international news - lexologydocuments.lexology.com/475569eb-7e6b-4aec-82df-f128e8c67... ·...


Page 1: International News - Lexologydocuments.lexology.com/475569eb-7e6b-4aec-82df-f128e8c67... · 2013-11-18 · Welcome to the last issue of International News for 2012.In this issue we

International News
ISSUE 3 2012

Social Media Privacy Around the Globe p.6

The OECD Fights Multinationals over Transfer Pricing for Intangibles p.20

Focus On: Data Privacy and Security


In This Issue

Hugh Nineham 3

Focus On Data Privacy and Security

Minding the Gap: Taking the Step Beyond Regulatory Compliance into Effective Privacy Management Practices

Heather Egan Sussman and Ann Killilea 4

Social Media Privacy Around the Globe

Paul Melot de Beauregard, Heather Egan Sussman, Sharon Tan, Veronica Pinotti, May Lu, Jason Casero, Sebastien Le Coeur and Evan Panich 6

European Data Protection Reform: The Debate Rages On

Rohan Massey and Keo Shaw 8

Legitimacy of Social Media Background Checks in Germany

Paul Melot de Beauregard and Christian Gleich 10

Workplace E-mail Monitoring in Germany

Volker Teigelkötter and Bettina Holzberger 12

Privacy Scofflaws Beware: Increasing Fines in the United Kingdom and Europe

Sharon Tan 14

Italian Data Protection Authority Releases Guidelines on Cloud Computing

Massimiliano Russo 16


Features

International Arbitration: Why to Agree to It and How to Avoid Going Through with It

B. Ted Howes and Jacob Grierson 18

The OECD Fights Multinationals over Transfer Pricing for Intangibles

Steven Hannes 20

The United Kingdom’s New Competitive Tax Regime for Companies

Tom Scott 21

Crowdsourcing Intellectual Property

Rohan Massey and Leigh Smith 22

Are Family Funds a Threat to Private Equity Funds?

Mark Davis, Mark Selinger and Eleanor West 24

CJEU Expands Freedom of Establishment in the European Union

Michael Ruoff 26


Editor: Hugh Nineham +44 20 7570 1425 [email protected]

Managing Editor: Rohan Massey +44 20 7577 6929 [email protected]

Publication Editors: Kate Hinze, Ellen McDonald

Contributing Authors: Paul Melot de Beauregard, Jason Casero, Mark Davis, Christian Gleich, Jacob Grierson, Steven Hannes, Bettina Holzberger, B. Ted Howes, Ann Killilea, Sebastien Le Coeur, May Lu, Rohan Massey, Evan Panich, Veronica Pinotti, Michael Ruoff, Massimiliano Russo, Tom Scott, Mark Selinger, Keo Shaw, Leigh Smith, Heather Egan Sussman, Sharon Tan, Volker Teigelkötter, Eleanor West

To learn more about International News or our international practice, visit www.mwe.com/international/. To be added to our mailing list or report a change of address, please e-mail [email protected]. To sign up to receive substantive communications from McDermott, visit www.mwe.com/subscribe/.

The material in this publication may not be reproduced, in whole or part without acknowledgement of its source and copyright. International News is intended to provide information of general interest in a summary manner and should not be construed as individual legal advice. Readers should consult with their McDermott Will & Emery lawyer or other professional counsel before acting on the information contained in this publication.

© 2012 McDermott Will & Emery. The following legal entities are collectively referred to as “McDermott Will & Emery,” “McDermott” or “the Firm”: McDermott Will & Emery LLP, McDermott Will & Emery AARPI, McDermott Will & Emery Belgium LLP, McDermott Will & Emery Rechtsanwälte Steuerberater LLP, McDermott Will & Emery Studio Legale Associato and McDermott Will & Emery UK LLP. These entities coordinate their activities through service agreements. McDermott has a strategic alliance with MWE China Law Offices, a separate law firm. This communication may be considered attorney advertising. Prior results do not guarantee a similar outcome.


Welcome to the last issue of International News for 2012. In this issue we focus on data privacy and security for national and international businesses.

When faced with the gap between the need to translate regulatory requirements relating to data privacy and security into actionable plans, companies want to know how other, similar multinationals address these issues. We therefore start with a look at a 2012 study by Kenneth Bamberger and Deidre Mulligan into the management of privacy by US businesses.

A team of international contributors from across McDermott offices and from MWE China Law Offices then provides an overview of the extent to which employers can legally monitor their employees’ e-mails and presence on social media sites.

We take an EU-wide perspective on the European Commission’s proposal for data protection reform. Since the proposed legislation was unveiled in January 2012, commentators, regulators, businesses and EU Member States have been abuzz, voicing their concerns. The outcome of a recent conference organised by the Committee on Civil Liberties, Justice and Home Affairs, the body appointed by the European Parliament to assist with data protection reforms, provides a good overview of the main issues that are of concern.

Returning to the issue of online privacy, we take an in-depth look into the legal situation in Germany with regard to employers conducting employee background checks through social media and the monitoring of workplace e-mails.

We turn then to the United Kingdom and review how the commitment of the Information Commissioner’s Office to enforcing the Data Protection Act 1998 (DPA) is translating into increased fines for serious breaches. With the level and number of fines increasing in the last year in the United Kingdom in line with a European trend, ensuring compliance with the DPA has never been more important.

We move then to Italy where we examine recent guidelines issued by the Italian Data Protection Authority on cloud computing. Efficiency and cost savings, the key benefits of this new technology, should not be allowed to outweigh the exposure to risk of non-compliance and data vulnerability.

In our Features section, we start with an examination of how carefully worded escalation clauses in arbitration agreements can help maximise the chances of an amicable settlement to disputes resolved through arbitration.

We then take a look at some recent developments in taxation. On 6 June 2012, the Organisation for Economic Co-operation and Development released a discussion draft in which it proposed changes to long-standing principles that determine for income tax purposes the “arm’s length” compensation related parties should pay each other for the transfer or use of intangibles. The discussion draft’s most direct attack on international business concerns the standards used to evaluate which affiliate within the multinational group is considered to be the “tax owner” of intangibles. In the United Kingdom, in 2010, the Coalition Government published its “Corporate Tax Road Map”, setting out proposals to reform the UK corporate tax system. The Road Map’s stated aim is to create “the most competitive corporate tax regime in the G20”, and evidence is mounting that the United Kingdom is close to achieving that goal.

Our attention shifts to the emerging trend of using “crowdsourcing”. This is essentially a form of mass outsourcing, but instead of engaging a specific third party to undertake a task, the task is made available for anyone in the “crowd” to complete. There are a number of legal challenges inherent in crowdsourcing, but one of the most significant flows from the question of who owns the intellectual property in the responses received to a crowdsourced task. We explore ways in which companies can protect themselves.

Finally, we examine the challenge to private equity (PE) funds. Historically PE funds have had only two types of competition: strategic investors and each other. In the past few years, however, a new form of competitor has emerged: their own limited partners. To be more specific, the threat is coming from the high net worth families that used to form the backbone of many PE funds, before institutional money came pouring in.

If you have any comments on this issue or would like to contribute to International News, please contact me at [email protected].

Hugh Nineham
Partner & London Office [email protected]

Minding the Gap: Taking the Step Beyond Regulatory Compliance into Effective Privacy Management Practices

By Heather Egan Sussman and Ann Killilea

As anyone who has taken a train knows, there is that moment when you must disembark, stepping from the car to the platform, traversing the threatening gap between the two. The same concern applies to a multinational organisation trying to bridge the gap between a moving and uncertain regulatory environment and the need to establish a stable and strategic corporate approach to privacy management.

Most multinational enterprises now understand that there are myriad privacy requirements, but it is the next step—“now what do I do?”—that causes most corporate challenges. Companies must translate regulatory requirements into actionable plans that can be implemented across an array of countries, business units and worldwide functions such as human resources. As corporations face this challenge, they often want to know how other multinational enterprises address these issues, vertically from the board level down, and horizontally across business units and diverse geographies.

Comparative Corporate Privacy Management Practices

Two US privacy scholars, Kenneth Bamberger and Deidre Mulligan, have conducted pivotal studies examining the role of privacy management in corporations from diverse industries. They conducted empirical research into comparative privacy practices through interviews with chief privacy officers (CPOs), or the senior corporate officer responsible for privacy, of nine companies. The CPO responses, although they represent various companies in multiple industries, evidence considerable coherence on a number of fronts:

• Privacy has moved from a compliance-oriented activity to a risk-assessment process. Corporations are embedding privacy in product design and market entry decisions, as well as in corporate policies.

• Legal developments, though critical for compliance purposes, provide only the baseline for justifying and allocating resources.

• The CPOs agreed that the concern now was about preventing consumer harm and fostering a trustworthy reputation in the eyes of the corporation’s customers.

• Privacy is a strategic core business matter, not only a compliance function. In the words of one interviewee CPO, “[T]he law in privacy … will only get you so far.” Another explained that broader principles have to be developed that can guide privacy decisions consistently in a variety of contexts; privacy must be “strategic, part of the technical strategy and the business strategy.”

• This change in focus—away from purely a concern about compliance toward a concern about preventing consumer harm—makes it critical that privacy management be integrated into corporate decision-making, similar to a consumer product that incorporates safety as an attribute integral to the product.

• Privacy is viewed less as a cost centre and more as a function on the same level as product operability and process effectiveness.

This profound shift informs how these corporations organise the privacy function, including the reporting structure, the involvement of the board and high-level senior management, and the metrics for success.

From a review of these and other corporate best practices, identifiable characteristics are emerging: senior-level privacy leadership, a strategic risk management approach and distributed expertise and accountability. These form a solid foundation for an enterprise-wide program that takes a dynamic, forward-looking privacy approach.

