Trade security Journal - Economic Laws Practice
Trade Security Journal
Issue 9, September 2018

On the cover:
• KYC: a process ripe for automation
• New anti-corruption legislation to impact corporates in Ireland
• Talking trade security with the founder of China Labor Watch
• How to address human rights risks in supply chains: new research
• A guide to US data protection
• Understanding India’s offset policy
IN THIS ISSUE
Issue 9, September 2018

FROM THE EDITOR

As we head into deep summer, there is (if this latest iteration of the Trade Security Journal is to be believed) no letting up in the world of compliance. These pages reveal that regulation and enforcement remain vigorously promulgated and enforced (if not always and everywhere with the same energy, conviction or capacity) – and that new frontiers of technology create their own challenges.

All readers will be aware of the growing focus on human rights issues attached to supply chains. In this and recent issues, we can see that this is a truly global development.

Meanwhile, Gil Rosen’s article on Israel’s data protection regime is a reminder that while there are few in the world who aren’t GDPR-aware, other jurisdictions also possess laws that must be respected and articles from Canada and Russia and the UK prove – if proof was ever needed – that CFIUS isn’t the only national security regime in play…

BREXIT, elusive though it may be, is everywhere at the moment. But as our interviewee Caroline Barraclough explains, it has put wider supply chain issues in the limelight in a way that they haven’t hitherto enjoyed. Given their increasingly mind-boggling complexity, that, perhaps is at least one good thing to have emerged from the triggering of Article 50?

Tom Blass
July 2018

CONTENTS

News round-up
• California’s data privacy clampdown: what it means for businesses
• India’s corruption law a ‘game-changer’
• G20 aims for October deadline on crypto anti-money laundering standard
• Uber appoints first data protection and privacy chiefs
• Singapore data breach hits 1.5m victims
• EU-Japan deal ‘goes beyond trade’ to include reciprocal data protection
• Ireland, Greece and Romania face fines for AML failings
• UK to adopt fifth EU anti-money laundering directive in advance of BREXIT
• Facebook and Google urged not to comply with ‘troubling’ Vietnam cybersecurity law
• Cyber-crime a growing threat to UK law firms, report warns

Data privacy: Five questions you should ask about Bahrain’s new data protection law
Fraud: EU final guidelines on fraud reporting under the Payment Services Directive
Legal privilege: Common sense prevails in the UK’s battle over legal professional privilege
TSJ meets Li Qiang, founder of China Labor Watch
Human rights: How to address human rights risks in supply chains: new research on current practices
Anti-corruption: New anti-corruption legislation to impact corporates operating in Ireland
Technology: KYC: a process ripe for automation
A guide to US data protection
Anti-corruption: Second Circuit Curbs FCPA application to some foreign participants in bribery
National security: Understanding India’s offset policy
National security: Tightening the screws on FDIs: The Leifeld case and projected developments in foreign direct investments in Germany

Cover illustration by MeSamong
NEWS ROUND-UP

California’s data privacy clampdown: what it means for businesses

Earlier this summer, California’s lawmakers unanimously passed a bill on data privacy – the first of its kind in the United States – affording residents of the state unprecedented control over the way that third parties can use their personal information (see Trade Security Journal issue 8).

The Consumer Privacy Act (also known as AB 375) stipulates that:

• Californians may opt out of the sale of their data and request deletion from information bases.
• Data cannot be taken from minors (age 13-16) without their explicit consent, or the consent of their parents (under 13).
• Businesses must disclose, upon request, how consumer data is being used.

The law – dubbed ‘GDPR-lite’ by some – has already invited backlash from tech giants, despite being more than 12 months away from implementation.

The inability to see exactly who is accessing data, and for what reasons, is a cause for concern for big business, while new disclosure requirements and the threat of penalties for noncompliance introduce a stream of new responsibilities and limitations.

Despite being outwardly supportive of consumer rights, a number of well-known tech companies are understood to have helped fund opposition to the bill.

The law will have less of an impact on smaller businesses. AB 375 will only apply to ‘any business that earns $25 million in revenue per year, sells 50,000 consumer records per year, or derives 50 percent of its annual revenue from selling personal information.’ However, SMEs are still advised to review their information security and data processing measures.

In a blog post, lawyers Courtney Bowman and Kristen Mathews at the law firm Proskauer say the law ‘has the potential to change the privacy law landscape in the U.S. – not just California…The law’s protection of California-based “consumers” means that many companies, even those based outside California and even outside the U.S., will be subject to its requirements. Businesses will incur significant compliance costs in order to update procedures, policies and Web sites in accordance with the new law. Additionally, the Act’s grant of a private right of action means that companies will have to anticipate a possible flood of consumer-driven litigation.’

[Image caption: The law – dubbed ‘GDPR-lite’ by some – ‘has the potential to change the privacy law landscape in the U.S. – not just California.’]

India’s corruption law a ‘game-changer’

In July this year, India’s parliament passed new anti-corruption legislation which campaigners say is possibly a ‘game-changer’ in the fight against graft. The Prevention of Corruption (Amendment) Act 2018 has been some time in coming – the amendments having first been introduced in 2013.

