Europe
08/06/2024
Council of Europe | Report | Neural data
The Council of Europe reported on the data protection challenges linked to neurotechnology and neural data from the perspective of the Convention 108+.
The report highlights the challenges posed by neural data and neurotechnology, including the impact it may have on human rights and fundamental freedoms, in particular the right to privacy and to the protection of personal data. It provides a legal and technical description of neurotechnology and neural data and suggests solutions to address privacy concerns related to neural data processing.
For further information: Council of Europe Website
08/01/2024
European Commission | EU AI Act
The European Artificial Intelligence Act (“AI Act”) came into force.
The European Commission announced that the AI Act came into force on August 1, 2024. The majority of rules of the AI Act will start applying on August 2, 2026.
For more information: European Commission Website
Belgium
08/23/2024
Belgian Supervisory Authority | Sanction | Access Request
The Belgian Supervisory Authority (“APD”) imposed a fine of €100,000 on a telecom operator for late reply to a right to access request.
The APD determined that the telecom operator failed to appropriately process and reply to the individual’s access request by providing a response 14 months after the access request was submitted.
For more information: EDPB Website
Denmark
08/26/2024
Danish Supervisory Authority | Decision | AI
On August 26, 2024, the Danish Supervisory Authority (“Datatilsynet”) published its decision allowing an insurance company to record and use artificial intelligence for analyzing incoming telephone calls.
Following its investigation in March 2023 on the insurance company and its use of artificial intelligence to analyze customer service calls, the Datatilsynet found that the insurance company complies with GDPR rules. Finally, the Datatilsynet’s decision recalls that the processing must comply with data protection rules, particularly with regard to obtaining consent and the information given to data subjects.
For more information: Datatilsynet Website [DA]
France
08/27/2024
French Supervisory Authority | Monitoring Tool | Binding Corporate Rules
The French Supervisory Authority (“CNIL”) published a monitoring tool for Binding Corporate Rules (“BCR”).
The CNIL makes available to BCR holders a self-assessment tool to verify their level of compliance with BCR requirements and specifies the steps for its deployment.
For more information: CNIL Website
Germany
08/30/2024
Saxony Supervisory Authority | Recommendation | Technical and Organizational Measures
On August 30, 2024, the Saxon Supervisory Authority (“SDTB”) published its recommendation on the redaction of documents.
The SDTB pointed out that it is often necessary to delete or anonymize personal data (for example when publishing documents containing sensitive data) and that, in such cases, technical and organizational measures, including document redaction, must be implemented for data protection. In particular, the recommendation describes the possible sources of error and solutions relating to redaction.
For more information: SDTB Website [DE]
08/28/2024
Rhineland-Palatinate Supervisory Authority | Press Release | Customer Account
The Rhineland-Palatinate Supervisory Authority (“LfDI Rheinland-Pfalz”) announced in a press release that it has sent an information letter to 13 e-shops on the necessity of providing guest access when placing an order.
While recognizing the advantages of creating a customer account (e.g., ordering without having to enter the same data again or reviewing orders), the LfDI Rheinland-Pfalz points out that individuals should always have an equal alternative when shopping online. It further considers that online shops have an obligation to implement a guest ordering process which results from the provisions of Articles 5 and 6 of the GDPR.
For more information: LfDI Rheinland-Pfalz Website [DE]
08/15/2024
BfDI | Press Release | Messenger Services Standard Test Catalogue
The Federal Commissioner for Data Protection and Freedom of Information (“BfDI”) has launched a public consultation process on the creation of a uniform test for messenger services regarding their compliance with the GDPR.
The BfDI has initiated the development of a uniform standard test regarding the GDPR compliance of messenger services. This is especially important due to their widespread use both in private life and for work related purposes. So as to create a useful uniform standard test, the BfDI now invites specialist users or deployers and the civil society to comment on and participate in the development of criteria for the published draft test.
For more information: BfDI Website [DE]
08/01/2024
Saxony Supervisory Authority | Guidelines | Data Subject Access Requests
On August 1, 2024, the Saxon Supervisory Authority (“SDTB”) published guidelines for local authorities and administrative bodies on how to handle data subject access requests under Article 15 of the GDPR.
The SDTB’s guidelines are intended to provide guidance on how to comply with requests regarding the right of access of data subjects. It incorporates the latest higher court’s and especially the Court of Justice of the European Union’s case law.
For more information: SDTB Website [DE]
Italy
08/09/2024
Italian Supervisory Authority | Sanction | Unlawful access to a database
The Italian Supervisory Authority (“Garante”) published its decision of June 6, 2024, imposing a fine of €1 million on a financial institution for unlawful processing.
The Garante received a complaint where an individual claimed having been blacklisted and denied financing for a long-term car rental, following verifications in a database. The complainant requested to the car rental company and its parent company, a financial institution, information on the reasons behind the backlisting in the context of a request to exercise his rights under the GDPR but received no response. Upon investigation, the Garante found that the financial institution, which proceeded to verifications on behalf of the car rental company, did not have the authorization from the Ministry of Economy and Finance to access the centralized fraud prevention system (“SCIPAFI”) and concluded that the complainant’s personal data had been unlawfully processed.
For more information: Garante Website [IT]
08/09/2024
Italian Supervisory Authority | FAQ | Right to be forgotten
The Italian Supervisory Authority (“Garante”) announced having released frequently asked questions (“FAQs”) on the “right to be forgotten in oncology”.
The FAQs aim to clarify the provisions of the Law No. 193 of 7 December 2023 on “right to be forgotten in oncology”, which allows individuals who have recovered from an oncological disease not to provide information or be investigated regarding their previous condition to access to banking, financial, investment and insurance services, to insolvency procedures, as well as to employment and professional training. The Garante will be in charge of the enforcement of these provisions.
For more information: Garante Website [IT]
Switzerland
08/14/2024
Swiss Federal Council | Adequacy Decision | Swiss-US Data Privacy Framework
The Swiss Federal Council adopted its decision of adequacy regarding the USA under the Swiss-US Data Privacy Framework (“DPF”).
Over a year after the European Commission, the Swiss Federal Council has now also adopted its adequacy decision for US-companies certified under the DPF and thus facilitates the transfer of personal data to the USA in compliance with data protection regulations. This will enter into force on 15 September 2024.
For more information: Federal Council Website
United Kingdom
08/21/2024
Department for Science, Innovation and Technology | Blog | Privacy-Preserving Federated Learning
The Department for Science, Innovation and Technology (“DSIT”) published a blog post on implementation challenges in Privacy-Preserving Federated Learning (“PPFL”).
The blog highlights challenges to developing deployable PPFL, which are due to several factors such as real-world conditions for deployment (e.g., insufficient computational power) or flaws in the system design which can lead to privacy breaches.
For more information: UK Government Website
08/13/2024
UK Supervisory Authority | Report | Privacy Enhancing Technologies
The UK Supervisory Authority (“ICO”) published a report entitled “Tackling Barriers to Privacy-Enhancing Technologies Adoption”.
Privacy-Enhancing Technologies (“PETs”) are defined by the ICO as technologies supporting data privacy by minimizing the use of personal data and increasing their security. The report explains, in particular, the barriers to adopting such technologies and provides recommendations on how to support and promote their use across organizations.
For more information: ICO Website
08/07/2024
UK Supervisory Authority | Sanction | Ransomware Attack
The UK Supervisory Authority (“ICO”) issued a provisional decision to impose a fine of £6.09 million (approximately €7,14 million) on a software provider following a ransomware attack which occurred in 2022.
The ICO explained that hackers accessed the company’s health and care systems through a customer account which was not protected via multi-factor authentication. The attack led to the exfiltration of personal data from 82,946 individuals, including phone numbers, medical records, and information on how to gain entry to the homes of 890 people receiving home care. Critical services had also been disrupted. The ICO’s findings are provisional, and a final decision has not yet been made. If issued, this will notably be the first time that the ICO issues a fine to a processor for a breach of its obligations under data protection laws.
For more information: ICO Website
08/02/2024
UK Supervisory Authority | Statement | Children protection
The UK Supervisory Authority (“ICO”) issued a statement calling on social media platforms (“SMPs”) and video-sharing platforms (“VSPs”) to improve their children’s data privacy practices.
The ICO stated that it has reviewed 34 SMPs and VSPs focusing on the process children go through to sign-up for accounts. The ICO found different levels of compliance with the Children’s Code, and sent some of the platforms questions on issues relating to default privacy settings, geolocation, age assurance and targeted advertising.
For more information: ICO Website
Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris ([email protected])
Joel Harrison – Partner, Co-Chair, PCDI Practice, London ([email protected])
Vera Lukic – Partner, Paris ([email protected])
Lore Leitner – Partner, London ([email protected])
Kai Gesing – Partner, Munich ([email protected])
Clémence Pugnet – Associate, Paris ([email protected])
Thomas Baculard – Associate, Paris ([email protected])
Hermine Hubert – Associate, Paris ([email protected])
Billur Cinar – Associate, Paris ([email protected])
Christoph Jacob – Associate, Munich ([email protected])
Yannick Oberacker – Associate, Munich ([email protected])
Sarah Villani – Associate, London ([email protected])
Miles Lynn – Associate, London ([email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
From the Derivatives Practice Group: This week, the CFTC staff issued a no-action letter regarding swap data reporting and recordkeeping regulations. The no-action letter is comparable to previous letters issued for similarly situated designated contract markets and derivatives clearing organizations.
New Developments
- CFTC Staff Issues No-Action Letter Related to Reporting and Recordkeeping Requirements for Fully Collateralized Binary Options. On September 4, 2024, the CFTC announced the Division of Market Oversight (“DMO”) and the Division of Clearing and Risk have taken a no-action position regarding swap data reporting and recordkeeping regulations in response to a request from LedgerX LLC d/b/a MIAX Derivatives Exchange LLC (“MIAXdx”), a designated contract market and derivatives clearing organization. The Divisions will not recommend the CFTC initiate an enforcement action against MIAXdx or its participants for certain swap-related recordkeeping requirements and for failure to report data associated with fully collateralized binary option transactions executed on or subject to the rules of MIAXdx to swap data repositories. The no-action letter is comparable to no-action letters issued for other similarly situated designated contract markets and derivatives clearing organizations.
- CFTC Grants Kalshi Klear LLC DCO Registration. On August 29, the CFTC announced it has issued Kalshi Klear LLC (“Kalshi”) an Order of Registration as a derivatives clearing organization (“DCO”) under the Commodity Exchange Act. Kalshi’s affiliate, KalshiEx LLC, is registered with the CFTC as a designated contract market.
- CFTC Staff Extends Brexit-Related No-Action Positions. On August 29, the CFTC’s DMO and Market Participants Division (“MPD”) announced they are extending temporary no-action positions in connection with the withdrawal of the United Kingdom (“UK”) from the European Union (“EU”), known as Brexit. In addition, DMO is amending its no-action position to include two additional multilateral trading facilities (“MTFs”) authorized in the UK. The no-action position was also amended to remove an MTF and an organized trading facility because the facilities are no longer authorized in the UK.
- CFTC Staff Issues No-Action Letter for EU-Based and UK-Based DCOs Regarding Certain Requirements Applicable to DCOs. On August 23, the CFTC’s Division of Clearing and Risk (“DCR”) issued a no-action letter to address the applicability of certain CFTC regulations to registered DCOs based in either the EU or the UK. This letter replaces CFTC Letter 16-26, which applied only to EU-based DCOs and was issued in 2016 as part of the CFTC’s response to the EU equivalence determination with regard to the CFTC’s regulatory framework for DCOs. DCR has updated CFTC Letter 16-26 to explicitly apply it to UK-based DCOs post-Brexit.
New Developments Outside the U.S.
- Markets Increasingly Sensitive After Strong Performance in Early 2024. On August 29, ESMA published its second risk monitoring report of 2024, setting out the key risk drivers currently facing EU financial markets. The report stated that external events continue to have a strong impact on the evolution of financial markets, and ESMA also sees high or very high overall risks in the markets within its remit.
- ESMA Publishes Translations of its Guidelines on Funds’ Names. On August 21, ESMA published the translations in all official EU languages of its Guidelines on funds’ names using ESG or sustainability-related terms. National competent authorities must notify ESMA by October 21, 2024 whether they (i) comply, (ii) do not comply, but intend to comply, or (iii) do not comply and do not intend to comply with the guidelines.
- ESAs’ Joint Board of Appeal Allows the Appeal Lodged by NOVIS and Remits the Case to EIOPA. On August 13, the Joint Board of Appeal of the European Supervisory Authorities (“ESAs”) unanimously decided that the appeal brought by NOVIS against the European Insurance and Occupational Pensions Authority (“EIOPA”) is admissible. The appeal was brought in relation to the EIOPA decision not to grant access to documents, which were requested by NOVIS. In its decision, the board of appeal acknowledged that requests for access to documents laid out in Regulation No 1049/2001 can be dismissed by way of exceptions to protect certain public and private interests.
- ESMA Recognizes CDS Clearing and Depository Services as Tier 1 CCP Following MoU with the British Columbia Securities Commission. On August 13, ESMA signed a Memorandum of Understanding (“MoU”) with the British Columbia Securities Commission and updated its list of recognized third-country central counterparties (“CCPs”) under the European Markets Infrastructure Regulation (“EMIR”). The MoU establishes cooperation arrangements, including the exchange of information, regarding CCPs that are established in Canada and authorized or recognized by the British Columbia Securities Commission, and which have applied for EU recognition under EMIR.
New Industry-Led Developments
- ISDA Suggested Operational Practice “P43 Reporting of Post-Trade Events: Trades with no prior P43 Reporting.” On September 5, ISDA republished a Suggested Operational Practice (“SOP”) from July 2024 on approaches (e.g. for partial or full unwinds, partial or full novation, or partial or full exercises) under the CFTC amendments for allocated trades. The SOP recommends reporting the first Part 43 reportable post-trade event on an allocated trade with Action type “NEWT” and Event type “TRAD.” [NEW]
- ISDA and IIF Respond to BCBS Consultation on CCR Management. On August 28, ISDA and the Institute of International Finance (“IIF”) submitted a joint response to the Basel Committee on Banking Supervision’s (“BCBS”) consultation on guidelines for counterparty credit risk (“CCR”) management. The new guidelines represent an update to the Sound Practices for Banks’ Interactions with Highly Leveraged Institutions, published in January 1999, to incorporate recent lessons and best practices. In the response, the associations stress the guidelines should be risk-based and proportional, considering a diverse universe of counterparties and financial markets across the world. The associations stated that they believe a common understanding and coordination between central banks, supervisors and banks can enhance the effectiveness of CCR practices.
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])
Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])
Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])
Darius Mehraban, New York (212.351.2428, [email protected])
Jason J. Cabral, New York (212.351.6267, [email protected])
Adam Lapidus – New York (212.351.3869, [email protected] )
Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])
William R. Hallatt , Hong Kong (+852 2214 3836, [email protected] )
David P. Burns, Washington, D.C. (202.887.3786, [email protected])
Marc Aaron Takagaki , New York (212.351.4028, [email protected] )
Hayden K. McGovern, Dallas (214.698.3142, [email protected])
Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Personal Data | Cybersecurity | Data Innovation
Europe
03/14/2023 – European Union Agency for Cybersecurity | Report | Cybersecurity of AI and Standardisation
On 14 March 2023, the European Union Agency for Cybersecurity published a report on Cybersecurity of AI and Standardisation.
The objective of the report is to provide an overview of standards (existing, being drafted, under consideration and planned) related to cybersecurity of artificial intelligence, assess their scope and identify gaps in standardisation.
For further information: ENISA Website
03/14/2023 – European Parliament | Regulation | Data Act
On 14 March 2023, the European Parliament adopted the draft Data Act.
The Data Act aims to boost innovation by removing barriers obstructing access by consumers and businesses to data.
For further information: European Parliament Website
02/28/2023 – European Data Protection Board | Opinion | EU-US Data Privacy Framework
On 28 February 2023, the European Data Protection Board adopted its opinion on the draft adequacy decision regarding the EU-US Data Privacy Framework.
The European Data Protection Board welcomes substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for US intelligence gathering of data and the new redress mechanism for EU data subjects. At the same time, it expresses concerns and requests clarifications on several points.
For further information: EDPB Website
02/24/2023 – European Data Protection Board | Guidelines | Transfers, Certification and Dark Patterns
On 24 February 2023, the European Data Protection Board published final version of three guidelines.
Following public consultation, the European Data Protection Board has adopted three sets of guidelines in their final version: the Guidelines on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR; the Guidelines on certification as a tool for transfers; and the Guidelines on deceptive design patterns in social media platform interfaces.
For further information: EDPB Website
02/15/2023 – European Commission | Decision | Whistleblowing
On 15 February 2023, the European Commission announced its decision to refer eight Member States to the Court of Justice of the European Union for failing to transpose the Directive (EU) 2019/1937 on the Protection of Persons who Report Breaches of Union Law before 17 December 2021.
The relevant Members States include the Czech Republic, Germany, Estonia, Spain, Italy, Luxembourg, Hungary, and Poland.
For further information: European Commission Website
01/18/2023 – European Data Protection Board | Report | Cookie Banner Taskforce
On 18 January 2023, the European Data Protection Board adopted its final report of the cookie banner task force.
The French Supervisory Authority and its European counterparts adopted the report summarizing the conclusions of the task force in charge of coordinating the answers to the questions on cookie banners raised by the complaints of the None Of Your Business Association. The main points of attention that were discussed concern the modalities of acceptance and refusal to the storage of cookies and the design of banners.
For further information: EDPB Website
01/16/2023 – European Union | Regulation | Digital Operational Resilience Act
The Digital Operational Resilience Act (“DORA”) entered into force on 16 January 2023.
The DORA aims to ensure that financial-sector information and communication technology (“ICT”) systems can withstand security threats and that third-party ICT providers are monitored.
For further information: Official Journal Website
01/12/2023 – Court of Justice of the European Union | Decision | Right of access
On 12 January 2023, the Court of Justice of the European Union ruled that everyone has the right to know to whom their personal data has been disclosed.
The data subject’s right of access to personal data under the GDPR entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of the GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question.
For further information: Press Release
Austria
02/01/2023 – Austrian Parliament | National Council | Whistleblowing
On February 1st 2023, the Directive (EU) 2019/1937 on the protection of persons who report breaches of union law (“the Whistleblowing Directive”) was implemented by the Austrian National Council.
For further information: Austrian Parliament Website
Belgium
02/15/2023 – House of Representatives | Legislation | Whistleblowing
On 15 February 2023, the Whistleblowing law for the private sector which partially transposes the Whistleblowing Directive entered into force.
For further information: Whistleblowing Law
Bulgaria
01/27/2023 – Bulgarian National Assembly | Legislation | Whistleblowing
On 27 January 2023, the Bulgarian National Assembly (“CPDP”) adopted the Whistleblower Protection and Public Disclosure Act (“PWIPDA”) transposing the Whistleblowing Directive.
For further information: CPDP Website [BG]
Czech Republic
03/07/2023 – Czech Supervisory Authority | FAQ | Cookies
On 7 March 2023, the Czech Supervisory Authority (“UOOU”) published a FAQ on cookie banners and consent.
For further information: UOOU Website [CZ]
Denmark
02/20/2023 – Danish Supervisory Authority | Decision | Cookie Walls
The Danish Supervisory Authority issued two decisions regarding the use of cookie walls on websites and published general guidelines for the use of such consent solutions.
The Danish Supervisory Authority generally found that a method whereby the website visitor can access the content of a website in exchange for either giving consent to the processing of his personal data or paying an access fee, meets the requirements of the data protection rules for a valid consent.
For further information: Danish DPA Website [DK]
01/20/2023 – Danish Supervisory Authority | Guidelines | Storage and Consent
On 20 January 2023, the Danish Supervisory Authority has prepared guidance dealing with the storage of personal data with the aim of being able to demonstrate compliance with data protection rules on consent.
For further information: Danish DPA Website [DK]
Finland
02/17/2023 – Finnish Supervisory Authority | Sanction | GDPR Violation
On 17 February 2023, the Finnish Supervisory Authority issued an administrative fine of €440,000 against a company for failing to comply with the authority’s order to rectify its practices.
In particular, the authority stated that the company failed to erase inaccurate payment default entries saved into the credit information register due to inadequate practices. The authority stresses that the processing of payment default information has a significant impact on the rights and freedoms of individuals.
For further information: Finnish DPA Website
France
03/28/2023 – French Supervisory Authority | Sanction | Geolocation Data
On 28 March 2023, the French Supervisory Authority (“CNIL”) announced that it imposed a fine of €125,000 on a company of rental scooters because it geolocated its customers almost permanently.
The CNIL noted a failure to comply with several obligations, namely to ensure data minimization, to comply with the obligation to provide a contractual framework for the processing operations carried out by a processor, to inform the user and obtain his or her consent before writing and reading information on his or her personal device.
For further information: CNIL Website
03/15/2023 – French Supervisory Authority | Investigation | Smart Cameras
On 15 March 2023, the French Supervisory Authority (“CNIL”) announced setting “smart” cameras, mobile apps, bank and medical records as priority topics for investigations in 2023.
The CNIL carries out investigations on the basis of complaints received, current events, but also annual priority topics. In 2023, it will focus on the use of “smart” cameras by public actors, the use of the file on personal credit repayment incident, the management of health files and mobile apps.
For further information: CNIL Website
02/09/2023 – French Supervisory Authority | Guidance | Data Governance Act
On 9 February 2023, the French Supervisory Authority (“CNIL”) published a guidance on the economic challenges of implementing the Data Governance Act.
For further information: CNIL Website
01/26/2023 – French Supervisory Authority | Statement | Artificial Intelligence
On 26 January 2023, the French Supervisory Authority (“CNIL”) announced creating an Artificial Intelligence (“AI”) Department and starting to work on learning databases.
The CNIL is creating an AI Department to strengthen its expertise on these systems and its understanding of the risks to privacy while preparing for the implementation of the European regulation on AI. In addition, the CNIL has announced that it will propose initial recommendations on machine learning databases.
For further information: CNIL Website
01/24/2023 – Ministry of Home Affairs | Legislation | Cyberattack Risk Insurance
On 24 January 2023, the French Parliament adopted the LOPMI Act that authorizes the insurability of “cyber-ransoms” paid by victims, subject to the prompt filing of a complaint.
For further information: LOPMI
01/04/2023 – French Supervisory Authority | Sanction | Consent
On 4 January 2023, the French Supervisory Authority (“CNIL”) imposed an administrative €8 million fine on a technology company because it did not collect the consent of French users before depositing and/or writing identifiers used for advertising purposes on their terminals.
The CNIL found that the advertising targeting settings were pre-checked by default. Moreover, the user had to perform a large number of actions in order to deactivate this setting.
The CNIL explained the amount of the fine by the scope of the processing, the number of people concerned in France, the profits the company made from advertising revenues indirectly generated from data collected by these identifiers and the fact that since then, the company has reached compliance.
For further information: CNIL Website
01/17/2023 – French Supervisory Authority | Sanction | Consent
On 17 January 2023, the French Supervisory Authority (“CNIL”) imposed a €3 million fine on a company which publishes video games for smartphones.
The company was using an essentially technical identifier for advertising purposes without the user’s consent.
For further information: CNIL Website
Germany
03/22/2023 – Supervisory Authorities| Opinion | “Pure Subscription Models”
The Conference of the Independent Data Protection Authorities of Germany (DSK) adopted an opinion on so-called “pure subscription models” on websites.
The opinion assesses pure (no-tracking) subscription models and alternative free consent-based tracking models and provides criteria to assess these alternative access instruments on websites.
For further information: DSK Website [DE]
03/15/2023 – Supervisory Authorities| BfDI | Activity Report
The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, has presented the BfDI’s Activity Report for 2022.
For further information: BfDI [DE]
03/15/2023 – Supervisory Authorities| Activity Reports
The Commissioners for Data Protection and Freedom of Information of Baden-Württemberg, Hamburg and Schleswig Holstein have presented their activity reports on the year 2022.
The activity reports cover various data protection and information freedom topics. For example in Schleswig-Holstein data breaches remained frequent while the number of complaints dropped, with video surveillance being the main cause of complaints. The reports emphasize the need to proactively address risks such as artificial intelligence and data sharing.
For further information: ULD Website [DE] and LfDI-BW Website [DE] and HmbBfDI Website [DE]
03/01/2023 – Supervisory Authorities| Opinion | EU-US Privacy Framework
The Hamburg Supervisory Authority (on 1 March 2023) and the German Supervisory Authority (on 28 February 2023) both issued an opinion on the draft adequacy decision on the EU-US Data Privacy.
For further information: Bundestag Website [DE] and BfDI [DE]
02/13/2023 – German Competition Authority | Decision | US Data Transfers
On 13 February 2023 the German Competition Authority (“BKartA”) issued a ruling on data transfers under the GDPR.
In particular, the authority ruled that a company relying on a German subsidiary of a US parent company as a data processor cannot be excluded from a contract bid due to possible violations of the GDPR.
For further information: BKartA Website [DE]
02/09/2023 – ArbG Oldenburg | Decision | Claim for Damages
On 9 February 2023, the Oldenburg Labor Court has ordered a company to pay a former employee damages in the amount of 10,000 euros under Article 82 of the GDPR for failing to comply with an information request under Article 15 (1) of the GDPR without establishing any additional (immaterial) harm.
In the opinion of the court the violation of the GDPR itself already resulted in immaterial harm to be compensated; according to the court, no additional proof of harm was required.
Italy
03/30/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot
The Italian Supervisory Authority (“Garante”) imposed an immediate temporary limitation on the processing of Italian users’ data by an US-based company developing and managing an AI chatbot.
The Garante opened a probe over a suspected breach of GDPR. The authority alleged “the absence of any legal basis that justifies the massive collection and storage of personal data in order to ‘train’ the algorithms underlying the operation of the platform”. The authority also accused the company of failing to check the age of its users.
For further information: Garante Website [IT]
03/09/2023 – Council of Ministers | Legislation | Whistleblowing
On 9 March 2023, the Italian Council of Ministers approved the whistleblowing legislative decree.
The Council of Ministers announced, on 9 March 2023, the approval, after final review, of the legislative decree to transpose into Italian law the Whistleblowing Directive.
For further information: Governo Italiano Website [IT]
02/21/2023 – Italian Supervisory Authority | Sanction | Marketing Practices
The Italian Supervisory Authority (“Garante”) announced, on 21 February 2023, that it issued, on 15 December 2022, a €4.9 million fine against an energy company for various non-compliances with the GDPR, including unlawful marketing practices.
For further information: Garante Website [IT]
02/03/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot
The Italian Supervisory Authority (“Garante”) issued an order on an AI chatbot noting that tests performed identified risks for minors and vulnerable individuals.
The US-based developer was ordered to terminate processing of data relating to Italian users and to inform the Garante within 20 days on any measures taken to implement its orders.
For further information: Garante Website
Ireland
02/27/2023 – Irish Supervisory Authority | Sanction | Security
On 27 February 2023, the Irish Supervisory Authority (“DPC”) imposed a fine of €750,000 on a banking company for inadequate data security measures.
The inquiry was initiated after the notification to the DPC of a series of 10 data breaches. In this context, the DPC found that the technical and organizational measures in place at the time were not sufficient to ensure the security of the personal data processed.
For further information: #DPC Website
02/23/2023 – Irish Supervisory Authority | Sanction | Security
On 23 February 2023, the Irish Supervisory Authority (“DPC”) imposed a €460,000 fine against a health care provider.
The DPC initiated an enquiry after receiving a personal data breach notification related to a ransomware attack affecting patient data (70,000 people). The DPC considered that the health care provider failed to ensure that the personal data were processed in a manner that ensured appropriate security.
For further information: DPC Website
01/16/2023 – Irish Supervisory Authority | Sanction | CCTV
On 16 January 2023, the Irish Supervisory Authority (“DPC”) imposed a €50,000 fine and a temporary ban on the processing of personal data with CCTV cameras on a company for violations of the GDPR.
For further information: DPC Website
Netherlands
02/22/2023 – Dutch Supervisory Authority | Statement | Camera Settings
The Dutch Supervisory Authority (“AP”) published a statement on changes made by a car manufacturer in the settings of the built-in security cameras of its cars, following an investigation of these cameras by the AP.
For instance, the car may still take camera images, but only when the user activates that function.
For further information: AP Website [NL]
02/18/2023 – House for Whistleblowers | Legislation | Whistleblowing
On 18 February 2023, the House for Whistleblowers announced the entry into force of the Whistleblower Protection Act.
For further information: AP Website [NL]
Norway
03/01/2023 – Norwegian Supervisory Authority | Preliminary conclusion | Analytics Tool
On 1st March 2023, the Norwegian Supervisory Authority (“Datatilsynet”) published its preliminary conclusion on a case related to the use of the analytics tool of a US-based company considering that the use of this tool is not in line with the GDPR.
For further information: Datatilsynet Website [NO]
02/06/2023 – Norwegian Supervisory Authority | Sanction | GDPR Violation
On 6 February 2023, the Norwegian Supervisory Authority (“Datatilsynet”) fined a company operating fitness centers NOK 10 million (approximately €912,940) for various GDPR violations (e.g., lawfulness of processing, transparency and data subjects rights).
For further information: Datatilsynet Website [NO]
Portugal
01/27/2023 – Portuguese Supervisory Authority | Guidelines | Security Measures
The Portuguese Supervisory Authority (“CNPD”) published guidelines on security measures in order to minimize consequences in case of attacks on information systems.
These guidelines aim to inform controllers and processors about their legal obligations, with the increase of cyberattacks on information systems, listing organizational and technical measures that must be considered by organizations.
For further information: Press release [PT]
Romania
03/28/2023 – President of Romania | Legislation | Whistleblowing
The Law No. 67/2023 which amends article 6 (2) of the Law no. 361/2022 on the protection of whistleblowers in the public interest, was published in the Official Gazette on 28 March 2023 and entered into force on 31 March 2023.
For further information: CDEP Website [RO]
Spain
03/16/2023 – Spanish Supervisory Authority | Sanction | Data Minimization
The Spanish Supervisory Authority (“AEPD”) published, on 16 March 2023, its decision in which it imposed a fine of €100,000 on a telecommunications company for violation of the data minimization principle.
For further information: AEPD Website [ES]
03/15/2023 – Spanish Supervisory Authority | Sanction | GDPR Violation
The Spanish Supervisory Authority (“AEPD”) fined a bank €100,000 for violation of the GDPR.
In particular, the bank used the information provided by the claimant and her child to open several accounts in the name of the child without consent and while it was not necessary for the services requested.
For further information: AEPD Website [ES]
03/15/2023 – Spanish Supervisory Authority | Sanction | Data Portability
The Spanish Supervisory Authority (“AEPD”) published, on 15 March 2023, a decision in which it imposed a fine of €136,000 on a telecommunications company for completing a data portability request without ensuring the security of the personal data of the client.
For further information: AEPD Website [ES]
03/13/2023 – Spanish Senate | Legislation | Whistleblowing
The Spanish Law 2/2023 implementing the EU Whistleblower Directive was published in the Official Gazette on 20 February 2023 and entered into force on 13 March 2023.
For further information: BOE Website [ES]
United Kingdom
03/28/2023 – UK Supervisory Authority | Guidance | Direct Marketing
On 28 March 2023, the UK Supervisory Authority (“ICO”) issued guidance to businesses operating in regulated private sectors (e.g., finance, communications or utilities) on direct marketing and regulatory communications.
The guidance aims to help businesses identify when a regulatory communication message might count as direct marketing. If the message is direct marketing, it also covers what businesses need to do to comply with data protection and ePrivacy law.
For further information: ICO Website
03/16/2023 – UK Supervisory Authority | Sanction | GDPR Violations
The UK Supervisory Authority (“ICO”) reached an agreement with a retailer to reduce the monetary penalty notice issued for breaching the GDPR from £1,350,000 to £250,000.
The ICO found that the company was making assumptions about customers’ medical conditions, based on their purchase history, to sell them further health related products. The processing involved special category data and the ICO concluded that the processing had been conducted without a lawful basis. The retailer appealed the decision which led to an agreement to reduce the monetary penalty notice, taking into account that the retailer has stopped the unlawful processing.
For further information: ICO Website
03/15/2023 – UK Supervisory Authority | Guidelines | AI and Data Protection
The UK Supervisory Authority (“ICO”) announced on 15 March 2023 that it had updated its guidance on artificial intelligence (“AI”) and data protection.
The ICO indicates that the changes respond to requests from UK industry to clarify requirements for fairness in AI.
For further information: ICO Website
03/13/2023 – UK Supervisory Authority | Guidance | Data Protection by Default
The UK Supervisory Authority (“ICO”) has produced new guidance to help user experience designers, product managers and software engineers embed data protection into their products and services by default.
The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch. It includes both examples of good practice and practical steps that organisations can take to comply with data protection law when designing websites, apps or other technology products and services.
For further information: ICO Website
03/08/2023 – UK Government | Legislation | Cookies
The government re-introduced new laws on 8 March 2023 aiming to cut down paperwork for businesses and reduce unnecessary cookie pops-up.
The Data Protection and Digital Information Bill was first introduced last summer and paused in September 2022 so ministers could engage in a co-design process with business leaders and data experts. According to the government, this was to ensure that the new regime built on the UK’s high standards for data protection and privacy, and seeks to ensure data adequacy while moving away from the “one-size-fits-all” approach of the European Union’s GDPR.
For further information: UK Government Website
02/16/2023 – UK Supervisory Authority | Guidance | Protection of Children
The UK Supervisory Authority (“ICO”) issued a series of recommendations to game developers to ensure the protection of children and compliance with data protection laws.
For further information: ICO Website
This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:
- Ahmed Baladi – Partner, Partner, Co-Chair, PCCP Practice, Paris ([email protected])
- Vera Lukic – Partner, Paris ([email protected])
- Kai Gesing – Partner, Munich ([email protected])
- Joel Harrison – Partner, London ([email protected])
- Alison Beal – Partner, London ([email protected])
- Thomas Baculard – Associate, Paris ([email protected])
- Roxane Chrétien – Associate, Paris ([email protected])
- Christoph Jacob – Associate, Munich ([email protected])
- Yannick Oberacker – Associate, Munich ([email protected])
- Clémence Pugnet – Associate, Paris ([email protected])
© 2023 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.
Personal Data | Cybersecurity | Data Innovation
Europe
08/25/2023 – Digital Services Act | Regulation | Very Large Online Platforms and Very Large Online Search Engines
On 25 August 2023, the Digital Services Act (“DSA”) started to apply to very large online platforms and very large online search engines.
As a reminder, on 25 April 2023, the European Commission designated nineteen providers of very large online platforms and of very large online search engines. The DSA will apply to the designated providers from four months after the notification of the designated decisions
For further information: DSA Regulation; European Commission Website
07/25/2023 – European Consumer Organisation | Position Paper | AI Act
The European Consumer Organisation (“BEUC”) published a position paper urging EU legislators to ensure that consumers can expect a high level of protection when using AI systems as they enter the final legislative stage on the Artificial Intelligence Act (“AI Act”).
For further information: BEUC Website
07/18/2023 – European Data Protection Board | Information note | EU-US Data transfers
The European Data Protection Board (“EDPB”) published an information note on data transfers to the United States after the adoption of the adequacy decision on 10 July 2023.
The EDPB outlines that transfers to entities in the US which are not included in the “Data Privacy Framework List” cannot be based on the adequacy decision and will require appropriate data protection safeguards, enforceable rights and effective legal remedies for data subjects (e.g., through standard data protection clauses, binding corporate rules), in accordance with Article 46 GDPR.
For further information: EDPB Website
07/12/2023 – European Commission | Strategy | Metaverse
The European Commission issued its strategy for “Virtual Worlds”, commonly referred to as metaverses.
For further information: European Commission Website
07/10/2023 – European Commission | Press Release | EU-US Data Transfers
The European Commission has formally adopted the adequacy decision for the EU-US Data Privacy Framework.
This decision finds that the EU-US Data Privacy Framework provides an adequate level of protection, comparable to that of the European Union, for data transfers from the EU to US companies under the new framework. As a result, personal data can flow safely from the EU to US companies participating in the framework, without having to put in place additional data protection safeguards.
For further information: European Commission Website
07/05/2023 – Council of Europe | Guidelines | Data Processing for Financial Services
The Council published guidelines on data protection for the processing of personal data for Anti-Money Laundering/Countering Financing of Terrorism (“AML/CFT”) purposes.
The purpose of these guidelines is to provide orientation on how to integrate the requirements of Convention 108+ in the area of AML/CFT in order to provide for an appropriate level of data protection while facilitating transborder data flows, and to highlight certain areas in the AML/CFT context where data protection safeguards should be strengthened.
For further information: Council of Europe Website
07/04/2023 – Court of Justice of the European Union | Decision | Antitrust, Competition & GDPR enforcement
The Court of Justice of the European Union (“CJEU”) ruled that a competition authority of a Member State may identify a violation of the GDPR in order to establish the existence of an abuse of a dominant position.
For further information: CJEU decision
07/04/2023 – European Commission | Proposal for Regulation | GDPR Enforcement
The European Commission has proposed to adopt a new regulation “to streamline cooperation between data protection authorities” with regards to GDPR enforcement in cross-border cases.
The regulation aims to further harmonize procedural rules in cross-border cases. It contains provisions regulating the rights of complainants, the rights of the parties under investigation as well as provisions to streamline the cooperation and dispute resolution process. According to the European Commission, the proposed regulation will lead to “swifter resolution of cases” and enhance the efficiency of GDPR enforcement.
For further information: European Commission Website
06/28/2023 – European Parliament/Council of the EU | Regulation | Data Act
The European Parliament and the Council of the EU have reached a political agreement on the European Data Act. This new legislation aims at “boosting” the EU’s data economy by ensuring a competitive European data market.
The proposal contains provisions regulating data access rights, unfair contractual terms as well as rules governing the switch between cloud data-processing service providers among other things. The draft EU Data Act complements the Data Governance Act of November 2020 and is expected to enter into force in late 2024. The next step in the legislative process is the formal passing of the law by the European Parliament and the Council, which is expected later this year.
For further information: European Commission Website
06/22/2023 – Court of Justice of the European Union | Judgement | Data Subject Rights
The Court of Justice of the European Union (“CJEU”) ruled that the fact that a data controller is engaged in the business of banking and acts within the framework of a regulated activity and that the data subject whose personal data has been processed in his capacity as a customer of the controller was also an employee of that controller has no effect on the scope of the right granted to the data subject.
For further information: CJEU Website
06/21/2023 – European Data Protection Board | Recommendations | Binding Corporate Rules
The European Data Protection Board (“EDPB”) adopted a final version of the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (“BCR-C”).
For further information: EDPB Website
06/07/2023 – European Data Protection Board | Guidelines | Calculation of Administrative Fines
The European Data Protection Board (“EDPB”) adopted a final version of the guidelines 04/2022 on the calculation of administrative fines following public consultation.
For further information: EDPB Website
05/24/2023 – European Commission | News Announcement| EU-ASEAN Data Transfers
The European Commission announced that the EU and the Association of Southeast Asian Nations (“ASEAN”) issued a joint guide identifying commonalities between the EU Standard Contractual Clauses (“SCCs”) and the ASEAN Model Contractual Clauses for cross-border data transfers.
The objective of the guide is to assist companies operating across the ASEAN and EU regions understand the similarities and differences between the respective contractual clauses, thereby facilitating compliance with ASEAN and EU data protection laws as applicable.
For further information: European Commission Website
05/22/2023 – European Data Protection Board | Case Digest | Right to Object and Erasure
The European Data Protection Board (“EDPB”) published a case digest on the right to object and erasure.
In particular, the case digest examines a selection of one-stop-shop decisions taken from the EDPB’s public register relating to Articles 17 and 21 of the GDPR. Most of the complaints under those articles concern minor violations where the data controller shows active cooperation, with spontaneous remediation of the infringement. Hence, the decisions analyzed often result in reprimands. Although in some cases the lead supervisory authorities have imposed specific sanctions on data controllers, this is usually due to a large number of infringements of the GDPR, with a minor role played by violations of Articles 17 and 21.
For further information: EDPB Website
05/04/2023 – Court of Justice of the European Union | Decision | Right to Compensation
The Court of Justice of the European Union ruled that a mere infringement of the GDPR does not give rise to a right to compensation.
Overall, the Court stated that the right to compensation under the GDPR is subject to three cumulative conditions: an infringement of the GDPR, material or non-material damage resulting from that infringement and a causal link between the damage and the infringement. Moreover, the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. Finally, as the GDPR does not contain any rules governing the assessment of damages, it is for each Member State to prescribe them, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence and effectiveness are complied with.
For further information: CJEU Website
05/04/2023 – Court of Justice of the European Union | Decision | Data Subjects Rights
The Court of Justice of the European Union ruled that the data subject’s right to obtain from the controller a “copy” of the personal data undergoing processing as per Article 15(3) GDPR means that the data subject must be given a faithful and intelligible reproduction of all those personal data.
In particular, that entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases, if the provision of such copy is essential to enable the data subject to exercise effectively the right granted to him/her by that regulation, taking into account the rights and freedoms of others.
For further information: CJEU Website
04/26/2023 – European Union General Court | Decision | Pseudonymized Data
The General Court of the European Union ruled that in order to determine whether information constitutes personal data, it is necessary to determine whether the information relates to “identifiable persons”. The European Data Protection Supervisor (“EDPS”) has appealed this decision before the Court of Justice of the European Union (“CJEU”) on 5 July 2023.
The EDPS argues, that the General Court has not interpreted the relevant provisions correctly. Therefore, the EDPS seeks that the CJEU sets aside the General Court’s judgement in its entirety as well as give a final judgment in the dispute.
For further information: Official Journal of the European Union Website; CJEU Website
04/19/2023 – European Data Protection Board | Report | 101 NOYB Data Transfer Complaints
The European Data Protection Board (“EDPB”) published a report of the work undertaken by the supervisory authorities within the 101 Task Force.
The report sets out the common positions agreed by the supervisory authorities taking part in the task force with a view to handling the “101 complaints” received from NOYB in the aftermath of the Schrems II ruling. Notably, several supervisory authorities have ordered website operators to comply with the requirements of Chapter V of the GDPR, and if necessary, to stop the transfer at stake.
For further information: EDPB Website
04/17/2023 – European Data Protection Board | Guidelines | Right of Access
The European Data Protection Board (“EDPB”) published a final version of the guidelines 01/2022 on data subjects’ right of access, following a public consultation.
For further information: EDPB Website
04/17/2023 –European Data Protection Board | Guidelines | Lead Supervisory Authority
The European Data Protection Board (“EDPB”) published a final version of the guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority.
For further information: EDPB Website
04/13/2023 – European Protection Data Board | Guidance | Data Subject Rights
The European Data Protection Board (“EDPB”) published a guide for exercising data subjects’ rights, compiled by the Schengen Information System (“SIS”) II Supervision Coordination Group.
For further information: EDPB Website
04/04/2023 – European Data Protection Board | Guidelines | Personal Data Breach Notification
The European Data Protection Board released a new version of its guidelines 9/2022 on personal data breach notification under the GDPR.
