MyEG Commerce was not an agent; and
  3. MyEG had leveraged its dominance in the upstream market of online PLKS renewal service, in the downstream market of sale of Mandatory Insurance.

cease and desist immediately from imposing different conditions to the equivalent transaction in the processing of Mandatory Insurances for PLKS renewals;The MyCC imposed a total financial penalty of RM2,272,200.00 on MyEG (“Initial Penalty“).

Decision

On 28 December 2017, the CAT upheld MyCC’s decision and imposed a financial penalty of RM6,412,000 on MyEG and MyEG Commerce (comprising the Initial Penalty and a daily penalty of RM7,500 from 25 June 2016 to 28 December 2017, amounting to RM4,140,000). Further, the CAT ordered MyEG and MyEG Commerce to comply with the following directions:

  1. to provide an efficient gateway for all its competitors and potential new entrants in the relevant market for the sale of the Mandatory Insurances and allow the other competitors to compete at the same level within sixty (60) days from the date of CAT’s decision i.e. 28th December 2017; and
  2. in the event of non-compliance of the aforesaid directions, MyCC is at liberty to impose a daily penalty of RM7,500 (instead of higher penalty) for the subsequent period of non-compliance.

MyCC’s decision against MyEG and MyEG Commerce was the first infringement decision for abuse of dominance since its establishment in 2012. The CAT’s decision to uphold the fine imposed by MyCC is a reminder to companies with significant market power to conduct themselves cautiously, and lends support to MyCC’s continuing vigilance in monitoring dominant players and other infringements under the Competition Act.The CAT also reiterated that being in a dominant position by itself is not a breach of the Malaysian Competition Act (“Act“). However, as MyEG is a sole concession holder, there is a higher burden on MyEG to comply with Malaysia’s competition laws, and to grant market players equal access to its facilities.

Conclusion

MyCC’s decision against MyEG and MyEG Commerce was the first infringement decision for abuse of dominance since its establishment in 2012. The CAT’s decision to uphold the fine imposed by MyCC is a reminder to companies with significant market power to conduct themselves cautiously, and lends support to MyCC’s continuing vigilance in monitoring dominant players and other infringements under the Competition Act.

The post Malaysia: MyEG’s penalty for abuse of dominant position appeared first on Global Compliance News.

US Government Implements the Global Magnitsky Act and Publishes Magnitsky Act Sanctions Regulations and Related Designations

On December 20, 2017, President Trump signed Executive Order (“Order”) 13818 titled “Blocking the Property of Persons Involved in Serious Human Rights Abuses or Corruption”.  The Order implements the Global Magnitsky Human Rights Accountability Act (“Global Magnitsky Act”), which was signed into law on December 23, 2016 and which targets human rights abusers and corrupt actors globally.  This is to be contrasted with the Sergei Magnitsky Rule of Law Accountability Act of 2012 (“Magnitsky Act”) targeting human rights abusers in Russia, with respect to which the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) published regulations on December 21, 2017.  In addition, OFAC designated a number of individuals and entities as Specially Designated Nationals (“SDNs”) under the Magnitsky Act on December 20, 2017 and under the Global Magnitsky Act on December 21, 2017.

The Global Magnitsky Act authorizes the President to impose sanctions on any party (individual or entity) who:

  • is responsible for extrajudicial killings, torture, or other gross violations of internationally recognized human rights committed against individuals in any non-US country seeking to expose illegal activity carried out by government officials, or to obtain, exercise, or promote human rights and freedoms;
  • acted as an agent of or on behalf of a non-US person in such activities;
  • is a government official, or a senior associate of such an official, that is responsible for, or complicit in, ordering, controlling, or otherwise directing, acts of significant corruption, including the expropriation of private or public assets for personal gain, corruption related to government contracts or the extraction of natural resources, bribery, or the facilitation or transfer of the proceeds of corruption to non-US jurisdictions; or
  • has materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, such activities.

OFAC designated 52 parties (15 individuals and 37 entities) as SDNs pursuant to the Global Magnitsky Act and the Order. This includes parties in a number of countries, including, among others, The Gambia, South Sudan, Russia, Nicaragua, China, Pakistan, Democratic Republic of the Congo, Dominican Republic, Uzbekistan, and Ukraine. These are the first designations under the Global Magnitsky Act. OFAC has issued new FAQs regarding the Order and these designations.

Though both the Global Magnitsky Act and the Magnitsky Act provide OFAC with the authority to designate SDNs, they are different statutes. The Magnitsky Act targets parties for certain actions related to the death of Russian lawyer Sergei Magnitsky, who died in 2009 after being arrested and tortured in custody by officers of the Russian government, or for involvement in human rights violations in Russia more generally. By contrast, the Global Magnitsky Act targets parties involved not only in human rights violations but also corruption and applies globally, not only to activities related to Russia. Our previous blog post about the Magnitsky Act-related sanctions can be found here. On December 20, 2017, OFAC designated five individuals in Russia under the Magnitsky Act and announced the issuance of the Magnitsky Act Sanctions Regulations, which were published on December 21, 2017.

