
International Data Privacy Day was on January 28, 2022, and practitioners and enforcers alike took the opportunity to recognize developments over the past year, and look forward to what’s next.[1]  California Attorney General Rob Bonta’s Office was no exception.  Attorney General Bonta’s Office published a press release on Friday announcing “an investigative sweep of a number of businesses operating loyalty programs in California” and that the Attorney General sent notices alleging noncompliance with the California Consumer Privacy Act (CCPA).

The CCPA passed in 2018, took effect January 1, 2020, and following multiple amendments and various versions of regulations, enforcement by the California Attorney General started July 1, 2020.  Since that time, Attorney General Bonta’s Office’s enforcement priorities had appeared to focus on transparency (e.g., in privacy notices), sale requirements (e.g., ensuring sufficient opt-outs), verification, and CCPA right request forms.  Indeed, in July 2021, the Attorney General’s Office published examples of its CCPA enforcement cases, only one of which related to transparency in the context of a loyalty program.  In this release, the Office also launched a consumer reporting link, which allowed consumers to report potential violations to the Attorney General’s Office.

Now, it seems the Attorney General’s Office is adding fuel to the focus on loyalty programs in its list of enforcement priorities.  As a reminder, the CCPA has various provisions and regulations relating to loyalty programs.  Under CCPA’s Section 1798.125:

“a business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:  (B)  Charging higher prices or rates for goods or services, including through the use of discounts or other benefits,” except that businesses can provide a different price, rate, level or quality, if the offering is:

  • “in connection with a consumer’s voluntary participation in a loyalty, rewards, premium features, discount, or club card program”;
  • “reasonably related to the value provided by the consumer’s data”;
  • “for a specific good or service whose functionality is reasonably related to the collection, use, or sale of the consumer’s data.”

 

The CCPA Regulations provide further clarity on these provisions, stating among other requirements, that if “a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive . . . is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference” (Section 999.336, emphasis added), and that an explicit notice of financial incentive is required, which should include (1) a summary of the program, (2) material terms, (3) how to opt in and how to withdraw from the program, and (4) how the incentive is reasonably related to the value of the consumer’s data, including a good-faith estimate of the value, and the description of the method the business used to calculate it (Section 999.307).

Section 999.337 offers more detail regarding how to calculate the value of consumer data, including providing eight factors for consideration, such as the average value to the business, the revenue generated by the business from the processing of the consumers’ information, and the expenses relating to the processing.

Attorney General Bonta’s announcement serves as a helpful reminder that businesses offering financial incentives (including potentially discount coupons for submitting an email address), or loyalty programs (such as usage perks or membership discounts), should consider their CCPA compliance, and in particular review their disclosures regarding such programs.  It is also a reminder more generally that the Attorney General’s Office remains active in enforcing the CCPA, at least until July 2023, when enforcement of the CPRA will begin.

We remain available to discuss your particular compliance needs, including regarding loyalty programs, to which businesses may have devoted less attention in their CCPA compliance efforts, in light of the late finalization of the regulations in August 2020.

______________________

[1] See, for example, Gibson Dunn’s International Cybersecurity and Data Privacy Outlook and Review – 2022, Jan. 31, 2022, available at https://www.gibsondunn.com/international-cybersecurity-and-data-privacy-outlook-and-review-2022/.


This alert was prepared by Cassandra L. Gaedt-Sheckter and Alexander H. Southwell.

© 2022 Gibson, Dunn & Crutcher LLP


In 2021, the U.S. Department of Justice (“DOJ”) articulated a renewed prosecutorial vision, made strong statements, and took decisive steps to expand the scope of enforcement efforts and devote more resources to them.  Enforcement activity resulting in corporate non-prosecution agreements (“NPAs”) and deferred prosecution agreements (“DPAs”) was lower in 2021 than in 2020, but generally consistent with the trend in the past two decades.  We expect continued aggressive corporate enforcement in 2022 as part of President Biden’s stated initiative to revisit standards of corporate prosecution.

In this client alert, the 25th in our series on NPAs and DPAs, we: (1) report key statistics regarding NPAs and DPAs from 2000 through 2021; (2) analyze statements by DOJ about recalibrating corporate enforcement policies and a coming effort to “surge resources” in corporate enforcement; (3) take an in-depth look at the use of corporate resolutions by DOJ’s National Security Division (“NSD”); (4) provide an update on the SEC whistleblower program and its implications for NPAs and DPAs; (5) summarize 2021’s publicly available DOJ corporate NPAs and DPAs since our 2021 Mid-Year Update; and (6) survey recent developments in DPA regimes abroad.

Chart 1 below shows all known DOJ NPAs and DPAs from 2000 through 2021.  Of 2021’s 28 total NPAs and DPAs, 7 are NPAs and 21 are DPAs.[1]  The SEC, consistent with its trend since 2016, did not enter into any NPAs or DPAs in 2021.

Chart 2 reflects total monetary recoveries related to NPAs and DPAs from 2000 through 2021.  At approximately $4.0 billion, recoveries associated with NPAs and DPAs in 2021 are the lowest since 2018, and are below the average yearly recoveries for the period between 2005 (when use of these agreements became fairly routine) and 2021.  As we have stated repeatedly, annual statistics should not be isolated to try to extrapolate a trend.  The completion of investigations ebbs and flows and is not calibrated to the calendar.  Although 2021 represents a significant reduction in recoveries compared to 2020’s record-breaking $9.4 billion, certain patterns identified in prior years have remained.  For example, in 2020, the two largest resolutions accounted for approximately 53% of the total monetary recoveries.  Similarly, in 2021, the two largest resolutions accounted for 69% of all recoveries, and the largest resolution accounted for approximately 62%.  In 2020, 34% of the agreements had total recoveries of $100 million or more; in 2021, approximately 21% included recoveries of at least $100 million.  Supported by statements suggesting a possible shift in DOJ corporate enforcement policies (discussed in further detail below), these 2021 trends suggest a continued focus by DOJ on large monetary resolutions.

2021 in Context

21 of the 28 resolutions—or 75%—in 2021 were DPAs.  The 28 resolutions entered in 2021 resolved investigations brought by fourteen distinct lead enforcement offices, including nine different U.S. Attorney’s offices.  Among the fourteen, DOJ’s Fraud Section (5), Antitrust Division (4), and Consumer Protection Branch (3) were most active.  Increased activity by DOJ’s Consumer Protection Branch, in particular, may be a trend to watch in the coming year.  This branch has a broad enforcement mandate and is staffed by approximately 100 lawyers.

Of particular note, the number of DPAs in 2021, as illustrated in Chart 3 below and discussed in our Mid-Year Update, is consistent with a seven-year trend toward the increased use of DPAs compared to NPAs.

Three of the seven NPAs entered in 2021 referenced division-specific self-disclosure programs as primary motivating factors.  SAP SE and Avnet Asia Pte. Ltd., respectively, qualified for NPAs under NSD’s Export Control and Sanctions Enforcement Policy for Business Organizations, announced in late 2019.[2]

Although there are limited outliers, the numbers reflect a continuing trend toward increased use of DPAs.

2021 was also the first year without a public declination pursuant to DOJ’s FCPA Corporate Enforcement Policy since DOJ first announced the precursor FCPA Pilot Program in 2016.  The program was designed originally to encourage voluntary self-disclosure and cooperation from companies involved in potential misconduct.  The number of public declinations offered by DOJ under the program and the FCPA Corporate Enforcement Policy has steadily declined in recent years, with four declinations in 2018, two in 2019, and only one in 2020.[3]  However, DOJ has disagreed with commentary suggesting this decline reflects a long-term trend, with an official spokesperson stating “We do not believe the aforementioned results in 2019 and 2020 reflect a ‘lull’ or a downward trend, rather we believe they reflect the natural ebb and flow of our cases.”[4]  Further, it remains possible that DOJ has issued private declinations where it has determined “a public declination is neither necessary nor warranted,” on the basis that the decision to disclose a declination belongs solely to the DOJ.[5]  Gibson Dunn’s investigative inventory corresponds to DOJ’s perspective.

DOJ Announces Shifting Enforcement Policies and Resource “Surge”

In the final months of 2021, DOJ made several important announcements regarding corporate enforcement as part of President Biden’s broader initiative to revisit the standards and practices that DOJ has applied to corporate criminal enforcement.  These announcements, which touch on every stage of corporate enforcement—from investigation through charging, settlement, and beyond—reflect that DOJ is taking a fresh, holistic look at its approach to corporate enforcement.  Through these changes, DOJ is signaling to companies that DOJ intends to maintain a sharp focus on identifying and addressing corporate crime.

Reflecting this focus, DOJ announced the formation of a Corporate Crime Advisory Group, which will be made up of representatives from all divisions of DOJ involved in corporate criminal enforcement.  This new advisory body has a broad mandate to make recommendations and propose revisions to DOJ’s policies on corporate criminal enforcement topics, including monitorship selection, recidivism and NPA/DPA non-compliance, and prioritization of individual accountability, all of which were targeted for updates in 2021.

Zero Tolerance for Recidivism and Noncompliance

In an October 5, 2021 speech, Principal Associate Deputy Attorney General (“PADAG”) John Carlin emphasized that DOJ will continue to use NPAs, DPAs, and guilty pleas, and that DOJ views the inking of an agreement as the start of a longer-term obligation.[6]  He stated that companies should expect DOJ to enforce agreement terms, noting that DOJ will be firm with companies that do not comply.  He also said that the consequences for violating an agreement “may be worse than the original punishment.”  Typically, DPAs and NPAs include specific obligations with respect to compliance, cooperation, and reporting of misconduct over the term of the agreement (often three years).

Shortly after PADAG Carlin’s speech, Deputy Attorney General (“DAG”) Lisa Monaco amplified this position, stating that DOJ has “no tolerance for companies that take advantage of [DPAs or NPAs] by going on to continue to commit crimes.”[7]  These statements hearken back to 2015, when DOJ similarly postured about not hesitating to “tear up” agreements for companies that fail to meet their NPA or DPA obligations.[8]  DOJ has already proved willing to follow through on this renewed zero-tolerance policy, requiring Monsanto Company (“Monsanto”) to plead guilty to both of the previously deferred two felony charges that otherwise would have been dismissed pursuant to its 2019 DPA, as well as thirty new misdemeanor charges, as a result of new conduct that violated laws involving the proper use of pesticides and the terms of the 2019 DPA.[9]

Further emphasizing its tough stance on recidivist behavior, DOJ also announced that it will take into account a corporation’s full criminal, civil, and regulatory record in making charging decisions, even if alleged prior misconduct is dissimilar from the alleged conduct at issue.[10]  No longer will DOJ focus primarily on prior misconduct similar to the conduct under investigation.  This revised policy is sweeping, implicating not only prior enforcement actions across all DOJ units, but all prosecutions and non-criminal enforcement actions across all federal regulators, the states and other countries, as well.[11]

Taken at face value, this means that a prior resolution for conduct that would not be illegal in the United States could theoretically be taken into account in a domestic charging decision.  Practitioners have raised significant concerns about this new policy, particularly given this potential for consideration of acts that are not punishable in the United States, and for consideration of criminal, civil, and regulatory actions involving completely inapposite facts, standards, and legal frameworks.

Speaking at the American Conference Institute’s 38th International Conference on the FCPA, Assistant Attorney General for the Criminal Division, Kenneth Polite, responded to these concerns, stating that, “it’s a discretionary evaluation, where we have to trust and rely on our trial attorneys to properly evaluate each instance…where every potential act of misconduct is not going to be weighted the same way.”[12]  At the same event, Chief of the DOJ’s FCPA Unit, David Last, stated that, “if there are so many instances to count, that may be another conversation that we need to have…If you’re in the 50s, or the hundreds of prior touches, that’s something we probably need to know.”[13]

Surging Resources to Investigate Corporate Wrongdoing

Also in October, PADAG John Carlin noted that DOJ is “building up to surge resources for corporate enforcement.”[14]  These resources include additional FBI agents tasked to work full-time alongside the prosecutors in the Criminal Fraud section, which PADAG Carlin stated has worked in the past and would provide flexibility to pursue white-collar matters nationwide.

According to Mr. Carlin, the surge in resources also will facilitate the use of data analytics tools, including working together with other regulatory agencies to share “the same fruits of analytic [labor],” to identify criminal conduct.  He noted corporations should take advantage of these types of tools as DOJ will expect corporations to use data analytics in their compliance programs to look for and predict misconduct.[15]

These comments build on updates to DOJ’s corporate enforcement posture dating back to 2020.  On June 1, 2020, DOJ updated its guidance to prosecutors for assessing corporate compliance programs when conducting investigations, making charging decisions, and negotiating resolutions.  That guidance included an expectation that companies’ internal risk assessments should be based on “continuous access to operational data and information across functions.”  Reflecting the application of this guidance, 2021 agreements include a provision requiring data-based monitoring, review, and testing of a company’s compliance procedures.  As discussed in our Mid-Year Update, the Epsilon DPA, for example, requires the company to “conduct periodic reviews and testing” of its compliance program as it relates to “preventing and detecting the transfer or sale of consumer data.”[16]  More recently, the Recology DPA requires that “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing.”[17]  The Credit Suisse DPA contains nearly identical language that specifically aims at monitoring and testing transactional data.[18]  Given the express focus on analytics, Mr. Carlin’s recent messaging, and the cross-pollination that tends to occur among the 93 U.S. Attorney’s Offices and Main Justice, we expect to see this enhanced language make its way into future agreements.

Continued Focus on Pursuit of Individual Actions

Historically, DOJ has had a particular focus on pursuing individuals responsible for corporate crime.  In 2015, the Yates Memorandum announced a requirement that companies seeking cooperation credit provide DOJ with all non-privileged information about all individuals involved in misconduct to receive credit.[19]  Reflecting what some viewed as a more pro-company stance, DOJ modified the Yates Memo requirement in November 2018, in response to concerns that the requirement was slowing down investigations by forcing companies to pursue and disclose every individual fact pattern—even relatively immaterial ones.[20]  This revised standard premised cooperation credit on providing information about individuals who were “substantially” involved in, or responsible for, the misconduct.[21]

In October 2021, Deputy Attorney General Monaco announced a return to the Yates standard, explaining that the revised standard had proved unworkable because the standard was not clear and left too much to the judgment of cooperating companies.[22]  In response to renewed concerns about the burden on companies imposed by the Yates standard, Assistant Attorney General Polite disagreed about the impacts to companies, explaining that the Yates standard is appropriate because it swings the decision regarding who is culpable back to DOJ, which views itself as being in the best position to evaluate who is substantially involved, based on all of the information known to it.[23]

Monitorship Policy Reconsidered

In 2021, DOJ also has “rescinded” any prior guidance suggesting that monitorships are disfavored, and prosecutors are, therefore, free to impose a corporate monitor when they determine it is appropriate.  This signals a possible intent to reverse a trend away from compliance monitorships, which have declined in recent years in favor of self-reporting requirements.  According to our records, only two of the 28 publicly available agreements in 2021 and two of 38 resolutions in 2020 imposed a corporate monitor, as compared to 9 out of 40 agreements in 2016, for example, and 5 out of 23 in 2017.  Practitioners have raised concerns that DOJ’s new position on corporate monitors may make companies less willing to self-report, because self-reporting will carry a greater risk of monitorship—an extremely expensive and burdensome outcome.  It remains to be seen whether individual prosecutors will take this as a signal to increase use of monitorship arrangements, and whether this will have a chilling effect on self-reporting.

DOJ Adds a Formal Disclosure Certification

NPAs and DPAs have long included obligations to disclose additional related conduct or evidence of illegal activity identified during the agreement’s term.[24]  Many also require certification on behalf of the company, at the conclusion of the term, that all relevant evidence has been disclosed.[25]  Until recently, DOJ had not given form to this certification requirement, instead relying on companies to provide the certification in an ad hoc manner.

Beginning in late 2020, DOJ’s Fraud Section introduced a new certification attached to some NPAs and DPAs, formalizing the certification requirement.  This certification requires a company’s executives to certify, on the date that the period of the NPA or DPA expires, that (1) they are aware of the company’s disclosure obligations under the NPA or DPA; and (2) the company has disclosed “any and all evidence,” including all allegations relating to broadly-specified conduct (which varies by agreement).[26]  In 2021, this new certification became standard across resolutions involving the Fraud Section.[27]  It also was adopted by the Antitrust Division in several resolutions[28] and the USAO for the Eastern District of New York in at least one case.[29]  The corporate officers required to sign the certification vary; the Fraud Section has thus far required the CEO and CFO to sign, the Antitrust Division lists the CEO/President and internal or external legal counsel as mandatory signatories, and the Eastern District of New York required that the President and Chief Compliance Officer sign the certification.

Consistent with past practice surrounding disclosures, the certification expressly deems any disclosure “a material statement and representation by the Company to the executive branch of the United States” under 18 U.S.C. § 1001, which imposes harsh penalties for materially false or fraudulent statements.  The resolutions provide that the certification “constitute[s] a significant and important component” of the resolution for the purposes of determining whether the company has satisfied its obligations under the agreement—an express acknowledgment that did not exist before the new certification requirement.

At the same time, as has been the case in recent years, continuing disclosure requirements often are more expansive than the conduct at issue in the underlying agreement.  For example, an agreement may require disclosure of evidence relating to any potential violation of a specific law anywhere in the world, even where the underlying agreement relates to conduct specific to a location or line of business, even if the conduct would not constitute a violation of law because it did not occur within the jurisdiction of the United States, and even where the evidence is not credible on its face.  As a continuation of this trend, the certification form defines “disclosable information” exceptionally broadly, to include “any and all evidence or allegations” of specified illegal conduct – going well beyond concrete evidence of illegal activity.

As a result, accurate and complete self-reporting is becoming increasingly difficult to navigate as companies seek to balance their self-reporting obligations with retaining some autonomy to make informed judgments about the credibility of allegations raised and the sufficiency of evidence identified in internal investigations.  This, coupled with the new statement that adherence to expansive self-reporting mandates is a “significant and important component” of agreement compliance, plus DOJ’s renewed emphasis on the consequences of breach and recidivist acts, creates a minefield for companies seeking to meet their agreement obligations without outsourcing investigative judgment completely to the U.S. government.

We will continue to monitor whether this certification requirement becomes the norm across Divisions and USAOs moving forward.  For now, it continues a trend of extracting increasingly intrusive disclosure agreements from companies, and increasing the risk of potential breach when the letter of those requirements is not met.

Spotlight on DOJ National Security Division (NSD) Developments

Background on Updated Guidance

As detailed in a prior Gibson Dunn client alert, in December 2019, NSD released updated guidance governing the treatment of voluntary self-disclosures in criminal sanctions and export control investigations.[30]  To incentivize self-reporting, the NSD guidance established a presumption that a company that voluntarily discloses potentially willful criminal sanctions or export control violations will receive an NPA and will not pay a fine.[31]  Although a company will not pay a fine under the NSD guidance, the company must still pay all disgorgement, forfeiture, and restitution resulting from the misconduct.[32]  The NSD guidance also takes into account potential aggravating factors that could merit a DPA or guilty plea instead of an NPA.  Listed aggravating factors present elevated threats to national security, such as the export of items known to be used in the construction of weapons of mass destruction, the knowing involvement of upper management in the criminal conduct, or repeated violations.[33]  If aggravating factors are present such that a DPA or guilty plea is warranted, DOJ will recommend a reduced fine and will not require a monitor if the other requirements in the guidance are met, including voluntary self-disclosure, full cooperation with the government’s investigation, remediation, and the implementation of an effective compliance program.[34]  In this way, the guidance assigns value to voluntary self-disclosure even where the facts and circumstances of a particular case otherwise make an NPA inappropriate in the eyes of DOJ.

Recent NSD Corporate Resolutions

Since the NSD guidance was published in December 2019, NSD has entered into five corporate resolutions.  These resolutions provide an initial view into how DOJ is applying the updated NSD guidance in practice and how companies should weigh the guidance when considering a potential voluntary self-disclosure.  We covered two of these resolutions in our 2020 Mid‑Year and Year-End Updates.

In 2021, NSD entered into NPAs with Avnet Asia Pte. Ltd. (“Avnet”) and SAP SE (“SAP”).  In January 2021, Avnet entered into a two-year NPA to resolve allegations related to an alleged criminal conspiracy carried out by former employees to violate U.S. export laws by shipping U.S. power amplifiers to Iran and China.[35]  Avnet paid a $1.5 million penalty.  Avnet did not receive voluntary self-disclosure credit.  The NPA suggests that Avnet may have made a self-disclosure to DOJ after prosecutors initiated their own investigation, as it states that Avnet did not receive voluntary self-disclosure credit because it did not disclose the conduct “prior to commencement of the investigation.”[36]  In contrast, in April 2021 SAP entered into a three-year NPA after making voluntary self-disclosures to NSD, the Bureau of Industry and Security (“BIS”), and the Office of Foreign Assets Control (“OFAC”) acknowledging violations of the Export Administration Regulations (“EAR”) and Iranian sanctions through the export of software to Iranian end users.[37]  SAP received full credit for its timely voluntary self-disclosure to NSD and, consistent with the 2019 NSD guidance, SAP was required to disgorge $5.14 million but was not required to pay additional financial penalties pursuant to the NPA.[38]  In the press release announcing the SAP NPA, NSD noted the December 2019 guidance and encouraged companies to make voluntary self-disclosures of all potentially willful violations of export control and sanctions laws.[39]  The SAP NPA is the first clear example of NSD applying the updated NSD guidance and entering an NPA, and it appears that the updated NSD guidance may have informed the approach for the Avnet NPA as well.

By contrast, in early 2021, NSD entered into a DPA with PT Bukit Muria Jaya (“BMJ”) to resolve allegations of conspiracy to commit bank fraud in connection with providing goods to North Korea.[40]  BMJ did not self-disclose and therefore did not receive voluntary self-disclosure credit, and the Company paid a $1.5 million penalty.[41]  The BMJ DPA did not identify aggravating factors related to repeat offenses or the involvement of upper management, so it appears that the lack of voluntary self-disclosure may have meaningfully influenced DOJ’s decision to offer a DPA instead of an NPA.

Guidance for Practitioners

These NSD developments illustrate several important considerations for companies when evaluating if and when to disclose potential misconduct.  The developments highlight the significant role played by NSD in the criminal enforcement of U.S. sanctions and export controls.  Relatedly, the updated NSD guidance includes a stringent timing requirement for voluntary self-disclosures.  To receive full credit, the updated NSD guidance requires that a company submit a voluntary self-disclosure to NSD rather than submitting it only to a regulatory agency (e.g. the Department of State’s Directorate of Defense Trade Controls (“DDTC”), BIS, or OFAC).[42]  In the SAP case, for example, SAP made a voluntary self-disclosure to DOJ on the same day that a voluntary self-disclosure was made to OFAC.[43]  In an investigation with NSD implications, careful consideration should be given to the NSD program.

Under the guidance, when considering the potential benefits or downside to self-disclosing misconduct, a company that discovers a potential willful export control or sanctions violation must carefully consider at what stage in an investigation the misconduct should be disclosed to the government; and to what agencies the disclosure should be made and in what sequence.  The NSD guidance does not answer these questions so much as it emphasizes that, for any situation in which the conduct at issue could be of interest to DOJ, timely voluntary self-disclosure can carry significant weight in resolution negotiations.

Developments in SEC Whistleblower Program

Effective December 7, 2020, the SEC amended its whistleblower program rules to include NPAs and DPAs in its definition of “administrative action.”[44]  Given that the SEC can award whistleblowers for information leading to a successful “administrative action,” this amendment  expands the scope of actions in which the SEC can make such awards.[45]  Gibson Dunn analyzed the changes to the whistleblower rules in an alert in September 2020, when the Commission first approved the amendments.  In February 2021, the SEC made its first award under the new rules, which included a $9.2 million award to a whistleblower who reportedly provided “significant information” that led to “successful related actions” by DOJ, “one of which was” an NPA or DPA.[46]  The SEC has continued to issue awards under this new rule.  On October 29, 2021, the SEC announced an award of over $2 million to a whistleblower who provided information that led to a successful NPA or DPA.[47]  The award order notes that the whistleblower “provided information that prompted the opening of the DOJ and SEC investigations.”[48]  The whistleblower also “provided extensive, ongoing assistance in the investigations.”[49]  This award came shortly after the SEC announced that it issued whistleblower awards in connection with four NPAs and DPAs in fiscal year 2021, accounting for more than $117 million in whistleblower awards, equivalent to approximately 21% of total whistleblower awards reported in 2021.[50]

This uptick in NPA- and DPA-related whistleblower awards is in line with the SEC’s overall whistleblower award increase.  According to the 2021 Whistleblower Program Annual Report to Congress, the SEC broke nearly every whistleblower program record in fiscal year 2021, including the highest amount awarded, the highest number of individuals awarded, and the highest number of whistleblower tips received—all previous highs from only one year prior.[51]  The report also states that the SEC has “made more whistleblower awards in FY 2021 than in all prior years combined.”[52]  We can expect the trend in NPA- and DPA-related whistleblower awards to continue, particularly in light of the link the SEC rule amendments now make between whistleblower tips and related DOJ “administrative actions,” DOJ’s own plans for a “surge” in corporate enforcement[53], and the other features of the amended SEC rules that reinforce incentives for whistleblowers to report directly to the government without first reporting internally.

2021 Agreements Since Mid-Year

Bank of N.T. Butterfield & Son Ltd. (NPA)

On July 26, 2021, The Bank of N.T. Butterfield & Son Limited (“Butterfield” or “Bank”) entered into a three-year NPA with the Office of the United States Attorney (“USAO”) for the Southern District of New York and the DOJ Tax Division.[54]  The government alleged that from at least 2001 through 2013, Butterfield, whose principal operations were based out of its Bermuda and Cayman Island operations, assisted U.S. taxpayer-clients in evading their U.S. tax obligations.[55]  The government alleged that Butterfield knew or should have known that these clients were using their Butterfield accounts to evade U.S. tax obligations.[56]

In entering into the NPA, the USAO considered Butterfield’s voluntary and “extraordinary cooperation” with the government, specifically noting that the Bank turned over approximately 386 client files; its voluntary implementation of remedial measures beginning in or about 2013; and its representation that the conduct did not extend beyond what is described in the NPA’s statement of facts.[57]  The government did not impose a criminal penalty on Butterfield.  Butterfield agreed to pay $5.6 million in forfeiture and restitution and agreed not to contest a civil forfeiture action filed by the United States.[58]  Further, Butterfield agreed to continuing cooperation and disclosure requirements for the NPA’s three-year term.[59]  During this term, Butterfield is also required to report any criminal conduct by, and criminal investigations of, Butterfield or its employees related to any federal law violations that come to senior management’s attention, in addition to any administrative proceeding or civil action brought by the U.S. government in which Butterfield is a party.[60]  Notwithstanding the three-year term, Butterfield is also required to cooperate with the government on any matters related to the conduct in the NPA until all investigations, proceedings, or appeals are concluded.[61]

Bicycle Casino (NPA)

On October 22, 2021, The Bicycle Casino, L.P. (“Bicycle”), a California-based hotel and casino, entered into a two-year NPA with the United States Attorney’s Office for the Central District of California to resolve an investigation into alleged violations of the anti-money laundering provisions of the Bank Secrecy Act (“BSA”).[62] According to the NPA, after a foreign national conducted certain transactions at the casino, Bicycle failed to properly file Currency Transaction Reports (“CTRs”) and Suspicious Activity Reports for Casinos (“SARCS”) that are required under the BSA.[63]

In deciding to enter into the NPA, DOJ considered Bicycle’s remedial efforts to strengthen its anti-money laundering program, as well as its cooperation with authorities during the investigation.[64] Additionally, Bicycle agreed to pay $500,000, which represents the revenue that Bicycle made from the foreign national in question, and to undergo enhanced review and reporting requirements.  These requirements included both self-reporting and a one-time audit and report, within one year of signing the agreement and an at least two-year look-back review by an independent “third-party reviewer” retained by Bicycle and “subject to the determination of non-objection” of DOJ.[65]

Constructure Technologies (DPA)

On September 14, 2021, Constructure Technologies LLC (“Constructure”), a New York-based information technology services company, entered into a three-year DPA with the U.S. Attorney’s Office for the Eastern District of New York to resolve a criminal charge for violating the Digital Millennium Copyright Act (“DMCA”) in relation to certain copyright protection systems for software, including encryption systems.[66]  Specifically, the government alleged that from 2011 to 2018, the company installed unlicensed versions of software for its customers using illegally-obtained license keys that company employees had acquired through cracking programs and key generators found on the internet.  These keys allowed Constructure to grant its customers access to copyrighted software programs and then bill its customers for those same keys, which the customers believed to be legitimate license keys.[67]  This case appears to be the first time that the DOJ has entered into either a DPA or NPA in relation to the DMCA.

Under the terms of the DPA, Constructure agreed to pay a criminal penalty of $60,000 and implement a compliance and ethics program that will enhance the company’s ability to prevent and detect future violations of the DMCA.[68]  The company also agreed to fully cooperate with the government until the conclusion of the investigation or the end of the three-year DPA term, whichever is later.[69]  Three Constructure employees, including two principals, pleaded guilty to misdemeanor charges of criminal copyright infringement and face up to one year in prison and a fine.[70]

Credit Suisse (DPA)

On October 19, 2021, Credit Suisse Group AG (“Credit Suisse”) entered into a three-year DPA with DOJ’s Money Laundering and Asset Recovery Section (“MLARS”) and Fraud Section, and the United States Attorney’s Office for the Eastern District of New York.[71]  The government alleged that between 2013 and March 2017, Credit Suisse, through its subsidiary Credit Suisse Securities (Europe) Limited (“CSSEL”), defrauded investors in connection with a Mozambique lending project.[72]  DOJ alleged that Credit Suisse hid information regarding the risk that proceeds from loans to three Mozambican government-owned entities were used to pay approximately $150 million in bribes to senior government officials and $50 million in kickbacks to two CSSEL employees.[73]  DOJ also alleged that Credit Suisse hid from its investors information about debt owed by the Mozambique government.[74] The DPA followed guilty pleas by three CSSEL employees and was concurrent with CSSEL’s guilty plea to one count of conspiracy to commit wire fraud.[75]

Under the DPA, Credit Suisse agreed to pay a U.S. criminal monetary penalty of $247.5 million.[76]  The DPA considered Credit Suisse’s resolutions with SEC and United Kingdom’s Financial Conduct Authority (“FCA”), which included (1) a $65 million civil penalty and $34.1 million in disgorgement and prejudgment interest to SEC, and (2) a $200.6 million penalty to FCA and a promise to irrevocably undertake $200 million of debt relief to Mozambique.[77]  DOJ credited the Company for these payments, reducing its penalty to approximately $175.5 million.[78]  The DPA did not credit the Company with voluntary disclosure or full cooperation with the government’s investigation.[79]

Gree Electric Appliances (DPA)

On October 28, 2021, Gree Electric Appliances Inc. of Zhuhai (“Gree Zhuhai”)—a China-based appliance manufacturer—and one of its subsidiaries entered into a three-year DPA with the U.S. Attorney’s Office for the Central District of California and DOJ’s Consumer Protection Branch (“CPB”) to resolve charges related to the companies’ failure to notify the U.S. Consumer Product Safety Commission (“CPSC”) of defects in its humidifiers.[80]  DOJ alleged that the companies knew that their humidifiers failed to meet applicable safety standards and failed to notify the CPSC of these dangerous defects for six months.[81]  The resolutions are the first corporate criminal enforcement actions that have been brought under the Consumer Product Safety Act of 1972, the law which established the CPSC.[82]

Under the DPA terms, Gree Zhuhai agreed to pay $91 million in penalties and agreed to provide restitution for any uncompensated victims that received injuries as a result of the companies’ humidifiers.[83]  The companies also agreed to continue to cooperate with any ongoing or future investigations related to the defective humidifiers until these investigations are fully concluded.[84]  Additionally, Gree Zhuhai and its affiliate agreed to strengthen their compliance programs and to provide DOJ with yearly reports about the companies’ remediation efforts and the status of their compliance programs.[85]  Prior to the DPA, the Gree Companies had already agreed to pay a $15.45 million civil penalty as part of a 2016 settlement with the CPSC.[86]  Consistent with DOJ’s policy of coordinating resolution penalties in multi-agency investigations arising out of the same misconduct, the DPA credits the Gree Companies’ earlier payment of $15.45 million to the CPSC against the $91 million total penalty.[87]

National Spine and Pain Centers (NSPC) (NPA)

On August 4, 2021, the National Spine and Pain Centers, LLC (“NSPC” or “Company”) entered into a two-year NPA with the United States Attorney’s Offices for the Central District of California and Southern District of California (collectively “USAO”).[88]  NSPC agreed to pay $5.1 million to the government to resolve charges for receiving payments in violation of the Anti-Kickback Statute.

The USAO’s charges stem from NSPC’s and its affiliate’s agreement with Proove Biosciences, Inc. (“Proove”), a now defunct genetics testing company.  The USAO alleged, and NSPC admitted, that NSPC’s and its affiliate’s physicians received illegal kickback payments from Proove “under the guise of a clinical research program,” that they were receiving payments “per test” or “per patient,” and that as part of the scheme, these physicians submitted timesheets used by Proove to pay the physicians which overstated the time they spent conducting clinical research.[89]  The USAO also alleged that as a result of these violations, Medicare overpaid Proove for claims submitted in connection with its agreement with NSPC.[90]  NSPC terminated its contract with Proove for compliance reasons in March 2017 before NSPC was acquired by a new ownership group.[91]

In entering into the NPA, the USAO considered NSPC’s commitment to compliance, specifically noting its implementation of a compliance program designed to ensure compliance with the Anti-Kickback Statute; the Company’s early engagement and cooperation with the USAO’s investigation; the Company’s acceptance of responsibility; the Company’s voluntary undertaking of remedial measures prior to its knowledge of the criminal investigation; and the Company’s agreement to continue to cooperate with the USAO, FBI, and HHS-OIG.[92]  Further, the USAO determined that there was no need for an independent compliance monitor.[93]

Nine individuals were charged in connection with the alleged scheme in the Central District of California in a related case.[94]

Penn Credit Corp. (DPA)

On October 12, 2021, Penn Credit Corporation (“Penn Credit”), a debt collection company, entered into a two-year DPA with the United States Attorney’s Office for the Northern District of Illinois to resolve a corruption investigation.[95]  According to the DPA, Penn Credit engaged in a corruption scheme at the direction of its former owner, Donald Donagher, Jr.[96]  Donagher separately pleaded guilty to one count of bribery.[97]  Specifically, the scheme involved Donagher underwriting certain expenses for a special event hosted by the former Cook County Circuit Court Clerk in an effort to reward the Clerk for awarding debt collection work to Penn Credit.[98]

DOJ entered into the agreement based on the nature and seriousness of the offense conduct, Penn Credit’s and its current management’s ongoing cooperation, and its remedial measures and operational improvements.[99]  In terms of remedial measures, Penn Credit ensured that its former CEO is no longer employed by or has a business relationship with the company.[100]  Further, Penn Credit and its current management created a compliance policy and code of ethics for the company and implemented a system involving company counsel to ensure compliance with laws and regulations relating to monetary contributions to campaigns and/or charitable entities run or managed by elected officials.[101]  Additionally, Penn Credit agreed to report to DOJ annually during the term of the agreement regarding remediation and implementation of the compliance measures.[102]  As a part of the DPA, Penn Credit will pay a monetary penalty of $225,000.[103]

SF Recology Group (DPA)

On September 9, 2021, three San Francisco-based trash disposal subsidiaries of Recology, Inc., entered into a three-year DPA with the United States Attorney’s Office for the Northern District of California and agreed to pay $36 million in criminal penalties.[104]  The DPA resolved allegations that the companies conspired to commit honest services fraud in violation of 18 U.S.C. §§ 1343, 1346, and 1349.[105]  Specifically, the companies admitted to utilizing recurring nonprofit donations to pay bribes and kickbacks or rewards to a former public official with the City and County of San Francisco, with the intent to obtain favorable official action and influence.[106]

As part of the resolution, Recology and its subsidiaries agreed to cooperate with the government’s ongoing investigation into public corruption, and to adopt a new compliance program or modify its existing compliance program.[107]  The DPA outlines a number of remedial measures taken by Recology, including terminating employees identified as responsible for the underlying conduct.[108]  In addition, Recology “revamped” its companywide compliance program by, among other things, developing new policy guidance, procedures, training and reporting mechanisms around travel expenses, charitable contributions, gifts, and interactions with public officials.[109]

International Developments

As noted in prior Mid-Year and Year-End Updates (see, e.g., our 2020 Year-End Update), a number of countries have adopted DPA-like regimes.[110]  DPA-like agreements are available in Brazil, Canada, France, Singapore, and the United Kingdom, although prosecutors in Canada and Singapore have yet to enter into such an agreement since both countries passed legislation authorizing the practice in 2018.[111]

In 2021, France and Brazil had the most active DPA-like regimes.  Prosecuting authorities in each country entered into four DPA-like agreements this year.  The UK was close behind with the SFO entering into three DPAs in the first half of the year, but there have been no new agreements in the latter half of the year.  For a summary of the DPAs entered by the SFO in 2021, see our 2021 Mid-Year Alert.  As discussed there, the SFO has received widespread media attention recently for its failure to successfully prosecute individuals involved in the subject matter of past DPAs.

France

After a relatively quiet first half of the year, France’s prosecuting agencies entered into three DPA-like agreements (known as convention judiciaire d’intérêt public, or “CJIPs”) in the latter half of 2021.  On July 12, 2021, Systra SA, a subsidiary of French state transport company RATP and public railway company SNCF, entered into a CJIP with the French National Prosecutor’s Office (PNF) to resolve allegations that it profited in the amount of €5 million by engaging in multiple bribery schemes in connection with public contracts in Azerbaijan and Uzbekistan between 2009 and 2014.[112]  Consistent with the trend we are seeing in increasingly complex international enforcement interactions, the PNF initiated the investigation into Systra’s misconduct in 2017, based on a complaint filed by Japanese authorities in 2015, following a complaint by a Japanese expatriate living in Uzbekistan.[113]  The PNF’s investigation also identified misconduct by Systra in connection with the award of an engineering contract in Azerbaijan in May 2009.[114]

Under the CJIP, Systra agreed to pay a €7.5 million fine (approximately $8.9 million at the time of the agreement), which reflected a significant reduction from the maximum permitted under the law (€187.2 million).[115]  In imposing the reduced fine, the PNF considered mitigating factors such as the relatively distant dates of the misconduct, Systra’s implementation of a reinforced compliance program since the discovery of the facts, and the company’s ongoing cooperation and remediation.[116]

On September 2, 2021, JP Morgan Chase Bank (“JPMC”) entered into a CJIP with the PNF to resolve allegations that JPMC aided and abetted tax fraud committed by former executives and board directors at French investment company, the Wendel Group.[117]  The investigation was opened in 2012 after the French tax authority filed a complaint related to a series of transactions made from 2004 to 2007.[118]  JPMC allegedly helped finance 11 former executives and three former board directors at the Wendel Group to help them evade capital gains taxes on €315 million of investment income.[119]  Under the terms of the agreement, JPMC agreed to pay €25 million (approximately $29.6 million at the time of the agreement).[120]  JPMC’s role was limited to financing, and it did not act as a legal or tax advisor; PNF treated these facts, JPMC’s cooperation, and the isolated nature of the facts, as mitigating factors.[121]  Conversely, the complexity of the individuals’ alleged tax scheme was considered an aggravating factor.[122]  The individuals involved in the alleged misconduct are scheduled to go to trial in early 2022.[123]

Finally, on December 15, 2021, a luxury goods company agreed to pay €10 million (approximately $11.3 million) to resolve allegations that the company hired the former head of France’s domestic intelligence agency to spy on a French journalist and filmmaker and other private citizens.

Brazil

On October 25, 2021, Brazil’s Office of the Comptroller General (CGU) and the Attorney General of the Union (AGU) entered into a leniency agreement with Rolls-Royce PLC related to allegations that the company engaged in public bribery involving Petrobras in 2003, 2004, and 2005.[124]  The agreement is related to the coordinated resolution Rolls-Royce entered into in 2017 with the UK’s SFO, the Brazilian Ministério Público Federal (MPF), and DOJ to resolve allegations that Rolls-Royce caused millions in bribes to be paid to officials of state-owned oil companies in Angola, Azerbaijan, Brazil, Iraq, Kazakhstan, and Thailand.[125]  As discussed in our 2017 Mid-Year FCPA Update, under the terms of the 2017 settlement, Rolls-Royce agreed to pay over $800 million in penalties, including a penalty of approximately $25.5 million to the MPF in connection with conspiring to bribe Brazilian officials between 2005 and 2008.[126]  Under the new agreement with the CGU and AGU, Rolls-Royce agreed to pay a penalty of $27.8 million.[127]

On June 7, 2021, manufacturing companies SICPA do Brasil Ltda (SICPA) and CEPTIS SA (CEPTIS), agreed to pay fines and restitution totaling 762 million reais (approximately $135.4 million), to be paid to the Brazilian government and the Brazilian Mint in 21 installments over a 20-year period.[128]  Through its own internal investigation, SICPA identified irregularities in certain payments made to a public agent between 2009 and 2015 and self-disclosed the issue to Brazilian authorities.[129]  The agreement recognizes the companies’ cooperation and remedial efforts.[130]

On February 22, 2021, South Korean shipbuilder Samsung Heavy Industries (SHI) entered into a leniency agreement with the CGU, AGU, and MPF to resolve allegations that the company engaged in bribery and money laundering in connection with its contracts with Petrobras.[131]  The agreement is the second part of a global resolution SHI negotiated with Brazilian and U.S. authorities.[132]  As discussed in our 2019 Year-End Update, in November 2019, SHI entered into a DPA with the DOJ and agreed to pay a $75.5 million penalty.[133] Under the new agreement with Brazilian authorities, SHI agreed to pay a total of 812 million reais (approximately $148.56 million), reflecting 706 million reais in damages to be paid to Petrobras and a 106 million reais fine.[134]

Brazilian authorities entered into a fourth leniency agreement in 2021, in connection with the resolution with Amec Foster Wheeler Energy Limited (“AFWEL”) that we discussed in our 2021 Mid-Year Update.[135]  DOJ and the SEC credited most of the amounts paid under the leniency agreement against those agencies’ resolutions in the AFWEL matter.[136]


APPENDIX:  2021 Non-Prosecution and Deferred Prosecution Agreements

The chart below summarizes the agreements entered into by DOJ in 2021.  The SEC has not entered into any NPAs or DPAs in 2021.  The complete text of each publicly available agreement is hyperlinked in the chart.

The figures for “Monetary Recoveries” may include amounts not strictly limited to an NPA or a DPA, such as fines, penalties, forfeitures, and restitution requirements imposed by other regulators and enforcement agencies, as well as amounts from related settlement agreements, all of which may be part of a global resolution in connection with the NPA or DPA, paid by the named entity and/or subsidiaries.  The term “Monitoring & Reporting” includes traditional compliance monitors, self-reporting arrangements, and other monitorship arrangements found in settlement agreements.

U.S. Deferred and Non-Prosecution Agreements in 2020

| Company | Agency | Alleged Violation | Type | Monetary Recoveries | Monitoring & Reporting | Term of DPA/NPA (months) |
|---|---|---|---|---|---|---|
| Amec Foster Wheeler Energy Limited | DOJ Fraud; E.D.N.Y. | Conspiracy to violate the FCPA | DPA | $41,139,287 | Yes | 36 |
| American Century Companies, Inc. | DOJ Antitrust | Restraint of interstate trade | NPA | $1,500,000 | Yes | 36 |
| Argos USA LLC | DOJ Antitrust | Price-fixing conspiracy | DPA | $20,024,015 | Yes | 36 |
| A Medical Technology Company | DOJ Fraud; DOJ CPB; N.D. Tex. | FDCA | DPA | $22,228,000 | Yes | 36 |
| Avnet Asia Pte. Ltd | D.D.C.; DOJ NSD | Export controls – conspiracy to violate the International Emergency Economic Powers Act | NPA | $1,508,000 | Yes | 24 |
| Bank Julius Baer & Co. Ltd. | DOJ MLARS; E.D.N.Y. | AML | DPA | $79,688,400 | Yes | 36 |
| Bank of N.T. Butterfield & Son Ltd. | DOJ Tax; S.D.N.Y. | Defrauding IRS; filing false tax returns; evading federal income tax | NPA | $5,600,000 | No | 36 |
| Berlitz Languages, Inc. | DOJ Antitrust | Bid rigging | DPA | $203,984 | Yes | 36 |
| Bicycle Casino | C.D. Cal. | Bank Secrecy Act | NPA | $500,000 | Yes | 24 |
| The Boeing Company | DOJ Fraud; N.D. Texas | Fraud | DPA | $2,513,600,000 | Yes | 36 |
| Colas Djibouti SARL | S.D. Cal.; DOJ Civil | FCA | DPA | $14,500,000 | No | 24 |
| Comprehensive Language Center, Inc. | DOJ Antitrust | Bid rigging | DPA | $196,984 | Yes | 36 |
| Constructure Technologies | E.D.N.Y. | Copyright | DPA | $60,000 | No | 36 |
| Credit Suisse | E.D.N.Y. | Wire fraud | DPA | $274,619,872 | Yes | 36 |
| Deutsche Bank AG | DOJ Fraud; MLARS; E.D.N.Y. | FCPA | DPA | $124,796,046 | Yes | 36 |
| Epsilon Data Management, LLC | DOJ CPB; D. Colo. | Mail and wire fraud | DPA | $150,000,000 | Yes | 30 |
| Gree Electric Appliances | DOJ CPB; C.D. Cal. | Failure to notify of substantial product hazards | DPA | $91,200,000 | Yes | 36 |
| KBM Group, LLC | DOJ CPB; D. Colo. | Mail and wire fraud | DPA | $42,000,000 | Yes | 30 |
| National Spine and Pain Centers | S.D. Cal.; C.D. Cal. | Conspiracy to defraud United States | NPA | $5,100,000 | No | 24 |
| Penn Credit Corp. | N.D. Ill. | Offense against the United States; bribery | DPA | $225,000 | Yes | 24 |
| PT Bukit Muria Jaya | D.D.C.; DOJ NSD | Bank fraud | DPA | $1,561,570 | Yes | 18 |
| Rahn+Bodmer Co. | S.D.N.Y.; DOJ Tax | Fraud, false tax return filings, and tax evasion | DPA | $22,000,000 | No | 36 |
| SAP SE | DOJ NSD; D. Mass. | Export controls | NPA | $8,430,000 | Yes | 36 |
| SF Recology Group | N.D. Cal. | Honest services wire fraud | DPA | $36,000,000 | Yes | 36 |
| State Street Corporation | D. Mass. | Wire fraud | DPA | $211,575,000 | Yes | 24 |
| Swiss Life Holding AG | S.D.N.Y.; DOJ Tax | Fraud, false tax return filings, and tax evasion | DPA | $77,374,337 | No | 36 |
| United Airlines, Inc. | DOJ Fraud | Fraud | NPA | $49,458,102 | No | 36 |

__________________________

[1] For client reasons, an additional DPA is not discussed here but is included in relevant statistics.

[2] See infra “New NSD Corporate Resolutions”; see also U.S. Dep’t of Justice, NSD Div., Export Control and Sanctions Enforcement Policy for Business Organizations (Dec. 13, 2019), https://www.justice.gov/nsd/ces_vsd_policy_2019/download (hereinafter “Updated NSD Guidance”).

[3] See U.S. Dep’t of Justice, Fraud Section: Declinations, available at https://www.justice.gov/criminal-fraud/corporate-enforcement-policy/declinations.

[4] Clara Hudson, “DOJ sees decrease in corporate enforcement policy declinations,” Global Investigations Review (Apr. 15, 2021), https://globalinvestigationsreview.com/just-anti-corruption/fcpa/doj-corporate-enforcement-policy-declinations-decrease.

[5] Deputy Assistant Attorney General Matt Miner Delivers Remarks at The American Bar Association, Criminal Justice Section Third Global White Collar Crime Institute Conference, (June 27, 2019), available at https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-matt-miner-delivers-remarks-american-bar-association.

[6] Transcript, John Carlin on Stepping up DOJ Corporate Enforcement (Oct. 11, 2021), https://globalinvestigationsreview.com/news-and-features/in-house/2020/article/john-carlin-stepping-doj-corporate-enforcement.

[7] Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime (Oct. 28, 2021), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.

[8] See Assistant Attorney General Leslie R. Caldwell Delivers Remarks at a Press Conference on Foreign Exchange Spot Market Manipulation (May 20, 2015), available at https://www.justice.gov/opa/speech/assistant-attorney-general-leslie-r-caldwell-delivers-remarks-press-conference-foreign (“If appropriate and proportional to the misconduct and the company’s track record, we will tear up an NPA or a DPA and prosecute the offending company based on the admitted statement of facts”).

[9] Press Release, Monsanto Agrees to Plead Guilty to Illegally Using Pesticide at Corn Growing Fields in Hawaii and to Pay Additional $12 Million (Dec. 9, 2021), https://www.justice.gov/usao-cdca/pr/monsanto-agrees-plead-guilty-illegally-using-pesticide-corn-growing-fields-hawaii-and.

[10] Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime (Oct. 28, 2021), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.

[11] Id.

[12] Dylan Tokar, Justice Department Officials Dig In on Corporate Repeat Offenders, Wall St. J. (Dec. 1, 2021), https://www.wsj.com/articles/justice-department-officials-dig-in-on-corporate-repeat-offenders-11638405092.

[13] Id.

[14] Transcript, John Carlin on Stepping up DOJ Corporate Enforcement (Oct. 11, 2021), https://globalinvestigationsreview.com/news-and-features/in-house/2020/article/john-carlin-stepping-doj-corporate-enforcement.

[15] Id.

[16] Deferred Prosecution Agreement, United States v. Epsilon Data Mgmt., LLC, No. 21-cr-06 (D. Colo. Jan. 19, 2021) (hereinafter “Epsilon DPA”), at C-5.

[17] Deferred Prosecution Agreement, United States v. Recology San Francisco, et al., No. CR21-356 (N.D. Cal. Sep. 9, 2021) (hereinafter “Recology DPA”), at B-4.

[18] Deferred Prosecution Agreement, United States v. Credit Suisse Group AG, Cr. No. 21-521 (E.D.N.Y. Oct. 19, 2021) (hereinafter “Credit Suisse DPA”), at C-9.

[19] Memorandum from Sally Quillian Yates, Deputy Attorney General, U.S. Dep’t of Justice, to Assistant Attorney General, Antitrust Division, et al., Individual Accountability for Corporate Wrongdoing (Sept. 9, 2015), at 3, http://www.justice.gov/dag/file/769036/download; as covered in our prior client alert here.

[20] See Deputy Attorney General Rod J. Rosenstein Delivers Remarks at the American Conference Institute’s 35th International Conference on the Foreign Corrupt Practices Act (Nov. 29, 2018), available at https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarks-american-conference-institute-0.

[21] Id.

[22] Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime (Oct. 28, 2021), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.

[23] Jack Queen, New DOJ Crime Chief Talks ‘Carrot And Stick’ Enforcement, Law360 (Dec. 8, 2021), https://www.law360.com/articles/1447069/new-doj-crime-chief-talks-carrot-and-stick-enforcement.