The original act is almost three decades old but has long been in need of a revamp to reflect global developments, say lawyers.

Anay Banhatti, a partner at the Mumbai office of Economic Laws Practice, told TSJ that India had committed to changing the legislation in the light of its commitments under international conventions. ‘The most important change,’ said Banhatti, ‘is that under the new legislation the company has committed an offence where anyone within the organisation or associated with the organisation is proven to have given a bribe – so that places it on the same footing as the UK Bribery Act – creating a kind of vicarious liability of the company for the action of its employees and of those associated with the company (including its subsidiaries and agents). Now the onus is on all commercial organisations to have anti-corruption compliance procedures in place.’

Prior to the legislation’s amendment, he said, the law had been focused on punishing bribe-takers, not givers. ‘Someone giving a bribe was not specifically or explicitly covered in the offence, which was really targeted at government officials, although bribe givers could be charged with aiding and abetting…’

India scores poorly in Transparency International’s Corruption Perception index – at number 81 among 180 of the countries rated. Nonetheless, says Banhatti, attitudes are changing, albeit slowly. ‘Our firm holds training sessions, and people are surprised at the strength of the law. Enforcement levels are stronger than they have been in the past, when corruption was considered a cost of doing business.’

Banhatti said that a series of scandals in the past decade – including a case which saw the government undercharging mobile phone companies for frequency allocation licences – has been behind the change. ‘That matter saw the courts directing the CBI (Central Bureau of Investigation) and others to investigate senior politicians and big companies and has set the tone.’

As the legislation, though passed, is yet to come into force, the response from businesses in the country has been varied. ‘We speak to a lot of companies,’ said Banhatti, ‘and it’s clear that at senior levels [management] is uncertain as to how the new law will be enforced or if put in place.

‘Some companies, particularly international companies, have formal anti-corruption plans in place because they’re already regulated under the FCPA and UKBA. Indian companies – without such documented systems – are more worried, and this will mean a big shift in corporate culture for them.’

According to Banhatti, national resources and the purchase of defence equipment are likely to be particularly in the sights of investigators.
G20 aims for October deadline on crypto anti-money laundering standard

G20 member countries are to review the global anti-money laundering standard on crypto-currency by no later than October, according to a G20 statement.

Finance ministers and central bank governors from the organisation hosted a meeting in Argentina on 22 July, resulting in a deadline for the Financial Action Task Force (‘FATF’) to explain how its current AML standards will apply to crypto transactions. Clarifications were originally asked for by March, as a result of G20’s aim to enforce global regulations on the subject.

The statement recognises the growing benefits of crypto-assets. However, it warns that they can cause problems regarding terrorist financing, tax evasion, and money laundering. The risks posed are not significant, the Financial Security Board (‘FSB’) assures, but transactions require ‘vigilant’ surveillance. G20 continues to act against money laundering, with the expectation that FATF will provide insight promptly.

The challenge regulatory authorities face with cryptocurrencies is that – since they are so new – many existing security laws do not accommodate them. FATF is already working to create binding rules for cryptocurrency exchanges that comply with global AML regulations. Topics such as know your customer (‘KYC’) norms are to be raised, along with establishing licences for sellers.

Regulation will help provide certainty in the cryptocurrency market, director of competition at the Financial Conduct Authority Mary Starks hopes: ‘We need to ask ourselves as regulators what we should do so that we are not inhibiting the benefits nor overlooking the risks.’

[Image caption: Because cryptocurrencies are so new, many existing security laws do not accommodate them.]

Uber appoints first data protection and privacy chiefs

Between a series of scandals and an upcoming IPO, Uber is continuing to overhaul its approach to privacy with the appointment of two new officials. Ruby Zefo, former chief security counsel at Intel, has been announced as the first ever chief privacy officer at the company. Simon Hania, joining from TomTom, will take charge of data protection.

The changes come as a result of a turbulent few years for the taxi service. Following a breach that exposed the data of 57 million users in 2016, the US Federal Trade Commission (‘FTC’) called for an improved privacy policy at the

High-profile allegations of sexual harassment at the company brought further discomfort, while the threat of losing its licence to operate in London led to the company committing to new and improved governance measures.

Uber is currently managed by Dara Khosrowshahi, who says he wishes to ensure that the company is ‘putting integrity at the core of every decision we make’.

Though privacy executives have previously worked in individual departments such as engineering and legal, this is the first time an expert has been hired to provide full responsibility.

Zefo, who is also a member of the International Association of Privacy Professionals (‘IAPP’), will be based in San Francisco. She will fill ‘a critical global role responsible for the development and implementation of privacy standards, procedures, and processes,’ says Uber’s chief legal officer. Hania will be based in Amsterdam, the Netherlands, overseeing compliance with the GDPR.

Singapore data breach hits 1.5m victims

A quarter of Singapore’s population – including the island state’s prime minister – has been affected in the island state’s single largest data breach to date.