Senior-Level Privacy Leadership

Most corporate mission statements emphasise the importance of delighting the consumer by providing high quality goods and services. Privacy fits into this rubric because it is about consumer trust: honouring consumer expectations and doing the consumer no harm. While legal compliance may be a non-negotiable deliverable, privacy is ultimately about the company’s relationship to its customers. Perceived this way, privacy programs will likely attract senior level commitment.

The Bamberger and Mulligan studies, as well as other presentations on this topic, show that the most effective CPO functions at the top level of firm management. The CPO’s role includes substantial engagement with internal and external stakeholders. In the Bamberger and Mulligan studies, the CPOs described their roles as heavily strategic, as opposed to operational and compliance-oriented. One noted, “my team is not responsible for compliance; they’re responsible for enabling the compliance of the business.”

Strategic and Operational Privacy

A “one size fits all” approach to privacy cannot be applied as risk manifests itself in different ways depending on the organisation and its industry. The part of the organisation that the CPO reports to, the number of privacy specialists reporting to the CPO and the question of who should conduct privacy assessments depend on the maturity level of the organisation’s privacy culture and the attributes of the organisation.

What is common across businesses, however, is a desire to build brand and revenue, reduce risk and demonstrate compliance. Privacy management calls, therefore, for a cross-functional team made up of senior corporate management, business unit management, information security, marketing, corporate communications, human resources, contracting, compliance and legal. In addition, this team needs to include a group of relative newcomers to privacy oversight: the board of directors, the chief executive officer (CEO) and the chief financial officer.

Data security is being taken increasingly seriously by shareholders and the US Government. The US Securities and Exchange Commission has issued nonbinding encouragement to all public companies to disclose in their regulatory filings descriptions of the specific cybersecurity threats they face and the steps they are taking to mitigate these risks. US Senator Rockefeller sent letters recently to the CEOs of the Fortune 500 asking that they reveal details of their cybersecurity programs.

With this backdrop, it becomes clear that privacy decision-making must be distributed throughout the company to senior people. It must be managed by a cross-functional team with clear leadership in the CPO, and take advantage of existing risk management processes that flow throughout the organisation, with appropriate oversight from leadership.

Distributed Expertise and Accountability

In the organisations studied by Bamberger and Mulligan, business unit managers are held accountable for setting and meeting privacy objectives. A network of specially trained advocates in the business units are assigned to identify and address privacy concerns during the design phases of business initiatives, product development and marketing programs.

The CPO and his or her direct reports arm these privacy advocates with specialised training, decision-making tools and regular reporting obligations so they can raise privacy issues as the business units or functions roll out new initiatives, products or strategies. Having someone at the table who is known as “the privacy person” will cause others to consider the privacy ramifications of the initiative from the outset and make privacy part of the corporate mentality.

If the privacy person is not available—or, worse, not readily identifiable—privacy will become a box-checking exercise as the last, robotic corporate stop prior to product or service announcement. By then, it is often too late to minimise the potential of doing harm to the consumer, to maximise positive market impact and to mitigate legal risk. It also can be extraordinarily costly for a business to correct privacy and cybersecurity missteps at the end of the development lifecycle. By seating the privacy advocate at the table from concept through launch, design teams can innovate and thrive as they build the brand and consumer confidence in it.

By incorporating these corporate privacy management practices, a multinational enterprise can step confidently from one platform (a more limited compliance perspective) to another (an enterprise-wide program aligned with core values and having built-in accountability) without running into unnecessary or unanticipated risks. By having such an enterprise-wide program, when privacy or security incidents do occur, they are more likely to be the exception than the rule.

Kenneth Bamberger and Deidre Mulligan’s study, New Governance, Chief Privacy Officers, and the Corporate Management of Information Privacy in the United States: An Initial Inquiry (Law & Policy), can be found at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1701087.

Heather Egan Sussman is a partner based in the Firm’s Boston office. She is co-chair of the Firm’s global Privacy and Data Protection Group and is a Certified Information Privacy Professional. She can be contacted on +1 617 535 4177 or at [email protected].

Ann Killilea is counsel based in the Firm’s Boston office. She has more than 25 years of experience as senior in-house corporate counsel, including advising Hewlett-Packard Development Company’s IT outsourcing business unit on privacy and data security matters. Ann can be contacted on +1 617 535 3933 or at [email protected].

“Privacy is a strategic, core business issue, not just a compliance function.”

Social Media Privacy Around the Globe

By Paul Melot de Beauregard, Heather Egan Sussman, Sharon Tan, Veronica Pinotti, May Lu, Jason Casero, Sebastien Le Coeur and Evan Panich

As the popularity of social media and information sharing grows, so too does the importance of that shared data to employers. Information sent by employees—whether it is sent from e-mail accounts or through social networking services—can be invaluable for tracking inefficiency, investigating wrongdoing or even screening potential employees.

Unsurprisingly, the extent to which employers can legally monitor their employees’ electronically shared data depends in large part upon where the employees are located. In a recent webcast, McDermott Will & Emery’s international team of data privacy and security lawyers discussed how the privacy regimes of their respective countries apply to this evolving area of law.

China

In China, it is uncertain if there is any precedent for an employer requesting an employee’s social media login details; there are certainly no specific laws or regulations covering this. Although there is a general belief that employers have a duty to protect the personal information of their employees, it is unclear if the Chinese Government will regulate employer conduct in this area.

It is, however, reasonably common for Chinese employers to monitor their employees’ e-mail communications. Again, there are no specific laws or regulations against doing so, but best practice dictates that employers draw a distinction between communications sent from company equipment and those sent from employees’ personal devices, and that employers provide notice to employees in advance before reviewing e-mails.

France

In France, employers cannot request the logins to social media accounts. As in other countries, however, there are no restrictions on employer access to employee profiles and postings that are open to the public. Although France protects freedom of speech, employees may nevertheless be terminated for abusing that freedom in social media.

French law has a developed regulatory framework for employers that wish to examine the content of employee e-mail communications. For instance, before accessing e-mail, the employer must consult the proper government agencies. Once the proper paperwork has been filed, an employer can generally access the electronic files and communications of an employee, although files identified as “private” can only be accessed if the employee is present.

Germany

In Germany, an employer may not request login credentials for the social media accounts of employees or potential employees as this is considered an unjustified encroachment on the constitutional right of self-determination. Where the social media account is used by the employee solely for business purposes, however, the account could be classified as belonging to the employer, so the employer is permitted to access its login information and content. Although pending legislation may expand the rights of employers to investigate the content of employees’ leisure social media accounts, it is likely this will be limited to what is accessible publicly.

With respect to employer monitoring of employee e-mail, German law generally requires drawing a distinction between situations where private use of company equipment is permitted and where it is not. Where such use is permitted, an employer may not survey the content of personal e-mail without the express consent of the employee. Where such use is not permitted, however, current legislation suggests there are no such restrictions.

For further detail on e-mail monitoring and social media access in Germany, please see pages 10 and 12.

Italy

Italy does not have well-developed guidelines on employer monitoring of employees’ social media accounts. In the absence of specific regulation, Italy’s general principles concerning the protection of personal data apply. In this context, the content of social media accounts may be deemed particularly sensitive because they contain the personal data of not only employees, but also of third parties.

With respect to employer monitoring of employee e-mail communications, however, there is an abundance of case law. Existing agreements between employers and trade unions have a significant impact on what employers are permitted to monitor. In practice, employers are encouraged to make available separate accounts and workstations to facilitate employees’ private communications so there can be no dispute regarding what constitutes professional communication.

United Kingdom

The United Kingdom has taken a more categorical approach to employer requests for social media login credentials, the legitimacy of which depends on whether the account is personal or professional in nature. For instance, if the account is personal, an employer may request access, but cannot require it. If the account is purely professional in nature and has been set up by, and belongs to, the employer, then the employer can demand access.

When the account in question has both a personal and a professional component (as is the case for many professional networking services), a more nuanced approach is required. The employer may seek to assert some form of intellectual property rights over the data held in such accounts, but the employee may, for example, claim that the privacy settings used have rendered the material no longer confidential. Resolution of such debates will depend upon an array of factors, such as any existing employment contract or social media policies that may be in place. In difficult cases, a balance must be struck between the legitimate interests of the employer and those of the employee.

In the case of e-mail monitoring, the potentially adverse effect on employees must be justified by the employer. Before making the decision to monitor these communications, employers should consider alternatives and understand the obligations that follow from a decision to monitor. In some cases, i.e., the interception of electronic communications in the course of transmission, employers are required to obtain the freely given consent of the affected employees.

United States

In the United States, some employers have attracted a great deal of media attention for requiring login credentials from current or prospective employees’ social media accounts. These requests are often founded upon legitimate business needs, e.g., information gathered from social media accounts can be used to test the veracity of claims made by interviewees.

The public response to these practices has, however, generally been negative, and state governments have responded accordingly. The states of California, Illinois and Maryland have passed laws expressly prohibiting employers from requesting or requiring login credentials, and 14 states considered related legislation in 2012. The federal government has considered similar laws, but for now appears content to let the states take the lead.

Employer monitoring of employee e-mail is a more settled area of law in the United States. It has become common practice for employers to include within employee training materials and compliance policies clear notice that e-mail communications sent and received from company e-mail addresses may be monitored. In all but a few instances—for example, where an employer has failed to provide adequate notice to its employees—an employee does not have a legitimate expectation of privacy in company e-mail communications.


Paul Melot de Beauregard is a partner based in the Firm’s Munich office and head of the Munich employment practice. He can be contacted on +49 89 12712 121 or at [email protected].

Heather Egan Sussman is a partner based in the Firm’s Boston office, co-chair of the global Privacy and Data Protection Group and a certified information privacy professional. She can be contacted on +1 617 535 4177 or at [email protected].

