Publications Archives

Los Angeles partner Michael Farhang is the co-author of “Flagging FCPA Misconduct in Virtual Work Environments” [PDF], along with Jeannine Lemker, published by The Review of Securities & Commodities Regulation on October 26, 2022.

Los Angeles partner Maurice Suh and associate Jeremy Smith are the authors of “Standing Requirements in California Law” [PDF] published by Los Angeles Lawyer in its November 2022 issue.

1. Introduction

In March 2022, the Dubai Financial Services Authority (“DFSA”) published Consultation Paper No. 143 proposing to allow for the provision of financial services in relation to “Crypto Tokens” in and from the Dubai International Financial Centre (“DIFC”).

Following the ending of the consultation period, His Highness Sheikh Mohammed Bin Rashid Al Maktoum, the Ruler of Dubai, has enacted legislation and the DFSA Board has made amendments to the DFSA Rulebook each taking effect on 1 November 2022.

The new Crypto Tokens regime augments the DFSA’s existing Investment Tokens regime which was introduced on 25 October 2021. We discussed the Investment Tokens regime in a previous Client Alert.[1]

The new DFSA Crypto Tokens regime is detailed. Significant changes have been made to many of the rules and modules that form the DFSA Rulebook. In this Client Alert, we set out a summary of the key changes that have been made.

2. Summary of the DFSA Crypto Tokens Regime

Commencement Date. The new rules take effect on 1 November 2022.
Definition of Crypto Tokens. The regime largely deals with Crypto Tokens (e.g. cryptocurrencies and stablecoins). The DFSA considers a token to be a Crypto Token if it: (a) is used, or is intended to be used, as a medium of exchange or for payment or investment purposes; or (b) confers a right or interest in another token that meets the requirements in (a). However, certain tokens are not Crypto Tokens in the rules (i.e. “investment tokens”, NFTs, “utility tokens” and digital currencies issued by any government, government agency, central bank or other monetary authority).[2]
Only Recognised Crypto Tokens to be used in the DIFC. In general, only Crypto Tokens that are “recognised” by the DFSA may be used in connection with a financial service, public offering or financial promotion in the DIFC.[3] These are referred to as “Recognised Crypto Tokens”. The DFSA must publish an Initial List of Recognised Tokens within 30 days of 1 November 2022.[4] The DFSA must also publish notices when it recognises other Crypto Tokens after an application for recognition has been made by a current or applicant authorised person or an issuer or developer of the Crypto Token.[5]
Use of Privacy Tokens/Devices and Algorithmic Tokens is prohibited. Certain Crypto Tokens are prohibited from being used in connection with a financial service, public offering or financial promotion in the DIFC. Prohibited tokens are Privacy Tokens (e.g. tokens with features to hide, anonymise, obscure or prevent the tracing of transactions and individuals)[6] and Algorithmic Tokens (e.g. tokens using algorithms to increase or decrease their supply to stabilise or reduce volatility in their price).[7]
Mixing regulated and unregulated business related to Utility Tokens or NFTs is generally prohibited. A DFSA authorised firm may not carry on both a DFSA regulated crypto business and business relating to NFTs and Utility Tokens (unless providing custody).[8] The prohibition is intended to avoid any misconception by users of a service that regulatory requirements for financial services apply to the unregulated part of the business. However, the prohibition does not extend to the use of digital currencies issued by governments, government agencies, central banks or other monetary authorities. Therefore, an authorised person may provide a service or carry on an activity involving such a digital currency.
Money Services Providers restricted to Fiat Crypto Tokens. DFSA authorised money services providers may only use DFSA recognised Fiat Crypto Tokens (e.g. fiat stablecoins recognised by the DFSA) in connection with their money services business.[9]
Crowdfunding Operators. DFSA authorised crowdfunding operators may not facilitate investment in Crypto Tokens through their platforms.[10]
Representative Offices. DFSA authorised representative offices may not market Crypto Tokens or financial services related to Crypto Tokens.[11]
Authorised Firm applicants must generally be DIFC companies and not branches. In general, an applicant for a DFSA licence to carry out a financial service relating to Crypto Tokens must be a body corporate incorporated under the DIFC Companies Law, except in very limited circumstances.[12]
Notification of significant events affecting Crypto Tokens. The DFSA is keen on being informed of any significant events or developments affecting Crypto Tokens. Each DFSA authorised person carrying on a financial service relating to a Crypto Token must notify the DFSA immediately if it becomes aware of any significant event or development that reasonably suggests that the Crypto Token no longer meets the criteria for it to be a Recognised Crypto Token unless it reasonably believes that the information is already generally available to the public.[13]
Provision of information on Crypto Tokens to clients. The new rules regulate the provision of information on Crypto Tokens to clients. For example, a DFSA authorised firm must not provide a financial service related to a Crypto Token to a person unless it has given the person a “key features document” containing detailed information about the Crypto Token.[14] Prominent risk warnings must also be included on websites, marketing or educational materials and other communications relating to Crypto Tokens.[15]
Retail Clients. Significant protections have been introduced for retail clients (i.e. those persons that are not “professional clients” or “market counterparties”) in addition to the overarching duty to act in the best interest of a retail client. For example:
- A DFSA authorised firm must not carry on a financial service of “arranging deals in investments”, “dealing in investments as agent”, “dealing in investments as principal” or “operating a MTF” with or for a retail client, unless the authorised firm has carried out an appropriateness assessment of the person and formed a reasonable view that the person has: (a) adequate skills and expertise to understand the risks involved in trading in Crypto Tokens or Crypto Token derivatives (as the case may be); and (b) the ability to absorb potentially significant losses resulting from trading in Crypto Tokens or Crypto Token derivatives (as the case may be).[16] Similar appropriateness assessments and care are required by DFSA authorised firms recommending to a client a financial product or financial service, or executing a transaction on a discretionary basis for a client.[17]
- A DFSA authorised firm must: (a) not provide a “credit facility” to a retail client in connection with trading in Crypto Tokens; and (b) take reasonable steps to ensure that a retail client does not use a credit card or third-party credit facility to buy a Crypto Token.[18]
- A DFSA authorised firm must not offer or provide to a retail client any incentive that influences, or is reasonably likely to influence, the retail client to trade in a Crypto Token or Crypto Token derivative.[19] The DFSA states that incentives include bonus offers, gifts, rebates of fees (including volume-based rebates), trading credits or any form of reward in relation to the opening of a new account or trading in a new type of Crypto Token or Crypto Token derivative offered to an existing or potential new retail client.
- A DFSA authorised firm must not offer or provide any facility or service that allows a retail client to lend a Crypto Token to the authorised firm or to another person.[20]
Funds investing in Crypto Tokens. The DFSA has made a number of changes affecting funds investing in Crypto Tokens and the management, marketing and other financial services in respect of them in and from the DIFC. For example, a DIFC established fund may only invest in Recognised Crypto Tokens and must be managed by a DFSA authorised fund manager and a DFSA authorised fund manager must not manage a non-DIFC established fund that invests in Crypto Tokens.[21]
Anti-money laundering and registration of issuers and service providers of NFTs and Utility Tokens as DNFBPs. The DFSA has updated its anti-money laundering rules to take into account Crypto Tokens. These rules apply to DFSA authorised persons and those registered with the DFSA as Designated Non-Financial Business or Profession (DNFBP). Certain issuers and service providers of NFTs and Utility Tokens are required to be registered with the DFSA as a DNFBP and will be subject to the DFSA’s anti-money laundering rules.[22]
Six-month transitional period. The DFSA has put in place transitional rules applying to each person who immediately before 1 November 2022: (a) was a DFSA authorised person; and (b) carried on a relevant activity or service relating to a Crypto Token. Such persons may continue to carry on certain activities or services relating to Crypto Tokens for a transitional six-month period after 1 November 2022 without being required to obtain the necessary amendment to its authorisation or to comply with various detailed requirements relating to Crypto Tokens.[23] After the six-month period, such persons should comply with the new rules or cease doing Crypto Token related business. The DFSA, however, makes clear that the transitional relief does not relieve a DFSA authorised person from complying with certain key obligations during the transitional period in respect of the activities or services it carries on under the transitional arrangements (e.g. DFSA’s principles for authorised firms, anti-money laundering requirements, financial promotion requirements, market abuse provisions, provisions prohibiting misconduct (e.g. misleading, deceptive, fraudulent or dishonest conduct) and the prohibition relating to the use of Privacy Tokens).[24]

3. Concluding Remarks

The new DFSA Crypto Token regime is a momentous step forward augmenting the DFSA’s existing Investment Tokens regime introduced in 2021. With the new regime in place, the DFSA has completed its ambitious project to create a thoughtful framework covering the panoply of “crypto” assets.

________________________

[1] Gibson Dunn Client Alert dated 15 November 2021 entitled Dubai Financial Services Authority Moves into the “Crypto” Space and Establishes Regulatory Framework for “Investment Tokens” (https://www.gibsondunn.com/dubai-financial-services-authority-moves-into-crypto-space-and-establishes-regulatory-framework-for-investment-tokens/).

[2] Rule A2.5.1 of the DFSA Rulebook (General Module).

[3] Rule 3A.2.1 of the DFSA Rulebook (General Module).

[4] Rule 3A.4.1(2) of the DFSA Rulebook (General Module).

[5] Rule 3A.3.7 of the DFSA Rulebook (General Module).

[6] Rule 3A.2.2 of the DFSA Rulebook (General Module).

[7] Rule 3A.2.3 of the DFSA Rulebook (General Module).

[8] Rule 3A.2.4 of the DFSA Rulebook (General Module).

[9] Rule 3A.2.5 of the DFSA Rulebook (General Module).

[10] Rule 2.2.10F of the DFSA Rulebook (General Module).

[11] Rule 2.26.1(4) of the DFSA Rulebook (General Module).

[12] Rule 7.2.2(7) of the DFSA Rulebook (General Module).

[13] Rule 11.10.21 of the DFSA Rulebook (General Module).

[14] Rule 15.5.1 of the DFSA Rulebook (Conduct of Business Module).

[15] Rule 15.5.3(2) of the DFSA Rulebook (Conduct of Business Module).

[16] Rule 15.6.2 of the DFSA Rulebook (Conduct of Business Module).

[17] Rule 3.4.2 of the DFSA Rulebook (Conduct of Business Module).

[18] Rule 15.6.3 of the DFSA Rulebook (Conduct of Business Module).

[19] Rule 15.6.4 of the DFSA Rulebook (Conduct of Business Module).

[20] Rule 15.6.5 of the DFSA Rulebook (Conduct of Business Module).

[21] DFSA Rulebook (Collective Investment Rules).

[22] DFSA Rulebook (Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module).

[23] Rule 10.5.1 of the DFSA Rulebook (General Module).

[24] Guidance to Rule 10.5.1 of the DFSA Rulebook (General Module).

The following Gibson Dunn lawyer prepared this client update: Hardeep Plahe.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Crypto Taskforce ([email protected]) or the Global Financial Regulatory team, including the following:

Hardeep Plahe – London and Dubai (+44 (0) 20 7071 4282, +971 (0) 4 318 4611, [email protected])
William R. Hallatt – Hong Kong (+852 2214 3836, [email protected])
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, [email protected])
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On October 27, 2022, VDA OC LLC (“VDA”) pleaded guilty to engaging in a conspiracy with another healthcare staffing company to allocate employee nurses and fix their wages in violation of Section 1 of the Sherman Act.[1] The case marks the first successful criminal prosecution for a labor market antitrust violation, following two significant losses for the U.S. Department of Justice (“DOJ”) earlier this year with acquittals in United States v. DaVita, Inc., No. 1:21-cr-00229 (D. Colo.), and United States v. Jindal, No. 4:20-cr-00358 (E.D. Tex.).

VDA emphasized the “extremely limited nature of the [conspiratorial] agreement” in a statement.[2] According to the indictment, VDA entered into a nine-month agreement not to recruit nurses from a competitor in the Clark County School District in Nevada (“CCSD”) or to raise school nurses’ wages.[3] The agreement began in or around October 2016, when VDA’s former Regional Manager Ryan Hee sent an email to the executive of an unnamed competitor saying, “[p]er our conversation, we will not recruit any of your active CCSD nurses” and “[i]f anyone threatens us for more money, we will tell them to kick rocks!”[4] The competitor’s executive responded, “[a]greed on our end as well. I am glad we can work together through this, and assure that we will not let the field employees run our businesses moving forward.”[5] The agreement allegedly ended in or around July 2017.[6]

VDA was sentenced to pay a criminal fine of $62,000 and restitution of $72,000 to the affected nurses.[7] Under the U.S. Sentencing Guidelines (“USSG”), antitrust fine ranges are calculated by first determining the “base fine,” which is 20% of the “affected volume of commerce.”[8] The DOJ has not previously addressed how to measure the affected volume of commerce in labor market cases, but this case confirms the prevailing assumption that the DOJ will seek to calculate the volume of commerce using the compensation paid to the defendant’s affected employees for the duration of the alleged conduct. The volume of commerce attributed to VDA was $218,016 based on payroll records for the wages paid to affected nurses during the period of the conspiracy.[9] The resulting base fine was $43,603, which is adjusted for culpability under the USSG, yielding a recommended fine range between $52,324 to $104,647.[10]

The DOJ likely agreed to recommend a fine near the lower end of the USSG fine range because of the relatively high amount of restitution that VDA agreed to pay. The $72,000 restitution reflects nearly a third of the agreed-upon volume of commerce, which is much higher than the settlement rates in prior no-poach civil cases.[11] VDA’s resolution is silent about how the DOJ identified the affected nurses or how the restitution payment will be distributed, although the methodology that the DOJ adopts will be of significant interest to parties in future cases.

VDA’s willingness to pay such generous restitution, in exchange for a lower criminal fine, may reflect its own interest in a settlement skewed toward compensating alleged victims to reduce the risk of follow-on civil litigation. Indeed, the DOJ noted in its sentencing memorandum that VDA’s restitution payment would potentially obviate the need for nurses to bring parallel civil suits to recover damages.[12] This is a promising pathway for the DOJ to incentivize companies to enter plea agreements that merits further consideration. Companies now face years of costly and burdensome civil litigation following many criminal antitrust investigations and must consider whether a resolution with the DOJ will prejudice its ability to defend those cases. If the DOJ is willing to negotiate reasonable restitution amounts in plea agreements and advocate in court that its agreed-upon restitution payments fully compensate the allegedly harmed employees, it may significantly reduce the risk of follow-on private litigation. This incentive may also extend to leniency recipients under the Antitrust Division’s Corporate Leniency Policy, which was recently updated to require that “applicants must present concrete, reasonably achievable plans” for paying restitution to injured parties.[13]

The DOJ’s case remains ongoing against VDA’s former Regional Manager, Ryan Hee. Hee has pleaded not guilty and is currently scheduled for trial in April 2023.

________________________

[1] Plea Agreement at ¶ 2-3, United States v. VDA OC, LLC, No. 2:21-cr-00098 (D. Nev. Oct. 27, 2022).

[2] See Dan Papscun, DOJ Notches First No-Poach Win With Staffing Firm’s Sentencing (Oct. 27, 2022, 2:23 PM), Bloomberg News, https://news.bloomberglaw.com/in-house-counsel/doj-notches-first-no-poach-win-with-guilty-plea-sentencing?utm_source=rss&utm_medium=CCNW&utm_campaign=00000184-1a94-d054-af8e-5bb56feb0001.

[3] See Indictment at ¶ 12-14, United States v. VDA OC, LLC, No. 2:21-cr-00098 (D. Nev. March 26, 2021).

[4] Id. at ¶ 14.

[5] Id.

[6] See id. at ¶ 12.

[7] Plea Agreement at ¶ 10.

[8] USSG §§ 2R1.1(d), 8C2.4.

[9] Sentencing Memorandum at 4, United States v. VDA OC, LLC, No. 2:21-cr-00098 (D. Nev. Oct. 20, 2022). Interestingly, the DOJ did not consider the value of non-cash benefits or other forms of non-monetary compensation to the affected nurses in calculating VDA’s base fine.

[10] Id. at 4-5.

[11] For example, a survey of eleven employee class action settlements from 2002 to 2020 shows that the parties settled for an amount between 1.4% to 5.3% of the total compensation at issue. See Exhibit E to Motion for Preliminary Approval of Proposed Class Settlement, In re: Railway Industry Emp. No-Poach Antitrust Litig., No. 18-mc-798 (W.D. Pa. Feb. 24, 2020).

[12] Sentencing Memorandum at 6.

[13] Frequency Asked Questions About the Antitrust Division’s Leniency Program, U.S. Dep’t of Justice, Antitrust Division (Apr. 4, 2022), ¶¶ 34–35.

The following Gibson Dunn lawyers prepared this client alert: Scott Hammond, Jeremy Robison, and Sarah Akhtar.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Antitrust and Competition or Labor and Employment practice groups:

Antitrust and Competition Group:
Scott D. Hammond – Washington, D.C. (+1 202-887-3684, [email protected])
Jeremy Robison – Washington, D.C. (+1 202-955-8518, [email protected])
Rachel S. Brass – Co-Chair, San Francisco (+1 415-393-8293, [email protected])
Stephen Weissman – Co-Chair, Washington, D.C. (+1 202-955-8678, [email protected])
Ali Nikpay – Co-Chair, London (+44 (0) 20 7071 4273, [email protected])
Christian Riis-Madsen – Co-Chair, Brussels (+32 2 554 72 05, [email protected])

Labor and Employment Group:
Jason C. Schwartz – Co-Chair, Washington, D.C. (+1 202-955-8242, [email protected])
Katherine V.A. Smith – Co-Chair, Los Angeles (+1 213-229-7107, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Hong Kong partners Brian Gilchrist and Elaine Chen and of counsel Alex Wong are the authors of “Handling tax disputes in Hong Kong – ‘pay first, argue later’” [PDF] published by Financier Worldwide in November 2022.

