
Friday, January 23, 2009

Article 29 Working Party Releases 11th Annual Report

By Mehmet Munur

On January 21, 2009, the Article 29 Working Party released its 11th Annual Report on Data Protection. The report shows a rise in enforcement activities by the European Union Data Protection Authorities (DPAs), resulting in fines totaling millions of Euros and some criminal prosecutions, as well as concerns over liberal use of electronic discovery in US litigation involving EU subsidiaries.

While the report covers the year 2007, it is a handy (yet belated) insight into all EU Data Protection Authorities’ enforcement activities. Most importantly, it serves as a useful tool to gauge where data protection enforcement in the EU is heading. In 2007, the DPAs focused on a variety of areas of data processing such as electronic healthcare, law enforcement, employment, the financial sector, biometric data, and video surveillance. The report also highlights the local implementation efforts of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the E-Privacy Directive) and the varying retention periods set by local legislation.

The Spanish, Dutch, French, and Italian DPAs were just as active in 2007 as in the previous years.

The Spanish DPA noted that in “2007, the number of claims filed by citizens with the AEPD rose by around 7% to a total of 1,624.” The Spanish DPA issued 399 penalties, “a 32.5% increase over the previous year” resulting in fines of 19.6 million Euros—an average of nearly €50,000. Furthermore, “[t]he greater part of the inspections carried out ha[d] to do with telecommunications and financial institutions, followed by video-surveillance, which is now in third place following an increase by over 400%.”

The Dutch DPA stated that in 2007 it had “changed its strategic direction and shifted its priority to carrying out investigations and enforcement actions – the core task of any independent supervisory authority – to ensure a more effective promotion of the awareness of standards.” The Dutch DPA also suggested that it was going after the bigger fish, stating that it “g[a]ve priority, as regards requests for help and assistance, to serious violations of a structural nature and to violations which entail major consequences for a substantial number of citizens or for groups of citizens.”

The French DPA reiterated its penalty and audit powers, stating that “the CNIL has sanctioning powers enabling it to levy fines to the amount of €150,000 (€300,000 in the case of repetition), within the limit of 5% of turnover.” In 2007, the French DPA issued nine fines ranging from €5,000 to €50,000, five warnings, and 101 formal notifications.

The French DPA also voiced its concerns over US data retention and electronic discovery rules, stating that it had “observed a recent increase in the requirement for the communication of personal data held, inter alia, by the French subsidiaries of American companies that are the subject of discovery proceedings before American civil courts or pre-trial discovery.” The French DPA was worried not just about private litigation but also about discovery by the FTC and SEC. Therefore, the French DPA “attempted to draw the government’s attention to this issue” and set up inter-ministerial discussions.

The Italian DPA also enhanced its inspection activities in 2007. Interestingly, the Italian DPA benefited from the use of the specialized Financial Police when checking compliance with notification requirements, information notices, and security measures. “Overall, 452 inspection proceedings were carried out. They mostly concerned private entities and were aimed at checking compliance with the main requirements laid down in the data protection legislation.” The Italian DPA focused on “personal (medical) data by pharmaceutical companies and healthcare bodies; the online processing of personal data; processing aimed at the provision of goods and services via distance selling mechanisms (including call centres); the processing operations performed by Revenue Offices; the retention of users’/subscribers’ data by telecom operators; and e-banking services.” Out of these 452 inspections, the DPA issued 228 administrative sanctions and referred 15 cases to criminal prosecution. The Italian DPA expects revenues of €750,000 from these sanctions.

In sum, enforcement by EU DPAs and the financial liability for violations of local data protection legislation are both on the rise.



Thursday, January 22, 2009

US-Swiss Safe Harbor Framework Signed

By Mehmet Munur

On December 9, 2008, the Swiss Federal Data Protection and Information Commissioner and the Department of Commerce signed “an exchange of letters” to create the “US-Swiss Safe Harbor Framework.” As a result, multinational corporations certified under the Department of Commerce Safe Harbor program are now able to transfer data from Switzerland to the US more conveniently.

The Swiss Federal Data Protection Act operates similarly to the 95/46/EC Data Protection Directive. Article 6 of the Swiss Act prohibits data exports in the absence of adequate guarantees, similar to Article 25 of the Directive. Since the US, without the Safe Harbor, does not offer adequate protections for personal data, companies were forced to use exceptions under Article 6 for data transfers, such as standard contractual clauses approved by the Data Protection Commissioner of Switzerland. Companies can now self-certify at the Department of Commerce website for transfers of personal data from Switzerland, in addition to other European Economic Area countries.



Monday, January 19, 2009

US Supreme Court to Review Whether States Can Enforce Antidiscrimination Laws against Federally Chartered Banks

By Dino Tsibouris

The US Supreme Court will consider whether the New York Attorney General can enforce antidiscrimination laws against federally chartered banks. In The Clearing House Assoc., LLC v. Cuomo, 510 F.3d 105 (2d Cir. 2007), the New York-based Second Circuit Court of Appeals upheld the OCC's position that a state may not request or subpoena information relating to potential lending discrimination from such banks. Opinion at:


Originally, Eliot Spitzer started a probe to determine if banks were charging higher rates to minority applicants. As Attorney General Cuomo continued the investigation, the court ruled that national bank regulation is a matter of federal law, and that Congress left no role for the states.

The court could hear arguments and decide the case by the end of its term in late June. The case is Cuomo v. Clearing House Association, 08-453 at:


All federally chartered lenders and their service providers should watch this closely.


Friday, January 16, 2009

ABA: Boutique Law Firms Make Inroads During the Downturn

By Dino Tsibouris

The ABA Journal and New York Law Journal have interesting stories about how the downturn in work at large law firms has opened doors for small firms that offer specialized expertise at competitive rates. The article focuses on the New York market, but the factors apply in any legal market:

Despite the struggling economy and Wall Street layoffs, some small law firms in New York are seeing their business boom.

Among the reasons why are the significantly lower hourly rates charged by these law boutiques and a growing number of small businesses being launched by laid-off workers that need legal services, reports the New York Law Journal. Its article is reprinted by New York Lawyer (reg. req.).