As a result of the OFAC designations, all of the property and interests in property within US jurisdiction of the designated individuals and entities are blocked, and “US Persons” are generally prohibited from engaging in transactions with these SDNs and any entities 50% or more owned by these SDNs.  “US Persons” include (i) entities organized under US laws and their non-US branches, (ii) individuals or entities in the United States, or (iii) US citizens or permanent resident aliens (“Green Card” holders) wherever located or employed.  Non-US Persons, including separately incorporated non-US subsidiaries of US companies, may be subject to US jurisdiction if they cause any SDN-related transactions to occur in whole or in part in the United States.

The post US Government Implements the Global Magnitsky Act and Publishes Magnitsky Act Sanctions Regulations and Related Designations appeared first on Global Compliance News.

Brazil publishes new resolution on Politically Exposed Persons

The Brazilian Control Council for Financial Activities (COAF) published on December 9 a new resolution on Politically Exposed Persons (PEP). Resolution No. 29/2017 will enter into force within 90 days after its publication, revoking the previous resolution regarding the matter (Resolution No. 16/2007).

The new resolution foresees the expansion of the list of people defined as PEP, including mayors from all cities (the previous resolution considered only the mayors of capitals as PEPs), councilors (previously limited to the president of the city council), state representatives, national presidents and treasurers, or equivalent, of political parties, presidents of courts and councils of municipal auditors, among others.

The resolution also stipulates that COAF-regulated persons should dedicate special attention to family members to the second degree, as well as “closest collaborators” who have a straight connection of  public knowledge with a politically exposed person, or have business partnership or arrangement, or that participate in legal entities for the benefit of a PEP.

With the new resolution, COAF aims to change the approach to money laundering risk, focusing on operations rather than on individuals.

The post Brazil publishes new resolution on Politically Exposed Persons appeared first on Global Compliance News.

Latest Developments on the Qatar Diplomatic Crisis

The political and economic boycott of Qatar, which began on 5 June 2017 when Saudi Arabia, the United Arab Emirates, Bahrain and Egypt cut diplomatic ties with Qatar and moved to close off access to the Gulf country, continue to have a significant impact on international trade in the Middle East.  The indications are that the dispute is unlikely to be resolved in the short term and will continue to be even more disruptive. Businesses with a nexus to Qatar will have to take a commercial decision on whether their operations are viable as they stand and are sustainable going forward. Practical observations that we have witnessed over the past few months are set out in our most recent alert, highlighting the impact in respect of:

  • the supply of goods;
  • the movement of people;
  • finance;
  • contractual disputes; and
  • US Anti-boycott laws and international claims.

Please click here to see the full December 2017 Overview alert. The situation is dynamic and continues to evolve, and we will continue to monitor developments and provide updates from time to time. You can read our previous alerts on the Qatar Diplomatic Crisis on our dedicated website: http://www.bakermckenzie.com/en/insight/publications/2017/07/qatar-diplomatic-crisis

  1. 8 June 2017 l Update: Qatar Diplomatic Crisis – How it may impact you
  2. 12 June 2017 l Update: Qatar Diplomatic Crisis – How it may impact you in Saudi Arabia, the UAE and Egypt
  3. 13 July 2017 l Update: Qatar Diplomatic Crisis – The Continuing Impact
  4. 19 July 2017 l Qatar Diplomatic Crisis Webinar – Navigating the uncertainty of doing business with Qatar

The post Latest Developments on the Qatar Diplomatic Crisis appeared first on Global Compliance News.

EU agrees six-month extension to Russia sectoral sanctions

European Union Leaders have collectively agreed to extend economic sanctions against Russia until July 2018. These measures target the financial, energy and defence industries and would have otherwise expired at the end of January 2018. Angela Merkel has said that the European Union Leaders have prevented an escalation, but do not consider that enough progress has been made to remove the current sanctions. The EU, along with the United States, initially imposed these sanctions in the summer of 2014 over Moscow’s actions in Ukraine and these have been extended every 6 months since then. The sanctions are due for a further renewal in July 2018.

The post EU agrees six-month extension to Russia sectoral sanctions appeared first on Global Compliance News.

Australia: Whistleblowing and Foreign Bribery Bills introduced into Senate

The Australian Government has introduced two new Bills into the Senate on the last sitting week of 2017 which, if passed, will increase companies’ corporate compliance requirements. Although we will not know the final form of this legislation until next year, companies should anticipate there will be a need to update policies, review their procedures and run additional training for their staff and agents and plan accordingly.

A key aspect of the Crimes Legislation Amendment (Combatting Corporate Crime) Bill 2017 (Corporate Crime Bill) is the introduction of an offence of corporate criminal liability in relation to foreign bribery unless a company can establish that it had “adequate procedures” in place to prevent such misconduct. Although there is no Australian guidance available yet in relation to what will constitute “adequate procedures,” there have been some developments overseas which will assist companies to begin devising their procedures.

In relation to the Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2017 (the Whistleblowing Bill) legal and compliance teams should be communicating with their HR teams to consider the practical implications of the new regime on running internal investigations, particularly where whistleblowers would, under the proposed legislation, be permitted to make reports anonymously and still be entitled to the protections set out in the proposed legislation.

Corporate Crime Bill

The Corporate Crime Bill:

  • expands and clarifies the scope of Australia’s foreign bribery offences (including relating to the scope of what will constitute bribery, the intention behind illegitimate payments or offers of payments, and what matters a court should and should not take into account when determining if an offence is made out);
  • introduces the offence of corporate criminal liability in relation to foreign bribery unless the company can establish that it had “adequate procedures” in place; and
  • introduces a proposed Deferred Prosecution Agreement Scheme (DPA) which would apply not only to foreign bribery but also bribery of Commonwealth public officials and other identified Commonwealth crimes.