This update provides an overview of significant class action developments during the third quarter of 2022 (July to September).

Part I summarizes an important Ninth Circuit decision reversing class certification on predominance grounds;

Part II analyzes recent Eleventh and Third Circuit opinions addressing Article III standing in putative class actions;

Part III discusses decisions from the Second and Eleventh Circuits addressing standing issues in the class settlement context; and

Part IV covers a Third Circuit decision addressing the applicability of Bristol-Myers Squibb v. Superior Court, 137 S. Ct. 1773 (2017), to claims by out-of-state plaintiffs in an opt-in collective action.

I. The Ninth Circuit Reverses Certification in Employment Misclassification Case Because of Individualized Questions Regarding Injury and Damages

In July, the Ninth Circuit published an important decision analyzing Rule 23(b)(3)’s predominance requirement in a worker misclassification action. In Bowerman v. Field Asset Services, Inc., 39 F.4th 652, 662 (9th Cir. 2022), the Ninth Circuit reversed class certification based on individualized injury and damages issues. This decision refutes a frequent argument by plaintiffs’ counsel that individualized damages issues are irrelevant to class certification.

Bowerman involved a putative class of workers whom the defendant allegedly misclassified as independent contractors rather than employees. As a result, the plaintiffs claimed they were owed overtime and business expenses. Id. at 657. The plaintiffs did not dispute that they lacked common proof showing that the putative class members worked overtime hours or that claimed expenses were reimbursable, but argued that under the Ninth Circuit’s decision in Leyva v. Medline Industries Inc., 716 F.3d 510 (9th Cir. 2013), “the presence of individualized damages cannot, by itself, defeat class certification.” Id. at 661–62 (quoting Leyva, 716 F.3d at 514).

The Ninth Circuit reversed, holding that class certification was improper for several reasons:

First, the court distinguished between “the calculation of damages and the existence of damages in the first place.” Id. at 662. The problem in Bowerman was the latter: The defendant’s “liability to any class member . . . would implicate highly individualized inquiries on whether that particular class member ever worked overtime or ever incurred any ‘necessary’ business expenses.” (emphases omitted).
Second, even damages issues (as opposed to liability) can defeat class certification if the class members’ purported damages are not capable of measurement on a classwide basis. In Bowerman, the plaintiffs lacked common proof of entitlement to overtime wages or expense reimbursement, so they failed to show that “the whole class suffered damages traceable to the same injurious course of conduct underlying the plaintiffs’ legal theory,” as required by Comcast Corp. v. Behrend, 569 U.S. 27 (2013). 39 F.4th at 663.
Third, the court also noted that class certification may be denied where calculating classwide damages “isn’t easy.” In Bowerman, because determining individual class members’ damages would require “the individual testimony of self-interested class members,” the plaintiffs had failed to “present[] a method of calculating damages that is not excessively difficult,” and therefore “failed to satisfy Comcast’s simple command that the case be ‘susceptible to awarding damages on a class-wide basis.’” Id. (quoting Comcast, 569 U.S. at 32 n.4).

II. The Eleventh and Third Circuits Further Opine on Standing and Article III Injury in Putative Class Actions

Questions about standing and Article III injury continue to confront the federal courts of appeals, with the Eleventh and Third Circuits being the latest to analyze these questions during this past quarter.

In Hunstein v. Preferred Collection & Management Services, 48 F.4th 1236 (11th Cir. 2022), a divided en banc Eleventh Circuit held that a statutory violation of the Fair Debt Collection Practices Act (FDCPA) was insufficient to establish an injury giving rise to Article III standing.

The plaintiff had alleged a debt collection agency violated the FDCPA when it disclosed information about his debt to a mail vendor that sent out debt-collection notices. Id. at 1240. In analyzing Article III standing, the en banc Eleventh Circuit agreed the common-law comparison approach (endorsed by the Supreme Court in TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021)) was appropriate, but it ultimately concluded there was no “close relationship” between the alleged statutory violation and the common-law tort analogue. 48 F.4th at 1243–45 (explaining that under Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016), a statutory violation qualifies as a concrete harm if it has a “close relationship” to a harm traditionally recognized in tort law). The court explained that even though the alleged statutory harm need not be an “exact duplicate” of a traditionally recognized harm, there is no “close relationship” when an element “essential to liability” for the common-law analogue is missing. 48 F.4th at 1242. Here, a “public disclosure” was essential to the tort of “public disclosure of private facts,” yet the plaintiff did not allege their information had been disclosed to anyone other than a single third-party mail vendor. Id. at 1248. Without the critical element of public disclosure, the plaintiff’s statutory violation was not analogous to a common-law tort and did not confer standing—and the court stated that finding otherwise would be tantamount to “hammering square causes of action into round torts.” Id. at 1241, 1249.

In Adam v. Barone, 41 F.4th 230 (3d Cir. 2022), the Third Circuit held that the offer of a pre-litigation refund did not extinguish the plaintiff’s standing to sue. Id. at 236. The case involved a plaintiff who alleged that she was fraudulently charged $100 for beauty products that the defendants marketed as free samples. Id. at 232. Before the lawsuit was filed, defendants offered her a full refund in the ordinary course of business, which the plaintiff refused. Id. The district court held the refund offer mooted the plaintiff’s claim and dismissed the case. Id. at 233, 236.

The Third Circuit reversed. It held that a pre-litigation “refund offer . . . made in the ordinary course of business” is not a categorical bar to a plaintiff’s standing to sue. Id. at 234 . In particular, the $100 charge qualified as an “injury in fact” because the plaintiff “neither received a refund nor accepted any alternative to a refund,” and, applying traditional contract principles, the rejection of the refund offer “le[ft] the matter as if no offer had ever been made.” Id. at 234–35 (citing Campbell-Ewald Co. v. Gomez, 577 U.S. 153, 162 (2016)).

III. The Second and Eleventh Circuits Consider Standing in the Context of Class Action Settlements

The Second and Eleventh Circuits also weighed in on how the Article III standing requirements should be applied in the specific context of class settlements.

In Hyland v. Navient Corp., 48 F.4th 110 (2d Cir. 2022), the Second Circuit affirmed the district court’s certification of a Rule 23(b)(2) injunctive relief settlement class and held that class standing was satisfied even though some class members no longer had any relationship with the defendant. The case was filed by a group of public servants whose loans were not forgiven through the federal Public Service Loan Forgiveness program, allegedly because the defendant loan service companies misled them regarding their eligibility for the program. Id. at 115. The parties agreed to a nationwide non-monetary settlement class while also preserving class members’ rights to file individual claims for money damages. Id. at 114. In return, the defendants agreed to changes in their business practices and funded a cy pres award of $2.25 million to establish a loan counseling nonprofit. Id. at 116. The district court approved the settlement and several class members objected.

On appeal, the objectors argued that because “[s]ome class members were no longer using the company to service their loans when the class was certified, . . . the class as a whole . . . lacked standing to pursue injunctive relief.” Id. at 117. The Second Circuit rejected this argument, stating that “[s]tanding is satisfied so long as at least one named plaintiff can demonstrate the requisite injury.” Id. at 117–18 (citing cases). The court noted that the named plaintiffs alleged they “were likely to suffer future harm because they continued to rely on [the company] for information about repaying their student loans,” and at least six of them still had a relationship with the company. Id. at 118. In the injunctive relief context, at least, these allegations were therefore “enough to confer standing on the entire class.” Id. (citing Amador v. Andrews, 655 F.3d 89, 99 (2d Cir. 2011) (“In a class action, once standing is established for a named plaintiff, standing is established for the entire class.”)).

In Drazen v. Pinto, 41 F.4th 1354 (11th Cir. 2022), the Eleventh Circuit confronted a similar issue in the context of a damages class. There, it vacated and remanded a class settlement after determining that not all settlement class members had experienced an Article III injury. The plaintiffs alleged the defendant violated the Telephone Consumer Protection Act by sending them unauthorized calls and text messages. Even though the Eleventh Circuit had previously held that the receipt of a single unwanted text message is not enough to constitute an Article III injury, the district court nevertheless approved the settlement, reasoning that “only the named plaintiffs must have standing.” Id. at 1357. Only a small percentage (~7%) of the settlement class members had received a single text message. Id.

The Eleventh Circuit reversed. The court first stated that “even at the settlement stage of a class action, we must assure ourselves that we have Article III standing at every stage of the litigation.” Id. at 1360. The court further reasoned that under TransUnion, “[t]o recover individual damages, all plaintiffs within the class definition must have standing,” such that “when a class seeks certification for the sole purpose of a damages settlement under Rule 23(e), the class definition must be limited to those individuals who have Article III standing.” Id. at 1361. And here, because the settlement class may have included individuals who only received a single unwanted text message, approving the settlement would allow “individuals without standing [to] receiv[e] what is effectively damages in violation of TransUnion.” Id. at 1362.

IV. Joining the Sixth and Eighth Circuits, the Third Circuit Holds that Bristol-Myers Squibb Requires Out-of-State Plaintiffs in FLSA Collective Actions to Show Specific Jurisdiction Over Their Individual Claims

In Fischer v. Federal Express Corp., 42 F.4th 366 (3d Cir. 2022), the Third Circuit joined the Sixth and Eighth Circuits in concluding that Bristol-Myers Squibb Co. v. Superior Court, 137 S. Ct. 1773 (2017)—which held that a state court lacks jurisdiction over out-of-state plaintiffs’ claims unless their claims are sufficiently connected to the forum—also prohibits a district court from exercising jurisdiction over the claims of opt-in plaintiffs in a Fair Labor Standards Act (FLSA) collective action unless such a connection is established.

Fischer involved an FLSA collective action filed by a Pennsylvania resident against FedEx in the Eastern District of Pennsylvania, alleging FedEx misclassified employees in her position as exempt from the FLSA’s overtime rule. 42 F.4th at 371. Two former, non-resident FedEx employees sought to join the collective action in Pennsylvania, but the district court denied their request. Id. Relying on Bristol-Myers, the district court reasoned that it lacked personal jurisdiction over FedEx with respect to those employees’ claims since they did not work for FedEx in Pennsylvania, and thus, their claims did not “arise out of or relate to the defendant’s minimum contacts with the forum state.” Id. at 371.

The Third Circuit affirmed, holding that under Bristol-Myers, a district court can exercise specific jurisdiction over the out-of-state plaintiffs’ claims under the FLSA only if the claims arise out of or relate to the defendant’s minimum contacts with the forum state. Id. at 370. In so holding, the Third Circuit joined the Sixth and Eighth Circuits (Canaday v. Anthem Cos., 9 F.4th 392 (6th Cir. 2021); Vallone v. CJS Sols. Grp., LLC, 9 F.4th 861 (8th Cir. 2021)), and widened a split with a First Circuit case reaching the opposite conclusion (Waters v. Day & Zimmermann NPS, Inc., 23 F.4th 84 (1st Cir. 2022)).

The following Gibson Dunn lawyers contributed to this client update: Paulette Miniter, Nasim Khansari, Roark Luskin, Wesley Sze, Lauren Blas, Bradley Hamburger, Kahn Scolnick, and Christopher Chorba.

Gibson Dunn attorneys are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Class Actions, Litigation, or Appellate and Constitutional Law practice groups, or any of the following lawyers:

Theodore J. Boutrous, Jr. – Los Angeles (+1 213-229-7000, [email protected])
Christopher Chorba – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213-229-7396, [email protected])
Theane Evangelis – Co-Chair, Litigation Practice Group, Los Angeles (+1 213-229-7726, [email protected])
Lauren R. Goldman – New York (+1 212-351-2375, [email protected])
Kahn A. Scolnick – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213-229-7656, [email protected])
Bradley J. Hamburger – Los Angeles (+1 213-229-7658, [email protected])
Lauren M. Blas – Los Angeles (+1 213-229-7503, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On October 26, 2022, the Securities and Exchange Commission (“SEC” or “Commission”), in a 3-to-2 vote, adopted final rules that will require listed companies to implement policies for recovery (i.e., “clawback”) of erroneously awarded incentive compensation, implementing Section 10D of the Securities Exchange Act, which was added by Section 954 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”).[1] The SEC originally proposed clawback rules on July 14, 2015,[2] but the proposed rules remained dormant until October 14, 2021, when the SEC reopened the comment period[3] (and which was reopened for a second time on June 8, 2022).[4] The final rules add new Exchange Act Rule 10D-1 (“Rule 10D-1”), which largely tracks the long-pending proposed rules but also incorporate terms previewed in the 2021 release reopening the comment period.

Rule 10D-1 directs the national securities exchanges to establish listing standards that require issuers to adopt and comply with written clawback policies meeting strict conditions:

The clawback policy must provide that, in the event the company is required to prepare an accounting restatement due to the material noncompliance of the company with any financial reporting requirement under the federal securities laws, the company will recover (on a pre-tax basis) the amount of incentive-based compensation received by its current and former executive officers in excess of the amount of incentive-based compensation that would have been received had it been determined based on the restated amount, subject to limited exceptions.
Compensation recoupment is required regardless of whether the executive officer engaged in any misconduct and regardless of fault.
The policy must apply to compensation “received”—which is defined as occurring when the financial reporting measure was attained regardless of when payment is actually made—during the three-year “recovery period” preceding the date the company is required to prepare the accounting restatement (the three-year period was mandated by the Dodd-Frank Act).
The clawback policy must apply both to material accounting errors that require a restatement of prior years’ financial results (commonly known as “Big R” restatements), as well as to errors that are corrected in the current year’s results (commonly known as “little r” restatements).

In addition, the final rules require companies to file a copy of their policy as an exhibit to their Form 10-K, 20-F, 40-F or N-CSR, as applicable, and to publicly disclose how they have applied the policy whenever they experience a restatement. Rule 10D-1 also requires that issuers add two checkboxes to the cover page of their 10-Ks (or 20-Fs or 40-Fs): one checkbox to indicate whether the financial statements included in the filing reflect the correction of an error to previously issued financial statements, and one to indicate whether any of the error corrections require a recovery analysis under the company’s Rule 10D-1 clawback policy.

Almost all issuers are subject to the clawback rules, including those companies that are otherwise excluded from other SEC disclosure requirements related to executive compensation. A company would be subject to delisting if it does not adopt and comply with an exchange-compliant clawback policy.

The final rules release is available here and a Fact Sheet (Recovery of Erroneously Awarded Compensation) is available here. Set forth below is a summary of the final rules and considerations for companies.

When the Rules Take Effect

Each exchange will be required to propose rules or rule amendments consistent with Rule 10D-1 no later than 90 days following the date of the publication of the rules in the Federal Register. The listing standards must be effective no later than one year following the final rules publication date. Each company subject to such listing standards must adopt a compliant recovery policy no later than 60 days following the date on which the applicable listing standards become effective. The mandated clawback policies must apply to any incentive-based compensation that is received by current or former executive officers on or after the effective date of the applicable listing standard (which is a modification from the proposed rules). Compliance with the disclosure requirements is required in the first annual report or proxy or information statement required to be filed after the effective date of the new listing standards.

Summary of the Final Rules

All listed companies are covered by the rule, including foreign private issuers, emerging growth companies, smaller reporting companies, controlled companies and companies with only listed debt securities, but certain registered investment companies are excluded to the extent they have not provided incentive-based compensation to any current or former executive officer of the fund in the last three fiscal years.

There are five key components of the final rules:

Covered individuals. Current and former “executive officers” are subject to clawback of incentive-based compensation. “Executive officer” includes the company’s president, principal financial officer, principal accounting officer, any vice president in charge of a principal business unit, division or function, and any other person who performs policymaking functions for the company and otherwise conforms to the full scope of the Exchange Act Section 16 definition. In a change from the proposed rules, the final rules will only require recovery of incentive-based compensation received by a person (i) after beginning service as an executive officer and (ii) if that person served as an executive officer at any time during the recovery period. Recovery of compensation received prior to becoming an executive officer will not be required, although compensation received during the recovery period by former executive officers is covered.
Restatements that trigger application of clawback policy. In a change from the proposed rules, the final rules require recoupment of erroneously awarded compensation (i) when the company is required to prepare an accounting restatement that corrects an error in previously issued financial statements that is material to the previously issued financial statements (commonly referred to as “Big R” restatement) and (ii) when the company is required to prepare an accounting restatement that corrects an error that is not material to previously issued financial statements, but that would result in a material misstatement if (A) the error was left uncorrected in the current report or (B) the error correction was recognized in the current period (commonly referred to as “little r” restatements). Application of the recovery policy would not be triggered by an “out-of-period adjustment” – a situation where the error is immaterial to the previously issued financial statements and the correction of the error is also immaterial to the current period. The recovery policy also would not be triggered by changes to prior period financial statements that do not arise due to error corrections, such as retrospective revisions to financial statements due to changes in accounting principles or segments.

The Commission rejected a bright-light standard for determining when the recovery period begins, reasoning that doing so might incentivize companies to delay a restatement determination in order to manipulate the recovery date. Therefore, the final rules state that the recovery period runs from the earlier of: (i) the date the company’s board of directors, committee of the board, or the officer or officers of the company authorized to take such action, concludes, or reasonably should have concluded, that the company is required to prepare an accounting statement due to the material noncompliance with any financial reporting requirement under the securities laws; or (ii) the date a court, regulator, or other legally authorized body directs the company to prepare an accounting restatement. The SEC stated in its October 14, 2021 Notice when it reopened the comment period: “For errors that are material to the previously issued financial statements, we generally expect the date . . . to coincide with the date disclosed in the Item 4.02(a) Form 8-K filed.”