For further information: EDPB Website
04/04/2023 – European Commission | Statement | Japan-EU Mutual Adequacy Arrangement
The European Commission released a joint press statement on the successful conclusion of the first review of the Japan-EU mutual adequacy arrangement.
In 2019, the EU and Japan recognized each other’s data protection systems as “equivalent”, thereby allowing personal data to flow freely between them. This arrangement created the world’s largest area of free and safe data flows.
For further information: European Commission Website
Austria
05/10/2023 – Austrian Supervisory Authority | Sanction | GDPR Violations
The Austrian Supervisory Authority issued a sanction against an American facial recognition company for multiple breaches of the GDPR, but did not issue a fine.
The facial recognition company reportedly owns a database including over 30 billion facial images from all over the world, which are extracted from public web sources. The complainant found out that his image data was processed by the company and lodged a complaint. In particular, the Austrian Supervisory Authority found that the processing carried out by the company serves a completely different purpose from the original publication of the complainant’s personal data (especially photographs).
For further information: EDPB Website
Belgium
05/24/2023 – Belgian Supervisory Authority | Press Release | Personal Data Transfers
The Belgian Supervisory Authority announced the prohibition of transfers of personal data of Belgian “Accidental Americans” by the Belgian Federal Public Service Finance to the US tax authorities under the intergovernmental Foreign Account Tax Compliance Act (“FATCA”) agreement.
The Litigation Chamber of the Belgian Supervisory Authority held that the generalized and undifferentiated transfer of tax data provided under FATCA breaches the principle of purpose limitation (FATCA does not contain exact objectives for the transfer of data), as well as the principles of proportionality and data minimization of the GDPR.
For further information: ADP Website
05/22/2023 – Belgian Supervisory Authority | Announcement | 2022 Annual Activity Report
The Belgian Supervisory Authority announced the publication of its 2022 annual activity report.
In particular, the report highlights that, in 2022 the Authority received 604 complaints and the main topics of the complaints and requests for mediation in 2022 were direct marketing as well as photos and cameras. The Dispute Chamber of the Authority issued 189 decisions in 2022, including fines totaling €738,900. As for data breaches, the Authority opened 1426 data leak files.
For further information: ADP Website [FR]
Denmark
07/13/2023 – Danish Supervisory Authority | Guidance | Right to erasure
The Danish Supervisory Authority expanded its guidance on what applies when an individual wants to have a search result related to him/her deleted from a search engine (e.g. Google and Bing).
For further information: Datatilsynet Website [DK]
06/27/2023 – Danish Supervisory Authority | Guidance | Video Surveillance
The Danish Supervisory Authority published new guidance on video surveillance used by companies.
For further information: Datatilsynet Website [DK]
03/29/2023 – Danish Supervisory Authority | Guidance | Employment Relationships
The Danish Supervisory Authority published an updated guidance on data protection in employment relationships.
For further information: Datatilsynet Website [DK]
Finland
08/08/2023 – Finnish Supervisory Authority | Press Release | Data transfers
The Finnish Supervisory Authority announced that it has issued an order to an international platform which provides taxi services to suspend its data transfers from Finland to Russia temporarily and to cease the processing of the personal data.
The Authority considers that this order is necessary because of a legislative reform that will enter into force in Russia will significantly weaken the protection of customers’ personal data when using the platform. For instance, the Russian intelligence service will have the right to receive data processed in taxi operations.
For further information: Ombudsman Website
France
06/22/2023 – French Supervisory Authority | Sanction | GDPR Violations
The French Supervisory Authority published a decision which was issued on 15 June 2023 and imposed a €40 million fine to an advertising company, for several GDPR violations.
The company specializes in “behavioral retargeting”, which consists of tracking the navigation of Internet users in order to display personalized advertisements. In particular, the Authority considered that the advertising company had failed to demonstrate that the data subjects gave their consent.
For further information: CNIL Website
06/15/2023 – French Supervisory Authority | Sanction | GDPR Violations
The French Supervisory Authority published a decision issued on 8 June 2023, imposing a €150,000 fine to a company which provides clairvoyance consultation through its website (by chat or telephone), for failing to comply with its obligations under the GDPR and the French Data Protection Act.
In particular, the Authority found that the company collected excessive data, as well as sensitive data without prior and explicit consent, and did not sufficiently ensure the security of the data.
For further information: CNIL Website
05/26/2023 – French Supervisory Authority | Decision | Consent
The French Supervisory Authority published a decision issued on 11 May 2023, in which it closed the injunction issued on a technology company.
On 19 December 2022, the company was fined 60 million euros by the Authority, which also required the company, within three months, to allow users of its search engine located in France to give their consent to the use of trackers to combat advertising fraud, as soon as they arrived on the website. The company responded within the timeframe and made technical modifications so that tracking linked to the fight against advertising fraud would be inactive in the absence of specific consent from French users.
For further information: CNIL Website
05/17/2023 – French Supervisory Authority | Sanction | Health Data and Cookies
The French Supervisory Authority published a decision issued on 11 May 2023, imposing a €380,000 fine to a health and well-being website for several breaches of the GDPR and of the French Data Protection Act.
Following a complaint by an association, the Authority carried out investigations into the company. The Authority identified several infringements, namely a failure to store data for no longer than necessary, failure to obtain consent from individuals to collect their health data, failure to provide a formal legal framework for the processing operations carried out jointly with another data controller, failure to ensure the security of personal data and a failure to comply with obligations related to the use of cookies.
For further information: CNIL Website
05/16/2023 – French Supervisory Authority | Action Plan | Artificial Intelligence
The French Supervisory Authority published its action plan for the deployment of AI systems that respect individuals’ privacy.
In 2023, the Authority will extend its action on augmented cameras and wishes to expand its work to generative AIs, large language models and derived applications (especially chatbots). Its action plan is structured around four strands: (i) understand the functioning of AI systems and their impact on people, (ii) enable and guide the development of privacy-friendly AI, (iii) federate and support innovative players in the AI ecosystem in France and Europe, and (iv) audit and control AI systems and protect people. This work will also allow to prepare for the entry into application of the draft European AI Regulation currently under discussion.
For further information: CNIL Website
05/10/2023 – French Supervisory Authority | Sanction | Compliance
The French Supervisory Authority published a decision issued on 17 April 2023, imposing a €5,2 million fine to a facial recognition company, for failing to comply with the injunction issued in its October 2022 sanction decision.
The Authority had fined the company €20 million and enjoined the company to refrain from collecting and processing the data of individuals in France without a legal basis, and to delete the data of these individuals after responding to requests for access. The injunction was accompanied by an penalty of 100,000 euros per day of delay at the end of the two-month period. The Authority considered that the company had not complied with the order and imposed an overdue penalty payment.
For further information: CNIL Website [FR]
05/09/2023 – French Supervisory Authority | Publication | Data Protection Officers
The French Supervisory Authority announced that as part of a coordinated enforcement framework at the European level, it is conducting audits on public and private organizations to verify the role and means entrusted to their Data Protection Officer (“DPO”).
For its assessment, the Authority sent a dozen surveys in April to public institutions, local authorities and private companies, particularly in the luxury and transport sectors. The answers provided by the organizations will be analyzed in coordination with the Authority’s European counterparts. Depending on the results of these initial checks, on-site inspections may be carried out to complete the findings.
For further information: CNIL Website [FR]
04/03/2023 – French Supervisory Authority | Guidelines | Security of Personal Data
The French Supervisory Authority published updated guidelines relating to personal data security.
This guidelines aim to support actors dealing with personal data by reminding them of the basic precautions to be taken. The updated guidelines take into account the latest recommendations of the Authority regarding passwords and login.
For further information: CNIL Website [FR]
03/21/2023 – French Supervisory Authority | Publication | Connected Vehicles
The French Supervisory Authority announced the creation of a “compliance club” dedicated to players in the connected vehicle and mobility sectors, as part of its industry support initiative.
This privileged forum for dialogue will enable regular exchanges on issues affecting the daily lives of French individuals, and encourage innovation that respects their privacy.
For further information: CNIL Website [FR]
Germany
08/17/2023 – German Federal Ministry of the Interior and Community | Regulation | Federal Data Protection Act
The German Federal Ministry of the Interior and Community is working on an amendment to the Federal Data Protection Act. The Ministry’s current legislative draft has become public following a request under Germany’s Freedom of Information Act (“IFG”).
The draft is still at a very early stage and aims at institutionalizing the German Data Protection Conference (“Datenschutzkonferenz” / DSK), a body consisting of representatives from each of the German data protection authorities. Additionally, the proposed provisions include various changes, e.g. simplifications in terms of determining which authority is competent.
For further information: FragDenStaat [DE]
08/02/2023 – Berlin Supervisory Authority | Sanction | Data Protection
The Berlin Supervisory Authority announced imposing a €215,000 fine to a company for illegally documenting a list of information about employees on probationary period including sensitive data.
The authority found that in order to determine whether to continue employment of the data subjects, the company was processing health and non-company related justifications that would conflict with flexible shift scheduling.
For further information: BlnBDI [DE]
06/06/2023 – German Federal Labour Court | Decision | Data Protection Officers
The German Federal Labour Court has ruled that a chairman of the works council usually cannot serve as a data protection officer at the same time. The German Federal Labour Court argues, that these positions would typically lead to a conflict of interest.
For further information: German Federal Labour Court Press Release [DE]
06/02/2023 – German Parliament | Regulation | Whistleblowing Directive
The Law to improve the protection of whistleblowers and to implement the directive on the protection of persons who report violations of Union law transposing the Whistleblowing Directive was published in the Federal Gazette.
For further information: Official Gazette [DE]
05/31/2023 – Berlin Supervisory Authority | Sanction | GDPR Violations
The Berlin Supervisory Authority announced issuing a fine of €300,000 on a bank for lack of transparency regarding an automated individual decision.
In particular, the complainant informed the Authority that the bank’s algorithm rejected its application for a credit card without providing any specific justification, preventing the complainant from challenging the automated decision.
For further information: BlnBDI Website [DE]
04/19/2023 – Schleswig-Holstein Supervisory Authority | Questionnaire | Artificial Intelligence Chatbot
The Schleswig-Holstein Supervisory Authority published the questionnaire that was sent by German Supervisory Authorities to an AI chatbot company in relation to its data processing.
For further information: UDL Website [DE]
04/14/2023 – Federal Office for Information Security | Guide | Security and Artificial Intelligence
The Federal Office for Information Security (“BSI”) published a Practical AI-Security guide.
The guide contains a brief and clear presentation of the current state of research in the area of attacks on AI and developers are also presented with possible defenses against attacks.
For further information: BSI Website [DE]
Ireland
08/21 /2023 – Irish Supervisory Authority | Sanction | Data minimization
The Irish Supervisory Authority published a decision imposing a reprimand and corrective measures on an online platform providing intermediation service, for infringing the principle of data minimization.
In particular, the Authority found that the platform’s retention of a copy of the complainant’s identity documentation following the successful completion of the identity verification process infringed the principles of data minimization.
For further information: DPC website
04/28/2023 – Irish Supervisory Authority | Guidance | Data Protection in the Workplace
The Irish Supervisory Authority announced the publication of guidance for employers, regarding data protection in the workplace.
This new guidance is specifically aimed at assisting employers as data controllers regarding their data processing obligations and duties when processing the personal data of their employees, former employees and prospective employees.
For further information: DPC website
04/19/2023 – Irish Supervisory Authority | Guidance | Records of Processing Activities
The Irish Supervisory Authority announced the publication of guidance on records of processing activities.
For further information: DPC website
Italy
07/06/2023 – Italian Supervisory Authority | Annual Report
The Italian Supervisory Authority published its annual report for the year 2022.
The report outlines the need for ensuring the protection of data subjects’ rights and freedoms against the risks resulting from large-scale processing activities based on AI tools, as well as actions of the Authority in this regard.
For further information: Guarante Website [IT]
06/22/2023 – Italian Supervisory Authority | Sanction | GDPR violation
The Italian Supervisory Authority announced that a concessionaire for the construction and management of toll motorways was fined €1 million for violating the GDPR.
In this ruling, the Authority considered that the concessionaries violated the principles of correctness and transparency, given the failure to provide adequate information in relation to the processing, as well as the misclassification of the GDPR status.
For further information: Guarante Website [IT]
06/09/2023 – Italian Supervisory Authority | Sanction | GDPR Violations
The Italian Supervisory Authority published a decision issued on 14 April 2023, in which it imposed a fine of €676,956 to an energy provider company for data protection failures with regard to promotional calls.
The Authority outlined that, by virtue of the principle of accountability and privacy by design, the data controller should prepare suitable measures to guarantee, at any time and, even more so, at the request of the Authority, the traceability of all operations carried out.
For further information: Guarante Website [IT]
04/20/2023 – Italian Supervisory Authority | Press Release | Dark Patterns
The Italian Supervisory Authority published information on deceptive design patterns that can influence online browsing behavior and hinder data protection.
The Authority launched an information page which is part of a large information and awareness project on data protection, digital education and safety, for a conscious use of the Internet and new technologies.
For further information: Guarante Website [IT]
04/14/2023 – Italian Supervisory Authority | Sanction | Unlawful Telemarketing Activities
The Italian Supervisory Authority issued a decision on 13 April 2023 imposing a €7,631,175 fine to a telecommunications company, for multiple GDPR violations.
In particular, the Authority found that the company had failed to reply to data subject access requests, lacked valid documentation demonstrating the consent of the company’s commercial communications, failed to act on a data breach and remained inactive over time.
For further information: Guarante Website [IT]
Netherlands
05/17/2023 – Dutch Supervisory Authority | Annual Plan 2023
The Dutch Supervisory Authority published its annual plan for the year 2023.
In 2023, the Authority will pay particular attention to (i) algorithms & AI, (ii) big tech, and (iii) freedom & security.
For further information: AP Website [NL]
04/13/2023 – Dutch Supervisory Authority | Sanction | Inadequate Identity Checks
The Dutch Supervisory Authority announced imposing a fine of €150,000 on the organization which implements national insurance schemes in the Netherlands, for failure to adequately confirm the identity of callers to its telephone helpdesk and disclosed personal data to unauthorized individuals.
The organization has now taken measures to address the matter.
For further information: AP Website [NL]
Norway
07/27/2023 – Norwegian Supervisory Authority | Advice | Analytics and Tracking
The Norwegian Supervisory Authority published an advice on the use of website analytics and tracking.
As analytics and tracking tools on the market are not all legal, the Authority provides guidance to websites (e.g., regarding cookie banner requirements, the use of consent as a legal basis, data transfers).
For further information: Datatilsynet Website [NO]
Portugal
04/20/2023 – Portuguese Supervisory Authority | Press Release | Security Incidents
The Portuguese Supervisory Authority published an overview of the security incidents in Portugal for the year 2022.
In 2022, 37 security incidents were reported to the Authority by electronic communications network and service companies and impacted approximately 6,4 million subscribers.
For further information: ANACOM Website [PT]
Spain
08/22/2023 – Council of Minister | Authority Appointment | Artificial Intelligence
The Council of Ministers has approved the statute of the Spanish Agency for the Supervision of Artificial Intelligence (AESIA).
With the creation of the AESIA, Spain becomes the first European country to have such an entity and anticipates the entry into force of the European Artificial Intelligence Act.
For further information: Government Website [ES]
08/21/2023 – Spanish Supervisory Authority | Sanction | Sub-processing
The Spanish Supervisory Authority published a decision imposing a €120,000 fine (reduced €72,000) against a transport company for unlawful sub-processing.
The Authority found that it was clear that the subcontracting did not comply with the provisions of the GDPR due to the lack of formalization of contracts or legal acts, as well as the lack of authorizations prior to their formalization.
For further information: AEPD Website [ES]
07/28/2023 – Spanish Supervisory Authority | Sanction | Security
The Authority issued a €2,5 million fine against a bank for failing to implement appropriate security measures.
In particular, the Authority considered that the technical and organizational measures implemented by the bank did not guarantee a level of security appropriate to the risk, due to the nature of the personal data processed, which deserve special protection in terms of their confidentiality and integrity.
For further information: AEPD Website [ES]
07/11/2023 – Spanish Supervisory Authority | Guidance | Cookies
The Spanish Supervisory Authority released an updated cookie guide taking into account the EDPB guidelines on deceptive design patterns.
For further information: AEPD Website [ES]
05/09/2023 – Spanish Supervisory Authority | Guidelines | Encryption
The Spanish Supervisory Authority published guidelines for the validation of cryptographic systems in data protection processing.
For further information: AEPD Website [ES]
Sweden
06/27/2023 – Swedish Supervisory Authority | Press Release | Profiling
The Swedish Supervisory Authority published its decision, issued on 26 June 2023, imposing a fine of SEK 13 million (approx. €1,09 million) on a publishing company, for profiling its customers and web visitors without consent.
For further information: IMY Website
06/12/2023 – Swedish Supervisory Authority | Sanction | GDPR Violations
The Swedish Supervisory Authority issued a decision imposing a SEK 58 million (approx. €4,9 million) fine to a company providing an audio streaming service for shortcomings regarding the right of access.
The Authority considered that the company does not provide information about how it uses the personal data it processes upon a request of access of individuals and specifies that this information must be easy to understand. In addition, personal data that is difficult to understand, such as those of a technical nature, may need to be explained not only in English but in the individual’s own, native language. The Authority has further found that the company had failed in its handling of requests for access related to two out of three of the complaints examined.
For further information: NOYB Website
Switzerland
05/11/2023 – Swiss Supervisory Authority | Press Release | Revised Federal Act on Data Protection | Website Update
The Swiss Supervisory Authority updated the content of its website in anticipation of the new Data Protection Act coming into force on 1 September 2023. At the same time, it is launching the “DataBreach Portal” for reporting security vulnerabilities.
For further information: FDPIC Website
United Kingdom
08/30/2023 – UK Supervisory Authority | Guidance | Email Communications
The UK Supervisory Authority published new guidance for organisations sending bulk communications by email.
For further information: ICO Website
08/24/2023 – UK Supervisory Authority | Guidance | Data Scraping
The UK Supervisory Authority released a joint statement on data scraping and the protection of privacy with agencies from Australia, Canada, Hong Kong, Switzerland, Norway, New Zealand, Columbia, Jersey, Morocco, Argentina and Mexico.
The statement calls for the protection of people’s personal data from unlawful data scraping taking place on social media sites. It also sets expectations for how social media companies should protect people’s data from unlawful data scraping.
For further information: ICO Website
08/18/2023 – UK Supervisory Authority | Guidance | Biometric Data
The UK Supervisory Authority published draft guidance on biometric data and biometric technologies, which is open for public consultation until 20 October 2023.
For further information: ICO Website
07/17/2023 – UK Supervisory Authority| Blog | Unlawful Marketing
The UK Supervisory Authority released a blog post on its ongoing work to tackle unlawful marketing calls and messages.
The UK Supervisory Authority has issued more than £2,4 million in fines (approx. €2,8 million) since April 2022, through the enforcement of the UK Privacy and Electronic Communications Regulations 2003, against companies responsible for nuisance calls, texts and emails.
For further information: ICO Website
07/06/2023 – National Cyber Security Centre | Report | Risk Management
The National Cyber Security Centre announced the release of its sixth annual report providing a retrospective summary of the work carried out as part of the Active Cyber Defense program.
For further information: NCSC Website
06/19/2023 – UK Supervisory Authority | Guidance | Privacy-Enhancing Technologies
The UK Supervisory Authority issued guidance which discusses privacy-enhancing technologies (“PETs”).
As a reminder, PETs are technologies that embody fundamental data protection principles by (i) minimizing personal data use, (ii) maximizing information security, or (iii) empowering people.
For further information: ICO Website
06/08/2023 – UK Supervisory Authority | Sanction | Unlawful Marketing Calls
The UK Supervisory Authority announced it fined two energy companies a total of £250,000 (approx. €291,577) for bombarding people and businesses on the UK’s “do not call” register with unlawful marketing calls.
The UK Supervisory Authority also issued an enforcement notice to both companies to stop calling people and businesses on the UK’s “do not call” register, or who had previously objected to such calls.
For further information: ICO Website
06/08/2023 – UK Government | Press Release | UK-US Data Transfers
The UK and US have reached a commitment to establish the UK Extension to the Data Privacy Framework, that will create a “data bridge” between the two countries.
US companies who are approved to join the framework, would be able to receive UK personal data under the new data bridge.
For further information: UK Government Website
05/30/2023 – UK Supervisory Authority | Guidance | Children Data
The UK Supervisory Authority announced that it updated its guidance on edtech and the Children’s code to clarify when an edtech service may be in the scope of the Children’s code.
For further information: ICO Website
05/24/2023 – UK Supervisory Authority | Guidance | Access Requests and Employers
The UK Supervisory Authority published new guidance for businesses and employers on responding to data subject access requests (“SARs”).
For further information: ICO Website
05/19/2023 – UK High Court of Justice | Decision | Loss Of Control Over Personal Data
The High Court struck out a class action claim for damages in relation to loss of control over personal data against a technology company and its AI company, and ordered summary judgment in their favor.
For further information: Royal Courts of Justice Website
04/14/2023 – UK Supervisory Authority | Sanction | Consent
The UK Supervisory Authority announced imposing a £130,000 (approximately €150,000) fine against a job search website provider for sending 107 million spam emails targeting jobseekers.
The UK Supervisory Authority established in its decision that the company had not obtained valid consent to send direct marketing in accordance with the UK Privacy and Electronic Communications Regulations 2003.
For further information: ICO Website
04/13/2023 – National Cyber Security Centre | Guidance | Security by Design and by Default
On 13 April 2023, the National Cyber Security Centre (“NCSC”) as well as agencies from the US, Australia, Canada, Germany, the Netherlands and New Zealand issued a new joint guide on security by design and by default.
In particular, the guide encourages software manufacturers to embed secure-by-design and by-default principles into their products to help keep customers safe.
For further information: NCSC Website
This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:
- Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris ([email protected])
- Vera Lukic – Partner, Paris ([email protected])
- Kai Gesing – Partner, Munich ([email protected])
- Joel Harrison – Partner, London ([email protected])
- Alison Beal – Partner, London ([email protected])
- Clémence Pugnet – Associate, Paris ([email protected])
- Roxane Chrétien – Associate, Paris ([email protected])
- Thomas Baculard – Associate, Paris ([email protected])
- Hermine Hubert – Associate, Paris ([email protected])
- Christoph Jacob – Associate, Munich ([email protected])
- Yannick Oberacker – Associate, Munich ([email protected])
- Sarah Villani – Associate, London ([email protected])
© 2023 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
European Data Privacy Newsletter
Europe
12/14/2023
Court of Justice of the European Union | Decision | Misuse of personal data
The Court of Justice of the European Union ruled that the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage.
In this case, the Bulgarian Supreme Administrative Court requested clarification of the conditions for awarding compensation for non-material damage relied on by a data subject whose personal data, held by a public agency, were published on the internet following an attack from cybercriminals. The Court emphasized that the mere occurrence of unauthorized disclosure or access to personal data does not automatically imply that the protective measures implemented by the controller were not appropriate, they must be assessed in a concrete manner.
For more information: CJEU Website
12/07/2023
Court of Justice of the European Union | Decision | Automated Individual Decision
The Court of Justice of the European Union issued a significant ruling in cases involving a private credit information agency declaring that “scoring” qualifies as “automated individual decision-making” and is, in principle, prohibited by Article 22 of the GDPR.
While ‘scoring’ is permitted only under certain conditions, the prolonged retention of information relating to the granting of a discharge from remaining debts is contrary to the GDPR. The court emphasized the primacy of data subjects’ rights and interests, asserting their right to prompt deletion when their personal data have been unlawfully processed, i.e. beyond the retention period.
For more information: CJEU Website
12/05/2023
Court of Justice of the European Union | Decision | Calculation of Fines
The Court of Justice of the European Union disclosed two rulings in which it shared an interpretation of the GDPR concerning the assessment and computation of penalties for breaches.
The CJEU clarifies the conditions under which national supervisory authorities may impose an administrative fine on one or more controllers for an infringement of the GDPR. In particular, it holds that the imposition of such a fine requires that a wrongful conduct; in other words, that the infringement has been committed intentionally or negligently. Moreover, where the addressee of the fine forms part of a group of companies, the calculation of that fine must be based on the turnover of the entire group.
For more information: CJEU Website
11/27/2023
European Commission | Data Act
The European Regulation 2023/2854, often referred to as the “Data Act”, has been adopted on 27 November 2023 and entered into force on 11 January 2024.
For more information: Council of the European Union Website
11/16/2023
European Court of Justice | Decision | Indirect exercise of rights
On November 16, 2023, the European Court of Justice ruled that supervisory authority’s decisions in the context of the indirect exercise of the data subject’s rights are legally binding.
As a result, an appeal to the decision is possible, and the authority must provide sufficient information to the data subject to allow him/her to decide whether or not to appeal.
For more information: ECJ Decision
11/16/2023
European Data Protection Board | Guidelines | Tracking technologies
The European Data Protection Board published its guidelines on the application of article 5(3) of the e-Privacy Directive on new tracking technologies.
The guidelines aims to clarify how the e-Privacy Directive applies to innovative technologies. The EDPB is open to comments until January 18, 2024.
For more information: EDPB Guidelines
10/28/2023
European Commission and Japan | Agreement | Cross Border Data flows
On October 28, 2023, the European Commission has reached an agreement with Japan concerning cross-border data flows.
This agreement aims to facilitate efficient data handling between both parties, eliminating burdensome administrative and storage requirements. Notably, the agreement removes the requirement for companies to physically store their data locally. Once ratified, the provisions of this agreement will be incorporated into the EU-Japan Economic Partnership Agreement.
For more information: European Commission Website
10/26/2023
Confederation of European Data Protection Organizations | Paper | Generative AI
The Confederation of European Data Protection Organizations released a paper addressing the data protection implications of Generative AI.
Key issues covered include data-sharing risks, accuracy of personal data, conducting DPIAs on generative AI tools, implementing data protection by design, selecting a lawful basis for training generative AI systems, optimizing organizational structures, applying privacy-enhancing techniques and handling data subject rights within this technological context.
For more information: CEDPO Website
10/26/2023
Court of Justice of the European Union | Decision | CJEU rules on Art. 15 GDPR (right to access)
The CJEU has clarified the rights of data subjects. The court ruled that the controller may only charge a fee for providing a copy under Art. 15 (3) GDPR where the data subject has already obtained a free copy before.
Furthermore, the data subject must receive a full copy of his/her personal data, where the provision of such a copy is essential in order to enable the data subject to verify how accurate and exhaustive those data are, as well as to ensure they are intelligible.
For more information: CJEU Website
10/17/2023
European Data Protection Board | Announcement | EDPB to launch coordinated enforcement action regarding Art. 15 GDPR
The EDPB selected the topic for its third coordinated enforcement action and announced that it will be launched in 2024. The action will concern the implementation of the right of access by controllers.
For more information: EDPB Website
10/12/2023
Court of Justice of the European Union | Press Release | Data Privacy Framework
The Court of Justice of the European Union (“CJEU”) dismissed a French citizen’s request to suspend the execution of the EU-US Data Privacy Framework’s adequacy decision.
The CJEU considered that the French citizen failed to demonstrate the necessary prerequisites for such request, as he was unable to prove that he would experience significant harm if the execution of the adequacy decision was not suspended.
For more information: CJEU Website
10/05/2023
European Commission | Press Release | Contractual Clauses For AI
The Commission announced the finalization of the EU model contractual AI clauses to use in procurements of AI.
The clauses are developed for pilot use in the procurement of AI with the aim to establish responsibilities for trustworthy, transparent, and accountable development of AI technologies between the supplier and the public organization. The EU model contractual AI clauses contain provisions specific to AI systems and on matters covered by the proposed AI Act, thus excluding other obligations or requirements that may arise under relevant applicable legislation such as the GDPR.
For more information: European Commission Website
09/28/2023
European Data Protection Supervisor | Blog | Data Protection & Cybersecurity
The European Data Protection Supervisor published a blog post on the interplay between data protection and cybersecurity.
The post highlights the need to take into account data protection into cybersecurity strategies, advocating collaboration between data protection officers and IT security departments. Additionally, it discusses the dual role of artificial intelligence in cybersecurity, noting its potential to enhance current cybersecurity solutions and how it also allows, for instance, the production of (fake) pictures, videos, photos, texts, and more, which cybercriminals can exploit to steal someone’s identity as part of social engineering attacks.
For more information: EDPS Website
09/25/2023
European Commission | Data Governance Act
The European Regulation 2022/868, often referred to as the “Data Governance Act”, entered into force on 24 September 2023.
As a reminder, the regulation seeks to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data, notably with public actors.
For more information: European Commission Website
Denmark
12/07/2023
Danish Supervisory Authority | Guide | Access Rights
The Danish Supervisory Authority released guidance on access rights management, emphasizing that it is a collective responsibility within organizations.
The guide highlights that all employees, regardless of their IT security role, share the responsibility of being aware of and respecting their access rights.
For further information: Datatilsynet Website [DA]
11/28/2023
Danish Supervisory Authority | Measures | Data Security
The Danish Supervisory Authority released a catalog outlining technical and organizational measures essential for ensuring security in compliance with Articles 5 and 32 of the GDPR.
The catalog suggests technical measures such as automatic encryption, multi-factor authentication, automatic access control, logging of users’ personal data use, and physical access control. On the organizational front, recommendations include measures such as minimizing privileged access rights, implementing role-based access rights, documenting data access authorizations, and establishing withdrawal procedures.
For further information: Datatilsynet Website [DA]
09/28/2023
Danish Supervisory Authority | Sanction | GDPR Violations
The Danish Supervisory Authority issued a DKK 1 million (approx. €134,000) fine against a hotel group for failure to delete personal data.
For more information: Datatilsynet Website [DK]
Finland
11/08/2023
Finnish Supervisory Authority | Guidance | Security Breach Notification
The Finnish Supervisory Authority published guidance on filing a data breach notification.
The guidance concerns risk assessment which should take into account consequences of the data breach from the point of view of the data subject, communication to the data subject, and completion of the notification to the supervisory authority and compliance with deadlines.
For further information: Ombudsman Website [FI]
France
12/12/2023
French Competition Authority | Joint Declaration | Cooperation in data protection and competition
The French Competition Authority and the French Supervisory Authority signed a joint declaration to enhance cooperation in the areas of data protection and competition.
For more information: CNIL Website [FR]
11/24/2023
French Supervisory Authority | Recommendation | API Data Sharing
The French Supervisory Authority issued a recommendation regarding the use of application programming interfaces (“APIs”) for data sharing.
The recommendation outlines three specific roles involved in the usage of APIs: the data holder, the API manager, and the data re-user. The recommendation also highlights the importance of evaluating the risks associated with APIs, considering factors like the type of database access, the security levels of authentication methods, and the categories of data involved, including sensitive data.
For more information: CNIL Website [FR]
11/15/2023
French Supervisory Authority | Referential | Health Data conservation duration
The French Supervisory Authority published a referential and guidance note on retention period for health data.
For more information : CNIL Website [FR]
11/07/2023
French Supervisory Authority | Sanction | Simplified Procedure
The French Supervisory Authority (“CNIL”) issued ten new decisions under its new simplified sanction procedure, introduced in 2022.
Private and public-sector players were fined a total amount of €97,000 for various violations, including failure to respond to CNIL requests, non-compliance with the principle of data minimization (geolocation and continuous video surveillance of employee), lack of information on the processing carried out and its purposes, and failure to respect individuals’ rights (in particular to respond to a request for objection).
For more information: CNIL Website
10/13/2023
French National Assembly | Clarifying Bill | GDPR Scope
The French National Assembly adopted an amendment to complete the French Data Protection Law in order to clarify the scope of the GDPR and ensure that certain practices are covered by French and European obligations in terms of personal data protection.
The French Supervisory Authority identified a legal gap in the data protection legislation which allows the trading of personal data by entities not established in the EU without the knowledge of individuals. The amendment seeks to supplement French law, ensuring that the GDPR applies effectively.
For more information: French National Assembly Website [FR]
10/11/2023
French Supervisory Authority | Publication | Databases Trainings For AI
The French Supervisory Authority opened to public consultation its first set of guidelines on use of artificial intelligence (AI), regarding the development of learning databases for AI systems.
For more information: CNIL Website [FR]
09/28/2023
French Supervisory Authority | Sanction | GDPR Violations
The French Supervisory Authority (“CNIL”) issued a €200,000 fine against an air freight company.
During the investigation, the CNIL observed some infringements regarding, in particular, an excessive data collection, a non-compliance with the ban on processing sensitive data and data relating to offences and a lack of cooperation with the CNIL services.
For more information: CNIL Website
Germany
11/29/2023
German Supervisory Authority | Opinion | EU AI ACT
The German Supervisory released its stance on the EU AI Act, emphasizing the need for a comprehensive allocation of responsibilities throughout the entire artificial intelligence value chain.
The Authority asserted that the EU AI Act should clearly outline the requirements for all parties involved, including manufacturers and providers of basic AI models. Critically, it argued against a unilateral transfer of legal responsibility to the later stages of the value chain, deeming such a shift as economically unsound and detrimental to data protection. The Authority contended that a balanced distribution of responsibilities is essential to safeguard the fundamental rights of individuals whose data undergoes processing by AI systems.
For more information: DSK Website [DE]
11/02/2023
Hamburg Commissioner for Data Protection and Freedom of Information| Press Release | Behavioral Advertising
The Hamburg Commissioner for Data Protection and Freedom of Information (“HmbBfDI”) issued a press release addressing a social media platform’s new business model in light of the European Data Protection Board’s (“EDPB”) binding decision on behavioral advertising.
Following the EDPB’s binding decision, the social media has provided a new option where users can choose between a free version that still includes behavioral advertising, and a paid version without this type of marketing. Referring to the Resolution of the Data Protection Conference (“DSK”) on subscription models, the Hamburg Commissioner for Data Protection and Freedom of Information noted that the social media platform’s payment model will have to fulfill requirements like granularity in consent, transparency, and the avoidance of misleading design tools. The German Supervisory Authority expressed various problems and are now expecting a legal assessment by the lead authority in Ireland.
For more information: HmbBfDI Website [DE]
10/05/2023
German Competition Authority | Press Release | Competition
The German Competition Authority (“Bundeskartellamt”) obtained commitments from an American technology services company to grant users better control of their data.
The Bundeskartellamt conducted a proceeding, based on the new instrument under competition law which allows it to intervene when competition is threatened by large digital companies. In the future, the company will have to provide its users with the possibility to give free, specific, informed and unambiguous consent to the processing of their data across services. For this purpose, the company has to offer corresponding choice options for the combination of data. The choice options must be designed so as not to guide users manipulatively towards cross-service data processing to avoid “dark patterns”. Such an obligation will already result from the Digital Markets Act (“DMA”) for certain company services which have recently been designated by the European Commission and, thus are not covered by the commitments.
For more information: Bundeskartellamt Website
09/26/2023
German Federal Court of Justice | Decision | submits questions to CJEU regarding injunctive relief under the GDPR as well as regarding Art. 82 GDPR
The German Federal Court of Justice (“Bundesgerichtshof”) asked the CJEU under Art. 267 TFEU to provide a preliminary ruling as to whether Art. 17 (right to erasure) or Art. 18 (right to restriction of processing) of the GDPR also provide for a data subject’s right to request from a controller to refrain from any future illegitimate processing of personal data (injunctive relief).
Furthermore, the court asked the CJEU to clarify whether mere negative feelings such as anger, resentment, dissatisfaction, worry and fear, which, in the German court’s view, may be “part of the general risk of life and everyday experience” could constitute an immaterial damage within the meaning of Art. 82 GDPR.
For more information: Bundesgerichtshof Website [DE]
09/19/2023
Hamburg Commissioner for Data Protection and Freedom of Information| Press Release | Data Breach Notification
The Hamburg Commissioner for Data Protection and Freedom of Information (“HmbBfDI”) published guidance on handling data breach notifications.
The guidance concerns, for instance, the cases that should be notified, the deadline that applies, and the form to use to notify the German Supervisory Authority.
For more information: HmbBfDI Website [DE]
09/04/2023
Supervisory Authorities | Information Note | Data Protection Framework
The German Data Protection Conference (“DSK”) published an information note to explain the background and content of the EU-U.S. Data Protection Framework.
The note is aimed at both data controllers and processors in Germany who transfer personal data to the U.S. and data subjects. In particular, the note highlights the scope and application of the new framework, the use of alternative instruments for transfers to the U.S., and the scope and enforcement of data subjects’ rights vis-à-vis entities in the U.S.
For more information: DSK Announcement [DE]
Ireland
09/28/2023
Irish Council for Civil Liberties | Statement | Irish Data Protection Commission
The Irish Council for Civil Liberties urged the Government to guarantee no appearance of conflict of interest in the selection of new leaders of the Irish Supervisory Authority.
For more information: ICCL Website
09/11/2023
Irish Supervisory Authority |Press Release | Unlawful Marketing
The Irish Supervisory Authority welcomed the outcome of the prosecution proceedings that were taken against several companies in Ireland for sending unsolicited marketing communications without obtaining consent.
For more information: Irish Supervisory Authority Website
Italy
12/12/2023
Italian Supervisory Authority | Guidelines | Password Storage
The Italian national security agency and the Italian Supervisory Authority jointly released guidelines addressing the technical measures to be adopted for password storage.
The primary goal of the guidelines is to offer recommendations for implementing the most secure technical functions for password storage, with a focus on preventing unauthorized access by cybercriminals. The guidelines outline various techniques and minimum parameters, emphasizing the improvement of password hashing techniques and the utilization of diverse algorithms as key measures to enhance password security. The overarching aim is to bolster the protection of sensitive data and mitigate the risk of unauthorized access.
For more information: Garante Website [IT]
11/22/2023
Italian Supervisory Authority | Investigation | Web scraping
The Italian Supervisory Authority announced the commencement of an investigation into public and private websites.
The aim is to assess the implementation of adequate security measures to prevent the web scraping of personal data for the training of artificial intelligence algorithms by third parties. The investigation targets all entities, acting as controllers, based in Italy or providing services in Italy, that publicly expose personal data online.
For more information: Garante Website [IT]
10/23/2023
Italian Supervisory Authority | Sanction | Inaccurate Personal Data
The Italian Supervisory Authority imposed a €10 million fine on an energy company for the activation of unsolicited contracts with inaccurate and outdated data.
The Authority also ordered corrective actions, such as implementing a contract accuracy verification system, alert systems to identify improper data acquisition, and enhancing audit procedures against sales agencies.
For further information: Garante Website [IT]
Norway
09/29/2023
Norwegian Privacy Appeals Board | Decision | Sensitive Data
The Norwegian Privacy Appeals Board confirmed the decision of the Norwegian Supervisory Authority from December 2021 to issue a NOK 65 million (approx. €5,5 million) fine against a dating application.
The Authority found that the dating application disclosed its users’ personal data such as GPS location, IP address, mobile phone’s advertising ID, age and gender – in addition to the fact that they were using the dating application – to several third parties for behavioral marketing purposes, without a proper legal basis.
Spain
11/23/2023
Spanish Supervisory Authority | Guide | Biometric Data
The Spanish Supervisory Authority issued a guide on the use of biometric data for presence and access control, outlining criteria to ensure compliance with the GDPR and other regulations.
For more information: AEPD Website [ES]
11/02/2023
Spanish Supervisory Authority | Blog Post | Synthetic Data
The Spanish Supervisory Authority (“AEPD”) provided guidance on the use and generation of synthetic data.
According to the AEPD, creation of synthetic data from real personal data is itself a processing governed by the GDPR. Therefore, it is necessary to consider the provisions of the GDPR and in particular the principle of accountability, and the assessment of a possible risk of re-identification from the created synthetic data set.
For more information: AEPD Website
10/20/2023
Spanish Supervisory Authority | Sanction | Cyber Security
The Spanish Supervisory Authority issued a €1 million fine (reduced to €800,000) against a Spanish banking company for insufficiently protecting the personal data of customers.
A customer had reported that its credit card had been stolen, and the bank had not properly taken the information into account, leading to identity theft where hackers took out loans and transferred money in the complainant’s name.
For more information: AEPD Website [ES]
10/05/2023
Spanish Supervisory Authority | Tool | Encryption
The Spanish Supervisory Authority (“AEPD”) released a tool called “ValidaCrypto”, designed to evaluate encryption systems.
ValidaCripto transfers the methodology of the AEPD’s previously released guidelines on cryptographic systems, to an intuitive web tool that helps to visually evaluate encryption systems’ compliance with data protection requirements.
For more information: AEPD Website
09/28/2023
Spanish Supervisory Authority | Blog | Privacy Enhancing Technologies
The Spanish Supervisory Authority published guidance on Privacy Enhancing Technologies.
The Blog emphasizes that the Privacy Enhancing Technologies or PETs allow to implement privacy principles, but the same tools are useful to implement the governance policies that guarantee the trust and data sovereignty in a Data Space. Therefore, PETs should be “dual-use” technologies to be efficient and effective, integrated in the core of the Data Spaces, fulfilling different purposes in the data-access sharing economy.
For more information: AEPD Website
United Kingdom
12/15/2023
UK Supervisory Authority | Guidance | Transfer Risk Assessment
The UK Supervisory Authority released guidance on transfer risk assessment for entities transferring personal information to the US using Article 46 of the UK GDPR.
The guidance aims to support organizations engaged in restricted transfers of personal data to the US, employing mechanisms outlined in Article 46 of the UK GDPR. Following the Schrems II case in 2020, the guidance highlights the necessity of conducting a Transfer Risk Assessment before transferring personal data from the UK, emphasizing the importance of Department for Science, Innovation and Technology’s analysis to streamline the process. The Department of Science, Innovation and Technology analysis evaluates US laws concerning access and usage of personal information for national security and law enforcement purposes.
For more information: ICO Website
12/12/2023
UK Supervisory Authority | Draft guidance | Employment practices and data protection
The UK Supervisory Authority released two draft guidance documents on data protection compliance in the areas of “keeping employment records” and “recruitment and selection”.
The guidance for keeping employment records is directed at employers, outlining their obligations under the UK GDPR and the Data Protection Act 2018 concerning the collection and maintenance of worker records. It emphasizes the need for a balance between the necessity of employment records for organizational operations and the privacy rights of workers. The second draft guidance is tailored for employers and entities involved in recruitment processes, including agencies and consultancies. It addresses the intricacies of managing diverse personal data, including sensitive data, during recruitment, with a focus on protecting candidates’ data protection rights. These guidance documents are open for consultation from relevant stakeholders (including employers, professional associations, those representing the interests of staff, recruitment agencies, employment dispute resolution bodies, workers, volunteers and employees, and suppliers of employment technology solutions) until 5 March 2024.
For more information: ICO Website
11/09/2023
Office of Communications | Statement | Online Safety Act
On September 11, 2023, the Office of Communications (“Ofcom”) announced its new role as the regulator for online safety, following the enactment of the Online Safety Act on October 26, 2023.
Ofcom’s role is to make online services safer for the people who use them, by ensuring regulated services take appropriate steps to protect their users. Ofcom will set out codes of practice and guidance for companies falling under the scope of the Online Safety Act. It will have powers to take enforcement action, including issuing fines to services if they fail to comply with their duties. However, Ofcom will not responsible for removing online content, and won’t require companies to remove content, or particular accounts. It should be noted that Ofcom’s powers are not limited to service providers based in the UK.