[24] See, e.g., Non-Prosecution Agreement, Petróleo Brasileiro S.A. – Petrobras (Sept. 26, 2018), at 5 (imposing obligation to “promptly report” “evidence or allegations of actual or potentially corrupt payments or actual or potential violations of the FCPA” to DOJ) (hereinafter “Petrobras NPA”); Deferred Prosecution Agreement, United States v. Telefonaktiebolaget LM Ericsson (Nov. 26, 2019), at 7 (hereinafter “Ericsson DPA”).

[25] Petrobras NPA at 5; Ericsson DPA at 18.

[26] See, e.g., Deferred Prosecution Agreement, United States v. Vitol Inc., No. 20-539 (ENV) (E.D.N.Y. Dec. 3, 2020).

[27] See, e.g., Deferred Prosecution Agreement, United States v. Deutsche Bank Aktiengesellschaft, No. 20-00584 (E.D.N.Y. Jan. 8, 2021); Deferred Prosecution Agreement, United States v. The Boeing Company (N.D. Tex. Jan. 7, 2021).

[28] See, e.g., Non-Prosecution Agreement, American Century Companies, Inc. (March 5, 2021); Deferred Prosecution Agreement, United States v. Argos USA LLC, No. 4:21-CR-0002-RSB-CLR (S.D. Ga. Jan. 4, 2021); Deferred Prosecution Agreement, United States v. Berlitz Languages, Inc., No. 21-51-FLW (D.N.J. Jan. 19, 2021); Deferred Prosecution Agreement, United States v. Comprehensive Language Center, Inc., No. 21-50-FLW (D.N.J. Jan. 19, 2021).

[29] See, e.g., Deferred Prosecution Agreement, United States v. Ticketmaster L.L.C., Cr. No. 20-563 (MKB) (E.D.N.Y. Dec. 29, 2020).

[30] U.S. Dep’t of Justice, NSD Div., Export Control and Sanctions Enforcement Policy for Business Organizations (Dec. 13, 2019), https://www.justice.gov/nsd/ces_vsd_policy_2019/download (hereinafter “Updated NSD Guidance”).

[31] Id. at 2.  NSD defines an act as willful if done with knowledge that it is illegal.  Id. at 1 n.2.

[32] Id. at 2-3.

[33] Id. at 6.

[34] Id. at 2.

[35] Press Release, U.S. Dep’t of Justice, Chinese National Charged with Criminal Conspiracy to Export US Power Amplifiers to China (Jan. 29, 2021), https://www.justice.gov/opa/pr/chinese-national-charged-criminal-conspiracy-export-us-power-amplifiers-china.

[36] Non-Prosecution Agreement, Avnet Asia Pte. Ltd. (Jan. 21, 2021), at 3, 4 (“The Company did not receive voluntary disclosure credit because it did not disclose to the Offices the conduct described in the Statement of Facts prior to commencement of the investigation.”)

[37] Press Release, U.S. Dep’t of Justice, SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and Enters into Non-Prosecution Agreement with DOJ (Apr. 29, 2021), https://www.justice.gov/opa/pr/sap-admits-thousands-illegal-exports-its-software-products-iran-and-enters-non-prosecution.

[38] Id.

[39] Id.

[40] Press Release, U.S. Dep’t of Justice, Indonesian Company Admits to Deceiving U.S. Banks in Order to Trade with North Korea, Agrees to Pay a Fine of More Than $1.5 Million (Jan. 17, 2021), https://www.justice.gov/opa/pr/indonesian-company-admits-deceiving-us-banks-order-trade-north-korea-agrees-pay-fine-more-15.

[41] United States v. PT Bukit Muria Jaya, No. 21-cr-14 (D.D.C. Jan. 14, 2021), at Attach. A, 3-4, 7‑8.

[42] Updated NSD Guidance, supra note 1, at 3 (“It is important to note that when a company identifies potentially willful conduct, but chooses to self-report only to a regulatory agency and not to DOJ, the company will not qualify for the benefits of a VSD under this Policy in any subsequent DOJ investigation.”).

[43] Non-Prosecution Agreement, SAP SE (Apr. 29, 2021), at Attach. A, 5 (“On September 8, 2017, SAP made a voluntary self-disclosure to DOJ’s National Security Division and the U.S. Department of the Treasury’s Office of Foreign Assets Control (‘OFAC’) regarding potential violations of the ITSR.”)

[44] 17 C.F.R. § 240.21F-4(d)(3)(i)-(ii).

[45] Id.; 17 C.F.R. § 240.21F.

[46] Press Release, U.S. Sec. and Exch. Comm’n, SEC Awards More Than $9.2 Million to Whistleblower for Successful Related Actions, Including Agreement with DOJ (Feb. 23, 2021), https://www.sec.gov/news/press-release/2021-31; SEC Order Determining Whistleblower Award Claim, Release No. 91183 (Feb. 23, 2021), at 2, https://www.sec.gov/rules/other/2021/34-91183.pdf.

[47] Press Release, U.S. Sec. and Exch. Comm’n, SEC Awards More Than $2 Million to Whistleblower for Successful Related Action (Oct. 29, 2021), https://www.sec.gov/news/press-release/2021-220 (hereinafter “$2M Whistleblower Press Release”); SEC Order Determining Whistleblower Award Claim, Release No. 93465 (Oct. 29, 2021), https://www.sec.gov/rules/other/2021/34-93465.pdf (hereinafter “$2M Whistleblower Award Order”).

[48] $2M Whistleblower Award Order, at 2.

[49] Id.

[50] U.S. Sec. and Exch. Comm’n, Office of the Whistleblower, 2021 Annual Report to Congress: Whistleblower Program (2021), https://www.sec.gov/files/owb-2021-annual-report.pdf (hereinafter “2021 SEC Whistleblower Report”), at 1, 20.

[51] 2021 SEC Whistleblower Report, at 1.

[52] Id.

[53] Transcript, John Carlin on Stepping up DOJ Corporate Enforcement (Oct. 11, 2021), https://globalinvestigationsreview.com/news-and-features/in-house/2020/article/john-carlin-stepping-doj-corporate-enforcement.

[54] Non-Prosecution Agreement, Bank of N.T. Butterfield & Son Ltd. (Jul. 26, 2021) (hereinafter “Butterfield NPA”).

[55] Id. at 1.

[56] Id., Ex. A at 2.

[57] Id. at 1.

[58] Press Release, U.S. Dep’t of Justice, Manhattan U.S. Attorney Announces Agreement With Bermudian Bank To Resolve Criminal Tax Investigation (Aug. 3, 2021), https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-agreement-bermudian-bank-resolve-criminal-tax.

[59] Butterfield NPA at 2.

[60] Id. at 2‑3.

[61] Id.

[62] Non-Prosecution Agreement, The Bicycle Casino, L.P. (Oct. 22, 2021), (hereinafter “Bicycle NPA”); Press Release, U.S. Dep’t Justice, Bicycle Casino Agrees to Pay $500,000 Settlement and Submit to Increased Review of Anti-Money Laundering Compliance Program (Nov. 5, 2021), https://www.justice.gov/usao-cdca/pr/bicycle-casino-agrees-pay-500000-settlement-and-submit-increased-review-anti-money (hereinafter “Bicycle NPA Press Release”).

[63] Bicycle NPA Press Release.

[64] Id.

[65] Id.

[66] Press Release, U.S. Dep’t of Justice, Three Employees of a Long Island Information Technology Company Plead Guilty to Criminal Copyright Infringement (Sep. 16, 2021), https://www.justice.gov/usao-edny/pr/three-employees-long-island-information-technology-company-plead-guilty-criminal (hereinafter “Constructure Technologies DPA Press Release”).

[67] Id.

[68] Id.

[69] Deferred Prosecution Agreement, United States v. Constructure Technologies, LLC, No. 2:21-cr-00368, at 3 (E.D. N.Y., Sep. 15, 2021).

[70] Constructure Technologies DPA Press Release.

[71] Press Release, U.S. Dep’t of Justice, Credit Suisse Resolves Fraudulent Mozambique Loan Case in $547 Million Coordinated Global Resolution (Oct. 19, 2021), https://www.justice.gov/opa/pr/credit-suisse-resolves-fraudulent-mozambique-loan-case-547-million-coordinated-global.

[72] Id.

[73] Id.

[74] Id.

[75] Id.

[76] Id.

[77] Deferred Prosecution Agreement, United States v. Credit Suisse Group AG, No. 21-cr-00521, at 5 (E.D. N.Y., Oct. 19, 2021) (hereinafter “Credit Suisse DPA”).

[78] Credit Suisse Press Release, supra note 58.

[79] Credit Suisse DPA at 4.

[80] Deferred Prosecution Agreement, United States v. Gree Electric Appliances, Inc. of Zhuhai, and Hong Kong Gree Electric Appliances Sales Co., Ltd., (C.D. Cal. Oct. 28, 2021) (hereinafter “Gree DPA”); Press Release, U.S. Dep’t of Justice, Gree Appliance Companies Charged with Failure to Report Dangerous Dehumidifiers and Agree to $91 Million Resolution (Oct. 28, 2021), https://www.justice.gov/opa/pr/gree-appliance-companies-charged-failure-report-dangerous-dehumidifiers-and-agree-91-million (hereinafter “Gree Press Release”).

[81] Gree Press Release.

[82] Id.

[83] Id.

[84] Id.

[85] Id.

[86] Gree DPA at 17.

[87] Id. at 17‑18.

[88] Non-Prosecution Agreement, National Spine and Pain Centers, LLC (Aug. 3, 2021) (hereinafter “NSPC NPA”).

[89] Press Release, U.S. Dep’t of Justice, Pain Management Organization Pays $5.1 Million to Settle Criminal Medicare Kickback Violations (Aug. 6, 2021), https://www.justice.gov/usao-sdca/pr/pain-management-organization-pays-51-million-settle-criminal-medicare-kickback.

[90] NSPC NPA.

[91] Id.

[92] Id.

[93] Id.

[94] Case No. 21CR0112-JLS; Press Release, U.S. Dep’t of Justice, Pain Management Organization Pays $5.1 Million to Settle Criminal Medicare Kickback Violations (Aug. 6, 2021), https://www.justice.gov/usao-sdca/pr/pain-management-organization-pays-51-million-settle-criminal-medicare-kickback.

[95] Deferred Prosecution Agreement, United States v. Penn Credit Corporation, No. 19 CR 240 (Oct. 12, 2021), (hereinafter “Penn Credit DPA”); Press Release, Owner of Debt Collection Company Pleads Guilty to Corruptly Providing Benefits to Public Official (Oct. 12, 2021), https://www.justice.gov/usao-ndil/pr/owner-debt-collection-company-pleads-guilty-corruptly-providing-benefits-public (hereinafter “Penn Credit DPA Press Release”).

[96] Penn Credit DPA Press Release.

[97] Id.

[98] Id.

[99] Penn Credit DPA at 2-3.

[100] Id. at 6.

[101] Id.

[102] Id.

[103] Id.

[104] Press Release, U.S. Dep’t of Justice, Three San Francisco Garbage Companies Admit Bribery And Pay $36 Million To Resolve Federal Investigation (September 9, 2021), https://www.justice.gov/usao-ndca/pr/three-san-francisco-garbage-companies-admit-bribery-and-pay-36-million-resolve-federal.

[105] Deferred Prosecution Agreement, United States v. Recology San Francisco, Sunset Scavenger Company. Golden Gate Disposal & Recycling Company, No. 21-cr-356 (N.D. Cal., Sept. 9, 2021) (hereinafter “SF Recology DPA”).

[106] Id. at A-2.

[107] Id. at 4, 7.

[108] Id. at 7.

[109] Id. at 7-8.

[110] Gibson, Dunn & Crutcher, 2020 Year-End Update On Corporate Non-Prosecution Agreements And Deferred Prosecution Agreements, at 22 (Jan. 19, 2021), https://www.gibsondunn.com/2020-year-end-update-on-corporate-non-prosecution-agreements-and-deferred-prosecution-agreements/.

[111] Lawrence F. Ritchie & Sonja Pavic, Canada’s Deferred Prosecution Agreements: Still Waiting for Takeoff, Osler (Dec. 11, 2020), https://www.osler.com/en/resources/regulations/2020/canada-s-deferred-prosecution-agreements-still-waiting-for-takeoff; Criminal Justice Reform Act 2018 (Act. No. 19/2018) (Sg.), https://sso.agc.gov.sg/Acts-Supp/19-2018.

[112] James Thomas, Regular compliance renewal helps French transport company minimize corruption fine, Global Investigations Review (Aug. 2, 2021) https://globalinvestigationsreview.com/anti-corruption/regular-compliance-renewal-helps-french-transport-company-minimise-corruption-fine

[113] Id.

[114] Id.

[115] Id.

[116] Id.

[117] Leila Abboud, JPMorgan to pay €25m to settle tax fraud case in France, Financial Times (Sept. 2, 2021) https://www.ft.com/content/0b845a1c-0b73-400f-93c5-b3d3d08ffe08/.

[118] Id.

[119] Fraude fiscale d’ex-dirigeants de Wendel: JPMorgan paie 25 millions d’euros d’amende pour clore les poursuites, Le Figaro (Sept. 2, 2021), https://www.lefigaro.fr/societes/fraude-fiscale-d-ex-dirigeants-de-wendel-jpmorgan-paie-25-millions-d-euros-d-amende-pour-clore-les-poursuites-20210902.

[120] Id.

[121] Id.

[122] Id.

[123] US bank agrees 25 million euro deal to settle French tax fraud investigation (Sept. 2, 2021), https://www.rfi.fr/en/france/20210902-us-bank-agrees-25-million-euro-deal-to-settle-french-tax-fraud-investigation.

[124] CGU e AGU assinam acordo de leniência com a Rolls-Royce PLC (Oct. 26, 2021), https://www.gov.br/cgu/pt-br/assuntos/noticias/2021/10/cgu-e-agu-assinam-acordo-de-leniencia-com-a-rolls-royce-plc.

[125] Gibson, Dunn & Crutcher, 2017 Mid-Year FCPA Update, at 4-5 (July 10, 2017), https://www.gibsondunn.com/2017-mid-year-fcpa-update/.

[126] Id.

[127] CGU e AGU assinam acordo de leniência com a Rolls-Royce PLC (Oct. 26, 2021), https://www.gov.br/cgu/pt-br/assuntos/noticias/2021/10/cgu-e-agu-assinam-acordo-de-leniencia-com-a-rolls-royce-plc.

[128] Brazil Leniency Agreement (June 7, 2021), https://www.sicpa.com/news/brazil-leniency-agreement.

[129] CGU and AGU Enter Into a Leniency Agreement with the Companies SICPA and CEPTIS in the Amount of BRL 762 million, gov.br (June 7, 2021), https://www.gov.br/cgu/pt-br/assuntos/noticias/2021/06/cgu-e-agu-celebram-acordo-de-leniencia-com-as-empresas-sicpa-e-ceptis-no-valor-de-r-762-milhoes.

[130] Id.

[131] UPDATE 1-South Korea’s Samsung Heavy settles Brazil graft probe for $149 mln, Reuters (Feb. 23, 2021), https://www.reuters.com/article/samsung-heavy-brazil-corruption/update-1-south-koreas-samsung-heavy-settles-brazil-graft-probe-for-149-mln-idUSL1N2KT0E1.

[132] Id.

[133] Gibson, Dunn & Crutcher, 2019 Year-End FCPA Update, at 8 (Jan. 6, 2020), https://www.gibsondunn.com/2019-year-end-fcpa-update/.

[134] UPDATE 1-South Korea’s Samsung Heavy settles Brazil graft probe for $149 mln, Reuters (Feb. 23, 2021), https://www.reuters.com/article/samsung-heavy-brazil-corruption/update-1-south-koreas-samsung-heavy-settles-brazil-graft-probe-for-149-mln-idUSL1N2KT0E1.

[135] CGU and AGU Enter Into a R$86 Million Leniency Agreement with Companies for Illicit Activities in a Project with Petrobras (June 25, 2021), https://www.gov.br/cgu/pt-br/assuntos/noticias/2021/06/cgu-e-agu-celebram-acordo-de-leniencia-de-r-86-milhoes-com-empresas-por-ilicitos-em-projeto-com-a-petrobras.

[136] Deferred Prosecution Agreement, United States v. Amec Foster Wheeler Energy Limited, No. 21-cr-298 (E.D. N.Y., June 23, 2021) (hereinafter “Amec DPA”); Order Instituting Cease-and-Desist Proceedings Pursuant to Section 21C of The Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order, Release No. 92259 (June 25, 2021), https://www.sec.gov/litigation/admin/2021/34-92259.pdf.

 


The following Gibson Dunn lawyers assisted in preparing this client update: F. Joseph Warin, M. Kendall Day, Courtney Brown, Melissa Farrar, Laura Cole, Michael Dziuban, Alexandra Buettner, Will Cobb, Abiel Garcia, Yamini Grema, Sarah Hafeez, Cate Harding, Jasdeep Kaur, Teddy Kristek, Madelyn La France, Allison Lewis, Jacob McGee, Katie Mills, Tory Roberts, Alyse Ullery-Glod, and Brian Williamson.

Gibson Dunn’s White Collar Defense and Investigations Practice Group successfully defends corporations and senior corporate executives in a wide range of federal and state investigations and prosecutions, and conducts sensitive internal investigations for leading companies and their boards of directors in almost every business sector. The Group has members across the globe and in every domestic office of the Firm and draws on more than 125 attorneys with deep government experience, including more than 50 former federal and state prosecutors and officials, many of whom served at high levels within the Department of Justice and the Securities and Exchange Commission, as well as former non-U.S. enforcers. Joe Warin, a former federal prosecutor, is co-chair of the Group and served as the U.S. counsel for the compliance monitor for Siemens and as the FCPA compliance monitor for Alliance One International. He previously served as the monitor for Statoil pursuant to a DOJ and SEC enforcement action. He co-authored the seminal law review article on NPAs and DPAs in 2007. M. Kendall Day is a partner in the Group and a former white collar federal prosecutor who spent 15 years at the Department of Justice, rising to the highest career position in the DOJ’s Criminal Division as an Acting Deputy Assistant Attorney General.

The Group has received numerous recognitions and awards, including its third consecutive ranking as No. 1 in the Global Investigations Review GIR 30 2020, an annual guide to the world’s top 30 cross-border investigations practices. GIR noted, “Gibson Dunn & Crutcher is the premier firm in the investigations space and has an unrivalled Foreign Corrupt Practices Act practice.” The list was published in October 2020.


© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.


Thirty-five years ago, Congress ushered in the modern era of False Claims Act (“FCA”) enforcement when it enacted the False Claims Amendments Act of 1986. At the time, the FCA was a seldom-enforced statute that resulted in government recoveries each year counted in the tens of millions. Now, 35 years later, the FCA is firmly—and consistently from one administration to another—established as the government’s principal fraud enforcement tool, netting the government annual recoveries counted in the billions. This past year underscored the continuing impact of the FCA and attendant risks to companies that do business—directly or indirectly—with the government.

DOJ announced that it collected more than $5.6 billion in FCA and related recoveries during FY 2021, which is the second-largest total ever for FCA recoveries and the largest since 2014. That figure is inflated by Purdue Pharma’s $2.8 billion bankruptcy payment in connection with its opioid resolutions; but even without the Purdue payment, the government still recovered $2.8 billion from FCA defendants, in line with year-over-year trends for the last 5 years.

Meanwhile, on the legislative and policy front, the chief architect of the 1986 amendments, Senator Chuck Grassley (R-IA), advanced new legislation aimed at strengthening the FCA even further. DOJ also announced several of its own efforts to strengthen the FCA, including plans to unwind Trump Administration policies, leverage the FCA in cybersecurity enforcement, and police fraud on COVID-19 stimulus programs. On the judicial front, the federal appellate courts issued a number of significant decisions in the second half of 2021, including important decisions exploring the FCA’s materiality and scienter requirements, the public disclosure bar, and pleading fraud with particularity under Rule 9(b).

Below, we begin by summarizing recent enforcement activity, then provide an overview of notable legislative and policy developments at the federal and state levels, and finally analyze significant court decisions from the past six months.

As always, Gibson Dunn’s recent publications regarding the FCA may be found on our website, including in-depth discussions of the FCA’s framework and operation, industry-specific presentations, and practical guidance to help companies avoid or limit liability under the FCA. And, of course, we would be happy to discuss these developments—and their implications for your business—with you.

I.    FCA ENFORCEMENT ACTIVITY

A.    NEW FCA ACTIVITY

The government and qui tam relators filed 801 new cases in 2022.[1] That number is down from the unprecedented heights reached in 2020 (when there were a record 922 new FCA cases), but is consistent with the pace otherwise set over the past decade, reflecting the upward trend in FCA activity by qui tam relators and the government since the 2009 amendments to the statute.[2]

Last year, we noted that the government filed an abnormally high number of cases (250) on its own—i.e., without the involvement of qui tam relators. Cases of this sort remained historically high in 2021: although they dipped from 2020’s all-time high, DOJ initiated 203 cases in 2021, the second-highest total in the last 25 years. As discussed below, cases where the government is involved—either because the government brought the case, or later intervened—typically account for 90% of all FCA recoveries. If the government continues to bring more than 200 cases a year—up from an average of ~120 in the prior decade—then we will also expect to see increased DOJ recoveries. With the government’s stated commitments to proactive enforcement initiatives focusing on COVID stimulus fraud, cybersecurity, and matters stemming from health care data analysis, the number of government-driven new cases is likely to stay very high in 2022.

Number of FCA New Matters, Including Qui Tam Actions

Source: DOJ “Fraud Statistics – Overview” (Feb. 1, 2022)

 

B.    TOTAL RECOVERY AMOUNTS: 2021 RECOVERIES EXCEED $5.6 BILLION

The federal government recovered more than $5.6 billion during fiscal year 2021, which ended September 30, 2021. Of this amount, more than 90% was recovered in intervened cases, underscoring once again that companies face more significant exposure in cases in which the government initiated the case or intervened. Still, it is worth noting that relators’ recoveries from declined cases remained historically high since escalating significantly as a percentage of total recoveries in 2015; this data point reflects recent trends in relators’ willingness and ability to pursue cases into litigation after the government declines to intervene.

DOJ touted in its annual press release that the $5.6 billion haul represents the “second largest annual total in False Claims Act history, and the largest since 2014.”[3] But that only tells part of the story. The total includes approximately $3.2 billion in settlements stemming from the opioid crisis, including the $2.8 billion claim that Purdue agreed to allow in its bankruptcy “to resolve civil allegations that the company promoted its opioid drugs to health care providers it knew were prescribing opioids for uses that were unsafe, ineffective, and medically unnecessary, and that often led to abuse and diversion.”[4]

If the Purdue bankruptcy amount is removed, the government’s total recoveries this year are $2.8 billion. That amount is in line with trends during the last 5 years, while marking an increase from last year’s total of $2.2 billion.

Settlements or Judgments in Cases Where the Government Declined Intervention as a Percentage of Total FCA Recoveries

Source: DOJ “Fraud Statistics – Overview” (Feb. 1, 2022)

C.    INDUSTRY BREAKDOWN

The relative breakdown of FCA recoveries across industries remained consistent with past years. Health care cases comprised 90% of total recoveries, Department of Defense procurement issues made up 2%, and the remaining 8% was split among other industries.[5] If you exclude the Purdue bankruptcy amount, then health care cases were 80% of recoveries, defense procurement cases were 4%, and other cases accounted for the remaining 16%.

Within the health care industry, DOJ announced that its primary areas of enforcement were opioid abuse, Medicare Advantage (Part C) fraud, illegal kickbacks, and provision of medically unnecessary services. While opioids, kickbacks, and provision of medically unnecessary services are familiar entries on the list of top theories for the government, the emergence of alleged Medicare Advantage fraud as one of DOJ’s top sources for FCA settlements is a relatively new development. Although close observers of the FCA have watched for several years as DOJ began to pursue these cases in earnest, those efforts are just beginning to result in significant recoveries for the government.

FCA Recoveries by Industry

Source: DOJ “Fraud Statistics – Overview” (Feb. 1, 2022)

II.    NOTEWORTHY DOJ ENFORCEMENT ACTIVITY DURING THE SECOND HALF OF 2021

We summarize below the most notable FCA settlements in the second half of calendar year 2021, with a focus on the industries and theories of liability involved. We covered settlements from the first half of the year in our 2021 Mid-Year Update.

A.    HEALTH CARE AND LIFE SCIENCE INDUSTRIES

  • On July 2, two rehabilitation therapy providers agreed to pay $8.4 million to resolve allegations that they violated the FCA by encouraging skilled nursing facilities in New York and New Jersey to bill Medicare for rehabilitation therapy services that were unnecessary, unreasonable, and performed by unskilled employees. The allegations stemmed from a qui tam suit filed by a former employee of the provider; the whistleblower’s share of the recovery was not reported with the settlement.[6]
  • On July 2, an Ohio-based regional hospital system committed to pay $21.25 million to settle allegations that it paid certain physician groups substantially more than fair market value for patient referrals and then billed Medicare for these illegally referred patients, in violation of the Anti-Kickback Statute and the Stark Law. DOJ noted that the hospital system received credit for disclosing the allegedly improper compensation arrangements, which were implemented by the system’s prior leadership. The settlement also resolved claims brought under a qui tam suit filed by the hospital system’s former Director of Internal Audit; the whistleblower’s share of the recovery was not reported at the time of settlement.[7]
  • On July 8, two related medical device manufacturers agreed to pay $38.75 million to resolve allegations that they violated the FCA by submitting, and causing others to submit, claims to Medicare for defective blood coagulation monitors (used by patients prescribed anticoagulant drugs to verify that they were taking a clinically appropriate and safe dosage of the medication). The government alleged that the manufacturers knew the monitors contained a material defect, which purportedly produced inaccurate and unreliable results, but nonetheless billed Medicare for use of the devices and did not take appropriate corrective action until the U.S. Food & Drug Administration (“FDA”) initiated a product recall.[8]
  • On July 8, a medical device manufacturer committed to pay $27 million to settle allegations that it violated the FCA by knowingly selling defective miniature defibrillators to health care facilities that surgically implanted the devices into patients enrolled in federal health insurance programs. The government alleged that the manufacturer knew that the batteries in some of the defibrillators depleted prematurely and that two serious injuries and one death had been associated with premature battery depletion, but kept this information from the FDA when seeking approval for a change to the device to fix this issue. The settlement also resolved a qui tam suit filed by one of those patients; the whistleblower’s share of the recovery was not reported with the settlement.[9]
  • On July 19, one of the country’s largest hospital systems, the system’s chief executive, and a referring physician entered into a $37.5 million joint settlement with DOJ and the California Department of Justice resolving federal and state fraud allegations. The settlement stemmed from two qui tam suits filed by former employees of the hospital system; the United States declined to intervene in those suits, but it participated in negotiating the settlement agreement. The agreement resolved allegations that the hospital system paid kickbacks to the referring physician in exchange for patient referrals; that the hospital system and the referring physician knowingly billed Medicare and Medi-Cal for another, suspended doctor’s services under the referring physician’s billing number; and that the hospital system and its chief executive knowingly overbilled Medi-Cal and two federal programs for implantable medical devices. As part of the settlement, the hospital system and its chief executive entered into a five-year Corporate Integrity Agreement requiring the system to maintain a compliance program and hire an Independent Review Organization to assess certain business transactions. One of the whistleblowers, a former hospital executive, will receive approximately $10 million of the recovery.[10]
  • On July 23, a rehabilitation therapy provider in California agreed to pay $2 million to settle allegations that it caused false claims to be submitted to Medicare by pressuring therapists to artificially increase the number of patients who received Medicare’s most expensive level of care for skilled nursing, “Ultra High,” even when that level of services was not necessary. The settlement resolved a qui tam suit filed by a former Director of Rehabilitation at the company, who will receive $360,000 of the settlement proceeds.[11]
  • On July 21, an ambulatory electroencephalography (“EEG”) testing company and a private investment firm that owned a minority share in the company, both based in Texas, agreed to pay $15.3 million to settle kickback and false billing allegations. The United States alleged that the testing company improperly: induced physicians to refer patients to the company in exchange for free EEG test-interpretation reports; inflated invoices for certain EEG testing by using inaccurate billing codes; and billed for a specialized digital analysis that it never performed. The United States also alleged that the private investment firm learned about these schemes when performing pre-investment due diligence but allowed the schemes to continue. The settlement agreement consisted of payments to both the federal government and state Medicaid programs and also resolved claims brought under six different qui tam suits. Two of the relators received approximately $3 million of the settlement funds; the respective shares of the other relators were not included in the settlement announcement.[12]
  • On July 20, a Billings, Montana rheumatologist committed to pay $2 million to resolve allegations that he violated the FCA by billing Medicare for improper medical treatments. The United States asserted that the rheumatologist knowingly billed Medicare for MRI scans, patient visits, and biologic infusions on behalf of patients who did not have rheumatoid arthritis.[13]
  • On August 2, a recently closed mail-order diabetic testing supplier and its parent company agreed to pay $160 million to resolve allegations that they violated the FCA through a kickback scheme and other fraudulent billing practices. The government alleged that the testing supplier, with its parent company’s approval, paid kickbacks to Medicare beneficiaries in the form of free glucometers and waived co-payments; billed Medicare for glucometers for which patients were not eligible; and billed Medicare on behalf of deceased patients, which led Medicare to revoke the company’s supplier number in 2016. In 2019, the testing company’s two founders each paid $500,000 to resolve allegations that they were personally involved in the kickback scheme. The civil settlement also resolves a qui tam suit filed by a former employee who worked at the testing company’s call center; he will receive approximately $28.5 million as his share of the recovery.[14]
  • On August 5, a hospital system in Michigan agreed to pay $2.8 million to resolve allegations that it violated the FCA by submitting bills to federal health care programs for medically unnecessary procedures performed by a specific physician. In the settlement announcement, DOJ noted that the hospital system made a submission under the Provider Self-Disclosure Protocol of the U.S. Department of Health & Human Services, Office of Inspector General (“HHS-OIG”) and implemented several remedial measures to address the physician’s conduct, such as hiring another physician to conduct a peer review, placing the physician in a performance improvement plan, and ultimately ending its relationship with the physician. The settlement also resolved a qui tam suit filed by three individuals, who received a combined payment of $532,000 as their share of the recovery.[15]
  • On August 6, a county medical center in California agreed to pay $11.4 million to settle allegations that it submitted, or caused the submission of, false claims to Medicare by admitting Medicare beneficiaries for inpatient services that were not medically necessary, such as when no alternative placements for a beneficiary could be found. As a part of the settlement, the medical center entered into a Corporate Integrity Agreement requiring the center to hire an Independent Review Organization to annually review the medical center’s inpatient admissions and billings of federal health insurance programs. The settlement also resolved a qui tam suit filed by a former employee of the medical center; that individual’s share of the recovery was not reported with the settlement announcement.[16]
  • On August 25, a California-based provider of home respiratory services and durable medical equipment agreed to pay $3.3 million total to the United States, California, and Nevada to settle allegations that it violated the FCA by billing public health care programs for home ventilators that were not medically necessary or that patients were no longer using. The settlement also resolved a qui tam suit filed by a respiratory therapist who worked for the company, who will receive approximately $612,000 as his share of the settlement amount.[17]
  • On August 26, a mental health and addiction treatment services provider agreed to the entry of judgments totaling over $15 million to resolve allegations that it violated the FCA and the Controlled Substances Act. Approximately $13.7 million, plus interest, of the judgment went to resolving allegations that the provider billed Medicare and Medicaid for mental health services performed by unqualified practitioners and billed Medicaid for mental health services using incorrect procedure codes that inflated the price of the care provided. The settlement partially resolved a related whistleblower suit filed by former employees, although the relators in that suit continued to pursue additional FCA claims against the company and its former chief executive. Additionally, the company agreed to the entry of a judgment for approximately $1.6 million, plus interest, to resolve allegations that it negligently failed to document its use of controlled substances and its transfer of controlled substances between locations. DOJ continued to pursue claims against several executives, including the former chief executive, alleging violations of the Controlled Substances Act.[18]
  • On August 27, a hospital in Texas agreed to pay $3.3 million to settle a qui tam suit brought by its former Director of Compliance resolving allegations that the hospital improperly utilized billing modifiers to inflate the cost of care it billed to federal health care programs. The relator received approximately $912,000 of the recovery. The settlement announcement noted that, although the government did not intervene in the case, it investigated the relator’s allegations and collaborated with the relator.[19]
  • On August 30, a California-based company that contracted to provide health care services to certain Medicare Advantage patients committed to pay $90 million to resolve allegations that it knowingly submitted incorrect diagnosis codes for those patients that inflated federal payments made to Medicare Advantage plans and, in turn, the provider. The settlement also resolved a qui tam suit filed by a former employee of the provider; the United States intervened in the claims against some, but not all, of the defendants named in the suit. Also, pursuant to the settlement, the provider entered into a five-year Corporate Integrity Agreement requiring it to implement a risk assessment program into its overarching compliance program and hire an Independent Review Organization to review a sample of its Medicare Advantage patients’ medical records and diagnosis codes each year.[20]
  • On September 3, the U.S. District Court for the District of South Carolina entered default judgments totaling $140 million against various pain management clinics, drug testing laboratories, and a substance abuse counseling center. The government alleged the defendant entities violated the FCA by providing illegal financial incentives to providers to induce drug test referrals and billed the federal government for unnecessary drug tests. The allegations arose from qui tam complaints by five former employees of the defendant pain management clinics.[21]
  • On September 8, a collection of home health care companies agreed to pay $17 million to settle allegations that they violated the FCA by paying a kickback to a retirement home operator when they purchased two of its home health agencies. The government alleged the companies bought the home health agencies to induce the seller to refer Medicare beneficiaries residing in its retirement homes throughout the United States, and then submitted false claims to Medicare for the resulting services. The allegations stem from a qui tam complaint, and the whistleblower’s share of the recovery was not disclosed at the time of the settlement announcement.[22]
  • On September 15, a cardiologist agreed to pay $6.75 million to settle allegations that he violated the FCA by billing federal health care programs for medically unnecessary ablations and vein stent procedures performed on patients. The government alleged that the cardiologist made false statements in patient medical records to justify the procedures, and that many of the ablations were performed by ultrasound technicians outside the scope of their practice. The cardiologist and his consulting company entered into a multi-year integrity agreement including requirements for training, reporting, and independent quarterly claims reviews.[23]
  • On October 1, three pharmaceutical manufacturers agreed to pay $447.2 million to resolve allegations that they violated the FCA by conspiring to fix prices for various generic drugs, resulting in higher drug prices for federal health care programs. DOJ alleged a novel theory of remuneration, contending that the manufacturers conveyed value in the form of agreements on pricing. The settlement is in addition to $424.7 million previously paid by the companies to resolve related criminal charges. The government alleged that between 2013 and 2015, the companies entered agreements on pricing, supply, and allocation of customers with other pharmaceutical manufacturers for drugs manufactured by the companies, purportedly in violation of the Anti-Kickback Statute. Each company also entered into a five-year Corporate Integrity Agreement, which includes monitoring, price transparency, and other compliance provisions.[24]
  • On October 8, two providers of home-based health care services agreed to pay $8.5 million to settle allegations that they violated the FCA by submitting claims to Medicare for laboratory and diagnostic testing performed between 2010 and 2015 that was not medically necessary. The allegations arose from five qui tam lawsuits; the first-to-file whistleblower will receive $1.53 million as a result of the settlement.[25]
  • On October 22, two physicians agreed to pay $3.9 million to settle allegations that they violated the FCA by ordering unnecessary drug tests for patients at their pain management clinic and lab. The allegations stem from a lawsuit filed by two qui tam relators. The relators will receive 17% of the United States’ portion of the settlement, totaling approximately $618,000.[26]
  • On October 25, a group of pharmacies agreed to pay $4.6 million to resolve allegations that the pharmacies violated the FCA in various ways, including by charging the government higher prices than those charged to other patients and paying kickbacks to a third-party marketer who assisted in arranging for medically unnecessary prescriptions of pain and scar creams. The allegations arose from a qui tam lawsuit filed by a former pharmacist. The whistleblower will receive approximately $800,000 from the settlement.[27]
  • On October 28, a physical therapy company agreed to pay $4 million to settle allegations that it violated the FCA by billing the government for outpatient physical therapy that was not provided. The allegations stem from a qui tam lawsuit, and the relator’s share was not disclosed at the time of the settlement announcement.[28]
  • On November 8, a medical device company agreed to pay $16 million to resolve allegations that it violated the FCA by causing the submission of false claims to Medicare. The company made royalty payments to an orthopedic surgeon related to the surgeon’s contributions towards the company’s products. However, according to the government, these payments constituted illegal kickbacks because they were allegedly intended to encourage the surgeon to use and recommend the company’s products to patients. The underlying allegations relate to a qui tam suit, and the whistleblower will receive approximately $2.5 million of the settlement payment.[29]
  • On November 9, several anesthesia providers and outpatient surgery centers agreed to pay more than $28 million to resolve allegations that they violated the FCA by entering into arrangements involving purported kickbacks. The government alleged that the anesthesia providers sought to enter exclusive contracts with the outpatient surgery centers by offering kickbacks in the form of payments for drugs, supplies, and equipment and labor, as well as through the provision of free staffing services. According to the government, the alleged kickback scheme caused the submission of false claims. Relators who brought the underlying qui tam suit will receive over $4.7 million of the settlement payment.[30]
  • On November 9, a pharmaceutical manufacturer agreed to pay $12.7 million to resolve allegations that it violated the FCA by causing the submission of false claims for an injectable drug. The company allegedly directed doctors to preferred pharmacies despite being aware that certain of those preferred pharmacies submitted false prior authorization requests that misrepresented to insurers that the requests were submitted by physicians instead of by the pharmacies themselves, and/or included false or misleading information about the underlying patients’ medical histories. The allegations relate to a qui tam suit, and the whistleblower will receive approximately $2.5 million of the settlement payment.[31]
  • On November 22, a chiropractor agreed to a $9 million civil consent judgment to resolve allegations that he violated the FCA by conspiring to pay illegal kickbacks and bill for unnecessary medical services. The chiropractor purportedly caused the submission of false claims to federal health care programs through kickbacks paid to physicians for urine drug testing referrals, as well as through medically unnecessary prescriptions for pain creams. The chiropractor pleaded guilty to criminal charges arising from the same conduct and faces a potential sentence of up to five years in prison and a fine of $250,000.[32]
  • On November 22, a home health agency agreed to pay $4.2 million to resolve allegations that it violated the FCA by submitting claims for services that were not covered by Medicare or Medicaid, and by failing to timely refund associated overpayments. The non-covered services underlying the allegedly false claims included, among other things, services that lacked the required face-to-face certifications or plans, and services that did not document the beneficiary’s need for home care. The underlying allegations relate to a qui tam suit, and the relator will receive over $700,000 from the settlement.[33]
  • On November 23, a hospice and palliative care provider operating in Ohio and Tennessee agreed to pay $5.5 million to settle allegations that it violated the FCA by submitting claims to Medicare for non-covered hospice services. The provider allegedly submitted false claims to Medicare between January 2012 and December 2014 for hospice services and care provided to patients who were not terminally ill for at least a portion of the relevant time period during which they received care. The allegations arise from a qui tam lawsuit, and the whistleblower will receive approximately $1 million of the settlement payment.[34]
  • On December 2, a hospital agreed to pay $18.2 million to resolve allegations that it violated the FCA by submitting claims to Medicare, Medicaid, and TRICARE for services referred to the hospital as a result of alleged kickbacks. The hospital allegedly induced certain physicians to refer patients to the hospital by giving those physicians shares repurchased from older physician-owners. According to the government, the hospital then violated the FCA by submitting claims for services referred or ordered by the physicians who received the newly repurchased shares. The underlying allegations stem from a qui tam lawsuit, and the associated whistleblower will receive approximately $3 million of the settlement payment.[35]
  • On December 7, a pathology practice agreed to pay $2.4 million to resolve allegations that it violated the FCA by making false representations in connection with submissions to the government. The practice allegedly submitted certain claims to the government without written substantiation, and as a result billed Medicare for a type of testing analysis that was not actually required. Contemporaneous with the settlement, the pathology practice entered into a three-year Corporate Integrity Agreement requiring training, auditing, and monitoring designed to address the alleged misconduct along with other evolving compliance risks. The underlying allegations arose from a qui tam lawsuit, and the whistleblower for that suit will receive approximately $450,000 from the settlement.[36]
  • On December 8, a physician and a medical device manufacturer agreed to pay a collective $4.2 million to resolve allegations that they violated the FCA by entering into kickback arrangements. The government alleged that, between 2014 and 2018, the company provided kickbacks—in the form of cash payments, commissions, and all-expense paid trips—to the physician to induce him to direct physicians at his institute to utilize the company’s medical devices and to increase the number of certain surgeries performed in order to then increase orders of the company’s supplies. The physician also allegedly directed physicians to order toxicology and genetic tests from a medical testing laboratory from which he accepted additional kickbacks. The civil settlement resolved claims brought under a qui tam suit, and the whistleblower will receive approximately $600,000 from the settlement.[37]

B.    GOVERNMENT CONTRACTING AND PROCUREMENT

  • On July 6, an aviation company based in Illinois and Florida agreed to pay $11 million to resolve allegations that it violated the FCA in connection with two U.S. Transportation Command contracts for aircraft maintenance services supporting U.S. Department of Defense (“DOD”) operations in Afghanistan and Africa. According to the government, the company knowingly failed to maintain several helicopters utilized by the Department of Defense to transport cargo and personnel in accordance with contract requirements, such that the helicopters were not airworthy and should not have been certified as “fully mission capable.” The settlement included a resolution of claims brought in a qui tam suit filed by a former employee, who received approximately $2.2 million of the settlement proceeds. The company also agreed to pay a separate $429,000 fine to the Federal Aviation Administration for purported deficiencies in its helicopter maintenance program.[38]
  • On September 27, an oil and natural gas exploration and production company agreed to pay $6.15 million to settle allegations that it violated the FCA by underpaying royalties for natural gas from federal lands. The government alleged that the company improperly deducted processing costs from the royalties due to the United States under a lease that permitted the company to extract natural gas from federal lands as long as the gas was placed in marketable condition at no cost to the United States.[39]
  • On October 6, a military supplier agreed to pay over $4.5 million to settle allegations that it violated the FCA by failing to comply with requirements for certain products supplied to the military. The government alleged that the supplier had provided high-performance butterfly valves to military ship builders from May 2011 through September 2017 and failed to disclose that there had been unapproved modifications made to the valves. The allegations stem from a qui tam lawsuit brought by a former employee, and the whistleblower will receive approximately $850,000 of the recovery.[40]
  • On October 15, a contracting company entered into a consent judgment, agreeing to pay $4.8 million to settle allegations that it violated the FCA by submitting false certifications of eligibility to obtain federal contracts intended to benefit service-disabled veterans. The complaint alleged that the company was not owned by a veteran but instead recruited a service-disabled veteran to nominally run a pass-through entity that enabled the company to obtain federal contracts for which it otherwise would not have been eligible.[41]
  • On December 21, an information technology contractor agreed to pay over $1.3 million to resolve allegations that it violated the FCA when seeking payment for information technology and cybersecurity services. The government alleged that the company caused the submission of false claims by billing the government for labor hours in excess of time worked, labor rates that exceeded the rates actually paid to employees, labor costs exceeding the company’s actual recorded costs, and overly high indirect rates.[42]
  • On December 22, an aircraft manufacturer agreed to pay $1.9 million to resolve allegations related to a jet fuel spill, including allegations that it violated the FCA during the government’s investigation of the incident. According to the government, employees of the manufacturer made material false statements to avoid contractual liability for cleanup related to the spill and, by doing so, violated the reverse false claims provision of the FCA.[43]

C.    OTHER

  • On July 12, the Florida Department of Children and Families (“FDCF”) agreed to pay $17.5 million to settle allegations that its management of federal Supplemental Nutrition Assistance Program (“SNAP”) funds violated the FCA, one of several settlement agreements the United States has secured recently with state agencies and a private consulting firm regarding alleged manipulation of SNAP data. The U.S. Department of Agriculture (“USDA”) requires states to determine individuals’ eligibility for SNAP benefits and maintain quality control processes to confirm eligibility decisions. Additionally, states must accurately report their error rates in awarding benefits to USDA, and USDA pays performance bonuses to states that report low error rates and demonstrate decreasing error rates. The government alleged that FDCF improperly injected bias into its SNAP quality control program that caused the submission of false information to USDA regarding FDCF’s error rate. This, in turn, allegedly led USDA to pay FDCF performance bonuses that it did not earn. As part of the settlement, FDCF also agreed to forego $14.7 million in pending bonus payments that it had not yet received from USDA.[44]
  • On July 28, two clothing companies and their former chief executive and owner agreed to pay $6 million to resolve allegations of underreporting the value of imports on invoices submitted to U.S. Customs & Border Protection in order to pay less in customs duties. In a related criminal prosecution from 2020, the former chief executive and owner also pled guilty to a subset of this conduct, was sentenced to six months in prison, and paid a separate forfeiture amount of $1.7 million. The allegations leading to his conviction and the subsequent civil settlement agreement stemmed from a qui tam complaint, but the whistleblower share of the recovery was not announced with the settlement.[45]
  • On August 5, the Tennessee Department of Human Services (“TDHS”) committed to pay $6.8 million to resolve allegations that it submitted false quality control data to USDA regarding TDHS’s award of SNAP benefits to low-income individuals. The United States alleged that TDHS, in implementing the recommendations of an outside consulting firm, inserted bias into its quality control program that led to the submission of false quality control data to USDA. According to the government, TDHS then received performance bonuses from USDA on the basis of this false data.[46]

III.    LEGISLATIVE AND POLICY DEVELOPMENTS

A.    FEDERAL POLICY DEVELOPMENTS

In its first year, the Biden Administration has not ushered in a major shift in overarching FCA policy. But the Administration has emphasized that it remains focused on FCA enforcement, and significant changes have nonetheless begun to take shape.

1.    Biden Administration Continues Move Away from “Brand” Memo

In July 2021, DOJ promulgated an interim final rule that opens the door for DOJ attorneys to leverage agency guidance in enforcement actions. This step culminates a shift that we flagged in our 2021 Mid-Year Update, in which we discussed Executive Order 13992, issued on the day of President Biden’s inauguration. That Order foreshadowed a possible shift away from DOJ’s so-called Brand Memo.

By way of background, the internal DOJ guidance communicated by the January 2018 Brand Memo stated that agency “[g]uidance documents” without notice-and-comment rulemaking “cannot create binding requirements that do not already exist by statute or regulation.”[47] In December 2018, DOJ codified the Brand Memo at Section 1-20.100 of the Justice Manual, which explained that with limited exceptions, DOJ “should not treat a party’s noncompliance with a guidance document as itself a violation of applicable statutes or regulations.”[48] Executive Order 13992 did not refer expressly to DOJ’s civil enforcement of the FCA, but it did explicitly revoke President Trump’s Executive Order 13891, which expressed a principle similar to that codified in Section 1-20.100 of the Justice Manual.

Effective July 1, 2021, DOJ issued the interim final rule implementing Executive Order 13992 and rescinding DOJ regulations that proscribed use of guidance documents in DOJ enforcement actions.[49] On the same date, Attorney General Merrick Garland issued a memo to all DOJ component heads explaining that, while guidance alone cannot form the basis for an enforcement action, it “may be entitled to deference or otherwise carry persuasive weight with respect to the meaning of the applicable legal requirements” in a particular case.[50] The memo stated that “[t]o the extent guidance documents are relevant to claims or defenses in litigation, Department attorneys are free to cite or rely on such documents as appropriate.”[51] These developments surely will open back up the reliance that many DOJ attorneys placed on sub-regulatory guidance as evidence both that a claim is materially false and that defendants recklessly disregarded statutory and regulatory requirements.  On the other hand, while the Brand Memo’s safeguards against the use of guidance as the basis for asserting falsity under the FCA have eroded, certain federal courts—and Supreme Court justices—have signaled significant skepticism about use of sub-regulatory guidance to impose substantive legal standards. E.g., Whitman v. United States, 574 U.S. 1003 (2014) (statement of Justice Scalia and Justice Thomas on denial of certiorari, warning that courts should not defer to “executive interpretations of a variety of laws that have both criminal and administrative applications”).

This is a development we will continue to closely watch.

2.    DOJ Announces Initiative to Use FCA in Cybersecurity Cases

On October 6, 2021, Deputy Attorney General Lisa Monaco announced a new Civil Cyber Fraud Initiative that will leverage the FCA to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”[52] The new effort will “combine [DOJ’s] expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.”[53]

On October 13, 2021, Acting Assistant Attorney General Brian Boynton delivered remarks on this new initiative at the Cybersecurity and Infrastructure Security Agency Fourth Annual National Cybersecurity Summit.[54] AAG Boynton noted that the Civil Cyber Fraud Initiative “will use the [FCA] to identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk.” He indicated that “three common cybersecurity failures” are “prime candidates” for potential FCA enforcement by DOJ: (1) “knowing failures to comply with cybersecurity standards,” such as those negotiated with government contractors; (2) “knowing misrepresentation of security controls and practices”; and (3) “knowing failure to timely report suspected breaches.”

3.    DOJ Continues FCA Enforcement to Protect COVID-19 Spending

Spending packages tied to COVID-19 also continue to be a focus for federal FCA enforcement. Under the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”)[55] and subsequent stimulus programs, including the American Rescue Plan in March 2021,[56] the government provided trillions of dollars in government funds to mitigate the effects of COVID-19. Anytime the government spends money, particularly massive amounts, there is a possibility the funds are misspent. This, in turn, brings the FCA into play as a potential remedy; unsurprisingly, the government has repeatedly indicated its intent to rely heavily on the FCA to police any fraud associated with pandemic relief funds.

The Paycheck Protection Program (“PPP”), one of several programs created by the CARES Act, aims to allow businesses to receive low-interest private loans to pay for their payroll and certain other costs. In January 2021, DOJ settled its first civil case involving the Paycheck Protection Program with SlideBelts, Inc. and its President and CEO.[57] Since then, DOJ has entered into at least two other settlements related to the Program.

  • Pursuant to the settlement agreement reached in United States ex rel. Hablitzel v. All in Jets, LLC & Seth A. Bernstein, the owner of a jet charter company agreed to pay almost $290,000 to settle allegations that he diverted nearly $100,000 from a $1.2 million PPP loan for personal, non-company related expenses within a day of receiving the loan. The relator (a former employee) who initially filed the action received close to $60,000.[58]
  • In United States ex rel. Quesenberry v. Sextant Marine Consulting LLC et al., a duct cleaning company agreed to pay $30,000 in damages and civil penalties for conduct associated with two PPP loans, in addition to repaying the duplicative PPP funds in full.[59] The relator received $4,500 of this amount. According to DOJ, additional claims against other entities remain under seal in Quesenberry.

These sorts of relatively small dollar-value settlements likely do not represent the extent of DOJ’s focus on FCA enforcement related to PPP funds. FCA investigations—and subsequent litigation—often take years to play out. And all signs indicate that the biggest and most important FCA cases to come out of the COVID-19 pandemic are still to come.