Definition of incentive compensation and when it is “received.” “Incentive-based compensation” is any compensation (including cash and equity) granted, earned or vested based in whole or in part on the attainment of a “financial reporting measure.” “Financial reporting measures” are measures that are determined and presented in accordance with the accounting principles used in preparing the company’s financial statements, and any measures derived in whole or in part from such measures, as well as stock price and total shareholder return (“TSR”). A financial reporting measure is subject to the rule even if it is not actually presented in the company’s financial statements or included in an SEC filing. Incentive-based compensation does not include compensation that is based solely on continued employment for a specified period of time (e.g., time-vesting awards, including time-vesting stock options), unless such awards were granted or vested based in whole or in part on a financial reporting measure. Incentive-based compensation also does not include base salary (however, in the preamble to the proposed rule the SEC indicated that if the executive officer receives a salary increase earned wholly or in part based upon the attainment of a financial reporting measure, such increase would be subject to recovery), compensation awarded solely at the board’s discretion, or compensation awarded upon the achievement of subjective, strategic or operational measures that are not financial reporting measures (such as the achievement of ESG goals).

The Dodd-Frank Act specified that the compensation subject to clawback is that which was received by the executive during a recovery period that is defined as “the three-year period preceding the date on which the issuer is required to prepare an accounting restatement.” The final rules provide that incentive-based compensation is “received,” and thus subject to clawback, in the fiscal period during which the applicable financial reporting measure is attained, even if the payment or grant occurs after the end of that period. In other words, the date of “receipt” of such compensation is tied to the satisfaction of the financial reporting measure goal, irrespective of applicable vesting, grant or payment dates. An award subject to both time- and performance-based vesting conditions is considered received upon satisfaction of the performance metric even if the award continues to be subject to time-based vesting criteria.

Calculating the amount of clawback. The amount required to be recouped is the amount of incentive-based compensation received by the executive in excess of what would have been received if the incentive-based compensation was determined based on the restated financial statements. To the extent the incentive-based compensation was based on stock price or TSR, such excess amount must be based on a reasonable estimate of the effect of the accounting restatement on the applicable measure. The company must maintain documentation of the determination of that reasonable estimate and provide it to the relevant exchange. In all cases, the calculation of erroneously awarded compensation would be calculated on a pre-tax basis. As discussed below, companies are required to disclose in their Form 10-K, 20-F, 40-F or N-CSR, as applicable, and proxy statement information on their calculation of the amount subject to clawback.
Minimal discretion regarding recovery and its enforcement. The rules require a company to recover erroneously awarded compensation in compliance with its recovery policy subject to limited exceptions. Recovery is not required only if the company’s board or compensation committee has determined that recovery is impracticable for one of three reasons: (1) because the direct expenses paid to third parties to assist in enforcing the policy would exceed the amount to be recovered and the company has made a reasonable attempt to recover; (2) in the case of a foreign private issuer, because pursuing such recovery would violate home country law in effect prior to publication of the final rules in the Federal Register and where the company provides an opinion of counsel to that effect to the exchange; or (3) because recovery would likely cause an otherwise tax-qualified retirement plan to fail to meet the requirements of the Internal Revenue Code.[5] Clawback must be evaluated on a “no fault” basis – e., without regard to whether any misconduct occurred or whether an executive bears responsibility. Executives may not be indemnified for the clawback, nor may companies pay premiums on an insurance policy that would cover an executive’s potential clawback obligations. The rules require that companies pursue recovery “reasonably promptly,” which suggests that boards may not allow covered executives to repay any clawed back amount in installments under a payment plan of any extended duration, barring any unreasonable economic hardship to the executive. In addition, under the new disclosure requirements (addressed further below), any amount subject to clawback from a current or former named executive officer but unpaid after 180 days must be disclosed.

New Disclosure Requirements

There are three key new disclosure requirements tied to the clawback rules:

Clawback Policy Exhibit Requirement. Each listed company must file its clawback policy as an exhibit to its annual report on Form 10-K, 20-F, 40-F or N-CSR, as applicable.
New Item 402 disclosures. Item 402 of Regulation S-K was amended to require companies to disclose how they have applied their recovery policies. If, during its last completed fiscal year, the company either completed a restatement that required recovery, or there was an outstanding balance of excess incentive-based compensation relating to a prior restatement, the company must disclose the following information for each restatement in any Form 10-K or proxy or information statements that includes executive compensation disclosure:

(i) the date on which the company was required to prepare each accounting restatement and the aggregate dollar amount of excess incentive-based compensation attributable to the restatement, including an analysis of how the recoverable amount was calculated (an expansion of the proposed rules), or if the clawback amount has not been determined yet, an explanation of the reasons why it has not, and subsequent disclosure in the next filing that is subject to Item 402 of Regulation S-K;

(ii) if the compensation is related to a stock price or TSR metric, the estimates used to determine the amount of erroneously awarded compensation attributable to such accounting restatement and an explanation of the methodology used for such estimates;

(iii) the aggregate dollar amount of excess incentive-based compensation that remained outstanding at the end of the company’s last completed fiscal year;

(iv) where a company is invoking an impracticability exception, for each current and former named executive officer and for all other current and former executive officers as a group, the amount of recovery forgone and a brief description of the reason the listed registrant decided in each case not to pursue recovery, as well as (to the extent applicable to the invoked impracticability exception) a brief explanation of the types of direct expenses paid to a third party to assist in enforcing the recovery policy, identification of the provision of foreign law the recovery policy would violate, or how the recovery policy would cause an otherwise tax-qualified retirement plan to fail to meet the requirements of the Internal Revenue Code; and

(iv) for each current and former named executive officer, the amounts of incentive-based compensation that are subject to a clawback but remain outstanding for more than 180 days since the date the company determined the amount owed.

The final rules also add a new instruction to the Summary Compensation Table to require that any amounts recovered pursuant to a company’s compensation recovery policy reduce the amount reported in the applicable column, as well as the “total” column” for the fiscal year in which the amount recovered initially was reported, with the clawback identified by footnote.

The final rules require information mirroring the above Item 402 disclosures to be included in annual reports on Form N-CSR and in proxy statements and information statements relating to the election of directors; on Form 20-F or, if the foreign private issuer elects to use the registration and reporting forms that U.S. issuers use, on Form 10-K; and on Form 40-F.

New check boxes on cover pages of Forms 10-K, 20-F and 40-F. In addition, and according to the SEC, “to assure that issuers listed on different exchanges are subject to the same disclosure requirements regarding erroneously awarded compensation recovery policies,” companies must indicate by check boxes on their annual reports whether the financial statements included in the filings reflect a correction of an error to previously issued financial statements and whether any such corrections are restatements that required a recovery analysis.

Observations and Considerations for Companies

Companies do not need to adopt a Rule 10D-1 clawback policy until after the stock exchanges’ listing standards implementing Rule 10D-1 are proposed, adopted and become effective. Nevertheless, there are important steps that companies should be taking before that time to prepare for the new rules:

Prepare for Implementation. The new listing standards will require companies to adopt “and comply” with their Rule 10D-1 clawback policies. In addition, the clawback policy needs to apply to any incentive compensation “received” on or after the effective date of the new listing standards, even if that compensation was received pursuant to an award granted before adoption of the company’s Rule 10D-1 clawback policy. Therefore, to the extent they have not done so already, companies should be adding a term to their existing incentive compensation plans or award agreements and taking any other appropriate measures to enhance the enforceability of their Rule 10D-1 clawback policy once it is adopted.
Evaluate Incentive Compensation Arrangements. Companies should evaluate their existing compensation arrangements to assess which have any element that relates to a “financial performance measure” as defined under the SEC rules. At the same time, companies may wish to evaluate whether to modify or clarify the operation of arrangements that have financial performance measure elements. For example, companies with a legacy Section 162(m) bonus pool that is based on a financial performance measure, but under which actual payments are discretionary or based on other criteria, may wish to eliminate the performance-based funding of the bonus pool component. The clawback rules may also accelerate the trend toward the use of non-financial, strategic and ESG-related performance criteria in incentive compensation arrangements.
Interaction with Existing Clawback Policies. Companies will need to determine whether to integrate the Rule 10D-1 clawback policy with their existing policies, replace their existing policies, or adopt the Rule 10D-1 policy on a stand-alone basis. Various aspects of the Rule 10D-1 clawback requirements go beyond what companies typically have adopted to date, including the mandatory nature of the clawback, the timing and length of the recovery period and the no-fault standard. At the same time, many company policies cover triggering events beyond financial restatements, may cover a larger population, and may apply to broader categories of compensation. Given the differences, companies may find it easier to adopt a stand-alone Rule 10D-1 clawback policy, and simply modify their existing clawback policies to clarify that they apply only to the extent that the Rule 10D-1 clawback policy does not. As noted above, the new rules require attaching the clawback policy as an exhibit to the annual report, so it is advisable to review the policy in light of that anticipated public disclosure.
Enhance Documentation Around Compensation Committee Determinations. Going forward, it will be more important than ever to have clear documentation around the extent to which financial performance measures affect decisions regarding granting, vesting and settlement/payout of each element of executives’ compensation. To the extent that a compensation committee is exercising discretion, particularly if awarding compensation without regard to financial results, those decisions should be documented. Finally, it will be important to enhance internal and disclosure controls so that the implications of any restatement, including a “little r” restatement, can be taken into account.

The Rule 10D-1 clawback rules are designed to enhance an environment promoting compliance with applicable accounting rules. However, their application on a no-fault basis means that executives could be subject to compensation clawbacks based on inadvertent failures to satisfy complex accounting standards. It will be important to assess whether that possibility will lead to inadvertent consequences, such as a move away from financial performance measures in compensation arrangements or the loss of talented executives who feel unfairly penalized under a clawback claim that they intend to contest.

_________________________

[1] Pub. L. No. 111-203, 124 Stat. 1900 (2010).

[2] Listing Standards for Recovery of Erroneously Awarded Compensation, Exchange Act Release No. 34-75432 (July 14, 2015), available here.

[3] Reopening of Comment Period for Listing Standards for Recovery of Erroneously Awarded Compensation, Exchange Act Release No. 34-93311 (Oct. 14, 2021), available here.

[4] Reopening of Comment Period for Listing Standards for Recovery of Erroneously Awarded Compensation, Exchange Act Release No. 34-95057 (June 8, 2022), available here, which sought review and comment on the memo prepared by the staff of the SEC’s Division of Economic and Risk Analysis, available here.

[5] With respect to this exception, Rule 10D-1(b)(1)(iv)(C) provides: “Recovery would likely cause an otherwise tax-qualified retirement plan, under which benefits are broadly available to employees of the registrant, to fail to meet the requirements of 26 U.S.C. 401(a)(13) or 26 U.S.C. 411(a) and regulations thereunder.”

The following Gibson Dunn lawyers assisted in the preparation of this alert: Sean Feller, Krista Hanvey, Elizabeth Ising, Ronald Mueller, Michael Scanlon, Lori Zyskowski, Aaron Briggs, and Christina Andersen.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Executive Compensation and Employee Benefits or Securities Regulation and Corporate Governance practice groups, or any of the following practice leaders and members:

Executive Compensation and Employee Benefits Group:
Stephen W. Fackler – Palo Alto/New York (+1 650-849-5385/+1 212-351-2392, [email protected])
Sean C. Feller – Los Angeles (+1 310-551-8746, [email protected])
Krista Hanvey – Dallas (+ 214-698-3425, [email protected])
Christina Andersen – New York (+1 212-351-3857, [email protected])

Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, [email protected])
Thomas J. Kim – Washington, D.C. (+1 202-887-3550, [email protected])
Ron Mueller – Washington, D.C. (+1 202-955-8671, [email protected])
Michael J. Scanlon – Washington, D.C. (+1 202-887-3668, [email protected])
Michael Titera – Orange County (+1 949-451-4365, [email protected])
Lori Zyskowski – New York (+1 212-351-2309, [email protected])
Aaron Briggs – San Francisco (+1 415-393-8297, [email protected])
Julia Lapitskaya – New York (+1 212-351-2354, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

In anticipation of the Financial Stability Board’s (FSB) report to the G20 Finance Ministers and Central Bank Governors in October on regulatory and supervisory approaches to stablecoins and other crypto-assets, please join us for this webcast hosted by our Global Financial Regulatory Practice Group. We discuss the latest legal and regulatory developments in digital assets markets, including:

FSB’s recommendations, and what they mean for the global regulatory and supervisory direction of travel for stablecoin arrangements and crypto-asset markets
Hong Kong and Singapore digital assets regulatory developments
UK and EU digital assets regulatory developments, including the Markets in Crypto-Assets (MiCA) regulation
US digital assets regulatory developments

We discuss how these regulatory and supervisory developments will impact on digital assets businesses operating in or providing services in these key jurisdictions, and share our views on how businesses can anticipate and prepare for the coming wave of regulatory and supervisory reforms that will impact on stablecoins and other crypto-assets. In addition, the team brings their predictions for the future of digital assets regulation, supervision and enforcement policy, based on their extensive experience in helping clients to navigate global regulations and to engage with key global regulators.

PANELISTS:

William Hallatt, a partner in our Hong Kong office and a Co-Chair of the firm’s Global Financial Regulatory Practice Group, is one of the Asia-Pacific region’s most prominent regulatory lawyers. He has close working relationships with key regulators, both at the local jurisdictional and international levels. He is heavily involved in regulatory reform initiatives and regularly leads discussions with the regulators on behalf of the financial services industry. This includes working closely with leading industry bodies, including ASIFMA and AIMA. Will has particular expertise in relation to the regulation of cryptocurrencies and other digital assets, and has advised the world’s leading cryptocurrency exchanges as well as regulated financial institutions on a range of key strategic matters in this space. This includes advising cryptocurrency exchanges on regulatory restructurings, high profile regulatory investigations and the handling of licence applications in multiple jurisdictions.

Michelle M Kirschner is a partner in the London office and Co-Chair of the firm’s Global Financial Regulatory Practice Group. Ms. Kirschner advises a broad range of financial institutions and fintech businesses on areas such as systems and controls, market abuse, conduct of business and regulatory change management, and she conducts internal investigations and reviews of corporate governance and systems and controls in the context of EU and UK regulatory requirements and expectations.

Jeffrey Steiner is a partner in the Washington D.C. office and Co-Chair of the firm’s Global Financial Regulatory Practice Group, Chair of the firm’s Derivatives Practice and co-lead of the Digital Currencies and Blockchain Technologies group. Mr. Steiner advises a range of clients on regulatory, legislative, enforcement and transactional matters related to OTC and listed derivatives, commodities and securities. He also advises clients, including exchanges, financial institutions and fintech firms, on matters related to digital assets and cryptocurrencies. Prior to joining the Firm, Mr. Steiner was a special counsel at the U.S. Commodity Futures Trading Commission (CFTC).

Grace Chong is Of Counsel in Gibson Dunn’s Singapore office and a member of the firm’s Global Financial Regulatory Group. She has been consistently named as one of Singapore’s top 10 FinTech lawyers and is highly ranked in Chambers FinTech 2022, with clients noting that she “is very savvy and shares her knowledge of the MAS and market trends.” Further, she is recommended in Financial Services Regulatory for Singapore by The Legal 500 2022 guide which notes that she “is one of the best crypto regulatory lawyers in Singapore.” Ms. Chong is an elected board member of the Singapore Association of Cryptocurrency Enterprises and Startups (ACCESS), is closely involved in regional regulatory reform initiatives and has led discussions with regulators on behalf of the financial services industry.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1 credit hour, of which 1 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1 hour.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit

On October 20, 2022, the U.S. Department of the Treasury (“Treasury”), as chair of the Committee on Foreign Investment in the United States (“CFIUS” or “Committee”), released the first-ever CFIUS Enforcement and Penalty Guidelines (the “Guidelines”).[1] As the Guidelines pointedly emphasize, CFIUS is tasked with balancing its mandate of identifying and mitigating national security implications of foreign investments with upholding U.S. openness to foreign investment.[2] As we discuss below, the Guidelines provide insight into how CFIUS will assess whether (and in what amount) to impose a penalty or undertake other enforcement action against a violating party, and also provide a non-exhaustive list of aggravating and mitigating factors that CFIUS will consider.

Importantly, the new Guidelines do not appear connected to any specific changes in statutory authority, nor do they expressly create new authorities for the Committee. They also do not appear to be connected with any reported increase in enforcement actions, as CFIUS reported in its most recent Annual Report that it did not assess or impose penalties or initiate a unilateral review of a transaction in 2021.[3] The CFIUS Monitoring and Enforcement website lists only two penalties imposed pursuant to Section 721: one in 2018 and one in 2019. Yet, these Guidelines have also been released as CFIUS has publicly announced efforts to increase its staffing, particularly to support monitoring and enforcement activities.[4] The Guidelines also include CFIUS’s first formal statement with respect to the treatment of voluntary self-disclosures.

Accordingly, the release of the Guidelines appears to be an effort to increase transparency of a committee long-viewed as secretive—and also may signal increased use by the Committee of its enforcement and penalty authorities. The issuance of the Guidelines is therefore noteworthy in several respects:

Their issuance is another in a series of signals from the U.S. government of its intense focus on protecting national security interests, inclusive of U.S. technological leadership;

The Guidelines provide a more transparent, public roadmap for how violations will be assessed and processed; and

The Guidelines establish a voluntary self-disclosure mechanism for violations that has parallels with other agencies, though stops short of offering specific incentives for such disclosures.

The Guidelines are divided into four key areas: (i) clarifications of what constitutes a violation, (ii) how the Committee obtains information to investigate a potential violation, (iii) the penalty process itself, and (iv) aggravating and mitigating factors. We discuss each in turn below:

1. Three Categories of Conduct That May Constitute a Violation:

The Guidelines identify three specific types of conduct that may be considered a violation subject to enforcement and penalty. Note that the Guidelines specifically state that not all violations will result in a penalty or other remedy, as CFIUS will exercise discretion based on certain aggravating and mitigating factors, as discussed below in section (4).