A statement issued by the Ministry of Communications and Information and the Ministry of Health described a ‘deliberate, targeted, and well-planned’ cyber-attack on SingHealth, one of Singapore’s major healthcare organisations. ‘It was not the work of casual hackers or criminal gangs. The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong's personal particulars and information on his outpatient dispensed medicines.’

The ‘attackers’ were said to have illegally copied the names, addresses, and outpatient dispensed medicines of 1.5 million Singaporean residents. Officials believe that an advanced persistent threat (‘APT’) group – described as an organisation that commits careful, premeditated cyber attacks – carried out the hack.

Singapore’s data regulations have been fortified in recent years, the most notable change being the Cybersecurity Act 2018. This new law calls for the appointment of a Cybersecurity Commissioner to oversee the protection of critical information infrastructure (‘CII’) – any information which could cause harm to the state if wrongly accessed. Critical services, including energy, aviation, and media, as well as healthcare, are required by the government to strengthen their network security in response to possible attacks.

The Personal Data Protection Commission, Singapore’s privacy watchdog, will investigate the attack.

For further information on Singapore’s cybersecurity regime, see: ‘Draft Cybersecurity Bill introduced in Singapore – five key takeaways for your organisation,’ Trade Security Journal, issue 3, September 2017.
EU-Japan deal ‘goes beyond trade’ to include reciprocal data protection

A third of the global economy and about 600 million people will benefit from what has been called ‘the largest bilateral trade deal ever.’ So says the European Council, after council president Donald Tusk signed a bilateral economic partnership agreement with Japan’s prime minister Shinzō Abe, which, the European Union says, ‘goes beyond trade deals only’.

Key elements of the deal include:

• Tariffs on more than 90% of the EU’s exports to Japan will be eliminated. Over time around 85% of EU agri-food products will be allowed to enter Japan entirely duty-free.
• Reciprocal data adequacy, meaning that information such as credit card details and browsing habits can be accessible between Japan and the EU. Currently, only 12 nations are permitted to store European persons’ information on their servers. A joint statement, issued to ease concern about data safety, maintains that the EU and Japan would adhere to the ‘relevant internal procedures’ necessary to ensure ‘the world’s largest area of safe data transfers’.

In a briefing, lawyers at Debevoise & Plimpton noted: ‘The EU Commission and Japan’s central data protection authority – the Personal Information Protection Commission (“PPC”) – have been discussing a mutual adequacy finding since January 2017. Since recent reforms to Japan’s Act on the Protection of Personal Information (“APPI”), the data protection regimes of both the EU – the EU General Data Protection Regulation (“GDPR”) – and Japan have prohibited, with certain exceptions, cross-border transfers of personal data unless the data recipient is located in a country designated as providing an adequate level of protection. The Commission and the PPC are now to begin the internal procedures necessary to formally designate the data protection regimes of the other as adequate – the EU by formal adoption of an “adequacy decision” with regard to Japan, and the PPC by designating the EU’s data protection system as “equivalent”.’

They predict that the ability to freely transfer data between the EU and Japan ‘should make business transactions within the combined area more cost- and time-efficient, bolstering the impact of the reduced and eliminated tariffs agreed to under the trade deal.’ However, they warned: ‘Until the adequacy decisions are fully adopted, businesses exporting data from Japan to the EU or vice versa should remain vigilant to ensure that cross-border transfers are conducted with advance consent or in compliance with GDPR- or APPI-approved mechanisms.’

[Image caption: ‘The mutual adequacy finding marks the first reciprocal recognition of data privacy equivalency between the EU and a third country.’]

Ireland, Greece and Romania face fines for AML failings

The European Commission has referred Ireland, Greece and Romania to the European Court of Justice ‘for failing to implement the 4th Anti-Money Laundering Directive into their national law’.

The Commission has ‘proposed that the Court charges a lump sum and daily penalties until the three countries take the necessary action.’ It is understood that this means that Ireland, which the Commission said ‘implemented only a very limited part of the rules’ faces a €1.7 million fine, plus additional daily penalties.

Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: ‘Money laundering and terrorist financing affect the EU as a whole. We cannot afford to let any EU country be the weakest link. Money laundered in one country can and often will support crime in another country. This is why we require that all Member States take the necessary steps to fight money laundering, and thereby also dry up criminal and terrorist funds. We will continue to follow implementation of these EU rules by Member States very closely and as a matter of priority.’

EU Member States had till 26 June 2017 to transpose the 4th Anti-Money Laundering Directive into national legislation. The directive aims to strengthen the risk-assessment obligations of banks, lawyers, and accountants and improve transparency in the beneficial ownership of companies.

According to The Irish Examiner, a spokesman for Ireland’s ‘Justice Minister, Charlie Flanagan, said most of the provisions of the directive would be transposed by the Criminal Justice (Money Laundering and Terrorist Financing Amendment) Bill, which has already passed all stages in the Dáil [lower house of the Irish parliament] and is due to come before the Seanad [upper house] after the summer recess, with all required measures due to be in place before the end of the year.’

