Compliance News
EU Rules Restricting the International Transfers of Non-Personal Data
While the EU GDPR regulates the international transfer of personal data, several recently enacted EU laws regulate the international transfer of non-personal data, which is any data that is not “personal data” under the GDPR. In other words, these new laws apply to data that does not relate to an identified or identifiable natural person, including anonymized data and data about industrial equipment, significantly expanding the types of data subject to international transfer restrictions. Some of this legislation has been enacted recently, and other legislation on this topic is making its way through the legislative process but has yet to be adopted.
In a recently published article, Kristof van Quathem and Anna Oberschelp de Meneses outline the current and forthcoming EU legislation on the international transfer of non-personal data.
Ukraine: Switzerland implements the EU’s 13th package of sanctions
As part of a 13th package of sanctions adopted on 23 February 2024, the EU imposed new sanctions in response to Russia’s ongoing military aggression against Ukraine, which has continued for more than two years. On 29 February 2024, the Federal Department of Economic Affairs, Education and Research (EAER) followed suit by expanding the Swiss sanctions lists under its jurisdiction to include a further 106 individuals and 88 entities and organisations, as the Federal Council announced in its press release.
The newly sanctioned entities, organisations, and individuals are primarily engaged in the production of missiles, drones, anti-aircraft missile systems, and other military equipment within Russia’s military-industrial complex. Additionally, Russian companies and individuals involved in the supply of defence equipment from the Democratic People’s Republic of Korea to Russia are targeted by the new listings. In addition to judges and officials from the occupied territories of Ukraine, sanctions have been imposed on organisations and individuals involved in the forced transfer of Ukrainian children.
Further trade sanctions have been implemented in an effort to impede Russia’s acquisition of sensitive technologies and goods for its military. The export ban on dual-use goods and goods that may contribute to Russia’s military or technological advancement is expanded to include 27 additional entities under these measures. The scope of the export ban has been broadened to encompass a greater variety of products. For instance, components utilised in the design and production of drones are no longer permissible for sale or export to Russia.
The SECO adjusted the overview of the sanctions against Russia accordingly. All new measures became effective at 6:00 pm on 1 March 2024.
Digital Services Act enters into force
On 17 February 2024, a further part of the Digital Services Act came into force. While some regulations have already applied to 19 very large online platforms (VLOPs) and search engines (VLOSEs) since 2023, they now apply to all platforms and hosting services. Corresponding services will soon have to take various user protection measures, including i) combating illegal content, ii) protecting minors, iii) informing users about the advertising displayed to them, iv) preventing advertising that is based on sensitive user data and v) making it easier to submit complaints and contact users, as the EU Commission communicated.
Platforms not designated as VLOPs or VLOSEs will be supervised at EU Member State level by an independent regulator acting as the national Digital Services Coordinator (DSC). It will be the responsibility of the DSCs to ensure that these platforms play by the rules. DSCs will supervise and enforce the DSA for the platforms established on their territory.
In its press release, the EU Commission also communicated that it intends to adopt Guidelines on risk mitigation measures for electoral processes in March 2024. Furthermore, the EU Commission expects a public consultation on the data access delegated act in April 2024 with adoption by July 2024 and entry into force in October 2024. In May 2024, the EU Commission plans to adopt an Implementing Act on transparency report templates. Finally, the EU Commission made more details accessible online.
Past ECS Events 2024
ECS Working Group Events
Thinking Like a Scientist: Building a Modern Ethics and Compliance Program
On March 14, around 30 practitioners convened in the Zurich offices of E&Y.
Andreas Buscher introduced both speakers: Zach Coseglia (co-founder and managing principal of R&G Insights Lab. Zach is an experienced litigator, investigator, and former compliance executive; he is also a thought leader on compliance analytics and organizational culture. Before founding the Lab, Zach held senior legal and compliance positions at Pfizer, including as Vice President and Global Head of Monitoring, Analytics and Digital Compliance; and as Assistant General Counsel and Chief Investigations Counsel for Asia Pacific, based in Beijing) and Hui Chen (Senior Advisor within R&G Insights Lab and an international leader and expert in organizational integrity. She was the first Compliance Expert at the U.S. Department of Justice, and authored the “Evaluation of Corporate Compliance Programs” document that redefined compliance expectations. She began her career as a federal prosecutor in the Department of Justice in Washington, D.C. and the Eastern District of New York. Hui has extensive in-house experience as a senior legal and compliance leader at Microsoft Corporation, Pfizer Inc., and Standard Chartered Bank, in locations across the globe).