The CARES Act also contained a provision establishing a Special Inspector General for Pandemic Recovery (“SIGPR”),[60] who “has the duty to conduct, supervise, and coordinate audits and investigations of the making, purchase, management, and sale of loans, loan guarantees, and other investments by the Secretary of the Treasury under any program established by the Secretary under Division A of the CARES Act.”[61] Since September 2020, the SIGPR has added thirty-three staff members, and it has sought “a place in the annual federal budget” beyond the original $25 million first allocated for five years of the office’s service.[62] The SIGPR has thus far focused on cases where CARES Act participants allegedly sought funding from multiple programs to be used for the same purpose.[63] Although the SIGPR has not focused on FCA claims, the fact that it has referred a significant number of fraud-related claims to other agencies for investigation leaves the door open to new FCA claims arising from this office.

4.    DOJ Updates FCA Penalty Amount to Adjust for Inflation

DOJ is required by law to adjust penalties to keep pace with inflation. In December, DOJ issued a final rule to update penalties for 2021. See 86 Fed. Reg. 70740 (Dec. 13, 2021). Under the final rule, FCA penalties now range from a minimum of $11,803 to a maximum of $23,607 for penalties assessed after December 13, 2021, compared to the prior range of $11,665–$23,331. These increased amounts apply to any violation of the FCA that occurred after November 2, 2015, when the law requiring inflation adjustments took effect.

B.    FEDERAL LEGISLATIVE DEVELOPMENTS

Congressional attention on FCA enforcement reignited in the latter half of 2021 with the introduction of proposed legislative amendments by Senator Chuck Grassley (R-IA). Senator Grassley, the architect of the 1986 amendments, has long touted himself as a leading advocate of the FCA. This past year, he set his sights on cementing his legacy as the FCA’s principal champion.

As discussed in our Mid-Year Update, in February 2021, Senator Grassley sent a letter to then-Attorney General Nominee Merrick Garland, criticizing DOJ’s actions in dismissing relator claims, decrying the effects of the Supreme Court’s decision in Escobar, and requesting assistance in crafting new legislation to address his concerns.[64]

In July 2021, Senator Grassley—joined by a bipartisan group of four co-sponsors—made good on his promise and introduced the False Claims Amendments Act of 2021 (the “Amendments”), which included four main provisions.[65] First, the Amendments would implement a burden-shifting scheme under which the plaintiff (government or relator) may establish materiality by a simple “preponderance of the evidence,” at which point the defendant “may” rebut evidence of materiality by “clear and convincing” proof. Second, the Amendments would require that, when DOJ seeks to dismiss declined qui tam cases, the relator must first have an opportunity to show that the reasons for dismissal are fraudulent, arbitrary and capricious, or contrary to law. Third, the Amendments would allow DOJ to shift to the defendant the cost of discovery that the defendant served on the government if the defendant’s discovery requests are irrelevant, disproportional, or unduly burdensome. Finally, the Amendments would expressly apply the FCA’s existing anti-retaliation provisions to post-employment retaliation. The Amendments would be applicable to all pending and future litigation “to ensure that [the FCA] covers the trillions of dollars spent on COVID relief.”[66]

In October 2021, Senator Grassley amended his proposal in several respects. First, he eliminated the burden-shifting approach to the materiality standard. This portion of the bill now reads: “In determining materiality, the decision of the Government to forego a refund or pay a claim despite actual knowledge of fraud or falsity shall not be considered dispositive if other reasons exist for the decision of the Government with respect to such refund or payment.”[67] With this revision, Senator Grassley again is targeting the Supreme Court’s decision in Escobar.

If adopted, this provision could have broader implications than the original burden‑shifting framework. The original framework, by its plain language, focused only on evidentiary burdens, whereas the revised framework speaks in more general terms of “determin[ations]” of materiality.[68] Such determinations could occur at the motion-to-dismiss stage, as the Escobar Court clearly contemplated, even before litigation stages involving evidentiary determinations. A basic principle of civil pleading is that an “obvious alternative explanation” for the conduct a plaintiff alleges is enough to make the plaintiff’s allegations legally implausible and subject to dismissal. See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 567–68 (2007). The revised provision of the Amendments threatens to upend this principle by making payment of claims notwithstanding their falsity “not . . . dispositive” of materiality as a matter of law, where otherwise such facts could form the basis for an argument that an “obvious alternative explanation” for the government’s payments was that it spotted the alleged fraud and decided it was immaterial. Senator Grassley’s amendments also removed the original bill’s cost-shifting provisions for discovery expenses.[69]

This revised bill was reported out of Committee in November 2021,[70] but it remains unclear if the bill will receive a vote on the Senate floor. If enacted, however, the Amendments would surely give DOJ and relators new arguments in a variety of different FCA scenarios, and could have a meaningful impact on the cost of defending against FCA cases, particularly including meritless cases brought by a would-be whistleblower.

Gibson Dunn will continue to monitor this and other legislative developments.

C.     STATE LEGISLATIVE DEVELOPMENTS

The federal government provides incentives for states to enact false claims statutes in keeping with the federal FCA. In particular, HHS-OIG grants “a 10-percentage-point increase” in a state’s share of any recoveries under the relevant laws to any state that obtains HHS-OIG approval for its false claims statute.[71] Such approval requires that the statute in question, among other requirements, “contain provisions that are at least as effective in rewarding and facilitating qui tam actions for false or fraudulent claims as those described in the [federal] FCA.”[72] Approval is also contingent on the statute containing a sixty-day sealing provision and “a civil penalty that is not less than the amount of the civil penalty authorized under the [federal] FCA.”[73] The total number of states with approved statutes remains at twenty-two, with Montana (which was previously on the “approved” list) having obtained approval on October 4, 2021 for the amendments to its false claims act that we covered in our 2021 Mid-Year Update.[74] The list of seven states with false claims statutes listed by HHS-OIG as “not approved” likewise remains the same: Florida, Louisiana, Michigan, New Hampshire, New Jersey, New Mexico, and Wisconsin.[75]

The “not approved” list may soon shrink, however. On October 20, 2021, the Wisconsin legislature introduced a bill that would “restore[] a private individual’s authority to bring a qui tam claim against a person who makes a false claim for medical assistance, which was eliminated in 2015 Wisconsin Act 55.”[76] The bill also provides for qui tam awards of up to thirty percent of recoveries, which is consistent with the federal FCA, and for “additional changes not included in the prior law to conform state law to the federal [FCA], including expanding provisions to facilitate qui tam actions and modifying the bases for liability to parallel the liability provisions under the federal False Claims Act.”[77] While Wisconsin’s 2015 repeal of false claims liability for Medicaid claims was not expressly one of the grounds HHS-OIG relied on in refusing to grant federal incentives, the government did in 2016 cite the state statute’s lack of a provision pegging civil penalties to inflation as grounds for the government’s continued “not approved” designation.[78] The 2021 bill ostensibly seeks to address this issue (among others cited by HHS-OIG) by incorporating the federal FCA penalty amounts, which are pegged to inflation.[79]

IV.    CASE LAW DEVELOPMENTS

The second half of 2021 saw a number of notable federal appellate court decisions, which we have summarized below.

A.    Seventh and Second Circuits Evaluate How Government’s Continued Payment Bears on Materiality Under Escobar

During the latter half of 2021, courts continued to refine the FCA’s materiality requirement, applying the standard articulated by the Supreme Court in Universal Health Services Inc. v. United States ex rel. Escobar, 579 U.S. 176 (2016). In Escobar, the Supreme Court noted that to survive a motion to dismiss plaintiffs must “plead[] facts to support allegations of materiality” when bringing claims under the FCA. Id. at 195 n.6. In the five years since Escobar, materiality has become a key consideration at the motion-to-dismiss stage, even when it requires courts to make factually specific, case-by-case determinations.

In United States v. Molina Healthcare of Illinois, Inc., 17 F.4th 732 (7th Cir. 2021), the Seventh Circuit reversed a district court’s order dismissing a complaint involving alleged false certifications by Molina Healthcare of Illinois, Inc. relating to Medicaid reimbursement. Molina Healthcare and the State of Illinois had agreed to a capitated system of Medicaid payments—payments based on the number of patients a health care provider projects it will serve based on patients’ risk levels. Id. at 736. As part of the agreement, Molina agreed to provide skilled nursing facility services to the most expensive (riskiest) tier of patients. Id. A relator filed an FCA complaint alleging that Molina falsely certified that it was providing such services to patients. According to the relator, Molina stopped providing these services a year into the agreement, yet continued to collect the Medicaid payments owed under the capitated payment system for the most expensive tier of patients. Id. at 737.

The Seventh Circuit allowed the relator’s suit to proceed, concluding that Molina Healthcare’s certification regarding its skilled nursing facility services was material to the State’s decision to continue making Medicaid payments to Molina Healthcare. Id. at 744. The court acknowledged that the State continued paying even after it knew that Molina Healthcare did not provide the relevant services. Id. at 743–44. But it concluded this did not dispose of the materiality inquiry. Rather, the court focused on the fact that those patients who qualified for skilled nursing facility services were in a much more expensive tier in the capitation system than other patients. Id. at 743. The difference in cost between patients in the most expensive tier and those in lower tiers suggested that Molina Healthcare’s certification was material, notwithstanding the inference that the government knew of the alleged misconduct and disregarded it in its payment decision.

The court also held that the relator adequately alleged Molina Healthcare knew its certifications were material. Id. at 745. The district court had also premised its dismissal on the relator’s failure to plead specific allegations about Molina Healthcare’s knowledge. The Seventh Circuit disagreed. It concluded that because Molina Healthcare was “a highly sophisticated member of the medical-services industry,” relator plausibly alleged that the company may have known the importance of its false certifications in Medicaid payment decisions. Id. at 744–45.

In United States ex rel. Foreman v. AECOM, 19 F.4th 85 (2d Cir. 2021), the Second Circuit applied Escobar’s materiality factors and affirmed, in part, a district court’s decision to dismiss a relator’s FCA complaint. The case involved allegations that AECOM, a company that provided maintenance and management services to the U.S. Army in Afghanistan, violated the FCA by failing to live up to contractual obligations. Id. at 95. Specifically, the relator alleged that AECOM overstated its man-hour utilization rate, overbilled the government for labor not actually performed, and failed to properly track government property. Id. AECOM moved to dismiss, arguing that the alleged misrepresentations to the government were not material to any payments, pointing to government reports suggesting that the government knew about the issues and continued to pay in any event. The district court agreed and dismissed the complaint.

The Second Circuit affirmed in part and reversed in part. In doing so, the Second Circuit focused on three factors identified in Escobar to determine whether a false certification of compliance with a contract was material to payment by the government: (1) whether the government “expressly identified a provision as a condition of payment,” id. at 110, (2) “the government’s response to noncompliance” with the contract, id. at 111, and (3) whether the “alleged noncompliance was substantial,” id. at 116. In granting AECOM’s motion to dismiss, the district court had focused on the second factor, relying on government reports indicating that the government had been aware of the alleged false claims and still chose to pay AECOM for its work under the contract.

Although the Second Circuit observed that the government’s continued payment—i.e., the “response to noncompliance”—bore heavily on the question of materiality, the court took a restrictive view of what documents it could consider at the motion-to-dismiss stage to demonstrate the government’s “response to noncompliance.” In drafting the complaint, the relator had expressly referenced and relied on government reports about man-hour-utilization rate and property tracking. Id. at 113–14. Because the relator’s complaint included those documents, the Second Circuit determined that the trial court could consider these documents. And those reports indicated that the government knew about the alleged fraud and “not only continued to extend and pay claims under the [contract], but also never demanded repayment, disallowed any charged costs, or penalized AECOM.” Id. at 115. By contrast, the court concluded that separate government reports referencing overbilling—which the district court also relied on—were not integral to or referenced in the complaint and, thus, should not have been considered at the pleading stage. Id. at 116. Without those reports available for consideration at the motion-to-dismiss stage to show the government’s response to AECOM’s alleged overbilling practices, the court allowed the relator to proceed on those claims. Id. at 117–18.

B.    Seventh and Eighth Circuits Issue Important Decisions on the FCA’s Scienter and Falsity Requirements

In United States ex rel. Schutte v. SuperValu, Inc., 9 F.4th 455 (7th Cir. 2021), the Seventh Circuit became the latest circuit court to apply the scienter standard announced by the U.S. Supreme Court in Safeco Insurance Company of America v. Burr, 551 U.S. 47 (2007), to the FCA. The FCA defines “knowingly” to mean that a person “(i) has actual knowledge of the information, (ii) acts in deliberate ignorance of the truth or falsity of the information, or (iii) acts in reckless disregard of the truth or falsity of the information.” 31 U.S.C. § 3729(b)(1)(A). In Safeco, which addressed the Fair Credit Reporting Act’s nearly identical scienter requirement, the Supreme Court determined that a person who acts under an incorrect interpretation of a relevant statute or regulation does not act with “reckless disregard” if the interpretation is objectively reasonable and no authoritative guidance cautioned the person against it. Safeco, 551 U.S. at 70.

The relators in SuperValu alleged that when SuperValu sought Medicare and Medicaid reimbursements, it misrepresented its “usual and customary” drug prices. See 9 F.4th at 459. After interpreting the relevant regulations, SuperValu reported its retail cash prices as its usual and customary drug prices rather than the lower, price-matched amounts that it charged customers under its price-match discount drug program, through which SuperValu would match discounted prices of local competitors upon request from anyone purchasing. Id. The court agreed with the relator that SuperValu’s discounted prices were the correct usual and customary prices under the relevant regulations, and that SuperValu therefore should have reported those prices. The court applied the Safeco scienter standard, however, and concluded that SuperValu’s interpretation of the regulations was objectively reasonable and that there was no authoritative guidance that warned SuperValu away from its interpretation. Id. at 472. The court therefore found that SuperValu faced no liability under the FCA. Id.

The SuperValu opinion is significant for FCA defendants who are often required to interpret vague and ambiguous regulations. It provides FCA defendants with a basis to contest scienter as a matter of law, instead of leaving scienter issues for juries to decide.

In Thayer v. Planned Parenthood of the Heartland, 11 F.4th 934 (8th Cir. 2021), the Eighth Circuit explored the intersection of the FCA’s scienter and falsity requirements. In that case, the relator alleged two distinct bases for FCA liability. The relator alleged that Planned Parenthood dispensed extra cycles of contraceptives without a physician’s order in violation of Iowa law and knowingly billed Iowa Medicaid Enterprise for post-abortion-related services in violation of state and federal law. The district court granted summary judgment to Planned Parenthood on both counts.

The Eighth Circuit first disposed of the claim that Planned Parenthood illegally dispensed extra cycles of contraceptives without a physician’s order, affirming that relator’s complaint was not particular enough to survive summary judgment. Id. at 940. Next, the court turned to the allegations of illegal billing for post-abortion related services. As to two of the patients, the Eighth Circuit held that the billing codes used were appropriate for the services provided, and therefore “there [was] no real dispute that Planned Parenthood did not submit a false claim for these patients.” Id. at 942. In other words, Iowa may not have intended to pay those types of claims, but there was nothing false about the information submitted. As to the remaining patients, the court noted that “to prove knowing falsity, [relator] must do more than show that the . . . billing code was wrong; she must have evidence that the defendants knowingly or recklessly cheated the government.” Id. at 943 (emphasis in original) (internal quotation marks and citation omitted). The relator contended that Planned Parenthood improperly and knowingly entered level-three billing codes for services that justified only level-two billing codes on four occasions, resulting in a minor difference in the amount reimbursed. But, in the court’s view, “a one-level difference in billing, resulting in less than a $12.00 reimbursement difference, is at most evidence of an innocent mistake or negligence, not a willful lie to cheat the government.” Id. at 944. Therefore, the court held there was no knowing falsity.

C.    Fifth and Second Circuits Grapple with Scope of Public Disclosure Bar

The FCA’s public disclosure bar requires dismissal of an FCA case brought by a private plaintiff “if substantially the same allegations or transactions” forming the basis of the action have been publicly disclosed, including “in a Federal criminal, civil, or administrative hearing in which the Government or its agent is a party,” unless the relator is an “original source of the information.” 31 U.S.C. § 3730(e)(4).

In United States ex rel. Schweizer v. Canon, Inc., 9 F.4th 269 (5th Cir. 2021), the Fifth Circuit took up the issue of whether a copycat lawsuit premised on the same fundamental facts, but against a different defendant, is prohibited by the public disclosure bar. From November 2004 to December 2005, the relator worked as a General Services Administration (“GSA”) contracts manager for Océ North America Inc., a company that sold printers, copiers, and related services to the government. In 2006, the relator filed an FCA suit against Océ. She alleged that the United States was “overpaying Océ for copiers and services, and that its products were manufactured in noncompliant countries including China.” Id. at 272. Before the district court, she alleged that Océ violated the applicable “Price Reductions Clause” (by charging the government more than it did its commercial customers) and the Trade Agreements Act (by sourcing products from China and other non-TAA-compliant countries). In 2013, the district court presiding over that action approved a settlement in which Océ agreed to pay the government $1,200,000 in exchange for a release of the asserted FCA claims. In 2012—before the action became final—Océ was acquired by Canon. Id.

In 2016, the relator filed another FCA suit, this time against Canon. She alleged the same violations of the FCA as she had alleged against Océ in 2006. Canon moved to dismiss the suit, arguing that the FCA’s public disclosure bar prevented Schweizer’s claims. The district court agreed, and the Fifth Circuit affirmed the district court’s judgment on appeal. As the Fifth Circuit explained: “Schweizer’s allegations against Canon are ‘based upon’ the allegations and transactions asserted in the Océ litigation,” and “one could have produced the substance of the [Canon] complaint merely by synthesizing the public disclosures’ description of the [Océ] scheme.” Id. at 275–76 (internal quotation marks and citation omitted). The court rejected the relator’s arguments that the public disclosure bar did not apply because the companies were different, that Canon’s alleged scheme occurred at a later time, and that Canon allegedly violated additional government contracts. Id. at 276–77.

In United States ex rel. Foreman v. AECOM, 19 F.4th 85 (2d Cir. 2021) (discussed above), the Second Circuit also analyzed whether the FCA’s public disclosure bar precluded relator’s claims. The FCA disallows an action if substantially the same allegations have been “publicly disclosed” in a federal report. See 31 U.S.C. § 3730(e)(4)(A)(ii). AECOM argued that all the claims had been made available to the public through government reports presented to AECOM’s employees. The court disagreed. In interpreting the FCA’s requirement that disclosure be public, the court concluded that information does not become “public” if it is (1) not disclosed to innocent employees of the government contractor and (2) when information is disclosed, it comes with the obligation that employees keep the information confidential. Id. at 125. The court thus determined that the information had not been made public here when provided to AECOM employees through a government report. As such, the Second Circuit held that the public disclosure bar did not put an end to relator’s claim.

D.    Several Courts Issue Notable Decisions on Pleading Fraud with Particularity Under Rule 9(b) in FCA Cases, and Supreme Court Invites Solicitor General’s View on Topic

In United States ex rel. Mamalakis v. Anesthetix Management LLC, 20 F.4th 295 (7th Cir. 2021), the Seventh Circuit addressed the level of specificity required for a relator’s allegations to satisfy the heightened pleading standards of Federal Rule of Civil Procedure 9(b). The relator alleged that Anesthetix fraudulently billed Medicare and Medicaid for services performed by anesthesiologists by using the code for “medically directed” services rather than the more appropriate and lower-rate “medically supervised” services code. Id. at 297. After an initial dismissal without prejudice for failure to meet Rule 9(b)’s requirements, the relator filed an amended complaint including ten examples, identifying a particular procedure and anesthesiologist, and alleging the services did not qualify for payment at the medically directed billing rate. Id.

The Seventh Circuit held that the district court’s decision to dismiss the amended complaint was “error” because the “ten examples, read in context with the other allegations in the amended complaint, provide sufficient particularity about the alleged fraudulent billing to survive dismissal.” Id. Although a relator “need not produce the invoices and accompanying representations at the outset of the suit, it is nevertheless essential to show a false statement, though this can be accomplished by including particularized factual allegations that give rise to a plausible inference of fraud.” Id. at 301 (internal quotation marks and citation omitted). The court concluded that the ten examples identifying specific procedures, anesthesiologists, and billing rates “provide[d] a particularized basis from which to plausibly infer that at least on these occasions, [defendant] presented false claims to the government.” Id. at 303. By providing such examples, the relator “injected enough precision and substantiation into his allegations of fraud to entitle him to move forward with his case.” Id.

The Sixth Circuit took a similar approach to Rule 9(b) pleading requirements in United States ex rel. Owsley v. Fazzi Associates, Inc., 16 F.4th 192 (6th Cir. 2021). There, the relator alleged “in detail, a fraudulent scheme” in which defendants allegedly fraudulently up-coded patient data and subsequently submitted inflated requests for payment to the Centers for Medicare and Medicaid Services (“CMS”). Id. at 196. But fatal to the relator’s claim was her failure “to identify any specific claims that [defendants] submitted pursuant to the scheme.” Id. (emphasis added) (internal quotation marks and citation omitted).

The court explained that the relator could have satisfied Rule 9(b)’s standard in one of two ways: identifying a “representative claim that was actually submitted to the government for payment,” or otherwise alleging facts “based on personal knowledge of billing practice” sufficient to support “a strong inference that particular identified claims were submitted to the government for payment.” Id. (emphasis in original) (internal quotation marks and citations omitted). The relator alleged “personal knowledge of billing practices” but “did not allege facts that identify any specific fraudulent claims” because she failed to identify the dates on which she reviewed patient records, the dates of any related claims for payment, or the amounts of those claims. Id. at 196–97. Acknowledging that the Rule 9(b) inquiry will turn on the facts of each particular case, the court clarified the “touchstone” consideration is “whether the complaint provides the defendant with notice of a specific representative claim that the plaintiff thinks was fraudulent.” Id. at 197. The information in the relator’s complaint failed to meet this standard and thus did not satisfy Rule 9(b). Id.

Finally, the Supreme Court invited the views of the Solicitor General on the issue of application of Rule 9(b) in FCA cases. See Johnson, et al. v. Bethany Hospice and Palliative Care LLC, No. 21-462, 2022 WL 145173, at *1 (U.S. Jan. 18, 2022). But it remains to be seen whether the Court will take up the issue. Indeed, this is not the first time parties have petitioned the Court on this issue, and the Supreme Court has rejected multiple petitions to clarify the interplay of Rule 9(b) and the FCA in recent years. See, e.g., 81 U.S.L.W. 3650 (U.S. Mar. 31, 2014) (No. 12-1349). This is also not the first time the Supreme Court has asked for the views of the Solicitor General on this issue: in 2014, the Court asked for the input of the Solicitor General on whether to grant certiorari on this issue in the Fourth Circuit case of United States ex rel. Nathan v. Takeda Pharm., 707 F.3d 451 (4th Cir. 2013). After the Solicitor General urged the Court not to take up the issue, the Supreme Court denied certiorari, see Brief for the United States as Amicus Curiae Supporting Respondents, United States ex rel. Nathan v. Takeda Pharm., 572 U.S. 1003 (2014); 81 U.S.L.W. 3650 (U.S. Mar. 31, 2014) (No. 12-1349).

E.    Third Circuit Analyzes DOJ’s Authority to Dismiss Qui Tam FCA Cases

In October, the Third Circuit waded into the circuit split concerning the government’s statutory authority to dismiss an FCA qui tam suit. In Polansky v. Exec. Health Res. Inc., 17 F.4th 376 (3d Cir. 2021), a case in which the government initially declined to intervene in relator’s suit but then later moved to dismiss without formally intervening, the court considered two questions: (1) whether the government may move to dismiss a relator’s suit without intervening, and (2) what standard must the government meet for dismissal to be granted.

First, the court considered the government’s statutory authority to seek dismissal when it does not intervene. The court recognized the split between the D.C., Ninth, and Tenth Circuits, which read 31 U.S.C. § 3730(c) as granting authority to move for dismissal at any point in the litigation regardless of whether the government intervenes, and the Sixth and Seventh Circuits, which interpret the section to only grant authority to seek dismissal after intervention pursuant to Federal Rule of Civil Procedure 41.

In analyzing the question, the court accepted that the government may only dismiss cases where it has intervened. The court concluded that 31 U.S.C. § 3730(c)(2)(A) is not “a standalone provision that grants the Government unconditional authority to seek dismissal as a non-party.” Id. at 385. The court held that, when read in context along with canons of statutory construction, 31 U.S.C. § 3730(c)(2)(A) served as a limit on relator’s rights “if—and only if—the Government proceeds with the action.” Id. The court noted that the other limitations in section 3730(c)(2), such as enabling the government to limit a relator’s ability to call witnesses where it “would interfere with … the Government’s prosecution of the case,” only make sense if the government is party to the case. Id. Furthermore, to allow the government to dismiss without intervention would limit the relator regardless of whether the government “proceeds with the action,” rendering those words superfluous. However, the Third Circuit rejected the relator’s argument that the government may only move to dismiss if it intervenes at the outset of a case. Id. at 387.

Second, the court held that, “[h]aving intervened, the Government becomes a party, and like any party, it is subject to the Federal Rules of Civil Procedure, including the rule governing Voluntary Dismissal.” Id. at 389. Recognizing that the FCA added “certain wrinkles,” the court concluded that the government must only meet the threshold requirements of Federal Rule of Civil Procedure 41(a), while also providing relator “notice and an opportunity for a hearing” under 31 U.S.C. § 3730(c)(2)(A). Id. In doing so, the Third Circuit agreed with the Seventh Circuit and expressly rejected both the Swift approach of the D.C. Circuit for being incongruous with other provisions of the FCA and relegating the Article III judge to the role of “serv[ing] . . . some donuts and coffee” as well as the Sequoia Orange approach of the Ninth Circuit for focusing solely on constitutional limits and for failing to consider the limitations of the Federal Rules of Civil Procedure on voluntary dismissal. Id. at 392–93 (quoting United States ex rel. CIMZNHCA, LLC v. UCB, Inc., 970 F.3d 835, 850 (7th Cir. 2020)).

Despite holding that the government must “intervene under § 3730(c)(3) before seeking to dismiss relator’s case,” the court ultimately construed the government’s motion to dismiss as including a motion to intervene, again adhering to the Seventh Circuit’s approach. Id. at 392. Further, the court found no abuse of discretion “[i]n light of [the] thorough examination and weighing of the interests of all the parties, and Rule 41(a)(2)’s ‘broad grant of discretion’ to shape the ‘proper’ terms of dismissal.” Id. at 393. In sum, the Third Circuit has responded to the growing circuit split over the authority of the government to dismiss whistleblower lawsuits by adopting the Seventh Circuit’s position in CIMZNHCA; the government must intervene to dismiss and the standard for dismissal should be primarily informed by Federal Rule of Civil Procedure 41.

F.    Third Circuit Considers Retroactivity of Amendments to FCA

In United States ex rel. International Brotherhood of Electrical Workers Local Union No. 98 v. Fairfield Co., 5 F.4th 315 (3d Cir. 2021), the Third Circuit grappled with the question of whether (relatively) recent amendments to the FCA had retroactive effect. The Fraud Enforcement and Recovery Act of 2009 (“FERA”), Pub. L. No. 111-21, § 4, 123 Stat. 1625, amended several portions of the FCA, including eliminating the requirement that the false claim be presented to an office or employee of the United States, and removing the requirement for specific intent. Id. at 324. Fairfield challenged the purported retroactivity of the FERA amendments, claiming that should the specific intent provision remain, judgment must be in Fairfield’s favor. Id. at 329–30. The Third Circuit concluded, however, that the statute included a clear expression of retroactivity. The court also held that applying FERA’s amendments would not violate the ex post facto clause of the U.S. Constitution, because the penalties under the FCA were insufficiently punitive in nature to trigger that clause. Id. at 330–41.

After resolving the retroactivity point, the Third Circuit affirmed the district court’s orders entering judgment against Fairfield for FCA violations stemming from Fairfield’s alleged violation of the Davis-Bacon Act, 40 U.S.C. § 3142, et seq., which requires contractors performing work on federally funded construction projects to pay prevailing wages to their employees based on the classification of work performed. Id. at 323. As the court explained, a misclassification of employees may result in those individuals being underpaid, which means accompanying certifications to the government that a contractor is in compliance with the Act may be both false and material to payment for contractual performance. Id. at 323–24. Fairfield allegedly underpaid its employees as compared to the wages the Act required, but still submitted certifications to the government that it satisfied applicable wage requirements. Id. at 326–27.

G.    Eleventh Circuit Addresses Novel Excessive Fines Issue

In Yates v. Pinellas Hematology & Oncology, P.A., 21 F.4th 1288 (11th Cir. 2021), the Eleventh Circuit considered whether a penalty imposed under the FCA violated the Eighth Amendment’s Excessive Fines Clause. Pinellas was a medical practice that collected and tested blood samples at its clinical laboratory. The entity purchased a second location—an oncology practice—at which it also performed testing allegedly without obtaining a new certification under the Clinical Laboratory Improvement Amendments (“CLIA”) of 1988, as required, for almost a year after the purchase. Id. at 1295. According to the qui tam suit, in which the government declined to intervene, the defendant allegedly then submitted reimbursement claims for blood tests to Medicare that miscited the CLIA certificate at its other location and other claims that misrepresented the location of service. Id. at 1296. A jury ultimately found the defendant liable for submitting 214 false claims to Medicare and found that the government sustained $755.54 in damages. Id. Under the FCA’s treble damages and statutory penalty provisions, discussed above, the district court imposed a total monetary award of $1,179,266.62 (composed of $2,266.62 in treble damages (3 x $755.54) and $1,177,000 in statutory penalties (214 x $5,500)). Id. at 1297.

The defendant challenged both the jury’s verdict and the district court’s monetary award. The Eleventh Circuit affirmed the jury’s verdict, concluding that the evidence presented at trial supported the jury’s findings that the defendant knowingly submitted materially false reimbursement claims. The court also disagreed with the defendant’s argument that the damages finding was incorrect because the government had received exactly what it paid for: 214 blood tests. The court explained that, in cases involving Medicare claims, damages are measured as the difference between what the government paid and what it would have paid if the defendant’s claims had been truthful. Id. at *1304–05. Thus, the court found that the evidence supported $755.54 in damages.

The defendant also argued the district court’s monetary award violated the Eighth Amendment’s Excessive Fines Clause. As a matter of first impression, the Eleventh Circuit considered whether the Excessive Fines Clause applies to an FCA case in which the government has declined to intervene (as was the case here). After explaining that the Eighth Amendment applies only to government imposition of fines and noting that the qui tam relator was a private citizen, the Eleventh Circuit held that an FCA monetary award is a fine for purposes of the Excessive Fines Clause, that it is the United States that imposes such a fine in a non-intervened qui tam action, and that the Eighth Amendment thus should apply to such actions. Id. at 1307. In so holding, the court focused on the fact that the government, although “not a formal party to a non-intervened qui tam action,” “remains a real party in interest,” has “significant procedural rights” in the ability to decide whether to intervene, and remains involved in non-intervened cases—namely, by preserving the ability to intervene later, receiving the vast majority of any monetary award, and maintaining control over whether a relator can dismiss a qui tam action. Id. at 1308–14. The court then weighed the proportionality of the award and found, based on the defendant’s alleged repeated violations and the fact that the award fell at the low end of the FCA’s prescribed penalty range, that the penalty was not excessive. Id. at 1314–16.

H.    DC Circuit Issues Opinion on Medicare Overpayment Rule

The D.C. Circuit issued a decision that, while not specifically adjudicating FCA liability, is likely to impact future FCA litigation.

In UnitedHealthcare Insurance Co. v. Becerra, 16 F.4th 867 (D.C. Cir. 2021), the D.C. Circuit considered a challenge by health care insurers to a rule promulgated by CMS, known as the “Overpayment Rule.” Under the Overpayment Rule, if an insurer “learns a diagnosis it submitted to CMS for payment lacks support in the beneficiary’s medical record, the insurer must refund that payment within sixty days.” Id. at 869. In the context of Medicare Advantage—private Medicare plans where members “elect to receive their health insurance through a private insurer . . . rather than directly through the government under traditional Medicare”—insurers must accurately track diagnosis and demographic information for purposes of ensuring that “risk-adjusted” payments from CMS are accurate. Id. at 869–70. For many years, the government has pursued FCA investigations and actions against insurers, alleging that they artificially inflated those “risk-adjusted” payments by manipulating diagnosis codes collected for members, and therefore owed CMS money, including under the Overpayment Rule.

Insurers brought suit seeking to invalidate the Overpayment Rule, claiming that the Overpayment Rule violated statutory provisions guaranteeing that risk-adjusted payments under Medicare Advantage would be “actuarially equivalent” to payment under traditional Medicare and employ the “same methodology.” According to insurers, the mechanisms established by the Overpayment Rule would violate these requirements by, in essence, requiring the return of “overpayments” under Medicare Advantage that departed from actuarial standards used in traditional Medicare.

The district court agreed with the insurers and struck down the rule. Id. at 880. In doing so, the district court also rejected the Overpayment Rule’s imposition of a “reasonable diligence” or negligence-type standard for identifying and reporting overpayments, which, according to the court, was inconsistent with the “knowingly” standard set forth in the FCA. Id. at 881. The D.C. Circuit, however, overturned the district court’s decision and held, as a matter of first impression, that nothing in the Overpayment Rule or applicable authority violated application of the “actuarial equivalence” requirement for the Medicare Advantage plans. Id. at 884–87. The D.C. Circuit also rejected the district court’s findings that the Rule violates the Medicare statute’s “same methodology” requirement. Id. at 891–92. The district court’s rejection of the “reasonable diligence” standard was not challenged on appeal.

It remains to be seen how the district court will apply the circuit court’s position on remand. But enactment and application of the Overpayment Rule will likely have significant consequences for potential FCA liability against health care insurers, and we will continue to watch this case closely.

V.    CONCLUSION

We will monitor these developments, along with other FCA legislative activity, settlements, and jurisprudence throughout the year and report back in our 2022 False Claims Act Mid-Year Update, which we will publish in July 2022.

___________________________

[1] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Justice Department’s False Claims Act Settlements and Judgments Exceed $5.6 Billion in Fiscal Year 2021 (Feb. 1, 2022), https://www.justice.gov/opa/pr/justice-department-s-false-claims-act-settlements-and-judgments-exceed-56-billion-fiscal-year [hereinafter DOJ FY 2021 Recoveries Press Release].

[2] See U.S. Dep’t of Justice, Fraud Statistics Overview (Feb. 1, 2022), https://www.justice.gov/opa/press-release/file/1467811/download [hereinafter DOJ FY 2021 Stats].

[3] DOJ FY 2021 Recoveries Press Release.

[4] Id.

[5] DOJ FY 2021 Stats.

[6] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Contract Rehabilitation Therapy Providers Agree to Pay $8.4 Million to Resolve False Claims Act Allegations Relating to the Provision of Medically Unnecessary Therapy Services (July 2, 2021), https://www.justice.gov/opa/pr/contract-rehabilitation-therapy-providers-agree-pay-84-million-resolve-false-claims-act.

[7] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Northern Ohio Health System Agrees to Pay Over $21 Million to Resolve False Claims Act Allegations for Improper Payments to Referring Physicians (July 2, 2021), https://www.justice.gov/opa/pr/northern-ohio-health-system-agrees-pay-over-21-million-resolve-false-claims-act-allegations.

[8] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Medical Device Companies Alere Inc. and Alere San Diego Inc. Agree to Pay $38.75 Million to Settle False Claims Act Allegations (July 8, 2021), https://www.justice.gov/opa/pr/medical-device-companies-alere-inc-and-alere-san-diego-inc-agree-pay-3875-million-settle.

[9] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, St. Jude Agrees to Pay $27 Million for Allegedly Selling Defective Heart Devices (July 8, 2021), https://www.justice.gov/opa/pr/st-jude-agrees-pay-27-million-allegedly-selling-defective-heart-devices.

[10] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Prime Healthcare Services and Two Doctors Agree to Pay $37.5 Million to Settle Allegations of Kickbacks, Billing for a Suspended Doctor, and False Claims for Implantable Medical Hardware (July 19, 2021), https://www.justice.gov/opa/pr/prime-healthcare-services-and-two-doctors-agree-pay-375-million-settle-allegations-kickbacks.

[11] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Interface Rehab to Pay $2 Million to Resolve False Claims Act Allegations (July 23, 2021), https://www.justice.gov/opa/pr/interface-rehab-pay-2-million-resolve-false-claims-act-allegations.

[12] See Press Release, U.S. Dep’t of Justice, EEG Testing and Private Investment Companies Pay $15.3 Million to Resolve Kickback and False Billing Allegations (July 21, 2021), https://www.justice.gov/opa/pr/eeg-testing-and-private-investment-companies-pay-153-million-resolve-kickback-and-false.

[13] See Press Release, U.S. Atty’s Office for the Dist. of MT, Former Billings Rheumatologist Settles Alleged Health Care Fraud Claims for $2 Million (July 20, 2021), https://www.justice.gov/usao-mt/pr/former-billings-rheumatologist-settles-alleged-health-care-fraud-claims-2-million.

[14] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Mail-Order Diabetic Testing Supplier and Parent Company Agree to Pay $160 Million to Resolve Alleged False Claims to Medicare (Aug. 2, 2021), https://www.justice.gov/opa/pr/mail-order-diabetic-testing-supplier-and-parent-company-agree-pay-160-million-resolve-alleged.

[15] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Ascension Michigan to Pay $2.8 Million to Resolve False Claims Act Allegations (Aug. 5, 2021), https://www.justice.gov/opa/pr/ascension-michigan-pay-28-million-resolve-false-claims-act-allegations.

[16] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, County Medical Center and County Agree to Pay $11.4 Million to Resolve False Claims Act Allegations Relating to Medically Unnecessary Inpatient Admissions (Aug. 6, 2021), https://www.justice.gov/opa/pr/county-medical-center-and-county-agree-pay-114-million-resolve-false-claims-act-allegations.

[17] See Press Release, U.S. Atty’s Office for the Central Dist. of CA, Downey Company that Provides In-Home Respiratory Services Agrees to Pay Over $3.3 Million to Resolve Fraud Allegations (Aug. 25, 2021), https://www.justice.gov/usao-cdca/pr/downey-company-provides-home-respiratory-services-agrees-pay-over-33-million-resolve.

[18] See Press Release, U.S. Atty’s Office for the Dist. of DE, Connections Community Support Programs Agrees to Judgments of Over $15 Million to Resolve Health Care Fraud and Controlled Substances Allegations (Aug. 26, 2021), https://www.justice.gov/usao-de/pr/connections-community-support-programs-agrees-judgments-over-15-million-resolve-health.

[19] See Press Release, U.S. Atty’s Office for the Northern Dist. of TX, Hospital to Pay More Than $3 Million to Settle Whistleblower Suit (Aug. 27, 2021), https://www.justice.gov/usao-ndtx/pr/hospital-pay-more-3-million-settle-whistleblower-suit.

[20] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Sutter Health and Affiliates to Pay $90 Million to Settle False Claims Act Allegations of Mischarging the Medicare Advantage Program (Aug. 30, 2021), https://www.justice.gov/opa/pr/sutter-health-and-affiliates-pay-90-million-settle-false-claims-act-allegations-mischarging.

[21] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, United States Obtains $140 Million in False Claims Act Judgments Against South Carolina Pain Management Clinics, Drug Testing Laboratories and a Substance Abuse Counseling Center (Sept. 3, 2021), https://www.justice.gov/opa/pr/united-states-obtains-140-million-false-claims-act-judgments-against-south-carolina-pain.

[22] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Home Health Agency Operator BAYADA to Pay $17 Million to Resolve False Claims Act Allegations for Paying Kickback (Sept. 8, 2021), https://www.justice.gov/opa/pr/home-health-agency-operator-bayada-pay-17-million-resolve-false-claims-act-allegations-paying.

[23] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Orlando Cardiologist Pays $6.75 Million to Resolve Allegations of Performing Unnecessary Medical Procedures (Sept. 15, 2021), https://www.justice.gov/opa/pr/orlando-cardiologist-pays-675-million-resolve-allegations-performing-unnecessary-medical.

[24] See Press Release, U.S. Atty’s Office for the Eastern Dist. of PA, Three Generic Pharmaceutical Companies Agree to Pay Almost Half a Billion Dollars to Resolve Alleged False Claims Act Liability, Bringing Total Payments for Price-Fixing to Nearly $900 Million (Oct. 15, 2021), https://www.justice.gov/usao-edpa/pr/three-generic-pharmaceutical-companies-agree-pay-almost-half-billion-dollars-resolve.

[25] See Press Release, U.S. Atty’s Office for the Eastern Dist. of MI, USMM and VPA Pay $8.5 Million To Resolve Overpayment of Medicare Claims for Laboratory and Diagnostic Testing (Oct. 8, 2021), https://www.justice.gov/usao-edmi/pr/usmm-and-vpa-pay-85-million-resolve-overpayment-medicare-claims-laboratory-and.

[26] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Texas Pain Management Physicians Agree to Pay $3.9 Million to Resolve Allegations Relating to Unnecessary Urine Drug Testing (Oct. 22, 2021), https://www.justice.gov/opa/pr/texas-pain-management-physicians-agree-pay-39-million-resolve-allegations-relating.

[27] See Press Release, U.S. Atty’s Office for the Northern Dist. of GA, Atlanta pharmacy to pay $4.6 million to settle False Claims Act allegations regarding compound medications (Oct. 25, 2021), https://www.justice.gov/usao-ndga/pr/atlanta-pharmacy-pay-46-million-settle-false-claims-act-allegations-regarding-compound.

[28] See Press Release, U.S. Atty’s Office for MN, Physical Therapy Provider to Pay $4 Million to Resolve Alleged False Claims Act Violations (Oct. 28, 2021), https://www.justice.gov/usao-mn/pr/physical-therapy-provider-pay-4-million-resolve-alleged-false-claims-act-violations.

[29] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Medical Device Company Arthrex to Pay $16 Million to Resolve Kickback Allegations (Nov. 8, 2021), https://www.justice.gov/opa/pr/medical-device-company-arthrex-pay-16-million-resolve-kickback-allegations.

[30] See Press Release, U.S. Atty’s Office for the N. Dist. of Ga., Anesthesia providers and outpatient surgery centers pay more than $28 million to resolve kickback and False Claims Act allegations (Nov. 9, 2021), https://www.justice.gov/usao-ndga/pr/anesthesia-providers-and-outpatient-surgery-centers-pay-more-28-million-resolve.

[31] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Kaléo Inc. Agrees to Pay $12.7 Million to Resolve Allegations of False Claims for Anti-Overdose Drug (Nov. 9, 2021), https://www.justice.gov/opa/pr/kal-o-inc-agrees-pay-127-million-resolve-allegations-false-claims-anti-overdose-drug.

[32] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, South Carolina Chiropractor Pleads Guilty and Agrees to $9 Million False Claims Act Consent Judgment (Nov. 22, 2021), https://www.justice.gov/opa/pr/south-carolina-chiropractor-pleads-guilty-and-agrees-9-million-false-claims-act-consent.

[33] See Press Release, U.S. Atty’s Office for the N. Dist. of Ga., Home health agency to pay $4.2 million to settle False Claims Act allegations (Nov. 22, 2021), https://www.justice.gov/usao-ndga/pr/home-health-agency-pay-42-million-settle-false-claims-act-allegations-0.

[34] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Crossroads Hospice Agrees to Pay $5.5 Million to Settle False Claims Act Liability (Nov. 23, 2021), https://www.justice.gov/opa/pr/crossroads-hospice-agrees-pay-55-million-settle-false-claims-act-liability.

[35] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Flower Mound Hospital to Pay $18.2 Million to Settle Federal and State False Claims Act Allegations Arising from Improper Inducements to Referring Physicians (Dec. 2, 2021), https://www.justice.gov/opa/pr/flower-mound-hospital-pay-182-million-settle-federal-and-state-false-claims-act-allegations.

[36] See Press Release, U.S. Atty’s Office for the Dist. of NJ., Pathology Practice Agrees to Pay $2.4 Million to Resolve False Claims Act Allegations (Dec. 7, 2021), https://www.justice.gov/usao-nj/pr/pathology-practice-agrees-pay-24-million-resolve-false-claims-act-allegations.

[37] See Press Release, U.S. Atty’s Office for the N. Dist. of Ga., Dr. Jeffrey M. Gallups and Entellus Medical agree to pay $4.2 million to resolve False Claims Act lawsuit alleging kick-back arrangements (Dec. 8, 2021), https://www.justice.gov/usao-ndga/pr/dr-jeffrey-m-gallups-and-entellus-medical-agree-pay-42-million-resolve-false-claims-act.

[38] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, AAR Corp. Agrees to Pay $11 Million to Settle False Claims Act Allegations on Aircraft Maintenance Contract and to Pay Penalties Assessed by the FAA (July 6, 2021), https://www.justice.gov/opa/pr/aar-corp-agrees-pay-11-million-settle-false-claims-act-allegations-aircraft-maintenance.

[39] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Devon Energy Companies Agree to Pay $6.15 Million to Settle False Claims Act Allegations for Underpaying Royalties on Gas from Federal Lands (Sept. 27, 2021), https://www.justice.gov/opa/pr/devon-energy-companies-agree-pay-615-million-settle-false-claims-act-allegations-underpaying.

[40] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Crane Company Agrees to Pay More Than $4.5 Million to Resolve False Claims Act Lawsuit for Non-Compliance with Military Specifications (Oct. 6, 2021), https://www.justice.gov/opa/pr/crane-company-agrees-pay-more-45-million-resolve-false-claims-act-lawsuit-non-compliance.

[41] See Press Release, U.S. Atty’s Office for the Western Dist. of NY, Cheektowaga Contractor Agrees To Settle False Claims Act Violations (Oct. 15, 2021), https://www.justice.gov/usao-wdny/pr/cheektowaga-contractor-agrees-settle-false-claims-act-violations.

[42] See Press Release, U.S. Atty’s Office for the Dist. of Md., Information Technology Contractor Agrees to Pay More Than $1.3 Million to Settle Federal False Claims Act Allegations of Overbilling (Dec. 21, 2021), https://www.justice.gov/usao-md/pr/information-technology-contractor-agrees-pay-more-13-million-settle-federal-false-claims.

[43] See Press Release, U.S. Atty’s Office for the W. Dist. of Tx., Maytag Aircraft Corporation Agrees to Pay $1.9 Million to Resolve Liability for 2014 Jet Fuel Spill at Fort Hood (Dec. 22, 2021), https://www.justice.gov/usao-wdtx/pr/maytag-aircraft-corporation-agrees-pay-19-million-resolve-liability-2014-jet-fuel-spill.

[44] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Florida Department of Children and Families Agrees to Pay $17.5 Million to Resolve False Claims Act Liability in Connection with SNAP Quality Control (July 12, 2021), https://www.justice.gov/opa/pr/florida-department-children-and-families-agrees-pay-175-million-resolve-false-claims-act.

[45] See Press Release, U.S. Atty’s Office for the S. Dist. of N.Y., Manhattan U.S. Attorney Settles Civil Fraud Lawsuit Against Clothing Companies and Their Former CEO for Misrepresenting the Value of Goods to Avoid Paying Customs Duties (July 28, 2021), https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-settles-civil-fraud-lawsuit-against-clothing-companies-and-their.

[46] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Tennessee Department of Human Services Agrees to Pay $6.8 Million to Resolve False Claims Act Liability in Connection with SNAP Quality Control (Aug. 5, 2021), https://www.justice.gov/opa/pr/tennessee-department-human-services-agrees-pay-68-million-resolve-false-claims-act-liability.

[47] U.S. Dep’t of Justice, Office of the Associate Attorney General Rachel Brand, Memorandum for Heads of Civil Litigating Components and United States Attorneys: Limiting Use of Agency Guidance Documents In Affirmative Civil Enforcement Cases (Jan. 25, 2018), https://www.justice.gov/file/1028756/download.

[48] U.S. Dep’t of Justice, Justice Manual § 1-20.100 (Dec. 2018), https://web.archive.org/web/20190327044939/https://www.justice.gov/jm/1-20000-limitation-use-guidance-documents-litigation.

[49] See 86 Fed. Reg. 37674 (July 16, 2021), https://www.govinfo.gov/content/pkg/FR-2021-07-16/pdf/2021-14480.pdf.

[50] U.S. Dep’t of Justice, Office of the Attorney General, Memorandum for Heads of All Department Components: Issuance and Use of Guidance Documents by the Department of Justice (July 1, 2021), https://www.justice.gov/opa/page/file/1408606/download.

[51] Id.

[52] Press Release, U.S. Dep’t of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.

[53] Id.

[54] U.S. Dep’t of Justice, Acting Assistant Attorney General Brian M. Boynton Delivers Remarks at the Cybersecurity and Infrastructure Security Agency (CISA) Fourth Annual National Cybersecurity Summit (Oct. 13, 2021), https://www.justice.gov/opa/speech/acting-assistant-attorney-general-brian-m-boynton-delivers-remarks-cybersecurity-and.

[55] See Gibson, Dunn & Crutcher LLP, Emergency Federal Measures to Combat Coronavirus (Mar. 18, 2020), https://www.gibsondunn.com/emergency-federal-measures-to-combat-coronavirus/.

[56] American Rescue Plan Act, 2021, Pub. L. No. 117-2, 117th Cong. (2021).

[57] Press Release, U.S. Dep’t of Justice, Eastern District of California Obtains Nation’s First Civil Settlement for Fraud on Cares Act Paycheck Protection Program (Jan. 12, 2021), https://www.justice.gov/usao-edca/pr/eastern-district-california-obtains-nation-s-first-civil-settlement-fraud-cares-act.

[58] Press Release, U.S. Dep’t of Justice, Owner of Jet Charter Company Settles False Claims Act Allegations Regarding Misappropriation of Payment Protection Program Loan (Aug. 27, 2021), https://www.justice.gov/usao-sdfl/pr/owner-jet-charter-company-settles-false-claims-act-allegations-regarding.

[59] Press Release, U.S. Dep’t of Justice, COVID-19 Task Force Nets Florida Duct Cleaning Company; Settles False Claims Act Allegations Relating to Improper Paycheck Protection Program Loan (Oct. 28, 2021), https://www.justice.gov/opa/pr/covid-19-task-force-nets-florida-duct-cleaning-company-settles-false-claims-act-allegations.

[60] CARES Act, Pub. L. No. 116-136, 116th Cong. (2020), § 4018.

[61] Special Inspector Gen. for Pandemic Recovery, SIGPR Overview, https://www.sigpr.gov/about-sigpr/sigpr-overview.

[62] Special Inspector Gen. for Pandemic Recovery, Quarterly Report: Message from the Special Inspector General for Pandemic Recovery (July 30, 2021), https://www.sigpr.gov/news/quarterly-report-message-special-inspector-general-pandemic-recovery.

[63] See Press Release, U.S. Dep’t of Justice, Baltimore Woman Facing Federal Indictment for Allegedly Obtaining More Than $1.6 Million in Federal Funds Intended to Relieve Financial Distress Caused by the Covid-19 Pandemic (Dec. 15, 2021), https://www.justice.gov/usao-md/pr/baltimore-woman-facing-federal-indictment-allegedly-obtaining-more-16-million-federal (reflecting SIGPR’s involvement in action); see also Baltimore Woman Used Fake Documents To Get $1.6 Million In COVID Relief Funds, Feds Say, Balt. Sun (Dec. 15, 2021), https://www.baltimoresun.com/news/crime/bs-md-ci-cr-covid-relief-charges-20211215-wcf7ydmpozd2rm7tb77dt7o7ze-story.html.

