On September 5, 2024, Institutional Shareholder Services (ISS) released its 2024 Proxy Season Review:  United States – Executive Compensation. The below chart summarizes our observations of the 2024 data and key takeaways as we look to the 2025 proxy season. While these trends are positive for issuers overall, they underscore that issuers, their boards, compensation committees, and management should continue to take an active role in compensation programs, disclosure, and shareholder engagement practices.

Each observation below is followed by the corresponding key takeaway.

Observation: Increased shareholder support for say-on-pay and equity plan proposals. Median say-on-pay support levels rebounded after steadily declining since 2017, though median say-on-pay support did not quite reach 95% (hovering at 94.9%, well below the highs of 2015-2017). Instances of low (less than 70%) say-on-pay support and failed say-on-pay votes each also decreased to 5.1% and 1%, respectively in 2024.

Likewise, after declining in 2022 and 2023, equity plan support improved in 2024 and equity plan failure rates normalized at just under 1% (down from 1.6% in 2023).

Key takeaway: ISS notes that this is the lowest proxy season say-on-pay failure rate ever observed. We attribute this positive trend to continued transparency in compensation program disclosures and increased attention on shareholder engagement efforts.

Issuers should continue to address in their disclosures (1) how their compensation practices affect shareholder dilution and reflect and respond to broader market conditions, including inflationary pressures and economic volatility, and (2) how these factors impact their approach to designing and administering their compensation programs.

Observation: Continued positive correlation between pay-for-performance quantitative screen and ISS say-on-pay vote recommendation. Unsurprisingly, higher quantitative screen concern levels correlated to a higher likelihood of an “against” recommendation, with over half of issuers flagged with a “high” concern level receiving “against” recommendations.

Key takeaway: Interestingly, the 3% of issuers with a “low” concern level that received “against” recommendations generally were cited for problematic contractual provisions, non-CEO executive pay, insufficient board responsiveness, or severance payouts.

Observation: Rising CEO pay. After dipping slightly in 2023, median CEO pay in the S&P 500 reached its highest level since say-on-pay votes began over a decade ago – $15.6 million. The Russell 3000 (excluding the S&P 500) median CEO pay also trended up slightly to $5.3 million, but was still below the high-water mark set in 2021.

Key takeaway: ISS notes that the record low say-on-pay failure rates combined with the record high S&P CEO median pay level suggest that investors are considering factors beyond pay magnitude in their voting decisions. Consistent with ISS’s proxy voting guidelines, many large investors’ say-on-pay votes can be swayed by problematic pay practices (such as one-time awards or application of discretion in pay decisions) without clear disclosure of a compelling rationale.

Observation: Compensation plan design continues to favor formulaic and performance-based compensation. Annual and long-term incentive awards trended towards non-discretionary and performance-based design, respectively.

Key takeaway: ISS’s focus on formulaic performance-based compensation, including the impact of ISS’s pay-for-performance quantitative screen noted above, continues to correlate with the say-on-pay vote recommendation.

Observation: Specific sectors and the Russell 3000 continue to use discretionary compensation. While discretionary compensation across all sectors and indices has generally declined or remained steady year-over-year, financial sector CEOs and a higher percentage of Russell 3000 (excluding S&P 500) CEOs continued to receive discretionary bonuses.

Key takeaway: Discretionary compensation may still have specific appropriate use cases, though issuers should consider clearly disclosing the business or sector-specific rationale when deploying discretionary compensation. Based on these trends, benchmarking against sector-specific peers may also be helpful.

Observation: Higher perquisite numbers driven by aircraft perks and security costs. Median values of CEO “all other compensation” reported in 2024 climbed markedly in the S&P 500, particularly in the upper percentiles of perquisite values.

Key takeaway: The ISS report noted that increases in CEO “all other compensation” levels appeared to be primarily driven by larger corporate aircraft perks and security costs. And at the same time, issuers have seen an enhanced focus by the SEC and IRS on reporting and disclosure of these benefits.

Observation: Equity plan design trends include continuing rise of evergreen provisions, use of discretion to accelerate vesting, and no minimum vesting requirement. While “problematic” provisions like repricings or cash buyouts of equity awards without shareholder approval, and liberal change in control vesting provisions continued to decline overall, evergreen provisions in equity plans continued a steady rise and were observed in over 15% of 2024 plans up for approval. Issuers seeking plan approval in 2024 continued to eschew limitations on flexibility to accelerate vesting and set vesting schedules.

Key takeaway: The prevalence of evergreen provisions is likely attributable in part to the repeal of Section 162(m) of the Internal Revenue Code in 2017 and an increase in SPAC/de-SPAC transactions since 2021. Favoring the ability to set and adjust vesting schedules is unsurprising as issuers balance the need for flexibility in equity plan administration.

Observation: No surprises in pay-versus-performance disclosure. Consistent with 2023, most industries used earnings as their most important performance metric and technology, media and telecom looked to revenue. Compensation actually paid (CAP) trended upwards in most industries.

Key takeaway: The overall increase in CAP is not surprising given its correlation to increases in stock prices and the year-over-year performance of the relevant industries from fiscal year 2022 to fiscal year 2023.

Observation: Modest increases in CEO pay ratio. Median CEO pay ratio in the S&P 500 saw a small increase year-over-year while the other indices (S&P 400, S&P 600, and remaining Russell 3000) remained steady.

Key takeaway: Consistent with the trends in CEO pay levels, the median CEO pay-to-median employee ratios in the S&P 500, S&P 400, S&P 600 and remaining Russell 3000 were 189, 111, 73, and 45, respectively.

Observation: Say-on-golden parachute failure rate increased. In 2024, proposals seeking advisory approval of compensation payable in connection with a change of control dipped below 80% average support for the first time since 2017, and the failure rate for these proposals hit an all-time-high of 17%.

Key takeaway: Say-on-golden parachute support/failure rates have generally correlated to changes in median golden parachute value, which increased 35% year-over-year from 2023 to 2024.


The following Gibson Dunn lawyers assisted in preparing this update: Krista Hanvey, Elizabeth Ising, Ronald Mueller, Ekaterina Napalkova, and Lori Zyskowski.


© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

I. Introduction

For fiscal years beginning on or after April 1, 2023, domestic public companies are required to disclose whether they have adopted insider trading policies and procedures governing the purchase, sale, and/or other dispositions of their securities by their directors, officers and employees, or the companies themselves, and if so to file those policies and procedures as an exhibit to their annual reports on Form 10-K.[1] While calendar year companies must comply with these requirements in their Form 10-K for, or proxy statement following, the fiscal year ending December 31, 2024, 49 S&P 500 companies had addressed these requirements in filings as of June 30, 2024.[2]

As discussed in the summary of our preliminary observations below, while specific provisions vary from company to company, certain common approaches are emerging with respect to key policy terms. That said, company policies and procedures can vary based on a company’s particular circumstances, some companies may have interpretive materials that were not filed but elaborate on the operation of their policies and procedures, and some companies are updating their policies and procedures in light of the new filing requirements. As a result, we caution companies against treating these early observations as “best practices.” Your Gibson Dunn contacts are available to discuss the specifics of your policy and answer any questions you may have.

II. Persons Subject to the Insider Trading Policies

Nearly all policies we reviewed (96%) cover all company personnel (i.e., directors, officers and all employees of companies and their subsidiaries and, in some cases, certain affiliates) and their family members. Additionally, a significant majority of the policies (82%) expressly state that they apply to legal entities such as trusts whose securities transactions are controlled or influenced by company personnel and, in some cases, their family members. A majority of the policies (63%) also apply insider trading restrictions to contractors and/or consultants.[3]

III. Transactions in Company Securities Subject to the Insider Trading Policies

All of the policies specify types of transactions that are subject to, or are exempt from, the policy terms. Aside from open market sales or purchases, which are addressed in all of the policies, the most commonly addressed transactions include the following:

  • Gifts. A significant majority of the policies (86%) provide some level of restriction on gifts, addressing to one degree or another the SEC’s position that gifts can constitute a form of insider trading.[4] A majority (61%) specifically address gifts as being subject to the policy for all covered persons (i.e., prohibiting gifts when an individual subject to the policy is in possession of material nonpublic information (“MNPI”) and/or applying window periods and/or pre-clearance restrictions to gifts),[5] although a handful of companies (8%) restrict gifts only if the donor has reason to believe the donee will sell while the donor has MNPI. Of the policies that do not apply gift restrictions to all employees, a majority restrict gifts only for certain covered persons that are subject to additional restrictions, such as blackout periods and/or pre-clearance procedures.
  • Option Exercises. A majority of the policies (69%) exempt exercises of options when there is no associated sale on the market; however, exercises of options where there is a sale of some or a portion of shares delivered upon exercise (e.g., cashless broker exercise) are typically treated like any other sale. Of this group, approximately a quarter of the policies specifically provide that withholding of shares for tax withholding purposes is exempt, and a smaller minority of policies provide that withholding of shares for tax withholding purposes and/or the payment of exercise price is exempt.
  • Vesting and Settlement of Other Equity Awards. A majority of the policies (59%) exempt vesting and settlement of equity awards, such as RSUs and restricted stock, and 51% of the policies specifically provide that withholding of shares for tax purposes (i.e., net share settlement) is exempt.

IV. Transactions in Other Company Securities

Nearly all policies (96%) specifically include some form of restriction on trading in the securities of another company when the person is aware of MNPI about that company or its securities. A significant majority of the policies (82%) prohibit trading in the securities of another company when the person is aware of MNPI about such company that was learned in the course of or as a result of the covered person’s employment or relationship with the company. The rest apply the prohibition more broadly to trading in the securities of another company while aware of MNPI about that company, without specifically addressing how the information was learned. Of the 82%, a minority tailor the prohibition to apply only to trading in the securities of another company that has some sort of a business relationship with the company (e.g., customers, vendors, or suppliers) or that is engaged in a potential business transaction with the company, and a smaller subset of these policies also include a specific reference to “competitors” in this prohibition.

V. Blackout Periods and Preclearance Procedures

  • Persons subject to quarterly blackout periods. A significant majority of the policies (88%) subject directors, executive officers and a designated subset of employees to regular quarterly blackout periods, with a few policies applying two different blackout periods to different groups of employees. Although the groups of persons (other than directors and executive officers) who are subject to quarterly blackout periods tend to be company-specific, most of the policies identify the “restricted persons” to include employees by title (e.g., all Vice Presidents or higher) and/or by department or role (e.g., all officers in accounting, financial planning and analysis, investor relations, legal and finance departments, etc.) as well as other employees who have been identified as having access to systems that have MNPI. Some policies take a less specific approach and identify restricted persons as those who are designated as such by the officer administering the insider trading policy. A minority of the policies (6%) subject all covered persons under the policy to quarterly blackout periods.
  • Start and end of quarterly blackout periods. The start date of the quarterly blackout periods ranges from quarter end to four weeks or more prior to quarter end. Under almost half of the policies (45%), the quarterly blackout periods start approximately two weeks prior to quarter end, 14% start the blackout periods three to four weeks prior to quarter end, and 18% start four weeks or more prior to quarter end. A significant majority of the policies (76%) end the quarterly blackout periods one to two full trading days after the release of earnings, with more policies ending after one trading day (51%) than two trading days (24%).[6] Additionally, nearly all policies specifically state that from time to time the company may implement additional special blackout periods.
  • Preclearance procedures. Nearly all policies require that certain covered persons must preclear their transactions with the appropriate officer administering the insider trading policy prior to execution. There is, however, variation in the persons subject to preclearance procedures—for 65% of the policies, the preclearance persons are a subset of the persons subject to blackout periods, while for a minority of the policies (29%), they are the same as the persons subject to the blackout periods. Of the 65% of the policies, a minority (38%) require preclearance only from the company’s directors and executive officers.[7] Regardless of scope, nearly all of the policies provide that directors and executive officers are subject to preclearance procedures.

VI. Special Prohibitions Under the Insider Trading Policies

All of the policies prohibit or otherwise restrict certain types of transactions regardless of whether they involve actual insider trading, in some cases stating that such transactions present a heightened risk of securities law violations or the potential appearance of improper or inappropriate conduct. The most common prohibitions addressed: hedging transactions (96%);[8] speculative transactions (96%); pledging securities as collateral for a loan (90%); and trading on margin or holding securities in margin accounts (82%). Although a significant majority of the policies apply the prohibition on hedging and speculative transactions to all persons subject to the policy, prohibitions on pledging and/or margin trading/accounts are sometimes limited to sub-categories of persons subject to the insider trading policies (39% and 27%, respectively): for instance, some policies apply the prohibition only to directors and executive officers or persons subject to quarterly blackout periods and/or preclearance procedures.[9]

A significant majority of the policies do not specifically address standing or limit orders or short-term trading, but of the ones that do, a significant majority take the approach of discouraging such transactions rather than strictly prohibiting them. Even where standing or limit orders are not strictly prohibited, some policies require that such orders be cancelled if the person becomes aware of MNPI (or prior to the start of a blackout period, if applicable). A few policies prohibit standing or limit orders if they go beyond a specified duration.

VII. Rule 10b5-1 Plans

All of the policies address the availability of Rule 10b5-1 plans. A significant majority of the policies (86%) do not set forth restrictions on who can enter into a Rule 10b5-1 plan so long as approval and other requirements are met, but a minority of the policies (12%) limit the use of 10b5-1 plans to directors and designated officers. A small minority of the policies (6%) require directors and designated officers to trade only pursuant to Rule 10b5-1 plans.

All of the policies require that Rule 10b5-1 plans be approved prior to adoption, but the policies tend to vary in approach when describing the guidelines for entering into Rule 10b5-1 plans (or modifying or terminating them). A significant majority (71%) of the policies describe the specified conditions under the SEC rules for a plan to qualify as a Rule 10b5-1 plan, although some do so in a more streamlined manner than others. Of these policies, a majority include Rule 10b5-1 plan requirements within the body of the policy, although a minority do so in an appendix and one company filed the plan guidelines as a separate exhibit. A minority of the policies (29%) do not describe the specified conditions under Rule 10b5-1, but provide a general statement regarding the affirmative defense from insider trading liability under the securities laws for transactions under a compliant Rule 10b5-1 plan and refer covered persons to the officer administering the policy for more information and guidelines on how to establish such a plan.

VIII. Policies Addressing Company Transactions

As noted above, Item 408(b) of Regulation S-K requires a public company to disclose whether it has adopted insider trading policies and procedures governing transactions in company securities by the company itself, and, if so, to file the policies and procedures, or if not, to explain why. Of the 23 S&P 500 companies subject to Item 408(b) that filed a Form 10-K and proxy statement prior to June 30, 2024, a significant majority (78%) did not address insider trading policies or procedures governing companies’ transactions in their own securities.[10] Of the ones that did, most included a brief sentence or two about the company’s policy of complying with applicable laws in trading in its own securities. Only one company in our surveyed group filed a company repurchase policy as a separate exhibit.

IX. Filing Practices Regarding Related Policies or Documents

A significant majority (88%) of the companies filed only a single insider trading policy and no other related policies or documents (even where they referenced other related policies in their insider trading policy).[11] In the few cases where multiple policies were filed, they appear to be supplemental guidelines/policies covering topics not generally applicable to all employees (e.g., trading windows, preclearance, 10b5-1 plans).

* * * *

We will continue to monitor public company filings of insider trading policies and procedures and expect to update our survey in early 2025 once calendar year-end companies’ Forms 10-K are on file, as we expect disclosure and filing practices to evolve as companies go through the first full year of complying with the new Item 408(b) disclosure and filing requirements.

[1] See Items 408(b) and 601(b)(19) of Regulation S-K, adopted by the SEC in connection with the Rule 10b5-1 amendments in December 2022. If a company has not adopted such policies and procedures, it is required to explain why it has not done so. Disclosure about the adoption (or not) of policies or procedures must appear in a company’s proxy statement (and must also be included in, or incorporated by reference to, Part III of a company’s Form 10-K), whereas the policies and procedures are to be filed as exhibits to the company’s Form 10-K.

[2] This group of 49 S&P 500 companies includes 23 companies that made Item 408(b) disclosures and 26 companies that were not subject to the disclosure requirements but voluntarily filed their insider trading policies and procedures with a Form 10-K filed prior to June 30, 2024.

[3] A minority of policies also include other service providers specific to their businesses.

[4] See Final Rule: Insider Trading Arrangements and Related Disclosures, Release No. 33-11138 (Dec. 14, 2022). In its adopting release, the SEC stated its view that the terms “trade” and “sale” in Rule 10b5-1 include bona fide gifts of securities and that gifts can be subject to Section 10(b) liability, since the Securities Exchange Act of 1934 does not require that a “sale” be for value and instead provides that the terms “sale” or “sell” each include “any contract to sell or otherwise dispose of.”

[5] A small minority of these policies also provide certain exceptions for gifts, including gifts to family members and/or controlled entities that are already subject to the policy, or exceptions on a case by case basis.

[6] Some policies use business days instead of trading days, but many policies do not define either term. We treated them as the same for purposes of our data analysis.

[7] The remaining 6% includes two policies that do not address preclearance procedures and one policy which is unclear.

[8] Item 407(i) of Regulation S-K requires companies to disclose practices or policies they have adopted regarding the ability of employees (including officers) or directors to engage in certain hedging transactions.

[9] A few policies allow for exceptions, subject to preclearance.

[10] For the purposes of this survey, we limited our review to Exhibit 19 filings and did not review the companies’ disclosures in the body of the proxy statement or Form 10-K addressing Item 408(b)(1) of Regulation S-K.

[11] Under Regulation S-K Item 408(b)(2), if all of a company’s insider trading policies and procedures are included in its code of ethics that is filed as an exhibit to the company’s Form 10-K, that satisfies the exhibit requirement. However, many companies do not file their code of ethics and instead rely on one of the alternative means of making the code available allowed under S-K Item 406(c)(2) and (3).

The following Gibson Dunn lawyers assisted in preparing this update: Aaron K. Briggs, Thomas Kim, Brian Lane, Julia Lapitskaya, James Moloney, Ronald Mueller, Michael Titera, Lori Zyskowski, and Stella Kwak.



In recent weeks, the Hong Kong Monetary Authority (“HKMA”) has been active in releasing guidance to authorized institutions (“AIs”) regarding their use of artificial intelligence, both in customer-facing applications and in relation to the detection of money laundering and terrorist financing (“ML/TF”). This guidance reflects the increasing willingness of Hong Kong financial regulators to regulate the use of artificial intelligence. We consider that this is reflective of the significant interest of financial institutions in Hong Kong in exploring the use of generative artificial intelligence (“GenAI”) in particular, with 39% of AIs surveyed by the HKMA earlier this year reporting that they either have already adopted GenAI in the provision of general banking products and services as well as daily operations, or that they plan to do so. Given this, we expect other Hong Kong regulators to issue guidance in this space in the coming months.

This client briefing covers:

  1. The guiding principles issued by the HKMA on August 19, 2024 on the use of generative artificial intelligence (“GenAI”) in customer-facing applications (“GenAI Guidelines”).[1] The GenAI Guidelines build on a previous HKMA circular “Consumer Protection in respect of Use of Big Data Analytics and Artificial Intelligence by Authorized Institutions” dated November 5, 2019 (“2019 BDAI Guiding Principles”) and provide specific guidelines to AIs on the use of GenAI;[2] and
  2. The circular issued by the HKMA on September 9, 2024 requiring AIs with significant operations in Hong Kong to (a) undertake a study to consider the feasibility of using artificial intelligence in tackling ML/TF, and (b) submit the feasibility study and an implementation plan to the HKMA by the end of March 2025 (“ML/TF Circular”).[3]

I. Background to GenAI Regulation by the HKMA

GenAI is a form of big data analytics and artificial intelligence (“BDAI”) that enables generation of new content such as text, image, audio, video, code or other media, based on vast amounts of data. GenAI’s ability to generate new and original content sets it apart from other forms of traditional artificial intelligence, which is focused on analyzing information and automating processes. While its content-generating ability gives GenAI tremendous potential to streamline business processes and improve efficiency, this ability also creates risks such as hallucination risk (i.e. where a GenAI model generates incorrect or misleading results due to insufficient training data, incorrect assumptions or biases made by the model).

This content-generating ability, combined with the growing interest in GenAI adoption within the banking sector, has prompted the HKMA to issue the GenAI Guidelines. According to a recent survey on the use of BDAI (including GenAI) by AIs conducted by the HKMA, 39% of surveyed AIs reported adopting or planning to adopt GenAI in the provision of general banking products and services, as well as daily operations. While the majority of the current reported use cases in GenAI are in relation to internal business functions, such as summarisation and translation, coding and internal chatbots, the HKMA has stated that it considers that:

  • the content-generating capability of GenAI lends itself to increased uptake and deployment in relation to customer-facing activities; and
  • the prospective increase in the use of GenAI in customer-facing activities raises consumer protection concerns due to risks such as lack of explainability and hallucination risks, which in the HKMA’s words ‘could cause even more significant impact on customers’ than the use of less complex BDAI.

Given this, while the HKMA expects all AIs to continue to apply the 2019 BDAI Guiding Principles, the HKMA also expects all AIs to adhere to the additional principles in the GenAI Guidelines in order to ensure appropriate safeguards are in place when GenAI is adopted for customer-facing applications.

II. Summary of the HKMA’s GenAI Guidelines

Using the 2019 BDAI Guiding Principles as a foundation, the GenAI Guidelines adopt the same core principles of governance and accountability, fairness, transparency and disclosure, and data privacy and protection, but introduce additional requirements to address the specific challenges presented by GenAI.

Core Principles and Requirements under the GenAI Guidelines

Governance and Accountability: The board and senior management of AIs should remain accountable for all GenAI-driven decisions and processes, and should thoroughly consider the potential impact of GenAI applications on customers through an appropriate committee which sits within the AI’s governance framework. The board and senior management should ensure the following:

  • Clearly defined scope of customer-facing GenAI applications to avoid GenAI usage in unintended areas;
  • Proper policies and procedures and related control measures for responsible GenAI use in customer-facing applications; and
  • Proper validation of GenAI models, including a “human-in-the-loop” approach in early stages, i.e. having a human retain control in the decision-making process, to ensure the model-generated outputs are accurate and not misleading.

Fairness: AIs are responsible for ensuring that GenAI models produce objective, consistent, ethical, and fair outcomes for customers. This includes:

  • Ensuring that model-generated outputs do not lead to unfair outcomes for customers. As part of this, AIs are expected to give consideration to different approaches that may be deployed in GenAI models, such as (a) anonymizing certain data categories; (b) using comprehensive and fair datasets; and (c) making adjustments to remove bias during validation and review; and
  • During the early deployment stage, providing customers with an option to opt out of GenAI use and request human intervention on GenAI-generated decisions as far as practicable. If an “opt-out” option is unavailable, AIs should provide channels for customers to request review of GenAI-generated decisions.

Transparency and Disclosure: AIs should:

  • Provide appropriate transparency to customers regarding GenAI applications;
  • Disclose the use of GenAI to customers; and
  • Communicate the use, purpose, and limitations of GenAI models to enhance customer understanding.

Data Privacy and Protection: AIs should:

  • Implement effective protection measures for customer data; and
  • Where personal data are collected and processed by GenAI applications, comply with the Personal Data (Privacy) Ordinance, including the relevant recommendations and good practices issued by the Office of the Privacy Commissioner for Personal Data, such as the “Guidance on the Ethical Development and Use of Artificial Intelligence” issued on August 18, 2021,[4] and the “Artificial Intelligence: Model Personal Data Protection Framework” issued on June 11, 2024.[5]

Notably, the HKMA has also expressed support for proactive use of BDAI and GenAI in enhancing consumer protection in the banking sector. Examples of suggested use cases include identification of customers who are vulnerable and require more protection and education; identification of customers who may need more information or clarifications to better understand product features, risks, and terms and conditions in the disclosure; or issuance of fraud alerts to customers engaging in transactions with potentially higher risks.

III. Summary of the HKMA Circular

Consistent with the HKMA’s recognition of the potential use of GenAI in consumer protection in the GenAI Guidelines, the HKMA Circular also indicates that the HKMA recognizes the considerable benefits that may come from the deployment of artificial intelligence in monitoring ML/TF. In particular, the HKMA Circular notes that artificial intelligence-powered systems ‘take into account a broad range of contextual information focusing not only on individual transactions, but also the active risk profile and past transaction patterns of customers…These systems have proved to be more effective and efficient than conventional rules-based transaction monitoring systems commonly used by AIs.’[6]

Given this, the HKMA has indicated that AIs with significant operations in Hong Kong should:

  • give due consideration to adopting artificial intelligence in their ML/TF monitoring systems to enable them to stay effective and efficient; and
  • undertake a feasibility study in relation to the adoption of artificial intelligence in their ML/TF monitoring systems and, based on the outcome of that review, formulate an implementation plan.

The feasibility study and implementation plan should be signed off at the board level and submitted to the HKMA by the end of March 2025.[7]

The HKMA has also indicated that it intends to support the use of artificial intelligence by AIs in this space through the establishment of a dedicated team to provide feedback and guidance to assist AIs, as well as through the organisation of an experience sharing forum in November 2024 to allow firms to share their experience of using artificial intelligence in relation to ML/TF monitoring.

IV. Conclusion

The issuance of the GenAI Guidelines and the HKMA Circular reflects the HKMA’s awareness of both the considerable potential of GenAI and the prospective risks associated with its deployment. Given the HKMA’s interest in this space, we recommend that AIs review and update their policies and procedures in relation to the use of GenAI to ensure compliance with the GenAI Guidelines. As part of this, AIs should ensure that the use of GenAI in customer-facing activities is thoroughly considered at the board, senior management, and governance committee levels.

Further, it is important more generally that AIs develop the necessary expertise in understanding the artificial intelligence model that is being adopted. This will not only assist senior management in its decision-making process with respect to its deployment of artificial intelligence, but will also aid in the development of appropriate internal systems and controls with respect to the use of artificial intelligence. For instance, AIs can consider implementing staff training on the features and risks of artificial intelligence, to ensure that issues caused by artificial intelligence models are adequately escalated and addressed.

[1] “Consumer Protection in respect of Use of Generative Artificial Intelligence”, published by the HKMA on August 19, 2024, available at: https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2024/20240819e1.pdf

[2] “Consumer Protection in respect of Use of Big Data Analytics and Artificial Intelligence by Authorized Institutions”, published by the HKMA on November 5, 2019, available at: https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2019/20191105e1.pdf

[3] “Use of Artificial Intelligence for Monitoring of Suspicious Activities”, published by the HKMA on September 9, 2024, available at https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2024/20240909e1.pdf

[4] “Guidance on the Ethical Development and Use of Artificial Intelligence”, published by the Office of the Privacy Commissioner for Personal Data on August 18, 2021, available at: https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_ethical_e.pdf

[5] “Artificial Intelligence: Model Personal Data Protection Framework”, published by the Office of the Privacy Commissioner for Personal Data on June 11, 2024, available at https://www.pcpd.org.hk/english/resources_centre/publications/files/ai_protection_framework.pdf

[6] “Use of Artificial Intelligence for Monitoring of Suspicious Activities”, published by the Hong Kong Monetary Authority on September 9, 2024, available at https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2024/20240909e1.pdf

[7] Ibid. The HKMA will communicate with AIs on an individual basis regarding the exact timing for the feasibility study and implementation plan and the format in which they should be provided, and will consider further engagement and follow up in due course. Reference should also be made to:

(a) “Report on AML/CFT Regtech: Case Studies and Insights Volume 1” published on 21 January 2021, available at https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2021/20210121e1a1.pdf;

(b) “Report on AML/CFT Regtech: Case Studies and Insights Volume 2” published on 25 September 2023, available at https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/aml-cft/AMLCFT_Regtech-Case_Studies_and_Insights_Volume_2.pdf; and

(c) “Thematic Review of Transaction Monitoring Systems and Use of Artificial Intelligence” published on 17 April 2024, which sets out insights for design, implementation and optimisation of transaction monitoring systems, available at https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2024/20240417e1a1.pdf.


The following Gibson Dunn lawyers prepared this update: William Hallatt, Emily Rumble, and Jane Lu.


© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.


With four months left in his administration, President Biden is making a play for the future with a concerted focus on developing infrastructure to support artificial intelligence (AI).  A limiting factor in the advancement of AI is the need to build data centers and their associated energy infrastructure to process the extraordinary quantities of information involved in AI computations and development of large language models.  Over the past weeks, the Administration has taken several significant steps to promote the development of AI data centers.  Data center developers, investors, AI companies, and energy companies all stand to benefit from the Administration’s support for AI data center development.

Several months ago, Gibson Dunn formed an interdisciplinary task force of partners specializing in energy, infrastructure, real estate, digital and AI, environment, litigation, national security, and public policy to provide integrated advice to clients who are actively pursuing opportunities in the data center sector.  We are closely tracking the Administration’s efforts regarding AI data centers and are available to help clients to share their insights with the Administration, as well as to take advantage of the opportunities these high-level initiatives may offer in the coming months.

I. White House Roundtable, Interagency Efforts to Promote AI Data Centers

On September 12, 2024, the Biden Administration convened AI industry leaders, utility companies, and high-level Administration officials to discuss how to ensure the United States continues to lead in AI.  After the roundtable, the White House announced several new initiatives to promote AI in ways that will advance national security and protect the environment.

Most significantly, the Administration launched its Task Force on AI Datacenter Infrastructure to coordinate federal government policy across agencies.  Led by the National Economic Council, National Security Council, and the White House Deputy Chief of Staff’s office, the Task Force involves the highest levels of the Biden Administration, indicating the importance the Administration is placing on this initiative.  The Task Force will work with private sector leaders to identify growth opportunities, as well as with agencies to prioritize AI data center projects.

The Administration also announced that it is tasking the Federal Permitting Improvement Steering Council to work with AI data center developers and federal agencies to set comprehensive timelines for project development, provide technical assistance to the permitting agencies, and distribute funding to agencies to expedite the permitting process for data centers.  The U.S. Army Corps of Engineers also will be identifying nationwide permits to expedite the construction of AI data centers.  AI data centers require substantial amounts of land, water, and energy—all resources protected or regulated by federal, state, and local permitting regimes.  This focus on easing the permitting process for data center developers may give investors some comfort about the shorter-term return on their investments and potentially serve as a model for broader infrastructure permitting reform.

II. Department of Energy Developments

Given AI data centers’ need for significant amounts of energy, combined with the Administration’s clean-energy goals, it is no surprise that the Department of Energy (DOE) is taking the lead on several significant projects to support AI data centers.  Of interest to clients, the DOE is planning a series of convenings with industry stakeholders to discuss the challenges associated with data centers’ energy needs.

Moreover, multiple offices within the DOE are working to provide solutions to stakeholders.  In August, the DOE Office of Policy developed a list of resources to help data center developers, owners and operators, and interconnection stakeholders take advantage of tax credits, financing programs, and technical assistance.

In July, the DOE Secretary of Energy Advisory Board convened a Working Group on Powering AI and Data Center Infrastructure and presented its recommendations to Jennifer Granholm, the Secretary of Energy.

The Working Group’s report encouraged the DOE to adopt several key immediate and longer-term impact recommendations for supporting AI-driven data center power demand while limiting harm to existing customers and greenhouse gas emissions.  The Working Group’s three immediate impact recommendations to the DOE encouraged the DOE to:

  • explore flexible siting and geographic distribution of AI large language model data centers in an effort to reduce highly concentrated loads;
  • foster dialogue between energy utilities, data center developers and operators, and other key stakeholders to manage current electricity supply bottlenecks and encourage real-time data sharing; and
  • rapidly assess reliability, cost, performance, and supply chain issues facing generation, storage, and grid technologies to support data center expansion.

As longer-term recommendations, the Working Group encouraged the DOE to:

  • establish an AI testbed within the DOE to allow researchers to develop and assess algorithms for energy-efficient AI training, and advance the United States’ AI capabilities;
  • work with other government agencies and the private sector to develop a standardized and adaptable framework for orchestrating grid services; and
  • accelerate and de-risk private investment in emerging technologies, particularly nuclear, geothermal, long-duration storage, and carbon capture and sequestration.

The DOE’s focus on providing data center solutions will continue as it works in conjunction with other government agencies and the private sector to drive development, provide incentives, and discover efficiencies with respect to AI-driven data center power demands.

III. Department of Commerce Developments

Along with the DOE, the Department of Commerce will play a significant role in the Administration’s efforts to promote data center development.  The National Telecommunications and Information Administration (NTIA), a component of the Department of Commerce, has invited comments on data center security and supporting data center growth in the United States.  The NTIA is tasked with advising the President on issues related to the internet economy, including internet infrastructure, cybersecurity, and online privacy.  Much of its work focuses on expanding broadband access and adoption, particularly in rural parts of the country, and the NTIA administers grant funding programs to support expansion of broadband infrastructure.

The NTIA will use the comments to inform its work on a comprehensive report for the executive branch offering policy recommendations about how the federal government can promote data center development.  The NTIA is coordinating its efforts with the DOE.  The Administration seeks comments on a variety of data center development topics including AI data center usage, barriers to data center competition, supply chain vulnerabilities, risk management practices, staffing shortages, and power supply challenges.

Offering comments to the NTIA will allow interested parties to shape the recommendations made within the executive branch on the best path toward maximizing data center infrastructure.  The NTIA’s advisory role and its coordination with the DOE on this report will allow commenters to reach multiple interested executive agencies through this comment process.  Comments are due November 4.

Given the economic, strategic, and national security implications of the AI race, these efforts are likely just the start of a federal government campaign to support AI data centers, regardless of the outcome of the November elections.  In light of the Administration’s keen interest in collaborating with the private sector on AI data center development, industry participants who want to shape the future of AI and data center policy should take this opportunity to make their voices heard.

Gibson Dunn’s Data Center Task Force attorneys are available to assist clients by offering strategic advice; drafting comment letters to agencies; arranging and preparing for high-level executive branch and congressional meetings; and helping clients take advantage of potential opportunities emerging from the rapidly changing regulatory environment.


The following Gibson Dunn lawyers prepared this update: F. Joseph Warin, Eric Feuerstein, Stephenie Gosnell Handler, William R. Hollaway, Ph.D., Michael D. Bopp, Tory Lauterbach, Amanda Neely, David Casazza, and Simon Moskovitz.


With this final rule, BIS seeks to tip the scales in favor of more frequent disclosures and introduces new factors to consider when assessing engagement with U.S. regulators.

In a final rule effective September 16, 2024, the Department of Commerce’s Bureau of Industry and Security (“BIS”) updated its process for handling voluntary self-disclosures from industry and expanded its discretion to impose higher monetary penalties for violations of export control laws.  Whether to submit a voluntary self-disclosure remains a fact-dependent decision and requires careful weighing of factual, legal, practical and policy considerations.

Background

Corporate violations of U.S. sanctions, export control laws, and foreign direct investment determinations are a key enforcement priority for BIS, the Department of Justice, the Department of the Treasury, and the Committee on Foreign Investment in the United States (“CFIUS”), with each taking an increasingly aggressive enforcement posture through new guidance, compliance expectations, and record-setting penalties in recent years.

On September 12, 2024, BIS announced the publication of a final rule updating its policies regarding voluntary self-disclosures (“VSD”) and the BIS Penalty Guidelines, found at Supplement No. 1 to Part 766 of the Export Administration Regulations (“EAR”).  The rule finalizes a series of policy changes by the Office of Export Enforcement (“OEE”) that were first articulated in memoranda publicly issued by BIS beginning in 2022 and that seek to strengthen BIS’s administrative enforcement program and encourage voluntary disclosures of apparent export control violations.[1]

As we summarized in our 2023 Year-End Sanctions and Export Control Update, these changes aim to:

  1. streamline self-disclosure of minor or technical violations, facilitate corrective action that might otherwise be prohibited, and prioritize enforcement actions against “significant” violations by establishing a dual-track process for VSD submission and processing;
  2. incentivize VSDs by treating failure to disclose significant apparent violations as an aggravating factor;
  3. enhance OEE’s discretion in assessing penalties when warranted;
  4. incentivize compliance-minded firms to report violations committed by other firms or competitors; and
  5. coordinate enforcement efforts through the appointment of a new Chief of Corporate Enforcement position.

The final rule, outlined in greater detail below, highlights BIS’s continued commitment to streamlining the VSD program to facilitate faster resolutions of non-egregious apparent violations and at the same time highlights BIS’s desire to focus its resources on significant infractions, including by expanding its discretion to impose higher civil monetary penalties.

1. Dual-Track VSD Processing, Streamlined Submission of Minor or Technical Violations, and Corrective Action Provisions

a. Dual-Track VSD Processing

Minor or Technical Violations Track

Section 764.5 of the EAR previously set forth a single track for handling VSDs, regardless of the severity of the violation at issue.  The final rule adds a new paragraph regarding disclosure of minor or technical violations, defined as any violation that does not include aggravating factors.

These revisions permit firms to disclose minor or technical violations through a “fast-track” process that will be resolved in 60 days, either through a no-action letter or a warning letter.  For such apparent violations, firms may submit by email an abbreviated narrative report in lieu of the more burdensome narrative and documentation requirements previously set forth in Section 764.5.  For minor or technical violations, the rule also removes the recommendation that firms conduct a five-year lookback, unless OEE suspects that aggravating factors are present.  Firms may also “bundle” multiple minor or technical apparent violations into a single submission, if such apparent violations occurred within the prior quarter.

OEE offered several examples of “minor or technical” violations, including immaterial Electronic Export Information filing errors and the incorrect use of one license exception where another license exception was available.

“Significant” Violations Track

For VSDs that concern a “significant violation,” firms should follow the prior procedures, including submission of a full narrative report.

The rule notes that parties unsure whether a disclosure involves a minor or technical violation or a significant violation are advised to follow the procedures for disclosing a significant violation.

Following disclosure of a “significant” apparent violation, OEE will conduct an investigation and may, depending on the facts and circumstances of the case, issue a warning letter or initiate an administrative enforcement proceeding.  OEE may also refer the matter to DOJ for criminal prosecution.

b. Treatment of Unlawfully Exported Items

The final rule revises the EAR with regard to the treatment of unlawfully exported items.  Consistent with a 2024 policy memorandum, the final rule clarifies that OEE authorizes any person, not just a party submitting a VSD, to request permission to engage in corrective activities otherwise prohibited by Section 764.2(e) (often referred to as a “General Prohibition 10 Waiver”).  The rule also authorizes firms to seek the return of any unlawfully exported item to the United States following notification to OEE and removes the need for firms to receive authorization from OEE for such return-related activities.  Further, items that have been returned to the United States do not require additional authorization from OEE, provided that those future activities comply with any applicable EAR requirements.  This change is likely due in part to the increase in General Prohibition 10 Waiver requests related to items exported, reexported, or transferred (in-country) to Russia and Belarus (including aircraft) following the imposition of strict export controls on these destinations.

Any re-export from abroad or transfer outside of the United States of an item that has been the subject of a self-disclosure would require a license from BIS.

2. Nondisclosure as Aggravating Factor

Assistant Secretary Axelrod previously explained in a January 2024 speech at NYU Law School, “when someone affirmatively chooses not to file a VSD, [BIS] want[s] them to know that they risk incurring concrete costs.”

Consistent with that statement and previous policy memoranda, the final rule confirms that BIS will consider a deliberate decision by a firm not to disclose a significant apparent violation to be an aggravating factor when determining what administrative penalty, if any, should be applied.

A “deliberate decision” occurs when a firm uncovers a significant apparent violation but then chooses not to file a VSD.

The rule adds a new Aggravating Factor D to the BIS Penalty Guidelines for “[f]ailure to disclose a significant violation.”

3. Penalty Guidelines and Increased Discretion

The final rule enhances OEE’s discretion in calculating potential penalties for apparent violations in several significant ways.

First, the rule removes the base penalty caps for non-egregious cases and instead links penalties to transaction value and other circumstances.

As a result, for non-egregious VSD cases, the base penalty amount is no longer capped at a maximum of $125,000, but is instead capped at one-half of the transaction value.  For a non-egregious case that is not initiated by a VSD, the base penalty amount is no longer capped at $250,000, but is instead capped at the full transaction value.  The rule describes this change as permitting OEE to “impose penalties with sufficient deterrent effect in situations where transaction values are high.”

For egregious VSD cases, the base penalty amount is capped at one-half of the statutory maximum—which is $364,992 or twice the full transaction value, whichever is greater.  For an egregious case that is not initiated by a VSD, the base penalty amount is capped at the statutory maximum.

Second, the rule permits BIS to issue non-monetary resolutions for non-egregious conduct that has not resulted in serious national security harm yet nonetheless merits stronger response than a no-action or warning letter.  The final rule indicates that such resolutions are likely to “require remediation through the imposition of a suspended denial order with certain conditions, such as training and compliance requirements.”

Third, the final rule removes from the Penalty Guidelines all specific percentage ranges for potential penalty reduction based on mitigating factors.  As the rule explains, “[t]he inclusion of specific percentage ranges for some mitigating factors and not for other factors led parties to incorrect assumptions about the range of reduction to which they were entitled.”  With the revisions, “OEE is making clear that the civil monetary penalty will be adjusted (up or down) to reflect the applicable factors for administrative action set forth in the BIS Penalty Guidelines.”

Fourth, the final rule amends Aggravating Factor C, “Harm to Regulatory Program Objectives,” to include transactions that enable human rights abuses as a specific consideration when assessing the potential impact of an apparent violation on U.S. foreign policy objectives.

Fifth, the final rule amends General Factor E (previously D), for “Individual Characteristics,” by expanding the scope of past corporate criminal resolutions that OEE may consider when calibrating an enforcement response.  Previously, this factor only mentioned prior conviction of an export-related criminal violation.  As revised, it includes not only where a respondent has been convicted or entered a guilty plea, but also where a party has entered into any other type of resolution with the Department of Justice or other authorities, including a Deferred Prosecution Agreement or a Non-Prosecution Agreement.

4. Exceptional Cooperation for Third-Party Tips

As explained by Assistant Secretary Axelrod in his January 2024 speech, BIS seeks to ensure a “level playing field” for compliance-minded firms, recognizing that rule-following firms can suffer as firms that flout regulations book business.

The revised Penalty Guidelines now clarify that disclosure of conduct by others that leads to an enforcement action counts as “exceptional cooperation.”  BIS will provide cooperation credit for such tips in “a future enforcement action, even for unrelated conduct,” if such an action is ever brought. 

The decision to provide cooperation credit for tips as to suspected third-party violations is unusual and marks a significant departure from other VSD programs with uncertain implications for industry.

5. Chief of Corporate Enforcement

Mirroring action taken by the Department of Justice’s National Security Division (“NSD”) in 2023, BIS announced the appointment of Raj Parekh as the agency’s first Chief of Corporate Enforcement.  An accompanying press release to the final rule indicates that Mr. Parekh will “serve as the primary interface between BIS’s special agents, the Department of Commerce’s Office of Chief Counsel for Industry and Security, and the Department of Justice,” with the aim of “advance[ing] significant corporate investigations.”

Mr. Parekh joins BIS from the U.S. Attorney’s Office for the Eastern District of Virginia, where he served as Acting U.S. Attorney.  He previously worked at DOJ NSD, and the press release notes that this appointment “further reflect[s] BIS’s commitment to this effort.”

Conclusion

In his January speech, Assistant Secretary Axelrod touted the early successes of recent changes to BIS’s VSD program.  Specifically, BIS received nearly 80 percent more VSDs containing potentially serious violations in FY2023 than in FY2022, even as the overall number of VSDs remained relatively constant.  BIS also experienced a 33 percent uptick in third-party disclosures from industry.

The revised rule reflects BIS’s continued focus on corporate compliance with export controls and the increased centrality of economic statecraft to U.S. national security policy.  It also demonstrates that BIS seeks to focus its investigative resources on infractions most likely to damage U.S. national security interests, and its willingness to impose steeper penalties to incentivize compliance.  In April 2023, for instance, BIS announced the largest standalone penalty in the agency’s history—a $300 million civil penalty against affiliates of a technology company that allegedly sold hard disk drives to Huawei Technologies Co. Ltd.  BIS is not alone in this prioritization, with CFIUS announcing in August 2024 that it imposed the largest penalty in its history—$60 million—for the breach of a mitigation agreement that resulted in harm to U.S. national security equities, and the Treasury’s Office of Foreign Assets Control levying two of the largest civil penalties in its history last year, including a $968 million settlement, for violations of U.S. sanctions law.

In addition, over the last two years, officials at DOJ have sounded a drumbeat of announcements indicating that criminal enforcement of U.S. export control and sanctions law is one of their highest priorities, with the Department hiring 25 new NSD prosecutors to “investigate national security-related economic crimes” and the publication of an updated NSD Enforcement Policy that “strongly encourages companies to voluntarily self-disclose directly to NSD all potentially criminal … violations of the U.S. government’s export control and sanctions regimes.”

While a decision to submit a voluntary self-disclosure will be the result of considering many factors, BIS is seeking to raise the consequences of a decision not to submit a self-disclosure where aggravating factors are present. The factors highlighted in this new rule, as well as the heightened importance of international trade controls in the United States’ response to global challenges, should remain at the forefront when considering a voluntary self-disclosure of any apparent export control violations to BIS or other regulators.

