Corporate Compliance: A Global Perspective




Squire Sanders LLP, 6/27/2012. 37 offices in 18 countries.

Current Compliance Environment
- Ever-intensifying regulatory burden: new areas of regulation; existing regulations becoming more complex
- Global issue: more countries jumping on board
- Consequences of infringement: unforgiving
- Step back: look at compliance obligations and compare against benchmarking

Choices
Corporate counsel and boards need to make a number of important choices, e.g.:
- Program scope: how intrusive should it be?
- Balance investment cost against level of risk tolerance (80:20 rule)
- Effective communication of senior management buy-in
No two firms are identical, so there is no single blueprint for achieving corporate compliance; hence the importance of benchmarking.

Compliance Solutions
Compliance tool-kit, the building blocks of a culture of compliance:
- Corporate compliance policies and programs
- Training for boards, executives and staff
- Protocols
- Record-keeping
- Audits and assessments
More innovative solutions? For example, compliance can be revenue generating: antitrust; trade; market access.

Global Compliance Survey
Background: Squire Sanders and Datacert together decided to undertake a Global Compliance Survey.
Purpose:
- Respond to requests from clients and Generals of the Revolution participants
- Make available benchmark data about compliance programs, challenges and tools
- Solicit input and ideas within the compliance community about how to build, measure and improve the effectiveness of global compliance programs

Who are the participants?
88 participants; average annual revenue = $11.75 billion.

Where do they do business? (chart not reproduced in the transcript)

Does your organization have a dedicated compliance officer or resource? (chart not reproduced in the transcript)

What percentage of your compliance needs emanate from outside your primary HQ country? (chart not reproduced in the transcript)

2012 Expectations (chart not reproduced in the transcript)

Many Challenges on Many Fronts
Compliance professionals must remain vigilant on many fronts, and many turn to outside providers for certain aspects of their compliance programs.

Measuring Success
- Centrally tracking all information related to compliance is critical to success and satisfaction.
- The next two graphs show that there is much room for improvement.
- In a cross-reference, those who do have strong tracking are significantly more satisfied with their compliance programs overall.

Tracking Compliance (chart not reproduced in the transcript)

Are you happy with your current compliance program? (chart not reproduced in the transcript)

Survey Key Findings Recap
- Participants expect both their domestic and global compliance challenges to rise.
- No one area of compliance stands out as the greatest challenge, suggesting that compliance professionals must spread their attention across many fronts.
- Having a process and technology platform for centrally tracking all compliance-related information emerges as both a critical success factor and an area needing improvement.

Conclusions and Insight
- Global compliance: a journey, not a destination
- The combination of good compliance programs and technology leads to the highest level of satisfaction
- Benchmarking and cross-fertilisation of compliance strategies to stay ahead of the game
- We hope this survey and the dialogue it generates will be a spur to further discussion

Questions?
Pat Cornelius, E pat.cornelius@squiresanders.com, T +1 614 365 2781, M +1 614 209 9855
Don Hughes, E don.hughes@squiresanders.com, T +1 614 365 2734, M +1 614 563 7488
Colin Jennings, E colin.jennings@squiresanders.com, T +1 216 479 8420, M +1 440 668 5032

Pat Cornelius, Squire Sanders LLP: General Practices in Compliance and Enterprise Risk Management
General principles behind a compliance program:
- Legal compliance
- Risk management: reduce the risk of noncompliance
- Reduce operational/business risks of noncompliance
- Reduce legal risks of noncompliance
- Reputational impacts

What is the Approach?
- What is the current state of play?
- Discuss what is needed (create, overhaul, update, supplement)
- Identify highest-risk areas (based on operations and enforcement activities)
- Focus resources on areas of greatest risk or greatest opportunity
- Put together a coordinated team

Cross-Border/Extraterritoriality Issues
- One compliance program for the entire organization? Separate plans for different jurisdictions? A combination?
- Global (common) rules and local rules/interpretations: seek to achieve consistency where possible and, where not possible, identify and manage instances of divergence (lowest common denominator)

Dan Roules, Squire Sanders LLP: China
- What are the key components of an effective anti-bribery compliance program for China, and how should such programs differ in China from elsewhere in the world?
- How does one go about training and monitoring the performance of one's own employees in China?
- Given the recent surges in M&A and commercial sales in China, what resources and procedures are recommended for due diligence on Chinese counterparts, whether acquisition targets, JV partners, or agents or distributors?
- How to deal with the "State secrets" issue, where there are no clear definitions and Chinese authorities interpret the law broadly?

Rob Elvin, Squire Sanders LLP: Anti-bribery Compliance, a New Concept for the UK?
- The bones of the Bribery Act
- What is it that makes the Act troublesome for global companies?
- What compliance solutions are global companies using?

Ann LaFrance, Squire Sanders LLP: International Data Protection & Privacy
- EU data protection regime
- EU data protection and e-privacy principles
- Comparison to US approach
- Applicability to cloud computing services
- The Cloud in Europe
- e-privacy Directive: cookies
- Proposed overhaul of EU data protection regime
- Questions?

EU Data Protection Regime
- Article 8 of the Charter of Fundamental Rights of the EU expressly recognises a fundamental right to the protection of personal data, and it applies to everyone, not only EU citizens (Article 7 separately protects private and family life).
- Data Protection Directive 1995 (Directive 95/46/EC): establishes the baseline rules on how personal data is processed (including how it is obtained, recorded, used, disclosed and erased). Each EU Member State has implemented the Directive with a national flavor, and there are some significant substantive and procedural differences among Member States within the EU.
- Privacy and Electronic Communications Directive 2002 (Directive 2002/58/EC, the e-privacy Directive): data breach notification (communications providers); enforcement mechanisms/audits (communications providers); cookies (all).

EU Data Protection and e-privacy Principles
Core data protection principles that must be respected by data importers (i.e. individuals/legal entities outside the EEA):
1. Justification for processing and purpose limitation: data must only be used for specified and permitted purposes
2. Data quality and proportionality: data must be accurate, up-to-date, adequate and relevant
3. Transparency: data subjects must be provided with the information necessary to ensure fair processing
4. Security and confidentiality: measures appropriate to the risk must be taken and written commitments obtained from third-party processors
5. Rights of access, rectification, deletion and objection: generally, data subjects must have such rights in relation to their personal information held by an organisation
6. Sensitive data: additional measures should be taken to protect such data
7. Data used for marketing purposes: effective opt-out procedures should be in place
8. Automated decisions about individuals: can only be made in limited circumstances, and individual rights must be protected

Comparison to US Approach
- In contrast to US practice, protection of personal data is the rule and not the exception in the EU: a horizontal (all-sector) versus a vertical (sector-by-sector) approach to regulation.
- In the EU, individuals are generally viewed as having the right to be informed of whether and how data about them is collected, processed and transferred, including in the workplace. In some cases, their explicit consent is required.
- The EU prohibits the export of EU personal data to points outside the EU/EEA (and this includes remote access to EU personal data from points outside the EU/EEA) unless specified conditions are met.
- Export of personal data within a corporate group or partnership is caught by the prohibition and the required conditions.
- EU Member States interpret and enforce the EU Directives differently.

Applicability to Cloud Computing Services
Significant EU data protection issues are raised by cloud computing (storage, SaaS):
- Who has jurisdiction over the cloud? Where the provider is headquartered/operates? Where the servers are located? Where the customer is located? Where the customer's customers are located? All of the above?
- How to comply with rules relating to export of data outside the EU/EEA in a commercially sensible way?
- How to deal with data breach incidents and swift protection of individual rights in a global server-farm set-up?

The Cloud in Europe
Germany: Resolution and Guidance Paper (29 September 2011) sets out minimum requirements for cloud providers, including:
- Transparency: technical, organisational and legal framework of the cloud provider
- Unambiguous contract terms relating to processing
- Certificates from independent auditors concerning information security
Italy: guidance from the Garante on 24 May 2012:
- Prioritise services promoting data portability
- Consult on where data will reside
- Ensure availability of data
- Awareness of contractual clauses: check times and storage of data
France: France is also looking into the issues and has circulated a consultation.

e-privacy Directive: Cookies
- The e-privacy Directive was amended in 2009 (Directive 2009/136/EC) to tighten up the prior opt-out rule for cookies.
- The 2009 amendment gave Member States until 25 May 2011 to implement the changes (although the Information Commissioner's Office gave UK businesses an extra year).
- Member States are in various stages of implementation of the Directive.

Cookies (cont'd)
Article 5(3) of the e-privacy Directive states that: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensible information, inter alia, about the purposes of the processing."
- ICO Guidance (May 2012) was amended at the last minute to include implied consent as a valid form of consent: out of step with Europe?
- The e-privacy Directive suggests browser settings may be one means of obtaining consent. The ICO has said this is not sufficient in the UK, but consent can be given by use of appropriate browser settings in some Eastern European countries (e.g. Hungary, Romania).

Cookies (cont'd)
The Article 29 Working Party adopted an Opinion on 7 June 2012 clarifying which cookies can be exempt from the requirement of informed consent. Exempt cookies include:
- User-input cookies (session-id cookies), e.g. those backing a shopping cart
- Authentication cookies used to identify a user once they have logged in
- User-interface customisation cookies, e.g. language-preference cookies
The Working Party also set out non-exempt cookies, including:
- First-party analytics
- Third-party cookies used for behavioural advertising
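The exemption categories above translate directly into an engineering control: a site should not write a non-exempt cookie until the visitor has consented to that purpose, and a reviewer should be able to take a captured Cookie header and say which cookies present would have needed consent. The following is an added example, not code from the Squire Sanders deck or from any consent-management product. It assumes a hypothetical per-site cookie registry (cookie name to declared purpose); the cookie names and the captured Cookie header are constructed for illustration. Unknown cookies fail closed (treated as needing consent), which is the behaviour a practitioner wants when the registry is incomplete.

```javascript
// Added example: consent-gated cookie writes plus a Cookie-header audit, based on
// the Article 29 Working Party categories named on the slide. Not code from the
// deck; the registry, cookie names and sample header below are constructed.

// Purposes the slide lists as exempt from the consent requirement.
const EXEMPT_PURPOSES = new Set([
  "user-input",       // session-id cookie backing e.g. a shopping cart
  "authentication",   // identifies the user once logged in
  "ui-customisation", // e.g. language preference
]);

// Hypothetical per-site registry: every cookie the site sets, with its declared
// purpose. "first-party-analytics" and "behavioural-advertising" are the two
// non-exempt purposes named on the slide.
const COOKIE_REGISTRY = {
  sessionid: { purpose: "user-input" },
  authtoken: { purpose: "authentication" },
  lang:      { purpose: "ui-customisation" },
  _ga:       { purpose: "first-party-analytics" },
  adtrack:   { purpose: "behavioural-advertising" },
};

// A cookie needs prior consent unless its declared purpose is on the exempt list.
// Cookies missing from the registry fail closed and are treated as needing consent.
function requiresConsent(name, registry = COOKIE_REGISTRY) {
  const entry = registry[name];
  if (!entry) return true;
  return !EXEMPT_PURPOSES.has(entry.purpose);
}

function purposeOf(name, registry) {
  return registry[name] ? registry[name].purpose : "unclassified";
}

// Minimal stand-in for document.cookie: non-exempt cookies are only written once
// the user has consented to that specific purpose; blocked writes are recorded.
class ConsentGatedJar {
  constructor(registry = COOKIE_REGISTRY) {
    this.registry = registry;
    this.consented = new Set();
    this.store = new Map();
    this.blocked = [];
  }
  grantConsent(purpose) {
    this.consented.add(purpose);
  }
  set(name, value) {
    if (requiresConsent(name, this.registry) &&
        !this.consented.has(purposeOf(name, this.registry))) {
      this.blocked.push(name);
      return false;
    }
    this.store.set(name, value);
    return true;
  }
}

// Audit a captured Cookie request header (as seen in a proxy or server log)
// against the registry: return the cookies present that would have needed consent
// the visitor has not given.
function auditCookieHeader(header, consentedPurposes = new Set(), registry = COOKIE_REGISTRY) {
  const findings = [];
  for (const pair of header.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    if (!name || !requiresConsent(name, registry)) continue;
    const purpose = purposeOf(name, registry);
    if (!consentedPurposes.has(purpose)) findings.push({ name, purpose });
  }
  return findings;
}

// Constructed Cookie header: a visitor who has accepted nothing yet.
const SAMPLE_HEADER = "sessionid=9f3c; lang=en-GB; _ga=GA1.2.123; adtrack=x7; unknownpixel=1";

function demo() {
  const jar = new ConsentGatedJar();
  jar.set("sessionid", "9f3c");  // exempt: written
  jar.set("_ga", "GA1.2.123");   // not exempt, no consent yet: blocked
  jar.grantConsent("first-party-analytics");
  jar.set("_ga", "GA1.2.123");   // consent given for that purpose: written
  return {
    written: [...jar.store.keys()],
    blocked: jar.blocked,
    audit: auditCookieHeader(SAMPLE_HEADER),
  };
}
```

Running demo() shows sessionid and (after consent) _ga written, the first _ga attempt blocked, and the audit of the constructed header flagging _ga, adtrack and the unregistered unknownpixel; the exempt sessionid and lang are not flagged. In a real deployment the registry is the artefact an auditor will ask for, and the audit function can be run over proxy captures from a fresh browser profile to catch cookies set before any consent dialog was answered.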

Proposed Overhaul of EU Data Protection Regime
On 25 January 2012, the European Commission published a proposal for a Data Protection Regulation that is intended to replace the current regulatory framework in Europe. Implementation is not expected before mid-2014 (with a two-year implementation period). Highlights include:
- Right to be forgotten
- Data portability
- Privacy by design
- Explicit consent
- Binding corporate rules option for processors
- Data breach notification
- Data Protection Officer
- Industry codes of practice
- Sanctions