These proposed changes were discussed in our April 2017 alert, although one significant change is that the Corporate Crime Bill no longer seeks to introduce a separate foreign bribery offence based on reckless behaviour.

In relation to the “adequate procedures offence” the Explanatory Memorandum states:

“What constitutes ‘adequate procedures’ would be determined by the courts on a case by case basis. It is envisaged that this concept would be scalable, depending on the relevant circumstance including the size and nature of the body corporate. As noted below, proposed new section 70.5B also provides that the Minister must publish guidance on the steps that body corporates can take to prevent an associate from bribing foreign public officials.”

Whilst we wait for guidance from the Minister in relation to this defence, there are a number of overseas sources companies can consult when devising their compliance programs. The most widely-known guidelines are the UK Ministry of Justice’s Guidance to help commercial organisations prevent bribery and the US Department of Justice’s Evaluation of Corporate Compliance Programs (discussed by our US colleagues here). Additionally, the US Department of Justice’s recently-issued FCPA Corporate Enforcement Policy contains details about how it will evaluate companies’ compliance programs. While that Policy indicates that the criteria will vary based on the size and resources of each organisation, it also includes examples of some of the elements that may be considered, including the effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment, the company’s culture of compliance, and the resources the company has dedicated to compliance.

Other countries have also introduced similar provisions which may be utilised by the Minister in preparing the Australian guidance. For example, in 2015, Spain introduced amendments to its Criminal Code exempting companies from criminal liability if employees or officers of a company engage in criminal conduct in breach of a compliance program in circumstances where the company has implemented a compliance program that meets Spanish legal requirements, and the supervision of the compliance program was entrusted to an independent body or individual (the “Compliance Body”) which has not neglected its duties of supervision, oversight or control. Similar to the UK guidance, the Spanish guidance (discussed by our US and Spanish colleagues here) identifies risk mapping or risk assessment as the initial step in setting up a corporate compliance program.

While waiting for the Australian guidance, conducting a risk assessment has business and compliance benefits for companies that go beyond the desire to protect against potential corporate criminal liability, and would be a practical first step for companies to take at this stage.

Whistleblowing Bill

On 7 December 2017 the Whistleblowing Bill was introduced in the Senate which, if enacted, will consolidate and expand the existing private sector whistleblowing regime in Australia. The Whistleblowing Bill follows the Report by the Parliamentary Joint Committee on Corporations and Financial Services (discussed in our September 2017 alert) but does not include all of the Report’s recommendations, such as a monetary reward scheme for whistleblowers. Some of those recommendations are still being considered and may be introduced at a later stage. The Whistleblowing Bill strengthens protections for private sector whistleblowers by creating corresponding requirements for companies. In particular:

  • by 1 January 2019, all public companies will be required to have an internal whistleblower policy. “Large proprietary companies” (as defined in the Corporations Act 2001) and proprietary companies that are trustees of registrable superannuation entities will have a longer period to comply with this requirement;
  • from 1 July 2018, all eligible recipients of qualifying disclosures from eligible whistleblowers will, where such confidentiality is sought and unless subject to exceptions outlined in the Bill, be required to protect from disclosure the identity of the discloser and information that is likely to lead to the identification of the discloser; and
  • from 1 July 2018, all regulated entities receiving qualifying disclosures from eligible whistleblowers will be required to protect eligible whistleblowers from retaliation. Unlike the existing whistleblower protections under the Corporations Act 2001, there is no requirement for whistleblowers to identify themselves in order to receive those protections.

Our experience working with clients in jurisdictions that have implemented similar regimes is that such changes have the capacity to assist companies to investigate and internally remediate  issues before employees decide to take their concerns to a regulator or the media.

However, the challenge for companies will be to ensure that their policies and procedures are not only consistent with the new regime’s requirements but also that they work with companies’ existing procedures in relation to undertaking investigations and disciplinary measures.

To ensure the company can respond quickly and effectively when potential issues arise, companies need to encourage and make it simple for whistleblowers to disclose their concerns to the company at first instance, and not to regulators so that the company can control any such disclosure. They also need to ensure that their procedures allow whistleblowing complaints to be investigated promptly, particularly as under the proposed Whistleblowing Bill, a whistleblower would be entitled to take their report to the media if, after a “reasonable period” following their internal report, the whistleblower has “reasonable grounds to believe that there is an imminent risk of serious harm or danger to public health or safety, or to the financial system” if the information they disclosed is not acted on immediately.

Next steps

Although companies that already have robust whistleblowing and anti-corruption policies and associated procedures may wish to wait to see the final legislation before making any adaptations to their compliance programme, companies that do not already have an effective regime in place should consider developing and implementing one now. The legislative requirements are unlikely to alter significantly, and even without the legislative requirements, these are measures that can mitigate a company’s risk of reputational damage, regulatory enforcement and litigation. When establishing effective and risk-based corporate compliance programs, companies can consider Baker McKenzie’s distillation of guidance from several jurisdictions into a framework of 5 Essential Elements of Corporate Compliance: Leadership, Risk Assessment, Standards and Controls, Training, and Oversight. For those companies uncertain of where to start the process, a risk assessment or risk-mapping exercise is usually the most effective first step, and we can offer templates and guidance in relation to that process.