Failure to submit a mandatory declaration or notice in a timely manner;
Failure to comply with CFIUS mitigation requirements when such mitigation has been imposed; and
Material misstatements, omissions, or false/materially incomplete certifications made at any point in the CFIUS process.

2. Sources of Information Concerning Potential Violations:

The Guidelines provide transparency about how the Committee obtains information on potential violations. It has been long understood that CFIUS has access to a range of tools available within the U.S. government to identify covered transactions. In addition, CFIUS is actively searching publicly available and third party information to identify non-notified transactions that may be subject to its review. The Guidelines highlight in particular information that may come from parties to a transaction themselves, whether voluntarily or involuntarily, including information regarding failure to comply with a mitigation agreement, condition or order:

Requests for Information: CFIUS may request information from relevant parties, and such parties may earn mitigation credit by cooperating with information requests and may also provide exculpatory evidence.
Self-Disclosures: The Guidelines provide the first formal discussion by CFIUS of voluntary self-disclosures to the Committee. Similar to self-disclosure policies published by the U.S. Department of Justice, the Office of Foreign Assets Control, the Directorate of Defense Trade Controls and the Bureau of Industry and Security, the Committee encourages timely self-disclosure of potential violations and has indicated that it will consider such voluntary disclosures as one among several factors when it is determining its enforcement response to an alleged violation. Notably, CFIUS has not in these Guidelines indicated that a self-disclosure will necessarily warrant any automatic deduction in the amount of a proposed penalty nor will self-disclosure necessarily result in a presumption applied by the Committee against imposition of a monetary or other more severe form of penalty.
Tips: CFIUS solicits tips from the general public—whether in connection with a transaction currently under review, a non-notified transaction, or a mitigation agreement—and provides email and phone contacts on its website for reporting directly to the Committee.
Subpoena Authority: The Guidelines draw attention to the Committee’s statutory authority to issue subpoenas to persons who may have information or records relevant to the administration or enforcement of the Committee’s regulations.

3. Penalty Process:

The Guidelines set forth the basic procedural process that will govern a potential enforcement or penalty action. In short, the Committee will send the subject person a notice of penalty, which includes (i) the conduct to be penalized, (ii) the amount of the monetary penalty to be imposed, (iii) the legal basis for concluding the conduct constitutes a violation, and (iv) any aggravating and mitigating factors the Committee considered. The subject person can, within 15 days of receiving the notice of penalty (which may be extended upon a showing of good cause), submit a petition for reconsideration to the CFIUS Staff Chairperson. The subject person can include any defense, justification, mitigating factors, or explanation within the petition. If the petition is timely received by CFIUS, within 15 days of receipt (which may be extended), CFIUS will take such petition into account before issuing a final penalty determination. However, if no petition is timely received, CFIUS will generally issue a final penalty determination in the form of a notice to the subject person. These procedures are also set forth in the Committee’s regulations at 31 CFR Part 800 and Part 802. Pursuant to §800.901, CFIUS has the authority to issue civil penalties up to $250,000 per violation for material misstatements, omissions, or false certifications. Failure to comply with mandatory declaration requirements or violations of a material provision of a mitigation agreement may result in a civil penalty not to exceed $250,000 or the value of the transaction, whichever is greater.

4. Aggravating and Mitigating Factors:

The Guidelines provide the first public statement by CFIUS of the factors it will consider when determining the appropriate response to an alleged violation. In essence, CFIUS will adopt a fact-based approach in which it weighs all relevant aggravating and mitigating factors in the context of specific conduct giving rise to a potential violation. The list of factors provided in the Guidelines is not exhaustive. Further, the list of factors are not presented in order of priority. Nonetheless, the factors will be generally familiar to anyone who has assessed the corporate enforcement factors published by DOJ, OFAC, DDTC, or BIS.

Accountability and future compliance: The impact of the enforcement action on protecting national security and ensuring subject persons are held accountable for their conduct and incentivized to ensure compliance.
Harm: The extent to which the conduct impaired, or threatened to impair, U.S. national security.
Negligence, awareness and intent: The extent to which the conduct was the result of simple or gross negligence, intentional action, or willfulness, as well as any efforts to conceal or delay the sharing of relevant information with CFIUS, or the involvement of senior personnel.
Persistence and timing: The length of time that elapsed after the subject person became aware, or had reason to become aware, of the conduct and before CFIUS became aware of the conduct and/or its remediation, as well as the frequency and duration of the conduct.
Response and remediation: Whether the subject person submitted a self-disclosure (including the timeliness, nature and scope of information within the self-disclosure), the subject person’s cooperation during the investigation, the promptness of complete and appropriate remediation, and whether the company undertook an analysis of the root cause, extent, and consequences of the alleged violative conduct to prevent any reoccurrence.
Sophistication and record of compliance: The subject person’s history and familiarity with CFIUS (including past compliance with CFIUS mitigation), the adequacy of internal and external resources dedicating to complying with relevant legal obligations, the existence of relevant policies and procedures, the consistency of implementation, the company’s culture of compliance, and other related factors.

Conclusion

The Guidelines contribute to the U.S. government’s increasing scrutiny of transactions that involve foreign investments in U.S. companies or operations with a potential impact on national security. The Guidelines provide additional transparency with respect to how CFIUS will determine its response to potential violations of CFIUS’s regulations. While the Guidelines are non-binding and do not expand or narrow CFIUS’s authorities, they may signal an intent to enhance enforcement efforts, particularly with respect to failure to submit a mandatory notification or failure to comply with mitigation agreements, conditions, or orders designed to address national security concerns.

_______________________

[1] CFIUS Enforcement and Penalty Guidelines (October 20, 2022), https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius/cfius-enforcement-and-penalty-guidelines.

[2] This authority is granted to the Committee under Section 721 of the Defense Production Act of 1950, as amended (50 U.S.C. § 4565) (“Section 721”).

[3] CFIUS Annual Report to Congress, 44, https://home.treasury.gov/system/files/206/CFIUS-Public-AnnualReporttoCongressCY2021.pdf.

[4] See U.S. Department of the Treasury Press Release, Treasury Releases CFIUS Annual Report for 2021 (Aug. 02, 2022), https://home.treasury.gov/news/press-releases/jy0904.

The following Gibson Dunn lawyers prepared this client alert: Stephenie Gosnell Handler, David Wolber, Christopher Timura, Samantha Sewall, and Felicia Chen.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following members and leaders of the firm’s International Trade practice group:

United States
Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, [email protected])
Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, [email protected])
Adam M. Smith – Washington, D.C. (+1 202-887-3547, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Marcellus A. McRae – Los Angeles (+1 213-229-7675, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202-955-8685, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, [email protected])
Annie Motto – Washington, D.C. (+1 212-351-3803, [email protected])
Chris R. Mullen – Washington, D.C. (+1 202-955-8250, [email protected])
Sarah L. Pongrace – New York (+1 212-351-3972, [email protected])
Samantha Sewall – Washington, D.C. (+1 202-887-3509, [email protected])
Audi K. Syarief – Washington, D.C. (+1 202-955-8266, [email protected])
Scott R. Toussaint – Washington, D.C. (+1 202-887-3588, [email protected])
Shuo (Josh) Zhang – Washington, D.C. (+1 202-955-8270, [email protected])

Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
David A. Wolber – Hong Kong (+852 2214 3764, [email protected])
Fang Xue – Beijing (+86 10 6502 8687, [email protected])
Qi Yue – Beijing – (+86 10 6502 8534, [email protected])

Europe
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Nicolas Autet – Paris (+33 1 56 43 13 00, [email protected])
Susy Bullock – London (+44 (0) 20 7071 4283, [email protected])
Patrick Doris – London (+44 (0) 207 071 4276, [email protected])
Sacha Harber-Kelly – London (+44 (0) 20 7071 4205, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Michael Walther – Munich (+49 89 189 33 180, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On October 21, 2022, the IRS released its cost-of-living adjustments applicable to tax-qualified retirement plans for 2023. Many of the key limitations, including the elective deferral and catch-up contribution limits for employees who participate in 401(k), 403(b) and 457 retirement plans, have increased from current levels. The key limitations for 2023 will increase as follows:

Limitation	2023 Limit
402(g) Limit on Employee Elective Deferrals (Note: This is relevant for 401(k), 403(b) and 457 plans, and for certain limited purposes under Code Section 409A.)	$22,500 ($20,500 for 2022)
414(v) Limit on “Catch-Up Contributions” for Employees Age 50 and Older (Note: This is relevant for 401(k), 403(b) and 457 plans.)	$7,500 ($6,500 for 2022)
401(a)(17) Limit on Includible Compensation (Note: This applies to compensation taken into account in determining contributions or benefits under qualified plans. It also impacts the “two times/two years” exclusion from Code Section 409A coverage of payments made solely in connection with involuntary terminations of employment.)	$330,000 ($305,000 for 2022)
415(c) Limit on Annual Additions Under a Defined Contribution Plan	$66,000 (or, if less, 100% of compensation) ($61,000 for 2023)
415(b) Limit on Annual Age 65 Annuity Benefits Payable Under a Defined Benefit Plan	$265,000 (or, if less, 100% of average “high 3” compensation) ($245,000 for 2022)
414(q) Dollar Amount for Determining Highly Compensated Employee Status	$150,000 ($135,000 for 2022)
416(i) Officer Compensation Amount for “Top-Heavy” Determination (Note: Because Code Section 409A defines “specified employees” of public companies by reference to this provision, this amount also affects the specified employee determination, and thus, the group subject to the six-month delay under Code Section 409A.)	$215,000 ($200,000 for 2022)
Social Security “Wage Base” for Plans Integrated with Social Security	$160,200 ($147,000 for 2022)

The following Gibson Dunn lawyers assisted in the preparation of this alert: Michael Collins, Krista Hanvey, and Fanny Patel.

Stephen W. Fackler – Palo Alto/New York (+1 650-849-5385/+1 212-351-2392, [email protected])
Michael J. Collins – Washington, D.C. (202-887-3551, [email protected])
Sean C. Feller – Los Angeles (+1 310-551-8746, [email protected])
Krista Hanvey – Dallas (+ 214-698-3425, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Frankfurt partner Georg Weidenbach, Munich partner Kai Gesing and Frankfurt associate Jan Vollkammer are the authors of “German Draft Bill Reflects Trend Toward New Antitrust Tools” [PDF] published by Law360 on October 19, 2022.

On 12 October 2022, the Hong Kong Securities and Futures Commission (“SFC”) reprimanded and imposed a HK$1.75 million fine on Asia Research & Capital Management Limited (“ARCM”), a Hong Kong licensed corporation (“LC”), for its failure to:

comply with Regulation (EU) No 236/2012 of the European Parliament and of the Council of 14 March 2012 on short selling and certain aspects of credit default swaps (“EU Regulation”); and
promptly notify the SFC of its regulatory breaches.[1]

The SFC also banned ARCM’s Manager-In-Charge (“MIC”) for Compliance, Mr. Billy Wong Yim Chi (“Wong”), for 2 months in relation to the above failures.

This disciplinary action is particularly noteworthy given that the SFC has imposed disciplinary action in relation to a licensed firm’s failure to comply with foreign regulatory requirements. [2] [3] Further, this matter is also the second time that the SFC has announced disciplinary actions against an MIC since the introduction of the MIC regime in 2017. The SFC’s first disciplinary action against an MIC was in November 2021 against Fulbright Securities Limited and its MIC.[4]

I. Disciplinary action against ARCM

The disciplinary action against ARCM by the SFC followed a similar action against the firm by the Financial Conduct Authority (“FCA”) in the United Kingdom in relation to its failures to comply with the EU Regulation in relation to disclosures of its net short position in Premier Oil Plc, a company listed on the London Stock Exchange.[5]

The SFC was unsympathetic towards ARCM’s explanations that its breach of the EU Regulation was due to ARCM’s unfamiliarity with the EU Regulation, its reliance on reference materials provided by its prime brokers rather than on legal advice regarding the EU reporting regime and the absence of alerts from ARCM’s investment bank counterparts.

Instead, the SFC attributed ARCM’s failures to:

a lack of any formal process in its compliance framework requiring its staff members to analyse and understand reporting requirements which might apply when the firm invests in a new jurisdiction and implement appropriate controls;
its failure to incorporate controls to ensure continuous compliance with the EU Regulation; and
its decision to rely on reference materials provided by its prime brokers without conducting any further analysis. The SFC noted that if ARCM had sought legal advice on its reporting obligations or taken steps to independently check on reporting obligations under the EU Regulation, it would have identified its obligations to report short positions held through swap transactions.

The SFC considered that the above failures amounted to a breach of:

General Principle 2 (Diligence) of the Code of Conduct for Persons Licensed or Registered with the Securities and Futures Commission (“Code of Conduct”)[6], which requires licensed corporations to act with due skill, care and diligence in the best interests of its clients and the integrity of the market; and
General Principle 7 (Compliance) and paragraph 12.1 of the Code of Conduct, which require licenced corporations to comply with all regulatory requirements applicable to the conduct of its business activities and to implement and maintain measures appropriate to ensuring compliance with the law, rules, regulations and codes administered or issued by the Commission, the rules of any exchange or clearing house of which it is a member or participant, and the requirements of any regulatory authority which apply to the licensed or registered person.

The SFC also found that ARCM’s notification of its breaches of the EU Regulation two months after notification of such breaches to the FCA constituted a breach of the requirement under paragraph 12.5 (Notifications to the Commission) of the Code of Conduct to notify the SFC immediately of any material breach of any regulatory requirements applicable to the licensed corporation.

II. Disciplinary action against Wong

Wong was ARCM’s Head of Compliance and Operations, and the MIC for Compliance during the relevant time periods. As MIC for Compliance, his responsibilities included handling regulatory filings in relation to ARCM’s portfolio positions, and consulting external legal advisors where necessary. The SFC took the view that ARCM’s failures were attributable to Wong’s neglect in discharging his responsibilities as MIC for Compliance and as a member of senior management. In particular, the SFC noted that Wong failed to:

implement adequate controls to ensure ARCM’s compliance with the EU Regulation; and
seek legal advice on the short position reporting obligations under the EU Regulation despite Wong and his team’s unfamiliarity with the EU regulatory regime.

Based on the above findings, the SFC held that Wong had breached General Principle 9 (Responsibility of senior management), and paragraph 14.1 of the Code of Conduct. The provisions required Wong, as senior manager, to bear primary responsibility for maintaining appropriate standards of conduct and procedures, and to properly manage risks associated with the business of the LC.

III. Conclusion

This disciplinary action serves as a reminder to LCs and their senior management of the broad scope of the Code of Conduct in relation to foreign regulatory requirements, both from a compliance perspective as well as a self-reporting perspective. In particular, it serves as an important caution to firms considering whether foreign regulatory breaches may have triggered foreign self-reporting obligations that they must also carefully consider whether a self-report under paragraph 12.5 is required. Given the stringency of the self-reporting standard under paragraph 12.5 in comparison to foreign reporting requirements, this may put some firms in the uncomfortable position that foreign regulatory breaches may not require reports to be made to foreign regulators, but will require reporting in Hong Kong to the SFC. Similarly, given the ‘immediate’ nature of the Hong Kong self-reporting requirement and the SFC’s expectation that firms report prior to completion of investigations into the relevant conduct, firms may also need to report to the SFC before reporting to foreign regulators.

Further, this case is also particularly significant given the SFC’s clear expectation that senior management will seek legal advice in relation to regulatory requirements where they and their teams are unfamiliar with these requirements, rather than relying on (for example) summaries provided by counterparts. This should serve as an important reminder to senior Compliance staff of the need to carefully assess the necessity of seeking legal advice when entering new jurisdictions and/or rolling out new product types or lines of business. We would recommend that firms review their processes in relation to new types of business activity more broadly to ensure that these processes require active consideration by senior management as to whether legal advice is required, with a particular emphasis on new types of business activity which might lead to the firm being subject to foreign regulatory requirements.

_____________________

[1] “SFC reprimands and fines Asia Research & Capital Management Limited $1.75 million and bans former senior executive Billy Wong Yim Chi for two months” (12 October 2022), published by the Securities and Futures Commission, available at: https://apps.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/enforcement-news/doc?refNo=22PR79

[2] Previously, the SFC had disciplined Capital Global Management Limited (“CGML”) over breaches of foreign regulatory laws. In February 2020, the SFC reprimanded and fined CGML HK$1.5 million for failing to ensure compliance with Taiwan’s Securities Investment Trust and Consulting Act when distributing investment funds and offering investment advice in Taiwan, and for failing to adequately supervise the business activities of its representatives to ensure such compliance. The SFC enforcement action followed the judgment of the Prosecution Office of the Taipei District Court which fined the owners of CGML. See “SFC reprimands and fines Capital Global Management Limited $1.5 million” (14 February 2020). Published by the SFC, available at https://apps.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/enforcement-news/doc?refNo=20PR16.

[3] We further note that the SFC recently suspended a Responsible Officer and CEO of a licensed firm for two years following the SFAT upholding the SFC’s disciplinary action against this individual for breaches of the SFC Code of Conduct which occurred as a result of breaches of Korean legislation. See “SFAT affirms SFC decision to suspend hedge fund manager Christopher James Aarons” (29 September 2022), published by the Securities and Futures Commission, available at https://apps.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/enforcement-news/doc?refNo=22PR75.

[4] “SFC reprimands and fines Fulbright Securities Limited $3.3 million and suspends its responsible officer for internal control failures” (1 November 2021), published by the Securities and Futures Commission, available at https://apps.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/doc?refNo=21PR107

[5] “Final Note to Asia Research and Capital Management Ltd” (14 October 2020), published by the Financial Conduct Authority, available at https://www.fca.org.uk/publication/final-notices/asia-research-and-capital-management-ltd-2020.pdf. The FCA’s disciplinary action against ARCM resulted in ARCM being fined £873,118.