[64] Ltr. from Sen. Charles Grassley to Hon. Merrick B. Garland (Feb. 24, 2021), https://g7x5y3i9.rocketcdn.me/wp-content/uploads/2021/03/2021-02-24-CEG-to-DOJAG-Nominee-Garland-regarding-FCA.pdf.

[65] False Claims Amendments Act of 2021, S. 2428, 117th Cong. (July 22, 2021), https://www.congress.gov/bill/117th-congress/senate-bill/2428/text/is?r=1.

[66] Press Release, Sen. Chuck Grassley, False Claims Act Amendments of 2021, https://www.grassley.senate.gov/imo/media/doc/false_claims_amendments_act_summary.pdf.

[67] False Claims Amendments Act of 2021, S. 2428, 117th Cong. (Nov. 16, 2021), https://www.congress.gov/bill/117th-congress/senate-bill/2428/text/rs?r=1.

[68] Id.

[69] Id.

[70] Actions Overview, False Claims Amendments Act of 2021, S. 2428, 117th Cong. (1st Sess. 2021), https://www.congress.gov/bill/117th-congress/senate-bill/2428/actions?r=1&s=1.

[71] HHS-OIG, State False Claims Act Reviews, https://oig.hhs.gov/fraud/state-false-claims-act-reviews/.

[72] Id.

[73] Id.

[74] See Ltr. from Christi A. Grimm, Principal Deputy Inspector General, to Hon. Austin Knudsen, Attorney General of Minnesota (Oct. 4, 2021), https://oig.hhs.gov/documents/false-claims-act/1003/montana2021.pdf.

[75] HHS-OIG, supra note 63.

[76] Analysis by the Legislative Reference Bureau, Wisconsin S.B. 652 (Oct. 20, 2021), https://docs.legis.wisconsin.gov/2021/related/proposals/sb652.pdf.

[77] Id.

[78] See Ltr. from Daniel R. Levinson, Inspector General, to Hon. Brad Schimel, Attorney General of Wisconsin (Dec. 28, 2016), https://oig.hhs.gov/documents/false-claims-act/276/Wisconsin-supplement.pdf.

[79] See Analysis of the Legislative Reference Bureau, supra note 76.


The following Gibson Dunn lawyers assisted in the preparation of this alert: Jonathan Phillips, John Partridge, James Zelenay, Reid Rector, Michael Dziuban, Allison Chapin, Chelsea Knudson, Becca Smith, Emma Strong, Phuntso Wangdra, Mike Ulmer, Katie King, Jabari Julien, Nick Perry, Ben Gibson, and John Turquet Bravard.


© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Please join us for a discussion about FCPA developments and emerging trends from 2021. Intended to complement our Year-End FCPA Update, this webcast discusses in greater detail recent FCPA enforcement updates of note, the Biden Administration’s focus and initiatives on combating corruption, and the increasing interplay between anti-corruption and anti-money laundering efforts. We also discuss key takeaways from these developments, including with respect to anti-corruption compliance program trends and recommendations. Download our FCPA Year-End Update.



PANELISTS:

Patrick Stokes is Co-Chair of the firm’s Anti-Corruption and FCPA Practice Group and a partner in the Washington, D.C. office, where he focuses his practice on internal corporate investigations, government investigations, enforcement actions regarding corruption, securities fraud, and financial institutions fraud, and compliance reviews. Mr. Stokes is ranked nationally and globally by Chambers USA and Chambers Global as a leading attorney in FCPA. Prior to joining the firm, Mr. Stokes headed the DOJ’s FCPA Unit, managing the FCPA enforcement program and all criminal FCPA matters throughout the United States covering every significant business sector. Previously, he served as Co-Chief of the DOJ’s Securities and Financial Fraud Unit.

John W.F. Chesley is a partner in the Washington, D.C. office. Mr. Chesley has been repeatedly recognized for his white collar defense work by Global Investigations Review’s “40 Under 40,” as well as Law 360’s “Rising Stars”. He represents corporations, audit committees, and executives in internal investigations and before government agencies in matters involving the FCPA, procurement fraud, environmental crimes, securities violations, antitrust violations, and whistleblower claims. He also litigates government contracts disputes in federal courts and administrative tribunals.

Ella Capone is a senior associate in the Washington, D.C. office, where she is a member of the White Collar Defense and Investigations and Anti-Money Laundering practice groups. Her practice focuses primarily on the areas of white collar criminal defense, corporate compliance, and securities litigation. Ms. Capone regularly conducts internal investigations and advises multinational corporations and financial institutions on compliance with anti-corruption and anti-money laundering laws and regulations.

Joseph Warin is Co-Chair of Gibson Dunn’s global White Collar Defense and Investigations Practice Group, and he is chair of the over 200-person Litigation Department of the Washington, D.C. office.  Mr. Warin is ranked in the top-tier year after year by Chambers USA, Chambers Global, and Chambers Latin America for his FCPA, fraud and corporate investigations experience.  He has handled cases and investigations in more than 40 states and dozens of countries involving federal regulatory inquiries, criminal investigations and cross-border inquiries by international enforcers, including UK’s SFO and FCA, and government regulators in Germany, Switzerland, Hong Kong, and the Middle East.  Mr. Warin has served as a compliance monitor or counsel to the compliance monitor in three separate FCPA monitorships, pursuant to settlements with the SEC and DOJ.


MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 2.0 credit hours, of which 2.0 credit hours may be applied toward the areas of professional practice requirement.

This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 2.0 hours.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

In this client alert, we outline a number of significant UK and international tax developments of recent weeks and months, many of which will continue to take shape as we move forward into 2022.

In the UK, domestic tax policy looks set to play as important a role as ever as the government continues to walk the tightrope of seeking to stimulate economic activity and investment, whilst raising much needed revenue. Forecasters have predicted strong economic growth over 2022, but this is against the backdrop of record pandemic borrowing, a drop in tax revenue figures for 2020/2021, high inflation and expected interest rate rises (of course exacerbating the government’s cost of borrowing). Many will find themselves wondering if the current government will be able to hold out on all aspects of the “triple tax lock” pledge to not raise income tax, National Insurance contributions or VAT until 2024 – of course already side-lined in relation to National Insurance contributions which are due to increase by 1.25% from April 2022.

In the international tax arena, 2022 promises to be a seminal, perhaps “make or break”, year. The OECD’s BEPS 2.0 project is in full motion, at least as regards Pillar II in relation to which model rules were published in a flurry of activity in December 2021. With a scheduled 2023 effective date, some degree of turmoil looks inevitable as numerous stakeholders get to grips with the finer details of local implementation – and that’s before we even begin to understand the interplay with US domestic tax policy and reform. Pillar I proposals on the other hand would appear to be considerably less advanced and so far less certain to succeed, although model rules for domestic implementation are still expected in early 2022.

In any event, we expect to see the UK government continue to stake the UK’s claim to be “open for business”, with significant measures in the asset management and investment funds sector in particular which seek to enable the UK to compete with other jurisdictions and bolster the financial services components of the UK economy – as analysed further below.

We hope that you find this alert useful. Please do not hesitate to contact us with any questions or requests for further information.



Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the Tax Practice Group, or the authors in London:

Sandy Bhogal (+44 (0) 20 7071 4266, sbhogal@gibsondunn.com)
Benjamin Fryer (+44 (0) 20 7071 4232, bfryer@gibsondunn.com)
Bridget English (+44 (0) 20 7071 4228, benglish@gibsondunn.com)
James Chandler (+44 (0) 20 7071 4211, jchandler@gibsondunn.com)
William Inchbald (+44 (0) 20 7071 4264, winchbald@gibsondunn.com)

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.


For the fourth consecutive year, and complementing the publication of Gibson Dunn’s upcoming tenth annual U.S. Cybersecurity and Data Privacy Outlook and Review, we offer this separate International Outlook and Review. As every year, this Outlook and Review provides an overview of past and upcoming developments related to global privacy and cybersecurity laws.

2021 saw an increasing number of data protection bills and laws passed across numerous international jurisdictions. Notably, China, the UAE, Brazil, Russia and Switzerland, among others, passed new laws, amendments or implementing regulations paving the way for a new round of significant data privacy regimes. It is expected that international authorities will make full use of their new powers in order to apply and enforce their respective data protection legislation in the near future.

In the European Union (“EU”), there were a significant number of developments in the evolution of the data protection and cybersecurity landscape:

  • In the aftermath of the Schrems II ruling, the EDPB adopted a series of Recommendations and Guidelines in order to clarify the regime and rules applicable to data transfers to the U.S. and other jurisdictions that do not benefit from an adequacy decision, as well as on the territorial scope of the General Data Protection Regulation (“GDPR”). Furthermore, the European Commission adopted new sets of Standard Contract Clauses (“SCCs”) that must be used as of 27 September 2021 for new contractual arrangements and apply to existing contractual arrangements by 27 December 2022.
  • Further to the three-year review of the e-Privacy Regulation Bill by the EU Member States, negotiations between the Council, the European Parliament and the European Commission commenced for its finalisation and adoption, which is due to replace the 20-year-old e-Privacy Directive.
  • EU lawmakers have also made progress on the adoption of the revised Network Infrastructure Security Directive (“NIS2 Directive”), which is due to replace the current NIS Directive by expanding its scope and seeking to harmonise further this sector across all levels (including sanctions).
  • EU supervisory authorities continued to apply and enforce the GDPR vigorously, imposing record-setting fines and making full use of EU law instruments to achieve a harmonised approach.

We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

I.   European Union

A.   International data transfers

1.   Aftermath of the Schrems II Ruling

As we indicated in the 2021 International Outlook and Review, on 16 July 2020, the so-called Schrems II ruling of the Court of Justice of the EU (“CJEU”) struck down the EU-U.S. Privacy Shield, which numerous companies had relied upon to transfer personal data from the EU to the U.S. Despite this, the CJEU also ruled that the SCCs approved by the European Commission, another mechanism used by an even higher number of companies to transfer personal data outside of the EU, remained valid subject to certain caveats.[1]

Further to the Schrems II ruling, organisations transferring personal data to a third country must verify, on a case-by-case basis, if there is anything in the law and practice of the third country which may impinge on the appropriate safeguards of the transfer tools (a “Risk Assessment”). If the law and practice of the third country do impinge on the transfer tools’ safeguards, the organisations are required to implement supplementary measures to ensure an equivalent level of protection.

In this respect, the European Data Protection Board (“EDPB”) issued important new guidance on international transfers of personal data, namely:

  • Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data,[2] which provide guidance to help organisations conduct their Risk Assessment and determine which supplementary measures should be implemented;
  • Recommendations 02/2020 on the European Essential Guarantees for surveillance measures adopted by the EDPB,[3] which clarify the elements that organisations are required to take into account when assessing the law of a third country dealing with access to data by public authorities for the purpose of surveillance.

In parallel, on 4 June 2021, the European Commission adopted new SCCs to cover data transfers among controllers and processors from the European Economic Area (“EEA”) to third countries not recognised by the European Commission as ensuring an adequate level of protection for personal data.[4] This new set of SCCs replaces the old SCCs adopted in 2001 and 2010 under the Data Protection Directive 95/46/EC (“e-Privacy Directive”), and takes into account the conclusions of the CJEU in Schrems II. Since 27 September 2021, it is no longer possible to execute the old SCCs and, as of 27 December 2022, existing contracts will need to have been replaced or amended to incorporate the new SCCs.

The EDPB also adopted the Guidelines 04/2021 on codes of conduct as tools for transfers[5] and the Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR[6], each for public consultation. The latter Guidelines aim to clarify the territorial scope of the GDPR and the provisions on international transfers, to assist controllers and processors to determine whether a particular data processing activity falls directly under the GDPR, or should be covered by a legal data transfer mechanism to provide adequate safeguards.

In light of these developments, several Member State supervisory authorities issued statements and guidance in relation to matters concerning international data transfers:[7]

  • the Austrian Data Protection Authority ruled that the provider of a website using Google Analytics was illegally transferring data to the U.S. considering that Google, as an electronic communication service provider, is subject to U.S. surveillance and that the safeguards provided were insufficient to prevent U.S. intelligence from accessing the data;
  • the Italian Garante[8] fined a Milanese university €200,000 in relation to the transfer of personal data to the U.S. on the basis of the SCCs due to the lack of Risk Assessment and insufficient encryption measures;
  • the Belgian Conseil d’Etat[9] decided not to suspend a transfer of personal data to the U.S. since it could not exclude that encryption with separate key management can constitute a sufficient supplementary measure in this context;
  • in Germany, the Bavarian BayLDA[10] considered a data transfer as being unlawful due to the lack of Risk Assessment;
  • the Portuguese CNPD[11] ordered a controller to suspend within 12 hours any international transfers to the U.S. or other third countries without an adequate level of protection; and
  • the French Conseil d’Etat[12] decided not to suspend transfers of personal data to the U.S. in view of the safeguards implemented by the controller.

2.   Adequacy decisions

On 28 June 2021, the European Commission adopted two adequacy decisions for the United Kingdom,[13] under the GDPR and the Law Enforcement Directive. These decisions will allow personal data to flow freely from the EU to the UK without the need for additional tools or authorisations. The adequacy findings include a ‘sunset clause’, which means that the decisions will automatically expire four years after their entry into force. It is likely that the decisions will only be renewed if the UK continues to ensure an adequate level of data protection of personal data.

On 17 December 2021, the European Commission also adopted the South Korea adequacy decision,[14] making it possible for personal data to be transferred safely from the EU to the Republic of Korea. With this decision, the Commission guarantees that the South Korean legislation on data protection, combined with the additional safeguards implemented in the country, ensures an adequate level of protection for EU data subjects’ personal data.

B.   Proposed E-Privacy Regulation and Cookies and Telemarketing Enforcement

As we indicated was likely in the 2021 International Outlook and Review, the e-Privacy Regulation, which was proposed by the European Commission in 2017 to update laws applicable to telecoms, digital and online data processing, was not adopted in 2021.

In 2021, the Council, the European Parliament and the European Commission initiated joint discussions for the adoption of the e-Privacy Regulation. Although the co-legislators failed to find common ground, the situation does not look as dim as in 2020 and 2021. Legislators and industry experts are confident that the final Regulation will be adopted in 2022 or 2023.[15]

Relatedly, European e-privacy laws have continued to be the object of enforcement by EU data protection authorities. As explained further in Section I.E below, in 2021, the Luxembourg, French and Spanish supervisory authorities, among others, imposed significant fines on companies for e-privacy violations (e.g., setting of cookies, the use of online targeted advertising and the use of telemarketing, without consent).

C.   Proposed Network Information Security (“NIS2”) Directive Proposal

As explained in past iterations of the International Outlook and Review, the Network and Information Security (“NIS”) Directive, the first piece of EU-wide legislation on cybersecurity, had the specific aim of achieving a high common level of cybersecurity across the Member States.

While the NIS Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult and resulted in a patchwork of national legislations across the EU. To respond to the growth of digitalisation and cyber-attacks, on 16 December 2020, the European Commission submitted the NIS2 Directive Proposal to replace the NIS Directive. The NIS2 Directive Proposal aims to strengthen the security requirements, address the security of supply chains, streamline reporting obligations and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU. The NIS2 Directive Proposal will also have a broader scope of application, effectively requiring more entities and sectors to take the prescribed measures in relation to cybersecurity.

Further to the Council discussions, the European Parliament adopted its report on 28 October 2021, leading to interinstitutional negotiations with the European Commission.[16] It is expected that the NIS2 Directive will be effectively adopted in 2022 or in 2023.

D.   EDPB Guidance

Aside from its guidance on international data transfers, the EDPB issued Guidelines on various topics, including:

  • Guidelines 06/2020 on the interplay between the second Payment Services Directive (PSD2) and the GDPR,[17] which notably address lawful grounds for further processing under the PSD2;
  • Guidelines 07/2020 on the concepts of controller and processor in the GDPR,[18] which aim to clarify these concepts and the consequences of attributing these roles to entities that collect and process personal data;
  • Guidelines 08/2020 on the targeting of social media users,[19] which provide an overview of the main parties and the targeting mechanisms involved in such processing, as well as the related GDPR requirements;
  • Guidelines 10/2020 on restrictions under Article 23 GDPR,[20] which address the grounds for restricting data subjects’ rights, including for national security and public defence, and for objectives of general public interest; and
  • Guidelines 01/2021 on Examples regarding Data Breach Notification,[21] which aim to assist data controllers in determining how to handle data breaches and what factors to consider during a risk assessment.

The EDPB also issued its Strategy 2021-2023,[22] as well as its Work Program 2021/2022,[23] notably announcing awaited Guidelines on, inter alia, legitimate interest, blockchain and the calculation of administrative fines.

E.   Enforcement by Supervisory Authorities

In 2021, the GDPR and the e-Privacy Directive continued to be applied and enforced by EU Member State supervisory authorities. As explained in previous issues of our Outlook and Review, the GDPR put in place a one-stop shop mechanism to enable lead supervisory authorities of one Member State to adopt decisions and impose fines for EU-wide GDPR violations resulting from cross-border data processing activities.

On 15 June 2021, the CJEU generally upheld and confirmed the status of lead supervisory authorities as “sole interlocutors” of controllers and processors that process personal data cross-border within the EU.[24] Other supervisory authorities cannot therefore initiate any action, administrative or in court, that runs in parallel to that of the lead supervisory authority, except in exceptional circumstances foreseen by the GDPR (e.g., in urgency procedures under Article 66).

The GDPR’s jurisdictional rules were also addressed in another matter before the supervisory authority in France. In 2016, the French data protection authority (“CNIL”) had initiated investigations against the EU operations of a U.S. tech company regarding particularly its data sharing activities with the U.S. parent company. Among the alleged grievances being investigated, the CNIL considered that such data sharing was undertaken without appropriate legal basis. However, one of the key procedural issues being disputed was to determine whether the CNIL still had jurisdiction over a case initiated prior to the GDPR, but which continued after the GDPR became applicable in 2018 and after the U.S. tech company set up an EU establishment in charge of its processing activities in the same year. The CNIL eventually held in 2021 that it did not have jurisdiction on this case and did not sanction the U.S. tech company.

On 16 July 2021, the Luxembourg CNPD imposed a record-breaking €746 million fine on an e-commerce and online services corporation and required the company to remedy the instances of non-compliance within six months, with a penalty of €746,000 per day of delay.[25] According to the plaintiff, La Quadrature du Net, the company was processing personal data for targeted advertising purposes without a valid legal basis. The sanction has since been partially suspended by a local administrative court.[26]

On 2 September 2021, the Irish Data Protection Commission (“DPC”) imposed a fine of €225 million on an online messaging service provider for allegedly failing to meet its transparency obligations under the GDPR. Given that the company’s data processing activities were cross-border, the DPC’s draft decision was reviewed by other relevant supervisory authorities, as required by the cooperation and consistency mechanism under the GDPR.

On 31 December 2021, the French CNIL imposed a €150 million fine on Google (€90 million for Google LLC and €60 million for Google Ireland Ltd), as well as a €60 million fine on a social network service[27], on the basis of the e-Privacy Directive, for allegedly not enabling users to refuse cookies as easily as to accept them. The CNIL also summoned the companies, in both cases, to bring their practices into compliance with the e-Privacy Directive within three months, with a penalty of €100,000 per day of delay.

On 25 May 2021, the German Competition Authority (“Bundeskartellamt”) opened proceedings under Germany’s 2021 GWB Digitalization Act against Google Germany GmbH, Google Ireland Ltd., Dublin, Ireland, and Alphabet Inc., USA, reviewing Google’s data processing terms and cross-service data processing. Subsequently, on 30 December 2021, it issued a decision determining that Google is of paramount significance for competition across markets, which is a prerequisite for further investigation under the new law. Of note, the German Bundeskartellamt is not a supervisory authority under the GDPR, but is an active enforcer in the digital economy, including at the interface with the processing of personal data under the GDPR.

In addition, throughout 2021, several European Supervisory Authorities issued fines around €5-10 million, including for unlawful employee surveillance[28] or marketing calls[29] and lack of valid consent for the processing of personal data.[30]

II.   Developments in Other European Jurisdictions: UK, Switzerland, Russia and Turkey

A.   UK

In the UK, the Information Commissioner’s Office (“ICO”) has continued to undertake efforts to enforce the UK GDPR and the Data Protection Act 2018. Notably, in 2021, it announced its provisional intent to fine Clearview AI, Inc. £17 million[31] for its processing of biometric data scraped from the internet, and issued a provisional notice to stop further processing and delete the personal data of individuals in the UK. Throughout the year, the ICO also imposed fines of a lower amount on corporations and local businesses for their failure to apply data protection and e-privacy laws.[32]

In addition to its enforcement action, the UK ICO also undertook efforts to complete its regulatory framework post-Brexit. The most important development relates to the publication of a draft international data transfer agreement (“IDTA”) and guidance, which were subject to consultation and are intended to replace the EU’s legacy SCCs.[33]

B.   Switzerland

As we indicated in the 2021 International Outlook and Review, on 25 September 2020, the Swiss Parliament adopted the revised version of the Federal Act on Data Protection 1992 (“Revised FADP”). In anticipation of its upcoming entry into law in the second half of 2022, on 5 March 2021, the Federal Data Protection and Information Commissioner (“FDPIC”) published guidance on how the private sector and federal authorities needed to adapt their processing activities to comply with the new provisions of the Revised FADP. In particular, the guidance covers the right to data portability, codes of conduct, records of processing activities and cross-border transfers and extended requirements around providing information on data processing and transparency under the Revised FADP.[34]

On 23 June 2021, the Swiss Federal Council also released a draft revised Ordinance on the Federal Data Protection Act for public consultation following the adoption of the Revised FADP. In particular, the Council highlighted that the revisions to the Ordinance include minimum data security requirements, the modalities of the duty to inform data subjects, the right of access, data breach notification requirements, and exceptions to the obligation to keep a record of data processing activities for companies with fewer than 250 employees. Furthermore, the draft Ordinance specifies the criteria which the Council must take into account in its assessment of the adequacy of transfers of personal data to third countries, and includes a draft list of 34 countries which are considered to provide an adequate level of protection.[35]

With regard to data transfers, the FDPIC published a guide on 18 June 2021 to allow companies to review the admissibility of data transfers to third countries in accordance with the Federal Act on Data Protection 1992. The guide provides a flowchart detailing the actions required by organisations to ensure data transfers are made in compliance with the Act and, notably, elaborates on the legal requirements that apply to transfers to third countries that do not appear on the FDPIC list of adequate countries.[36]

Furthermore, on 27 August 2021, the FDPIC announced that the new SCCs adopted by the European Commission on 4 June 2021 for data transfers to third countries were also valid under Swiss law. The FDPIC recalled that the Commission’s SCCs may be used by data exporters, provided that the necessary adaptations and amendments be made for use under Swiss data protection law (i.e., replacing references to the EU with references to Switzerland). In addition, in line with the timeline in the EU, the FDPIC confirmed that the European Commission’s old SCCs could still be entered into until 27 September 2021 and existing agreements entered into under the old SCCs may still be used during a transitional period until 31 December 2022.[37]

C.   Russia

As we indicated in the 2021 International Outlook and Review, Russia undertook a number of legislative modifications in 2021 to enhance and complete its data protection regime, notably in terms of increasing applicable fines.

In the same vein, Russia adopted a new federal law in 2021 ‘On Amendments to the Code of Administrative Offenses’, which increased the amounts of administrative fines prescribed in the Code of Administrative Offenses against the Federal Law On Personal Data. The amendments do not touch upon the highest fines for breaching the data localisation requirement, but do increase the administrative fines for repeated offenses (i.e., offences that occur within one year from the date the previous violation was enforced). Recidivism concerning the localisation requirement may lead to fines between RUB 6,000,000 and 18,000,000 (approximately USD 80,000 to 240,000) on companies, and responsible managers may face fines between RUB 500,000 and 800,000 (approximately USD 6,600 to 10,500).[38]

In addition, the Russian Federal Service for the Supervision of Communications, Information Technology and Mass Communications (“Roskomnadzor”) and the Russian Parliament (“Duma”) have continued to undertake efforts to protect Russian consumers and citizens. First, on 29 March 2021, the Ministry of Digital Development published draft amendments to the Federal Law of 27 July 2006 No. 152-FZ on Personal Data in order to require telecom operators to obtain the consent of subscribers prior to the sale of their personal data for telemarketing purposes.[39]

On 1 July 2021, the Roskomnadzor also announced that it had launched an online service allowing companies to obtain and record consent to the processing of personal data collected directly from the data subject. The Roskomnadzor claims that the template service will enable operators to meet the consent requirements following the entry into force of the amendments to the Federal Law on Personal Data in March 2021. Furthermore, the Roskomnadzor noted that the template may be customised to the specific activities of the operator, and that data subjects may record their preferences as to how their personal data may be processed and further distributed to third parties.

Finally, on 10 November 2021, the Duma registered a bill on ‘Amendments to Article 14.8 of the Code of the Russian Federation on Administrative Offences’ in order to prohibit companies from forcing consumers to provide personal data in cases where such data is not necessary to complete the transaction and is not provided for by legislation.[40]

D.   Turkey

In 2021, the Turkish data protection authority (“KVKK”) proceeded with its significant activity in providing guidance on the application of the Turkish Data Protection Act. Notably, on 20 October 2021, it issued guidance on the right to be forgotten (“RTBF”) in respect of search engines. The guidance follows up on the KVKK Board Decision 2020/481 regarding the requests of individuals to remove names, surnames and the results of searches made through search engines from the index, and it aims to clarify issues relating to the exercise of the RTBF. Among other points, it indicates that the individuals may exercise the RTBF either by making a request to the data controller (search engine) or by complaining to the KVKK.[41]

Finally, throughout 2021, the KVKK continued with its enforcement of the Turkish Data Protection Act. For example, on 21 June 2021, it imposed a fine of TRY 800,000 (approx. €77,390) on an e-commerce site for data security and breach notification failures under the Turkish Data Protection Act. In particular, the KVKK noted that the investigation was triggered by a complaint that access to the information of third-party companies was provided through the customer service panel on the e-commerce site.[42] On 3 September 2021, the KVKK published a summary of review of a decision concerning an online messaging service provider, in which it imposed a fine of TRY 1,950,000 (approx. €195,000) for allegedly failing to take necessary technical and administrative measures to ensure data security pursuant to the Act.[43]

III.   Developments in Asia-Pacific

A.   Australia

As explained in the 2021 International Outlook and Review, the Australian government is currently undertaking a wholesale review of the Privacy Act 1988 with a view to implementing significant reforms to the country’s privacy regime. In October 2021, the Attorney-General’s Department released a discussion paper considering the items raised in the issues paper published in October 2020 (and referred to in the 2021 International Outlook and Review) and has sought further feedback on the proposed reforms.[44] Submissions on the discussion paper closed on 10 January 2022, and those submissions will now form the basis of a final report to be submitted to government.

The discussion paper proposes wide-ranging reforms which would align Australia’s privacy regime more closely to global equivalents, such as the GDPR, in order to reflect recent developments in the digital economy, including to expand the definition of personal information, impose stricter anonymisation requirements on organisations subject to the laws, increase maximum civil penalties for non-compliance, strengthen the rights of individuals to object to the collection, use or disclosure of their information or require its erasure, and to modify the framework for international data transfers.

This review has been conducted concurrently with a public consultation process on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (“Online Privacy Bill”), which was released on 25 October 2021.[45] The Online Privacy Bill proposes to establish a binding privacy code for social media platforms, data brokerage services and large online platforms, expand the enforcement options available to the regulator and significantly broaden the extra-territorial reach of the Privacy Act 1988 to apply to acts performed outside Australia by foreign organisations carrying on business in Australia. Submissions on the Online Privacy Bill closed on 6 December 2021 and those submissions will inform further development of the Online Privacy Bill before its introduction to Parliament in 2022.

In addition to the ongoing review of the Privacy Act 1988 and the Online Privacy Bill, the US and Australian governments signed an agreement on 15 December 2021 to facilitate access to electronic data for investigations authorised by the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018.[46] This agreement allows authorities from each country to access certain data directly from providers operating in the other’s jurisdiction to mitigate, detect and investigate serious crimes, including ransomware attacks and terrorism, as well as crimes that sabotage critical infrastructure over the internet. The agreement will undergo parliamentary and congressional review procedures in 2022 and is intended to replace the mutual legal assistance mechanism currently used to access data from such providers, which relevant authorities perceive as too slow and awkward to fulfil its intended purpose.[47]

B.   China

1.   Passage of the Personal Information Protection Law

On 20 August 2021, the Standing Committee of China’s National People’s Congress passed the Personal Information Protection Law (“PIPL”), which took effect on 1 November 2021.[48] The PIPL applies to “personal information processing entities (‘PIPEs’)”, defined as “an organisation or individual that independently determines the purposes and means for processing of personal information”. The PIPL defines “personal information” broadly as “various types of electronic or otherwise recorded information relating to an identified or identifiable natural person”, excluding anonymised information, and defines “processing” as “the collection, storage, use, refining, transmission, provision, public disclosure or deletion of personal information” (PIPL Article 4).

The PIPL shares many similarities with the EU’s GDPR, including its extraterritorial reach, restrictions on data transfer, compliance obligations and sanctions for non-compliance, amongst others. The PIPL raises some concerns for companies that conduct business in China, even where such companies’ data processing activities take place outside of China, and the consequences for failing to comply could potentially include monetary penalties and companies being placed on a government blacklist.

The PIPL applies to cross-border transmission of personal information and applies extraterritorially. Where PIPEs transmit personal information to entities outside China, they must inform the data subjects of the transfer, obtain their specific consent to the transfer and ensure that the data recipients satisfy standards of personal information protection similar to those in the PIPL. The PIPL applies to organisations operating in China, as well as to foreign organisations and individuals processing personal information outside China in any one of the following circumstances: (1) the organisation collects and processes personal data for the purpose of providing products or services to natural persons in China; (2) the data will be used in analysing and evaluating the behaviour of natural persons in China; or (3) under other unspecified “circumstances stipulated by laws and administrative regulations”. This is an important similarity between the PIPL and GDPR, as the GDPR’s data protection obligations apply to non-EU data controllers and processors that track, analyse and handle data from visitors within the EU. Similarly, under the PIPL, a foreign receiving party must comply with the PIPL’s standard of personal information protection if it handles personal information from natural persons located in China.

The PIPL gives the Chinese government broad authority in processing personal information. State organisations may process personal information to fulfil statutory duties, but may not process the data in a way that exceeds the scope necessary to fulfil these statutory duties. Personal information processed by state organisations must be stored within China.

The PIPL establishes guiding principles on protection of personal information. According to the PIPL, processing of personal information should have a “clear and reasonable purpose” and should be directly related to that purpose. The PIPL requires that the collection of personal information be minimised and not excessive, and that PIPEs ensure the security of personal information. To that end, the PIPL imposes a number of compliance obligations on PIPEs, including requiring PIPEs to establish policies and procedures on personal information protection, implement technological solutions to ensure data security and carry out risk assessments prior to engaging in certain processing activities.

The PIPL adopts a risk-based approach, imposing heightened compliance obligations in specified high-risk scenarios. For instance, PIPEs whose processing volume exceeds a yet-to-be-specified threshold must designate a personal information protection officer responsible for supervising the processing of personal data. PIPEs operating “internet platforms” that have a “very large” number of users must engage an external, independent entity to monitor compliance with personal information protection obligations, and regularly publish “social responsibility reports” on the status of their personal information protection efforts. The law mandates additional protections for “sensitive personal information”, broadly defined as personal information that, once disclosed or used in an illegal manner, could infringe on the personal dignity of natural persons or harm persons or property. “Sensitive personal information” includes biometrics, religious information, special status, medical information, financial account, location information and personal information of minors under the age of 14. When processing “sensitive personal information”, according to the PIPL, PIPEs must only use information necessary to achieve the specified purpose of the collection, adopt strict protective measures and obtain the data subjects’ specific consent.

The PIPL creates legal rights for data subjects. According to the new law, PIPEs may process personal information only after obtaining fully informed consent in a voluntary and explicit statement, although the law does not provide additional details regarding the required format of this consent. The law also sets forth certain situations where obtaining consent is unnecessary, including where necessary to fulfil statutory duties and responsibilities or statutory obligations, or when handling personal information within a reasonable scope to implement news reporting, public opinion supervision and other such activities for the public interest. Where consent is required, PIPEs should obtain a new consent where they change the purpose or method of personal information processing after the initial collection. The law also requires PIPEs to provide a convenient way for individuals to withdraw their consent, and mandates that PIPEs keep the personal information only for the shortest period of time necessary to achieve the original purpose of the collection. If PIPEs use computer algorithms to engage in “automated decision making” based on individuals’ data, the PIPEs are required to be transparent and fair in the decision making, and are prohibited from using automated decision making to engage in “unreasonably discriminatory” pricing practices. “Automated decision-making” is defined as the activity of using computer programs to automatically analyse or assess personal behaviours, habits, interests, hobbies, financial, health, credit or other status, and make decisions based thereupon. When individuals’ rights are significantly impacted by PIPEs’ automated decision making, individuals can demand that PIPEs explain the decision making, and can decline automated decision making.

The PIPL creates penalties for organisations that fail to fulfil their obligations to protect personal information. These penalties include disgorgement of profits and provisional suspension or termination of electronic applications used by PIPEs to conduct the unlawful collection or processing. Companies and individuals may be subject to a fine of not more than 1 million RMB (approximately $154,378.20) where they fail to remediate conduct found to be in violation of the PIPL, with responsible individuals subject to fines of 10,000 to 100,000 RMB (approximately $1,544 to $15,438). Companies and responsible individuals face particularly stringent penalties where the violations are “grave”, a term left undefined in the statute. In these cases, the PIPL allows for fines of up to 50 million RMB (approximately $7,719,027) or 5% of annual revenue, although the PIPL does not specify which parameter serves as the upper limit for the fines. Authorities may also suspend the offending business activities, stop all business activities entirely or cancel all administrative or business licenses. Individuals responsible for “grave” violations may be fined between 100,000 and 1 million RMB (approximately $15,438 to $154,383), and may also be prohibited from holding certain job titles, including Director, Supervisor, high-level Manager or Personal Information Protection Officer, for a period of time. In contrast, fines for severe violations of the GDPR can be up to €20 million (approximately $23,486,300) or up to 4% of the undertaking’s total global turnover of the preceding fiscal year (whichever is higher).

For more details regarding potential issues for companies operating in China and the impact of the PIPL, please see our client alert here.

2.   Draft Measures for Data Export Security Evaluations

On 29 October 2021, the Cyberspace Administration of China requested public comments on the draft Measures for Data Export Security Evaluation until 28 November 2021. The draft underscores the need to standardise data exports under the PIPL, Cybersecurity Law and Data Security Law. Under the draft, PIPEs transferring data which meets one of the following requirements outside of China are required to submit a report through the provincial Cyberspace Administration: (1) personal information and important data are generated by operators of critical information infrastructure; (2) outbound data contains important data; (3) personal information processors who have processed personal information of one million people; (4) personal information processors who have processed personal information of more than 100,000 people or sensitive personal information of more than 10,000 people abroad; or (5) other situations required by the Cyberspace Administration.

3.   Regulations on the Security Protection of Critical Information Infrastructure

Following the United States’ proposal of the Cyber Incident Notification Act of 2021 and the EU’s adoption of Directive (EU) 2016/1148 on Security of Network and Information Systems in 2016, China introduced rules to protect the country from cyber-attacks on critical information systems. China’s Regulations on the Security Protection of Critical Information Infrastructure (the “Regulations”) took effect on 1 September 2021.[49]

The Regulations are a key feature of China’s Cybersecurity Law, which was implemented on 1 June 2017. The Regulations protect the security of critical information infrastructure (“CII”) and expand on the Cybersecurity Law by imposing additional compliance obligations. Article 31 of the Cybersecurity Law delegates further authority to the State Council to formulate specific security protection measures for CII. By enacting the Regulations, the State Council has broadened the definition of CII, clarified which authorities are responsible for CII protection, outlined the duties of CII operators and third parties in relation to testing / monitoring CII and established penalties for non-compliance.

The Cybersecurity Law defines CII as infrastructure from important industries, including public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and other critical information infrastructure which may endanger national security, national welfare, people’s livelihoods or the public interest if data is disabled, damaged or leaked. The Regulations define CII to include not only the industries identified in Article 31 of the Cybersecurity Law, but also national defence and technology industries. This includes:

  • Public communications and information services;
  • Energy;
  • Transportation;
  • Water conservancy;
  • Finance;
  • Public services;
  • E-government;
  • National defence science, technology and industry; and
  • Other important network facilities and information systems that may severely threaten national security, national welfare, people’s livelihood or the public interest if disabled, damaged or leaked.

The Regulations impose obligations on CII operators (“CIIOs”), including, but not limited to: (1) establishing a security management department; (2) conducting background checks on key personnel with the assistance of police and national security agencies; (3) conducting an annual risk audit and assessing security risks; (4) reporting cyber incidents or threats to relevant authorities (including the Cyberspace Administration and the State Council); (5) conducting cybersecurity reviews when the network products and services a CIIO purchases may influence national security; and (6) reporting any corporate activity that may impact cyber security, including mergers or dissolutions (Regulations Articles 15, 19, 21).

The Regulations prohibit any entity or individual from illegally invading, interfering with or destroying CII and carrying out loophole detection or permeability tests on CII (Regulations Article 5). Additionally, no entity or individual may carry out vulnerability monitoring, penetration testing or other such activities on CII that may influence or endanger the security of CII, unless such entity or individual has received approval from the national cyberspace and informatisation department, the State Council public security department or the relevant protection work department or operator (Regulations Article 31). If an entity or individual chooses to carry out such activities on basic telecommunications networks, it must report such activity in advance to the State Council department in charge of telecommunications (Regulations Article 31).

Under the Regulations, companies may face monetary fines of up to RMB 1 million (USD 155,000) for serious violations, and key individuals may face fines up to RMB 100,000 (USD 15,000) (Regulations Articles 39, 40, 41, 42 and 43).

The Regulations will impact network operators as more network operators may be deemed CIIOs and more compliance obligations will likely be imposed by competent industry regulators. Network operators in critical industries should remain alert to their industry regulators and ensure their compliance programs align with the Regulations and the Cybersecurity Law. Global clients that operate in China in the identified industries and sectors should be aware of these requirements and alert to the prospect that they may be designated as CIIOs. Further, firms in the business of carrying out vulnerability monitoring or penetration testing on businesses in China operating in the industries outlined above should be conscious of the prospect that their clients could be considered CIIOs, and should ensure that they are seeking assurances from their clients that they are not CIIOs before undertaking this work. Alternatively, these firms should be prepared for the need to seek approval for this work from the national cyberspace and informatisation department, the State Council public security department or the relevant protection work department or operator.

4.   Draft Regulations on Algorithmic Recommendation Technology

Chinese authorities announced the Internet Information Service Algorithmic Recommendation Management Provisions, which will come into force on 1 March 2022.[50] These regulations apply to technology such as personalised recommendations, search filters and any algorithms that provide content to users. These regulations cover various services, such as social media platforms and entertainment streaming. The regulations not only apply to the PIPL, but also the Cybersecurity Law, Data Security Law and the Internet Information Services Management Rules for the purpose of promoting national security and public interests.

C.   India

As indicated in both the 2020 and 2021 International Outlook and Review, the Personal Data Protection Bill 2019 (“PDP Bill”) was introduced in Indian Parliament on 11 December 2019 and subsequently referred to a Joint Parliamentary Committee (“JPC”) for consideration. On 16 December 2021, after a prolonged review period, the JPC tabled its report and suggested amendments to the PDP Bill, which has not yet been enacted. The resulting report and amendments were primarily informed by the stated need to balance data-driven innovation while catering to national security demands. Some of the key recommendations include:[51]

  • Expansion of the scope of the PDP Bill to cover both personal and non-personal data. The JPC suggested that consolidation of the regulatory framework in this manner was necessary in light of the impossibility of distinguishing between personal and non-personal data when mass data is collected or transported.
  • Preparation and implementation of data localisation policies to ensure that sensitive personal data or other critical data is stored and processed in India, and only transferred outside India with the DPA’s approval (subject to government consultation).
  • Establishment of a mechanism for the formal certification of digital and IoT devices to ensure their integrity with respect to data security.
  • Assigning responsibility to social media platforms for the content hosted on their platforms and requiring those platforms to set up an office in India.
  • Introduction of a fixed timeline of 72 hours for breach reporting.

The JPC recommended that a 24-month transitional period should apply for implementation of the PDP Bill to allow relevant parties to update their policies, infrastructure and processes. The JPC’s report and amendments to the PDP Bill will be reviewed by the Parliament before being enacted. Until the PDP Bill is enacted, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 continue to govern data protection in India.

D.   Indonesia

As identified in the 2021 International Outlook and Review, a draft of the Personal Data Protection Act (“PDP Bill”) was submitted to the Indonesian House of Representatives on 24 January 2020.[52] The PDP Bill consolidates the rules related to personal data protection in Indonesia and is anticipated to establish data sovereignty and security as the keystone of Indonesia’s data protection regime.[53]

On 1 September 2020, the Ministry of Communication and Information Technology of Indonesia (“Kominfo”) issued a statement claiming that the PDP Bill would be completed by mid-November 2020.[54] However, as of the date of this review, the Indonesian House of Representatives has yet to pass the PDP Bill due to ongoing debate over the position, form and independence of the authority slated to oversee its regulation and enforcement.[55] Despite this, the expectation is that the PDP Bill will be enacted in the first quarter of 2022.

E.   Hong Kong

The Personal Data (Privacy) Ordinance (“PDPO”), passed in 1995, is one of Asia’s longest standing data protection laws. The PDPO was amended in 2021 to combat doxxing acts which intrude on personal data privacy.

The Personal Data (Privacy) (Amendment) Bill 2021 (“PDPO Bill”) came into effect on 8 October 2021 after the Hong Kong legislature passed the legislation on 29 September 2021.[56] The PDPO Bill criminalises doxxing acts, with penalties including imprisonment for five years and fines up to HK$1 million. In addition, the PDPO Bill empowers the Office of the Privacy Commissioner for Personal Data to prosecute individuals for doxxing incidents and perform related criminal investigations.

F.   Japan

1.   APPI Amendments

As explained in the 2021 International Outlook and Review, the Parliament of Japan adopted a bill on 5 June 2020 to amend the currently applicable general data protection law, the Act on the Protection of Personal Information (“APPI”). The APPI will take force on 1 April 2022, while transitional measures for companies that share data with third parties took effect on 1 October 2021.

2.   Review of EU-Japan Mutual Adequacy Agreement

On 26 October 2021, the Personal Information Protection Commission of Japan, the European Commission and other relevant authorities conducted the first review of the EU-Japan mutual adequacy arrangement effective in 2019. The Commissions will publish separate reports to conclude the review process.[57]

G.   Mongolia

In 2021, the Standing Committees on Innovation and e-Policy and Legal Affairs in Mongolia opened discussions on a Draft Law on the Protection of Personal Information, which details data subject rights, requirements and responsibilities for data processors and controllers, and requirements for overseas data transfers.

H.   New Zealand

The New Zealand Privacy Act 2020 (“NZ Privacy Act”) came into force on 1 December 2020, repealing and replacing an existing 1993 act. In implementing the new act, the New Zealand government sought to modernise the privacy regime in New Zealand and reflect global trends in international privacy standards and the digital economy. While the NZ Privacy Act remains less onerous than international equivalents, such as the GDPR, it nonetheless introduces significant reforms to the privacy regime in the country, such as mandatory data breach reporting, broader investigative and enforcement powers for the regulator and new criminal offences and penalties, including fines of up to NZ$10,000. Pursuant to the changes, the NZ Privacy Act applies extraterritorially to overseas organisations carrying on business in New Zealand and which hold information about New Zealand individuals.[58]

Despite these recent reforms, the Office of the Privacy Commissioner of New Zealand recommended in 2021 that “further changes are desirable” in response to fast-changing technologies. The proposed changes include the introduction of a right of personal information portability and a right to be forgotten, protection against the risk of re-identification from de-identified information, limitation of harm caused by automated decision making algorithms, increased civil penalties for non-compliance and expanded powers of the regulator to require compliance reporting by organisations subject to the NZ Privacy Act.[59]

I.   Philippines

On 4 February 2021, the National Privacy Commission of the Philippines (“NPC”) announced the approval of a substitute bill to amend the Data Privacy Act of 2012 (“PDPA”). The proposed bill seeks to implement wide-ranging reforms to the Philippines privacy regime, including to redefine “sensitive personal information” to include biometric and genetic data, clarify the extra-territorial application of the PDPA (including in circumstances where an organisation offers goods or services, or monitors the behaviour of individuals within the Philippines or where it has a link with the country), render performance of a contract as a lawful basis for processing of personal information, allow controllers outside of the Philippines to authorise processors within the Philippines to notify the Commissioner of a data breach, widen the enforcement powers of the regulator and modify the criminal penalties for non-compliance.[60]

J.   Singapore

As explained in the 2021 International Outlook and Review, data protection in Singapore is currently governed by the Personal Data Protection Act 2012 (“Singapore PDPA”).

The initial phase of the Personal Data Protection (Amendment) Act 2020 (No. 40 of 2020) (“Singapore PDPA Amendments”) took effect on 1 February 2021. On 1 February 2021, the Singapore PDPA Amendments’ requirement for mandatory notification to the Personal Data Protection Commission (“PDPC”) for data breaches came into force. This requires organisations to notify the PDPC no later than three calendar days after the organisation determines that a data breach is notifiable if either of the following occurs: (1) a data breach that results in or is likely to result in significant harm to the data subject or (2) a data breach of a significant scale (i.e. which involves more than 500 affected data subjects). The PDPC also made follow-up amendments on 1 October 2021 to clarify these situations.[61]

On 25 November 2021, the PDPC announced its collaboration with the Singapore Police Force and Cyber Security Agency of Singapore to develop a handbook on the Singapore PDPA, Cybersecurity Act 2018 (No. 9 of 2018) and Computer Misuse Act (Cap. 50A).[62]

On 9 December 2021, Singapore and the United Kingdom published a Digital Economy Agreement (“DEA”). The DEA aims to facilitate cross-border data flows while upholding data protection standards. Furthermore, both countries have committed that neither will introduce unjustified data localisation requirements, giving businesses in the United Kingdom a guarantee that they will not have to pay for data storage and processing in Singapore. The DEA will require both countries to maintain their data protection frameworks.[63]

K.   South Korea

As explained in the 2021 International Outlook and Review, data protection in South Korea is currently governed by the Personal Information Protection Act (“PIPA”).

As noted above, on 17 December 2021, the PIPC and the European Commissioner for Justice formally announced an adequacy agreement between South Korea and the European Union for transfers of personal data. This adequacy agreement promotes the transfer of personal data between South Korea and the European Union without additional mechanisms or authorisations for data transfers.[64]

L.   Sri Lanka

Sri Lanka’s official gazette published the Regulation of Processing of Personal Data (2021) on 25 November 2021 to be considered by the Parliament of Sri Lanka.[65]

M.   Thailand

As noted in both the 2020 and 2021 International Outlook and Review, the Personal Data Protection Act 2019 (“Thailand PDPA”), which is the first consolidated data protection law in Thailand, was originally expected to come into full effect on 27 May 2020. However, in May 2020, and then again in May 2021, the government of Thailand approved a Royal Decree to postpone the application of the Thailand PDPA until 31 May 2021 and, subsequently, 31 May 2022, citing the negative effects of the COVID-19 pandemic and the requirement for further legislative work as the primary reasons for doing so.[66]

Reference must be made to the fact that the Thailand PDPA is largely modelled upon the GDPR, containing many similar provisions, although they differ in areas such as anonymisation. Moreover, the Thailand PDPA provides for the creation of a 16-member Personal Data Protection Committee (“PDPC”), which is yet to be fully established. As such, the MDES is currently acting as the supervisory authority for any data protection–related issues within Thailand. Once created, the PDPC is expected to adopt notices and regulations to clarify and guide data controllers and other stakeholders on how to prepare for and remain compliant with the requirements under the Thailand PDPA once it is passed.

N.   Vietnam

As explained in the 2021 International Outlook and Review, the data protection framework in Vietnam is fragmented, and relevant provisions can be found in numerous laws. In February 2020, however, a draft personal data protection decree (“Draft PDPD”) was released, which sets out principles of data protection, including purpose limitation, data security, data subject rights and the regulation of cross-border data transfers. Moreover, the Draft PDPD contains provisions on obtaining consent of data subjects, the technical measures needed to protect personal data, the creation of a data protection authority and the introduction of penalties for non-compliance, ranging from VND 50 million to VND 100 million.

From February to April 2021, the Ministry of Public Security sought public comments on the Draft PDPD with a view to the final decree coming into effect on 1 December 2021. As of the date of this publication, the Draft PDPD remains unissued, with little clarity over the timing of the parliamentary process required for it to come into effect.

IV.   Developments in Africa

A.   Botswana

On 15 October 2021, the Data Protection Act entered into effect, more than three years after it was passed by the National Assembly on 12 July 2018. The Act’s transition period is 12 months from the date of commencement and will automatically end on 15 October 2022, meaning that data controllers, including companies and organisations, have until that date to take compliance measures. The Act requires data controllers and processors to respect the lawfulness and fairness of processing, and imposes limitations with respect to the purpose of processing, personal data retention and minimisation, in addition to other protections concerning the relevance and adequacy, integrity and confidentiality of personal data collected by entities. Further, the Act provides for data subject rights, including the right to be informed, the right to access, the right to be given reasons if the access is denied, the right to object and revoke consent and the right to raise a challenge for purposes of deletion and amendment, in addition to setting out restrictions on matters such as direct marketing, sensitive data and data transfers. The Act creates the Information and Data Protection Commission, which will be responsible for protecting the personal rights of individuals with regard to their personal data, and for ensuring the effective application and enforcement of the Act. Unlike the GDPR, the Act also provides for significant potential prison terms ranging from three to 12 years for certain violations.[67]

B.   Kenya

In 2021, the Ministry of ICT, Innovation and Youth Affairs launched a public consultation on three draft data protection regulations, which remained open until 11 May 2021:

  • The Data Protection (General) Regulations 2021, which set out the procedures for enforcement of the rights of the data subjects and outline the duties and obligations of the data controllers and data processors.
  • The Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021, which define the procedure that will be adopted by the Office of the Data Commissioner in registering data controllers and data processors.
  • The Data Protection (Compliance and Enforcement) Regulations, 2021, which outline the compliance and enforcement provisions for Data Commissioner, Data Controllers and Data Processors.

In January 2021, the Office of the Data Protection Commissioner published a guidance note on access to personal data during the Coronavirus pandemic. According to the guidance, the access and processing of personal data of individuals in response to the pandemic is subject to the Data Protection Act No. 24 of 2019. The key principles emphasised by the guidance include the processing of personal data in an accountable manner, the maintenance of the integrity and confidentiality of data and the responsibility for the implementation of a mechanism for protecting and safeguarding personal data.[68]

C.   Nigeria

The National Information Technology Development Agency (“NITDA”) announced in a press release on 12 November 2021 its collaboration with the Federal Competition and Consumer Protection Commission (“FCCPC”) in order to combat data privacy abuse by money lending operators.[69] The partnership is anticipated to provide a more robust and concerted regulatory approach while ensuring that Nigerians get necessary reprieve from the illegal use of their personal data for money lending operations, including through joint investigations, enforcement and possible prosecution for non-compliance.[70]

In this regard, NITDA announced, on 17 August 2021, that it had fined Soko Loans Lending Company Limited NGN 10 million (approx. €20,700) for various violations of the Nigeria Data Protection Regulation, 2019 (“NDPR”), marking the first fine issued under the NDPR. NITDA outlined that the fine followed an investigation into a series of complaints against Soko Loans for unauthorised disclosures, failure to protect customers’ personal data and defamation of character, as well as failure to carry out the necessary due diligence required by the NDPR. Soko Loans grants its customers uncollateralised loans and requires them to download its mobile application on their phone and activate a direct debit in the company’s favour. The app gains access to the borrowing customer’s phone contacts. Following the complainant customers’ failures to meet loan repayment obligations, the company unilaterally sent privacy-invading messages to their contacts (who were neither parties to the loan transaction nor had consented to the processing of their data). In addition, NITDA found that Soko Loans embedded trackers that share data with third parties inside its mobile application without providing users information about it or using the appropriate lawful basis. NITDA therefore found that Soko Loans and its entities violated multiple provisions of the NDPR.