The fourth anti-money laundering directive, put into place in 2017, has since been replaced. ‘The fifth addresses issues of tax evasion and fraud, exposing the names of trust beneficiaries and extending customer verification requirements, and must be followed by all EU member states by 2020,’ notes the Commission. ‘These new rules aim at ensuring a high level of safeguards for financial flows from high-risk third countries, enhancing the access of Financial Intelligence Units to information, creating centralised bank account registers, and tackling terrorist financing risks linked to virtual currencies and pre-paid cards.’

The Commission’s announcement can be seen at: http://europa.eu/rapid/press-release_IP-18-4491_en.htm
UK to adopt fifth EU anti-money laundering directive in advance of BREXIT

The UK is likely to enforce an EU law that is expected to expose thousands of tax evaders. The fifth anti-money laundering directive came into effect in the EU early in July and EU Member States have until 10 January 2020 to transpose it into national legislation – a deadline roughly nine months after that currently set for the UK to leave the EU.

According to the UK’s Department for Business, Energy and Industrial Strategy (‘BEIS’), the fifth directive should be implemented into national legislation shortly. A response to the Panama Papers investigation, the fifth directive seeks to combat terrorism, corruption, and money laundering. Notable elements include:

• Public registers of company owners in every EU Member State;
• Access to the names of bank account holders for national financial intelligence units;
• Access to the names of the beneficiaries of trusts;
• A right for the government to ‘call in’ large transactions that cause a national security threat.

The law does not apply to the Channel Islands or to offshore financial centres such as Bermuda and the Cayman Islands. However, a Labour Party amendment to the sanctions and anti-money laundering bill already requires such territories to declare public registers of company ownership.

Brexit does not officially take place until March 2019, and the UK is required to adhere to all European Union laws until then. Nonetheless, the choice to adopt the fifth directive outside of the EU would signal motion towards an international clampdown on financial secrecy.

‘These proposals will ensure we have the appropriate safeguards to protect our national security,’ said Greg Clark, BEIS business secretary, whilst ensuring the economy stays ‘open to high levels of foreign investment in the future.’

[Image caption: BEIS: ‘These proposals will ensure we have the appropriate safeguards to protect our national security.’]
Facebook and Google urged not to comply with ‘troubling’ Vietnam cybersecurity law

A group of US lawmakers has urged Facebook and Google not to comply with Vietnam’s new cybersecurity law amid concerns about storing users’ personal data within the country and threatening human rights.

‘This broad and vaguely worded law would allow the communist authorities to access private data, spy on users, and further restrict the limited online speech freedoms enjoyed by Vietnamese citizens.’ So wrote 17 bipartisan members of the US Congress in a letter to Google CEO Sundar Pichai and Facebook chief Mark Zuckerberg. A similar letter from senators is expected.

According to the Vietnamese authorities, the 16th draft of the Law on Cybersecurity is intended to combat defamation, protect minors, and uphold cybersecurity standards within the country. However, there are concerns among observers regarding certain obligations.

The law would require global sites to locally store important user data, as well as opening offices in Vietnam. Article 15 outlines illegal cyber activities including ‘anti-state information’ – meaning that users could be banned from expressing dissent online. Under the law, offending content must be removed within 24 hours of receiving a request from the Ministry of Public Security.

‘This bill will provide yet one more weapon for the government against dissenting voices,’ said Brad Adams, Asia director of Human Rights Watch. ‘It is no coincidence that it was drafted by the country’s Ministry of Public Security, notorious for human rights violations.’

Within Vietnam, there has been some push back against the law amid worries that it will impact foreign trade and investment – vital sources of the country’s income. However, the head of the committee which drafted the law maintained that its requests for the social media sites were reasonable: ‘Placing data centres in Vietnam increases costs for businesses but is a necessary requirement to meet the cybersecurity need of the country.’

Writing in issue 8 of Trade Security Journal, lawyers from Baker McKenzie noted: ‘The Draft Law changes the scope of data subjects from “Vietnamese users”, which includes users with Vietnamese nationality only, to “users in Vietnam”, which includes all users of any nationality who use services within Vietnam.

‘In sum, a plain reading of the law suggests that the scope of this requirement has been broadened, which in effect would mean that it is easier for overseas telecommunications and Internet service providers to fall within the purview of this provision.’

[Image caption: US lawmakers are concerned about the implications of the new legislation.]

Cyber-crime a growing threat to UK law firms, report warns

The United Kingdom’s National Cyber Security Centre (‘NCSC’) has published its first report highlighting the growing cyber threat to the legal sector. It says that due to the nature of the information they typically deal with (sensitive client information, sizeable funds, etc.), law firms are becoming a prime target for cyber criminals. The frequency of online attacks is increasing exponentially, with 60% of firms affected in 2018, compared to 42% in 2014. It’s estimated that £11 million of funds have been stolen by cybercriminals from firms in the UK in the past 12 months.

The report, ‘The cyber threat to UK legal sector’, was created in conjunction with the Law Society of England and Wales and other major law firms involved in Industry 100, a scheme developed by the NCSC to enable a wider understanding of cyber security.

The report discusses the ‘strategic necessity’ of cybercrime awareness post-GDPR, as well as advising law firms on the best ways to protect their information. Findings indicate that the primary threats are phishing, data breaches, and ransomware. ‘The cyber threat applies to law firms of all sizes and practice, from sole practitioners, high street and mid-size firms, in-house legal departments up to international corporate firms,’ reads the report.

