Posted

The Court of Justice of the European Union (CJEU) has been very busy in recent weeks re-shaping EU privacy laws. In addition to the much-anticipated decision in “Schrems” (Case C-362/14), which essentially rules the US-EU Safe Harbor invalid, the CJEU has also considered the key issue of “establishment” in another landmark case, namely “Weltimmo” (Case C-230/14).

In particular, it has ruled that businesses with only very minimal operations in an EU Member State can nevertheless be subject to the data protection laws of that Member State, where they process personal data in the context of activities directed towards that Member State. This effectively widens the scope of “establishment” and creates additional headaches for those with European operations.

The action point for companies with a European footprint is therefore to review their European processing activities, re-think where they might be established and look to comply with local laws in those jurisdictions. Status quo is not an option for those who wish to avoid enforcement action in “foreign” jurisdictions they previously thought they could ignore.

Posted

Yesterday was a big day for the Court of Justice of the European Union! The fifteen-year-old regime governing EU-U.S. data transfers has been struck down. Specifically, the CJEU declared invalid the safe harbour framework (the “Safe Harbor Framework” or the “Framework”) that thousands of U.S. companies have relied upon to facilitate data transfers from the EU to the United States. To read the entire article published by our Pillsbury London and U.S. teams click here.

Posted

Global Sourcing attorney Sarah Atkinson, who are based in Pillsbury’s London office, have recently published the article, The payment services market under the eye of the regulator, in Banking Technology. The article considers criticisms of the payment services industry and how the new Payment Services Regulator is hoping to address these. In particular, they consider the issue of technical barriers (including technology barriers) and how these currently inhibit direct access to payment systems. To read the full article on the Banking Technology website click here.

Posted

These days it seems every supplier’s infrastructure pitch book is full of the virtues and potential benefits of their drive toward automation, the objective being to get the same work done for less. What’s not clear is whether the supplier will actually be able to achieve what they promise or how to allocate the benefits between buyer and seller.

The same for less is a well-travelled road; the same goal drove moving work to less expensive delivery locations over the last couple of decades. Along the way some algorithmic alchemy created an acceptable balance among costs, margins, prices and benefit to the buyer. While the arithmetic to ensure the benefits were reasonably distributed amongst buyers and sellers could be complex, the factors of production to drive economic verification models were pretty well known, or at least could be with a bit of research. Underlying it all was a basic assumption, that an FTE was an FTE, and many buyers used the number of proposed FTEs to validate a supplier’s ability to actually perform the work.

Automation changes all that. Is an FTE still an FTE, or is an automation-assisted FTE 125% of a historical FTE, or maybe 150%, or maybe even more? What if there is no FTE at all, just some robotics doing what an FTE used to do? Since an automaton is likely to make fewer mistakes than a human FTE, and will do those error-reduced tasks faster than the human FTE, the promise of better and faster and cheaper seems attainable.

Posted

This blog is the second part of a two-part series on key contracting issues with technology service providers, and the focus is specifically geared toward companies doing business in the real estate industry.

As noted in Part 1, technology has infused every sector of society, and the real estate business is no different. Firms running large, complex real estate projects typically do not have the core competency to design, develop, implement, host, and/or maintain the technology applications and systems to run these innovative ideas, which is why these firms typically partner with third party technology service providers to design, develop, and implement their technology needs.

Entering into these partnerships with third party technology providers can come with risk and requires a contracting strategy. In Part 1, I discussed the issues of pricing and service performance. In this Part 2 below, I discuss data protection, infringement, and insurance.

Posted

Technology continues to infuse our homes, businesses, and places of employment. For example, the “Internet of Things” – as it is sometimes called – brings a lot of promise to a wide variety of industries and sectors, including farming, government, natural resources, and manufacturing. The list goes on.

Even though it often gets the (unwarranted) reputation as being slow to innovate, the real estate industry has joined the technological trend. Real estate developers, property managers, and construction firms are constantly on the lookout for new ways to incorporate the promises of new technology into the design, development, and maintenance of their projects and properties.