For more information: Ofcom Website
10/25/2023
Department of Science, Innovation and Technology | Publication | Data Transfers
The Department of Science, Innovation and Technology (“DSIT”) released an executive summary and initial conclusions from the first phase of an evaluation into the implementation of the International Data Transfer Agreement (“IDTA”).
This evaluation started at the beginning of the implementation period of the UK’s new standard data protection clauses, the IDTA and Addendum to the European Commission’s Standard Contractual Clauses for international transfers, which replace the previous EU SCCs for international transfers. The evaluation was meant to assess how businesses experienced the transition to the new clauses. A further phase of this research is planned following the end of the transitional period. DSIT will work with the ICO to reflect on the findings of the research.
For more information: UK Government Website
10/12/2023
UK-US Data Bridge | Entry into Force | Adequate Protection
On October, 12, 2023, the Data Protection Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge) entered into effect.
This UK extension to the EU-US Data Privacy Framework allows businesses to transfer personal data to US certified entities listed in the EU-US Data Privacy Framework without additional safeguards. However, UK organizations must update privacy policies and document data transfer methods to comply with this new framework.
For more information: The Data Protection (Adequacy) (United States of America) Regulations 2023
09/20/2023
UK Supervisory Authority | Sanction | Unlawful Marketing practices
The UK Supervisory Authority announced that it issued a fine against five companies totaling £590,000 (approx. €670,000) for unwanted marketing calls which targeted the elderly and people with vulnerabilities.
For more information: ICO Website
- Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris ([email protected])
- Vera Lukic – Partner, Paris ([email protected])
- Kai Gesing – Partner, Munich ([email protected])
- Joel Harrison – Partner, London ([email protected])
- Alison Beal – Partner, London ([email protected])
- Clémence Pugnet – Associate, Paris ([email protected])
- Thomas Baculard – Associate, Paris ([email protected])
- Roxane Chrétien – Associate, Paris ([email protected])
- Hermine Hubert – Associate, Paris ([email protected])
- Christoph Jacob – Associate, Munich ([email protected])
- Yannick Oberacker – Associate, Munich ([email protected])
- Sarah Villani – Associate, London ([email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Q1 and Q2 2024
Europe
07/12/2024
European Union | Artificial Intelligence Regulation | Publication
The AI Act (Regulation 2024/1689) was published in the OJEU today. It will enter into force on 1 August, meaning the 2-year transition period for most of the Act will end on 1 August 2026.
The Act applies to AI providers, deployers, importers, distributors, and manufacturers, with exemptions for military and research uses. It classifies AI systems by risk, prohibits certain practices, and in particular imposes requirements on high-risk systems. Enforcement includes the creation of an AI Office, a scientific panel, an AI Board, and an advisory forum, with possible fines up to €35 million or 7% of global turnover for severe breaches.
For more information: Official Journal of the European Union
06/20/2024
Court of Justice of the European Union | GDPR Violation | Right to Compensation
The Court of Justice of the European Union (“CJEU”) published a judgment on the right to compensation for non-material damage as a result of fear.
In the case C-590/22, the CJEU ruled that an infringement of the GDPR alone does not suffice to establish a right to compensation. The claimant must demonstrate actual damage caused by the infringement, although the damage need not be severe. The CJEU also determined that a claimant’s fear of personal data disclosure to third parties — as a result of a breach of the GDPR — can constitute non-material damage if the fear and its negative consequences are duly demonstrated. Notably, the criteria for administrative fines do not apply to compensation assessments, and compensation is not meant to serve a dissuasive function. Furthermore, violations of national laws that do not specifically relate to the GDPR do not need to be considered when determining compensation amounts.
For more information: CJEU Judgment– C-590/22
06/20/2024
Court of Justice of the European Union | GDPR Violation | Right to Compensation
The Court of Justice of the European Union (“CJEU”) published rulings on the right to compensation for non-material damages based on theft of personal data.
The CJEU made several important rulings regarding compensation under Article 82(1) of the GDPR. First, the court clarified that the right to compensation is intended solely to fully compensate for the damage suffered due to GDPR violations and does not serve a punitive purpose. Second, the severity or intentional nature of the violation does not need to be considered when determining the amount of compensation. Third, the court emphasized that non-material damage from a data breach is not inherently less significant than physical injury. Furthermore, minimal compensation can be awarded for minor damage as long as it fully compensates the harm. Finally, the court stated that for identity theft under the GDPR, actual misuse of stolen data must be shown, but compensation for non-material damage is not limited to cases where identity misuse is proven.
For more information: CJEU Judgment – C-182/22 and C-189/22
04/18/2024
European Data Protection Board | Strategy | Priorities for 2024-2027
On April 18, 2024, the European Data Protection Board (“EDPB”) released its strategy for 2024-2027.
The EDPB aims to support supervisory authorities in enforcing the GDPR and the Law Enforcement Directive, while also facilitating their interaction with new legislation such as the EU AI Act, the Digital Services Act, and the Digital Markets Act. Specifically addressing artificial intelligence, the EDPB plans to offer guidance on data protection and GDPR implementation, focusing on high-risk areas and vulnerable groups, such as children. Regarding the EU-US Data Privacy Framework, the EDPB intends to provide public information and template complaint forms to facilitate the implementation of redress mechanisms.
For more information: EDPB Website
03/14/2024
Court of Justice of the European Union | Personal Data | Powers of the Supervisory Authority
The Court of Justice of the European Union (“CJEU”) ruled that the supervisory authority of a Member State may order, of its own motion, the erasure of personal data in case of unlawful processing.
The CJEU clarified that the supervisory authority is entitled to order the erasure of data in order to ensure that the GDPR is fully enforced, even in the absence of a prior request made by the data subject to that effect. The CJEU further specified that, like other corrective measures, the power of the supervisory authority to order the erasure of data applies regardless of whether the data is collected directly from the data subject or indirectly from another source.
For more information: CJEU Judgment – C-46/23
04/11/2024
Court of Justice of the European Union | Compensation | GDPR Violation
In a ruling issued on April 11, 2024, the Court of Justice of the European Union (“CJEU”) clarified the concept of non-material damage, the conditions for exemption from liability and the criteria for determining the amount of damages.
Referring to its previous case law, the CJEU ruled that the mere infringement of GDPR provisions granting rights to individuals is insufficient to establish non-material damage, unless the individual can prove actual harm, regardless of its severity. The Court emphasized that an organization cannot evade liability simply by attributing the infringement to human error within its operation. Additionally, when assessing compensation for non-material damages under GDPR, the criteria for setting administrative fines are not applicable, nor should the quantity of infringements affect compensation calculations. The judgment asserts the need for full and effective compensation directly proportional to the actual damage suffered, adhering strictly to the compensatory rather than punitive intent of the provision.
For more information: CJEU Judgment – C-741/21
03/07/2024
Court of Justice of the European Union | Personal Data | Online Advertising
The Court of Justice of the European Union (“CJEU”) rendered its judgment in the IAB Europe case and clarified the organization’s status with regard to data processing operations for advertising purposes within the Transparency and Consent Framework (“TCF”).
The TCF is a set of rules established by IAB Europe, consisting of guidelines and technical specifications that enable its members (website or application providers, data brokers, and advertising platforms) to lawfully process the personal data of users of a website or an application. The TCF allows, inter alia, the recording of users’ preferences through Consent Management Platforms, by generating a signal called “TC String”. First, the Court confirmed that the TC String is personal data within the meaning of the GDPR since it contains certain information that can be used to identify a user if associated with an identifier, such as an IP address. Second, the Court held that IAB Europe is a joint controller with its members when the consent preferences are recorded in a TC String. However, the Court stated that IAB Europe cannot be regarded as a controller for the subsequent data processing operations by members.
For more information: CJEU Judgment – inter alia
03/07/2024
Court of Justice of the European Union | Personal Data | Concept of Processing
The Court of Justice of the European Union (“CJEU”) ruled that the oral disclosure of information on possible ongoing or completed criminal proceedings to which a natural person has been subject constitutes processing of personal data.
The CJEU reiterates that since the oral disclosure of personal data constitutes non-automated processing, the personal data subject to such processing must be contained or intended to be contained in a filing system in order for that processing to fall within the material scope of the GDPR. The CJEU states that, in the present case, information on criminal proceedings is contained in a register of persons kept by a court, i.e., a filing system. Therefore, any oral disclosure of its contents may take place only if the conditions imposed by the GDPR are satisfied.
For more information: CJEU Judgment – C-740/22
03/07/2024
Court of Justice of the European Union | Personal Data | Concept of Identifiable Person
The Court of Justice of the European Union (“CJEU”) annulled a judgement issued by the General Court for misinterpreting the concept of “identifiable natural person”.
The case concerns a compensation claim brought before the General Court by a scientist with regard to a press release published by the European Anti-Fraud Office. In its judgement, the General Court had held that information contained in the press release did not constitute personal data since the person concerned was not identifiable with that information alone. The CJEU referred to its previous case law and stated that for information to be considered as “personal data”, it is not required that all the information enabling the identification of the data subject is in the hands of one person. In the present case, the data subject could be identified, in particular, by persons working in the same scientific field.
For more information: CJEU Judgment – C-479/22 P
02/13/2024
European Data Protection Board | Opinion | Notion of Main Establishment
The European Data Protection Board (“EDPB”) adopted an Opinion on the notion of main establishment and the criteria for the application of the One-Stop-Shop mechanism following a request by the French Supervisory Authority.
The Opinion clarifies the notion of a controller’s “main establishment” in the EU, in particular in cases where decisions regarding the processing are taken outside the EU.
For more information: EDPB Website
01/18/2024
European Data Protection Board | Case Digest | Data Breach
The European Data Protection Board (“EDPB”) published a thematic one-stop-shop case digest on security of processing and data breaches.
The case digest analyses decisions adopted by supervisory authorities under the one-stop-shop mechanism relating to security of personal data and personal data breaches. It is intended to provide insights on how supervisory authorities have applied the relevant GDPR provisions in different data breach scenarios, such as ransomware or accidental data disclosure.
For more information: EDPB Website
01/11/2024
European Union | Regulation | Data Act
The Regulation on harmonized rules on fair access to and use of data (“Data Act”) entered into force.
The Data Act introduces, in particular, new data sharing and contractual obligations for providers of connected devices and related services, as well as cloud computing providers. The Act will become applicable 20 months from the date of entry into force, i.e., from September 12, 2025. Requirements on access to data generated by connected devices will apply to devices placed on the market after September 12, 2026.
For more information: Official Journal of the European Union
01/07/2024
European Union | Regulation | Cybersecurity
The new Cybersecurity Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices, and agencies of the Union entered into force.
The regulation aims to achieve a high common level of cybersecurity within Union entities by introducing an internal risk management, governance, and control framework, and establishing an Interinstitutional Cybersecurity Board to monitor its implementation.
For more information: Official Journal of the European Union
France
06/10/2024
French Supervisory Authority | Public Consultation | Artificial Intelligence
On June 10, 2024, the French Supervisory Authority (“CNIL”) opened a public consultation on its AI recommendations.
The consultation primarily focuses on the legal basis of processing for AI models’ development phase, data scraping for model training, and distribution of open-source AI models. It also covers other GDPR-related issues such as informing data subjects and the management of their rights.
For more information: CNIL Website
05/22/2024
French Parliament | Regulation | SREN Act
The Securing and Regulating the Digital Space Act (“SREN Act”) has been published in the Official Journal.
The SREN Act introduces a wide range of provisions in areas such as online child protection, cloud services, and Jonum (i.e., games offering monetizable digital objects). Additionally, it aims to align French law with the Digital Services Act (“DSA”) and the Digital Markets Act (“DMA”). With regard to the DSA, the Arcom is designated as the “digital services coordinator”. While the DGCCRF will be in charge of monitoring marketplace providers’ compliance with their obligations, the French Supervisory Authority will be responsible for ensuring that platforms comply with requirements related to online advertising. Regarding the DMA, the French Competition Authority and the Ministry of the Economy will be able to investigate and cooperate with the European Commission on gatekeepers’ practices. Furthermore, the SREN Act addresses the adaptation of French law to the Data Act and the Data Governance Act and grants new powers to regulatory bodies.
For more information: Official Journal [FR]
05/14/2024
French Supervisory Authority | Guidance | Traffic Data
On May 14, 2024, the French Supervisory Authority (“CNIL”) issued guidance on providing public internet access, emphasizing legal obligations for retaining traffic data.
Under the French law, organizations providing public internet access must retain IP addresses to identify devices, connection details (date, time, duration), and data identifying communication recipients. In this context, the CNIL reiterated that traffic data, being personal data, should be limited to what is necessary for processing. The retention periods vary according to the concerned data (from 3 months to 5 years).
For more information : CNIL Website [FR]
04/04/2024
French Supervisory Authority | Sanction | Direct Marketing
The French Supervisory Authority (“CNIL”) fined a telecommunications equipment retailer €525,000 for unlawfully processing its prospects’ personal data collected from data brokers for direct marketing.
The CNIL found that the data collection forms used by data brokers were misleading and did not allow the acquisition of free and unambiguous consent to marketing texts by third parties. The French Authority pointed out that contractual obligations imposed on data brokers were not sufficient to ensure that prospects’ consent was validly obtained, and the retailer should have implemented effective controls in this respect. With regard to the legal basis of marketing calls, the CNIL noted that the retailer could not validly rely on legitimate interest since the forms used by data brokers did not systematically mention the retailer in the list of data recipients.
For more information: CNIL Website
Germany
06/17/2024
Bavarian Data Protection Commissioner | Guidance | Joint Controllers
The Bavarian Data Protection Commissioner (“Bavarian DPC”) published guidance on joint controllers.
The Bavarian DPC’s new guidance aims at eliminating uncertainties and inhibitions in connection with joint controllership (Article 26 GDPR), which is always relevant when two or more controllers jointly determine the purposes and means of the processing of personal data. As the Bavarian DPC is the competent authority for public administration, the recommendations for action are primarily directed at stakeholders of the public sector and the examples in the guidelines are selected accordingly.
For more information: Bavarian DPC Website [DE]
05/14/2024
German Parliament | Regulation | Digital Services Act
The German Parliament aligned German law with the EU Digital Services Act (“DSA”).
The German Digital Services Act (Digitale-Dienste-Gesetz, “DDG”) accompanies the DSA and aligns German law with it at the national level. With the DDG entered into force on May 14, 2024, the German Telemedia Act (Telemediengesetz) lost its effect and is now replaced by the DSA and the DDG. In addition, the Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz) has been renamed the Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz).
For more information: German Federal Government Website [DE]
05/06/2024
German Supervisory Authorities | Guidance | Artificial Intelligence
The German Data Protection Conference (“DSK”) released guidance on artificial intelligence and data protection.
The new guidance focuses on the use of generative AI models by organizations and recalls their obligations in terms of data privacy, such as carrying out a Data Protection Impact Assessment, identifying a proper legal basis, and providing information to data subjects.
For more information: DSK Website [DE]
Italy
06/26/2024
Italian Supervisory Authority | Enforcement | Prospection
The Italian Supervisory Authority (“Garante”) published its decision of June 6, issuing a fine of €6.4 million to an energy company for illicit marketing calls.
The Garante found that marketing calls had been made without data subjects’ consent or despite the registration of their numbers on the Do Not Call List. In addition to the fine, the Garante ordered the company to cease further processing of the complainants’ personal data and to send them the Garante’s decision.
For more information: Garante Website
05/20/2024
Italian Supervisory Authority | Investigation | Web scraping
On May 20, 2024, the Italian Supervisory Authority (“Garante”) issued guidelines on web scraping by public and private entities acting as data controllers.
The guidelines address the indiscriminate collection of online data by third parties, particularly for training generative AI models. The Garante recommends several measures to prevent or hinder web scraping, namely, creating reserved areas that require registration to access data, including anti-scraping clauses in websites’ terms of use, monitoring web traffic to detect abnormal data flows, and implementing technological solutions to block unwanted scraping. The Garante noted that current investigations into the legality of web scraping based on legitimate interests are still pending, and the guidelines are part of interim measures.
For more information: Garante Website [IT]
03/07/2024
Italian Supervisory Authority | Sanction | Personal Data Breach
The Italian Supervisory Authority (“Garante”) imposed a €2.8 million fine on a bank following a cyber-attack that occurred in 2018, and a €800,000 fine on the bank’s service provider in charge of carrying out security tests.
The Garante stated that the cyber-attack had affected the data of approximately 778,000 former and current customers and resulted notably in the identification of over 6,800 customers’ PINs (personal identification number) to the mobile banking portal. The Garante concluded that the bank had not adopted necessary security measures to effectively counter cyber-attacks and had not required its customers to create stronger PINs. The Garante also found that the bank’s service provider had failed to notify the data breach to the bank within the required deadline and had engaged a sub-processor for the performance of security tests without prior consent of the bank.
For further information: Garante Website [IT]
Norway
07/01/2024
Oslo District Court | Judgement | Dating service
The Oslo District Court has confirmed a fine of NOK 65 million (about €5.7 million) imposed by the Norwegian Data Protection Authority on a dating service.
The fine was originally imposed by the Norwegian data protection authority (“Datatilsynet”) in 2020 because the dating service passed on too much information to advertising companies. In particular, GPS-data was affected. According to Datatilsynet, the use of the app itself involves particularly sensitive data, which is why the company has violated Article 9 GDPR. The case was triggered by a complaint from the Norwegian Consumer Council (“Forbrukerradet”). Datatilsynet’s opinion has now been confirmed by the Oslo district court.
For more information: Oslo Tingrett Website [NOR]
Netherlands
06/04/2024
Dutch Supervisory Authority | Guidance | Cookies
The Dutch Supervisory Authority (“AP”) has published guidelines on cookie consent.
In its guidelines, the AP gives guidance on how to design cookie banners to ensure that they comply with consent requirements and provides concrete examples.
For more information: AP Website [NL]
05/01/2024
Dutch Supervisory Authority | Guidelines | Data Scraping
On May 1, 2024, the Dutch Supervisory Authority (“AP”) released guidelines regarding data scraping practices by private individuals and organizations.
The guidelines emphasize GDPR compliance in data scraping endeavors, mandating adherence to the principles of legality, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. The AP also clarifies situations where the GDPR does not apply, such as scraping for personal use or targeted scrapping (e.g., an organization scrapes a news media website to get news related to its business).
For more information: AP Website [NL]
Spain
05/14/2024
Spanish Supervisory Authority | Guide | Cookie
On May 14, 2024, the Spanish Supervisory Authority (“AEPD”) released an updated guide on cookie use to align it with Opinion 08/2024 on valid consent in “consent or pay” models by the European Data Protection Board (“EDPB”).
The AEPD incorporates the EDPB’s guidelines into its own guide, and notes that the EDPB plans to issue a comprehensive guide on consent validity in “consent or pay” models by early 2025.
For more information: AEPD Website [ES]
04/12/2024
Spanish Supervisory Authority | Sanction | GDPR violations
On April 12, 2024, the Spanish Supervisory Authority (“AEPD”) fined a financial services company €2 million (later reduced to €1.2 million) for GDPR violations following a complaint.
As part of a verification process, the financial services company requested personal and economic data from the complainant via a form requiring consent for such data collection, without giving an option to decline. When asked for further explanation, the financial services company stated that the complainant’s bank account would be blocked if consent was not provided. The AEPD found this violated GDPR Article 6(1), as the consent was not valid and there was no legal requirement for the data verification method used by the financial services company.
For more information: AEPD Website [ES]
United Kingdom
06/07/2024
UK High Court | Judgment | Data Subject Rights
On June 7, 2024, the High Court ruled in Harrison v Cameron & Another that under the UK GDPR, data subjects have the right to know the specific identities of their personal data recipients, not just the categories.
The High Court ruled that data subjects are entitled to know the specific identities of recipients who have access to their personal data. It is within the data subject’s discretion to request either detailed identities or merely the categories of these recipients.
For more information: UK High Court Judgment
05/13/2024
British Supervisory Authority | Consultation | Generative AI
On May 13, 2024, the UK Data Protection Authority (“ICO”) launched the fourth chapter of its consultation series on generative artificial intelligence (AI), focusing on data subject rights in relation to the training and fine-tuning of generative AI models.
The consultation highlighted several rights that individuals have under the UK GDPR, including: the right to access, the right to rectification, the right to erasure and the right not to be subjected to automated decision-making. These rights apply to personal data in various contexts, including training data, fine-tuning data, outputs of the generative AI model, and user queries. The consultation emphasized that organizations must have processes in place to enable individuals to exercise these rights throughout the AI lifecycle. The consultation outlines several obligations for organizations developing or deploying generative AI models, namely: inform individuals if their data is being processed, provide clear, accessible information about data usage and individuals’ rights, justify any exemptions used and safeguard individuals’ rights and freedoms, and apply privacy-enhancing technologies and techniques to protect data. The consultation also invites feedback on the effectiveness of measures to prevent unauthorized data retention and usage. Additionally, it seeks evidence on how organizations can fulfill their legal obligations while supporting innovation in generative AI.
For more information: ICO Website
05/10/2024
British Supervisory Authority | Guidance | Cyber Security Incidents
The British Supervisory Authority (“ICO”) published a report on cyber security incidents.
The report focuses on five main causes of cybersecurity incidents, including phishing, brute force attacks, and denial of service. In particular, it provides case studies based on previous data breach reports received by the ICO and gives practical recommendations to reduce the risk of cyber-attacks.
For more information: ICO Website
04/03/2024
British Supervisory Authority | Strategy | Protection of Children’s Privacy Online
On April 3, 2024, the British Supervisory Authority (“ICO”) released its 2024-2025 Children’s code strategy for protecting children’s privacy online.
Key focuses include defaulting profiles to private settings, restricting profiling for ads, monitoring content feeds, and obtaining parental consent for children under 13. The ICO plans audits on educational technology, engagement with stakeholders, and international collaboration to regulate the internet effectively.
For more information: ICO Website
Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris ([email protected])
Joel Harrison, – Partner, Co-Chair, PCDI Practice, London ([email protected])
Vera Lukic – Partner, Paris ([email protected])
Lore Leitner – Partner, London ([email protected])
Kai Gesing – Partner, Munich ([email protected])
Clémence Pugnet – Associate, Paris ([email protected])
Thomas Baculard – Associate, Paris ([email protected])
Hermine Hubert – Associate, Paris ([email protected])
Billur Cinar – Associate, Paris ([email protected])
Christoph Jacob – Associate, Munich ([email protected])
Yannick Oberacker – Associate, Munich ([email protected])
Sarah Villani – Associate, London ([email protected])
Miles Lynn – Associate, London ([email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Europe
07/25/2024
European Commission | GDPR | Report
On July 25, 2024, the European Commission published the Second Report on the application of the GDPR.
The report highlights a significant uptick in enforcement activity by supervisory authorities in recent years. The report considers that, to ensure strong protection for individuals and the free flow of personal data within and outside the EU, there is a need to focus on, among other things: proactive support by supervisory authorities in compliance efforts; consistent application of the GDPR across the EU; effective cooperation between supervisory authorities; establishing cooperation with sectoral regulators on issues with an impact on data protection; and implementing efficient and targeted working arrangements for guidelines, opinions, and decisions; and prioritizing key issues to reduce the burden on supervisory authorities.
For more information: European Commission Website
07/16/2024
European Data Protection Board | Statement | Role of DPA & EU AI Act
On July 16, 2024, the European Data Protection Board (“EDPB”) adopted a statement 3/2024 on data protection authorities’ role in the Artificial Intelligence Act framework.
The EDPB recommends that Data Protection Authorities (“DPAs”) should be designated as Market Surveillance Authorities (“MSAs”) for the high-risk AI systems mentioned in Article 74(8) of the AI Act. Further, the EDPB recommends that Member States consider appointing DPAs as MSAs for the other high-risk AI systems, particularly where those high-risk AI systems are in sectors likely to impact natural persons’ rights and freedoms with regard to the processing of personal data, unless those sectors are covered by a mandatory appointment required by the AI Act (e.g. the financial sector).
For more information: EDPB Website
07/16/2024
European Data Protection Board | FAQ | EU-US Data Privacy Framework
On July 16, 2024, the European Data Protection Board (“EDPB”) adopted two Frequently Asked Questions (“FAQ”) documents regarding the EU-U.S. Data Privacy Framework (“DPF”).
The FAQ for individuals provides information on the functioning of the DPF (e.g., how to benefit from it, how to lodge a complaint) and the FAQ for businesses notably explains which U.S. companies are eligible to join the DPF and what to do before transferring personal data to a company in the U.S. which is, or claims to be, certified under the DPF.
For more information: EDPB FAQ for individuals and for businesses
France
07/18/2024
French Supervisory Authority | FAQ | Generative AI
On July 18, 2024, the French Supervisory Authority (“CNIL”) published a series of frequently asked questions (“FAQ”) on the deployment of generative artificial intelligence.
The FAQ include information on the benefits and limitations of generative AI, the way to implement the use of a generative AI system, and the way to ensure compliance of an AI model with the GDPR and the AI Act.
For more information: CNIL Website
07/12/2024
French Supervisory Authority | FAQ | EU AI Act
On July 12, 2024, the French Supervisory Authority (“CNIL”) published a series of frequently asked questions (“FAQ”) on the EU Regulation on Artificial Intelligence following its publication in the Official Journal of the European Union.
The FAQ include information on the specific provisions of the AI Act, the compliance monitoring authorities, as well as the interplay between the GDPR and the AI Act.
For more information: CNIL Website
07/10/2024
French Supervisory Authority | Audit results | Dark Patterns
On July 10, 2024, the French Supervisory Authority (“CNIL”) published the results of the Global Privacy Enforcement Network audit.
Twenty-six of the world’s data protection authorities, including the CNIL, members of the Global Privacy Enforcement Network (“GPEN”), audited 1,010 websites and mobile applications as part of a joint operation: the GPEN Sweep. This audit reveals that websites make extensive use of “dark pattern” mechanisms, hindering users’ ability to make informed decisions about privacy protection.
For more information: CNIL Website [FR]
07/04/2024
French Supervisory Authority | Study | Advertising Models
The French Supervisory Authority (“CNIL”) published a study on alternative advertising models.
On July 4, 2024, the CNIL announced that it commissioned an economic study of the possible consequences of the end of third-party cookies for certain browser and presented the main conclusions. The study, among other things, aims to provide indications on what the new advertising business models will be after the removal of third-party cookies and what risks these evolutions entail for data protection.
For more information: CNIL Website [FR]
Germany
07/31/2024
Hamburg Supervisory Authority | “Pay or OK” System
The Hamburg Data Protection Authority (“Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”) granted the Spiegel Magazine permission to use the so-called “Pay or OK” system.
With the “Pay or OK” system, visitors to the website either have to consent to the use of their personal data or agree to a paid subscription model. This decision is now being challenged by an affected data subject.
For more information: Hamburg BfDI Website [DE]
07/30/2024
Saxon Data Protection and Transparency Officer | Guideline | Video Surveillance in Private and Public Spaces
On July 30, 2024, the Saxon Supervisory Authority (“LfDI Saxony”) published an updated version of its guideline on the use and regulation of video surveillance both in public and private spaces by private individuals and public authorities.
This new version has been created due to numerous complaints by data subjects. The LfDI Saxony includes examples for possible use cases and their limits in connection with video surveillance.
For more information: LfDI Saxony Website [DE]
07/19/2024
German Data Protection Authorities | Guidance | AI & Data Protection
In July, multiple data protection authorities published information on the AI Act and also discuss the arising responsibilities. In addition, the Baden-Wuerttemberg Supervisory Authority (“LfDI Baden-Wuerttemberg”) published an “Orientation Navigator AI & Data Protection”.
The Federal Commissioner for Data Protection and Information Security (“BfDI”) and the supervisory authority of North Rhine-Westphalia (“LDI North Rhine-Westphalia”) state that new responsibilities and tasks arise for the data protection supervisory authorities under the AI Act. A group of experts from the supervisory authority of Lower Saxony (“LfD Lower Saxony”) has also begun its discussions on data protection compliance of AI training data. In addition, the LfDI Baden-Wuerttemberg published a tool that organizes selected regulatory documents on AI. It is intended as an aid for responsible bodies such as authorities but also for private companies.
For more information: LfDI Baden-Wuerttemberg Website [DE]; BfDI Website [DE]; LDI North Rhine-Westphalia Website [DE]; LfD Lower Saxony [DE]
07/15/2024
Hamburg Supervisory Authority | Discussion Paper | GDPR & Large Language Models
On July 15, 2024, the Hamburg Supervisory Authority (“HmbBfDI”) published a discussion paper on the relationship between the GDPR and Large Language Models (“LLMs”).
The paper aims to support companies and authorities dealing with data protection issues related to LLM technologies and contains an explanation of the technical aspects of LLMs and their evaluation in light of the relevant case law of the Court of Justice of the European Union on personal data under the GDPR. Additionally, the paper discusses the difference between LLMs as an artificial intelligence model and as a component of an AI system in accordance with the AI Act.
For more information: HmbBfDI Website [DE]
Ireland
07/18/2024
Irish Supervisory Authority | Recommendation | AI & Data Protection
On July 18, 2024, the Irish Supervisory Authority (“DPC”) published an article on artificial intelligence, large language models (“LLMs”), and data protection.
The article highlights the increase in popularity of AI, particularly generative AI chatbots. The DPC warns about the inherent risks associated with AI, particularly concerning personal data processing, including: use of large amounts of personal data unnecessarily and without knowledge, agreement, or permission during training phases; issues arising from the accuracy and retention of personal data used or generated by AI systems; risks of personal data being shared without proper security or authorization; potential biases due to inaccurate or incomplete training data, affecting decision-making processes; and exposure to risks when new personal data is incorporated into training datasets for updated models.
For more information: DPC Website
Lithuania
07/02/2024
Lithuanian Supervisory Authority | Sanction | Data Subjects Rights
The Lithuanian Supervisory Authority (“SDPI”) fined an online retail company €2,385,276 million for several breaches relating to the right to be forgotten and the right of access.
The SDPI found that the Company had not dealt fairly and transparently with the deletion requests it had received, by refusing erasure request on the sole grounds that individuals did not cite one of the criteria provided for by the GDPR in their request and, in cases where it refused to erase the data, without informing the individuals of the reasons for such refusal. The SDPI also found that the Company had unlawfully implemented a “shadow blocking” mechanism, making the activity of a user who does not respect the platform’s rules invisible to other users, without the user being notified. In addition, the Company did not take sufficient technical and organizational measures to demonstrate that it had taken (or reasonably refused to take) action regarding right of access.
For more information: SDPI website
Netherlands
07/31/2024
Dutch Supervisory Authority | Guidance | AI
The Dutch Supervisory Authority (“AP”) published a guidance on the EU Artificial Intelligence Act (“AI Act”) for AI developers and users.
The AP clarified that, with the entry into force of the AI Act, various requirements will gradually apply on AI developers and users from February 2025. The AP highlights priorities for AI developers, in particular regarding prohibited AI systems that must be withdrawn from the market and no longer be in use by February 2025 and high-risk AI systems which must comply with specific requirements.
For more information: AP Website [NL]
07/16/2024
Dutch Supervisory Authority | Sanction | Cookies
On July 16, 2024, the Dutch Supervisory Authority (“AP”) announced its decision, as issued on May 2, 2024, to impose a fine of €600,000 on a company regarding its use of cookies.
Following its investigation, the AP determined that cookies were placed on user devices without their knowledge or consent. Due to the specific nature of the products that may be purchased on the website (drugstore products), the AP considered that the company collected and used sensitive data of millions of website visitors in violation of the applicable rules.
For more information: AP Website [NL]
Poland
07/19/2024
Polish Supervisory Authority | Opinion | Data Breach
On July 19, 2024, the Polish Supervisory Authority (“UODO”) issued an opinion advising controllers following the global cloud service outage that occurred on the same date.
The UODO states that not every interruption to personal data access is a personal data breach. Interruption to cloud services’ access and the resulting interruption to data access may, in some situations, result in a violation of the rights and freedoms of individuals. The UODO therefore recommends conducting a risk analysis before reporting the personal data breach to the authority.
For more information: UODO Website [PL]
07/08/2024
Polish Supervisory Authority | Guidance | Children Protection
On July 8, 2024, the Polish Supervisory Authority (“UODO”) published a guide to support institutions and organizations in ensuring better protection for children in the digital age.
The guide, entitled “Children’s Image on the Internet. Publish or not?”, notably includes tips to be used to protect children’s photos and videos on the Internet and the list of potential risks associated with publication of children’s images on the Internet.
For more information: UODO Website [PL]
Spain
07/10/2024
Spanish Supervisory Authority | Report | Addictive patterns
On July 10, 2024, the Spanish Supervisory Authority (“AEPD”) issued a report on addictive patterns in the processing of personal data.
The report highlights how, in many cases, service providers implement misleading and addictive design patterns, including to increase the amount of personal data collected about users. The report emphasizes that the adverse impact of addictive strategies is considerably greater when they are used to process the personal data of vulnerable people, such as children.
For more information: AEPD Website [ES]
United Kingdom
07/23/2024
Ofcom | Discussion Paper | Generative AI
On July 23, 2024, the British Office of Communications (“Ofcom”) published a discussion paper on the evaluation of vulnerabilities in Generative Artificial Intelligence models.
The discussion paper discusses “red teaming” as a type of evaluation method that seeks to find vulnerabilities in generative artificial intelligence models to protect users from harmful content.
For more information: Ofcom Website
07/23/2024
Ofcom | Discussion Paper | Deepfake
On July 23, 2024, the British Office of Communications (“Ofcom”) published a discussion paper on deepfakes.
Among other things, the discussion paper highlights the different types of deepfakes that can cause harm and the steps organizations can take to mitigate the risks of deepfakes.
For more information: Ofcom Website
07/17/2024
British Government | King’s Speech | Digital Information and Smart Data
The British Government plans to introduce Digital Information and Smart Data Bill.
On July 17, 2024, the Government announced, as part of the King’s Speech, that it planned to introduce the Digital Information and Smart Data Bill. The Government explained that the bill would, among other things, enable new innovative uses of data to be safely developed and deployed, reform data sharing and standards, improve data laws, and give the Information Commissioner’s Office (“ICO”) new, stronger powers.
For more information: Government Website
Ahmed
Baladi – Partner, Co-Chair, PCDI Practice, Paris ([email protected])
Joel Harrison, – Partner, Co-Chair, PCDI Practice, London ([email protected])
Vera Lukic – Partner, Paris ([email protected])
Lore Leitner – Partner, London ([email protected])
Kai Gesing – Partner, Munich ([email protected])
Clémence Pugnet – Associate, Paris ([email protected])
Thomas Baculard – Associate, Paris ([email protected])
Hermine Hubert – Associate, Paris ([email protected])
Billur Cinar – Associate, Paris ([email protected])
Christoph Jacob – Associate, Munich ([email protected])
Yannick Oberacker – Associate, Munich ([email protected])
Sarah Villani – Associate, London ([email protected])
Miles Lynn – Associate, London ([email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
We are pleased to provide you with the August edition of Gibson Dunn’s monthly U.S. bank regulatory update. Please feel free to reach out to us to discuss any of the below topics further.
KEY TAKEAWAYS
- The Board of Governors of the Federal Reserve System (Federal Reserve) and Federal Deposit Insurance Corporation (FDIC) issued final joint guidance on resolution plans for Category II and Category III institutions.
- Staff of the Federal Reserve published an FAQ clarifying that institutions subject to Regulation YY (12 C.F.R. Part 252) enhanced prudential standards can incorporate—although they should not rely exclusively on—certain non-private market sources in demonstrating plans to monetize highly liquid assets under various internal liquidity stress test scenarios.
- The FDIC’s recent Notice of Proposed Rulemaking proposing significant changes to its brokered deposits rules was published in the Federal Register on August 23, 2024. Comments are due on the proposed rule by October 22, 2024.
- On August 21, 2024, a group of eleven financial services trade associations requested that the FDIC withdraw its proposed rule or, alternatively, that the FDIC publish its brokered deposits data and extend the comment period by an additional 60 days. The coalition of trade associations also requested an extension to respond to the FDIC’s request for information on deposits, noting that the FDIC’s request for information requires a significant amount of research and consideration that would be difficult to sufficiently complete within the 60-day comment period. For more information on the proposed rule, please see our Client Alert.
DEEPER DIVES
Federal Reserve and FDIC Issue Joint Final Guidance on Resolution Plans for Category II and Category III Institutions. On August 5, 2024, the Federal Reserve and FDIC issued final joint guidance to help Category II and Category III institutions (i.e., banks with assets exceeding $250 billion but not GSIBs) develop their resolution plans. The joint guidance addresses specific characteristics of Category II and III institutions and is organized around key areas of vulnerability—such as capital, liquidity, and operations.
- Insights. Although the joint guidance provides color to Category II and III institutions on key risk areas to be considered in connection with the development of resolution plans, uncertainties remain. Notably, Federal Reserve Governor Michelle Bowman’s statement on the final guidance flagged several lingering reservations regarding the guidance, including (i) the lack of justification for requiring holding company-level plans for large banks that predominantly hold assets in a bank subsidiary, (ii) a potentially disjointed rulemaking approach in light of the agencies’ separately proposed long-term debt requirement that could materially impact firms’ resolution strategies, and (iii) the ability of the in-scope institutions to produce useful and reliable “least-cost resolution” analyses based on the revised guidance.
Federal Reserve Clarifies that Firms Can Incorporate Non-Private Market Sources in Regulation YY Liquidity Stress Tests. On August 13, 2024, staff of the Federal Reserve published a new Q&A on its Regulation YY Frequently Asked Questions page. The FAQ confirms that firms subject to Regulation YY enhanced prudential standards can use non-private market sources, such as the Federal Reserve’s discount window, the Standing Repurchase Facility, or Federal Home Loan Bank advances, in addition to private market channels, in demonstrating that the firm can monetize highly liquid assets in response to various internal liquidity stress test (ILST) scenarios. However, the guidance also emphasizes that firms should not rely exclusively on these non-private sources and clarifies that it does not expand the types of assets that qualify for inclusion in a firm’s liquidity buffer.
- Insights. The guidance issued in the FAQ is significant because it broadens the options that banks have for demonstrating liquidity management under stress, potentially making it easier for them to satisfy their ILST requirements, which, for many banks, can be their most binding liquidity requirements. By clarifying that banks can plan to meet a substantial portion of their projected short-term liquidity needs under stress by borrowing from the Federal Reserve and other non-private market sources, the guidance should also increase banks’ incentives to be prepared to use those facilities when needed.
OTHER NOTABLE ITEMS
Federal Reserve Announces Final Individual Capital Requirements for All Large Banks. On August 28, 2024, the Federal Reserve announced final individual capital requirements for all large banks, effective on October 1. This table shows each large bank’s CET1 capital ratio requirement.
Ninth Circuit Reaffirms Decision Finding National Bank Act Does Not Preempt California’s Interest on Mortgage Escrow Statute. Following the Supreme Court’s recent decision in Cantero v. Bank of America (discussed in our previous Client Alert), a Ninth Circuit Court of Appeals panel reaffirmed the District Court’s opinion in Kivett v. Flagstar Bank that the National Bank Act does not preempt California law requiring banks to pay interest on deposits held in escrow accounts. The Ninth Circuit’s unpublished memorandum disposition is available here. Previously, on June 10, 2024, the Supreme Court vacated the decision in Kivett and remanded to the Ninth Circuit for further consideration in light of Cantero.
FDIC Publishes Questions and Answers Regarding FDIC Official Signs and Advertising Requirements, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC Name or Logo. On August 16, 2024, the FDIC issued FAQs relating to its December 2023 final rule amending Part 328 of its regulations concerning the use of official FDIC signage, advertising statements and representations regarding FDIC insurance coverage. Among the key implementation topics covered, the FAQ spends considerable time addressing digital marketing. The FDIC’s final rule and FAQs reflect a continued focus on representations made by fintech or other non-depository institutions regarding the insured status of customer funds. The final rule follows a wave of FDIC enforcement activity against non-banks making false statements regarding the insured status of customer funds. Financial institutions considering partnering with third parties to offer deposit products should diligence such fintech’s marketing and implement appropriate controls.
CFPB Issues Advisory Opinion and Research Report on Contract for Deed Lending. On August 13, 2024, the Consumer Financial Protection Bureau (CFPB) released an advisory opinion and research report on a form of home seller financing often referred to as contract for deed. The advisory opinion affirms that federal home lending rules and laws, such as the Truth in Lending Act, cover contracts for deed and provide key consumer protections. The advisory opinion clarifies that larger sellers, such as investment groups, are subject to the provisions of the Truth in Lending Act. Accordingly, covered sellers must (i) assess the borrowers’ ability to repay loans; (ii) provide the required disclosures, including the annual percentage rate and payment schedules; and (iii) limit balloon payments on all loans with an interest rate higher than certain published benchmarks.
CFPB Comments on Department of the Treasury’s Request for Information on Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector. On August 12, 2024, the CFPB published its comments to the Department of the Treasury’s June 6, 2024 Request for Information on Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector.
The following Gibson Dunn lawyers contributed to this issue: Jason Cabral, Ro Spaziani, Zach Silvers, Karin Thrasher, and Nathan Marak.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work or any of the member of the Financial Institutions practice group:
Jason J. Cabral, New York (212.351.6267, [email protected])
Ro Spaziani, New York (212.351.6255, [email protected])
Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])
M. Kendall Day, Washington, D.C. (202.955.8220, [email protected])
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])
Sara K. Weed, Washington, D.C. (202.955.8507, [email protected])
Ella Capone, Washington, D.C. (202.887.3511, [email protected])
Rachel Jackson, New York (212.351.6260, [email protected])
Chris R. Jones, Los Angeles (212.351.6260, [email protected])
Zack Silvers, Washington, D.C. (202.887.3774, [email protected])
Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
This update provides an overview of the major developments in federal and state securities litigation since our Securities Litigation 2023 Year-End Update.
Table of Contents
I. Filing And Settlement Trends
II. What To Watch For In The Supreme Court
III. Delaware Developments
IV. Federal SPAC Litigation
V. ESG Civil Litigation
VI. Cryptocurrency Litigation
VII. Lorenzo Disseminator Liability
VIII. Market Efficiency And “Price Impact” Cases
IX. Other Notable Developments
Gibson Dunn’s 2024 Mid-Year Update covers the following developments:
- We review the Supreme Court’s decisions in Macquarie Infrastructure Corp. v. Moab Partners, L.P., which recognizes that a suit under Rule 10b-5 cannot be based on pure omissions, and SEC v. Jarkesy, which limits the SEC’s power to conduct administrative enforcement proceedings in certain cases. We also preview two cases that will address pleading standards and the nature of “materially misleading” statements under the PSLRA.
- We detail significant developments in Delaware corporate law, including a Delaware Supreme Court ruling on advance notice bylaws and a novel ruling on the duties of controlling stockholders when exercising stockholder-level voting power. We also provide updates on Moelis and Tornetta v. Musk.
- We discuss the SEC’s latest rule applicable to SPACs and its significance along with the fact-specific approach courts have taken in SPAC litigation.