In addition to imposing a financial penalty, NITDA compelled Soko Loans to suspend the issuance of privacy-invading messages to any Nigerian until the company and its entities show full compliance with the NDPR, and to pay for the conduct of a Data Protection Impact Assessment by a NITDA-appointed DPCO, and placed the company and its entities on mandatory Information Technology and Data Protection supervision for nine months.[71]

D.   Rwanda

Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy (the “Law”) came into effect upon its publication in the Rwanda Official Gazette on 15 October 2021. The Law establishes provisions relating to the processing of personal data, including the rights of the data subject such as the right to object to the processing of personal data, to personal data portability, to the erasure of personal data and to rectification of incorrect personal information.

The Law also provides for the duties and powers of the supervisory authority relating to the protection of personal data and privacy, stipulates the obligations and registration requirements of data controllers and processors, and includes provisions regarding the sharing, transfer and retention of personal data. Moreover, the Law provides for the consequences and sanctions of non-compliance, including fines ranging from RWF 2,000,000 (approx. €1,500) to RWF 5,000,000 (approx. €4,243) or, in the case of a corporate body or legal entity, 1% of their global turnover in the preceding financial year.

The Law provides for a two-year transitional period before its application to data controllers or data processors who are already in operation.[72] The National Cyber Security Authority (“NCSA”) has been designated as the supervisory authority in charge of enforcement of the Law.[73]

On 10 December 2021, the NCSA issued a notice on the Personal Data Law detailing that the Personal Data Law requires all those who wish to process personal data to register with the NCSA as a data controller or data processor.[74]

On 14 December 2021, the NCSA also published a notice clarifying that consent of the data subject is a key foundation to the lawful collection and processing of personal data and may be made in oral, written or electronic format.[75]

E.   South Africa

The enforcement powers of the supervisory authority of South Africa (the “Information Regulator”) under the Protection of Personal Information Act, 2013 (“POPIA”) came into effect on 1 July 2021, following the conclusion of a 12-month transitional grace period.[76]

In 2021, the Information Regulator issued a set of notices and rules for guidance on different sections of POPIA. Notably:

  • Guidance note on the processing of special personal information under sections 26 and 27(1) of POPIA to guide responsible parties who are required to obtain authorisation from the Information Regulator to process special personal information, as provided for in section 27(2) of POPIA. The guidance provides for the manner of submission of an application for authorisation and outlines specific exemptions in which the prohibition on processing of personal information does not apply.[77]
  • Guidance note on Exemptions from the Conditions for Lawful Processing of Personal Information under sections 37 and 38 of POPIA. In particular, the guidance outlines that these exemptions include that the processing is either in the public interest or involves a clear benefit to the data subject.[78]
  • Rules on the manner in which a complaint must be submitted and handled by the Information Regulator which will come into operation on a future date that the Information Regulator determines.[79]

On the enforcement front, the Information Regulator has initiated its action by targeting both local and international businesses. For example, in a media statement published on 13 May 2021, the Information Regulator announced that it was preparing a litigation opinion contending the need for an online messaging service provider to adopt its EU privacy policy in South Africa and other developing countries with frameworks similar to the GDPR. However, the service provider has so far declined to make any revisions to its South African privacy policy.[80]

Finally, on 1 June 2021, the President assented to the Cybercrimes Act 19, 2020, which intends to criminalise the disclosure of harmful data messages, regulate relevant government authorities’ powers to investigate cybercrimes, provide for the establishment of a designated Point of Contact and impose obligations to report cybercrimes. The President has not yet proclaimed the commencement date of this new legislation.[81]

F.   Other African Jurisdictions

Other developments in 2021 in data protection and cybersecurity regulation in Africa include:

  • Togo: On 29 June 2021, the National Assembly adopted a Bill authorising the ratification of the Convention on Cyber Security and Personal Data Protection. According to the National Assembly, this convention will strengthen the country’s legal framework for electronic transactions, the protection of personal data and the fight against cybercrime.[82]
  • Uganda: The Data Protection and Privacy Regulations, 2021 of the Republic of Uganda (“the Regulations”) came into force on 12 March 2021. The Regulations establish provisions for the collection and processing of personal data and the rights of data subjects in regard to their personal data, in addition to establishing an independent Personal Data Protection Office (“PDPO”) in the National Information Technology Authority of Uganda (“NITA-U”), which shall be responsible for personal data protection and privacy and for the implementation of the Data Protection and Privacy Act, 2019, including the imposition of administrative, civil or criminal sanctions for non-compliance.[83]

On 2 November 2021, the PDPO issued a press release announcing that it required data collectors, processors and controllers to register on its website before the end of the grace period of 31 December 2021 and that it will begin enforcement measures for those that do not in January 2022.[84]

  • Zambia: On 23 March 2021, the Parliament of Zambia enacted the Data Protection Act No. 3 of 2021, which stipulates a system for the use and protection of personal data by regulating the collection, use, transmission, storage and processing of personal data. The Act also establishes the Office of the Data Protection Commissioner and outlines the duties of data controllers and data processors, the rights of data subjects and the conditions for cross-border transfer of personal data. The Minister will appoint the date of the commencement of the Act by statutory instrument.[85]
  • Zimbabwe: The Data Protection Act [Chapter 11:12] was enacted on 3 December 2021. The Act provides for the establishment of the Cyber Security and Monitoring Center and the designation of the Postal and Telecommunications Regulatory Authority of Zimbabwe (“POTRAZ”) as the data protection authority. The Act addresses the processing of personal data collected and processed by companies, cross-border transfers of personal data, and general provisions, including the appeals process, offences and penalties. The Act does not establish a date of application or a transitional period prior to its application.[86]

V.   Developments in the Middle East

A.   Israel

On 6 January 2022, the Government of Israel published a Bill[87] amending and updating Israel’s Protection of Privacy Law, 5741-1981 (“PPL”).[88] The Deputy Prime Minister and the Minister of Justice announced that the Bill aims to protect citizens and adapt the PPL’s provisions and enforcement to the current digital era. The most noteworthy amendments, summarised by Israel’s Privacy Protection Authority (“PPA”), include the expansion of PPA’s substantive investigation and enforcement powers, including the imposition of administrative sanctions in an amount up to 3.2 million NIS ($1 million), the adaptation of definitions in the law to technological and social developments, and the reduction of bureaucratic burdens through a significant reduction in the obligation to register databases.[89] The Bill would be effective six months after its approval by the parliament.

Before the introduction of the Bill, a ransomware attack on sensitive data of more than 290,000 Israeli medical patients and members of an LGBTQ+ website was reported. An Iranian-based hacking group targeted host program CyberServe and, on 2 November 2021, released the data, demanding a ransom of $1 million that the company refused. Israel’s National Cyber Directorate had previously warned CyberServe on multiple occasions that its systems were not secure.[90] The ransomware attack was followed by a press release of the U.S. Department of the Treasury on 14 November 2021, announcing that it established a partnership with Israel to combat ransomware.[91]

On the enforcement side, on 23 May 2021, the PPA announced that, following a serious information security incident that resulted in the disclosure of sensitive personal information from the databases of the Hod Hasharon Municipality, it had determined that the Hod Hasharon Municipality had violated the Privacy Protection Law and regulations under it. The PPA’s investigation concluded that sensitive personal information, including documents, email correspondence and complaints from residents (including names and ID numbers and information about employees using municipal systems) contained in the municipality’s database, was accessible to unauthorised persons, and that the municipality did not take appropriate measures to assure that access to the database was carried out by authorised users. Additionally, according to the PPA’s findings, the municipality had not conducted an assessment to identify security risks in its systems at the required time and did not correct the findings of a previous assessment, as required by the Protection of Privacy (Data Security) Regulations, 5777 – 2017. In light of this, the PPA gave the municipality instructions to correct the deficiencies discovered and fined it NIS 10,000 (approx. €2,530) for failing to register databases required to be registered under the provisions of the PPL.[92]

In his efforts to support the global fight against COVID-19, Israel’s Prime Minister Benjamin Netanyahu announced an agreement between the Israeli Ministry of Health (“MoH”) and Pfizer for an expedited supply of COVID-19 vaccines to Israel, under which Israel agreed to share with Pfizer “statistical data that would help develop strategies for defeating the coronavirus”. In order to address privacy and transparency concerns, the MoH published a partially redacted version of its Real-World Epidemiological Evidence Collaboration Agreement with Pfizer. The agreement provides that the MoH will share “aggregate de-identified data” and jointly analyse such data with Pfizer. In particular, the MoH is required to provide “data transfers” that include, “at a minimum”, weekly counts of confirmed COVID-19 cases, hospitalisations, severe or critical cases, ventilator use, deaths, symptomatic cases, vaccines given “by age and other demographic subgroups” and COVID-19 cases by age groups “and other demographic factors”. The MoH undertook to provide such data “solely in a form rendered anonymised by the MoH in accordance with Regulatory Requirements” so that the data could not reasonably be used to re-identify an individual.[93]

B.   United Arab Emirates

In late 2021, the UAE issued its first federal data protection law (Federal Decree Law No. 45/2021 on the Protection of Personal Data) (the “Data Protection Law”), alongside a law establishing the new UAE Data Office with the mandate to ensure the full protection of personal data, monitor the application of the Data Protection Law and issue necessary guidelines and instructions for its implementation (Federal Decree Law No. 44/2021 on Establishing the UAE Data Office).

According to the announcement of the Cabinet of UAE,[94] the Data Protection Law relevantly:

  • has extraterritorial effect and applies to the processing of personal data (a) inside the country or (b) outside the country about data subjects within the country;
  • prohibits the processing of personal data without the consent of its owner (subject to prescribed exceptions);
  • defines the controls for the processing of personal data and the general obligations of companies that have personal data to secure personal data and maintain its confidentiality;
  • defines the rights and cases in which the owner has the right to request correction of inaccurate personal data, restrict or stop the processing of personal data; and
  • sets out the requirements for the cross-border transfer and sharing of personal data for processing purposes.

The Data Protection Law became effective on 2 January 2022. Executive regulations are due to be issued within six months of the date of issuance of the Data Protection Law (i.e. by 20 March 2022). UAE companies will then have six months from the issuance of those executive regulations to comply with the Data Protection Law (although that period may be extended by the Cabinet).[95]

On 14 February 2021, following public consultation conducted in 2020, the Abu Dhabi Global Market (“ADGM”) announced that it had enacted the Data Protection Regulations 2021, which replaced the Data Protection Regulations 2015. In its announcement, ADGM endorsed the EU’s GDPR for its robust data protection provisions and outlined that the new Regulations intend to be proportionate and business friendly, without undermining the key ambition of achieving a high standard of protection for personal data. Acknowledging that the adoption of the new Regulations will result in additional responsibilities for data controllers and data processors, ADGM proposed a transitional grace period of 12 months for current establishments and six months for new establishments, starting from 14 February 2021.[96] The Office of Data Protection (“ODP”) has been established to monitor the compliance with the new Regulations.[97] The ODP has also published several guidance notes and templates to support ADGM entities and authorities in compliance with the Regulations.[98]

C.   Other Middle East Jurisdictions

Other developments in 2021 in data protection and cybersecurity regulation in the Middle East include:

  • Jordan: On 29 December 2021, the Council of Ministers approved a draft law on the protection of personal data.[99] The draft law intends to protect personal data in light of the ease of its collection, retention and processing, and to prevent attacks on the rights of citizens. The law also aims to establish a safe and stable online environment and define the obligations of persons responsible for personal data. A personal data protection board will be established to enforce the draft law. The draft law became publicly available in January 2022[100] and its commencement will follow upon approval by the parliament and the king.
  • Pakistan: On 25 August 2021, the Ministry of Information Technology (“MOITT”) published a revised draft for consultation on the Personal Data Protection Bill 2021. The revised draft provides for the establishment of the National Commission for Personal Data Protection. The draft also includes provisions for the cross-border transfer of personal data, the right to data portability and the right not to be subject to a decision based solely on automated processing. Unlike the previous draft Personal Data Protection Bill 2020, which was presented to the Cabinet of Pakistan for approval in April 2020, the revised draft requires data controllers to notify the supervisory authority and the data subject in the event of a data breach without undue delay and, where reasonably possible, not beyond 72 hours of becoming aware of the breach.[101]
  • Qatar: On 16 August 2021, the Qatar Financial Centre (“QFC”) Authority launched a public Consultation Paper proposing changes to the QFC Data Protection Regulations and Rules.[102] The proposed changes aim to make the scope of the QFC Data Protection Regulations consistent with the provisions of international data protection laws and reflect the needs for expanded digitalisation in a global business environment. The amendments, inter alia, propose additional rights for data subjects and increased responsibilities for data controllers and data processors. On 31 January 2021, the Compliance and Data Protection Department at the Ministry of Transport and Communications released guidelines on the Personal Data Privacy Protection Law No. 13 of 2016 to inform individuals, regulated entities and stakeholders on their respective responsibilities, rights and practices as per the amended law.[103]
  • Saudi Arabia: The National Centre for Documents and Archives Royal Court published, on 24 September 2021, the new Personal Data Protection Law (“PDPL”), marking the introduction of Saudi Arabia’s first data protection law. The PDPL includes provisions for data controllers, the rights of data subjects and sanctions for non-compliance. The PDPL will come into force 180 days after the date of its publication in the Official Gazette.[104] In the field of cybersecurity, the Regulatory Framework for Cyber Security for Service Providers in the Communications, Information Technology and Postal Sector came into force on 29 May 2021. That framework intends to raise the level of cybersecurity maturity of service providers by requiring them to improve their cybersecurity risk management in accordance with international best practices and frameworks.[105]

VI.   Developments in Latin America and the Caribbean

A.   Brazil

As we indicated in the 2021 International Outlook and Review, the biggest data protection development in Brazil in 2020 was the entry into force, on 18 September 2020, of Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (“LGPD”).

During 2021, the Brazilian data protection authority (“ANPD”) adopted and published a series of guidance and FAQs regarding the LGPD. In particular:

  • Guidance for Personal Data Processing Agents and Data Protection Officers, which aims to resolve common issues, set out non-binding guidelines for data processing agents and explain who may exercise the role of a data controller, operator and/or data protection officer. For each of those roles, the Guidance also specifies their respective liability regime, legal definition and example cases, in addition to FAQs regarding the same.[106]
  • FAQs related to the commencement of the application of sanctions and fines under the LGPD.[107]
  • Regulation CD/ANPD No. 1 on the Inspection Process and the Sanctioning Administrative Process, which aims to establish procedures with respect to the conduct of inspections and rules with respect to the administrative processes carried out by the ANPD. Moreover, the Regulation covers topics such as inspection, monitoring, guidance and injunctive measures, and provides for an administrative fining procedure.[108]
  • FAQs on data subjects’ rights to petition controllers to enforce their data subject rights under the LGPD, which provide guidance on, among other things, procedures to be observed by data controllers, as well as the right of data subjects to complain about possible irregularities regarding the processing of their personal data.[109]

Finally, while the ANPD assumed its enforcement and fining powers, other Brazilian authorities have applied and enforced rules that concerned the protection of personal data in their territories. For example, on 14 June 2021, the Brazilian Federal Department of Consumer Protection of the National Consumer Secretariat (“SENACON”) announced that it had fined Banco Cetelem S.A. BRL 4,000,000 (approx. €653,200) for financial fraud that included the contracting of payroll loans with the improper use of personal data of elderly consumers.[110] In addition, on 13 July 2021, the Protection and Consumer Defence Foundation of the State of Mato Grosso (“Procon-MT”) fined the pharmacies Droga Raia S.A and Drogasil S.A BRL 572,680.71 (approx. €94,210) for the irregular receipt of authorisation from customers for the processing and use of their data.[111]

B.   Developments in Other Latin American and Caribbean Jurisdictions

There have also been significant developments in the adoption and enforcement of cybersecurity and data privacy laws in other Central and South American jurisdictions in 2021. We have set out highlights in key countries below:

  • Argentina: On 16 April 2021, the Central Bank of Argentina (“BCRA”) published guidelines on cybersecurity incident response and recovery. The BCRA noted that the guidelines are aimed at financial institutions, payment service providers that offer payment accounts and financial market infrastructures. However, the BCRA highlighted that, due to their general nature, the guidelines can also be adopted by any institution in the financial sector, as well as by information technology and communication service providers, among others.[112]
  • Chile: On 5 November 2021, the Information Security Incident Response Team (“CSIRT”) released cybersecurity guidelines for small and medium-sized enterprises (“SMEs”). In particular, the guidelines aim at supporting SMEs in the digitalisation process in a secure manner, helping them manage risks of data breaches, loss of business continuity, phishing, ransomware and other cyber threats.[113]
  • Costa Rica: On 12 February 2021, Bill No. 22.388 to Reform the Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 was published. In particular, the bill aims to reform the current data protection law in Costa Rica by, among other things, improving the legal definitions for certain technical concepts (e.g., biometric data, genetic data and pseudonymisation), developing the principles governing the processing of personal data (such as transparency and data minimisation), improving data subject rights, strengthening the Costa Rican data protection authority, and strengthening the sanctions regime.
  • Ecuador: On 21 May 2021, the Organic Law on the Protection of Personal Data was published, triggering a two-year grace period for companies and other entities that process personal data to adapt their operations to the new law.[114]
  • Panama: On 28 May 2021, the National Authority of Transparency and Access to Information (“ANTAI”) announced that the President of the Republic of Panama approved the Executive Decree No. 285 of 28 May 2021 that regulates the Law No. 81 on Personal Data Protection. The Executive Decree obliges all companies to put in place protocols or procedures to process data in compliance with the new law. Furthermore, the Executive Decree includes general provisions, information gathering requirements, the functions of the new role of data protection officer and the criteria for applying sanctions.[115]
  • Paraguay: On 30 April 2021, the Chamber of Deputies announced the official presentation of the bill on the Protection of Personal Data of the Republic of Paraguay. The bill provides for the regulation of, among other things, data subject rights, security standards and obligations, data protection officer activities, and issues related to the creation of and procedures applicable to a supervisory authority.[116]
  • Uruguay: On 16 September 2021, the Uruguayan data protection authority (“URCDP”) announced the adoption of Resolution No. 23/021 of 8 June 2021, which implements important changes in the international data transfer regime in Uruguay. In particular, the resolution excludes the U.S. from the list of territories considered appropriate, in addition to suggesting the use of other mechanisms to transfer personal data abroad (e.g., contractual clauses, consent of the interested parties and other elements justifying transfers). Moreover, to assist data controllers and processors, the URCDP published Resolution No. 41/021 of 8 September 2021, which includes a guide for the drafting of contractual clauses to transfer personal data.[117]

VII.   Conclusion

As can be seen, 2021 was an eventful year in the field of data protection and privacy worldwide. In addition to the laws and regulations on data privacy recently adopted by China, UAE, Brazil and Mexico, international lawmakers put a special focus on the regulatory treatment of key issues such as data localisation and transfers (e.g., in the EU, Russia and India).

2022 promises to be an equally active year from a legal and enforcement perspective, as regulators worldwide begin to make use of new legal tools and apply their respective national laws. We will continue to monitor the events in this space, and cover them in our monthly updates and in the Outlook and Review of 2023.

_______________________________

  [1]   See http://curia.europa.eu/juris/document/document.jsf;jsessionid=2BDC80771D0FB7EA8B6F60B9A3C4F572?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=20032710.

  [2]   See https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf.

  [3]   See https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf.

  [4]   See https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

  [5]   See https://edpb.europa.eu/system/files/2021-07/edpb_guidelinescodesconducttransfers_publicconsultation_en.pdf.

  [6]   See https://edpb.europa.eu/our-work-tools/documents/public-consultations/2021/guidelines-052021-interplay-between-application_en.

  [7]   See, e.g., the French CNIL published guidance on the implementation of the SCCs, two Q&As on the content and the consequences of the Schrems II ruling, as well as a methodology to help controllers identify and process data transfers outside of the EU. German authorities released revised recommendations and updated guidance on international data transfers. The UK ICO launched a public consultation on its draft international data transfer agreement that would replace the current SCCs to take into account the Schrems II ruling.

  [8]   See https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9703988.

  [9]   See http://www.raadvst-consetat.be/Arresten/251000/300/251378.pdf#xml=http://www.raadvst-consetat.be/apps/dtsearch/getpdf.asp?DocId=42765&Index=c%3a%5csoftware%5cdtsearch%5cindex%5carrets%5fnl%5c&HitCount=10&hits=28+29+2c+6b+de+17a+1de+505+150c+1884+&11111202021318.

[10]   See https://edpb.europa.eu/news/national-news/2021/bavarian-dpa-baylda-calls-german-company-cease-use-mailchimp-tool_en.

[11]   See https://edpb.europa.eu/news/national-news/2021/census-2021-portuguese-dpa-cnpd-suspended-data-flows-usa_en.

[12]   See https://www.conseil-etat.fr/fr/arianeweb/CE/decision/2021-03-12/450163.

[13]   See https://ec.europa.eu/commission/presscorner/detail/en/ip_21_3183.

[14]   See https://ec.europa.eu/info/sites/default/files/1_1_180366_dec_ade_kor_new_en.pdf.

[15]  Relatedly, some Member States have continued to update their e-privacy legislation under the e-Privacy Directive.  For example, in Germany, the Data Protection and Privacy in Telecommunications and Telemedia Act was enacted effective 1 December 2021, and contains comprehensive data protection regulations in the e-privacy field.

[16]   See https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333.

[17]   See https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202006_psd2_afterpublicconsultation_en.pdf.

[18]   See https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf.

[19]   See https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf.

[20]   See https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf.

[21]   See https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012021_pdbnotification_adopted_en.pdf.

[22]   See https://edpb.europa.eu/sites/default/files/files/file1/edpb_strategy2021-2023_en.pdf.

[23]   See https://edpb.europa.eu/system/files/2021-03/edpb_workprogramme_2021-2022_en.pdf.

[24]   See https://curia.europa.eu/juris/document/document.jsf?text=&docid=242821&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=558920.

[25]   See https://d18rn0p25nwr6d.cloudfront.net/CIK-0001018724/cbae1abf-eddb-4451-9186-6753b02cc4eb.pdf.

[26]   See https://justice.public.lu/fr/actualites/2021/12/communique-presid-trib-adm-ordonnance-amazon-cnpd.html.

[27]   See https://www.cnil.fr/en/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance.

[28]   See, e.g. Lower-Saxony Supervisory Authority https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/lfd-niedersachsen-verhangt-bussgeld-uber-10-4-millionen-euro-gegen-notebooksbilliger-de-196019.html.

[29]   See, e.g. Spanish AEPD https://www.aepd.es/es/documento/ps-00059-2020.pdf and Italian Garante https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9570980.

[30]   See, e.g. Norwegian Datatilsynet https://www.datatilsynet.no/en/regulations-and-tools/regulations/avgjorelser-fra-datatilsynet/2021/gebyr-til-grindr/ and Spanish AEPD https://edpb.europa.eu/news/national-news/2021/spanish-data-protection-authority-aepd-imposes-fine-6000000-eur-caixabank_en.

[31]   See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/11/ico-issues-provisional-view-to-fine-clearview-ai-inc-over-17-million/.

[32]   See https://ico.org.uk/action-weve-taken/enforcement/.

[33]   See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-consults-on-data-transferred-outside-of-the-uk/.

[34]   See https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2021/revdsg.pdf.download.pdf/revDSG_EN.pdf.

[35]   See https://www.bj.admin.ch/dam/bj/fr/data/staat/gesetzgebung/datenschutzstaerkung/vdsg/vorentw.pdf.

[36]   See https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2021/Anleitung für die Prüfung von Datenübermittlungen mit Auslandbezug EN.pdf.download.pdf/Anleitung für die Prüfung von Datenübermittlungen mit Auslandbezug EN.pdf.

[37]   See https://www.edoeb.admin.ch/edoeb/en/home/latest-news/aktuell_news.html#-1259254222.

[38]   See https://iapp.org/news/a/level-up-russia-enhances-the-protection-of-personal-data/#:~:text=Russia%20amends%20data%20protection%20law%20to%20increase%20personal%20data%20subjects’%20rights,-schedule%20May%2013&text=Beginning%20March%2027%2C%202021%2C%20Russia,period%20for%20data%2Drelated%20breaches.

[39]   See https://rg.ru/2021/03/29/sotovym-operatoram-zapretiat-tajno-prodavat-dannye-klientov.html.

[40]   See https://sozd.duma.gov.ru/bill/1184517-7#bh_note.

[41]   See https://kvkk.gov.tr/SharedFolderServer/CMSFiles/11b6fd99-d42a-45b1-a009-21f2d36ded21.pdf.

[42]   See https://kvkk.gov.tr/Icerik/6981/2021-427.

[43]   See https://www.kvkk.gov.tr/Icerik/7045/WHATSAPP-UYGULAMASI-HAKKINDA-YURUTULEN-RESEN-INCELEMEYE-ILISKIN-KAMUOYU-DUYURUSU.

[44]  See https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/.

[45]  See https://consultations.ag.gov.au/rights-and-protections/online-privacy-bill-exposure-draft/.

[46]  See https://www.justice.gov/opa/pr/united-states-and-australia-enter-cloud-act-agreement-facilitate-investigations-serious-crime.

[47]  See https://www.itnews.com.au/news/australia-and-us-sign-cloud-act-deal-for-cross-border-data-access-574128.

[48]  An unofficial English translation of the newly enacted PIPL is available at <https://digichina.stanford.edu/news/translation-personal-information-protection-law-peoples-republic-china-effective-nov-1-2021> and the Mandarin version of the PIPL is available at <http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml>.

[49]   An unofficial translation of the Regulations is available <https://digichina.stanford.edu/news/translation-critical-information-infrastructure-security-protection-regulations-effective-sept>.

[50]   An unofficial English translation of the Internet Information Service Algorithmic Recommendation Management Provisions is available at <https://digichina.stanford.edu/work/translation-internet-information-service-algorithmic-recommendation-management-provisions-effective-march-1-2022/>.

[51]   See https://www.dsci.in/sites/default/files/Summary-%20and-Primer-on-Joint-Parliamentary-Committee-Report-and-Data-Protection-Bill-2021.pdf.

[52]   Press release (in Indonesian) available at https://www.kominfo.go.id/content/detail/24039/siaran-pers-no-15hmkominfo012020-tentang-presiden-serahkan-naskah-ruu-pdp-ke-dpr-ri/0/siaran_pers; the PDP Bill (in Indonesian) is available at https://web.kominfo.go.id/sites/default/files/users/4752/Rancangan%20UU%20PDP%20Final%20%28Setneg%20061219%29.pdf.

[53]   Press release (in Indonesian) available at https://www.kominfo.go.id/content/detail/24041/menkominfo-indonesia-akan-menjadi-negara-ke-5-di-asean-pemilik-uu-pdp/0/berita_satker.

[54]   Press release (in Indonesian) available at https://www.kominfo.go.id/content/detail/29084/siaran-pers-no-104hmkominfo092020-tentang-pemerintah-apresiasi-pandangan-fraksi-terhadap-ruu-pdp/0/siaran_pers.

[55]   See https://kr-asia.com/indonesia-needs-a-data-protection-authority-but-cant-decide-how-to-create-one.

[56]   The PDPO Bill is available at <https://www.gld.gov.hk/egazette/pdf/20212540/es12021254032.pdf>.

[57]   For more information on the first review of the EU-Japan mutual adequacy arrangement, please click <https://ec.europa.eu/newsroom/just/items/724795/en>.

[58]   See https://www.natlawreview.com/article/less-two-weeks-to-go-new-zealand-privacy-act-commences-1-december-2020.

[59]   See https://www.privacy.org.nz/publications/reports-to-parliament-and-government/2020-briefing-to-the-incoming-minister-of-justice/.

[60]   See https://www.privacy.gov.ph/2021/06/a-stronger-data-privacy-law-sought-in-proposed-amendments/.

[61]   The PDPC’s updated advisory guidelines are available at https://www.pdpc.gov.sg/Guidelines-and-Consultation/2020/03/Advisory-Guidelines-on-Key-Concepts-in-the-Personal-Data-Protection-Act and <https://www.pdpc.gov.sg/Guidelines-and-Consultation/2020/02/Advisory-Guidelines-on-the-Personal-Data-Protection-Act-for-Selected-Topics>.

[62]   The handbook on the Singapore PDPA, Cybersecurity Act 2018 (No. 9 of 2018), and Computer Misuse Act (Cap. 50A) is available at <https://www.csa.gov.sg/News/Publications/overview-of-legislations>.

[63]   More information on the Digital Economy Agreement between Singapore and the United Kingdom is available at <https://www.gov.uk/government/publications/uk-singapore-digital-economy-agreement-agreement-in-principle-explainer/uk-singapore-digital-economy-agreement-agreement-in-principle-explainer>.

[64]   The adequacy decision between South Korea and the European Union is available at <https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-republic-korea-annexes_en>.

[65]   The Regulation of Processing of Personal Data (2021) is available at <http://documents.gov.lk/files/bill/2021/11/152-2021_E.pdf>.

[66]   See https://www.bangkokpost.com/business/2110719/controversial-law-on-personal-data-againt-postponed-for-another-year.

[67]   See Act No. 32 of 2018 Data Protection Act (12 July 2018), available at https://www.bocra.org.bw/sites/default/files/documents/32%20Act%2010-08-2018-Data%20Protection.pdf and Data Protection Act (Commencement Date) Order, 2021 (15 October 2021).

[68]   See Republic of Kenya, Office of the Data Protection Commissioner, “Guidance Note on access to personal date during Covid-19 pandemic” (January 2021), available at https://ict.go.ke/wp-content/uploads/2021/01/Draft-Data-Request-Review-Framework-Jan-2021.pdf.

[69]   The FCCPC is empowered to administer and enforce provisions of every Nigerian law with respect to competition and protection of consumers under Section 17(a) of the Federal Competition and Consumer Protection Act, 2019.

[70]   See “NITDA Collaborates With The Federal Competition And Consumer Commission (FCCPC) To Tackle Data Abuse By Money Lending Operations”, Press Release (12 November 2021), available at https://nitda.gov.ng/nitda-collaborates-with-the-federal-competition-and-consumer-commission-fccpc-to-tackle-data-abuse-by-money-lending-operations/.

[71]   See “NITDA Sanctions SokoLoan For Privacy Invasion”, Press Release (17 August 2021), available at https://nitda.gov.ng/nitda-sanctions-soko-loan-for-privacy-invasion/.

[72]  See Law No. 058/2021 Law relating to the protection of personal data and privacy (15 October 2021), available at https://www.minijust.gov.rw/fileadmin/user_upload/Minijust/Publications/Official_Gazette/_2021_Official_Gazettes/October/OG_Special_of_15.10.2021_Amakuru_bwite.pdf.

[73]  See “Rwanda passes new Law protecting personal data”, Press Release (21 October 2021), available at https://www.minict.gov.rw/fileadmin/user_upload/minict_user_upload/Documents/Press_Release/211021_PRESS_RELEASE_Rwanda_s_New_Data_Protection_Law_ENGLISH.pdf.

[74]  See National Cyber Security Authority, “The Significance of Rwanda’s Personal Data Protection and Privacy Law” (10 December 2021), available at https://cyber.gov.rw/updates/article/the-significance-of-rwandas-personal-data-protection-and-privacy-law-1/.

[75]  See National Cyber Security Authority, “Consent, Ownership and Lawful Data Processing” (14 December 2021), available at https://cyber.gov.rw/updates/article/consent-ownership-and-lawful-data-processing-1/.

[76]  See Section 110 of POPIA.

[77]  See Information Regulator (South Africa), “Guidance Note on Processing of Special Personal Information” (June 2021), available at https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-Processing-SpecialPersonalInformation-20210628.pdf.

[78]  See Information Regulator (South Africa), “Guidance Note On Exemptions From The Conditions For Lawful Processing Of Personal Information In Terms Of Section 37 And 38 Of The Protection Of Personal Information Act 4 Of 2013, 2021” (June 2021), available at https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-PPI-LawfulProcessing-202106.pdf.

[79]  See Information Regulator (South Africa), “Rules of procedure relating to the manner in which a complaint must be submitted and handled by the Regulator, 2021” (October 2021), available at https://www.justice.gov.za/inforeg/legal/20211012-InfoReg-RulesOfProcedure-HandlingPOPIAcomplaints.pdf.

[80]  See “Information Regulator to take further action regarding the WhatsApp privacy policy”, Media Statement (13 May 2021), available at https://www.justice.gov.za/inforeg/docs/ms/ms-20210513-WhatsAppPrivacyPolicy.pdf.

[81]  See Act No. 19 of 2020 Cybercrimes Act, 2020 (1 June 2021), available at https://www.gov.za/sites/default/files/gcis_document/202106/44651gon324.pdf.

[82]  See “Togo : l’Assemblée nationale ratifie la convention de Malabo et actualise le fonctionnement de la CNDH” (in French) (14 July 2021), available at https://togomedia24.com/2021/07/01/togo-lassemblee-nationale-ratifie/.

[83]  See Statutory Instrument No. 21 of 2021 The Data Protection and Privacy Regulations, 2021 (12 March 2021).

[84]  See “Requirement to register with Personal Data Protection Office”, Press Release (2 November 2021), available at https://www.linkedin.com/posts/personal-data-protection-office-pdpo_press-release-on-requirement-to-register-activity-6863366852064628736-wJc_.

[85]  See Act No. 3 of 2021 The Data Protection Act, 2021 (24 March 2021).

[86]  See Data Protection Act [Chapter 11:22].

[87]  Bill (in Hebrew), available at https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:1510391d-592a-3272-bd12-d559164b70e2#pageNum=1.

[88]  An unofficial translation of the Protection of Privacy Law, 5741 – 1981 is available at https://www.gov.il/BlobFolder/legalinfo/legislation/en/ProtectionofPrivacyLaw57411981unofficialtranslatio.pdf.

[89]  Press Release (in Hebrew), available at https://www.gov.il/he/departments/news/amendments_privacy_protection_act.

[90]  See “Iranian Hacking Group Leaks Patient and LGBTQ Info” (4 November 2021), available at https://www.infosecurity-magazine.com/news/iranian-hacking-group-leaks/.

[91]  See “U.S. Department of the Treasury Announces Partnership with Israel to Combat Ransomware”, Press Release (14 November 2021), available at https://home.treasury.gov/news/press-releases/jy0479.

[92]  Announcement (in Hebrew), available at https://www.gov.il/he/departments/news/privacy_hod_hasharon_city.

[93]  See “Israel to Share Vaccination Data With Pfizer as Part of Secret Deal” (10 January 2021), available at https://www.haaretz.com/israel-news/.premium-israel-to-share-covid-vaccine-data-with-pfizer-but-agreement-remains-secret-1.9438504, and a partially redacted version of the Real-World Epidemiological Evidence Collaboration Agreement, available at https://govextra.gov.il/media/30806/11221-moh-pfizer-collaboration-agreement-redacted.pdf.

[94]  See “UAE adopts largest legislative reform in its history”, Media Release, available at https://uaecabinet.ae/en/details/news/uae-adopts-largest-legislative-reform-in-its-history.

[95]  The Data Protection Laws of UAE are available at https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws.

[96]  See “ADGM enacts its new Data Protection Regulations 2021”, Media Release (14 February 2021), available at https://www.adgm.com/media/announcements/adgm-enacts-its-new-data-protection-regulations-2021.

[97]  See the dedicated website of the Office of Data Protection, available at https://www.adgm.com/operating-in-adgm/office-of-data-protection/overview.

[98]  The Data Protection Guidance 2021, templates and assessments are available at https://www.adgm.com/operating-in-adgm/office-of-data-protection/guidance.

[99]  Prime Minister’s announcement (in Arabic), available at http://www.pm.gov.jo/content/1640846700/%D9%85%D8%AC%D9%84%D8%B3-%D8%A7%D9%84%D9%88%D8%B2%D8%B1%D8%A7%D8%A1-%D9%8A%D9%82%D8%B1%D9%91-%D9%85%D8%B4%D8%B1%D9%88%D8%B9-%D9%82%D8%A7%D9%86%D9%88%D9%86-%D8%AD%D9%85%D8%A7%D9%8A%D8%A9-%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D8%A7%D8%AA-%D8%A7%D9%84%D8%B4%D8%AE%D8%B5%D9%8A%D9%91%D9%8E%D8%A9.html, and Ministry’s announcement (in Arabic), available at https://modee.gov.jo/Ar/NewsDetails/%D9%82%D8%A7%D9%86%D9%88%D9%86_%D8%AD%D9%85%D8%A7%D9%8A%D8%A9_%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D8%A7%D8%AA_%D8%A7%D9%84%D8%B4%D8%AE%D8%B5%D9%8A%D9%91%D9%8E%D8%A9_%D9%84%D8%B3%D9%86%D8%A9_2021%D9%85.

[100] The text of the draft law (in Arabic) is available at http://www.lob.jo/?v=1.14&url=ar/DraftDetails?DraftID:10254,AddComment:0,PageIndex:1&DraftTitle:%D9%82%D8%A7%D9%86%D9%88%D9%86-%D8%AD%D9%85%D8%A7%D9%8A%D8%A9-%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D8%A7%D8%AA-%D8%A7%D9%84%D8%B4%D8%AE%D8%B5%D9%8A%D8%A9-/–%D8%AA%D9%85-%D8%AA%D9%85%D8%AF%D9%8A%D8%AF-%D9%85%D8%AF%D8%A9-%D9%86%D8%B4%D8%B1%D9%87-%D8%B9%D9%84%D9%89-%D8%A7%D9%84%D9%85%D9%88%D9%82%D8%B9-%D8%A7%D8%B1%D8%A8%D8%B9-%D8%A7%D9%8A%D8%A7%D9%85-%D8%B9%D9%85%D9%84-%D8%A7%D8%B6%D8%A7%D9%81%D9%8A%D8%A9.

[101] The Consultation Draft of the Personal Data Protection Bill 2021 (25 August 2021) is available at https://moitt.gov.pk/SiteImage/Misc/files/25821%20DPA%20Bill%20Consultation%20Draft_docx.pdf.

[102] See the announcement of the Qatar Financial Centre (QFC) Authority “Consultation on proposed changes to QFC Data Protections Regulations & Rules”, available at https://www.linkedin.com/feed/update/urn:li:activity:6833700338965512192/, and the Consultation Paper “QFCA CP No. 1 of 2021 Proposed Changes to QFC Data Protection Regulations and Rules”, available at https://qfcra-en.thomsonreuters.com/rulebook/qfca-cp-no-1-2021-proposed-changes-qfc-data-protection-regulations-and-rules.

[103] See “MOTC Releases Guidelines on Personal Data Privacy Protection Law”, Media Release (31 January 2021), available at https://www.motc.gov.qa/en/news-events/news/motc-releases-guidelines-personal-data-privacy-protection-law.

[104] See Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 (in Arabic) (14 September 2021), available at https://ncar.gov.sa/Documents/Details?Id=waEbJasbk9cJVNdJ%2B31GUA%3D%3D.

[105] See “The Communications Commission announces the entry into force of the Regulatory Framework for Cyber Security for Service Providers in the Communications, Information Technology and Postal Sector”, Press Release (29 May 2021), available at https://www.citc.gov.sa/ar/mediacenter/pressreleases/Pages/20210529.aspx, and the Commission’s portal on cybersecurity regulations, available at https://www.citc.gov.sa/ar/RulesandSystems/CyberSecurity/Pages/default.aspx.

[106] See https://www.gov.br/anpd/pt-br/assuntos/noticias/2021-05-27-guia-agentes-de-tratamento_final.pdf.

[107] See https://www.gov.br/anpd/pt-br/assuntos/noticias/sancoes-administrativas-o-que-muda-apos-1o-de-agosto-de-2021.

[108] See https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-1-de-28-de-outubro-de-2021-355817513.

[109] See https://www.gov.br/anpd/pt-br/canais_atendimento/cidadao-titular-de-dados/peticao-de-titular-contra-controlador-de-dados/reclamacao.

[110] See https://www.gov.br/mj/pt-br/assuntos/noticias/secretaria-nacional-do-consumidor-multa-banco-por-utilizar-dados-sem-consentimento-de-consumidores-idosos.

[111] See http://www.procon.mt.gov.br/-/17501890-procon-estadual-multa-rede-de-farmacias-por-infracao-a-lei-de-protecao-de-dados-pessoais.

[112] See http://www.bcra.gov.ar/Noticias/Ciberincidentes-lineamientos-para-respuesta-y-recuperacion.asp.

[113] See https://www.ciberseguridad.gob.cl/media/2021/11/Ciberguía-para-pymes.pdf.

[114] See https://www.dinardap.gob.ec/dos-anos-tienen-las-entidades-publicas-y-empresas-privadas-para-adaptar-sus-procesos-a-la-ley-de-proteccion-de-datos-personales/.

[115] See https://www.antai.gob.pa/reglamentan-ley-81-de-proteccion-de-datos-personales/.

[116] See http://silpy.congreso.gov.py/expediente/123459.

[117] See https://www.gub.uy/unidad-reguladora-control-datos-personales/institucional/normativa/resolucion-n-23021 and https://www.gub.uy/unidad-reguladora-control-datos-personales/institucional/normativa/resolucion-n-41021.


The following Gibson Dunn lawyers assisted in the preparation of this article: Alejandro Guerrero in Brussels; Ahmed Baladi, Vera Lukic, Clémence Pugnet, and Lena Bionducci in Paris; Connell O’Neill, Nicholas Hay, and Jocelyn Shih in Hong Kong; Kai Gesing in Munich; and Alex Southwell, Ryan Bergsieker, and Cassandra Gaedt-Sheckter in the United States.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

Europe
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0) 20 7071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0) 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33 180, kgesing@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0) 20 7071 4226, pmadden@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Alejandro Guerrero – Brussels (+32 2 554 7218, aguerrero@gibsondunn.com)
Vera Lukic – Paris (+33 (0)1 56 43 13 00, vlukic@gibsondunn.com)
Sarah Wazen – London (+44 (0) 20 7071 4203, swazen@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

United States
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Matthew Benjamin – New York (+1 212-351-4079, mbenjamin@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, cgaedt-sheckter@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Ashley Rogers – Dallas (+1 214-698-3316, arogers@gibsondunn.com)
Deborah L. Stein – Los Angeles (+1 213-229-7164, dstein@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

With the backdrop of the continuing COVID-19 pandemic and high M&A volume, 2021 presented new issues for dealmakers. Hear from seasoned practitioners on how deals are getting done and the issues being confronted. This discussion covers various M&A-related topics, including the following:

• Key deal issues to navigate in light of increased antitrust regulatory scrutiny;
• Limitations on liability for fraud;
• Clauses to include in deal documents to avoid pitfalls; and
• Current state of play for SPAC transactions, and forecasts for the future.



PANELISTS:

Quinton C. Farrar is a corporate partner in the New York office of Gibson, Dunn & Crutcher. Mr. Farrar advises public and privately held companies, including private equity sponsors and their portfolio companies, investors, financial advisors, boards of directors and individuals in connection with a wide variety of complex corporate matters, including mergers and acquisitions, asset sales, leveraged buyouts, spin-offs, joint ventures and minority investments and divestitures.  He also has substantial experience advising clients on corporate governance issues as well as in advising issuers and underwriters in connection with public and private issuances of debt and equity securities.

Abtin Jalali is a partner in the San Francisco office of Gibson, Dunn & Crutcher. He is a member of Gibson Dunn’s Private Equity and Mergers and Acquisitions Practice Groups. Mr. Jalali has extensive experience representing private equity firms and their portfolio companies in all aspects of their businesses, with a focus on mergers and acquisitions, divestitures, growth equity investments, minority investments and general corporate matters. Mr. Jalali’s representative private equity clients include Serent Capital, True Wind Capital, TPG Capital, FTV Capital, Gryphon Investors and Tower Arch Capital.

Robert B. Little is a partner in Gibson, Dunn & Crutcher’s Dallas office. He is a Global Co-Chair of the Mergers and Acquisitions Practice Group. Mr. Little has consistently been named among the nation’s top M&A lawyers every year since 2013 by Chambers USA. Admired by clients as “very efficient, always knowledgeable in the subjects with immediate recommendations for action” and “an excellent corporate attorney well suited for negotiating tough deals” (Chambers, 2021), his practice focuses on corporate transactions, including mergers and acquisitions, securities offerings, joint ventures, investments in public and private entities, and commercial transactions. Mr. Little has represented clients in a variety of industries, including energy, retail, technology, infrastructure, transportation, manufacturing, and financial services.

Kristen P. Poole is a corporate partner in the New York office of Gibson, Dunn & Crutcher, where her practice focuses on mergers and acquisitions and private equity. Ms. Poole represents both public and private companies, as well as financial sponsors, in connection with mergers, acquisitions, divestitures, minority investments, restructurings and other complex corporate transactions.  She also advises clients with respect to general corporate governance matters and shareholder activism matters.


MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.

Gibson, Dunn & Crutcher LLP is authorized by the Solicitors Regulation Authority to provide in-house CPD training. This program is approved for CPD credit in the amount of 1.0 hour. Regulated by the Solicitors Regulation Authority (Number 324652).

Application for approval is pending with the Colorado, Illinois, Texas, Virginia and Washington State Bars.

Most participants should anticipate receiving their certificates of attendance via e-mail in approximately 4-6 weeks following the webcast.

Members of the Virginia Bar should anticipate receiving the applicable certification forms in approximately 6-8 weeks.

On January 27, 2022, the Supreme Court of California issued a decision that changes the burden for employers that are defending against current or former employees’ whistleblower retaliation claims.  In Lawson v. PPG Architectural Finishes, Inc., No. S266001, ___ Cal.5th ___, the Court answered a question that the Ninth Circuit had certified in an effort to dispel “widespread confusion” over the evidentiary standard for retaliation claims brought under California Labor Code section 1102.5.  Some courts had concluded the traditional burden-shifting framework set out in McDonnell Douglas Corp. v. Green (1972) 411 U.S. 792, should apply, with plaintiffs having to prove that they were retaliated against for a pretextual reason.  Others had decided that the more employee-friendly California Labor Code section 1102.6 should apply, with employers having to prove by clear and convincing evidence that the plaintiffs would have suffered the challenged consequence (such as losing their jobs) even if they had not identified any wrongdoing.  The California Supreme Court sided with the latter group, holding that section 1102.6’s framework applies both on summary judgment and at trial.

In Lawson, the plaintiff sued his former employer under section 1102.5 for firing him after he complained of allegedly fraudulent practices.  The district court granted the employer’s motion for summary judgment on the ground that the plaintiff failed to demonstrate that the employer’s stated reasons for termination, including poor performance, were pretextual.

The issue on appeal was the appropriate framework for Lawson’s claim.  The district court applied McDonnell Douglas’s three-part burden-shifting framework:  (1) the employee establishes a prima facie case of retaliation; (2) the burden of production shifts to the employer to articulate a legitimate reason for its decision; and (3) the burden shifts back to the employee to show that the employer’s reason is pretextual.  Lawson argued the district court instead should have followed section 1102.6’s two-part framework, which mirrors the analysis required for retaliation claims brought under the Sarbanes-Oxley Act and related federal statutes:  (1) the employee demonstrates (by a preponderance of the evidence) that retaliation was a “contributing factor” in the adverse employment action, and (2) the burden shifts to the employer to prove (by clear and convincing evidence) that the adverse action would have occurred even if the employee had not engaged in protected conduct.  The Ninth Circuit certified the question to the California Supreme Court because, it observed, the “state’s appellate courts do not follow a consistent practice.”

In a unanimous decision written by Justice Leondra Kruger, the Court held that section 1102.6 governs section 1102.5 retaliation claims.  The Court anchored its conclusion in the statutory text:  The statute “[b]y its terms” specifies “the applicable substantive standards and burdens of proof.”  The statute’s legislative history, by contrast, “yields no clear answers on the McDonnell Douglas question.”  The Court also observed that the McDonnell Douglas framework is not “well suited” to employee-whistleblower claims because while McDonnell Douglas presumes an employer’s reason for adverse action “is either discriminatory or legitimate,” a section 1102.5 plaintiff can prove unlawful retaliation “even when other, legitimate factors also contributed to the adverse action.” Finally, the Court rejected the employer’s argument that the McDonnell Douglas framework should apply at least during the summary judgment stage, explaining that “the parties’ burdens of proof at summary judgment generally depend on their burdens of proof at trial.”

The Court’s decision changes the burden that employers must satisfy in attempting to prove that they took adverse employment actions for legitimate, nonretaliatory reasons.  Under McDonnell Douglas, an employer has to show only a legitimate, nonretaliatory reason for its decision, at which point the burden shifts to the employee to prove that reason is pretextual.  But under section 1102.6, an employer must instead prove, by “clear and convincing” evidence, that it would have taken the same action against the employee “even had the plaintiff not engaged in protected activity.”  Section 1102.6 thus makes it easier for employees alleging retaliation to prove their case and avoid summary judgment. Yet the Court’s decision did not change plaintiffs’ burden to establish, by a preponderance of the evidence, that their protected activity “was a contributing factor in a contested employment action.” The Court also made clear that under the section 1102.6 framework, employers will “be able to raise a same-decision defense on summary judgment,” allowing courts to dismiss “meritless” retaliation claims before trial.