[1] See Memorandum from Bureau of Indus. & Sec., Further Strengthening Our Administrative Enforcement Program (June 30, 2022), https://www.bis.gov/sites/default/files/files/Administrative%20Enforcement%20Memo.pdf; Memorandum from Bureau of Indus. & Sec., Clarifying Our Policy Regarding Voluntary Self-Disclosures and Disclosures Concerning Others (Apr. 18, 2023), https://www.bis.gov/sites/default/files/files/VSD%20Policy%20Memo%20%2804.18.2023%29.pdf; Memorandum from Bureau of Indus. & Sec., Further Enhancements to Our Voluntary Self-Disclosure Process (Jan. 16, 2024), https://www.bis.gov/sites/default/files/files/VSD%20MEMO.pdf.


The following Gibson Dunn lawyers prepared this update: Cody Poplin, Christopher Timura, David Burns, Adam M. Smith, Stephenie Gosnell Handler, Samantha Sewall, Chris Mullen, and Audi Syarief.

Gibson Dunn lawyers are monitoring the proposed changes to U.S. export control laws closely and are available to counsel clients regarding potential or ongoing transactions and other compliance or public policy concerns.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s International Trade practice group:

United States:
Ronald Kirk – Co-Chair, Dallas (+1 214.698.3295, [email protected])
Adam M. Smith – Co-Chair, Washington, D.C. (+1 202.887.3547, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202.887.3690, [email protected])
David P. Burns – Washington, D.C. (+1 202.887.3786, [email protected])
Nicola T. Hanna – Los Angeles (+1 213.229.7269, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202.955.8685, [email protected])
Samantha Sewall – Washington, D.C. (+1 202.887.3509, [email protected])
Michelle A. Weinbaum – Washington, D.C. (+1 202.955.8274, [email protected])
Mason Gauch – Houston (+1 346.718.6723, [email protected])
Chris R. Mullen – Washington, D.C. (+1 202.955.8250, [email protected])
Sarah L. Pongrace – New York (+1 212.351.3972, [email protected])
Anna Searcey – Washington, D.C. (+1 202.887.3655, [email protected])
Audi K. Syarief – Washington, D.C. (+1 202.955.8266, [email protected])
Scott R. Toussaint – Washington, D.C. (+1 202.887.3588, [email protected])
Claire Yi – New York (+1 212.351.2603, [email protected])
Shuo (Josh) Zhang – Washington, D.C. (+1 202.955.8270, [email protected])

Asia:
Kelly Austin – Hong Kong/Denver (+1 303.298.5980, [email protected])
David A. Wolber – Hong Kong (+852 2214 3764, [email protected])
Fang Xue – Beijing (+86 10 6502 8687, [email protected])
Qi Yue – Beijing (+86 10 6502 8534, [email protected])
Dharak Bhavsar – Hong Kong (+852 2214 3755, [email protected])
Felicia Chen – Hong Kong (+852 2214 3728, [email protected])
Arnold Pun – Hong Kong (+852 2214 3838, [email protected])

Europe:
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Patrick Doris – London (+44 207 071 4276, [email protected])
Michelle M. Kirschner – London (+44 20 7071 4212, [email protected])
Penny Madden KC – London (+44 20 7071 4226, [email protected])
Irene Polieri – London (+44 20 7071 4199, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Nikita Malevanny – Munich (+49 89 189 33 224, [email protected])
Melina Kronester – Munich (+49 89 189 33 225, [email protected])
Vanessa Ludwig – Frankfurt (+49 69 247 411 531, [email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

The new regulations control quantum computing, advanced semiconductor items, and additive manufacturing technologies.

On September 6, 2024, the Department of Commerce’s Bureau of Industry and Security (BIS) published new regulations to control certain advanced and emerging technologies, including quantum computing,  semiconductor manufacturing equipment, Gate All-Around Field-Effect Transistor (GAAFET) technology, and additive manufacturing.[1] The regulations—which were effective when issued but published as an interim final rule (IFR)—are noteworthy because they introduce tools to both build and recognize new ad hoc agreements with like-minded nations on export controls to regulate advanced and emerging technologies, an objective that has been more and more out of reach due to the inability to achieve consensus through the broader multilateral Wassenaar Arrangement (WA) process.  This IFR is a key example of BIS’s efforts to enhance international collaboration among U.S. allies and key suppliers of critical inputs for advanced and emerging technologies to implement consistent export controls.  Specifically, in the regulations, BIS creates a new License Exception Implemented Export Controls (IEC) to recognize and reward countries who impose similar export controls with easier access to the technology, software, and commodities that enable the development of emerging technologies.  BIS also continues a several-year experiment with modified deemed export controls.  The new deemed export control framework created by the regulations will help ensure that the United States retains and continues to attract the international talent now working with U.S. universities, research institutes, and companies in advanced and emerging technologies and that BIS’s new export controls will not disrupt the work of non-U.S. collaborators with individual license requirements for foreign nationals on their teams.  
The regulations became effective on September 6, 2024; however, parties transferring certain quantum technologies to Wassenaar participating states are not required to comply with corresponding license requirements until November 5, 2024.

I. Major features of the Interim Final Rule

BIS’s first step toward reaching a new agreement among like-minded countries on the regulation of advanced and emerging technologies represents a departure from BIS’s typical process of achieving consensus through iterative working group and plenary meetings of the WA.  The WA is a voluntary agreement among participating states (today 42 states participate) to control the export of conventional arms and certain dual-use goods to contribute to regional and international security.  Although certain states such as Israel, the People’s Republic of China, and Singapore do not participate in WA, the influence of the WA control lists extends beyond the current membership of the WA because many non-participating countries opt to adopt most or all of the same control parameters and exclusions into their own national controls.  The specific items that are described on the WA control lists change from year to year through the adoption of amendments to the control lists at annual plenary meetings.  However, the ability of the United States and many like-minded countries to reach consensus on the adoption of new controls on several advanced and emerging technologies has been stymied in recent years by the refusal of the Russian Federation, among others, to support the imposition of new controls.

In its new regulations, BIS seeks to encourage the development of new plurilateral controls outside the WA and without the Russian Federation’s support.  Since the export control reform efforts of the 2010s, the United States and many observers have described the goal of U.S. export controls as building higher fences around smaller yards.  The new framework is designed to enable the United States to coordinate faster fence building in other countries’ yards where critical advances in emerging technologies are also occurring.  In the IFR, BIS achieves this aim by imposing new permutations of world-wide licensing requirements on the export, reexport, and in-country transfer (collectively, “export”) of specified items and by creating a new license exception—License Exception IEC—which authorizes exports to and among countries who implement similar export control licensing requirements on these technologies.

  1. Adds new, and revises existing, Export Control Classification Numbers (ECCNs) to identify controls on emerging advanced quantum computing, semiconductor manufacturing, GAAFET technology, and additive manufacturing technologies

BIS imposes its new, worldwide licensing requirements on the targeted technologies through amendments to the Export Administration Regulations’ (EAR’s) Commerce Control List (CCL),[2] which now includes additional ECCN entries for certain commodities, software, and technology that enable the design, manufacture, and functionality of (1) quantum computers, (2) semiconductor devices and circuitry, (3) high-performance computing chips, and (4) additive manufacturing items that produce metal or metal alloy components.  Examples of listed items in the interim rule include quantum computers and related electronic assemblies and components; cryogenic cooling systems and components; complementary metal-oxide semiconductor (CMOS) integrated circuits; technology for the development or production of integrated circuits or devices using GAAFET structures; additive manufacturing equipment designed to produce metal or metal alloy components; and technology related to coating systems, among others.  The newly controlled commodities, software, and technology can be found at the following ECCNs: 2B910, 2D910, 2E903, 2E910, 3A901, 3A904, 3B903, 3B904, 3C907, 3C908, 3C909, 3D901, 3D907, 3E901, 3E905, 4A906, 4D906, and 4E906.  The IFR also revises the following nine ECCNs: 2E003, 3A001, 3B001, 3C001, 3D001, 3D002, 3E001, 4D001, and 4E001, which are ECCNs that have historically reflected WA controls, to include certain newly controlled items.

BIS also amends the EAR to enable the agency to more easily identify these and other emerging technologies that it plans to make subject to non-WA-based worldwide export control licensing requirements.  Specifically, these items will be assigned ECCNs with a third digit of “9” and a fourth digit from 0 to 7 (e.g., 3A901).

  2. BIS creates a new license exception and adopts new licensing policies that favor exports to like-minded and allied countries

While the new controls on emerging technologies are similar to BIS’s existing controls on other ECCNs controlled for national security and regional stability reasons, BIS will make available a more limited set of license exceptions and will apply different licensing review policies.  BIS amends the EAR to create a new License Exception IEC, which authorizes the export of specific technologies to countries that have agreed to adopt the same technical parameters and restrictions in their own export control regimes.  And for those countries who have not adopted similar controls, BIS will apply new license review policies that are keyed to the EAR’s country groups, reflective in part of a given state’s participation in different multilateral agreements and U.S. national security determinations and arms embargoes.[3]  Thus, when a proposed export involves items controlled by one of the new or modified ECCNs to a country that has not yet implemented similar controls, BIS will apply a presumption of approval for destinations specified in Country Groups A:1 (which includes all WA countries), A:5, and A:6, a presumption of denial for destinations specified in Country Groups D:1 (countries designated for U.S. national security reasons) and D:5 (countries subject to U.S. or UN arms embargoes), and a case-by-case review policy for destinations for the remaining balance of countries.

Alongside the creation of the new License Exception IEC, BIS makes a procedural change to more immediately reward countries that adopt parallel controls.  Specifically, BIS bypasses the need to publish every change related to IEC exception availability through Federal Register notices.  BIS does this by developing a mechanism to more quickly identify countries that have implemented the same controls through a cross-referenced list that will be available outside of the Federal Register publication.  This new License Exception IEC Eligible Items and Destinations list will be maintained by BIS, hosted by the National Archives and Records Administration, and made available by a BIS website hyperlink.  By maintaining the list outside of the Federal Register, BIS will be able to more quickly expand the applicability of License Exception IEC by ECCN and by country when a given country adopts sufficient controls.  Were BIS obligated to reflect each of these changes in Federal Register notices, collaborators in the United States and like-minded countries would possibly need to wait months, rather than weeks or days, after their governments reached agreement on new controls to take advantage of the new IEC authorization.

  3. BIS uses General Orders to grandfather and authorize exports of specific advanced technologies in recognition of a limited, global talent pool

Over the past two years, BIS has grappled with the challenge of ensuring its new controls on emerging technologies do not disrupt ongoing work involving foreign nationals in the United States or dissuade talented foreign nationals from seeking employment in the United States or in other countries whose companies collaborate with U.S. companies.  This disruption can occur when licensing controls are placed on the release of software and technology to non-U.S. persons.  These transfers to non-U.S. persons located in the United States are referred to as “deemed exports,” because the release of controlled technology and software to foreign persons is deemed to be an export to the person’s most recent country of citizenship or legal permanent residence.  Similarly, a deemed reexport occurs when software or technology is released to a foreign person of a country other than the foreign country of the entity authorized to receive the controlled technology (e.g., a Syrian national employed by a company in France).  Given the scarcity of individuals with expertise in many areas of emerging technology and that many specially trained foreign nationals come from jurisdictions that often trigger export control licensing requirements such as China, BIS’s new approach to foreign national licensing is critical to ensuring that the United States does not undermine ongoing work involving emerging technologies and that U.S. companies can continue to recruit the talent they need to advance such activities.

BIS’s experiment with foreign national licensing in the context of advanced technology exports started in October 2022, when BIS included an exclusion from the requirement to seek deemed export licenses for certain advanced semiconductor controls and other specified items, such as items related to advanced computing chips and computer technologies, controlled for new “regional stability” purposes.  In October 2023, BIS issued additional semiconductor controls and clarifications, which included updated ECCN item tables so as to “not undermine the deemed export and reexport exclusion.”[4]  BIS underscored in the same interim rule its interest in receiving comments from businesses on the impact of deemed export provisions, which BIS could use to better inform potential additional changes to deemed export licensing requirements.  Finally, in April 2024, BIS released its most recent round of clarifications concerning semiconductor controls and reiterated that such controls did not require licensing for the deemed export or reexport of items controlled for “national security” reasons.

The present IFR introduces a few new permutations of deemed export authorizations.  The first authorization grandfathers U.S. and non-U.S. entities who had hired foreign national contractors or employees to advance their work as of the effective date of BIS’s new controls (i.e., September 6, 2024), except for those working with certain GAAFET technology.[5]  BIS also opted to wholly exclude from deemed export and reexport requirements the release of certain advanced semiconductor technology and software and to partially exclude other semiconductor manufacturing and quantum technology and software for all foreign nationals except those from Group D:1 countries, which are subject to U.S. national security export licensing requirements, and D:5 countries, which are subject to U.S. or United Nations arms embargoes.[6]

To authorize Group D:1 and Group D:5 foreign nationals’ access to controlled software and technology, BIS issues more specific authorizations through general orders, which provide the required authorization subject to certain reporting requirements.  One general order authorizes Group D:1 and Group D:5 foreign nationals working as contractors or employees of entities and having access to the newly controlled GAAFET technology, provided that the individuals were supporting GAAFET technology projects as of September 6, 2024.[7]  BIS also created a parallel authorization for foreign nationals from the same jurisdictions supporting work with newly controlled quantum technologies, though without a restriction on when these foreign nationals were hired or assigned to supporting these projects.[8]  To take advantage of the general licenses, exporters are obligated to file annual reports with BIS (due for 2024 on November 4, 2024 and on February 1 for every year thereafter) that detail the GAAFET and quantum software and technology that the foreign nationals are using or to which they are otherwise receiving access in their work, as well as reports concerning the voluntary or involuntary termination of such employees.

Although the Federal Register notice does not offer a specific rationale for the new annual reporting requirements, BIS will be able to use the information gathered to help trace where the contractors and employees authorized to work with these advanced technologies go when their work terminates.  In accordance with newly added 15 C.F.R. §§ 743.7 and 743.8, entities must report the identity of the foreign personnel, the specific technology in question, when the person is terminated, and whether, upon termination, the person intends to go to a destination specified in Country Group D:1 or D:5.  The introduction of a regulatory requirement that will allow BIS to track the movement of foreign national employees who are advancing the leading edges of emerging technologies is unprecedented, but may serve as the model for similar authorizations that BIS will extend to foreign nationals working with other emerging technologies.

Use of the export, reexport, and deemed export and reexport licenses set forth in clauses (f)(1) and (f)(2) of General Order No. 6 (which license certain GAAFET exports, reexports, and deemed exports and reexports ongoing prior to September 6, 2024) is also conditioned on the specific application of the technology and software.  In particular, although these general licenses extend to companies located in Country Groups A:5 and A:6, they expressly exclude any companies that are working at the direction of companies headquartered or whose ultimate parent is located in a sensitive jurisdiction (Country Groups D:1 or D:5) to develop or produce certain controlled items.  Thus, for example, the authorization could not be used to support GAAFET or quantum development or production projects being directed by companies in China or other listed jurisdictions.

II. More fences around more yards, more quickly

The set of amendments that BIS implements through the IFR is among the more complex we have seen. The rule reflects the increasingly innovative tools BIS is employing to address the complicated issues that have arisen over the last two years in imposing controls on emerging technologies and advanced semiconductor, semiconductor manufacturing, and supercomputing technologies.  Moreover, BIS’s new License Exception IEC and novel use of grandfathering and general orders to mitigate the impact of new controls on the multinational teams collaborating to advance emerging technologies, among other rule features, constitute a playbook, and a new set of regulatory tools, for BIS to recruit like-minded countries to implement important controls outside of the consensus restraints associated with the WA.

Other countries are already adopting equivalent export controls concerning quantum computing and other technologies that will make them eligible for License Exception IEC.  For example, on September 7, 2024, a day after the IFR took effect, the Netherlands amended its Regulation on Advanced Production Equipment for Semiconductors to require chip manufacturing giant ASML to apply for a Netherlands export license—rather than a U.S. export license—in order to export its TWINSCAN NXT:1970i and 1980i DUV immersion lithography systems outside the European Union.  This amendment, which follows the Netherlands’ original restrictions targeting deep ultraviolet light machines (promulgated in September 2023), has the practical effect of building new walls around the flow of semiconductor manufacturing equipment to sensitive jurisdictions like China.  ASML noted in an official statement that it “believes this requirement will harmonize the approach for issuing export licenses.”

We expect other nations to similarly mirror the licensing requirements for IEC items and potential exclusions for quantum computing and other emerging technologies in the coming months.  In response to the U.S. controls, as well as any potential future controls imposed by like-minded states, companies in the quantum computing, semiconductor manufacturing, GAAFET technology, and additive manufacturing industries should re-evaluate their previous item classifications, update deemed export and reexport policies as needed, and ensure that any required reports are filed in a timely manner.  Companies operating in these industries should also evaluate the potential applicability of License Exception IEC—as well as related licensing policies—to their products.  Finally, companies in these industries may wish to consider revising or re-evaluating human resources policies in order to more effectively comply with the above-described controls and authorizations relating to foreign nationals’ access to controlled software and technology.

[1] See Commerce Control List Additions and Revisions; Implementation of Controls on Advanced Technologies Consistent With Controls Implemented by International Partners, 89 Fed. Reg. 72,926 (Sept. 6, 2024).

[2] See 15 C.F.R. Part 774, Supplement No. 1.

[3] See 15 C.F.R. Part 740, Supplement No. 1.

[4] Implementation of Additional Export Controls: Certain Advanced Computing Items; Supercomputer and Semiconductor End Use; Updates and Corrections, 88 Fed. Reg. 73,458, 73,485 (Oct. 25, 2023) (codified at 15 C.F.R. § 774, Supplement No. 1).

[5] Commerce Control List Additions and Revisions; Implementation of Controls on Advanced Technologies Consistent with Controls Implemented by International Partners, 89 Fed. Reg. 72,926, 72,929 (Sept. 6, 2024) (to be codified at 15 C.F.R. §§ 742.4(a)(5)(i) & 742.6(a)(10)(i)).

[6] Id. at 72,929.

[7] Id. at 72,936 (to be codified at 15 C.F.R. Part 736, Supplement No. 1, General Order No. 6, subsections (f)(1) and (f)(2)).

[8] Id. at 72,936 (to be codified at 15 C.F.R. Part 736, Supplement No. 1, General Order No. 6, subsection (f)(3)).


The following Gibson Dunn lawyers prepared this update: Nicole Martinez, Christopher Timura, Chris Mullen, Zach Kosbie, Stephenie Gosnell Handler, and Adam M. Smith.


*Nicole Martinez, an associate in the firm’s New York office, is not admitted in New York.


We are pleased to provide you with Gibson Dunn’s ESG update covering the following key developments during July and August 2024. Please click on the links below for further details.

I. GLOBAL

  1. The Network for Greening the Financial System (NGFS) publishes two complementary reports on nature-related risks

On July 2, 2024, NGFS published two reports. The first report is the final version of the Conceptual Framework for nature-related financial risks, which will provide policy guidance for central banks and financial supervisors. The NGFS published its initial version of this report in September 2023, but the final Conceptual Framework includes two cases to exemplify the application of the risk assessment framework to freshwater and forest ecosystems.

The second report outlines the key emerging trends related to nature-related litigation, including cases concerning biodiversity loss, ocean degradation and carbon sinks, and explores the potential relevance for central banks and the financial system. The two reports are complementary: the Conceptual Framework outlines the broad framework for nature-related risks, while the second report aims to raise awareness more specifically about nature-related litigation risks.

  1. The Taskforce on Nature-related Financial Disclosures (TNFD) and Glasgow Financial Alliance for Net Zero (GFANZ) to launch separate consultations on nature and transition plans

On July 4, 2024, the TNFD, a global organization established to provide companies with a framework to quantify and disclose nature-related financial risks and opportunities, announced a new consultation which will focus on what a nature transition plan should include and how it should be disclosed. It will ask organizations to “describe the effect nature-related dependencies, impacts, risks and opportunities” have had on the organization’s business strategy and financial planning. The TNFD plans to publish its final guidance in Q2 of 2025.

GFANZ’s consultation will focus on how nature could be further considered in its net-zero transition plan (NZTP) framework, which will cover how nature-related levers can support net-zero implementation. The GFANZ has 36 members from across the net-zero alliances working on this initiative and aims to publish voluntary supplemental guidance on nature in NZTP in Q1 of 2025.

  1. NGFS publishes information note “Improving Greenhouse Gas Emissions Data”

On July 16, 2024, the NGFS published an information note on improving greenhouse gas (GHG) emissions data. The NGFS focuses on GHG emissions data because it is one of the most significant data gaps and is a key factor in monitoring progress towards the transition to a low-carbon economy.

In its note, the NGFS expert network presents practical examples of how NGFS members use GHG emissions data, for example to classify bond issuers based on emission intensity. Such classification of bonds presents numerous practical challenges, such as discrepancies in the calculation of emissions metrics. NGFS’ guidance provides a set of collaborative measures and best practices that can tackle these challenges.

Among other items, the note states that financial institutions need to accelerate their collection of data on financed emissions. It also suggests that central banks, supervisors and regulators could provide information through their websites to increase supervised entities’ awareness of the importance of sustainability indicators.

  1. NGFS publishes their 2023 Annual Report

On July 25, 2024, the NGFS published its Annual Report for the year 2023. In this Annual Report, NGFS announced a growth in membership numbers with 13 new members and two new observers. Among the main issues that the NGFS focused on in 2023 were the potential use of transition plans from a micro prudential perspective and the enrichment of its long-term climate scenarios to prepare a theoretical note which would help develop a first set of short-term climate scenarios to help the financial system assess the economic impact of climate-related risks. The NGFS also held a number of knowledge and best practices sharing workshops, including on climate-related disclosures for central banks. 2023 was also a prolific year for publications, as the NGFS launched work on nature-related risks and a report on blended climate finance on ways to deploy private capital for climate mitigation and adaptation.

  1. Science Based Targets initiative (SBTi) publishes papers as part of its consultation on the SBTi Corporate Net-Zero Standard

On July 30, 2024, the SBTi published four technical papers as an early step in the process of reviewing the SBTi Corporate Net-Zero Standard. The publications focus on reviewing the approach to scope 3 emissions which on average account for 75% of a company’s emissions.

The scope 3 discussion paper outlines the SBTi’s initial considerations for refining scope 3 emissions targets, which includes encouraging companies to focus on reducing critical emission sources instead of relying on carbon credits. The paper outlines scenarios where carbon credits from outside the value chain may support evidence of corporate decarbonization or offset residual emissions, but stresses that credits should not replace direct value chain decarbonization.

  1. The International Accounting Standards Board (IASB) provides illustrative examples on reporting climate-related effects and other uncertainties in financial statements

On July 31, 2024, the IASB published a consultation document with eight different examples on how companies can apply the IFRS Accounting Standards when reporting on the effects of climate-related and other uncertainties in their financial statements. The examples aim to provide guidance on how the requirements in the Standards should be applied to provide investors with better information about these sorts of risks. The illustrative examples come in response to requests from stakeholders concerned that the information they were reporting was insufficient or inconsistent with information provided outside the financial statements, particularly information reported in other general purpose financial reports. The examples focus on areas such as materiality judgments, disclosures about assumptions, credit risk, decommissioning and restoration provisions and disaggregated information. The IASB has opened a consultation process to invite stakeholders to provide feedback on the proposed examples. The deadline for submitting comment letters is November 28, 2024.

In case you missed it…

  1. Banks get International Capital Market Association (ICMA) and Loan Market Association (LMA) guidance on using bonds to fund sustainability-linked loan portfolios

On June 25, 2024, the ICMA and LMA jointly published new Guidelines for Sustainability-linked Loans Financing Bonds (SLLBs). The guidelines recommend transparency and disclosure for issues of SLLBs. For SLLBs to align with the guidelines, issuers must adhere to the four core components, which cover:

  1. the use of proceeds;
  2. the process for sustainability-linked loans evaluation and selection;
  3. the management of proceeds; and
  4. the reporting of information on portfolios.

Per the guidelines, issuers should also explain the alignment of their SLLBs in a framework document and ensure that external reviews are carried out and made publicly available.

II. UNITED KINGDOM

  1. The King’s Speech sets out 40 bill proposals from the new Labour government under which the party aim to boost industry growth and bring major changes to workers’ rights

On July 17, 2024, King Charles delivered the new UK Prime Minister’s legislative agenda in the King’s Speech at the state opening of parliament. Prime Minister Sir Keir Starmer has proposed 40 bills which he claims will commence “a decade of national renewal”. Amongst the bills outlined were several planning and transport proposals including the renationalization of Britain’s rail operators, greater power for local councils to develop their own bus services and the removal of potential obstacles to new housing developments in selected areas.

A notable proposal in the energy sector is the plan for a new state-run company, GB Energy, which will be set up to manage and operate Britain’s clean energy projects. The new Labour government also intends to improve worker rights by banning zero-hours contracts which they consider exploitative, ending “fire and rehire” practices as a means of employers unilaterally amending workers’ terms and conditions, making flexible working a day one right for all workers and improving access to parental leave and sick pay for new employees. The proposals would also remove previous Conservative legislation which placed restrictions on the ability of trade unions to take strike action, a change which has been welcomed by unions.

  1. The new Labour government sets a record budget for this year’s renewable energy auction

On July 31, 2024, the UK’s Energy Secretary announced a £1.5 million budget for this year’s renewable energy auction, an increase of £500 million from last year’s budget. Each year the UK government holds an auction to encourage companies to bid for green energy projects to supply the UK national grid with electricity, for which they will receive from the government a guaranteed price for the electricity generated. Last year, there were no bids for offshore wind power projects as they were considered unviable due to their low price. In response, the former Conservative government significantly increased the guaranteed price for such projects last year. The new Labour government aims to quadruple Britain’s offshore wind power by 2030, and therefore the majority of this year’s budget will be directed towards such projects.

  1. Financial Conduct Authority (FCA) publishes downloadable labels for distributors subject to Sustainability Disclosure Requirements and investment labeling regime

On July 31, 2024, firms subject to the FCA’s labeling scheme were allowed to begin using the fund labels, which aim to tackle greenwashing. Firms are required to notify the FCA when using an investment label and have until December 2, 2024 to ensure the labeling of their funds is compliant.

The labeling scheme includes four labels for sustainable funds:

  1. Sustainability Improvers: funds that invest in assets that may not currently be sustainable but aim to improve their sustainability profile over time;
  2. Sustainability Impact: funds that invest in assets with clearly “pre-defined, positive, measurable impact in relation to an environmental and/or social impact”;
  3. Sustainability Focus: funds that invest in other sustainable assets; and
  4. Sustainability Mixed Goals: funds that invest in a combination of assets from the above three categories.

To comply with the FCA labeling rules, asset managers need to demonstrate that at least 70% of the fund’s assets support the label of choice.

  1. New bill proposed to regulate ESG rating agencies

On August 8, 2024, the UK’s Chancellor of the Exchequer announced a bill proposed by the new Labour government to regulate ESG rating agencies. ESG rating agencies are unregulated, electing to follow a voluntary code of conduct instead. This bill aims to enhance transparency and accountability in the ESG space and alleviate current concerns about the lack of consistency amongst ESG ratings provided by different agencies. ESG ratings play a key role in the direction of sustainability investments and the current inconsistency has led to investor confusion. It is envisaged that this new legislation will make it easier for investors to make informed decisions, as well as mirroring similar regulatory measures being taken in the EU.

  1. Royal Institute of Chartered Surveyors (RICS) issues new guides on Whole Life Carbon Assessment (WLCA) for the built environment

The RICS 2nd edition was published in September 2023 and is effective from July 1, 2024. RICS members now need to follow the 2nd edition standard’s requirements when completing a WLCA.

The transition from the 1st to the 2nd edition of the RICS WLCA marks a move towards a more comprehensive and integrated approach to carbon measurement in the built environment. The RICS’ guides support the new ‘Whole life carbon assessment, RICS – 2nd Edition’ tool, which was created to meet the requirements of the RICS 2nd edition. The tool will enable measurement of whole-life carbon emissions, manage carbon budgets, reduce life cycle emissions and deliver a net-zero future for the built environment.

The tool can be applied to any type of construction or built asset in the UK involving (i) new constructions or new-build assets; (ii) demolition of existing and construction of new assets; (iii) retrofit or refurbishment of existing assets; and (iv) fit-out of built assets. However, it cannot be used for infrastructure assets or civil engineering works.

  1. Oceana UK files legal challenge, calling recent oil & gas license “unlawful”

Oceana UK has filed a case at the High Court challenging fossil fuel exploration licenses in UK waters. In the claim, Oceana alleges that the previous UK government’s decision to issue 31 new oil and gas licenses in May 2024 was unlawful because it failed to consider the extreme impact of oil spills on marine life, as well as on several other grounds. Oceana and other members of the Ocean Alliance Against Offshore Drilling have now written to Ed Miliband, the Secretary of State for Energy Security and Net Zero in the new Labour government, urging the new government to concede the case and signal a commitment to, and clear departure from, reliance on fossil fuels.

III. EUROPE

  1. European Parliament publishes study on the current implementation of the Sustainability-related Financial Disclosures Regulation (SFDR)

On July 3, 2024, the European Parliament published a study on the SFDR. The study was provided by the Policy Department for Economic, Scientific and Quality of Life Policies at the request of the Committee on Economic and Monetary Affairs.

The SFDR is the centerpiece of the sustainable finance strategy for funds and other financial products. However, its provisions are too complex and don’t interact effectively with provisions shaping corporate reporting, indexes, or client preferences. The study states that a revised SFDR should aim to include more recognizable product labels or categories which will: enable transition investments; smoothly interact with corporate reporting; and expand the scope of disclosure obligations.

  1. The European Securities and Markets Authority (ESMA) issues Public Statement on the European Sustainability Reporting Standards (ESRS)

On July 5, 2024, ESMA published a statement on the ESRS in addition to its final report on the guidelines on enforcement of sustainability information. The public statement on the first application of the ESRS acknowledges the significant changes for the sustainability reporting practices due to the new EU requirements.

Both the statement and the report underline the areas of focus for in-scope companies preparing to issue their first sustainability statements due to be published in 2025 in accordance with the Corporate Sustainability Reporting Directive (CSRD). Significant points include the establishment of governance arrangements and internal controls, designing and conducting materiality assessments, and creating connectivity between financial and sustainability information.

  1. Corporate Sustainability Due Diligence Directive (CSDDD) published in Official Journal

On July 5, 2024, the Official Journal of the European Union published the CSDDD, following its adoption by the European Parliament and the Council of the EU earlier this year. The CSDDD introduces a due diligence duty on large EU companies and non-EU companies with significant EU activity to address adverse human rights and environmental impacts in their own operations, their subsidiaries and their supply chains.

EU member states must transpose the CSDDD rules into national measures by July 26, 2026.

From July 26, 2027, the CSDDD measures will become applicable in stages, based on whether the company is based in the EU, its number of employees and turnover.

Companies can start to prepare by:

  1. conducting risk assessments to identify actual and potential adverse impacts within their own operations, subsidiaries and value chains;
  2. adopting measures to prevent or, where this is not possible, minimize the identified adverse impacts; and
  3. preparing suitable and fair contractual assurances to be included in direct and indirect business partner agreements.

  1. New monitoring rules agreed for the EU Emissions Trading System (ETS)

On August 29, 2024, EU Member States represented in the Climate Change Committee endorsed an amendment to the Monitoring and Reporting Regulation proposed by the Commission.

The revisions agreed introduce zero-rating of emissions from the combustion of renewable fuels of non-biological origin, recycled carbon fuels and synthetic low carbon fuels in the EU ETS, subject to compliance with the criteria set out in the Renewable Energy Directive, ensuring that such emissions are properly accounted for.

The changes to the rules also include zero-rating of biomass fuels concerning the use of a recently established EU-wide database; detailed monitoring and reporting requirements for alternative aviation fuels; harmonization of small emitter thresholds; and monitoring and reporting requirements for non-CO2 aviation effects per flight.

  1. The Association for Financial Markets in Europe (AFME) calls for UK’s green alignment with EU on its partnerships with the financial sector to deliver green growth

In its new paper, published last month, the AFME welcomed the UK’s new Labour government’s plans to make the UK a leading center for green finance while simultaneously encouraging the government to recognize that, in order to create opportunities for finance and investment to support green growth, conditions need to be in place to enable the real economy to transition. The AFME recommended that the government prioritize: (i) progression of UK Sustainability Reporting Standards which are aligned with the standards developed by the International Sustainability Standards Board; (ii) consulting on the adoption of transition plan disclosures for listed and unlisted companies; and (iii) following up on the recommendations of the Transition Finance Market Review to facilitate transition finance.

Further AFME recommendations include: (i) scaling up the role of blended finance; (ii) linkage of the UK ETS with the EU ETS; and (iii) before moving forward with delivering a UK Green Taxonomy, wide engagement with companies and financial institutions to ensure that there is a clear use case for one.

  1. The European Securities and Markets Authority (ESMA) publishes Guidelines on funds’ names using ESG or sustainability-related terms

On August 21, 2024, ESMA, the EU’s financial markets regulator and supervisor, published the translations in all official EU languages of its Guidelines on funds’ names using ESG or sustainability-related terms. The Guidelines are aimed at ensuring that investors are protected against unsubstantiated or exaggerated sustainability claims in fund names, and at providing asset managers with clear and measurable criteria to assess their ability to use ESG or sustainability-related terms in fund names. The Guidelines will start to apply on November 21, 2024. Funds created on or after such date will be immediately subject to the Guidelines, while existing funds will be entitled to a six-month transitional period. By October 21, 2024, national competent authorities must notify ESMA whether they: (i) comply; (ii) do not comply, but intend to comply; or (iii) do not comply and do not intend to comply with the Guidelines.

IV. NORTH AMERICA

  1. U.S. Attorneys General seek answers from asset managers regarding support for environmental shareholder proposals

On August 29, a group of 24 attorneys general sent letters targeting the “twenty-five large asset managers . . . who”—between 2020 and 2023—had “voted 75% or more of the time” in support of proposals that Institutional Shareholder Services (ISS) had recommended votes “for” and which Ceres had flagged in its climate-related proposals database. The letter raises concerns that these asset managers had failed in their fiduciary duties by outsourcing their voting responsibilities to ISS or others.

  1. Large asset managers report declining support for environmental and social shareholder proposals during 2024 proxy season

On August 29, Vanguard released its 2024 U.S. Regional Brief disclosing its investment stewardship activities for the past proxy season. Vanguard-advised funds supported none of the 400 environmental and social shareholder proposals considered at U.S. portfolio companies’ meetings. The lack of support was attributed to Vanguard determining that “the proposals did not address financially material risks to shareholders,” “were overly prescriptive in their requests,” or repeated “previously filed proposals that companies [had] taken action to address.” Vanguard also noted that in some cases, it did not find a governance practice or disclosure gap that the proposal would address.

On August 14, BlackRock released its 2024 Investment Stewardship Voting Spotlight regarding its proxy voting and engagement activities in the most recent proxy season. BlackRock supported only 20 of the 493 global environmental and social proposals it voted on during the 2024 proxy season, as a “majority of [such] proposals . . . were overreaching, lacked economic merit, or sought outcomes that were unlikely to promote long-term shareholder value.” BlackRock also noted that some proposals concerned risks that companies had already addressed.  The month before, BlackRock released new Climate and Decarbonization Stewardship Guidelines describing its approach to voting “on behalf of funds with explicit decarbonization or climate-related investment objectives.”

For more information on trends from the 2024 proxy season, including shareholder proposals, see our recent client alert.

  1. Indiana sends BlackRock cease and desist order

On August 23, the office of the Secretary of State, Securities Division of Indiana issued a cease and desist order naming several BlackRock entities as engaged in alleged securities fraud in violation of Indiana law. In particular, the order alleges BlackRock made “various untrue statements of material fact” regarding its use and implementation of ESG standards. BlackRock had previously been placed on a watch list by the state’s Treasurer following the enactment of a law prohibiting the state’s public retirement system from investing assets with firms that use ESG principles in investment decisions.

  1. Interfaith Center on Corporate Responsibility (ICCR) asks Business Roundtable for information on its opposition to the SEC’s climate rules

On August 22, 2024, ICCR announced it had sent a letter to the Business Roundtable (BRT) regarding the amicus brief it filed in June 2024 opposing the SEC’s climate rules. In particular, ICCR noted that the BRT’s position in the brief did “not appear to be aligned with the positions and values of many BRT members” and sought more information about the “governance process” that led to the brief’s submission.

  1. Missouri Court strikes down anti-ESG investment rules

On August 14, 2024, a federal district court in Missouri granted summary judgment and a permanent injunction in favor of the Securities Industry and Financial Markets Association (SIFMA) in its challenge to certain state anti-ESG investment rules. The rules had required securities professionals and firms to collect signed consent forms from investors in the state before including social or nonfinancial objectives in investment advice or securities recommendations. The court held the rules were preempted by federal law and violated the First and Fourteenth Amendments.

  1. Additional briefing submitted in U.S. Securities and Exchange Commission (SEC) climate rules litigation

On August 6, the SEC filed its consolidated response brief in the multi-district litigation challenging the climate-related disclosure rules adopted last Spring (and summarized here). The SEC asserted it had sufficient Congressional authority to adopt the rules; that it complied with the requirements of the Administrative Procedure Act when proposing and adopting the rules; and that the rules are consistent with the First Amendment of the U.S. Constitution. Filings by amici both in support and in opposition to the climate rules were subsequently filed on August 19, 2024. Oral argument has not yet been scheduled.

  1. California State Teachers’ Retirement System (CalSTRS) reports climate-related expectations for portfolio companies and 2024 climate-related voting

On August 1, CalSTRS reported that during the 2024 proxy season, it had focused on climate risk disclosure and voted against the boards of directors at more than 2,250 companies. The press release also summarized the pension fund’s expectation that portfolio companies:

  1. publish sustainability-related disclosure aligned with the International Financial Reporting Standards;
  2. disclose Scope 1 and Scope 2 greenhouse gas emissions; and
  3. for high-emitting companies, including those on the Climate Action 100+ list, set “appropriate targets to reduce GHG emissions.”

  1. ISS and Glass Lewis release 2024 policy surveys

On August 1, ISS Governance opened its annual benchmark policy survey, soliciting investor views on environmental and social topics such as Scope 3 GHG emission reduction target disclosure and the relevant factors to consider for climate- and workforce-diversity-related shareholder proposals. Responses were due by September 5, 2024.

Glass Lewis opened its 2024 policy survey in July. ESG-related questions focused on whether companies should consider transitioning to a B Corporation; if it is appropriate for an entity’s financial auditor to also be responsible for sustainability reporting assurance; what factors are relevant when voting on Say on Climate proposals or shareholder proposals more generally; whether the identity of a shareholder proposal proponent is relevant in voting decisions; whether information related to climate transition strategies and oversight would be helpful in proxy reports; and what factors would drive a vote against non-financial reporting by certain EU countries. Responses were due by August 30, 2024.

The results of these surveys are expected to inform future updates of ISS and Glass Lewis policies, research, and vote recommendations.

  1. ISS ESG announces new emission intensity solution

On July 31, ISS ESG announced its new industry average emission intensity data as an addition to its current climate solutions offering. The data focuses on supporting insurance companies and banks in their compliance with mandatory disclosures on climate matters.

  1. Republican lawmakers send letter to Climate Action 100+ signatories

On July 30, the chairmen of the House Judiciary Committee and the Subcommittee on the Administrative State, Regulatory Reform and Antitrust issued a press release regarding letters they sent to over 130 government pension programs, companies, and retirement systems seeking information as to “their involvement with the woke ESG cartel Climate Action 100+.”

  1. SEC issues Spring 2024 regulatory agenda

On July 8, the SEC released its Spring 2024 regulatory agenda. Compared to the Fall 2023 agenda, the SEC delayed proposed rules on human capital management from April 2024 to October 2025 and proposed rules on corporate board diversity from October 2024 to April 2025. The agenda also pushed back the timing for adoption of final rules seeking disclosure requirements from investment companies and advisers on ESG factors from April 2024 to October 2024. These timeframes are not hard deadlines for future SEC rulemaking, and the SEC retains flexibility to change this timing further in future agendas.

In case you missed it…

The Gibson Dunn Workplace DEI Task Force has published its updates for July and August summarizing the latest key developments, media coverage, case updates, and legislation related to diversity, equity, and inclusion.

V. APAC

  1. Climate Bonds Initiative (CBI) and the Institute for Global Environmental Strategies (IGES) develop a Transition Strategies Toolkit

On July 29, 2024, CBI and IGES collaboratively released the Transition Strategies Toolkit, a guidance tool based on scientific evidence to promote transition finance in Japanese industries. The toolkit provides guidance for Japanese companies to develop and implement credible, science-based transition plans and for investors to promote investments that support the transition to decarbonization. The Transition Strategy Toolkit builds on the Guidance for Assessing Transition Plans published by CBI in 2023 which outlined key features and frameworks for reliable transition planning. Based on this guidance, the Transition Strategy Toolkit is primarily intended to promote understanding of the basic characteristics and elements that Japanese companies should incorporate when developing transition plans in response to climate change.

  1. Australia’s opposition party calls for an end to the country’s nuclear energy ban

Australia’s opposition party has called for a change in the law to reverse the country’s 1998 ban on nuclear power and has instead pledged commitment to the construction of new nuclear plants. The current government is focused on the rapid phase-out of coal and scale-up of renewable energy sources, passing legislation which targets: a 43% cut in carbon emissions from 2005 levels by 2030; net zero emissions by 2050; and delivery of 82% of electricity from renewable sources by 2030. The government has described the opposition’s nuclear aspirations as too expensive, too slow to build and too risky. Energy policy is likely to remain a prominent issue in Australia in the lead up to next year’s election.

  1. China voices its opposition to the European Union Deforestation Regulation (EUDR)

The EUDR, which is set to take effect in December 2024 and is designed to limit deforestation, requires geolocational data for all forest products imported into the EU. China, a key supplier of forest products such as timber, paper and pulp, has recently voiced its opposition, citing security concerns with the sharing of such data. A potential withdrawal of China from compliance with the EUDR could materially disrupt global supply chains. This development follows resistance from the US, which is pushing for delayed implementation of the EUDR on the basis that it will impose “impossible standards” and act as a non-tariff trade barrier.

Please let us know if there are other topics that you would be interested in seeing covered in future editions of the monthly update.

Warmest regards,
Susy Bullock
Elizabeth Ising
Perlette M. Jura
Ronald Kirk
Michelle M. Kirschner
Michael K. Murphy
Selina S. Sagayam

Chairs, Environmental, Social and Governance Practice Group, Gibson Dunn & Crutcher LLP

For further information about any of the topics discussed herein, please contact the ESG Practice Group Chairs or contributors, or the Gibson Dunn attorney with whom you regularly work.


The following Gibson Dunn lawyers prepared this update: Lauren Assaf-Holmes, Natalie Lamb, Georgia Derbyshire, Magdalena Augé, Alex Eldredge*, Elizabeth Ising, Cynthia Mabry, Michelle Kirschner and Selina S. Sagayam.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Environmental, Social and Governance practice group:

Environmental, Social and Governance (ESG):

Susy Bullock – London (+44 20 7071 4283)
Elizabeth Ising – Washington, D.C. (+1 202.955.8287)
Perlette M. Jura – Los Angeles (+1 213.229.7121)
Ronald Kirk – Dallas (+1 214.698.3295)
Michelle Kirschner – London (+44 20 7071 4212)
Michael K. Murphy – Washington, D.C. (+1 202.955.8238)
Selina S. Sagayam – London (+44 20 7071 4263)

*Alex Eldredge, a trainee solicitor in the London office, is not admitted to practice law.


This edition of Gibson Dunn’s Federal Circuit Update for August 2024 summarizes the current status of petitions pending before the Supreme Court and recent Federal Circuit decisions concerning obviousness-type double patenting, Article III standing, and attorneys’ fees under Section 285.

Federal Circuit News

Noteworthy Petitions for a Writ of Certiorari:
There were no new potentially impactful petitions filed before the Supreme Court in August 2024. We provide an update below of the petitions pending before the Supreme Court that were summarized in our July 2024 update:

  • In United Therapeutics Corp. v. Liquidia Technologies, Inc. (US No. 23-1298), after the respondent waived its right to respond, a response was requested by the Court. The response brief was filed on August 27, 2024, and the reply brief was filed on September 10, 2024.
  • In Chestek PLLC v. Vidal (US No. 23-1217), the response brief was filed on August 14, 2024, and the reply brief was filed on August 29, 2024. Five amicus curiae briefs had been filed.
  • In Cellect LLC v. Vidal (US No. 23-1231), the response brief was filed on August 21, 2024, and the reply brief was filed on September 4, 2024. An additional amicus curiae brief was also filed on August 21, 2024. A total of eight amicus curiae briefs have now been filed.

All three petitions will be considered during the Court’s September 30, 2024 conference.

Other Federal Circuit News:

Release of Materials in Judicial Investigation. The Federal Circuit released additional materials in connection with the proceeding under the Judicial Conduct and Disability Act and the implementing Rules involving Judge Pauline Newman. The materials may be accessed here. In particular, the Judicial Council of the Federal Circuit has ordered that Judge Newman “not be permitted to hear or participate in any cases . . . for a period of one year beginning with the issuance of this Order.”

Notice of Proposed Amendments to Federal Circuit Rules of Practice. The Federal Circuit has published proposed amendments to the Federal Circuit Rules of Practice available here. Here is a summary of some of the proposed amendments:

  • Amending Rule 15 to extend the time to appeal from the Secretary of Veterans Affairs from 60 days to 6 years.
  • Amending Rule 30 to require parties to add information in the submitted appendices indicating how a document was designated at the reviewed tribunal (such as docket numbers).
  • Combining Rule 35 regarding en banc rehearing with Rule 40 regarding panel rehearing.