Sharon Tan is a partner based in the Firm’s London office. She focuses on all aspects of contentious and non-contentious employment law and on data privacy. She can be contacted on +44 20 7577 3488 or at [email protected].

Veronica Pinotti is a partner based in the Firm’s Milan, Rome and Brussels offices, head of the Italian EU competition and regulatory practice and a member of the Firm’s Privacy and Data Protection Group. She can be contacted on +39 02 78627302 or at [email protected].

May Lu is a counsel of MWE China Law Offices based in Shanghai and a China law advisor to McDermott’s Privacy and Data Protection Group. She can be contacted on +86 21 6105 0590 or at [email protected].

Jason Casero is an associate based in the Firm’s New York office. He can be contacted on +1 212 547 5676 or at [email protected].

Sebastien Le Coeur is an associate based in the Firm’s Paris office. He can be contacted on + 33 7 61 67 34 54 or at [email protected].

Evan Panich is an associate based in the Firm’s Boston office. He can be contacted on +1 617 535 3836 or at [email protected].


European Data Protection Reform: The Debate Rages On

By Rohan Massey and Keo Shaw

The European Commission issued a proposal for data protection reform at the start of 2012. The proposed legislation is set to replace the existing Directive 95/46/EC with the directly effective Data Protection Regulation (Regulation), designed to harmonise the currently fragmented rules, and a directive relating to the protection of personal data processed for the purposes of criminal offences and related judicial activities. Since January, commentators, regulators, businesses and EU Member States have been abuzz, voicing their concerns about the Regulation.

April saw detailed comments on the Regulation from the UK Information Commissioner’s Office and from the European Union Article 29 Data Protection Working Party. In June, the European Council prepared a revised version of the first 12 Articles of the Regulation, incorporating comments from various Member States.

Many of the amendments highlighted significant resistance to basic points of principle. The European Council’s revised draft dealt with just 13 per cent of the substantive provisions, and included 147 footnotes explaining the changes and detailing the views of Member States.

In October, an Interparliamentary Committee Meeting was held at the European Parliament in Brussels. The conference was organised by the Committee on Civil Liberties, Justice and Home Affairs (LIBE), the body appointed by the European Parliament to assist with data protection reforms, headed up by rapporteurs Jan Albrecht and Dimitrios Droutsas. It was intended to engage members of the European Parliament and national parliaments in an exchange of views on the reform of the EU data protection framework. This debate provides a good overview of the main issues that are still of concern.

The proposed harmonisation of rules through the use of the directly applicable Regulation and the plan to clarify applicable law by introducing a “one-stop-shop” system were broadly welcomed. Concerns about subsidiarity, however, and how the Regulation would be reconciled with national laws and privacy cultures, remained. Unease was notable, particularly with regard to employment and law enforcement provisions, owing to legislative divergence in these areas.

The number of delegated and implemented acts was criticised consistently. These provisions would allow the European Commission to modify non-essential elements of the legislation and to propose non-legislative clarifications using a fast-track procedure. While the delegated acts introduce an element of flexibility into the framework, anxieties over legal certainty and excessive power being granted to the European Commission also exist. Viviane Reding, vice president of the European Commission, made it clear that the Commission would consider reducing the vast number of delegated acts. There was also consensus amongst attendees that details of enforcement, especially the practical implementation of the proposed consistency mechanism and cooperation between various data protection authorities and the proposed European Data Protection Board, needed more clarification.

The Right to be Forgotten (Article 17 of the proposed Regulation) received a significant amount of attention. The principle itself builds on rights that exist already in European data protection law, with the main purpose being to remove data that people have shared about themselves, and not data published by others. Serious criticisms persist, however, of the potential for this right to infringe freedom of expression and the possibility of intermediary liability being imposed. Making online services liable for the availability of content over which they have no control, for example, could lead to measures that infringe on freedom of expression. Such measures may include the implementation of monitoring technologies that would fly in the face of everything the Regulation seeks to achieve. As such, skepticism remains as to how the right to privacy and the right to expression can be preserved without conflict.

While Article 80 of the Regulation directs Member States to provide derogations to protect freedom of expression, individual Member States sometimes have different interpretations of the fundamental right to freedom of expression. It is likely that reasonable exceptions in the Regulation will need to be expanded to take account of this.

Another contentious aspect of the Regulation is Article 23, which addresses data protection by design and by default. The concept of privacy by design is that data controllers should build privacy into the technological architecture of their products and services, as well as into their organisational policies, providing end-to-end privacy protection. The tension between large, mostly US-based, corporations and European data protection regulators is notable in relation to this point. The Managing Director of Facebook and former Member of the European Parliament, Erika Mann, made the point that privacy by design is not at all conducive to social media networks. This line of argument has been rebuffed previously: while it is true that people join social networks to share, that doesn’t imply necessarily that they do not also value their privacy. Making conscious choices about sharing information with other individuals is completely different from information being shared with third parties without the individual’s knowledge or consent.

Issues surrounding consent (Articles 3 and 7) were also considered at length at the conference. The Regulation proposes to ban all data processing anywhere in Europe unless the users have granted their explicit approval, strengthening the obligation to use opt-ins by which the user has to grant consent actively. At present, some national laws allow consent to be inferred from the situation. The Regulation now requires that consent be informed and explicit, with a clear affirmative action or statement. If a data controller relies on consent, he or she bears the burden of proving that it was given.

Importantly, consent cannot be used when there is a significant imbalance between the data subject and the controller. Regulators welcome the stricter test of explicit consent, but there are reservations as to the invalidity of consent where this significant imbalance exists.

By contrast, many Member States and corporate lobbyists have criticised the additional requirements to consent as being unrealistic. Companies fear that this form of explicit consent will result in “click fatigue”, causing a considerable drop in user numbers and making personalised advertising considerably more difficult.

Conclusion

This is just a flavour of the heated debate that rumbles on in relation to European data protection reform. During this two-day event, the American delegation and the European Commission failed to make much progress towards reconciling their clashing viewpoints and, judging by the vehemence of argument that persists some seven months after the proposed Regulation was first published, there is still some way to go.

LIBE is expected to present its draft report on the proposed legislation by the end of this year, after which Member States will be invited to table their amendments. LIBE will then meet to discuss those amendments and it is expected that an orientation vote (where the committee votes and concludes upon its initial position in light of the negotiations) will be held in April 2013. The current timetable should allow the Regulation to be ready for trilogue with the European Council and European Commission by the summer of 2013, and to be put to a vote in the plenary session of the European Parliament in early 2014.

Keo Shaw, a trainee solicitor based in the Firm’s London office, also contributed to this article.


Rohan Massey is a partner based in the Firm’s London office and the co-head of the Privacy and Data Protection Group. He regularly advises on a broad range of data protection, privacy and security issues, focusing on the tensions between European and US regimes and international data transfer compliance. Rohan can be contacted on +44 20 7577 6929 or at [email protected].


Legitimacy of Social Media Background Checks in Germany

By Paul Melot de Beauregard and Christian Gleich

In an ideal situation, the employment relationship should last for a significant time, so it should be as easy to manage and smooth-running as possible. On this basis, when an employer is recruiting, the personality of the applicant and his or her behavior in a social setting are as important as their qualifications.

Care must be taken to ensure the applicant fits into the existing team and is unlikely to harm the public image of the employer. An employer does not want to discover after signing the contract that a newly recruited employee distributes extremist ideas to an infinite number of people via the internet, or spends his or her free time partying and drinking, with the inevitable consequences on work performance.

These characteristics are rarely revealed at a job interview. Employers are therefore reliant on other sources to gather important information about their applicants. Social media provide a perfect opportunity to learn more about applicants, because individuals tend not to withhold sensitive information from their network. They upload private photos, comment on their friends and connections, post personal opinions, circulate information, etc. From online sources, certain inferences about the applicant’s character could be drawn easily. This leads to the decisive question of whether or not these social media “background checks” are lawful in Germany.

The Law as It Stands

Currently, there is no specific legal basis for social media background checks in Germany. The general provision of Section 28 Paragraph 1 of the Federal Data Protection Act (BDSG) states the collection of personal data is only lawful if “the data is generally accessible or the controller would be allowed to publish them, unless the data subject has a clear and overriding legitimate interest in ruling out the possibility of processing or use”.

When Section 28 Paragraph 1 is applied to online background checks, personal data that could be revealed by entering the subject’s name into a search engine (e.g., Google) without any further registration by the employer or approval by the applicant, may be taken into account legitimately by the employer. This also applies to social media, regardless of its character, which tends to be either work-related (e.g., LinkedIn) or leisure-related (e.g., Facebook).

The legal situation is more problematic if the information contained in social media is only accessible to members (in which case employers would have to register in order to access it) or certain parties authorised by the potential employee (such as Facebook friends or LinkedIn contacts). Owing to the lack of case law, the legal situation in this scenario is vague.

Some commentators say the line should be drawn in relation to the character of the social media: work-related or leisure-related. These commentators argue that only work-related media should be reviewed and all leisure-related media should remain private.

Others argue the line should be drawn at the point where the applicant has made his or her online information private. On this basis, an employer could legitimately review all public information. A background check would, however, be unlawful if the employer accessed the restricted, private profile by obtaining access by fraudulent means, e.g., by purporting to be someone else and establishing an online “friendship”.

In an attempt to clarify the law, this issue was incorporated into a second draft of the proposed German Federal Data Protection Law for Employees that was submitted by the German Federal Cabinet in August 2010. The original version of the draft contained an express—and restrictive—statement regarding social media background checks. According to the first draft, background checks would only be lawful if conducted in work-orientated social media; leisure-related media would have been off limits.