- A growing number of lawsuits challenge public companies’ environmental, social, and governance (ESG) disclosures and policies. We survey recent developments in this space.
- Cryptocurrency saw noteworthy developments in private litigation and in actions by the SEC—which has been ramping up enforcement efforts. We discuss these developments along with court rulings and legislative efforts impacting transactions and compliance.
- We continue to monitor case law developments related to the Supreme Court’s 2019 decision, Lorenzo v. SEC, in which the Supreme Court found that even if the disseminator of a false statement did not “make” or draft that false statement within the meaning of Rule 10b-5(b), the disseminator may still be liable under Rule 10b-5(a) and (c) if they disseminate a false statement with intent to defraud.
- District courts continue to engage with defendants’ attempts to defeat or limit class certification by rebutting the Basic presumption of reliance with evidence that the alleged misstatements had no impact on the stock price. We review several of these opinions in Section VIII, Market Efficiency And “Price Impact” Cases.
- Finally, we address several other notable developments including the following: the Seventh Circuit outlining the procedure for reassessment of mootness fees paid to shareholder plaintiffs after a merger following voluntary dismissal of their suit; the Sixth Circuit joining the majority of circuits in holding that the bespeaks caution doctrine survives the PSLRA; the Ninth Circuit providing additional guidance on determining loss causation and alleged misstatements related to COVID-19; and the SEC’s finalization of amendments to Regulation S-P aimed at enhancing data protections.
I. Filing And Settlement Trends
A recent NERA Economic Consulting (NERA) study provides an overview of recent developments in federal securities litigation filings. This section highlights several notable trends.
A. Filing Trends
Figure 1 below reflects the federal filing rates from 1996 through 2024. In the first half of 2024, 112 federal cases were filed. On an annualized basis, that number largely matches the number of federal filings in 2023, but it is considerably lower than in the peak years of 2017-2019. Note, however, that this figure does not include class action suits filed in state court or state court derivative suits, including those in the Delaware Court of Chancery.
Figure 1:
B. Mix Of Cases Filed In 2023
1. Filings By Industry Sector
As shown in Figure 2 below, the distribution of non-merger objections and non-crypto unregistered securities filings in the first half of 2024 varied somewhat from 2023. Notably, after a dip in 2023, the “Health and Technology Services” sector percentage returned to the percentages seen in 2021 and 2022. Similarly, the percentage of “Electronic Technology and Technology Services” filings increased in 2024, returning to levels seen in 2021 and 2022. Together, “Health and Technology Services” and “Electronic Technology and Technology Services” filings once again comprised over 50% of filings after dipping to 41% in 2023. Meanwhile, “Finance” sector filings decreased from 18% to 11%.
Figure 2:
2. Filings By Type
As shown in Figure 3 below, Rule 10b-5 filings make up the vast majority of federal filings so far this year. In fact, projecting out to a full year, filings of other types are slated to end up at their lowest levels in years.
Figure 3:
3. Filings By Circuit
Figure 4 provides insight into the distribution of federal filings by Circuit. Most filings occur in the Second and Ninth Circuits. Notably, the number of filings in the Second Circuit has been trending down since 2021. By contrast, the number of filings in the Ninth Circuit has stayed steady or increased over that same period.
Figure 4:
4. Event-Driven And Other Special Cases
Figure 5 illustrates trends in the number of event-driven and other special case filings since 2020. The number of Artificial Intelligence-related filings already equals the total number of such filings in 2023 and 2022. By contrast, SPAC and Cybersecurity and Customer Privacy Breach filings have decreased steadily since 2021. And after 11 such filings in 2023, zero Banking Turmoil cases have been filed this year.
Figure 5:
C. Settlement Trends
As reflected in Figure 6 below, the average settlement value so far in 2024 is $26 million. That is a sizable drop from the past two years. If it remains at that level, it would be the second-lowest average settlement value on an inflation-adjusted basis in nearly a decade. (Note that the average settlement value excludes merger-objection cases, crypto unregistered securities cases, and cases settling for more than $1 billion or $0 to the class.)
Figure 6:
As for median settlement value, that value has likewise dropped noticeably from 2022 and 2023. (Note that median settlement value excludes settlements over $1 billion, merger objection cases, crypto unregistered securities cases, and zero-dollar settlements.)
Figure 7:
II. What To Watch For In The Supreme Court
A. Recent Supreme Court Decisions
1. Macquarie Infrastructure Corp. v. Moab Partners, L.P. – Rule 10b-5 Does Not Support Private Actions Based On Pure Omissions
On April 12, 2024, the Supreme Court unanimously decided Macquarie Infrastructure Corp. v. Moab Partners, L.P., holding that an issuer of securities does not violate Exchange Act Section 10(b) or the SEC’s Rule 10b-5 by pure omission—that is, by mere nondisclosure of material information—unless that omission renders other, affirmative statements by the issuer misleading. 601 U.S. 257, 265 (2024).
Moab Partners, L.P. filed this private securities-fraud action under Section 10(b) and Rule 10b-5 against the defendants, Macquarie Infrastructure Corp. and related individuals and entities, asserting that the nondisclosure of certain information in Macquarie’s SEC filings constituted an actionably misleading omission of material information. Id. at 261. The information at issue related to the principal assets of a Macquarie subsidiary, storage terminals for a particular high-sulfur fuel oil. Id. The United Nations enacted a 2016 rule that aimed to cap the sulfur content of fuel oil used in shipping, and Macquarie did not disclose in its filings any potential impact of that rule on its subsidiary’s business. Id. In February 2018, Macquarie announced that demand for the subsidiary’s storage had decreased due to a decline in the market for the high-sulfur fuel oil, and Macquarie’s stock price dropped by 41%. Id.
Moab Partners argued that the failure to disclose any risks associated with the 2016 rule violated Macquarie’s duty, under Item 303 of Regulation S-K, to disclose in its annual Form 10-K filing all “known trends or uncertainties that . . . are reasonably likely to have a material . . . impact” on its operations. Id. at 260, 265. According to Moab Partners, nondisclosure of a known trend with material implications in violation of Item 303 constituted a materially misleading omission in violation of Rule 10b-5. See id. at 265.
The Court disagreed, finding no actionable statements or omissions because Moab Partners failed to “plead any statements rendered misleading” by Macquarie’s alleged pure omission. Id. at 265 (emphasis added). Because Rule 10b-5 requires only “disclosure of information necessary to ensure that statements already made are clear and complete,” it covers “half-truths,” but not “pure omissions.” Id. at 264 (emphasis added). A failure to disclose information required by Item 303 can sustain a Rule 10b-5 claim only when the omission renders other affirmative statements misleading. Id. at 265.
This holding affirms the longstanding precedent from Basic Inc. v. Levinson that “[s]ilence, absent a duty to disclose, is not misleading under Rule 10b-5.” Id. (quoting Basic, 485 U.S. 224, 239 n.17 (1988)). It also clarifies that “[e]ven a duty to disclose . . . does not automatically render silence misleading.” Id.
2. SEC v. Jarkesy – Successful Constitutional Challenge To SEC’s Method Of Adjudication
On June 28, 2024, the Supreme Court announced its 6-3 decision in SEC v. Jarkesy, holding that the Seventh Amendment right to a jury trial applies in cases where the SEC seeks civil penalties for securities fraud. 144 S. Ct. 2117 (2024).
In the Dodd-Frank Act of 2010, Congress empowered the SEC to seek civil penalties against violators of its antifraud regulations either in federal court or through “in-house” administrative proceedings. Id. at 2126. In these in-house proceedings, unlike in federal court, there is no opportunity to have the case heard by a jury, and cases are tried before an SEC-appointed administrative law judge (ALJ), rather than by a Senate-confirmed Article III judge. Id. at 2125-26.
Respondents George Jarkesy Jr. and Patriot28 LLC were subject to an SEC enforcement action that sought civil penalties for alleged violations of the federal securities laws’ antifraud provisions. Id. at 2124. The SEC proceeded against Jarkesy and Patriot28 before an SEC ALJ, rather than in court. Id. at 2125. The ALJ ruled for the agency and against the respondents, and after review of the ALJ’s decision, the SEC imposed a penalty of $300,000, ordered disgorgement against Patriot28, and prohibited Jarkesy from participating in the securities industry. See id. at 2127.
The respondents sought review by the U.S. Court of Appeals for the Fifth Circuit, raising constitutional procedural and structural objections. See id. A divided panel of the Fifth Circuit ruled for the respondents, citing three constitutional infirmities. First, because enforcement of the antifraud securities laws is “akin to . . . traditional” causes of action involving debts, where a defendant historically would have been entitled to a jury trial, a defendant facing antifraud securities claims is entitled to a jury trial. Jarkesy v. SEC, 34 F.4th 446, 453-54 (5th Cir. 2022). Second, Congress’s grant of “unfettered” discretion to the SEC to bring enforcement actions in court or administratively was an unconstitutional delegation of power. Id. at 459. Third, the agency structure surrounding ALJs restricted the President’s Article II authority, as it gave ALJs two layers of for-cause protection from removal that blocked the President from exercising “adequate power over . . . removal.” Id. at 463.
The Supreme Court granted certiorari to review all three of the Fifth Circuit’s holdings. See Brief for Petitioner at i. However, the Court declined to reach the nondelegation and ALJ-removal questions, affirming the decision below only on the Seventh Amendment issue. Jarkesy, 144 S. Ct. at 2127-28.
In holding that the respondents were entitled under the Seventh Amendment to a jury trial on these claims, the Court explained that the securities antifraud provisions were intended to “replicate common law fraud” claims that require a jury trial. See id. at 2127. The Seventh Amendment jury right extends to all suits that are “legal in nature”—including those that seek monetary damages in order to punish or deter violations, as distinct from equitable relief like disgorgement. See id. at 2128-30. The antifraud provisions’ resemblance to common-law fraud claims, and the legal nature of the damages remedy, confirmed that the Framers would have intended the jury right to apply to actions enforcing these provisions. See id. at 2128-31.
The Court rejected the SEC’s argument that the case fell under the “public rights” exception for cases that “historically could have been determined exclusively by the executive and legislative branches.” See id. at 2132 (cleaned up). While its public rights doctrine has not always charted a clear course, the Court explained that the doctrine emphasizes that traditional suits at common law should be adjudicated in courts and has maintained a “presumption . . . in favor of Article III courts.” Id. at 2134. Thus, even modern regulatory suits modeled after traditional legal claims should remain with Article III courts, no matter where Congress might have assigned them. See id. at 2131, 2135-36.
As the Court explained in conclusion, “a defendant facing a fraud suit has the right to be tried by a jury of his peers before a neutral adjudicator.” Id. at 2139. Because the SEC’s enforcement action against the respondents involved similar fraud-related claims, the proceeding before an SEC ALJ had violated the respondents’ Seventh Amendment rights.
B. Grants Of Certiorari
1. Facebook, Inc. v. Amalgamated Bank – Whether Risk Disclosures Must Acknowledge Past Incidents
On June 10, 2024, the Supreme Court granted the petition for a writ of certiorari in Facebook, Inc. v. Amalgamated Bank, a private securities-fraud class action challenging the adequacy of Facebook’s disclosures about third-party use of personal data.
The plaintiff shareholders allege that Facebook made fraudulent misstatements in filings where it purportedly characterized the risk that third parties might misuse Facebook user data as a “hypothetical” risk. Petition for Writ of Certiorari at 10, Facebook, Inc. v. Amalgamated Bank, No. 23-980 (Mar. 4, 2024). The plaintiffs contend the risk had already materialized through third parties’ actual misuse of Facebook user data. Id.
In the decision below, the Ninth Circuit ruled that a risk disclosure is materially misleading when it fails to disclose that the identified risk has materialized in the past, even if that past event presents no known risk of harm to the company. In re Facebook, Inc. Sec. Litig., 87 F.4th 934, 949-50 (9th Cir. 2023). The Circuit explained that “[b]ecause Facebook presented the prospect of a breach as purely hypothetical when it had already occurred, such a statement could be misleading even if the magnitude of the ensuing harm was still unknown.” Id. at 950.
According to the petition, this holding placed the Ninth Circuit at odds with its sister circuits. As Facebook argued, the First, Second, Third, Fifth, Tenth, and D.C. Circuits have all held that companies must disclose risks that materialize only when the company knows, or believes with near certainty, that the materialized risk will harm the business. Petition at 19-22. The Sixth Circuit, on the other hand, has held that companies are not required to disclose when risks materialized in the past because “[r]isk disclosures like the ones accompanying 10-Qs and other SEC filings are inherently prospective in nature.” Id. at 18 (quoting Bondali v. Yum! Brands, Inc., 620 F. App’x 483, 491 (6th Cir. 2015)).
Gibson Dunn represents the petitioners in this case, which has been scheduled for oral argument on November 6, 2024.
2. NVIDIA Corp. v. E. Ohman J:or Fonder AB – PSLRA Pleading Standards For Scienter and Falsity
On June 17, 2024, the Supreme Court granted the petition for a writ of certiorari in NVIDIA Corp. v. E. Ohman J:or Fonder AB, another private securities-fraud class action originating in the Ninth Circuit involving alleged violations of Section 10(b) and Rule 10b-5. This case raises two questions regarding the pleading standard for private class actions under the Private Securities Litigation Reform Act of 1995 (PSLRA).
This case was brought by investment management fund E. Öhman J:or Fonder AB and other investors against NVIDIA, a producer of graphics processing units (GPUs). As alleged in the plaintiffs’ complaint, NVIDIA’s GPUs include the “GeForce” branded GPU, which is designed and marketed for use in video gaming, but which began around 2017 to also be used for mining cryptocurrency. E. Ohman J:or Fonder AB v. NVIDIA Corp., 81 F.4th 918, 924-27 (9th Cir. 2023); Petition for Writ of Certiorari at 8, NVIDIA Corp. v. E. Ohman J:or Fonder AB, No. 23-970 (Mar. 4, 2024). Plaintiffs alleged that NVIDIA’s CEO and other defendants made statements that misrepresented the connection between the company’s increased revenues and the fact that cryptocurrency miners—not just video game players—were purchasing GeForce GPUs. E. Ohman J:or Fonder AB, 81 F.4th at 925. Because the demand for GPUs tied to cryptocurrency mining has been “extremely volatile,” subject to changes in the price of cryptocurrency, the company’s denials of a link between its growth and cryptocurrency-related usage were allegedly material to investors and analysts. See id. at 924-27.
To support their claims that NVIDIA had knowingly or recklessly misled investors about the source of demand for GeForce GPUs, plaintiffs’ amended complaint relied heavily on witness statements from former NVIDIA employees and the independent analysis of an expert consulting firm. Id. at 929-30, 937-39. The district court dismissed the amended complaint, finding the plaintiffs had not adequately pleaded the element of scienter under the PSLRA, specifically that plaintiffs’ allegations that NVIDIA as a company had access to certain sales and usage data did not plausibly show that each individual defendant had access to that data, and thus spoke with knowledge or recklessness of falsity. Iron Workers Local 580 Joint Funds v. NVIDIA Corp., 522 F. Supp. 3d 660, 674-75 (N.D. Cal. 2021). The Ninth Circuit reversed, reinstating the amended complaint as to NVIDIA’s CEO based on specific statements from former employees about the company and the CEO’s practices. E. Ohman J:or Fonder AB, 81 F.4th at 937-40. The Ninth Circuit also held that the amended complaint adequately alleged falsity, where it relied primarily on a post hoc expert analysis of NVIDIA’s reported revenues compared to the statements by company insiders at the time. Id. at 930-32.
In NVIDIA, the Supreme Court will consider two questions regarding pleading standards under the PSLRA. First, petitioners, NVIDIA and its CEO, argue one existing circuit split exists on the standard for pleading scienter: namely, whether plaintiffs who seek to rely on “internal company documents must plead with particularity the contents of these documents.” Petition at i. Second, petitioners also claim to identify a new circuit split, created by the decision below, on the element of falsity: whether the PSLRA’s falsity requirement may be satisfied at the pleading stage by expert opinions, in lieu of particularized allegations of fact. Id.
Oral argument in NVIDIA is scheduled to be held on November 13, 2024.
A. The Delaware Supreme Court Underscores The Importance Of Fully Informed Stockholders Under MFW
Two recent Delaware Supreme Court cases emphasize (1) the importance of disclosing conflicts of interest when seeking to fully inform stockholders, and (2) that Delaware courts pay close attention to claims that a minority was fully informed when an entity seeks to obtain business judgment review by employing the procedural devices set forth in Kahn v. M&F Worldwide Corp., 88 A.3d 635 (Del. 2014) (MFW).
In City of Dearborn Police & Fire Revised Retirement System v. Brookfield Asset Management Inc., plaintiffs brought breach of fiduciary duty claims related to a squeeze-out merger. 314 A.3d 1108, 1113 (Del. 2024) (en banc). The trial court dismissed plaintiff’s complaint after concluding defendants complied with MFW’s requirements and applying the business judgment rule. Relevant here, plaintiffs claimed on appeal that the “trial court erred in finding that MFW was satisfied because they failed to adequately plead that the proxy statement was materially deficient.” Id.
Affirming in part and reversing in part, the en banc Supreme Court agreed that the proxy statement omitted important information. Among other things, it held that the “minority stockholders were not adequately informed of certain alleged conflicts of interest between the special committee’s advisors and the counterparty to the Merger.” Id. For example, the proxy failed to disclose that Morgan Stanley—which the controlled target entity’s (TerraForm) special committee retained—had a $470 million stake in Brookfield (TerraForm’s controller). In the Supreme Court’s view, “the $470 million investment, when viewed from the perspective of a reasonable stockholder, was material and should have been disclosed.” Id. at 1133. Similarly, the proxy failed to disclose that Kirkland & Ellis LLP—the law firm TerraForm’s special committee retained—had previously represented “Brookfield and its affiliates” and was “concurrent[ly] represent[ing] . . . a Brookfield affiliate on an unrelated transaction.” Id. at 1134. And, again, the Supreme Court held that “it [wa]s reasonably conceivable that the details of Kirkland’s conflicts, and particularly, the concurrent conflict, were material facts for stockholders that required disclosure.” Id.
City of Sarasota Firefighters’ Pension Fund v. Inovalon Holdings, Inc. is similar in several respects. 2024 WL 1896096 (Del. May 1, 2024) (en banc). There, plaintiffs “asserted several breach of fiduciary duty claims, an unjust enrichment claim, and a claim alleging a breach of the Company’s charter” in connection with “an acquisition of Inovalon Holdings, Inc. . . . by a private equity consortium led by Nordic Capital.” Id. at *1. As in Brookfield, the Court of Chancery dismissed the complaint after finding “the requirements of MFW were met.” Id. at *8. And, as in Brookfield, the Delaware Supreme Court disagreed. Among other things, the Supreme Court explained that the proxy failed to adequately disclose the special committee’s advisors’ conflicts of interest. Id. at *15. Inovalon further underscores the importance of disclosing a special committee’s advisors’ conflicts of interest if an entity wishes to benefit from MFW and the business judgment rule.
B. The Delaware Supreme Court Addresses Advance Notice Bylaws
In Kellner v. AIM ImmunoTech, Inc., the Delaware Supreme Court provided helpful insight into how Delaware courts will review advance notice bylaws. __ A.3d __ , 2024 WL 3370273 (Del. 2024). As explained in our 2023 Year-End Update, the Court of Chancery invalidated several advance notice bylaws that AIM’s Board adopted in connection with a group of stockholders’ activism campaign and proxy contest efforts, reinstated a prior version of one of the bylaws, and then “upheld the board’s rejection of [a stockholder’s] third nomination notice because it failed to comply with the two advance notice bylaws left standing.” Id. at *1.
On appeal, the Delaware Supreme Court affirmed in part and reversed in part. It began by noting the two-part inquiry for assessing challenges to “the adoption, amendment, or enforcement of a Delaware corporation’s advance notice bylaws”: (1) “whether the advance notice bylaws are valid as consistent with the certificate of incorporation, not prohibited by law, and address a proper subject matter,” and (2) “whether the board’s adoption, amendment, or application of the advance notice bylaws were equitable under the circumstances of the case.” Id. The Supreme Court then analyzed the trial record and concluded the advance notice bylaws at issue on appeal were invalid or unenforceable. Id. at *2.
On validity, the Court explained, among other things, that the “DGCL places minimal procedural and substantive requirements on stockholders and directors when addressing bylaws,” that bylaws are “presumed to be valid,” and that a plaintiff challenging a bylaw “must demonstrate that the bylaw cannot operate lawfully under any set of circumstances.” Id. at *9-11. Measured against that lenient standard, the Supreme Court concluded that one bylaw, composed of a 1,099-word single-sentence, was unintelligible and thus invalid, as “[a]n unintelligible bylaw is invalid under ‘any circumstances.’” Id. at *15 (citation omitted). By contrast, the Supreme Court had “no trouble” concluding the remaining bylaws were valid “because they [we]re consistent with the certificate of incorporation, not prohibited by law, and address[ing] a proper subject matter.” Id. at *2, *15.
On enforceability, the Supreme Court reiterated that a finding of facial validity does not preclude a finding of inequity. The Supreme Court then concluded that the board’s actions were inequitable because “it adopted the amended bylaws for the primary purpose of interfering with, and ultimately rejecting, [the at-issue] nominations.” Id. at *2. For example, the Supreme Court reviewed the “agreement, arrangement, or understanding” (AAU) provision and agreed with the Court of Chancery that the “SAP [stockholder associated person] term” included in the AAU provision was unreasonable. That provision “require[d] a nominator to disclose not only personal knowledge but also to take steps to gather information about agreements and understandings between any members of potentially limitless class of third parties and individuals unknown to the nominator.” Id. at *16-17. In other words, “the nominating stockholder must not only respond based on personal knowledge, but also an ill-defined daisy chain of persons.” Id. at *18. The AAU provision thus “functioned as a ‘tripwire’ rather than an information-gathering tool and ‘suggest[ed] an intention to block the ’dissident’s effort.’” Id. at *17 (quoting Kellner v. AIM ImmunoTech Inc., 307 A.3d 998, 1031 (Del. Ch. 2023)). Indeed, the SAP term affected all the valid bylaws, rendering each problematic. Id. at *17-18. Nonetheless, in light of the Court of Chancery’s “findings about [a stockholder’s] and his nominees’ deceptive conduct,” the Supreme Court concluded that “no further action [wa]s warranted.” Id. at *18.
C. Court Of Chancery Issues Novel Ruling Regarding The Exercise Of Stockholder-Level Voting Power By A Controller
On January 4, 2024, the Delaware Court of Chancery issued a novel post-trial decision addressing what it described as “fascinating” dynamics related to a controlling stockholder and a special committee. In re Sears Hometown & Outlet Stores, Inc. S’holder Litig., 309 A.3d 474, 483 (Del. Ch. 2024).
Sears Hometown and Outlet Stores, Inc., a controlled public company, had two business segments, one of which was “good” and one of which was “bad.” Id. at 483. When the controller and a special committee disagreed over how to deal with that divergence, the controller “used his voting power as a stockholder to adopt a bylaw amendment” that complicated—but did not preclude—the special committee’s ability to implement its preferred plan (liquidation of the “bad” business). Id. As the Court explained, the bylaw “ensured that the controller [would] ha[ve] a window to act . . . if the board pursued it[s plan].” Id. In addition, the controller removed “two of the three members of the [s]pecial [c]ommittee” who had “been the most vocal” about the liquidation and replaced them with two individuals he “could be confident . . . . would support his interests.” Id. at 519. As the controller acknowledged at trial, “he had no intention of letting the liquidation plan become reality.” Id. at 483.
With the special committee’s preferred plan effectively off the table, the controller negotiated a transaction with the special committee that ended up eliminating the minority stockholders’ interest in the company. Id. at 502-03. The transaction was not conditioned on a majority of the minority vote, and the board was not permitted to “terminate the agreement to accept a superior proposal.” Id. at 503.
In assessing the events that transpired, the Court noted that, until its decision, “Delaware law [had] not clearly state[d] what standard of review (if any) applies to a controller’s exercise of stockholder voting power.” Id. at 483. To the contrary, “[s]ome authorities suggest[ed] a controller owes no fiduciary duties when voting,” while “[o]ther authorities appl[ied] a fiduciary framework without spelling out the details.” Id.
Ultimately, the Court decided: (1) “[a] controller does not owe any enforceable duties when declining to vote or when voting against a change to the status quo”; (2) “when exercising stockholder-level voting power” to change the status quo, “a controller owes a duty of good faith that demands the controller not harm the corporation or its minority stockholders intentionally”; (3) a “controller . . . owes a duty of care that demands the controller not harm the corporation or its minority stockholders through grossly negligent action”; and (4) “enhanced scrutiny should apply” when a “controller t[akes] action that invade[s] the space typically reserved for the board of directors.” Id. at 483-84, 510, 512.
The Court also contrasted a controller’s duties with those of a director. It noted that whereas “[d]irectors . . . must act affirmatively to promote the best interests of the corporation, and they must subjectively believe that the actions they take serve that end,” “[a] controller need not meet that higher standard when exercising stockholder-level voting rights.” Id.
Applying these principles to the facts of the case, the Court concluded first that the controller “did not breach his fiduciary duties when he engaged in” the interventions discussed above, as he “acted in good faith to protect the Company from a threat of value-destruction,” “identified that threat in good faith, after a reasonable investigation,” and “then responded with a means that fell within the range of reasonableness.” Id. at 519. As the Court explained, “[i]f nothing else had happened, and if the Company had merely continued operating as it had before the [c]ontroller [i]nterven[ed], then judgment would [have] be[en] entered for the defendants.” Id.
But something else did happen. The controller ended up “acquiring the [c]ompany and eliminating the minority stockholders from the enterprise” in the process. Id. Given this, the Court evaluated the transaction under the entire fairness standard. Id. at 519-20. Under that standard, the Court concluded that both the price and process were unfair and held the controller his co-defendants jointly and severally liable for “the difference between the transaction price and the ‘true’ value of the firm.” Id. at 539-41.
D. Court Of Chancery Concludes Plaintiff Failed To Allege Owner Of 26.7% Of Common Stock Was A Controller
In Sciannella v. AstraZeneca UK Limited, the Court of Chancery dismissed a putative class action brought by a former stockholder of Viela Bio, Inc. alleging fiduciary duty breaches by the directors, officers, and former parent company of Viela in connection with their roles “in selling [Viela] to affiliates of Horizon Therapeutics plc.” 2024 WL 3327765, at *1 (Del. Ch. July 8, 2024). One central issue was whether AstraZeneca, “which owned 26.7% of Viela’s outstanding common stock,” “was a controlling stockholder at the time of the [at-issue] transaction.” Id.
In its opinion, the Court found that the “complaint fail[ed] to plead facts to support a reasonable inference” that AstraZeneca was a controlling stockholder. Id. To that end, the Court rejected plaintiff’s claim that the combination of various factors demonstrated that AstraZeneca exercised both general and transaction-specific control.
For example, plaintiff claimed that “AstraZeneca’s equity stake” and “blocking rights” indicated AstraZeneca was a controller. Id. at *17-18. The Court disagreed, finding that a 25% stake and certain blocking rights did not “contribute to an inference of control” because “AstraZeneca only had the right to veto bylaw amendments initiated by stockholders, and then only if the Board did not recommend them.” Id.
Plaintiff also pointed to AstraZeneca having appointed two of Viela’s eight directors and the fact that other defendants had relationships with AstraZeneca, such as by investing in Viela and being previously employed by AstraZeneca. Id. at *19. Again, the Court found these allegations inadequate, either because they were conclusory or insufficient to support a reasonable inference that AstraZeneca dominated the decision-making process. Id. at *19-20.
Plaintiff also highlighted “Support Agreements,” through which AstraZeneca provided support to Viela’s day-to-day operations, including through supply, licensing, and transition services agreements. Id. at *21. Although the Court agreed that these agreements meant “Viela substantially depended on AstraZeneca” in various respects, it nonetheless concluded that plaintiff has not alleged “facts from which it is reasonable to infer that [AstraZeneca] could prevent the [Viela Board] from freely exercising its independent judgment in considering the proposed [M]erger.” Id. at *22 (citation omitted) (alterations in original).
E. Court Of Chancery Issues Opinion In A Suit Alleging Fiduciary Duty Breaches In Connection With Conversion
Palkon v. Maffei addressed the decisions of two Delaware corporations—both of which were controlled by Gregory B. Maffei—”to convert . . . into . . . Nevada corporation[s].” 311 A.3d 255, 261 (Del. Ch. 2024), cert. denied, 2024 WL 1211688 (Del. Ch. Mar. 21, 2024). The two entities were TripAdvisor and Liberty TripAdvisor Holdings, Inc. Liberty owned all of TripAdvisor’s Class B common stock and 21% of its Class A Shares. Id. at 264. As a result, it “exercise[d] 56% of the [TripAdvisor’s] outstanding voting power.” Id. Maffei, Liberty’s CEO and Chairman, “beneficially own[ed] Series B shares carrying 43% of [its] voting power.” Id. For purposes of the motion to dismiss, “defendants concede[d] that Maffei control[ed] both [Liberty] and TripAdvisor.” Id.
Plaintiffs sued, alleging fiduciary duty breaches in connection with the conversion. Id. at 268. They also sought an injunction. Id. at 266. The Court of Chancery denied defendants motion to dismiss after determining entire fairness was the appropriate standard of review while also denying plaintiff’s request for an injunction. Id. at 262.
Accepting the allegations in complaint, the Court explained Maffei effectuated a transaction through which he and the directors received a non-ratable benefit—namely, a “reduction in the unaffiliated stockholders’ litigation rights.” Id. at 261. The absence of a “price” was irrelevant in the Court’s view because entire fairness considers substantive fairness and procedural fairness, and the “floor for substantive fairness is whether stockholders receive at least the substantial equivalent in value of what they had before”—meaning no price is necessary. Id. at 262.
The Court then concluded the plaintiff had pled facts making it reasonably conceivable that the transaction was both substantively and procedurally unfair. On the former, the Court explained that “the stockholders held shares carrying the bundle of rights afforded by Delaware law, including a set of litigation rights” before the conversion, and, “[a]fter the conversion, the stockholders owned shares carrying a different bundle of rights afforded by Nevada law, including a[n allegedly] lesser set of litigation rights.” Id. On the latter, the Court explained that “the goal of procedural fairness is to replicate arm’s length bargaining,” but that defendants made no “effort to replicate arm’s length bargaining.” Id. at 281. Instead, “[m]anagement proposed the conversions, the Board recommended them, and [Liberty] and Maffei approved them.” Id.
The Court nonetheless denied plaintiffs’ requests for an injunction. It found, under the circumstances of the case, that other remedies, such as money damages, could adequately compensate plaintiffs for any losses. Id. at 286-87.
F. Executive Compensation And Post-Trial Ratification – Tornetta v. Musk And Subsequent Developments
The Court of Chancery in Tornetta v. Musk ordered the rescission of Elon Musk’s compensation plan after concluding Musk controlled Tesla with respect to the compensation plan and that defendants failed to prove that Musk’s 2018 compensation plan was entirely fair. 310 A.3d 430 (Del. Ch. 2024). For further details, please see Gibson Dunn’s February 5, 2024 Client Alert.
Several months after the Court’s decision, at its annual stockholders’ meeting, Tesla stockholders approved the ratification of Musk’s pay package. See Press Release, Tesla Releases Results of 2024 Annual Meeting of Stockholders, Tesla (June 13, 2024), https://ir.tesla.com/press-release/tesla-releases-results-2024-annual-meeting-stockholders. The Court has ordered expedited briefing “on the effect of the Tesla stockholders’ June 13, 2024, vote on this action.” Tornetta v. Musk, 2024 WL 3200483, at *1 (Del. Ch. June 27, 2024). With many questions yet to be answered, Gibson Dunn will continue monitoring the case and report on any future developments.
G. Stockholder Agreements And DGCL Section 141 – Moelis And Its Aftermath
As discussed in our February 28, 2024 Client Alert, the Court of Chancery, in West Palm Beach Firefighters’ Pension Fund v. Moelis & Company, ruled on the validity of pre-approval requirements and board- and committee-related designation rights included in a stockholder agreement between a public company and its founder that was entered into before the company went public. 311 A.3d 809 (Del. Ch. 2024). In short, the Court held that the pre-approval requirements and board- and committee-related designation provisions violated one or more subsections of Section 141 of the DGCL because they had “the effect of removing from directors in a very substantial way their duty to use their own best judgment on management matters” or “tend[ed] to limit in a substantial way the freedom of director decisions on matters of management policy.” Id. at 818 (quoting Abercrombie v. Davies, 123 A.2d 893, 899 (Del. Ch. 1956), rev’d on other grounds, 130 A.2d 338 (Del. 1957)).
At the close of its opinion, the Court noted that the Delaware “General Assembly could enact a provision stating what stockholder agreements can do.” Id. at 881. The General Assembly seemingly took heed. In July 2024, the General Assembly passed S.B. 313, which contained what is now Section 122(18) of the DGCL. As set forth in the bill’s synopsis, Section 122(18) “specifically authorizes a corporation to enter into contracts with one or more of its stockholders or beneficial owners of its stock, for such minimum consideration as approved by its board of directors, and provides a non-exclusive list of contract provisions by which a corporation may agree to.”
In the first half of 2024, the number of SPAC IPOs and the value of de-SPAC transactions have decreased significantly since their peak in 2021 (as noted in our Securities Litigation 2023 Mid-Year Update), with only 20 SPAC IPOs as of end of July (see SPAC Statistics by SPAC Insiders). De-SPAC transactions, however, have given rise to significantly more securities class actions than other IPOs (see Securities Class Action Trends 2023: Not a Repeat of Year 2022). In this mid-year update, we first discuss the SEC’s latest rule applicable to SPACs, which has likely changed the litigation landscape moving forward. Next, we look back to the first half of 2024, which many courts have taken a fact-specific approach to SPAC litigation and have not announced any broadly applicable legal doctrines specific to SPAC litigation.
A. SEC’s Special Purpose Acquisition Companies, Shell Companies, and Projections Final Rule
On January 24, 2024, the U.S. Securities and Exchange Commission (the “Commission”), by a three-to-two vote, adopted new rules, most notably a new subpart 1600 to Regulation S-K, and amendments to certain existing rules under Securities Act, Securities Exchange Act, Regulation S-K, Regulation S-T, and Regulation S-X to enhance disclosure and investor protections in SPAC IPOs and subsequent de-SPAC transactions. Special Purpose Acquisition Companies, Shell Companies, and Projections, 17 C.F.R. §§ 210, 229, 230, 232, 240, 249 (2024) (SPAC Rule). The Gibson Dunn team provided its analysis on the Final Rules earlier this year. See Feb. 2, 2024 Client Alert.
1. Key Provisions
The Final Rules overhaul the protections previously available in SPAC IPOs. The four key components of the Final Rules are as follows:
- Disclosure and Investor Protection. The Final Rules impose specific disclosure requirements with respect to, among other things, compensation paid to sponsors, potential conflicts of interest, shareholder dilution, and the fairness of the business combination, for both SPAC IPOs and de‑SPAC transactions.
- Business Combinations Involving Shell Companies. Under the Final Rules, the Commission now deems a business combination transaction involving a reporting shell company and a private operating company as a “sale” of securities under the Securities Act of 1933, as amended (the “Securities Act”). The Final Rules also amend the financial statement requirements applicable to transactions involving shell companies, and amend the previous “blank check company” definition to make clear that SPACs cannot rely on the safe harbor provision against a private right of action for forward-looking statements under the Private Securities Litigation Reform Act of 1995, as amended (the PSLRA), when marketing a de-SPAC transaction.
- The Final Rules amend the Commission’s guidance on the presentation of projections in any filings with the Commission (not only on de-SPAC transactions, but affecting all projections disclosed in reports filed with the Commission) and adds new guidance only for de-SPAC transactions, in both instances to address the reliability of such projections.
- Status of SPACs under the Investment Company Act of 1940. The Commission did not adopt its proposed safe harbor rule under the Investment Company Act, which would have exempted a SPAC from being treated as an “investment company” as long as the SPAC met certain subjective criteria, related to, among other things, the nature and management of the assets held by the SPAC, and the SPAC’s general purpose. Instead, the Commission takes the position that whether a SPAC falls under the definition of investment company depends on specific facts and circumstances, and provides general guidance on what actions might cause a SPAC to be an “investment company.”
2. SPAC Rule In Securities Litigation
Since the Final Rules were announced in January 2024, even before they went into effect in July, some litigants have sought to use the Rules to advance their positions in ongoing cases. For instance, multiple SPAC defendants facing challenges to their financial disclosures have argued that the Final Rules excuse SPAC companies from having to disclose their “net-cash per share” calculation. See, e.g., Opening Br. in Supp. of Def.’s Mot. to Dismiss, In re AST SPACEMOBILE, INC., S’holder Litig., No. 2023-1292, at *48-49 (Del. Ch. Mar. 15, 2024) (highlighting that the SEC “has reevaluated its SPAC-related disclosure requirements and explicitly rejected net cash per share as a required calculation,” because “‘[n]et cash per share has aspects that make it less useful for investors’ than other measures of dilution”); Def.’s Br. in Supp. of their Am. Mot. to Dismiss the Verified Am. Class Action Compl., Schacter v. N. Genesis Sponsor, LLC, No. 2023-1112, at *14 n.8 (Del. Ch. Apr. 25, 2024) (noting the Final Rules are not adding an “explicit net cash per share disclosure requirement,” but only requiring that shareholders “should have the information to perform this calculation based on the disclosure provided in connection with net tangible book value per share, as adjusted”).
Other parties have relied on the Final Rules to clarify that the PSLRA’s safe harbor, 15 U.S.C § 78u–5, which protects forward-looking statements “accompanied by meaningful cautionary language,” no longer applies to SPACs. See, e.g., Appellant’s Reply Br., In re Danimer Scientific, Inc., No. 23-7674, at *20 (2d Cir. Apr. 10, 2024) (arguing the safe harbor is not available to defendants because the Final Rules “[m]ake the PSLRA safe harbor unavailable to SPACs . . . by defining ‘blank check company’ to encompass SPACs (and other companies that would be blank check companies but for the fact that they do not sell penny stock)”). The rule does not have retroactive effect, see 89 Fed. Reg. at 14158, and some Courts have analyzed whether cautionary statements found in SPAC’s proxy statements were protected forward-looking statements—albeit prior to the Final Rule taking effect. For instance, in In re Grab Holdings Ltd. Securities Litigation, the Court analyzed whether the PSLRA safe harbor applied to the seven pre-merger statements contained in a SPAC’s proxy statement. 2024 WL 1076277, at *1 (S.D.N.Y. Mar. 12, 2024). The Court found that, although some of the statements were forward-looking and cautionary, the safe harbor did not extend to statements about future risk when plaintiff failed to disclose that the risk had transpired. See id. at *18. Notably, it is too early to determine the consequences the Final Rules will have on SPAC litigation: the Final Rules do not have retroactive effect and went into effect recently, on July 1, 2024. 89 Fed. Reg. at 14158. We will continue to analyze the Final Rules’ effect in future securities litigation updates.
B. 2024 SPAC-related Securities Litigation
Although the filing of SPAC-related litigation has slowed, courts have issued at least eight SPAC-related opinions in the first half of 2024. Of those cases, three have been dismissed entirely for failing to allege a securities claim. Five of those cases have survived a motion to dismiss. In the below sections, we highlight some of these district court cases.
1. SPAC Claims Dismissed
In cases dismissing SPAC-related securities fraud, courts have thus far rejected plaintiffs’ attempts to develop any hard and fast SPAC laws. For instance, in In re Lottery.com, Inc. Securities Litigation, a district court in the Southern District of New York noted plaintiffs’ arguments that “SPACs are uniquely fraud-enabling” but ultimately rejected finding scienter on that basis alone, saying that it was “unprepared to hold here that SPACs are an exception to the general principle that the prospect of a public offering, standing alone, is insufficient to establish motive.” 2024 WL 454298, at *32 (S.D.N.Y. Feb. 6, 2024). Likewise, in Shafer v. Lightning Emotors, Inc., the Court found plaintiffs failed to allege the pre-de-SPAC transaction statements were false when made, and otherwise found nothing inherently fraudulent about the de-SPAC transaction. 2024 WL 691458, at *6-20 (D. Colo. Feb. 20, 2024), report and recommendation adopted, 2024 WL 1509166, at *1 (D. Colo. Mar. 26, 2024). In Mehedi v. View, Inc., the Northern District of California dismissed plaintiffs’ Sections 10(b) and 14(a) claims because plaintiffs could not allege that their harms were caused by the alleged misleading proxy statement connected with a de-SPAC transaction. 2024 WL 3236706, at *7–20 (N.D. Cal. June 28, 2024). In one derivative action, a California district court found that when a plaintiff owned stock in a SPAC prior to its acquisition of a company in a de-SPAC transaction, plaintiff had standing to bring a derivative claim on behalf of the acquired entity. In re Faraday Future Intelligent Elec. Inc. Derivative Litig., 2024 WL 404495, at *1 (C.D. Cal. Jan. 22, 2024). The Court dismissed the derivative claim, however, because plaintiffs failed to bring a pre-litigation demand to the company. Id. at *14. Below we include more thorough case descriptions.
In re Lottery.com, Inc. Sec. Litig., 2024 WL 454298 (S.D.N.Y. Feb. 6, 2024): Investors filed an action against a SPAC (Trident), the online lottery company that merged with Trident (Lottery), and certain of the SPAC’s and company’s current and former officers. Id. at *1-2. Investors alleged that Lottery and its officers made false statements, both before and after the merger, regarding its internal financial controls and its financial performance. Id. at *6-10. Plaintiffs brought claims pursuant to Section 10(b), Section 20(a), and Section 14(a). Id at *1. Defendants moved to dismiss the Section 10(b) claim, arguing that plaintiffs had failed to establish falsity and scienter. Id. at *13. As to falsity, the Court dismissed claims based on the pre-merger compliance statements, finding they were “akin to other statements about regulatory compliance and integrity that courts have deemed non-actionable puffery,” id. at *16, and dismissed claims based on the pre-merger financial statements as they were “forward looking statements . . . accompanied by sufficient cautionary language,” id. at *17. As to the post-merger financial statements, the Court held for plaintiffs finding that “each of the post-merger financial-performance-related statements was false [or misleading] at the time it was made,” based on Lottery’s own admission in a later-filed Form 8-K that the post-merger financial statements at issue “overstated [the] available unrestricted cash balance,” “improperly recognized revenue in the same amount,” and thus “should no longer be relied upon.” Id. at *22 (cleaned up). Importantly, the Court refused to hold, as defendants wished, that “a statement believed to be true when made, but later shown to be false, is insufficient to establish that a statement of fact is false for purposes of Section 10(b) and Rule 10b-5.” Id. at *21 (internal quotations omitted). In other words, “[w]hether Defendants knew of their falsity when making the statements is the scienter question, not the falsity question.” Id. at *22 (internal quotations omitted). However, the Court found that plaintiffs had failed to adequately plead scienter as to all the statements, finding that “‘[t]he existence, without more, of executive compensation dependent upon stock value does not give rise to a strong inference of scienter.’” Id. at *31 (quoting Acito v. IMCERA Grp., Inc., 47 F.3d 47, 54 (2d Cir. 1995)). “The Court does not ignore Plaintiffs’ allegations that SPACs are uniquely fraud-enabling . . . [but] is unprepared to hold that SPACs are an exception to the general principle that the prospect of a public offering, standing alone, is insufficient to establish motive.” Id. at *32. The Court also did not find plaintiffs had sufficiently pled conscious misbehavior or recklessness on the part of defendants. Id. at *35. The Court dismissed the complaint but granted leave to amend. Id. at *37.