Public comments must be received on or before October 4, 2024.

Upcoming Oral Argument Calendar

The list of upcoming arguments at the Federal Circuit is available on the court’s website.

Key Case Summaries (August 2024)

Allergan USA, Inc. et al. v. MSN Laboratories Private Ltd. et al., No. 2024-1061 (Fed. Cir. Aug. 13, 2024): Allergan markets and sells eluxadoline tablets under the brand name Viberzi®. Allergan owns patents that cover the drug compound and composition. The first-filed application issued as the ’356 patent and had a total patent term adjustment (PTA) of 467 days. Continuing applications were filed claiming the same priority date as the ’356 patent, which issued as the ’011 and ’709 patents. The ’011 and ’709 patents did not receive any PTA, and each was therefore set to expire before the ’356 patent. Defendant argued based on In re Cellect, LLC, 81 F.4th 1216 (Fed. Cir. 2023), that the ’011 and ’709 patents were obviousness-type double patenting (ODP) references that rendered the ’356 patent invalid. The district court agreed.

The Federal Circuit (Lourie, J., joined by Dyk and Reyna, JJ.) reversed.  The Court held that a “first-filed, first-issued, later-expiring claim” cannot “be invalidated by a later-filed, later-issued, earlier-expiring reference claim having a common priority date.”  The Court explained that a contrary result would be “antithetical to the principles of ODP,” which is “to prevent patentees from obtaining a second patent on a patentably indistinct invention to effectively extend the life of a first patent to that subject matter.”

(Judge Dyk concurred on the ODP issue but dissented with respect to other issues addressed by the Court.)

A more detailed summary of this case may be found here.

Platinum Optics Technology Inc. v. Viavi Solutions Inc., No. 23-1227 (Fed. Cir. Aug. 16, 2024): Viavi sued Platinum Optics (PTOT) alleging infringement in two civil actions on a patent directed to optical filters including layers of hydrogenated silicon and sensor systems comprising such optical filters. PTOT then petitioned for inter partes review (IPR), and the Patent Trial and Appeal Board (Board) concluded that PTOT failed to prove that the challenged claims were unpatentable. PTOT challenges the Board’s decision in this appeal. However, before the Board issued its final written decision, Viavi’s patent infringement claims regarding the challenged patent were dismissed with prejudice in both district court cases.

The Federal Circuit (Cecchi, J. (district judge sitting by designation), joined by Moore, C.J., and Taranto, J.) dismissed the appeal for lack of standing. Although a party does not need Article III standing to appear before an agency, PTOT failed to show it had standing to seek judicial review of the agency’s final action in federal court. In particular, the Court concluded that PTOT could not show that it had suffered an injury in fact, because it had not established there were concrete plans for future activity that created a substantial risk of infringement. The Court determined that a Viavi letter that stated Viavi did “not believe” PTOT could fulfill its supply agreements without infringing was mere speculation and insufficient to show a substantial risk of future infringement. Moreover, this letter was sent prior to the start of the district court cases, and the relevant claims had been dismissed with prejudice. The Court also determined that PTOT’s declaration regarding the continued development of new bandpass filters failed to identify any concrete plans that would implicate the challenged patent.

Realtime Adaptive Streaming LLC v. Sling TV, LLC, No. 23-1035 (Fed. Cir. August 23, 2024): Realtime sued DISH and related Sling entities for infringing patents directed to digital data compression. Over the next six years, a series of events related to determinations of ineligibility or invalidity of the asserted patent and its related patents occurred in various forums, leading the district court to ultimately find the asserted claims of the asserted patent ineligible.  While that determination of ineligibility was on appeal, the district court granted DISH’s motion for attorneys’ fees, highlighting six events that it considered “red flags,” finding that “Realtime’s dogged pursuit of the case notwithstanding those danger signals render[ed] this an exceptional case.”

The Federal Circuit (Albright, J. (district judge sitting by designation), joined by Moore, C.J. and Lourie, J.) vacated and remanded.  The Court determined that, although the district court did not err in giving weight to the decisions from two different district courts in determining that certain claims of a related patent were ineligible (one of the “red flags”), the district court erred in giving weight to the other five red flags.  The Court determined that the district court erred in finding that the Adaptive Streaming decision from the Federal Circuit should have put Realtime on notice that its patent claims were meritless. The Court explained that Adaptive Streaming was about technology that was different from that claimed in the asserted patent.  The Court also determined that the district court failed to explain why the final written decisions from the Board invalidating certain claims of a related patent and non-final office actions rejecting claims of the asserted patents were relevant to its decision to award attorneys’ fees. The Court next explained that a notice letter DISH had sent to Realtime contained “no analysis sufficient to put the patentee on notice that its arguments regarding ineligibility are so meritless as to amount to an exceptional case.” “Simply being on notice of adverse case law and the possibility that opposing counsel would pursue 285 fees does not amount to clear notice” that the claims in question were invalid and therefore did not support a finding of exceptionality.  Finally, the Court held that the district court erred in finding that the opinions of DISH’s expert regarding noninfringing alternatives should have put Realtime on notice that its arguments “were so without merit as to amount to an exceptional case.”


The following Gibson Dunn lawyers assisted in preparing this update: Blaine Evanson, Kate Dominguez, Jaysen Chung, Audrey Yang, Vivian Lu, Julia Tabat, and Michelle Zhu.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups, or the following authors:

Blaine H. Evanson – Orange County (+1 949.451.3805)
Audrey Yang – Dallas (+1 214.698.3215)

Appellate and Constitutional Law:
Thomas H. Dupree Jr. – Washington, D.C. (+1 202.955.8547)
Allyson N. Ho – Dallas (+1 214.698.3233)
Julian W. Poon – Los Angeles (+ 213.229.7758)

Intellectual Property:
Kate Dominguez – New York (+1 212.351.2338)
Y. Ernest Hsin – San Francisco (+1 415.393.8224)
Josh Krevitt – New York (+1 212.351.4000)
Jane M. Love, Ph.D. – New York (+1 212.351.3922)


From the Derivatives Practice Group: This week, there were developments in the election event contracts case in the DC District Court and the DC Circuit Court, and the CFTC amended exemptions from certain compliance requirements for commodity pool operators, commodity trading advisors, and commodity pools, which had not been amended since 1992.

New Developments

  • DC Circuit Court Orders Temporary Stay Suspending Trading on Election Contracts. On September 12, the United States Court of Appeals for the District of Columbia Circuit (the “DC Circuit Court”) ordered a temporary stay suspending trading on election contracts offered by KalshiEx LLC (“KalshiEx”) “to give the court sufficient opportunity to consider the emergency motion for stay pending appeal.” Prior to the temporary stay from the DC Circuit Court, the United States District Court for the District of Columbia (the “DC District Court”) overturned an order blocking KalshiEx from allowing election contract trading on its platform and denied the CFTC’s request for a stay pending appeal. KalshiEx filed a response to the CFTC’s emergency motion on September 12 and the CFTC’s reply is due to the DC Circuit Court by 6:00 pm on September 14. [NEW]
  • CFTC Approves Final Rule Regarding Exemptions from Certain Compliance Requirements for Commodity Pool Operators, Commodity Trading Advisors, and Commodity Pools. On September 12, the CFTC published a final rule that amends CFTC Regulation 4.7, a provision that provides exemptions from certain compliance requirements for commodity pool operators (“CPOs”) regarding commodity pool offerings to qualified eligible persons (“QEPs”) and for commodity trading advisors (“CTAs”) regarding trading programs advising QEPs. The final rule amends various provisions of the regulation that have not been updated since the rule’s original adoption in 1992. Specifically, the final rule: (1) increases the monetary thresholds outlined in the “Portfolio Requirement” definition that certain persons may use to qualify as Qualified Eligible Persons; (2) codifies exemptive letters allowing CPOs of Funds of Funds operated under Regulation 4.7 to choose to distribute monthly account statements within 45 days of the month-end; (3) includes technical amendments designed to improve its efficiency and usefulness for intermediaries and their prospective and actual QEP pool participants and advisory clients, as well as the general public; and, (4) updates citations within 17 CFR Part 4, and throughout the CFTC’s rulebook, to reflect the new structure of Regulation 4.7. [NEW]
  • CFTC Staff Issues No-Action Letter Related to Reporting and Recordkeeping Requirements for Fully Collateralized Binary Options. On September 4, 2024, the CFTC announced the Division of Market Oversight (“DMO”) and the Division of Clearing and Risk have taken a no-action position regarding swap data reporting and recordkeeping regulations in response to a request from LedgerX LLC d/b/a MIAX Derivatives Exchange LLC (“MIAXdx”), a designated contract market and derivatives clearing organization. The Divisions will not recommend the CFTC initiate an enforcement action against MIAXdx or its participants for certain swap-related recordkeeping requirements and for failure to report data associated with fully collateralized binary option transactions executed on or subject to the rules of MIAXdx to swap data repositories. The no-action letter is comparable to no-action letters issued for other similarly situated designated contract markets and derivatives clearing organizations.
  • CFTC Grants Kalshi Klear LLC DCO Registration. On August 29, the CFTC announced it has issued Kalshi Klear LLC (“Kalshi”) an Order of Registration as a derivatives clearing organization (“DCO”) under the Commodity Exchange Act. Kalshi’s affiliate, KalshiEx LLC, is registered with the CFTC as a designated contract market.
  • CFTC Staff Extends Brexit-Related No-Action Positions. On August 29, the CFTC’s DMO and Market Participants Division (“MPD”) announced they are extending temporary no-action positions in connection with the withdrawal of the United Kingdom (“UK”) from the European Union (“EU”), known as Brexit. In addition, DMO is amending its no-action position to include two additional multilateral trading facilities (“MTFs”) authorized in the UK. The no-action position was also amended to remove an MTF and an organized trading facility because the facilities are no longer authorized in the UK.
  • CFTC Staff Issues No-Action Letter for EU-Based and UK-Based DCOs Regarding Certain Requirements Applicable to DCOs. On August 23, the CFTC’s Division of Clearing and Risk (“DCR”) issued a no-action letter to address the applicability of certain CFTC regulations to registered DCOs based in either the EU or the UK. This letter replaces CFTC Letter 16-26, which applied only to EU-based DCOs and was issued in 2016 as part of the CFTC’s response to the EU equivalence determination with regard to the CFTC’s regulatory framework for DCOs. DCR has updated CFTC Letter 16-26 to explicitly apply it to UK-based DCOs post-Brexit.

New Developments Outside the U.S.

  • ESAs Warn of Risks From Economic and Geopolitical Events. On September 10, the three European Supervisory Authorities (“ESAs”) issued their Autumn 2024 Joint Committee Report on risks and vulnerabilities in the EU financial system. In the report, the ESAs underlined ongoing high economic and geopolitical uncertainties, warned of the financial stability risks that they believe stem from these uncertainties and called for continued vigilance from all financial market participants. For the first time, the report also includes a cross-sectoral deep dive into credit risks in the financial sector. [NEW]
  • EC Publishes Draghi Report on the Future of European Competitiveness. On September 9, the European Commission (“EC”) published a report, Future of European Competitiveness, authored by former Italian prime minister and head of the European Central Bank Mario Draghi. The report, which was commissioned by EC president Ursula von der Leyen, outlines the EU’s new industrial strategy. Part A of the report outlines the overarching strategy, while Part B discusses sectoral and horizontal policies and related recommendations in more detail. The report covers topics that include energy derivatives, sustainable finance, EU supervision, Basel framework, and collateral. The EC president indicated that she will aim to form a cabinet, with related mission letters that she expects to cover certain aspects of the report as part of future EU policies. [NEW]
  • MAS Updates FAQs on OTC Derivatives Reporting Regulations. On September 4, the Monetary Authority of Singapore (“MAS”) further updated the Frequently Asked Questions (FAQs) on the Securities and Futures (Reporting of Derivatives Contracts) Regulations 2013. MAS indicated that the FAQs are to aid implementation of the reporting obligations and elaborate on its intentions for some of the requirements. The new Singapore reporting rules will take effect on October 21, 2024. [NEW]
  • Markets Increasingly Sensitive After Strong Performance in Early 2024. On August 29, ESMA published its second risk monitoring report of 2024, setting out the key risk drivers currently facing EU financial markets. The report stated that external events continue to have a strong impact on the evolution of financial markets, and ESMA also sees high or very high overall risks in the markets within its remit.

New Industry-Led Developments

  • ISDA Responds to Australia’s CFR on Bonds and Repo Clearing. On September 4, ISDA submitted a response to a consultation from Australia’s Council of Financial Regulators (“CFR”) on the central clearing of bonds and repos in Australia. In response to changes in the size and structure of the Australian bond and repo markets, the CFR sought feedback on the costs and benefits of introducing a central counterparty (“CCP”) in the Australian bond and repo markets. It also sought views on the circumstances under which a bond and repo CCP could be operated safely and efficiently by an overseas operator and what additional protections may be required in Australia. ISDA said that it welcomes the fact that the CFR is not considering the introduction of a clearing mandate. In its response, ISDA set out its opinion on the costs and benefits of voluntary central clearing for the Australian bond and repo markets. ISDA also commented on participation and other factors to consider for a bond and repo clearing offering to be viable. On location, the response states it is not uncommon for an overseas operator to provide clearing services related to non-domestic markets and ISDA indicated that it does not see any increased risk for an overseas operator to provide clearing services for the Australian bond and repo markets, as long as the overseas CCP is appropriately supervised and risk-managed. [NEW]
  • ISDA Suggested Operational Practice “P43 Reporting of Post-Trade Events: Trades with no prior P43 Reporting.” On September 5, ISDA republished a Suggested Operational Practice (“SOP”) from July 2024 on approaches (e.g., for partial or full unwinds, partial or full novation, or partial or full exercises) under the CFTC amendments for allocated trades. The SOP recommends reporting the first Part 43 reportable post-trade event on an allocated trade with Action type “NEWT” and Event type “TRAD.”
  • ISDA and IIF Respond to BCBS Consultation on CCR Management. On August 28, ISDA and the Institute of International Finance (“IIF”) submitted a joint response to the Basel Committee on Banking Supervision’s (“BCBS”) consultation on guidelines for counterparty credit risk (“CCR”) management. The new guidelines represent an update to the Sound Practices for Banks’ Interactions with Highly Leveraged Institutions, published in January 1999, to incorporate recent lessons and best practices. In the response, the associations stress the guidelines should be risk-based and proportional, considering a diverse universe of counterparties and financial markets across the world. The associations stated that they believe a common understanding and coordination between central banks, supervisors and banks can enhance the effectiveness of CCR practices.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632)
Michael D. Bopp, Washington, D.C. (202.955.8256)
Michelle M. Kirschner, London (+44 (0)20 7071.4212)
Darius Mehraban, New York (212.351.2428)
Jason J. Cabral, New York (212.351.6267)
Adam Lapidus, New York (212.351.3869)
Stephanie L. Brooker, Washington, D.C. (202.887.3502)
William R. Hallatt, Hong Kong (+852 2214 3836)
David P. Burns, Washington, D.C. (202.887.3786)
Marc Aaron Takagaki, New York (212.351.4028)
Hayden K. McGovern, Dallas (214.698.3142)
Karin Thrasher, Washington, D.C. (202.887.3712)


Gibson Dunn’s Workplace DEI Task Force aims to help our clients develop creative, practical, and lawful approaches to accomplish their DEI objectives following the Supreme Court’s decision in SFFA v. Harvard. Prior issues of our DEI Task Force Update can be found in our DEI Resource Center. Should you have questions about developments in this space or about your own DEI programs, please do not hesitate to reach out to any member of our DEI Task Force or the authors of this Update (listed below).

Key Developments:

On August 29, 2024, America First Legal Foundation (AFL), the conservative organization founded and run by former Trump policy advisor Stephen Miller, sent a letter to Jeremy Gosch, CEO of Hy-Vee, Inc., demanding that the supermarket chain terminate its “Hy-Vee OpportUNITY Inclusive Business Summit’s Pitch Competition,” through which Hy-Vee pledged to give $50,000 to local minority and women-owned businesses in Iowa and the surrounding states. The competition is open to businesses with “at least 51% ownership, operation and control by the [] diversity classifications defined by the Small Business Administration[, including] minority, women, and/or other disadvantaged populations.” AFL alleges that the program unlawfully limits eligibility by race and gender and precludes “white and/or male” individuals from participating, in violation of 42 U.S.C. § 1981.

On September 3, 2024, AFL announced that it had filed a federal civil rights complaint with the EEOC against Williams-Sonoma, Inc., alleging that the company sets diversity goals for hiring and promotion based on race and sex, in violation of Title VII. AFL also sent a letter to Williams-Sonoma’s board of directors demanding that the company end its allegedly discriminatory practices. The complaint references the company’s 2024 Annual Report, which states that its Equity Action Plan has led to approximately 68.1% of the workforce identifying as female and about 41.1% identifying as a member of an ethnic minority group. AFL contends that the Equity Action Plan illegally tracks and sets goals for diversity among employees and board members. The complaint also criticizes statements on the company’s website, including a goal to “consciously increase Black representation among our vendors, partners, and collaborators.” Williams-Sonoma has yet to respond to AFL’s complaint.

Several elite colleges and universities in the United States have reported a decline in enrollment of minority students following the Supreme Court’s SFFA decision striking down affirmative action in college admissions. Harvard University, Amherst College, Tufts University, and the Massachusetts Institute of Technology (MIT) all reported a decrease in the percentage of Black students enrolled. At MIT, for example, the percentage of incoming Black students dropped from 15% to 5%. In addition, the percentage of Latino students decreased from 16% to 11%, while the percentages of white and Asian American students increased.

Media Coverage and Commentary:

Below is a selection of recent media coverage and commentary on these issues:

  • Washington Post, “Fearless Fund settles with DEI foes, ends grant program for Black women” (September 11): The Washington Post’s Julian Mark and Taylor Telford report on the settlement between Fearless Fund, a venture capital firm started by Black women to invest in businesses owned by women of color (represented by Gibson Dunn, among others), and the American Alliance for Equal Rights (AAER), a conservative nonprofit organization. Mark and Telford say that, as part of the agreement, Fearless Foundation has decided to permanently close its Fearless Strivers grant contest, which previously awarded $20,000 grants to Black female-owned businesses. AAER, led by conservative activist Edward Blum, sued Fearless Fund on August 2, 2023, alleging discrimination against non-Black businesspeople. Alphonso David, one of Fearless Fund’s attorneys, described the settlement as “narrow,” and said that Fearless Fund’s intent was to limit the case’s impact to the Eleventh Circuit. Civil rights activist Reverend Al Sharpton, who has supported Fearless Fund since the outset, described the settlement as a “sacrifice,” commenting that “if we had fought, and Blum and them wanted to go all the way to the Supreme Court, we’d have lost the fight for generations.”
  • Wall Street Journal, “Fearless Fund Shuts Down Grant Program for Black Founders After Legal Settlement; The outcome of a legal battle with Edward Blum’s organization is a setback for diversity efforts in venture capital” (September 11): Yuliya Chernova of The Wall Street Journal reports on the closure of Fearless Foundation’s grant program for Black female entrepreneurs, which comes as part of a legal settlement with the American Alliance for Equal Rights. Chernova notes that the settlement has prompted concerns about the potential impact on other initiatives aimed at diversifying the venture capital industry. According to Chernova, venture-backed startups remain predominantly led by white men, and U.S. companies with at least one female founder have secured just 22.6% of all venture funding. Edward Blum, president of AAER, commented that “race-exclusive programs like the one the Fearless Fund promoted are divisive and illegal. Opening grant programs to all applicants, regardless of their race, is enshrined in our nation’s civil rights laws and supported by significant majorities of all Americans.” In response, Arian Simone, CEO of Fearless Fund, affirmed that her organizations will continue their efforts to help under-resourced entrepreneurs despite the program’s closure.
  • Financial Times, “Meet Robby Starbuck, the anti-woke activist who is shaking up boardrooms” (September 6): Taylor Nicole Rogers of The Financial Times reports on conservative activist Robby Starbuck’s recent campaigns against corporate DEI initiatives. Known for his social media campaigns against a number of companies, Starbuck has now turned his focus to Molson Coors, the maker of Coors Light and Miller beers. As a result of his efforts, Rogers says that Molson Coors announced that it would no longer participate in the Human Rights Campaign’s scoring system, which rates companies based on LGBTQ+ inclusion in the workspace, and that the company will eliminate its supplier-diversity goals. Rogers reports that Starbuck, who engages his 600,000 followers on X and employs two staff members to research companies’ diversity efforts, has shifted his focus from companies with conservative customer bases to those with more neutral or diverse audiences. According to Starbuck, “The situation these companies are facing is a very different new world where I have a direct line to a sizeable portion of their customers. These customers are engaged and they now understand something very important: their wallets are a weapon.”
  • Bloomberg, “Investors Craft Counterattacks After Influencer’s Anti-DEI Blitz” (September 6): Bloomberg’s David Hood reports on the efforts by shareholder groups to reinstate DEI commitments at companies that have been targeted by conservative activist Robby Starbuck. Hood says that these groups are exploring a range of strategies—from proxy proposals to litigation—to restore DEI policies at companies attacked by Starbuck. Andy Behar, CEO of shareholder advocacy group As You Sow, indicated that his organization is considering helping investors launch campaigns to replace board members at companies that reversed course on DEI. Additionally, Brad Lander, New York City’s Comptroller, who oversees funds totaling nearly $500 million across seven companies targeted by Starbuck, stated that companies yielding to Starbuck’s demands should be “on notice” and warned that “we’re not going to stand by as folks with no track record in investing try to roll back proven strategies for advancing diversity of companies across the economy in effective ways.”
  • Wall Street Journal, “Molson Coors Rolls Back DEI Initiatives” (September 3): The Wall Street Journal’s Joseph Pisani reports that Molson Coors, the maker of Coors Light and Miller beers, has decided to pull back on its diversity policies and initiatives. The company announced that it would no longer participate in the Human Rights Campaign’s scoring system, which rates companies based on LGBTQ+ inclusion in the workspace. Additionally, Pisani reports that Molson Coors will eliminate its supplier-diversity goals. Conservative activist Robby Starbuck claimed responsibility for the changes at Molson Coors, stating that he messaged company executives the week before the announcement. Molson Coors representatives indicated that this shift is intended to broaden its DEI efforts to ensure that all employees feel welcomed.
  • CalMatters, “California may ban legacy admissions at colleges. The end of affirmative action is a reason why” (August 29): Mikhail Zinshteyn of CalMatters, a nonprofit news organization that covers California state politics and policies, reports that California’s legislature passed a bill on August 28, 2024, barring the state’s private nonprofit colleges from making admissions decisions based on whether family members of students donated money to the school or had attended the school themselves. If signed by Governor Newsom, California would join Illinois, Maryland, Virginia, and Colorado in banning legacy preferences in admissions at either public or private institutions. Currently, only six private colleges in California use legacy as a factor in admissions, while no public colleges in the state do. If the bill becomes law, schools will be prohibited from considering an applicant’s legacy or donor connections in admissions decisions starting September 1, 2025. Zinshteyn reports that the bill is intended to serve as “a necessary corrective” to the Supreme Court’s ruling that banned colleges from using race as a factor in admissions. According to Democratic Assemblymember Phillip Ting, the bill is intended to “make sure that everyone’s getting in because of their own merit, because of their grades, their test scores, what they provide to that institution, not because of their pocketbooks, of their parents or their family members.”
  • Forbes, “Chicago Bears Settle Lawsuit Over ‘Legal Diversity Fellow’ Role” (August 28): Forbes’ Chris Deubert reports that the Chicago Bears have confidentially settled a lawsuit filed by Jonathan Bresser, a law student at DePaul University College of Law. Bresser challenged the constitutionality of the team’s “Legal Diversity Fellow” program, which provided opportunities for local law students to work with the Bears’ legal team and DEI department on various goals and initiatives. Deubert reports that the fellowship was open only to law students who are women or persons of color. Bresser, who is a white male, applied for the fellowship in November 2023 but was not selected. He subsequently filed a lawsuit in the U.S. District Court for the Northern District of Illinois, alleging that the Bears and several of its employees violated Title VII and its Illinois equivalent by not hiring him based on his race and gender. According to the court records, the matter was settled on August 27, 2024.

Case Updates:

Below is a list of updates in new and pending cases:

1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:

  • American Alliance for Equal Rights v. Southwest Airlines Co., No. 24-cv-01209 (N.D. Tex. 2024): On May 20, 2024, American Alliance for Equal Rights (AAER) filed a complaint against Southwest Airlines, alleging that the company’s ¡Latanzé! Travel Award Program, which awards free flights to students who “identify direct or parental ties to a specific country” of Hispanic origin, improperly discriminates based on race. AAER is seeking a declaratory judgment that the program violates Section 1981 and Title VI, a temporary restraining order barring Southwest from closing the next application period (set to open in March 2025), and a permanent injunction barring enforcement of the program’s ethnic eligibility criteria.
    • Latest update: On August 22, 2024, Southwest filed a motion to dismiss, arguing that the case was moot because the company had signed a covenant with AAER that eliminated the challenged provisions from any and all future program application cycles. The program is now open to students who are “enrolled at a college/university located at least 200 miles from a student’s home” and is “not limited by race, ethnicity, or national origin.” On August 29, 2024, the court stayed proceedings in the case, pending resolution of Southwest’s motion to dismiss. Oral argument on the motion is scheduled for November 12, 2024.

2. Employment discrimination and related claims:

  • Newman v. Elk Grove Education Association, No. 2:24-cv-01487 (E.D. Cal. 2024): On May 24, 2024, a white teacher at the Elk Grove Unified School District in Sacramento, California, sued the teachers’ union under Title VII and California law, after the District created an executive board position called the “BIPOC At-Large Director” open only to those who “self-identify” as “African American (Black), Native American, Alaska Native, Native Hawai’ian, Pacific Islander, Latino (including Puerto Rican), Asian, Arab, and Middle Eastern.” The plaintiff alleges that he is a union member who “wants to run for union office to address the District’s recent adoption of what he believes to be aggressive and unnecessary Diversity, Equity & Inclusion (‘DEI’) policies,” but is ineligible for this board seat because of his race.
    • Latest update: On August 26, 2024, the defendant filed a motion to dismiss, arguing that the plaintiff’s claims are moot because the union “no longer has any position with any eligibility criteria that is based on race” and has replaced the BIPOC At-Large Director position with a new Racial Equity Director At-Large position that is open to all members regardless of race. The defendant also moved to dismiss the plaintiff’s claims for punitive damages, arguing that he had not pled any facts sufficient to show malice, reckless indifference, or oppression. Oral argument on the motion is scheduled for October 15, 2024.
  • Harker v. Meta Platforms, Inc., No. 23-cv-7865 (S.D.N.Y. 2023): A lighting technician who worked on a set where a Meta commercial was produced sued Meta and a film producers association, alleging that their diversity initiative Double the Line (DTL) violated Title VII, Sections 1981 and 1985, and New York law. The plaintiff also claimed that he was retaliated against after raising questions about the qualifications of a coworker hired pursuant to the DTL initiative. On December 19, 2023, the defendants moved to dismiss the plaintiff’s first amended complaint. On January 25, 2024, the plaintiff filed his opposition to Meta’s motion.
    • Latest update: On August 29, 2024, the court granted the defendants’ motions to dismiss for lack of standing. The court reasoned that because the plaintiff did not apply, attempt to apply, or even express interest in applying for, a lighting technician position under the DTL program, he had not alleged any injury-in-fact sufficient to establish standing. The court further denied leave to amend the complaint and entered judgment closing the case.

3. Challenges to agency rules, laws and regulatory decisions:

  • Do No Harm v. Lee, No. 3:23-cv-01175-WLC (M.D. Tenn. 2023): On November 8, 2023, Do No Harm sued Tennessee Governor Bill Lee under the Equal Protection Clause, seeking to enjoin a 1988 Tennessee law requiring the governor to “strive to ensure” that at least one board member of the six-member Tennessee Board of Podiatric Medical Examiners is a racial minority. On February 2, 2024, Governor Lee moved to dismiss the complaint for lack of standing. On August 8, 2024, the court granted Governor Lee’s motion to dismiss and entered judgment in the case, holding that Do No Harm had not demonstrated injury in fact.
    • Latest update: On August 30, 2024, Do No Harm appealed the district court’s decision to the Sixth Circuit.
  • Young Americans for Freedom v. United States Department of Education, No. 3:24-cv-00163 (D.N.D. 2024): On August 27, 2024, the University of North Dakota Chapter of Young Americans for Freedom (YAF) sued the U.S. Department of Education (DOE) over its McNair Post-Baccalaureate Achievement Program, a research and graduate studies grant program that supports incoming graduate students who are either low-income first-generation college students or “member[s] of a group that is underrepresented in graduate education.” Relevant federal regulations define these underrepresented groups as “Black (non-Hispanic), Hispanic, American Indian, Alaskan Native, Native Hawaiians, and Native American Pacific Islanders.” YAF alleges that the McNair program violates the Equal Protection Clause by restricting admission based on race, and violates the Administrative Procedure Act as an agency action that is “contrary to a constitutional right.” See 5 U.S.C. § 706(2)(B). YAF requests, among other things, a preliminary injunction enjoining the DOE from enforcing all race-based qualifications for the McNair program.
    • Latest update: On September 4, 2024, YAF filed a motion for preliminary injunction, requesting that the court prevent the DOE from enforcing the racial and ethnic qualifications of the McNair program, and requiring the DOE to notify all participating institutions of higher education that they cannot impose or rely upon such classifications. YAF argues that the racial eligibility criteria fail the strict scrutiny test for affirmative action policies because the government did not have evidence of discrimination when it started the McNair program. The docket does not reflect that the DOE has been served.

4. Actions against Educational Institutions:

  • Students for Fair Admissions v. United States Naval Academy, No. 1:23-cv-02699 (D. Md. 2023): On October 5, 2023, Students for Fair Admissions (SFFA) sued the U.S. Naval Academy, arguing that consideration of race in its admissions process violates the Fifth Amendment. On December 20, 2023, the district court denied SFFA’s preliminary injunction motion, holding that SFFA did not show that it would succeed on the merits of its Equal Protection claim because it failed to show that the defendants’ justifications for their policies did not satisfy strict scrutiny.
    • Latest update: On August 15, 2024, SFFA filed a motion for partial summary judgment on the issue of standing, arguing that the four anonymous SFFA members, each of whom applied for admission at the Naval Academy but was denied, would have standing to sue in their own right. SFFA argued that each member sustained an injury of being denied the opportunity to compete for admission to the Naval Academy on an equal basis and is “ready to apply” if the court redresses the issue. On August 23, 2024, the Naval Academy opposed the motion, urging the court to consider the issue of standing after trial because there are disputed issues of material fact as to whether SFFA members are “able and ready” to apply. On August 28, 2024, SFFA replied, arguing that the disputes over their members’ “ability and readiness to apply” are not material or genuine, and therefore should not be a bar to granting partial summary judgment ahead of trial. A pretrial conference and hearing on motions in limine was held on September 5, 2024, and a bench trial is scheduled for September 16–27, 2024.

The following Gibson Dunn attorneys assisted in preparing this client update: Jason Schwartz, Mylan Denerstein, Blaine Evanson, Molly Senger, Zakiyyah Salim-Williams, Matt Gregory, Zoë Klein, Mollie Reiss, Jenna Voronov, Alana Bevan, Marquan Robertson, Janice Jiang, Elizabeth Penava, Skylar Drefcinski, Mary Lindsay Krebs, David Offit, Lauren Meyer, Kameron Mitchell, Maura Carey, and Jayee Malwankar.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following practice leaders and authors:

Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, [email protected])

Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, [email protected])

Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, [email protected])

Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, [email protected])

Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, [email protected])

Blaine H. Evanson – Partner, Appellate & Constitutional Law Group
Orange County (+1 949-451-3805, [email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Europe

08/06/2024

Council of Europe | Report | Neural data

The Council of Europe reported on the data protection challenges linked to neurotechnology and neural data from the perspective of Convention 108+.

The report highlights the challenges posed by neural data and neurotechnology, including the impact it may have on human rights and fundamental freedoms, in particular the right to privacy and to the protection of personal data. It provides a legal and technical description of neurotechnology and neural data and suggests solutions to address privacy concerns related to neural data processing.

For further information: Council of Europe Website

08/01/2024

European Commission | EU AI Act

The European Artificial Intelligence Act (“AI Act”) came into force.

The European Commission announced that the AI Act came into force on August 1, 2024. The majority of rules of the AI Act will start applying on August 2, 2026.

For more information: European Commission Website

Belgium

08/23/2024

Belgian Supervisory Authority | Sanction | Access Request

The Belgian Supervisory Authority (“APD”) imposed a fine of €100,000 on a telecom operator for its late reply to a right of access request.

The APD determined that the telecom operator failed to appropriately process and reply to the individual’s access request by providing a response 14 months after the access request was submitted.

For more information: EDPB Website

Denmark

08/26/2024

Danish Supervisory Authority | Decision | AI

On August 26, 2024, the Danish Supervisory Authority (“Datatilsynet”) published its decision allowing an insurance company to record and use artificial intelligence for analyzing incoming telephone calls.

Following its March 2023 investigation into the insurance company and its use of artificial intelligence to analyze customer service calls, the Datatilsynet found that the insurance company complies with GDPR rules. The Datatilsynet’s decision also recalls that the processing must comply with data protection rules, particularly with regard to obtaining consent and the information given to data subjects.

For more information: Datatilsynet Website [DA]

France

08/27/2024

French Supervisory Authority | Monitoring Tool | Binding Corporate Rules

The French Supervisory Authority (“CNIL”) published a monitoring tool for Binding Corporate Rules (“BCR”).

The CNIL makes available to BCR holders a self-assessment tool to verify their level of compliance with BCR requirements and specifies the steps for its deployment.

For more information: CNIL Website

Germany

08/30/2024

Saxony Supervisory Authority | Recommendation | Technical and Organizational Measures

On August 30, 2024, the Saxon Supervisory Authority (“SDTB”) published its recommendation on the redaction of documents.

The SDTB pointed out that it is often necessary to delete or anonymize personal data (for example when publishing documents containing sensitive data) and that, in such cases, technical and organizational measures, including document redaction, must be implemented for data protection. In particular, the recommendation describes the possible sources of error and solutions relating to redaction.

For more information: SDTB Website [DE]

08/28/2024

Rhineland-Palatinate Supervisory Authority | Press Release | Customer Account

The Rhineland-Palatinate Supervisory Authority (“LfDI Rheinland-Pfalz”) announced in a press release that it has sent an information letter to 13 e-shops on the necessity of providing guest access when placing an order.

While recognizing the advantages of creating a customer account (e.g., ordering without having to enter the same data again or reviewing orders), the LfDI Rheinland-Pfalz points out that individuals should always have an equal alternative when shopping online. It further considers that online shops have an obligation to implement a guest ordering process which results from the provisions of Articles 5 and 6 of the GDPR.

For more information: LfDI Rheinland-Pfalz Website [DE]

08/15/2024

BfDI | Press Release | Messenger Services Standard Test Catalogue

The Federal Commissioner for Data Protection and Freedom of Information (“BfDI”) has launched a public consultation process on the creation of a uniform test for messenger services regarding their compliance with the GDPR.

The BfDI has initiated the development of a uniform standard test regarding the GDPR compliance of messenger services. This is especially important due to their widespread use both in private life and for work-related purposes. To create a useful uniform standard test, the BfDI now invites specialist users or deployers and civil society to comment on and participate in the development of criteria for the published draft test.

For more information: BfDI Website [DE]

08/01/2024

Saxony Supervisory Authority | Guidelines | Data Subject Access Requests

On August 1, 2024, the Saxon Supervisory Authority (“SDTB”) published guidelines for local authorities and administrative bodies on how to handle data subject access requests under Article 15 of the GDPR.

The SDTB’s guidelines are intended to provide guidance on how to comply with requests regarding the right of access of data subjects. They incorporate the latest case law of the higher courts and, in particular, of the Court of Justice of the European Union.

For more information: SDTB Website [DE]

Italy

08/09/2024

Italian Supervisory Authority | Sanction | Unlawful access to a database

The Italian Supervisory Authority (“Garante”) published its decision of June 6, 2024, imposing a fine of €1 million on a financial institution for unlawful processing.

The Garante received a complaint in which an individual claimed to have been blacklisted and denied financing for a long-term car rental, following verifications in a database. In the context of a request to exercise his rights under the GDPR, the complainant asked the car rental company and its parent company, a financial institution, for information on the reasons behind the blacklisting, but received no response. Upon investigation, the Garante found that the financial institution, which carried out verifications on behalf of the car rental company, did not have the authorization from the Ministry of Economy and Finance to access the centralized fraud prevention system (“SCIPAFI”) and concluded that the complainant’s personal data had been unlawfully processed.

For more information: Garante Website [IT]

08/09/2024

Italian Supervisory Authority | FAQ | Right to be forgotten

The Italian Supervisory Authority (“Garante”) announced that it has released frequently asked questions (“FAQs”) on the “right to be forgotten in oncology”.

The FAQs aim to clarify the provisions of Law No. 193 of 7 December 2023 on the “right to be forgotten in oncology”, which allows individuals who have recovered from an oncological disease not to provide information or be investigated regarding their previous condition in order to access banking, financial, investment and insurance services, insolvency procedures, and employment and professional training. The Garante will be in charge of the enforcement of these provisions.

For more information: Garante Website [IT]

Switzerland

08/14/2024

Swiss Federal Council | Adequacy Decision | Swiss-US Data Privacy Framework

The Swiss Federal Council adopted its decision of adequacy regarding the USA under the Swiss-US Data Privacy Framework (“DPF”).

Over a year after the European Commission, the Swiss Federal Council has now also adopted its adequacy decision for US-companies certified under the DPF and thus facilitates the transfer of personal data to the USA in compliance with data protection regulations. This will enter into force on 15 September 2024.

For more information: Federal Council Website

United Kingdom

08/21/2024

Department for Science, Innovation and Technology | Blog | Privacy-Preserving Federated Learning

The Department for Science, Innovation and Technology (“DSIT”) published a blog post on implementation challenges in Privacy-Preserving Federated Learning (“PPFL”).

The blog highlights challenges to developing deployable PPFL, which are due to several factors such as real-world conditions for deployment (e.g., insufficient computational power) or flaws in the system design which can lead to privacy breaches.

For more information: UK Government Website

08/13/2024

UK Supervisory Authority | Report | Privacy Enhancing Technologies

The UK Supervisory Authority (“ICO”) published a report entitled “Tackling Barriers to Privacy-Enhancing Technologies Adoption”.

Privacy-Enhancing Technologies (“PETs”) are defined by the ICO as technologies supporting data privacy by minimizing the use of personal data and increasing their security. The report explains, in particular, the barriers to adopting such technologies and provides recommendations on how to support and promote their use across organizations.

For more information: ICO Website

08/07/2024

UK Supervisory Authority | Sanction | Ransomware Attack

The UK Supervisory Authority (“ICO”) issued a provisional decision to impose a fine of £6.09 million (approximately €7.14 million) on a software provider following a ransomware attack which occurred in 2022.

The ICO explained that hackers accessed the company’s health and care systems through a customer account which was not protected via multi-factor authentication. The attack led to the exfiltration of personal data from 82,946 individuals, including phone numbers, medical records, and information on how to gain entry to the homes of 890 people receiving home care. Critical services had also been disrupted. The ICO’s findings are provisional, and a final decision has not yet been made. If issued, this will notably be the first time that the ICO issues a fine to a processor for a breach of its obligations under data protection laws.

For more information: ICO Website

08/02/2024

UK Supervisory Authority | Statement | Children protection

The UK Supervisory Authority (“ICO”) issued a statement calling on social media platforms (“SMPs”) and video-sharing platforms (“VSPs”) to improve their children’s data privacy practices.

The ICO stated that it has reviewed 34 SMPs and VSPs focusing on the process children go through to sign-up for accounts. The ICO found different levels of compliance with the Children’s Code, and sent some of the platforms questions on issues relating to default privacy settings, geolocation, age assurance and targeted advertising.

For more information: ICO Website


This newsletter has been prepared by the European Privacy team of Gibson Dunn. For further information, you may contact us by email:

Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris ([email protected])

Joel Harrison – Partner, Co-Chair, PCDI Practice, London ([email protected])

Vera Lukic – Partner, Paris ([email protected])

Lore Leitner – Partner, London ([email protected])

Kai Gesing – Partner, Munich ([email protected])

Clémence Pugnet – Associate, Paris ([email protected])

Thomas Baculard – Associate, Paris ([email protected])

Hermine Hubert – Associate, Paris ([email protected])

Billur Cinar – Associate, Paris ([email protected])

Christoph Jacob – Associate, Munich ([email protected])

Yannick Oberacker – Associate, Munich ([email protected])

Sarah Villani – Associate, London ([email protected])

Miles Lynn – Associate, London ([email protected])


From the Derivatives Practice Group: This week, the CFTC staff issued a no-action letter regarding swap data reporting and recordkeeping regulations. The no-action letter is comparable to previous letters issued for similarly situated designated contract markets and derivatives clearing organizations.

New Developments

  • CFTC Staff Issues No-Action Letter Related to Reporting and Recordkeeping Requirements for Fully Collateralized Binary Options. On September 4, 2024, the CFTC announced the Division of Market Oversight (“DMO”) and the Division of Clearing and Risk have taken a no-action position regarding swap data reporting and recordkeeping regulations in response to a request from LedgerX LLC d/b/a MIAX Derivatives Exchange LLC (“MIAXdx”), a designated contract market and derivatives clearing organization. The Divisions will not recommend the CFTC initiate an enforcement action against MIAXdx or its participants for certain swap-related recordkeeping requirements and for failure to report data associated with fully collateralized binary option transactions executed on or subject to the rules of MIAXdx to swap data repositories. The no-action letter is comparable to no-action letters issued for other similarly situated designated contract markets and derivatives clearing organizations.
  • CFTC Grants Kalshi Klear LLC DCO Registration. On August 29, the CFTC announced it has issued Kalshi Klear LLC (“Kalshi”) an Order of Registration as a derivatives clearing organization (“DCO”) under the Commodity Exchange Act. Kalshi’s affiliate, KalshiEx LLC, is registered with the CFTC as a designated contract market.
  • CFTC Staff Extends Brexit-Related No-Action Positions. On August 29, the CFTC’s DMO and Market Participants Division (“MPD”) announced they are extending temporary no-action positions in connection with the withdrawal of the United Kingdom (“UK”) from the European Union (“EU”), known as Brexit. In addition, DMO is amending its no-action position to include two additional multilateral trading facilities (“MTFs”) authorized in the UK. The no-action position was also amended to remove an MTF and an organized trading facility because the facilities are no longer authorized in the UK.
  • CFTC Staff Issues No-Action Letter for EU-Based and UK-Based DCOs Regarding Certain Requirements Applicable to DCOs. On August 23, the CFTC’s Division of Clearing and Risk (“DCR”) issued a no-action letter to address the applicability of certain CFTC regulations to registered DCOs based in either the EU or the UK. This letter replaces CFTC Letter 16-26, which applied only to EU-based DCOs and was issued in 2016 as part of the CFTC’s response to the EU equivalence determination with regard to the CFTC’s regulatory framework for DCOs. DCR has updated CFTC Letter 16-26 to explicitly apply it to UK-based DCOs post-Brexit.

New Developments Outside the U.S.

  • Markets Increasingly Sensitive After Strong Performance in Early 2024. On August 29, ESMA published its second risk monitoring report of 2024, setting out the key risk drivers currently facing EU financial markets. The report stated that external events continue to have a strong impact on the evolution of financial markets, and ESMA also sees high or very high overall risks in the markets within its remit.
  • ESMA Publishes Translations of its Guidelines on Funds’ Names. On August 21, ESMA published the translations in all official EU languages of its Guidelines on funds’ names using ESG or sustainability-related terms. National competent authorities must notify ESMA by October 21, 2024 whether they (i) comply, (ii) do not comply, but intend to comply, or (iii) do not comply and do not intend to comply with the guidelines.
  • ESAs’ Joint Board of Appeal Allows the Appeal Lodged by NOVIS and Remits the Case to EIOPA. On August 13, the Joint Board of Appeal of the European Supervisory Authorities (“ESAs”) unanimously decided that the appeal brought by NOVIS against the European Insurance and Occupational Pensions Authority (“EIOPA”) is admissible. The appeal was brought in relation to the EIOPA decision not to grant access to documents, which were requested by NOVIS. In its decision, the board of appeal acknowledged that requests for access to documents laid out in Regulation No 1049/2001 can be dismissed by way of exceptions to protect certain public and private interests.
  • ESMA Recognizes CDS Clearing and Depository Services as Tier 1 CCP Following MoU with the British Columbia Securities Commission. On August 13, ESMA signed a Memorandum of Understanding (“MoU”) with the British Columbia Securities Commission and updated its list of recognized third-country central counterparties (“CCPs”) under the European Markets Infrastructure Regulation (“EMIR”). The MoU establishes cooperation arrangements, including the exchange of information, regarding CCPs that are established in Canada and authorized or recognized by the British Columbia Securities Commission, and which have applied for EU recognition under EMIR.