The audience listened passionately to stories, studies and real-life examples where compliance did (not) have the desired effect. The speakers stressed the importance of a “human-centered” and “data-driven” approach when it comes to the compliance program and showed how data can be used across all elements of a compliance management program.
Decision Making in Health Care Compliance
Approximately 20 participants met on March 5 in the Bayer offices in Zurich. Alex Fuchs (regional compliance officer at Seagen-Pfizer) and Patrick Wellens (co-chair of WG life sciences) presented to the audience some of the factors that determine the compliance philosophy of a company.
Not all companies have the same culture and philosophy with regards to compliance risks. Some companies believe in training the employees and trust that employees will make the right decision; other companies believe in a shared responsibility between Compliance and the business (“compliance as an advisor”) and in other companies certain business transactions can’t be executed unless approved by Compliance.
Both speakers created some polling questions, which triggered an interactive discussion with the participants about why a particular compliance philosophy was chosen in their organization with regard to healthcare compliance (i.e. interactions with healthcare professionals, healthcare organizations and patient organizations such as sponsoring, congress, advisory boards, donations, patient assistance programs etc.).
The benefit for the participants is to hear which healthcare compliance philosophies are chosen by other companies and why, and thereby to reflect on their own choices.
Competition Law Compliance and ISO 37301 – How Integrating Competition Law in a Compliance Management System can look like
On 18 January 2024, the ECS Working Group on Competition Law held its first event in Zurich.
Our first speaker was Dr. Karin Amberg, M.A., Senior Legal Counsel, Compliance Officer Competition Law at SBB, and the topic of discussion was “Competition Law Compliance and ISO 37301 – How Integrating Competition Law in a Compliance Management System can look like”.
The event was followed by a drinks reception to celebrate the launch of the ECS Working Group on Competition Law.
EU Sustainability Due Diligence Directive
On February 26, members of the Working Group on Life Sciences came together in the Basel offices of Deloitte to listen to Sandra Klemm, partner at Amatin Law firm, who gave an overview of the background and scope of the upcoming EU Directive, the obligations of companies, the expectations on companies with regard to due diligence, and the civil liabilities if companies do not follow the EU Directive.
The participants then actively discussed what companies can do and how to best integrate this environmental and human rights due diligence in their existing third party due diligence framework.
How to create a Code of Ethics (with examples)
A code of ethics outlines the ethical principles that govern employee behavior in the workplace. It often includes the company’s values, as well as the policies meant to guide employees in how they make decisions and conduct themselves at work. The purpose of a code of ethics is to have a comprehensive and formal way of telling employees and stakeholders what their expectations are around how people will behave in the workplace.
A strong code of ethics will be memorable and inspire employees to live by its espoused values in their daily lives. This will hopefully prevent unethical behaviors that could hurt customer relations, scare away ethical employees, and ultimately tarnish the reputation of your company. In a recently published article, Jeff Rumage explains how to write a Code of Ethics and provides several examples of how this can be implemented.
Federal Council holds debate on EU deforestation regulation
As an element of the European Green Deal, the European Parliament and the EU Council adopted on 31 May 2023 the new Regulation (EU) 2023/1115 (“EU Deforestation Regulation” or “EUDR”), which seeks to prevent EU consumption from contributing to worldwide deforestation and forest degradation caused by agricultural expansion associated with the commodities in question, as already reported by the ECS Compliance News. The EU Deforestation Regulation will be implemented in the EU from January 2025. The EUDR impacts cocoa, coffee, palm oil, rubber, soya, cattle, and wood, in addition to the goods manufactured from these materials, including coffee capsules, furniture, and automobile tyres. Beginning in 2025, the placement or exportation of these raw materials and finished goods from the EU will be restricted to those that were not manufactured in regions that underwent deforestation after 2020, or that are otherwise unrelated to forest degradation.