Shafer v. Lightning eMotors, Inc., 2024 WL 691458 (D. Colo. Feb. 20, 2024), report and recommendation adopted, 2024 WL 1509166 (D. Colo. Mar. 26, 2024): Plaintiffs brought a securities fraud class action on behalf of investors in Lightning eMotors against Lightning, “certain of its officers and directors, and the officers, directors, and certain affiliates of the company’s predecessor entity, GigCapital3, Inc.” Id. at *1. Investors alleged that defendants “attempted to set their SPAC apart by selling investors on what they referred to as their ‘unique’ approach to private equity in the SPAC’s registration statement and prospectus filed with the SEC.” Id. at *2. The complaint alleged “plaintiffs state[d] that this strategy worked as GigCapital3 successfully raised $200 million through its IPO” before merging with Lighting Systems through a de-SPAC transaction. Id. “Defendants allegedly sold the deal with Lightning Systems to investors as an ideal match: not only was Lightning Systems’ management a good candidate for the ‘Mentor-Investor’ approach supposedly employed by the GigCapital team, but the company itself was on the cusp of massive growth.” Id. Defendants allegedly continued to make misleading statements until “GigCapital3 issued and disseminated the definitive proxy requesting that eligible shareholders vote to approve the business combination with Lightning Systems.” Id. Plaintiffs alleged that, in truth, “Lightning Systems was not well-positioned to rapidly scale its operations” and that defendants “knew or were reckless in not knowing” its projected financials were unachievable. Id. at *3. So too were representations that “the GigCapital3 team would remain engaged in the post-combination company.” Id. at *2. The Court granted the motion to dismiss finding that plaintiffs failed to adequately allege that the statements at issue were false or materially misleading when made. Id. at *6-18. Further, the Court dismissed plaintiffs’ claim that defendants’ misstatements were part of a fraudulent scheme to unfairly profit from a business combination in violation of Rules 10b-5(a) and 10b-5(c) under the Exchange Act, first and foremost because “it [was] unclear what fraudulent or deceitful conduct [independent of the misleading statements] occurred.” Id. at *20 (emphasis in original).
Mehedi v. View, Inc., 2024 WL 3236706 (N.D. Cal. June 28, 2024): This is a securities fraud suit brought by investors against the View, Inc., which went public through a de-SPAC transaction with CF II (the SPAC), and certain officers and directors of View and CF II. “Plaintiffs allege that Defendants made material misrepresentations to investors concerning a materially misstated and understated warranty accrual related to Legacy View’s ‘smart panels.’” Id. at *1. We first discussed Mehedi in our 2023 Mid-Year Update when the Court granted defendant’s motions to dismiss.
Plaintiffs have since amended their complaint, and the Court again dismissed most of the claims with the exception of plaintiffs’ Section 20(a) claims against certain directors and officers at View and CF II. Id. at *22. “On August 16, 2021, five months after going public, View announced that its Audit Committee began an independent investigation concerning the adequacy of the company’s previously disclosed warranty accrual and that View would not file its Form 10-Q for the second fiscal quarter of 2021.” Id. at *1 (internal citations omitted). “On November 9, 2021, View announced that the Audit Committee ha[d] now substantially completed its independent investigation and has concluded that the Company’s previously reported liabilities associated with all warranty-related obligations and the cost of revenue associated with the recognition of those liabilities were materially misstated.” Id. (internal citations omitted). View also announced that it would release updated financial statements and that its CFO resigned. Id. The lead plaintiff, Stadium Capital, sold all of its stock on September 24, 2021. Id. at *8. In its motion to dismiss opinion, the Court held that Stadium Capital could not attribute its losses to the August 16, 2021 announcement because the “initial disclosure of an investigation can[not] qualify as a corrective disclosure” and further because Stadium Capital sold its stock before the truth was revealed, and thus it cannot plead loss causation. Id. at *9. Plaintiffs’ Section 10(b) claims were accordingly dismissed. Id. at *12. Regarding plaintiffs’ Section 14(a) claim, the Court found that “Stadium Capital sold all of” the shares it purchased pursuant to the Proxy Statement “on March 9, 2021, well before the truth of any alleged misstatements was revealed.” Id. at *16. “Although Stadium Capital bought more View stock, any alleged economic harm from those purchases was not caused by the Proxy Statement because those purchases occurred after the vote solicited by the Proxy Statement.” Id. “Thus, any loss that Stadium Capital suffered was not caused by any alleged misstatements in the Proxy Statement, and Stadium Capital has failed to allege loss causation.” Id.
In re Faraday Future Intelligent Elec. Inc. Derivative Litig., 2024 WL 404495 (C.D. Cal. Jan. 22, 2024): Two investors brought a derivative suit on behalf of the corporation (Faraday) that went public via a de-SPAC transaction. They originally pursued a mix of federal securities fraud and state law claims, but they “app[arently] conceding[d]” that the only claim at-issue was for alleged violations of Section 14(a) of the Exchange Act against officers and directors of the SPAC (Property Solutions Acquisition Corp or “PSAC”). Id. at *1-4. Defendants argued that plaintiffs lack standing to bring claims because “neither of the named plaintiffs plead[ed] he ever owned PSAC stock prior to the merger.” Id. at *4 (internal quotations omitted). Defendants further argued that “any derivative liability would have been extinguished at the time the [m]erger was complete because former shareholders of a merged corporation can no longer satisfy the continuous ownership requirement of FRCO 23.1.” Id. at *5. (internal quotations omitted). Plaintiffs in turn argued, inter alia, that “their complaint sufficiently alleges that each plaintiff were current shareholders of Faraday Future and held Faraday Future common stock at all relevant times.” Id. (cleaned up). Additionally, plaintiffs contended that a plaintiffs who did not own Faraday stock prior to the merger nonetheless had standing under the “continuous wrong” doctrine. Id. The Court found that one plaintiff “first purchased [PSAC] stock . . . on January 11, 2021, before the defined relevant period in the Derivative Action began and has continuously owned thousands of PSAC shares since February 22, 2021.” Id. The Court found this was sufficient to have standing to bring a derivative claim. Id. However, the Court found that the other plaintiff, who acquired PSAC shares after the merger was consummated, lacked standing and the continuous wrong doctrine did not save his claims because “Delaware law makes it clear that what must be decided is when the specific acts of alleged wrongdoing occur, and not when their effect is felt.” Id. at *6. The Court nonetheless dismissed the complaint because plaintiffs failed to plead that they were excused from making a pre-litigation demand on the board. Id. at *13.
2. SPAC Claims That Survived A Motion to Dismiss
Several SPAC cases have survived motions to dismiss, and we highlight a few here. Most notable of these 2024 opinions is Alta Partners, LLC v. Forge Global Holdings, Inc., where plaintiff’s Section 11 claim survived a motion to dismiss on the grounds, among others, that plaintiff could not trace the purchase of a security to the allegedly defective registration statement at issue. 2024 WL 1116682, at *6-8 (S.D.N.Y. Mar. 13, 2024). The Court in Atla Partners disagreed with defendant and found that a plaintiff who purchased Public Warrants from a SPAC prior to its de-SPAC transaction could sufficiently trace its purchases to the S-4 registration statement despite the company’s claim that the warrants were not exercisable until a S-1 registration statement became effective. Id. In other cases, courts have found that material omissions in SPAC proxy statements are actionable, see, e.g., In re Grab Holdings Ltd. Sec. Litig., 2024 WL 1076277 (S.D.N.Y. Mar. 12, 2024), and, similarly, omissions in SPAC merger pitches are actionable as securities fraud, see, e.g., Felipe v. Playstudios Inc, 2024 WL 1380802 (D. Nev. Mar. 31, 2024).
Alta Partners, LLC v. Forge Glob. Holdings, Inc., 2024 WL 1116682 (S.D.N.Y. Mar. 13, 2024): Plaintiff Alta brought claims under Section 11 and for breach of contract and the implied covenant of good faith and fair dealing against Forge in connection with public warrants issued by the SPAC, which ultimately merged with Forge. Id. at *1. Alta alleged that Forge improperly prevented Alta from exercising its warrants and then redeemed the outstanding warrants at a nominal price. See id. Under the agreement governing the warrants, public warrants became exercisable thirty days after the business combination, provided that the warrants were registered on a registration statement and there was a current prospectus. Id. at *2. The warrant agreement also provided that Forge could redeem all outstanding warrants when (1) “the shares were exercisable”“; (2) the “Reference Value” calculated based on Forge’s stock price during a thirty-day period exceeded $18.00 per share; and (3) “an effective registration statement and current prospectus were in place for the underlying shares” for the thirty-day period. Id. Alta alleged it purchased public warrants issued pursuant to or traceable to the Form S-4 registration statement, which became effective on February 14, 2022. Id. at *12. Beginning on April 21, 2022 (thirty days after the completion of the merger on March 21, 2022), Alta repeatedly sought to exercise its warrants while Forge’s stock price skyrocketed, but Forge replied that warrants were not yet registered on the Form S-4, and could not be exercised as until Forge’s later-filed Form S-1 became effective. Id. at *2-3. The Form S-1 was declared effective on June 8, 2022, by which point the share price was below the exercise price of $11.50. Id. at *3. The following day, Forge noticed redemptions of the warrants for $.01 apiece and redeemed the warrants on July 11. Id. As a result, public warrant holders like Alta were never able to exercise the warrants when the stock price was trading above the warrant exercise price, thereby profiting from the exercise. Id. The Court dismissed Alta’s claim that Forge breached the warrant agreement by redeeming the warrants before all required conditions were met. It explained that Alta was reading in a contractual obligation unsupported by unambiguous terms of the warrant agreement. Id. at *4-5. The Court also dismissed Alta’s breach of implied covenant claim because it was “based on conduct permitted under the contract” and was based on the same set of facts as its breach of contract claim in any event. Id. at *6. However, the Court refused to dismiss plaintiff’s Section 11 claim in its entirety. In relevant part, it found that defendants’ representations “would mislead a reasonable investor to believe that the registration was sufficient to permit exercise” of the warrants. Id. at *7 (internal quotations omitted).
Felipe v. Playstudios Inc., 2024 WL 1380802 (D. Nev. Mar. 31, 2024): Plaintiff brought a securities fraud action against Playstudios, a mobile game company that went public via a de-SPAC transaction, alleging that the company misled investors (including through statements in its Proxy) about the prospects of one of its videogames, Kingdom Boss, even though the company had no experience with games of this genre (role playing games or “RPGs”). Id. at *1-4. Plaintiff alleged that the “launch of Kingdom Boss and expansion into the RPG category was a significant component of the Acies-Playstudios merger pitch.” Id. at *3. In a post-merger press release, Playstudios announced that its revenues had missed the low end of its previous estimates and, on a conference call on the same day, announced that it was suspending the development of Kingdom Boss all together. Id. at *3. The Court found all but one of the statements misleading “because they failed to disclose any of the risks associated with the severe playability issues that had materialized as early as [six months prior.]” Id. at *10. The Court found that “Defendants had multiple opportunities to make such disclosures in order to avoid misleading investors . . . [and that] Defendants could have made these disclosures in June prior to the merger vote.” Id. at *10. The Court also found “the omission of these specific risks . . . material” because Playstudios ability to scale the game and generate revenue was a central part of its pitch for the de-SPAC transaction. Id. at *11. The Court denied the motion to dismiss except as to one non-actionable statement. Id. at *21.
In re Grab Holdings Ltd. Sec. Litig., 2024 WL 1076277 (S.D.N.Y. Mar. 12, 2024): Investors filed a securities fraud action against Grab, a “mobile application [provider] . . . that [provides] . . . consumers with ride-hailing services, food-delivery services, business services, and a digital wallet[,]” and certain of its officers pursuant to Sections 11 and 15 of the Securities Act and Sections 14(a), 10(b), and 20(a) of the Exchange Act. Id. at *2. The complaint alleged that defendants misled investors, in connection with a de-SPAC transaction, about Grab’s use of driver and consumer incentives, which negatively impacted the company’s financial performance. Id. at *1-10. The challenged statements were made both pre- and post-merger. Id. Defendants moved to dismiss. Id. at *10. The Court found that plaintiffs had sufficiently pled that a series of pre-merger statements contained in the Proxy Statement were material and misleading. Id. at *24. The Court reasoned, inter alia, that “cautionary words about future risk cannot insulate from liability the failure to disclose risk that has transpired.” Id. at *16 (citation omitted). Further, the Court also found that “by putting the issues of driver retention and incentive amounts in play, defendants assumed ‘a duty to tell the whole truth.’” Id. at *16 (quoting Meyer v. Jinkosolar Holdings Co., 761 F.3d 245, 250 (2d Cir. 2014)). The Court held that none of the remaining pre-merger statements were actionable, including the post-merger statements by Grab’s CEO during a Squawk Box interview on CNBC. Id. at *19-24. The Court granted leave to amend. Id. at *26.
We will continue to monitor the evolution of SPAC litigation and the effect of the SEC’s SPAC Rule.
An increasing number of lawsuits challenge public companies’ environmental, social, and governance (ESG) disclosures and policies. The following section surveys notable developments in pending cases that involve ESG allegations.
In re Oatly Group AB Securities Litigation, No. 21-cv-06360 (S.D.N.Y. July 26, 2021): We reported on this case in our Securities Litigation 2023 Year-End Update. A class of investors sued Oatly Group AB, the world’s largest oat milk company, and several of its officers and directors for “greenwashing” in public disclosures. ECF No. 1 ¶¶ 1-2, 52. Plaintiffs allege that Oatly made false or misleading statements that overstated the sustainability of its product and minimized its environmental impact, thereby artificially inflating Oatly’s share price. ECF No. 1 ¶¶ 43-45. On November 3, 2023, the parties disclosed an intent to settle the litigation. The Court approved the $9.25 million settlement on July 17, 2024. ECF No. 120.
General Retirement System of the City of Detroit v. Verizon Communications Inc., No. 23-cv-05218 (D.N.J. Aug 18, 2023): We first reported on this case in our Securities Litigation 2023 Year-End Update. Plaintiffs allege that Verizon made false or misleading statements regarding its “extensive network of lead cables, the dangers they were posing to people and to the environment, and the costs associated with cleaning up the cables and compensating for any human injuries.” ECF No. 57 ¶ 16. Plaintiffs further allege that Verizon’s stock price dropped after The Wall Street Journal released an article profiling workers who claimed they were suffering from lead exposure. Id. ¶ 306. On April 24, 2024, defendants filed a motion to dismiss, arguing that plaintiffs failed to properly allege materiality and scienter because defendants did not know “the cables posed material risks not understood by the market” and understood that the “public and market at large were aware of the lead-sheathed cables’ existence.” ECF No. 58-1 at 2-3. Defendants also argued the challenged statements were “honestly held opinions” and “too general to be misleading.” Id. at 3. The motion to dismiss remains pending.
Exxon Mobile Corp. v. Arjuna Capital, No. 24-cv-00069 (N.D. Tex. Jan. 21, 2024): We first reported on this case in our Securities Litigation 2023 Year-End Update. In January 2024, Exxon filed a lawsuit seeking a declaratory judgment that would allow it to exclude from its proxy statement a shareholder proposal by two activist investors. Exxon alleged that defendants’ proposal, which asked Exxon to reduce its greenhouse gas emissions more rapidly, “d[id] not seek to improve ExxonMobil’s economic performance or create shareholder value.” ECF No. 1 ¶ 11. Exxon further contended that it could properly exclude defendants’ proposal under the ordinary business (Rule 14a-8(i)(7)) and resubmission exclusions ((i)(12)). Id. ¶¶ 16-17. On May 22, 2024, the Court held that Exxon’s lawsuit was able to proceed against the United States-based Defendant, Arjuna Capital. ECF No. 37. On June 17, 2024, Arjuna Capital agreed to withdraw its proposal and “unconditionally and irrevocably” agreed not to submit any similar proposal. ECF No. 52 at 1. The Court determined that this agreement mooted Exxon’s claim, and the case was dismissed without prejudice. Id. Gibson Dunn represents plaintiff in this action.
Securities Industry & Financial Markets Association v. Ashcroft, No. 23-cv-04154 (W.D. Mo. Aug. 10, 2023): We reported on this case in our Securities Litigation 2023 Year-End Update. In June 2023, the Missouri Securities Division adopted new rules requiring investment professionals to obtain client signatures before providing advice that “incorporates a social objective or other nonfinancial objective.” ECF No. 24 ¶¶ 69, 78. In August 2023, plaintiff, the Securities Industry and Financial Markets Association (SIFMA), filed a lawsuit against Missouri Secretary of State John Ashcroft and Missouri Securities Commissioner Douglas Jacoby, challenging these rules. ECF No. 1 at 41. Plaintiff alleged that the rules are preempted by the National Securities Markets Improvement Act of 1996 and the Employee Retirement Income Security Act, violate the First Amendment, and are unconstitutionally vague. ECF No. 24 ¶¶ 118-47-42. On January 5, 2024, the Court denied defendants’ motion to dismiss. ECF No. 39 at 1. On June 10, 2024, both parties filed motions for summary judgment as to all the claims at issue. ECF Nos. 69, 71. On August 14, 2024, the court granted the plaintiff’s motion for summary judgment (and rejected defendant’s cross-motion for summary judgment), finding that the rules do in fact violate the First Amendment, are unconstitutionally vague, and are preempted by federal laws, namely, the National Securities Markets Improvement Act of 1996 and the Employment Retirement Income Security Act of 1974. ECF No. 115. The judge concluded that the rules carried a significant risk of harm justifying a permanent injunction prohibiting their enforcement. Id. at 20-22.
Browning v. Alexander, et al., No. 23-cv-03293 (D. Md. Dec. 5, 2023): Investors in Enviva Inc., an energy company that manufactures wood pellets used to substitute coal in power generation, filed a shareholder derivative complaint on December 5, 2023. Plaintiff alleged defendants, who include the company’s CEO and co-founder as well as several board members, caused Enviva to make false and misleading statements about the company’s commitment to ESG policies. ECF No. 1 ¶¶ 1-4, 171-78. As one example, plaintiff alleged Enviva’s practice of procuring wood pellets “drives demand for deforestation,” contrary to defendants’ representation that harvesting forests for wood pellets is “sustainable.” Id. ¶ 98. Enviva has since filed for Chapter 11 bankruptcy, and on April 15, 2024, the Court issued a stay for the pendency of Enviva’s bankruptcy proceedings. ECF No. 24.
Alliance for Fair Board Recruitment v. SEC, No. 21-60626 (5th Cir. 2021): The petitioners sued the SEC, alleging that Nasdaq’s Board Diversity Rules are unconstitutional and contrary to federal statutes. ECF No. 1. The Board Diversity Rules, which the SEC approved, require companies that list shares on Nasdaq’s exchange to (1) disclose aggregated information about board members’ diversity characteristics (including race, gender, and sexual orientation) and (2) provide an explanation if less than two board members are diverse. Id. at 3-4. On October 18, 2023, a unanimous Fifth Circuit panel rejected the petitioners’ challenges (ECF No. 289) after which the petitioners sought rehearing en banc (ECF No. 297). The en banc panel of the Fifth Circuit held oral argument on May 14, 2024. ECF No. 508. On July 18, 2024, the Court requested supplemental briefing regarding the operation of one of the Rules at issue, and on July 25, 2024, the parties filed supplemental briefs. ECF Nos. 519, 520. Both Nasdaq and the SEC contend in their briefs that the deadline for companies to request access to a board-recruiting service has expired and that this moots the petitioners’ challenge to the Board Recruiting Service Rule. ECF Nos. 517, 519. The petitioners, the National Center for Public Policy Research and Alliance for Fair Board Recruitment, argued in their own July 25 briefs that the deadline has passed but that this does not affect the justiciability of the case before the Fifth Circuit. ECF Nos. 520, 522. The Fifth Circuit has not yet issued an opinion in connection with its rehearing en banc. Gibson Dunn represents Nasdaq in this action, which intervened as an interested party to defend the Board Diversity Rules.
The cryptocurrency space has seen considerable activity since our last Update. Below, we discuss significant rulings in private lawsuits and lawsuits brought by the SEC, as well as additional developments that may impact cryptocurrencies going forward.
A. Class Actions
Golubowski v. Robinhood Markets, Inc., 2024 WL 269507 (N.D. Cal. Jan. 24, 2024): On January 24, 2024, the district court dismissed without leave to amend a class action complaint against Robinhood Markets, Inc., a crypto and securities trading platform. ECF No. 106 at 1. The same court previously granted Robinhood’s motion to dismiss plaintiffs’ first amended complaint, finding that plaintiffs failed to plead a violation of Section 11 or 12(a) of the Securities Act. ECF No. 90. In their second amended complaint, plaintiffs asserted a new theory for why Robinhood’s offering documents were false or misleading, alleging that the declines in key performance indicators and revenue sources were undisclosed and misrepresented by the offering documents. ECF No. 92. In its January 24, 2024 decision, the Court again dismissed plaintiffs’ claims, finding that Robinhood made adequate disclosures that put investors on notice of lower trading revenues in the second and third quarters of 2021, the “possibility of downward trends,” and the fact that “Robinhood’s business had substantially shifted to rely more on cryptocurrency trading[.]” ECF No. 106 at *12, *14, *16. The Court also found that leave to amend was not warranted as it “would be futile.” Id. at *19.
Williams v. Binance, 96 F. 4th 129 (2d Cir. 2024): On March 8, 2024, the Second Circuit reversed the district court’s dismissal of a putative class action lawsuit against crypto exchange Binance and its CEO. Plaintiffs asserted numerous causes of action under the Securities Act, the Exchange Act, and the Blue Sky statutes of different states and territories, including that defendants offered and sold unregistered securities. ECF No. 82 at 133, 135. Plaintiffs—purchasers of crypto assets on the Binance international electronic exchange—claimed that Binance unlawfully promoted, offered, and sold billions of dollars’ worth of crypto “tokens,” which were not registered as securities. Id. at 132. The U.S. District Court for the Southern District of New York dismissed plaintiffs’ claims, finding that they were impermissibly extraterritorial, that the federal claims were untimely, and that claims under Blue Sky laws of states where none of the named class members resided lacked a sufficient nexus with the allegations. Id. at 135; ECF No. 77. The Second Circuit reversed and remanded, finding that plaintiffs plausibly alleged that class members engaged in domestic transactions, that a narrow subset of the federal claims were timely, and that state law claims brought on behalf of absent putative class members should not have been dismissed at that stage. ECF No. 82 at 136-45. On May 13, 2024, plaintiffs filed a third amended complaint, alleging 11 causes of action, including under Sections 5, 12, and 15 of the Securities Act. ECF No. 104. Gibson Dunn is co-counsel for Binance in this action.
Oberlander v. Coinbase Glob., Inc., 2024 WL 1478773 (2d Cir. Apr. 5, 2024): As reported in our 2023 Mid-Year Litigation Update, in February 2023, the U.S. District Court for the Southern District of New York dismissed a class action lawsuit against the crypto exchange Coinbase and its CEO on the basis that Coinbase was not the “statutory seller” of the allegedly unregistered tokens at issue. Coinbase operates online trading platforms where users can buy and sell digital assets. ECF No. 74 at *1. The nationwide class consists of all persons or entities who bought or sold certain digital assets on the Coinbase trading platforms from October 8, 2019, to March 11, 2022, and it asserted a mix of claims under the Securities Act, the Exchange Act, and the state securities laws of California, Florida, and New Jersey. Id. On April 5, 2024, the Second Circuit concluded that plaintiffs adequately pleaded that Coinbase held title to digital assets traded on its platform and thus plausibly alleged claims under Section 12(a) of the Securities Act. Id. at *3-4. At the same time, the Court affirmed the district court’s dismissal of the Exchange Act claims, concluding the allegations were repetitive and conclusory, and found that the district court erred in dismissing the state law claims on jurisdictional grounds. Id. at *4-5. On July 29, 2024, defendants moved for judgment on the pleadings. ECF No. 83.
In re Ripple Labs, Inc. Litig., 2024 WL 3074379 (N.D. Cal. June 20, 2024): A putative class of plaintiffs, who purchased Ripple Labs’ cryptocurrency XRP, brought federal and California state securities law claims against Ripple Labs, XRP II, and the CEO of Ripple. Plaintiffs alleged “a scheme by Defendants to raise hundreds of millions of dollars through sales of XRP—an unregistered security—to retail investors in violation of the registration provisions of federal and state securities laws” and sought to “drive demand for and thereby increase profits from the sale of XRP” using “a litany of false and misleading statements regarding XRP.” ECF No. 87, at ¶¶ 1-2. The Court had previously dismissed Plaintiffs’ misrepresentation, consumer-protection, and professional conduct claims under California state law. ECF No. 85, at 2-3, 40. At the summary judgment stage, only five claims remained. ECF No. 419 at 1.
On summary judgment, defendants emphasized that the Court had already found in a parallel action that “XRP, as a digital token, is not in and of itself a ‘contract, transaction[,] or scheme’ that embodies the Howey requirements of an investment contract.” ECF No. 339 at 2; see also SEC v. Ripple Labs, Inc., 2023 WL 4507900 (S.D.N.Y. July 13, 2023) (granting partial summary judgment in favor of Ripple and concluding that institutional buyers had an expectation of profit whereas programmatic buyers had no such expectation). The District Court for the Northern District of California granted in part defendants’ motion for summary judgment on federal and most state class claims but denied it as to one plaintiff’s individual claims under California law. ECF No. 419. The Court found that the statute of repose barred the federal securities claims and that plaintiff failed to raise a triable issue as to California state law’s privity requirement. Id. at *4. That said, the Court found that the cause of action for misleading statements should proceed to trial. Id. at *10. The trial date is currently set for January 21, 2025. ECF No. 434.
Dufoe v. DraftKings Inc., 2024 WL 3278637 (D. Mass. July 2, 2024): On July 2, 2024, the U.S. District Court for the District of Massachusetts denied DraftKings’ motion to dismiss a putative class action for violations of federal securities law and found that DraftKings Non-Fungible Tokens (NFTs) were securities. ECF No. 60 at *21. DraftKings operates the DraftKings Marketplace where individuals can buy and sell DraftKings NFTs with images of professional athletes. Id. at *3. In its motion to dismiss, DraftKings argued that its NFTs were not securities. Id. at *7. The Court rejected this argument, finding that plaintiffs plausibly alleged commonality and reasonable expectation of profits under the Howey test and therefore plausibly pled that the NFTs were securities. Id. at *7-21.
B. Regulatory Lawsuits
SEC v. Genesis Glob. Cap., LLC, 2024 WL 1116877 (S.D.N.Y. Mar. 13, 2024): On January 12, 2023, the SEC filed a complaint alleging that Genesis—a company that pooled crypto assets and lent them to institutional investors—violated the securities laws when it worked with Gemini—a limited liability trust company—to extend its lending and pooling practices to Gemini’s customers, including U.S. retail investors, through the “Gemini Earn” program. ECF No. 1; see also id. at *1-2. The complaint alleged that Gemini and Genesis violated the securities laws under two theories. The SEC’s first theory was that the Gemini Earn program was an unregistered security under the Supreme Court’s Howey test. ECF No. 1 at 17-19. The second theory alleged that the agreements were “notes,” using the Supreme Court’s Reves test. Id. at 13-17. On March 13, 2024, the Court denied a motion to dismiss and allowed the SEC’s complaint against Genesis and Gemini to proceed. ECF No. 54. The district court found that the SEC plausibly alleged both theories. ECF No. 54 at 31. The Court also rejected defendants’ motions to strike the SEC’s requests for a permanent injunction of the companies’ activities and for disgorgement. Id. at 29-31. Following the Court’s March 13 Order, Genesis agreed to a $21 million civil penalty as well as a permanent injunction. ECF No. 56. These actions come after Genesis and two affiliates filed for Chapter 11 bankruptcy in the U.S. District Court for the Southern District of New York on January 12, 2023. The SEC will not receive portions of the civil penalty until the bankruptcy court resolves all claims, including those claims from retail investors. SEC, Genesis Agrees to Pay $21 Million Penalty to Settle SEC Charges (Mar. 19, 2024). As we reported in our May 2024 Digital Assets Recent Updates newsletter, Genesis also agreed to a $2 billion settlement with the New York Attorney General’s Office to compensate defrauded investors on May 20, 2024.
SEC v. Coinbase, Inc., 2024 WL 1304037 (S.D.N.Y. Mar. 27, 2024): On March 27, 2024, the Court presiding over an enforcement action brought by the SEC against Coinbase, one of the world’s largest cryptocurrency trading platforms, granted in part, and denied in part Coinbase’s motion to dismiss the complaint. ECF No. 105. The Court dismissed the SEC’s claim that Coinbase acted as an unregistered broker with respect to Coinbase’s “Wallet” application because the SEC failed to sufficiently allege that Coinbase acted as a broker with respect to its self-custodial digital wallet. Id. at 78-84. The Court refused to dismiss the remaining claims, finding that the SEC sufficiently pleaded that Coinbase operated as an unregistered broker, unregistered exchange, and unregistered clearing agency with respect to certain other products and services, and that at least some digital assets offered on its platform were investment-contract securities under the Supreme Court’s Howey test. Id. at 84. The Court also held that the SEC adequately alleged that Coinbase Global was a control person of Coinbase. Id. at 60-78. The case is now in discovery regarding the remaining claims. Coinbase also asked the district court to certify an interlocutory appeal that would allow the Second Circuit to immediately consider whether the SEC may regulate as “investment contracts” digital asset transactions that involve no obligation running to the purchaser beyond the point of sale. That motion is fully briefed and remains pending.
SEC v. Terraform Labs Pte. Ltd., 2023 WL 8944860 (S.D.N.Y. April 5, 2024): On April 5, 2024, after a nine-day trial, a jury found Terraform Labs and its founder, Do Kwon, liable for securities fraud. SEC, Statement on Jury’s Verdict in Trial of Terraform Labs PTE Ltd. and Do Kwon (Apr. 5, 2024). As reported in our Securities Litigation 2023 Mid-Year Update, the SEC brought claims against Terraform and Kwon under the federal securities laws for sales of unregistered securities and fraud related to Terraform’s crypto assets. ECF No. 1. Defendants moved to dismiss, arguing that none of the crypto assets were securities, but the Court denied the motion. ECF No. 51. And, as reported in our Securities Litigation 2023 Year-End Update, on December 28, 2023, the U.S. District Court for the Southern District of New York granted summary judgment for the SEC on the claim that defendants violated Sections 5(a) and 5(c) of the Securities Act and granted summary judgment for defendants on the claims involving unregistered transactions in security-based swaps. ECF No. 149. Still, the SEC’s fraud claims proceeded to trial. After a trial in late March 2024, a unanimous jury found defendants liable on both claims, under Section 17 of the Securities Act and the anti-fraud provisions of the Exchange Act, and that Kwon was liable as control person. ECF No. 229. On June 12, 2024, the Court entered a final judgment against Terraform for $4.47 billion and against Kwon for $204 million. ECF No. 273. As part of the final judgment, Terraform agreed to waive any right to appeal. Id. at 2.
SEC v. Balina, No. 22-cv-00950 (W.D. Tex.): On May 22, 2024, the Court granted, in part, and denied, in part, the SEC’s motion for summary judgment, and denied defendant Ian Balina’s motion for summary judgment. The SEC alleged that Balina, a cryptocurrency investor, signed a contract to invest $5 million in an offering of Sparkster (SPRK)—a crypto asset—but sold SPRK tokens without disclosing his compensation, violating Section 5(a), 5(c), and 17(b) of the Securities Act. ECF No. 1. The SEC separately accused Sparkster of offering SPRK tokens without registering and sought civil penalties. Id. Balina moved for summary judgment, arguing that he did not violate Section 5 and Section 17, that the SPRK tokens were not a security and the alleged promotions and transactions occurred outside the United States. SEC v. Balina, 2024 WL 2332965, at *4 (W.D. Tex. May 22, 2024). Balina also argued that he did not sell SPRK tokens, that he did not agree to accept compensation, and that any purported sales or offers to sell would be exempt under Section 4(a)(1) of the Securities Act. Id. The SEC argued that SPRK tokens are securities, that U.S. securities laws apply because Balina targeted U.S. investors on U.S. social media platforms, and that it established as a matter of law that Balina violated Section 5. Id. at *5. The district court found that the Securities Act would apply to Balina’s conduct and that SPRK tokens were securities as a matter of law. Id. at *8, *11. The Court declined to decide the Section 17(b) issue on summary judgment. Id. at *11. However, the Court agreed with the SEC that Balina violated Section 5(a) and 5(c) of the Securities Act by selling SPRK tokens and that Balina was not exempt under Section 4(a)(1). Id. at *13. Trial has been set for January 13, 2025. ECF No. 50.
SEC v. Binance Holdings Ltd., No. 23-cv-01559 (D.D.C.): As reported in our Securities Litigation 2023 Year-End Update, on June 5, 2023, the SEC filed an action against Binance Holdings Limited, BAM Trading Services Inc., BAM Management Holdings, and Changpeng Zhao in the U.S. District Court for the District of Columbia. The SEC accused Binance and its subsidiaries of engaging in the unregistered offer and sale of crypto asset securities and of making false statements to investors. On June 28, 2024, the Court granted in part and denied in part defendants’ motion to dismiss. It found that the SEC plausibly alleged that Binance directly offered and sold its cryptocurrency, the Binance coin (BNB), to investors as an investment contract. SEC v. Binance Holdings Ltd., 2024 WL 3225974, at *14-15 (D.D.C. June 28, 2024). However, the Court found that the SEC did not sufficiently allege that secondary sales of BNB were investment contracts, or that Binance offered and sold BUSD, a stablecoin, as an investment contract. Id. at *24. In doing so, the Court rejected the SEC’s theory that the BNB token “embodied” an investment contract. The court expressed frustration with the SEC’s strategy to regulate the cryptocurrency industry through case-by-case, “coin by coin” litigation, noting that such an approach “risks inconsistent results that may leave the relevant parties and their potential customers without clear guidance.” Id. at *11. The court similarly rejected the SEC’s allegations as to some of Binance’s online programs including “Simple Earn,” which allegedly allowed investors who lent their crypto assets to Binance to receive variable rates of interest over time. Id. at *26. The Court also held that claims against BAM Trading Services and BAM Management Holdings could proceed, including a count that alleged statutory violations of the anti-fraud provisions of the Securities Act and a count alleging that a staking program was an investment contract. The Court found that most of the remaining counts of the complaint, which involved registration violations based on the operation of an online exchange, could proceed based on the SEC’s allegations concerning direct sales of BNB, the BNB Vault program, and the staking program allegedly offered by BAM Trading Services and BAM Management Holdings. Gibson Dunn represents Binance Holdings Limited in this action.
SEC v. Consensys Software Inc., No. 24-cv-04578 (E.D.N.Y.): In April 2024, Consensys—which allows trading of the cryptocurrency Ether (ETH)—brought a pre-enforcement challenge in the Northern District of Texas after receiving a Wells notice from the SEC that it intended to bring an enforcement action against Consensys for violating federal securities laws as an unregistered broker-dealer. Consensys Software Inc. v. Gensler, No. 24-cv-369, ECF No. 1 ¶¶ 3, 68, 121 (N.D. Tex. filed Apr. 25, 2024). Consensys sought a declaratory judgment that the SEC lacks authority over ETH because ETH is not a security and that the SEC violated the APA by changing its position on whether ETH is a security. Id. ¶ 121. It also sought a permanent injunction prohibiting the SEC from pursuing enforcement. Id.
On June 28, 2024, the SEC filed a complaint in the U.S. District Court for the Eastern District of New York against Consensys Software Inc., alleging that the company violated the federal securities laws by failing to register as a broker of crypto asset staking platforms. SEC v. Consensys Software Inc., No. 24-cv-04578 (E.D.N.Y.). Specifically, the SEC alleged that Consensys acted as a broker by creating and managing the “MetaMask Swaps” digital platform. Id. at 2. The SEC also alleged that the platform allowed Consensys to offer and sell Lido and RocketPool, two crypto assets that would offer a crypto staking program that the Commission classified as an investment contract. Id. at 4. Consequently, the SEC seeks a final judgment permanently enjoining Consensys from acting as a broker or underwriter and ordering the company to pay civil penalties. Id. at 6. Defendants have since moved to dismiss or, in the alternative, transfer the case to the Northern District of Texas. Consensys Software Inc. v. SEC, No. 4:24-cv-00369-O (N.D. Tex. July 7, 2024), ECF No. 37.
C. Other Developments
1. Crypto Participants And Associations Challenge The SEC’s Authority
Thus far in 2024, four lawsuits have been filed challenging the SEC’s authority to regulate digital assets.
In February 2024, LEJILEX—an operator of a developing a decentralized exchange—and the Crypto Freedom Alliance of Texas (CFAT) filed suit in the Northern District of Texas, seeking a declaration that secondary-market sales of digital assets are not securities, as well as an injunction against the SEC’s bringing an enforcement action against LEJILEX or other CFAT members. LEJILEX v. SEC, No. 24-cv-168, ECF No. 1 at 50, ECF No. 53 at 2 (N.D. Tex. filed Feb. 21, 2024). Plaintiffs argued that digital assets generally are not investment contracts and that the major questions doctrine prevents the SEC from regulating digital assets. ECF No. 35 at 22-31. On June 26, 2024, the SEC sought dismissal or, in the alternative, summary judgment, arguing that the Court lacked jurisdiction and that plaintiffs failed to show that secondary-market digital-asset transactions cannot qualify as securities. ECF No. 38 at 19-25.
In March 2024, Beba, an apparel company that created the “BEBA token,” which is used to redeem an exclusive product from its online store, sought a declaratory judgment that, inter alia, (1) Beba is not engaged in unregistered distribution of securities, and (2) the distribution of BEBA tokens does not constitute an investment contract or securities contract between Beba and token holders. Beba LLC v. SEC, No. 24-cv-153, ECF No. 1 ¶¶ 3, 6, 60, 179-92 (W.D. Tex. filed Mar. 25, 2024). Beba also argued the SEC adopted a “new policy” of alleging that digital assets are investment contracts without going through required notice and comment procedures under the Administrative Procedure Act. Id. ¶¶ 4, 6, 8. After the SEC first moved to dismiss, (ECF No. 22), Plaintiffs filed an amended complaint, (ECF No. 24).
On April 23, 2024, CFAT and the Blockchain Association filed an action challenging the SEC’s Dealer Rule. Crypto Freedom Alliance of Texas v. SEC, No. 24-cv-361, ECF No. 1, ¶¶ 4, 7 (N.D. Tex. filed Apr. 23, 2024). Plaintiffs argued that the SEC exceeded its authority in changing the definition of “dealer” and that the SEC’s failure to address concerns by the digital assets industry was arbitrary and capricious. Id. ¶ 12. On May 17, 2024, plaintiffs moved for summary judgment, arguing that the SEC’s departure from the meaning of the word “dealer” exceeds its statutory authority and that it acted arbitrarily and capriciously in violation of the Administrative Procedure Act. ECF No. 29 at 18-44. The SEC cross-moved for summary judgment, arguing that it acted within its statutory authority, that its rule was reasonable (and reasonably explained), and that it had provided adequate notice its rule would apply to “crypto asset securities.” ECF No. 39 at 14-47. Gibson Dunn represents the plaintiffs in a related lawsuit challenging the same SEC Rule. See National Association of Private Fund Managers v. SEC, No. 24-cv-00250 (N.D. Tex. Mar. 18, 2024).
2. SEC Approves Spot Ethereum Exchange-Traded Funds (ETFs)
On May 23, 2024, the SEC approved eight spot Ethereum ETFs from major financial institutions—including BlackRock, Fidelity, and others. Tim Copeland & Sarah Wynn, SEC Approves 8 Ethereum ETFs including BlackRock and Fidelity, The Block (May 23, 2024). This approval comes four months after the SEC’s first approval of spot Bitcoin ETFs, as discussed in our Securities Litigation 2023 Year-End Update, and shows increased institutional acceptance and regulatory clarity for Ether-based digital assets.
3. SEC May Target Decentralized Exchanges
On April 10, 2024, Uniswap Labs, which created the Uniswap Protocol on a decentralized Ethereum blockchain, shared that it received a Wells notice from the SEC. Uniswap, Fighting for DeFi, Uniswap Labs Blog (Apr. 10, 2024). Uniswap claimed that the SEC lacks authority as the Uniswap Protocol does not meet the legal definitions of securities exchange or broker and that its UNI token is not a security. Id. Uniswap compared Uniswap to Bitcoin and Ethereum, which the CFTC has said are not securities. Id.
4. U.S. House Of Representatives Passes Crypto Bill
On May 22, 2024, the U.S. House of Representatives passed the Financial Innovation and Technology for the 21st Century Act (FIT21), which marks the first time that the House has passed a significant crypto bill. Jesse Hamilton & Nikhilesh De, U.S. House Approves Crypto FIT21 Bill With Wave of Democratic Support, CoinDesk (May 22, 2024). The legislation aims to regulate U.S. crypto markets, makes the CFTC the leading regulator of digital assets, and implements new rules to determine whether an asset is subject to federal securities laws. Id. SEC Chair Gary Gensler fiercely opposed the bill, stating that the bill “would create new regulatory gaps and undermine decades of precedent regarding the oversight of investment contracts, putting investors and capital markets at immeasurable risk.” Statement on the Financial Innovation and Technology for the 21st Century Act, SEC (May 22, 2024).
VII. Lorenzo Disseminator Liability
As previously discussed in our Mid-Year and Year-End Updates, in Lorenzo, the Supreme Court expanded the scope of scheme liability under Rule 10b-5(a) and (c) to individuals who disseminate false or misleading information but are not the “makers” of the misstatement(s). Following Lorenzo, the Second Circuit in Rio Tinto held that defendants must do “something beyond” making material misstatements or omissions to be subject to scheme liability. SEC v. Rio Tinto plc, 41 F.4th 47, 49 (2d Cir. 2022). In other words, the Court in Rio Tinto noted that while those who disseminate false or misleading information may be liable, misstatements alone are not sufficient to trigger scheme liability. Although it has now been five years since Lorenzo was decided, the Supreme Court has yet to clarify the requirements for scheme liability; accordingly, the lower courts are left to shape the contours of scheme liability claims. Since our last update, the Sixth Circuit has implicitly adopted the Second Circuit’s “something beyond” requirement but there is a growing divide among the district courts.
