In a further step towards the regulation of virtual assets (including digital tokens, stablecoins, and other crypto assets, “VAs”) in Hong Kong, on 28 January 2022, the Securities and Futures Commission (“SFC”) and the Hong Kong Monetary Authority (“HKMA”, collectively the “Regulators”) published a joint circular (the “Joint Circular”) and appendix document (the “Appendix”) on intermediaries’ VA-related activities. “VA-related activities” covers:

Distribution of VA-related products;
Provision of VA-dealing services; and
Provision of VA-advisory services.

On the same day, the HKMA published a further circular (the “HKMA Circular”) to provide regulatory guidance to authorised institutions (“AIs”) when dealing with VAs and virtual asset service providers.

This client alert provides an overview of the key requirements set out in these two circulars and our views on the regulatory direction of travel in Hong Kong.

I. Scope of the Joint Circular and the HKMA Circular

The Joint Circular refers to “intermediaries”, which covers corporations licensed by the SFC to carry on regulated activities and AIs registered with the SFC. The HKMA Circular only applies to AIs. Therefore companies engaged in VA-related activities that are neither intermediaries nor AIs (i.e. “Unregulated VASPs”) are not directly subject to the requirements and guidance set out in these circulars.

However, these two circulars will significantly affect intermediaries and AIs’ ability to deal with Unregulated VASPs, including for their customers. For example, pursuant to the regulatory guidance in the HKMA Circular, AIs may implement systems and controls that could potentially restrict their customers from engaging in certain VA-related activities through their Hong Kong bank accounts. Furthermore, such Unregulated VASPs must ensure that their business activities do not require license, registration and/or authorisation, or else they could be found to be in breach of the Securities and Futures Ordinance (Cap. 571) (“SFO”) and other laws, and be subject to enforcement action by the Regulators.

II. Distribution of VA-related products

“VA-related products” refers to investment products which:

Have a principal investment objective or strategy to invest in VAs;
Derive their value principally from the value and characteristics of VAs; or
Track or replicate the investment results or returns which closely match or correspond to VAs.

According to the Joint Circular, VA-related products are very likely to be considered “complex products” because, in the Regulators’ view, the risks of investing in VAs are not reasonably likely to be understood by a retail investor.

As such, the SFC’s investor protection measures for the sale of complex products apply when intermediaries distribute VA-related products. This means that intermediaries must ensure the suitability of transactions in VA-related products, even where there has been no solicitation or recommendation (i.e. execution-only transactions). The regulators also considered it necessary to set out additional investor protection measures for the distribution of VA-related products.

In summary, intermediaries distributing VA-related products must observe the following existing and new requirements:

Suitability: intermediaries must comply with the suitability obligations, taking into consideration the SFC’s guidance in the Suitability FAQ.[1] There are many aspects to the suitability obligations, including requiring intermediaries to ‘know their clients’ (e.g. have knowledge of clients’ financial situation, investment experience, knowledge of investment products, purposes of investment, etc.) and to understand the investment product (i.e. by undertaking product due diligence). In respect of product due diligence, the Joint Circular prescribes additional due diligence requirements for unauthorised VA funds (i.e. VA funds not authorised by the SFC).[2]
Professional investors only: VA-related products regarded as complex products should only be offered by intermediaries to professional investors.
VA-knowledge test: except for institutional professional investors and qualified corporate professional investors,[3] intermediaries must assess whether their clients have sufficient knowledge of investing in VAs or VA-related products (with reference to the criteria prescribed by the SFC[4]) before effecting transactions in such products on clients behalf. If a client does not possess the required knowledge, an intermediary may only proceed if, by doing so, it is acting in the client’s best interests and the intermediary has provided training to the client on the nature and risks of VAs. Intermediaries must also ensure that their clients have sufficient net worth to be able to assume the risks and to bear the potential losses of trading VA-related products.
VA-related derivative products: before intermediaries offer VA-related derivative products to their clients, they must assess their clients’ knowledge of derivatives (including the nature and risks of derivatives), and assure themselves that their clients have sufficient net worth to assume the risks and to bear the potential losses of trading VA-related derivative products.[5] Intermediaries are also required to provide the client a warning statement specific to VA futures contracts (as prescribed by the SFC in Appendix 5), where applicable.
Financial accommodation: intermediaries should be cautious in providing financial accommodation to clients for investing in VA-related products, and should only do so in circumstances where they have assured themselves that their clients have the financial capacity to meet potential obligations arising from leveraged or margined positions.
Provision of information and warning statements: intermediaries should ensure that information on VA-related products is provided in a clear and easily comprehensible manner to clients, and intermediaries should also provide VA warning statements to clients.