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have about these matters or regarding developments at the California Supreme Court or in state or federal appellate courts in California. Please feel free to contact any member of the Appellate and Constitutional Law or Labor and Employment practice groups, or the following appellate lawyers in California:

Theodore J. Boutrous, Jr. – Los Angeles (+1 213-229-7000, tboutrous@gibsondunn.com)
Julian W. Poon – Los Angeles (+1 213-229-7758, jpoon@gibsondunn.com)
Theane Evangelis – Co-Chair, Litigation Group, Los Angeles (+1 213-229-7726, tevangelis@gibsondunn.com)
Bradley J. Hamburger – Los Angeles (+1 213-229-7658, bhamburger@gibsondunn.com)
Michael Holecek – Los Angeles (+1 213-229-7018, mholecek@gibsondunn.com)
Daniel R. Adler – Los Angeles (+1 213-229-7634, dadler@gibsondunn.com)
Ryan Azad – San Francisco (+1 415-393-8276, razad@gibsondunn.com)
Matt Aidan Getz – Los Angeles (+1 213-229-7754, mgetz@gibsondunn.com)
Matthew Ball – Denver (+1 303-298-5731, mnball@gibsondunn.com)

Please also feel free to contact the following Labor and Employment practice leaders and members:

Harris M. Mufson – Co-Head, Whistleblower Team of Labor & Employment Group, New York (+1 212-351-3805, hmufson@gibsondunn.com)

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C. (+1 202-955-8242, jschwartz@gibsondunn.com)

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles (+1 213-229-7107, ksmith@gibsondunn.com)

We are pleased to present Gibson Dunn’s ninth “Federal Circuit Year In Review,” providing a statistical overview and substantive summaries of the 76 precedential patent opinions issued by the Federal Circuit between August 1, 2020 and July 31, 2021.  This term included significant panel decisions in patent law jurisprudence with regard to standing (ABS Global, Inc. v. Cytonome/ST, LLC, 984 F.3d 1017 (Fed. Cir. 2021) and Gen. Elec. Co. v. Raytheon Techs. Corp., 983 F.3d 1334 (Fed. Cir. 2020)); subject matter eligibility (cxLoyalty, Inc. v. Maritz Holdings Inc., 986 F.3d 1367 (Fed. Cir. 2021) and Illumina, Inc. v. Ariosa Diagnostics, Inc., 967 F.3d 1319 (Fed. Cir. 2020)); venue (In re Samsung Elecs. Co., 2 F.4th 1371 (Fed. Cir. 2021) and Valeant Pharms. N. Am. LLC v. Mylan Pharms. Inc., 978 F.3d 1374 (Fed. Cir. 2020)); IPR procedures (Facebook, Inc. v. Windy City Innovations, LLC, 973 F.3d 1321 (Fed. Cir. 2020)); and public accessibility of prior art (M & K Holdings, Inc. v. Samsung Elecs. Co., 985 F.3d 1376 (Fed. Cir. 2021) and VidStream LLC v. Twitter, Inc., 981 F.3d 1060 (Fed. Cir. 2020)).  Each of these decisions, as well as all other precedential decisions issued by the Federal Circuit in the 2020‒2021 term, is summarized in the Federal Circuit Year In Review.

Use the Federal Circuit Year In Review to find out:

  • The easy-to-use Table of Contents is organized by substantive issue, so that the reader can easily identify all of the relevant cases bearing on the issue of choice.
  • Which issues may have a better chance (or risk) on appeal based on the Federal Circuit’s history of affirming or reversing on those issues in the past.
  • The average length of time from issuance of a final decision in the district court and docketing at the Federal Circuit to issuance of a Federal Circuit opinion on appeal.
  • What the success rate has been at the Federal Circuit if you are a patentee or the opponent based on the issue being appealed.
  • The Federal Circuit’s history of affirming or reversing cases from a specific district court.
  • How likely a particular panel may be to render a unanimous opinion or a fractured decision with a majority, concurrence, or dissent.
  • The Federal Circuit’s affirmance/reversal rate in cases from the district court, ITC, and the PTO.

The Year In Review provides statistical analyses of how the Federal Circuit has been deciding precedential patent cases, such as affirmance and reversal rates (overall, by issue, and by District Court), average time from lower tribunal decision to key milestones (oral argument, decision), win rate for patentee versus opponent (overall, by issue, and by District Court), decision rate by Judge (number of unanimous, majority, plurality, concurring, or dissenting opinions), and other helpful metrics. The Year In Review is an ideal resource for participants in intellectual property litigation seeking an objective report on the Court’s decisions.

Gibson Dunn is nationally recognized for its premier practices in both Intellectual Property and Appellate litigation.  Our lawyers work seamlessly together on all aspects of patent litigation, including appeals to the Federal Circuit from both district courts and the agencies.

Please click here to view the FEDERAL CIRCUIT YEAR IN REVIEW


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work or the authors of this alert:

Mark A. Perry – Washington, D.C. (+1 202-887-3667, mperry@gibsondunn.com)
Nathan R. Curtis – Dallas (+1 214-698-3423, ncurtis@gibsondunn.com)
Florina Yezril – New York (+1 212-351-2689, fyezril@gibsondunn.com)

Please also feel free to contact any of the following practice group co-chairs or any member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups:

Appellate and Constitutional Law Group:
Allyson N. Ho – Dallas (+1 214-698-3233, aho@gibsondunn.com)
Mark A. Perry – Washington, D.C. (+1 202-887-3667, mperry@gibsondunn.com)

Intellectual Property Group:
Kate Dominguez – New York (+1 212-351-2338, kdominguez@gibsondunn.com)
Y. Ernest Hsin – San Francisco (+1 415-393-8224, ehsin@gibsondunn.com)
Josh Krevitt – New York (+1 212-351-4000, jkrevitt@gibsondunn.com)
Jane M. Love, Ph.D. – New York (+1 212-351-3922, jlove@gibsondunn.com)

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.


In February and March 2021, we published updates on global legislative developments in relation to mandatory human rights due diligence and supply chain reporting (see here and here).

At that time, it was expected that the European Commission (“EC”) would publish draft legislation at the pan-European level in the form of a Sustainable Corporate Governance proposal (“SCG”) in Summer 2021.  The anticipated draft directive was hailed as a potential game-changer: directing how companies should manage matters in their own operations and value chains as regards human rights, climate change and the environment, and related governance.

By comparison, fewer material developments have arisen in the United States, with the most notable change to the law in this field in recent years being the California Transparency in Supply Chains Act 2010.  But the landscape may be changing, both with the recently passed federal Uyghur Forced Labor Prevention Act and a new proposed law pending in New York State (the draft “Fashion Sustainability and Social Accountability Act”) that may impose significant reporting requirements on the fashion industry.

Pan-European Developments – EC draft legislation significantly delayed

As it stands, the EC draft directive has not yet been handed down and updates on its status have not been forthcoming from the EC.  However, it is reported that the delay is a result of a (second) rejection by the EC’s internal Regulatory Scrutiny Board (an independent body charged with quality control and impact assessment of legislation).  The latest indications by the EC are that the draft directive is now expected in February 2022.

Unsurprisingly, this delay has been met with widespread condemnation and concern from civil society. For example, on 8 December 2021, in an open letter signed by 47 civil society and trade union organizations to EC President Ursula von der Leyen (see here), complaints were made about delays to a “crucial new law that can help millions of people to demand justice against human rights violations…” and expressing “dee[p] concer[n]” about the “complete lack of transparency on the reasons for this new delay”.  The letter called on the President to “publicly reiterate [the] commitment … to making supply chains of companies active on the EU market sustainable through ambitious, binding human rights and environmental due diligence legislation”.

US Developments – Groundbreaking draft legislation proposed

Meanwhile, in the US, human rights due diligence legislation has advanced with two meaningful developments.

On the federal level, on 23 December 2021, President Biden signed the Uyghur Forced Labor Prevention Act (the “UFLPA”) into law.  The UFLPA creates a rebuttable presumption that all goods manufactured – even partially – in China’s Xinjiang Uyghur Autonomous Region are the product of forced labor and therefore not entitled to entry at US ports.  The UFLPA also builds on prior legislation, such as the Uyghur Human Rights Policy Act of 2020, by expanding that Act’s authorization of sanctions to cover foreign individuals responsible for human rights abuses related to forced labor in the Xinjiang region.  We explore the UFLPA in detail in our client alert, here.

On the state level, earlier this month, two New York State Senators introduced historic legislation to set broad sustainability mandates for the fashion industry – an industry which is (according to some estimates) responsible for approximately 4-8.6% of global greenhouse gas emissions.  The Fashion Sustainability and Social Accountability Act (the “FSSAA”), sponsored by Senator Alessandra Biaggi and assembly member Dr. Anna Kelles, is a proposal that, if enacted, would require fashion retailers and manufacturers doing business in New York State with annual global gross revenues that exceed $100 million to publish extensive disclosures on their websites about their “environmental and social due diligence policies, processes and outcomes, including significant real or potential adverse environmental and social impacts” (see here).  The FSSAA would therefore place obligations on many household fashion names and brands based around the world.

The disclosures under the draft FSSAA include, among other things: (i) supply chain mapping of at least 50% of suppliers by volume across all tiers of production; (ii) a “sustainability report” identifying each business’s risks, as informed by United Nations and International Labor Organization principles; (iii) independently verified greenhouse gas reporting; and (iv) quantitative measures, such as publishing the median wages of workers of suppliers compared with the local minimum wage.  The FSSAA requires that all disclosures be made on the retail or manufacturer’s website within a year of the legislation’s enactment into law.

In terms of enforcement, the FSSAA, if passed, would require New York’s Attorney General (“AG”) to publish an annual report regarding companies’ compliance with the law.  And, if enacted, failure to meet the legislation’s requirements would result in the AG having the power to fine sellers and manufacturers up to 2% of annual revenues of $450 million or more.  Such money will then be deposited into a community benefit fund, which will be used for environmental projects that directly and verifiably benefit environmental justice communities.

While legislation can take years, advocates are hoping that the bill is passed by Spring 2022 and certainly no later than the end of the 2022 New York State legislative session in June.  The legislation has four cosponsors and is currently pending before the New York House Consumer Affairs and Protection and Senate Consumer Protection Committees and, if it advances out of committee, it will be voted on by the full legislative body.

Conclusion

These initiatives in the US are a further indication of the general direction of evolving due diligence expectations.  If enacted, the FSSAA would not only make waves in the fashion world, but could also foreshadow legislation requiring ESG disclosures for other industries in the US.

With this in mind, together with the anticipated EC legislation and individual country developments, companies should continue to reflect on their knowledge of their own supply chains, human rights and environmental risks within their business, and internal due diligence processes/compliance methodologies.  The expectations of companies in terms of their substantive management of environmental and human rights risks, as well as their reporting obligations, look set only to increase.


This alert has been prepared by Susy Bullock, Stephanie Collins, and Ryan Butcher* in London; and Roscoe Jones, Jr., Howard S. Hogan, Perlette Michèle Jura, and Jessica C. Benvenisty in the United States.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Environmental, Social and Governance (ESG) practice, or the following authors in London and the US:

Susy Bullock – London (+44 (0) 20 7071 4283, sbullock@gibsondunn.com)
Stephanie Collins – London (+44 (0) 20 7071 4216, SCollins@gibsondunn.com)
Roscoe Jones, Jr. – Washington, D.C. (+1 202-887-3530, rjones@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Perlette M. Jura – Los Angeles (+1 213-229-7121, pjura@gibsondunn.com)
Jessica C. Benvenisty – New York (+1 212-351-2415, jbenvenisty@gibsondunn.com)

Please also feel free to contact the following ESG practice leaders:

Susy Bullock – London (+44 (0) 20 7071 4283, sbullock@gibsondunn.com)
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com)
Perlette M. Jura – Los Angeles (+1 213-229-7121, pjura@gibsondunn.com)
Ronald Kirk – Dallas (+1 214-698-3295, rkirk@gibsondunn.com)
Michael K. Murphy – Washington, D.C. (+1 202-955-8238, mmurphy@gibsondunn.com)
Selina S. Sagayam – London (+44 (0) 20 7071 4263, ssagayam@gibsondunn.com)

* Ryan Butcher is a trainee solicitor working in the firm’s London office who is not yet admitted to practice law.


On the heels of a record-setting 2020, the year 2021 saw a more modest pace of Foreign Corrupt Practices Act (“FCPA”) enforcement, particularly as it relates to corporate actions.  The inevitable slowdown from any changeover in presidential administrations, combined with the lingering impacts of the global pandemic, undoubtedly contributed to this phenomenon.  But with the Biden Administration doubling down on the strategic importance of global anti-corruption enforcement, and with continuing robust FCPA-related enforcement against individuals, we fully anticipate a return to substantial corporate FCPA enforcement in the years to come.

This client update provides an overview of the FCPA and other domestic and international anti-corruption enforcement, litigation, and policy developments from 2021, as well as the trends we see from this activity.  Gibson Dunn has the privilege of helping our clients navigate anti-corruption-related challenges every day, and we are honored to have been ranked again this year Number 1 in the Global Investigations Review “GIR 30” ranking of the world’s top investigations practices—Gibson Dunn’s fourth consecutive year and sixth in the last seven years to have been so honored.  For more analysis on anti-corruption enforcement and related developments over the past year, we invite you to join us for our upcoming complimentary webcast presentations:

  • “FCPA 2021 Year-End Update” on February 1, 2022 (to register, Click Here)
  • “Corporate Compliance and U.S. Sentencing Guidelines” on March 30, 2022 (to register, Click Here)

FCPA OVERVIEW

The FCPA’s anti-bribery provisions make it illegal to corruptly offer or provide money or anything else of value to officials of foreign governments, foreign political parties, or public international organizations with the intent to obtain or retain business.  These provisions apply to “issuers,” “domestic concerns,” and those acting on behalf of issuers and domestic concerns, as well as to “any person” who acts while in the territory of the United States.  The term “issuer” covers any business entity that is registered under 15 U.S.C. § 78l or that is required to file reports under 15 U.S.C. § 78o(d).  In this context, foreign issuers whose American Depositary Receipts (“ADRs”) or American Depositary Shares (“ADSs”) are listed on a U.S. exchange are “issuers” for purposes of the FCPA.  The term “domestic concern” is even broader and includes any U.S. citizen, national, or resident, as well as any business entity that is organized under the laws of a U.S. state or that has its principal place of business in the United States.

In addition to the anti-bribery provisions, the FCPA also has “accounting provisions” that apply to issuers and those acting on their behalf.  First, there is the books-and-records provision, which requires issuers to make and keep accurate books, records, and accounts that, in reasonable detail, accurately and fairly reflect the issuer’s transactions and disposition of assets.  Second, the FCPA’s internal controls provision requires that issuers devise and maintain reasonable internal accounting controls aimed at preventing and detecting FCPA violations.  Prosecutors and regulators frequently invoke these latter two sections when they cannot establish the elements for an anti-bribery prosecution or as a mechanism for compromise in settlement negotiations.  Because there is no requirement that a false record or deficient control be linked to an improper payment, even a payment that does not constitute a violation of the anti-bribery provisions can lead to prosecution under the accounting provisions if inaccurately recorded or attributable to an internal controls deficiency.

International corruption also may implicate other U.S. criminal laws.  Increasingly, prosecutors from the FCPA Unit of the Department of Justice (“DOJ”) have been charging non-FCPA crimes such as money laundering, mail and wire fraud, Travel Act violations, tax violations, and even false statements, in addition to or instead of FCPA charges.  Without question, the most prevalent amongst these “FCPA-related” charges is money laundering—a generic term used as shorthand for statutory provisions that generally criminalize conducting or attempting to conduct a transaction involving proceeds of “specified unlawful activity” or transferring funds to or from the United States, in either case to promote the carrying on of specified unlawful activity, to conceal or disguise the nature, location, source, ownership or control of the proceeds, or to avoid a transaction reporting requirement.  “Specified unlawful activity” includes over 200 enumerated U.S. crimes and certain foreign crimes, including the FCPA, fraud, and corruption offenses under the laws of foreign nations.  Although this has not always been the case, in recent years, DOJ has frequently deployed the money laundering statutes to charge “foreign officials” who are not themselves subject to the FCPA.  It is now commonplace for DOJ to charge the alleged provider of a corrupt payment under the FCPA and the alleged recipient with money laundering violations.

FCPA AND FCPA-RELATED ENFORCEMENT STATISTICS

The below table and graph detail the number of FCPA enforcement actions initiated by DOJ and the Securities and Exchange Commission (“SEC”), the statute’s dual enforcers, during the past 10 years.

       2012  2013  2014  2015  2016  2017  2018  2019  2020  2021
DOJ      11    19    17    10    21    29    22    35    21    11
SEC      12     8     9    10    32    10    17    19    11     4

But as our readers know, the number of FCPA enforcement actions represents only a piece of the robust pipeline of international anti-corruption enforcement efforts by DOJ.  Indeed, the increasing proportion of “FCPA-related” charges in the overall enforcement docket of FCPA prosecutors is a trend we have been remarking upon for years.  In total, DOJ brought 17 such FCPA-related actions in 2021, bringing the overall anti-corruption figures for the past year to 28 cases filed or unsealed by DOJ.  The past 10 years of FCPA plus FCPA-related enforcement activity is illustrated in the following table and graph.

       2012  2013  2014  2015  2016  2017  2018  2019  2020  2021
DOJ      12    21    23    12    27    36    48    54    40    28
SEC      12     8     9    10    32    10    17    19    11     4

2021 FCPA-RELATED ENFORCEMENT TRENDS

In each of our year-end FCPA updates, we seek not merely to report on the year’s FCPA enforcement actions, but also to distill the thematic trends we see stemming from these individual events.  For 2021, we have identified three key enforcement trends that we believe stand out from the rest:

  1. Sharp downturn in corporate FCPA enforcement actions and financial penalties;
  2. DOJ continues substantial FCPA and FCPA-related enforcement against individuals; and
  3. Biden Administration policies foreshadow a return to robust corporate anti-corruption enforcement in the coming years.

Sharp Downturn in Corporate FCPA Enforcement Actions and Financial Penalties

The modern era of FCPA enforcement (often described as beginning with the blockbuster Siemens resolution in 2008) may certainly be characterized by its penchant for setting enforcement records in one year, and then breaking them the next.  But this overall trend has not always been linear, and indeed, frequently, there is a drop-off in cases in the years that presidential administrations change.  So, it is accurate to say that corporate FCPA enforcement—after reaching new heights of penalties imposed in 2019 ($2.66 billion in corporate penalties on 21 enforcement actions) and 2020 ($2.79 billion in corporate penalties on 16 enforcement actions)—fell off the proverbial cliff in 2021 ($259.5 million on 6 enforcement actions).  But we would not go nearly so far as to foretell the demise of corporate anti-corruption enforcement in the years to come.  Indeed, based on what we are seeing at DOJ and the SEC, we counsel against such predictions.

The first corporate FCPA enforcement action of 2021 was with German financial institution and U.S.-issuer Deutsche Bank AG, which on January 8 reached a coordinated FCPA resolution with DOJ and the SEC to resolve allegations of internal control deficiencies and inaccurate record-keeping associated with the use of third-party business development consultants between 2009 and 2016.  The DOJ allegations focused on consultants in Abu Dhabi and Saudi Arabia, each of which was allegedly known by Deutsche Bank employees to be relatives or close associates of government officials who would pass portions of their consulting payments on to the officials in exchange for business awarded to the bank.  The SEC resolution additionally identified purportedly questionable consulting relationships in China and Italy.

To resolve the criminal charges, Deutsche Bank entered into a three-year deferred prosecution agreement with DOJ alleging conspiracy to violate each of the FCPA’s books-and-records and internal controls provisions, as well as a separate wire fraud conspiracy charge associated with an unrelated commodities trading scheme that was charged together with the FCPA matter.  For the FCPA misconduct, the bank paid a criminal penalty of $79.6 million, which represented a 25% discount from the middle of the U.S. Sentencing Guidelines range—this was the maximum discount for cooperation (in a non-voluntary disclosure case), but the discount was taken from the middle rather than the bottom of the range because of a prior criminal antitrust resolution in 2016.  To resolve the SEC charge, Deutsche Bank consented to the entry of an administrative cease-and-desist order charging FCPA accounting violations and agreed to pay $43.3 million in disgorgement and prejudgment interest.  Gibson Dunn represented Deutsche Bank in these matters.

On June 25, 2021, global engineering firm Amec Foster Wheeler Ltd. (“AFW”), which during the relevant period was principally based in the UK but traded on a U.S. exchange, reached a $177 million coordinated resolution with anti-corruption authorities in Brazil, the United Kingdom, and the United States.  The U.S. charging documents allege that between 2011 and 2014, an AFW subsidiary used several agents—including one that failed AFW’s due diligence process based on compliance concerns, but nonetheless continued working “unofficially” on the project—to make more than $1 million in improper payments to win a contract with state-owned oil company Petróleo Brasileiro S.A. (“Petrobras”).

On the U.S. front, to resolve the SEC’s investigation, AFW consented to the entry of an administrative cease-and-desist order charging FCPA bribery and accounting violations and ordering $22.76 million in disgorgement and prejudgment interest.  To resolve a criminal FCPA bribery conspiracy charge, a UK subsidiary of AFW entered into a three-year deferred prosecution agreement with DOJ and agreed to a criminal penalty of $18.375 million.  Both the SEC and DOJ applied offsetting credits for payments to authorities in Brazil and the UK in connection with the coordinated resolution, bringing the total due to the SEC to $10.13 million and $7.66 million to the United States.  The Petrobras-related allegations were only a part of a larger anti-corruption resolution reached by the UK AFW subsidiary and the SFO, which as described in our UK section below imposed the USD-equivalent of $142.7 million in penalties and disgorgement for alleged improper payments in India, Malaysia, Nigeria, and Saudi Arabia, as well as Brazil, as part of its own, separate three-year deferred prosecution agreement.  The U.S. resolutions, which were coordinated by Gibson Dunn, acknowledged AFW’s cooperation and remediation by applying the maximum available 25% discount from the bottom of the U.S. Sentencing Guidelines range and not requiring an independent compliance monitor.

The third corporate FCPA enforcement action of 2021, and the only one that was resolved solely with civil SEC charges, was with WPP Plc, the world’s largest advertising group and an ADS issuer.  On September 24, 2021, the SEC announced that WPP consented to the entry of a cease-and-desist order charging FCPA bribery and accounting violations, and agreed to pay $10.1 million in disgorgement, $1.1 million in prejudgment interest, and an $8 million civil penalty, without admitting or denying the SEC’s allegations.

According to the SEC’s charging document, prior to 2018, WPP deployed a global growth strategy by which it entered markets through acquisitions of smaller advertising agencies, frequently with an “earn-out provision” that deferred a portion of the purchase price pending the accomplishment of future financial goals, which in many cases the acquired agency’s founder stayed on to achieve.  These newly acquired agencies and their founders were the focus of this enforcement action, with the SEC alleging improper payments in Brazil, China, India, and Peru.  A DOJ investigation reportedly is ongoing, and it is not clear whether additional charges are forthcoming.

Closing out the year in corporate FCPA enforcement, on October 19, 2021 Swiss financial institution and ADR issuer Credit Suisse Group AG agreed to an FCPA resolution with the SEC and a related non-FCPA, wire fraud resolution with DOJ.  The DOJ and SEC allegations concern the same Mozambique loan bribery and kickback scheme that we first reported in our 2019 Year-End FCPA Update, wherein we described FCPA and FCPA-related charges against three Credit Suisse bankers, two former Mozambican government officials and a business consultant, as well as two Lebanese former executives of a UAE shipbuilding company.  The allegations are that between 2013 and 2016, the defendants structured three syndicated loan and securities offerings worth $2 billion involving Mozambican state-owned entities, from which at least $200 million was allegedly misappropriated for bribes and kickbacks to the scheme participants.

To resolve the SEC’s charges, Credit Suisse consented to an administrative cease-and-desist proceeding alleging violations of the FCPA’s accounting provisions, as well as fraud-based securities violations, and agreed to pay combined disgorgement and prejudgment interest of $34 million plus a $65 million civil penalty.  To resolve the criminal investigation, Credit Suisse entered into a three-year deferred prosecution agreement with DOJ concerning, and a UK subsidiary pleaded to, wire fraud charges, and agreed to pay a cumulative criminal fine of $247.5 million, plus $10.34 million in criminal forfeiture.  After applying a variety of offsets, Credit Suisse ultimately agreed to pay $99 million to the SEC, $175 million to DOJ, and $200 million to the UK Financial Conduct Authority (“FCA”) in a related resolution.  The bank also agreed to forgive $200 million in debt owed by the Government of Mozambique, which the prosecutors and regulators considered, together with Credit Suisse’s remediation and cooperation efforts, in setting the $475 million combined resolution amount.

DOJ Continues Substantial FCPA and FCPA-Related Enforcement Against Individuals

DOJ filed or unsealed FCPA or FCPA-related charges against 25 individual defendants in 2021, which may be grouped as follows.

Ecuadorian Police Pension Fund Defendants

On March 2, 2021, DOJ announced the arrest of Ecuadorian citizens John Luzuriaga Aguinaga and Jorge Cherrez Miño for their alleged roles in a long-running bribery scheme involving the Instituto de Seguridad Social de la Policia Nacional (“ISSPOL”), Ecuador’s public police pension fund.  DOJ alleges that from 2014 to 2020, Cherrez, an investment advisor with operations in Florida and Panama, paid more than $2.6 million in bribes to ISSPOL officials, including now-former ISSPOL Risk Director Luzuriaga, in exchange for the right to manage ISSPOL funds.  Two-and-a-half months later, on May 19, 2021, Ecuadorian investment company manager Luis Alvarez Villamar pleaded guilty to money laundering conspiracy for his role in accepting funds from Cherrez in connection with the ISSPOL corruption scheme.  Luzuriaga is currently scheduled for trial on money laundering charges in the Southern District of Florida in February 2022, and Cherrez is considered a fugitive on his pending FCPA bribery and money laundering charges.

Additional PDVSA (Citgo) Charges

For years, we have been covering a multi-faceted corruption investigation by DOJ with the common nucleus being Venezuelan state-owned oil company Petróleos de Venezuela S.A. (“PDVSA”).  One of the investigation strands has involved a pay-to-play corruption scheme at Citgo Petroleum Corporation, PDVSA’s U.S. subsidiary, as covered most recently in our 2020 Year-End FCPA Update.  On March 12, 2021, DOJ unsealed money laundering conspiracy charges initially filed two years earlier against another defendant, former Citgo buyer Laymar Giosse Pena-Torrealba.  According to the charging documents, Pena-Torrealba accepted bribes from Juan Manuel Gonzalez (who himself pleaded guilty in May 2019) in exchange for helping Gonzalez’s companies to secure contracts with Citgo.  Pena-Torrealba pleaded guilty to one count of money laundering conspiracy and was sentenced in November 2021 to three years of probation.

Additional PetroEcuador Charges

We also have been reporting for several years now on a multi-agency investigation into alleged corruption at Ecuador’s state-owned oil company, Empresa Publica de Hidrocarburos del Ecuador (“PetroEcuador”).  This has included coordinated charges brought by DOJ and the Commodity Futures Trading Commission (“CFTC”) against energy trading firm Vitol, Inc., as well as several of its traders, as covered in our 2020 Year-End FCPA Update.  On April 6, 2021, DOJ unsealed an August 2020 criminal complaint against Canadian citizen Raymond Kohut, a now-former employee of a different Swiss energy trading firm.  According to the charges, two Asian state-owned entities contracted to provide loans to PetroEcuador backed by periodic oil deliveries, and Kohut’s employer negotiated with the Asian entities to market and sell those oil products.  Starting in 2012, Kohut and his co-conspirators allegedly made more than $22 million in corrupt payments to PetroEcuador officials to award contracts to the Asian entities under favorable terms so that Kohut’s company could then enter related, advantageous trading agreements with the Asian entities.  Kohut and his co-conspirators allegedly met to discuss the conspiracy in Florida, and some of the payments flowed through New York correspondent bank accounts.  Kohut pleaded guilty to a single count of money laundering on April 6, 2021, and awaits sentencing.

Additional Odebrecht-Related Charges

The blockbuster multinational anti-corruption resolution with Odebrecht S.A. in 2016, first covered in our 2016 Year-End FCPA Update, continues to be a recurring source of FCPA and FCPA-related charges against individual defendants.  On May 20, 2021, DOJ unsealed money laundering charges against Austrian citizens and bank executives Peter Weinzierl and Alexander Waldstein.  The indictment alleges that Weinzierl and Waldstein moved more than $170 million through a series of fraudulent transactions and sham agreements from Odebrecht’s New York bank accounts, through Weinzierl’s and Waldstein’s Austrian bank, into accounts at an Antiguan bank allegedly used by Odebrecht as a slush fund used to pay bribes to Brazilian, Mexican, and Panamanian officials.  Weinzierl was arrested on May 25, 2021 in the United Kingdom, where he is currently undergoing extradition proceedings.  Waldstein remains at large.

Chadian Oil Rights Defendants

On May 24, 2021, DOJ announced the indictment of two diplomats from Chad—Mahamoud Adam Bechir and Youssouf Hamid Takane—Bechir’s wife Nouracham Bechir Niam, and the founder of a Canadian energy company, Naeem Riaz Tyab, all on FCPA or FCPA-related charges stemming from an alleged bribery scheme relating to the award of oil rights in the Republic of Chad.  According to the indictment, while serving in Washington, D.C. as Chad’s Ambassador to the United States and Canada and Deputy Chief of Mission, respectively, Bechir and Takane collectively solicited and accepted $2 million in bribes, plus corporate shares, in exchange for awarding Tyab’s company oil rights worth tens of millions of dollars.  Bechir’s wife Niam was allegedly brought into the scheme when Tyab received legal advice not to enter a consulting contract with a company owned by Bechir, and so instead, entered into substantially the same consulting contract with a company owned by Niam, in addition to awarding Niam substantial shares in Tyab’s company.  Tyab and Niam were both charged with conspiracy to violate the FCPA, and all four defendants were charged with conspiracy to commit money laundering.

The indictment was initially handed down in February 2019, shortly before Tyab was arrested in New York City.  According to court documents, Tyab immediately began cooperating and pleaded guilty in April 2019.  But the case remained sealed as DOJ sought to obtain custody of the other three defendants.  More than two years later, in May 2021, DOJ acknowledged that its efforts to arrest the other defendants were unlikely to be successful in the near term and moved to unseal the indictment.  Further illustrating the long tail of these corruption cases, Tyab’s company—Griffiths Energy International Inc.—pleaded guilty to violations of Canada’s Corruption of Foreign Public Officials Act in 2013 as covered in our 2013 Year-End FCPA Update.  Bechir, Takane, and Niam all remain at large, and Tyab is currently scheduled to be sentenced in February 2022.

Bolivian Military Equipment Defendants

Also in May 2021, DOJ announced charges against five individuals in an alleged pay-to-play bribery scheme involving the sale of tactical defense equipment to the Bolivian Ministry of Defense.  DOJ alleges that Bryan Berkman, the owner of Bravo Tactical Solutions LLC, his father Luis Berkman, and his business associate Philip Lichtenfeld, all conspired to make over $600,000 in corrupt payments to former Bolivian Minister of Government Arturo Carlos Murillo Prijic and his former Chief of Staff Sergio Rodrigo Mendez Mendizabal in exchange for a $5.6 million contract to supply tear gas and other non-lethal riot equipment to the Ministry of Defense.  Four of the five defendants have pleaded guilty—Bryan Berkman and Lichtenfeld to FCPA conspiracy charges and Luis Berkman and Mendez to money laundering conspiracy charges.  Murillo is currently set for a May 2022 trial date on a superseding eight-count money laundering indictment.

Nigeria Oil Contract Defendant

On July 26, 2021, DOJ filed a criminal information charging Anthony Stimler, a former West Africa-based oil trader for a Swiss commodity trading and mining firm, with one count each of conspiracy to violate the FCPA’s anti-bribery provisions and money laundering conspiracy.  According to the charging document, between 2007 and 2018, Stimler participated in a scheme to bribe employees of the state-owned Nigerian National Petroleum Corporation to obtain contracts for more lucrative grades of oil on better delivery schedules for the commodity trading firm.  Stimler has pleaded guilty and is cooperating with DOJ on the ongoing investigation of Stimler’s former employer.

CASA Corruption Defendant

On August 4, 2021, DOJ announced the arrest of Florida businessman Naman Wakil on charges that between 2010 and 2017 he allegedly bribed officials of both PDVSA and Venezuelan state-owned food company Corporación de Abastecimiento y Servicios Agrícola (“CASA”) to secure approximately $250 million in contracts for his companies.  Wakil faces substantive and conspiracy FCPA and money laundering charges.  He has pleaded not guilty and is currently set for a November 2022 trial date.

Ericsson Djibouti Defendant

On September 8, 2021, DOJ announced the unsealing of a June 2020 FCPA and money laundering conspiracy indictment of former Telefonaktiebolaget LM Ericsson Horn of Africa Account Manager Afework Bereket.  According to the indictment, between 2010 and 2014, Bereket participated in a scheme to pay approximately $2.1 million to two high-ranking officials in Djibouti’s executive branch and one employee of a Djibouti state-owned telecommunications company to secure a €20.3 million contract with the state-owned entity.  The indictment further alleges that Bereket concealed the bribes by entering a sham consulting contract with a company owned by the spouse of one of the officials, and concealing that ownership interest from others at Ericsson.  As first reported in our 2019 Year-End FCPA Update, in 2019, Ericsson entered into an FCPA resolution with DOJ and the SEC that included the Djibouti scheme.  Bereket remains at large.

CLAP Corruption Defendants

On October 21, 2021, DOJ announced a money laundering indictment returned against five defendants stemming from alleged corruption involving Comité Local de Abastecimiento y Producción (“CLAP”), a Venezuelan state-owned and state-controlled food and medicine distribution program.  The indictment alleges a scheme involving a staggering $1.6 billion in food and medicine contracts obtained by Colombian businessmen Alvaro Pulido Vargas, Emmanuel Enrique Rubio Gonzalez, and Carlos Rolando Lizcano Manrique, and Venezuelan businesswoman Ana Guillermo Luis through corrupt payments to the then-governor of Venezuelan State Táchira, Jose Gregorio Vielma-Mora.  All five defendants are considered fugitives.  Pulido—who additionally faces money laundering charges stemming from a separate pay-to-play scheme described in our 2019 Year-End FCPA Update—along with Rubio and Vielma-Mora also were sanctioned by the Office of Foreign Assets Control in 2019 for alleged CLAP-related corruption.

Egyptian Coal Sale Defendant

On November 3, 2021, DOJ charged Frederick Cushmore Jr., the now-former Head of International Sales for a Pennsylvania-based coal mining company, with one count of conspiracy to violate the FCPA’s anti-bribery provisions.  According to the criminal information, between 2016 and 2020, Cushmore and others at his company engaged an Egyptian sales agent to secure $143 million in coal contracts with an Egyptian state-owned company, knowing that the agent would provide a portion of his $4.8 million in commissions to officials at the state-owned entity.  The information further alleges that Cushmore and others used encrypted messaging applications and commercial email accounts in an effort to avoid detection of their corruption scheme.  Cushmore is currently scheduled to be sentenced in the Western District of Pennsylvania in March 2022, but the limited information available publicly suggests additional charges may be forthcoming, which would likely impact that sentencing date.

Biden Administration Policies Foreshadow Return to Robust Corporate Anti-Corruption Enforcement in the Coming Years

As noted above, there may be a slowdown in government enforcement actions that takes place with any change in presidential administrations.  Although most prosecutors and enforcement lawyers at DOJ and the SEC are career attorneys who hold over across administrations, the senior political leadership often changes, and that can cause a delay in necessary approvals or willingness to move more significant cases forward until new leadership is in place.  This is particularly true for high-profile enforcement activities such as corporate FCPA actions.  If there was any lingering doubt, further tempering overreliance on last year’s comparatively low corporate FCPA enforcement rate, the Biden Administration took several notable steps in 2021 that lead us to anticipate a return to robust corporate enforcement in the years to come.

Biden Administration Announces U.S. Strategy on Countering Corruption

On June 3, 2021, the White House published a National Security Study Memorandum that identifies “countering corruption as a core United States national security interest.”  The memorandum emphasizes the significant costs of corruption, estimated at between two and five percent of global GDP, as well as its associated impacts on less tangible (but equally important) societal goods, such as rule of law, inequality, trust in government, and national security.  The memorandum directed the National Security Advisor and Assistants to the President for Economic Policy and Domestic Policy to conduct a review across numerous government agencies to devise a comprehensive anti-corruption strategy report and recommendations within 200 days.

On December 6, 2021, the Biden Administration released its first-ever “United States Strategy on Countering Corruption.”  This 38-page Strategy Memorandum is structured around five “pillars”:  (1) “modernizing, coordinating, and resourcing U.S. Government efforts to fight corruption”; (2) “curbing illicit finance”; (3) “holding corrupt actors accountable”; (4) “preserving and strengthening the multilateral anti-corruption architecture”; and (5) “improving diplomatic engagement and leveraging foreign assistance to advance policy goals.”  The Strategy Memorandum further emphasizes that the Biden Administration will pursue “aggressive enforcement action” in support of its anti-corruption objectives through enforcement of the FCPA and other statutes by U.S. enforcers in coordination with foreign law enforcement partners.  It also suggests that the Biden Administration will seek additional tools to broaden the reach of its anti-corruption enforcement powers, including through enhanced legislation to target the “demand side” of bribery.  The Strategy Memorandum further recognizes the need for increased coordination and synergy between the U.S.’s anti-corruption and anti-money laundering efforts and to address “deficiencies in the U.S. anti-money laundering regime” through the extension of regulatory compliance and reporting requirements to non-financial institution “gatekeepers,” such as lawyers, accountants, and trust and company service providers.

For additional details regarding the Strategy Memorandum, please consult our recent Client Alert, “U.S. Strategy on Countering Corruption Signals Focus on Enforcement.”  And for further details on the Biden Administration’s overall approach to anti-corruption enforcement, please consult our Client Alert “Big Changes Afoot for FCPA and Anti-Bribery Enforcement?”

Deputy Attorney General Announces Changes to DOJ Criminal Enforcement Policies

In a sign of an increasingly tough approach to corporate enforcement generally, on October 28, 2021, Deputy Attorney General Lisa O. Monaco announced that DOJ is modifying certain corporate criminal enforcement policies.  Specifically, these policy changes:  (1) restore prior guidance concerning the need for corporations to provide non-privileged information about all individuals involved in misconduct (not just those substantially involved) in order to receive cooperation credit; (2) require prosecutors to consider a corporation’s full criminal, civil, and regulatory record in making charging decisions (not just conduct related to the misconduct at issue in the present case); and (3) make clear that there is no general presumption against monitorships and prosecutors are free to require the imposition of a corporate monitor whenever they determine it appropriate.  Further, Monaco highlighted DOJ’s increasing scrutiny of companies that have received pretrial diversion (such as deferred or non-prosecution agreements) in the past, including to determine whether they continue their criminal conduct during the period of those agreements.  Close in time to Monaco’s speech, several companies announced that DOJ is investigating breach allegations, including in the FCPA context an announcement by Telefonaktiebolaget LM Ericsson that DOJ determined the company breached its obligations under its deferred prosecution agreement covered in our 2019 Year-End FCPA Update.

Although these policy changes concern general corporate criminal enforcement, they touch closely upon corporate FCPA matters.  For further details on Deputy Attorney General Monaco’s speech, please see our recent Client Alert, “Deputy Attorney General Announces Important Changes to DOJ’s Corporate Criminal Enforcement Policies.”

2021 FCPA-RELATED ENFORCEMENT LITIGATION

Following the filing of FCPA or FCPA-related charges, criminal and civil enforcement proceedings can often take years to wind through the courts.  A selection of prior-year matters that saw material enforcement litigation developments during 2021 follows.

Two Alleged Fugitives Challenge Their Indictments from Abroad

A recurring theme in FCPA investigations is indictments returned and sometimes unsealed while the defendant is abroad.  A frequently litigated issue that arises in these circumstances is whether the defendant is able to challenge the charges—frequently on jurisdictional grounds—from abroad without submitting themselves physically to the Court’s jurisdiction.  Courts have reached differing conclusions on whether these challenges are barred by the so-called “fugitive disentitlement” doctrine, including two district court decisions from different circuit courts of appeal going in opposite directions in 2021.

On March 18, 2021, the Honorable Robert N. Scola, Jr. of the U.S. District Court for the Southern District of Florida denied a motion to enter a special appearance and challenge the indictment filed by Alex Nain Saab Moran, a joint Colombian and Venezuelan national charged with money laundering offenses in connection with a $350 million construction-related bribery scheme in Venezuela as covered in our 2019 Year-End FCPA Update.  In January 2021, 18 months after the indictment was returned, Saab moved to vacate his fugitive status with leave to challenge his indictment on the grounds that he is a Venezuelan diplomat entitled to absolute immunity under the Vienna Convention on Diplomatic Relations, as well as that the indictment does not state an offense given Saab’s lack of connection to the United States.  Saab’s motion followed his arrest in the Republic of Cape Verde, where he was detained as his plane stopped for refueling en route from Venezuela to Iran based on an INTERPOL “red notice” request filed by the United States.

Saab argued that the fugitive disentitlement doctrine should not apply because he was not in the United States when the indictment was returned—indeed he asserted he had not been to the United States in nearly three decades, long before the alleged criminal activity—and therefore he could not be correctly described as a fugitive who fled the charges.  But Judge Scola disagreed, holding that a defendant who is aware of an indictment and does not appear in court to answer the charges is a fugitive regardless of whether they affirmatively fled the United States to avoid the charges—this concept is known in the Eleventh Circuit as “constructive flight.”  The Court denied the motion for a special appearance and declined to consider the substantive motion to dismiss.

Saab has appealed the district court’s ruling, and DOJ has moved to dismiss the appeal.  Meanwhile, the Republic of Cabo Verde granted the extradition request and transferred Saab to the United States, where he is now being detained pending trial.  To fulfill a condition of the extradition, DOJ dismissed seven of the eight counts against Saab to ensure that the maximum term of imprisonment is consistent with Cabo Verde law.

The case of Daisy Teresa Rafoi Bleuler—a Swiss citizen and wealth manager charged with FCPA and money laundering offenses arising from the transfer of allegedly corrupt proceeds associated with a PDVSA-related bribery scheme covered in our 2019 Year-End FCPA Update—turned out very differently under Fifth Circuit law.  Rafoi was arrested by Italian authorities, again on a U.S.-initiated INTERPOL red notice request, as she vacationed with family in Lake Como. As she underwent extradition proceedings, first in Italy and then in Switzerland, Rafoi filed a motion to dismiss the indictment on jurisdictional grounds.

In an opinion dated November 10, 2021, the Honorable Kenneth M. Hoyt of the U.S. District Court for the Southern District of Texas made short work of the government’s argument that Rafoi’s motion should not be heard under the fugitive disentitlement doctrine.  The Court held that fugitive disentitlement is a discretionary doctrine, and found that where a foreign national challenges the applicability of U.S. law to their actions, without having affirmatively fled the United States, they should be permitted to do so from abroad.  Moving to the merits of the motion to dismiss, Judge Hoyt found that as a matter of law the indictment was deficient in alleging any action by Rafoi in the territory of the United States such as to bring her within the scope of 15 U.S.C. § 78dd-3, that she acted as an agent of U.S. persons under 15 U.S.C. § 78dd-2, or that she engaged in any financial transactions subject to U.S. jurisdiction under the money laundering statutes.  Fundamentally, the Court found that neither the FCPA nor the money laundering statutes should be read so broadly as to apply to foreign nationals acting completely outside the United States, and that any other interpretation would lead to serious constitutional due process concerns under the “void for vagueness” doctrine.

On December 7, 2021, DOJ noticed an appeal to the U.S. Court of Appeals for the Fifth Circuit.  We expect this appeal could lead to an important appellate court ruling on the breadth of the FCPA and money laundering statutes as applied to foreign nationals in 2022, likely to be joined by the heavily-anticipated revisitation of the Hoskins case by the Second Circuit Court of Appeals, covered in our 2020 Mid-Year FCPA Update and still pending after an August 17, 2021 argument.

Roger Ng Motion to Dismiss Denied

We reported in our 2018 Year-End FCPA Update on the indictment of former Goldman Sachs banker “Roger” Ng Chong Hwa on FCPA bribery and money laundering conspiracy charges arising from the 1Malaysia Development Berhad (“1MDB”) scandal in Malaysia.  In October 2020, after being extradited to the United States to face these charges, Ng filed a comprehensive motion to dismiss, arguing:  (1) the superseding indictment returned after his extradition from Malaysia violated the “rule of specialty,” which prohibits material changes to charges post-extradition; (2) venue in the Eastern District of New York was insufficiently alleged in the indictment; (3) the indictment did not meet the requirement of alleging that he was an “agent of an issuer” because the “U.S. Financial Institution #1” described in the indictment—meant to refer to Goldman Sachs—was in fact an “artificial combination” between various Goldman Sachs entities; (4) he could not have circumvented Goldman Sachs’s internal accounting controls because the alleged bribes were paid with 1MDB funds, rather than money from Goldman Sachs; (5) the money laundering count was deficient because it did not specify the particular Malaysia bribery statute alleged to have been violated as the requisite specified unlawful activity; (6) the so-called “silence provision” in Goldman Sachs’s deferred prosecution agreement—a standard term that prohibits companies from contradicting the admitted statement of facts—violated his constitutional right to call witnesses in his defense; and (7) he was entitled to Brady disclosures from Goldman Sachs because the bank’s cooperation with DOJ made it a part of the “prosecution team.”

In September 2021, the Honorable Margo Brodie of the U.S. District Court for the Eastern District of New York denied Ng’s motion to dismiss in its entirety in an equally comprehensive, 160-page memorandum opinion.  Trial is currently scheduled to commence in February 2022.

SEC Imposes $35,000 Civil Penalty—In a Case from 2016

We reported in our 2016 Year-End FCPA Update on the SEC’s enforcement action against former Och-Ziff CFO Joel M. Frank in which, without admitting or denying the SEC’s findings, Frank agreed to cease and desist from future violations of the FCPA’s books-and-records and internal controls provisions.  The parties further agreed that Frank would pay a civil penalty, but in an unusual move left for another day the determination of the penalty amount.  That other day came four-and-a-half years later, on March 16, 2021, when the SEC published a new cease-and-desist order imposing a $35,000 civil penalty.  The new order also softened some of the allegations against Frank, acknowledging that he “expressed objections” regarding certain of the payments in question, while still taking the position that because Frank allegedly “had final signing authority” for all expenditures he was responsible for causing the company’s accounting violations.

Baptiste and Boncy FCPA Convictions Reversed for Ineffective Assistance of Counsel

We reported in our 2019 Year-End and then 2020 Mid-Year FCPA updates on the jury trial convictions of retired U.S. Army colonel Joseph Baptiste and businessperson Roger Richard Boncy on conspiracy to violate the FCPA and the Travel Act arising from an FBI sting simulating a bribery scheme involving Haitian port project investments, followed by the post-trial grant of a new trial to both defendants based on the ineffective assistance of Baptiste’s counsel infecting the fundamental fairness of the joint trial.  DOJ appealed the new trial grants but, on August 9, 2021, the U.S. Court of Appeals for the First Circuit affirmed the district court’s ruling.

On appeal DOJ did not contest the lower court’s deficient-performance findings—which included that Baptiste’s counsel did not open discovery files or share them with his client, did not obtain independent translations of Haitian-Creole audio recordings even after learning of deficiencies in the government’s translations, and did not subpoena any defense witnesses, including experts who could have testified about Haitian law or business practices.  Instead, DOJ argued that the “overwhelming” evidence against both defendants was so strong that there was no prejudice based on the deficient performance of Baptiste’s counsel, and even if there was that prejudice did not extend to Boncy, whose counsel was competent.  Writing for the First Circuit panel, the Honorable O. Rogeriee Thompson disagreed and held that the focus of Fifth and Sixth Amendment rights to due process and counsel is on the fundamental fairness of the proceeding, which clearly was undermined for both defendants based on the deficient performance of one defendant’s counsel.  Both cases have been remanded to the district court and a joint retrial is currently set for July 2022.

2021 FCPA-RELATED LEGISLATIVE AND POLICY DEVELOPMENTS

In addition to the enforcement developments covered above, 2021 saw numerous important developments in FCPA-related legislative and policy areas.

Congress Strengthens SEC Disgorgement Authority

On January 1, 2021, Congress passed the National Defense Authorization Act (“NDAA”) for the 60th consecutive year, overriding a presidential veto from then-President Trump.  Included within the nearly 1,500 pages of omnibus legislation, at Section 6501, is an expansion of the SEC’s statutory authority to seek disgorgement.  These revisions are clearly a response to recent Supreme Court decisions in Kokesh v. SEC and Liu v. SEC, both of which narrowed the scope of the SEC’s disgorgement power, which (as our readership knows) is a critical driver of the SEC’s ability to penalize corporate and individual misconduct, including in FCPA cases.  The Section 6501 changes explicitly authorize the SEC to seek disgorgement in cases filed in federal court, eliminating any residual doubt after Liu.  They also extend the statute of limitations from five years to ten years for SEC enforcement actions based on scienter-based claims, a change which applies to both pending cases and enforcement actions initiated after the passage of the NDAA.  For further details regarding the impact of Section 6501, please consult our separate Client Alert “Congress Buries Expansion of SEC Disgorgement Authority in Annual Defense Budget.”

Congress Passes Comprehensive Anti-Money Laundering Legislation

The NDAA also included the Anti-Money Laundering Act of 2020 (“AMLA”), which enacted the most consequential set of anti-money laundering reforms since the passage of the USA PATRIOT Act in 2001.  As our readership knows, U.S. enforcers increasingly use the money laundering laws to prosecute and pursue proceeds of corruption passed through the U.S. financial system.  The AMLA strengthens the government’s ability to investigate and prosecute corruption-related money laundering.  Specifically, to limit the practice of using shell companies to launder ill-gotten gains, the AMLA implemented beneficial ownership reporting requirements for certain U.S. entities and foreign entities registered to do business in the United States and tasked the Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) with maintaining a beneficial ownership registry of such reported information, which will be available for use by law enforcement agencies.  Other changes made by the AMLA include enhancing the government’s ability to investigate money laundering, including by expanding DOJ’s authority to subpoena foreign banks with U.S.-based correspondent banking accounts.  For a detailed summary of the most significant changes enacted by the AMLA, please see our separate Client Alert, “The Top 10 Takeaways for Financial Institutions from the Anti-Money Laundering Act of 2020.”

FinCEN Identifies Corruption as a Key National Priority

On June 30, 2021, FinCEN announced its first set of government-wide anti-money laundering and countering the financing of terrorism priorities, which will be updated every four years pursuant to the AMLA.  FinCEN developed these priorities in consultation with federal and state regulators, law enforcement, and national security agencies.  In its announcement, FinCEN explained that these priorities were meant to identify and describe the most significant money laundering and terrorist financing threats currently facing the United States to both signal FinCEN’s upcoming regulatory priorities and to provide guidance to covered institutions in developing and updating their compliance programs.  Although FinCEN’s announcement stated that the priorities were listed in no particular order, it bears noting that corruption was the first priority listed.  Consistent with other statements by the U.S. government in 2021, as reported herein, FinCEN identified anti-corruption as “a core national security interest of the United States,” in which anti-money laundering regulation and enforcement plays a crucial role.

New IRS Treatment of FCPA Disgorgement Payments

The U.S. Internal Revenue Service (“IRS”) has long prohibited tax deductions for fines or penalties paid to the government for unlawful conduct, including violations of the FCPA.  But a question has arisen over the years as to whether disgorgement and forfeiture constitute a fine or penalty such that it is non-deductible.  As covered in our 2017 Year-End FCPA Update, the IRS answered that question in the affirmative, issuing an advice memorandum opining that consistent with the Supreme Court’s decision in Kokesh v. SEC, disgorgement is equivalent to a penalty.  The December 2017 Tax Cuts and Jobs Act, however, revised the Internal Revenue Code to make an exception for amounts paid to the government for restitution, remediation, or to come into compliance with the law.  In January 2021, the IRS issued a finalized rule in response to this law, which sets out a multi-factored inquiry to determine whether an amount paid in disgorgement or forfeiture is deductible as restitution or remediation.  The requirements are quite stringent and generally inconsistent with DOJ / SEC practice in FCPA resolutions, including a requirement that the payments must be made directly to victims rather than to the U.S. Treasury, potentially continuing to limit the ability of companies to deduct amounts paid as disgorgement or forfeiture in an FCPA enforcement action.