In Teamsters Local 237 Welfare Fund v. ServiceMaster Global Holdings, Inc., the Sixth Circuit embraced the Second Circuit’s test for scheme liability claims and held that “a plaintiff must show: ‘(1) that the defendant committed a deceptive or manipulative act, (2) in furtherance of the alleged scheme to defraud, (3) with scienter, and (4) reliance.’” 83 F.4th 514, 525 (6th Cir. 2023) (quoting Plumber & Steamfitters Local 773 Pension Fund v. Danske Bank A/S, 11 F.4th 90, 105 (2d Cir. 2021)). In ServiceMaster, plaintiff alleged that ServiceMaster violated Section 10(b) “by engaging in a series of misrepresentations and omissions” and “that the Defendants violated Rule 10b-5 (a) and (c) by engaging in a fraudulent scheme to mislead investors about the true nature” of the business. Id. at 522-23. In analyzing plaintiff’s scheme claim, the Sixth Circuit noted that although “[o]ur court has not defined the elements to state a claim for scheme liability . . . the Second Circuit has.” Id. at 525. Relying on the Second Circuit’s articulation of the elements required for a scheme claim, the Sixth Circuit analyzed plaintiff’s scienter allegations because it was “the only disputed element.” Id. The Court held that plaintiff failed to allege a strong inference of scienter. Id. at 529-33. The Court then explained that although a “scheme-liability claim encompasses conduct beyond disclosure violations,” id. at 525 (citing Benzon v. Morgan Stanley Distribs., Inc., 420 F.3d 598, 610 (6th Cir. 2005)), a scheme liability claim is “different and separate from a nondisclosure claim,” id. (citing Rio Tinto, 41 F.4th at 49, 53). Nevertheless, because “the [plaintiff] relie[d] on the same factual circumstances to make out both claims in this case,” plaintiff’s showing of scienter was therefore “no stronger with respect to the scheme-liability claim than it is for the Rule 10b-5 claim.” Id. at 533.
Not all Circuit courts have considered Rio Tinto’s distinction between misstatement and scheme claims. However, certain lower courts outside the Second Circuit have indicated a willingness to adopt the “something beyond” requirement. For example, in SEC v. Westhead, the Southern District of Florida held that the SEC adequately pleaded a scheme liability claim by alleging defendant disseminated the misstatements in the form of private placement memorandums. 2024 WL 3327804, at *10 (S.D. Fla. May 3, 2024). The Court arrived at its decision citing Rio Tinto and SteamMaster, explaining that with “this case law in mind,” dismissal of the SEC’s scheme liability claim was not appropriate because under the “Defendants’ own precedent, [dissemination] is sufficient to survive a motion to dismiss.” Id. (citing Rio Tinto, 41 F.4th at 53). Similarly, in SEC v. Jaitley, the Western District of Texas explained that scheme liability is distinct deceptive conduct from an alleged misstatement. 2023 WL 9105678, at *6-7 (W.D. Tex. Nov. 13, 2023) (holding that defendant furthered a scheme by directing “[c]lients to post fake, favorable reviews” or “posting false reviews herself”).
District courts within the Second Circuit also continue to provide examples of how to apply Rio Tinto’s “something beyond” requirement. In a recent case in the Southern District of New York, SEC v. Rogas, the Court denied a motion to dismiss scheme liability claims against a former executive of NS8, Inc. 2024 WL 1120558 (S.D.N.Y. Mar. 14, 2024). The complaint alleged defendant knew “the revenue numbers used by NS8 and provided to investors were falsified” and continued to solicit numerous potential investors, assisted in a “secondary offering between two NS8 investors,” and devised a scheme to “offload his shares in NS8 in a transaction funded by a third-party investor.” Id. at *1. The Court found that the SEC successfully pled defendant “committed [] manipulative or deceptive act[s]” that were “something beyond misstatements and omissions” as in Rio Tinto. Id. at *5. Specifically, the Court found that (1) initiating six investor transactions while knowing that the revenue numbers were falsified, (2) seeking “additional investors and transactions even after [defendant] became aware” that NS8 had very little money left and only some employees received “real data” about the sales team, and (3) selling shares in a secondary offering after acknowledging revenues were not correct, made out a scheme liability claim. Id. at *5.
In SEC v. City of Rochester, a district court in the Western District of New York, citing positively to Rio Tinto, denied defendants’ motion to dismiss scheme liability claims. 2024 WL 909475 at *9-10 (W.D.N.Y. Mar. 4, 2024). The SEC alleged that defendants made “materially misleading statements and omissions in the offering documents used to sell roughly $119 million in municipal bonds to investors.” Id. at *1. The SEC’s scheme allegations included that the “City Defendants disseminated the false statements in the offering documents sent to investors,” the City’s director of finance “executed separate certifications attesting to the accuracy of the offering documents in furtherance of the scheme,” and “the City Defendants facilitated the sale of the bonds.” Id. at *10. The Court sustained the scheme liability claims noting that statements regarding the reason for the RAN were incomplete and thus misleading. Id.
In the Third Circuit, the District of New Jersey found that the SEC sufficiently alleged scheme liability under Rule 10b-5(a) and (c), citing to Rio Tinto. SEC v. Mintz, 2024 WL 1173096, at *15, 18 (D.N.J. Mar. 18, 2024). Specifically, the SEC alleged that defendants submitted “misleading trade order instructions or false and misleading representations concerning the number of ‘locates.’” Id. at *15. The Court determined that the submission of those transactions and the “repeated circumvention of Regulation SHO and efforts to conceal Defendants’ scheme” were sufficient to constitute “deceptive conduct independent of its allegations that Defendants made false or misleading statements.” Id. at *15.
Certain lower courts within the Ninth Circuit, however, have disagreed with the Second Circuit’s approach and declined to apply the “something beyond” requirement. In SEC v. Prakash, the Northern District of California emphasized that the Ninth Circuit has not adopted the “something beyond” requirement set forth in Rio Tinto. 2024 WL 781037, at *6 (N.D. Cal. Feb. 26, 2024). Rather, the Court found that “to the extent that [defendant] argues that scheme liability claims require conduct beyond misstatements, the Court finds that this argument is foreclosed by Lorenzo and Ninth Circuit precedent.” Id. The Court explained that the Supreme Court in Lorenzo rejected the argument that Rule 10b-5(a) and (c) concern “scheme liability claims ‘that are violated only when conduct other than misstatements are involved.’” Id. Similarly, the Ninth Circuit previously held that its “prior holding that ‘[a] defendant may only be liable as part of a fraudulent scheme based upon misrepresentations and omissions . . . when the scheme also encompasses conduct beyond those misrepresentations or omissions’” was abrogated by Lorenzo. Id. (citing In re Alphabet, Inc. Sec. Litig., 1 F.4th 687, 709 n.10 (9th Cir. 2021)). Thus, the Court read Lorenzo as holding that 10b-5 “covers a broad range of conduct” and its subsections are not “mutually exclusive.” Id.
Similarly, in In re AGS, Inc. Securities Litigation, the District of Nevada explained that “in Lorenzo, the Supreme Court explained that considerable overlap exists.” 2024 WL 581124, at *5 (D. Nev. Feb. 12, 2024) (citing Lorenzo, 139 S. Ct. at 1101-02). “The various subsections thus merely describe subsets of a broader category—fraud.” Id. (emphasis in original). Ultimately, the only difference between a scheme liability claim verses a misrepresentation claim is “not that they proscribe mutually exclusive . . . conduct,” rather, the conduct in scheme claims is made in furtherance of a scheme “while the latter doesn’t involve a scheme.” Id. And because plaintiff’s cause of action could be construed as either a misrepresentation claim or a scheme liability claim, the Court held that plaintiff failed to state a claim under any subsection of Rule 10b-5 because when a scheme claim is based on the same set of facts as a misrepresentation claim, and “those facts do not sufficiently allege fraud . . . [under the] the misrepresentation claim, then the scheme claim necessarily fails.” Id.
VIII. Market Efficiency And “Price Impact” Cases
District courts continue to engage with defendants’ attempts to defeat or limit class certification by rebutting the Basic presumption of reliance with evidence that the alleged misstatements had no impact on the stock price. These developments occur against the backdrop of the Second Circuit’s 2023 decision in Arkansas Teacher Retirement System v. Goldman Sachs Group, Inc., 77 F.4th 74, 105 (2d Cir. 2023) (ATRS), covered in our 2023 Year-End Update and discussed in more detail in our Client Alert. The Second Circuit continues to be the only circuit court to address substantively the “price impact” issue following the Supreme Court’s guidance in Goldman Sachs Group, Inc. v. Arkansas Teacher Retirement System, 594 U.S. 113 (2021) (Goldman).
To refresh, in Goldman, the Supreme Court held that courts analyzing whether to grant class certification must consider all evidence regarding price impact—even if the evidence overlaps with merits questions such as materiality. 594 U.S. at 121-22. The Court explained that where a plaintiff’s price impact theory is based on “inflation-maintenance,” i.e., where price impact of the challenged statement is shown indirectly by a drop in the company’s stock price following a corrective disclosure on the theory that “price inflation [had been] maintained by an alleged misrepresentation,” a court must consider whether there is a “mismatch” between the alleged corrective disclosure(s) and challenged statement(s). Id. at 123. That is because a “mismatch” between the misrepresentation and the corrective disclosure “starts to break down” the inference of front-end price inflation. Id. In ATRS, the Second Circuit studied the mismatch between the generic challenged statements (e.g., statements about business principles) and more specific alleged corrective disclosures (e.g., reports of government investigations into specified employees and transactions) and held that defendants had “sever[ed] the link” between the challenged statements and the price drop. ATRS, 77 F.4th at 104. In reaching this conclusion, the Court was clear that “all record evidence relevant to price impact” should be considered. Id. at 103 n.15 (internal citations omitted).
Lower courts continue to scrutinize price impact arguments, particularly the potential “mismatch” between the alleged corrective disclosures and the challenged statements. See, e.g., Sjunde AP-Fonden v. Goldman Sachs Grp., Inc., 2024 WL 1497110, at *17 (S.D.N.Y. Apr. 5, 2024) (finding “no match” between 11 out of 13 alleged misstatements and the corrective disclosure); In re Apache Corp. Sec. Litig., 2024 WL 532315, at *6 (S.D. Tex. Feb. 9, 2024) (finding no price impact for 12 out of 13 alleged misrepresentations and limiting the class period accordingly); In re Kirkland Lake Gold Ltd. Sec. Litig., 2024 WL 1342800, at *12 (S.D.N.Y. Mar. 29, 2024) (finding no price impact and declining to certify the class).
For example, in Kirkland Lake, the Court denied class certification, finding that defendants had rebutted the Basic presumption of class-wide reliance with evidence showing that all three alleged misstatements did not impact the stock’s price. 2024 WL 1342800, at *9-12. For the first two alleged misstatements, the Court found them to be “fairly broad and generic statements about the company’s growth strategy,” and that there was a “considerable gap in genericness between the earlier statements and the corrective disclosure.” Id. at *8. In conducting its analysis, the Court considered contemporaneous analyst reports and the opinions of defendants’ mining industry and economics experts. Id.
As to the third statement, which the Court described as “quite specific,” the Court compared the alleged misstatement and corrective disclosure “to determine ‘whether there [was] a basis to infer that the back-end price [drop] equals front-end inflation.’” Id. at *11 (citing ARTS, 77 F.4th at 99 n.11). The Court determined that there was a different kind of substantive mismatch because the challenged statement “referred to future targets” and the corrective disclosure reflected only information at the time of acquisition. Id.
In Sjunde AP-Fonden, the Court declined to find a match between 11 of 13 alleged misstatements and the corrective disclosure. 2024 WL 1497110, at *16. The Court concluded that the corrective disclosure “d[id] not even address” or “d[id] not mention [] at all” the same issues as several of the alleged misstatements, so the Basic presumption was inapplicable to those statements. Id. at *16-17. For other challenged statements, the Court found in defendants’ favor because the corrective disclosure did “not necessarily render false the [challenged] statements.” Id. at *16. For the remaining two statements, the Court held the statements were appropriately specific and were “render[ed] false” by the disclosure. Id. at *15-16.
Recent decisions also emphasize the more basic requirement that a later stock price decline is only evidence of an earlier statement’s price impact, if it, in fact, reveals new information contrary to the challenged statements. See In re FibroGen Sec. Litig., 2024 WL 1064665, at *12-15 (N.D. Cal. Mar. 11, 2024) (“revelations that are not ‘corrective’ cannot form the basis for a corrective disclosure”).
We will continue to monitor developments in this area.
IX. Other Notable Developments
A. Seventh Circuit Determines Procedure For District Courts To Evaluate Suits Resulting In Mootness Fees
In Alcarez v. Akorn Inc., the Seventh Circuit set forth the proper procedure for a district court to evaluate mootness fees paid to shareholder plaintiffs after the voluntary dismissal of an action brought under Section 14(a) of the Securities Exchange Act challenging a public company merger. 99 F.4th 368 (7th Cir. 2024).
After Akorn Inc. announced a merger, shareholders brought six individual and putative class actions against Akorn, asserting its proxy statement was inadequate and in violation of Section 14(a). Alcarez, 99 F.4th at 372. After Akorn amended its proxy statement with additional disclosures, all plaintiffs voluntarily dismissed the complaint and Akorn agreed to pay plaintiffs’ counsel a $322,500 mootness fee. Id. A different Akorn shareholder moved to intervene to force plaintiffs’ counsel to return the mootness fee, arguing that the suits’ only goal was to extract money for counsel. Id. A district court in the Eastern District of Illinois denied the motion to intervene but agreed with the shareholder’s broader argument. Id. at 373. The district court thus exercised its “inherent authority” to reopen the suit, determined the complaints were frivolous, and then abrogated the settlement and ordered plaintiffs’ counsel to return the mootness fee. Id. Plaintiffs appealed, arguing that the district court lacked authority to reopen the case and lacked jurisdiction to review the mootness fee after the voluntary dismissal. Id. at 374.
The Seventh Circuit vacated the opinion and remanded with instructions. It first determined that the district court lacked inherent authority to reopen the voluntarily dismissed case without a motion under Federal Rule of Civil Procedure 60(b). Id. at 374. However, it further held that the shareholder in question should have been allowed to intervene and file a motion to reopen. Id. The Court reasoned that the shareholder had a common claim with the main action since he was “an investor in Akorn whose shares’ value was affected by the merger and the mootness fees” and “class counsel and Akorn [we]re looking out for their own interests rather than those of the class” making intervention “appropriate.” Id. at 375.
The Seventh Circuit further determined that the district court had “inherent authority” to evaluate the suits under 15 U.S.C. § 78u-4(c)(1) and Federal Rule of Civil Procedure 11. Id. at 377. The statute, the Court reasoned, applies to all suits arising under the Exchange Act and mandates that courts assess compliance with Rule 11(b) upon “final adjudication of the action” which includes voluntary dismissal. Id. at 376.
The cases were remanded to the district court with instructions to treat the shareholder as an intervenor, to allow him to make a Rule 60(b) motion, and to decide appropriate relief. Id. at 378.
B. Sixth Circuit Joins Majority Of Circuits In Holding The Bespeaks Caution Doctrine Survived Codification Of The PSLRA
Joining other circuits, the Sixth Circuit held that the bespeaks caution doctrine still applies to statements contained in offering documents outside of the PSLRA’s safe harbor provisions for forward-looking statements. Kolominsky v. Root, Inc., 100 F.4th 675, 687-88 (6th Cir. 2024); see 15 U.S.C. § 78u-5(c).
Root, Inc., an insurance company primarily focused on automobile insurance, purportedly attracted investors with its low customer-acquisition cost (CAC). Plaintiffs alleged that certain statements in Root’s registration statement were misleading or omitted material facts about Root’s CAC because, at the time of Root’s IPO, the CAC was higher than its historic average. Id. at 681. The district court dismissed all claims for failure to state a claim. Plaintiffs appealed three of their dismissed claims: those under Sections 11, 12(a)(2), and 15 of the Securities Act. Id.
The Sixth Circuit affirmed. One of the three allegedly misleading statements implicated the bespeaks caution doctrine. The challenged statement contained in Root’s registration statement provided that “[a]s we grow, we may struggle to maintain cost-effective marketing strategies, and our customer acquisition costs could rise substantially.” Id. at 682, 687. The district court had determined that the “statement was not actionable because it was a forward-looking statement labeled as a risk factor.” Id. at 687. The Sixth Circuit agreed, concluding that the statement fell “squarely within the bespeaks caution doctrine’s protection.” Id. at 689.
The Sixth Circuit determined that Congress did not intend for the safe harbor provisions of the PSLRA to replace the bespeaks caution doctrine, which “shields companies . . . from liability when they make statements that are forward-looking and accompanied by meaningful cautionary language.” Kolominsky, 100 F.4th at 688. The Sixth Circuit therefore joined the majority of circuits—namely the First, Second, Third, Fifth, Eighth, Ninth, Tenth, and Eleventh Circuits—that previously reached a similar conclusion about the doctrine’s post-PSLRA status. Id. at 687-88.
C. Ninth Circuit Provides Additional Guidance On Determining Loss Causation
On April 5, 2024, the Ninth Circuit provided additional guidance on determining loss causation in a securities fraud case, explaining that a plaintiff does not necessarily need to show a stock price increase on the heels of a misstatement but may “plausibly show that the misstatement inflated the stock’s price.” In re Genius Brands Int’l, Inc. Sec. Litig., 97 F.4th 1171, 1185 (9th Cir. 2024) (emphasis added).
In 2019, the price per share of children’s entertainment company Genius Brands International, Inc. fell below the NASDAQ minimum trading requirement. Id. at 1177. Subsequently, a group of shareholders alleged that the company had made certain false statements regarding (1) how frequently its flagship children’s television show would air per week; (2) the possibility of Disney or Netflix acquiring the company; and (3) the company’s rights to the works of comic book author Stan Lee. Id. at 1179. The shareholders alleged that the company and its officers violated Sections 10(b) and 20(a) of the Exchange Act and Rule 10b-5(a)-(c). Id. at 1177, 1179. The district court dismissed the shareholders’ suit with prejudice for failure to adequately plead falsity and loss causation. Id. at 1179-80. The district court dismissed two of the claims for a “failure to allege an initial price increase.” Id.
The Ninth Circuit reversed in part and affirmed in part. On loss causation, the Ninth Circuit’s opinion emphasized that “a price increase is one way of demonstrating that ‘the price was higher than it would have been,’ but it is not the only way.” In re Genius Brands Int’l, Inc., 97 F.4th at 1185 (quoting In re BofI Holding, Inc., 977 F.3d at 789) (emphasis added). Accordingly, it “suffices to plausibly allege that the stock price was higher than it would have been but for the defendant’s statement—whether because the statement increased the stock price, maintained the stock price, or prevented a greater decrease in the stock price.” Id. at 1187. On two of the claims, the Ninth Circuit reasoned that the district court had “impermissibly conflated an initial price increase with initial price inflation.” Id. at 1185. The case was remanded for further proceedings. Id. at 1190.
D. Companies Continue To Litigate Alleged Misrepresentations Related To COVID-19
More than four years removed from the initial COVID-19 outbreak, coronavirus-related securities litigation continues to be active. As we last discussed in our Securities Litigation 2022 Mid-Year Update, a class-action complaint was filed in May 2020 against biopharmaceutical company Sorrento Therapeutics (Sorrento) and its officers on behalf of all shareholders who had purchased Sorrento stock in the week following the company’s May 15, 2020, press release. In re Sorrento Therapeutics, Inc. Sec. Litig., 97 F.4th 634, 637-38 (9th Cir. 2024). Early in the COVID-19 pandemic, Sorrento announced the discovery of an antibody showing “100% inhibition” of COVID-19 infection. Id. at 641. Some Sorrento officers claimed the antibody would “completely prevent infection” and provided a COVID-19 “cure.” Id. at 639 & n.3. As the market responded to this information, Sorrento’s stock more than tripled in value. Id. at 638. Sorrento’s stock value eventually declined, however, as outsiders publicly began to scrutinize and critique Sorrento’s development. Id.
The complaint alleged that Sorrento purposefully misled investors and falsely claimed to have a COVID-19 cure in violation of Sections 10(b) and 20(a) and Rule 10b-5. Id. at 638-39. The district court dismissed the complaint, concluding that plaintiffs failed to plausibly allege falsity because Sorrento had disclosed in the press release that the antibody remained in preclinical stage, the officers’ statements were “corporate optimism” rather than an “actionable material misstatement of fact,” and Sorrento’s need to fundraise did “not give rise to a strong inference of scienter.” Id. at 639-40.
The Ninth Circuit affirmed. On falsity, the Court held that Sorrento’s “overblown” statements did not rise to the level of “materially misleading” investors considering Sorrento’s contemporaneous disclosures about the antibody’s early developmental status. Id. at 641. A reasonable person, knowing that the antibody required further testing after reading the press release, would not understand the press release to mean that Sorrento had “an immediate 100% cure” for COVID-19. Id. The Court rejected the argument that Sorrento could not, in good faith, have believed that it had a cure given the fact that there still is no cure for COVID-19. Id. at 641-42.
On the issue of scienter, the Court concluded that “although Sorrento’s financial situation was clearly helped by the market’s response to the [antibody] announcement,” Sorrento had resorted to other measures to mitigate its “dire financial situation” far in advance of the announcement. Id. at 642-43. A need to fundraise, accordingly, did not adequately establish motive for fraud. Plaintiffs’ argument also failed to “allege any particular improper or inflated sales” and such a “showing of trading history [was] necessary to raise an inference of scienter.” Id. at 643.
E. SEC Adopts Amendments To Regulation S-P, Requiring Covered Firms To Take Additional Customer Data Protection Measures
In May, the SEC adopted amendments to Regulation S-P, which require covered financial firms to provide certain protections for personally identifiable information of customers and consumers. 17 C.F.R. § 248.30; see also Mark T. Uyeda, Comm’r, Sec. & Exch. Comm’n, Statement on the Amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information (May 16, 2024) https://www.sec.gov/newsroom/speeches-statements/uyeda-statement-reg-s-p-051624 (“Comm’r Uyeda, Statement on the Amendments to Regulation S-P”). Initially adopted in 2000, Regulation S-P set standard for firms’ treatment of customers’ nonpublic personal information. See id. Due to the evolving nature and impact of data breaches, the amendments require “covered institutions to adopt written policies and procedures that provide for an incident response program to protect customer information from unauthorized access.” Id.
The “incident response program” requires covered firms to “assess the nature and scope” of the incident, take “appropriate steps to contain and control such incidents,” and provide notice to “each affected individual.” 17 C.F.R. § 248.30(a)(3)(i)-(iii). The amendments provide detailed requirements of these notices. For example, notice may not be required if a covered firm determines, after a reasonable investigation, that the “sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.” Id. § 248.30(a)(4)(i). Notice may also be required to be sent to non-customers, as the amendments also define “customer information” to include information that (1) is within the covered firm’s possession regardless of whether there is a “customer relationship”; and (2) pertains to “the customers of other financial institutions where such information has been provided to the covered institution.” Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 89 Fed. Reg. 47688, 47714 & n.290 (June 3, 2024) (emphasis added); see also 17 C.F.R. § 248.30(d)(5)(i).
In terms of timing, notice must be sent “as soon as practicable, but generally not later than 30 days after the financial institution becomes aware that there has been an unauthorized breach of customer information.” Comm’r Uyeda, Statement on the Amendments to Regulation S-P. Covered firms are not required to contract with service providers to deliver data breach notices, but remain responsible “regardless of which entity sends the notice.” Id.
Additionally, the amendments extend Regulation S-P’s safeguard and disposal requirements to transfer agents registered with the Commission or another appropriate regulatory agency. Id.
The amendments provide for an 18-month compliance period for larger entities after the date of publication and a 24-month compliance period for smaller entities. Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 89 Fed. Reg. at 47723-24.
Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s Securities Litigation practice group:
Christopher D. Belelieu – New York (+1 212.351.3801, [email protected])
Jefferson Bell – New York (+1 212.351.2395, [email protected])
Michael D. Celio – Palo Alto (+1 650.849.5326, [email protected])
Jonathan D. Fortney – New York (+1 212.351.2386, [email protected])
Monica K. Loseman – Co-Chair, Denver (+1 303.298.5784, [email protected])
Brian M. Lutz – Co-Chair, San Francisco (+1 415.393.8379, [email protected])
Mary Beth Maloney – New York (+1 212.351.2315, [email protected])
Jason J. Mendro – Washington, D.C. (+1 202.887.3726, [email protected])
Alex Mircheff – Los Angeles (+1 213.229.7307, [email protected])
Lissa M. Percopo – Washington, D.C. (+1 202.887.3770, [email protected])
Jessica Valenzuela – Palo Alto (+1 650.849.5282, [email protected])
Craig Varnen – Co-Chair, Los Angeles (+1 213.229.7922, [email protected])
Allison K. Kostecka – Denver (+1 303.298.5718, [email protected])
Mark H. Mixon, Jr. – New York (+1 212.351.2394, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
From the Derivatives Practice Group: The CFTC announced that it has issued Kalshi Klear LLC (“Kalshi”) an Order of Registration as a derivatives clearing organization (“DCO”) under the Commodity Exchange Act.
New Developments
- CFTC Grants Kalshi Klear LLC DCO Registration. On August 29, the CFTC announced it has issued Kalshi Klear LLC (“Kalshi”) an Order of Registration as a derivatives clearing organization (“DCO”) under the Commodity Exchange Act. Kalshi’s affiliate, KalshiEx LLC, is registered with the CFTC as a designated contract market. [NEW]
- CFTC Staff Extends Brexit-Related No-Action Positions. On August 29, the CFTC’s Division of Market Oversight (“DMO”) and Market Participants Division (“MPD”) announced they are extending temporary no-action positions in connection with the withdrawal of the United Kingdom (“UK”) from the European Union (“EU”), known as Brexit. In addition, DMO is amending its no-action position to include two additional multilateral trading facilities (“MTFs”) authorized in the UK. The no-action position was also amended to remove an MTF and an organized trading facility because the facilities are no longer authorized in the UK. [NEW]
- CFTC Staff Issues No-Action Letter for EU-Based and UK-Based DCOs Regarding Certain Requirements Applicable to DCOs. On August 23, the CFTC’s Division of Clearing and Risk (DCR) issued a no-action letter to address the applicability of certain CFTC regulations to registered DCOs based in either the EU or the UK. This letter replaces CFTC Letter 16-26, which applied only to EU-based DCOs and was issued in 2016 as part of the CFTC’s response to the EU equivalence determination with regard to the CFTC’s regulatory framework for DCOs. DCR has updated CFTC Letter 16-26 to explicitly apply it to UK-based DCOs post-Brexit.
- CFTC Approves a Joint Rule Proposal to Establish Technical Data Reporting Standards. On August 8, the CFTC voted to jointly propose and request public comment on the establishment of technical data reporting standards with other financial regulatory agencies. The proposal would establish uniform data standards for the collections of information reported to the CFTC, Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Consumer Financial Protection Bureau, Federal Housing Finance Agency, Securities and Exchange Commission, and the Department of the Treasury. The proposal would also establish uniform data standards for data collected from these financial regulatory agencies on behalf of the Financial Stability Oversight Council. According to the CFTC, the proposed standards would promote interoperability of financial regulatory data across the financial regulatory agencies through the adoption of common identifiers for legal entities, financial instruments, and other data. In addition to proposing the use of common identifiers, the proposal would also further standardize the format and transmission of data to financial regulatory agencies. The CFTC explained that the proposed rule is part of the implementation of the Financial Data Transparency Act of 2022 (“FDTA”); although the CFTC is not specifically referenced in the FDTA, the Secretary of the Treasury designated the CFTC as a covered agency on May 3, 2024. Comments on the proposal are due 60 days following publication in the Federal Register.
New Developments Outside the U.S.
- Markets Increasingly Sensitive After Strong Performance in Early 2024. On August 29, ESMA published its second risk monitoring report of 2024, setting out the key risk drivers currently facing EU financial markets. The report state that external events continue to have a strong impact on the evolution of financial markets, and ESMA also sees high or very high overall risks in the markets within its remit. [NEW]
- ESMA Publishes Translations of its Guidelines on Funds’ Names. On August 21, ESMA published the translations in all official EU languages of its Guidelines on funds’ names using ESG or sustainability-related terms. National competent authorities must notify ESMA by October 21 2024 whether they (i) comply, (ii) do not comply, but intend to comply, or (iii) do not comply and do not intend to comply with the guidelines.
- ESAs’ Joint Board of Appeal Allows the Appeal Lodged by NOVIS and Remits the Case to EIOPA. On August 13, the Joint Board of Appeal of the European Supervisory Authorities (“ESAs”) unanimously decided that the appeal brought by NOVIS against the European Insurance and Occupational Pensions Authority (“EIOPA”) is admissible. The appeal was brought in relation to the EIOPA decision not to grant access to documents, which were requested by NOVIS. In its decision, the board of appeal acknowledged that requests for access to documents laid out in Regulation No 1049/2001 can be dismissed by way of exceptions to protect certain public and private interests.
- ESMA Recognizes CDS Clearing and Depository Services as Tier 1 CCP Following MoU with the British Columbia Securities Commission. On August 13, ESMA signed a Memorandum of Understanding (“MoU”) with the British Columbia Securities Commission and updated its list of recognized third-country central counterparties (“CCPs”) under the European Markets Infrastructure Regulation (“EMIR”). The MoU establishes cooperation arrangements, including the exchange of information, regarding CCPs that are established in Canada and authorized or recognized by the British Columbia Securities Commission, and which have applied for EU recognition under EMIR.
- ESAs’ Joint Board of Appeal Dismisses Appeal by Euroins Insurance Group AD Against the European Insurance and Occupational Pensions Authority. On August 7, the Joint Board of Appeal of the ESAs unanimously decided that the appeal brought by Euroins Insurance Group AD (“Euroins”) against the EIOPA is inadmissible. In its decision, the board of appeal found that EIOPA’s power to initiate an investigation is of an entirely discretionary nature. Furthermore, the board of appeal also asserted that the EIOPA Chairperson’s decision to initiate an investigation is not subject to the board of appeal’s review. Finally, the decision clarified that the board of appeal does not have the power to order EIOPA to re-assess an appellant’s request to open an investigation.
New Industry-Led Developments
- ISDA and IIF Respond to BCBS Consultation on CCR Management. On August 28, ISDA and the Institute of International Finance (“IIF”) submitted a joint response to the Basel Committee on Banking Supervision’s (“BCBS”) consultation on guidelines for counterparty credit risk (“CCR”) management. The new guidelines represent an update to the Sound Practices for Banks’ Interactions with Highly Leveraged Institutions, published in January 1999, to incorporate recent lessons and best practices. In the response, the associations stress the guidelines should be risk-based and proportional, considering a diverse universe of counterparties and financial markets across the world. The associations stated that they believe a common understanding and coordination between central banks, supervisors and banks can enhance the effectiveness of CCR practices. [NEW]
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])
Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])
Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])
Darius Mehraban, New York (212.351.2428, [email protected])
Jason J. Cabral, New York (212.351.6267, [email protected])
Adam Lapidus – New York (212.351.3869, [email protected] )
Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])
William R. Hallatt , Hong Kong (+852 2214 3836, [email protected] )
David P. Burns, Washington, D.C. (202.887.3786, [email protected])
Marc Aaron Takagaki , New York (212.351.4028, [email protected] )
Hayden K. McGovern, Dallas (214.698.3142, [email protected])
Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
We are pleased to provide you with the August 2024 edition of Gibson Dunn’s digital assets regular update. This update covers recent legal news regarding all types of digital assets, including cryptocurrencies, stablecoins, CBDCs, and NFTs, as well as other blockchain and Web3 technologies. Thank you for your interest.
ENFORCEMENT ACTIONS
UNITED STATES
- OpenSea Receives Wells Notice from SEC
On August 28, Devin Finzer, the CEO of NFT marketplace OpenSea posted on social media that the company had received a Wells notice from the SEC, which indicates that the agency is considering whether to pursue an enforcement action against the company. According to Finzer, the SEC’s contemplated enforcement action is premised on the agency’s belief that NFTs on the OpenSea platform are securities. Finzer called the Wells notice a “sweeping move against creators and artists” and pledged to “stand up and fight” while offering $5 million to cover legal fees for NFT creators who may receive similar notices. Coindesk; X. - Kraken’s Motion to Dismiss SEC Lawsuit Denied
On August 23, Judge William H. Orrick of the Northern District of California denied crypto exchange Kraken’s motion to dismiss a lawsuit brought by the SEC, which alleged that Kraken acts as a broker, dealer, exchange, and clearing agency in violation of Sections 5, 15(a) and 17(A)(b) of the Securities Act. Applying the Howey test, the court held that although digital assets themselves are not investment-contract securities, the SEC plausibly alleged that Kraken facilitates transactions involving investment contracts. August 23 Order; Bloomberg; CoinTelegraph. - Abra Settles Charges with SEC over Abra Earn
On August 26, the SEC filed settled charges against Plutus Lending LLC, known as Abra, alleging that the company improperly offered its Abra Earn product as an unregistered security and operated an unregistered investment company. The company agreed to cease violations of the registration provisions of the Securities Act and the Investment Company Act and pay civil penalties in an amount to be determined by a court. In 2020, Abra settled with the SEC and Commodities Future Trading Commission (CFTC) to end an investigation into its swaps product. SEC Press Release; CoinDesk. - Federal Prosecutors Indict Michelle Bond for Campaign Finance Violations
On August 22, prosecutors in the Southern District of New York unsealed an indictment against former Republican congressional candidate Michelle Bond. She was charged with conspiring with FTX executives to engage in an unlawful campaign-finance scheme. Prosecutors alleged that Bond and Ryan Salame, an executive at FTX, orchestrated a sham consulting agreement through which Bond received $400,000 to finance her congressional campaign. Bond is charged with one count of conspiracy to cause unlawful campaign contributions; one count of causing and accepting excessive campaign contributions; one count of causing and receiving an unlawful corporate contribution; and one count of causing and receiving a conduit contribution. Each count carries a maximum sentence of five years in prison. The Block; DOJ Press Release. - Telegram Founder Arrested in France
On August 24, Pavel Durov, the founder and CEO of Telegram was detained by French authorities in Paris, reportedly in connection with an investigation into the app’s role in failing to moderate criminal activity on the platform, including drug trafficking, child pornography, and money laundering. This detention has sparked tensions between France and Russia, as Telegram is a crucial communication platform in post-Soviet nations, used by both government authorities and opposition groups. The arrest has drawn criticism from Russian officials, who are demanding consular access to Durov, who holds citizenship in the UAE and France. BBC. - FTX and Alameda Pay $12.7 Billion to End CFTC Lawsuit
On August 7, U.S. District Judge P. Kevin Castel approved a settlement between FTX and its sister company Alameda Research to pay $12.7 billion to their customers, investors, and creditors. Under the consent order, FTX and Alameda will pay $8.7 billion in restitution to investors who sustained losses proximately caused by violations of the Commodity Exchange Act and $4 billion in disgorgement for gains received from misconduct. The repayment order implements a settlement between the CFTC and the bankrupt crypto exchange, which has committed to a bankruptcy liquidation that will repay customers whose deposits were locked during its 2022 collapse. Judge Castel also found that FTX violated the Commodity Exchange Act, concluding that the exchange misled investors by representing itself as a safe place to buy and sell cryptocurrency while co-mingling assets between the exchange and the hedge fund, Alameda. Bloomberg Law; PYMNTS; Reuters; Washington Post. - Federal Reserve Board Issues Enforcement Action with Crypto-Friendly Bank
On August 5, the U.S. Federal Reserve (Fed) entered into a written agreement with Customers Bancorp and its subsidiary bank, Customers Bank, relating to “significant deficiencies” around the bank’s risk-management and anti-money laundering practices. The enforcement action against the Pennsylvania-based bank, which provides digital-asset services and a tokenized instant payments platform, stemmed from a recent joint examination by the Fed and Commonwealth of Pennsylvania Department of Banking and Securities (Department). The consent order does not include a fine but directs the bank to overhaul its policies and internal controls to address identified shortcomings in its compliance with Bank Secrecy Act, anti-money laundering, and Office of Foreign Asset Control regulations and to periodically report its progress to regulators. On the same date, Customers Bank also entered into a Consent Order with the Department. FRB Agreement; Blockworks; PA Consent Order; CryptoNewsZ; Reuters. - SEC Files Fraud Charges Against Promoters of NovaTech
On August 12, following an earlier suit by the New York Attorney General, the SEC filed a complaint against NovaTech alleging that the company and eight of its promoters stole $650 million from 200,000 investors in a Ponzi scheme that used new investors’ money to make payments to earlier investors. According to the SEC, NovaTech’s marketing materials promised investors 2-3% returns per week and purportedly never posted a weekly trading loss, but only a small fraction of investors’ money was ever actually invested and the money that was invested suffered “significant trading losses.” SEC Press Release; CoinDesk. - CFTC Announces $1 Million Award to Whistleblower
On August 7, the CFTC announced that a whistleblower who assisted the regulator in an enforcement action “connected to digital asset markets” would receive a $1 million award. The CTFC said that it had brought an enforcement action against a firm connected to the digital-asset space based on “information about improper trading” provided by a whistleblower but did not name the whistleblower or the digital-asset firm. The CFTC filing stated that six claimants initially applied to provide information about the digital asset enforcement case, but only one claimant, whose information the CFTC described as “sufficiently specific, credible, and timely” and critical to opening its investigation, received a percentage of the monetary sanctions from the unnamed company. CFTC Notice; CoinTelegraph; The Defiant. - CluCoin Founder Pleads Guilty to Wire Fraud Scheme
On August 21, Austin Michael Taylor, the founder of crypto project CluCoin, pleaded guilty to a wire fraud scheme involving the transfer of $1,140,000 of CluCoin investor funds to Taylor’s personal account. Although he faces a maximum sentence of 20 years in prison at his sentencing hearing scheduled for October 31, U.S. Sentencing Guidelines likely will guide the sentencing judge to a much less punitive result. DOJ Press Release; CoinDesk.
INTERNATIONAL
- Australian Market Regulator Sues Australian Stock Exchange over Blockchain Upgrade
On August 13, Australia’s Securities and Investment Commission sued the Australian Securities Exchange (ASX), Australia’s leading stock exchange, for making allegedly misleading statements related to its efforts to replace its systems with blockchain technology. The Australian regulator alleges that in a February 10, 2022, announcement, ASX stated that the blockchain-based replacement for its settlement of share transactions and record shareholdings was on track to go live in April 2023. The regulator claims that the project was not progressing as stated and that the delay and subsequent pause of the project caused significant cost to ASX and market participants who relied on assurances regarding the project’s progress and scheduled go-live date. Financial Times; Reuters; CoinGeek.
REGULATION AND LEGISLATION
UNITED STATES
- IRS Releases New Draft Digital-Asset Tax Form
On August 9, the IRS posted an updated draft of Form 1099-DA, which will allow “brokers” to report certain digital asset sale and exchange transactions for calendar year 2025. Beginning in 2026 and for transactions occurring in 2025, regulations finalized in July will require centralized crypto exchanges to issue Forms 1099-DA reporting certain digital-asset sale and exchange transactions. The form updates a draft published by the IRS in April. It requires less data reporting and addresses some privacy concerns by removing requirements to include investors’ wallet addresses and certain transaction details in the reports, among other things. The IRS accompanied the draft with instructions for recipients of the form. The agency expects to release draft filer instructions soon, at which point the agency will publish a notice in the Federal Register and allow for a 30-day public-comment period. IRS Press Release; CoinDesk. - Financial Regulatory Agencies Propose Joint Data Standards
On August 2, the U.S. Securities Exchange Commission announced that it and eight other agencies were set to propose joint data standards under the Financial Data Transparency Act of 2022. The standards will establish technical standards for data submitted to financial regulatory agencies. The proposed standards are intended to promote interoperability of financial regulatory data across the agencies by establishing common identifiers for entities and geographic locations. The rules establish a Financial Instrument Global Identifier (FIGI) that can be used for all classes of financial instruments, including digital assets. The eight other agencies set to propose standards include the Board of Governors of the Federal Reserve, the Commodity Futures Trading Commission, the Consumer Financial Protection Bureau, the Department of the Treasury, the Federal Deposit Insurance Corporation, the Federal Housing Finance Agency, the National Credit Union Administration, and the Office of the Comptroller of the Currency. SEC Press Release; PYMNTS.
INTERNATIONAL
- Hong Kong Plans to Increase Digital Asset Regulation in the Next 18 Months
On August 11, Hong Kong Legislative Council member David Chiu announced that Hong Kong planned to introduce enhanced digital-asset regulations within the next 18 months. The regulations would be part of the jurisdiction’s efforts to become a global hub for financial technology by attracting technology experts, building new infrastructure, and strengthening laws around digital assets. According to Chiu, Hong Kong aims to enhance supervision and enforcement of legislation related to digital assets, including stablecoins. CoinGeek; CoinTelegraph; Crypto Times. - Bank of Ghana Issues Proposed Crypto Regulatory Framework
On August 16, the Bank of Ghana introduced draft rules for crypto exchanges. The Central Bank said that its regulations followed an “extensive internal review of the surging popularity of digital assets.” The regulatory approach would require exchanges to perform customer due diligence, comply with new reporting and registration requirements, and conduct comprehensive risk assessments. The proposed regulations would also create a pathway for crypto companies to access traditional banking services. Draft Rules; CoinTelegraph.
CIVIL LITIGATION
UNITED STATES
- Bitboy and Jimmy Butler Settle Securities Lawsuit
On August 21, YouTube Influencer Ben Armstrong (aka Bitboy) and Miami Heat basketball star Jimmy Butler agreed to pay $340,000 to settle a class action lawsuit brought in March 2023, which alleged that Armstrong and Butler promoted the sale of unregistered securities. Decrypt; Bloomberg; CoinGape. - Celsius Sues Tether for Liquidating Celsius Loan Collateral
On August 9, administrators of bankrupt crypto lender Celsius sued Tether to recover 57,428 bitcoin (worth approximately $3.5 billion). Celsius’s bankruptcy administrators claim that Celsius struck a “token agreement” with Tether in February 2020, which allowed Celsius to borrow U.S. dollars by posting bitcoin as collateral. The administrators’ complaint alleges that in June 2022, when the crypto market was in sharp decline, Tether fraudulently and preferentially applied Celsius’s bitcoin against obligations owed to Tether for an average price considerably less than bitcoin’s market closing price. Tether has responded that its liquidation of Celsius’ bitcoin was done in accordance with the token agreement. Complaint; CoinDesk; CoinGeek. - Sixth Circuit Allows Constitutional Challenge to Proceed Against IRS
On August 9, a Sixth Circuit panel vacated a decision by a district judge in the Eastern District of Kentucky barring crypto think tank Coin Center’s claims alleging that a 2021 amendment to the U.S. tax code was unconstitutional. Coin Center alleges that the amendment to the tax code is unconstitutionally vague in violation of the First Amendment, exceeds the scope of Congress’s enumerated powers, and violates taxpayers’ privacy rights under the Fourth and Fifth Amendments. The Sixth Circuit reversed the district court’s ruling that Coin Center’s claims were not ripe and therefore not justiciable and remanded the case for further proceedings. Opinion; CoinDesk.