New Industry-Led Developments

  • ISDA Suggested Operational Practice “P43 Reporting of Post-Trade Events: Trades with no prior P43 Reporting.” On September 5, ISDA republished a Suggested Operational Practice (“SOP”) from July 2024 on approaches (e.g. for partial or full unwinds, partial or full novation, or partial or full exercises) under the CFTC amendments for allocated trades. The SOP recommends reporting the first Part 43 reportable post-trade event on an allocated trade with Action type “NEWT” and Event type “TRAD.” [NEW]
  • ISDA and IIF Respond to BCBS Consultation on CCR Management. On August 28, ISDA and the Institute of International Finance (“IIF”) submitted a joint response to the Basel Committee on Banking Supervision’s (“BCBS”) consultation on guidelines for counterparty credit risk (“CCR”) management. The new guidelines represent an update to the Sound Practices for Banks’ Interactions with Highly Leveraged Institutions, published in January 1999, to incorporate recent lessons and best practices. In the response, the associations stress the guidelines should be risk-based and proportional, considering a diverse universe of counterparties and financial markets across the world. The associations stated that they believe a common understanding and coordination between central banks, supervisors and banks can enhance the effectiveness of CCR practices.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus, New York (212.351.3869, [email protected])

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

William R. Hallatt, Hong Kong (+852 2214 3836, [email protected])

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki, New York (212.351.4028, [email protected])

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])


Personal Data | Cybersecurity | Data Innovation

Europe

03/14/2023 – European Union Agency for Cybersecurity | Report | Cybersecurity of AI and Standardisation

On 14 March 2023, the European Union Agency for Cybersecurity published a report on Cybersecurity of AI and Standardisation.

The objective of the report is to provide an overview of standards (existing, being drafted, under consideration and planned) related to cybersecurity of artificial intelligence, assess their scope and identify gaps in standardisation.

For further information: ENISA Website


03/14/2023 – European Parliament | Regulation | Data Act

On 14 March 2023, the European Parliament adopted the draft Data Act.

The Data Act aims to boost innovation by removing barriers obstructing access by consumers and businesses to data.

For further information: European Parliament Website


02/28/2023 – European Data Protection Board | Opinion | EU-US Data Privacy Framework

On 28 February 2023, the European Data Protection Board adopted its opinion on the draft adequacy decision regarding the EU-US Data Privacy Framework.

The European Data Protection Board welcomes substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for US intelligence gathering of data and the new redress mechanism for EU data subjects. At the same time, it expresses concerns and requests clarifications on several points.

For further information: EDPB Website


02/24/2023 – European Data Protection Board | Guidelines | Transfers, Certification and Dark Patterns

On 24 February 2023, the European Data Protection Board published the final versions of three guidelines.

Following public consultation, the European Data Protection Board has adopted three sets of guidelines in their final version: the Guidelines on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR; the Guidelines on certification as a tool for transfers; and the Guidelines on deceptive design patterns in social media platform interfaces.

For further information: EDPB Website


02/15/2023 – European Commission | Decision | Whistleblowing

On 15 February 2023, the European Commission announced its decision to refer eight Member States to the Court of Justice of the European Union for failing to transpose the Directive (EU) 2019/1937 on the Protection of Persons who Report Breaches of Union Law before 17 December 2021.

The relevant Member States include the Czech Republic, Germany, Estonia, Spain, Italy, Luxembourg, Hungary, and Poland.

For further information: European Commission Website


01/18/2023 – European Data Protection Board | Report | Cookie Banner Taskforce 

On 18 January 2023, the European Data Protection Board adopted its final report of the cookie banner task force.

The French Supervisory Authority and its European counterparts adopted the report summarizing the conclusions of the task force in charge of coordinating the answers to the questions on cookie banners raised by the complaints of the None Of Your Business Association. The main points of attention that were discussed concern the modalities for accepting and refusing the storage of cookies and the design of banners.

For further information: EDPB Website


01/16/2023 – European Union | Regulation | Digital Operational Resilience Act 

The Digital Operational Resilience Act (“DORA”) entered into force on 16 January 2023.

The DORA aims to ensure that financial-sector information and communication technology (“ICT”) systems can withstand security threats and that third-party ICT providers are monitored.

For further information: Official Journal Website


01/12/2023 – Court of Justice of the European Union | Decision | Right of access

On 12 January 2023, the Court of Justice of the European Union ruled that everyone has the right to know to whom their personal data has been disclosed.

The data subject’s right of access to personal data under the GDPR entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of the GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question.

For further information: Press Release


Austria

02/01/2023 – Austrian Parliament | National Council | Whistleblowing 

On 1 February 2023, Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (“the Whistleblowing Directive”) was implemented by the Austrian National Council.

For further information: Austrian Parliament Website


Belgium

02/15/2023 – House of Representatives | Legislation | Whistleblowing 

On 15 February 2023, the Whistleblowing law for the private sector which partially transposes the Whistleblowing Directive entered into force.

For further information: Whistleblowing Law


Bulgaria

01/27/2023 – Bulgarian National Assembly | Legislation | Whistleblowing 

On 27 January 2023, the Bulgarian National Assembly (“CPDP”) adopted the Whistleblower Protection and Public Disclosure Act (“PWIPDA”) transposing the Whistleblowing Directive.

For further information: CPDP Website [BG]


Czech Republic

03/07/2023 – Czech Supervisory Authority | FAQ | Cookies

On 7 March 2023, the Czech Supervisory Authority (“UOOU”) published a FAQ on cookie banners and consent.

For further information: UOOU Website [CZ]


Denmark

02/20/2023 – Danish Supervisory Authority | Decision | Cookie Walls 

The Danish Supervisory Authority issued two decisions regarding the use of cookie walls on websites and published general guidelines for the use of such consent solutions.

The Danish Supervisory Authority generally found that a method whereby the website visitor can access the content of a website in exchange for either giving consent to the processing of his personal data or paying an access fee, meets the requirements of the data protection rules for a valid consent.

For further information: Danish DPA Website [DK]


01/20/2023 – Danish Supervisory Authority | Guidelines | Storage and Consent 

On 20 January 2023, the Danish Supervisory Authority prepared guidance on the storage of personal data for the purpose of demonstrating compliance with data protection rules on consent.

For further information: Danish DPA Website [DK]


Finland

02/17/2023 – Finnish Supervisory Authority | Sanction | GDPR Violation 

On 17 February 2023, the Finnish Supervisory Authority issued an administrative fine of €440,000 against a company for failing to comply with the authority’s order to rectify its practices.

In particular, the authority stated that the company failed to erase inaccurate payment default entries saved into the credit information register due to inadequate practices. The authority stresses that the processing of payment default information has a significant impact on the rights and freedoms of individuals.

For further information: Finnish DPA Website


France

03/28/2023 – French Supervisory Authority | Sanction | Geolocation Data

On 28 March 2023, the French Supervisory Authority (“CNIL”) announced that it imposed a fine of €125,000 on a scooter rental company because it geolocated its customers almost permanently.

The CNIL noted a failure to comply with several obligations, namely to ensure data minimization, to provide a contractual framework for the processing operations carried out by a processor, and to inform the user and obtain his or her consent before writing and reading information on his or her personal device.

For further information: CNIL Website


03/15/2023 – French Supervisory Authority | Investigation | Smart Cameras

On 15 March 2023, the French Supervisory Authority (“CNIL”) announced that it had set “smart” cameras, mobile apps, and bank and medical records as priority topics for investigations in 2023.

The CNIL carries out investigations on the basis of complaints received and current events, but also annual priority topics. In 2023, it will focus on the use of “smart” cameras by public actors, the use of the file on personal credit repayment incidents, the management of health files and mobile apps.

For further information: CNIL Website


02/09/2023 – French Supervisory Authority | Guidance | Data Governance Act

On 9 February 2023, the French Supervisory Authority (“CNIL”) published guidance on the economic challenges of implementing the Data Governance Act.

For further information: CNIL Website


01/26/2023 – French Supervisory Authority | Statement | Artificial Intelligence

On 26 January 2023, the French Supervisory Authority (“CNIL”) announced the creation of an Artificial Intelligence (“AI”) Department and the start of its work on learning databases.

The CNIL is creating an AI Department to strengthen its expertise on these systems and its understanding of the risks to privacy while preparing for the implementation of the European regulation on AI. In addition, the CNIL has announced that it will propose initial recommendations on machine learning databases.

For further information: CNIL Website


01/24/2023 – Ministry of Home Affairs | Legislation | Cyberattack Risk Insurance

On 24 January 2023, the French Parliament adopted the LOPMI Act that authorizes the insurability of “cyber-ransoms” paid by victims, subject to the prompt filing of a complaint.

For further information: LOPMI


01/04/2023 – French Supervisory Authority | Sanction | Consent 

On 4 January 2023, the French Supervisory Authority (“CNIL”) imposed an administrative €8 million fine on a technology company because it did not collect the consent of French users before depositing and/or writing identifiers used for advertising purposes on their terminals.

The CNIL found that the advertising targeting settings were pre-checked by default. Moreover, the user had to perform a large number of actions in order to deactivate this setting.

The CNIL explained the amount of the fine by the scope of the processing, the number of people concerned in France, the profits the company made from advertising revenues indirectly generated from data collected by these identifiers and the fact that since then, the company has reached compliance.

For further information: CNIL Website


01/17/2023 – French Supervisory Authority | Sanction | Consent

On 17 January 2023, the French Supervisory Authority (“CNIL”) imposed a €3 million fine on a company which publishes video games for smartphones.

The company was using an essentially technical identifier for advertising purposes without the user’s consent.

For further information: CNIL Website


Germany

03/22/2023 – Supervisory Authorities | Opinion | “Pure Subscription Models”

The Conference of the Independent Data Protection Authorities of Germany (DSK) adopted an opinion on so-called “pure subscription models” on websites.

The opinion assesses pure (no-tracking) subscription models and alternative free consent-based tracking models and provides criteria to assess these alternative access instruments on websites.

For further information: DSK Website [DE]


03/15/2023 – Supervisory Authorities | BfDI | Activity Report

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, has presented the BfDI’s Activity Report for 2022.

For further information: BfDI [DE]


03/15/2023 – Supervisory Authorities | Activity Reports

The Commissioners for Data Protection and Freedom of Information of Baden-Württemberg, Hamburg and Schleswig-Holstein have presented their activity reports on the year 2022.

The activity reports cover various data protection and freedom of information topics. For example, in Schleswig-Holstein, data breaches remained frequent while the number of complaints dropped, with video surveillance being the main cause of complaints. The reports emphasize the need to proactively address risks such as artificial intelligence and data sharing.

For further information: ULD Website [DE] and LfDI-BW Website [DE] and HmbBfDI Website [DE]


03/01/2023 – Supervisory Authorities | Opinion | EU-US Privacy Framework

The Hamburg Supervisory Authority (on 1 March 2023) and the German Supervisory Authority (on 28 February 2023) both issued an opinion on the draft adequacy decision on the EU-US Data Privacy Framework.

For further information: Bundestag Website [DE] and BfDI [DE]


02/13/2023 – German Competition Authority | Decision | US Data Transfers

On 13 February 2023, the German Competition Authority (“BKartA”) issued a ruling on data transfers under the GDPR.

In particular, the authority ruled that a company relying on a German subsidiary of a US parent company as a data processor cannot be excluded from a contract bid due to possible violations of the GDPR.

For further information: BKartA Website [DE]


02/09/2023 – ArbG Oldenburg | Decision | Claim for Damages

On 9 February 2023, the Oldenburg Labor Court ordered a company to pay a former employee damages in the amount of 10,000 euros under Article 82 of the GDPR for failing to comply with an information request under Article 15 (1) of the GDPR without establishing any additional (immaterial) harm.

In the opinion of the court, the violation of the GDPR itself already resulted in immaterial harm to be compensated; according to the court, no additional proof of harm was required.


Italy

03/30/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot 

The Italian Supervisory Authority (“Garante”) imposed an immediate temporary limitation on the processing of Italian users’ data by a US-based company developing and managing an AI chatbot.

The Garante opened a probe over a suspected breach of GDPR. The authority alleged “the absence of any legal basis that justifies the massive collection and storage of personal data in order to ‘train’ the algorithms underlying the operation of the platform”. The authority also accused the company of failing to check the age of its users.

For further information: Garante Website [IT]


03/09/2023 – Council of Ministers | Legislation | Whistleblowing

On 9 March 2023, the Italian Council of Ministers approved the whistleblowing legislative decree.

The Council of Ministers announced, on 9 March 2023, the approval, after final review, of the legislative decree to transpose into Italian law the Whistleblowing Directive.

For further information: Governo Italiano Website [IT]


02/21/2023 – Italian Supervisory Authority | Sanction | Marketing Practices 

The Italian Supervisory Authority (“Garante”) announced, on 21 February 2023, that it issued, on 15 December 2022, a €4.9 million fine against an energy company for various instances of non-compliance with the GDPR, including unlawful marketing practices.

For further information: Garante Website [IT]


02/03/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot

The Italian Supervisory Authority (“Garante”) issued an order on an AI chatbot noting that tests performed identified risks for minors and vulnerable individuals.

The US-based developer was ordered to terminate processing of data relating to Italian users and to inform the Garante within 20 days of any measures taken to implement its orders.

For further information: Garante Website


Ireland

02/27/2023 – Irish Supervisory Authority | Sanction | Security

On 27 February 2023, the Irish Supervisory Authority (“DPC”) imposed a fine of €750,000 on a banking company for inadequate data security measures.

The inquiry was initiated after the notification to the DPC of a series of 10 data breaches. In this context, the DPC found that the technical and organizational measures in place at the time were not sufficient to ensure the security of the personal data processed.

For further information: DPC Website


02/23/2023 – Irish Supervisory Authority | Sanction | Security

On 23 February 2023, the Irish Supervisory Authority (“DPC”) imposed a €460,000 fine against a health care provider.

The DPC initiated an enquiry after receiving a personal data breach notification related to a ransomware attack affecting patient data (70,000 people). The DPC considered that the health care provider failed to ensure that the personal data were processed in a manner that ensured appropriate security.

For further information: DPC Website


01/16/2023 – Irish Supervisory Authority | Sanction | CCTV

On 16 January 2023, the Irish Supervisory Authority (“DPC”) imposed a €50,000 fine and a temporary ban on the processing of personal data with CCTV cameras on a company for violations of the GDPR.

For further information: DPC Website


Netherlands

02/22/2023 – Dutch Supervisory Authority | Statement | Camera Settings

The Dutch Supervisory Authority (“AP”) published a statement on changes made by a car manufacturer in the settings of the built-in security cameras of its cars, following an investigation of these cameras by the AP.

For instance, the car may still take camera images, but only when the user activates that function.

For further information: AP Website [NL]


02/18/2023 – House for Whistleblowers | Legislation | Whistleblowing

On 18 February 2023, the House for Whistleblowers announced the entry into force of the Whistleblower Protection Act.

For further information: AP Website [NL]


Norway

03/01/2023 – Norwegian Supervisory Authority | Preliminary conclusion | Analytics Tool

On 1 March 2023, the Norwegian Supervisory Authority (“Datatilsynet”) published its preliminary conclusion on a case related to the use of the analytics tool of a US-based company, considering that the use of this tool is not in line with the GDPR.

For further information: Datatilsynet Website [NO]


02/06/2023 – Norwegian Supervisory Authority | Sanction | GDPR Violation

On 6 February 2023, the Norwegian Supervisory Authority (“Datatilsynet”) fined a company operating fitness centers NOK 10 million (approximately €912,940) for various GDPR violations (e.g., lawfulness of processing, transparency and data subjects’ rights).

For further information: Datatilsynet Website [NO]


Portugal

01/27/2023 – Portuguese Supervisory Authority | Guidelines | Security Measures

The Portuguese Supervisory Authority (“CNPD”) published guidelines on security measures in order to minimize consequences in case of attacks on information systems.

These guidelines aim to inform controllers and processors about their legal obligations, with the increase of cyberattacks on information systems, listing organizational and technical measures that must be considered by organizations.

For further information: Press release [PT]


Romania

03/28/2023 – President of Romania | Legislation | Whistleblowing 

Law No. 67/2023, which amends Article 6 (2) of Law No. 361/2022 on the protection of whistleblowers in the public interest, was published in the Official Gazette on 28 March 2023 and entered into force on 31 March 2023.

For further information: CDEP Website [RO]


Spain

03/16/2023 – Spanish Supervisory Authority | Sanction | Data Minimization 

The Spanish Supervisory Authority (“AEPD”) published, on 16 March 2023, its decision in which it imposed a fine of €100,000 on a telecommunications company for violation of the data minimization principle.

For further information: AEPD Website [ES]


03/15/2023 – Spanish Supervisory Authority | Sanction | GDPR Violation

The Spanish Supervisory Authority (“AEPD”) fined a bank €100,000 for violation of the GDPR.

In particular, the bank used the information provided by the claimant and her child to open several accounts in the name of the child without consent and while it was not necessary for the services requested.

For further information: AEPD Website [ES]


03/15/2023 – Spanish Supervisory Authority | Sanction | Data Portability

The Spanish Supervisory Authority (“AEPD”) published, on 15 March 2023, a decision in which it imposed a fine of €136,000 on a telecommunications company for completing a data portability request without ensuring the security of the personal data of the client.

For further information: AEPD Website [ES]


03/13/2023 – Spanish Senate | Legislation | Whistleblowing 

The Spanish Law 2/2023 implementing the EU Whistleblower Directive was published in the Official Gazette on 20 February 2023 and entered into force on 13 March 2023.

For further information: BOE Website [ES]


United Kingdom

03/28/2023 – UK Supervisory Authority | Guidance | Direct Marketing

On 28 March 2023, the UK Supervisory Authority (“ICO”) issued guidance to businesses operating in regulated private sectors (e.g., finance, communications or utilities) on direct marketing and regulatory communications.

The guidance aims to help businesses identify when a regulatory communication message might count as direct marketing. If the message is direct marketing, it also covers what businesses need to do to comply with data protection and ePrivacy law.

For further information: ICO Website


03/16/2023 – UK Supervisory Authority | Sanction | GDPR Violations

The UK Supervisory Authority (“ICO”) reached an agreement with a retailer to reduce the monetary penalty notice issued for breaching the GDPR from £1,350,000 to £250,000.

The ICO found that the company was making assumptions about customers’ medical conditions, based on their purchase history, to sell them further health related products. The processing involved special category data and the ICO concluded that the processing had been conducted without a lawful basis. The retailer appealed the decision which led to an agreement to reduce the monetary penalty notice, taking into account that the retailer has stopped the unlawful processing.

For further information: ICO Website


03/15/2023 – UK Supervisory Authority | Guidelines | AI and Data Protection

The UK Supervisory Authority (“ICO”) announced on 15 March 2023 that it had updated its guidance on artificial intelligence (“AI”) and data protection.

The ICO indicates that the changes respond to requests from UK industry to clarify requirements for fairness in AI.

For further information: ICO Website


03/13/2023 – UK Supervisory Authority | Guidance | Data Protection by Default

The UK Supervisory Authority (“ICO”) has produced new guidance to help user experience designers, product managers and software engineers embed data protection into their products and services by default.

The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch. It includes both examples of good practice and practical steps that organisations can take to comply with data protection law when designing websites, apps or other technology products and services.

For further information: ICO Website


03/08/2023 – UK Government | Legislation | Cookies

The government re-introduced new laws on 8 March 2023 aiming to cut down paperwork for businesses and reduce unnecessary cookie pop-ups.

The Data Protection and Digital Information Bill was first introduced last summer and paused in September 2022 so ministers could engage in a co-design process with business leaders and data experts. According to the government, this was to ensure that the new regime built on the UK’s high standards for data protection and privacy, and seeks to ensure data adequacy while moving away from the “one-size-fits-all” approach of the European Union’s GDPR.

For further information: UK Government Website


02/16/2023 – UK Supervisory Authority | Guidance | Protection of Children

The UK Supervisory Authority (“ICO”) issued a series of recommendations to game developers to ensure the protection of children and compliance with data protection laws.

For further information: ICO Website


This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2023 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.

Personal Data | Cybersecurity | Data Innovation

Europe

08/25/2023 – Digital Services Act | Regulation | Very Large Online Platforms and Very Large Online Search Engines 

On 25 August 2023, the Digital Services Act (“DSA”) started to apply to very large online platforms and very large online search engines.

As a reminder, on 25 April 2023, the European Commission designated nineteen providers of very large online platforms and of very large online search engines. The DSA will apply to the designated providers from four months after the notification of the designation decisions.

For further information: DSA Regulation; European Commission Website


07/25/2023 – European Consumer Organisation | Position Paper | AI Act 

The European Consumer Organisation (“BEUC”) published a position paper urging EU legislators to ensure that consumers can expect a high level of protection when using AI systems as they enter the final legislative stage on the Artificial Intelligence Act (“AI Act”).

For further information: BEUC Website


07/18/2023 – European Data Protection Board | Information note | EU-US Data transfers

The European Data Protection Board (“EDPB”) published an information note on data transfers to the United States after the adoption of the adequacy decision on 10 July 2023.

The EDPB outlines that transfers to entities in the US which are not included in the “Data Privacy Framework List” cannot be based on the adequacy decision and will require appropriate data protection safeguards, enforceable rights and effective legal remedies for data subjects (e.g., through standard data protection clauses, binding corporate rules), in accordance with Article 46 GDPR.

For further information: EDPB Website


07/12/2023 – European Commission | Strategy | Metaverse

The European Commission issued its strategy for “Virtual Worlds”, commonly referred to as metaverses.

For further information: European Commission Website


07/10/2023 – European Commission | Press Release | EU-US Data Transfers

The European Commission has formally adopted the adequacy decision for the EU-US Data Privacy Framework.

This decision finds that the EU-US Data Privacy Framework provides an adequate level of protection, comparable to that of the European Union, for data transfers from the EU to US companies under the new framework. As a result, personal data can flow safely from the EU to US companies participating in the framework, without having to put in place additional data protection safeguards.

For further information: European Commission Website


07/05/2023 – Council of Europe | Guidelines | Data Processing for Financial Services

The Council published guidelines on data protection for the processing of personal data for Anti-Money Laundering/Countering Financing of Terrorism (“AML/CFT”) purposes.

The purpose of these guidelines is to provide orientation on how to integrate the requirements of Convention 108+ in the area of AML/CFT in order to provide for an appropriate level of data protection while facilitating transborder data flows, and to highlight certain areas in the AML/CFT context where data protection safeguards should be strengthened.

For further information: Council of Europe Website


07/04/2023 – Court of Justice of the European Union | Decision | Antitrust, Competition & GDPR enforcement

The Court of Justice of the European Union (“CJEU”) ruled that a competition authority of a Member State may identify a violation of the GDPR in order to establish the existence of an abuse of a dominant position.

For further information: CJEU decision


07/04/2023 – European Commission | Proposal for Regulation | GDPR Enforcement

The European Commission has proposed to adopt a new regulation “to streamline cooperation between data protection authorities” with regard to GDPR enforcement in cross-border cases.

The regulation aims to further harmonize procedural rules in cross-border cases. It contains provisions regulating the rights of complainants, the rights of the parties under investigation as well as provisions to streamline the cooperation and dispute resolution process. According to the European Commission, the proposed regulation will lead to “swifter resolution of cases” and enhance the efficiency of GDPR enforcement.

For further information: European Commission Website


06/28/2023 – European Parliament/Council of the EU | Regulation | Data Act

The European Parliament and the Council of the EU have reached a political agreement on the European Data Act. This new legislation aims at “boosting” the EU’s data economy by ensuring a competitive European data market.

The proposal contains provisions regulating data access rights, unfair contractual terms as well as rules governing the switch between cloud data-processing service providers among other things. The draft EU Data Act complements the Data Governance Act of November 2020 and is expected to enter into force in late 2024. The next step in the legislative process is the formal passing of the law by the European Parliament and the Council, which is expected later this year.

For further information: European Commission Website


06/22/2023 – Court of Justice of the European Union | Judgement | Data Subject Rights

The Court of Justice of the European Union (“CJEU”) ruled that the scope of the right granted to the data subject is not affected by the fact that the data controller is engaged in the business of banking and acts within the framework of a regulated activity, or by the fact that the data subject, whose personal data has been processed in his capacity as a customer of the controller, was also an employee of that controller.

For further information: CJEU Website


06/21/2023 – European Data Protection Board | Recommendations | Binding Corporate Rules

The European Data Protection Board (“EDPB”) adopted a final version of the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (“BCR-C”).

For further information: EDPB Website


06/07/2023 – European Data Protection Board | Guidelines | Calculation of Administrative Fines

The European Data Protection Board (“EDPB”) adopted a final version of the guidelines 04/2022 on the calculation of administrative fines following public consultation.

For further information: EDPB Website


05/24/2023 – European Commission | News Announcement | EU-ASEAN Data Transfers

The European Commission announced that the EU and the Association of Southeast Asian Nations (“ASEAN”) issued a joint guide identifying commonalities between the EU Standard Contractual Clauses (“SCCs”) and the ASEAN Model Contractual Clauses for cross-border data transfers.

The objective of the guide is to assist companies operating across the ASEAN and EU regions in understanding the similarities and differences between the respective contractual clauses, thereby facilitating compliance with ASEAN and EU data protection laws as applicable.

For further information: European Commission Website


05/22/2023 – European Data Protection Board | Case Digest | Right to Object and Erasure

The European Data Protection Board (“EDPB”) published a case digest on the right to object and erasure.

In particular, the case digest examines a selection of one-stop-shop decisions taken from the EDPB’s public register relating to Articles 17 and 21 of the GDPR. Most of the complaints under those articles concern minor violations where the data controller shows active cooperation, with spontaneous remediation of the infringement. Hence, the decisions analyzed often result in reprimands. Although in some cases the lead supervisory authorities have imposed specific sanctions on data controllers, this is usually due to a large number of infringements of the GDPR, with a minor role played by violations of Articles 17 and 21.

For further information: EDPB Website


05/04/2023 – Court of Justice of the European Union | Decision | Right to Compensation

The Court of Justice of the European Union ruled that a mere infringement of the GDPR does not give rise to a right to compensation.

Overall, the Court stated that the right to compensation under the GDPR is subject to three cumulative conditions: an infringement of the GDPR, material or non-material damage resulting from that infringement and a causal link between the damage and the infringement. Moreover, the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. Finally, as the GDPR does not contain any rules governing the assessment of damages, it is for each Member State to prescribe them, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence and effectiveness are complied with.

For further information: CJEU Website


05/04/2023 – Court of Justice of the European Union | Decision | Data Subjects Rights

The Court of Justice of the European Union ruled that the data subject’s right to obtain from the controller a “copy” of the personal data undergoing processing as per Article 15(3) GDPR means that the data subject must be given a faithful and intelligible reproduction of all those personal data.

In particular, that entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases, if the provision of such copy is essential to enable the data subject to exercise effectively the right granted to him/her by that regulation, taking into account the rights and freedoms of others.

For further information: CJEU Website


04/26/2023 – European Union General Court | Decision | Pseudonymized Data

The General Court of the European Union ruled that in order to determine whether information constitutes personal data, it is necessary to determine whether the information relates to “identifiable persons”. The European Data Protection Supervisor (“EDPS”) appealed this decision before the Court of Justice of the European Union (“CJEU”) on 5 July 2023.

The EDPS argues that the General Court has not interpreted the relevant provisions correctly. Therefore, the EDPS asks the CJEU to set aside the General Court’s judgment in its entirety and to give a final judgment in the dispute.

For further information: Official Journal of the European Union Website; CJEU Website


04/19/2023 – European Data Protection Board | Report | 101 NOYB Data Transfer Complaints

The European Data Protection Board (“EDPB”) published a report of the work undertaken by the supervisory authorities within the 101 Task Force.

The report sets out the common positions agreed by the supervisory authorities taking part in the task force with a view to handling the “101 complaints” received from NOYB in the aftermath of the Schrems II ruling. Notably, several supervisory authorities have ordered website operators to comply with the requirements of Chapter V of the GDPR, and if necessary, to stop the transfer at stake.

For further information: EDPB Website


04/17/2023 – European Data Protection Board | Guidelines | Right of Access

The European Data Protection Board (“EDPB”) published a final version of the guidelines 01/2022 on data subjects’ right of access, following a public consultation.

For further information: EDPB Website


04/17/2023 – European Data Protection Board | Guidelines | Lead Supervisory Authority

The European Data Protection Board (“EDPB”) published a final version of the guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority.

For further information: EDPB Website


04/13/2023 – European Data Protection Board | Guidance | Data Subject Rights

The European Data Protection Board (“EDPB”) published a guide for exercising data subjects’ rights, compiled by the Schengen Information System (“SIS”) II Supervision Coordination Group.

For further information: EDPB Website


04/04/2023 – European Data Protection Board | Guidelines | Personal Data Breach Notification

The European Data Protection Board released a new version of its guidelines 9/2022 on personal data breach notification under the GDPR.

For further information: EDPB Website


04/04/2023 – European Commission | Statement | Japan-EU Mutual Adequacy Arrangement

The European Commission released a joint press statement on the successful conclusion of the first review of the Japan-EU mutual adequacy arrangement.

In 2019, the EU and Japan recognized each other’s data protection systems as “equivalent”, thereby allowing personal data to flow freely between them. This arrangement created the world’s largest area of free and safe data flows.

For further information: European Commission Website


Austria

05/10/2023 – Austrian Supervisory Authority | Sanction | GDPR Violations

The Austrian Supervisory Authority issued a sanction against an American facial recognition company for multiple breaches of the GDPR, but did not issue a fine.

The facial recognition company reportedly owns a database including over 30 billion facial images from all over the world, which are extracted from public web sources. The complainant found out that his image data was processed by the company and lodged a complaint. In particular, the Austrian Supervisory Authority found that the processing carried out by the company serves a completely different purpose from the original publication of the complainant’s personal data (especially photographs).

For further information: EDPB Website


Belgium

05/24/2023 – Belgian Supervisory Authority | Press Release | Personal Data Transfers

The Belgian Supervisory Authority announced the prohibition of transfers of personal data of Belgian “Accidental Americans” by the Belgian Federal Public Service Finance to the US tax authorities under the intergovernmental Foreign Account Tax Compliance Act (“FATCA”) agreement.

The Litigation Chamber of the Belgian Supervisory Authority held that the generalized and undifferentiated transfer of tax data provided under FATCA breaches the principle of purpose limitation (FATCA does not contain exact objectives for the transfer of data), as well as the principles of proportionality and data minimization of the GDPR.

For further information: ADP Website


05/22/2023 – Belgian Supervisory Authority | Announcement | 2022 Annual Activity Report

The Belgian Supervisory Authority announced the publication of its 2022 annual activity report.

In particular, the report highlights that, in 2022 the Authority received 604 complaints and the main topics of the complaints and requests for mediation in 2022 were direct marketing as well as photos and cameras. The Dispute Chamber of the Authority issued 189 decisions in 2022, including fines totaling €738,900. As for data breaches, the Authority opened 1426 data leak files.

For further information: ADP Website [FR]


Denmark

07/13/2023 – Danish Supervisory Authority | Guidance | Right to erasure

The Danish Supervisory Authority expanded its guidance on what applies when an individual wants to have a search result related to him/her deleted from a search engine (e.g. Google and Bing).

For further information: Datatilsynet Website [DK]


06/27/2023 – Danish Supervisory Authority | Guidance | Video Surveillance

The Danish Supervisory Authority published new guidance on video surveillance used by companies.

For further information: Datatilsynet Website [DK]


03/29/2023 – Danish Supervisory Authority | Guidance | Employment Relationships

The Danish Supervisory Authority published updated guidance on data protection in employment relationships.

For further information: Datatilsynet Website [DK]


Finland

08/08/2023 – Finnish Supervisory Authority | Press Release | Data transfers

The Finnish Supervisory Authority announced that it has issued an order to an international platform which provides taxi services to suspend its data transfers from Finland to Russia temporarily and to cease the processing of the personal data.

The Authority considers that this order is necessary because a legislative reform that will enter into force in Russia will significantly weaken the protection of customers’ personal data when using the platform. For instance, the Russian intelligence service will have the right to receive data processed in taxi operations.

For further information: Ombudsman Website


France

06/22/2023 – French Supervisory Authority | Sanction | GDPR Violations

The French Supervisory Authority published a decision, issued on 15 June 2023, imposing a €40 million fine on an advertising company for several GDPR violations.

The company specializes in “behavioral retargeting”, which consists of tracking the navigation of Internet users in order to display personalized advertisements. In particular, the Authority considered that the advertising company had failed to demonstrate that the data subjects gave their consent.

For further information: CNIL Website


06/15/2023 – French Supervisory Authority | Sanction | GDPR Violations

The French Supervisory Authority published a decision issued on 8 June 2023, imposing a €150,000 fine on a company which provides clairvoyance consultation through its website (by chat or telephone), for failing to comply with its obligations under the GDPR and the French Data Protection Act.

In particular, the Authority found that the company collected excessive data, as well as sensitive data without prior and explicit consent, and did not sufficiently ensure the security of the data.

For further information: CNIL Website


05/26/2023 – French Supervisory Authority | Decision | Consent

The French Supervisory Authority published a decision issued on 11 May 2023, in which it closed the injunction issued on a technology company.

On 19 December 2022, the company was fined 60 million euros by the Authority, which also required the company, within three months, to allow users of its search engine located in France to give their consent to the use of trackers to combat advertising fraud, as soon as they arrived on the website. The company responded within the timeframe and made technical modifications so that tracking linked to the fight against advertising fraud would be inactive in the absence of specific consent from French users.

For further information: CNIL Website


05/17/2023 – French Supervisory Authority | Sanction | Health Data and Cookies

The French Supervisory Authority published a decision issued on 11 May 2023, imposing a €380,000 fine on a health and well-being website for several breaches of the GDPR and of the French Data Protection Act.

Following a complaint by an association, the Authority carried out investigations into the company. The Authority identified several infringements, namely a failure to store data for no longer than necessary, failure to obtain consent from individuals to collect their health data, failure to provide a formal legal framework for the processing operations carried out jointly with another data controller, failure to ensure the security of personal data and a failure to comply with obligations related to the use of cookies.

For further information: CNIL Website


05/16/2023 – French Supervisory Authority | Action Plan | Artificial Intelligence

The French Supervisory Authority published its action plan for the deployment of AI systems that respect individuals’ privacy.

In 2023, the Authority will extend its action on augmented cameras and wishes to expand its work to generative AIs, large language models and derived applications (especially chatbots). Its action plan is structured around four strands: (i) understand the functioning of AI systems and their impact on people, (ii) enable and guide the development of privacy-friendly AI, (iii) federate and support innovative players in the AI ecosystem in France and Europe, and (iv) audit and control AI systems and protect people. This work will also help prepare for the entry into application of the draft European AI Regulation currently under discussion.

For further information: CNIL Website


05/10/2023 – French Supervisory Authority | Sanction | Compliance

The French Supervisory Authority published a decision issued on 17 April 2023, imposing a €5,2 million fine on a facial recognition company, for failing to comply with the injunction issued in its October 2022 sanction decision.

The Authority had fined the company €20 million and enjoined the company to refrain from collecting and processing the data of individuals in France without a legal basis, and to delete the data of these individuals after responding to requests for access. The injunction was accompanied by a penalty of 100,000 euros per day of delay at the end of the two-month period. The Authority considered that the company had not complied with the order and imposed an overdue penalty payment.

For further information: CNIL Website [FR]


05/09/2023 – French Supervisory Authority | Publication | Data Protection Officers

The French Supervisory Authority announced that as part of a coordinated enforcement framework at the European level, it is conducting audits on public and private organizations to verify the role and means entrusted to their Data Protection Officer (“DPO”).

For its assessment, the Authority sent a dozen surveys in April to public institutions, local authorities and private companies, particularly in the luxury and transport sectors. The answers provided by the organizations will be analyzed in coordination with the Authority’s European counterparts. Depending on the results of these initial checks, on-site inspections may be carried out to complete the findings.

For further information: CNIL Website [FR]


04/03/2023 – French Supervisory Authority | Guidelines | Security of Personal Data

The French Supervisory Authority published updated guidelines relating to personal data security.

These guidelines aim to support actors dealing with personal data by reminding them of the basic precautions to be taken. The updated guidelines take into account the latest recommendations of the Authority regarding passwords and login.

For further information: CNIL Website [FR]


03/21/2023 – French Supervisory Authority | Publication | Connected Vehicles

The French Supervisory Authority announced the creation of a “compliance club” dedicated to players in the connected vehicle and mobility sectors, as part of its industry support initiative.

This privileged forum for dialogue will enable regular exchanges on issues affecting the daily lives of French individuals, and encourage innovation that respects their privacy.

For further information: CNIL Website [FR]


Germany

08/17/2023 – German Federal Ministry of the Interior and Community | Regulation | Federal Data Protection Act

The German Federal Ministry of the Interior and Community is working on an amendment to the Federal Data Protection Act. The Ministry’s current legislative draft has become public following a request under Germany’s Freedom of Information Act (“IFG”).

The draft is still at a very early stage and aims at institutionalizing the German Data Protection Conference (“Datenschutzkonferenz” / DSK), a body consisting of representatives from each of the German data protection authorities. Additionally, the proposed provisions include various changes, e.g. simplifications in terms of determining which authority is competent.

For further information: FragDenStaat [DE]


08/02/2023 – Berlin Supervisory Authority | Sanction | Data Protection

The Berlin Supervisory Authority announced that it imposed a €215,000 fine on a company for illegally documenting a list of information, including sensitive data, about employees on probationary period.

The authority found that in order to determine whether to continue employment of the data subjects, the company was processing health and non-company related justifications that would conflict with flexible shift scheduling.

For further information: BlnBDI [DE]


06/06/2023 – German Federal Labour Court | Decision | Data Protection Officers

The German Federal Labour Court has ruled that a chairman of the works council usually cannot serve as a data protection officer at the same time. The German Federal Labour Court argues that these positions would typically lead to a conflict of interest.

For further information: German Federal Labour Court Press Release [DE]


06/02/2023 – German Parliament | Regulation | Whistleblowing Directive

The Law to improve the protection of whistleblowers and to implement the directive on the protection of persons who report violations of Union law transposing the Whistleblowing Directive was published in the Federal Gazette.

For further information: Official Gazette [DE]


05/31/2023 – Berlin Supervisory Authority | Sanction | GDPR Violations

The Berlin Supervisory Authority announced issuing a fine of €300,000 on a bank for lack of transparency regarding an automated individual decision.

In particular, the complainant informed the Authority that the bank’s algorithm rejected its application for a credit card without providing any specific justification, preventing the complainant from challenging the automated decision.

For further information: BlnBDI Website [DE]


04/19/2023 – Schleswig-Holstein Supervisory Authority | Questionnaire | Artificial Intelligence Chatbot

The Schleswig-Holstein Supervisory Authority published the questionnaire that was sent by German Supervisory Authorities to an AI chatbot company in relation to its data processing.

For further information: UDL Website [DE]


04/14/2023 – Federal Office for Information Security | Guide | Security and Artificial Intelligence

The Federal Office for Information Security (“BSI”) published a Practical AI-Security guide.

The guide gives a brief and clear presentation of the current state of research on attacks against AI, and also presents developers with possible defenses against those attacks.

For further information: BSI Website [DE]


Ireland

08/21/2023 – Irish Supervisory Authority | Sanction | Data minimization

The Irish Supervisory Authority published a decision imposing a reprimand and corrective measures on an online platform providing intermediation service, for infringing the principle of data minimization.

In particular, the Authority found that the platform’s retention of a copy of the complainant’s identity documentation following the successful completion of the identity verification process infringed the principles of data minimization.

For further information: DPC website


04/28/2023 – Irish Supervisory Authority | Guidance | Data Protection in the Workplace

The Irish Supervisory Authority announced the publication of guidance for employers, regarding data protection in the workplace.

This new guidance is specifically aimed at assisting employers as data controllers regarding their data processing obligations and duties when processing the personal data of their employees, former employees and prospective employees.

For further information: DPC website


04/19/2023 – Irish Supervisory Authority | Guidance | Records of Processing Activities

The Irish Supervisory Authority announced the publication of guidance on records of processing activities.

For further information: DPC website


Italy

07/06/2023 – Italian Supervisory Authority | Annual Report

The Italian Supervisory Authority published its annual report for the year 2022.

The report outlines the need for ensuring the protection of data subjects’ rights and freedoms against the risks resulting from large-scale processing activities based on AI tools, as well as actions of the Authority in this regard.

For further information: Garante Website [IT]


06/22/2023 – Italian Supervisory Authority | Sanction | GDPR violation

The Italian Supervisory Authority announced that a concessionaire for the construction and management of toll motorways was fined €1 million for violating the GDPR.

In this ruling, the Authority considered that the concessionaire violated the principles of correctness and transparency, given the failure to provide adequate information in relation to the processing, as well as the misclassification of the GDPR status.

For further information: Garante Website [IT]


06/09/2023 – Italian Supervisory Authority | Sanction | GDPR Violations

The Italian Supervisory Authority published a decision issued on 14 April 2023, in which it imposed a fine of €676,956 on an energy provider company for data protection failures with regard to promotional calls.

The Authority outlined that, by virtue of the principle of accountability and privacy by design, the data controller should prepare suitable measures to guarantee, at any time and, even more so, at the request of the Authority, the traceability of all operations carried out.

For further information: Garante Website [IT]


04/20/2023 – Italian Supervisory Authority | Press Release | Dark Patterns

The Italian Supervisory Authority published information on deceptive design patterns that can influence online browsing behavior and hinder data protection.

The Authority launched an information page which is part of a large information and awareness project on data protection, digital education and safety, for a conscious use of the Internet and new technologies.

For further information: Garante Website [IT]


04/14/2023 – Italian Supervisory Authority | Sanction | Unlawful Telemarketing Activities

The Italian Supervisory Authority issued a decision on 13 April 2023 imposing a €7,631,175 fine on a telecommunications company, for multiple GDPR violations.

In particular, the Authority found that the company had failed to reply to data subject access requests, lacked valid documentation demonstrating consent to the company’s commercial communications, failed to act on a data breach and remained inactive over time.

For further information: Garante Website [IT]


Netherlands

05/17/2023 – Dutch Supervisory Authority | Annual Plan 2023

The Dutch Supervisory Authority published its annual plan for the year 2023.

In 2023, the Authority will pay particular attention to (i) algorithms & AI, (ii) big tech, and (iii) freedom & security.

For further information: AP Website [NL]


04/13/2023 – Dutch Supervisory Authority | Sanction | Inadequate Identity Checks

The Dutch Supervisory Authority announced imposing a fine of €150,000 on the organization which implements national insurance schemes in the Netherlands, for failing to adequately confirm the identity of callers to its telephone helpdesk and disclosing personal data to unauthorized individuals.

The organization has now taken measures to address the matter.

For further information: AP Website [NL]


Norway

07/27/2023 – Norwegian Supervisory Authority | Advice | Analytics and Tracking

The Norwegian Supervisory Authority published advice on the use of website analytics and tracking.

As analytics and tracking tools on the market are not all legal, the Authority provides guidance to websites (e.g., regarding cookie banner requirements, the use of consent as a legal basis, data transfers).

For further information: Datatilsynet Website [NO]


Portugal

04/20/2023 – Portuguese Supervisory Authority | Press Release | Security Incidents

The Portuguese Supervisory Authority published an overview of the security incidents in Portugal for the year 2022.

In 2022, 37 security incidents were reported to the Authority by electronic communications network and service companies and impacted approximately 6,4 million subscribers.

For further information: ANACOM Website [PT]


Spain

08/22/2023 – Council of Ministers | Authority Appointment | Artificial Intelligence

The Council of Ministers has approved the statute of the Spanish Agency for the Supervision of Artificial Intelligence (AESIA).

With the creation of the AESIA, Spain becomes the first European country to have such an entity and anticipates the entry into force of the European Artificial Intelligence Act.

For further information: Government Website [ES]


08/21/2023 – Spanish Supervisory Authority | Sanction | Sub-processing

The Spanish Supervisory Authority published a decision imposing a €120,000 fine (reduced to €72,000) against a transport company for unlawful sub-processing.

The Authority found that it was clear that the subcontracting did not comply with the provisions of the GDPR due to the lack of formalization of contracts or legal acts, as well as the lack of authorizations prior to their formalization.

For further information: AEPD Website [ES]


07/28/2023 – Spanish Supervisory Authority | Sanction | Security

The Authority issued a €2,5 million fine against a bank for failing to implement appropriate security measures.

In particular, the Authority considered that the technical and organizational measures implemented by the bank did not guarantee a level of security appropriate to the risk, due to the nature of the personal data processed, which deserve special protection in terms of their confidentiality and integrity.

For further information: AEPD Website [ES]


07/11/2023 – Spanish Supervisory Authority | Guidance | Cookies

The Spanish Supervisory Authority released an updated cookie guide taking into account the EDPB guidelines on deceptive design patterns.

For further information: AEPD Website [ES]


05/09/2023 – Spanish Supervisory Authority | Guidelines | Encryption

The Spanish Supervisory Authority published guidelines for the validation of cryptographic systems in data protection processing.

For further information: AEPD Website [ES]


Sweden

06/27/2023 – Swedish Supervisory Authority | Press Release | Profiling

The Swedish Supervisory Authority published its decision, issued on 26 June 2023, imposing a fine of SEK 13 million (approx. €1,09 million) on a publishing company, for profiling its customers and web visitors without consent.

For further information: IMY Website


06/12/2023 – Swedish Supervisory Authority | Sanction | GDPR Violations

The Swedish Supervisory Authority issued a decision imposing a SEK 58 million (approx. €4,9 million) fine on a company providing an audio streaming service for shortcomings regarding the right of access.