Despite the warnings, Law Society president Christina Blacklaws sees the report as an opportunity for awareness rather than fear. ‘As data controllers, law firms handle significant volumes of confidential and sensitive information and client monies as part of their daily work. In the post-GDPR world and as the sector delivers and transacts more online, it’s vital that we get a common view and understanding of cyber threats and their impact. It’s a positive step to help our members spot vulnerabilities and put relevant safeguards and protections in place,’ she said.

Last year, DLA Piper, one of the largest law firms in the world, fell victim to a sustained cyber attack across multiple offices, leaving phone and IT systems down and its reputation somewhat compromised as operations ground to a halt.

Download ‘The cyber threat to UK legal sector’ here: https://www.ncsc.gov.uk/legalthreat

Trade Security Journal welcomes your news and comment. Contact the editor at tom@tradesecurityjournal.com
BULLETINS

Five questions you should ask about Bahrain’s new data protection law
By Dino Wilkinson, Clyde & Co. www.clydeco.com

The Kingdom of Bahrain has become the second country in the GCC to issue a national data protection law. Organisations operating in Bahrain or processing the personal data of consumers from Bahrain should be aware of the new obligations and sanctions in the legislation that will become effective in 2019. Here are the five questions you should be asking to understand how the new law will impact you.

Bahrain’s Personal Data Protection Law No. 30 of 2018 (‘the Law’) has been published in the Official Gazette on 19 July 2018. The Law aims to be consistent with international practices in the protection of personal data and to enhance the attractiveness of Bahrain to foreign investors by providing a clear framework for processing personal data. It is anticipated to be supplemented by resolutions that are due to be issued by 1 February 2019.

Who is affected?

The Law will apply to any processing of personal data wholly or partly by automated means or the manual processing of personal data that will form part of an organised filing system.

The Law is stated to apply to individual residents or workers in Bahrain, locally established businesses and any businesses outside Bahrain that process personal data ‘by means available within the Kingdom’ other than for purely transitory purposes.

This means that non-Bahraini businesses operating data centres or using third-party data processors in Bahrain will be caught by the Law. Any non-resident person or business that is subject to the Law must appoint an authorised representative in the Kingdom to perform its local legal obligations.

The Law does not apply to processing of personal data within the context of personal or family affairs or processing that relates to national security undertaken by security authorities in the Kingdom.

What data is protected?

The Law defines personal data as information relating to an identified or identifiable individual. This is largely consistent with European and similar international definitions of personal data or personally identifying information (‘PII’) under equivalent legislation, although there is express reference to identification of an individual via their Personal ID Card in addition to other factors specific to the individual’s physical, mental, cultural, economic or social identity. Data subjects will have rights of access to personal data and to information concerning the processing of their personal data, as well as the right to object to processing for direct marketing or automated decision making.

What are the key obligations?

Many of the obligations placed on ‘data managers’ (controllers) will be familiar to organisations that operate under data protection laws in other parts of the world, including requirements to process data fairly and lawfully, to collect personal data for legitimate, specific and clear purposes, and to ensure that data is adequate, relevant and not excessive as to the purpose for which it was collected.

Data cannot be processed without the consent of the relevant individual (data subject) unless it falls within one of the five grounds for processing in Article 4 of the Law.

These grounds include the performance of contracts or legal obligations, protecting the data subject’s vital interests, and safeguarding the data controller’s legitimate interests. There are derogations for the processing of personal data for journalistic, artistic or literary purposes and more stringent rules applying to the processing of ‘sensitive personal data’ (i.e., personal data that directly or indirectly reveals racial or ethnic origin, political or philosophical views, religious beliefs, trade union membership, criminal record, health or sexual condition).

One interesting feature of Bahrain’s legislation is the role of the ‘Data Protection Supervisor’. This is an accredited third party that may be appointed by data controllers at their discretion or, in some cases, at the direction of the data protection authority.

The Data Protection Supervisor must exercise its role in an ‘independent and neutral manner’ (unlike, for example, the data protection officer appointed by European entities under the GDPR).

Its responsibilities include monitoring and verifying the data controller’s compliance with the law, supporting the data controller in exercising its rights and performing its obligations, maintaining a register of processing, and coordinating between the data protection authority and the data controller.

The Law prohibits the transfer of personal data outside Bahrain to jurisdictions that are not approved by the data protection authority unless the data subject provides consent or the transfer falls under a specific derogation, including transfers necessary for the performance of contracts, protection of the data subject’s vital interests or preparing, pursuing or defending a legal claim. The Law also requires data
controllers to enter written contracts with third parties that process personal data on their behalf (data processors). However, there is no mandatory data breach notification provision in the Law.

How will the law be enforced?

A range of criminal and administrative fines may be imposed under the Law. Criminal offences – including the processing of sensitive personal data or transfer of personal data outside the Kingdom in violation of the Law or failure to notify as required by the Law – may attract fines of up to BD 20,000 (US$ 53,200) or imprisonment for up to one year.

