Monday, 30 January 2012

Interview with Alfredo Della Monica (American Express)

Following the success of the Data Protection in the Financial Services Sector conference, last October in central London, Michiel Willems spoke to one of the key speakers, Alfredo Della Monica, Counsel at American Express and responsible for the company's data protection issues in Europe, Africa and the Middle East.

Alfredo, what are the biggest challenges financial institutions are facing at the moment?
The transfer of transaction data is certainly the key issue. For example, the SWIFT case a few years ago raised the attention of all the relevant stakeholders. More broadly, the economic backdrop in many markets makes for a particularly challenging operating environment.

Financial services firms operate, increasingly, across borders and jurisdictions. Is it still possible to control which data flows where and which laws govern what information?
Certainly, it is quite difficult, but it is possible to establish appropriate controls. In my view, if you really want to manage data protection in your firm, you have to think 'what, where, how' about your data every single day.
What are the main practical issues the industry is facing at the moment in relation to data transfers?
The length of the binding corporate rules (BCRs) process, as well as the impracticality of the standard contractual clauses.

Can you tell us a bit more about model contracts and BCRs? What is their importance - from a data protection point of view - for the industry?
Model contracts would be the preferred solution but they are unmanageable, as you need one model contract for each transfer and one model contract for each controller/processor. That would mean millions of model contracts if you are a global company. The BCRs are therefore the only real solution, but it would be helpful if the authorities could speed up the approval process. This may encourage firms to go for this option.

When financial services business operate internationally, or globally, how should they manage the different regulatory requirements?
I believe that a strong compliance program would be enough to monitor the different regulatory requirements in all the relevant jurisdictions. And, most importantly, I would suggest setting a baseline of standard requirements, having in mind the provisions of the EU Directive as many countries in the world adopt those as standards.

Why are banks and other financial institutions regularly in the news regarding data breaches and issues with data management?
This is an issue which affects all companies entrusted with customer data, particularly in today's digital economy. That is why the proposals being drawn up by the European Commission are so important, and why the industry must work together with regulators to achieve a framework which helps consumers while also being workable for businesses.

Do you think cloud computing has added an interesting dimension to the data protection debate?
It could, but in practice it is still too early to comprehensively evaluate the implications of cloud computing.

Do you believe that the sanctions for mismanagement of data are strict enough?
The responsible management of customer data should be good business practice for all companies. Regardless of how a sanctions regime is structured, it should not be a primary motivator for organisations to act as responsible data custodians.

Many thanks for your time, Alfredo.
Thanks for the opportunity.

Michiel Willems © 2012 CP Publishing Ltd. London, UK. Picture: CP Conferences 2011.

Saturday, 28 January 2012

US Court: domain registrar not liable if domains merely 'forward'

A District Court in California ruled on 10 January that a domain name registrar is not liable for 'cyber squatting' if it redirects web users from a squatted website to another site.

Two domain names, registered by Go Daddy (GD) and bearing the name of the oil company Petronas, redirected visitors to a pornographic website through GD's servers. The District Judge ruled that "the forwarding of the disputed domains does not amount to 'use' of the domain names".

Simon Bennett, Partner at Fox Williams, believes the "decision was the right one, since [GD] does not exercise editorial control over sites hosted under domain names for which it acts as registrar".

Gillian Anderson, an Associate at Pinsent Masons, also called the ruling "the correct decision", while referring to the 2011 case Microsoft Corp v Shah Civil Action. In that case a claim of 'contributory cyber squatting' was upheld. "In contrast, Petronas' claim failed because the court decided that the registrar had not directly contributed to the infringement", Anderson explains. "It remains to be seen how the Petronas decision will be applied in future cases given the opposing outcomes from Petronas and Microsoft."

Cyber squatting - the practice of registering a domain name with the intent to profit from the goodwill of a trademark belonging to someone else - is illegal under the Anti-cyber squatting Consumer Protection Act (ACPA) if it happens in bad faith and with the intent to profit.

Michiel Willems © 2012 ECLP January issue, CP Publishing Ltd. London, UK.