The Authority considered that the company does not provide information about how it uses the personal data it processes upon a request of access of individuals and specifies that this information must be easy to understand. In addition, personal data that is difficult to understand, such as those of a technical nature, may need to be explained not only in English but in the individual’s own, native language. The Authority has further found that the company had failed in its handling of requests for access related to two out of three of the complaints examined.

For further information: NOYB Website


Switzerland

05/11/2023 – Swiss Supervisory Authority | Press Release | Revised Federal Act on Data Protection | Website Update

The Swiss Supervisory Authority updated the content of its website in anticipation of the new Data Protection Act coming into force on 1 September 2023. At the same time, it is launching the “DataBreach Portal” for reporting security vulnerabilities.

For further information: FDPIC Website


United Kingdom

08/30/2023 – UK Supervisory Authority | Guidance | Email Communications

The UK Supervisory Authority published new guidance for organisations sending bulk communications by email.

For further information: ICO Website


08/24/2023 – UK Supervisory Authority | Guidance | Data Scraping

The UK Supervisory Authority released a joint statement on data scraping and the protection of privacy with agencies from Australia, Canada, Hong Kong, Switzerland, Norway, New Zealand, Colombia, Jersey, Morocco, Argentina and Mexico.

The statement calls for the protection of people’s personal data from unlawful data scraping taking place on social media sites. It also sets expectations for how social media companies should protect people’s data from unlawful data scraping.

For further information: ICO Website


08/18/2023 – UK Supervisory Authority | Guidance | Biometric Data

The UK Supervisory Authority published draft guidance on biometric data and biometric technologies, which is open for public consultation until 20 October 2023.

For further information: ICO Website


07/17/2023 – UK Supervisory Authority | Blog | Unlawful Marketing

The UK Supervisory Authority released a blog post on its ongoing work to tackle unlawful marketing calls and messages.

The UK Supervisory Authority has issued more than £2,4 million in fines (approx. €2,8 million) since April 2022, through the enforcement of the UK Privacy and Electronic Communications Regulations 2003, against companies responsible for nuisance calls, texts and emails.

For further information: ICO Website


07/06/2023 – National Cyber Security Centre | Report | Risk Management

The National Cyber Security Centre announced the release of its sixth annual report providing a retrospective summary of the work carried out as part of the Active Cyber Defense program.

For further information: NCSC Website


06/19/2023 – UK Supervisory Authority | Guidance | Privacy-Enhancing Technologies

The UK Supervisory Authority issued guidance which discusses privacy-enhancing technologies (“PETs”).

As a reminder, PETs are technologies that embody fundamental data protection principles by (i) minimizing personal data use, (ii) maximizing information security, or (iii) empowering people.

For further information: ICO Website


06/08/2023 – UK Supervisory Authority | Sanction | Unlawful Marketing Calls

The UK Supervisory Authority announced it fined two energy companies a total of £250,000 (approx. €291,577) for bombarding people and businesses on the UK’s “do not call” register with unlawful marketing calls.

The UK Supervisory Authority also issued an enforcement notice to both companies to stop calling people and businesses on the UK’s “do not call” register, or who had previously objected to such calls.

For further information: ICO Website


06/08/2023 – UK Government | Press Release | UK-US Data Transfers

The UK and US have reached a commitment to establish the UK Extension to the Data Privacy Framework, that will create a “data bridge” between the two countries.

US companies that are approved to join the framework would be able to receive UK personal data under the new data bridge.

For further information: UK Government Website


05/30/2023 – UK Supervisory Authority | Guidance | Children Data

The UK Supervisory Authority announced that it updated its guidance on edtech and the Children’s code to clarify when an edtech service may be in the scope of the Children’s code.

For further information: ICO Website


05/24/2023 – UK Supervisory Authority | Guidance | Access Requests and Employers

The UK Supervisory Authority published new guidance for businesses and employers on responding to data subject access requests (“SARs”).

For further information: ICO Website


05/19/2023 – UK High Court of Justice | Decision | Loss Of Control Over Personal Data

The High Court struck out a class action claim for damages in relation to loss of control over personal data against a technology company and its AI company, and ordered summary judgment in their favor.

For further information: Royal Courts of Justice Website


04/14/2023 – UK Supervisory Authority | Sanction | Consent

The UK Supervisory Authority announced imposing a £130,000 (approximately €150,000) fine against a job search website provider for sending 107 million spam emails targeting jobseekers.

The UK Supervisory Authority established in its decision that the company had not obtained valid consent to send direct marketing in accordance with the UK Privacy and Electronic Communications Regulations 2003.

For further information: ICO Website


04/13/2023 – National Cyber Security Centre | Guidance | Security by Design and by Default

On 13 April 2023, the National Cyber Security Centre (“NCSC”) as well as agencies from the US, Australia, Canada, Germany, the Netherlands and New Zealand issued a new joint guide on security by design and by default.

In particular, the guide encourages software manufacturers to embed secure-by-design and by-default principles into their products to help keep customers safe.

For further information: NCSC Website


This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2023 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

European Data Privacy Newsletter

Europe

12/14/2023

Court of Justice of the European Union | Decision | Misuse of personal data

The Court of Justice of the European Union ruled that the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage.

In this case, the Bulgarian Supreme Administrative Court requested clarification of the conditions for awarding compensation for non-material damage relied on by a data subject whose personal data, held by a public agency, were published on the internet following an attack from cybercriminals. The Court emphasized that the mere occurrence of unauthorized disclosure or access to personal data does not automatically imply that the protective measures implemented by the controller were not appropriate; they must be assessed in a concrete manner.

For more information: CJEU Website


12/07/2023

Court of Justice of the European Union | Decision | Automated Individual Decision

The Court of Justice of the European Union issued a significant ruling in cases involving a private credit information agency declaring that “scoring” qualifies as “automated individual decision-making” and is, in principle, prohibited by Article 22 of the GDPR.

While ‘scoring’ is permitted only under certain conditions, the prolonged retention of information relating to the granting of a discharge from remaining debts is contrary to the GDPR. The court emphasized the primacy of data subjects’ rights and interests, asserting their right to prompt deletion when their personal data have been unlawfully processed, i.e. beyond the retention period.

For more information: CJEU Website


12/05/2023

Court of Justice of the European Union | Decision | Calculation of Fines

The Court of Justice of the European Union disclosed two rulings in which it shared an interpretation of the GDPR concerning the assessment and computation of penalties for breaches.

The CJEU clarifies the conditions under which national supervisory authorities may impose an administrative fine on one or more controllers for an infringement of the GDPR. In particular, it holds that the imposition of such a fine requires wrongful conduct; in other words, that the infringement has been committed intentionally or negligently. Moreover, where the addressee of the fine forms part of a group of companies, the calculation of that fine must be based on the turnover of the entire group.

For more information: CJEU Website


11/27/2023

European Commission | Data Act

The European Regulation 2023/2854, often referred to as the “Data Act”, was adopted on 27 November 2023 and entered into force on 11 January 2024.

For more information: Council of the European Union Website


11/16/2023

European Court of Justice | Decision | Indirect exercise of rights

On November 16, 2023, the European Court of Justice ruled that a supervisory authority’s decisions in the context of the indirect exercise of the data subject’s rights are legally binding.

As a result, an appeal against the decision is possible, and the authority must provide sufficient information to the data subject to allow him/her to decide whether or not to appeal.

For more information: ECJ Decision


11/16/2023

European Data Protection Board | Guidelines | Tracking technologies

The European Data Protection Board published its guidelines on the application of article 5(3) of the e-Privacy Directive on new tracking technologies.

The guidelines aim to clarify how the e-Privacy Directive applies to innovative technologies. The EDPB is open to comments until January 18, 2024.

For more information: EDPB Guidelines


10/28/2023

European Commission and Japan | Agreement | Cross Border Data flows

On October 28, 2023, the European Commission reached an agreement with Japan concerning cross-border data flows.

This agreement aims to facilitate efficient data handling between both parties, eliminating burdensome administrative and storage requirements. Notably, the agreement removes the requirement for companies to physically store their data locally. Once ratified, the provisions of this agreement will be incorporated into the EU-Japan Economic Partnership Agreement.

For more information: European Commission Website


10/26/2023

Confederation of European Data Protection Organizations | Paper | Generative AI

The Confederation of European Data Protection Organizations released a paper addressing the data protection implications of Generative AI.

Key issues covered include data-sharing risks, accuracy of personal data, conducting DPIAs on generative AI tools, implementing data protection by design, selecting a lawful basis for training generative AI systems, optimizing organizational structures, applying privacy-enhancing techniques and handling data subject rights within this technological context.

For more information: CEDPO Website


10/26/2023

Court of Justice of the European Union | Decision | CJEU rules on Art. 15 GDPR (right to access)

The CJEU has clarified the rights of data subjects. The court ruled that the controller may only charge a fee for providing a copy under Art. 15 (3) GDPR where the data subject has already obtained a free copy before.

Furthermore, the data subject must receive a full copy of his/her personal data, where the provision of such a copy is essential in order to enable the data subject to verify how accurate and exhaustive those data are, as well as to ensure they are intelligible.

For more information: CJEU Website


10/17/2023

European Data Protection Board | Announcement | EDPB to launch coordinated enforcement action regarding Art. 15 GDPR

The EDPB selected the topic for its third coordinated enforcement action and announced that it will be launched in 2024. The action will concern the implementation of the right of access by controllers.

For more information: EDPB Website


10/12/2023

Court of Justice of the European Union | Press Release | Data Privacy Framework

The Court of Justice of the European Union (“CJEU”) dismissed a French citizen’s request to suspend the execution of the EU-US Data Privacy Framework’s adequacy decision.

The CJEU considered that the French citizen failed to demonstrate the necessary prerequisites for such a request, as he was unable to prove that he would experience significant harm if the execution of the adequacy decision was not suspended.

For more information: CJEU Website


10/05/2023

European Commission | Press Release | Contractual Clauses For AI

The Commission announced the finalization of the EU model contractual AI clauses to use in procurements of AI.

The clauses are developed for pilot use in the procurement of AI with the aim to establish responsibilities for trustworthy, transparent, and accountable development of AI technologies between the supplier and the public organization. The EU model contractual AI clauses contain provisions specific to AI systems and on matters covered by the proposed AI Act, thus excluding other obligations or requirements that may arise under relevant applicable legislation such as the GDPR.

For more information: European Commission Website


09/28/2023

European Data Protection Supervisor | Blog | Data Protection & Cybersecurity

The European Data Protection Supervisor published a blog post on the interplay between data protection and cybersecurity.

The post highlights the need to take data protection into account in cybersecurity strategies, advocating collaboration between data protection officers and IT security departments. Additionally, it discusses the dual role of artificial intelligence in cybersecurity, noting its potential to enhance current cybersecurity solutions and how it also allows, for instance, the production of (fake) pictures, videos, photos, texts, and more, which cybercriminals can exploit to steal someone’s identity as part of social engineering attacks.

For more information: EDPS Website


09/25/2023

European Commission | Data Governance Act

The European Regulation 2022/868, often referred to as the “Data Governance Act”, entered into force on 24 September 2023.

As a reminder, the regulation seeks to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data, notably with public actors.

For more information: European Commission Website


Denmark

12/07/2023

Danish Supervisory Authority | Guide | Access Rights

The Danish Supervisory Authority released guidance on access rights management, emphasizing that it is a collective responsibility within organizations.

The guide highlights that all employees, regardless of their IT security role, share the responsibility of being aware of and respecting their access rights.

For further information: Datatilsynet Website [DA]


11/28/2023

Danish Supervisory Authority | Measures | Data Security

The Danish Supervisory Authority released a catalog outlining technical and organizational measures essential for ensuring security in compliance with Articles 5 and 32 of the GDPR.

The catalog suggests technical measures such as automatic encryption, multi-factor authentication, automatic access control, logging of users’ personal data use, and physical access control. On the organizational front, recommendations include measures such as minimizing privileged access rights, implementing role-based access rights, documenting data access authorizations, and establishing withdrawal procedures.

For further information: Datatilsynet Website [DA]


09/28/2023

Danish Supervisory Authority | Sanction | GDPR Violations

The Danish Supervisory Authority issued a DKK 1 million (approx. €134,000) fine against a hotel group for failure to delete personal data.

For more information: Datatilsynet Website [DK]


Finland

11/08/2023

Finnish Supervisory Authority | Guidance | Security Breach Notification

The Finnish Supervisory Authority published guidance on filing a data breach notification.

The guidance concerns risk assessment, which should take into account the consequences of the data breach from the point of view of the data subject, communication to the data subject, and completion of the notification to the supervisory authority and compliance with deadlines.

For further information: Ombudsman Website [FI]


France

12/12/2023

French Competition Authority | Joint Declaration | Cooperation in data protection and competition

The French Competition Authority and the French Supervisory Authority signed a joint declaration to enhance cooperation in the areas of data protection and competition.

For more information: CNIL Website [FR]


11/24/2023

French Supervisory Authority | Recommendation | API Data Sharing

The French Supervisory Authority issued a recommendation regarding the use of application programming interfaces (“APIs”) for data sharing.

The recommendation outlines three specific roles involved in the usage of APIs: the data holder, the API manager, and the data re-user. The recommendation also highlights the importance of evaluating the risks associated with APIs, considering factors like the type of database access, the security levels of authentication methods, and the categories of data involved, including sensitive data.

For more information: CNIL Website [FR]


11/15/2023

French Supervisory Authority | Referential | Health Data conservation duration

The French Supervisory Authority published a referential and guidance note on retention periods for health data.

For more information: CNIL Website [FR]


11/07/2023

French Supervisory Authority | Sanction | Simplified Procedure

The French Supervisory Authority (“CNIL”) issued ten new decisions under its new simplified sanction procedure, introduced in 2022.

Private and public-sector players were fined a total amount of €97,000 for various violations, including failure to respond to CNIL requests, non-compliance with the principle of data minimization (geolocation and continuous video surveillance of employees), lack of information on the processing carried out and its purposes, and failure to respect individuals’ rights (in particular to respond to a request for objection).

For more information: CNIL Website


10/13/2023

French National Assembly | Clarifying Bill | GDPR Scope

The French National Assembly adopted an amendment to complete the French Data Protection Law in order to clarify the scope of the GDPR and ensure that certain practices are covered by French and European obligations in terms of personal data protection.

The French Supervisory Authority identified a legal gap in the data protection legislation which allows the trading of personal data by entities not established in the EU without the knowledge of individuals. The amendment seeks to supplement French law, ensuring that the GDPR applies effectively.

For more information: French National Assembly Website [FR]


10/11/2023

French Supervisory Authority | Publication | Databases Trainings For AI

The French Supervisory Authority opened to public consultation its first set of guidelines on the use of artificial intelligence (AI), regarding the development of learning databases for AI systems.

For more information: CNIL Website [FR]


09/28/2023

French Supervisory Authority | Sanction | GDPR Violations

The French Supervisory Authority (“CNIL”) issued a €200,000 fine against an air freight company.

During the investigation, the CNIL observed infringements regarding, in particular, excessive data collection, non-compliance with the ban on processing sensitive data and data relating to offences, and a lack of cooperation with the CNIL services.

For more information: CNIL Website


Germany

11/29/2023

German Supervisory Authority | Opinion | EU AI ACT

The German Supervisory Authority released its stance on the EU AI Act, emphasizing the need for a comprehensive allocation of responsibilities throughout the entire artificial intelligence value chain.

The Authority asserted that the EU AI Act should clearly outline the requirements for all parties involved, including manufacturers and providers of basic AI models. Critically, it argued against a unilateral transfer of legal responsibility to the later stages of the value chain, deeming such a shift as economically unsound and detrimental to data protection. The Authority contended that a balanced distribution of responsibilities is essential to safeguard the fundamental rights of individuals whose data undergoes processing by AI systems.

For more information: DSK Website [DE]


11/02/2023

Hamburg Commissioner for Data Protection and Freedom of Information | Press Release | Behavioral Advertising

The Hamburg Commissioner for Data Protection and Freedom of Information (“HmbBfDI”) issued a press release addressing a social media platform’s new business model in light of the European Data Protection Board’s (“EDPB”) binding decision on behavioral advertising.

Following the EDPB’s binding decision, the social media platform has provided a new option where users can choose between a free version that still includes behavioral advertising, and a paid version without this type of marketing. Referring to the Resolution of the Data Protection Conference (“DSK”) on subscription models, the Hamburg Commissioner for Data Protection and Freedom of Information noted that the social media platform’s payment model will have to fulfill requirements like granularity in consent, transparency, and the avoidance of misleading design tools. The German Supervisory Authority raised various problems and is now expecting a legal assessment by the lead authority in Ireland.

For more information: HmbBfDI Website [DE]


10/05/2023

German Competition Authority | Press Release | Competition

The German Competition Authority (“Bundeskartellamt”) obtained commitments from an American technology services company to grant users better control of their data.

The Bundeskartellamt conducted a proceeding based on the new instrument under competition law which allows it to intervene when competition is threatened by large digital companies. In the future, the company will have to provide its users with the possibility to give free, specific, informed and unambiguous consent to the processing of their data across services. For this purpose, the company has to offer corresponding choice options for the combination of data. The choice options must be designed so as not to guide users manipulatively towards cross-service data processing, to avoid “dark patterns”. Such an obligation will already result from the Digital Markets Act (“DMA”) for certain company services which have recently been designated by the European Commission and thus are not covered by the commitments.

For more information: Bundeskartellamt Website


09/26/2023

German Federal Court of Justice | Decision | submits questions to CJEU regarding injunctive relief under the GDPR as well as regarding Art. 82 GDPR

The German Federal Court of Justice (“Bundesgerichtshof”) asked the CJEU under Art. 267 TFEU to provide a preliminary ruling as to whether Art. 17 (right to erasure) or Art. 18 (right to restriction of processing) of the GDPR also provide for a data subject’s right to request from a controller to refrain from any future illegitimate processing of personal data (injunctive relief).

Furthermore, the court asked the CJEU to clarify whether mere negative feelings such as anger, resentment, dissatisfaction, worry and fear, which, in the German court’s view, may be “part of the general risk of life and everyday experience” could constitute an immaterial damage within the meaning of Art. 82 GDPR.

For more information: Bundesgerichtshof Website [DE]


09/19/2023

Hamburg Commissioner for Data Protection and Freedom of Information | Press Release | Data Breach Notification

The Hamburg Commissioner for Data Protection and Freedom of Information (“HmbBfDI”) published guidance on handling data breach notifications.

The guidance concerns, for instance, the cases that should be notified, the deadline that applies, and the form to use to notify the German Supervisory Authority.

For more information: HmbBfDI Website [DE]


09/04/2023

Supervisory Authorities | Information Note | Data Protection Framework

The German Data Protection Conference (“DSK”) published an information note to explain the background and content of the EU-U.S. Data Protection Framework.

The note is aimed at both data controllers and processors in Germany who transfer personal data to the U.S. and data subjects. In particular, the note highlights the scope and application of the new framework, the use of alternative instruments for transfers to the U.S., and the scope and enforcement of data subjects’ rights vis-à-vis entities in the U.S.

For more information: DSK Announcement [DE]


Ireland

09/28/2023

Irish Council for Civil Liberties | Statement | Irish Data Protection Commission

The Irish Council for Civil Liberties urged the Government to guarantee no appearance of conflict of interest in the selection of new leaders of the Irish Supervisory Authority.

For more information: ICCL Website


09/11/2023

Irish Supervisory Authority | Press Release | Unlawful Marketing

The Irish Supervisory Authority welcomed the outcome of the prosecution proceedings that were taken against several companies in Ireland for sending unsolicited marketing communications without obtaining consent.

For more information: Irish Supervisory Authority Website


Italy

12/12/2023

Italian Supervisory Authority | Guidelines | Password Storage

The Italian national security agency and the Italian Supervisory Authority jointly released guidelines addressing the technical measures to be adopted for password storage.

The primary goal of the guidelines is to offer recommendations for implementing the most secure technical functions for password storage, with a focus on preventing unauthorized access by cybercriminals. The guidelines outline various techniques and minimum parameters, emphasizing the improvement of password hashing techniques and the utilization of diverse algorithms as key measures to enhance password security. The overarching aim is to bolster the protection of sensitive data and mitigate the risk of unauthorized access.

For more information: Garante Website [IT]


11/22/2023

Italian Supervisory Authority | Investigation | Web scraping

The Italian Supervisory Authority announced the commencement of an investigation into public and private websites.

The aim is to assess the implementation of adequate security measures to prevent the web scraping of personal data for the training of artificial intelligence algorithms by third parties. The investigation targets all entities, acting as controllers, based in Italy or providing services in Italy, that publicly expose personal data online.

For more information: Garante Website [IT]


10/23/2023

Italian Supervisory Authority | Sanction | Inaccurate Personal Data

The Italian Supervisory Authority imposed a €10 million fine on an energy company for the activation of unsolicited contracts with inaccurate and outdated data.

The Authority also ordered corrective actions, such as implementing a contract accuracy verification system, alert systems to identify improper data acquisition, and enhancing audit procedures against sales agencies.

For further information: Garante Website [IT]


Norway

09/29/2023

Norwegian Privacy Appeals Board | Decision | Sensitive Data

The Norwegian Privacy Appeals Board confirmed the decision of the Norwegian Supervisory Authority from December 2021 to issue a NOK 65 million (approx. €5.5 million) fine against a dating application.

The Authority found that the dating application disclosed its users’ personal data such as GPS location, IP address, mobile phone’s advertising ID, age and gender – in addition to the fact that they were using the dating application – to several third parties for behavioral marketing purposes, without a proper legal basis.


Spain

11/23/2023

Spanish Supervisory Authority | Guide | Biometric Data

The Spanish Supervisory Authority issued a guide on the use of biometric data for presence and access control, outlining criteria to ensure compliance with the GDPR and other regulations.

For more information: AEPD Website [ES]


11/02/2023

Spanish Supervisory Authority | Blog Post | Synthetic Data

The Spanish Supervisory Authority (“AEPD”) provided guidance on the use and generation of synthetic data.

According to the AEPD, the creation of synthetic data from real personal data is itself a processing activity governed by the GDPR. Therefore, it is necessary to consider the provisions of the GDPR, in particular the principle of accountability and the assessment of a possible risk of re-identification from the created synthetic data set.

For more information: AEPD Website


10/20/2023

Spanish Supervisory Authority | Sanction | Cyber Security

The Spanish Supervisory Authority issued a €1 million fine (reduced to €800,000) against a Spanish banking company for insufficiently protecting the personal data of customers.

A customer had reported that their credit card had been stolen, and the bank had not properly taken the information into account, leading to identity theft where hackers took out loans and transferred money in the complainant’s name.

For more information: AEPD Website [ES]


10/05/2023

Spanish Supervisory Authority | Tool | Encryption

The Spanish Supervisory Authority (“AEPD”) released a tool called “ValidaCripto”, designed to evaluate encryption systems.

ValidaCripto transfers the methodology of the AEPD’s previously released guidelines on cryptographic systems to an intuitive web tool that helps to visually evaluate encryption systems’ compliance with data protection requirements.

For more information: AEPD Website


09/28/2023

Spanish Supervisory Authority | Blog | Privacy Enhancing Technologies

The Spanish Supervisory Authority published guidance on Privacy Enhancing Technologies.

The blog emphasizes that Privacy Enhancing Technologies (“PETs”) make it possible to implement privacy principles, but that the same tools are also useful for implementing the governance policies that guarantee trust and data sovereignty in a Data Space. Therefore, PETs should be “dual-use” technologies to be efficient and effective, integrated in the core of the Data Spaces, fulfilling different purposes in the data-access sharing economy.

For more information: AEPD Website


United Kingdom

12/15/2023

UK Supervisory Authority | Guidance | Transfer Risk Assessment

The UK Supervisory Authority released guidance on transfer risk assessment for entities transferring personal information to the US using Article 46 of the UK GDPR.

The guidance aims to support organizations engaged in restricted transfers of personal data to the US, employing mechanisms outlined in Article 46 of the UK GDPR. Following the Schrems II case in 2020, the guidance highlights the necessity of conducting a Transfer Risk Assessment before transferring personal data from the UK, emphasizing the importance of the Department for Science, Innovation and Technology’s analysis to streamline the process. The Department of Science, Innovation and Technology analysis evaluates US laws concerning access and usage of personal information for national security and law enforcement purposes.

For more information: ICO Website


12/12/2023

UK Supervisory Authority | Draft guidance | Employment practices and data protection

The UK Supervisory Authority released two draft guidance documents on data protection compliance in the areas of “keeping employment records” and “recruitment and selection”.

The guidance for keeping employment records is directed at employers, outlining their obligations under the UK GDPR and the Data Protection Act 2018 concerning the collection and maintenance of worker records. It emphasizes the need for a balance between the necessity of employment records for organizational operations and the privacy rights of workers. The second draft guidance is tailored for employers and entities involved in recruitment processes, including agencies and consultancies. It addresses the intricacies of managing diverse personal data, including sensitive data, during recruitment, with a focus on protecting candidates’ data protection rights. These guidance documents are open for consultation from relevant stakeholders (including employers, professional associations, those representing the interests of staff, recruitment agencies, employment dispute resolution bodies, workers, volunteers and employees, and suppliers of employment technology solutions) until 5 March 2024.

For more information: ICO Website


11/09/2023

Office of Communications | Statement | Online Safety Act

On September 11, 2023, the Office of Communications (“Ofcom”) announced its new role as the regulator for online safety, following the enactment of the Online Safety Act on October 26, 2023.

Ofcom’s role is to make online services safer for the people who use them, by ensuring regulated services take appropriate steps to protect their users. Ofcom will set out codes of practice and guidance for companies falling under the scope of the Online Safety Act. It will have powers to take enforcement action, including issuing fines to services if they fail to comply with their duties. However, Ofcom will not be responsible for removing online content, and won’t require companies to remove content or particular accounts. It should be noted that Ofcom’s powers are not limited to service providers based in the UK.

For more information: Ofcom Website


10/25/2023

Department of Science, Innovation and Technology | Publication | Data Transfers

The Department of Science, Innovation and Technology (“DSIT”) released an executive summary and initial conclusions from the first phase of an evaluation into the implementation of the International Data Transfer Agreement (“IDTA”).

This evaluation started at the beginning of the implementation period of the UK’s new standard data protection clauses, the IDTA and Addendum to the European Commission’s Standard Contractual Clauses for international transfers, which replace the previous EU SCCs for international transfers. The evaluation was meant to assess how businesses experienced the transition to the new clauses. A further phase of this research is planned following the end of the transitional period. DSIT will work with the ICO to reflect on the findings of the research.

For more information: UK Government Website


10/12/2023

UK-US Data Bridge | Entry into Force | Adequate Protection

On October 12, 2023, the Data Protection Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge) entered into effect.

This UK extension to the EU-US Data Privacy Framework allows businesses to transfer personal data to US certified entities listed in the EU-US Data Privacy Framework without additional safeguards. However, UK organizations must update privacy policies and document data transfer methods to comply with this new framework.

For more information: The Data Protection (Adequacy) (United States of America) Regulations 2023


09/20/2023

UK Supervisory Authority | Sanction | Unlawful Marketing practices

The UK Supervisory Authority announced that it issued a fine against five companies totaling £590,000 (approx. €670,000) for unwanted marketing calls which targeted the elderly and people with vulnerabilities.

For more information: ICO Website


This newsletter has been prepared by the European Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.


Q1 and Q2 2024

Europe

07/12/2024

European Union | Artificial Intelligence Regulation | Publication

The AI Act (Regulation 2024/1689) was published in the OJEU today. It will enter into force on 1 August, meaning the 2-year transition period for most of the Act will end on 1 August 2026.

The Act applies to AI providers, deployers, importers, distributors, and manufacturers, with exemptions for military and research uses. It classifies AI systems by risk, prohibits certain practices, and in particular imposes requirements on high-risk systems. Enforcement includes the creation of an AI Office, a scientific panel, an AI Board, and an advisory forum, with possible fines up to €35 million or 7% of global turnover for severe breaches.

For more information: Official Journal of the European Union

06/20/2024

Court of Justice of the European Union | GDPR Violation | Right to Compensation

The Court of Justice of the European Union (“CJEU”) published a judgment on the right to compensation for non-material damage as a result of fear.

In the case C-590/22, the CJEU ruled that an infringement of the GDPR alone does not suffice to establish a right to compensation. The claimant must demonstrate actual damage caused by the infringement, although the damage need not be severe. The CJEU also determined that a claimant’s fear of personal data disclosure to third parties — as a result of a breach of the GDPR — can constitute non-material damage if the fear and its negative consequences are duly demonstrated. Notably, the criteria for administrative fines do not apply to compensation assessments, and compensation is not meant to serve a dissuasive function. Furthermore, violations of national laws that do not specifically relate to the GDPR do not need to be considered when determining compensation amounts.

For more information: CJEU Judgment – C-590/22

06/20/2024

Court of Justice of the European Union | GDPR Violation | Right to Compensation

The Court of Justice of the European Union (“CJEU”) published rulings on the right to compensation for non-material damages based on theft of personal data.

The CJEU made several important rulings regarding compensation under Article 82(1) of the GDPR. First, the court clarified that the right to compensation is intended solely to fully compensate for the damage suffered due to GDPR violations and does not serve a punitive purpose. Second, the severity or intentional nature of the violation does not need to be considered when determining the amount of compensation. Third, the court emphasized that non-material damage from a data breach is not inherently less significant than physical injury. Furthermore, minimal compensation can be awarded for minor damage as long as it fully compensates the harm. Finally, the court stated that for identity theft under the GDPR, actual misuse of stolen data must be shown, but compensation for non-material damage is not limited to cases where identity misuse is proven.

For more information: CJEU Judgment – C-182/22 and C-189/22

04/18/2024

European Data Protection Board | Strategy | Priorities for 2024-2027

On April 18, 2024, the European Data Protection Board (“EDPB”) released its strategy for 2024-2027.

The EDPB aims to support supervisory authorities in enforcing the GDPR and the Law Enforcement Directive, while also facilitating their interaction with new legislation such as the EU AI Act, the Digital Services Act, and the Digital Markets Act. Specifically addressing artificial intelligence, the EDPB plans to offer guidance on data protection and GDPR implementation, focusing on high-risk areas and vulnerable groups, such as children. Regarding the EU-US Data Privacy Framework, the EDPB intends to provide public information and template complaint forms to facilitate the implementation of redress mechanisms.

For more information: EDPB Website

03/14/2024

Court of Justice of the European Union | Personal Data | Powers of the Supervisory Authority

The Court of Justice of the European Union (“CJEU”) ruled that the supervisory authority of a Member State may order, of its own motion, the erasure of personal data in case of unlawful processing.

The CJEU clarified that the supervisory authority is entitled to order the erasure of data in order to ensure that the GDPR is fully enforced, even in the absence of a prior request made by the data subject to that effect. The CJEU further specified that, like other corrective measures, the power of the supervisory authority to order the erasure of data applies regardless of whether the data is collected directly from the data subject or indirectly from another source.

For more information: CJEU Judgment – C-46/23

04/11/2024

Court of Justice of the European Union | Compensation | GDPR Violation

In a ruling issued on April 11, 2024, the Court of Justice of the European Union (“CJEU”) clarified the concept of non-material damage, the conditions for exemption from liability and the criteria for determining the amount of damages.

Referring to its previous case law, the CJEU ruled that the mere infringement of GDPR provisions granting rights to individuals is insufficient to establish non-material damage, unless the individual can prove actual harm, regardless of its severity. The Court emphasized that an organization cannot evade liability simply by attributing the infringement to human error within its operation. Additionally, when assessing compensation for non-material damages under GDPR, the criteria for setting administrative fines are not applicable, nor should the quantity of infringements affect compensation calculations. The judgment asserts the need for full and effective compensation directly proportional to the actual damage suffered, adhering strictly to the compensatory rather than punitive intent of the provision.

For more information: CJEU Judgment – C-741/21

03/07/2024

Court of Justice of the European Union | Personal Data | Online Advertising

The Court of Justice of the European Union (“CJEU”) rendered its judgment in the IAB Europe case and clarified the organization’s status with regard to data processing operations for advertising purposes within the Transparency and Consent Framework (“TCF”).

The TCF is a set of rules established by IAB Europe, consisting of guidelines and technical specifications that enable its members (website or application providers, data brokers, and advertising platforms) to lawfully process the personal data of users of a website or an application. The TCF allows, inter alia, the recording of users’ preferences through Consent Management Platforms, by generating a signal called “TC String”. First, the Court confirmed that the TC String is personal data within the meaning of the GDPR since it contains certain information that can be used to identify a user if associated with an identifier, such as an IP address. Second, the Court held that IAB Europe is a joint controller with its members when the consent preferences are recorded in a TC String. However, the Court stated that IAB Europe cannot be regarded as a controller for the subsequent data processing operations by members.

For more information: CJEU Judgment – inter alia

03/07/2024

Court of Justice of the European Union | Personal Data | Concept of Processing

The Court of Justice of the European Union (“CJEU”) ruled that the oral disclosure of information on possible ongoing or completed criminal proceedings to which a natural person has been subject constitutes processing of personal data.

The CJEU reiterates that since the oral disclosure of personal data constitutes non-automated processing, the personal data subject to such processing must be contained or intended to be contained in a filing system in order for that processing to fall within the material scope of the GDPR. The CJEU states that, in the present case, information on criminal proceedings is contained in a register of persons kept by a court, i.e., a filing system. Therefore, any oral disclosure of its contents may take place only if the conditions imposed by the GDPR are satisfied.

For more information: CJEU Judgment – C-740/22

03/07/2024

Court of Justice of the European Union | Personal Data | Concept of Identifiable Person

The Court of Justice of the European Union (“CJEU”) annulled a judgement issued by the General Court for misinterpreting the concept of “identifiable natural person”.

The case concerns a compensation claim brought before the General Court by a scientist with regard to a press release published by the European Anti-Fraud Office. In its judgement, the General Court had held that information contained in the press release did not constitute personal data since the person concerned was not identifiable with that information alone. The CJEU referred to its previous case law and stated that for information to be considered as “personal data”, it is not required that all the information enabling the identification of the data subject is in the hands of one person. In the present case, the data subject could be identified, in particular, by persons working in the same scientific field.

For more information: CJEU Judgment – C-479/22 P

02/13/2024

European Data Protection Board | Opinion | Notion of Main Establishment

The European Data Protection Board (“EDPB”) adopted an Opinion on the notion of main establishment and the criteria for the application of the One-Stop-Shop mechanism following a request by the French Supervisory Authority.

The Opinion clarifies the notion of a controller’s “main establishment” in the EU, in particular in cases where decisions regarding the processing are taken outside the EU.

For more information: EDPB Website

01/18/2024

European Data Protection Board | Case Digest | Data Breach

The European Data Protection Board (“EDPB”) published a thematic one-stop-shop case digest on security of processing and data breaches.

The case digest analyses decisions adopted by supervisory authorities under the one-stop-shop mechanism relating to security of personal data and personal data breaches. It is intended to provide insights on how supervisory authorities have applied the relevant GDPR provisions in different data breach scenarios, such as ransomware or accidental data disclosure.

For more information: EDPB Website

01/11/2024

European Union | Regulation | Data Act

The Regulation on harmonized rules on fair access to and use of data (“Data Act”) entered into force.

The Data Act introduces, in particular, new data sharing and contractual obligations for providers of connected devices and related services, as well as cloud computing providers. The Act will become applicable 20 months from the date of entry into force, i.e., from September 12, 2025. Requirements on access to data generated by connected devices will apply to devices placed on the market after September 12, 2026.

For more information: Official Journal of the European Union

01/07/2024

European Union | Regulation | Cybersecurity

The new Cybersecurity Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices, and agencies of the Union entered into force.

The regulation aims to achieve a high common level of cybersecurity within Union entities by introducing an internal risk management, governance, and control framework, and establishing an Interinstitutional Cybersecurity Board to monitor its implementation.

For more information: Official Journal of the European Union

France

06/10/2024

French Supervisory Authority | Public Consultation | Artificial Intelligence

On June 10, 2024, the French Supervisory Authority (“CNIL”) opened a public consultation on its AI recommendations.

The consultation primarily focuses on the legal basis of processing for AI models’ development phase, data scraping for model training, and distribution of open-source AI models. It also covers other GDPR-related issues such as informing data subjects and the management of their rights.

For more information: CNIL Website

05/22/2024

French Parliament | Regulation | SREN Act

The Securing and Regulating the Digital Space Act (“SREN Act”) has been published in the Official Journal.

The SREN Act introduces a wide range of provisions in areas such as online child protection, cloud services, and Jonum (i.e., games offering monetizable digital objects). Additionally, it aims to align French law with the Digital Services Act (“DSA”) and the Digital Markets Act (“DMA”). With regard to the DSA, the Arcom is designated as the “digital services coordinator”. While the DGCCRF will be in charge of monitoring marketplace providers’ compliance with their obligations, the French Supervisory Authority will be responsible for ensuring that platforms comply with requirements related to online advertising. Regarding the DMA, the French Competition Authority and the Ministry of the Economy will be able to investigate and cooperate with the European Commission on gatekeepers’ practices. Furthermore, the SREN Act addresses the adaptation of French law to the Data Act and the Data Governance Act and grants new powers to regulatory bodies.

For more information: Official Journal [FR]

05/14/2024

French Supervisory Authority | Guidance | Traffic Data

On May 14, 2024, the French Supervisory Authority (“CNIL”) issued guidance on providing public internet access, emphasizing legal obligations for retaining traffic data.

Under French law, organizations providing public internet access must retain IP addresses to identify devices, connection details (date, time, duration), and data identifying communication recipients. In this context, the CNIL reiterated that traffic data, being personal data, should be limited to what is necessary for processing. The retention periods vary according to the data concerned (from 3 months to 5 years).

For more information: CNIL Website [FR]

04/04/2024

French Supervisory Authority | Sanction | Direct Marketing

The French Supervisory Authority (“CNIL”) fined a telecommunications equipment retailer €525,000 for unlawfully processing its prospects’ personal data collected from data brokers for direct marketing.

The CNIL found that the data collection forms used by data brokers were misleading and did not allow the acquisition of free and unambiguous consent to marketing texts by third parties. The French Authority pointed out that contractual obligations imposed on data brokers were not sufficient to ensure that prospects’ consent was validly obtained, and the retailer should have implemented effective controls in this respect. With regard to the legal basis of marketing calls, the CNIL noted that the retailer could not validly rely on legitimate interest since the forms used by data brokers did not systematically mention the retailer in the list of data recipients.

For more information: CNIL Website

Germany

06/17/2024

Bavarian Data Protection Commissioner | Guidance | Joint Controllers

The Bavarian Data Protection Commissioner (“Bavarian DPC”) published guidance on joint controllers.

The Bavarian DPC’s new guidance aims at eliminating uncertainties and inhibitions in connection with joint controllership (Article 26 GDPR), which is always relevant when two or more controllers jointly determine the purposes and means of the processing of personal data. As the Bavarian DPC is the competent authority for public administration, the recommendations for action are primarily directed at stakeholders of the public sector and the examples in the guidelines are selected accordingly.

For more information: Bavarian DPC Website [DE]

05/14/2024

German Parliament | Regulation | Digital Services Act

The German Parliament aligned German law with the EU Digital Services Act (“DSA”).

The German Digital Services Act (Digitale-Dienste-Gesetz, “DDG”) accompanies the DSA and aligns German law with it at the national level. With the DDG’s entry into force on May 14, 2024, the German Telemedia Act (Telemediengesetz) lost its effect and is now replaced by the DSA and the DDG. In addition, the Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz) has been renamed the Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz).

For more information: German Federal Government Website [DE]

05/06/2024

German Supervisory Authorities | Guidance | Artificial Intelligence

The German Data Protection Conference (“DSK”) released guidance on artificial intelligence and data protection.

The new guidance focuses on the use of generative AI models by organizations and recalls their obligations in terms of data privacy, such as carrying out a Data Protection Impact Assessment, identifying a proper legal basis, and providing information to data subjects.

For more information: DSK Website [DE]

Italy

06/26/2024

Italian Supervisory Authority | Enforcement | Prospection

The Italian Supervisory Authority (“Garante”) published its decision of June 6, issuing a fine of €6.4 million to an energy company for illicit marketing calls.

The Garante found that marketing calls had been made without data subjects’ consent or despite the registration of their numbers on the Do Not Call List. In addition to the fine, the Garante ordered the company to cease further processing of the complainants’ personal data and to send them the Garante’s decision.

For more information: Garante Website

05/20/2024

Italian Supervisory Authority | Investigation | Web scraping

On May 20, 2024, the Italian Supervisory Authority (“Garante”) issued guidelines on web scraping by public and private entities acting as data controllers.

The guidelines address the indiscriminate collection of online data by third parties, particularly for training generative AI models. The Garante recommends several measures to prevent or hinder web scraping, namely, creating reserved areas that require registration to access data, including anti-scraping clauses in websites’ terms of use, monitoring web traffic to detect abnormal data flows, and implementing technological solutions to block unwanted scraping. The Garante noted that current investigations into the legality of web scraping based on legitimate interests are still pending, and the guidelines are part of interim measures.

For more information: Garante Website [IT]

03/07/2024

Italian Supervisory Authority | Sanction | Personal Data Breach

The Italian Supervisory Authority (“Garante”) imposed a €2.8 million fine on a bank following a cyber-attack that occurred in 2018, and an €800,000 fine on the bank’s service provider in charge of carrying out security tests.

The Garante stated that the cyber-attack had affected the data of approximately 778,000 former and current customers and resulted notably in the identification of over 6,800 customers’ PINs (personal identification numbers) to the mobile banking portal. The Garante concluded that the bank had not adopted necessary security measures to effectively counter cyber-attacks and had not required its customers to create stronger PINs. The Garante also found that the bank’s service provider had failed to notify the bank of the data breach within the required deadline and had engaged a sub-processor for the performance of security tests without prior consent of the bank.

For further information: Garante Website [IT]

Norway

07/01/2024

Oslo District Court | Judgement | Dating service

The Oslo District Court has confirmed a fine of NOK 65 million (about €5.7 million) imposed by the Norwegian Data Protection Authority on a dating service.

The fine was originally imposed by the Norwegian data protection authority (“Datatilsynet”) in 2020 because the dating service passed on too much information to advertising companies. In particular, GPS data was affected. According to Datatilsynet, the use of the app itself involves particularly sensitive data, which is why the company violated Article 9 GDPR. The case was triggered by a complaint from the Norwegian Consumer Council (“Forbrukerrådet”). Datatilsynet’s opinion has now been confirmed by the Oslo District Court.

For more information: Oslo Tingrett Website [NOR]

Netherlands

06/04/2024

Dutch Supervisory Authority | Guidance | Cookies

The Dutch Supervisory Authority (“AP”) has published guidelines on cookie consent.

In its guidelines, the AP gives guidance on how to design cookie banners to ensure that they comply with consent requirements and provides concrete examples.

For more information: AP Website [NL]

05/01/2024

Dutch Supervisory Authority | Guidelines | Data Scraping

On May 1, 2024, the Dutch Supervisory Authority (“AP”) released guidelines regarding data scraping practices by private individuals and organizations.

The guidelines emphasize GDPR compliance in data scraping endeavors, mandating adherence to the principles of legality, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. The AP also clarifies situations where the GDPR does not apply, such as scraping for personal use or targeted scraping (e.g., an organization scrapes a news media website to get news related to its business).

For more information: AP Website [NL]

Spain

05/14/2024

Spanish Supervisory Authority | Guide | Cookie

On May 14, 2024, the Spanish Supervisory Authority (“AEPD”) released an updated guide on cookie use to align it with Opinion 08/2024 on valid consent in “consent or pay” models by the European Data Protection Board (“EDPB”).

The AEPD incorporates the EDPB’s guidelines into its own guide, and notes that the EDPB plans to issue a comprehensive guide on consent validity in “consent or pay” models by early 2025.

For more information: AEPD Website [ES]

04/12/2024

Spanish Supervisory Authority | Sanction | GDPR violations

On April 12, 2024, the Spanish Supervisory Authority (“AEPD”) fined a financial services company €2 million (later reduced to €1.2 million) for GDPR violations following a complaint.

As part of a verification process, the financial services company requested personal and economic data from the complainant via a form requiring consent for such data collection, without giving an option to decline. When asked for further explanation, the financial services company stated that the complainant’s bank account would be blocked if consent was not provided. The AEPD found this violated GDPR Article 6(1), as the consent was not valid and there was no legal requirement for the data verification method used by the financial services company.

For more information: AEPD Website [ES]

United Kingdom

06/07/2024

UK High Court | Judgment | Data Subject Rights

On June 7, 2024, the High Court ruled in Harrison v Cameron & Another that under the UK GDPR, data subjects have the right to know the specific identities of their personal data recipients, not just the categories.

The High Court ruled that data subjects are entitled to know the specific identities of recipients who have access to their personal data. It is within the data subject’s discretion to request either detailed identities or merely the categories of these recipients.

For more information: UK High Court Judgment

05/13/2024

British Supervisory Authority | Consultation | Generative AI

On May 13, 2024, the UK Data Protection Authority (“ICO”) launched the fourth chapter of its consultation series on generative artificial intelligence (AI), focusing on data subject rights in relation to the training and fine-tuning of generative AI models.