[6] “Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission” (August 2022), published by the Securities and Futures Commission, available at https://www.sfc.hk/-/media/EN/assets/components/codes/files-current/web/codes/code-of-conduct-for-persons-licensed-by-or-registered-with-the-securities-and-futures-commission/Code_of_conduct_05082022_Eng.pdf

The following Gibson Dunn lawyers prepared this client alert: William Hallatt, Emily Rumble, and Jane Lu.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Global Financial Regulatory team, including the following members in Hong Kong:

William R. Hallatt (+852 2214 3836, [email protected])
Emily Rumble (+852 2214 3839, [email protected])
Arnold Pun (+852 2214 3838, [email protected])
Becky Chung (+852 2214 3837, [email protected])
Grace Chong (+65 6507 3608, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On 27 September 2022, following a ministerial review, the Office of Financial Sanctions Implementation (OFSI) imposed a monetary penalty of £30,000 in accordance with s. 146 of the Policing and Crime Act 2017 (PACA) against Hong Kong International Wine and Spirits Competition Limited (HKIWSC) for breaching UK[1] and EU[2] sanctions regulations. According to the relevant legislative provisions, it is prohibited to make funds or economic resources available, directly or indirectly, to a sanctioned party.

Between September 2017 and August 2020 HKIWSC received three payments and seventy-eight wine bottles from the sanctioned State Unitary Enterprise of the ‘Republic of Crimea’ Production-Agrarian Union (Massandra) for entry into HKIWSC’s 2017, 2018, 2019 and 2020 competitions.

OFSI identified two types of breaches: four relating to the provision of funds and tangible economic resources (i.e. the wine bottles) and one relating to the provision of intangible economic resources in the form of the publicity that was made available to Massandra by entering its wine into competitions. OFSI imposed the monetary penalty because it was satisfied that, on the balance of probabilities, HKIWSC knew or had reasonable cause to suspect that it was in breach of the relevant prohibitions. No voluntary disclosures were made in this case, therefore a penalty discount was not applied.

Intangible Economic Resources: A Novel Interpretation

This decision represents a material development as OFSI’s determination that publicity constitutes an intangible economic resource, i.e. an asset that may be exchanged for funds, is not intuitive, nor currently envisaged by the available guidance.

OFSI based its determination on the “reasonable inference” that publicity would increase Massandra’s wine sales, and PACA expressly allows the imposition of monetary penalties when the exact financial value of the resources being made available cannot be determined[3]. However, publicity may more conventionally be construed as a service, and it does not squarely fit within the definition of ‘economic resources’, i.e. “assets of every kind, whether tangible or intangible, movable or immovable, which are not funds but can be used to obtain funds, goods or services”[4].

Publicity is not conventionally treated as an asset on a company’s balance sheet and there is no way of directly exchanging ‘publicity’ for ‘funds, goods or services’. Publicity may lead to increased sales which in turn may lead to increased profits, yet the path from publicity to funds is not linear. It would have been different – and perhaps more coherent – if OFSI were to have held that the publicity increased Massandra’s goodwill in the form of brand recognition, and that such goodwill constituted an intangible economic resource. This construction would preserve the linearity of the exchange between ‘economic resources’ and ‘funds’ envisaged by the definition in the legislation, as goodwill is conventionally recognised as an asset which can directly be used to obtain funds.

Key Takeaways

This case serves as a useful reminder of the following:

The breadth of the legislative provisions may not always be foreseeable based on a close textual reading. OFSI’s creative construction of what constitutes intangible economic resources is an example. OFSI may favour generous, over-inclusive interpretations of key terms if it is motivated to enforce.
Many categories of assets can fall under the umbrella of intangible economic resources. OFSI’s report makes an explicit reference to intellectual property rights. This inclusion is to be expected given that intellectual property rights are conventionally treated as intangible assets and can be readily exchanged for money. Other inclusions may be less conventional, as this enforcement case shows.
OFSI has the power to impose hefty penalties even in the face of relatively minor violations. The total cumulative value of tangible economic resources and funds received by HKIWSC was estimated at £3,919.62. Nevertheless, the penalty amounted to £30,000. In cases where the breach relates to funds or economic resources, OFSI is authorised to impose a monetary penalty the greater of £1 million and 50% of the estimated value of the funds or resources. In any other case, the maximum penalty is capped at £1 million[5]. Notably, penalties may be reduced if a voluntary disclosure is made. This highlights the value of proactive reporting supported by strong internal compliance systems which may detect breaches before the regulator does.
OFSI continues to investigate and impose penalties for breaches of EU regulations and UK regulations that occurred prior to 31 December 2020. The breaches in this case occurred between 2017 and 2020 and were therefore breaches of the EU regulations and the now-repealed UK regulations implementing the EU regulations. If pre-2021 breaches are identified internally, it is worth considering a voluntary disclosure as the regulator can impose penalties if it becomes aware of historic noncompliance.

________________________

[1] Regulations 3(1) and 6(1) of the Ukraine (European Union Financial Sanctions) (No. 2) Regulations 2014

[2] Articles 2(1) and 2(2) of Council Regulation (EU) No. 269/2014

[3] Policing and Crime Act 2017, s. 146(4)

[4] Sanctions and Anti-Money Laundering Act 2018, s. 60

[5] Policing and Crime Act 2017, s. 146

The following Gibson Dunn lawyers prepared this client alert: Irene Polieri, Michelle Kirschner, and Patrick Doris.

Europe
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Nicolas Autet – Paris (+33 1 56 43 13 00, [email protected])
Susy Bullock – London (+44 (0) 20 7071 4283, [email protected])
Patrick Doris – London (+44 (0) 207 071 4276, [email protected])
Sacha Harber-Kelly – London (+44 (0) 20 7071 4205, [email protected])
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Irene Polieri – London (+44 (0) 20 7071 4199, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Michael Walther – Munich (+49 89 189 33 180, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

We are pleased to provide you with Gibson Dunn’s Accounting Firm Quarterly Update for Q3 2022. The Update is available in .pdf format at the below link, and addresses news on the following topics that we hope are of interest to you:

PCAOB Signs Cooperative Agreement with China
Sens. Warren and Lujan Push for Increased Suspension/Debarment
Ohio Supreme Court Leaves Verein Ruling in Place
SEC Adopts Whistleblower Program Enhancements
PCAOB, SEC, and DOJ Signal Continued Aggressive Enforcement
Supreme Court Grants Certiorari in Attorney-Client Privilege Case
New York Dept. of Financial Services Strengthens Corporate Cyber Requirements
Other Recent SEC and PCAOB Regulatory Developments

Read More

Accounting Firm Advisory and Defense Group:

James J. Farrell – Co-Chair, New York (+1 212-351-5326, [email protected])

Ron Hauben – Co-Chair, New York (+1 212-351-6293, [email protected])

Monica K. Loseman – Co-Chair, Denver (+1 303-298-5784, [email protected])

Michael Scanlon – Co-Chair, Washington, D.C.(+1 202-887-3668, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Denver partner Monica Loseman and associate Timothy Zimmerman and Washington, D.C. of counsel David Ware are the authors of “How Much Information Should Cos. Share With Auditors” [PDF] published by Law360 on October 13, 2022.

Nicholas Venable, a recent law graduate in the firm’s Denver office, assisted in the preparation of this article.

Personal Data | Cybersecurity | Data Innovation

Europe

10/07/2022 – United States Government | Executive Order | EU-US Data Transfers

President Biden signed an Executive Order to implement the EU-US Data Privacy Framework, aiming to safeguard cross-border data flows.

As a reminder, the Privacy Shield framework (which used to enable transfers of personal data from the EU to the US) was declared invalid by the Court of Justice of the European Union in 2020 (Schrems II ruling). In March 2022, leaders of the EU and the US announced that they agreed “in principle” to a new trans-Atlantic data flow agreement (the EU-US Data Privacy Framework). For that purpose, the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities directs the steps that the US will take to implement the US commitments under the EU-US Data Privacy Framework.

The Framework notably aims to provide binding safeguards to limit US intelligence authorities access to data to what is necessary and proportionate to protect national security. A Data Protection Review Court will also be created to investigate and resolve complaints of Europeans on access of data by US intelligence authorities.

The White House asserts that this will provide the European Commission with a basis to adopt a new adequacy determination, but also greater legal certainty for companies using Standard Contractual Clauses to transfer personal data to the US.

For further information: White House Website

09/20/2022 – Court of Justice of the European Union | Decision | Data Retention

The Court of Justice of the European Union ruled that the general and indiscriminate retention of traffic data by operators providing electronic communications services for a year in order to combat market abuse offences including insider dealing is not compliant with European law.

However, in case of a serious threat to national security, some personal data (such as traffic and location data or IP addresses) may be retained under certain circumstances.

For further information: CJEU Website

09/15/2022 – European Commission | Regulation | Cybersecurity

The European Commission has presented its proposal for a new Cyber Resilience Act. The aim of the proposal is to protect both consumers and businesses from products with inadequate security features and thereby ensure a better level of cybersecurity.

In particular, the Cyber Resilience Act draft introduces mandatory cybersecurity requirements and obligations for manufacturers, as well as importers and distributors, of products with digital elements (i.e., software or hardware product and its remote data processing solutions, defined as any data processing at a distance for which the software is designed and developed by the manufacturer or under its responsibility and the absence of which would prevent the product from performing one of its functions) within the European Union. Any vulnerability contained in the product or any incident impacting its security will have to be reported by the manufacturer to the European Union Agency for Cybersecurity (ENISA). The “critical products” (e.g., operating systems, firewalls or network interfaces) would be subject to a specific compliance procedure.

This proposal of Regulation, if adopted, will be directly applicable in all Member States. Sanctions for violation will depend on the concerned breach (up to €15 million or 2.5% of the company’s total worldwide annual turnover of the preceding financial year, whichever is the higher).

In terms of timeline, it still has to be examined by the European Parliament and the Council and, once adopted, companies will have two years to adapt to the new requirements (one year for reporting obligations of manufacturers of incidents/vulnerabilities — if not modified in the final version of the Regulation).

For further information: European Commission Website

08/01/2022 – Court of Justice of the European Union | Decision | Special Categories of Data

The Court of Justice of the European Union ruled that indirectly revealing the sexual orientation of a natural person constitutes processing of special categories of personal data, protected under Article 9 of the GDPR.

In this case, Lithuanian legislation provided for the online publication of the declaration of private interests, required from individuals working in the public service in order to prevent corruption. This declaration contained name-specific data relating to the individual’s spouse, cohabitee or partner, thus disclosing indirectly his/her sexual orientation.

For further information: CJEU Website

07/28/2022 – European Data Protection Board and European Data Protection Supervisor | Joint Opinion | Child Sexual Abuse

The European Data Protection Board and the European Data Protection Supervisor adopted a Joint Opinion 04/2022 on the Proposal for a regulation to prevent and combat child sexual abuse.

In particular, the Opinion stresses the concerns regarding the proportionality of the interferences and limitations to the protection of the fundamental rights to privacy and the protection of personal data.

For further information: EDPB Website

07/18/2022 – European Union | Regulation | Digital Markets Act

The Council of the European Union gave its final approval to the Digital Markets Act.

Following the signature of the Digital Markets Act by the President of the European Parliament and the President of the Council, it will apply six months after publication in the Official Journal of the European Union.

For further information: Council of the European Union

07/14/2022 – European Data Protection Board | Document | Cooperation

In order to enhance cooperation between European supervisory authorities, the Board has published a set of criteria for identifying cross-border cases of strategic importance in different Member States, as well as the process followed by the Board to select these cases.

The Commission recalls that cases of strategic importance are primarily one-stop-shop cases which are likely to involve a high risk to the rights and freedoms of individuals in several Member States. In particular, several criteria have been defined by the Council (e.g., cases related to the intersection of data protection and other legal fields, where a high risk can be assumed, where a data protection impact assessment is required or where there is a large number of complaints in several Member States).

The supervisory authorities may refer to other supervisory authorities in any case that meets at least one of the criteria. The Board members will then decide which cases will be identified as cases of strategic importance at the European level. The Board already agreed on three (undisclosed) cases to start the project.

For further information: EDPB Website

07/12/2022 – European Data Protection Board and European Data Protection Supervisor | Joint Opinion | European Health Data Space

The European Data Protection Board and the European Data Protection Supervisor adopted a Joint Opinion 03/2022 on the European Commission’s Proposal for a Regulation on the European Health Data Space.

The Opinion aims to draw attention to a number of overarching concerns such as the clarification of the interplay between the Proposal and the GDPR or Member State laws.

For further information: Joint Opinion

07/12/2022 – European Data Protection Board | Statement | Data Transfers

The Board adopted a Statement on data transfers to Russia.

The Board recalls that data exporters who transfer personal data to Russia should assess and identify appropriate safeguards and the necessity for supplementary measures to ensure that data subjects are afforded a level of protection that is essentially equivalent to that guaranteed within the EU.

For further information: EDPB Website

Belgium

09/07/2022 – Belgian Supervisory Authority | Preliminary Questions | Advertising

The Belgian Supervisory Authority announced it has referred preliminary questions to the Court of Justice of the European Union (CJEU) regarding the appeal filed by IAB Europe in the case against the compliance of the so-called Transparency & Consent Framework (TCF) with the GDPR.

As a reminder, the TCF aims to contribute to the GDPR compliance of the OpenRTB protocol, which is one of the most widely used Real-Time Bidding protocols. In February 2022, the Belgian Supervisory Authority fined IAB €250.000 on the basis that the TCF infringes the GDPR.

In particular, the CJEU will have to determine whether a transparency and consent string which reflects users’ consent, objections and preferences can be considered as personal data.

For further information: CJUE Questions

08/19/2022 – Belgian Supervisory Authority | Sanction | Medical Data

The Belgian Supervisory Authority imposed a €20.000 fine on a medical analysis laboratory regarding various GDPR violations.

The Authority found that the principles of integrity and confidentiality were violated insofar as health data was processed through a website without using encryption. In addition, the argument that a privacy policy was not required on the website used as a “mere commercial showcase” was rejected as it was considered as an important operational tool for the laboratory’s activities. Finally, the Authority sanctioned the company for not having carried out a data protection impact assessment despite the fact that a large amount of health data was processed.

For further information: APD Website [NL]

08/17/2022 – Belgian Supervisory Authority | Decision | Complaint

The Belgian Supervisory Authority considered that a company may file a complaint against another one.

According to the Authority, the GDPR does not prohibit national regulations from allowing persons other than data subjects to file a complaint before a supervisory authority, for example where a personal data breach occurs in the context of a business relationship.

For further information: APD Website [NL]

Croatia

07/21/2022 – Croatian Supervisory Authority | Sanction | Security Breach

Following a personal data breach, the Croatian Supervisory Authority fined a company HRK 2.15 million (approx. €285.000) for failure to take adequate technical and organizational security measures.

In particular, the Authority highlighted that no access restrictions had been implemented and considered it an aggravating factor that the company is one of the main telecommunications services providers in Croatia.

For further information: AZOP Website [HR]

Denmark

09/21/2022 – Danish Supervisory Authority | Press Release | Data Transfers

The Danish Supervisory Authority issued a decision against a company using the analytics tool of an American company, reaffirming that said tool cannot be used in accordance with Chapter V of the GDPR without supplementary measures.

As a reminder, the Austrian, French and Italian Authorities expressed similar concerns.

For further information: Datatilsynet Website [DK]

08/18/2022 – Danish Supervisory Authority | Decision | Data Transfers

The Danish Supervisory Authority upheld the ban on a municipality’s use of a cloud-based workspace, imposed on July 14, 2022.

The Authority specified that the ban will apply until the municipality brings its processing activities in line with the GDPR and carries out a data protection impact assessment that meets the GDPR requirements.

For further information: Datatilsynet Website [DK]

07/14/2022 – Danish Supervisory Authority | Sanction | Security Breach

The Danish Supervisory Authority proposed to fine a Danish law firm DKK 500.000 (approx. €67.000) for failing to implement appropriate data security measures.

The Authority found that basic security measures (such as multifactor authentication to login to IT systems) were not implemented by the Danish law firm while a large amount of personal data was being processed.

For further information: Datatilsynet Website [DK]

Estonia, Latvia and Lithuania

07/27/2022 – Baltics States Data Supervisory Authorities | Coordination | Short-Term Vehicle Rental

Supervisory Authorities of the Baltic States initiated a coordinated inspection of privacy practices in the field of short-term vehicle rental.

The Estonian, Latvian and Lithuanian Supervisory Authorities launched a coordinated preventive supervision of companies specialized in short-term vehicle rental. The aim is to monitor compliance with the GDPR and to proactively address potential threats to privacy in this sector, in light of its increasing importance in the daily lives of many citizens over the last three years.

For further information: EDPB Website

Finland

07/05/2022 – Finnish Supervisory Authority | Sanction | Data Subject Rights

The Finnish Supervisory Authority published a decision issued on May 9, 2022, imposing a €85.000 fine on a Finnish magazine publisher for deficiencies in the implementation of data subject rights.

In particular, the decision outlines that some of the data subjects’ requests were not handled due to a technical issue in the e-mail redirect. In addition, the company gathered an excessive amount of information for identification by requiring data subjects to complete and sign a printable form to identify the customer exercising his/her right, and collecting signatures, without a justified reason (such as comparing the customer’s signature with one already in its possession, which was not the case here).

For further information: Ombudsman Website

France

09/08/2022 – French Supervisory Authority | Sanction | Data Security

The French Supervisory Authority fined the French Trade and Companies Register €250.000, for breaches relating to data security and retention periods.