In the course of the law-making procedure, however, this provision was withdrawn by the Federal Ministry of the Interior and replaced by another, more abstract and less restrictive, provision that refers not only to background checks but also to the personal data of employees in general. According to this provision, social media background checks would be lawful insofar as the social media is open to the public. This means that the sole limitation for background checks would be if the applicant has restricted access to his or her profile to friends, and if he or she did not grant friendship to the employer. This revised provision expands the legitimacy of background checks in favour of the employer, but until it is enshrined in law (and that date is currently unknown), the employer should still exercise caution in accessing potential employees’ leisure-related social media.

Consequences of a Breach of Privacy Law

Until the situation is fully clarified, either by the coming into effect of the Data Protection Law for Employees or through test cases that establish case law, employers need to consider two issues relating to liability. The first is the infringement of pre-contractual obligations, and the second is the infringement of the constitutionally protected, general “right to personality”. Both infringements could result in damage claims.

According to German law, obligations between the contractual parties could arise even before the contract is concluded. The negotiating parties are obliged to act in a manner that ensures the legally protected rights of the other party, in particular their physical identity and property rights and right to personality, are not infringed.

Though such claims could not result in a demand for employment, they could result in compensation for the damage suffered, either a material (financial) loss or non-material damage (injury award).

Material damages can be awarded if the applicant can demonstrate and prove that a financial loss occurred as a result of an unlawful background check, i.e., the applicant claims that he or she would have been employed if the employer had not conducted the background check. This is usually quite difficult for the employee to prove; in most cases, the applicants do not even know that a social media background check has been conducted. Employers should therefore be careful not to refer to a social media background check when explaining to a candidate that they have not been selected. The same applies in relation to an injury award but, even if the applicant could demonstrate and prove an unlawful background check, the encroachment on the applicant’s right of personality would have to be severe in order to justify an award. This is unlikely to be the situation in ordinary cases.

In order to be as safe as possible, however, an employer should restrict social media background checks to search engine enquiries and only access work-related and leisure-related personal profiles that are fully public. If an employer goes further, it runs the risk of facing injury and financial damages claims. Even if these are rejected by the courts, the time and expense of dealing with them, and the potential damage to its reputation, are unacceptable risks.


Paul Melot de Beauregard is a partner and head of the Firm’s employment practice in Munich. He advises on data privacy and has significant experience regarding all issues of data privacy at the workplace including the implementation of works agreements, data privacy policies and respective inter-company agreements, the liability of board members and managing directors, and compliance with the legal framework on company and group level. Paul also advises on implementation and execution of clinical trials and data privacy violations. He can be contacted on +49 89 12712 121 or at [email protected].

Christian Gleich is an associate based in the Firm’s Munich office. He advises on labour and employment law, covering the entire field of formation of employment, service and termination agreements as well as the judicial and extrajudicial support of companies in relation to dismissal protection. Christian also advises companies on all aspects of data privacy law. He can be contacted on +49 89 12712 121 or at [email protected].


Workplace E-mail Monitoring in Germany

By Volker Teigelkötter and Bettina Holzberger

In 2009, the German public was shaken by several scandals that revealed a number of international companies systematically, continuously and comprehensively monitored their employees’ personal data. This included spying on employees’ private bank accounts and secretly observing employees in their offices via hidden video surveillance.

Even though the general Federal Data Protection Act (the BDSG) was effective at the time, the German Government came to the welcome conclusion that it was necessary to implement a data protection act dedicated to the particularly sensitive relationship between employers and employees, with the primary objective of protecting employees and their right to privacy.

Statutory Provision

A new provision, Section 32 BDSG that was meant to be temporary, was enacted with haste. Despite being incomplete, it is still the only statutory standard according to which the legitimacy of any monitoring measure undertaken in an employment relationship is evaluated.

Pursuant to Section 32 BDSG, an employee’s personal data may be collected, processed or used for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract. “Personal data” means any information concerning the personal or material circumstances of a person, in this case the employee.

Section 32 BDSG is the only provision that governs the question whether or not and—if the answer is yes—under what circumstances and to what extent the employer can monitor legally its employees’ business e-mail account.

Informed Written Consent

Besides Section 32 BDSG, and as a result of the employee’s fundamental right to make decisions relating to his or her personal data, such data can also be used legally with the employee’s express consent. According to Section 4a, the consent has to be in writing and must be based on the employee’s freely made decision while being fully informed of the purpose of the collection, processing or use of the data and the consequences of withholding consent.

Although it is not uncommon in German employment contracts to include a provision containing the employee’s general consent to any kind of data collection, processing and use, it is doubtful that such general and unspecified consent (in terms of scope and purpose) in standard terms is in accordance with the prerequisites set out in Section 4a BDSG. Moreover, even if effective consent is granted, it is revocable by the employee at any time.

Legitimacy

The crucial distinction that has to be made in order to assess the legitimacy of e-mail monitoring under Section 32 BDSG is whether or not the employer allows the use of the business e-mail system by its employees for private communications.

Private Use Prohibited

If the employer prohibits any private use of the business e-mail system it is—as a general rule—legal for the employer to monitor all e-mail correspondence. Just as traditional hard copy letters are business correspondence, e-mail correspondence is seen as business correspondence and therefore cannot be considered “personal data”. As a result, the application of the BDSG and the protection it affords to employees is not triggered. The employer may save connection data (such as date, time and data volume) and the e-mail addresses of the sender and the recipient, as well as access and save the content of all e-mails (content data) received and sent via the business account. An exception applies to cases of obvious private use of the business e-mail system, even if private use is prohibited. If an e-mail is marked as “private” by the employee or contains obviously private material (an indication of which could be a subject heading “personal”, “confidential”, “your doctor’s appointment”, “holiday pictures”, etc.) the employer may neither access nor save those private e-mails because the utilisation of such private data is not necessary for the establishment, carrying out or termination of an employment relationship under Section 32 BDSG.

Private Use Allowed or Accepted

If an employer allows the private use of the business e-mail system (joint e-mail address), it is prohibited from either saving or accessing connection data and content data. Significantly, this applies to private e-mails as well as to business e-mails. Access is prohibited to not only the content of the private e-mails, but also to the account itself as this would make available private information relating to the e-mail, such as the date and time it was sent, the subject heading and, most important, the person the employee is communicating with, or at least his or her e-mail address. As a consequence, the employer would not be able to access the employee’s account for any purpose, even in order to select business e-mails from private e-mails.

These strict standards apply not only if private use of the system is allowed expressly, but also if the employer accepts private use of the e-mail system implicitly. If, however, the employer allows the private use of the business e-mail system, but provides an e-mail account and address separate from the business account, the business account can be monitored fully, as it can be if private use was prohibited, whereas monitoring of the separate private account is strictly prohibited.

There is some controversy over whether or not the use of a business e-mail system is covered and protected by the secrecy obligation enshrined in the German Telecommunications Act (Telekommunikationsgesetz, or TKG). Because the protection of the TKG ends with the completion of the data transmission process, however, it is the BDSG that governs the legitimacy of any monitoring measure taken after the e-mail is received into the employee’s business e-mail account.

Monitoring to Investigate Crimes

Section 32 BDSG provides another reason for the lawful collection, processing and use of personal data, even if private use is allowed or accepted. The employer may take monitoring measures in order to reveal criminal conduct by its employee under the following statutory conditions:

• There must be a documented reason to believe the data subject has committed a crime while employed (in the framework of the employment relationship).

• The collection, processing or use of personal data is necessary to investigate the crime.

• The employee does not have an overriding legitimate interest in ruling out the possibility of collection, processing or use of the data if the type and extent of the collection, processing or use is not disproportionate to the reason.

The standard of sufficient evidence needed to trigger e-mail monitoring is very strict. There must first be concrete evidence that a crime has been committed. There must also be a tangible suspicion with regard to one specific employee—or at least with regard to a limited group of employees—and only those people can be monitored. Under no circumstances is company-wide monitoring of e-mail accounts of all employees permissible.

The assessment of legitimacy of e-mail monitoring in these circumstances has to be made on a case-by-case basis. This makes it difficult for the employer to legitimately take the decision to investigate crimes by monitoring e-mails. Other than in very clear-cut cases, a residual risk of violating the BDSG remains.

Recommendations

To reduce the risk of violating the BDSG, an employer should

• Prohibit the private use of the business e-mail system

• Provide a separate private e-mail account if private use is allowed

• Obtain valid consent from the employee for the specific monitoring measures the employer intends to take.


Volker Teigelkötter is a partner based in the Firm’s Düsseldorf office. He heads the German Labour and Employment Group, where his practice covers the entire spectrum of labour and employment law. Volker can be contacted on +49 211 30211 311 or at [email protected].

Bettina Holzberger is an associate in the Firm’s Düsseldorf office. She advises on all individual and collective aspects of labour and employment law. Bettina can be contacted on +49 211 30211 313 or at [email protected].


Privacy Scofflaws Beware: Increasing Fines in the United Kingdom and Europe

By Sharon Tan

The United Kingdom’s Information Commissioner’s Office (ICO) is committed to enforcing the Data Protection Act 1998 (DPA) and has the right to impose fines of up to £500,000 for serious breaches. With the level and number of fines increasing in the last year in the United Kingdom, in line with a European trend, ensuring compliance with the DPA has never been more important.

Legislation

The DPA, which came into force on 1 March 2000, provides the ICO with a number of tools to change the behaviour of organisations and individuals who collect, use and keep personal information. These tools include criminal prosecution, non-criminal enforcement and audits. The ICO also has the power to serve a financial penalty notice, requiring payment up to £500,000 for serious breaches of the DPA occurring on or after 6 April 2010, or serious breaches of the Privacy and Electronic Communications Regulations occurring on or after 26 May 2011.