The consultation highlighted several rights that individuals have under the UK GDPR, including: the right to access, the right to rectification, the right to erasure and the right not to be subjected to automated decision-making. These rights apply to personal data in various contexts, including training data, fine-tuning data, outputs of the generative AI model, and user queries. The consultation emphasized that organizations must have processes in place to enable individuals to exercise these rights throughout the AI lifecycle. The consultation outlines several obligations for organizations developing or deploying generative AI models, namely: inform individuals if their data is being processed, provide clear, accessible information about data usage and individuals’ rights, justify any exemptions used and safeguard individuals’ rights and freedoms, and apply privacy-enhancing technologies and techniques to protect data. The consultation also invites feedback on the effectiveness of measures to prevent unauthorized data retention and usage. Additionally, it seeks evidence on how organizations can fulfill their legal obligations while supporting innovation in generative AI.

For more information: ICO Website

05/10/2024

British Supervisory Authority | Guidance | Cyber Security Incidents

The British Supervisory Authority (“ICO”) published a report on cyber security incidents.

The report focuses on five main causes of cybersecurity incidents, including phishing, brute force attacks, and denial of service. In particular, it provides case studies based on previous data breach reports received by the ICO and gives practical recommendations to reduce the risk of cyber-attacks.

For more information: ICO Website

04/03/2024

British Supervisory Authority | Strategy | Protection of Children’s Privacy Online

On April 3, 2024, the British Supervisory Authority (“ICO”) released its 2024-2025 Children’s code strategy for protecting children’s privacy online.

Key focuses include defaulting profiles to private settings, restricting profiling for ads, monitoring content feeds, and obtaining parental consent for children under 13. The ICO plans audits on educational technology, engagement with stakeholders, and international collaboration to regulate the internet effectively.

For more information: ICO Website


This newsletter has been prepared by the European Privacy team of Gibson Dunn. For further information, you may contact us by email:

Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris

Joel Harrison – Partner, Co-Chair, PCDI Practice, London

Vera Lukic – Partner, Paris

Lore Leitner – Partner, London

Kai Gesing – Partner, Munich

Clémence Pugnet – Associate, Paris

Thomas Baculard – Associate, Paris

Hermine Hubert – Associate, Paris

Billur Cinar – Associate, Paris

Christoph Jacob – Associate, Munich

Yannick Oberacker – Associate, Munich

Sarah Villani – Associate, London

Miles Lynn – Associate, London


Europe

07/25/2024

European Commission | GDPR | Report

On July 25, 2024, the European Commission published the Second Report on the application of the GDPR.

The report highlights a significant uptick in enforcement activity by supervisory authorities in recent years. The report considers that, to ensure strong protection for individuals and the free flow of personal data within and outside the EU, there is a need to focus on, among other things: proactive support by supervisory authorities in compliance efforts; consistent application of the GDPR across the EU; effective cooperation between supervisory authorities; establishing cooperation with sectoral regulators on issues with an impact on data protection; implementing efficient and targeted working arrangements for guidelines, opinions, and decisions; and prioritizing key issues to reduce the burden on supervisory authorities.

For more information: European Commission Website

07/16/2024

European Data Protection Board | Statement | Role of DPA & EU AI Act

On July 16, 2024, the European Data Protection Board (“EDPB”) adopted Statement 3/2024 on data protection authorities’ role in the Artificial Intelligence Act framework.

The EDPB recommends that Data Protection Authorities (“DPAs”) should be designated as Market Surveillance Authorities (“MSAs”) for the high-risk AI systems mentioned in Article 74(8) of the AI Act. Further, the EDPB recommends that Member States consider appointing DPAs as MSAs for the other high-risk AI systems, particularly where those high-risk AI systems are in sectors likely to impact natural persons’ rights and freedoms with regard to the processing of personal data, unless those sectors are covered by a mandatory appointment required by the AI Act (e.g. the financial sector).

For more information: EDPB Website

07/16/2024

European Data Protection Board | FAQ | EU-US Data Privacy Framework

On July 16, 2024, the European Data Protection Board (“EDPB”) adopted two Frequently Asked Questions (“FAQ”) documents regarding the EU-U.S. Data Privacy Framework (“DPF”).

The FAQ for individuals provides information on the functioning of the DPF (e.g., how to benefit from it, how to lodge a complaint) and the FAQ for businesses notably explains which U.S. companies are eligible to join the DPF and what to do before transferring personal data to a company in the U.S. which is, or claims to be, certified under the DPF.

For more information: EDPB FAQ for individuals and for businesses

France

07/18/2024

French Supervisory Authority | FAQ | Generative AI

On July 18, 2024, the French Supervisory Authority (“CNIL”) published a series of frequently asked questions (“FAQ”) on the deployment of generative artificial intelligence.

The FAQ include information on the benefits and limitations of generative AI, the way to implement the use of a generative AI system, and the way to ensure compliance of an AI model with the GDPR and the AI Act.

For more information: CNIL Website

07/12/2024

French Supervisory Authority | FAQ | EU AI Act

On July 12, 2024, the French Supervisory Authority (“CNIL”) published a series of frequently asked questions (“FAQ”) on the EU Regulation on Artificial Intelligence following its publication in the Official Journal of the European Union.

The FAQ include information on the specific provisions of the AI Act, the compliance monitoring authorities, as well as the interplay between the GDPR and the AI Act.

For more information: CNIL Website

07/10/2024

French Supervisory Authority | Audit results | Dark Patterns

On July 10, 2024, the French Supervisory Authority (“CNIL”) published the results of the Global Privacy Enforcement Network audit.

Twenty-six of the world’s data protection authorities, including the CNIL, members of the Global Privacy Enforcement Network (“GPEN”), audited 1,010 websites and mobile applications as part of a joint operation: the GPEN Sweep. This audit reveals that websites make extensive use of “dark pattern” mechanisms, hindering users’ ability to make informed decisions about privacy protection.

For more information: CNIL Website [FR]

07/04/2024

French Supervisory Authority | Study | Advertising Models

The French Supervisory Authority (“CNIL”) published a study on alternative advertising models.

On July 4, 2024, the CNIL announced that it commissioned an economic study of the possible consequences of the end of third-party cookies for certain browsers and presented the main conclusions. The study, among other things, aims to provide indications on what the new advertising business models will be after the removal of third-party cookies and what risks these evolutions entail for data protection.

For more information: CNIL Website [FR]

Germany

07/31/2024

Hamburg Supervisory Authority | “Pay or OK” System

The Hamburg Data Protection Authority (“Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”) granted the Spiegel Magazine permission to use the so-called “Pay or OK” system.

With the “Pay or OK” system, visitors to the website either have to consent to the use of their personal data or agree to a paid subscription model. This decision is now being challenged by an affected data subject.

For more information: Hamburg BfDI Website [DE]

07/30/2024

Saxon Data Protection and Transparency Officer | Guideline | Video Surveillance in Private and Public Spaces

On July 30, 2024, the Saxon Supervisory Authority (“LfDI Saxony”) published an updated version of its guideline on the use and regulation of video surveillance both in public and private spaces by private individuals and public authorities.

This new version has been created due to numerous complaints by data subjects. The LfDI Saxony includes examples for possible use cases and their limits in connection with video surveillance.

For more information: LfDI Saxony Website [DE]

07/19/2024

German Data Protection Authorities | Guidance | AI & Data Protection

In July, multiple data protection authorities published information on the AI Act and discussed the responsibilities arising from it. In addition, the Baden-Wuerttemberg Supervisory Authority (“LfDI Baden-Wuerttemberg”) published an “Orientation Navigator AI & Data Protection”.

The Federal Commissioner for Data Protection and Information Security (“BfDI”) and the supervisory authority of North Rhine-Westphalia (“LDI North Rhine-Westphalia”) state that new responsibilities and tasks arise for the data protection supervisory authorities under the AI Act. A group of experts from the supervisory authority of Lower Saxony (“LfD Lower Saxony”) has also begun its discussions on data protection compliance of AI training data. In addition, the LfDI Baden-Wuerttemberg published a tool that organizes selected regulatory documents on AI. It is intended as an aid for responsible bodies such as authorities but also for private companies.

For more information: LfDI Baden-Wuerttemberg Website [DE]; BfDI Website [DE]; LDI North Rhine-Westphalia Website [DE]; LfD Lower Saxony [DE]

07/15/2024

Hamburg Supervisory Authority | Discussion Paper | GDPR & Large Language Models

On July 15, 2024, the Hamburg Supervisory Authority (“HmbBfDI”) published a discussion paper on the relationship between the GDPR and Large Language Models (“LLMs”).

The paper aims to support companies and authorities dealing with data protection issues related to LLM technologies and contains an explanation of the technical aspects of LLMs and their evaluation in light of the relevant case law of the Court of Justice of the European Union on personal data under the GDPR. Additionally, the paper discusses the difference between LLMs as an artificial intelligence model and as a component of an AI system in accordance with the AI Act.

For more information: HmbBfDI Website [DE]

Ireland

07/18/2024

Irish Supervisory Authority | Recommendation | AI & Data Protection

On July 18, 2024, the Irish Supervisory Authority (“DPC”) published an article on artificial intelligence, large language models (“LLMs”), and data protection.

The article highlights the increase in popularity of AI, particularly generative AI chatbots. The DPC warns about the inherent risks associated with AI, particularly concerning personal data processing, including: use of large amounts of personal data unnecessarily and without knowledge, agreement, or permission during training phases; issues arising from the accuracy and retention of personal data used or generated by AI systems; risks of personal data being shared without proper security or authorization; potential biases due to inaccurate or incomplete training data, affecting decision-making processes; and exposure to risks when new personal data is incorporated into training datasets for updated models.

For more information: DPC Website

Lithuania

07/02/2024

Lithuanian Supervisory Authority | Sanction | Data Subjects Rights

The Lithuanian Supervisory Authority (“SDPI”) fined an online retail company €2,385,276 million for several breaches relating to the right to be forgotten and the right of access.

The SDPI found that the Company had not dealt fairly and transparently with the deletion requests it had received, by refusing erasure requests on the sole grounds that individuals did not cite one of the criteria provided for by the GDPR in their request and, in cases where it refused to erase the data, by failing to inform the individuals of the reasons for such refusal. The SDPI also found that the Company had unlawfully implemented a “shadow blocking” mechanism, making the activity of a user who does not respect the platform’s rules invisible to other users, without the user being notified. In addition, the Company did not take sufficient technical and organizational measures to demonstrate that it had taken (or reasonably refused to take) action regarding the right of access.

For more information: SDPI website

Netherlands

07/31/2024

Dutch Supervisory Authority | Guidance | AI

The Dutch Supervisory Authority (“AP”) published guidance on the EU Artificial Intelligence Act (“AI Act”) for AI developers and users.

The AP clarified that, with the entry into force of the AI Act, various requirements will gradually apply to AI developers and users from February 2025. The AP highlights priorities for AI developers, in particular regarding prohibited AI systems, which must be withdrawn from the market and no longer be in use by February 2025, and high-risk AI systems, which must comply with specific requirements.

For more information: AP Website [NL]

07/16/2024

Dutch Supervisory Authority | Sanction | Cookies

On July 16, 2024, the Dutch Supervisory Authority (“AP”) announced its decision, as issued on May 2, 2024, to impose a fine of €600,000 on a company regarding its use of cookies.

Following its investigation, the AP determined that cookies were placed on user devices without their knowledge or consent. Due to the specific nature of the products that may be purchased on the website (drugstore products), the AP considered that the company collected and used sensitive data of millions of website visitors in violation of the applicable rules.

For more information: AP Website [NL]

Poland

07/19/2024

Polish Supervisory Authority | Opinion | Data Breach

On July 19, 2024, the Polish Supervisory Authority (“UODO”) issued an opinion advising controllers following the global cloud service outage that occurred on the same date.

The UODO states that not every interruption to personal data access is a personal data breach. Interruption to cloud services’ access and the resulting interruption to data access may, in some situations, result in a violation of the rights and freedoms of individuals. The UODO therefore recommends conducting a risk analysis before reporting the personal data breach to the authority.

For more information: UODO Website [PL]

07/08/2024

Polish Supervisory Authority | Guidance | Children Protection

On July 8, 2024, the Polish Supervisory Authority (“UODO”) published a guide to support institutions and organizations in ensuring better protection for children in the digital age.

The guide, entitled “Children’s Image on the Internet. Publish or not?”, notably includes tips to be used to protect children’s photos and videos on the Internet and the list of potential risks associated with publication of children’s images on the Internet.

For more information: UODO Website [PL]

Spain

07/10/2024

Spanish Supervisory Authority | Report | Addictive patterns

On July 10, 2024, the Spanish Supervisory Authority (“AEPD”) issued a report on addictive patterns in the processing of personal data.

The report highlights how, in many cases, service providers implement misleading and addictive design patterns, including to increase the amount of personal data collected about users. The report emphasizes that the adverse impact of addictive strategies is considerably greater when they are used to process the personal data of vulnerable people, such as children.

For more information: AEPD Website [ES]

United Kingdom

07/23/2024

Ofcom | Discussion Paper | Generative AI

On July 23, 2024, the British Office of Communications (“Ofcom”) published a discussion paper on the evaluation of vulnerabilities in Generative Artificial Intelligence models.

The paper discusses “red teaming” as a type of evaluation method that seeks to find vulnerabilities in generative artificial intelligence models to protect users from harmful content.

For more information: Ofcom Website

07/23/2024

Ofcom | Discussion Paper | Deepfake

On July 23, 2024, the British Office of Communications (“Ofcom”) published a discussion paper on deepfakes.

Among other things, the discussion paper highlights the different types of deepfakes that can cause harm and the steps organizations can take to mitigate the risks of deepfakes.

For more information: Ofcom Website

07/17/2024

British Government | King’s Speech | Digital Information and Smart Data

The British Government plans to introduce the Digital Information and Smart Data Bill.

On July 17, 2024, the Government announced, as part of the King’s Speech, that it planned to introduce the Digital Information and Smart Data Bill. The Government explained that the bill would, among other things, enable new innovative uses of data to be safely developed and deployed, reform data sharing and standards, improve data laws, and give the Information Commissioner’s Office (“ICO”) new, stronger powers.

For more information: Government Website


This newsletter has been prepared by the European Privacy team of Gibson Dunn. For further information, you may contact us by email:

Ahmed Baladi – Partner, Co-Chair, PCDI Practice, Paris ([email protected])

Joel Harrison – Partner, Co-Chair, PCDI Practice, London ([email protected])

Vera Lukic – Partner, Paris ([email protected])

Lore Leitner – Partner, London ([email protected])

Kai Gesing – Partner, Munich ([email protected])

Clémence Pugnet – Associate, Paris ([email protected])

Thomas Baculard – Associate, Paris ([email protected])

Hermine Hubert – Associate, Paris ([email protected])

Billur Cinar – Associate, Paris ([email protected])

Christoph Jacob – Associate, Munich ([email protected])

Yannick Oberacker – Associate, Munich ([email protected])

Sarah Villani – Associate, London ([email protected])

Miles Lynn – Associate, London ([email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

We are pleased to provide you with the August edition of Gibson Dunn’s monthly U.S. bank regulatory update. Please feel free to reach out to us to discuss any of the below topics further.

KEY TAKEAWAYS

  • The Board of Governors of the Federal Reserve System (Federal Reserve) and Federal Deposit Insurance Corporation (FDIC) issued final joint guidance on resolution plans for Category II and Category III institutions.
  • Staff of the Federal Reserve published an FAQ clarifying that institutions subject to Regulation YY (12 C.F.R. Part 252) enhanced prudential standards can incorporate—although they should not rely exclusively on—certain non-private market sources in demonstrating plans to monetize highly liquid assets under various internal liquidity stress test scenarios.
  • The FDIC’s recent Notice of Proposed Rulemaking proposing significant changes to its brokered deposits rules was published in the Federal Register on August 23, 2024. Comments are due on the proposed rule by October 22, 2024.
  • On August 21, 2024, a group of eleven financial services trade associations requested that the FDIC withdraw its proposed rule or, alternatively, that the FDIC publish its brokered deposits data and extend the comment period by an additional 60 days. The coalition of trade associations also requested an extension to respond to the FDIC’s request for information on deposits, noting that the FDIC’s request for information requires a significant amount of research and consideration that would be difficult to sufficiently complete within the 60-day comment period. For more information on the proposed rule, please see our Client Alert.

DEEPER DIVES

Federal Reserve and FDIC Issue Joint Final Guidance on Resolution Plans for Category II and Category III Institutions. On August 5, 2024, the Federal Reserve and FDIC issued final joint guidance to help Category II and Category III institutions (i.e., banks with assets exceeding $250 billion but not GSIBs) develop their resolution plans. The joint guidance addresses specific characteristics of Category II and III institutions and is organized around key areas of vulnerability—such as capital, liquidity, and operations.

  • Insights. Although the joint guidance provides color to Category II and III institutions on key risk areas to be considered in connection with the development of resolution plans, uncertainties remain. Notably, Federal Reserve Governor Michelle Bowman’s statement on the final guidance flagged several lingering reservations regarding the guidance, including (i) the lack of justification for requiring holding company-level plans for large banks that predominantly hold assets in a bank subsidiary, (ii) a potentially disjointed rulemaking approach in light of the agencies’ separately proposed long-term debt requirement that could materially impact firms’ resolution strategies, and (iii) the ability of the in-scope institutions to produce useful and reliable “least-cost resolution” analyses based on the revised guidance.

Federal Reserve Clarifies that Firms Can Incorporate Non-Private Market Sources in Regulation YY Liquidity Stress Tests. On August 13, 2024, staff of the Federal Reserve published a new Q&A on its Regulation YY Frequently Asked Questions page. The FAQ confirms that firms subject to Regulation YY enhanced prudential standards can use non-private market sources, such as the Federal Reserve’s discount window, the Standing Repurchase Facility, or Federal Home Loan Bank advances, in addition to private market channels, in demonstrating that the firm can monetize highly liquid assets in response to various internal liquidity stress test (ILST) scenarios. However, the guidance also emphasizes that firms should not rely exclusively on these non-private sources and clarifies that it does not expand the types of assets that qualify for inclusion in a firm’s liquidity buffer.

  • Insights. The guidance issued in the FAQ is significant because it broadens the options that banks have for demonstrating liquidity management under stress, potentially making it easier for them to satisfy their ILST requirements, which, for many banks, can be their most binding liquidity requirements. By clarifying that banks can plan to meet a substantial portion of their projected short-term liquidity needs under stress by borrowing from the Federal Reserve and other non-private market sources, the guidance should also increase banks’ incentives to be prepared to use those facilities when needed.

OTHER NOTABLE ITEMS

Federal Reserve Announces Final Individual Capital Requirements for All Large Banks. On August 28, 2024, the Federal Reserve announced final individual capital requirements for all large banks, effective on October 1. This table shows each large bank’s CET1 capital ratio requirement.

Ninth Circuit Reaffirms Decision Finding National Bank Act Does Not Preempt California’s Interest on Mortgage Escrow Statute. Following the Supreme Court’s recent decision in Cantero v. Bank of America (discussed in our previous Client Alert), a Ninth Circuit Court of Appeals panel reaffirmed the District Court’s opinion in Kivett v. Flagstar Bank that the National Bank Act does not preempt California law requiring banks to pay interest on deposits held in escrow accounts. The Ninth Circuit’s unpublished memorandum disposition is available here. Previously, on June 10, 2024, the Supreme Court vacated the decision in Kivett and remanded to the Ninth Circuit for further consideration in light of Cantero.

FDIC Publishes Questions and Answers Regarding FDIC Official Signs and Advertising Requirements, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC Name or Logo. On August 16, 2024, the FDIC issued FAQs relating to its December 2023 final rule amending Part 328 of its regulations concerning the use of official FDIC signage, advertising statements and representations regarding FDIC insurance coverage. Among the key implementation topics covered, the FAQs spend considerable time addressing digital marketing. The FDIC’s final rule and FAQs reflect a continued focus on representations made by fintech or other non-depository institutions regarding the insured status of customer funds. The final rule follows a wave of FDIC enforcement activity against non-banks making false statements regarding the insured status of customer funds. Financial institutions considering partnering with third parties to offer deposit products should conduct diligence on such fintechs’ marketing and implement appropriate controls.

CFPB Issues Advisory Opinion and Research Report on Contract for Deed Lending. On August 13, 2024, the Consumer Financial Protection Bureau (CFPB) released an advisory opinion and research report on a form of home seller financing often referred to as contract for deed. The advisory opinion affirms that federal home lending rules and laws, such as the Truth in Lending Act, cover contracts for deed and provide key consumer protections. The advisory opinion clarifies that larger sellers, such as investment groups, are subject to the provisions of the Truth in Lending Act. Accordingly, covered sellers must (i) assess the borrowers’ ability to repay loans; (ii) provide the required disclosures, including the annual percentage rate and payment schedules; and (iii) limit balloon payments on all loans with an interest rate higher than certain published benchmarks.

CFPB Comments on Department of the Treasury’s Request for Information on Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector. On August 12, 2024, the CFPB published its comments to the Department of the Treasury’s June 6, 2024 Request for Information on Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector.


The following Gibson Dunn lawyers contributed to this issue: Jason Cabral, Ro Spaziani, Zach Silvers, Karin Thrasher, and Nathan Marak.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work or any member of the Financial Institutions practice group:

Jason J. Cabral, New York (212.351.6267, [email protected])

Ro Spaziani, New York (212.351.6255, [email protected])

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

M. Kendall Day, Washington, D.C. (202.955.8220, [email protected])

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Sara K. Weed, Washington, D.C. (202.955.8507, [email protected])

Ella Capone, Washington, D.C. (202.887.3511, [email protected])

Rachel Jackson, New York (212.351.6260, [email protected])

Chris R. Jones, Los Angeles (212.351.6260, [email protected])

Zack Silvers, Washington, D.C. (202.887.3774, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])


This update provides an overview of the major developments in federal and state securities litigation since our Securities Litigation 2023 Year-End Update.

Table of Contents

I. Filing And Settlement Trends
II. What To Watch For In The Supreme Court
III. Delaware Developments
IV. Federal SPAC Litigation
V. ESG Civil Litigation
VI. Cryptocurrency Litigation
VII. Lorenzo Disseminator Liability
VIII. Market Efficiency And “Price Impact” Cases
IX. Other Notable Developments

Gibson Dunn’s 2024 Mid-Year Update covers the following developments:

  • We review the Supreme Court’s decisions in Macquarie Infrastructure Corp. v. Moab Partners, L.P., which recognizes that a suit under Rule 10b-5 cannot be based on pure omissions, and SEC v. Jarkesy, which limits the SEC’s power to conduct administrative enforcement proceedings in certain cases. We also preview two cases that will address pleading standards and the nature of “materially misleading” statements under the PSLRA.
  • We detail significant developments in Delaware corporate law, including a Delaware Supreme Court ruling on advance notice bylaws and a novel ruling on the duties of controlling stockholders when exercising stockholder-level voting power. We also provide updates on Moelis and Tornetta v. Musk.
  • We discuss the SEC’s latest rule applicable to SPACs and its significance along with the fact-specific approach courts have taken in SPAC litigation.
  • A growing number of lawsuits challenge public companies’ environmental, social, and governance (ESG) disclosures and policies. We survey recent developments in this space.
  • Cryptocurrency saw noteworthy developments in private litigation and in actions by the SEC—which has been ramping up enforcement efforts. We discuss these developments along with court rulings and legislative efforts impacting transactions and compliance.
  • We continue to monitor case law developments related to the Supreme Court’s 2019 decision, Lorenzo v. SEC, in which the Supreme Court found that even if the disseminator of a false statement did not “make” or draft that false statement within the meaning of Rule 10b-5(b), the disseminator may still be liable under Rule 10b-5(a) and (c) if they disseminate a false statement with intent to defraud.
  • District courts continue to engage with defendants’ attempts to defeat or limit class certification by rebutting the Basic presumption of reliance with evidence that the alleged misstatements had no impact on the stock price. We review several of these opinions in Section VIII, Market Efficiency And “Price Impact” Cases.
  • Finally, we address several other notable developments including the following: the Seventh Circuit outlining the procedure for reassessment of mootness fees paid to shareholder plaintiffs after a merger following voluntary dismissal of their suit; the Sixth Circuit joining the majority of circuits in holding that the bespeaks caution doctrine survives the PSLRA; the Ninth Circuit providing additional guidance on determining loss causation and alleged misstatements related to COVID-19; and the SEC’s finalization of amendments to Regulation S-P aimed at enhancing data protections.

I. Filing And Settlement Trends
A recent NERA Economic Consulting (NERA) study provides an overview of recent developments in federal securities litigation filings.  This section highlights several notable trends.

A. Filing Trends

Figure 1 below reflects the federal filing rates from 1996 through 2024.  In the first half of 2024, 112 federal cases were filed.  On an annualized basis, that number largely matches the number of federal filings in 2023, but it is considerably lower than in the peak years of 2017-2019.  Note, however, that this figure does not include class action suits filed in state court or state court derivative suits, including those in the Delaware Court of Chancery.

Figure 1:

B. Mix Of Cases Filed In 2023

1. Filings By Industry Sector

As shown in Figure 2 below, the distribution of non-merger objections and non-crypto unregistered securities filings in the first half of 2024 varied somewhat from 2023.  Notably, after a dip in 2023, the “Health and Technology Services” sector percentage returned to the percentages seen in 2021 and 2022.  Similarly, the percentage of “Electronic Technology and Technology Services” filings increased in 2024, returning to levels seen in 2021 and 2022.  Together, “Health and Technology Services” and “Electronic Technology and Technology Services” filings once again comprised over 50% of filings after dipping to 41% in 2023.  Meanwhile, “Finance” sector filings decreased from 18% to 11%.

Figure 2:

2. Filings By Type

As shown in Figure 3 below, Rule 10b-5 filings make up the vast majority of federal filings so far this year.  In fact, projecting out to a full year, filings of other types are slated to end up at their lowest levels in years.

Figure 3:

3. Filings By Circuit

Figure 4 provides insight into the distribution of federal filings by Circuit.  Most filings occur in the Second and Ninth Circuits.  Notably, the number of filings in the Second Circuit has been trending down since 2021.  By contrast, the number of filings in the Ninth Circuit has stayed steady or increased over that same period.

Figure 4:

4. Event-Driven And Other Special Cases

Figure 5 illustrates trends in the number of event-driven and other special case filings since 2020.  The number of Artificial Intelligence-related filings already equals the total number of such filings in 2023 and 2022.  By contrast, SPAC and Cybersecurity and Customer Privacy Breach filings have decreased steadily since 2021.  And after 11 such filings in 2023, zero Banking Turmoil cases have been filed this year.

Figure 5:

C. Settlement Trends

As reflected in Figure 6 below, the average settlement value so far in 2024 is $26 million.  That is a sizable drop from the past two years.  If it remains at that level, it would be the second-lowest average settlement value on an inflation-adjusted basis in nearly a decade.  (Note that the average settlement value excludes merger-objection cases, crypto unregistered securities cases, and cases settling for more than $1 billion or $0 to the class.)

Figure 6:

As for median settlement value, that value has likewise dropped noticeably from 2022 and 2023.  (Note that median settlement value excludes settlements over $1 billion, merger objection cases, crypto unregistered securities cases, and zero-dollar settlements.)

Figure 7:


II. What To Watch For In The Supreme Court

A. Recent Supreme Court Decisions

1. Macquarie Infrastructure Corp. v. Moab Partners, L.P. – Rule 10b-5 Does Not Support Private Actions Based On Pure Omissions

On April 12, 2024, the Supreme Court unanimously decided Macquarie Infrastructure Corp. v. Moab Partners, L.P., holding that an issuer of securities does not violate Exchange Act Section 10(b) or the SEC’s Rule 10b-5 by pure omission—that is, by mere nondisclosure of material information—unless that omission renders other, affirmative statements by the issuer misleading.  601 U.S. 257, 265 (2024).

Moab Partners, L.P. filed this private securities-fraud action under Section 10(b) and Rule 10b-5 against the defendants, Macquarie Infrastructure Corp. and related individuals and entities, asserting that the nondisclosure of certain information in Macquarie’s SEC filings constituted an actionably misleading omission of material information.  Id. at 261.  The information at issue related to the principal assets of a Macquarie subsidiary, storage terminals for a particular high-sulfur fuel oil.  Id.  The United Nations enacted a 2016 rule that aimed to cap the sulfur content of fuel oil used in shipping, and Macquarie did not disclose in its filings any potential impact of that rule on its subsidiary’s business.  Id.  In February 2018, Macquarie announced that demand for the subsidiary’s storage had decreased due to a decline in the market for the high-sulfur fuel oil, and Macquarie’s stock price dropped by 41%.  Id.

Moab Partners argued that the failure to disclose any risks associated with the 2016 rule violated Macquarie’s duty, under Item 303 of Regulation S-K, to disclose in its annual Form 10-K filing all “known trends or uncertainties that . . . are reasonably likely to have a material . . . impact” on its operations.  Id. at 260, 265.  According to Moab Partners, nondisclosure of a known trend with material implications in violation of Item 303 constituted a materially misleading omission in violation of Rule 10b-5.  See id. at 265.

The Court disagreed, finding no actionable statements or omissions because Moab Partners failed to “plead any statements rendered misleading” by Macquarie’s alleged pure omission.  Id. at 265 (emphasis added).  Because Rule 10b-5 requires only “disclosure of information necessary to ensure that statements already made are clear and complete,” it covers “half-truths,” but not “pure omissions.”  Id. at 264 (emphasis added).  A failure to disclose information required by Item 303 can sustain a Rule 10b-5 claim only when the omission renders other affirmative statements misleading.  Id. at 265.

This holding affirms the longstanding precedent from Basic Inc. v. Levinson that “[s]ilence, absent a duty to disclose, is not misleading under Rule 10b-5.”  Id. (quoting Basic, 485 U.S. 224, 239 n.17 (1988)).  It also clarifies that “[e]ven a duty to disclose . . . does not automatically render silence misleading.”  Id.

2. SEC v. Jarkesy – Successful Constitutional Challenge To SEC’s Method Of Adjudication

On June 28, 2024, the Supreme Court announced its 6-3 decision in SEC v. Jarkesy, holding that the Seventh Amendment right to a jury trial applies in cases where the SEC seeks civil penalties for securities fraud.  144 S. Ct. 2117 (2024).

In the Dodd-Frank Act of 2010, Congress empowered the SEC to seek civil penalties against violators of its antifraud regulations either in federal court or through “in-house” administrative proceedings.  Id. at 2126.  In these in-house proceedings, unlike in federal court, there is no opportunity to have the case heard by a jury, and cases are tried before an SEC-appointed administrative law judge (ALJ), rather than by a Senate-confirmed Article III judge.  Id. at 2125-26.

Respondents George Jarkesy Jr. and Patriot28 LLC were subject to an SEC enforcement action that sought civil penalties for alleged violations of the federal securities laws’ antifraud provisions.  Id. at 2124.  The SEC proceeded against Jarkesy and Patriot28 before an SEC ALJ, rather than in court.  Id. at 2125.  The ALJ ruled for the agency and against the respondents, and after review of the ALJ’s decision, the SEC imposed a penalty of $300,000, ordered disgorgement against Patriot28, and prohibited Jarkesy from participating in the securities industry.  See id. at 2127.

The respondents sought review by the U.S. Court of Appeals for the Fifth Circuit, raising constitutional procedural and structural objections.  See id.  A divided panel of the Fifth Circuit ruled for the respondents, citing three constitutional infirmities.  First, because enforcement of the antifraud securities laws is “akin to . . . traditional” causes of action involving debts, where a defendant historically would have been entitled to a jury trial, a defendant facing antifraud securities claims is entitled to a jury trial.  Jarkesy v. SEC, 34 F.4th 446, 453-54 (5th Cir. 2022).  Second, Congress’s grant of “unfettered” discretion to the SEC to bring enforcement actions in court or administratively was an unconstitutional delegation of power.  Id. at 459.  Third, the agency structure surrounding ALJs restricted the President’s Article II authority, as it gave ALJs two layers of for-cause protection from removal that blocked the President from exercising “adequate power over . . . removal.”  Id. at 463.

The Supreme Court granted certiorari to review all three of the Fifth Circuit’s holdings.  See Brief for Petitioner at i.  However, the Court declined to reach the nondelegation and ALJ-removal questions, affirming the decision below only on the Seventh Amendment issue.  Jarkesy, 144 S. Ct. at 2127-28.

In holding that the respondents were entitled under the Seventh Amendment to a jury trial on these claims, the Court explained that the securities antifraud provisions were intended to “replicate common law fraud” claims that require a jury trial.  See id. at 2127.  The Seventh Amendment jury right extends to all suits that are “legal in nature”—including those that seek monetary damages in order to punish or deter violations, as distinct from equitable relief like disgorgement.  See id. at 2128-30.  The antifraud provisions’ resemblance to common-law fraud claims, and the legal nature of the damages remedy, confirmed that the Framers would have intended the jury right to apply to actions enforcing these provisions.  See id. at 2128-31.

The Court rejected the SEC’s argument that the case fell under the “public rights” exception for cases that “historically could have been determined exclusively by the executive and legislative branches.”  See id. at 2132 (cleaned up).  While its public rights doctrine has not always charted a clear course, the Court explained that the doctrine emphasizes that traditional suits at common law should be adjudicated in courts and has maintained a “presumption . . . in favor of Article III courts.”  Id. at 2134.  Thus, even modern regulatory suits modeled after traditional legal claims should remain with Article III courts, no matter where Congress might have assigned them.  See id. at 2131, 2135-36.

As the Court explained in conclusion, “a defendant facing a fraud suit has the right to be tried by a jury of his peers before a neutral adjudicator.”  Id. at 2139.  Because the SEC’s enforcement action against the respondents involved similar fraud-related claims, the proceeding before an SEC ALJ had violated the respondents’ Seventh Amendment rights.

B. Grants Of Certiorari

1. Facebook, Inc. v. Amalgamated Bank – Whether Risk Disclosures Must Acknowledge Past Incidents

On June 10, 2024, the Supreme Court granted the petition for a writ of certiorari in Facebook, Inc. v. Amalgamated Bank, a private securities-fraud class action challenging the adequacy of Facebook’s disclosures about third-party use of personal data.

The plaintiff shareholders allege that Facebook made fraudulent misstatements in filings where it purportedly characterized the risk that third parties might misuse Facebook user data as a “hypothetical” risk.  Petition for Writ of Certiorari at 10, Facebook, Inc. v. Amalgamated Bank, No. 23-980 (Mar. 4, 2024).  The plaintiffs contend the risk had already materialized through third parties’ actual misuse of Facebook user data.  Id.

In the decision below, the Ninth Circuit ruled that a risk disclosure is materially misleading when it fails to disclose that the identified risk has materialized in the past, even if that past event presents no known risk of harm to the company.  In re Facebook, Inc. Sec. Litig., 87 F.4th 934, 949-50 (9th Cir. 2023).  The Circuit explained that “[b]ecause Facebook presented the prospect of a breach as purely hypothetical when it had already occurred, such a statement could be misleading even if the magnitude of the ensuing harm was still unknown.”  Id. at 950.

According to the petition, this holding placed the Ninth Circuit at odds with its sister circuits.  As Facebook argued, the First, Second, Third, Fifth, Tenth, and D.C. Circuits have all held that companies must disclose risks that materialize only when the company knows, or believes with near certainty, that the materialized risk will harm the business.  Petition at 19-22.  The Sixth Circuit, on the other hand, has held that companies are not required to disclose when risks materialized in the past because “[r]isk disclosures like the ones accompanying 10-Qs and other SEC filings are inherently prospective in nature.”  Id. at 18 (quoting Bondali v. Yum! Brands, Inc., 620 F. App’x 483, 491 (6th Cir. 2015)).

Gibson Dunn represents the petitioners in this case, which has been scheduled for oral argument on November 6, 2024.

2. NVIDIA Corp. v. E. Ohman J:or Fonder AB – PSLRA Pleading Standards For Scienter and Falsity

On June 17, 2024, the Supreme Court granted the petition for a writ of certiorari in NVIDIA Corp. v. E. Ohman J:or Fonder AB, another private securities-fraud class action originating in the Ninth Circuit involving alleged violations of Section 10(b) and Rule 10b-5.  This case raises two questions regarding the pleading standard for private class actions under the Private Securities Litigation Reform Act of 1995 (PSLRA).

This case was brought by investment management fund E. Öhman J:or Fonder AB and other investors against NVIDIA, a producer of graphics processing units (GPUs).  As alleged in the plaintiffs’ complaint, NVIDIA’s GPUs include the “GeForce” branded GPU, which is designed and marketed for use in video gaming, but which began around 2017 to also be used for mining cryptocurrency.  E. Ohman J:or Fonder AB v. NVIDIA Corp., 81 F.4th 918, 924-27 (9th Cir. 2023); Petition for Writ of Certiorari at 8, NVIDIA Corp. v. E. Ohman J:or Fonder AB, No. 23-970 (Mar. 4, 2024).  Plaintiffs alleged that NVIDIA’s CEO and other defendants made statements that misrepresented the connection between the company’s increased revenues and the fact that cryptocurrency miners—not just video game players—were purchasing GeForce GPUs.  E. Ohman J:or Fonder AB, 81 F.4th at 925.  Because the demand for GPUs tied to cryptocurrency mining has been “extremely volatile,” subject to changes in the price of cryptocurrency, the company’s denials of a link between its growth and cryptocurrency-related usage were allegedly material to investors and analysts.  See id. at 924-27.   

To support their claims that NVIDIA had knowingly or recklessly misled investors about the source of demand for GeForce GPUs, plaintiffs’ amended complaint relied heavily on witness statements from former NVIDIA employees and the independent analysis of an expert consulting firm.  Id. at 929-30, 937-39.  The district court dismissed the amended complaint, finding the plaintiffs had not adequately pleaded the element of scienter under the PSLRA, specifically that plaintiffs’ allegations that NVIDIA as a company had access to certain sales and usage data did not plausibly show that each individual defendant had access to that data, and thus spoke with knowledge or recklessness of falsity.  Iron Workers Local 580 Joint Funds v. NVIDIA Corp., 522 F. Supp. 3d 660, 674-75 (N.D. Cal. 2021).  The Ninth Circuit reversed, reinstating the amended complaint as to NVIDIA’s CEO based on specific statements from former employees about the company and the CEO’s practices.  E. Ohman J:or Fonder AB, 81 F.4th at 937-40.  The Ninth Circuit also held that the amended complaint adequately alleged falsity, where it relied primarily on a post hoc expert analysis of NVIDIA’s reported revenues compared to the statements by company insiders at the time.  Id. at 930-32.

In NVIDIA, the Supreme Court will consider two questions regarding pleading standards under the PSLRA.  First, petitioners, NVIDIA and its CEO, argue that a circuit split exists on the standard for pleading scienter:  namely, whether plaintiffs who seek to rely on “internal company documents must plead with particularity the contents of these documents.”  Petition at i.  Second, petitioners also claim to identify a new circuit split, created by the decision below, on the element of falsity:  whether the PSLRA’s falsity requirement may be satisfied at the pleading stage by expert opinions, in lieu of particularized allegations of fact.  Id.

Oral argument in NVIDIA is scheduled to be held on November 13, 2024.

III. Delaware Developments

A. The Delaware Supreme Court Underscores The Importance Of Fully Informed Stockholders Under MFW

Two recent Delaware Supreme Court cases emphasize (1) the importance of disclosing conflicts of interest when seeking to fully inform stockholders, and (2) that Delaware courts pay close attention to claims that a minority was fully informed when an entity seeks to obtain business judgment review by employing the procedural devices set forth in Kahn v. M&F Worldwide Corp., 88 A.3d 635 (Del. 2014) (MFW).

In City of Dearborn Police & Fire Revised Retirement System v. Brookfield Asset Management Inc., plaintiffs brought breach of fiduciary duty claims related to a squeeze-out merger.  314 A.3d 1108, 1113 (Del. 2024) (en banc).  The trial court dismissed plaintiff’s complaint after concluding defendants complied with MFW’s requirements and applying the business judgment rule.  Relevant here, plaintiffs claimed on appeal that the “trial court erred in finding that MFW was satisfied because they failed to adequately plead that the proxy statement was materially deficient.”  Id.

Affirming in part and reversing in part, the en banc Supreme Court agreed that the proxy statement omitted important information.  Among other things, it held that the “minority stockholders were not adequately informed of certain alleged conflicts of interest between the special committee’s advisors and the counterparty to the Merger.”  Id.  For example, the proxy failed to disclose that Morgan Stanley—which the controlled target entity’s (TerraForm) special committee retained—had a $470 million stake in Brookfield (TerraForm’s controller).  In the Supreme Court’s view, “the $470 million investment, when viewed from the perspective of a reasonable stockholder, was material and should have been disclosed.”  Id. at 1133.  Similarly, the proxy failed to disclose that Kirkland & Ellis LLP—the law firm TerraForm’s special committee retained—had previously represented “Brookfield and its affiliates” and was “concurrent[ly] represent[ing] . . . a Brookfield affiliate on an unrelated transaction.”  Id. at 1134.  And, again, the Supreme Court held that “it [wa]s reasonably conceivable that the details of Kirkland’s conflicts, and particularly, the concurrent conflict, were material facts for stockholders that required disclosure.”  Id.

City of Sarasota Firefighters’ Pension Fund v. Inovalon Holdings, Inc. is similar in several respects.  2024 WL 1896096 (Del. May 1, 2024) (en banc).  There, plaintiffs “asserted several breach of fiduciary duty claims, an unjust enrichment claim, and a claim alleging a breach of the Company’s charter” in connection with “an acquisition of Inovalon Holdings, Inc. . . . by a private equity consortium led by Nordic Capital.”  Id. at *1.  As in Brookfield, the Court of Chancery dismissed the complaint after finding “the requirements of MFW were met.”  Id. at *8.  And, as in Brookfield, the Delaware Supreme Court disagreed.  Among other things, the Supreme Court explained that the proxy failed to adequately disclose the special committee’s advisors’ conflicts of interest.  Id. at *15.  Inovalon further underscores the importance of disclosing a special committee’s advisors’ conflicts of interest if an entity wishes to benefit from MFW and the business judgment rule.

B. The Delaware Supreme Court Addresses Advance Notice Bylaws

In Kellner v. AIM ImmunoTech, Inc., the Delaware Supreme Court provided helpful insight into how Delaware courts will review advance notice bylaws.  __ A.3d __ , 2024 WL 3370273 (Del. 2024).  As explained in our 2023 Year-End Update, the Court of Chancery invalidated several advance notice bylaws that AIM’s Board adopted in connection with a group of stockholders’ activism campaign and proxy contest efforts, reinstated a prior version of one of the bylaws, and then “upheld the board’s rejection of [a stockholder’s] third nomination notice because it failed to comply with the two advance notice bylaws left standing.”  Id. at *1.

On appeal, the Delaware Supreme Court affirmed in part and reversed in part.  It began by noting the two-part inquiry for assessing challenges to “the adoption, amendment, or enforcement of a Delaware corporation’s advance notice bylaws”: (1) “whether the advance notice bylaws are valid as consistent with the certificate of incorporation, not prohibited by law, and address a proper subject matter,” and (2) “whether the board’s adoption, amendment, or application of the advance notice bylaws were equitable under the circumstances of the case.”  Id.  The Supreme Court then analyzed the trial record and concluded the advance notice bylaws at issue on appeal were invalid or unenforceable.  Id. at *2.

On validity, the Court explained, among other things, that the “DGCL places minimal procedural and substantive requirements on stockholders and directors when addressing bylaws,” that bylaws are “presumed to be valid,” and that a plaintiff challenging a bylaw “must demonstrate that the bylaw cannot operate lawfully under any set of circumstances.”  Id. at *9-11.  Measured against that lenient standard, the Supreme Court concluded that one bylaw, composed of a single 1,099-word sentence, was unintelligible and thus invalid, as “[a]n unintelligible bylaw is invalid under ‘any circumstances.’”  Id. at *15 (citation omitted).  By contrast, the Supreme Court had “no trouble” concluding the remaining bylaws were valid “because they [we]re consistent with the certificate of incorporation, not prohibited by law, and address[ing] a proper subject matter.”  Id. at *2, *15.

On enforceability, the Supreme Court reiterated that a finding of facial validity does not preclude a finding of inequity.  The Supreme Court then concluded that the board’s actions were inequitable because “it adopted the amended bylaws for the primary purpose of interfering with, and ultimately rejecting, [the at-issue] nominations.”  Id. at *2.  For example, the Supreme Court reviewed the “agreement, arrangement, or understanding” (AAU) provision and agreed with the Court of Chancery that the “SAP [stockholder associated person] term” included in the AAU provision was unreasonable.  That provision “require[d] a nominator to disclose not only personal knowledge but also to take steps to gather information about agreements and understandings between any members of potentially limitless class of third parties and individuals unknown to the nominator.”  Id. at *16-17.  In other words, “the nominating stockholder must not only respond based on personal knowledge, but also an ill-defined daisy chain of persons.”  Id. at *18.  The AAU provision thus “functioned as a ‘tripwire’ rather than an information-gathering tool and ‘suggest[ed] an intention to block the dissident’s effort.’”  Id. at *17 (quoting Kellner v. AIM ImmunoTech Inc., 307 A.3d 998, 1031 (Del. Ch. 2023)).  Indeed, the SAP term affected all the valid bylaws, rendering each problematic.  Id. at *17-18.  Nonetheless, in light of the Court of Chancery’s “findings about [a stockholder’s] and his nominees’ deceptive conduct,” the Supreme Court concluded that “no further action [wa]s warranted.”  Id. at *18.