Administrative fines for other offences may be imposed on a scale up to BD 20,000 (US$ 53,200) for one-off fines or daily penalties of up to BD 1,000 (US$ 2,650), which may be increased for repeat offences. Other sanctions available to the regulator include publishing statements concerning established violations and referring potential crimes to the public prosecutor. Individuals may claim compensation for damage suffered due to any processing of their personal data by a data controller in breach of the Law.

What should organisations do now?

The Law will become effective from 1 August 2019, but any organisations that are involved in processing personal data in Bahrain should start conducting an assessment of their processing activities at the earliest opportunity in order to understand the implications of the Law and implement appropriate compliance measures. This process would typically start with a due diligence exercise to understand the flows of data around the organisation. Contracts with third parties will also need to be reviewed along with privacy policies, consent forms and employment agreements. Once the law comes into effect, data controllers will have to notify the authority prior to conducting any data processing unless they appoint a Data Protection Supervisor or the processing is limited to certain activities set out in Article 14 of the Law.

Some types of data processing (including automated processing of sensitive personal data, biometric data for identification purposes, genetic information and video monitoring) will require the express prior approval of the authority. Ongoing awareness and training in data protection is likely to become a more commonplace feature for companies in Bahrain and we would expect to see organisations adopting data governance policies, procedures and practices in line with international standards. Processes will need to be in place to ensure that organisations can comply with their obligations and respect the new rights afforded to data subjects.

EU final guidelines on fraud reporting under the Payment Services Directive
By Thomas Donegan, Shearman & Sterling LLP www.shearman.com

On 18 July 2018, the European Banking Authority published final guidelines on fraud reporting under the revised Payment Services Directive. PSD2 aims to increase the security of electronic payments and decrease the risk of fraud. The Directive, which has applied since 13 January 2018, requires payment service providers to provide, at least on an annual basis, data on fraud relating to different means of payment to their national regulator. The regulators must in turn provide such data in aggregated form to the EBA and the European Central Bank. Existing data reporting practices vary across the EU. The EBA has worked with the ECB to develop these Guidelines to ensure that data is reported consistently and that the data is comparable and reliable.

The final Guidelines are addressed to PSPs, except account information service providers, and to their national regulators. The guidelines cover payment transactions that have been initiated and executed, including the acquiring of payment transactions for card payments, identified by reference to: (a) fraudulent payment transactions data over a defined period of time; and (b) payment transactions over the same defined period. The guidelines also set out how national regulators should aggregate the data.

Following the feedback to the EBA’s consultation last year on proposed guidelines, a number of changes have been made, including aligning the requirements with those in the ECB Regulation on payment statistics (ECB/2013/43). The main changes are:

• It had been proposed that quarterly reporting of high-level data would be required with a more detailed set of data on a yearly basis. Instead, the final guidelines impose one uniform set of reporting requirements on a semi-annual basis;
• Country-by-country data breakdowns are no longer required; and
• Fraudulent transactions where the payer is the fraudster are no longer within the scope of the guidelines.

The final guidelines are available at: http://www.eba.europa.eu/documents/10180/2281937/Guidelines+on+fraud+reporting+under+Article+96%286%29%20PSD2+%28EBA-GL-2018-05%29.pdf/5653b876-90c9-476f-9f44-507f5f3e0a1e.

The guidelines apply from 1 January
2019, except for the reporting of data linked to the exemptions from the requirement to use strong customer authentication provided for in the Regulatory Technical Standards on strong customer authentication (Commission Delegated Regulation (EU) 2018/389), which will apply from 14 September 2019.

Common sense prevails in the UK’s battle over legal professional privilege
By Amanda Seddon, Matthew Burn, Amanda Raad and Sarah Lambert-Porter, Ropes & Gray www.ropesgray.com

Companies around the world can finally breathe a sigh of relief today with respect to the UK’s position on privilege in criminal investigations. In a much-anticipated judgment on the ENRC case (Serious Fraud Office (SFO) v Eurasian Natural Resources Corp. Ltd [2018] EWCA Civ 2006), the English Court of Appeal has clarified the boundaries of legal professional privilege. The judgment realigns the UK’s position on privilege in criminal investigations with that of other common law jurisdictions by taking a common sense approach and more readily protecting the work of lawyers and other advisors. This decision will be of great interest to companies who deal regularly with regulators and prosecutors in the UK (such as the FCA and SFO) or are involved in multi-jurisdictional investigations.

The key elements of the judgment are as follows:

1. The test for the application of litigation privilege in English law is whether or not litigation is in reasonable contemplation. In criminal proceedings (as has long been acknowledged to be the case in civil proceedings) whether or not litigation is in reasonable contemplation is a question of fact. The Court of Appeal explicitly rejected the first instance judge’s proposition that in criminal proceedings litigation can only be said to be in reasonable contemplation once the prosecutor has satisfied the so-called ‘Code tests’ and is set to bring charges.