Friday, 27 January 2012

Radio broadcasts

Two recent items I recently did for Radio 1 in the Netherlands - in Dutch

The European premiere of the movie The Iron Lady, click HERE

Dutch Prime Minister Rutte's visit to Downing Street, click HERE

FTC settles over use of flash cookies

The US Federal Trade Commission (FTC) has reached a settlement with advertising network ScanScout Inc. over the online advertising network's use of Flash cookies which consumers' web browser settings could not opt out of, contrary to the company's privacy policy.

ScanScout - which was acquired by Tremor Media during the process - used Flash cookies to collect consumer data for the period between April 2007 and September 2009.

Although its privacy policy stated that consumers could block the cookies by changing their browser settings, the FTC found that the Flash cookies were unaffected by users' browser settings since they were not controlled through a computer's browser, unlike HTTP cookies.
Consequently, the FTC found the practice constituted 'deceptive acts or practices in or affecting commerce' and in violation of the Federal Trade Commission Act.

"The failure to properly disclose the use of Flash cookies can result in FTC enforcement", said Dana Rosenfeld, Partner at Kelley Drye & Warren LLP.

ECLP (C) 2011, CP Publishing, London. Picture:

The UIGEA, at last?

It sent shock waves through the industry. On 7 December, a jury in the US District Court of Boston found Todd Lyons guilty of illegal gambling offences under the Unlawful Internet Gambling Enforcement Act (UIGEA).

The jury was convinced Lyons ran the illegal gambling business Sports Offshore together with a number of co-defendants. Although Sports Offshore is based in Antigua, it was not licensed there and the business actively targeted and recruited customers throughout the US. Since Lyons acted as an 'on-the-ground agent' ­ collecting losses from US sports betters and shipping the proceeds back to Antigua ­ he was found guilty of 'acceptance of financial instruments for unlawful internet gambling', specifically stated under terms set out in the UIGEA. He was also convicted for racketeering under the Racketeer Influenced and Corruption Organisations Act (RICO) as well as violations of the Wire Act. 

And so it was official. The first conviction under the UIGEA ever was a fact. A historic moment? For the industry it certainly was. The conviction was hailed as a huge victory for those who oppose online gambling and the US Attorney for Massachusetts, Carmen M. Ortiz, said in a statement that the conviction of Lyons 'should serve as a message to those involved in illegal gambling schemes'. Really? This is a strong message from a government that has never convicted someone before under the UIGEA, even though the law has been in effect for more than five years. 

Lawyers and industry experts wonder what to make of this UIGEA verdict, and where to go from here. Before Lyons conviction, the Wire Act and RICO were as good as the only legal tools available to prosecute and convict persons involved in illegal gambling. 

So does this case mean a change of course? The answer is most likely no. The UIGEA conviction was merely possible because Lyons was physically collecting gambling proceeds within the United States, while practically all gambling businesses that even dare to offer their services to US customers stay well away from such practices. Money is transferred out of the country and collected in offshore jurisdictions far away, such as Barbados or Panama. 

So can we expect another UIGEA conviction soon? Probably not. Although since Black Friday it is clear that cracking down on online gambling activities in the US has become a priority for the US Department of Justice, the UIGEA's own terms limit the possibilities for prosecutors to crack down on online gambling businesses that attempt to take advantage of America's millions of poker players. 

In all likelihood, this conviction should be seen as a one-off event and prosecutors ought to celebrate the existence of the Wire Act and RICO if they wish to continue cracking down on online gambling in 2012.

Michiel Willems in WOGLR, December issue © 2011 CPP Publishing Ltd

Japan: 9 months after Fukushima

Please find below some pictures I took while on a recent visit to Japan. Although tourism is still at an all-time low, the country is slowly recovering from the earthquake, tsunami and nuclear crisis that hit the north of Japan on 11 March 2011. It was a truly impressive journey full of sushi, sake, sumo, Sony, and samurai.

Michiel Willems 2011 (C)

Thursday, 12 January 2012

Review: My Week With Marilyn

Set in the summer of 1956, the young graduate Colin Flark dreams of finding a job in the film industry so he decides to leave the safety of his parents’ home to embark on an adventurous journey to London, not knowing where destiny is going to take him. 

Against the odds, he lands himself a job at a production house in the heart of Britain’s film industry – the Warner Bros. studios in Leavesden - and before Flark properly realises what is happening he finds himself in the presence of the legendary Sir Laurence Olivier and becomes a witness of the tense interaction between Olivier and the absolute superstar of the late ‘50s, Marilyn Monroe, during the production of the comedy ‘The Prince and the Showgirl’. 