In particular, strong passwords were not required to create a user account and personal data such as passwords were stored and transmitted in clear text. Besides, the data of a quarter of the service’s users was kept beyond the retention period.

For further information: CNIL Website [FR]

09/07/2022 – French Government | Regulation | Cybersecurity

A bill proposed various revisions to French legislation, with the aim to act against cybercrime.

In particular, the bill proposes a framework for insurance reimbursement clauses, making such reimbursement conditional on the filing of a complaint by the victim. Besides, in the context of a criminal procedure, and under the authorization given by the official authorities, enforcement authorities may seize digital assets.

For further information: French Senate Website [FR]

08/03/2022 – French Supervisory Authority | Sanction | Marketing Communication

The French Supervisory Authority fined a French group of hotels €600.000 for various breaches in the context of marketing activities.

The group sent marketing messages to customers without their consent, and did not comply with the exercise of data subject’s rights. For example, the box to subscribe to a marketing newsletter was pre-ticked, and technical issues prevented individuals from exercising their right to object.

For further information: CNIL Website [FR]

07/26/2022 – French Supervisory Authority | Recommendations | Age Verification Systems

The French Supervisory Authority issued its recommendations for online age verification systems.

In particular, the Authority reminded that pornographic websites shall not directly collect identity documents, estimate a visitor’s age based his/her browsing history, nor process biometric data to uniquely identify or authenticate an individual. The Authority further suggested using an independent trusted third party to prevent the direct transmission of identifying data about the user to the website or application publishing pornographic content, in accordance with the data minimization principles.

For further information: CNIL Website [FR]

07/22/2022 – French Administrative Court | Decision | Personal Data Breach Notification

The French Administrative Court (Conseil d’Etat) ruled that data controllers are not required to notify a personal data breach to the French Supervisory Authority (CNIL) if the CNIL was already aware of the breach.

On that basis, the Conseil d’Etat reduced the fine imposed by the CNIL from €3.000 to €2.500.

For further information: French Administrative Court Website [FR]

07/21/2022 – French Supervisory Authority | Sanction | Geolocation Data

The French Supervisory Authority fined a short-term vehicle rental company €175.000, in particular for having disproportionately infringed the privacy of its customers by geolocating them almost permanently.

The company also failed to identify and implement a proportionate data retention period, and to inform individuals.

For further information: CNIL Website

07/08/2022 – French Supervisory Authority | Formal Notices | Website Security

The French Supervisory Authority issued formal notices against fifteen organizations for insufficiently secured websites, amongst the twenty-one websites inspected in 2021.

The Authority highlights the lack of sufficient data encryption, including obsolete versions of the transport layer security (TSL) protocol and unsecured access (HTTP) to the website, and the lack of sufficient measures to protect users’ accounts, such as weak password policies.

For further information: CNIL Website [FR]

Germany

09/21/2022 – Baden Württemberg Supervisory Authority | Sanction | Use of Personal Data from Public Land Register

The Baden Württemberg Supervisory Authority imposed fines of €50.000 against a company and €5.000 against an individual for using personal data from a public land register for business development purposes.

The Authority highlights that there is no legitimate interest to process personal data as the register is created pursuant to a legal obligation, to ensure legal certainty and protect property interests, but not to facilitate marketing.

For further information: BfDI-BW Website [DE]

09/20/2022 – Berlin Commissioner for Data Protection and Freedom of Information | Sanction | Data Protection Officer

The Berlin Supervisory Authority imposed a €525.000 fine on the subsidiary of an e-commerce group because its data protection officer had a conflict of interest.

The Authority highlighted that the appointed data protection officer was the managing director of two service companies that processed personal data on behalf of the company for which he was the data protection officer. The Authority held that the subsidiary failed to comply with the GDPR insofar as a conflict of interest had arisen with no action being taken by the company, despite a previous warning issued in 2021.

For further information: BfDI Website [DE]

09/08/2022 – Lower Saxony Supervisory Authority | Warning | Profiling

The Lower Saxony Supervisory Authority issued a press release warning banks against profiling for advertising purposes.

In particular, payment transaction data and third-party data was used by the bank to assess whether a customer might be interested in a particular product. According to the Supervisory Authority, such processing would be unlawful insofar as legitimate interests of the controller cannot constitute the legal basis for the processing, and the consent forms used did not meet the GDPR requirements.

For further information: LfD Niedersachsen [DE]

09/07/2022 – Karlsruhe Higher Regional Court | Decision | Data Transfers

The Karlsruhe Higher Regional Court overturned the judgment of the Baden-Württemberg Procurement Chamber, which argued that a company had to be excluded from a public procurement procedure as its offer violated Chapter V of the GDPR governing data transfers.

As a reminder, the Baden-Württemberg Procurement Chamber excluded a company from a procurement procedure insofar as the company intended to employ the services of a Luxembourg subsidiary of an American cloud provider. According to the Baden-Württemberg Procurement Chamber, the mere risk of access to personal data stored in the European Union by American authorities would be considered as a data transfer.

The Regional Court overturned the judgment, considering that the sole group affiliation does not imply that illegal instructions might be received from the American cloud provider. However, the Regional Court did not address the Chamber of Public Procurement’s argument that the mere ability to access personal data from outside the European Union by a US cloud provider would be considered a transfer under Chapter V of the GDPR.

For further information: Oberlandesgericht Karlsruhe [DE]

08/18/2022 – Thuringia Data Protection Authority | Recommendation | Data Transfers

The Thuringia Data Protection Authority published a recommendation regarding the dynamic embedding of an American provider’s fonts on a website without obtaining visitors’ prior consent.

The Authority refers to recent case law regarding the dynamic embedding of fonts, which was found to constitute a data transfer to the US (of at least the IP address of a website visitor) because of the dynamic linking. Instead, the Authority recommends considering hosting these fonts locally to avoid any link to US servers.

For further information: TLfDI Thüringen Website [DE]

08/09/2022 – Federal Institute for Drugs and Medical Devices | Regulation | Data Protection Certification

The Federal Institute for Drugs and Medical Devices has published standard data protection criteria for digital health and care applications, making it one of the first authorities to establish a data protection certification under Article 42 of the GDPR.

For further information: BfArM Website [DE]

07/28/2022 – Lower Saxony Supervisory Authority | Sanction | Profiling

The Lower Saxony Supervisory Authority fined a bank €900.000 for profiling its active and former customers for advertising purposes without their consent.

For further information: LfD Niedersachsen Website [DE]

07/26/2022 – Lower Saxony Supervisory Authority | Sanction | Driver Assistance System

The Lower Saxony Supervisory Authority fined a car company €1.1 million for using a test vehicle with a driver assistance system using a surveillance camera without informing data subjects, conducting a data protection impact assessment, nor entering into an agreement with its processor.

In particular, the Authority highlights that a vehicle equipped with a driver assistance system using surveillance cameras must be equipped with magnetic signs displaying a camera symbol and other required information for the data subjects, in this case other road users.

For further information: LfD Niedersachsen Website [DE]

07/19/2022 – German Supervisory Authorities | Recommendation | Data Processing Agreements

Several German data protection authorities undertook a joint exercise to review model data processing agreements used by website hosting providers for the processing of their customers’ personal data.

The German data protection authorities have published a detailed checklist for data processing agreements in this respect.

For further information: BlnBDI Website [DE]

Greece

07/13/2022 – Hellenic Supervisory Authority | Sanction | Facial Recognition

The Hellenic Supervisory Authority fined an American AI company specialized in facial recognition €20 million for multiple breaches of the GDPR.

As a reminder, the company used data scraped from the internet for facial recognition and has already been subject to enforcement actions, including in France, Italy, Australia, the UK and Canada.

The Authority notably highlights that the Company failed to name a representative since the company is not established in the European Union, to lawfully process personal data, to inform the data subject and to ensure the right of access of data subjects.

For further information: HDPA Website [GR]

Ireland

09/15/2022 – Irish Supervisory Authority | Sanction | Protection of Minors

The Irish Supervisory Authority fined a social media company €405 million for breaches relating to the public disclosure of children’s personal data using the social media’s business features and a public-by-default setting for personal accounts of children.

As the Authority was unable to reach consensus with the concerned supervisory authorities, the European Data Protection Board issued a binding decision in accordance with the GDPR dispute resolution process. In addition to the fine, the Authority imposed a range of corrective measures, including an order to bring the processing into compliance by taking a range of specified remedial actions.

For further information: DPC website; EDPB Binding Decision

07/06/2022 – Irish Supervisory Authority | Reprimand | Erasure Request

The Irish Supervisory Authority published a reprimand issued on April 27, 2022 against a social media company, for requiring data subjects to provide copies of their IDs when submitting erasure requests.

In particular, the Authority found that the company failed to comply with the data minimization principle and to provide a valid legal basis for such processing. It also ordered the company to revise its internal policies and procedures for handling erasure requests.

For further information: DPC Decision

Italy

06/30/2022 – Italian Supervisory Authority | Sanction | Financial Data

The Italian Supervisory Authority published a decision issued on May 26, 2022, imposing a €100.000 fine on an Italian bank for the unlawful disclosure of customer data to an unauthorized third party.

The bank disclosed a data subject’s banking activity to its parent company without a valid legal basis. The Authority rejected the bank’s argument according to which the disclosure was made by an employee in good faith.

For further information: Garante Website [IT]

Netherlands

07/27/2022 – Dutch Council of State | Decision | Legitimate Interest

The Dutch Council of State upheld a decision overturning the €575.000 fine imposed by the Dutch Supervisory Authority against a video and social platform in 2020. Besides, the European Commission issued a letter, asking the Authority to change its position according to which pure commercial interest does not qualify as legitimate interest.

As a reminder, the case concerned a video and social media platform that installed streaming cameras around amateur soccer fields. The Authority held that the platform could not use legitimate interest as a legal basis since its interest is exclusively commercial. On the contrary, the district court and the Council of State ruled that the platform has other interests such as the interests of players or the public watching the game.

In its letter, the European Commission considers that the Authority’s strict interpretation of legitimate interests is not in line with the GDPR and severely limits businesses’ possibilities of processing personal data for commercial interests, as they would have to collect consent from the data subject in every case where an economic interest is pursued. Against this background, the Commission invited the Authority to readjust its position and reflect that commercial interests can be regarded as legitimate interests when they are not overridden by the fundamental rights and freedoms of the data subject.

For further information: Raad van State Website [NL]; European Commission Letter

Norway

09/09/2022 – Norwegian Supervisory Authority | Sanction | Credit Assessment

The Norwegian Supervisory Authority published a decision issued on August 25, 2022, imposing a NOK 200.000 (approx. €20.000) fine on a company for performing a credit assessment on a data subject without any legal basis to do so.

The Authority notes that the data subject did not have any kind of customer relationship or other connection with the company. In particular, the Authority found that legitimate interest cannot be used a lawful basis insofar as the data subject did not expect the company to process his credit information.

For further information: Datatilsynet Website [NO]

Poland

07/06/2022 – Polish Supervisory Authority | Sanction | Personal Data Breach Notification

The Polish Supervisory Authority fined a company PLN 15.994 (approx. €3.500) for failing to notify a personal data breach.

The Authority considered that a company who loses an employment certificate must notify such breach, even if the employee does not file a complaint, since the certificate of employment contains personal data (e.g., period of employment, parental and child care leave taken).

For further information: EDPB Website

Portugal

08/16/2022 – Portuguese Supervisory Authority | Sanction | Data Security

The Portuguese Supervisory Authority announced the publication of Law No. 16/2022 of August 16, 2022 which approves the Electronic Communications Law.

The law aims to implement several EU Directives, including the Directive 2018/1972 establishing the European Electronic Communications Code. The law notably requires operators to notify the Authority of any security incident and imposes obligations to ensure an adequate level of security for public electronic communication networks and publicly available electronic communications services. This new law will come into force within 90 days as of its publication.

For further information: ANACOM Website [PT]

Romania

09/08/2022 – Romanian Supervisory Authority | Sanction | Security

The Romanian Supervisory Authority fined a digital and media company RON 39.272 (approx. €8.000) for failure to implement adequate technical and organizational measures.

The Authority found that a security incident impacting the platform managed by the company led to an unauthorized disclosure or access to personal data, including names, telephone numbers and bank data.

For further information: ANSPDCP Website [RO]

08/22/2022 – Romanian Supervisory Authority | Sanction | Security of Processing

The Romanian Supervisory Authority fined an energy company RON 49.337 (approx. €10.000) for failure to implement remedial measures to reduce risk following a personal data breach.

The Authority considered that the company, which sent an email containing personal data to the wrong person, breached Article 32 of the GDPR by not providing the Authority with sufficient information on the remedial measures taken following the incident. In addition, the Authority issued a warning against the company for failing to notify the breach.

For further information: ANSPDCP Website [RO]

08/09/2022 – Romanian Supervisory Authority | Sanction | Transparency

The Romanian Supervisory Authority fined a passenger transportation company RON 34.630,40 (approx. €7.000) for failure to provide clear, complete and accurate information to data subjects.

In particular, the company’s website did not provide information regarding the purpose and the legal basis of the processing, the identity and contact data of the data controller, the data retention periods and the conditions for the exercise of data subject’s rights.

For further information: ANSPDCP Website [RO]

Slovenia

08/05/2022 – Slovenian Supervisory Authority | Guidance | Data Protection Impact Assessments

The Slovenian Supervisory Authority published a guide for conducting data protection impact assessments (DPIA).

In particular, the guidance highlights common DPIA shortcomings, gives recommendations to data controllers, and provides a checklist to help determine if a DPIA is comprehensive.

For further information: Slovenian Supervisory Authority Website [SL]

Spain

08/04/2022 – Spanish Supervisory Authority | Sanction | Data Accuracy

The Spanish Supervisory Authority fined an electricity company €50.000 for violation of the accuracy principle.

The Authority found that the company breached the principle of accuracy by linking wrong information, and consequently causing the cancellation of the complainant’s electricity supply contract with his provider.

For further information: AEPD Website [ES]

08/02/2022 – Spanish Supervisory Authority | Sanction | Lawfulness of Processing – Spanish Supervisory Authority | Sanction | Lawfulness of Processing

The Spanish Supervisory Authority fined a bank €42.000 for violations of the lawfulness of processing principle.

The Authority found that after the claimant asked the bank several times not to send any stock market investment report by post to his home address, the bank continued to do so.

For further information: AEPD Website [ES]

07/26/2022 – Spanish Supervisory Authority | Guidance | Biometric Data

The Spanish Supervisory Authority issued guidance regarding the use of biometric data.

The guidance focuses on data protection impact assessments in relation to biometric data and the criteria used to classify biometric systems in the framework of a processing operation when assessing the risk to the rights and freedoms of individuals that the processing of such data may entail.

For further information: AEPD Website

07/22/2022 – Spanish Supervisory Authority | Sanction | Marketing Calls

The Spanish Supervisory Authority fined a telecommunications company €40.000 for unlawful marketing calls, despite a data subject’s registration in the national opt-out list and notification of his direct opt-out to the company.

For further information: AEPD Website [ES]

07/18/2022 – Spanish Supervisory Authority | Sanction | Data Processing Principles

The Spanish Supervisory Authority fined a bank €56.000 for failing to comply with various data processing principles.

In particular, the Authority ruled that the bank violated the principle of integrity and confidentiality of processing by sending a report on a data subject’s investment to the wrong recipient, due to a computer error.

For further information: AEPD Website [ES]

07/13/2022 – Spanish Supervisory Authority | Sanction | Personal Data Breach

The Spanish Supervisory Authority published a decision issued on May 3, 2022, imposing a €132.000 fine on an insurance company for repeatedly sending medical data to an unauthorized third party and failing to notify a personal data breach despite being alerted.

For further information: AEPD Website [ES]

Sweden

09/13/2022 – Swedish Supervisory Authority | Decision | Sensitive Personal Data

The Swedish Supervisory Authority sanctioned a company for offering a browsing service that allows users to access court decisions containing sensitive personal data.

In particular, the Authority highlighted that the company’s database gave users access to court decisions with information on individuals who had undergone mandatory care due to mental illness or addiction. Therefore, the Authority issued a reprimand and ordered the company to take measures to prevent such access.

For further information: IMY Website [SE]

09/06/2022 – Swedish Supervisory Authority | Investigation | Employee Monitoring

The Swedish Supervisory Authority announced that it has opened an investigation regarding a transport company for monitoring the driving behavior of some of its employees.

The Swedish Supervisory Authority asked the transport company to clarify whether it had a legal basis for processing and whether it had provided required information to its employees.

For further information: IMY Website [SE]

Switzerland

08/31/2022 – Swiss Supervisory Authority | Press Release | New Data Protection Legislation

The Swiss Supervisory Authority announced that a new data legislation will come into force on September 1, 2023.

This regulation aims to improve data protection in Switzerland and shares similarities with the GDPR, such as data processing principles, the obligation to report personal data breaches and to conduct data protection impact assessments. It differs from the GDPR in some respects as, for example, there is no obligation for companies to appoint a data protection officer.

For further information: Swiss Supervisory Authority Website [FR]

08/09/2022 – Swiss Supervisory Authority | Document | Access Request

The Swiss Supervisory Authority issued recommendations on the exercise of access requests.

The Authority published recommendations in a dispute settlement procedure between a the Federal Intelligence Service (FIS) and a claimant requesting access to documents concerning the legal basis and processing of the FIS’ facial recognition systems. The FIS refused on the basis of national law, which provides that access to official documents shall be restricted if it jeopardizes the internal or external security of Switzerland. However, the Supervisory Authority deemed the FIS’ arguments too general and unspecific to prove a threat to the internal or external security of Switzerland and recommended the FIS to grant the claimant full access to the required documents.