A financial penalty will only be appropriate in the most serious situations. When deciding the amount of a penalty, the ICO takes into consideration the seriousness of the breach and other relevant factors including the size, finances and other resources of the data controller.

Examples of Penalties

The first two financial penalties were issued in November 2010 to Hertfordshire County Council (employees in the child-care litigation unit accidentally sent faxes to the wrong recipients on two separate occasions) and A4e Limited (which lost an unencrypted laptop that contained personal information) for the amounts of £100,000 and £60,000 respectively. Since then, the ICO has issued more than 20 financial penalties ranging from £60,000 to £325,000. The largest penalty served so far was levied on Brighton and Sussex University Hospitals NHS Trust on 1 June 2012 following the discovery on hard drives sold on an online auction site of highly sensitive personal data belonging to tens of thousands of patients and staff, including information relating to HIV and Genito Urinary Medicine patients.

Significant penalties issued by the ICO since 2011 include

• A £250,000 penalty issued on 11 September 2012 to Scottish Borders Council after former employees’ pension records were found in an overfilled paper recycle bank in a supermarket car park.

• A penalty of £175,000 issued on 6 August 2012 to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website.

• A penalty notice of £150,000 served on 5 July 2012 to Welcome Financial Services Limited following the loss of the personal data of more than half a million customers.

• A penalty notice of £225,000 served on 19 June 2012 to Belfast Health and Social Care Trust following a serious breach that led to the sensitive personal data of thousands of patients and staff being compromised. One of the behavioural issues taken into account by the ICO was the fact that the Trust failed to report the incident.

• A penalty of £100,000 issued on 13 February 2012 to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.

• A penalty of £140,000 issued on 30 January 2012 to Midlothian Council for disclosing to the wrong recipients sensitive personal data relating to children and their carers on five separate occasions. The penalty was the first against an organisation in Scotland.

• A penalty of £130,000 issued on 6 December 2011 to Powys County Council after the details of a child protection case were sent to the wrong recipient.

• A penalty of £120,000 issued on 9 June 2011 to Surrey County Council after sensitive personal information was e-mailed to the wrong recipients on three separate occasions.

These examples show the increasing value of the fines, from £120,000 in June 2011 to £250,000 in September 2012.

European Trend

The increasing level of fines imposed by the ICO in the United Kingdom appears to be in line with a European trend.

Germany has been at the forefront of privacy law developments for the last few years. In 2009 the German Federal Data Protection Act (the BDSG) was amended to introduce a stricter enforcement regime, increasing to €300,000 the maximum fine for each instance of unlawful processing of personal data. In November 2010, the Hamburg data protection authority (DPA) imposed a €200,000 fine against Hamburger Sparkasse, a savings and loans company, for using neuromarketing techniques without customer consent. The Hamburg DPA determined that the disclosure of bank account data to external consultants and the creation of customer profiles for targeted promotions constituted a serious breach of the BDSG, warranting the considerable €200,000 fine. The fine may well have been even higher had the bank not cooperated rapidly and made a strong commitment to comply with data protection law in the future.

Now other European territories are following suit. The Garante per la Protezione dei Dati Personali (the Garante), the Italian data protection authority, released a new set of data breach notification rules on 7 August 2012. These rules require that all telecommunications and internet service providers notify the Garante within 24 hours of discovering a data breach. In the most serious cases, individual users must also be notified within 72 hours. Entities that fail to make the required notifications can be fined between €25,000 and €150,000.

In the same month, Portugal also announced a new law requiring electronic communication service companies to similarly notify the Portuguese data protection authority, the National Data Protection Commission, of breaches “without unjustified delay”. Notifications must also be made to end users if the breach could affect them negatively, unless the entity can show that it has adopted “adequate technological protection measures”. Violations can lead to significant fines of between €5,000 and €5 million.

The move towards increased penalties for breaches of data privacy is highlighted by proposals for reform of the EU data protection law. In January 2012, the European Commission published its long-awaited proposals, and the main aspect of the reform is the draft Data Protection Regulation that would replace the Data Protection Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The new law, expected to come into effect by the end of 2013, has hit the headlines because, amongst other things, the fines for breach will be significantly greater than at present. Written warnings will be issued in cases of first and non-intentional failures to comply, followed by fines of up to €1 million, or a staggering 2 per cent of annual worldwide turnover for international businesses, depending on the seriousness of the breach and circumstances of the case.

The Future

According to the ICO, the number and size of financial penalties issued should compel individuals and organisations to take better care of personal data. It is clear the ICO will not shy away from using its powers to impose high penalties where there have been serious breaches of data protection law. Moreover, the new EU data protection law, when adopted, will increase the potential consequences for failing to treat data privacy as a key compliance issue for all businesses.


Sharon Tan is a partner based in the Firm’s London office. Sharon’s data privacy practice includes advising clients on data privacy and data security laws, building privacy and data protection programmes, rolling them out to global workforces and providing counsel regarding the collection, use, retention, disclosure, transfer and disposal of personal data in an employment context. She can be contacted on +44 20 7577 3488 or [email protected].


Italian Data Protection Authority Releases Guidelines on Cloud Computing

By Massimiliano Russo

There is a general assumption that adopting innovative technology will help improve efficiency and generate cost savings. Unfortunately, new technology is very often considered only from a business and IT point of view, despite it clearly triggering critical issues in terms of legal compliance. Efficiency and cost savings, the key elements of new technology, might imply hidden costs in terms of exposure to risk of non-compliance and data vulnerability.

Cloud computing allows companies to access data and documents, including confidential information, from any computer at any site in the world. To address some of the pitfalls inherent in cloud computing, the Italian Data Protection Authority (IDPA) has released a simple but comprehensive guide for businesses, “How to Protect Your Data Without Falling From a Cloud” (the guidelines), available at www.garanteprivacy.it/garante/doc.jsp?ID=1894503. Although aimed specifically at Italian businesses, the guidelines are useful to any organisation that is considering, or that already uses, cloud computing services.

Types of Cloud Computing

The guidelines define cloud computing as a set of technologies that enable the storage and processing of information by means of the services of a third-party cloud provider. The guidelines also separate cloud computing into private and public systems:

• A private cloud is defined as an IT infrastructure based on a network of computers providing services to a company that hosts the infrastructure on its own premises. Alternatively, management of the network and supply of services may be outsourced by means of a more traditional server hosting agreement, although data is still under the supervision and control of the company user that qualifies as Data Controller.

• A public cloud is defined as an IT infrastructure owned by a service provider that makes its systems available to client users by sharing and offering via the internet certain IT applications, data processing features and data storage services. The services may involve simply a transfer of data to the service provider’s systems or both the storage and processing of data by the service provider. The service provider therefore assumes a key role in ensuring

the effectiveness of the measures adopted to protect data stored and/or processed. Even under this definition, however, the client company is recognised as the Data Controller as it is responsible for ensuring the cloud service provider has in place adequate data security.

Regulatory Framework: Roles and Responsibilities

According to the guidelines, the current laws may need to be updated in order to apply adequately to cloud computing. In particular, certain key legal issues—allocation of liabilities, data security, jurisdiction and notification of breaches to the supervisory authority, as already proposed at the EU level—are highlighted as arising from the adoption of data processing and storage services outsourced via the internet.

Nonetheless, the existing rules still apply to cloud services. In particular, by entrusting an external provider with databases and processing operations, the client user (which qualifies as Data Controller) must appoint the cloud service provider as external Data Processor, formally and in writing as required by the Italian Personal Data Protection Code.

The selection and appointment of the cloud service provider as a Data Processor means the client will need to obtain information on the reliability and business reputation of the provider, its experience in the sector, professional and technical skills, the quality and levels of services it provides, and procedures and policies that will be adopted to protect the integrity and confidentiality of the data processed and stored via the cloud services. The Data Controller is still, however, in principle liable for violations if it is found to have a lack of control or be negligent in entrusting its data processing to third parties and in supervising the Data Processor’s activities.

The guidelines also warn that some services offered by the cloud provider are actually purchased from other service providers, which could pose significant issues as to availability and access to the data. Accessibility is key to being able to provide personal data to data subjects on demand. In this case, the Data Controller must obtain in advance detailed information on each participant company involved at each level (particularly in relation to storage and transfer of the data), in order to make a thorough and considered decision.

The guidelines recommend that adequate insurance coverage for damages is granted by the cloud service provider and indicated expressly in the service agreement. Alternative dispute resolution clauses and penalties should also be outlined clearly.

Server Location and Transfer of Data

Despite cloud computing’s image as an amorphous, “virtual” storage system that does not exist physically in any jurisdiction, data entrusted to a cloud service provider is still subject to the laws of the Data Controller’s home jurisdiction.

The location of the server used for data storage/processing purposes also has a crucial impact on the jurisdiction applicable to data processing and storage security, and the jurisdiction for disputes. As part of the service agreement, therefore, the cloud service provider must state clearly the primary and ancillary location/s of its server/s and business operations. The client will need this information to ensure that transfer of data outside the European Union is compliant with data protection rules.

Because EU rules prohibit the movement of data through or to countries that don’t have adequate levels of protection, many cloud service providers that have facilities located in different countries may not be compliant with the rules on international transfer of data. This means the client company, as Data Controller, may also not be compliant. The guidelines confirm that the IDPA will be strict in this respect, and urge companies to check with their providers to ensure the transfer of data will be legal.

To ensure the movement of data is protected, the guidelines recommend that data is encrypted.