SPEAKER’S CORNER
UNITED STATES
- Senator Schumer Plans to Pass Crypto Legislation in 2024
On August 14, during a crypto-related town hall, U.S. Senator Chuck Schumer (D-NY) said that his goal is to pass crypto legislation before the end of this year. He said that he believes it is Congress’s responsibility to “provide common sense and sound regulation” and that he would like to see legislation that strikes a “balance for crypto between promoting innovation and providing common sense guardrails.” Schumer did not express support for any particular bill currently under consideration in Congress. The Block; Stablecoin Act Press Release; FIT21; The Block. - Senator Scott Signals Interest in Forming Crypto-Focused Senate Subcommittee
On August 21, at a meeting of the Wyoming Blockchain Symposium, U.S. Senator Tim Scott (R-SC) suggested that he would consider creating a panel of the Senate Banking committee focused on digital assets if Republicans win the Senate and he becomes Committee Chair next year. The Block.
OTHER NOTABLE NEWS
- SEC Crypto Head Leaves for Private Practice
David Hirsch, the former head of the Securities Exchange Commission’s crypto and cyber security division, has left the SEC to join a private law firm. He will be leading the firm’s securities enforcement and regulatory counseling practice. The Block.
FinTech and Digital Assets Group Leaders / Members:
Ashlie Beringer, Palo Alto (+1 650.849.5327, [email protected])
Michael D. Bopp, Washington, D.C. (+1 202.955.8256, [email protected]
Stephanie L. Brooker, Washington, D.C. (+1 202.887.3502, [email protected])
Jason J. Cabral, New York (+1 212.351.6267, [email protected])
Ella Alves Capone, Washington, D.C. (+1 202.887.3511, [email protected])
M. Kendall Day, Washington, D.C. (+1 202.955.8220, [email protected])
Michael J. Desmond, Los Angeles/Washington, D.C. (+1 213.229.7531, [email protected])
Sébastien Evrard, Hong Kong (+852 2214 3798, [email protected])
William R. Hallatt, Hong Kong (+852 2214 3836, [email protected])
Martin A. Hewett, Washington, D.C. (+1 202.955.8207, [email protected])
Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])
Stewart McDowell, San Francisco (+1 415.393.8322, [email protected])
Mark K. Schonfeld, New York (+1 212.351.2433, [email protected])
Orin Snyder, New York (+1 212.351.2400, [email protected])
Ro Spaziani, New York (+1 212.351.6255, [email protected])
Jeffrey L. Steiner, Washington, D.C. (+1 202.887.3632, [email protected])
Eric D. Vandevelde, Los Angeles (+1 213.229.7186, [email protected])
Benjamin Wagner, Palo Alto (+1 650.849.5395, [email protected])
Sara K. Weed, Washington, D.C. (+1 202.955.8507, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Gibson Dunn’s Workplace DEI Task Force aims to help our clients develop creative, practical, and lawful approaches to accomplish their DEI objectives following the Supreme Court’s decision in SFFA v. Harvard. Prior issues of our DEI Task Force Update can be found in our DEI Resource Center. Should you have questions about developments in this space or about your own DEI programs, please do not hesitate to reach out to any member of our DEI Task Force or the authors of this Update (listed below).
Key Developments:
On July 23, 2024, America First Legal (AFL), the organization founded and run by former Trump policy advisor Stephen Miller, announced that it had filed a federal civil rights complaint with the EEOC against CrowdStrike. AFL alleges that “prohibited characteristics” are motivating CrowdStrike’s employment decisions under the guise of DEI, in violation of Title VII. The complaint points to CrowdStrike’s nine employee resource groups, including Women of CrowdStrike and Communidad. AFL contends that the lack of a resource group for “Men of CrowdStrike” or white employees is discriminatory. AFL also highlights CrowdStrike’s public proxy statement, which includes a “Board Diversity Matrix” that tracks the sex, gender identity, race, and ethnicity of its current directors. AFL sent a corresponding letter to CrowdStrike’s board of directors demanding that the company end its allegedly discriminatory workplace practices.
On July 29, 2024, Auburn University announced it will dissolve its Office of Inclusion and Diversity by August 15, 2024. Established in 2016 at the recommendation of students and staff, the office aimed to enhance the recruitment and retention of underrepresented groups and oversee educational and cultural programs. Auburn now joins four other Alabama state colleges in closing their diversity offices after Governor Kay Ivey signed a law banning DEI programs and the teaching of certain “divisive concepts” on March 19, 2024. One day later, on July 30, 2024, the University of Missouri also announced it will dissolve its Division for Inclusion, Diversity and Equity (IDE) by August 15, 2024.
On July 30, 2024, the court granted Starbucks’ motion to dismiss in Langan v. Starbucks Corporation, No. 3:23-cv-05056 (D.N.J. July 30, 2024). Langan, a white female former employee, filed a complaint against Starbucks claiming that she was wrongfully accused of racism and terminated after she rejected Starbucks’ attempt to deliver “Black Lives Matter” T-shirts to her store. The plaintiff brought claims for discrimination under Title VII, Section 1981, the New Jersey Law Against Discrimination (NJLAD), the Americans with Disabilities Act, and the Age Discrimination in Employment Act, as well as retaliation in violation of Title VII and the NJLAD and various torts. On December 8, 2023, Starbucks moved to dismiss the plaintiff’s NJLAD claims on the basis that they were barred by the statute of limitations. Starbucks also moved to dismiss the plaintiff’s tort claims and Section 1981 discrimination claim for failure to state a claim. In the ruling last week, the court granted Starbucks’ motion to dismiss in its entirety, agreeing that the NJLAD claims were untimely and that the plaintiff had failed to state her tort or Section 1981 claims. As to her Section 1981 claim, the court held that the plaintiff had not alleged that her termination was based on anything other than her “egregious” discriminatory comments and her violation of the company’s anti-harassment policy. The court granted the plaintiff leave to amend, and the plaintiff filed an amended complaint on August 11.
On July 29, 2024, the Equal Protection Project (EPP) filed a complaint with the U.S. Department of Education’s Office for Civil Rights (OCR) against the Mitchell Hamline School of Law (Hamline Law) in St. Paul, Minnesota. EPP alleges that Hamline Law’s hosting of the Minnesota Association of Black Lawyers (MABL) Law School Pathways mentorship program constitutes racial discrimination in violation of Title VI of the Civil Rights Act, as the program is exclusively available to Black students. The program selects ten to twenty juniors, seniors, and alumni from Minnesota universities and colleges each year as “MABL Pathways Scholars.” These scholars receive pre-law school programming, LSAT preparation, and academic mentoring in order “to empower Black students in Minnesota to succeed in law school and the legal profession.” In response to EPP’s complaint, Hamline Law said that it only hosts the program and does not administer it.
On July 29, 2024, Judge Trina Thompson in the Northern District of California denied a motion to dismiss a proposed securities class action against Wells Fargo in SEB Investment Management AB v. Wells Fargo & Co., No. 22-cv-03811-TLT (N.D. Cal. July 29, 2024). The lawsuit alleged that Wells Fargo engaged in sham practices related to interviewing diverse candidates, including interviewing candidates for positions that had already been filled. To support their allegations that Wells Fargo violated Section 10(b) of the Securities Act and Rule 10b-5, the plaintiffs identified eleven allegedly false or misleading statements related to Wells Fargo’s hiring program dating back to 2020. Wells Fargo argued that the plaintiffs had not adequately pled scienter, but the court held that plaintiffs had sufficiently alleged that Wells Fargo knowingly made false statements about its hiring practices sufficient to raise a strong inference of scienter. The court therefore denied Wells Fargo’s motion to dismiss.
On July 31, 2024, a three-judge panel of the Eleventh Circuit overturned the district court’s dismissal of a complaint of race discrimination against a City Commission and its Chairman in McCarthy v. City of Cordele, No. 23-11036 (11th Cir. July 31, 2024). The plaintiff sued the City Commission of Cordele, Georgia, and the newly-elected Chairman of the Commission, alleging that he was fired from his position as City Manager because he was white, in violation of Section 1981, Section 1983, Title VII, and the Equal Protection Clause of the Fourteenth Amendment. The district court granted the defendants’ motion to dismiss, holding that the plaintiff’s allegations did not support an inference of a racially discriminatory motive because the plaintiff did not adequately allege that the Commissioners who voted to fire him acted with a discriminatory intent, even though they were acting at the urging of the non-voting Chairman. The Eleventh Circuit found that the district court erred in separating the official actions of the Chairman from those of the Commission but that it correctly dismissed the claims against the Chairman in his individual capacity. The court therefore reversed the district court in part and remanded for further proceedings.
Media Coverage and Commentary:
Below is a selection of recent media coverage and commentary on these issues:
- Wall Street Journal, “The Activist Pushing Companies to Ditch Their Diversity Policies” (August 3): The Wall Street Journal’s Joseph Pisani and Chip Cutter profile conservative activist Robby Starbuck, who has leveraged his 500,000 followers on X to rally opposition against DEI initiatives at various companies. Pisani and Cutter report that Starbuck’s criticism has led companies such as Tractor Supply and John Deere to scale back their DEI efforts, and that his newest target is Harley-Davidson, with additional companies also in his sights. In his campaign against Harley-Davidson, Starbuck criticized the company for its support of LGBTQ+ causes and its “total commitment to DEI policies.” According to Starbuck, “Everybody should just go to work, do their job, go home. You want to be an activist in your personal time? That’s your business.”
- Forbes, “Amid DEI Backlash, Support From Workers Drops Slightly – But Remains Strong” (August 5): Forbes’ Jena McGregor reports on a recent shift in support for DEI initiatives amid growing political scrutiny. McGregor highlights a survey conducted by Seramount, a DEI consulting firm, which queried 3,000 employees about their perspectives on DEI efforts. McGregor says the survey reveals that while overall support for DEI remains robust, with 76% of respondents expressing a personal commitment to advancing DEI in their workplaces, this figure has decreased from 83% in 2021. Additionally, McGregor reports that Black employees’ views of their managers’ inclusion efforts have improved, with 70% describing their managers as inclusive in 2024, up from 65% in 2021. In contrast, the percentage of white employees who view their managers as inclusive fell from 74% in 2021 to 68% this year.
- Wall Street Journal, “The Fight Against DEI Programs Shifts to Medical Care” (August 14): The Wall Street Journal’s Theo Francis and Melanie Evans report on a civil rights complaint filed against the Cleveland Clinic by Wisconsin Institute for Law and Liberty (WILL). The complaint alleges that the Cleveland Clinic discriminates on the basis of race by operating a program to prevent and treat strokes and other conditions in Black and Latino patients. WILL filed the complaint on behalf of Do No Harm, a “membership group for medical professionals and others opposing diversity, equity and inclusion initiatives.” Francis and Evans note that “[t]he allegation pushes the fight against race-based programs into untested legal territory, arguing that healthcare providers can’t use racial and ethnic demographics to target treatment, preventive care or patient education.” According to Gibson Dunn partner and co-head of the firm’s Labor and Employment practice group Jason Schwartz, telling medical institutions that they cannot help minority populations address significant medical risks could prove to be a tough sell. Schwartz says “[t]he rule is not that you have to help everyone or no one, whether it’s a charitable endeavor or a public health priority. That would shut down an awful lot of good works.”
Case Updates:
Below is a list of updates in new and pending cases:
1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:
- Do No Harm v. American Association of University Women, No. 1:24-cv-01782 (D.D.C. 2024): On June 20, 2024, Do No Harm filed a complaint against the American Association of University Women (AAUW), alleging that the organization is violating Section 1981 by providing “Focus Group Professions Fellowships” to only “women from ethnic minority groups historically underrepresented in certain fields within the United States: Black or African American, Hispanic or Latino/a, American Indian or Alaskan Native, Asian, and Native Hawaiian or Other Pacific Islander.” Do No Harm is seeking a temporary restraining order and preliminary injunction prohibiting AAUW from closing the application window for the fellowships, and a permanent injunction prohibiting AAUW from considering race when selecting grant recipients.
- Latest update: On August 2, 2024, AAUW filed its opposition to the plaintiff’s motion for a TRO and preliminary injunction, arguing that Do No Harm lacks standing, that the fellowship program is protected by the First Amendment, and that the program is a valid affirmative action program.
- Do No Harm v. Gianforte, No. 6:24-cv-00024-BMM-KLD (D. Mont. 2024):On March 12, 2024, Do No Harm filed a complaint on behalf of “Member A,” a white female dermatologist in Montana, alleging that a Montana law violates the Equal Protection Clause by requiring the governor to “take positive action to attain gender balance and proportional representation of minorities resident in Montana to the greatest extent possible” when making appointments to the twelve-member Medical Board. Do No Harm alleges that since the ten already-filled seats are currently held by six women and four men, Montana law requires that the remaining two seats be filled by men, which would preclude Member A from holding the seat. On May 3, 2024, Governor Gianforte moved to dismiss the complaint for lack of subject matter jurisdiction, arguing that Do No Harm lacks standing because Member A has not applied for or been denied any position. Gianforte also argued that the plaintiff’s pre-enforcement challenge was not ripe because his administration does not interpret the statute as a quota. On May 24, 2024, Do No Harm filed an amended complaint, describing additional Members B, C, and D, who are each “qualified, ready, willing, and able to be appointed” to the board. On June 7, Gianforte moved to dismiss the amended complaint, arguing again that the pseudonymous members lacked standing and that the case still was not ripe because the statute imposed only reporting requirements regarding diversity, so it posed no threat to the new members. On June 28, Do No Harm opposed the motion, asserting that the case is ripe and the members have standing because they will be disadvantaged in applications for upcoming openings, given the existing composition of the Board and the statute’s requirement to take “positive action” to achieve gender and racial balance.
- Latest update: On July 26, 2024, Governor Gianforte filed a reply in support of his motion to dismiss, reiterating his standing and ripeness arguments.
2. Employment discrimination and related claims:
- Wood v. Red Hat, Inc., No. 2:24-cv-237-REP (D. Idaho 2024): On May 8, 2024, a white male former employee sued Red Hat, Inc., a subsidiary of IBM. In his complaint, the plaintiff alleges that his role was terminated “as a direct result of Red Hat’s DEI policies and efforts to diversify the workforce” and claims that, of the group of employees who were terminated at the same time, “21 of the total 22 individuals were white, and 21 were male.” The plaintiff alleges that he was retaliated against for opposing his employer’s stated goals of increasing diversity, which included setting hiring quotas of 30% female employees globally and 30% employees of color in the United States by 2028. The plaintiff brought claims under Title VII, Section 1981, and the Family and Medical Leave Act.
- Latest update: On July 29, 2024, the defendant filed a motion to compel arbitration and stay proceedings, arguing that the parties had a valid arbitration agreement that covers the dispute.
- Beneker v. CBS Studios, Inc., et al., No. 2:24-cv-01659 (C.D. Cal. 2024): On February 29, 2024, a heterosexual, white male writer represented by AFL, sued CBS, alleging that its de facto hiring policy discriminated against him on the bases of sex, race, and sexual orientation. In his complaint, the plaintiff alleges that CBS violated Section 1981 and Title VII by refusing to hire him as a staff writer on the TV show “Seal Team,” instead hiring several black writers, female writers, and a lesbian writer. The plaintiff is requesting a declaratory judgment that CBS’s de facto hiring policy violates Section 1981 and/or Title VII, injunctions barring CBS from continuing to violate Section 1981 and Title VII and requiring CBS to offer him a full-time job as a producer, and damages. CBS filed a motion to dismiss on June 24, 2024, arguing that the First Amendment protects its hiring choices and that two out of three of the plaintiff’s Section 1981 claims were untimely. The plaintiff opposed on July 15, 2024, arguing that the First Amendment does not protect hiring decisions, even if CBS is engaged in a creative enterprise.
- Latest update: On July 29, 2024, CBS filed a reply in support of its motion to dismiss, reiterating its First Amendment and Section 1981 arguments.
- Peters v. Federal Reserve Bank of Cleveland, No. 1:24-cv-01314 (N.D. Ohio 2024): On July 31, 2024, a plaintiff filed a lawsuit under Title VII alleging that the Federal Reserve Bank of Cleveland had denied him a series of promotions and instead promoted candidates from minority backgrounds, even though he was more qualified than those candidates. The plaintiff is seeking a permanent injunction preventing the bank from continuing to implement its allegedly discriminatory policies and ordering the bank to promote the plaintiff and pay him monetary damages.
- Latest update: The docket does not reflect that the defendant has been served.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following practice leaders and authors:
Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, [email protected])
Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, [email protected])
Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, [email protected])
Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, [email protected])
Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, [email protected])
Blaine H. Evanson – Partner, Appellate & Constitutional Law Group
Orange County (+1 949-451-3805, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Trey Cox is the author of “How the COVID Experience is Transforming Juror Attitudes Toward Corporate Defendants and What Lawyers Can Do About It” [PDF] published by The Texas Lawbook on August 22, 2024.
Jason Cabral, Matt Gregory and Rosemary Spaziani are the authors of “Key Concerns To Confront In FDIC Brokered Deposit Proposal” [PDF] published by Law360 on August 23, 2024.
In re Dallas County, No. 24-0426 – Decided August 23, 2024
Today, the Texas Supreme Court rejected a challenge to the constitutionality of the new Fifteenth Court of Appeals, which has exclusive, statewide jurisdiction over appeals involving the State and from the State’s new Business Court.
“Given the text, as well as our constitutional history and tradition, we cannot conclude that the legislature exceeded its authority in enacting S.B. 1045 and creating the Fifteenth Court.”
Justice Young, writing for the Court
Background:
In 2023, the Texas Legislature passed S.B. 1045, which created the Fifteenth Court of Appeals—a new intermediate appellate court with exclusive, statewide jurisdiction over appeals (1) involving the State, and (2) from Texas’s newly created Business Court.
In March 2023, Dallas County and its sheriff sued the Texas Health and Human Services Commission over the agency’s alleged failure to transfer inmates adjudicated incompetent to stand trial to state hospitals. The State appealed the denial of its plea to the jurisdiction to the Third Court of Appeals. Seeking to block the transfer of the State’s appeal to the Fifteenth Court, Dallas County filed a writ of injunction in the Texas Supreme Court, arguing that the Legislature’s creation of the new court violated several provisions of the Texas Constitution.
Issue:
Did the Legislature exceed its constitutional authority in enacting S.B. 1045 and creating an intermediate appellate court with exclusive, statewide jurisdiction over appeals involving the State and from the Business Court?
Court’s Holdings:
No. The Legislature’s creation of a specialized court of appeals with exclusive, statewide jurisdiction was entirely consistent with the Texas Constitution’s text and history.
What It Means:
- The Fifteenth Court—composed of Chief Justice Scott Brister and Justices Scott Field and April Farris—will open for business as planned in September.
- Initially, the court’s docket will comprise appeals of cases brought by or against the State. Under Texas Rule of Appellate Procedure 27a, all such appeals filed after September 1, 2023 will be automatically transferred to the Fifteenth Court on August 30.
- The Fifteenth Court will also have exclusive jurisdiction over appeals from the newly created Business Court, which will begin hearing cases September 1.
Gibson Dunn lawyers Brad Hubbard, Kathryn Cherry, John Adams, Elizabeth A. Kiernan, Stephen Hammer, Jessica Lee, Zachary Carstens, and Jaime Barrios submitted an amicus brief on behalf of the Texas Business Law Foundation in support of Real Parties in Interest: In re Dallas County
The Court’s opinion is available here.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Texas Supreme Court. Please feel free to contact the following practice group leaders:
Appellate and Constitutional Law Practice
| Thomas H. Dupree Jr. +1 202.955.8547 [email protected] |
Allyson N. Ho +1 214.698.3233 [email protected] |
Julian W. Poon +1 213.229.7758 [email protected] |
| Brad G. Hubbard +1 214.698.3326 [email protected] |
Related Practice: Texas General Litigation
| Trey Cox +1 214.698.3256 [email protected] |
Collin Cox +1 346.718.6604 [email protected] |
Gregg Costa +1 346.718.6649 [email protected] |
| Andrew LeGrand +1 214.698.3405 [email protected] |
Russ Falconer +1 346.718.3170 [email protected] |
This alert was prepared by Texas associates Elizabeth Kiernan, Stephen Hammer, Jessica Lee, Zachary Carstens, and Jaime Barrios.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
From the Derivatives Practice Group: This week, ESMA published the Guidelines on funds’ names using sustainability-related terms in all official EU languages. National competent authorities must inform ESMA by October 21 of their compliance with the Guidelines.
New Developments
- CFTC Staff Issues No-Action Letter for EU-Based and UK-Based DCOs Regarding Certain Requirements Applicable to DCOs. On August 23, the CFTC’s Division of Clearing and Risk (DCR) issued a no-action letter to address the applicability of certain CFTC regulations to registered derivatives clearing organizations (“DCOs”) based in either the EU or the UK. This letter replaces CFTC Letter 16-26, which applied only to EU-based DCOs and was issued in 2016 as part of the CFTC’s response to the EU equivalence determination with regard to the CFTC’s regulatory framework for DCOs. DCR has updated CFTC Letter 16-26 to explicitly apply it to UK-based DCOs post-Brexit. [NEW]
- CFTC Approves a Joint Rule Proposal to Establish Technical Data Reporting Standards. On August 8, the CFTC voted to jointly propose and request public comment on the establishment of technical data reporting standards with other financial regulatory agencies. The proposal would establish uniform data standards for the collections of information reported to the CFTC, Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Consumer Financial Protection Bureau, Federal Housing Finance Agency, Securities and Exchange Commission, and the Department of the Treasury. The proposal would also establish uniform data standards for data collected from these financial regulatory agencies on behalf of the Financial Stability Oversight Council. According to the CFTC, the proposed standards would promote interoperability of financial regulatory data across the financial regulatory agencies through the adoption of common identifiers for legal entities, financial instruments, and other data. In addition to proposing the use of common identifiers, the proposal would also further standardize the format and transmission of data to financial regulatory agencies. The CFTC explained that the proposed rule is part of the implementation of the Financial Data Transparency Act of 2022 (“FDTA”); although the CFTC is not specifically referenced in the FDTA, the Secretary of the Treasury designated the CFTC as a covered agency on May 3, 2024. Comments on the proposal are due 60 days following publication in the Federal Register.
- CFTC Exempts Additional Singapore Recognized Market Operators from SEF Registration Requirements. On August 2, the CFTC announced it unanimously approved an amended order that exempts two recognized market operators (“RMO”s) authorized within Singapore from CFTC swap execution facility (“SEF”) registration requirements. The exempted RMOs are FMX Securities (Singapore) Pte. Limited and LMAX Pte. Ltd. Section 5h(g) of the Commodity Exchange Act provides that the CFTC may grant such an exemption if it finds that a foreign SEF is subject to comparable, comprehensive supervision and regulation by the appropriate governmental authorities in the facility’s home country. Likewise, the CFTC may revoke exempt status when a facility is no longer authorized or in good standing in its home country.
New Developments Outside the U.S.
- ESMA Publishes Translations of its Guidelines on Funds’ Names. On August 21, ESMA published the translations in all official EU languages of its Guidelines on funds’ names using ESG or sustainability-related terms. National competent authorities must notify ESMA by October 21 2024 whether they (i) comply, (ii) do not comply, but intend to comply, or (iii) do not comply and do not intend to comply with the guidelines. [NEW]
- ESAs’ Joint Board of Appeal Allows the Appeal Lodged by NOVIS and Remits the Case to EIOPA. On August 13, the Joint Board of Appeal of the European Supervisory Authorities (“ESAs”) unanimously decided that the appeal brought by NOVIS against the European Insurance and Occupational Pensions Authority (“EIOPA”) is admissible. The appeal was brought in relation to the EIOPA decision not to grant access to documents, which were requested by NOVIS. In its decision, the board of appeal acknowledged that requests for access to documents laid out in Regulation No 1049/2001 can be dismissed by way of exceptions to protect certain public and private interests.
- ESMA Recognizes CDS Clearing and Depository Services as Tier 1 CCP Following MoU with the British Columbia Securities Commission. On August 13, ESMA signed a Memorandum of Understanding (“MoU”) with the British Columbia Securities Commission and updated its list of recognized third-country central counterparties (“CCPs”) under the European Markets Infrastructure Regulation (“EMIR”). The MoU establishes cooperation arrangements, including the exchange of information, regarding CCPs that are established in Canada and authorized or recognized by the British Columbia Securities Commission, and which have applied for EU recognition under EMIR.
- ESAs’ Joint Board of Appeal Dismisses Appeal by Euroins Insurance Group AD Against the European Insurance and Occupational Pensions Authority. On August 7, the Joint Board of Appeal of the ESAs unanimously decided that the appeal brought by Euroins Insurance Group AD (“Euroins”) against the EIOPA is inadmissible. In its decision, the board of appeal found that EIOPA’s power to initiate an investigation is of an entirely discretionary nature. Furthermore, the board of appeal also asserted that the EIOPA Chairperson’s decision to initiate an investigation is not subject to the board of appeal’s review. Finally, the decision clarified that the board of appeal does not have the power to order EIOPA to re-assess an appellant’s request to open an investigation.
- ESMA Publishes Data for Quarterly Bond Liquidity Assessment and the Systematic Internalizer Calculations. On August 1, ESMA published the new quarterly liquidity assessment of bonds and the data for the quarterly systematic internalizer calculations for equity, equity-like instruments, bonds and for other non-equity instruments under MiFID II and MiFIR.
New Industry-Led Developments
- ISDA Letter on FICC’s Proposed Rulebook Changes. On August 1, ISDA submitted a letter to the SEC in response to the Fixed Income Clearing Corporation’s (“FICC”) proposed changes to its Government Securities Division Rulebook in accordance with the Securities Exchange Act of 1934. The comment letter addresses FICC’s proposal to modify its trade submission rules in relation to mandatory clearing of certain US Treasury transactions. The proposed rule changes: (i) adopt a requirement that each netting member must submit all eligible secondary market transactions to which it is a counterparty to FICC for clearance and settlement; (ii) adopt new initial and ongoing membership requirements and other measures to facilitate FICC’s ability to monitor a netting member’s compliance with the trade submission requirement; (iii) adopt disciplinary measures to address a netting member’s failure to comply with the trade submission requirement; and (iv) modify the FICC rules to facilitate the trade submission requirement.
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])
Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])
Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])
Darius Mehraban, New York (212.351.2428, [email protected])
Jason J. Cabral, New York (212.351.6267, [email protected])
Adam Lapidus – New York (212.351.3869, [email protected] )
Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])
William R. Hallatt , Hong Kong (+852 2214 3836, [email protected] )
David P. Burns, Washington, D.C. (202.887.3786, [email protected])
Marc Aaron Takagaki , New York (212.351.4028, [email protected] )
Hayden K. McGovern, Dallas (214.698.3142, [email protected])
Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
City of Los Angeles v. PricewaterhouseCoopers LLP, S277211 – Decided August 22, 2024
The California Supreme Court unanimously rejected the argument that courts may impose monetary sanctions only for discrete instances of misconduct outlined in the provisions of the Civil Discovery Act governing specific discovery methods. It held that the Act instead gives courts independent authority to impose sanctions for discovery abuses and patterns of discovery abuse beyond those specific provisions.
“Under the general sanctions provisions of the Civil Discovery Act, Code of Civil Procedure sections 2023.010 and 2023.030, the trial court had the authority to impose monetary sanctions for the City’s pattern of discovery abuse. The court was not limited to imposing sanctions for each individual violation of the rules governing depositions or other methods of discovery.”
Justice Kruger, writing for the Court
Background:
The Civil Discovery Act contains several provisions authorizing courts to impose sanctions on parties engaged in particular forms of discovery misconduct, such as unsuccessfully opposing a motion to compel interrogatory responses or responses to a demand for inspection. It also contains a more general provision, in addition to those method-specific provisions, stating that a “court may impose a monetary sanction ordering that one engaging in the misuse of the discovery process” “pay the reasonable expenses, including attorney’s fees, incurred by anyone as a result of that conduct.” Cal. Civ. Code § 2023.030. The statute includes a non-exhaustive list of discovery abuses, such as making an evasive response or disobeying a court order to provide discovery. Id. § 2023.010.
In 2010, the City of Los Angeles retained PwC to modernize the City’s Department of Water and Power (LADWP) billing system. After several LADWP customers sued the City for billing errors, the City sued PwC, alleging that PwC had misrepresented its qualifications to undertake the project. One month after the City filed its lawsuit, a putative class action was filed against the City on behalf of overbilled LADWP customers. Shortly thereafter, the City entered into a settlement with the putative class in which it agreed to pay the costs of remediating billing errors and $19 million in attorney’s fees.
It was eventually revealed that counsel for the City had engineered the class litigation and sham settlement to extort tens of millions of dollars from PwC. Yet the City engaged in more than two and a half years of discovery misconduct, such as asserting privileges in bad faith, refusing to comply with court orders requiring the production of documents, and lying to the court and to opposing counsel, in a concerted effort to cover up its fraudulent scheme—misconduct that has led to the federal guilty pleas and convictions of several former officials and lawyers for the City. After its discovery misconduct came to light and on the cusp of having to disclose further evidence of its wrongdoing, the City dismissed with prejudice its claims against PwC.
The trial court awarded PwC $2.5 million in sanctions under Code of Civil Procedure sections 2023.030 and 2023.010, as well as the court’s inherent authority. But the Court of Appeal majority, over a dissent by Justice Grimes, reversed, holding that the Civil Discovery Act gives courts authority to impose monetary sanctions only for conduct described by other, method-specific provisions of the Civil Discovery Act that authorize sanctions for particular misuses of the discovery process.
Issue Presented:
Is courts’ authority to impose monetary sanctions for misuse of the discovery process limited to the particular circumstances expressly delineated in a method-specific provision of the Civil Discovery Act authorizing sanctions for particular forms of discovery misuse?
Court’s Holding:
No. When confronted with a form or pattern of discovery abuse not addressed by a method-specific provision of the Civil Discovery Act authorizing sanctions for a particular form of discovery misuse, courts may impose monetary sanctions under sections 2023.030 and 2023.010, which give courts independent sanctioning authority.
What It Means:
- Under the Court’s decision, courts are independently authorized to impose monetary sanctions for discovery abuses, especially systemic patterns of abuse, extending beyond the discrete forms of misconduct identified in method-specific provisions of the Civil Discovery Act, such as unsuccessfully opposing a motion to compel interrogatory responses or responses to a demand for inspection.
- The Court clarified, however, that courts should ordinarily look to the particular limitations and procedures set forth in method-specific provisions of the Act, and should invoke their independent authority to impose monetary sanctions under sections 2023.010 and 2023.030 to redress forms of discovery abuse, or patterns of abuse, not addressed or adequately addressed by a method-specific provision of the Act authorizing sanctions for a particular form of discovery misuse.
- Before imposing monetary sanctions, courts should abide by the procedures outlined elsewhere in the Act, such as affording the party accused of engaging in discovery misconduct notice and an opportunity to be heard and considering whether the party had acted with substantial justification.
- Although the Court did not address whether courts also had the inherent authority to impose monetary sanctions for discovery misconduct, it disapproved one Court of Appeal decision holding that courts lack inherent authority to impose monetary sanctions for discovery abuses.
Gibson Dunn lawyers Julian W. Poon, Daniel J. Thomasch, Samuel Eckman, and Ryan Azad represented PricewaterhouseCoopers LLP.
The Court’s opinion is available here.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the California Supreme Court. Please feel free to contact the following practice group leaders:
Appellate and Constitutional Law Practice
| Thomas H. Dupree Jr. +1 202.955.8547 [email protected] |
Allyson N. Ho +1 214.698.3233 [email protected] |
Julian W. Poon +1 213.229.7758 [email protected] |
| Lucas C. Townsend +1 202.887.3731 [email protected] |
Bradley J. Hamburger +1 213.229.7658 [email protected] |
Michael J. Holecek +1 213.229.7018 [email protected] |
Related Practice: Litigation
| Theodore J. Boutrous, Jr. +1 213.229.7804 [email protected] |
Theane Evangelis +1 213.229.7726 [email protected] |
This alert was prepared by Julian W. Poon, Samuel Eckman, Daniel R. Adler, Ryan Azad, Matt Aidan Getz, and Lindsay Laird.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
A dichotomy in enforcement: a continued aggressive enforcement agenda tempered by litigation setbacks.
I. INTRODUCTION
The first half of 2024 reflected a dichotomy in SEC enforcement. On one hand, the Enforcement Division continued to pursue an aggressive enforcement agenda, including a number of notable enforcement actions, and continued demand for heightened penalties. On the other hand, the Commission incurred a number of significant litigation setbacks with potentially broad implications for the SEC’s enforcement program.
A. Notable Enforcement Activity
In the first half of 2024, the SEC won a significant insider trading litigation and continued to recover unprecedent penalties as part of its sweep activities relating to recordkeeping and whistleblower protections rules.
Shadow Trading Victory
In April 2024, the SEC won its trial against Matthew Panuwat, in a highly publicized insider trading case relating to a novel “shadow trading” theory. The SEC alleged that Panuwat’s trading in a competitor company (Incyte)—which was critically not the subject of the inside information that he received concerning the proposed acquisition of his company (Medivation)—constituted trading on the basis of material non-public information. In denying Panuwat’s motion for summary judgment, the Court held that a jury could find that information concerning Medivation was material to Incyte on the basis that Incyte had a “market connection” to Medivation. The Court also held that a jury could find that Panuwat breached a fiduciary duty when trading (a necessary component of a misappropriation theory of insider trading) on three potential grounds: (i) Medivation’s insider trading policy, which broadly prohibited trading in any company on the basis of confidential information; (ii) Medivation’s confidentiality policy; and (iii) Panuwat’s general duties as an employee of Medivation. As we described in our alert, although the SEC described its theory as standard insider trading, there is no doubt that Panuwat expanded potential insider trading liability, with broad implications for future civil and criminal enforcement.
Recordkeeping
To date, in 2024, the SEC has brought three additional rounds of settlements with broker-dealers and investment advisers as part of its ongoing sweep relating to recordkeeping and off-channel communications. Firms have paid a combined total of over $480 million in penalties in 2024, and over $3 billion in fines as part of the overall sweep. Each of the firms have also agreed to retain independent compliance consultants to conduct comprehensive reviews of their implementation and enforcement of policies and procedures related to the retention of electronic communications on personal devices. Notably, the firms admitted the facts in the SEC’s orders.
- In February, the SEC announced settled charges against five broker-dealers, seven dually registered broker-dealers and investment advisers, and four affiliated investment advisers for failing to maintain and preserve electronic communications.[1]
- In April, the SEC announced settled enforcement charges against a registered investment adviser for alleged recordkeeping and ethics code violations.[2]
- In August, the SEC announced settled charges against 26 broker-dealers, investment advisers, and dually-registered broker-dealers and investment advisers.[3]
The SEC has used its recordkeeping sweep enforcement efforts as an example of the benefits of cooperation. In his remarks at SEC Speaks in April, Deputy Director of Enforcement Sanjay Wadhwa noted that self-reporting is “the most significant factor in moving the needle on penalties” in the recordkeeping matters.[4] In its August announcement, the SEC noted that three of the firms paid significantly lower civil penalties, ranging from $400,000 to $1.6 million, as a result of self-reporting, which Director of Enforcement Gurbir Grewal described as “demonstrating once again the real benefits of proactive cooperation.”[5]
Whistleblower Protection
In 2024, the SEC has also continued to expand the scope of what it interprets as a violation of whistleblower protection rules under Exchange Act Rule 21F. In January, the SEC announced settled charges against a broker-dealer for allegedly violating Rule 21F not with respect to its employees, but to its clients.[6] Moreover, the information that the broker-dealer allegedly forbade individuals from disclosing did not relate broadly to the broker-dealer’s operations or financial undertakings, but instead related narrowly to the contents of specific release agreements between the clients and the broker-dealer. The SEC order alleged that, from March 2020 to July 2023, the broker-dealer asked retail clients to sign release agreements through which clients promised “not to sue or solicit others to institute any action or proceeding against [the broker-dealer] arising out of events concerning the Account.” With respect to the alleged Rule 21F violations, the release agreements included a clause requiring clients to “keep t[he] Agreement confidential and not use or disclose the allegations, facts, contentions, liability, damages, or other information relating in any way to the Account, including but not limited to, the existence or terms of t[he] Agreement.” Though the clause also included a carveout that “neither prohibited nor restricted [clients] from responding to any inquiry about t[he] settlement or its underlying facts by FINRA, the SEC, or any other government entity,” the SEC alleged that the carveout was not expansive enough, and that the release agreements nonetheless prohibited clients from “affirmatively reporting” information to the Commission staff. Without admitting or denying the SEC’s findings, the broker-dealer agreed to pay an $18 million civil penalty.
The above enforcement action marks yet another instance where the SEC expanded the scope of the types of conduct it perceives as violating Rule 21F. For example, even confidentiality agreements between an entity and its external clients (as opposed to internal employees with more intimate knowledge of the entity) are subject to the rule. Moreover, it seems that any confidentiality clause, regardless of how narrow its scope, may fall within the seemingly expanding contours of whistleblower protection. Though it is unclear from publicly available materials whether the confidentiality clause in the above action related narrowly to the information in the release agreement and its underlying facts, or more broadly to any information about the clients’ accounts, the SEC’s discussion throughout the order implied that the Commission may require whistleblower carveout clauses for any confidentiality agreement, no matter how narrow.
B. Litigation Setbacks
In June and July 2024, the SEC suffered a number of notable litigation setbacks, including decisive decisions vacating the SEC’s proposed private funds rule and prohibiting the use of the SEC’s in-house courts when seeking civil penalties for fraud. A recent ruling in the SolarWinds case also casts doubt—echoing the sentiments voiced by Commissioners Peirce and Uyeda—on the SEC’s ability to continue to use the internal accounting controls provision as a wide-ranging hammer in enforcement matters.
Private Funds Rule
In June, a unanimous panel of the Fifth Circuit vacated the SEC’s proposed private funds rule. As described in our alert on the ruling, the Court held that the rule exceeded the SEC’s statutory authority. The SEC’s proposed rule would have required a host of restrictions on private funds. Gibson Dunn represented the petitioners in the Fifth Circuit case.
In-House Courts
Also in June, the Supreme Court held 7-3 in SEC v. Jarkesy that the Seventh Amendment requires the SEC to sue in federal court when seeking civil penalties for fraud. As described in our 2023 Mid-Year alert, the Court held that the SEC’s prior use of its in-house adjudication process was unconstitutional. Although the decision may have little impact on pending enforcement actions (given that the SEC has not recently pursued actions in its in-house tribunals), there is no doubt that the decision alters the calculus going forward of whether to settle with the SEC by putting defendants on equal footing with the government before a federal court.
Internal Accounting Controls
In June 2024, the SEC announced settled charges against a public company that was the subject of a ransomware attack for alleged violations of the internal accounting controls and disclosure controls provisions of the federal securities laws.[7] As we described in our alert regarding the action, the SEC’s order, which alleged that the company failed to develop and maintain a system of cybersecurity-related internal accounting controls sufficient to prevent unauthorized access to the company’s information technology systems and networks, is notable for extending the internal controls provisions of Section 13(b)(2)(B) of the Exchange Act to a company’s IT systems. The SEC had previously brought actions in 2020 and 2023 using the same provision to bring cases relating to stock buybacks and Rule 10b5-1 plans. As with those cases, the action brought a strongly-worded dissent from Commissioners Hester Peirce and Mark Uyeda criticizing “the Commission’s decision to stretch the law to punish a company that was the victim of a cyberattack.”[8]
One month later, in a separate ongoing litigation, the United States District Court for the Southern District of New York largely granted SolarWinds’ motion to dismiss the SEC’s claims in a litigation against the company and its former Chief Information Security Officer (CISO) propounding a similar theory of liability. Specifically, as described in our alert concerning the case, the Court dismissed the SEC’s claim that cybersecurity-related deficiencies are actionable under rules relating to internal accounting and disclosure controls. The Court echoed the prior views of Commissioners Peirce and Uyeda, noting that “[a]s a matter of statutory construction, [the SEC’s] reading is not tenable.” The Court’s decision calls into question the SEC’s attempts to adopt an expansive reading of its rules relating to internal accounting controls and disclosure controls.
C. Senior Staffing Update
The Commission has already announced notable staff updates in Fiscal Year 2024 and has also publicized plans to shut down one of its regional offices.
Just before the turn of the year, Mark T. Uyeda was sworn in as a Commissioner for a second term, which expires in 2028.[9] Commissioner Uyeda first joined the SEC in 2006 as a staff member, and subsequently served in various roles—including as Senior Advisor to Chairman Jay Clayton, Senior Advisor to Acting Chairman Michael S. Piwowar, and Counsel to Commissioner Paul S. Atkins—before becoming a Commissioner in 2022. Prior to his service with the SEC, Commissioner Uyeda served as Chief Advisor to the California Corporations Commissioner and worked as an attorney for several law firms.
In June, the SEC announced the appointment of Erica Y. Williams to a second term as Chair of the Public Company Accounting Oversight Board (PCAOB), which will run from October 25, 2024, and through October 24, 2029.[10] Prior to joining the PCAOB in January 2022, Chair Williams was a litigation partner at a law firm, and had previously served in various roles at the SEC, including as Deputy Chief of Staff to three former SEC Chairs and Assistant Chief Litigation Counsel in the SEC’s Division of Enforcement trial unit. Chair Williams also served as Special Assistant and Associate Counsel to President Barack Obama.
There were also several changes at the senior staff level and in regional leadership, including within the Division of Investment Management, Office of the Advocate for Small Business Capital Formation, Office of Minority and Women Inclusion, and other policy and office directors:
- In January, Stacey Bowers was named director of the SEC’s Office of the Advocate for Small Business Capital Formation (OASB), which was formed in January 2019 as an independent office aimed to promote the interests of small businesses and their investors during the capital formation process.[11] This is not Ms. Bowers’ first time serving with the Commission; she began her legal career at the SEC as a staff attorney in the Division of Corporation Finance before leaving for private practice. From 2007 until becoming the Director of OASB, Ms. Bowers was a law professor at the University of Denver’s Sturm College of Law and served as the Director of the Corporate and Commercial Law Program since 2018.
- In March, Natasha Vij Greiner, the former Deputy Director of the Division of Examinations, became Director of the Division of Investment Management, which regulates investment advisers and investment companies.[12] Greiner has served in various roles in the SEC for over 22 years including Acting Chief Counsel and Assistant Chief Counsel in the Division of Trading and Markets. As Director of the Division of Investment Management, Ms. Greiner replaced William Birdthistle, who joined the SEC in December 2021 and oversaw the adoption of major rulemakings related to public and private funds. Mr. Birdthistle left the SEC to teach law at the University of Chicago.
- In May, the SEC announced the appointment of Nathaniel H. Benjamin to be the Director of the Office of Minority and Women Inclusion (OMWI) and replace Allison Wise, who is OMWI’s Deputy Director and had been serving as Acting Director since October 2023.[13] Benjamin previously served as Chief Diversity and Inclusion Officer of AmeriCorps and Deputy Chief Human Capital Officer at the Department of Education, and also served in similar roles at the Office of Management and Budget and the U.S. Department of State.
- In May, the SEC named Tina Diamantopoulos as Director of the Chicago Regional Office.[14] Diamantopoulos joined the Enforcement Division in the Chicago Regional Office in 1994, and has since served in various roles, including Branch Chief, Senior Special Counsel in the Examinations Division, Counsel to the Regional Director, and Associate Director for the regional broker-dealer examination program.