On the facts of this case, the Court of Appeal found that the advice of ENRC’s external counsel that the evidence unearthed by their internal investigation meant that there was ‘a real and serious risk of law enforcement and/or regulatory intervention, including criminal prosecution’ was sufficient basis to conclude that litigation – in the form of a criminal prosecution – was in reasonable contemplation, notwithstanding that the SFO had not yet commenced a criminal investigation, let alone a prosecution.

2. Litigation privilege applies to:
a. Notes of interviews.
b. Documents containing the factual evidence presented by a company’s external lawyers to the company’s board.
c. Reports created by an external firm of forensic accountants.

The Court of Appeal considered that the above-listed material was created at a time when litigation was reasonably in contemplation and that the documents had been brought into existence for the dominant purpose of resisting or avoiding criminal proceedings.

The Court of Appeal rejected the first instance judge’s conclusion that litigation privilege could not apply to this material on the basis that if ENRC had chosen to co-operate with the SFO, much of this material would have been handed over.

As a result of this decision, English law in relation to privilege is now far more closely aligned to that in the US. The Court of Appeal explicitly acknowledged in its judgment that it was advantageous to multinational companies for there to be some ‘commonality’ in privilege law across common law countries.

In addition, the Court of Appeal commented on one of the thornier questions of English law on privilege: who is the client? In a case known as Three Rivers (5), the House of Lords had held that, in companies, the client was whoever was instructed to give or receive legal advice. The Court of Appeal noted that while it did not have grounds to depart from a decision of the House of Lords, it was of the view that the rule in Three Rivers (5) was more appropriate to the 19th Century. In this regard, the Court of Appeal acknowledged that in large, complex, multinational companies the information needed to seek legal advice is not often in the hands of the board or those who are specifically authorised to seek legal advice (e.g., the general counsel). Accordingly, if a multinational company cannot ask its lawyers to obtain the information needed to give advice (including from employees with the relevant first-hand knowledge) knowing that it is protected by legal privilege, then multinational companies will be in a less advantageous position than smaller, less complex ones.

The ENRC decision can be located at: https://www.bailii.org/ew/cases/EWCA/Civ/2018/2006.html
TALKING TRADE SECURITY
ROBERT ESSEL

Look, listen and learn

An increased awareness of potential liabilities for human rights violations in international supply chains means companies are well advised to have a good understanding of suppliers’ practices and worker treatment. Trade Security Journal meets Li Qiang, founder of China Labor Watch, to find out what questions companies with manufacturing operations in China should be asking.
Earlier this summer, Trade Security Journal editorial board member Glen Kelley visited the offices of fellow New Yorker Li Qiang to discuss working conditions and the role of multinationals in China.

These are, of course, interesting times for US-Chinese relations: indeed, they verge on the acrimonious, with the US government alleging that China is in breach of WTO rules – and looking to plunder US technological advances for the country’s own gain. Meanwhile, many US companies say they can keep up with consumer demand only by taking advantage of China’s cheap labour supply. And in so doing, say campaigners like Mr Li, they may well find themselves complicit with a mode of production that disregards worker rights in favour of profit.

Mr Li is the founder of the advocacy group China Labor Watch (‘CLW’). He moved to the United States in 2000. Prior to that time, Li Qiang played a leading role in organising networks of labour activists, researching factory labour conditions, and conducting worker education and legal assistance programmes in China. Since then, CLW has conducted over 400 assessments of labour conditions in Chinese factories making products for multinational companies across industries ranging from furniture to shoes, stationery to toys, and garment to electronics. The assessments typically use a combination of undercover investigation and off-site worker interviews. In some cases, CLW’s efforts have resulted in workers being paid substantial amounts of owed back pay or other significant improvements in workers’ rights and working conditions.

Glen Kelley is a partner at the international trade law firm Jacobson Burton Kelley PLLC, based in New York. His practice focuses on economic and trade sanctions, export controls, anti-corruption, anti-money laundering and national security law. Prior to joining the firm, Glen was the chair of the regional leaders of the global sanctions and trade group of a leading international law firm. Glen has served as an Attorney Adviser at the US Department of State.

All Mr Li’s comments were voiced by Elaine Lu, a Program Officer at China Labor Watch who interpreted the interview. There are points in the conversation where Ms. Lu has added her own comments based on her understanding of and familiarity with Mr Li’s thinking.

About China Labor Watch

CLW views Chinese workers’ rights as inalienable human rights and is dedicated to workers’ fair share of economic development under globalization.

CLW increases transparency of supply chains and factory labor conditions, advocates for workers’ rights, and supports the Chinese labor movement.

Founded in 2000, China Labor Watch (CLW) is an independent not-for-profit 501(c)(3) organization. Over the past 17 years, CLW has collaborated with unions, labor organizations, and the media to conduct in-depth assessments of factories in China that produce toys, bikes, shoes, furniture, clothing, and electronics for some of the largest multinational brand companies. CLW’s New York office creates reports from these investigations, educates the international community on supply chain labor issues, and pressures corporations to improve conditions for workers.

Source: http://chinalaborwatch.org

Glen Kelley (‘GNK’): I’ve read your bio on the CLW website. Could you tell me a little more about how you decided to focus full time on shining a spotlight on labour conditions and labour rights in China?