Data Security

Theoretically, one advantage of cloud services is that a professional cloud provider may adopt a higher level of protection against viruses, hackers or other third-party attacks than that used by a Data Controller. The client cannot, however, make this assumption. The security principles that apply under normal circumstances also apply to cloud computing. Regardless of whether data is held internally or in a cloud, the Data Controller is required to ensure adequate technical and organisational measures are in place to minimise the risk that data may be destroyed, lost or accessed by third parties. The guidelines recommend clients check that necessary measures are in place and that the cloud service provider, particularly in the case of non-EU based providers, holds certifications (such as the International Organization for Standardization security standards) or has in place adequate policies in relation to its security measures and data processing procedures.

Immediate Access to Data and Disaster Recovery

A sensible Data Controller will have in place contingency and backup plans in case of a system breakdown. The same applies to cloud service providers, which must keep a copy of the data by way of a copy database or via a mirror server, as required legally or for tax purposes. This is particularly important in relation to the legal requirement of making data available to data subjects. Any such request (which may include rectification or even deletion of data stored) must be fulfilled within a certain timeframe, and the fact that the system has crashed will not be considered an adequate reason for delay.


Massimiliano Russo is counsel based in the Firm’s Rome office and head of the Italian data privacy practice. He advises clients on due diligence and auditing (regulatory and commercial compliance matters) in relation to their e-commerce business presence and strategies, such as websites and portals, and on issues relating to consumer data protection, advertising and promotional schemes. Massimiliano can be contacted on +39 06 462024 1 or at [email protected].


International Arbitration: Why to Agree to It and How to Avoid Going Through with It

By B. Ted Howes and Jacob Grierson

The advantages of arbitration over national court litigation for resolving disputes under international agreements are well known. These are worth revisiting at a time when there has been increasing criticism of international arbitration as being too slow and too costly, in order to remind ourselves that international arbitration is still the best way to resolve international disputes. There is, however, an even better way to resolve such disputes: an amicable settlement. Drafting a carefully worded escalation clause in the underlying arbitration agreement can help maximise the chances of such a settlement.

Advantages of International Arbitration

The first advantage of international arbitration is that it is a nationality-neutral process. When a Korean company wishes to enter into an agreement with a French company, it is no more likely that the Korean company will agree to submit its disputes to the French courts than the French company will agree to submit its disputes to the Korean courts. This has nothing to do with the quality of those courts. It is simply a desire of both parties to engage on a neutral playing field. International arbitration offers this by providing for both the possibility of a neutral venue for the parties’ dispute (e.g., Switzerland in the case of a Korean-French dispute) and the possibility of a nationality-neutral decision-maker (e.g., in the case of a Korean-French dispute, the sole arbitrator or chairman of the three-member arbitral tribunal deciding the dispute will be of Swiss or another neutral nationality).

A second advantage is the quality of the decision-making. Obviously, there are many national judges who are excellent decision-makers, but not all are, especially when it comes to applying foreign laws or understanding the cultural differences that are sometimes key to the fair resolution of an international dispute. In comparison, there is an excellent cadre of sophisticated international arbitrators who decide international disputes full time. These international arbitrators have both substantial experience in resolving international disputes and substantial reputations to uphold by applying justice in an even-handed manner.

Third, international arbitration is a more private and confidential process than national court litigation. Depending on the terms of the arbitration agreement, the place of arbitration and the arbitral organisation selected, the general rule remains that parties must respect the confidentiality of the arbitrations in which they participate. In addition, arbitral institutions and tribunals will not themselves disclose to third parties any of the details concerning the arbitrations they handle, nor any of the documentation or other information exchanged in the course of an arbitration.

Fourth, international awards are final: they cannot be appealed or challenged except in very few and limited circumstances. This contrasts with national court litigation, where a first-instance judgment may turn out to be only the first course in a long banquet of litigation.

Finally, and perhaps most importantly, arbitral awards are in general much easier to enforce around the world than national court judgments. With the exception of the EU Judgments Regulation, which applies only to the enforcement of the judgments of one EU Member State in another Member State, there are few multinational treaties requiring the enforcement of court judgments. The 1958 Convention on the Recognition and Enforcement of Foreign Arbitral Awards (the New York Convention), by contrast, allows for the enforcement of arbitral awards in no fewer than 147 countries, subject to only limited grounds for opposing enforcement.

The Importance of Including a Well-Drafted Escalation Clause

There have been numerous recent efforts to control the time and cost of arbitration by cutting down on delays by arbitral institutions, arbitrators and the parties themselves. Thus, for example, the new 2012 rules of the International Chamber of Commerce (ICC) require ICC arbitral tribunals to take a more proactive role in case management, and to inform not only the ICC, but also the parties, of the date they expect to submit their draft award to the ICC. In addition, it is now stated clearly in the ICC Rules that parties may be sanctioned in costs for failure to act “in an expeditious and cost-effective manner”.

Such streamlining of the arbitral process is to be commended, and should help to restore confidence in international arbitration. It does not change the fact, however, that the quickest way to resolve an international dispute is still to settle it amicably. Doing so allows the parties to avoid incurring legal costs and to devote management time to more productive endeavours. A settlement also, significantly, often results in the parties re-establishing vital commercial relations.

One effective way to increase the chances of settlement is to include in the underlying contract an “escalation clause”, i.e., a clause that requires the parties to go through some form of negotiation process before embarking on arbitration. Such a clause can be tailor-made to suit the circumstances, in some cases including negotiations between various levels of corporate officers and/or non-binding mediation before a neutral third party before arbitration proceedings can be commenced. An example of such an escalation clause is the following:

The parties shall attempt to resolve any dispute arising out of or in connection with this Agreement (a “Dispute”) pursuant to the procedures specified below:

1. Negotiation
When a Dispute arises, either party may give the other party written notice of the Dispute (a “Dispute Notice”). Within seven days after delivery of a Dispute Notice, the receiving party shall submit a written response. Thereafter, the executives who have authority to settle the controversy shall promptly confer in person or by telephone to attempt to resolve the Dispute.

2. Mediation
If the Dispute has not been resolved by negotiation within 30 days of the delivery of the Dispute Notice, for whatever reason, the parties shall submit the Dispute to non-binding mediation under the [insert mediation rules] in effect on the date of this Agreement. The place of mediation shall be [city, country]. All negotiations and proceedings pursuant to paragraphs 1 and 2 shall be confidential and shall be treated as compromise and settlement negotiations for purposes of applicable rules of evidence and any additional confidentiality protections provided by applicable law.

3. Arbitration
If the Dispute has not been resolved by mediation as provided herein within 60 days of the delivery of the Dispute Notice, for whatever reason, such Dispute shall be finally settled by arbitration under the Rules of Arbitration of [insert rest of arbitration clause].

The principal benefit of such an escalation clause is that it removes the first-mover reticence that can sometimes be an obstacle to entering into negotiations. Obviously, in some cases such pre-arbitral negotiations will lead nowhere, as the dispute may not yet be ripe for settlement. However, it can do little harm, and involve relatively limited costs, to hold such negotiations, which may result in an arbitration being averted altogether.

Importantly, such clauses need to make clear, as in the example given above, what event triggers the obligation to negotiate, exactly what obligations each party then has and—most importantly—exactly when the parties become free to commence arbitration proceedings if they cannot reach a settlement. Failure to include such specifics in the escalation clause can lead to lengthy correspondence about whether the obligation to negotiate has been complied with properly, and provide a contract-breaker with a way of delaying the enforcement of the contract.


B. Ted Howes is a partner based in the Firm’s New York office and head of the Firm’s international arbitration practice. Ted can be contacted at +01 212 547 5354 or at [email protected].

Jacob Grierson is a partner based in the Firm’s Paris office and a member of the Firm’s international arbitration practice. He has acted as counsel and arbitrator in more than 20 ICC arbitrations and is the co-author of a guide to the 2012 ICC Rules, published by Kluwer earlier this year. Jacob can be contacted on +33 1 81 69 15 07 or at [email protected].


The OECD Fights Multinationals over Transfer Pricing for Intangibles

By Steven Hannes

On 6 June 2012, the Organisation for Economic Co-operation and Development (OECD) released a discussion draft entitled “Revision of the Special Considerations for Intangibles in Chapter VI of the OECD Transfer Pricing Guidelines and Related Provisions” (DDI). In it, the OECD proposes changes to long-standing principles that determine for income tax purposes the “arm’s length” compensation that related parties, such as entities within a corporate group, should pay each other for the transfer or use of intangibles.

The OECD’s request for public comments on the DDI resulted in a record volume of responses from the multinational business community and its advisors. Among the matters at issue is what constitutes “intangible property”. Historically, intangible property has included items such as patents and trade marks. Some tax authorities would like “intangibles” to include other items as well, such as a work force in place.

The DDI’s most direct attack on international business concerns the standards used to evaluate which affiliate within the multinational group is considered to be the “tax owner” of intangibles. It is the tax owner that is entitled to the financial returns generated by intangible assets and that will be taxed on the income they generate. The proposals, in essence, would provide intangible-related returns to an affiliate within the group only if it develops, enhances, maintains and protects the intangible assets. In a highly controversial move, the DDI would require that such activities be carried out in many cases by the employees of the affiliate that would like to claim the intangible-related returns for income tax purposes. In other words, outsourcing functions such as research, whether through affiliates or even through third parties (although including the latter may have been an error), would get in the way of the affiliate’s entitlement to intangible-related returns.

These proposals are intended partly to safeguard against multinational groups allegedly placing in tax havens affiliates with few, if any, business activities in order to claim intangible-related returns there and thereby reduce the group’s world-wide tax liability. However, the proposals would also affect affiliates outside tax havens that have substantial business activities and bear the costs and risks of the discovery, development, enhancement, maintenance and protection of intangibles. If adopted largely in their current form, the proposals would cause multinational groups to rethink current international tax and business strategies.