- In May, the SEC announced the departure of Policy Director Heather Slavkin Corzo, who joined the SEC in April 2021 to lead the policy team, and who oversaw the proposal and adoption of almost 40 rulemakings.[15] Corey Klemmer, who joined the SEC in 2021 and served as the former Corporation Finance Counsel to Chairman Gary Gensler, was appointed to fill Ms. Corzo’s role.
Separately, the SEC announced the pending closure of its Salt Lake Regional Office (SLRO), which is expected to occur later this year due to budget and organizational efficiency concerns.[16] Current SLRO staff will be aligned to existing SEC organizational components upon the office’s closure, and the enforcement jurisdiction over the state of Utah will be shifted to the SEC’s Denver Regional Office. The Commission said it has no plans to close any additional regional offices.
II. PUBLIC COMPANY ACCOUNTING, FINANCIAL REPORTING, AND DISCLOSURE
A. Financial Reporting
In February, the SEC announced settled accounting fraud charges against a China-based technology company, whose American depositary shares formerly traded on the New York Stock Exchange, for allegedly violating antifraud, reporting, recordkeeping, and internal controls provisions of the federal securities laws.[17] According to the SEC’s order, from May 2021 through February 2022, two senior managers of the company allegedly orchestrated a fraudulent scheme to prematurely recognize revenue on service contracts, and to improperly recognize revenue on contracts for which the company had not completed work. The SEC alleged that as a result of the managers’ alleged misconduct, the company overstated its unaudited financial results for the second and third quarters of 2021 and its announced revenue guidance for the fourth quarter of 2021. Without admitting or denying the allegations, the company agreed to cease and desist from further violations of the charged securities laws. The SEC did not impose civil penalties because the company self-reported the accounting issues, provided extensive cooperation, and took remedial measures, including firing or disciplining those involved in the alleged scheme, reorganizing departments engaged in the misconduct, strengthening accounting controls, and recruiting new finance and accounting staff.
In March, the SEC announced settled charges against a California-based footwear company for violations of related person transaction disclosure requirements, as well as reporting and proxy solicitation provisions, of the federal securities laws.[18] The SEC’s order alleged that, from 2019 through 2022, the company allegedly failed to disclose payments for the benefit of its executives and their immediate family members, the company’s employment of two relatives of its executives, and a consulting relationship involving an individual sharing a household with a company executive. The company allegedly further failed to disclose that two of its four executives owed more than $120,000 to the company for multiple years in relation to personal expenses paid for by the company, but subject to reimbursement by the executives. Without admitting or denying the SEC’s allegations, the company agreed to pay a $1.25 million civil penalty.
B. Public Statements and Disclosures
In January, the SEC announced settled charges against a U.S.-based special purpose acquisition company (SPAC) for allegedly making misleading statements in forms filed with the SEC as part of its January 2021 initial public offering (IPO).[19] The SEC’s order alleged that, despite a statement in the SPAC’s SEC filings that the company had not initiated any substantive discussions with potential target companies prior to the IPO, the SPAC discussed a potential business combination with a target company starting in December 2020. The SEC’s order further alleged that, after announcing a merger agreement with the target company, the SPAC did not adequately disclose its interactions with the target company in its Form S-4 filings. Without admitting or denying the allegations, the SPAC agreed to pay a $1.5 million penalty in the event it closes a merger transaction.
In February, the SEC filed fraud charges against the former CEO and co-founder of a Florida-based advertising technology company for allegedly making materially misleading false statements on social media regarding the company’s financial and performance metrics to elevate the company’s stock price.[20] The SEC’s complaint alleges that, shortly after the company’s May 2021 initial public offering, the former CEO submitted a post on social media that misrepresented company revenues to be between $10 million and $20 million, even though the company was set to report $17,450 in revenue for 2021. Soon thereafter, the former CEO allegedly falsely misrepresented in a YouTube interview that the company was entering into a new contract with the founder of a restaurant chain, though no contract existed and no related discussions had taken place. The SEC’s complaint further alleges that, in August 2021 when the company’s stock price opened at its lowest level in almost two months, the former CEO made misleading false statements on social media and in a company-issued press release that the company’s projected available advertising inventory for 2021 as more than $100 million, when at the time the company had less than $5 million in advertising inventory. The SEC‘s complaint, which is continuing to litigations, seeks a permanent injunction, an officer-and-director bar, and a civil penalty against the former CEO.
In late February, the SEC announced settled charges against an American electric vehicle automaker for violations of antifraud, proxy, and reporting provisions of the federal securities laws by allegedly misleading investors about the company’s flagship electric vehicle.[21] The SEC’s order alleged that the company exaggerated demand for the vehicle by obtaining over 100,000 “pre-orders” from non-serious customers that never intended to purchase the vehicles. The SEC’s order also alleged that the company misrepresented the delivery timeline for the vehicle by failing to account for production delays, partially due to the company’s inability to access critical parts. Though the SEC’s investigation remains ongoing, the company agreed—without admitting or denying the SEC’s findings—to pay disgorgement of $25.5 million, subject to bankruptcy court approval.
The SEC also announced settled charges in a related administrative proceeding against the company’s former auditor for violating auditor independence standards.[22] The SEC’s order alleged that, prior to the company becoming public in 2020 through merging with a SPAC, the auditor provided certain non-audit services, including financial statement services and bookkeeping, during the company’s audit. The auditor then audited the same financial statements related to the company’s merger with the SPAC, thus allegedly violating auditor independence standards of the SEC and the PCAOB. Without admitting or denying the allegations, the auditor agreed to a censure, a cease-and-desist order, payment of over $80,000 in civil penalties, disgorgement, and certain undertakings to improve policies and procedures.
C. Auditors and Accountants
In May, the SEC announced settled charges against a Colorado-based audit firm and its owner for violations of antifraud, recordkeeping, and other provisions of the federal securities laws, by allegedly failing to comply with PCAOB standards in hundreds of audits and reviews, and in thousands of SEC filings, on behalf of hundreds of clients from January 2021 through June 2023.[23] The SEC’s order alleged that the audit firm and owner misrepresented to clients their compliance with PCAOB standards, fabricated documents to appear compliant, and falsely claimed adequate compliance in over 500 public company SEC filings. With respect to the owner, the SEC’s order alleged that he failed to adequately prepare and maintain audit documentation, resulting in the firm’s lack of quality reviews of audits, and the false documentation of uncompleted work. Without admitting or denying the SEC’s findings, the audit firm and owner settled the charges—agreeing to pay civil penalties of $12 million and $2 million, respectively, and to a permanent accounting bar.
III. INVESTMENT ADVISERS
A. Misleading Statements and Disclosures
In January, the SEC announced settled charges against a Chicago-based registered investment adviser and one of its former partners for allegedly misleading a client regarding investment returns.[24] The SEC order alleged that, in June 2020, the company and the partner misled a public-school pension fund as to the reason for a discrepancy between investment returns. Without admitting or denying the SEC’s findings, the company agreed to settle the charges and pay over $1.5 million in penalties and disgorgement, and the former partner agreed to settle the charges and pay a civil penalty of $30,000.
In February, the SEC announced settled charges against a registered investment adviser for failing to disclose certain details to a client about how it planned to launch the client’s product.[25] The SEC order alleged that, in March 2021, the adviser failed to inform the Board of an exchange-traded fund (ETF) about a social media influencer’s role in the launch of the ETF. The investment adviser also allegedly did not inform the ETF Board about the sliding-scale fee structure under which the provider of the ETF-tracked index would receive a greater proportion of the ETF-paid management fees based on how much the fund grew. Without admitting or denying the SEC’s findings, the investment adviser agreed to settle the charges and pay a $1.75 million civil penalty.
In June, the SEC filed charges against an investment management firm and its founder for allegedly defrauding investors of at least $3 million.[26] The SEC’s complaint alleged that, from 2020 to 2023, the firm and its founder raised at least $3 million from investors by lying about nearly every aspect of the fund, and then used over $1 million on personal expenses, lost more than $1.7 million on high-risk trading and speculative investments, and falsified documents to conceal the trading losses from investors. The firm and its founder settled the civil charges, agreeing to permanent injunctions and to pay disgorgement and civil penalties determined by the court. The company’s founder has also pleaded guilty to related criminal charges brought against him by the U.S. Attorney’s Office for the District of New Jersey.
B. Marketing Rule
In April, the SEC announced settled charges against five registered investment advisers for Marketing Rule violations.[27] The SEC’s orders alleged that the five firms advertised hypothetical performance to the general public on their websites without adopting and implementing policies and procedures reasonably designed to ensure that the hypothetical performance was relevant to the likely financial situation and investment objectives of each advertisement’s intended audience, as required by the Marketing Rule. One of the firms allegedly committed additional securities laws violations by making false and misleading statements in advertisements, failing to enter into written agreements with people it compensated for endorsements, and committing recordkeeping and compliance violations. Without admitting or denying the SEC’s findings, all five firms agreed to settle the charges regarding alleged violations of the Investment Advisers Act of 1940, to pay civil penalties totaling $200,000, and to comply with certain undertakings. Four of the firms received reduced penalties for taking corrective steps in advance of being contacted by the SEC, and they resultingly paid civil penalties ranging from $20,000 to $30,000. The other firm, which was the firm alleged to have committed additional regulatory violations beyond the Marketing Rule violations, agreed to pay a civil penalty of $100,000.
C. Conflicts of Interest
In May, the SEC announced settled charges against a New York-based registered investment adviser and its owner for breaching fiduciary duties by allegedly failing to disclose conflicts of interest and making misleading statements to clients.[28] The SEC’s order alleged that, between September 2017 and October 2021, the company and the owner advised certain clients to invest in films produced by a particular film production company without disclosing that the adviser would receive payments from the production company in exchange for the money the clients invested in the films. The adviser and owner then later allegedly misrepresented to clients that such payments to the owner were for work as an executive producer on the films. The SEC’s order also alleged that the firm and its owner satisfied a redemption request from one client but not from several others submitted at the same time, and that by preferencing one client over the others they violated their fiduciary duties to the other clients. The adviser and owner agreed to settle the charges, which involved alleged violations of the antifraud provisions of the Investment Advisers Act—with the firm agreeing to pay a civil penalty of $200,000, and the owner agreeing to pay disgorgement and penalties totaling more than $750,000.
Also in May, the SEC announced settled charges against a New York-based, formerly registered investment adviser and its co-founder and CEO for making false and misleading statements to investors.[29] The SEC’s orders alleged that, from 2020 to 2022, the firm made a series of materially false and misleading statements about its flagship opportunity fund’s holdings and exposures. The SEC’s orders alleged that these statements were the result of modifications the co-founder and CEO made to underlying portfolio data which was then included in various investor communications. The firm allegedly also did not report to investors a conflict of interest arising from its other co-founder’s operation of a separate hedge fund in China. Without admitting or denying the SEC’s findings, the firm and the co-founder and CEO agreed to settle the charges, which involved alleged violations of the antifraud and compliance provisions of the Investment Advisers Act—with the firm agreeing to pay a civil penalty of $350,000, and the co-founder and CEO agreeing to pay a civil penalty of $250,000 and undergo a 12-month suspension from industry-related work.
D. Beneficial Ownership Rules
In March, the SEC announced settled charges against a New York-based investment adviser for its alleged failure to make timely ownership disclosures in the lead-up to its May 2022 acquisition bid for a publicly traded trucking fleet company.[30] The SEC’s order alleged that the investment adviser increased its position in the trucking company and formed a control purpose no later than April 26, 2022, requiring it to report that information by May 6, 2022, but that it did not do so until May 13, 2022. Additionally, before the time it reported its control purpose, the investment adviser allegedly purchased swap agreements giving it economic exposure to the equivalent of 450,000 more shares of the trucking fleet company’s stock. Further, according to the order, when the investment adviser eventually reported the information, it allegedly proposed to buy all the trucking fleet company’s shares for a sizable premium over the trading price, and the trucking company’s stock price increased significantly. Without admitting or denying the SEC’s findings, the investment adviser settled the charges alleging violations of the beneficial ownership provisions of the Securities Exchange Act of 1934, and agreed to pay a $950,000 civil penalty.
IV. BROKER-DEALERS
A. Regulation Best Interest and Pricing
In February, the SEC announced settled charges against a broker-dealer for failing to comply with Regulation Best Interest (Reg BI), allegedly causing investors to collectively incur hundreds of thousands of dollars in combined expenses.[31] According to the SEC order, the broker-dealer allegedly disclosed to investors that for certain funds it only offered certain share classes, and failed to inform investors that equivalent, lower-cost share classes for affiliated funds were also available. As a result, a portion of investors paid higher expenses for certain funds that they could have avoided by purchasing substantially similar funds. Without admitting or denying the findings, the broker-dealer agreed to pay a combined total of $2.2 million in disgorgement and civil penalties.
We predicted in an alert in June that the SEC would pursue more Reg BI cases, particularly on the conflicts and duty of care elements of the Rule. In late July, the SEC charged a dual registrant for “a risky day trading strategy” one of its registered representatives employed for several of his customers.[32] The trading strategy involved the purchase and sale of options contracts for customers, some of whom had “moderate to conservative risk profiles.” The SEC imposed a relatively small penalty of $140,000, but specifically noted (1) the firm’s cooperation (e.g., disclosing information about conduct the Staff had not yet uncovered, conducting an internal investigation, regularly briefing the Staff regarding its investigation, identifying key documents found in its investigation, and voluntarily providing tables summarizing information from these documents), and (2) the firm’s remediation, including “changes to senior management, the $9 million in financial remediation paid to affected customers, and substantive improvements in [the firm’s] policies and procedures,” as mitigating factors.
B. Disclosure Obligations
In May, the SEC announced settled charges against an American multinational financial services company and nine of its affiliates.[33] According to the SEC order, following a cyber intrusion, the company allegedly failed to alert the appropriate legal and compliance officials promptly. As a result, the company and its affiliates allegedly did not inform the Commission within the required period, violating regulatory disclosure obligations. Without admitting or denying the Commission’s findings, the company and its affiliates consented to the SEC’s order and agreed to pay a $10 million penalty.
In June, the SEC charged three individuals who allegedly engaged in a multi-year scheme defrauding investors by selling unregistered membership interests in LLCs investing in shares of two pre-IPO companies.[34] The complaint alleged that from mid-2019 to early 2022, the individuals directed an unregistered sales force to pressure investors into making investments without disclosing substantial markups on the shares. The individuals further allegedly misled investors by overstating their research capabilities and market projections, violating antifraud and other provisions of the federal securities laws. The complaint seeks permanent injunctive relief, disgorgement, and civil penalties, and litigation is ongoing.
V. CRYPTOCURRENCY AND ARTIFICIAL INTELLIGENCE
The SEC’s enforcement activity in the crypto space has remained active but has slowed compared to past periods and has changed form. In the past, the Commission focused its efforts on enforcing what it does, and does not, believe qualifies as a security under the securities laws. Such enforcement efforts have remained in place, but the SEC now has seemingly begun to shift its enforcement efforts toward entities and individuals it believes are taking advantage of the novelty of the crypto space, and other emerging informational and technological advances, such as artificial intelligence, to secure improper investments and investor proceeds.
A. Cryptocurrency
In January, the SEC charged two individuals with violating the antifraud and registration provisions of the federal securities laws for allegedly operating a crypto asset pyramid scheme.[35] According to the SEC’s complaint, from mid-2020 to early 2022, both individuals allegedly lured investors with promises of high profits despite lacking any genuine revenue source other than the funds received from investors. The complaint seeks permanent injunctive relief, conduct-based injunctions prohibiting the defendants from engaging in multi-level marketing or offering crypto assets, disgorgement, and civil penalties. One of the individuals settled the charges and agreed to pay disgorgement and civil penalties to be announced at a later court date.
In February, the SEC charged a company and its founder with violating the antifraud provisions under the federal securities laws through an alleged scheme targeting students of the founder’s online crypto trading course.[36] From early 2018 to mid-2019, the founder allegedly encouraged hundreds of students to invest in the founder’s hedge fund he claimed would utilize advanced strategies to secure profits. The SEC alleged that the founder never launched the fund or executed the advertised strategies, instead holding the invested money in bitcoin. Without admitting or denying the allegations, the defendants consented to injunctive relief and agreed to pay $1.2 million in disgorgement and civil penalties.
Also in February, the SEC announced settled charges against a broker-dealer for allegedly failing to register the offer and sale of a crypto lending product that allowed investors to deposit or purchase crypto assets in their account in exchange for the company’s promise to pay interest.[37] According to the SEC order, from late 2020 to early 2022, the broker-dealer allegedly offered a crypto lending product intended to generate revenue to pay interest to investors. However, the broker-dealer allegedly sold this product as a security without registering it, violating registration provisions of the federal security laws. Without admitting or denying the SEC’s findings, the broker-dealer agreed to pay $1.5 million in civil penalties.
In March, the SEC announced final judgment against a financial services company for violating disclosure requirements by allegedly failing to register its retail crypto lending product before offering it to the public.[38] The SEC further alleged that the company was unable to liquidate its assets when investors sought to withdraw their funds due to the volatility of the crypto market. Without admitting or denying the allegations, the company settled charges and agreed to pay $21 million in civil penalties.
In June, the SEC announced settled fraud charges against a publicly traded South Korean crypto asset company and its co-founder.[39] According to the SEC’s order, the company allegedly misrepresented the use of its blockchain for transaction settlements and the stability of its crypto asset security, violating antifraud provisions of the federal securities laws. The SEC further alleged that in May 2022, after the company’s token asset de-pegged from the U.S. dollar, the value of the token and the company’s other tokens plummeted to near zero, allegedly wiping out $40 billion in market value overnight and causing significant losses to investors. The company settled the charges, which included allegations of securities fraud and the offering and selling of securities in unregistered transactions, agreeing to pay a combined total of $4.5 billion in disgorgement and civil penalties. The company also agreed to cease the sale of its crypto asset securities, wind down its operations, replace two of its directors, and distribute its remaining assets to investor victims and creditors. The company’s co-founder also settled charges and agreed to pay a combined total of $204 million in disgorgement and civil penalties.
B. Artificial Intelligence
In March, the SEC announced settled charges against two investment advisers, one Toronto-based and the other San Francisco-based, for allegedly making false and misleading statements about their purported use of artificial intelligence (AI).[40] The SEC’s order against the Toronto-based firm alleged that, from 2019 to 2023, it violated the marketing rule and made false and misleading statements in its SEC filings, in a press release, and on its website regarding its purported use of AI and machine learning capabilities that it did not in fact have. The SEC’s order against the San Francisco-based firm similarly alleged that the firm made false and misleading claims in 2023 on its website and on social media about its purported use of AI, and that it violated the Marketing Rule by, among other things, falsely claiming it offered tax-loss harvesting services. Without admitting or denying the SEC’s findings, both firms agreed to settle the charges against them, which involved violations of the Advisers Act—with the Toronto-based firm agreeing to pay a civil penalty of $225,000, and the San Francisco-based firm agreeing to pay a civil penalty of $175,000.
In June, the SEC charged the CEO of an artificial intelligence recruitment startup who allegedly made false and misleading statements in a multi-year scheme that defrauded investors.[41] According to the complaint, from 2018 to mid-2023, the CEO allegedly lied to investors about the quantity and quality of customers, the number of candidates on the platform, and the company’s revenue, violating the antifraud provisions of the federal securities laws. The complaint seeks a permanent injunction, civil monetary penalties, disgorgement, and an officer-and-director bar against the company’s CEO. Additionally, the U.S. Attorney’s Office for the Southern District of New York brought criminal charges against the CEO in a parallel action.
VI. INSIDER TRADING AND MARKET MANIPULATION
The SEC has continued to aggressively investigate potential insider trading. The Commission’s enforcement in this area will likely maintain its pace, given not only the trends that are prevalent, but also the SEC’s victory at trial in April 2024 in the Panuwat case discussed supra.
In January, the SEC announced settled charges against an investment bank and its former head of equity syndicate chair for their alleged involvement in an alleged multi-year fraud related to the disclosure of purportedly confidential information about block trades and alleged failure to enforce policies regarding the misuse of material non-public information related to the block-trades.[42] According to the SEC’s order, from mid-2018 to mid-2021, the investment bank and former head allegedly disseminated non-public information concerning upcoming block trades, violating federal securities laws. The SEC further alleged that the investment bank failed to enforce information barriers that would have prevented the former head from disseminating the information. Both the investment bank and the former equity syndicate chair settled the charges; the bank agreed to pay a combined total of $249 million in disgorgement and civil penalties (which were partially satisfied by payments in a parallel action brought by the U.S. Attorney’s Office for the Southern District of New York). The Southern District of New York resolved its criminal investigation pursuant to a Non-Prosecution Agreement with the bank, and Deferred Prosecution Agreement with the former equity syndicate chair.
Also in January, the SEC charged the CEO of a China-based FinTech company with violating the antifraud and beneficial ownership provisions of the Securities Exchange Act of 1934.[43] The SEC’s complaint alleged that the CEO manipulatively traded company stock through an offshore account prior to becoming CEO in 2020 to raise the company stock price, and that the CEO failed to disclose his beneficial ownership of, and transactions in, company stock. According to the complaint, in late 2019 or early 2020, the founder and former CEO of the company approached the current CEO with the prospect of taking over the CEO position. At that time, the company risked delisting from NASDAQ due to its stock price falling below the minimum $1.00 per share bid price requirement. Beginning in January 2020 and prior to becoming CEO, the current CEO allegedly traded company stock through a Hong Kong account, purchasing more than 530,000 shares of company stock over the next two-month period—allegedly making nonsensical trades at such a high volume that they comprised a high percentage of daily volume of company stock transactions—with the intent and eventual effect of driving the stock price up. Then, upon becoming CEO in March 2020, the CEO allegedly failed to file change of ownership forms regarding his holdings of company stock. Similarly, the following year after he allegedly no longer owned any company stock, the CEO belatedly filed a misleading initial form representing that he owned no company stock. The SEC is seeking permanent injunctive relief, a civil penalty, and an officer-and-director bar, in the ongoing litigation.
In February, the SEC filed charges against the husband of an energy company manager for allegedly trading on material, nonpublic information about a proposed acquisition the energy company planned to execute.[44] The individual allegedly overheard his wife’s work-related conversations about the proposed acquisition and executed trades based on that information in February 2023 without his wife’s knowledge, for a profit of $1.76 million. The individual agreed to the entry of a partial judgment permanently enjoining him from violating the antifraud provisions of the federal securities laws, barring him from acting as an officer or director of a public company, and requiring him to pay disgorgement and an undetermined civil penalty. The SEC’s investigation is still ongoing, and the U.S. Attorney’s Officer for the Southern District of Texas has brought charges against the individual in a parallel action.
In March, the SEC announced charges against a former board member of an energy company, along with four of his associates, for allegedly trading on material nonpublic information.[45] According to the complaint, in July 2019, the former board member learned of a pending investment offered to privatize the energy company. The former board member and four of his associates then allegedly purchased company securities prior to the public announcement of the offer, and then traded the shares to earn gains totaling tens of thousands of dollars. The former board member settled with the SEC, agreeing to a $801,742 civil penalty plus disgorgement, along with an officer and director bar. The four other defendants each agreed to pay civil penalties plus disgorgement.
In March, the SEC filed insider trading charges against the founder of a technology company regarding trades he made in July 2019 that earned profits of $415,726.[46] The individual allegedly learned from a friend about a multinational technology company’s pending acquisition of a communications equipment company, and then he allegedly traded options for the target company through a close relative and an associate. The individual settled with the SEC and agreed to a civil penalty of $923,740 and a five-year officer and director bar.
In May, the SEC charged an individual with violations of the securities laws for allegedly trading on inside information about a publicly traded company that resulted in profits of more than $800,000.[47] According to the complaint, between November 2019 and May 2021, the individual solicited updates from a company employee on the company’s performance. Then, despite requests from the employee not to trade company securities, the individual allegedly used the information to trade in the company’s securities. The individual settled with the SEC and agreed to pay disgorgement, prejudgment interest, and a civil penalty to be determined by the U.S. District Court for the Western District of Pennsylvania. The U.S. Attorney’s Office for the Western District of Pennsylvania also brought criminal charges against the individual in a parallel action.
In May, the SEC charged a Massachusetts-based venture investment company and its founder with violations of antifraud provisions under the federal securities laws arising from an alleged scheme to artificially inflate the stock price of a Seattle-based visual media company.[48] The SEC’s complaint alleged that in April 2023, the founder and venture investment company issued a press release offering to purchase all outstanding stock of the media company for $10 a share, almost double the closing price of the previous trading day, which allegedly caused the company’s stock price to spike. Though the founder and his company allegedly pledged in the press release to hold their shares, they allegedly began liquidating stock in the visual media company shortly after the market opened on April 24, 2023, before the media company responded to the offer. The founder and venture investment company settled the charges—agreeing to pay civil penalties and disgorgement to be determined by the court, along with an officer and director bar. In a parallel action, the U.S. Attorney’s Office for the District of Massachusetts announced criminal charges against the founder of the venture investment company.
[1] SEC Press Release, Sixteen Firms to Pay More Than $81 Million Combined to Settle Charges for Widespread Recordkeeping Failures (February. 9, 2024), available at https://www.sec.gov/news/press-release/2024-18.
[2] SEC Press Release, SEC Charges Advisory Firm Senvest Management with Recordkeeping and Other Failures (Apr. 3, 2024), available at https://www.sec.gov/news/press-release/2024-44.
[3] SEC Press Release, Twenty-Six Firms to Pay More Than $390 Million Combined to Settle SEC’s Charges for Widespread Recordkeeping Failures (Aug. 14, 2024), available at https://www.sec.gov/newsroom/press-releases/2024-98.
[4] SEC Speech, Remarks at SEC Speaks 2024, Sanjay Wadhwa, Deputy Director, Division of Enforcement (Apr. 3, 2024), available at https://www.sec.gov/newsroom/speeches-statements/sanjay-wadhwa-sec-speaks-2024-04032024.
[5] SEC Press Release, Twenty-Six Firms to Pay More Than $390 Million Combined to Settle SEC’s Charges for Widespread Recordkeeping Failures (Aug. 14, 2024), available at https://www.sec.gov/newsroom/press-releases/2024-98.
[6] SEC Press Release, J.P. Morgan to Pay $18 Million for Violating Whistleblower Protection Rule (Jan. 16, 2024), available at https://www.sec.gov/news/press-release/2024-7.
[7] SEC Press Release, SEC Charges R.R. Donnelley & Sons Co. with Cybersecurity-Related Controls Violations (June 18, 2024), available at https://www.sec.gov/news/press-release/2024-75.
[8] SEC Statement, Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co., Commissioners Hester M. Peirce and Mark T. Uyeda (June 18, 2024), available at https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-rr-donnelley-061824.
[9] SEC Press Release, Mark Uyeda Sworn in for Second Term as SEC Commissioner (Jan. 3, 2024), available at https://www.sec.gov/news/press-release/2024-1.
[10] SEC Press Release, SEC Appoints Erica Y. Williams to a Second Term as PCAOB Chairperson (Jun. 11, 2024), available at https://www.sec.gov/news/press-release/2024-71.
[11] SEC Press Release, SEC Appoints Stacey Bowers as Small Business Advocate (Jan. 5, 2024), available at https://www.sec.gov/news/press-release/2024-3.
[12] SEC Press Release, SEC Announces Departure of William Birdthistle; Natasha Vij Greiner Named Director of the Division of Investment Management (Feb. 28, 2024), available at https://www.sec.gov/news/press-release/2024-27.
[13] SEC Press Release, SEC Names Nathaniel H. Benjamin as Director of the Office of Minority and Women Inclusion (May 3, 2024), available at https://www.sec.gov/news/press-release/2024-52.
[14] SEC Press Release, Tina Diamantopoulos Named Regional Director of Chicago Office (May 16, 2024), available at https://www.sec.gov/news/press-release/2024-59.
[15] SEC Press Release, SEC Announces Departure of Policy Director Heather Slavkin Corzo and Appointment of Corey Klemmer to the Role (May 17, 2024), available at https://www.sec.gov/news/press-release/2024-60.
[16] SEC Press Release, SEC to Close Salt Lake Regional Office (Jun. 4, 2024), available at https://www.sec.gov/news/press-release/2024-67.
[17] SEC Press Release, SEC Charges China-Based Tech Company Cloopen Group with Accounting Fraud (Feb. 6, 2024), available at https://www.sec.gov/news/press-release/2024-15.
[18] SEC Press Release, SEC Charges Skechers with Making Undisclosed Payments to Executives’ Family Members (Mar. 7, 2024), available at https://www.sec.gov/news/press-release/2024-33.
[19] SEC Press Release, SEC Charges Northern Star SPAC for Material Misrepresentations in its IPO-Related Disclosures (Jan. 25, 2024), available at https://www.sec.gov/news/press-release/2024-10.
[20] SEC Press Release, SEC Charges Former Alfi CEO Paul Pereira with Fraud for Making False Statements on Social Media (Feb. 27, 2024), available at https://www.sec.gov/news/press-release/2024-26.
[21] SEC Press Release, SEC Charges Lordstown Motors with Misleading Investors about Company’s Flagship Electric Vehicle (Feb. 29, 2024), available at https://www.sec.gov/news/press-release/2024-29.
[22] Id.
[23] SEC Press Release, SEC Charges Audit Firm BF Borgers and Its Owner with Massive Fraud Affecting More Than 1,500 SEC Filings (May 3, 2024), available at https://www.sec.gov/news/press-release/2024-51.
[24] SEC Press Release, SEC Charges Chicago-based Aon Investments and Former Partner with Misleading Pennsylvania Public Employees’ Pension Fund (Jan. 25, 2024), available at https://www.sec.gov/news/press-release/2024-9.
[25] SEC Press Release, SEC Charges Van Eck Associates for Failing to Disclose Influencer’s Role in Connection with ETF Launch (Feb. 16, 2024), available at https://www.sec.gov/news/press-release/2024-20.
[26] SEC Press Release, SEC Charges JAG Capital Advisors and its Founder Joshua Goltry with Defrauding Investors (Jun. 12, 2024), available at https://www.sec.gov/news/press-release/2024-72; DOJ Press Release, New York Fund Manager Admits Multimillion-Dollar Investment Fraud Scheme (June 12, 2024), available at https://www.justice.gov/usao-nj/pr/new-york-fund-manager-admits-multimillion-dollar-investment-fraud-scheme.
[27] SEC Press Release, SEC Charges Five Investment Advisers for Marketing Rule Violations (Apr. 12, 2024), available at https://www.sec.gov/news/press-release/2024-46.
[28] SEC Press Release, SEC Charges Hudson Valley Wealth Management Advisory Firm and Founder for Failing to Disclose Conflicts of Interest (May 14, 2024), available at https://www.sec.gov/news/press-release/2024-55.
[29] SEC Press Release, SEC Charges Advisory Firm Mass Ave Global and Co-Founder and CEO Winston Feng with False Statements and Undisclosed Conflicts (May 29, 2024), available at https://www.sec.gov/news/press-release/2024-64.
[30] SEC Press Release, SEC Charges Advisory Firm HG Vora for Disclosure Failures Ahead of Ryder Acquisition Bid (Mar. 1, 2024), available at https://www.sec.gov/news/press-release/2024-30.
[31] SEC Press Release, SEC Charges TIAA Subsidiary for Failing to Act in the Best Interest of Retail Customers (Feb. 16, 2024), available at https://www.sec.gov/news/press-release/2024-22.
[32] SEC Order Instituting Administrative and Cease and Desist Proceedings, In the Mater of Western International Securities, Inc. (Administrative Proceeding File No. 3-21986) (July 30, 2024), available at https://www.sec.gov/files/litigation/admin/2024/34-100618.pdf.
[33] SEC Press Release, SEC Charges Intercontinental Exchange and Nine Affiliates Including the New York Stock Exchange with Failing to Inform the Commission of a Cyber Intrusion (May 22, 2024), available at https://www.sec.gov/news/press-release/2024-63.
[34] SEC Press Release, SEC Charges Three New Yorkers for Raising More Than $184 Million Through Pre-IPO Fraud Schemes (June 7, 2024), available at https://www.sec.gov/news/press-release/2024-69.
[35] SEC Press Release, SEC Charges Founder of $1.7 Billion “HyperFund” Crypto Pyramid Scheme and Top Promoter with Fraud (Jan. 29, 2024), available at https://www.sec.gov/news/press-release/2024-11.
[36] SEC Press Release, SEC Charges Founder of American Bitcoin Academy Online Crypto Course with Fraud Targeting Students (Feb. 2, 2024), available at https://www.sec.gov/news/press-release/2024-13.
[37] SEC Press Release, SEC Charges TradeStation Crypto for Unregistered Offer and Sale of Crypto Asset Lending Product (Feb. 7, 2024), available at https://www.sec.gov/news/press-release/2024-16.
[38] SEC Press Release, Genesis Agrees to Pay $21 Million Penalty to Settle SEC Charges (Mar. 19, 2024), available at https://www.sec.gov/news/press-release/2024-37.
[39] SEC Press Release, Terraform and Kwon to Pay $4.5 Billion Following Fraud Verdict (June 11, 2024), available at https://www.sec.gov/news/press-release/2024-73.
[40] SEC Press Release, SEC Charges Two Investment Advisers with Making False and Misleading Statements About Their Use of Artificial Intelligence (Mar. 18, 2024), available at https://www.sec.gov/news/press-release/2024-36.
[41] SEC Press Release, SEC Charges Founder of AI Hiring Startup Joonko with Fraud (June 11, 2024), available at https://www.sec.gov/news/press-release/2024-70.
[42] SEC Press Release, SEC Charges Morgan Stanley and Former Executive Pawan Passi with Fraud in Block Trading Business (Jan. 12, 2024), available at https://www.sec.gov/news/press-release/2024-6.
[43] SEC Press Release, SEC Charges Future FinTech CEO Shanchun Huang With Fraud and Disclosure Failures (Jan. 11, 2024), available at https://www.sec.gov/news/press-release/2024-5.
[44] SEC Press Release, SEC Charges Husband of Energy Company Manager with Insider Trading (Feb. 22, 2024), available at https://www.sec.gov/news/press-release/2024-24.
[45] SEC Press Release, SEC Charges Tallgrass Energy’s Former Board Member Roy Cook and Four Others with Insider Trading in Advance of Blackstone Acquisition (Mar. 12, 2024), available at https://www.sec.gov/news/press-release/2024-34.
[46] SEC Press Release, SEC Charges Former Arista Networks Chairman Andy Bechtolsheim with Insider Trading (Mar. 26, 2024), available at https://www.sec.gov/news/press-release/2024-40.
[47] SEC Press Release, SEC Charges Pennsylvania Resident with Insider Trading in Dick’s Sporting Goods Securities (May 10, 2024), available at https://www.sec.gov/news/press-release/2024-53.
[48] SEC Press Release, SEC Charges Robert Scott Murray and Trillium Capital with Fraudulent Scheme to Manipulate Getty Images Stock (May 31, 2024), available at https://www.sec.gov/news/press-release/2024-66.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Securities Enforcement practice group, or the following authors:
Mark K. Schonfeld – Co-Chair, New York (+1 212.351.2433, [email protected])
David Woodcock – Co-Chair, Dallas (+1 214.698.3211, [email protected])
Tina Samanta – New York (+1 212.351.2469, [email protected])
Lauren Cook Jackson – Washington, D.C. (+1 202.955.8293, [email protected])
Timothy M. Zimmerman – Denver (+1 303.298.5721, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Ryan, LLC v. Federal Trade Commission
The United States District Court for the Northern District of Texas today granted summary judgment to Gibson Dunn’s client, Ryan, LLC, in its challenge to the Federal Trade Commission’s Non-Compete Rule. The Rule would have retroactively invalidated over 30 million employment contracts and preempted the laws of 46 states. The court set aside the rule, with nationwide effect, ordering that “the Rule shall not be enforced or otherwise take effect on its effective date of September 4, 2024 or thereafter.”
Ryan, LLC was the first party to challenge the lawfulness of the Non-Compete Rule. A group of trade associations led by the United States Chamber of Commerce intervened in the case to challenge the Rule as well. Ryan and the intervenors had previously won a preliminary injunction and stay of the Rule.[1]
The court today re-affirmed its core holdings that (1) the Rule exceeded the FTC’s statutory authority because the FTC does not have authority to promulgate substantive rules regarding unfair methods of competition and (2) the Rule is arbitrary and capricious, in violation of the Administrative Procedure Act, because the FTC failed to justify the nearly universal breadth of its ban. The court’s summary judgment order applies nationwide.
The court’s ruling means that the Non-Compete Rule will not take effect on September 4. The FTC cannot enforce it against anyone, non-competes that were enforceable before the rule remain enforceable, and businesses and workers are free to enter into new non-competes. The FTC may appeal the ruling to the Fifth Circuit. The FTC has not yet indicated whether or when it may appeal.
[1] A discussion of that preliminary injunction is available here.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Administrative Law & Regulatory, Labor & Employment, or Antitrust & Competition practice groups:
Administrative Law and Regulatory:
Allyson N. Ho – Dallas (+1 214.698.3233, [email protected])
Eugene Scalia – Washington, D.C. (+1 202.955.8673, [email protected])
Amir C. Tayrani – Washington, D.C. (+1 202.887.3692, [email protected])
Helgi C. Walker – Washington, D.C. (+1 202.887.3599, [email protected])
Labor and Employment:
Andrew G.I. Kilberg – Washington, D.C. (+1 202.887.3759, [email protected])
Karl G. Nelson – Dallas (+1 214.698.3203, [email protected])
Jason C. Schwartz – Washington, D.C. (+1 202.955.8242, [email protected])
Katherine V.A. Smith – Los Angeles (+1 213.229.7107, [email protected])
Antitrust and Competition:
Rachel S. Brass – San Francisco (+1 415.393.8293, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, [email protected])
Cynthia Richman – Washington, D.C. (+1 202.955.8234, [email protected])
Stephen Weissman – Washington, D.C. (+1 202.955.8678, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
On August 13, 2024, the Federal Circuit issued a precedential decision on the issue of obviousness-type double patenting (ODP) and patent-term adjustment (PTA) in Allergan USA, Inc. et al., v. MSN Laboratories Private Ltd., et al., No. 24-1061 (Fed. Cir. Aug. 13, 2024). While the decision also addressed other issues, this update focuses on summarizing the Court’s holding on the ODP issue.
Allergan markets and sells eluxadoline tablets under the brand name Viberzi®. Allergan owns patents that cover the drug compound and composition; specifically, claim 40 of the ’356 patent recites the eluxadoline compound. The ’356 patent was awarded 1,107 days of PTA due to delays in its prosecution. All but 467 of those PTA days were disclaimed. Continuing applications were filed claiming the same priority date as the ’356 patent (the ’011 and ’709 patents). Neither received PTA, and each was therefore set to expire before the ’356 patent. Defendant argued based on In re Cellect, LLC, 81 F.4th 1216, 1228–29 (Fed. Cir. 2023), that the ’011 and ’709 patents were ODP references that rendered the ’356 patent invalid. The district court agreed, and Allergan appealed.
The Federal Circuit (Lourie, J., joined by Dyk[1] and Reyna, J.J.) reversed, concluding that the claims of the ’011 and ’709 reference patents were not proper ODP references that could be used to invalidate claim 40 of the ’356 patent. The Court held that a “first-filed, first-issued, later-expiring claim cannot be invalidated by a later-filed, later-issued, earlier-expiring reference claim having a common priority date.” The Federal Circuit distinguished the facts and questions presented in In re Cellect from Allergan and stated that “Cellect does not address, let alone resolve, any variation of the question presented here—namely, under what circumstances can a claim properly serve as an ODP reference—and therefore has little to say on the precise issue before us.” The Court then held that a “later-filed, later-issued” patent cannot be an ODP reference to “the first-filed, first-issued patent in its family,” stating: “[t]hat is the only conclusion consistent with the purpose of the ODP doctrine, which is to prevent patentees from obtaining a second patent on a patentably indistinct invention to effectively extend the life of a first patent to that subject matter.” The Court further asserted that “the first-filed, first-issued patent in its family . . . is the patent that sets the maximum period of exclusivity for the claimed subject matter and any patentably indistinct variants.”
The Court provided the following further rationale for its decision:
“When seeking patent protection, it is not atypical for a patent applicant to first seek to protect the most valuable inventive asset (e.g., a pharmaceutical genus claim) before filing continuing applications on enhancements or modifications to that inventive asset (e.g., a particular compound in that genus, a method of using the compounds of that genus, etc.). And it is unsurprising that prosecution of a first-of-its-kind invention can be protracted, requiring greater time and effort by the applicant and examiner alike, such that any eventual patent on that invention is awarded some amount of PTA. Nor is it surprising that, for one reason or another (e.g., the examiner’s newfound familiarity with the subject matter), a subsequently filed continuing application claiming the same priority date and covering a modification of that invention proceeds much more efficiently through prosecution such that any patent awarded to that modification receives little to no award of PTA. As a result, that later-filed, later-issued continuing, or “child,” patent, whether subject to a terminal disclaimer over the parent or not, generally expires no later than the parent patent. That child patent does not, then, result in any extension of patent term of the invention claimed in the parent patent given that it expires first. Nor can the parent patent be said to result in an extension of patent term of the invention claimed in the child patent when, as here, the claims in the child patent did not even exist until after the parent patent issued. To hold otherwise—that a first-filed, first-issued parent patent having duly received PTA can be invalidated by a later-filed, later-issued child patent with less, if any, PTA—would not only run afoul of the fundamental purposes of ODP, but effectively abrogate the benefit Congress intended to bestow on patentees when codifying PTA. That is because such a holding would require patent owners, in order to preserve the validity of the parent patent, to file a terminal disclaimer disclaiming any term of the parent that extends beyond that of the child, which, given that the patents share a priority date, would amount to the disclaimer of only PTA. That parent patent, then, would not receive the benefit of its congressionally guaranteed patent term, see 35 U.S.C. § 154(b), and would instead be limited to the, presumably shorter, term of its own child. Such a result would be untenable.”
After this decision, there could be more proceedings forthcoming, including a petition for panel rehearing, a petition for rehearing en banc, and/or a petition for certiorari. Please stay tuned for further developments on this front.
[1] Judge Dyk joined this portion of the majority opinion. He dissented with respect to other issues addressed by the Court, which have not been summarized in this update.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups, or the authors:
Robert W. Trenchard – New York (+1 212.351.3942, [email protected])
Jane M. Love, Ph.D. – New York (+1 212.351.3922, [email protected])
Kate Dominguez – New York (+1 212.351.2338, [email protected])
Appellate and Constitutional Law:
Thomas H. Dupree Jr. – Washington, D.C. (+1 202.955.8547, [email protected])
Allyson N. Ho – Dallas (+1 214.698.3233, [email protected])
Julian W. Poon – Los Angeles (+ 213.229.7758, [email protected])
Intellectual Property:
Kate Dominguez – New York (+1 212.351.2338, [email protected])
Y. Ernest Hsin – San Francisco (+1 415.393.8224, [email protected])
Josh Krevitt – New York (+1 212.351.4000, [email protected])
Jane M. Love, Ph.D. – New York (+1 212.351.3922, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.