C. Court Of Chancery Issues Novel Ruling Regarding The Exercise Of Stockholder-Level Voting Power By A Controller

On January 4, 2024, the Delaware Court of Chancery issued a novel post-trial decision addressing what it described as “fascinating” dynamics related to a controlling stockholder and a special committee.  In re Sears Hometown & Outlet Stores, Inc. S’holder Litig., 309 A.3d 474, 483 (Del. Ch. 2024).

Sears Hometown and Outlet Stores, Inc., a controlled public company, had two business segments, one of which was “good” and one of which was “bad.”  Id. at 483.  When the controller and a special committee disagreed over how to deal with that divergence, the controller “used his voting power as a stockholder to adopt a bylaw amendment” that complicated—but did not preclude—the special committee’s ability to implement its preferred plan (liquidation of the “bad” business).  Id.  As the Court explained, the bylaw “ensured that the controller [would] ha[ve] a window to act . . . if the board pursued it[s plan].”  Id.  In addition, the controller removed “two of the three members of the [s]pecial [c]ommittee” who had “been the most vocal” about the liquidation and replaced them with two individuals he “could be confident . . . . would support his interests.”  Id. at 519.  As the controller acknowledged at trial, “he had no intention of letting the liquidation plan become reality.”  Id. at 483.

With the special committee’s preferred plan effectively off the table, the controller negotiated a transaction with the special committee that ended up eliminating the minority stockholders’ interest in the company.  Id. at 502-03.  The transaction was not conditioned on a majority of the minority vote, and the board was not permitted to “terminate the agreement to accept a superior proposal.”  Id. at 503.

In assessing the events that transpired, the Court noted that, until its decision, “Delaware law [had] not clearly state[d] what standard of review (if any) applies to a controller’s exercise of stockholder voting power.”  Id. at 483.  To the contrary, “[s]ome authorities suggest[ed] a controller owes no fiduciary duties when voting,” while “[o]ther authorities appl[ied] a fiduciary framework without spelling out the details.”  Id.

Ultimately, the Court decided: (1) “[a] controller does not owe any enforceable duties when declining to vote or when voting against a change to the status quo”; (2) “when exercising stockholder-level voting power” to change the status quo, “a controller owes a duty of good faith that demands the controller not harm the corporation or its minority stockholders intentionally”; (3) a “controller . . .  owes a duty of care that demands the controller not harm the corporation or its minority stockholders through grossly negligent action”; and (4) “enhanced scrutiny should apply” when a “controller t[akes] action that invade[s] the space typically reserved for the board of directors.”  Id. at 483-84, 510, 512.

The Court also contrasted a controller’s duties with those of a director.  It noted that whereas “[d]irectors . . . must act affirmatively to promote the best interests of the corporation, and they must subjectively believe that the actions they take serve that end,” “[a] controller need not meet that higher standard when exercising stockholder-level voting rights.”  Id.

Applying these principles to the facts of the case, the Court concluded first that the controller “did not breach his fiduciary duties when he engaged in” the interventions discussed above, as he “acted in good faith to protect the Company from a threat of value-destruction,” “identified that threat in good faith, after a reasonable investigation,” and “then responded with a means that fell within the range of reasonableness.”  Id. at 519.  As the Court explained, “[i]f nothing else had happened, and if the Company had merely continued operating as it had before the [c]ontroller [i]nterven[ed], then judgment would [have] be[en] entered for the defendants.”  Id.

But something else did happen.  The controller ended up “acquiring the [c]ompany and eliminating the minority stockholders from the enterprise” in the process.  Id.  Given this, the Court evaluated the transaction under the entire fairness standard.  Id. at 519-20.  Under that standard, the Court concluded that both the price and process were unfair and held the controller and his co-defendants jointly and severally liable for “the difference between the transaction price and the ‘true’ value of the firm.”  Id. at 539-41.

D. Court Of Chancery Concludes Plaintiff Failed To Allege Owner Of 26.7% Of Common Stock Was A Controller

In Sciannella v. AstraZeneca UK Limited, the Court of Chancery dismissed a putative class action brought by a former stockholder of Viela Bio, Inc. alleging fiduciary duty breaches by the directors, officers, and former parent company of Viela in connection with their roles “in selling [Viela] to affiliates of Horizon Therapeutics plc.”  2024 WL 3327765, at *1 (Del. Ch. July 8, 2024).  One central issue was whether AstraZeneca, “which owned 26.7% of Viela’s outstanding common stock,” “was a controlling stockholder at the time of the [at-issue] transaction.”  Id.

In its opinion, the Court found that the “complaint fail[ed] to plead facts to support a reasonable inference” that AstraZeneca was a controlling stockholder.  Id.  To that end, the Court rejected plaintiff’s claim that the combination of various factors demonstrated that AstraZeneca exercised both general and transaction-specific control.

For example, plaintiff claimed that “AstraZeneca’s equity stake” and “blocking rights” indicated AstraZeneca was a controller.  Id. at *17-18.  The Court disagreed, finding that a 25% stake and certain blocking rights did not “contribute to an inference of control” because “AstraZeneca only had the right to veto bylaw amendments initiated by stockholders, and then only if the Board did not recommend them.”  Id.

Plaintiff also pointed to AstraZeneca having appointed two of Viela’s eight directors and the fact that other defendants had relationships with AstraZeneca, such as by investing in Viela and being previously employed by AstraZeneca.  Id. at *19.  Again, the Court found these allegations inadequate, either because they were conclusory or insufficient to support a reasonable inference that AstraZeneca dominated the decision-making process.  Id. at *19-20.

Plaintiff also highlighted “Support Agreements,” through which AstraZeneca provided support to Viela’s day-to-day operations, including through supply, licensing, and transition services agreements.  Id. at *21.  Although the Court agreed that these agreements meant “Viela substantially depended on AstraZeneca” in various respects, it nonetheless concluded that plaintiff had not alleged “facts from which it is reasonable to infer that [AstraZeneca] could prevent the [Viela Board] from freely exercising its independent judgment in considering the proposed [M]erger.”  Id. at *22 (citation omitted) (alterations in original).

E. Court Of Chancery Issues Opinion In A Suit Alleging Fiduciary Duty Breaches In Connection With Conversion

Palkon v. Maffei addressed the decisions of two Delaware corporations—both of which were controlled by Gregory B. Maffei—“to convert . . . into . . . Nevada corporation[s].”  311 A.3d 255, 261 (Del. Ch. 2024), cert. denied, 2024 WL 1211688 (Del. Ch. Mar. 21, 2024).  The two entities were TripAdvisor and Liberty TripAdvisor Holdings, Inc.  Liberty owned all of TripAdvisor’s Class B common stock and 21% of its Class A Shares.  Id. at 264.  As a result, it “exercise[d] 56% of the [TripAdvisor’s] outstanding voting power.”  Id.  Maffei, Liberty’s CEO and Chairman, “beneficially own[ed] Series B shares carrying 43% of [its] voting power.”  Id.  For purposes of the motion to dismiss, “defendants concede[d] that Maffei control[ed] both [Liberty] and TripAdvisor.”  Id.

Plaintiffs sued, alleging fiduciary duty breaches in connection with the conversion.  Id. at 268.  They also sought an injunction.  Id. at 266.  The Court of Chancery denied defendants’ motion to dismiss after determining entire fairness was the appropriate standard of review, while also denying plaintiffs’ request for an injunction.  Id. at 262.

Accepting the allegations in the complaint, the Court explained Maffei effectuated a transaction through which he and the directors received a non-ratable benefit—namely, a “reduction in the unaffiliated stockholders’ litigation rights.”  Id. at 261.  The absence of a “price” was irrelevant in the Court’s view because entire fairness considers substantive fairness and procedural fairness, and the “floor for substantive fairness is whether stockholders receive at least the substantial equivalent in value of what they had before”—meaning no price is necessary.  Id. at 262.

The Court then concluded the plaintiff had pled facts making it reasonably conceivable that the transaction was both substantively and procedurally unfair.  On the former, the Court explained that “the stockholders held shares carrying the bundle of rights afforded by Delaware law, including a set of litigation rights” before the conversion, and, “[a]fter the conversion, the stockholders owned shares carrying a different bundle of rights afforded by Nevada law, including a[n allegedly] lesser set of litigation rights.”  Id.  On the latter, the Court explained that “the goal of procedural fairness is to replicate arm’s length bargaining,” but that defendants made no “effort to replicate arm’s length bargaining.”  Id. at 281.  Instead, “[m]anagement proposed the conversions, the Board recommended them, and [Liberty] and Maffei approved them.”  Id.

The Court nonetheless denied plaintiffs’ requests for an injunction.  It found, under the circumstances of the case, that other remedies, such as money damages, could adequately compensate plaintiffs for any losses.  Id. at 286-87.

F. Executive Compensation And Post-Trial Ratification – Tornetta v. Musk And Subsequent Developments

The Court of Chancery in Tornetta v. Musk ordered the rescission of Elon Musk’s compensation plan after concluding Musk controlled Tesla with respect to the compensation plan and that defendants failed to prove that Musk’s 2018 compensation plan was entirely fair.  310 A.3d 430 (Del. Ch. 2024).  For further details, please see Gibson Dunn’s February 5, 2024 Client Alert.

Several months after the Court’s decision, at its annual stockholders’ meeting, Tesla stockholders approved the ratification of Musk’s pay package.  See Press Release, Tesla Releases Results of 2024 Annual Meeting of Stockholders, Tesla (June 13, 2024), https://ir.tesla.com/press-release/tesla-releases-results-2024-annual-meeting-stockholders.  The Court has ordered expedited briefing “on the effect of the Tesla stockholders’ June 13, 2024, vote on this action.”  Tornetta v. Musk, 2024 WL 3200483, at *1 (Del. Ch. June 27, 2024).  With many questions yet to be answered, Gibson Dunn will continue monitoring the case and report on any future developments.

G. Stockholder Agreements And DGCL Section 141 – Moelis And Its Aftermath

As discussed in our February 28, 2024 Client Alert, the Court of Chancery, in West Palm Beach Firefighters’ Pension Fund v. Moelis & Company, ruled on the validity of pre-approval requirements and board- and committee-related designation rights included in a stockholder agreement between a public company and its founder that was entered into before the company went public.  311 A.3d 809 (Del. Ch. 2024).  In short, the Court held that the pre-approval requirements and board- and committee-related designation provisions violated one or more subsections of Section 141 of the DGCL because they had “the effect of removing from directors in a very substantial way their duty to use their own best judgment on management matters” or “tend[ed] to limit in a substantial way the freedom of director decisions on matters of management policy.”  Id. at 818 (quoting Abercrombie v. Davies, 123 A.2d 893, 899 (Del. Ch. 1956), rev’d on other grounds, 130 A.2d 338 (Del. 1957)).

At the close of its opinion, the Court noted that the Delaware “General Assembly could enact a provision stating what stockholder agreements can do.”  Id. at 881.  The General Assembly seemingly took heed.  In July 2024, the General Assembly passed S.B. 313, which contained what is now Section 122(18) of the DGCL.  As set forth in the bill’s synopsis, Section 122(18) “specifically authorizes a corporation to enter into contracts with one or more of its stockholders or beneficial owners of its stock, for such minimum consideration as approved by its board of directors, and provides a non-exclusive list of contract provisions by which a corporation may agree to.”

IV. Federal SPAC Litigation

In the first half of 2024, the number of SPAC IPOs and the value of de-SPAC transactions have decreased significantly since their peak in 2021 (as noted in our Securities Litigation 2023 Mid-Year Update), with only 20 SPAC IPOs as of the end of July (see SPAC Statistics by SPAC Insiders).  De-SPAC transactions, however, have given rise to significantly more securities class actions than other IPOs (see Securities Class Action Trends 2023: Not a Repeat of Year 2022).  In this mid-year update, we first discuss the SEC’s latest rule applicable to SPACs, which has likely changed the litigation landscape moving forward.  Next, we look back to the first half of 2024, in which many courts have taken a fact-specific approach to SPAC litigation and have not announced any broadly applicable legal doctrines specific to SPAC litigation.

A. SEC’s Special Purpose Acquisition Companies, Shell Companies, and Projections Final Rule

On January 24, 2024, the U.S. Securities and Exchange Commission (the “Commission”), by a three-to-two vote, adopted new rules, most notably a new subpart 1600 to Regulation S-K, and amendments to certain existing rules under the Securities Act, the Securities Exchange Act, Regulation S-K, Regulation S-T, and Regulation S-X to enhance disclosure and investor protections in SPAC IPOs and subsequent de-SPAC transactions.  Special Purpose Acquisition Companies, Shell Companies, and Projections, 17 C.F.R. §§ 210, 229, 230, 232, 240, 249 (2024) (SPAC Rule).  The Gibson Dunn team provided its analysis on the Final Rules earlier this year.  See Feb. 2, 2024 Client Alert.

1. Key Provisions

The Final Rules overhaul the protections previously available in SPAC IPOs.  The four key components of the Final Rules are as follows:

  • Disclosure and Investor Protection. The Final Rules impose specific disclosure requirements with respect to, among other things, compensation paid to sponsors, potential conflicts of interest, shareholder dilution, and the fairness of the business combination, for both SPAC IPOs and de‑SPAC transactions.
  • Business Combinations Involving Shell Companies. Under the Final Rules, the Commission now deems a business combination transaction involving a reporting shell company and a private operating company as a “sale” of securities under the Securities Act of 1933, as amended (the “Securities Act”).  The Final Rules also amend the financial statement requirements applicable to transactions involving shell companies, and amend the previous “blank check company” definition to make clear that SPACs cannot rely on the safe harbor provision against a private right of action for forward-looking statements under the Private Securities Litigation Reform Act of 1995, as amended (the PSLRA), when marketing a de-SPAC transaction.
  • The Final Rules amend the Commission’s guidance on the presentation of projections in any filings with the Commission (not only on de-SPAC transactions, but affecting all projections disclosed in reports filed with the Commission) and add new guidance only for de-SPAC transactions, in both instances to address the reliability of such projections.
  • Status of SPACs under the Investment Company Act of 1940. The Commission did not adopt its proposed safe harbor rule under the Investment Company Act, which would have exempted a SPAC from being treated as an “investment company” as long as the SPAC met certain subjective criteria, related to, among other things, the nature and management of the assets held by the SPAC, and the SPAC’s general purpose. Instead, the Commission takes the position that whether a SPAC falls under the definition of investment company depends on specific facts and circumstances, and provides general guidance on what actions might cause a SPAC to be an “investment company.”

2. SPAC Rule In Securities Litigation

Since the Final Rules were announced in January 2024, even before they went into effect in July, some litigants have sought to use the Rules to advance their positions in ongoing cases.  For instance, multiple SPAC defendants facing challenges to their financial disclosures have argued that the Final Rules excuse SPAC companies from having to disclose their “net-cash per share” calculation.  See, e.g., Opening Br. in Supp. of Def.’s Mot. to Dismiss, In re AST SPACEMOBILE, INC., S’holder Litig., No. 2023-1292, at *48-49 (Del. Ch. Mar. 15, 2024) (highlighting that the SEC “has reevaluated its SPAC-related disclosure requirements and explicitly rejected net cash per share as a required calculation,” because “‘[n]et cash per share has aspects that make it less useful for investors’ than other measures of dilution”); Def.’s Br. in Supp. of their Am. Mot. to Dismiss the Verified Am. Class Action Compl., Schacter v. N. Genesis Sponsor, LLC, No. 2023-1112, at *14 n.8 (Del. Ch. Apr. 25, 2024) (noting the Final Rules are not adding an “explicit net cash per share disclosure requirement,” but only requiring that shareholders “should have the information to perform this calculation based on the disclosure provided in connection with net tangible book value per share, as adjusted”).

Other parties have relied on the Final Rules to clarify that the PSLRA’s safe harbor, 15 U.S.C. § 78u–5, which protects forward-looking statements “accompanied by meaningful cautionary language,” no longer applies to SPACs.  See, e.g., Appellant’s Reply Br., In re Danimer Scientific, Inc., No. 23-7674, at *20 (2d Cir. Apr. 10, 2024) (arguing the safe harbor is not available to defendants because the Final Rules “[m]ake the PSLRA safe harbor unavailable to SPACs . . . by defining ‘blank check company’ to encompass SPACs (and other companies that would be blank check companies but for the fact that they do not sell penny stock)”).  The rule does not have retroactive effect, see 89 Fed. Reg. at 14158, and some courts have analyzed whether cautionary statements found in SPACs’ proxy statements were protected forward-looking statements—albeit prior to the Final Rule taking effect.  For instance, in In re Grab Holdings Ltd. Securities Litigation, the Court analyzed whether the PSLRA safe harbor applied to the seven pre-merger statements contained in a SPAC’s proxy statement.  2024 WL 1076277, at *1 (S.D.N.Y. Mar. 12, 2024).  The Court found that, although some of the statements were forward-looking and cautionary, the safe harbor did not extend to statements about future risk when plaintiff failed to disclose that the risk had transpired.  See id. at *18.  Notably, it is too early to determine the consequences the Final Rules will have on SPAC litigation: the Final Rules do not have retroactive effect and went into effect recently, on July 1, 2024.  89 Fed. Reg. at 14158.  We will continue to analyze the Final Rules’ effect in future securities litigation updates.

B. 2024 SPAC-related Securities Litigation

Although the filing of SPAC-related litigation has slowed, courts have issued at least eight SPAC-related opinions in the first half of 2024.  Of those cases, three have been dismissed entirely for failing to allege a securities claim.  Five of those cases have survived a motion to dismiss.  In the below sections, we highlight some of these district court cases.

1. SPAC Claims Dismissed

In cases dismissing SPAC-related securities fraud claims, courts have thus far rejected plaintiffs’ attempts to develop any hard-and-fast SPAC laws.  For instance, in In re Lottery.com, Inc. Securities Litigation, a district court in the Southern District of New York noted plaintiffs’ arguments that “SPACs are uniquely fraud-enabling” but ultimately rejected finding scienter on that basis alone, saying that it was “unprepared to hold here that SPACs are an exception to the general principle that the prospect of a public offering, standing alone, is insufficient to establish motive.”  2024 WL 454298, at *32 (S.D.N.Y. Feb. 6, 2024).  Likewise, in Shafer v. Lightning eMotors, Inc., the Court found plaintiffs failed to allege the pre-de-SPAC transaction statements were false when made, and otherwise found nothing inherently fraudulent about the de-SPAC transaction.  2024 WL 691458, at *6-20 (D. Colo. Feb. 20, 2024), report and recommendation adopted, 2024 WL 1509166, at *1 (D. Colo. Mar. 26, 2024).  In Mehedi v. View, Inc., the Northern District of California dismissed plaintiffs’ Sections 10(b) and 14(a) claims because plaintiffs could not allege that their harms were caused by the allegedly misleading proxy statement connected with a de-SPAC transaction.  2024 WL 3236706, at *7–20 (N.D. Cal. June 28, 2024).  In one derivative action, a California district court found that when a plaintiff owned stock in a SPAC prior to its acquisition of a company in a de-SPAC transaction, plaintiff had standing to bring a derivative claim on behalf of the acquired entity.  In re Faraday Future Intelligent Elec. Inc. Derivative Litig., 2024 WL 404495, at *1 (C.D. Cal. Jan. 22, 2024).  The Court dismissed the derivative claim, however, because plaintiffs failed to make a pre-litigation demand on the company.  Id. at *14.  Below we include more thorough case descriptions.

In re Lottery.com, Inc. Sec. Litig., 2024 WL 454298 (S.D.N.Y. Feb. 6, 2024): Investors filed an action against a SPAC (Trident), the online lottery company that merged with Trident (Lottery), and certain of the SPAC’s and company’s current and former officers.  Id. at *1-2.  Investors alleged that Lottery and its officers made false statements, both before and after the merger, regarding its internal financial controls and its financial performance.  Id. at *6-10.  Plaintiffs brought claims pursuant to Section 10(b), Section 20(a), and Section 14(a).  Id. at *1.  Defendants moved to dismiss the Section 10(b) claim, arguing that plaintiffs had failed to establish falsity and scienter.  Id. at *13.  As to falsity, the Court dismissed claims based on the pre-merger compliance statements, finding they were “akin to other statements about regulatory compliance and integrity that courts have deemed non-actionable puffery,” id. at *16, and dismissed claims based on the pre-merger financial statements as they were “forward looking statements . . . accompanied by sufficient cautionary language,” id. at *17.  As to the post-merger financial statements, the Court held for plaintiffs, finding that “each of the post-merger financial-performance-related statements was false [or misleading] at the time it was made,” based on Lottery’s own admission in a later-filed Form 8-K that the post-merger financial statements at issue “overstated [the] available unrestricted cash balance,” “improperly recognized revenue in the same amount,” and thus “should no longer be relied upon.”  Id. at *22 (cleaned up).  Importantly, the Court refused to hold, as defendants wished, that “a statement believed to be true when made, but later shown to be false, is insufficient to establish that a statement of fact is false for purposes of Section 10(b) and Rule 10b-5.”  Id. at *21 (internal quotations omitted).
In other words, “[w]hether Defendants knew of their falsity when making the statements is the scienter question, not the falsity question.”  Id. at *22 (internal quotations omitted).  However, the Court found that plaintiffs had failed to adequately plead scienter as to all the statements, finding that “‘[t]he existence, without more, of executive compensation dependent upon stock value does not give rise to a strong inference of scienter.’”  Id. at *31 (quoting Acito v. IMCERA Grp., Inc., 47 F.3d 47, 54 (2d Cir. 1995)).  “The Court does not ignore Plaintiffs’ allegations that SPACs are uniquely fraud-enabling . . . [but] is unprepared to hold that SPACs are an exception to the general principle that the prospect of a public offering, standing alone, is insufficient to establish motive.”  Id. at *32.  The Court also did not find plaintiffs had sufficiently pled conscious misbehavior or recklessness on the part of defendants.  Id. at *35.  The Court dismissed the complaint but granted leave to amend.  Id. at *37.

Shafer v. Lightning eMotors, Inc., 2024 WL 691458 (D. Colo. Feb. 20, 2024), report and recommendation adopted, 2024 WL 1509166 (D. Colo. Mar. 26, 2024): Plaintiffs brought a securities fraud class action on behalf of investors in Lightning eMotors against Lightning, “certain of its officers and directors, and the officers, directors, and certain affiliates of the company’s predecessor entity, GigCapital3, Inc.”  Id. at *1.  Investors alleged that defendants “attempted to set their SPAC apart by selling investors on what they referred to as their ‘unique’ approach to private equity in the SPAC’s registration statement and prospectus filed with the SEC.”  Id. at *2.  The complaint alleged “plaintiffs state[d] that this strategy worked as GigCapital3 successfully raised $200 million through its IPO” before merging with Lightning Systems through a de-SPAC transaction.  Id.  “Defendants allegedly sold the deal with Lightning Systems to investors as an ideal match: not only was Lightning Systems’ management a good candidate for the ‘Mentor-Investor’ approach supposedly employed by the GigCapital team, but the company itself was on the cusp of massive growth.”  Id.  Defendants allegedly continued to make misleading statements until “GigCapital3 issued and disseminated the definitive proxy requesting that eligible shareholders vote to approve the business combination with Lightning Systems.”  Id.  Plaintiffs alleged that, in truth, “Lightning Systems was not well-positioned to rapidly scale its operations” and that defendants “knew or were reckless in not knowing” its projected financials were unachievable.  Id. at *3.  So too were representations that “the GigCapital3 team would remain engaged in the post-combination company.”  Id. at *2.  The Court granted the motion to dismiss, finding that plaintiffs failed to adequately allege that the statements at issue were false or materially misleading when made.  Id. at *6-18.
Further, the Court dismissed plaintiffs’ claim that defendants’ misstatements were part of a fraudulent scheme to unfairly profit from a business combination in violation of Rules 10b-5(a) and 10b-5(c) under the Exchange Act, first and foremost because “it [was] unclear what fraudulent or deceitful conduct [independent of the misleading statements] occurred.”  Id. at *20 (emphasis in original).

Mehedi v. View, Inc., 2024 WL 3236706 (N.D. Cal. June 28, 2024): This is a securities fraud suit brought by investors against View, Inc., which went public through a de-SPAC transaction with CF II (the SPAC), and certain officers and directors of View and CF II.  “Plaintiffs allege that Defendants made material misrepresentations to investors concerning a materially misstated and understated warranty accrual related to Legacy View’s ‘smart panels.’”  Id. at *1.  We first discussed Mehedi in our 2023 Mid-Year Update when the Court granted defendants’ motions to dismiss.

Plaintiffs have since amended their complaint, and the Court again dismissed most of the claims with the exception of plaintiffs’ Section 20(a) claims against certain directors and officers at View and CF II.  Id. at *22.  “On August 16, 2021, five months after going public, View announced that its Audit Committee began an independent investigation concerning the adequacy of the company’s previously disclosed warranty accrual and that View would not file its Form 10-Q for the second fiscal quarter of 2021.”  Id. at *1 (internal citations omitted).  “On November 9, 2021, View announced that the Audit Committee ha[d] now substantially completed its independent investigation and has concluded that the Company’s previously reported liabilities associated with all warranty-related obligations and the cost of revenue associated with the recognition of those liabilities were materially misstated.”  Id. (internal citations omitted).  View also announced that it would release updated financial statements and that its CFO resigned.  Id.  The lead plaintiff, Stadium Capital, sold all of its stock on September 24, 2021.  Id. at *8.  In its motion to dismiss opinion, the Court held that Stadium Capital could not attribute its losses to the August 16, 2021 announcement because the “initial disclosure of an investigation can[not] qualify as a corrective disclosure” and further because Stadium Capital sold its stock before the truth was revealed, and thus it cannot plead loss causation.  Id. at *9.  Plaintiffs’ Section 10(b) claims were accordingly dismissed.  Id. at *12.  Regarding plaintiffs’ Section 14(a) claim, the Court found that “Stadium Capital sold all of” the shares it purchased pursuant to the Proxy Statement “on March 9, 2021, well before the truth of any alleged misstatements was revealed.” Id. at *16.  
“Although Stadium Capital bought more View stock, any alleged economic harm from those purchases was not caused by the Proxy Statement because those purchases occurred after the vote solicited by the Proxy Statement.”  Id.  “Thus, any loss that Stadium Capital suffered was not caused by any alleged misstatements in the Proxy Statement, and Stadium Capital has failed to allege loss causation.”  Id.

In re Faraday Future Intelligent Elec. Inc. Derivative Litig., 2024 WL 404495 (C.D. Cal. Jan. 22, 2024): Two investors brought a derivative suit on behalf of the corporation (Faraday) that went public via a de-SPAC transaction.  They originally pursued a mix of federal securities fraud and state law claims, but they “app[arently] conceding[d]” that the only claim at issue was for alleged violations of Section 14(a) of the Exchange Act against officers and directors of the SPAC (Property Solutions Acquisition Corp or “PSAC”).  Id. at *1-4.  Defendants argued that plaintiffs lack standing to bring claims because “neither of the named plaintiffs plead[ed] he ever owned PSAC stock prior to the merger.”  Id. at *4 (internal quotations omitted).  Defendants further argued that “any derivative liability would have been extinguished at the time the [m]erger was complete because former shareholders of a merged corporation can no longer satisfy the continuous ownership requirement of FRCP 23.1.”  Id. at *5 (internal quotations omitted).  Plaintiffs in turn argued, inter alia, that “their complaint sufficiently alleges that each plaintiff were current shareholders of Faraday Future and held Faraday Future common stock at all relevant times.”  Id. (cleaned up).  Additionally, plaintiffs contended that a plaintiff who did not own Faraday stock prior to the merger nonetheless had standing under the “continuous wrong” doctrine.  Id.  The Court found that one plaintiff “first purchased [PSAC] stock . . . on January 11, 2021, before the defined relevant period in the Derivative Action began and has continuously owned thousands of PSAC shares since February 22, 2021.”  Id.  The Court found this was sufficient to have standing to bring a derivative claim.  Id.
However, the Court found that the other plaintiff, who acquired PSAC shares after the merger was consummated, lacked standing and the continuous wrong doctrine did not save his claims because “Delaware law makes it clear that what must be decided is when the specific acts of alleged wrongdoing occur, and not when their effect is felt.”  Id. at *6.  The Court nonetheless dismissed the complaint because plaintiffs failed to plead that they were excused from making a pre-litigation demand on the board.  Id. at *13.

2. SPAC Claims That Survived A Motion to Dismiss

Several SPAC cases have survived motions to dismiss, and we highlight a few here.  Most notable of these 2024 opinions is Alta Partners, LLC v. Forge Global Holdings, Inc., where plaintiff’s Section 11 claim survived a motion to dismiss that argued, among other grounds, that plaintiff could not trace the purchase of a security to the allegedly defective registration statement at issue.  2024 WL 1116682, at *6-8 (S.D.N.Y. Mar. 13, 2024).  The Court in Alta Partners disagreed with defendant and found that a plaintiff who purchased Public Warrants from a SPAC prior to its de-SPAC transaction could sufficiently trace its purchases to the S-4 registration statement despite the company’s claim that the warrants were not exercisable until an S-1 registration statement became effective.  Id.  In other cases, courts have found that material omissions in SPAC proxy statements are actionable, see, e.g., In re Grab Holdings Ltd. Sec. Litig., 2024 WL 1076277 (S.D.N.Y. Mar. 12, 2024), and, similarly, omissions in SPAC merger pitches are actionable as securities fraud, see, e.g., Felipe v. Playstudios Inc., 2024 WL 1380802 (D. Nev. Mar. 31, 2024).

Alta Partners, LLC v. Forge Glob. Holdings, Inc., 2024 WL 1116682 (S.D.N.Y. Mar. 13, 2024): Plaintiff Alta brought claims under Section 11 and for breach of contract and the implied covenant of good faith and fair dealing against Forge in connection with public warrants issued by the SPAC, which ultimately merged with Forge.  Id. at *1.  Alta alleged that Forge improperly prevented Alta from exercising its warrants and then redeemed the outstanding warrants at a nominal price.  See id.  Under the agreement governing the warrants, public warrants became exercisable thirty days after the business combination, provided that the warrants were registered on a registration statement and there was a current prospectus.  Id. at *2.  The warrant agreement also provided that Forge could redeem all outstanding warrants when (1) “the shares were exercisable”; (2) the “Reference Value” calculated based on Forge’s stock price during a thirty-day period exceeded $18.00 per share; and (3) “an effective registration statement and current prospectus were in place for the underlying shares” for the thirty-day period.  Id.  Alta alleged it purchased public warrants issued pursuant to or traceable to the Form S-4 registration statement, which became effective on February 14, 2022.  Id. at *12.  Beginning on April 21, 2022 (thirty days after the completion of the merger on March 21, 2022), Alta repeatedly sought to exercise its warrants while Forge’s stock price skyrocketed, but Forge replied that the warrants were not yet registered on the Form S-4, and could not be exercised until Forge’s later-filed Form S-1 became effective.  Id. at *2-3.  The Form S-1 was declared effective on June 8, 2022, by which point the share price was below the exercise price of $11.50.  Id. at *3.  The following day, Forge noticed redemptions of the warrants for $.01 apiece and redeemed the warrants on July 11.  Id.
As a result, public warrant holders like Alta were never able to exercise the warrants when the stock price was trading above the warrant exercise price, and thereby profit from the exercise.  Id.  The Court dismissed Alta’s claim that Forge breached the warrant agreement by redeeming the warrants before all required conditions were met.  It explained that Alta was reading in a contractual obligation unsupported by the unambiguous terms of the warrant agreement.  Id. at *4-5.  The Court also dismissed Alta’s breach of implied covenant claim because it was “based on conduct permitted under the contract” and was based on the same set of facts as its breach of contract claim in any event.  Id. at *6.  However, the Court refused to dismiss plaintiff’s Section 11 claim in its entirety.  In relevant part, it found that defendants’ representations “would mislead a reasonable investor to believe that the registration was sufficient to permit exercise” of the warrants.  Id. at *7 (internal quotations omitted).

Felipe v. Playstudios Inc., 2024 WL 1380802 (D. Nev. Mar. 31, 2024): Plaintiff brought a securities fraud action against Playstudios, a mobile game company that went public via a de-SPAC transaction, alleging that the company misled investors (including through statements in its Proxy) about the prospects of one of its videogames, Kingdom Boss, even though the company had no experience with games of this genre (role playing games or “RPGs”).  Id. at *1-4.  Plaintiff alleged that the “launch of Kingdom Boss and expansion into the RPG category was a significant component of the Acies-Playstudios merger pitch.”  Id. at *3.  In a post-merger press release, Playstudios announced that its revenues had missed the low end of its previous estimates and, on a conference call on the same day, announced that it was suspending the development of Kingdom Boss altogether.  Id. at *3.  The Court found all but one of the statements misleading “because they failed to disclose any of the risks associated with the severe playability issues that had materialized as early as [six months prior.]”  Id. at *10.  The Court found that “Defendants had multiple opportunities to make such disclosures in order to avoid misleading investors . . . [and that] Defendants could have made these disclosures in June prior to the merger vote.”  Id. at *10.  The Court also found “the omission of these specific risks . . . material” because Playstudios’ ability to scale the game and generate revenue was a central part of its pitch for the de-SPAC transaction.  Id. at *11.  The Court denied the motion to dismiss except as to one non-actionable statement.  Id. at *21.

In re Grab Holdings Ltd. Sec. Litig., 2024 WL 1076277 (S.D.N.Y. Mar. 12, 2024): Investors filed a securities fraud action against Grab, a “mobile application [provider] . . . that [provides] . . . consumers with ride-hailing services, food-delivery services, business services, and a digital wallet[,]” and certain of its officers pursuant to Sections 11 and 15 of the Securities Act and Sections 14(a), 10(b), and 20(a) of the Exchange Act.  Id. at *2.  The complaint alleged that defendants misled investors, in connection with a de-SPAC transaction, about Grab’s use of driver and consumer incentives, which negatively impacted the company’s financial performance.  Id. at *1-10.  The challenged statements were made both pre- and post-merger.  Id.  Defendants moved to dismiss.  Id. at *10.  The Court found that plaintiffs had sufficiently pled that a series of pre-merger statements contained in the Proxy Statement were material and misleading.  Id. at *24.  The Court reasoned, inter alia, that “cautionary words about future risk cannot insulate from liability the failure to disclose risk that has transpired.”  Id. at *16 (citation omitted).  Further, the Court also found that “by putting the issues of driver retention and incentive amounts in play, defendants assumed ‘a duty to tell the whole truth.’”  Id. at *16 (quoting Meyer v. Jinkosolar Holdings Co., 761 F.3d 245, 250 (2d Cir. 2014)).  The Court held that none of the remaining pre-merger statements were actionable, including the post-merger statements by Grab’s CEO during a Squawk Box interview on CNBC.  Id. at *19-24.  The Court granted leave to amend.  Id. at *26.

We will continue to monitor the evolution of SPAC litigation and the effect of the SEC’s SPAC Rule.

V. ESG Civil Litigation

An increasing number of lawsuits challenge public companies’ environmental, social, and governance (ESG) disclosures and policies.  The following section surveys notable developments in pending cases that involve ESG allegations.

In re Oatly Group AB Securities Litigation, No. 21-cv-06360 (S.D.N.Y. July 26, 2021): We reported on this case in our Securities Litigation 2023 Year-End Update.  A class of investors sued Oatly Group AB, the world’s largest oat milk company, and several of its officers and directors for “greenwashing” in public disclosures.  ECF No. 1 ¶¶ 1-2, 52.  Plaintiffs allege that Oatly made false or misleading statements that overstated the sustainability of its product and minimized its environmental impact, thereby artificially inflating Oatly’s share price.  ECF No. 1 ¶¶ 43-45.  On November 3, 2023, the parties disclosed an intent to settle the litigation.  The Court approved the $9.25 million settlement on July 17, 2024.  ECF No. 120.

General Retirement System of the City of Detroit v. Verizon Communications Inc., No. 23-cv-05218 (D.N.J. Aug 18, 2023): We first reported on this case in our Securities Litigation 2023 Year-End Update.  Plaintiffs allege that Verizon made false or misleading statements regarding its “extensive network of lead cables, the dangers they were posing to people and to the environment, and the costs associated with cleaning up the cables and compensating for any human injuries.”  ECF No. 57 ¶ 16.  Plaintiffs further allege that Verizon’s stock price dropped after The Wall Street Journal released an article profiling workers who claimed they were suffering from lead exposure.  Id. ¶ 306.  On April 24, 2024, defendants filed a motion to dismiss, arguing that plaintiffs failed to properly allege materiality and scienter because defendants did not know “the cables posed material risks not understood by the market” and understood that the “public and market at large were aware of the lead-sheathed cables’ existence.”  ECF No. 58-1 at 2-3.  Defendants also argued the challenged statements were “honestly held opinions” and “too general to be misleading.”  Id. at 3.  The motion to dismiss remains pending.

Exxon Mobil Corp. v. Arjuna Capital, No. 24-cv-00069 (N.D. Tex. Jan. 21, 2024): We first reported on this case in our Securities Litigation 2023 Year-End Update.  In January 2024, Exxon filed a lawsuit seeking a declaratory judgment that would allow it to exclude from its proxy statement a shareholder proposal by two activist investors.  Exxon alleged that defendants’ proposal, which asked Exxon to reduce its greenhouse gas emissions more rapidly, “d[id] not seek to improve ExxonMobil’s economic performance or create shareholder value.”  ECF No. 1 ¶ 11.  Exxon further contended that it could properly exclude defendants’ proposal under the ordinary business (Rule 14a-8(i)(7)) and resubmission exclusions ((i)(12)).  Id. ¶¶ 16-17.  On May 22, 2024, the Court held that Exxon’s lawsuit was able to proceed against the United States-based Defendant, Arjuna Capital.  ECF No. 37.  On June 17, 2024, Arjuna Capital agreed to withdraw its proposal and “unconditionally and irrevocably” agreed not to submit any similar proposal.  ECF No. 52 at 1.  The Court determined that this agreement mooted Exxon’s claim, and the case was dismissed without prejudice.  Id.  Gibson Dunn represents plaintiff in this action.

Securities Industry & Financial Markets Association v. Ashcroft, No. 23-cv-04154 (W.D. Mo. Aug. 10, 2023): We reported on this case in our Securities Litigation 2023 Year-End Update.  In June 2023, the Missouri Securities Division adopted new rules requiring investment professionals to obtain client signatures before providing advice that “incorporates a social objective or other nonfinancial objective.”  ECF No. 24 ¶¶ 69, 78.  In August 2023, plaintiff, the Securities Industry and Financial Markets Association (SIFMA), filed a lawsuit against Missouri Secretary of State John Ashcroft and Missouri Securities Commissioner Douglas Jacoby, challenging these rules.  ECF No. 1 at 41.  Plaintiff alleged that the rules are preempted by the National Securities Markets Improvement Act of 1996 and the Employee Retirement Income Security Act, violate the First Amendment, and are unconstitutionally vague.  ECF No. 24 ¶¶ 118-47-42.  On January 5, 2024, the Court denied defendants’ motion to dismiss.  ECF No. 39 at 1.  On June 10, 2024, both parties filed motions for summary judgment as to all the claims at issue.  ECF Nos. 69, 71.  On August 14, 2024, the Court granted the plaintiff’s motion for summary judgment (and rejected defendants’ cross-motion for summary judgment), finding that the rules do in fact violate the First Amendment, are unconstitutionally vague, and are preempted by federal laws, namely, the National Securities Markets Improvement Act of 1996 and the Employee Retirement Income Security Act of 1974.  ECF No. 115.  The judge concluded that the rules carried a significant risk of harm justifying a permanent injunction prohibiting their enforcement.  Id. at 20-22.

Browning v. Alexander, et al., No. 23-cv-03293 (D. Md. Dec. 5, 2023): Investors in Enviva Inc., an energy company that manufactures wood pellets used as a substitute for coal in power generation, filed a shareholder derivative complaint on December 5, 2023.  Plaintiff alleged defendants, who include the company’s CEO and co-founder as well as several board members, caused Enviva to make false and misleading statements about the company’s commitment to ESG policies.  ECF No. 1 ¶¶ 1-4, 171-78.  As one example, plaintiff alleged Enviva’s practice of procuring wood pellets “drives demand for deforestation,” contrary to defendants’ representation that harvesting forests for wood pellets is “sustainable.”  Id. ¶ 98.  Enviva has since filed for Chapter 11 bankruptcy, and on April 15, 2024, the Court issued a stay for the pendency of Enviva’s bankruptcy proceedings.  ECF No. 24.

Alliance for Fair Board Recruitment v. SEC, No. 21-60626 (5th Cir. 2021): The petitioners sued the SEC, alleging that Nasdaq’s Board Diversity Rules are unconstitutional and contrary to federal statutes.  ECF No. 1.  The Board Diversity Rules, which the SEC approved, require companies that list shares on Nasdaq’s exchange to (1) disclose aggregated information about board members’ diversity characteristics (including race, gender, and sexual orientation) and (2) provide an explanation if fewer than two board members are diverse.  Id. at 3-4.  On October 18, 2023, a unanimous Fifth Circuit panel rejected the petitioners’ challenges (ECF No. 289), after which the petitioners sought rehearing en banc (ECF No. 297).  The en banc panel of the Fifth Circuit held oral argument on May 14, 2024.  ECF No. 508.  On July 18, 2024, the Court requested supplemental briefing regarding the operation of one of the Rules at issue, and on July 25, 2024, the parties filed supplemental briefs.  ECF Nos. 519, 520.  Both Nasdaq and the SEC contend in their briefs that the deadline for companies to request access to a board-recruiting service has expired and that this moots the petitioners’ challenge to the Board Recruiting Service Rule.  ECF Nos. 517, 519.  The petitioners, the National Center for Public Policy Research and Alliance for Fair Board Recruitment, argued in their own July 25 briefs that the deadline has passed but that this does not affect the justiciability of the case before the Fifth Circuit.  ECF Nos. 520, 522.  The Fifth Circuit has not yet issued an opinion in connection with its rehearing en banc.  Gibson Dunn represents Nasdaq in this action, which intervened as an interested party to defend the Board Diversity Rules.

VI. Cryptocurrency Litigation

The cryptocurrency space has seen considerable activity since our last Update.  Below, we discuss significant rulings in private lawsuits and lawsuits brought by the SEC, as well as additional developments that may impact cryptocurrencies going forward.

A. Class Actions

Golubowski v. Robinhood Markets, Inc., 2024 WL 269507 (N.D. Cal. Jan. 24, 2024): On January 24, 2024, the district court dismissed without leave to amend a class action complaint against Robinhood Markets, Inc., a crypto and securities trading platform.  ECF No. 106 at 1.  The same court previously granted Robinhood’s motion to dismiss plaintiffs’ first amended complaint, finding that plaintiffs failed to plead a violation of Section 11 or 12(a) of the Securities Act.  ECF No. 90.  In their second amended complaint, plaintiffs asserted a new theory for why Robinhood’s offering documents were false or misleading, alleging that the declines in key performance indicators and revenue sources were undisclosed and misrepresented by the offering documents.  ECF No. 92.  In its January 24, 2024 decision, the Court again dismissed plaintiffs’ claims, finding that Robinhood made adequate disclosures that put investors on notice of lower trading revenues in the second and third quarters of 2021, the “possibility of downward trends,” and the fact that “Robinhood’s business had substantially shifted to rely more on cryptocurrency trading[.]”  ECF No. 106 at *12, *14, *16.  The Court also found that leave to amend was not warranted as it “would be futile.”  Id. at *19.

Williams v. Binance, 96 F.4th 129 (2d Cir. 2024): On March 8, 2024, the Second Circuit reversed the district court’s dismissal of a putative class action lawsuit against crypto exchange Binance and its CEO.  Plaintiffs asserted numerous causes of action under the Securities Act, the Exchange Act, and the Blue Sky statutes of different states and territories, including that defendants offered and sold unregistered securities.  ECF No. 82 at 133, 135.  Plaintiffs—purchasers of crypto assets on the Binance international electronic exchange—claimed that Binance unlawfully promoted, offered, and sold billions of dollars’ worth of crypto “tokens,” which were not registered as securities.  Id. at 132.  The U.S. District Court for the Southern District of New York dismissed plaintiffs’ claims, finding that they were impermissibly extraterritorial, that the federal claims were untimely, and that claims under Blue Sky laws of states where none of the named class members resided lacked a sufficient nexus with the allegations.  Id. at 135; ECF No. 77.  The Second Circuit reversed and remanded, finding that plaintiffs plausibly alleged that class members engaged in domestic transactions, that a narrow subset of the federal claims were timely, and that state law claims brought on behalf of absent putative class members should not have been dismissed at that stage.  ECF No. 82 at 136-45.  On May 13, 2024, plaintiffs filed a third amended complaint, alleging 11 causes of action, including under Sections 5, 12, and 15 of the Securities Act.  ECF No. 104.  Gibson Dunn is co-counsel for Binance in this action.

Oberlander v. Coinbase Glob., Inc., 2024 WL 1478773 (2d Cir. Apr. 5, 2024): As reported in our 2023 Mid-Year Litigation Update, in February 2023, the U.S. District Court for the Southern District of New York dismissed a class action lawsuit against the crypto exchange Coinbase and its CEO on the basis that Coinbase was not the “statutory seller” of the allegedly unregistered tokens at issue.  Coinbase operates online trading platforms where users can buy and sell digital assets.  ECF No. 74 at *1.  The nationwide class consists of all persons or entities who bought or sold certain digital assets on the Coinbase trading platforms from October 8, 2019, to March 11, 2022, and it asserted a mix of claims under the Securities Act, the Exchange Act, and the state securities laws of California, Florida, and New Jersey.  Id.  On April 5, 2024, the Second Circuit concluded that plaintiffs adequately pleaded that Coinbase held title to digital assets traded on its platform and thus plausibly alleged claims under Section 12(a) of the Securities Act.  Id. at *3-4.  At the same time, the Court affirmed the district court’s dismissal of the Exchange Act claims, concluding the allegations were repetitive and conclusory, and found that the district court erred in dismissing the state law claims on jurisdictional grounds.  Id. at *4-5.  On July 29, 2024, defendants moved for judgment on the pleadings.  ECF No. 83.