Li Qiang (‘LQ’): Earlier in life I was a worker at a state-owned enterprise (‘SOE’) in China. I had a licence to practise as an attorney. I felt that the SOEs were treating workers unfairly – for example, only the leadership received housing benefits.

In 1997 I was almost detained in Sichuan by Chinese officials, for activities including giving legal advice to laid off workers. I fled to Guangdong and found conditions for workers were even worse in privately-owned companies that had received foreign investment than in the SOE factories.

Since then we have sent people into factories producing goods for many major MNCs (multinational companies) including Nike, Walmart and Toys R Us, to work and research the conditions there. People from many of the Fortune 500 companies have visited our offices over the years, to discuss labour issues in their factories in China.

GNK: What do you consider to be the main labour and related civil rights concerns in China today?

LQ: One of our first and main concerns is that the factories are violating Chinese labour laws, for example the working hours. Another primary concern is that workers still do not have real freedom of association. Workers have to put in a lot of overtime now just for a sustainable standard of living.

GNK: So it seems that it’s a problem with Chinese laws not being followed, but also it seems the laws are not set up well to protect workers from very bad conditions. Do you think that’s fair to say – that there’s also a need to change to laws as well as applying and enforcing them?

Li Qiang: The most important thing is for workers to have freedom of association. A lot of officials in the Communist party have strong interests in the way factories in China are functioning. Multi-national companies and Chinese factories have very strong economic interests in how the factories are functioning.

Given these strong countervailing interests, because workers don’t have the freedom of association, the ability to organise to protect their rights, it means it’s hard to implement the labour laws that do exist in China. Factories take a more targeted (reactive) approach when it comes to rights.

For example, if workers complain, that’s when factories go ahead and actually try to abide by the laws. [But] the penalties [for breaching labour laws] aren’t sufficiently heavy to be effective – so it is still more profitable to exploit their workers. These are still major problems even though the law is still being better implemented than it was in 2000.

GNK: Okay. So, how is CLW trying to shine a light on these concerns and bring about change?

LQ: We continue to do a lot of factory research and investigations and we target the MNCs’ products that are
manufactured in China to try to highlight the rights of workers.

Some of these MNCs, such as Apple and Samsung, have made changes in their factories after we have released our reports. On the other hand, when we investigated [certain] Chinese companies, we actually received a lot of retaliation from the Chinese government through the local public security bureau [police office].

But we have seen that some of these companies do make changes and we try to identify and target companies that may be willing to do so. Increased freedom of association in their factories provides support and resources for the local NGOs to really push for freedom.

GNK: Is there just one CLW office in China?

LQ: We used to have two, but last year our Shenzhen office closed because of the Ivanka Trump investigations. The government took all of our computers and everything.

GNK: Recently, it seems like there have been some CLW investigations that get a lot of attention. Ivanka Trump products was one. Another is Amazon.com which I think is working with Foxconn. They attracted a lot of coverage for your activities. Does that help, or is it more of a distraction?

LQ: Generally, it is helpful; for example in the Amazon case, Foxconn made some changes to the conditions for their dispatch workers [a type of temporary worker status not entitled to the rights of full-time employees under Chinese law]. The majority of [them] started to be converted to regular workers, which was important because [previously] there were too many dispatch workers at Foxconn.

After we released a report on one of Apple’s suppliers, they paid back their workers 3.7 million RMB in overdue wages.

GNK: In the last few years, a lot of multinational companies have been focused on the rising cost of manufacturing in China, including rising labour costs. I think there’s an assumption that labour rights must be improving because wages are rising. Is the average worker actually seeing a lot of benefit from those increases in the cost of production? Are the conditions in China really improving?

LQ: I don’t believe that there are improvements for workers. It’s really [inflation]. The prices of consumer products have increased and that’s what’s pushed the increase in wages more than anything else. Property prices have increased, and basically products like eggs, vegetables, meat, these prices have also increased in China as well. We can say that workers’ wages have increased but so have the costs of basic products, so the wage increases are not really benefiting workers in the long run.

A lot of the MNCs that have moved their factories to other countries from China have done so [for reasons besides the increase in labour costs]. And workers are also the victims of this.

If you break down the revenues from manufacturing operations in China, first a large portion goes to the companies’ profits. Second, the Chinese government’s revenues [taxes, licensing and other fees] are a large portion. Then the bank [financing, interest payments etc] costs and property costs are a large portion. Out of the total profits [revenues generated from manufacturing done in China], labour costs only take a really small share of the pie. So even if they gave more to workers, manufacturing costs could nonetheless decrease. The Chinese government gets a share. The banks get a share. MNCs get a share, so in the end no-one wants to give way and say, ‘Let’s give more money to workers.’ That’s why attention has been focused on the labour costs.

GNK: Are there any steps being taken by the Chinese government to address any of these concerns regarding labour conditions, labour rights? For example, [are] there reforms of the official labour unions? Is that something that’s still being discussed in the government?

LQ: The steps that are taken are very

Photo caption: TSJ editorial board member, Glen Kelley met Li Qiang at the China Labour Watch offices this summer.