The post Australia: Whistleblowing and Foreign Bribery Bills introduced into Senate appeared first on Global Compliance News.

Pharmaceutical Sector in Malaysia under Market Review of the Malaysian Competition Commission

The Malaysian Competition Commission (“MyCC“) has commissioned Third World Network (“TWN“), an independent non-profit international research and advocacy organisation, to conduct a market review on the pharmaceutical sector in Malaysia (the “Review“). The market review is being conducted by the MyCC pursuant to powers under Chapter 3 of the Competition Act 2010 (“MCA“).

The Review is being commissioned with a view to determining the pharmaceutical sector’s market profile and TWN has examined industry issues such as:

  •  market structure and supply chain issues;
  •  the level of competition among players at different levels of the supply chain;
  •  identification of anti-competitive practices; and
  •  whether governmental intervention in the industry would be necessary.

As part of the Review, TWN has prepared a draft final report on the outcome of the Review. The draft is currently available on MyCC’s website (http://www.mycc.gov.my/market-review-on-pharmaceutical-sector).

The draft report has identified certain potential anti-competitive conduct including:

  • the use of patent strategies and product life-cycle management measures to maintain dominance and delay the entry of generic medicines;
  •  intervention before regulators which determine marketing authorization;
  •  pricing and reimbursement of generic products and price discrimination.

TWN has recommended that the Malaysian government take action to revise existing regulations and policies which it believes facilitates anti-competitive conduct. Among other measures, TWN has suggested the regulation of mark-ups in the distribution chain and the introduction of rules to ensure increased transparency in pricing policies of industry players.

Pharmaceutical companies and other relevant stakeholders should take this opportunity to provide feedback especially if there are any discrepancies or inaccuracies in the draft report. MyCC has set a deadline of 9 am on 7 December 2017 for the submission of feedback.

The finalised report, which will be issued after the public feedback sessions, may ultimately be used by the MyCC as the basis for its analysis and findings of anti-competitive practices by pharmaceutical companies in Malaysia.

The post Pharmaceutical Sector in Malaysia under Market Review of the Malaysian Competition Commission appeared first on Global Compliance News.

Steps to Liberalize Uzbekistan’s Export – Import Regime

The President of Uzbekistan, Shavkat Mirziyoyev has signed two decrees intended to liberalize the country’s export and import regime:

  • the Foreign Trade Decree1 which will become effective 1 December 2017, and
  • the Export-Import Contract Decree,2 which became effective on 10 November 2017 (together, the Decrees).

The Decrees represent a further step towards liberalization of Uzbekistan’s economy following the President’s earlier measures to improve the country’s currency regime.3

The principal provisions of the Decrees are summarized below.

Foreign Trade Decree Relief from Payment Security Requirement

Uzbek companies wishing to export goods and services previously were required to obtain from the purchaser one of several types of security for payment of the purchase price: an advance payment, a letter of credit, a bank guarantee or an export insurance policy. Failure to obtain such security would subject the Uzbek exporter to investigation by Uzbek authorities under the applicable currency monitoring regulations, resulting in sanctions for any breaches discovered.4

The Foreign Trade Decree eliminates the payment security requirement for most types of goods and services, provided that the Uzbek exporter has no overdue receivables under previous export operations. The payment security requirement, however, continues to apply to the export of fresh fruits and vegetables and certain other products listed in the Foreign Trade Decree.

Export without an Export Contract

The Foreign Trade Decree states that Uzbek companies will be entitled to export goods (except fresh produce) and services without an export contract, on the basis of an invoice, provided that the following conditions are met: (i) the export operation is reflected in the Unified Electronic System5 for currency control purposes, and (ii) 100% prepayment is received in the Uzbek bank account of the exporter. The previous legislation required a contract for all export operations.

Unification of Currency Repatriation Period

Like most countries of the former Soviet Union, Uzbekistan requires exporters to ensure that proceeds from their export operations be received in Uzbekistan within a certain period of time. Such time period was variable and ranged from 60 days to 180 days, depending on the circumstances of the export operation.

The Foreign Trade Decree, while retaining the requirement that exporters must ensure that the export proceeds are repatriated to Uzbekistan, abolishes the variable time periods for repatriation and instead provides for a unified, 120-day term for all export operations, with limited exceptions.

Following expiration of the 120-day term an exporter will be deemed to have overdue receivables in which case it may be subject to financial sanctions (generally ranging from 10% to 70% of the export proceeds that were not repatriated to Uzbekistan).

The Foreign Trade Decree clarifies that the 120-day period will be suspended in case of force-majeure events. Also, if the exporter receives compensation for any loss under an insurance policy, the amount of overdue receivables will be reduced by the amount of compensation for purposes of calculating the financial sanctions on the exporter.

