The last several years have brought significant changes to the General Counsel position and for many, a rise of greater prominence within their companies. Large-scale forces are transforming the economics of corporations as they face challenges related to accelerating competition, cost controls, technology development, reporting transparency, and Wall Street’s focus on short-term profit maximization.
As a result, the General Counsel increasingly has a broader scope beyond being strictly a legal advisor to also being a C-suite executive, senior counselor to the Board, the CEO, and the CFO, and the ultimate guardian of the company’s integrity. The General Counsel and her in-house lawyers are expected to understand the full spectrum of their company’s business and provide expert legal advice, business strategy input, and ethical guidance.
At GCI 11, you will explore ways to create and promote your legal department as a key business partner, develop and employ critical business relationships, and strategically advance your expertise and skills to bolster your prominence within the company. Through powerful personal stories, substantive legal workshops, and GCI’s unique open exchange of ideas, you will soar to new heights as you develop practical solutions to stay relevant in today’s evolving corporate legal and business environments.
Yesterday (October 6, 2015), 7 of the 13 members of the Council of the District of Columbia introduced the Universal Paid Leave Act of 2015 (the “Act”). If passed, the Act would significantly impact employers and workers in D.C., as the legislation proposes to provide D.C. employees with the most generous statutorily-mandated paid leave benefits in the country.
The bill would establish a universal paid leave system for D.C. residents and workers who are employed in D.C. Under the proposed law, qualified individuals would be eligible to receive up to 16 weeks of paid family and medical leave for certain qualifying events. Qualifying events include the birth or adoption of a child as well as caring for oneself or for a family member with a serious health condition. As proposed, workers earning up to $1,000 per week would be entitled to receive 100% of their average weekly wages. Employees earning over $1,000 per week would be entitled to receive $1,000 per week plus 50% of their income above that amount, up to a maximum benefit of $3,000 per week.
Employees covered under the proposed law include those individuals who have spent over 50% of their work time in D.C. during the year preceding the qualifying event. The Act applies to all private employers in D.C. Although federal government employees and employees who work outside of D.C. are not covered, the Act’s drafters have proposed a plan for those employees to pay a fee to participate in the program.
To fund this benefit, all D.C. employers would be required to pay a scaled percentage of their employees’ wage into a city-managed fund depending on their employees’ earnings. D.C. employers would pay:
1% of their employees’ salary for those earning over $150,000/year;
0.8% of their employees’ salary for those earning between $50,000-$150,000/year;
0.6% of their employees’ salary for those earning between $20,000-$50,000/year; or
0.5% of their employees’ salary for those earning between $10,000-$20,000/year.
If enacted, the Act would obviously place a heavy burden on D.C. employers. Of course, the Act will be subject to much scrutiny and debate before it becomes law. We will monitor its progress in the Council and keep you updated on any developments.
© 2015 Proskauer Rose LLP.
The powers of EU data protection authorities are significantly strengthened by the decision, allowing them to suspend some or all personal data flows into the United States in certain circumstances.
In Maximillian Schrems v. Data Protection Commissioner (case C-362/14), the European Court of Justice (ECJ) has ruled that the European Commission decision approving the Safe Harbor programme is invalid. Further, the ECJ ruled that EU data protection authorities do have powers to investigate complaints about the transfer of personal data outside Europe (whether by Safe Harbor-certified organisations or otherwise, but excluding countries deemed as having “adequate” data protection laws according to the EU). Finally, the ECJ ruled that data protection authorities can, where justified, suspend data transfers outside Europe until their investigations are completed.
Safe Harbor Programme
According to the European Commission, the United States is a country with “inadequate” data protection laws. The European Commission and the US Department of Commerce, therefore, agreed in 2000 to a self-certification programme for US organisations that receive personal data from Europe. Pursuant to the self-certification programme, a US organisation receiving personal data from Europe must certify that it adhered to certain standards of data processing comparable with EU data protection laws such that the EU citizens’ personal data was treated as adequately as if their personal data had remained in Europe. The Safe Harbor programme is operated by the US Department of Commerce and enforced by the Federal Trade Commission. Over 4,000 organisations have current self-certifications of adherence to Safe Harbor principles.
The Schrems Case
Mr. Schrems complained in Irish legal proceedings that the Irish Data Protection Commissioner refused to investigate his complaint that the Safe Harbor programme failed to protect adequately personal data after its transfer to the US in light of revelations about the National Security Agency’s (NSA’s) PRISM programme. The question of whether EU data protection authorities have the power to investigate complaints about the Safe Harbor programme was referred to the ECJ. Yves Bot, Advocate General at the ECJ, said in an opinion released on 23 September 2015 that the Safe Harbor programme does not currently do enough to protect EU citizens’ personal data because such data was transferred to US authorities in the course of “mass and indiscriminate surveillance and interception of such data” from Safe Harbor-certified organisations. Mr. Bot was of the opinion that the Irish Data Protection Commissioner, therefore, had the power to investigate complaints about Safe Harbor-certified organisations and, if there were “exceptional circumstances in which the suspension of specific data flows should be justified”, to suspend the data transfers pending the outcome of its investigation.
The ECJ followed Mr. Bot’s opinion and, further, declared that the European Commission’s decision to approve the Safe Harbor programme in 2000 was “invalid” on the basis that US laws fail to protect personal data transferred to US state authorities pursuant to derogations of “national security, public law or law enforcement requirements”. Furthermore, EU citizens do not have adequate rights of redress when their personal data protection rights are breached by US authorities.