2021 FCPA-RELATED PRIVATE CIVIL LITIGATION

Although the FCPA does not provide for a private right of action, civil litigants have pursued a variety of causes of action in connection with FCPA-related conduct, with varying degrees of success.  A selection of matters with material developments in 2021 follows.

Shareholder Lawsuits / Class Actions

  • MTS – As covered in our 2019 Year-End FCPA Update, Russian telecommunications company and U.S. issuer Mobile TeleSystems PJSC (“MTS”) reached an $850 million joint FCPA resolution with the SEC and DOJ to resolve allegations of corrupt payments to the daughter of the late Uzbek president, to facilitate access to the telecommunications market in Uzbekistan. Shortly after the announcement of this settlement, a class action suit was filed against MTS and several individual defendants in the U.S. District Court for the Eastern District of New York, alleging that MTS issued false and misleading statements about the company’s inability to predict the outcome of the U.S. government’s investigations into its Uzbekistan operations, the effectiveness of the company’s internal controls and compliance systems, and its level of cooperation with U.S. regulatory agencies.  On March 1, 2021, the Honorable Ann M. Donnelly dismissed the lawsuit, finding that the plaintiffs did not demonstrate that the challenged statements were false or misleading, that MTS could not have predicted the outcome of the investigation, and that its disclosures about the existence of the investigation were not insufficient.  Plaintiffs have appealed the dismissal to the Second Circuit Court of Appeals, and the case is currently set for argument in March 2022.
  • VEON – We covered in our 2016 Mid-Year FCPA Update an FCPA resolution by then-VimpelCom Ltd. (now VEON Ltd.) in connection with the same Uzbek fact pattern described above for MTS. VEON also found itself faced with a putative class action arising from alleged material omissions in securities filings relating to the adequacy of its internal controls, which also was dismissed in 2021.  Specifically, on March 11, the Honorable Andrew L. Carter of the U.S. District Court for the Southern District of New York granted VEON’s motion to dismiss finding that the plaintiffs failed to establish that the company omitted material facts that it had a duty to disclose.  This mooted the case as to lead plaintiffs, but the Court reopened the lead plaintiff appointment process, which remains ongoing.
  • IFF – In 2018, following an acquisition of Israel-based Frutarom Industries Ltd, International Flavors & Fragrances, Inc. (“IFF”) disclosed that during the integration process it learned that pre-acquisition Frutarom executives had made improper payments in Russia and Ukraine, and that IFF had disclosed the matter to DOJ. Shareholders brought suit against IFF, Frutarom, and certain executives, claiming they lost millions of dollars when the news became public and IFF’s share price dropped.  On March 30, 2021, the Honorable Naomi Reice Buchwald of the U.S. District Court for the Southern District of New York dismissed the lawsuit, explaining that the investors failed to show how they were misled by IFF, failed to allege improper conduct during the putative class period, and failed even to adequately allege how the payments by the Israeli company Frutarom violated U.S. law.  The plaintiff shareholders have appealed aspects of the decision to the Second Circuit, with oral arguments scheduled for February 2022.
  • 500.com – In 2020, shareholders brought suit against Chinese online gaming company and U.S. issuer 500.com Ltd., alleging that company executives made improper payments to Japanese government officials to secure a lucrative gaming license, and then made misrepresentations concerning the same in the company’s public filings, including filings containing the text of its code of conduct. On September 20, 2021, the Honorable Gary R. Brown of the U.S. District Court for the Eastern District of New York granted 500.com’s motion to dismiss, adopting the report and recommendation of Magistrate Judge A. Kathleen Tomlinson.  The two decisions together note that only in rare circumstances have courts permitted statements in a code of conduct to survive motions to dismiss and in those rare cases, the statements were made in response to inquiries or challenges to the company’s conduct rather than general, aspirational statements about how the company expects its employees to act.  Regarding the alleged misstatements or omissions unrelated to the code of conduct, Judge Tomlinson found that the plaintiff failed to allege scienter adequately and that 500.com was not obligated to disclose uncharged wrongdoing.
  • OSI – As reported in our 2019 Year-End FCPA Update, OSI Systems, Inc. succeeded in dismissing a putative class action lawsuit that arose from a short-seller’s report relating to alleged corruption in connection with an Albanian scanning contract (the underlying conduct of which was declined for prosecution by DOJ and the SEC), but plaintiffs were given leave to amend. Amend they did, and on October 22, 2021, OSI agreed to a $12.5 million settlement to resolve the matter.  The October 2021 settlement agreement has received preliminary approval from the Honorable Fernando M. Olguin of the U.S. District Court for the Central District of California, and a final fairness hearing is scheduled for May 2022.
  • Cognizant – Another FCPA enforcement case we covered in our 2019 Year-End FCPA Update that wound its way towards a private civil resolution in 2021 concerns Cognizant Technology Solutions Corporation. Following an SEC FCPA resolution and DOJ declination with disgorgement arising from an alleged bribery scheme in India, a putative class of investors sued Cognizant in the U.S. District Court for the District of New Jersey.  On September 7, 2021, Cognizant reached an agreement-in-principle to a $95 million settlement of the matter, which was approved by the Honorable Esther Salas on December 20, 2021.

Civil Fraud / RICO Actions

  • Samsung – We covered in our 2019 Year-End FCPA Update a DOJ FCPA resolution reached by Samsung Heavy Industries Co., Ltd. arising from alleged corruption of Petrobras officials in the “Operation Car Wash” investigation. Also in 2019, Petrobras’s U.S. subsidiary filed a RICO / common-law fraud complaint against Samsung in Texas state court, which Samsung removed to federal district court and moved to dismiss.  In June 2020, the district court dismissed the complaint on statute-of-limitation grounds, but on August 11, 2021 the U.S. Court of Appeals for the Fifth Circuit revived the case, finding that when Petrobras learned (or should have learned) of the corruption allegations such as to begin the clock was a dispute of fact and that Samsung had not conclusively established that Petrobras’s claims accrued before Petrobras filed its complaint.  Following the Fifth Circuit’s remand, the case is now back before the Honorable Lee H. Rosenthal of the U.S. District Court for the Southern District of Texas.
  • Ericsson – In an unfiled (but still quite noteworthy) action, on May 12, 2021 Telefonaktiebolaget LM Ericsson announced that it had reached an agreement to pay competitor Nokia Corporation $97 million to settle potential damages claims arising from the events that were the subject of Ericsson’s 2019 FCPA resolution with DOJ and the SEC. That resolution, covered in our 2019 Year-End FCPA Update, resulted in more than $1 billion in fines for alleged FCPA violations in China, Djibouti, Indonesia, Kuwait, Saudi Arabia, and Vietnam.  There are no public details about Nokia’s claims, but it would seem that the case was predicated on Nokia losing out on competitive bids due to Ericsson’s alleged corruption.

Whistleblower Actions

  • Western Digital – On June 25, 2021, Chief Judge Richard Seeborg of the U.S. District Court for the Northern District of California granted Western Digital Corp.’s motion to dismiss a bribery-related whistleblower lawsuit for lack of jurisdiction and failure to state a claim. The lawsuit was brought by a Brazilian citizen formerly employed by Western Digital’s Brazilian subsidiary, who alleged that he was terminated in retaliation for raising bribery and tax fraud concerns in violation of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank”).  In dismissing the case, the Court held that Dodd-Frank’s anti-retaliation provision does not apply to overseas conduct.  Moreover, the Court held that, even if the claim alleged domestic wrongdoing, the former employee “failed to allege sufficient facts to give rise to a plausible inference that he suffered adverse employment actions in retaliation for whistleblowing” given the length of time between his report and his termination and the fact that he caused the company to be victimized by a phishing scam close in time to his firing.

2021 INTERNATIONAL ANTI-CORRUPTION DEVELOPMENTS

Multilateral Development Banks

U.S. Federal Court Reinforces World Bank Sovereign Immunity

In our 2016 Year-End FCPA Update, we discussed the landmark Canadian Supreme Court decision in World Bank Group v. Wallace, which concluded that the Bank had not waived its privileges and immunities by providing evidence gathered in a Bank investigation to national law enforcement authorities.  On April 5, 2021, Chief Judge Beryl A. Howell of the U.S. District Court for the District of Columbia reached a similar conclusion in a lawsuit filed by businessmen Noah J. Rosenkrantz and Christopher Thibedeau against the Inter-American Development Bank (“IDB”) asserting that the internal sanctions proceedings against their company failed to comply with the sanctions procedures governing such proceedings, in violation of its contractual obligations.  In dismissing the lawsuit, the Court held that the IDB is immune from suit in U.S. federal court as a sovereign entity and emphasized, like the Canadian court in Wallace, that a contrary ruling would undermine the Bank’s ability to carry out its mission.  The plaintiffs have appealed the dismissal to the U.S. Court of Appeals for the District of Columbia Circuit.

Europe

United Kingdom

WGPSN (Holdings)

On March 16, 2021, Scotland’s Crown Office and Procurator Fiscal Service announced that WGPSN, a subsidiary of John Wood Group PLC, agreed to pay £6.46 million to Scotland’s Civil Recovery Unit to resolve allegations that PSNA Limited, a company WGPSN had acquired, benefitted from improper payments to secure contracts in Kazakhstan.  These payments were allegedly made between 2012 and 2015, all prior to WGPSN’s acquisition, and when discovered by WGPSN were voluntarily reported to Scottish authorities.

GPT Special Project Management Ltd.

On April 28, 2021, the UK Serious Fraud Office (“SFO”) announced that Airbus subsidiary GPT Special Project Management pleaded guilty to corruption in violation of section 1 of the Prevention of Corruption Act 1906 and was ordered to pay a confiscation order of £20,603,000, a fine of £7,521,920, and costs of £2,200,000.  The charges arise from alleged improper payments involving the Saudi Arabian National Guard.  In setting the penalty, Justice Bryan at Southwark Crown Court considered GPT’s guilty plea, the fact that it no longer is in operation, the company’s cooperation with the SFO’s investigation, and the UK government’s role in facilitating the conduct.  Also relevant was the fact that parent company Airbus entered into a $3.9 billion deferred prosecution agreement in January 2020 (as covered in our 2020 Mid-Year FCPA Update).

Amec Foster Wheeler Energy Ltd.

As covered above, on June 25, 2021 Amec Foster Wheeler reached a coordinated anti-corruption resolution with UK, U.S., and Brazilian authorities.  The U.S. and Brazilian cases related only to Brazil, while the UK case brought by the SFO is broader and covers alleged corrupt payments between 1996 and 2014 in India, Nigeria, Saudi Arabia, and Malaysia, as well as Brazil.  Pursuant to a three-year deferred prosecution agreement approved by Lord Justice Edis, sitting at the Royal Courts of Justice, Amec Foster Wheeler agreed to pay £103 million in connection with a 10-count indictment, including nine counts of violating Section 1 of the Criminal Law Act 1977 and Section 1 of the Prevention of Corruption Act 1906 and one count of failure to prevent bribery under Section 7 of the Bribery Act 2010.

Petrofac Ltd.

On October 1, 2021, the SFO secured the conviction of Petrofac for seven separate counts of failure to prevent bribery between 2011 and 2017.  Petrofac admitted to failing to prevent former senior executives of the group’s subsidiaries from using agents to pay bribes of £32 million to win oil contracts in Iraq, Saudi Arabia, and the United Arab Emirates worth approximately £2.6 billion.  Petrofac will pay a confiscation order of £22.8 million; a fine of approximately £47.2 million; and the SFO’s investigation costs of £7 million.  On the same day, Petrofac’s former Global Head of Sales David Lufkin was sentenced to a two-year custodial sentence, suspended for 18 months, as a result of his January 14, 2021, guilty plea admitting to three individual counts of bribery related to corrupt offers and payments made between 2012 and 2018 to influence the award of contracts to Petrofac in the United Arab Emirates.  Lufkin had previously pleaded guilty in February 2019 to 11 counts of bribery already brought by the SFO (as discussed in our 2019 Year-End FCPA Update).

Unaoil Individual Prosecutions

On February 24, 2021, the SFO secured the conviction of former SBM Offshore executive Paul Bond arising out of his role in allegedly conspiring to bribe public officials to secure oil contracts from Iraq’s South Oil Company in the years following the overthrow of Saddam Hussein in 2003.  A jury found the former senior sales manager guilty on two counts of conspiracy to give corrupt payments following a retrial of his case.  On March 1, 2021, Bond was sentenced to three-and-a-half years in prison, making him the fourth individual to be sentenced in the case involving Iraq’s South Oil Company, which forms part of the SFO’s broader investigation into bribery at Unaoil. As covered in our 2020 Year-End FCPA Update, Bond’s three co-defendants have been sentenced to a collective total of 11 years and four months in prison.

On June 17, 2021, the SFO secured an approximately £402,000 confiscation order by consent against former Unaoil executive Basil Al Jarah.  And on November 3, 2021, Stephen Whiteley, former Vice President at SBM Offshore and Unaoil’s territory manager for Iraq, was ordered to repay criminal gains of £100,000.

In a judgement handed down on December 10, 2021, the UK Court of Appeal quashed the conviction of Ziad Akle, another Unaoil executive who was convicted in 2020 of conspiracy to give corrupt payments as covered in our 2020 Year-End FCPA Update.  The Court criticized the SFO for its contact with a U.S.-based “fixer” who had offered to assist in obtaining the convictions of related parties.  The Court also found that the SFO had failed to disclose material relating to that contact, which was necessary for the defense to properly bring its case.  The Court refused an application for a retrial on the grounds of the SFO’s misconduct.  The UK Attorney General has since announced an independent review into the matter.  Bond has appealed his conviction on the same grounds as Akle.

SFO Deferred Prosecution Agreements with Two Unidentified Companies

On July 19, 2021, the SFO entered into separate deferred prosecution agreements with two UK-based companies for bribery offenses.  The SFO did not identify the companies because the investigations are ongoing, but confirmed that the criminal conduct saw bribes paid in relation to multi-million pound UK contracts.  The two companies will pay more than £2.5 million between them, representing disgorgement of profits along with a financial penalty, and the SFO acknowledged that both companies fully cooperated.  We will report back on these agreements when the companies’ names are made public.

France

A bill to strengthen the fight against corruption in France was registered at the French National Assembly on October 19, 2021.  The bill outlines several proposals concerning the French Anti-Corruption Agency (“AFA”), the extension of anti-corruption obligations of public and private actors, the regulation of lobbying, and negotiated justice.  Among other things, the bill would extend anti-corruption obligations to subsidiaries of large foreign organizations.  The text also would make companies and public entities (other than the French State) criminally liable if a lack of supervision led to the commission of one or more offenses by an employee.

Italy

After more than three years of proceedings, in March 2021 an Italian court acquitted oil companies Royal Dutch Shell and Eni SpA, as well as a number of individuals, including the Eni CEO, of charges that they paid more than $1 billion to acquire the license to an offshore block in Nigeria.  Prosecutors alleged that the money was intended as bribes, while the companies successfully defended with evidence that the payment was legitimate and intended to resolve long-running disputes as to the block’s ownership.

Kyrgyzstan

On May 31, 2021, Kyrgyzstan’s State Committee for National Security announced the arrest of former Prime Minister Omurbek Babanov as part of an investigation into corruption involving a gold mine project in Kumtor.  The project was operated by Canadian company Centerra Gold until the Kyrgyz government took it over, citing a new law allowing it to take control of a project for up to three months due to environmental or safety violations.  The Kumtor mine accounts for more than 12% of the national economy, according to Centerra, which has denounced the Kyrgyz government’s seizure.

Norway

In our 2015 Year-End FCPA Update, we reported that several senior level officers of Norwegian fertilizer manufacturer Yara International ASA were sentenced to prison in Norway for their role in an alleged scheme to pay bribes to government officials in India, Libya, and Russia.  The former chief legal officer in particular, U.S. citizen Kendrick Wallace, received a two-and-a-half year prison sentence for his role.  In 2017 the Norwegian appeals court upheld Wallace’s conviction and revised his sentence to seven years, finding that his conduct had been “very central” to the alleged scheme.

Norway subsequently submitted a request for extradition of Wallace.  On June 11, 2021, the Honorable Sean P. Flynn, Magistrate Judge of the U.S. District Court for the Middle District of Florida, denied the request.  The Court found that “Wallace cannot be extradited because the prosecution for the offense of which extradition is sought has become barred by lapse of time according to the laws of the United States.”  Specifically, the Court found that while Wallace’s crimes were committed in 2007, he was indicted in 2014, exceeding the applicable five-year statute of limitations in the United States.  The DOJ provided evidence that Norway sought evidence pursuant to Mutual Legal Assistance Treaty requests—which would toll the statute of limitations in the United States pursuant to 18 U.S.C. § 3292—but the Court found the specific evidentiary showing lacking, and ordered Wallace’s release from custody.

Russia

The Russian Federation Prosecutor General’s office reported nearly 30,000 corruption-related crimes in the first nine months of 2021, a 12.7% increase as compared to the same period a year ago, with bribery accounting for more than half of all corruption-related offenses.  The reported damage caused by corruption-related crimes also increased from 45 billion rubles (approximately $612 million) to 53 billion rubles (approximately $719 million).  In 2020, the number of corruption-related convictions of Russian officials was at an eight-year low of just under 7,000, a continuous decline from a high of approximately 11,500 in 2015, but the number of convictions stemming from large-scale bribes, defined as greater than one million rubles (approximately $13,700), has increased 12-fold since 2012.

On the legislative front, on October 1, 2021, the Russian Duma approved the National Plan For Countering Corruption through 2024.  This plan prioritizes prohibiting anyone who has been fined for corrupt activities from holding government positions, improving the procedures for the submission and auditing of government employees’ asset declarations, implementing technology to combat corruption, instituting anti-corruption regulations involving the purchase of goods and services for government/municipal use, monitoring international agreements for cooperation in fighting corruption, and employing Duma deputies to participate in an inter-parliamentary organization aimed at preventing corruption.

And on the judicial front, on June 9, 2021, a Moscow court issued a decision classifying activist Alexei Navalny’s political organization, the Anti-Corruption Foundation (“ACF”), as an “extremist” movement.  Under the applicable “anti-extremism” law, authorities can jail ACF members and freeze their assets, and those associated with the group cannot run for public office.  On August 10, 2021, Russia’s financial watchdog—the Federal Financial Monitoring Service—also added ACF to its blacklist of groups accused of extremist activities or terrorism, which freezes the organization’s bank account and prevents ACF from opening new accounts.

Sweden

In our 2019 Year-End FCPA Update, we covered the trial acquittal in Sweden of three former Telia executives—former CEO Lars Nyberg, former deputy CEO and head of Eurasia unit Tero Kivisaari, and former general counsel for the Eurasia unit Olli Tuohimaa—on charges of bribing Uzbekistan’s then-first daughter Gulnara Karimova in exchange for telecommunications contracts in Uzbekistan.  In February 2021, a Swedish appeals court upheld the acquittals, agreeing that Karimova, the daughter of Uzbekistan’s former president, was not a government official under Swedish law.

Switzerland

In January 2021, a Swiss court convicted Beny Steinmetz of 2019 charges (discussed in our 2019 Year-End FCPA Update) of paying bribes to the wife of former Guinean President Lansana Conté and of related forgery to obtain a mining concession.  He was sentenced to five years in prison and ordered to pay a CHF 50 million fine (~ $56.5 million).

In November 2021, three Swiss subsidiaries of Netherlands-based SBM Offshore were ordered to pay more than CHF 7 million (~ $7.6 million) for failing to prevent the bribery of public officials in Angola, Equatorial Guinea, and Nigeria between 2006 and 2012.  The Office of the Attorney General of Switzerland found that these companies had entered into sham contracts with shell companies to pay more than $22 million in bribes.  The Office of the Attorney General alleged that, in light of the “extent and duration of the acts of corruption,” the companies’ risk assessment measures and anti-corruption controls were “either non-existent, or wholly inadequate.”  This order is in addition to the more than $800 million that SBM Offshore has already paid to resolve corruption probes dating back to its 2017 FCPA resolutions reported in our 2017 Year-End FCPA Update.

Ukraine

Ukrainian President Zelensky’s focus in the first half of 2021 was on securing the release of the remainder of a $5-billion IMF loan to bolster Ukraine’s economy.  After a six-week virtual mission to Ukraine in the beginning of 2021, the IMF refused to release the funds in what some viewed as an indication that Ukraine had not met the IMF’s expectations for tackling corruption.  Following this refusal, in June 2021, Ukraine’s parliament, the Verkhovna Rada, passed two bills:  the first reestablished the High Judicial Council, a special commission on appointing judges that will be majority-comprised of international experts; and pursuant to the second bill, public officials who fail to submit or submit false income or asset declarations could face prison sentences.  Additionally, on November 8, 2021, President Zelensky signed into law amendments to legislation that provide for the independence of the anti-corruption bureau (“NABU”).  Subsequently, on November 22, 2021, following a review by its Executive Board, the IMF announced that Ukrainian authorities would be allowed to draw on an additional $699 million.

The Americas

Brazil

In February 2021, President Bolsonaro disbanded Operation Car Wash, one of the most prolific anti-corruption investigations of all time and a staple of these updates for years.  Operation Car Wash led to dozens of convictions, many prominent enforcement actions, and hundreds of millions of dollars in penalties within Brazil and billions of dollars globally.  Still, the ripples of Operation Car Wash continued throughout the year.  For example, on February 22, 2021, Korean engineering company Samsung Heavy Industries Co., Ltd. entered into a leniency agreement in Brazil to resolve allegations concerning contracts with Petróleo Brasileiro S.A. (Petrobras).  Samsung Heavy Industries, as covered in our 2019 Year-End FCPA Update, previously in November 2019 entered into a deferred prosecution agreement with DOJ and agreed to pay a $75.5 million criminal fine to resolve FCPA anti-bribery conspiracy charges arising from the company’s alleged provision of $20 million to an intermediary, while knowing that some or all of that amount would be paid to officials at Petrobras.  Half of the U.S. criminal fine was to be credited to a parallel resolution with Brazilian authorities.  In connection with the Brazilian leniency agreement, Samsung Heavy Industries agreed to pay approximately R$ 706 million in damages to Petrobras together with R$ 106 million in fines.  And on April 15, 2021, Brazil’s Supreme Court upheld a ruling annulling one of the most notable convictions resulting from Operation Car Wash—that of former President Luiz Inácio Lula da Silva, on grounds that the lower court in which Lula was tried did not have jurisdiction.  The case was transferred to a federal court for retrial and, should no conviction follow, Lula will be able to run for presidential office in the upcoming 2022 election.

In August 2021, Brazil’s Federal Prosecution Service (“MPF”) filed a criminal complaint against two executives at French engineering company Doris Group over allegedly corrupt activity concerning platform vessel contracts totaling more than $200 million.  The MPF also charged a former treasurer of Brazil’s Workers’ Party and two associates for active and passive money laundering.  The executives allegedly paid bribes via a financial operator to a former manager of Petrobras and the former treasurer.  The financial operator and Petrobras manager both signed collaboration agreements with the MPF in which they confessed to their roles in the scheme and cooperated by providing relevant documents and information.

In September 2021, a review body within the São Paulo prosecutor’s office vacated a resolution prosecutors reached with EcoRodovias in 2020.  The now-nullified agreement was the culmination of a two-year bribery investigation into EcoRodovias and its subsidiaries concerning allegations that the companies engaged in a cartel that bribed public officials to obtain road concessions contracts between 1998 and 2015.  In signing the 2020 agreement, EcoRodovias admitted to paying bribes and agreed to pay a fine of $113.72 million.  The review body threw out the agreement due to a lack of evidence of illegal conduct.

And on October 27, 2021, Rolls Royce signed an agreement with Brazil’s Office of the Comptroller and Attorney General’s Office to pay $27.8 million to settle allegations that it bribed Brazilian public officials in connection with its contracts with Petrobras.  As covered in our 2017 Mid-Year FCPA Update, the company in 2017 previously agreed to pay more than $800 million through a global resolution with the SFO, DOJ, and MPF.  Under the new agreement, Brazilian officials will credit the $25.6 million that Rolls Royce paid to the MPF, leaving the company to pay another $2.2 million.

Canada

As reported in our 2019 Year-End FCPA Update, in September 2018 Canada passed legislation allowing deferred prosecution agreements for corporate offenders.  In 2019, following a long-running investigation into alleged bribery of Libyan officials, engineering and construction giant SNC-Lavalin became one of the first major companies to seek such an agreement.  Canadian prosecutors, however, reportedly were unwilling to negotiate with the company, and in 2021, prosecutors charged the company with several offenses, including fraud against the government.  The Royal Canadian Mounted Police also arrested two former executives and charged them with fraud and forgery offenses tied to the investigation.  The company has publicly stated that it is cooperating with the investigation and that prosecutors have invited it to negotiate a settlement.  According to SNC-Lavalin, it is the first company to receive such an offer.

In August 2021, the Court of Appeal for Ontario threw out the bribery convictions of two former employees of Cryptometrics.  As discussed in our 2019 Year-End FCPA Update, following trial in 2018, U.S. citizen Robert Barra and UK citizen Shailesh Govindia were sentenced to two-and-a-half years in prison for agreeing to bribe Indian aviation officials, including employees of Air India.  But the appellate court found a “reasonable possibility” that prosecutors delayed disclosing emails they exchanged with a principal witness—the former Cryptometrics COO—and that such delay unduly impacted the trial’s fairness.  The appellate court further found that the prosecution’s slow production of potentially exculpatory information, only after repeated requests from the defense, deprived the defense of the opportunity to conduct further lines of inquiry or obtain additional evidence.

Costa Rica

Costa Rican officials have been investigating an alleged scheme known as “Cochinilla,” involving allegations that certain construction companies bribed government officials to secure contracts to build public roads, resulting in approximately $125 million in misappropriated funds.  On June 14, 2021, the Costa Rican Judicial Investigation Police executed 57 search warrants and made 28 arrests in connection with the investigation, including at the Casa Presidencial, the National Highway Council, the Ministry of Public Works and Transport, and the Public Transport Council, as well as at private homes and at the offices of several construction companies.  In August 2021, the Judicial Investigation Police unearthed a trove of invoices apparently related to the investigation buried in a municipal cemetery.

Additionally, on November 16, 2021, six mayors—including the current mayors of San José, Escazú, Alajuela, Osa, and San Carlos—were arrested in connection with the “Diamante” investigation into public works corruption.  The Diamante investigators conducted more than 80 raids across the country in connection with the probe.

Ecuador

In April 2021, Ecuador’s Comptroller General Pablo Celi, former Oil Minister José Augusto Briones, and several others were arrested as part of the long-running investigation concerning Ecuador’s state-owned oil company Empresa Pública de Hidrocarburos del Ecuador (“PetroEcuador”).  The alleged scheme, covered previously in these pages, allegedly allowed contracting companies to charge PetroEcuador artificially inflated prices to supply fuel, with a percentage of the profits then kicked back to PetroEcuador executives.  Augusto died in his jail cell by apparent suicide while awaiting trial.

El Salvador

In July 2021, prosecutors in El Salvador issued an arrest warrant for former president Salvador Sánchez Cerén in connection with the “Public Looting” scam that allegedly occurred while Sánchez Cerén was serving as Vice President from 2009 to 2014.  The scandal allegedly involved $351 million in government funds illegally used to pay bonuses to government employees and their associates.  Two weeks after the warrant was issued, Sánchez Cerén and his family fled to Nicaragua.

Peru

In an offshoot of the Odebrecht investigation (covered in our 2019 Year-End FCPA Update), in May 2021 Peru’s Attorney General and National Public Prosecution Office announced a plea agreement with Peruvian real estate and construction company Aenza (formerly Graña y Montero), to resolve allegations that the company, two subsidiaries, and certain former employees were involved in corruption in connection with several public infrastructure projects in the country.  Under the agreement, Aenza will pay approximately $126 million to the state over several years.

Earlier, in March 2021, prosecutors charged former presidential candidate Keiko Fujimori with money laundering following a multi-year investigation into allegations that she received more than $1 million in bribes from Odebrecht during a prior presidential run.  Prosecutors are seeking a sentence of 30 years in prison, while Fujimori denies any wrongdoing.  In June 2021, Fujimori’s opponent in the presidential race claimed victory, which Fujimori disputed before conceding in August 2021.  The first hearing related to Fujimori’s trial began in late August 2021.

Finally, on September 28, 2021, Magistrate Judge Thomas Hixson of the U.S. District Court for the Northern District of California granted Peru’s request to extradite former Peruvian President Alejandro Toledo.  Peru had been seeking Toledo’s extradition since May 2018, and Toledo was arrested in 2019, in connection with alleged corruption and money laundering in an Odebrecht project for the construction of the Peru-Brazil Southern Interoceanic Highway.  In his ruling, Judge Hixson found that there was enough evidence to “establish probable cause to believe that Toledo committed collusion and money laundering.”  The Court said that this included testimony from Odebrecht’s former executive director in Peru, and Mr. Toledo’s admission during the extradition proceeding that he had received approximately $500,000 in Odebrecht bribes.

Asia

China

In 2020, China’s Supreme People’s Procuratorate (“SPP”) launched the first phase of a pilot program focusing on corporate criminal compliance.  Although China does not have a mechanism equivalent to a U.S.-style deferred prosecution agreement, the pilot program encourages local procuratorates to decline prosecutions or arrests for corporate criminal cases, or to propose lighter or suspended sentences, where companies are committed to making compliance enhancements and implementing remediation plans.  In April 2021, the SPP published the Work Plan on Launching the Pilot Program for Corporate Compliance Reform, which signals the launch of the second phase of the pilot program and its expansion to 10 provinces and cities, including Beijing, Shanghai, and Guangdong.  In June 2021, the SPP, along with eight other national authorities, issued the Guiding Opinions on Establishing a Third-Party Supervision and Evaluation Mechanism for the Compliance of Enterprises Involved in Criminal Cases (for Trial Implementation).  Under these guiding opinions, the SPP can refer a company that qualifies for the pilot program to a yet-unspecified third-party organization to investigate, evaluate, supervise, and inspect compliance commitments made by the company.  The SPP confirmed in a press release in June 2021 that bribery-related cases may qualify for leniency under the pilot program, citing an example concerning Shenzhen Y Technology Co., Ltd, an audio equipment supplier whose employee was suspected of bribing customers to secure advantages in the procurement process, but which the SPP decided not to prosecute in lieu of a compliance supervision agreement.

On September 20, 2021, the Supervision Law of the People’s Republic of China came into effect, with implementing regulations issued by the National Supervision Commission.  The National Supervision Commission was established in 2018 and is primarily responsible for supervising China’s anti-corruption efforts.  The Supervision Law seeks to standardize the National Supervision Commission’s work by setting forth the scope, jurisdiction, procedures, and oversight of China’s anti-corruption agencies.  In the same month, the National Supervision Commission, the Central Commission for Discipline Inspection (“CCDI”), and the SPP, among other government agencies, jointly issued a document titled “Opinions on Further Promoting the Investigation of Bribery and Acceptance of Bribes.”  These opinions emphasize the importance of investigating those offering bribes, which marks a turn for an enforcement regime that historically has focused predominately on those who accept improper payments.  These opinions also suggest that enforcement authorities should explore the implementation of a “blacklist” that would impose market restrictions on those that make improper payments, although implementing guidance on this “blacklist” proposal has yet to be issued.

Last but not least, 2021 saw a seismic shift in China’s data and privacy protection laws, with the developments likely to have far-reaching implications for cross-border investigations and litigation.  The Standing Committee of the National People’s Congress first passed the Data Security Law, which took effect on September 1, 2021.  Among other things, Article 36 of the Data Security Law prohibits “provid[ing] data stored within the People’s Republic of China to foreign judicial or law enforcement bodies without the approval of the competent authority of the People’s Republic of China.”  In August 2021, the Standing Committee of China’s National People’s Congress passed the Personal Information Protection Law (“PIPL”), which came into effect on November 1, 2021.  The PIPL is China’s first comprehensive legislation regulating personal data processing activities, and it shares many similarities with the EU’s General Data Protection Regulation, including, among other things, its extraterritorial reach, restrictions on data transfer, compliance obligations, and sanctions for non-compliance.  In October 2021, the Cyberspace Administration of China (“CAC”) published the “Draft Measures for Data Export Security Assessment” to regulate the export of data in accordance with the Cybersecurity Law, the Data Security Law, and the PIPL.  Under the Draft Measures, data processors must apply to the CAC for a “security assessment” of the outbound data in certain circumstances.  For a detailed analysis of these new legislative developments, please see our separate Client Alerts, “China Constricts Sharing of In-Country Corporate and Personal Data Through New Legislation” and “China Passes the Personal Information Protection Law, to Take Effect on November 1.”

Hong Kong

In May 2019, the Independent Commission Against Corruption (“ICAC”) charged Catherine Leung Kar-cheung, a former senior banker at JPMorgan Chase & Co., in connection with the long-running “Sons and Daughters” investigation.  The ICAC accused Leung of offering a job to the son of a logistics company chairperson in an effort to win a mandate for an initial public offering.  In January 2021, the district court acquitted Leung of the charges, finding that there was insufficient evidence that she corruptly sought to secure the IPO mandate by making the job offer.

India

The Indian Government has issued standard operating procedures that must be followed by Indian police before commencing any investigation against Indian public officials for alleged violations of India’s Prevention of Corruption Act, 1988.  One of these standards is to require additional approvals to open an investigation, which have been criticized as erecting barriers to bringing enforcement actions against public officials.

In November 2021, India’s Enforcement Directorate arrested a former cabinet minister of the State of Maharashtra, Anil Deshmukh, on allegations involving money laundering and extortion.  Deshmukh, who stepped down from his post earlier this year, is accused of using police officials to extort various hotels, restaurants, and bars in Mumbai, and of using shell companies to siphon the funds received for personal use.  He is accused of extorting up to INR 100 crore (~ $13.4 million) per month while in office.

Indonesia

In August 2021, former Indonesian social affairs minister Juliari Batubara was sentenced to 12 years in prison by the Jakarta Corruption Court over a multi-million dollar COVID-19 graft scandal.  A judge found the former politician “convincingly guilty of corruption” for receiving IDR 32.4 billion (~ $2.25 million) in kickbacks related to procurement intended for COVID-19 social assistance packages.  The Court also fined Batubara IDR 500 million (~ $350,000) and ordered him to return IDR 14.5 billion (~ $1 million) in funds.  As a result of his sentence, Batubara also will be banned from public office for four years after serving his prison term.

In 2021, Indonesia’s Corruption Eradication Commission (Komisi Pemberantasan Korupsi Republik Indonesia) (“KPK”) removed 57 of its graft investigators and personnel, while subjecting two dozen more to re-training, after 75 of its personnel failed a tailor-made civil service exam implemented as part of an effort to fold the body into the civil service.  Controversy has surrounded the composition of the test:  the National Commission on Human Rights has said that the test was plagued with “baseless stigmatization” and “illegal conduct,” while the Indonesian Ombudsman found that the document that set forth the legal basis for organizing the test was signed by officials who did not attend the meeting to discuss it.  The KPK has defended the exam, which was taken by 1,300 staff.  Dozens of the employees plan to appeal their dismissals.

Japan

In May 2021, the Japanese Ministry of Economy, Trade and Industry (“METI”) revised the Guidelines for the Prevention of Bribery of Foreign Public Officials.  These revised Guidelines include a new subsection on mergers and acquisitions and provide additional guidance on third-party due diligence, facilitation payments, and applicability of the “agreement system” under the Japanese Criminal Procedure Code to bribery offenses.  The due diligence provisions closely track the recommendations made by DOJ and the SEC in the FCPA Resource Guide.  In addition, the revised Guidelines urge Japanese companies to prohibit small facilitation payments, noting that such payments could be made “in order to obtain a wrongful gain in business” in violation of the Unfair Competition Prevention Act.

Malaysia

The Malaysian government reached two corporate resolutions in 2021 in connection with the 1Malaysia Development Berhad (“1MDB”) scandal.  First, in February 2021, the Malaysian banking group AMMB Holdings Berhad agreed to pay MYR 2.83 billion (~ $682.3 million) to settle outstanding claims and actions related to AMMB’s involvement in the 1MDB scandal, although the specifics of that involvement were not reported.  Second, in March 2021, Deloitte PLT agreed to pay $80 million to the Malaysian government to settle claims related to its auditing of reports issued by 1MDB and a former 1MDB subsidiary.  Also related to 1MDB, on August 5, 2021, DOJ announced that it had repatriated to Malaysia an additional $452 million in funds in connection with the scandal, bringing the total repatriated to more than $1.2 billion.

In other enforcement developments, we reported in our 2020 Year-End FCPA Update on amendments to the Malaysia Anti-Corruption Commission Act 2009 that took effect in June 2020, allowing for corporate liability.  Under Section 17A, a commercial organization commits a criminal offense if a person associated with the organization corruptly gives any gratification with intent to obtain or retain any business or advantage for the commercial organization.  In March 2021, Pristine Offshore Sdn Bhd became the first organization charged by the Malaysia Anti-Corruption Commission (“MACC”) under Section 17A, for allegedly having paid MYR 321,350 (~ $78,000) to the chief operating officer of Deleum Primera Sdn Bhd to secure a subcontract for the supply of workboats.  Both Pristine Offshore and its former director have pleaded not guilty.

Singapore

In February 2021, Singapore’s Corrupt Practices Investigation Bureau charged three former employees of a Singaporean subsidiary of Royal Dutch Shell with bribing shipping inspectors in exchange for assistance in stealing millions of metric tons of fuel from the company.  In May 2021, Daewoo Engineering and Construction executives Ro Sung-Young and Kim Young-Gyu pleaded guilty to conspiring to bribe a Singapore Land Transport Authority official in exchange for contracts with the authority.  Prosecutors also charged the official, alleging that he received bribes totaling SGD 1.2 million (~ $893,300) between 2014 and 2019.  Also in May, a Singapore court sentenced Chang Peng Hong Clarence, a former Regional Director for Marine Fuels at BP plc’s Singapore subsidiary, to 4.5 years in prison for receiving bribes of almost $4 million from Koh Seng Lee, the executive director of a Singaporean petroleum and petroleum products wholesaler, in exchange for promoting that company’s business within BP.  The court also ordered Chang to pay a SGD 6.2 million (~ $4.7 million) penalty.

South Korea

In January 2021, the Korean government launched the Corruption Investigation Office for High-Ranking Officials (“CIO”), an independent investigative agency with jurisdiction to prosecute corruption cases involving high-ranking public officials.  The creation of the CIO, which has exclusive prosecution authority over financial crimes involving certain categories of senior officials (as well as private parties involved in the investigations), fulfills a key campaign promise of President Moon Jae-In, who came to power in 2017 following a corruption scandal that resulted in the impeachment of his predecessor (as discussed in our 2020 Year-End FCPA Update).  The CIO was active throughout 2021, conducting multiple investigations that even extended to searches of the Supreme Prosecutor’s Office and offices of National Assembly members.  Perhaps predictably, these measures have led to claims that the CIO is acting too aggressively.

On the legislative front, in November and December 2021 the Korean National Assembly passed a series of amendments to the Improper Solicitation and Graft Act (“Anti-Graft Act”) and the Act on the Prevention of Corruption and the Establishment and Management of the Anti-Corruption and Civil Rights Commission.  These amendments expand the law and its proscriptions to include additional improper advantages such as employment and internship opportunities, selection of scholarship recipients, positive reviews of dissertations and granting of degrees, and activities of prison guards.  The amendments also increase the threshold for permissible agricultural gifts given to public officials during public holidays, and allow for anonymous reporting of Anti-Graft Act violations through attorneys.

The Middle East and Africa

Israel

Months after the corruption trial of Benjamin Netanyahu restarted following delays due to COVID-19, Netanyahu’s election loss ended his 12 years as Israeli Prime Minister.  As covered most recently in our 2020 Year-End FCPA Update, the Israeli Attorney General announced indictments in February 2019 stemming from three separate allegations of wrongdoing.  On February 8, 2021, Netanyahu pleaded not guilty, and the trial then was postponed again due to a disagreement over certain documents.  One former media adviser to Netanyahu and his family recently testified regarding regulatory favors Netanyahu allegedly awarded to media tycoons in return for positive press coverage and gifts.  The witness, who previously was charged and signed a cooperation deal with the government, also provided investigators with recordings of conversations with Netanyahu and his family.

Namibia

In 2021, state-owned National Fishing Corporation of Namibia (“Fishcor”), and several executives including former CEO Mike Nghipunya, were charged with racketeering, conspiracy, fraud, money laundering, tax evasion, and obstruction of justice.  The investigation began in 2019, after Wikileaks published more than 30,000 documents from a former managing director of Icelandic seafood company Samherji’s Namibian operations.  According to prosecutors, Fishcor illegally sold quotas to Samherji for $11.1 million, with funds then being provided to others, including a former Namibian fisheries minister.  Pretrial hearings are scheduled for January 2022.

South Africa

The trial of former South African President Jacob Zuma for allegedly accepting bribes related to a 1994 arms purchase spent most of 2021 plagued with delays.  The National Prosecuting Authority accuses Zuma of accepting bribes on hundreds of occasions.  Zuma was first charged in 2005, but the charges have been dropped and reinstated many times over the years amid allegations of political interference, and recent delays have been caused by the unexplained simultaneous resignation of Zuma’s entire legal team and Zuma’s application to remove the chief prosecutor on alleged bias grounds.  Zuma’s trial is currently set to begin in April 2022.


The following Gibson Dunn lawyers and alumnae participated in preparing this client update: F. Joseph Warin, John Chesley, Richard Grime, Patrick Stokes, Kelly Austin, Patrick Doris, Matthew Nunan, Oleh Vretsona, Oliver Welch, Christopher Sullivan, Anna Aguillard, Claire Aristide, Anthony Balzofiore, Junghyun Baek, Sean Brennan, Alexandra Buettner, Lizzy Brilliant, Ella Alves Capone, Josiah Clarke, Priya Datta, Bobby DeNault, Nathan Eagan, Amanda Kenner, Derek Kraft, Michael Kutz, Caroline Leahy, Nicole Lee, Allison Lewis, Jenny Lotova, Andrei Malikov, Megan Meagher, Katie Mills, Erin Morgan, Sandy Moss, Monica Murphy, Jaclyn Neely, Ning Ning, Kareen Ramadan, Hayley Smith, Jason Smith, Pedro Soto, Laura Sturges, Karthik Ashwin Thiagarajan, Katie Tomsett, Dillon Westfall, Sophie White, Terry Wong, and Caroline Ziser Smith.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues.  We have more than 110 attorneys with FCPA experience, including a number of former federal prosecutors and SEC officials, spread throughout the firm’s domestic and international offices.  Please contact the Gibson Dunn attorney with whom you work, or any of the following:

Washington, D.C.
F. Joseph Warin (+1 202-887-3609, fwarin@gibsondunn.com)
Richard W. Grime (+1 202-955-8219, rgrime@gibsondunn.com)
Patrick F. Stokes (+1 202-955-8504, pstokes@gibsondunn.com)
Judith A. Lee (+1 202-887-3591, jalee@gibsondunn.com)
David P. Burns (+1 202-887-3786, dburns@gibsondunn.com)
David Debold (+1 202-955-8551, ddebold@gibsondunn.com)
Michael S. Diamant (+1 202-887-3604, mdiamant@gibsondunn.com)
John W.F. Chesley (+1 202-887-3788, jchesley@gibsondunn.com)
Daniel P. Chung (+1 202-887-3729, dchung@gibsondunn.com)
Stephanie Brooker (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day (+1 202-955-8220, kday@gibsondunn.com)
Robert K. Hur (+1 202-887-3674, rhur@gibsondunn.com)
Adam M. Smith (+1 202-887-3547, asmith@gibsondunn.com)
Oleh Vretsona (+1 202-887-3779, ovretsona@gibsondunn.com)
Courtney M. Brown (+1 202-955-8685, cmbrown@gibsondunn.com)
Jason H. Smith (+1 202-887-3576, jsmith@gibsondunn.com)
Ella Alves Capone (+1 202-887-3511, ecapone@gibsondunn.com)
Pedro G. Soto (+1 202-955-8661, psoto@gibsondunn.com)

New York
Zainab N. Ahmad (+1 212-351-2609, zahmad@gibsondunn.com)
Matthew L. Biben (+1 212-351-6300, mbiben@gibsondunn.com)
Reed Brodsky (+1 212-351-5334, rbrodsky@gibsondunn.com)
Joel M. Cohen (+1 212-351-2664, jcohen@gibsondunn.com)
Lee G. Dunst (+1 212-351-3824, ldunst@gibsondunn.com)
Mark A. Kirsch (+1 212-351-2662, mkirsch@gibsondunn.com)
Alexander H. Southwell (+1 212-351-3981, asouthwell@gibsondunn.com)
Lawrence J. Zweifach (+1 212-351-2625, lzweifach@gibsondunn.com)
Karin Portlock (+1 212-351-2666, kportlock@gibsondunn.com)

Denver
Robert C. Blume (+1 303-298-5758, rblume@gibsondunn.com)
John D.W. Partridge (+1 303-298-5931, jpartridge@gibsondunn.com)
Ryan T. Bergsieker (+1 303-298-5774, rbergsieker@gibsondunn.com)
Laura M. Sturges (+1 303-298-5929, lsturges@gibsondunn.com)

Los Angeles
Nicola T. Hanna (+1 213-229-7269, nhanna@gibsondunn.com)
Debra Wong Yang (+1 213-229-7472, dwongyang@gibsondunn.com)
Marcellus McRae (+1 213-229-7675, mmcrae@gibsondunn.com)
Michael M. Farhang (+1 213-229-7005, mfarhang@gibsondunn.com)
Douglas Fuchs (+1 213-229-7605, dfuchs@gibsondunn.com)

San Francisco
Winston Y. Chan (+1 415-393-8362, wchan@gibsondunn.com)
Thad A. Davis (+1 415-393-8251, tadavis@gibsondunn.com)
Charles J. Stevens (+1 415-393-8391, cstevens@gibsondunn.com)
Michael Li-Ming Wong (+1 415-393-8333, mwong@gibsondunn.com)

Palo Alto
Benjamin Wagner (+1 650-849-5395, bwagner@gibsondunn.com)

London
Patrick Doris (+44 20 7071 4276, pdoris@gibsondunn.com)
Charlie Falconer (+44 20 7071 4270, cfalconer@gibsondunn.com)
Sacha Harber-Kelly (+44 20 7071 4205, sharber-kelly@gibsondunn.com)
Michelle Kirschner (+44 20 7071 4212, mkirschner@gibsondunn.com)
Matthew Nunan (+44 20 7071 4201, mnunan@gibsondunn.com)
Philip Rocher (+44 20 7071 4202, procher@gibsondunn.com)
Steve Melrose (+44 20 7071 4219, smelrose@gibsondunn.com)

Paris
Benoît Fleury (+33 1 56 43 13 00, bfleury@gibsondunn.com)
Bernard Grinspan (+33 1 56 43 13 00, bgrinspan@gibsondunn.com)

Munich
Benno Schwarz (+49 89 189 33-110, bschwarz@gibsondunn.com)
Michael Walther (+49 89 189 33-180, mwalther@gibsondunn.com)
Mark Zimmer (+49 89 189 33-130, mzimmer@gibsondunn.com)

Hong Kong
Kelly Austin (+852 2214 3788, kaustin@gibsondunn.com)
Oliver D. Welch (+852 2214 3716, owelch@gibsondunn.com)

São Paulo
Lisa A. Alfaro (+5511 3521-7160, lalfaro@gibsondunn.com)
Fernando Almeida (+5511 3521-7093, falmeida@gibsondunn.com)

Singapore
Joerg Bartz (+65 6507 3635, jbartz@gibsondunn.com)

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.


On January 24, 2022, the Federal Trade Commission announced its annual update of thresholds for pre-merger notifications of certain M&A transactions under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (“HSR Act”).  Pursuant to the statute, the HSR Act’s jurisdictional thresholds are updated annually to account for changes in the gross national product.  The new thresholds will take effect on February 23, 2022, applying to transactions that close on or after that date.

The size of transaction threshold for reporting proposed mergers and acquisitions under Section 7A of the Clayton Act will increase by $9.0 million, from $92 million in 2021 to $101 million for 2022.

| Original Threshold | 2021 Threshold | 2022 Threshold |
|---|---|---|
| $10 million | $18.4 million | $20.2 million |
| $50 million | $92.0 million | $101 million |
| $100 million | $184.0 million | $202 million |
| $110 million | $202.4 million | $222.2 million |
| $200 million | $368.0 million | $403.9 million |
| $500 million | $919.9 million | $1.0098 billion |
| $1 billion | $1,839.8 million | $2.0196 billion |

The maximum fine for violations of the HSR Act has increased from $43,792 per day to $46,517.

The amounts of the filing fees have not changed, but the thresholds that trigger each fee have increased:

| Fee | Size of Transaction |
|---|---|
| $45,000 | Valued at more than $101 million but less than $202 million |
| $125,000 | Valued at $202 million or more but less than $1.0098 billion |
| $280,000 | Valued at $1.0098 billion or more |

The 2022 thresholds triggering prohibitions on certain interlocking directorates on corporate boards of directors are $41,034,000 for Section 8(a)(1) (size of corporation) and $4,103,400 for Section 8(a)(2)(A) (competitive sales).  The Section 8 thresholds took effect on January 21, 2022.

If you have any questions about the new HSR size of transaction thresholds, or HSR and antitrust/competition regulations and rulemaking more generally, please contact any of the partners or counsel listed below.


The following Gibson Dunn lawyers prepared this client alert: Adam Di Vincenzo, Andrew Cline, and Chris Wilson.

Gibson Dunn’s lawyers are available to assist clients in addressing any questions they may have regarding the HSR Act or antitrust issues raised by business transactions. Please feel free to contact the Gibson Dunn attorney with whom you usually work in the firm’s Antitrust and Competition Practice Group, or the following:

Adam Di Vincenzo – Washington, D.C. (+1 202-887-3704, adivincenzo@gibsondunn.com)

Andrew Cline – Washington, D.C. (+1 202-887-3698, acline@gibsondunn.com)

Chris Wilson – Washington, D.C. (+1 202-955-8520, cwilson@gibsondunn.com)

Rachel S. Brass – Co-Chair, Antitrust & Competition Group, San Francisco
(+1 415-393-8293, rbrass@gibsondunn.com)

Stephen Weissman – Co-Chair, Antitrust & Competition Group, Washington, D.C.
(+1 202-955-8678, sweissman@gibsondunn.com)


BlackRock, Vanguard and State Street Global Advisors (“State Street”) recently issued their voting policy updates for 2022, as well as guidance about their 2022 priorities for their portfolio companies.  On January 18, 2022, BlackRock’s CEO issued his annual “Letter to CEOs” (available here), following closely on the heels of State Street’s CEO, who issued his annual letter to public company directors (available here) on January 12.

These pronouncements from the “Big Three” asset managers reflect a number of common themes, including an emphasis on climate and the transition to a Net Zero economy, diversity at the board level and throughout the workforce, and effective human capital management.  Links to the BlackRock and Vanguard voting policies for 2022 are below.  State Street’s voting policy updates span several documents that provide guidance on areas that State Street views as focal points for the coming year.  Links to these documents are also below.