In re Ripple Labs, Inc. Litig., 2024 WL 3074379 (N.D. Cal. June 20, 2024): A putative class of plaintiffs, who purchased Ripple Labs’ cryptocurrency XRP, brought federal and California state securities law claims against Ripple Labs, XRP II, and the CEO of Ripple.  Plaintiffs alleged “a scheme by Defendants to raise hundreds of millions of dollars through sales of XRP—an unregistered security—to retail investors in violation of the registration provisions of federal and state securities laws” and sought to “drive demand for and thereby increase profits from the sale of XRP” using “a litany of false and misleading statements regarding XRP.”  ECF No. 87, at ¶¶ 1-2.  The Court had previously dismissed Plaintiffs’ misrepresentation, consumer-protection, and professional conduct claims under California state law.  ECF No. 85, at 2-3, 40.  At the summary judgment stage, only five claims remained.  ECF No. 419 at 1.

On summary judgment, defendants emphasized that the Court had already found in a parallel action that “XRP, as a digital token, is not in and of itself a ‘contract, transaction[,] or scheme’ that embodies the Howey requirements of an investment contract.”  ECF No. 339 at 2; see also SEC v. Ripple Labs, Inc., 2023 WL 4507900 (S.D.N.Y. July 13, 2023) (granting partial summary judgment in favor of Ripple and concluding that institutional buyers had an expectation of profit whereas programmatic buyers had no such expectation).  The District Court for the Northern District of California granted in part defendants’ motion for summary judgment on federal and most state class claims but denied it as to one plaintiff’s individual claims under California law.  ECF No. 419.  The Court found that the statute of repose barred the federal securities claims and that plaintiff failed to raise a triable issue as to California state law’s privity requirement.  Id. at *4.  That said, the Court found that the cause of action for misleading statements should proceed to trial.  Id. at *10.  The trial date is currently set for January 21, 2025.  ECF No. 434.

Dufoe v. DraftKings Inc., 2024 WL 3278637 (D. Mass. July 2, 2024): On July 2, 2024, the U.S. District Court for the District of Massachusetts denied DraftKings’ motion to dismiss a putative class action for violations of federal securities law and found that DraftKings Non-Fungible Tokens (NFTs) were securities.  ECF No. 60 at *21.  DraftKings operates the DraftKings Marketplace where individuals can buy and sell DraftKings NFTs with images of professional athletes.  Id. at *3.  In its motion to dismiss, DraftKings argued that its NFTs were not securities.  Id. at *7.  The Court rejected this argument, finding that plaintiffs plausibly alleged commonality and reasonable expectation of profits under the Howey test and therefore plausibly pled that the NFTs were securities.  Id. at *7-21.

B. Regulatory Lawsuits

SEC v. Genesis Glob. Cap., LLC, 2024 WL 1116877 (S.D.N.Y. Mar. 13, 2024): On January 12, 2023, the SEC filed a complaint alleging that Genesis—a company that pooled crypto assets and lent them to institutional investors—violated the securities laws when it worked with Gemini—a limited liability trust company—to extend its lending and pooling practices to Gemini’s customers, including U.S. retail investors, through the “Gemini Earn” program.  ECF No. 1; see also id. at *1-2.  The complaint alleged that Gemini and Genesis violated the securities laws under two theories.  The SEC’s first theory was that the Gemini Earn program was an unregistered security under the Supreme Court’s Howey test.  ECF No. 1 at 17-19.  The second theory alleged that the agreements were “notes,” using the Supreme Court’s Reves test.  Id. at 13-17.  On March 13, 2024, the Court denied a motion to dismiss and allowed the SEC’s complaint against Genesis and Gemini to proceed.  ECF No. 54.  The district court found that the SEC plausibly alleged both theories.  ECF No. 54 at 31.  The Court also rejected defendants’ motions to strike the SEC’s requests for a permanent injunction of the companies’ activities and for disgorgement.  Id. at 29-31.  Following the Court’s March 13 Order, Genesis agreed to a $21 million civil penalty as well as a permanent injunction.  ECF No. 56.  These actions come after Genesis and two affiliates filed for Chapter 11 bankruptcy in the U.S. District Court for the Southern District of New York on January 12, 2023.  The SEC will not receive portions of the civil penalty until the bankruptcy court resolves all claims, including those claims from retail investors.  SEC, Genesis Agrees to Pay $21 Million Penalty to Settle SEC Charges (Mar. 19, 2024).  As we reported in our May 2024 Digital Assets Recent Updates newsletter, Genesis also agreed to a $2 billion settlement with the New York Attorney General’s Office to compensate defrauded investors on May 20, 2024.

SEC v. Coinbase, Inc., 2024 WL 1304037 (S.D.N.Y. Mar. 27, 2024): On March 27, 2024, the Court presiding over an enforcement action brought by the SEC against Coinbase, one of the world’s largest cryptocurrency trading platforms, granted in part and denied in part Coinbase’s motion to dismiss the complaint.  ECF No. 105.  The Court dismissed the SEC’s claim that Coinbase acted as an unregistered broker with respect to Coinbase’s “Wallet” application because the SEC failed to sufficiently allege that Coinbase acted as a broker with respect to its self-custodial digital wallet.  Id. at 78-84.  The Court refused to dismiss the remaining claims, finding that the SEC sufficiently pleaded that Coinbase operated as an unregistered broker, unregistered exchange, and unregistered clearing agency with respect to certain other products and services, and that at least some digital assets offered on its platform were investment-contract securities under the Supreme Court’s Howey test.  Id. at 84.  The Court also held that the SEC adequately alleged that Coinbase Global was a control person of Coinbase.  Id. at 60-78.  The case is now in discovery regarding the remaining claims.  Coinbase also asked the district court to certify an interlocutory appeal that would allow the Second Circuit to immediately consider whether the SEC may regulate as “investment contracts” digital asset transactions that involve no obligation running to the purchaser beyond the point of sale.  That motion is fully briefed and remains pending.

SEC v. Terraform Labs Pte. Ltd., 2023 WL 8944860 (S.D.N.Y. April 5, 2024): On April 5, 2024, after a nine-day trial, a jury found Terraform Labs and its founder, Do Kwon, liable for securities fraud.  SEC, Statement on Jury’s Verdict in Trial of Terraform Labs PTE Ltd. and Do Kwon (Apr. 5, 2024).  As reported in our Securities Litigation 2023 Mid-Year Update, the SEC brought claims against Terraform and Kwon under the federal securities laws for sales of unregistered securities and fraud related to Terraform’s crypto assets.  ECF No. 1.  Defendants moved to dismiss, arguing that none of the crypto assets were securities, but the Court denied the motion.  ECF No. 51.  And, as reported in our Securities Litigation 2023 Year-End Update, on December 28, 2023, the U.S. District Court for the Southern District of New York granted summary judgment for the SEC on the claim that defendants violated Sections 5(a) and 5(c) of the Securities Act and granted summary judgment for defendants on the claims involving unregistered transactions in security-based swaps.  ECF No. 149.  Still, the SEC’s fraud claims proceeded to trial.  After a trial in late March 2024, a unanimous jury found defendants liable on both claims, under Section 17 of the Securities Act and the anti-fraud provisions of the Exchange Act, and that Kwon was liable as control person.  ECF No. 229.  On June 12, 2024, the Court entered a final judgment against Terraform for $4.47 billion and against Kwon for $204 million.  ECF No. 273.  As part of the final judgment, Terraform agreed to waive any right to appeal.  Id. at 2.

SEC v. Balina, No. 22-cv-00950 (W.D. Tex.): On May 22, 2024, the Court granted, in part, and denied, in part, the SEC’s motion for summary judgment, and denied defendant Ian Balina’s motion for summary judgment.  The SEC alleged that Balina, a cryptocurrency investor, signed a contract to invest $5 million in an offering of Sparkster (SPRK)—a crypto asset—but sold SPRK tokens without disclosing his compensation, violating Section 5(a), 5(c), and 17(b) of the Securities Act.  ECF No. 1.  The SEC separately accused Sparkster of offering SPRK tokens without registering and sought civil penalties.  Id.  Balina moved for summary judgment, arguing that he did not violate Section 5 and Section 17, that the SPRK tokens were not a security and the alleged promotions and transactions occurred outside the United States.  SEC v. Balina, 2024 WL 2332965, at *4 (W.D. Tex. May 22, 2024).  Balina also argued that he did not sell SPRK tokens, that he did not agree to accept compensation, and that any purported sales or offers to sell would be exempt under Section 4(a)(1) of the Securities Act.  Id.  The SEC argued that SPRK tokens are securities, that U.S. securities laws apply because Balina targeted U.S. investors on U.S. social media platforms, and that it established as a matter of law that Balina violated Section 5.  Id. at *5.  The district court found that the Securities Act would apply to Balina’s conduct and that SPRK tokens were securities as a matter of law.  Id. at *8, *11.  The Court declined to decide the Section 17(b) issue on summary judgment.  Id. at *11.  However, the Court agreed with the SEC that Balina violated Section 5(a) and 5(c) of the Securities Act by selling SPRK tokens and that Balina was not exempt under Section 4(a)(1).  Id. at *13.  Trial has been set for January 13, 2025.  ECF No. 50.

SEC v. Binance Holdings Ltd., No. 23-cv-01559 (D.D.C.): As reported in our Securities Litigation 2023 Year-End Update, on June 5, 2023, the SEC filed an action against Binance Holdings Limited, BAM Trading Services Inc., BAM Management Holdings, and Changpeng Zhao in the U.S. District Court for the District of Columbia.  The SEC accused Binance and its subsidiaries of engaging in the unregistered offer and sale of crypto asset securities and of making false statements to investors.  On June 28, 2024, the Court granted in part and denied in part defendants’ motion to dismiss.  It found that the SEC plausibly alleged that Binance directly offered and sold its cryptocurrency, the Binance coin (BNB), to investors as an investment contract.  SEC v. Binance Holdings Ltd., 2024 WL 3225974, at *14-15 (D.D.C. June 28, 2024).  However, the Court found that the SEC did not sufficiently allege that secondary sales of BNB were investment contracts, or that Binance offered and sold BUSD, a stablecoin, as an investment contract.  Id. at *24.  In doing so, the Court rejected the SEC’s theory that the BNB token “embodied” an investment contract.  The court expressed frustration with the SEC’s strategy to regulate the cryptocurrency industry through case-by-case, “coin by coin” litigation, noting that such an approach “risks inconsistent results that may leave the relevant parties and their potential customers without clear guidance.”  Id. at *11.  The court similarly rejected the SEC’s allegations as to some of Binance’s online programs including “Simple Earn,” which allegedly allowed investors who lent their crypto assets to Binance to receive variable rates of interest over time.  Id. at *26.  The Court also held that claims against BAM Trading Services and BAM Management Holdings could proceed, including a count that alleged statutory violations of the anti-fraud provisions of the Securities Act and a count alleging that a staking program was an investment contract.  
The Court found that most of the remaining counts of the complaint, which involved registration violations based on the operation of an online exchange, could proceed based on the SEC’s allegations concerning direct sales of BNB, the BNB Vault program, and the staking program allegedly offered by BAM Trading Services and BAM Management Holdings.  Gibson Dunn represents Binance Holdings Limited in this action.

SEC v. Consensys Software Inc., No. 24-cv-04578 (E.D.N.Y.): In April 2024, Consensys—which allows trading of the cryptocurrency Ether (ETH)—brought a pre-enforcement challenge in the Northern District of Texas after receiving a Wells notice from the SEC that it intended to bring an enforcement action against Consensys for violating federal securities laws as an unregistered broker-dealer.  Consensys Software Inc. v. Gensler, No. 24-cv-369, ECF No. 1 ¶¶ 3, 68, 121 (N.D. Tex. filed Apr. 25, 2024).  Consensys sought a declaratory judgment that the SEC lacks authority over ETH because ETH is not a security and that the SEC violated the APA by changing its position on whether ETH is a security.  Id. ¶ 121.  It also sought a permanent injunction prohibiting the SEC from pursuing enforcement.  Id.

On June 28, 2024, the SEC filed a complaint in the U.S. District Court for the Eastern District of New York against Consensys Software Inc., alleging that the company violated the federal securities laws by failing to register as a broker of crypto asset staking platforms.  SEC v. Consensys Software Inc., No. 24-cv-04578 (E.D.N.Y.).  Specifically, the SEC alleged that Consensys acted as a broker by creating and managing the “MetaMask Swaps” digital platform.  Id. at 2.  The SEC also alleged that the platform allowed Consensys to offer and sell Lido and RocketPool, two crypto assets that would offer a crypto staking program that the Commission classified as an investment contract.  Id. at 4.  Consequently, the SEC seeks a final judgment permanently enjoining Consensys from acting as a broker or underwriter and ordering the company to pay civil penalties.  Id. at 6.  Defendants have since moved to dismiss or, in the alternative, transfer the case to the Northern District of Texas.  Consensys Software Inc. v. SEC, No. 4:24-cv-00369-O (N.D. Tex. July 7, 2024), ECF No. 37.

C. Other Developments

1. Crypto Participants And Associations Challenge The SEC’s Authority

Thus far in 2024, four lawsuits have been filed challenging the SEC’s authority to regulate digital assets.

In February 2024, LEJILEX—an operator of a developing decentralized exchange—and the Crypto Freedom Alliance of Texas (CFAT) filed suit in the Northern District of Texas, seeking a declaration that secondary-market sales of digital assets are not securities, as well as an injunction against the SEC’s bringing an enforcement action against LEJILEX or other CFAT members.  LEJILEX v. SEC, No. 24-cv-168, ECF No. 1 at 50, ECF No. 53 at 2 (N.D. Tex. filed Feb. 21, 2024).  Plaintiffs argued that digital assets generally are not investment contracts and that the major questions doctrine prevents the SEC from regulating digital assets.  ECF No. 35 at 22-31.  On June 26, 2024, the SEC sought dismissal or, in the alternative, summary judgment, arguing that the Court lacked jurisdiction and that plaintiffs failed to show that secondary-market digital-asset transactions cannot qualify as securities.  ECF No. 38 at 19-25.

In March 2024, Beba, an apparel company that created the “BEBA token,” which is used to redeem an exclusive product from its online store, sought a declaratory judgment that, inter alia, (1) Beba is not engaged in unregistered distribution of securities, and (2) the distribution of BEBA tokens does not constitute an investment contract or securities contract between Beba and token holders.  Beba LLC v. SEC, No. 24-cv-153, ECF No. 1 ¶¶ 3, 6, 60, 179-92 (W.D. Tex. filed Mar. 25, 2024).  Beba also argued the SEC adopted a “new policy” of alleging that digital assets are investment contracts without going through required notice and comment procedures under the Administrative Procedure Act.  Id. ¶¶ 4, 6, 8.  After the SEC first moved to dismiss, (ECF No. 22), Plaintiffs filed an amended complaint, (ECF No. 24).

On April 23, 2024, CFAT and the Blockchain Association filed an action challenging the SEC’s Dealer Rule.  Crypto Freedom Alliance of Texas v. SEC, No. 24-cv-361, ECF No. 1, ¶¶ 4, 7 (N.D. Tex. filed Apr. 23, 2024).  Plaintiffs argued that the SEC exceeded its authority in changing the definition of “dealer” and that the SEC’s failure to address concerns by the digital assets industry was arbitrary and capricious.  Id. ¶ 12.  On May 17, 2024, plaintiffs moved for summary judgment, arguing that the SEC’s departure from the meaning of the word “dealer” exceeds its statutory authority and that it acted arbitrarily and capriciously in violation of the Administrative Procedure Act.  ECF No. 29 at 18-44.  The SEC cross-moved for summary judgment, arguing that it acted within its statutory authority, that its rule was reasonable (and reasonably explained), and that it had provided adequate notice its rule would apply to “crypto asset securities.”  ECF No. 39 at 14-47.  Gibson Dunn represents the plaintiffs in a related lawsuit challenging the same SEC Rule.  See National Association of Private Fund Managers v. SEC, No. 24-cv-00250 (N.D. Tex. Mar. 18, 2024).

2. SEC Approves Spot Ethereum Exchange-Traded Funds (ETFs)

On May 23, 2024, the SEC approved eight spot Ethereum ETFs from major financial institutions—including BlackRock, Fidelity, and others.  Tim Copeland & Sarah Wynn, SEC Approves 8 Ethereum ETFs including BlackRock and Fidelity, The Block (May 23, 2024).  This approval comes four months after the SEC’s first approval of spot Bitcoin ETFs, as discussed in our Securities Litigation 2023 Year-End Update, and shows increased institutional acceptance and regulatory clarity for Ether-based digital assets.

3. SEC May Target Decentralized Exchanges

On April 10, 2024, Uniswap Labs, which created the Uniswap Protocol on a decentralized Ethereum blockchain, shared that it received a Wells notice from the SEC.  Uniswap, Fighting for DeFi, Uniswap Labs Blog (Apr. 10, 2024).  Uniswap claimed that the SEC lacks authority as the Uniswap Protocol does not meet the legal definitions of securities exchange or broker and that its UNI token is not a security.  Id.  Uniswap compared Uniswap to Bitcoin and Ethereum, which the CFTC has said are not securities.  Id.

4. U.S. House Of Representatives Passes Crypto Bill

On May 22, 2024, the U.S. House of Representatives passed the Financial Innovation and Technology for the 21st Century Act (FIT21), which marks the first time that the House has passed a significant crypto bill.  Jesse Hamilton & Nikhilesh De, U.S. House Approves Crypto FIT21 Bill With Wave of Democratic Support, CoinDesk (May 22, 2024).  The legislation aims to regulate U.S. crypto markets, makes the CFTC the leading regulator of digital assets, and implements new rules to determine whether an asset is subject to federal securities laws.  Id.  SEC Chair Gary Gensler fiercely opposed the bill, stating that the bill “would create new regulatory gaps and undermine decades of precedent regarding the oversight of investment contracts, putting investors and capital markets at immeasurable risk.”  Statement on the Financial Innovation and Technology for the 21st Century Act, SEC (May 22, 2024).

VII. Lorenzo Disseminator Liability

As previously discussed in our Mid-Year and Year-End Updates, in Lorenzo, the Supreme Court expanded the scope of scheme liability under Rule 10b-5(a) and (c) to individuals who disseminate false or misleading information but are not the “makers” of the misstatement(s).  Following Lorenzo, the Second Circuit in Rio Tinto held that defendants must do “something beyond” making material misstatements or omissions to be subject to scheme liability.  SEC v. Rio Tinto plc, 41 F.4th 47, 49 (2d Cir. 2022).  In other words, the Court in Rio Tinto noted that while those who disseminate false or misleading information may be liable, misstatements alone are not sufficient to trigger scheme liability.  Although it has now been five years since Lorenzo was decided, the Supreme Court has yet to clarify the requirements for scheme liability; accordingly, the lower courts are left to shape the contours of scheme liability claims.  Since our last update, the Sixth Circuit has implicitly adopted the Second Circuit’s “something beyond” requirement but there is a growing divide among the district courts.

In Teamsters Local 237 Welfare Fund v. ServiceMaster Global Holdings, Inc., the Sixth Circuit embraced the Second Circuit’s test for scheme liability claims and held that “a plaintiff must show: ‘(1) that the defendant committed a deceptive or manipulative act, (2) in furtherance of the alleged scheme to defraud, (3) with scienter, and (4) reliance.’”  83 F.4th 514, 525 (6th Cir. 2023) (quoting Plumber & Steamfitters Local 773 Pension Fund v. Danske Bank A/S, 11 F.4th 90, 105 (2d Cir. 2021)).  In ServiceMaster, plaintiff alleged that ServiceMaster violated Section 10(b) “by engaging in a series of misrepresentations and omissions” and “that the Defendants violated Rule 10b-5 (a) and (c) by engaging in a fraudulent scheme to mislead investors about the true nature” of the business.  Id. at 522-23.  In analyzing plaintiff’s scheme claim, the Sixth Circuit noted that although “[o]ur court has not defined the elements to state a claim for scheme liability . . . the Second Circuit has.”  Id. at 525.  Relying on the Second Circuit’s articulation of the elements required for a scheme claim, the Sixth Circuit analyzed plaintiff’s scienter allegations because it was “the only disputed element.”  Id.  The Court held that plaintiff failed to allege a strong inference of scienter.  Id. at 529-33.  The Court then explained that although a “scheme-liability claim encompasses conduct beyond disclosure violations,” id. at 525 (citing Benzon v. Morgan Stanley Distribs., Inc., 420 F.3d 598, 610 (6th Cir. 2005)), a scheme liability claim is “different and separate from a nondisclosure claim,” id. (citing Rio Tinto, 41 F.4th at 49, 53).  Nevertheless, because “the [plaintiff] relie[d] on the same factual circumstances to make out both claims in this case,” plaintiff’s showing of scienter was therefore “no stronger with respect to the scheme-liability claim than it is for the Rule 10b-5 claim.”  Id. at 533.

Not all Circuit courts have considered Rio Tinto’s distinction between misstatement and scheme claims.  However, certain lower courts outside the Second Circuit have indicated a willingness to adopt the “something beyond” requirement.  For example, in SEC v. Westhead, the Southern District of Florida held that the SEC adequately pleaded a scheme liability claim by alleging defendant disseminated the misstatements in the form of private placement memorandums.  2024 WL 3327804, at *10 (S.D. Fla. May 3, 2024).  The Court arrived at its decision citing Rio Tinto and ServiceMaster, explaining that with “this case law in mind,” dismissal of the SEC’s scheme liability claim was not appropriate because under the “Defendants’ own precedent, [dissemination] is sufficient to survive a motion to dismiss.”  Id. (citing Rio Tinto, 41 F.4th at 53).  Similarly, in SEC v. Jaitley, the Western District of Texas explained that scheme liability is distinct deceptive conduct from an alleged misstatement.  2023 WL 9105678, at *6-7 (W.D. Tex. Nov. 13, 2023) (holding that defendant furthered a scheme by directing “[c]lients to post fake, favorable reviews” or “posting false reviews herself”).

District courts within the Second Circuit also continue to provide examples of how to apply Rio Tinto’s “something beyond” requirement.  In a recent case in the Southern District of New York, SEC v. Rogas, the Court denied a motion to dismiss scheme liability claims against a former executive of NS8, Inc.  2024 WL 1120558 (S.D.N.Y. Mar. 14, 2024).  The complaint alleged defendant knew “the revenue numbers used by NS8 and provided to investors were falsified” and continued to solicit numerous potential investors, assisted in a “secondary offering between two NS8 investors,” and devised a scheme to “offload his shares in NS8 in a transaction funded by a third-party investor.”  Id. at *1.  The Court found that the SEC successfully pled defendant “committed [] manipulative or deceptive act[s]” that were “something beyond misstatements and omissions” as in Rio Tinto.  Id. at *5.  Specifically, the Court found that (1) initiating six investor transactions while knowing that the revenue numbers were falsified, (2) seeking “additional investors and transactions even after [defendant] became aware” that NS8 had very little money left and only some employees received “real data” about the sales team, and (3) selling shares in a secondary offering after acknowledging revenues were not correct, made out a scheme liability claim.  Id. at *5.

In SEC v. City of Rochester, a district court in the Western District of New York, citing positively to Rio Tinto, denied defendants’ motion to dismiss scheme liability claims.  2024 WL 909475 at *9-10 (W.D.N.Y. Mar. 4, 2024).  The SEC alleged that defendants made “materially misleading statements and omissions in the offering documents used to sell roughly $119 million in municipal bonds to investors.”  Id. at *1.  The SEC’s scheme allegations included that the “City Defendants disseminated the false statements in the offering documents sent to investors,” the City’s director of finance “executed separate certifications attesting to the accuracy of the offering documents in furtherance of the scheme,” and “the City Defendants facilitated the sale of the bonds.”  Id. at *10.  The Court sustained the scheme liability claims noting that statements regarding the reason for the RAN were incomplete and thus misleading.  Id.

In the Third Circuit, the District of New Jersey found that the SEC sufficiently alleged scheme liability under Rule 10b-5(a) and (c), citing to Rio Tinto.  SEC v. Mintz, 2024 WL 1173096, at *15, 18 (D.N.J. Mar. 18, 2024).  Specifically, the SEC alleged that defendants submitted “misleading trade order instructions or false and misleading representations concerning the number of ‘locates.’”  Id. at *15.  The Court determined that the submission of those transactions and the “repeated circumvention of Regulation SHO and efforts to conceal Defendants’ scheme” were sufficient to constitute “deceptive conduct independent of its allegations that Defendants made false or misleading statements.”  Id. at *15.

Certain lower courts within the Ninth Circuit, however, have disagreed with the Second Circuit’s approach and declined to apply the “something beyond” requirement.  In SEC v. Prakash, the Northern District of California emphasized that the Ninth Circuit has not adopted the “something beyond” requirement set forth in Rio Tinto.  2024 WL 781037, at *6 (N.D. Cal. Feb. 26, 2024).  Rather, the Court found that “to the extent that [defendant] argues that scheme liability claims require conduct beyond misstatements, the Court finds that this argument is foreclosed by Lorenzo and Ninth Circuit precedent.”  Id.  The Court explained that the Supreme Court in Lorenzo rejected the argument that Rule 10b-5(a) and (c) concern “scheme liability claims ‘that are violated only when conduct other than misstatements are involved.’”  Id.  Similarly, the Ninth Circuit previously held that its “prior holding that ‘[a] defendant may only be liable as part of a fraudulent scheme based upon misrepresentations and omissions . . . when the scheme also encompasses conduct beyond those misrepresentations or omissions’” was abrogated by Lorenzo.  Id. (citing In re Alphabet, Inc. Sec. Litig., 1 F.4th 687, 709 n.10 (9th Cir. 2021)).  Thus, the Court read Lorenzo as holding that 10b-5 “covers a broad range of conduct” and its subsections are not “mutually exclusive.”  Id.

Similarly, in In re AGS, Inc. Securities Litigation, the District of Nevada explained that “in Lorenzo, the Supreme Court explained that considerable overlap exists.”  2024 WL 581124, at *5 (D. Nev. Feb. 12, 2024) (citing Lorenzo, 139 S. Ct. at 1101-02).  “The various subsections thus merely describe subsets of a broader category—fraud.”  Id. (emphasis in original).  Ultimately, the only difference between a scheme liability claim versus a misrepresentation claim is “not that they proscribe mutually exclusive . . . conduct,” rather, the conduct in scheme claims is made in furtherance of a scheme “while the latter doesn’t involve a scheme.”  Id.  And because plaintiff’s cause of action could be construed as either a misrepresentation claim or a scheme liability claim, the Court held that plaintiff failed to state a claim under any subsection of Rule 10b-5 because when a scheme claim is based on the same set of facts as a misrepresentation claim, and “those facts do not sufficiently allege fraud . . . [under the] the misrepresentation claim, then the scheme claim necessarily fails.”  Id.

VIII. Market Efficiency And “Price Impact” Cases

District courts continue to engage with defendants’ attempts to defeat or limit class certification by rebutting the Basic presumption of reliance with evidence that the alleged misstatements had no impact on the stock price.  These developments occur against the backdrop of the Second Circuit’s 2023 decision in Arkansas Teacher Retirement System v. Goldman Sachs Group, Inc., 77 F.4th 74, 105 (2d Cir. 2023) (ATRS), covered in our 2023 Year-End Update and discussed in more detail in our Client Alert.  The Second Circuit continues to be the only circuit court to address substantively the “price impact” issue following the Supreme Court’s guidance in Goldman Sachs Group, Inc. v. Arkansas Teacher Retirement System, 594 U.S. 113 (2021) (Goldman).

To refresh, in Goldman, the Supreme Court held that courts analyzing whether to grant class certification must consider all evidence regarding price impact—even if the evidence overlaps with merits questions such as materiality.  594 U.S. at 121-22.  The Court explained that where a plaintiff’s price impact theory is based on “inflation-maintenance,” i.e., where price impact of the challenged statement is shown indirectly by a drop in the company’s stock price following a corrective disclosure on the theory that “price inflation [had been] maintained by an alleged misrepresentation,” a court must consider whether there is a “mismatch” between the alleged corrective disclosure(s) and challenged statement(s).  Id. at 123.  That is because a “mismatch” between the misrepresentation and the corrective disclosure “starts to break down” the inference of front-end price inflation.  Id.  In ATRS, the Second Circuit studied the mismatch between the generic challenged statements (e.g., statements about business principles) and more specific alleged corrective disclosures (e.g., reports of government investigations into specified employees and transactions) and held that defendants had “sever[ed] the link” between the challenged statements and the price drop.  ATRS, 77 F.4th at 104.  In reaching this conclusion, the Court was clear that “all record evidence relevant to price impact” should be considered.  Id. at 103 n.15 (internal citations omitted).

Lower courts continue to scrutinize price impact arguments, particularly the potential “mismatch” between the alleged corrective disclosures and the challenged statements.  See, e.g., Sjunde AP-Fonden v. Goldman Sachs Grp., Inc., 2024 WL 1497110, at *17 (S.D.N.Y. Apr. 5, 2024) (finding “no match” between 11 out of 13 alleged misstatements and the corrective disclosure); In re Apache Corp. Sec. Litig., 2024 WL 532315, at *6 (S.D. Tex. Feb. 9, 2024) (finding no price impact for 12 out of 13 alleged misrepresentations and limiting the class period accordingly); In re Kirkland Lake Gold Ltd. Sec. Litig., 2024 WL 1342800, at *12 (S.D.N.Y. Mar. 29, 2024) (finding no price impact and declining to certify the class).

For example, in Kirkland Lake, the Court denied class certification, finding that defendants had rebutted the Basic presumption of class-wide reliance with evidence showing that all three alleged misstatements did not impact the stock’s price.  2024 WL 1342800, at *9-12.  For the first two alleged misstatements, the Court found them to be “fairly broad and generic statements about the company’s growth strategy,” and that there was a “considerable gap in genericness between the earlier statements and the corrective disclosure.”  Id. at *8.  In conducting its analysis, the Court considered contemporaneous analyst reports and the opinions of defendants’ mining industry and economics experts.  Id. 

As to the third statement, which the Court described as “quite specific,” the Court compared the alleged misstatement and corrective disclosure “to determine ‘whether there [was] a basis to infer that the back-end price [drop] equals front-end inflation.’”  Id. at *11 (citing ATRS, 77 F.4th at 99 n.11).  The Court determined that there was a different kind of substantive mismatch because the challenged statement “referred to future targets” and the corrective disclosure reflected only information at the time of acquisition.  Id.

In Sjunde AP-Fonden, the Court declined to find a match between 11 of 13 alleged misstatements and the corrective disclosure.  2024 WL 1497110, at *16.  The Court concluded that the corrective disclosure “d[id] not even address” or “d[id] not mention [] at all” the same issues as several of the alleged misstatements, so the Basic presumption was inapplicable to those statements.  Id. at *16-17.  For other challenged statements, the Court found in defendants’ favor because the corrective disclosure did “not necessarily render false the [challenged] statements.”  Id. at *16.  For the remaining two statements, the Court held the statements were appropriately specific and were “render[ed] false” by the disclosure.  Id. at *15-16.

Recent decisions also emphasize the more basic requirement that a later stock price decline is evidence of an earlier statement’s price impact only if it in fact reveals new information contrary to the challenged statements.  See In re FibroGen Sec. Litig., 2024 WL 1064665, at *12-15 (N.D. Cal. Mar. 11, 2024) (“revelations that are not ‘corrective’ cannot form the basis for a corrective disclosure”).

We will continue to monitor developments in this area.

IX. Other Notable Developments

A. Seventh Circuit Determines Procedure For District Courts To Evaluate Suits Resulting In Mootness Fees

In Alcarez v. Akorn Inc., the Seventh Circuit set forth the proper procedure for a district court to evaluate mootness fees paid to shareholder plaintiffs after the voluntary dismissal of an action brought under Section 14(a) of the Securities Exchange Act challenging a public company merger.  99 F.4th 368 (7th Cir. 2024).

After Akorn Inc. announced a merger, shareholders brought six individual and putative class actions against Akorn, asserting its proxy statement was inadequate and in violation of Section 14(a).  Alcarez, 99 F.4th at 372.  After Akorn amended its proxy statement with additional disclosures, all plaintiffs voluntarily dismissed the complaint and Akorn agreed to pay plaintiffs’ counsel a $322,500 mootness fee.  Id.  A different Akorn shareholder moved to intervene to force plaintiffs’ counsel to return the mootness fee, arguing that the suits’ only goal was to extract money for counsel.  Id.  A district court in the Eastern District of Illinois denied the motion to intervene but agreed with the shareholder’s broader argument.  Id. at 373.  The district court thus exercised its “inherent authority” to reopen the suit, determined the complaints were frivolous, and then abrogated the settlement and ordered plaintiffs’ counsel to return the mootness fee.  Id.  Plaintiffs appealed, arguing that the district court lacked authority to reopen the case and lacked jurisdiction to review the mootness fee after the voluntary dismissal.  Id. at 374.

The Seventh Circuit vacated the opinion and remanded with instructions.  It first determined that the district court lacked inherent authority to reopen the voluntarily dismissed case without a motion under Federal Rule of Civil Procedure 60(b).  Id. at 374.  However, it further held that the shareholder in question should have been allowed to intervene and file a motion to reopen.  Id.  The Court reasoned that the shareholder had a common claim with the main action since he was “an investor in Akorn whose shares’ value was affected by the merger and the mootness fees” and “class counsel and Akorn [we]re looking out for their own interests rather than those of the class” making intervention “appropriate.”  Id.  at 375.

The Seventh Circuit further determined that the district court had “inherent authority” to evaluate the suits under 15 U.S.C. § 78u-4(c)(1) and Federal Rule of Civil Procedure 11.  Id. at 377.  The statute, the Court reasoned, applies to all suits arising under the Exchange Act and mandates that courts assess compliance with Rule 11(b) upon “final adjudication of the action” which includes voluntary dismissal.  Id. at 376.

The cases were remanded to the district court with instructions to treat the shareholder as an intervenor, to allow him to make a Rule 60(b) motion, and to decide appropriate relief.  Id. at 378.

B. Sixth Circuit Joins Majority Of Circuits In Holding The Bespeaks Caution Doctrine Survived Codification Of The PSLRA

Joining other circuits, the Sixth Circuit held that the bespeaks caution doctrine still applies to statements contained in offering documents outside of the PSLRA’s safe harbor provisions for forward-looking statements.  Kolominsky v. Root, Inc., 100 F.4th 675, 687-88 (6th Cir. 2024); see 15 U.S.C. § 78u-5(c).

Root, Inc., an insurance company primarily focused on automobile insurance, purportedly attracted investors with its low customer-acquisition cost (CAC).  Plaintiffs alleged that certain statements in Root’s registration statement were misleading or omitted material facts about Root’s CAC because, at the time of Root’s IPO, the CAC was higher than its historic average.  Id. at 681.  The district court dismissed all claims for failure to state a claim.  Plaintiffs appealed three of their dismissed claims: those under Sections 11, 12(a)(2), and 15 of the Securities Act.  Id.

The Sixth Circuit affirmed.  One of the three allegedly misleading statements implicated the bespeaks caution doctrine.  The challenged statement contained in Root’s registration statement provided that “[a]s we grow, we may struggle to maintain cost-effective marketing strategies, and our customer acquisition costs could rise substantially.”  Id. at 682, 687.  The district court had determined that the “statement was not actionable because it was a forward-looking statement labeled as a risk factor.”  Id. at 687.  The Sixth Circuit agreed, concluding that the statement fell “squarely within the bespeaks caution doctrine’s protection.”  Id. at 689.

The Sixth Circuit determined that Congress did not intend for the safe harbor provisions of the PSLRA to replace the bespeaks caution doctrine, which “shields companies . . . from liability when they make statements that are forward-looking and accompanied by meaningful cautionary language.”  Kolominsky, 100 F.4th at 688.  The Sixth Circuit therefore joined the majority of circuits—namely the First, Second, Third, Fifth, Eighth, Ninth, Tenth, and Eleventh Circuits—that previously reached a similar conclusion about the doctrine’s post-PSLRA status.  Id. at 687-88.

C. Ninth Circuit Provides Additional Guidance On Determining Loss Causation

On April 5, 2024, the Ninth Circuit provided additional guidance on determining loss causation in a securities fraud case, explaining that a plaintiff does not necessarily need to show a stock price increase on the heels of a misstatement but may “plausibly show that the misstatement inflated the stock’s price.”  In re Genius Brands Int’l, Inc. Sec. Litig., 97 F.4th 1171, 1185 (9th Cir. 2024) (emphasis added).

In 2019, the price per share of children’s entertainment company Genius Brands International, Inc. fell below the NASDAQ minimum trading requirement.  Id. at 1177.  Subsequently, a group of shareholders alleged that the company had made certain false statements regarding (1) how frequently its flagship children’s television show would air per week; (2) the possibility of Disney or Netflix acquiring the company; and (3) the company’s rights to the works of comic book author Stan Lee.  Id. at 1179.  The shareholders alleged that the company and its officers violated Sections 10(b) and 20(a) of the Exchange Act and Rule 10b-5(a)-(c).  Id. at 1177, 1179.  The district court dismissed the shareholders’ suit with prejudice for failure to adequately plead falsity and loss causation.  Id. at 1179-80.  The district court dismissed two of the claims for a “failure to allege an initial price increase.”  Id.

The Ninth Circuit reversed in part and affirmed in part.  On loss causation, the Ninth Circuit’s opinion emphasized that “a price increase is one way of demonstrating that ‘the price was higher than it would have been,’ but it is not the only way.”  In re Genius Brands Int’l, Inc., 97 F.4th at 1185 (quoting In re BofI Holding, Inc., 977 F.3d at 789) (emphasis added).  Accordingly, it “suffices to plausibly allege that the stock price was higher than it would have been but for the defendant’s statement—whether because the statement increased the stock price, maintained the stock price, or prevented a greater decrease in the stock price.”  Id. at 1187.  On two of the claims, the Ninth Circuit reasoned that the district court had “impermissibly conflated an initial price increase with initial price inflation.”  Id. at 1185.  The case was remanded for further proceedings.  Id. at 1190.

D. Companies Continue To Litigate Alleged Misrepresentations Related To COVID-19

More than four years removed from the initial COVID-19 outbreak, coronavirus-related securities litigation continues to be active.  As we last discussed in our Securities Litigation 2022 Mid-Year Update, a class-action complaint was filed in May 2020 against biopharmaceutical company Sorrento Therapeutics (Sorrento) and its officers on behalf of all shareholders who had purchased Sorrento stock in the week following the company’s May 15, 2020, press release.  In re Sorrento Therapeutics, Inc. Sec. Litig., 97 F.4th 634, 637-38 (9th Cir. 2024).  Early in the COVID-19 pandemic, Sorrento announced the discovery of an antibody showing “100% inhibition” of COVID-19 infection.  Id. at 641.  Some Sorrento officers claimed the antibody would “completely prevent infection” and provided a COVID-19 “cure.”  Id. at 639 & n.3.  As the market responded to this information, Sorrento’s stock more than tripled in value.  Id. at 638.  Sorrento’s stock value eventually declined, however, as outsiders publicly began to scrutinize and critique Sorrento’s development.  Id.

The complaint alleged that Sorrento purposefully misled investors and falsely claimed to have a COVID-19 cure in violation of Sections 10(b) and 20(a) and Rule 10b-5.  Id. at 638-39.  The district court dismissed the complaint, concluding that plaintiffs failed to plausibly allege falsity because Sorrento had disclosed in the press release that the antibody remained in preclinical stage, the officers’ statements were “corporate optimism” rather than an “actionable material misstatement of fact,” and Sorrento’s need to fundraise did “not give rise to a strong inference of scienter.”  Id. at 639-40.

The Ninth Circuit affirmed.  On falsity, the Court held that Sorrento’s “overblown” statements did not rise to the level of “materially misleading” investors considering Sorrento’s contemporaneous disclosures about the antibody’s early developmental status.  Id. at 641.  A reasonable person, knowing that the antibody required further testing after reading the press release, would not understand the press release to mean that Sorrento had “an immediate 100% cure” for COVID-19.  Id.  The Court rejected the argument that Sorrento could not, in good faith, have believed that it had a cure given the fact that there still is no cure for COVID-19.  Id. at 641-42.

On the issue of scienter, the Court concluded that “although Sorrento’s financial situation was clearly helped by the market’s response to the [antibody] announcement,” Sorrento had resorted to other measures to mitigate its “dire financial situation” far in advance of the announcement.  Id. at 642-43.  A need to fundraise, accordingly, did not adequately establish motive for fraud.  Plaintiffs’ argument also failed to “allege any particular improper or inflated sales” and such a “showing of trading history [was] necessary to raise an inference of scienter.”  Id. at 643.

E. SEC Adopts Amendments To Regulation S-P, Requiring Covered Firms To Take Additional Customer Data Protection Measures

In May, the SEC adopted amendments to Regulation S-P, which require covered financial firms to provide certain protections for personally identifiable information of customers and consumers.  17 C.F.R. § 248.30; see also Mark T. Uyeda, Comm’r, Sec. & Exch. Comm’n, Statement on the Amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information (May 16, 2024) https://www.sec.gov/newsroom/speeches-statements/uyeda-statement-reg-s-p-051624 (“Comm’r Uyeda, Statement on the Amendments to Regulation S-P”).  Initially adopted in 2000, Regulation S-P set standards for firms’ treatment of customers’ nonpublic personal information.  See id.  Due to the evolving nature and impact of data breaches, the amendments require “covered institutions to adopt written policies and procedures that provide for an incident response program to protect customer information from unauthorized access.”  Id.

The “incident response program” requires covered firms to “assess the nature and scope” of the incident, take “appropriate steps to contain and control such incidents,” and provide notice to “each affected individual.”  17 C.F.R. § 248.30(a)(3)(i)-(iii).  The amendments provide detailed requirements of these notices.  For example, notice may not be required if a covered firm determines, after a reasonable investigation, that the “sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.”  Id. § 248.30(a)(4)(i).  Notice may also be required to be sent to non-customers, as the amendments also define “customer information” to include information that (1) is within the covered firm’s possession regardless of whether there is a “customer relationship”; and (2) pertains to “the customers of other financial institutions where such information has been provided to the covered institution.”  Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 89 Fed. Reg. 47688, 47714 & n.290 (June 3, 2024) (emphasis added); see also 17 C.F.R. § 248.30(d)(5)(i).

In terms of timing, notice must be sent “as soon as practicable, but generally not later than 30 days after the financial institution becomes aware that there has been an unauthorized breach of customer information.”  Comm’r Uyeda, Statement on the Amendments to Regulation S-P.  Covered firms are not required to contract with service providers to deliver data breach notices, but remain responsible “regardless of which entity sends the notice.”  Id. 

Additionally, the amendments extend Regulation S-P’s safeguard and disposal requirements to transfer agents registered with the Commission or another appropriate regulatory agency.  Id.

The amendments provide for an 18-month compliance period for larger entities after the date of publication and a 24-month compliance period for smaller entities.  Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 89 Fed. Reg. at 47723-24.


The following Gibson Dunn lawyers participated in preparing this update: Monica K. Loseman, Brian M. Lutz, Craig Varnen, Jefferson E. Bell, Christopher D. Belelieu, Michael D. Celio, Mary Beth Maloney, Lissa M. Percopo, Jessica Valenzuela, Allison Kostecka, Mark H. Mixon, Jr., Chase Weidner, Luke A. Dougherty, Tim Kolesk, Trevor Gopnik, Dillon M. Westfall, Raena Ferrer Calubaquib, Megan R. Murphy, Kevin Reilly, Tawkir Chowdhury, Dasha Dubinsky, Pleasant N. Garner, Zachary Goldstein, Amir Heidari, John Ito, Joel A. Kagan, Lindsay Laird, Tin Le, Jerelyn Luther, Brianna Rauenzahn, Ty Shockley, Alon Sugarman, Yixian Sun, and Anna D. Ziv.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s Securities Litigation practice group:

Christopher D. Belelieu – New York (+1 212.351.3801)
Jefferson Bell – New York (+1 212.351.2395)
Michael D. Celio – Palo Alto (+1 650.849.5326)
Jonathan D. Fortney – New York (+1 212.351.2386)
Monica K. Loseman – Co-Chair, Denver (+1 303.298.5784)
Brian M. Lutz – Co-Chair, San Francisco (+1 415.393.8379)
Mary Beth Maloney – New York (+1 212.351.2315)
Jason J. Mendro – Washington, D.C. (+1 202.887.3726)
Alex Mircheff – Los Angeles (+1 213.229.7307)
Lissa M. Percopo – Washington, D.C. (+1 202.887.3770)
Jessica Valenzuela – Palo Alto (+1 650.849.5282)
Craig Varnen – Co-Chair, Los Angeles (+1 213.229.7922)
Allison K. Kostecka – Denver (+1 303.298.5718)
Mark H. Mixon, Jr. – New York (+1 212.351.2394)

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.