Monroe, who is joined by her then new husband Arthur Miller, has her moments of insecurity, depression and behaviour that borders insanity, resulting in continuous production delays which deeply frustrate the ambitious Olivier. 

When Miller leaves England, Monroe's loneliness and desperate need for attention are filled by the funny, energetic Clark, who introduces Marilyn to some of the pleasures of English life. A heavenly, surreal week, in which he makes Monroe escape from the Hollywood sycophants and the pressures of being a superstar, is to follow. An affair which is encouraged by some on set, but loathed by others who secretly desire the attention of Marilyn themselves. It is the story of a genuine summer love which is bound to go wrong, without anyone really getting hurt.

Director Simon Curtis delivers an excellent performance with a sexy, appealing Michelle Williams as Monroe. Kenneth Branagh (Olivier) keeps the whole lot together, while Judi Dench acts as the moral conscience of the crew and Harry Potter’s Emma Watson is casted as a motivating extra who anxiously fancies Flark. But it is Eddie Redmayne - portraying the young, naive and slightly insecure Flark - who is amazingly strong and carries the story throughout. The convincing story, in combination with the 1950s vibe and fashion, as well as the compelling music of the time, turn this all-round production into a success. The genuine on-screen chemistry between Williams and Flark make this movie a must-see for anyone who still dares to say yes to love. - Michiel Willems

My Week With Marilyn (UK, 99 mins, drama, first released on 25 November in London)

Tuesday, 10 January 2012

Controversy over Google Wallet's data security

Google's Mobile Wallet does not store personal data securely, research firm ViaForensics (VF) has said.

The security firm tested the application on a rooted handset - a mobile phone with a modified operating system in order to change the (privacy) settings - and it discovered that sensitive data is stored in SQLite databases, a serverless engine which stores data unencrypted. This includes credit card balances, limits, expiration dates, names, locations and transaction dates.

Google responded by releasing a statement: 'This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers.'

VF agreed Google does a 'decent job' by securely storing full credit card numbers and that a PIN is needed to authorise payments. However, VF's Report came only days after Verizon, the largest telecom provider in the US, demanded on 7 December that Google disables its Mobile Wallet application in the forthcoming edition of the latest Galaxy Nexus smartphone. Verizon cited 'security concerns' as the main reason.

Published previously in E-Finance & Payments Law & Policy, December issue. CPP. Copyrights apply. Picture:

Germany enters a 'historical year' as SH refuses to sign new Treaty

BERLIN - Schleswig-Holstein (SH), the German Federal State that adopted a law liberalising online gambling last September, has refused to sign the new Interstate Treaty on Gambling (ITG), approved by all the other Lander on 15 December.

Since SH's gambling law will come into effect on 1 January it is "very likely the new year will turn out to be a historical year in German gambling legislation, because the online market for sports betting, and casino games insofar as SchleswigHolstein is concerned, will be opened for the first time for private operators", said Matthias Spitzer, Attorney at Melchers Law. Much to the annoyance of the other states, SH will continue to pursue its own gambling policy "for the time being", said Barbara Ploeckl, Associate at Freshfields Bruckhaus Deringer. Spitzer adds: "There is no evidence that SH would turn back, quite the contrary." It is expected that SH will start issuing licences in January or February.

Germany's 15 other Federal States did sign the new ITG, which retains public monopolies by existing state companies. But when the new ITG will become actual law is difficult to say since the "[15] states agreed to only pass the law onto the parliaments of their states for ratification once the European Commission (EC) has given a positive comment", said Ploeckl.

It is not likely the EC will approve this ITG. The previous draft text  which hardly differs from the latest version  was fiercely rejected by the EC in July. Back then, the EC called the proposed regime 'anti-competitive' and even recommended SH's liberal law as a model for a future ITG.

Published previously in the December issue of World Online Gambling Law Report, CPP. Copyrights apply.


Tuesday, 3 January 2012

Happy New Year

Goodbye riots, Amy and the Royal Wedding. Bring on the London 2012 Olympics and the Queen's Diamond Jubilee Party in Twenty Twelve. Happy New Year.
Picture: Getty Images,