Other Relief for Exporters and Importers

The Foreign Trade Decree also provides for the following relief and exemptions in respect of export and import operations:

  • re-export of goods previously imported into Uzbekistan under the “temporary import” regime no longer requires permission from the Uzbek customs authorities;
  • importers are no longer obligated to submit to the customs authorities an export cargo customs declaration in order to confirm the customs value of goods imported into Uzbekistan with customs exemptions and benefits; and
  • export customs clearance of products (except types of fresh produce indicated in the decree) may be carried out without obtaining a certificate on payments from the Unified Electronic System; similarly,no certificate from the Unified Electronic System is required for customs clearance of products exported based upon an invoice, without an export contract (see Export without an Export Contract above).
Export-Import Contract Decree

The Export-Import Contract Decree states that licensing of export and import of certain products (listed in the decree) should be carried out by the Cabinet of Ministers of Uzbekistan. Previously, the Ministry of Foreign Trade licensed such operations.

Under the decree, the Ministry of Foreign Trade will be responsible for registration (not licensing) of export contracts (except contracts made on a stock exchange) (a) made pursuant to the decision of the Government of Uzbekistan or intergovernmental treaties, and (b) for goods and services indicated in the decree.

In addition, the decree authorizes the State Committee for Investments to carry out an examination of certain import contracts financed out of the proceeds of the state budget or state-controlled companies.

1 Decree of the President of the Republic of Uzbekistan On Measures of Further Liberalization of Foreign Trade Activity and Support of Subjects of Entrepreneurship dated 3 November 2017 (the Foreign Trade Decree).
2 Decree of the President of the Republic of Uzbekistan On Measures to Streamline Licensing of Export and Import of Specific Goods and Registration of Export Contracts and Examination of Import Contracts dated 3 November 2017 (the Decree on Export-Import Contracts).
3 See Baker McKenzie’s Legal Alert Steps to Liberalize Uzbekistan’s Currency Regime dated 15 September 2017.
4 Clause 24 of Regulations On Procedure of Carrying Out Monitoring of Foreign Trade Operations approved by the Cabinet of Ministers of Uzbekistan on 30 September 2003 No. 416.
5 The Unified Electronic Information System of Foreign Trade Operations (the Unified Electronic System) is a centralized electronic system used by the Central Bank of Uzbekistan, local commercial banks and Uzbek authorities to monitor foreign trade operations.

The post Steps to Liberalize Uzbekistan’s Export – Import Regime appeared first on Global Compliance News.

Pharmaceutical Sector in Malaysia under Market Review of the Malaysian Competition Commission

The Malaysian Competition Commission (MyCC) has commissioned Third World Network (TWN), an independent non-profit international research and advocacy organisation, to conduct a market review on the pharmaceutical sector in Malaysia (the Review). The market review is being conducted by the MyCC pursuant to powers under Chapter 3 of the Competition Act 2010 (MCA).

The Review is being commissioned with a view to determining the pharmaceutical sector’s market profile and TWN has examined industry issues such as:

  • market structure and supply chain issues;
  • the level of competition among players at different levels of the supply chain;
  • identification of anti-competitive practices; and
  • whether governmental intervention in the industry would be necessary.

As part of the Review, TWN has prepared a draft final report on the outcome of the Review. The draft is currently available on MyCC’s website.

The draft report has identified certain potential anti-competitive conduct including:

  • the use of patent strategies and product life-cycle management measures to maintain dominance and delay the entry of generic medicines;
  • intervention before regulators which determine marketing authorization;
  • pricing and reimbursement of generic products and price discrimination.

TWN has recommended that the Malaysian government take action to revise existing regulations and policies which it believes facilitates anti-competitive conduct. Among other measures, TWN has suggested the regulation of mark-ups in the distribution chain and the introduction of rules to ensure increased transparency in pricing policies of industry players.

Pharmaceutical companies and other relevant stakeholders should take this opportunity to provide feedback especially if there are any discrepancies or inaccuracies in the draft report. MyCC has set a deadline of 9 am on 7 December 2017 for the submission of feedback.

The finalised report, which will be issued after the public feedback sessions, may ultimately be used by the MyCC as the basis for its analysis and findings of anti-competitive practices by pharmaceutical companies in Malaysia.

The post Pharmaceutical Sector in Malaysia under Market Review of the Malaysian Competition Commission appeared first on Global Compliance News.

Brazil: New mandatory compliance programs between companies and Rio de Janeiro State

The Rio de Janeiro State Government published Law nº 7753/17, determining that companies entering into contracts with the public administration of the state of Rio de Janeiro, directly or indirectly, will be mandated to have an Integrity Program (or “compliance program”) implemented.

Unlike the Brazilian Anti-Bribery Law (Law 12.846/13), which establishes the existence of a compliance program only as a factor to be considered when applying sanctions, the state law makes it mandatory for companies that contract with the State Government of Rio de Janeiro. It also establishes a fine for companies which enter into contracts with the state and do not have an implemented compliance program.

The law sets forth that its goal is to protect the public administration from irregularities, guarantee that the contracts are executed in compliance with the applicable laws, minimize risks, bring more transparency to contracts and improve the quality of contractual relations.

The Law’s Main Provisions Who is subject to the law

The law mandates the existence of a compliance program in companies which enter into contracts, partnerships, concessions, or public-private partnerships, with the public administration of the state of Rio de Janeiro, in amounts higher than the legal threshold for the public tender category of competitive tender: R$ 1,500,000.00 (one million and five hundred thousand Reais) for construction and engineering services and R$ 650,000.00 (six hundred and fifty thousand Reais) for purchases and services, even in the electronic reverse auction category, and for contract terms equal to or over 180 days.