Fortunately, the DDI is only a preliminary discussion document. Industry and tax advisors have already pushed back on the extreme position against outsourcing and made recommendations in their comment letters. Certain tax authorities are also resisting aspects of the proposals, e.g., the US Department of the Treasury has already expressed strong reservations about the outsourcing attacks in the DDI. At the same time, however, other tax administrations are taking aggressive positions in tax audits and will be urging the OECD to adopt tough and unorthodox measures to correct perceived international tax abuses involving transfer pricing of intangibles.

The OECD will issue revisions to the DDI in the near future, following its November 2012 business consultation. Whatever the outcome, there will continue to be opportunities for effective business and tax planning in this important area.

McDermott Will & Emery submitted a comment letter on behalf of the Transfer Pricing Discussion Group that discusses numerous aspects of the OECD proposals. The letter is in the 28 September 2012 OECD compilation of comment letters, available at www.oecd.org.

Steven Hannes is a partner based in the Firm’s Washington, DC, office. He focuses his practice on advising US- and foreign-based multinational corporations on developing their cross-border transactions, as well as representing multinationals in tax controversies. He is the founder and chair of the Transfer Pricing Discussion Group. Prior to entering private practice, Steven was the Associate International Tax Counsel in the Office of the Assistant Secretary (Tax Policy) of the US Department of the Treasury. Steven can be contacted on +1 202 756 8218 or at [email protected].

The United Kingdom’s New Competitive Tax Regime for Companies

By Tom Scott

In November 2010, the United Kingdom’s Coalition Government published its “Corporate Tax Road Map”, setting out proposals to reform the UK corporate tax system over a five-year period. The Road Map’s stated aim is to create “the most competitive corporate tax regime in the G20”, and evidence is mounting that the United Kingdom is close to achieving that goal.

The Road Map endorses explicitly two guiding principles for corporate tax reform. The first is to lower the rate of tax while broadening the base on which that tax is charged; businesses focus not only on the headline rate, but also on what is taxed and relieved. The second is to move closer to a “territorial” system of tax, concentrating on income earned in the United Kingdom.

In practice, a third principle is implicit in the reforms. The greatest competition between nations is for mobile income, and the proposals seek to make the United Kingdom competitive in this area, at least where it is likely to result in jobs in the country.

So, how competitive is this new regime? The United Kingdom now offers the following:

• A corporate tax rate of 24 per cent, reducing to 22 per cent by 2014. The Government has signalled that, if feasible, the long-term aim is to reduce the rate further, to 20 per cent. By 2014, the United Kingdom will have the lowest corporate tax rate in the G7, lower than Canada, France, Germany, Italy, Japan and the United States.

• No tax on dividends paid from overseas to the United Kingdom. The UK system encourages non-UK profits to be repatriated to the United Kingdom. Since 2009, the vast majority of both UK and foreign dividends have been exempt from UK corporate tax.

• No withholding tax on dividends. Profits earned by a UK multinational’s overseas subsidiaries can be distributed to the United Kingdom and paid on to the ultimate shareholders, with no UK corporate or withholding taxes.

• An extensive double tax treaty network.

• A generous regime for the deductibility of interest. While many European countries have restricted, or propose to restrict, the tax deductibility of interest, the United Kingdom continues to provide a deduction for arm’s length interest costs in most commercial situations.

• A more restricted regime for “controlled foreign companies”. From 2013, the retained profits of overseas companies controlled by a UK company can only be taxed in the United Kingdom if, broadly, they represent profits diverted from the United Kingdom. Additionally, interest earned by those overseas companies is taxable at a reduced rate, provided it has not resulted in a UK tax deduction.

• An exemption for branch profits. Subject to anti-avoidance rules, a UK company may elect for its branch profits to be exempt from UK tax.

• A “Patent Box” regime and research and development (R&D) tax credits. From April 2013, UK companies can elect into a new regime that applies a lower rate of corporate tax to profits from UK and EU patents. The relief will be phased in over a five-year period, culminating in an effective rate of 10 per cent for such income. Rules exist that effectively require the company, or its group, to have been involved actively in the development or exploitation of the patent. Qualifying R&D can also attract repayable tax credits that are particularly generous for smaller companies.

In combination, these features make the United Kingdom a highly attractive regime for companies, particularly given the country’s other advantages, such as its infrastructure and capital markets. Some companies that exited the United Kingdom when the regime was less attractive have returned, while others have moved or are planning to move there. The path set out in the Road Map appears, for now, to be heading in the right direction.

Tom Scott is a partner based in the Firm’s London office, where he leads the London tax practice. He advises on international and domestic corporate tax issues, including mergers and acquisitions, reorganisations, financing, private equity, transfer pricing and dispute resolution. Tom can be contacted on +44 20 7577 3442 or at [email protected].


Crowdsourcing Intellectual Property

By Rohan Massey and Leigh Smith


Crowdsourcing is essentially a form of mass outsourcing. Instead of engaging a specific third party to undertake a task, however, the task is made available for anyone in the “crowd” to complete. In seeking a solution to a problem, a business could crowdsource tens, possibly hundreds, of responses, then select the best one.

The process is akin to a competition in that only the preferred response, and perhaps two runners up, will receive any remuneration for their efforts. Whatever the task, it is almost inevitable that it will involve the creation of intellectual property (IP) rights that the business will want to exploit.

The benefit of crowdsourcing is that a business can, at a relatively low cost, access a wide range of talent. The crowd consists typically of up-and-coming freelancers in the relevant field, who gain the chance of working for a business that would normally be beyond their reach.

There are, however, potential commercial and legal risks. For example, the use of crowdsourcing may give a business’ competitors insight into future product development, or could even prevent the novelty of a future patent application. There are also potential risks for the company’s reputation, such as the business being seen to be running out of its own ideas. One of the most significant and tangible risks, however, is the risk of claims of IP infringement arising from crowdsourcing.

Ownership of Crowdsourced IP

Concerns over IP infringement claims flow from the question of who is the owner of the IP in the responses received to a crowdsourced task. If a task is given to employees of the business, then any resulting IP generally will vest in the business. Equally, if the task is given to a third party contracted by the business for that purpose, the IP rights can vest in the business by virtue of the terms of the contract. In contrast, the starting point for crowdsourcing is that participants retain their rights until they are transferred to the business.

When a business selects its preferred response(s) to a crowdsourced task, payment to the winner(s) should be structured as consideration for an assignment of all the IP rights in the winning response. In this respect, crowdsourcing is effectively the same as outsourcing, except that the relationship is formalised after the work is completed.

The problems arise mainly from the members of the crowd who were unsuccessful. There is a parallel to be drawn between unsuccessful crowdsourced responses and the age-old problem of what to do with unsolicited ideas and suggestions that a business may receive. Businesses have long been advised not to review unsolicited ideas for fear of being accused at a later date of having copied them. In the case of crowdsourcing, the unwanted ideas, by definition, have to be reviewed.

Because the crowd members have all responded to the same task, it is likely that there will be a degree of overlap between the themes and content of the unsuccessful responses and the responses purchased by the business. This could lead to accusations that a response is being used by the business without payment, owing to similarities between the winning response (or elements thereof) and an unsuccessful response, or owing to similarities between an unsuccessful response and something the business developed itself independently.

Where the claim in question is for copyright infringement in the United Kingdom, for example, the crowd member needs to show that the two works were substantially similar and that the infringing work was derived from the original response. Because it is easy for the crowd member to prove the response was received and reviewed, crowdsourcing inherently establishes a causal connection. Under English law, a causal connection between two works and a substantial similarity between the two can shift the burden of proof on to the alleged infringer. It is then, of course, rather difficult to prove conclusively that the work was not copied.

Protecting the Business

In considering how to eliminate, or at least minimise, these risks, it is important to strike a balance between the interests of the crowdsourcing business and the crowd so the solution implemented is not too onerous on the crowd. If the rules for providing a response are draconian or favour the business heavily, the crowd may simply choose not to respond to the task.

An example of a heavy-handed solution is where the business requires each member of the crowd who provides a response to grant a non-exclusive (or even exclusive) perpetual licence to use any IP included in the response, without further payment. This would certainly eliminate the risk of infringement claims from the crowd, but, aside from the issue of whether this licence would even be enforceable, it raises the question of where is the incentive for the crowd to expend the effort in preparing a response? If the crowd gives up the value of its responses, why would the business ever need to reward the preferred response? The other risk associated with seeking a licence from the entire crowd is that if one licence is found to be invalid, then it is likely that the rest will also be invalid. The attempt to eliminate the risk could then result in an avalanche of claims from opportunists subject to these licences.

Businesses can instead focus on breaking the chain of causation by creating barriers between their IP and the crowdsourced responses. This can be done by putting in place procedures that ensure only limited individuals have access to crowdsourced submissions. If a third party is being used to supply the crowdsourcing environment, it may be appropriate to have all the responses remain on the third-party server. Only a limited number of staff should have access to all the responses for the initial review; that way, a significant portion of the responses will be reviewed and discarded by a small group of people. By retaining a record of who was involved at each stage, future claims can be met with a clear statement of which submissions were reviewed by which staff.

A strict policy should also be put in place so that staff understand the importance of limiting the number of individuals who have access to crowdsourced material. Staff training is essential to ensure employees understand the potential consequences of misusing crowdsourced designs and ideas. Those responsible for reviewing responses should be aware of the risks involved and that submissions remain the property of third parties until purchased by the business. Equally, the crowd should be asked to acknowledge, as part of submitting their responses, that the business has its own development pipeline and may have developed independently (or may in the future develop independently) something similar to their work.

Crowdsourcing creates a number of IP-related issues because it goes against conventional wisdom: it actively encourages third parties to participate in a business’ creative process without first ensuring the business is protected adequately. However, by taking a considered and well-documented approach to the use of crowdsourcing, a business can reap its benefits without exposure to unnecessary risk. When the use of crowdsourcing is proposed, it is therefore essential that the business anticipates and prepares itself fully for the IP risks involved.