BlackRock: Proxy Voting Guidelines for U.S. Securities (effective as of January 2022)

Vanguard: Proxy Voting Policy for U.S. Companies (effective as of March 1, 2022)

State Street

1. BlackRock

2022 Letter to CEOs

In his 2022 letter titled “The Power of Capitalism,” BlackRock CEO Larry Fink encourages companies to focus on their purpose and put that purpose at the foundation of their relationships with stakeholders, in order to be valued by their stakeholders and deliver long-term value for their shareholders.  The letter urges companies to think about whether they are creating an environment that helps their employee-stakeholders navigate the new world of work that has emerged from the pandemic.  The letter observes that most stakeholders now expect companies to play a role in moving toward a Net Zero global economy and discusses BlackRock’s approach to climate and sustainability.  This is a priority area for BlackRock because of its need, as a capitalist and fiduciary to its clients, to understand how companies are adjusting their business to massive changes in the economy.  Mr. Fink also emphasizes that divesting from entire sectors, or simply passing carbon-intensive assets from public to private markets, will not move the world to Net Zero.  BlackRock does not pursue divestment from oil and gas companies as a policy, but believes that action by “foresighted companies” in a variety of carbon-intensive industries is a critical part of the transition to a greener economy.  Government participation on the policy, regulatory and disclosure fronts is also critical because, Mr. Fink notes, “businesses can’t do this alone, and they cannot be the climate police.”

The letter concludes with a reminder that BlackRock has built a stewardship team so it can understand companies’ progress throughout the year, and not just during proxy season.  BlackRock previously announced an initiative to give more of its clients the option to vote their own holdings, rather than BlackRock casting votes on their behalf.  The letter notes that this option is now available to certain institutional clients, including pension funds that support 60 million people.  The letter also commits to expanding that universe, as BlackRock is committed to a future where every investor, including individual investors, has the option to participate in the proxy voting process.

2022 BlackRock Voting Policy Updates

30% Target on Board Diversity 

BlackRock believes boards should aspire to 30% diversity, and encourages companies to have at least two directors who identify as female and at least one who identifies as being from an “underrepresented group.”  The definition of “underrepresented group” is broad and includes individuals who identify as racial or ethnic minorities, LGBTQ+, underrepresented based on national, Indigenous, religious or cultural identity, individuals with disabilities and veterans.  Although the wording of the policy is aspirational, insufficient board diversity was a top reason BlackRock opposed the election of directors in 2021.

Board Diversity Disclosure

BlackRock updated its expectations for disclosure about board diversity.  It asks that companies disclose how the diversity characteristics of the board, in aggregate, are aligned with a company’s long-term strategy and business model, and whether a diverse slate of nominees is considered for all available board seats.

Votes on Compensation Committee Members

BlackRock appears to be strengthening its position on votes for compensation committee members where there is a lack of alignment between pay and performance.  In that situation, BlackRock will vote “against” the say-on-pay proposal and relevant compensation committee members (rather than simply “considering” negative votes for committee members).

Sustainability Reporting

BlackRock will continue to ask that companies report in accordance with the Task Force on Climate-related Financial Disclosure (“TCFD”) framework.  In recognition of continuing advances in sustainability reporting standards, the 2022 voting guidelines recognize that in addition to TCFD, many companies report using industry-specific metrics other than those developed by the Sustainability Accounting Standards Board (“SASB”).  For those companies, BlackRock asks that they highlight metrics that are industry- or company-specific.  It also recommends that companies disclose any multinational standards they have adopted, any industry initiatives in which they participate, any peer group benchmarking undertaken, and any assurance processes to help investors understand their approach to sustainable and responsible business conduct.

Climate Risk

BlackRock continues to ask companies to disclose Net Zero-aligned business plans that are consistent with their business model and sector.  For 2022, it is encouraging companies to: (1) demonstrate that their plans are resilient under likely decarbonization pathways and the global aspiration to limit warming to 1.5°C; and (2) disclose how considerations related to having a reliable energy supply and a “just transition” (that protects the most vulnerable from energy price shocks and economic dislocation) affect their plans.  BlackRock also updated its voting policies to reflect its existing approach of signaling concerns about a company’s plans or disclosures in its votes on directors, particularly at companies facing material climate risks.  In determining how to vote, it will continue to assess whether a company’s disclosures are aligned with the TCFD and provide short-, medium-, and long-term reduction targets for Scope 1 and 2 emissions.

ESG Performance Metrics

BlackRock does not have a position on the use of ESG performance metrics, but it believes that where companies choose to use them, they should be relevant to the company’s business and strategy, clearly articulated, and appropriately rigorous, like other financial and non-financial performance metrics.

Votes on Committee Members at Controlled Companies

BlackRock may vote “against,” or “withhold” votes from, directors serving on “key” committees (audit, compensation, nominating/governance), that it does not consider to be independent, including at controlled companies.  Previously, this policy was limited to votes on insiders or affiliates serving on the audit committee, and did not extend to other committees.

2. Vanguard

Vanguard’s voting policy updates address several of the same areas as BlackRock’s, including oversight of climate risk, and board diversity and related disclosures.  The introduction to the voting policies also contains more explicit language emphasizing that proposals often require fact-intensive analyses based on an expansive set of factors, and that proposals are voted case-by-case at the direction of the boards of individual Vanguard funds.

Climate Risk Oversight “Failures”

Vanguard’s voting policies outline certain situations in which funds will oppose the re-election of directors on “accountability” grounds—that is, “because of governance failings or as a means to escalate other issues that remain unaddressed by a company.”  Under Vanguard’s current policies, funds will consider votes “against,” or “withhold” votes from, directors or a committee for governance or material risk oversight failures.

For 2022, Vanguard has updated this policy to clarify that in cases where there is a risk oversight “failure,” funds will generally vote “against,” or “withhold” votes from, the chair of the committee responsible for overseeing a particular material risk (or the lead independent director and board chair, if a risk does not fall under the purview of a specific committee).  The policy has also been updated to reflect that it covers material social and environmental risks, including climate change.  On the subject of climate change, the updated policy lists factors that funds will consider in evaluating whether board oversight of climate risk is appropriate, including: (1) the materiality of the risk; (2) the effectiveness of disclosures to enable the market to understand and price the risk; (3) whether a company has disclosed business strategies, including reasonable risk mitigation plans in the context of anticipated regulatory requirements and changes in market activity, in line with the Paris Agreement or subsequent agreements; and (4) company-specific context, regulations and expectations.  Funds will also consider the board’s overall governance of climate risk and the effectiveness of its independent oversight of this area.

Board Diversity and Qualifications

For 2022, Vanguard has clarified its expectations on disclosure about board diversity and qualifications.  The policy states that boards can inform shareholders about the board’s current composition and related strategy by disclosing at least: (1) statements about the board’s intended composition strategy, including expectations for year-over-year progress, from the nominating/governance committee or other relevant directors; (2) policies for promoting progress toward greater board diversity; and (3) current attributes of the board’s composition.  The policy states that board diversity disclosure should cover, at a minimum, the genders, races, ethnicities, tenures, skills and experience that are represented on the board.  While disclosure about self-identified personal characteristics such as race and ethnicity can be presented at the aggregate or individual level, Vanguard expects to see disclosure about tenure, skills and experience at the individual level.

Under its policy on board “accountability” votes, a lack of progress on board diversity and/or disclosures about board diversity may lead to votes “against,” or “withhold” votes from, the chair of the nominating/governance committee.  Vanguard has updated this policy for 2022 to reflect its expectations about the various dimensions of diversity (gender, race, etc.) that should be represented on boards and about companies’ disclosures.  The policy includes a reminder that “many boards still have an opportunity to increase diversity across different dimensions,” and that these boards “should demonstrate how they intend to continue making progress.”

Director Overboarding

Vanguard has clarified how its overboarding policy applies to directors who are named executive officers (NEOs).  Although Vanguard’s limit of two public company boards remains in place, the policy updates clarify that the two boards could consist of either the NEO’s own board and one outside board, or two outside boards if an NEO does not sit on the board at their own company.  Vanguard funds will generally oppose the election of directors who exceed this limit at their outside board(s), but not at the company where they are an NEO.

For other directors, Vanguard’s existing limit of four public company boards is unchanged.

Vanguard funds will also look for companies to have good governance practices on director commitments, including adopting a policy on outside board service and disclosure about how the board oversees the policy.

Unilateral Board Adoption of Exclusive Forum Provisions

Vanguard has updated its voting policy on board “accountability” votes where a company adopts policies limiting shareholder rights.  Under this policy, Vanguard funds will generally oppose the election of the independent board chair or lead director, and the members of the nominating/governance committee, in response to unilateral board actions that “meaningfully limit” shareholder rights.  For 2022, this policy has been updated to specify that these board actions may include the adoption of an exclusive forum provision without shareholder approval.

Proposals on Virtual and Hybrid Shareholder Meetings

According to Vanguard, data show that virtual meetings can increase shareholder participation and reduce costs.  Vanguard funds will consider supporting proposals on virtual meetings if meeting procedures and requirements are disclosed ahead of time, there is a formal process for shareholders to submit questions, real-time video footage is available, shareholders can call into the meeting or send recorded messages, and shareholder rights are not unreasonably curtailed.

3. State Street

In his letter, State Street CEO Cyrus Taraporevala announces that in 2022, State Street’s main focus “will be to support the acceleration of the systemic transformations underway in climate change and the diversity of boards and workforces.”  To that end, the letter attaches three guidance documents outlining State Street’s expectations and voting policies for the 2022 proxy season in the areas of climate change and diversity, equity and inclusion.  State Street has also published other guidance documents on director overboarding/time commitments and human capital for the 2022 proxy season.

The guidance documents are worth reading in their entirety because they provide detailed information about the practices and disclosures State Street expects to see from its portfolio companies in both 2022 and 2023, and about State Street’s related voting policies.  A summary of the key highlights is below.

Corporate Climate Disclosures

General

State Street expects all companies in its portfolio to provide disclosures in accordance with the four pillars of the TCFD framework: governance, strategy, risk management, and metrics and targets.  In approaching its disclosure expectations, State Street will begin by engaging with companies.  The guidance document includes a list of questions (organized by the four TCFD pillars) that State Street may ask companies as part of its engagement efforts.

For companies that it believes are not making sufficient progress after engagement, State Street will consider taking action through its votes on directors and/or shareholder proposals.  Starting in 2022, at S&P 500 companies, State Street may vote against the independent board leader if a company fails to provide sufficient disclosure in accordance with the TCFD framework, including about board oversight of climate-related risks and opportunities, total Scope 1 and Scope 2 greenhouse gas (“GHG”) emissions, and targets for reducing GHG emissions.

Companies in “Carbon-Intensive Sectors”

For several years, State Street has had specific disclosure expectations for companies in “carbon-intensive sectors” (oil and gas, utilities and mining), and the guidance document outlines what State Street expects to see beginning in 2022.  Disclosures are expected to address: (1) interim GHG emissions reductions targets to accompany long-term climate ambitions; (2) discussion of the impacts of scenario-planning on strategy and financial planning; (3) use of carbon pricing in capital allocation decisions; and (4) Scope 1, Scope 2 and material categories of Scope 3 emissions.

Climate Change Shareholder Proposals

State Street will evaluate climate-related shareholder proposals on a case-by-case basis, taking into account factors that include the reasonableness of a proposal, alignment with the TCFD framework and SASB standards where relevant, emergent market and industry trends, peer performance, and dialogue with the board, management and other stakeholders.  For companies in carbon-intensive sectors, State Street will consider alignment with its disclosure expectations specific to these companies.  The guidance also addresses specific factors State Street will consider in assessing climate-related lobbying proposals.

Climate Transition Plan Disclosures

Related to the broader subject of climate disclosures, State Street has also issued guidance specific to disclosures about companies’ climate transition plans.  In the guidance, State Street notes that there is no one-size-fits-all approach to reaching Net Zero, and that climate-related risks and opportunities are highly nuanced across and within industries.  It plans to continue developing its disclosure expectations over time, including taking into account any disclosures mandated by regulators.  In his letter, State Street CEO Cyrus Taraporevala emphasizes that what State Street is seeking from climate transition plans, as a long-term investor, “is not purity but pragmatic clarity around how and why a particular transition plan helps a company make meaningful progress.”  Mr. Taraporevala also emphasizes the need to take a big-picture look at whether the climate commitments individual companies make have the effect of reducing climate impacts at the aggregate level.  In this regard, he observes that so-called “brown-spinning” (public companies selling off their highest-emitting assets to private equity or other market participants), “reduces disclosure, shields polluters, and allows the publicly-traded company to appear more ‘green,’ without any overall reduction in the level of emissions on the planet.”  State Street recognizes that in the near term, additional investments in light fossil fuels may be necessary to propel the transition to Net Zero.

In light of these considerations, State Street intends its guidance document on climate transition plans as a “first step” to provide transparency about the core criteria State Street expects companies to address in developing their plans.  These criteria are organized into ten categories that generally align with those found in two external frameworks: the Institutional Investors Group on Climate Change (IIGCC) Net Zero Investment Framework and Climate Action 100+ Net-Zero Company Benchmark.  The criteria include decarbonization strategy, capital allocation, climate governance, climate policy and stakeholder engagement.

As a companion to its 2022 policy on holding independent board leaders accountable for climate disclosures (discussed above), this year, State Street plans to launch an engagement campaign on climate transition plan disclosure targeted at “significant emitters in carbon-intensive sectors.”  Starting in 2023, it will hold directors at these companies accountable if their company fails to show adequate progress in meeting its climate transition disclosure expectations.

Diversity Disclosures

State Street’s guidance document lists five topics it expects all of its portfolio companies to address in their diversity disclosures:

  1. Board oversight—How the board oversees the company’s diversity, equity and inclusion efforts, including the potential impacts of products and services on diverse communities;
  2. Strategy—The company’s timebound and specific diversity goals (related to gender, race and ethnicity at a minimum), the policies and programs in place to meet these goals, and how they are measured, managed and progressing;
  3. Goals—Same as Strategy.
  4. Metrics—Measures of the diversity of the company’s global workforce and board. For employees, this should include diversity by gender, race and ethnicity (at a minimum) where permitted by law, broken down by industry-relevant employment categories or seniority levels, for all full-time employees.  In the U.S., companies are expected to use the disclosure framework from the EEO-1 at a minimum.  For the board, disclosures should be provided by gender, race and ethnicity (at a minimum), and can be on an aggregate or individual level; and
  5. Board diversity—Efforts to achieve diversity at the board level, including how the nominating/governance committee ensures diverse candidates are considered as part of the recruitment process.

State Street also encourages companies to consider providing disclosures about other dimensions of diversity (LGBTQ+, disabilities, etc.), as it views these attributes as furthering the overarching goal of contributing to the diversity of thought on boards and in the workforce.

Diversity and Proxy Voting

State Street will consider disclosures about board diversity in deciding how to vote on directors, as follows:

Racial/Ethnic Diversity – S&P 500 Companies

In 2022, State Street will vote “against,” or “withhold” votes from:

  • The chair of the nominating/governance committee if the company does not disclose the racial and ethnic composition of its board, either at the aggregate or individual level;
  • The chair of the nominating/governance committee if the company does not have at least one director from “an underrepresented racial or ethnic community”; and
  • The chair of the compensation committee, if the company does not disclose its EEO-1 report, with acceptable disclosure including the original report, or the exact content of the report translated into custom graphics.

Gender Diversity

State Street may vote “against,” or “withhold” votes from, the chair of the nominating/governance committee:

  • Beginning in 2022, for companies in all markets, if there is not at least one female director on the board; and
  • Beginning in 2023, at Russell 3000 companies, if the board does not have at least 30% female directors. State Street may waive this policy if a company engages with it and provides a specific, timebound plan for reaching 30%.

If a company fails to meet the gender diversity expectations for three consecutive years, State Street may vote against all incumbent nominating/governance committee members.

The guidance also outlines State Street’s approach to voting on diversity-related shareholder proposals, including specific criteria relating to proposals seeking reporting on diversity, “pay gap” proposals, and proposals seeking racial equity audits.

State Street notes that its voting policies currently focus on increasing board diversity, but that in coming years it intends to shift its focus to the workforce and executive levels.  Related to the subject of workforce diversity, the guidance previews ten recommended areas of focus for boards in overseeing racial and ethnic diversity.  These are addressed in more detail in a publication issued by State Street in partnership with Russell Reynolds and the Ford Foundation.

Director Overboarding

For 2022, State Street is moving toward an approach that relies more heavily on nominating/governance committee oversight (and enhanced disclosures) about whether directors have enough time to fulfill their commitments.  The updated approach is designed to ensure that nominating/governance committees are evaluating directors’ time commitments, regularly assessing director effectiveness, and providing disclosure about their policies and efforts.  State Street cites two factors as the key drivers of these updates: its own research showing that boards with overcommitted directors have been slower to adopt leading governance practices and provide robust shareholder rights, and concerns about “tokenism” (nominating already-overcommitted diverse directors) and the need to broaden the candidate pools of diverse directors.  The policy updates also address service on SPAC boards.

As a result of the policy updates, beginning in March 2022, State Street will apply the following overboarding limits to directors:

  • For board chairs or lead directors, three public company boards; and
  • For other director nominees who are not public company NEOs, four public company boards.

State Street may consider waiving these limits and support a director’s election if the company discloses its policy on outside board seats.  This policy (or the related disclosure) must include:

  • A numerical limit on public company board seats that does not exceed State Street policies by more than one;
  • Consideration of public company board leadership positions;
  • An affirmation that all directors are currently in compliance with the policy; and
  • A description of the nominating/governance committee’s annual process for reviewing outside board commitments.

This waiver policy will not apply to public company NEOs, who remain subject to State Street’s existing limit of two public company boards.

In calculating outside boards, State Street will not count mutual fund boards or SPAC boards, but it expects the nominating/governance committee to consider these boards in evaluating directors’ time commitments.

Human Capital Management (HCM) Disclosures and Practices

State Street’s guidance document lists the five topics it expects companies to address in their HCM disclosures: (1) board oversight; (2) strategy (specifically, how a company’s approach to HCM advances its overall long-term business strategy); (3) compensation, and how it helps to attract and retain employees and incentivize contributions to an effective HCM strategy; (4) “voice” (how companies solicit and act on employee feedback, and how the workforce is engaged in the organization); and (5) how the company advances diversity, equity and inclusion.

State Street emphasizes that it expects companies to provide specificity on these subjects.  For example, rather than disclosing that employees are surveyed regularly, State Street suggests that companies disclose survey frequency, examples of questions asked, and relevant examples of actions taken in response to employee feedback.  State Street also encourages companies to consider emerging disclosure frameworks, such as the framework outlined by the Human Capital Management Coalition, which includes 35 institutional investors representing over $6.6 trillion in assets.

State Street will approach HCM issues by starting with engagement, focusing on the companies and industries with the greatest HCM risks and opportunities.  For companies that it believes are not making sufficient progress after engagement, State Street will consider taking action through its votes on directors and/or shareholder proposals.  It will consider supporting shareholder proposals at companies whose HCM disclosures are not sufficiently aligned with State Street’s disclosure expectations.


The following Gibson Dunn lawyers assisted in the preparation of this client update: Elizabeth Ising and Lori Zyskowski.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work in the Securities Regulation and Corporate Governance and Executive Compensation and Employee Benefits practice groups, or any of the following practice leaders and members:

Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com)
Lori Zyskowski – New York, NY (+1 212-351-2309, lzyskowski@gibsondunn.com)
Ron Mueller – Washington, D.C. (+1 202-955-8671, rmueller@gibsondunn.com)
Thomas J. Kim – Washington, D.C. (+1 202-887-3550, tkim@gibsondunn.com)
Mike Titera – Orange County, CA (+1 949-451-4365, mtitera@gibsondunn.com)
Aaron Briggs – San Francisco, CA (+1 415-393-8297, abriggs@gibsondunn.com)
Julia Lapitskaya – New York, NY (+1 212-351-2354, jlapitskaya@gibsondunn.com)
Cassandra Tillinghast – Washington, D.C. (+1 202-887-3524, ctillinghast@gibsondunn.com)

Executive Compensation and Employee Benefits Group:
Stephen W. Fackler – Palo Alto/New York (+1 650-849-5385/+1 212-351-2392, sfackler@gibsondunn.com)
Sean C. Feller – Los Angeles (+1 310-551-8746, sfeller@gibsondunn.com)
Krista Hanvey – Dallas (+ 214-698-3425, khanvey@gibsondunn.com)

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

As we do each year, we offer our observations on new developments and recommended practices for calendar-year filers to consider in preparing their Form 10-K. This alert reviews the recent amendments to Regulation S-K adopted by the U.S. Securities and Exchange Commission (“SEC”) and discusses how public companies are reacting to these new requirements. In addition, it discusses other disclosure topics, including Environmental, Social, and Governance (“ESG”) issues such as human capital management, climate change, and cybersecurity, that, in light of increasing investor focus and forthcoming rulemaking, continue to be a top priority for public companies.



The following Gibson Dunn attorneys assisted in preparing this client update: Mike Titera, Justine Robinson, Andrew Fabens, Hillary Holmes, Elizabeth Ising, Thomas Kim, David Korvin, Ron Mueller, Jim Moloney, and Victor Twu.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work in the Securities Regulation and Corporate Governance and Capital Markets practice groups, or any of the following practice leaders and members:

Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com)
James J. Moloney – Orange County, CA (+1 949-451-4343, jmoloney@gibsondunn.com)
Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com)
Brian J. Lane – Washington, D.C. (+1 202-887-3646, blane@gibsondunn.com)
Ronald O. Mueller – Washington, D.C. (+1 202-955-8671, rmueller@gibsondunn.com)
Thomas J. Kim – Washington, D.C. (+1 202-887-3550, tkim@gibsondunn.com)
Mike Titera – Orange County, CA (+1 949-451-4365, mtitera@gibsondunn.com)
Aaron Briggs – San Francisco, CA (+1 415-393-8297, abriggs@gibsondunn.com)
Julia Lapitskaya – New York, NY (+1 212-351-2354, jlapitskaya@gibsondunn.com)

Capital Markets Group:
Andrew L. Fabens – New York (+1 212-351-4034, afabens@gibsondunn.com)
Hillary H. Holmes – Houston (+1 346-718-6602, hholmes@gibsondunn.com)
Stewart L. McDowell – San Francisco (+1 415-393-8322, smcdowell@gibsondunn.com)
Peter W. Wardle – Los Angeles (+1 213-229-7242, pwardle@gibsondunn.com)


Adding to the growing list of jurisdictions that have passed pay transparency laws, effective May 15, 2022, employers in New York City will be required to include salary ranges in job postings.

Brief Summary

The new pay transparency law makes it an “unlawful discriminatory practice” under the New York City Human Rights Law (“NYCHRL”) for an employer to advertise a job, promotion, or transfer opportunity without stating the position’s minimum and maximum salary in the advertisement.

The salary range may include the lowest and highest salaries that the employer believes in “good faith” that it would pay for the job, promotion, or transfer at the time of the posting.

Notably, the law does not define “advertise” and it does not differentiate between jobs that are posted externally versus internally.  The law also does not define a “salary,” nor does it clarify the requirements for non-salaried positions.

Covered Employers

The law applies to all employers with at least four employees in New York City, and independent contractors are counted towards that threshold.  Significantly, however, the law does not apply to temporary positions advertised by temporary staffing agencies.

Enforcement and Penalties

The New York City Commission on Human Rights is authorized to take action to implement the law, including, among other things, through the promulgation of rules and/or imposition of civil penalties under the NYCHRL.

Growing Trend of Pay Transparency Laws

New York City’s pay transparency law is part of a growing trend in the United States.

In 2021, Colorado enacted a law that requires employers to disclose, among other things, the compensation or range of possible compensation in job postings.  Of note, Colorado’s law is more expansive than New York City’s in that it requires employers with even one employee based in Colorado to post such salary information in any job postings for remote work (i.e., work that is performable anywhere, including Colorado).

Last year, Connecticut and Nevada enacted similar pay transparency laws, and Rhode Island passed a law (effective January 1, 2023) which will require employers to provide wage or salary range information to applicants and employees under certain conditions.

California, Maryland, and Washington also have laws requiring salary disclosure, but only upon the request of an applicant or employee, and each law’s disclosure requirements vary slightly.  Maryland, for example, requires disclosure of a position’s wage range upon request of any applicant.  In comparison, California requires disclosure upon request from applicants who have completed an initial interview and Washington requires disclosure upon request from applicants who have received an offer.

This trend appears poised to continue as other state legislatures, including Massachusetts and South Carolina, are considering pay transparency bills.

Similar to laws banning questions related to an applicant’s salary history during the hiring process, these pay transparency laws are aimed at promoting equal pay.  Where state or local law provides for a private right of action, employers may face “tag-along” claims alleging pay disclosure non-compliance in addition to claims of workplace discrimination and/or retaliation.

Takeaway

All covered employers in New York City should take steps to ensure compliance with these new pay transparency requirements effective May 2022.  And, employers operating in multiple jurisdictions should carefully monitor the ever-growing patchwork of pay transparency laws in order to ensure compliance wherever located.


The following Gibson Dunn attorneys assisted in preparing this client update: Danielle Moss, Harris Mufson, Gabby Levin, and Meika Freeman.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following:

Danielle J. Moss – New York (+1 212-351-6338, dmoss@gibsondunn.com)

Harris M. Mufson – New York (+1 212-351-3805, hmufson@gibsondunn.com)

Gabrielle Levin – New York (+1 212-351-3901, glevin@gibsondunn.com)

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C. (+1 202-955-8242, jschwartz@gibsondunn.com)

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles (+1 213-229-7107, ksmith@gibsondunn.com)


California has seen a flurry of legislative activity over the last couple of years focused on protecting the rights of employees entering separation or settlement agreements with employers.  Employers who have not updated their separation or severance agreement templates in the last few years should consider whether updates to their agreements are needed.  This is especially true in light of SB 331, which Governor Gavin Newsom signed into law on October 7, 2021.  SB 331, or the “Silenced No More Act,” introduces additional restrictions on settlement agreements, non-disparagement agreements and separation agreements executed with employees in California after January 1, 2022.

Background – Recent Legal Developments

California has made a number of changes to requirements for separation and settlement agreements over the past few years, including but not limited to:

  • SB 1431, effective January 1, 2019, which amended the language of Section 1542 of the California Civil Code, often cited in settlement agreements, to read as follows: “A general release does not extend to claims that the creditor or releasing party does not know or suspect to exist in his or her favor at the time of executing the release and that, if known by him or her, would have materially affected his or her settlement with the debtor or released party.”
  • SB 820 which prohibits provisions in settlement agreements entered into after January 1, 2019 that prevent the disclosure of facts related to sexual assault, harassment, and discrimination claims “filed in a civil action” or in “a complaint filed in an administrative action.” SB 820 did not prohibit provisions requiring confidentiality of a settlement payment amount, and the law included an exception for provisions protecting the identity of the claimant where requested by the claimant.
  • SB 1300, effective January 1, 2019, amended California’s Fair Employment and Housing Act to prohibit employers from requiring employees to agree to a non-disparagement agreement or other document limiting the disclosure of information about unlawful workplace acts in exchange for a raise or bonus, or as a condition of employment or continued employment. SB 1300 further prohibited employers from requiring, in exchange for a raise or bonus or as a condition of employment or continued employment, that an individual “execute a statement that he or she does not possess any claim or injury against the employer” or release “a right to file and pursue a civil action or complaint with, or otherwise notify, a state agency, other public prosecutor, law enforcement agency, or any court or other governmental entity.”  Under the law, any such agreement is contrary to public policy and unenforceable.  That said, negotiated settlement agreements of civil claims supported by valuable consideration were exempted from these prohibitions.
  • AB 749 went into effect on January 1, 2020 and further impacted settlement agreements by limiting the inclusion of “no-rehire” provisions in agreements that settle employment disputes. AB 749 created Code of Civil Procedure Section 1002.5, which prohibits an agreement to settle an employment dispute from containing “a provision prohibiting, preventing, or otherwise restricting a settling party that is an aggrieved person from obtaining future employment with the employer against which the aggrieved person has filed a claim, or any parent company, subsidiary, division, affiliate, or contractor of the employer.”  AB 749 defined an “aggrieved person” as “a person who has filed a claim against the person’s employer in court, before an administrative agency, in an alternative dispute resolution forum, or through the employer’s internal complaint process.”  Notably, AB 749 continued to allow a “no-rehire” provision in a settlement agreement with an employee whom the employer, in good faith, determined engaged in sexual harassment or sexual assault.  AB 749 did not restrict the execution of a severance agreement that is unrelated to a claim filed by the employee against the employer.
  • AB 2143, which took effect January 1, 2021, modified the provisions enacted by AB 749 to further clarify and expand when employers can include a “no-rehire” provision in separation or settlement agreements. Specifically, AB 2143 amended Code of Civil Procedure Section 1002.5 to also allow a “no-rehire” provision if the aggrieved party has engaged in “any criminal conduct.” AB 2143 also clarified that in order to include a “no-rehire” provision in a separation or settlement agreement, an employer must have made and documented a good-faith determination that such individual engaged in sexual harassment, sexual assault, or any criminal conduct before the aggrieved employee raised his or her claim.  Finally, AB 2143 also made clear that the restriction on “no-rehire” provisions set forth in Code of Civil Procedure Section 1002.5 applies only to employees whose claims were filed in “good faith.”

SB 331 – Key Changes

Against this legal backdrop, SB 331 has introduced additional restrictions that employers should keep in mind when entering into settlement or separation agreements with employees in California.

Settlement Agreements

Building on the protections included in SB 820, SB 331 expanded SB 820’s prohibition on provisions that prevent the disclosure of facts to include all facts related to all forms of harassment, discrimination, and retaliation—not just those related to sexual assault, sexual harassment, or sex discrimination.  Just as with SB 820, parties can agree to prevent the disclosure of the settlement payment amount, and the identity of the claimant can be protected where requested by the claimant.

Non-Disparagement Covenants and Separation Agreements

Consistent with SB 1300, SB 331 prohibits an employer from requiring an employee to agree to a non-disparagement agreement or other document limiting the disclosure of “information about unlawful acts in the workplace” in exchange for a raise or bonus, or as a condition of employment or continued employment.  SB 331 also prohibits an employer from including in any separation agreement with an employee or former employee any provision that prevents the disclosure of “information about unlawful acts in the workplace” which includes, but is not limited to, information pertaining to harassment or discrimination or any other conduct that the employee has reasonable cause to believe is unlawful.

Effective January 1, 2022, any non-disparagement or other contractual provision that restricts an employee’s ability to disclose information related to conditions in the workplace must include, in substantial form, the following language: “Nothing in this agreement prevents you from discussing or disclosing information about unlawful acts in the workplace, such as harassment or discrimination or any other conduct that you have reason to believe is unlawful.”

Finally, SB 331 also provides that any separation agreement with an employee or former employee related to an employee’s separation from employment that includes a release of claims must provide: (i) notice that the employee has the right to consult an attorney regarding the agreement and (ii) a reasonable time period of at least five (5) business days in which to consult with an attorney.  An employee may sign the agreement before the end of such reasonable time period so long as such employee’s decision is “knowing and voluntary” and is not induced by the employer through fraud, misrepresentation or a threat to withdraw or alter the offer prior to the expiration of such reasonable period of time or by providing different terms to the employees who sign such an agreement before the expiration of such time period.  The SB 331 requirements do not apply to a negotiated agreement to resolve an underlying claim filed by an employee in court, before an administrative agency, in arbitration, or through an employer’s internal complaint process.

Conclusion and Next Steps

SB 331 represents the latest step taken by California intended to protect employees’ rights by restraining employers from preventing the disclosure of information regarding certain workplace conditions.

When evaluating separation or severance agreement templates, employers should consider whether the agreements:

  • Include language requiring that a settlement or severance amount be held in the strictest confidence by the employee or former employee.
  • Have the latest amended Section 1542 language.
  • Have the appropriate disclosures for any non-disparagement provisions.
  • Provide employees with sufficient disclosures and time to consider the separation agreement.
  • Include limitations on individuals which are now prohibited.

Employers should navigate these requirements with care.  Compliance with California’s multifaceted legal protections for employees and former employees will require careful drafting.  Employers should consider seeking the assistance of legal counsel to refresh templates prior to entering into settlement or separation agreements in California.


The following Gibson Dunn attorneys assisted in preparing this client update: Tiffany Phan, Florentino Salazar, Sean Feller, Jason Schwartz, and Katherine V.A. Smith.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following:

Tiffany Phan – Los Angeles (+1 213-229-7522, tphan@gibsondunn.com)

Sean C. Feller – Co-Chair, Executive Compensation & Employee Benefits Group, Los Angeles
(+1 310-551-8746, sfeller@gibsondunn.com)

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C.
(+1 202-955-8242, jschwartz@gibsondunn.com)

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles
(+1 213-229-7107, ksmith@gibsondunn.com)


Introduction

On 12 January 2022, the Hong Kong Monetary Authority (HKMA) released a Discussion Paper on the expansion of the Hong Kong regulatory framework to stablecoins (e.g. crypto-assets pegged to fiat currencies). The Paper considers the adequacy of the existing regulatory framework in light of the growing use of stablecoins and other types of crypto-assets in financial markets, and the challenges posed by this increase in their prevalence. It further poses eight questions for consideration by the industry, including the scope of a proposed new regulatory regime to cover what the HKMA describes as “payment-related stablecoins”.

This client alert provides an overview of the HKMA’s views on crypto-assets and stablecoins as outlined in the Paper, discusses the implications for players in the stablecoin ecosystem if the proposed changes are implemented, and suggests next steps for interested parties.

The HKMA has requested responses to the Paper by 31 March 2022, and has indicated that it intends to introduce this new stablecoin regulatory regime by 2023-2024.

HKMA’s views on crypto-assets and financial stability

The Paper provides a valuable insight into the HKMA’s views on crypto-assets in general, and stablecoins in particular, including their linkages to the traditional financial system and ramifications on financial stability.

In introducing its proposal to regulate payment-related stablecoins, the HKMA has made it clear that while the current size and trading activity of crypto-assets globally may not pose an immediate threat to the stability of the global financial system from a systemic point of view, it does consider the increasing prevalence of crypto-assets to have the potential to impact financial stability. In particular, the HKMA has flagged that it considers that the growing exposure of institutional investors, as well as certain segments of the retail public, to such assets as an alternative or complement to traditional asset classes indicates growing interconnectedness with the mainstream financial system.

Further, as noted by the HKMA, it understands that while Hong Kong authorised banks (Authorised Institutions or AIs) currently undertake only limited activities in relation to crypto-assets, AIs are interested in pursuing these activities further, given that they face increasing demand from customers for crypto-related products and services. This is consistent with what we understand is a steady increase in high net wealth investors hungry for yield demanding access to crypto-assets through their private wealth managers, as well as an uptick in demand from retail investors in Hong Kong eager for the same exposure to upside. To this end, the HKMA has flagged that it will soon provide AIs with more detailed regulatory guidance in relation to their interface with and provision of services to customers in relation to crypto-assets.

Finally, the HKMA has also noted its concerns that the ease of anonymous transfer of crypto-assets may make them susceptible to the risk of illicit and money laundering / terrorist financing activities.

The HKMA’s views on stablecoins

The Paper also flags the HKMA’s view that stablecoins are increasingly viewed as a ‘widely acceptable means of payment’ and that this, alongside the actual increase in their use, has increased the potential for their incorporation into the mainstream financial system. In the HKMA’s opinion, this in turn raises broader monetary and financial stability implications and has resulted in the regulation of stablecoins becoming a key priority for the HKMA, which has stated in the Paper that it wishes to ensure that such coins “are appropriately regulated before they operate in Hong Kong or are marketed to the public of Hong Kong”.

The Paper goes on to identify a number of potential risks that may arise in relation to the use of stablecoins, including, in summary:

  • Payment integrity risks where stablecoins are commonly accepted as a means of payment and operational disruptions or failures occur in relation to the stablecoins;
  • Banking stability risks if banks were to increase their exposure to stablecoins, particularly if stablecoins were viewed as a substitute for bank deposits;
  • Monetary policy risks in relation to the issue and redemption of HKD-backed stablecoins, which could affect interbank HKD demand and supply; and
  • User protection risks where a user may have no or limited recourse in relation to operational disruptions or failures of a stablecoin.

Given these potential risks, the HKMA has stated in the Paper that it considers it appropriate to expand the regulatory perimeter to cover payment-related stablecoins in the first instance, although it has not ruled out the possibility of regulating other forms of stablecoins as well.

The HKMA’s discussion questions for industry consideration

The HKMA has noted in the Paper that it considers ‘the need to regulate [stablecoins] is well justified and the tool to regulate…[can] be decided at a later stage’. However, it has indicated that it wishes for feedback from the industry and the public on the scope of the regulatory regime applicable to stablecoins, and to this end has set out eight discussion questions for industry consideration. A summary of the key questions posed by the HKMA, as well as the HKMA’s views on those questions, is set out below.

Question 1: Should we regulate activities relating to all types of stablecoins or give priority to those payment-related stablecoins that pose higher risks to the monetary and financial systems while providing flexibility in the regime to make adjustments to the scope of stablecoins that may be subject to regulation as needed in the future?

In posing this question, the HKMA has noted that it intends to take a risk-based approach focused initially on payment-related stablecoins at this stage given their predominance in the market and higher potential to be incorporated into the mainstream financial market (as discussed above). However, the HKMA has noted that it intends to ensure that whatever regime is introduced is sufficiently flexible that it could extend to other types of stablecoins in the future. As such, issuers and traders of other types of stablecoins should not expect to avoid regulatory scrutiny forever.

Question 2: What types of stablecoin-related activities should fall under the regulatory ambit, e.g. issuance and redemption, custody and administration, reserves management?

The HKMA has proposed regulating a broad range of stablecoin-related activities, including:

  • Issuing, creating or destroying stablecoins;
  • Managing reserve assets to ensure stabilisation of stablecoin value;
  • Validating transactions and records;
  • Storing private keys used to provide access to stablecoins;
  • Facilitating the redemption of stablecoins;
  • Transmission of funds to settle transactions; and
  • Executing transactions in stablecoins.

This broad list is based on a list of activities in relation to stablecoins published by the Financial Stability Board[1] and as such may be viewed as in keeping with international standards. However, as discussed below in relation to Question 5, the breadth of this regime may raise concerns regarding the degree of overlap between this regime and others proposed by Hong Kong regulators, including the proposed VASP regime to be administered by the Securities and Futures Commission (SFC) (see our alert here).

Question 3: What kind of authorisation and regulatory requirements would be envisaged for those entities subject to the new licensing regime?

The HKMA has suggested that entities subject to the new stablecoin licensing regime would be subject to the following requirements:

  • authorisation and prudential requirements, including adequate financial resources and liquidity requirements;
  • fit and proper requirements in relation to both management and ownership;
  • requirements relating to the maintenance and management of reserves of backing assets; and
  • systems, controls, governance and risk management requirements.

Further, given that it is common for multiple entities to be involved in different parts of a stablecoin arrangement, the HKMA has noted that such entities could be subject to part or all of the requirements, depending on the services they offer.

If requirements in relation to these matters are ultimately implemented by the HKMA, the stablecoin regime would cover some of the requirements of the proposed VASP regime, with the exception of requirements of reserves of backing assets, which will presumably only be applied to stablecoins given their nature.

Question 4: What is the intended coverage as to who needs a licence under the intended regulatory regime?

The HKMA has signalled that it believes that only entities incorporated in Hong Kong and holding a relevant licence granted by the HKMA should carry out regulated activities, to enable the HKMA to exercise effective regulation over the relevant entities. As such, it has stated in the Paper that it expects foreign companies / groups which intend to provide regulated activities in Hong Kong, or actively market those activities in Hong Kong, to incorporate a company in Hong Kong and apply to the HKMA for a licence under this regime.

If implemented, this would have significant ramifications for those global crypto-exchanges currently offering trading in stablecoins to Hong Kong users from offshore. These businesses would be faced with a choice between either incorporating in Hong Kong and seeking a licence, or discontinuing their trading for Hong Kong users.

Question 5: When will this new, risk-based regime on stablecoins be established, and would there be regulatory overlap with other financial regulatory regimes in Hong Kong, including but not limited to the SFC’s VASP regime, and the SVF licensing regime of the PSSVFO?

The HKMA has stated that it will collaborate and coordinate with other financial regulators when defining the scope of its oversight and will seek to avoid regulatory arbitrage, including in relation to areas which ‘may be subject to regulation by more than one local financial authority’.

However, an HKMA-administered regime of the breadth proposed above would create a situation in which an exchange undertaking transactions in non-stablecoin crypto-assets would be regulated by the SFC under its proposed new VASP regime while being regulated by both the SFC and the HKMA under its stablecoin regime. In this respect, we note that the proposed definition of ‘virtual asset’ under the proposed new VASP regime ‘applies equally to virtual coins that are stable (i.e. the so-called “stablecoins”)’.[2] While the HKMA and SFC share regulatory responsibility for Registered Institutions (i.e. Authorised Institutions which are separately licensed by the SFC to undertake securities and futures business), that shared regulatory responsibility concerns distinctly different types of activities. In contrast, we consider that from an exchange’s perspective, the act of executing transactions in stablecoins is substantially similar to executing transactions in non-stablecoin crypto-assets. As such, this approach may lead to unnecessary and undesirable regulatory inefficiencies if exchanges are required to be licensed under both the SFC and HKMA regimes to undertake transactions in crypto-assets.

Question 6: Stablecoins could be subject to run and become potential substitutes of bank deposits. Should the HKMA require stablecoin issuers to be AIs under the Banking Ordinance, similar to the recommendations in the Report on Stablecoins issued by the US President’s Working Group on Financial Markets?

While not expressly stating that it will not require stablecoin issuers to be regulated as AIs under the Banking Ordinance, the HKMA has indicated that it expects that the requirements applicable to stablecoin issuers will instead borrow from Hong Kong’s current regulatory framework for stored value facilities (SVF). However, the HKMA has signalled that certain stablecoin issuers may be subject to higher prudential requirements than SVF issuers where they issue stablecoins of systemic importance.

Question 7: [Does] the HKMA also have plan[s] to regulate unbacked crypto-assets given their growing linkage with the mainstream financial system and risk to financial stability?

The HKMA has not expressly ruled out regulating unbacked crypto-assets, and has stated that it is necessary to continue monitoring the risks posed by this asset class. In stating this, the HKMA has also pointed to the VASP regime, suggesting that the HKMA’s approach to this area is likely to depend on the success of that regime once implemented.

Question 8: For current or prospective parties and entities in the stablecoins ecosystem, what should they do before the HKMA’s regulatory regime is introduced?

The HKMA has advised current and prospective players in the stablecoin ecosystem to provide feedback on the proposals set out in the Discussion Paper, and has noted that in the interim, it will continue to supervise AIs’ activities in relation to crypto-assets and implement the SVF licensing regime pending implementation of this new regime.

Conclusion

The Discussion Paper provides a valuable insight into the HKMA’s plans for the future of stablecoin regulation in Hong Kong. While some concerns exist as to the potential overlap between the HKMA’s new proposed regime and the SFC’s VASP regime, it is clear that the HKMA intends to ensure that it is regarded as the primary regulator of stablecoins going forward, and that it sees the regulation of this asset class as closely linked to its key objective of ensuring financial stability.

____________________________

   [1]   See Financial Stability Board, Regulation, Supervision and Oversight of “Global Stablecoin” Arrangements: Final Report and High-Level Recommendations, https://www.fsb.org/wp-content/uploads/P131020-3.pdf, page 10.

   [2]   See Financial Services and the Treasury Bureau, Public Consultation on Legislative Proposals to Enhance Anti-Money Laundering and Counter-Terrorist Financing Regulation in Hong Kong (Consultation Conclusions), https://www.fstb.gov.hk/fsb/en/publication/consult/doc/consult_conclu_amlo_e.pdf, paragraph 2.8.


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Crypto Taskforce (cryptotaskforce@gibsondunn.com) or the Global Financial Regulatory team, including the following authors in Hong Kong:

William R. Hallatt (+852 2214 3836, whallatt@gibsondunn.com)
Emily Rumble (+852 2214 3839, erumble@gibsondunn.com)
Arnold Pun (+852 2214 3838, apun@gibsondunn.com)
Becky Chung (+852 2214 3837, bchung@gibsondunn.com)

Decided January 13, 2022

National Federation of Independent Business v. Occupational Safety and Health Administration, No. 21A244; and

Ohio v. Occupational Safety and Health Administration, No. 21A247

On Thursday, January 13, 2022, by a 6–3 vote, the Supreme Court prevented the implementation of an OSHA rule that would have imposed a vaccine-or-testing regime on employers with 100 or more employees.

Background:

On November 5, 2021, the Occupational Safety and Health Administration (“OSHA”) issued an emergency temporary standard (“ETS”) governing employers with 100 or more employees. The ETS mandated covered employers to “develop, implement, and enforce a mandatory COVID-19 vaccination policy, with an exception for employers” that require unvaccinated employees to undergo weekly COVID-19 testing and to wear a mask during the workday.

Business groups and States filed petitions for review of the ETS in each regional Court of Appeals, contending that OSHA exceeded its statutory authority under the Occupational Safety and Health Act. The Fifth Circuit stayed the ETS and later held that the OSHA mandate was overly broad, not justified by a “grave” danger from COVID-19, and constitutionally dubious. After all petitions for review were consolidated in the Sixth Circuit, that court dissolved the Fifth Circuit’s stay. The panel majority held that COVID-19 was an emergency warranting an ETS and that OSHA had likely acted within its statutory authority.

Issue:

Whether to stay implementation of the vaccine-or-testing mandate pending the outcome of litigation challenging OSHA’s statutory authority to require employers with 100 or more employees to develop, adopt, and enforce a vaccine-and-testing regime for their employees.

Court’s Holding:

The vaccine-or-testing mandate should be stayed because OSHA likely lacks the statutory authority to adopt the vaccine-or-test mandate in the absence of an unmistakable delegation from Congress.

“It is telling that OSHA, in its half century of existence, has never before adopted a broad public health regulation of this kind—addressing a threat that is untethered, in any causal sense, from the workplace.”

Per Curiam Opinion of the Court

What It Means:

  • The Court’s decision prevents the implementation of the OSHA mandate, which applies to 84 million Americans.  Echoing its recent decision in Alabama Ass’n of Realtors v. Dep’t of Health & Human Services, the Court emphasized that agency action with such “vast economic and political significance” requires a clear delegation from Congress.  It is doubtful that the stay will be lifted to allow OSHA to enforce the mandate before the ETS expires in May, meaning that it is unlikely employers will ever actually be subject to the ETS’s vaccine-or-testing mandate.
  • The challengers had argued that covered employers would incur unrecoverable compliance costs and that employees would quit rather than comply.  The federal government, for its part, had argued that the OSHA mandate would save over 6,500 lives and prevent hundreds of thousands of hospitalizations.  The Court stayed the mandate without resolving this dispute on the ground that only Congress could properly weigh such tradeoffs.
  • The Court’s decision to hear oral argument on the stay applications may signal the beginning of a trend, as this is the second time this Term that the Court moved an application to vacate a stay from the emergency docket to the argument calendar.
  • Other Mandates:  The Court stayed lower court injunctions against the vaccine mandate issued by the Centers for Medicare & Medicaid Services (“CMS”).  See Biden v. Missouri, 21A240; Becerra v. Louisiana, 21A241.  By a 5–4 vote, the Court ruled that the Secretary of Health and Human Services likely has the statutory authority to require vaccination for healthcare workers at facilities that participate in Medicare and Medicaid.  Today’s decisions do not address the federal contractor vaccine mandate that is presently enjoined on a nationwide basis by a federal district court in Georgia. Four other federal district courts also have enjoined the government from enforcing that mandate. So far, the Sixth and Eleventh Circuits have refused to stay the injunctions against the federal contractor mandate pending appeal.

The Court’s opinions are available here and here.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court. Please feel free to contact the following practice leaders:

Appellate and Constitutional Law Practice

Allyson N. Ho (+1 214.698.3233, aho@gibsondunn.com)
Mark A. Perry (+1 202.887.3667, mperry@gibsondunn.com)
Lucas C. Townsend (+1 202.887.3731, ltownsend@gibsondunn.com)
Bradley J. Hamburger (+1 213.229.7658, bhamburger@gibsondunn.com)

Related Practice: Labor and Employment:

Eugene Scalia (+1 202.955.8543, escalia@gibsondunn.com)
Jessica Brown (+1 303.298.5944, jbrown@gibsondunn.com)
Jason C. Schwartz (+1 202.955.8242, jschwartz@gibsondunn.com)
Katherine V.A. Smith (+1 213.229.7107, ksmith@gibsondunn.com)

The tense political battles between former President Donald J. Trump and the United States House of Representatives under Democratic leadership renewed debates over the nature and extent of Congress’s authority to investigate and conduct oversight and have wide-ranging implications for congressional investigation of not just the Executive Branch but also of private parties.

In furtherance of the House of Representatives’ vigorous efforts to investigate President Trump, three House committees issued a series of subpoenas to banks and an accounting firm seeking the personal financial records of the President relating to periods both before and after he took office. The President and his business entities resisted, challenging the congressional subpoenas in court, thus drawing the judiciary into the fray. The President’s challenges culminated in the issuance of the Supreme Court’s historic decision in Trump v. Mazars and Trump v. Deutsche Bank AG, which announced groundbreaking new principles of law that will have profound implications for congressional oversight and investigations. In addition, the D.C. Circuit recently encountered related questions of congressional authority over the Executive Branch in connection with separate information requests to former White House Counsel Donald McGahn, leading to a series of hotly debated rulings (and an eventual settlement) in Committee on the Judiciary v. McGahn.

These cases arose against a seemingly well-established backdrop. It has long been understood that Congress possesses inherent constitutional authority to inquire into matters that could become the subject of legislation, such as through the use of compulsory process directed to both government officials and private citizens. As the Supreme Court recognized nearly a century ago, Congress “cannot legislate wisely or effectively in the absence of information respecting the conditions which the legislation is intended to affect or change.” Thus, “the power of inquiry—with process to enforce it—is an essential and appropriate auxiliary to the legislative function.” The Executive and Legislative Branches often resolve disputes about congressional requests for information through the “hurly-burly, the give-and-take of the political process between the legislative and the executive.” Only recently has Congress resorted repeatedly to the courts in an effort to enforce subpoenas against Executive Branch officials.

Washington, D.C. partners Michael Bopp and Thomas Hungar, with Chantalle Carles Schropp, prepared this article, originally published by the University of Virginia’s Journal of Law & Politics, Vol. 37, No. 1, in 2021.

On December 15, 2021, the Securities and Exchange Commission (“SEC” or “Commission”) held a virtual open meeting where it considered four rule proposals, including two that are particularly pertinent to all public companies: (i) amendments regarding Rule 10b5-1 insider trading plans and related disclosures and (ii) new share repurchase disclosures rules.

Both proposals passed, though only the proposed amendments regarding Rule 10b5-1 insider trading plans and related disclosures passed unanimously; the proposed new share repurchase disclosures rules passed on party lines. Notably, these proposals only have a 45-day comment period, which is shorter than the more customary 60- or 90-day comment periods. Commissioner Roisman, in particular, raised concerns about the 45-day comment periods being too short, noting that the comment periods run “not only over several holidays,” but “also concurrent with five other rule proposals that have open comment periods.”

Below, please find summary descriptions of these two rule proposals, as well as certain Commissioners’ concerns related to these proposals.

The following Gibson Dunn attorneys assisted in preparing this update: Ronald Mueller, Andrew Fabens, James Moloney, Lori Zyskowski, Thomas Kim, Brian Lane, and Elizabeth Ising.