For example, automated parking garages have become an efficient way to maximize parking in markets where automobile space is at a premium. Some hotel chains are doing away with keys and permitting guests to access their rooms with smartphone apps. Homes and apartments are following suit. Construction firms are starting to gain FAA approval for drone use in connection with their projects. And finally, there is a smartphone app for just about every sector of the real estate industry.

Posted

Managed security services are often a natural “add-on” when outsourcing IT services given that data protection is integral to application development, software as a service, and cloud storage, among other services. More recently, managed security services have become a “niche” sourcing alternative that many companies are considering as they seek to leverage a supplier’s expertise in cyber threat assessment, detection and response. One critical consideration to keep in mind prior to outsourcing your cybersecurity is that you cannot outsource your regulatory responsibilities. In a sense, you may hire a supplier to protect your and your clients’ data and cyber infrastructure to the degree required of your organization under the law, but if those legal standards are not met by the supplier, your organization remains liable.

Under U.S. laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Federal Information Security Management Act (FISMA), executive orders and state-specific regulations, or the UK Data Protection Act, you may outsource day-to-day information management; you may not outsource your regulatory liability. If a breach occurs, your organization must notify your own clients, state Attorneys General and federal agencies, as applicable. Enforcement actions may be taken against your organization based on violation by a supplier, regardless of your organization’s knowledge, involvement, or lack thereof. For example, the Consumer Financial Protection Bureau (CFPB), a relatively new federal agency formed in 2011 under The Dodd-Frank Act, explicitly targets its enforcement powers at the conduct of both financial institutions and their service providers.

As of 2012, the CFPB announced that it expects “supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with federal consumer financial law” and avoids harm to consumers. And what is one of the biggest risks of harm facing consumers in 2015? Loss or improper disclosure of consumers’ personal and financial data, which may occur over the Internet, via smart-devices and related applications, at merchant points of sale when making card payments, or even at the hands of a rogue employee within your organization or that of your supplier. If the CFPB investigates your organization, as a matter of course they will likely investigate your service provider(s), if any, and focus on areas of consumer data security and risk of identity fraud.

Posted

Commercial lawyers ink thousands of contracts every day. Faced with an ever-shortening business cycle, they often do not have the luxury of seeking perfection in the contracting process. Fortunately, very few contracts ultimately end up in a formal legal dispute, but when they do, the fine points of the terms and conditions can become pivotal to litigation success or failure. There are things we can do to increase the odds that our contracts will work for us, rather than against us, if there is a dispute. Based on our experience in negotiating, implementing, disputing and litigating these kinds of agreements, this article suggests some areas of a typical service agreement that should not be overlooked during the contracting process.

To read the full article as published in Business Law News click here.

Posted

Computer Weekly recently published the article NHS Care.data: The security concerns by Mike Pierides and Sarah Atkinson, Global Sourcing attorneys in Pillsbury’s London office. In the article, Pierides and Atkinson consider how England’s National Health Service is implementing a controversial programme to share patient data with the private sector, how the Care.data programme is intended to work, its legislative background, and the data security concerns that surround it.

Click here to read the full article.

Posted

Be careful what you’ve promised your customers … or what has been promised about data you buy!

In today’s world, consumer data is a huge asset for companies across all industries, in particular those in technology-focused spaces like social media, apps, wearables, and retailers involved in e-commerce. The value of such data, however, is at least partly dependent on the extent to which the data can be transferred to third parties without restrictions on use. The ability of a company to sell or otherwise transfer its consumer data, whether in a merger, acquisition or otherwise, typically ties back directly to statements made in the company’s privacy policy. As illustrated by RadioShack’s recent bankruptcy sale, the latest in a series of high-profile examples over the years on this topic, promising not to share consumer information can create a significant obstacle for future asset sale transactions.

For more information, check out our Client Alert.