For further information: Swiss Supervisory Authority recommendations [DE]

United Kingdom

09/07/2022 – UK Supervisory Authority | Guidance | Privacy-Enhancing Technologies

The UK Supervisory Authority has published draft guidance on privacy-enhancing technologies (PETs).

The publication forms part of the Authority’s draft guidance on anonymization and pseudonymization. The draft guidance explains some of the different types of PETs and their benefits, as well as how they can help organizations comply with data protection law.

For further information: ICO Website

09/06/2022 – UK Supervisory Authority | Sanction | Direct Marketing

The UK Supervisory Authority fined a UK-based motoring and cycling retailer £30.000 (approx. €34.000) for sending unsolicited marketing emails to data subjects without their consent.

The Authority held that the company improperly relied on legitimate interest as a lawful basis and could not count on the soft opt-in exemption insofar as the customers who received the email had opted out of marketing.

For further information: ICO Website

08/19/2022 – UK Supervisory Authority | Guidance | Complaint

The UK Supervisory Authority published guidance for small businesses that receive data protection complaints.

The Authority issued a six-step guide to acknowledge receipt of the complaint, find out the specific issue related to the complaint, provide updates to the data subject, record actions taken in response to the complaint, formally respond to the individual regarding the outcome of the investigation, and review the lessons learned.

For further information: ICO Website

07/21/2022 – UK and US Government | Joint Statement | Data Access Agreement

UK and US Governments issued a joint statement announcing that the UK-US Data Access Agreement will come into force on October 3, 2022.

As a reminder, the Data Access Agreement allows the US and the UK law enforcement agencies to directly request data held by communications providers in the other party’s jurisdiction in order to prevent, detect, investigate and prosecute serious crimes such as terrorism and child sexual abuse and exploitation.

In October 2019, the UK and US Governments signed an agreement on cross-border law enforcement demands for data from communication service providers. Recently, the two countries have completed the procedural steps required to bring this agreement into force.

For further information: US Department of Justice Website

07/18/2022 – UK Parliament | Regulation | Data Protection and Digital Information Bill

The UK Government published a draft of the Data Protection and Digital Information Bill.

The draft Bill provides for various changes to the UK’s legal framework, including replacement of the role of data protection officer with a designated senior responsible individual, changes to record-keeping requirements, replacement of the regime for carrying out data protection impact assessments and removal of the requirement for non-UK organizations to appoint a UK representative, as well as exempting additional types of website cookies from the existing consent requirements.

Please note that the Bill may be subject to substantial change following the announcement in October by the Secretary of State that the UK will be replacing GDPR with a new data protection regime.

For further information: UK Parliament Website

07/05/2022 – UK Government | Data Transfers | Data Adequacy Agreement

The UK and the Republic of Korea reached an adequacy agreement in principle to secure the transfer of data outside of the UK.

For further information: UK Government Website

This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris ([email protected])
Vera Lukic – Partner, Paris ([email protected])
Kai Gesing – Partner, Munich ([email protected])
Joel Harrison – Partner, London ([email protected])
Alison Beal – Partner, London ([email protected])
Clémence Pugnet – Associate, Paris ([email protected])
Léna Bionducci – Associate, Paris ([email protected])
Yannick Oberacker – Associate, Munich ([email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On October 7, 2022, the Department of Commerce Bureau of Industry and Security (“BIS”) released broad changes in the Export Administration Regulations (“EAR”) that together will create an effective embargo against providing to China the technology, software, manufacturing equipment, and commodities that are used to make certain advanced computing integrated circuits (“ICs”) and supercomputers. These changes include new restrictions on the participation by U.S. companies on enabling any semiconductor development or production at a facility in China[1] that manufactures or even potentially manufactures certain advanced ICs. BIS explained that it developed this sweeping set of new regulations to curtail China’s use of these items in the development of weapons of mass destruction, artificial intelligence and supercomputing-enhanced war fighting, and in technologies that enable violations of human rights. BIS further noted that these broad-based controls are necessary to address China’s mobilization of vast resources to support its defense modernization and the implementation of its “military-civil fusion” development strategy in ways that are contrary to U.S. national security and foreign policy interests.

BIS framed this new set of regulations as an interim final rule, which allows it to impose immediate controls with specified effective dates. Generally speaking, the new restrictions on exports of items associated with semiconductor manufacturing activities went into effect immediately on October 7, 2022, and the new restrictions on the exports of supercomputers, as well as associated parts, software, and technology, will come into effect on October 21, 2022. In addition, a new licensing requirement for support of foreign items destined for use in Chinese company development and production of ICs will become effective between these two dates, on October 12. In the table below we summarize almost 20 separate changes that BIS’s interim final rule is implementing in the coming weeks.

Effective Fri., Oct. 7, 2022 (U.S. Time)	Effective Wed., Oct. 12, 2022 (U.S. Time)	Effective Fri., Oct. 21, 2022 (U.S. Time)
15 C.F.R. § 740.2 (NEW restriction on license exceptions for certain ECCNs)	15 C.F.R. § 744.6 (NEW and Expanded controls on U.S. person’s ability to support China development of integrated circuits)	15 C.F.R. § 734.9(e) (Revised Entity List FDP Rule to add additional restrictions to 28 Chinese entities on the Entity List)
15 C.F.R. § 740.10 (Revised recordkeeping requirement for License Exception RPL)		15 C.F.R. § 734.9(h) (NEW Advanced Computing FDP Rule)
15 C.F.R. § 742.6 (NEW Regional Stability (“RS”) Controls for semiconductor manufacturing items sent to China)		15 C.F.R. § 734.9(i) (NEW Supercomputer FDP Rule)
>15 C.F.R. § 744.11(b) (NEW criteria for adding entities to the Entity List)		15 C.F.R. Part 734, Supplement No. 1 (NEW model certification for Advanced Computing FDP Rule)
15 C.F.R. § 744.23 (NEW semiconductor manufacturing end-use prohibitions)		15 C.F.R. Part 736, Supplement No. 1 (NEW Temporary General License for certain newly controlled activities)
15 C.F.R. Part 774, Supplement No. 1 (NEW ECCN 3B090 and Revised ECCNs 3B991, 3D001, and 3E001)		15 C.F.R. § 740.2 (NEW Restriction on License Exceptions for certain ECCNs) This is an expansion of the new controls implemented on Oct. 7, 2022.
		15 C.F.R. § 742.6 (NEW RS Controls for semiconductor manufacturing and advanced computing items to China) This is an expansion of the new controls implemented on Oct. 7, 2022.
		15 C.F.R. § 744.1 (NEW restrictions on supercomputer and semiconductor manufacturing end-use prohibitions)
		15 C.F.R. § 744.11 (NEW licensing requirements concerning expansion of Entity List FDP Rule and “Footnote 4” Entity List entities)
		15 C.F.R. § 744.23 (New supercomputer and semiconductor manufacturing end-use prohibitions) This is an expansion of the new controls implemented on Oct. 7, 2022.
		15 C.F.R. Part 744, Supplement No. 4 (NEW Footnote 4 added to 28 Chinese entities on Entity List to account for expansion of Entity List FDP Rules)
		15 C.F.R. § 762.2 (NEW recordkeeping requirement to retain Advanced Computing FDP Rule supply chain certificate)
		15 C.F.R. § 772.1 (NEW definition for “supercomputer” under the Commerce Control List (“CCL”))
		15 C.F.R. Part 774, Supplement No. 1 (Revised Note 3 to Category 3, Product Group A; Revised ECCNs 3A991, 3D001, 3E001, 4A994, 4D994, 4E001, 5A992, and 5D992; NEW ECCNs 3A090, 4A090, and 4D090)

On October 7, 2022, BIS also released a final rule adding 31 Chinese technology companies to the Commerce Department’s Unverified List. It also revised the criteria for inclusion on the Entity List to include an entity’s refusal or a host country’s continued interference in the ability of the entity to provide its bona fides or information to verify end-use checks. A concurrent rule issued by Commerce’s Export Enforcement division states that it will be applying a new, staged approach to adding companies to the Entity List where a foreign government interferes in end-use checks, essentially using the Unverified List as a first step.

We explain and outline the impacts of each of the new provisions below.

New Controls for Exports to China of Advanced IC, Advanced IC Manufacturing Equipment, and Associated Commodities, Software and Technology (15 C.F.R. §§ 740.2, 740.10, 742.6, and Part 774, Supplement No. 1)

One of the most consequential changes contained in the new regulations is the imposition of unilateral “Regional Stability” or RS controls on exports to China of advanced computing ICs, computer commodities that contain such ICs, and certain semiconductor manufacturing equipment, as well as associated software and technology. These new unilateral controls impose a license requirement for exports, reexports, and in-country transfers of identified items to or within China.

The new RS-based licensing requirement will be imposed in stages on a set of new and revised items defined by Export Control Classification Numbers (“ECCNs”). The new RS controls on certain semiconductor manufacturing items, as well as associated software and technology, became effective on October 7, 2022. Similar controls on certain advanced computing items will come into effect on October 21, 2022.

Effective October 7, 2022:
- New ECCN 3B090 to control certain semiconductor manufacturing equipment and specially designed parts, component, and accessories.
- Revised ECCNs 3B991, 3D001, and 3E001 to account for new RS controls and corresponding changes in light of new ECCN 3B090.
Effective October 21, 2022:
- New ECCNs 3A090, 4A090, and 4D090 to control specified high-performance ICs; certain computers, electronic assemblies, and components containing ICs; and associated software, respectively.
- Revised ECCNs 3D001, 3E001, and 4E001 for the software and technology associated with ECCNs 3A090, 4A090, and 4D090, as well as 5A992 and 5D992 for commodities and software that meet or exceed the performance parameters of ECCNs 3A090 or 4A090.

BIS further restricted access in China to the items described by these ECCNs by limiting the availability of most license exceptions for these items, including the widely used license exception for encryption items (referred to as “ENC”). Prior to this rule change, some advanced ICs did not require licensing when exported to China solely because they incorporated an information security functionality that could qualify for license exception ENC after certain classification, filing, and/or reporting requirements were met. Under the new rules, license exception ENC will not be available to overcome the new RS license requirements for items that also meet the classification criteria for ECCNs 3A090, 4A090, and the associated software and technology in 3D001, 3E001, 4D090, and 4E001.

Importantly, the new RS controls do not apply to deemed exports or deemed reexports.

BIS will review license applications to export, reexport, and transfer in-country RS-controlled items to PRC-IC fabricators under a presumption of denial. However, BIS will review applications for semiconductor manufacturing items destined to end users in China that are headquartered in the United States or in certain closely allied nations listed in Country Groups A:5 and A:6 on a case-by-case basis.

New Controls on Specified High-Performance Computing ICs and Commodities That Contain Them (15 C.F.R. Part 774, Supplement No. 1)

BIS is also adding new unilateral “anti-terrorism” or AT controls on the export of certain high-performance ICs, and their associated software and technology. These ICs can be found in a wide range of applications, including central processing units (“CPU”), graphics processing units (“GPU”), tensor processing units (“TPU”), neural processors, in-memory processors, vision processors, text processors, co-processors/accelerators, adaptive processors, and field-programmable logic devices (“FPLDs”). These new IC controls are described under ECCNs 3A991p and 4A994.l, and their corresponding software and technology controls under ECCNs 3D991, 3E991, 4D994, and 4E992, and exports, reexports, and transfers of these items to Iran, North Korea, and Syria will now require licensing.

Impact of New AT Controls on Certain Foreign National Employees in the United States – Deemed Exports

Whenever BIS identifies new technologies for control, companies and other organizations that employ foreign nationals in the United States need to consider whether the new controls will impose a requirement for them to obtain “deemed export” licenses. With respect to these new controls on these high-performance ICs and the commodities that contain them, BIS clarified that foreign national employees who did not previously require a license, but now do, will not require licensing unless they are provided access to new technology or software that exceeds the scope of the technology or software they received previously. For example, an Iranian national technologist who lawfully accessed technology or software specified in new ECCN paragraphs 3A991.p or 4A994.l prior to the effective date would not need a new license to continue receiving the same technology or software, but would require a license for the release of controlled technology or software different from that previously released, even if the technology or software is classified under the same ECCNs.

Although this clarification creates something of a safe harbor for existing national employees who support U.S. domestic companies with the development of high-performance ICs, the harbor is not particularly deep or wide, and we expect these new export controls to pose significant deemed export compliance challenges for many. Among other challenges, few companies would have already created detailed inventories of the specific software and technology its employees have access to that Commerce now controls with the new ECCNs prior to their creation last week. Moreover, even if and when such inventories are developed, the question of what would constitute the release of a new or different software or technology to the foreign national employee will immediately present itself. For example, would foreign national’s writing of new source code for the same piece of software be considered new? What if the employee is asked to work on design changes for a similar, but different IC than a company currently sells? Not only will many companies have significant difficulties identifying access to the newly controlled technologies, and then construing what releases of technology and software are new, but once they determine a license is needed, the companies and the foreign national employees will then be faced with a protracted period of uncertainty as BIS adjudicates the deemed export license application, a process that often takes between six and twelve months.

New and Expanded Foreign Direct Product (“FDP”) Rules

BIS is also significantly expanding the application of its existing Entity List FDP rules and creating two new FDP rules on advanced computing ICs and supercomputers. These rules come into effect October 21, 2022.

Entity List FDP Rule (15 C.F.R. §§ 734.9(e), 744.11, and Part 744, Supplement No. 4)

After early attempts to cut off the flow of U.S.-origin items to Huawei, BIS modified the national security-related control known as the Foreign Direct Product Rule to enable it to target a broader range of exports to specific companies that it has designated to the EAR Entity List (“Entity List FDP rule”). The Foreign Direct Product Rule concept is at the farthest end of U.S. efforts to extend its export controls jurisdiction extraterritorially because it applies to non-U.S.-origin items that are the direct products of specified U.S.-origin software and technology, or of “major components” or whole plants that are the direct product of this software and technology. BIS also has used new FDP rule modifications to limit the access by Russian and Belarusian military end users and military intelligence end users to commodities produced with controlled U.S. software and technology.

BIS has now expanded its Entity List FDP rule to cover 28 China-based entities that it had already designated to the Entity List over the last several years for their alleged participation in nuclear and other weapons of mass destruction proliferation, as well as surveillance and other human rights violations. Thus, in addition to requiring licenses for exports of U.S. origin items, any non-U.S. based exporters also will require U.S. export licenses to export, reexport or transfer items that are direct products of technology or software classified by the following ECCNs: 3D001, 3D991, 3E001, 3E002, 3E003, 3E991, 4D001, 4D993, 4D994, 4E001, 4E992, 4E993, 5D001, 5D002, 5D991, 5E001, 5E002, or 5E991, as well as the direct product of any plant or “major component” of a plant that is the “direct product” of U.S.-origin “technology” or “software” that is specified in the ECCNs listed above. These ECCNs apply to most ICs, computers, telecommunications, and information security items controlled by Commerce.

BIS also has created two new, similarly structured FDP rules to target the export, reexport and transfer of foreign direct products used to develop or produce ICs and supercomputers for China-based manufacturers.

Advanced Computing FDP Rule (15 C.F.R. §§ 734.9(h), 762.2, and Part 734, Supplement No. 1)

The Advanced Computing FDP rule expands the scope of the EAR to certain items destined for China, as well as certain items produced in China. The rule is applicable whenever an exporter has “knowledge” (as defined under the EAR to cover actual knowledge and an awareness of a high probability, which can be inferred from acts constituting willful blindness) that the item is (1) destined for China or will be incorporated into any “part,” “component,” “computer,” or “equipment” (not designated EAR99) destined for China, or (2) the technology is developed by an entity headquartered in China for the “production” of a mask or an IC wafer or die. The foreign-produced items that are affected by this new rule include those items that are either:

(i) the “direct product” of “technology” or “software” subject to the EAR and specified in ECCNs 3D001, 3D991, 3E001, 3E002, 3E003, 3E991, 4D001, 4D090, 4D993, 4D994, 4E001, 4E992, 4E993, 5D001, 5D002, 5D991, 5E001, 5E991, or 5E002; and

- (a) are described by ECCNs 3A090, 3E001 (for 3A090), 4A090, or 4E001 (for 4A090); or
- (b) are ICs, computers, “electronic assemblies,” or “components” specified elsewhere on the CCL that meet the performance parameters of ECCNs 3A090 or 4A090;

(ii) or are produced by any complete plant or “major component” of a plant that is located outside the United States, when the plant or “major component” of a plant, whether made in the United States or a foreign country, itself is a “direct product” of U.S.-origin “technology” or “software” that meets the requirements discussed immediately above.

As a suggested compliance aid, BIS has provided a suggested (voluntary) sample certification that suppliers can complete to comply with this Advanced Computing FDP. See Supplement 1 to Part 734. In this certification, the supplier would assert that an item being provided will be subject to the EAR if a future transaction meets the destination scope outlined above. If a certificate is not provided by a supplier, BIS explains that the supplier’s customers will need to complete additional due diligence to determine if the item purchased is subject to the Advanced Computing FDP’s licensing requirement for onward exports to China. BIS further notes, however, that the certification alone should not be the only due diligence conducted before an export occurs. Moreover, BIS advises that entities outside of China that receive 3E001 for 3A090 technology from China should consider confirming that a license was obtained to export such technology from China, as the provisions of the Advanced Computing FDP also extend to certain items produced in China by China-based manufacturers. If no such license has been obtained, the item would have been exported from China in violation of the EAR. In addition, parties involved in supporting the transaction would be subject to the EAR’s General Prohibition 10, which prohibits any person from taking further action on a transaction with knowledge (see definition above) that a violation has occurred or is about to occur.