Rohan Massey is a partner based in the Firm’s London office. He focuses his practice on media, e-commerce, outsourcing, IT and data protection. As well as advising on intellectual property issues arising in corporate transactions, Rohan specialises in media and marketing, advising on a wide range of sponsorship, advertising, sales promotions, clinical trials and intellectual property issues. He can be contacted on +44 20 7577 6929 or at [email protected].

Leigh Smith is an associate based in the Firm’s London office. His practice encompasses all aspects of intellectual property law, with a particular emphasis on trade marks. Leigh can be contacted on +44 20 7570 1437 or at [email protected].


Are Family Funds a Threat to Private Equity Funds?

By Mark Davis, Mark Selinger and Eleanor West

For most of the past two decades, private equity (PE) funds have had only two types of competition: strategic investors and each other. Special purpose acquisition companies, business development companies and hedge fund side pockets all emerged during this period, but none have really challenged the primacy of PE funds. In the past few years, however, a new form of competitor has emerged: their own limited partners (LPs). To be more specific, the threat is coming from high net worth (HNW) families that used to form the backbone of many PE funds, before institutional money came pouring in.

This is the group that, in the late 2000s, several PE funds shunned, either explicitly or by raising minimum investment requirements. The recession, however, changed the financial landscape and PE funds faced new challenges. The drying up of credit for two years slowed exits to a trickle and created barriers to executing PE’s favoured leveraged buyout model. LPs were still required to pay the yearly management fee, but were not seeing their cash being put to work, or any consistent return on their investments. The illiquid nature of PE investments and the restrictions on transfer began to rankle at least some HNW investors. Perhaps contrary to expectation, these investors did not shy away from the sector. Indeed, in the period post-2008, many HNW families upped the allocation to alternative assets in their investment portfolios, confident that the difficult financial conditions could throw up fruitful investment opportunities. There was, however, a need to diversify and, unhappy with the PE funds, the answer for some was to go it alone.

The Rise of the Family Fund

Though many HNW families had made direct investments in the past or had co-invested alongside PE funds, making a commitment to investing directly requires a different level of infrastructure and a high-grade team, neither of which comes cheaply or easily. Bringing these activities in-house typically means overhead costs in excess of US$1.5 million a year, making it a feasible prospect only for those HNW families with an asset base of US$100 million or more, or those who club together to gain economies of scale. In the past, there was no way to lure a young manager away from the promises of riches offered by a PE fund, but, especially in the mid-market, the recession created a significant shift in the expectations of managers. Many saw less potential in carry, facing frustrating restrictions on their investment activities and the prospect of fundraising in a daunting market. In this environment, a well-funded, single source of capital, coupled with the freedom and flexibility to invest creatively became all the more attractive.

Meanwhile, PE funds were becoming less competitive. Where credit was available, lenders were cautious, requiring extensive diligence and making the acquisition process cumbersome and uncertain, as well as offering, at times, unattractive pricing. The traditional model became redundant, and the PE funds had to rethink their strategy. In being forced to change, PE funds have become more comfortable with writing large, up-front equity cheques and looking at ways of creating value in their portfolio companies, rather than relying on financial engineering to generate returns. That said, deal flow remains slow.

PE funds are also restricted by the strict investment criteria on which they are mandated by their LPs (e.g., in terms of asset grade, structure, sector and geography) and these constraints have led to PE funds competing against each other for the most attractive assets. Given the flexibility afforded by the structure of their private funds, HNW families are best advised to sidestep this battle, and many do just that, concentrating their efforts elsewhere to good effect and finding that opportunities are plentiful.

HNW families are often prepared to accept a greater degree of risk than PE funds in terms of sector and stage of investment. This places them in a good position to look at industries, geographies and deal structures considered too exotic or risky for PE funds. This can be seen clearly in Europe, for example, where family offices have been, and are predicted to continue to be, prevalent investors in technology development and pre-operational assets (e.g., clean tech), plugging the funding gap left by venture capital departing the sector in favour of “safer” assets and locked-in value. HNW families typically take a longer term view, with a focus on building capital value rather than securing a rapid return on their investments. Likewise, in territories such as Africa, where there is a significant need for growth capital, PE funds tend to struggle to accommodate founders’ reluctance to part with equity or relinquish control. Here, HNW families can differentiate themselves, offering up flexibility in the form of debt instruments with simple downside protection mechanics.

No Two Families Are the Same

Not all HNW families operate in the same way; there is no standard investment strategy. Instead, a variety of approaches and attitudes are taken by family offices operating at different stages of development and serving the investment profiles of different numbers of family members. Small family offices with fewer family members tend to be more nimble, as they have a leaner decision-making process and often look to add value by getting actively involved in the management of their investments. This in itself can be an attractive attribute for a company looking for investment, particularly where it sees synergies with the family’s existing businesses and an opportunity to leverage off the family’s reputation and network.

Larger family offices operate investment vehicles that look to the outside world much like PE funds, but the stories these family funds tell prospective investee companies differentiate them from PE funds. For example, there is no requirement to look to exit within the three to five years usual for a PE investment. In addition, the head of the family fund is often a former operator-entrepreneur, whose story may sound familiar to many founders. Lastly, the family fund operates outside the constraints of financial regulation and without the structural constraints included in many PE fund documents.

Family funds do lack some things that successful PE funds have: name recognition, an LP network and, most important, a track record. These drawbacks can, however, be overcome. Hiring a successful manager from a well-regarded PE fund can help minimise the track record obstacle, and a prominent family backer can outweigh the name recognition and networking connections of all but the best-known PE funds.

Family funds are still in their infancy, and there’s no doubt there will be missteps along the way. As PE funds survey the competitive landscape, however, they will likely find that the seat next to them at the bidding table is filled not by another PE fund or strategic investor, but by a family fund with deep pockets and a growing appetite for deals.

Mark Davis is a partner based in the Firm’s London office. Mark’s practice focuses on cross-border leveraged buyouts and exits. He also has a wide range of experience in private equity and other M&A transactions and has represented a number of the largest buy-out funds in Europe and the United States in connection with complex cross-border deals. Mark can be contacted on +44 20 7577 3441 or at [email protected].

Mark Selinger is a partner based in the Firm’s New York office. Mark represents family offices and investment funds in all aspects of their direct investing activities, including initial and follow-on investments, restructurings and exit transactions. He also represents fund portfolio companies in commercial and transactional matters. Mark can be contacted on +1 212 547 5438 or at [email protected].

Eleanor West is an associate based in the Firm’s London office. Her practice focuses on UK and international private equity investments and buy-out transactions, acting for both institutions and management teams. Eleanor can be contacted on +44 20 7577 3461 or at [email protected].


CJEU Expands Freedom of Establishment in the European Union

By Michael Ruoff

The Court of Justice of the European Union (CJEU) has recently expanded the freedom of companies to move from one EU Member State (the departure State) to another State (the destination State). The destination State cannot prohibit a company incorporated under the laws of the departure State from moving its registered office and principal place of business into the destination State and changing its legal structure into a form recognised under the laws of that State.

The Move Towards Freedom of Establishment for Companies

In Centros Ltd v Erhvervs- og Selskabsstyrelsen [1999] C-212/97, the CJEU ruled that the destination State may not refuse to register a branch of a company incorporated in the departure State, even if the company conducts all its business through that branch.

In Überseering BV v Nordic Construction Company Baumanagement GmbH [2002] C-08/00, the CJEU ruled that the destination State has to recognise a company as a legal entity, even if it remains incorporated under the laws of its departure State.

In Sevic Systems AG [2005] C-411/03, the CJEU ruled that all EU Member States have to treat cross-border mergers in the same manner as they treat a merger of companies within their jurisdiction.

In Cartesio Oktató és Szolgáltató bt, [2008] C-210/06, the CJEU ruled that the departure State may require that a company maintains its principal place of business within its territory if it wishes to maintain its status as a legal entity under the departure State’s laws. In the same judgment, however, the CJEU stated explicitly that this does not allow the departure State to prohibit companies from moving their principal place of business and registered office into the destination State, and thereby assuming a new legal form under the laws of the destination State, if this is allowed under the destination State’s law.

In the most recent ruling, VALE Építési Kft. [2012] C-378/10, the CJEU ruled that the destination State must allow a company to move its registered office and principal place of business into the State’s territory and thereby assume a legal form under its laws, if the destination State’s laws provide for transformations between the legal forms of the destination State.

On one hand, because most Member States’ laws provide for the transformation of a company’s legal form, the Cartesio and VALE judgments mean companies can move freely within the European Union and assume a legal form under the laws of the destination State. This is a definite improvement on the situation that existed previously, under which only corporations organised as a Societas Europaea (European Stock Corporation) could move between States. Alternative solutions such as cross-border mergers, which were introduced following Sevic Systems, no longer need to be used, as their procedures are more complex.

On the other hand, however, as the laws of most Member States do not provide specifically for cross-border transformations, the Cartesio and VALE judgments will be complicated to implement; the respective provisions for domestic transformations need to be applied mutatis mutandis. It is likely that the European Commission will begin to harmonise the laws on transformations between EU Member States and thereby also introduce mandatory provisions for cross-border transformations, but this process may take several years.

With respect to taxation, it should be noted that most Member States have already introduced tax rules for cross-border mergers that can be applied to cross-border transformations.

Michael Ruoff is a partner based in the Firm’s Munich office. He is a member of the Firm’s Transaction Business Unit and heads the German Energy Advisory Group. He advises on corporate law and M&A transactions. Michael can be contacted on +49 89 12712 321 or at [email protected].

“The VALE Decision brings more flexibility for companies.”