Following the Brazilian Anti-Bribery Law, the State Law sets forth that it is applicable to:

  • Business organizations and sole proprietorships, incorporated or not, regardless of the type of organization or the corporate model adopted.
  • Foundations, associations of entities or persons.
  • Foreign companies with headquarters, branch or representation in the Brazilian territory,incorporated legally or not, even if temporarily.

The State Law also establishes the liability of the legal entity in the event of amendments to the articles of association, transformations, merger, acquisition or a spin-off of the company. Successor companies will also be subject to the law and to the penalties set forth in it.

Implementation of the Compliance Program

The State Law sets forth that companies must implement their compliance program within 180 days from the day the company entered into a contract with the Public Administration. Companies which already have a compliance program in place must present a certification of its existence at the time of the contract’s execution.

Compliance Program Parameters

The law establishes that the compliance program has to be structured according to the characteristics of each legal entity, taking into consideration the risks related to its activities – that is, merely having a compliance program will not be enough, as it must meet the needs and realities of each company.

The Article 4 of the law has sixteen items which sets forth the evaluation parameters for the compliance programs, including almost all of the parameters already established on Decree n.8.420/15, which regulates the Brazilian Anti-Bribery Law.

Whilst the Decree establishes as a parameter the company’s transparency when making political donations, in a context in which political donations by companies were still permitted, the State Law excluded this and included as an evaluation parameters any actions from companies that promote its compliance culture.

The parameters for the evaluation of compliance programs are:

I. commitment of the legal entity’s senior management, includ ing board members, demonstrated by clear and unequivocal support for the program;

II. standards of conduct, code of ethics, policies, and integrity procedures that are applied to all employees and administrators, regardless of their position or role;

III. standards of conduct, code of ethics and integrity policies that are extended, when necessary, to third parties, such as suppliers, service providers, intermediaries, and other associates;

IV. periodic training on the integrity program;

V. periodic analysis of risks in order to implement necessary adjustments to the integrity program;

VI. accounting records that precisely and completely reflect the transactions of the legal entity;

VII. internal controls that assure that reports and financial statements of the legal entity are readily prepared and trustworthy;

VIII. specific procedures to prevent frauds and illicit acts within tender processes, in the execution of administrative contracts or in any interaction with the public sector, even if intermediated by third parties, such as the payment of taxes, subjection to inspections, or obtainment of authorizations, licenses, permits and certificates;

IX. independence, in structure and authority, of the internal department that is responsible for enforcing the integrity program and monitoring its compliance;

X. channels to report irregularities openly and broadly disseminated among employees and third parties, and mechanisms to protect good faith whistleblowers;

XI. disciplinary measures enforced against those found to have violated the integrity program;

XII. procedures that assure the immediate suspension of irregularities or detected infractions and the timely remediation of the damages caused;

XIII. proper due diligence conducted prior to engage, and depending on the circumstances, to monitor third parties, such as suppliers, service providers, intermediaries, and other associates;

XIV. verification, during a merger, acquisition, or other corporate restructuring, of the occurrence of irregularities or illicit acts, or the existence of vulnerabilities in the legal entities involved;

XV. continuous monitoring of the integrity program to ensure it remains effective at preventing, detecting and otherwise addressing the wrongful acts set forth in article 5 of the Anticorruption Law; and

XVI. proven actions which promotes ethical and integrity culture through lectures, seminars, workshops, debates and events of similar nature.

Sanctions

Companies that enter into contracts with Rio de Janeiro’s State Government and do not have a compliance program will be subject to a fine of 0,02% on the amount of their contract per day, being limited to 10% on the amount of the contract.

The implementation of a compliance program interrupts the incidence of fines, but fines that were already imposed will not be refunded.

The non-existence of a compliance program during the term of the contract will entail the prohibition of the company to enter into contracts with the State of Rio de Janeiro until a compliance program is implemented.

How to prepare

When the Brazilian Anti-Corruption Law (E-Alert) and Decree 8.420/15 (E-Alert) were approved, we published Legal Alerts suggesting measures to be taken by companies to be prepared.

The new law makes it mandatory for companies that wish to enter into contracts with the Government of the State of Rio de Janeiro to have a compliance program in place. Compliance programs are essential for companies to prevent and detect potential misconducts (also allowing the company to decide on the convenience of making a voluntary report to the authorities), as well as to mitigate possible sanctions, based on the Brazilian Anti-Bribery Law.

Compliance programs must be created and reviewed regularly, based on the main areas of risks that companies can be subject to, which will vary depending on the size of the company, the amount and nature of the business transactions, the place where the company conducts its activities and business and risk perception. However, it is not enough to merely have a compliance program and review it. It is very important that the compliance program is “tailor-made” so that it is adequate to prevent and mitigate risks considering the company’s day to day.

Additionally, under the law it is important to note that even companies with a robust complianceprogram must re-evaluate it and update it, when necessary, considering the parameters set by the law. Such parameters were mostly already listed in the Decree that regulates the Brazilian Anti-Bribery Law, and they bring some specific points which are not always part of previously established compliance programs.

 

The post Brazil: New mandatory compliance programs between companies and Rio de Janeiro State appeared first on Global Compliance News.