Supercomputer FDP Rule (15 C.F.R. §§ 734.9(i) and 772.1)

Similarly, BIS has now issued the Supercomputer FDP rule to expand the scope of the EAR to certain items destined for China whenever the exporter has “knowledge” that the foreign-produced item will be (1) used in the design, “development,” “production,” operation, installation (including on-site installation), maintenance (checking), repair, overhaul, or refurbishing of a “supercomputer” (as defined in the EAR) located in or destined to China; or (2) incorporated into, or used in the “development,” or “production,” of any “part,” “component,” or “equipment” that will be used in a “supercomputer” located in or destined to the China.

The foreign-produced items affected by this new rule are as follows:

foreign-produced items that are the “direct product” of “technology” or “software” subject to the EAR and specified in ECCNs 3D001, 3D991, 3E001, 3E002, 3E003, 3E991, 4D001, 4D993, 4D994, 4E001, 4E992, 4E993, 5D001, 5D991, 5E001, 5E991, 5D002, or 5E002; or

are produced by any plant or “major component” of a plant that is located outside the United States, when the plant or “major component” of a plant, whether made in the United States or a foreign country, itself is a “direct product” of U.S.-origin “technology” or “software” that is specified in the ECCNs 3D001, 3D991, 3E001, 3E002, 3E003, 3E991, 4D001, 4D994, 4E001, 4E992, 4E993, 5D001, 5D991, 5E001, 5E991, 5D002, or 5E002.

As of October 21, 2021, “supercomputer” will be specifically defined under the EAR as “a computing “system” having a collective maximum theoretical compute capacity of 100 or more double-precision (64-bit) petaflops or 200 or more single-precision (32-bit) petaflops within a 41,600 ft³ or smaller envelope.” Commerce’s definition for “supercomputer” is interesting in at least two ways. First, it appears that a large variety of advanced ICs can be used to create the level of computing power density outlined by the definition. Thus, this definition creates a kind of catch-all for computing power regardless of how it is achieved. Second, data center providers, and those who support them, may need to consider whether any specific data center could conceivably meet this computing power threshold.

Temporary General License (15 C.F.R. Part 736, Supplement No. 1)

Taken together, these new sets of RS, FDP, and ECCN-defined controls will have a significant impact on the ability of China-headquartered companies to obtain access to the commodities, technology and software required to manufacture ICs and Supercomputers. But a larger policy comes into focus when one considers a Temporary General License (“TGL”) that BIS issued alongside these controls.

The TGL authorizes companies headquartered in the United States or in a subset of other countries (those not headquartered in Country Groups D:1 or D:5 or E) to continue exporting certain ICs and associated software and technology for specified purposes to their affiliates and subsidiaries located in China through April 7, 2023, provided that none of the ultimate recipients of the items being manufactured with these products are located in China. The announced objective for the TGL is to mitigate the immediate disruption that these new controls will have on users of the TGL’s supply chains. Once the TGL expires in April 2023, exporters will need to apply for an individually validated export license to export such advanced computing chips, assemblies containing them, and related software and technology to China for supply chain-related activities, such as assembly, inspection, quality assurance, and distribution. These applications will carry a presumption of denial, although license applications for semiconductor manufacturing items destined to end users in China that are headquartered in the United States or in certain closely allied nations listed in Country Groups A:5 and A:6 will be reviewed on a case-by-case basis.

The TGL allows, at least until April 7, 2023, companies to continue exporting the following items:

ECCNs 3A090, 4A090, and associated software and technology in ECCNs 3D001, 3E001, 4D090, or 4E001; and

any item that is a computer, IC, “electronic assembly” or “component” and associated software and technology, specified elsewhere on CCL which meets or exceeds the performance parameters of ECCNs 3A090 or 4A090.

The TGL’s expiry in April 2023 provides but a short time for U.S. and other Group A:5 and A:6 headquartered companies to find alternative fabricators for ICs. Other non-China based fabricators may already be at capacity, and the timeline for bringing new fabrication facilities online and qualifying them to produce new ICs is far longer than the timelines currently contemplated by the TGL.

New End-User/End-Use Controls (15 C.F.R. §§ 744.1 and 744.23)

The new regulations also restrict China’s access to ICs and supercomputing through the imposition of new end-user and end-use controls. These controls are knowledge-based controls that require exporters to seek BIS licensing when they know, are informed, or are otherwise unable to determine that their exports will be put to certain end uses.

On October 7, 2022, these end-user/end-use prohibitions were extended to the following:

any item subject to the EAR used in the “development” or “production” of ICs at a semiconductor fabrication “facility” located in China which fabricates certain ICs such as advanced logic, NAND, and DRAM ICs;

any item subject to the EAR and classified in an ECCN in Product Groups B, C, D, or E in Category 3 of the CCL when the individual or entity knows the item will be used in the “development” or “production” of ICs at any semiconductor fabrication “facility” located in China, but for which the individual or entity does not know whether such semiconductor fabrication “facility” fabricates advanced ICs; and

any item subject to the EAR for which the individual or entity will be used in the “development” or “production” in China of any “parts,” “components” or “equipment” specified under ECCNs 3B001, 3B002, 3B090, 3B611, 3B991, or 3B992.

On October 21, 2022, these end-user/end-use prohibitions also will apply to certain “supercomputers” as defined under the EAR, namely:

any IC subject to the EAR and specified in ECCNs 3A001, 3A991, 4A994, 5A002, 5A004, or 5A992 when the individual or entity knows the item will be used in (1) the “development,” “production,” “use,” operation, installation (including on-site installation), maintenance (checking), repair, overhaul, or refurbishing of a “supercomputer” located in or destined to China; or (2) incorporation into, or the “development” or “production” of any “component” or “equipment” that will be used in a “supercomputer” located in or destined to China; and

any computer, “electronic assembly,” or “component” subject to the EAR and specified in ECCNs 4A003, 4A004, 4A994, 5A002, 5A004, or 5A992 when the individual or entity knows the item will be used for the activities described above.

Commerce notes that it will review all end-user/end-use license applications with a presumption of denial, but that it will consider license applications for semiconductor manufacturing items destined to end users in China that are headquartered in the United States or in certain closely allied nations listed in Country Groups A:5 and A:6 on a case-by-case basis.

Activities of U.S. Persons (15 C.F.R. § 744.6)

Effective October 12, U.S. persons will be prohibited from engaging in certain activities, even when dealing with items that are non-U.S. origin.

Specifically, BIS will now require U.S. persons to apply for licenses to facilitate or engage in shipping, transmitting or transferring to or within China the following products:

any item not subject to the EAR that the individual or entity knows will be used in the “development” or “production” of ICs at a semiconductor fabrication “facility” located in China that fabricates certain ICs such as advanced logic, NAND, and DRAM ICs; or in the servicing of any such items;

any item not subject to the EAR and meeting the parameters of any ECCN in Product Groups B, C, D, or E in Category 3 of the CCL that the individual or entity knows will be used in the “development” or “production” of ICs at any semiconductor fabrication “facility” located in China, but for which the individual or entity does not know whether such semiconductor fabrication “facility” fabricates certain ICs such as advanced logic, NAND, and DRAM ICs; or in the servicing of any such items; or

any item not subject to the EAR and meeting the parameters of ECCNs 3B090, 3D001 (for 3B090), or 3E001 (for 3B090) regardless of end use or end user; or in the servicing of any such items.

Commerce will review all such license applications with a presumption of denial, although license applications for semiconductor manufacturing items destined to end users in China that are headquartered in the United States or in certain closely allied nations listed in Country Groups A:5 and A:6 will be reviewed on a case-by-case basis.

Additions to Unverified List (“UVL”) and Changes to Entity List Designation Criteria (15 C.F.R. § 744.11(b))

The new final rule adds specific criteria for designation to the more restrictive Entity List:

an entity precludes access to, refuses to provide, or provides false or misleading information related to the parties to the export transaction or the underlying item; or
where there is a sustained lack of cooperation by the entity’s host government to facilitate end-use checks of entities on the UVL.

In a related statement of a new policy in line with these changes in the final rule, BIS laid out a two-step process whereby companies that do not complete requested end-use checks within 60 days will be added to the UVL, and if those companies are added to the UVL due to the host country’s interreference, after a subsequent 60 days of the end-use check not being completed, the company on the UVL will be transferred to the Entity List.

The new policy states that for all companies currently on the UVL as of the date of the policy (October 7, 2022), including the 31 new China company additions, the 60-day “escalation” clock begins immediately.

________________________

[1] As a reminder, under current U.S. export controls, China also includes the Hong Kong Special Administrative region after the United States revoked Hong Kong’s special status under U.S. law in 2020.

The following Gibson Dunn lawyers prepared this client alert: Christopher Timura, Chris Mullen, Judith Alison Lee, David A. Wolber, Adam M. Smith, and Stephenie Gosnell Handler.

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

London associate Rose Naing is the author of “Provisional Measures in Investment Treaty Arbitration: Protecting the Playing Field” [PDF] published by Corporate Disputes Magazine in its October-December 2022 issue.

Today the U.S. Department of Labor issued a proposed rule regarding who is an “independent contractor” under the Fair Labor Standards Act (the “FLSA” or “Act”), and thus not subject to the minimum wage and overtime requirements the Act applies to “employees.” The proposal defines independent contractor more narrowly than the 2021 Trump Administration rule it is intended to replace. Interested parties will have 45 days from the proposal’s expected October 13 Federal Register publication to submit comments.

The proposal would codify a six-factor, totality-of-the-circumstances test for who qualifies as an independent contractor, similar in some respects to the approach the Department often used before the 2021 rule. Under DOL’s proposal, independent contractor status would be determined by looking to the following factors: the worker’s opportunity for profit or loss; the worker’s investments; the permanency of the relationship; the degree of control by the employer over the worker; whether the work is an integral part of the employer’s business; and the skill and initiative required to do the work. The proposed test would not assign special weight to any of the six factors, and instead consider them “in view of the economic reality of the whole activity” in which the worker in question is engaged.

Apart from jettisoning the framework of the 2021 rule—which relied on five factors, not six, and gave particular weight to “control” and the “opportunity for profit or loss”—the new proposal would make important adjustments to how the six traditional factors are applied. For example, DOL proposes considering the worker’s investments on a relative basis with the employer’s investments. The proposed rule states, “If the worker’s investment does not compare favorably to the employer’s investment, then that fact suggests that the worker is economically dependent and an employee of the employer.” Likewise, the proposal would reformulate the factor concerning whether a worker’s activities are part of an “integrated unit of production” into an assessment of whether the activity is important or “central” to a business’s operations. The proposal would also treat control measures implemented by a company to comply with “legal obligations, safety or health standards, or requirements to meet contractual or quality control obligations” as indicative of employee status.

The proposed rule does not adopt either the common-law test or the “ABC test” for determining independent contractor status. DOL stated that it “continues to believe that legal limitations prevent the Department from adopting either of those alternatives.”

If finalized, these changes could reduce the number of workers who can be treated as independent contractors.

In its proposal, DOL acknowledges that the proposed rule is an “interpretive” rule, meaning that if finalized it would be entitled only to “Skidmore deference” from the courts, rather than the more robust “Chevron deference” that sometimes is given to binding substantive rules.

The terms of the Department’s final rule will depend on its response to comments submitted by interested parties during the notice-and-comment period, including legal objections raised to the Department’s proposed six-part test, and commenters’ description and substantiation of any significant adverse consequences expected under the proposed approach. Until a final rule is issued—possibly in mid-to-late 2023—the Department’s 2021 rule will remain in place. Legal challenges are possible once a final rule is adopted.

The following Gibson Dunn attorneys assisted in preparing this client update: Gene Scalia, Michael Holecek, and Blake Lanning.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment or Administrative Law and Regulatory practice groups, or the following authors or practice leaders:

Eugene Scalia – Co-Chair, Administrative Law and Regulatory Group, Washington, D.C. (+1 202-955-8210, [email protected])

Michael Holecek – Los Angeles (+1 213-229-7018, [email protected])

Blake Lanning – Washington, D.C. (+1 202-887-3794, [email protected])

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C.
(+1 202-955-8242, [email protected])

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles
(+1 213-229-7107, [email protected])

Helgi C. Walker – Co-Chair, Administrative Law and Regulatory Group, Washington, D.C. (+1 202-887-3599, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On September 27, 2022, Governor Newsom signed California’s new pay transparency and pay scale disclosure law. This Alert summarizes the new requirements and enforcement mechanisms, including how they depart from California’s previous pay transparency laws, as well as their impact on employers’ pay reporting and disclosure obligations.

The new requirements are set to become effective January 1, 2023, with the first pay data reports due to the California Civil Rights Department (the “Department,” formerly the Department of Fair Employment and Housing) in May 2023.

Pay Scale Disclosures in Job Postings to Employees and Applicants

The law expands California’s existing salary history law to impose new pay scale disclosure requirements on covered employers.

Under the existing law, California employers were required to provide the pay scale, meaning the salary or hourly wage range, only upon request by an applicant who completed an initial interview. The new law maintains that applicant disclosure requirement and adds that, upon a current employee’s request, covered employers will be required to provide the pay scale the employer reasonably expects to pay for such employee’s currently-held position.

California employers with 15 or more employees will also be required to include a position’s pay scale, meaning the salary or hourly rate an employer reasonably expects for the position, in any job posting, whether the employer itself posts the job or engages a third party to manage job postings.

The new law also imposes recordkeeping requirements on all employers, regardless of size, in that employers must maintain job title and salary history for all employees during their employment and for three years thereafter.

New Enforcement Mechanisms, Including Private Right of Action and Civil Penalties

The California Labor Commissioner is authorized to order civil penalties ranging from $100 to $10,000 for violations of the pay scale disclosure requirements. The Labor Commissioner will determine the penalty based on the totality of the circumstances, including prior violations.

Fortunately, the law provides that the Labor Commissioner will not assess a penalty for the first violation of the job posting requirements so long as the employer demonstrates that all job postings are updated to include the required disclosures.

Employers must also make available job title and salary history records for inspection upon request by the Labor Commissioner, with violations being subject to the same civil penalties as the pay data disclosure provisions, ranging from $100 to $10,000.

Finally, the Legislature created a private right of action for violations of the pay scale transparency law within a year of learning of such violations, giving aggrieved parties the right to seek injunctive and “any other appropriate relief.” Perhaps most significantly, the law creates a rebuttable presumption in favor of an employee’s claim should an employer fail to maintain the records of each employee’s job titles and pay rate history for the specified timeframe.

More Employers Covered, and Additional Data Required

The new law also dramatically expands the scope of potential employers covered as well as their pay data reporting obligations.

Covered Employers

Previously, only private employers with 100 or more employees were required to submit pay data reports to the Department if they were already required to file an annual EEO-1 Employer Information Report. Employers were also permitted to submit their annual EEO-1 report to satisfy the state’s pay data reporting obligations.

Now, all private employers with 100 or more employees will be required to submit pay data reports, without regard to federal EEO-1 reporting status. And employers are no longer permitted to submit an EEO-1 in lieu of a pay data report.

Although the Department has not yet published guidance interpreting the new law, the Department’s guidance on the existing law provides that employers are covered by these requirements if they have 100 or more total employees with at least one employee in California. Existing guidance also directs employers to include remote employees in the pay data reports if the employees are assigned to a California establishment, regardless whether they reside in California, or the employees reside in California but are assigned to an establishment in another state.

In addition, under the new law, employers with multiple establishments must continue to submit a separate report for each establishment. Employers will no longer be required to submit a consolidated report that includes all employees across establishments as the existing law required.

Data Required

Similar to requirements under existing law, employers’ pay data reports are to be based on a “snapshot” of W-2 earnings during a single pay period from October through December of the previous calendar year.

The pay data report must break out the number of employees by race, ethnicity, and sex in a series of job categories, and must report the number of employees by race, ethnicity, and sex whose earnings fall within each of the pay bands prescribed in the Bureau of Labor Statistics’ Occupational Employment Statistics survey. Significantly, there is a new requirement that employers identify the median and mean hourly pay rate for each combination of race, ethnicity and sex (inter-sectionally) for each job category.

Contract Workers

In a further departure from existing requirements, private employers with over 100 employees hired through labor contractors in the prior year will also be required to submit a separate pay data report covering contract workers. The new law broadly defines “labor contractors” to include both individuals and entities “that supply workers, either with or without a contract,” “to perform labor within the client employer’s usual course of business.”

Although the new law requires each labor contractor to provide employers with the necessary pay data to complete the reports, covered employers are ultimately responsible for the reports and must disclose the ownership names of any labor contractors who supplied workers in the previous year.

New Civil Penalties

Starting next year, employers who fail to submit the required annual reports may face fines of up to $100 per employee for initial violations, and up to $200 per employee for subsequent violations, in addition to potentially being responsible for the Department’s costs associated with obtaining a court order to ensure compliance.

Key Takeaways

Covered employers should take steps to comply with the new requirements, including to disclose pay scales in job postings, as well as to maintain job title and pay rate history records, in advance of the January 1, 2023 effective date. Covered employers should be mindful of the fact that obtaining the required information from labor contractors may prove time consuming so employers should plan in advance of the May reporting deadline. In addition, preparing the requisite pay data reports will also require careful consideration and preparation to comply with the Department’s guidance. Employers located in multiple states should also be mindful of other state salary transparency requirements such as those for Washington, Colorado, and New York City.

The following Gibson Dunn attorneys assisted in preparing this client update: Amanda R. Sansone, Jason C. Schwartz, Katherine V.A. Smith, Danielle J. Moss, Harris M. Mufson and Tiffany Phan.

Tiffany Phan – Los Angeles (+1 213-229-7522, [email protected])

Harris M. Mufson – New York (+1 212-351-3805, [email protected])

Danielle J. Moss – New York (+1 212-351-6338, [email protected])

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C. (+1 202-955-8242, [email protected])

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles (+1 213-229-7107, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.