Additionally, Swiss firms that wish to export to the EU the raw materials and finished goods impacted by the EUDR will be required to comply with the new regulations. This is the case irrespective of Switzerland’s decision to adopt the EUDR fully or partially or abstain from doing so in its legislation. Switzerland exported to the EU approximately CHF 4 billion worth of EUDR-subject raw materials and finished goods in 2022. In total, the value of exports (EU and non-EU) was approximately CHF 7.5 billion.
The Federal Council deliberated on this subject during its meeting on 14 February 2024. The Federal Council will abstain from amending Swiss law for the time being, provided that mutual recognition with the European Union remains unattainable. Companies run the risk of encountering parallel regulations and duplicating efforts in the absence of mutual recognition. Organisations whose products are not designed for the European Union market and are thus exempt from the EUDR can prevent a substantial supplementary cost by abstaining from adaptation. By the summer of 2024, the Federal Council will conduct a comprehensive evaluation of the situation considering a regulatory impact assessment.
Nevertheless, the Federal Council acknowledges that Swiss companies impacted by the EUDR will bear a greater burden. Its primary objectives are to examine support measures for the affected industries and businesses and to continue the dialogue between the Federal Government and the business community regarding this subject. Additionally, it seeks clarification from the EU Commission regarding the prerequisites for establishing a connection to the EU information system and for the reciprocal acknowledgment of relevant regulations. In addition, the Federal Council wishes to specify which legal modifications would be required to harmonise Swiss law with the EUDR. The Federal Council has declared that it will give an update on the progress of these clarifications following the end of the summer break.
New WHO recommendations regarding the governance and ethics of large multi-modal models of AI
On 18 January 2024, the World Health Organisation (WHO) issued a New Guidance on the ethics and governance of large multi-modal models (LMMs). The document is intended to assist technology companies, healthcare providers, and governments in promoting the responsible application of AI and safeguarding public health.
The WHO asserts that LMMs possess extensive potential for application across various domains within the healthcare sector. These domains include scientific research and drug development, clinical care and diagnosis, medical and nursing education, administrative tasks (e.g., cataloguing and collecting medical examinations in electronic medical records), and patient functionality (e.g., searching for information on symptoms and treatment modalities).
However, the WHO also identifies potential risks associated with the use of AI. These risks primarily pertain to the production of false, inaccurate, or incomplete data, which may have adverse effects on individuals who rely on such information to make health-related decisions. Additionally, the WHO warns of the possibility of bias and distortion in the output generated by AI when it is trained on substandard data or calibrated by bias. Therefore, to improve the capacity of health systems and advance the interests of patients, the WHO has issued a series of recommendations to governments, which are responsible for establishing standards for the development and deployment of AI, and to developers, who ought to involve potential users and stakeholders in the design phase.
Sanctions: Federal Council commentary on Control Committee recommendations
The Control Committee of the Council of States (CC-S) commended the Federal Council’s prompt implementation of European Union sanctions regarding the Ukraine crisis in its report dated 14 November 2023. However, the CC-S maintained that enhancements to the execution of economic sanctions were imperative and devised six additional suggestions for the Federal Council to consider.
The Federal Council provided its commentary on the CC-S recommendations on 14 February 2024. As per the press release, the Federal Council acknowledges that the sanctions imposed in response to Russia’s military aggression against Ukraine exceeded expectations in multiple ways. Consequently, this may engender a sense of ambiguity among the relevant authorities and other stakeholders. Nevertheless, due to uncertainties alone, the Federal Council believes that additional authorizations or oversight by SECO would be extremely beneficial in a unique crisis. As a result, its proposal for a transparency register as a component of the partial revision of the Anti-Money Laundering Act is its primary focus. According to the Federal Council, SECO has demonstrated its capability to respond promptly and effectively to inquiries or complications that may arise during the implementation of novel sanction measures. Nevertheless, the Federal Council endorses the CC-S’s suggestion to reassess SECO’s crisis concept.