EU: Corporate group companies tendering separately in public tenders may need to prove absence of collusion

In an opinion issued on 22 November 2017, EU-Advocate General Manuel Campos Sánchez-Bordona confirmed that the EU competition law provisions do not apply to companies that are part of the same corporate group. However, in case those companies submit separate bids in a public tender, the contracting authority might have to seek assurances from those companies that their simultaneous participation in the public tendering process were not to jeopardize the free and fair competition between all tenderers.

The Advocate General’s opinion was released in relation to a case currently heard by the EU Court of Justice (Case C-531/16 – Ecoservice projektai UAB). The case arose from a dispute in Lithuania over a local waste-disposal tender. While two companies of the same corporate group had submitted separate bids, this was challenged by a subsequently unsuccessful bidder, claiming that the two group companies infringed public procurement and competition rules by submitting separate bids. In the course of the national proceedings, the Lithuanian court referred to the EU Court of Justice the question of whether the free movement of persons and services (Articles 45 and 56 TFEU), the principles of equality of tenderers and of transparency (Article 2 of Directive 2004/18) and the principle of free and fair competition meant that related tenderers submitting separate bids in a public tender were under a duty to disclose the corporate links between them to the contracting authority, irrespective of whether or not the national laws provided for such a duty.

In its opinion, the Advocate General first confirmed that two companies belonging to the same corporate group may not be prevented from submitting separate bids in the same tendering procedure. In addition, the Advocate General found that none of the EU laws referred to by the Lithuanian court could be interpreted in such a way as to oblige related tenderers to disclose their corporate links to the contracting authority.

However, according to the Advocate General, the contracting authority itself might be under a duty to ask related tenderers to provide evidence that their situation does not run counter to the principle of competition. Even though, the Advocate General confirmed that the EU competition law provisions as enshrined in Article 101 TFEU do not apply to companies of the same corporate group, this fact did not absolve the contracting authority of the need to ensure a truly competitive process operating in procedures for the award of public contracts. Where related companies simultaneously participated in a public tender, the Advocate General found that the suspicion might arise that these companies acted in a coordinated or even collusive way to the detriment of such competitive process. As a consequence, he concluded that it was for the contracting authority to ensure that the simultaneous participation of related companies were not to jeopardize the free and fair competition between tenderers.

It follows from this that, at least where the contracting authority is aware of the fact that two or more tenderers from the same corporate group participate in the tender process, it has to play an active role in ensuring that their tenders are separate and genuinely different. In case, based on the evidence available in the procedure, the contracting authority harbors doubts that the simultaneous participation of those tenderers might undermine transparency and distort competition within the tendering process, the authority will be obliged to request from those tenderers all information it considers necessary to assess the situation. If the authority does not comply with this duty, tenderers losing out may then well have grounds to attack the authority’s decision before national courts.

Advocate Generals are members of the EU Court of Justice who provide legally non-binding opinions on cases prior to the final ruling of the Court. In the past, the Court’s judgments frequently followed the opinions of the Advocate Generals, however. The EU Court of Justice will issue its final ruling in the Lithuanian case in the upcoming months.

The post EU: Corporate group companies tendering separately in public tenders may need to prove absence of collusion appeared first on Global Compliance News.

Ireland: What Now For Mandatory Reporting of White Collar Offences?

Section 19 of the Criminal Justice Act 2011 sets out the offence of “withholding information” and with it widespread mandatory reporting obligations in respect of many white collar offences with consequent liabilities for failure to do so. However, the constitutionality of aspects of the provision must now be in question given a recent High Court judgment.

Section 19(1) provides that:

“A person shall be guilty of an offence if he or she has information which he or she knows or believes might be of material assistance in –

a) preventing the commission by any other person of a relevant offence, or

b) securing the apprehension, prosecution or conviction of any other person for a relevant offence, and fails without reasonable excuse to disclose that information as soon as it is practicable to do so to a member of the Garda Síochána.”

The maximum penalty for the offence of withholding information is an unlimited fine and imprisonment for up to 5 years or both.

This provision was introduced to facilitate the investigation of white collar offences generally. While the bulk of the crimes to which section 19 applies are related to the provision of financial services, the scope of the obligation is not limited and extends to areas such as company law; money laundering and terrorism; theft and fraud; bribery and corruption; consumer protection; criminal damage to property, including information systems; and competition.

However, in the recent judgment of Sweeney v Ireland1, the High Court has upheld a challenge to the constitutionality of another offence of withholding information, namely, section 9(1)(b) of the Offences Against the State (Amendment) Act 1998 (“1998 Act”). That offence is in almost identical terms to section 19(1)(b) of the Criminal Justice Act 2011.2

In that case, Mr Sweeney was questioned in relation to a murder in which he was originally a suspect. He was not charged in relation to that murder but now faced prosecution for failing to disclose, without reasonable excuse, information which he knew or believed might be of material assistance in securing the apprehension, prosecution or conviction of another person for the offence. He had never been informed that his failure to respond to questioning could lead to an alternative charge being levied under section 9(1)(b) of the 1998 Act.

He argued that the section 9(1)(b) offence breached his constitutional right to silence and had the effect that an accused might be prosecuted for exercising this right. He also argued that the offence was impermissibly and unconstitutionally vague and uncertain.

Baker J agreed. She observed that, in essence, the provision made silence of itself an offence. She said that the dilemma created by the offence was apparent. A suspect must be told of the right to remain silent but there was no statutory or regulatory requirement that he also be told that by exercising that right, a crime might then be committed under section 9(1)(b).