The EU-US Data Protection Umbrella Agreement
In the last two years, the European Commission and various data protection working parties have discussed ways to improve the Safe Harbor programme and strengthen rights for EU citizens in cases where their personal data is transferred to the United States. Recently, the United States and European Union finalised a data protection umbrella agreement to provide minimum privacy protections for personal data transferred between EU and US authorities for law enforcement purposes. The umbrella agreement will provide certain protections to ensure that personal data is protected when exchanged between police and criminal justice authorities of the United States and the European Union. The umbrella agreement, however, does not apply to personal data shared with national security agencies.
The umbrella agreement also provides that EU citizens will have the right to seek judicial redress before US courts where US authorities deny access or rectification or unlawfully disclose their personal data. Currently, US citizens have the right to seek judicial redress in the European Union if their data—transferred for law enforcement purposes—is misused by EU law enforcement authorities. EU citizens, however, do not have corresponding rights of redress in the United States. A judicial redress bill has been introduced in the US House of Representatives; adoption of the bill would allow the United States and European Union to finalise the umbrella agreement.
Key Findings of the ECJ Decision
The key findings of the ECJ decision are as follows (quotes indicate excerpts from the ruling itself):
“The guarantee of independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the monitoring of compliance with the provisions concerning protection of individuals”.
The powers of supervisory authorities include “effective powers of intervention, such as that of imposing a temporary or definitive ban on processing of data, and the power to engage in legal proceedings”.
The Safe Harbor programme “cannot prevent persons whose personal data has been or could be transferred to a third country from lodging with the national supervisory authorities a claim. . .concerning the protection of their rights and freedoms”.
National courts can consider the validity of the Safe Harbor programme, but only the ECJ can declare that it is invalid.
Where the national data protection authorities find that complaints regarding the protection of personal data by Safe Harbor-certified companies are well-founded, they “must. . .be able to engage in legal proceedings”.
Organisations self-certified under the Safe Harbor programme are permitted to “disregard” the Safe Harbor principles to comply with US national security, public interest, or law enforcement requirements.
There is no provision in the Safe Harbor programme for protection for EU citizens against US authorities who gain access to their personal data transferred to the United States pursuant to the Safe Harbor programme. There is only a provision for commercial dispute resolution.
The EU Data Protection Directive “requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary”, but there is no such requirement applicable in the United States following the transfer of personal data pursuant to the Safe Harbor programme.
The Safe Harbor programme “fails to comply with the requirements” to protect personal data to the “adequate” standard required by the EU Data Protection Directive and is “accordingly invalid”.
Other Options to Transfer Personal Data to the United States
Safe Harbor-certified organisations should note that there are other options to transfer personal data to the United States, including express consent and the use of Binding Corporate Rules or EU-approved model clause agreements. Organisations using Safe Harbor-certified vendors may wish to discuss these other options with their vendors. There is, however, a risk that this decision could affect these other options, as national security derogations are likely to override the protection of personal data regardless of how it is transferred, with the only exception being the specific and informed consent of an individual to the transfer of his or her personal data to governmental authorities for national security purposes.
The ECJ decision is likely to take the European Commission by surprise.
The powers of national data protection authorities are significantly strengthened by this decision. They could allow data protection authorities to suspend some or all personal data flows into the United States in serious circumstances and where there is a justifiable reason to do so. There is a risk that a data protection authority could order that the data transfers by an international organisation outside of Europe be suspended from that jurisdiction, whereas data transfers in other European jurisdictions are permitted. To mitigate this risk, the European Commission is entitled to issue EU-wide “adequacy decisions” for consistency purposes.
The European Commission has today announced that it intends to release guidance for Safe Harbor-certified companies within the next two weeks.
 See Judgment of the Court (Grand Chamber) (6 October 2015)
 See Safe Harbor List.
 Directive 95/46/EC
Where: The Capital Hilton, Washington D.C.
When: October 28-30, 2015
The annual Women, Influence & Power in Law Conference offers an opportunity for unprecedented exchange with women outside counsel. This unique event was created with the assistance of an unheralded advisory board comprised of high ranking women General Counsel or direct reports to the GC and were drawn from across the country. These attorneys have the highest levels of expertise and experience in key practice areas.
The Women, Influence & Power in Law Conference is not a forum for lawyers to discuss so-called “women’s issues.” It is a conference for women in-house and outside counsel to discuss current legal topics, bringing their individual experience and perspectives on issues of:
- Governance & Compliance
- Litigation & Investigations
- Intellectual Property
- Government Relations & Public Policy
- Global Litigation & Transactions
- Labor & Employment
- Executive Leadership Skills Development
Who Should Attend
- Chief Legal Officers
- General Counsel
- Corporate Counsel
- Associate General Counsel
- Senior Counsel
- Corporate Compliance Officers
BTI West is coming back for a 3rd year! Register for the Bank and Capital Markets Tax Institute West – December 3-4 in San Diego
When: December 3-4, 2015
Where: The Westin San Diego, San Diego, California
In an industry that thrives on both coasts, we will continue to offer exceptional educational and networking opportunities to ALL of the hard-working banking and tax professionals across the country. Join us at the 2nd Annual Bank and Capital Markets Tax Institute WEST, where essential updates will be provided on key industry topics such as General Banking, Community Banking, GAAP, Tax and Regulatory Reporting, and much more.
The Bank Tax & Capital Markets Institute Conference – West will feature a full one-day program consisting of keynote presentation, deep-dive technical sessions, and peer exchange and networking time.