The Federal Council maintains its stance regarding the CC-S’s request for clarification regarding the extent of the reporting obligation for attorneys: the Federal Supreme Court has ruled that the particular activities of attorneys are protected by professional secrecy. This encompasses activities such as legal document drafting, representation, or assistance in administrative or judicial proceedings, and the provision of legal counsel. However, professional secrecy does not automatically apply to every action taken by an attorney. The Federal Council continues to assert that professional secrecy is not incompatible with the requirement to disclose information regarding activities that do not pertain to the practice of law. Therefore, attorneys who aid in the violation of sanction provisions may remain subject to prosecution.
According to the CC-S, Switzerland has adopted the list of individuals sanctioned by the EU. Consequently, the CC-S is of the opinion that it is necessary to investigate whether measures to ensure the rule of law require scrutiny. The Federal Council asserts that the implementation of EU sanctions has demonstrated its value as the preeminent trading partner in this context. The efficacy of unilateral sanctions would be constrained, whereas Switzerland’s propensity for numerous deviations could facilitate their circumvention and diminish predictability. Sanctioned entities, including organisations, companies, and individuals, still could assert their rights, according to the Federal Council.
Finally, the CC-S approves the actions implemented by the SECO and the Federal Council in accordance. However, as part of its follow-up review, the CC-S notes that it is currently unable to render a final assessment. Therefore, the CC-S announced that it will revisit the relevant recommendations in the future. The Federal Council shares the CC-S’s view that the data basis for participation in economic sanctions has been improved and that the movement of goods is monitored more closely, particularly in connection with the sanctions against Russia.
Congress expands DOJ’s authority to pursue corrupt non-US government officials with Foreign Extortion Prevention Act (FEPA)
On 14 December 2023, as part of the National Defense Authorization Act for Fiscal Year 2024 (NDAA), the U.S. Congress enacted the Foreign Extortion Prevention Act (FEPA). The FEPA creates criminal liability for foreign public officials who solicit or accept bribes from certain categories of US persons and companies and thus mirrors the Foreign Corrupt Practices Act (FCPA).
FEPA was primarily intended to equalise the playing field for companies conducting business outside the United States. Foreign bribery by corporations (i.e., the supply side of bribery) is explicitly forbidden by the Foreign Corrupt Practices Act (FCPA) in the case of multinational corporations. FEPA thus criminalises the demand side of bribery, which consists of foreign officials soliciting or accepting bribes. This affords businesses the chance to counter the corrupt demands of foreign officials by emphasising that, due to FEPA, both the business and the government official may be held criminally liable for the bribe.
Infractions of the FEPA may result in i) a fine of up to USD 250’000 or three times the monetary equivalent of the valuable item (in contrast to the FCPA, which imposes a maximum penalty of two times the monetary gain or loss suffered by another individual), or ii) imprisonment for a maximum of 15 years (in contrast to the FCPA’s statutory maximum of five years imprisonment). In addition, the US Attorney General is obligated by FEPA to release a yearly report that provides a summary of the primary enforcement actions undertaken by the US Department of Justice (DOJ) in accordance with the law.
Dutch data privacy case: tech giant as guinea pig in EU’s class-action reforms
A Dutch consumer rights organisation filed a lawsuit against tech giant Amazon late last year, alleging that the company unlawfully tracks users’ online activity without their consent. This allegation is remarkably similar to the one over which Amazon was found to have violated the GDPR in 2021.
The latest legal dispute involving Amazon in the Netherlands has the potential to become a forum where public policy concerns are contested, with implications that transcend the specific case at hand. Stichting Data Bescherming Nederland (SDBN; the Netherlands Data Protection Foundation) filed a class-action lawsuit against Amazon on the grounds of privacy law infringement, subsequent to the EU’s enactment of legislation that facilitated the ability of consumer organisations to initiate legal proceedings against companies. Although class-action lawsuits have traditionally been a customary occurrence in U.S. courts, the implementation of this novel legislation might cause a transformation in the way consumers pursue redress.
The class action is among the initial significant cases after the EU’s facilitation of class-action claim filing by consumers. However, it is yet to be seen whether the new law will benefit aggrieved consumers or burden the court system excessively, according to author Chelsea Burkhart.