There was also no provision for a person to be advised that he had a right to obtain legal advice. Thus, a person might not know that there was a real risk that the exercise of the established right to remain silent, of which he was expressly required to be informed, could result in this separate prosecution. The legislation did not temper or modify the way in which questioning could occur. There was nothing to advise a person as to the possible effect of section 9(1)(b) where the evidence might be either wholly or partially related to a time when the accused was himself a suspect and under questioning.

Section 9(1)(b) provided that silence in itself could form the basis of a conviction, and the section did not permit a nuanced or careful approach by the trial judge with regard to whether the fact of that silence once accepted could lead to conviction. The prosecution of a person under the provisions of section 9(1)(b) did not engage questions of the admissibility of evidence, or of the weight of such evidence. A person could not legitimately challenge the admissibility of evidence of the fact that he remained silent. There was no structure for protection of an accused.

Baker J also held that whilst section 9(1)(b) required that the information concerned be of objectively material assistance and the essential mens rea in the offence meant that the offence was committed only when the accused person knew or believed the information might be of material assistance, the offence was impermissibly uncertain as, in the absence of statutory protection, it could result in a person being unable to discern the relationship between the right to remain silent and the consequences of so doing.

Comment

The criticisms of section 9(1)(b) of the 1998 Act are equally applicable to section 19 of the Criminal Justice Act 2011. However, it is likely the State will appeal this decision. In the meantime, uncertainty will remain as to the legal effectiveness of section 19 on mandatory reporting of white collar crime.

  1. Sweeney v Ireland [2017] IEHC 702
  2. The formulation of the substantive withholding offence differs only by reference to the potential range of offences within scope.

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

The post Ireland: What Now For Mandatory Reporting of White Collar Offences? appeared first on Global Compliance News.

Baker McKenzie releases Global Corporate Liability Handbook

Building on the success of 2016’s “EMEA Corporate Liability Handbook,” we are pleased to present you with the first Global Corporate Liability Handbook that collates and describes in detail the corporate liability and corporate crime regimes of countries in Asia, EMEA and the Americas. With increased enforcement, international regulatory cooperation, economic activity on a global scale, and countries such as China and France passing their own laws, we felt that a global overview of the laws that affect corporations and their employees was both timely and required.

Corporate liability can be established and sanctioned at various levels — criminal, quasi-criminal (administrative) and civil — and be associated or derive from the liability of individuals who have acted in the name or on behalf of the company. Likewise, corporate liability can be established as an independent law violation or even as a crime, regardless of the commission of a separate crime by the individual.

In addition, corporate liability is a growing threat to the reputation, profit and business image of global corporations. The adoption of adequate measures to prevent corporate liability has progressively become a legal and ethical duty, similar to corporate social responsibility, which corporations are expected to assume for the benefit of their stakeholders, customers and employees.

In our Handbook, you will find detailed descriptions of the nature of liability in various jurisdictions, the consequences of breach by a company of the relevant legal provisions, and the remedies and measures that a company can adopt to limit or even exclude such liability. We have also addressed corporate liability in multinational groups and the basis for the extension of the liability to the ultimate parent company.

Follow this link to explore our brand new handbook.

The post Baker McKenzie releases Global Corporate Liability Handbook appeared first on Global Compliance News.

Pages

HKLPA (@the_hklpa) Tweets

RT @mikevolkov20: Episode 14 - What Every Compliance Officer Needs to Know About Data Privacy and the EU's GDPR - Corruption, Crime &… https://t.co/iZMjIPsBhs 3 weeks 16 hours ago
RT @ComplianceXprts: What You Need To Know About Auditing And Risk Management In The Transport Industry https://t.co/IuMnS7mtgd 1 month 1 day ago
RT @EthicalSystems: Our 2017 End of Year Letter from @JonHaidt and @azishf https://t.co/ukjVe2Lqti "This is the time for the business… https://t.co/jUSNcY4gco 1 month 3 days ago
RT @ComplianceXprts: Inspection of Facilities and Sporting Venues - Due Diligence https://t.co/uKa3rYTJX0 https://t.co/EBXi6aBsW5 1 month 3 days ago
RT @ComplianceXprts: 14 Essentials For Your Compliance Management System https://t.co/FcQa8nRGWm https://t.co/Ru1oVnJelN 1 month 2 weeks ago
RT @ComplianceXprts: Our focus is on what people don't want to do. #ce https://t.co/H8vN1euuAr 1 month 2 weeks ago
RT @mikevolkov20: ISO 37001: Board, Top Management and Anti-Bribery Compliance Responsibilities (Part III of V) - https://t.co/WyuoQi5RS3 3 months 6 days ago
RT @RSAFraud: 1 in 4 retailers state loyalty #fraud is one of the most detrimental threats to their e-commerce business… https://t.co/jfkD0QFcRW 4 months 11 hours ago
RT @ComplianceXprts: FTAs, Risk Management and The Transport Industry #riskmanagement https://t.co/zLp4vMSNno 4 months 11 hours ago
RT @ComplianceXprts: How To Navigate Audit Road Blocks : Part II Avoid Challenges To The Audit Scope https://t.co/JBDaI1gyEM 4 months 6 days ago