Note that, while not expressly stated in the Joint Circular, some of the requirements above (e.g. suitability) should not be applicable when intermediaries deal with institutional professional investors and qualified corporate professional investors, which aligns with the regulatory expectations for traditional securities products.

While the Joint Circular prescribes limited exemptions to the above requirements for VA-related derivative products traded on regulated exchanges specified by the SFC,[6] and to exchange-traded VA derivative funds authorised or approved for offering to retail investors by a regulator in a designated jurisdiction specified by the SFC.[7] However, at this time, this exemption will apply to a very small number of VA-related products because many VA-related derivative products are currently traded on unregulated VA trading platforms.

Finally, although not a new requirement, the Joint Circular reminds intermediaries to observe the provisions in Part IV of the SFO which prohibits the offering to the Hong Kong public of investments which have not been authorised by the SFC. Intermediaries are also reminded to strictly adhere to the Hong Kong selling restrictions applicable to VA-related products.

III. Provision of VA-dealing services

According to the Joint Circular, the Regulators’ are concerned that the majority of VA trading platforms are either unregulated, or are regulated only for anti-money laundering and counter-financing of terrorism (“AML/CFT”) purposes. Therefore, these VA trading platforms may not be subject to regulatory standards comparable to the SFC’s own regulatory framework for VA trading platforms.[8] As such, the Regulators will require licensed intermediaries that provide VA-dealing services to comply with the following requirements:

SFC-licensed platforms only: intermediaries can only partner with SFC-licensed VA trading platforms to provide VA-dealing services, whether by way of introducing clients to the platform for direct trading or establishing an omnibus account with the platform. Currently, this would cover trading platforms licensed by the SFC under the voluntary opt-in regime for virtual asset trading platforms. In future, this should also expand to cover trading platforms licensed by the SFC under the future virtual asset services providers (“VASP”) regulatory regime.
Professional investors only: intermediaries can only provide VA-dealing services to professional investors.
Compliance with regulatory requirements for securities: although many VA may not be regarded as “securities” under the SFO, and therefore fall outside the SFC’s jurisdiction, intermediaries are expected to comply with the regulatory requirements for dealing in securities, irrespective of whether or not the VAs are securities.
Type 1 licence or registration: the Regulators are only prepared to allow intermediaries licensed or registered for Type 1 regulated activity to provide VA-dealing services (and such services can only be provided to intermediaries’ existing clients to whom they currently provide Type 1 dealing services).
Terms and conditions: intermediaries providing VA-dealing services will be required to comply with the SFC’s licensing or registration conditions set out in Appendix 6 to the Joint Circular. Intermediaries providing VA-dealing services under an omnibus account arrangement will also be subject to the prescribed terms and conditions as set out in Appendix 6 to the Joint Circular (the “VA T&Cs”). One of the many conditions set out in the VA T&Cs is that intermediaries providing VA-dealing services under an omnibus account arrangements should only permit their clients to deposit or withdraw fiat currencies (and not VAs) from their accounts.
Discretionary account management services: for intermediaries providing VA discretionary account management services, where the investment objective is to invest 10% or more of gross asset value of a portfolio in VAs, the intermediaries will be required to comply with the requirements set out in the Proforma Terms and Conditions for Licensed Corporation which Management Portfolios that Invest in Virtual Assets published by the SFC in October 2019.[9] [10]

IV. Provision of VA-advisory services

According to the Joint Circular, the regulatory requirements for providing VA-advisory services can be summarised as follows:

Compliance with regulatory requirements for securities: similar to the requirements for VA-dealing services, intermediaries are expected to comply with the regulatory requirements for advising on securities, irrespective of whether or not the VAs are securities.
Type 1 or Type 4 licence or registration: the Regulators are only prepared to allow intermediaries licensed or registered for Type 1 or Type 4 regulated activity to provide VA-advisory services (and such services can only be provided to intermediaries’ existing clients to whom they provide services in Type 1 or Type 4 regulated activity).
SFC’s VA T&Cs: intermediaries providing VA-advisory services will need to comply with the requirements prescribed in the VA T&Cs, including the requirement to comply with the suitability obligations.
VA-knowledge test: intermediaries providing VA-advisory services are subject to the same VA-knowledge test requirements as intermediaries which distribute VA-related products (see above).
Professional investors only: intermediaries can only provide VA-advisory services to professional investors.
Advisory services in VA-related products: intermediaries providing advisory services in VA-related products are required to observe the same requirements applicable to the distribution of VA-related products (see above), including that intermediaries must ensure the suitability of their recommendations.

V. Implementation of requirements in the Joint Circular

For intermediaries that already engage in VA-related activities, there will be a six-month transition period for intermediaries serving existing clients of its VA-related activities to revise their systems and controls to align with the updated requirements in the Joint Circular.

For intermediaries that do not currently engage in VA-related activities, they should ensure that they comply with the requirements in the Joint Circular before providing such services.

Intermediaries are required to notify the SFC (and the HKMA, where applicable) before they engage in VA-related activities.

VI. HKMA Circular

The HKMA Circular provides regulatory guidance for AIs when dealing with VAs and VASPs. The guidance can be summarised as follows:

AIs are expected to keep abreast of ongoing international developments, including those of international forums and standard-setting bodies such as the Financial Stability Board (FSB), the Basel Committee on Banking Supervision (BCBS), the International Organisation of Securities Commissions (IOSCO), etc.
In addition to Hong Kong laws and regulations, AIs should ensure that their VA activities do not breach applicable laws and regulations in other jurisdictions, and should seek legal advice from competent advisers in relevant jurisdictions outside of Hong Kong as necessary.
AIs should undertake risk assessments to identify and understand the risks before engaging in VA activities, and should take appropriate measures to manage and mitigate the identified risks, taking into account legal and regulatory requirements. The three risk areas which are in focus are: (a) prudential supervision; (b) AML/CFT and financial crime risk; and (c) investor protection. In particular, the HKMA Circular provides guidance on the regulatory expectations on AIs to establish and implement effective AML/CFT policies, procedures and controls to manage and mitigate money-laundering and terrorist-financing risks that may arise from: (i) customers engaging in VA-related activities through their bank accounts; and (ii) AIs establishing and maintaining business relationships with VASPs. Further guidance is provided in the HKMA Circular.
AIs intending to engage in VA activities should discuss with the HKMA and obtain the HKMA’s feedback on the adequacy of the institution’s risk-management controls before launching VA products or services.

VII. Conclusion

The Joint Circular and the HKMA Circular reflect the SFC’s and the HKMA’s ongoing efforts to regulate the VA sector, particularly from the perspective of investor protection, mitigating AML/CFT risk, and addressing prudential risk in the case of AIs. This is reflected in both existing requirements (e.g. suitability obligations) and new requirements (e.g. VA-knowledge test). For intermediaries already providing or planning to provide VA-related services, there will likely need to be considerable changes to policies and procedures, and systems and controls, to ensure compliance with the latest regulatory requirements and guidance.

While the Joint Circular and the HKMA Circular are not directly applicable to Unregulated VASPs, it can be anticipated that these two circulars will have a commercial impact on these companies, as intermediaries and AIs are likely to implement systems and controls that limit their dealings with such companies (including on behalf of the customers of intermediaries and AIs). In the medium to long-term, these companies which operate VA trading platforms in or from Hong Kong, or provide services marketed to the Hong Kong public, will likely need to be licensed by the SFC under the virtual asset services providers regime and/or under a future regulatory regime to be supervised by the HKMA.

For further information on the future regulatory regimes, please refer to our earlier client alerts:

Licensing Regime for Virtual Asset Services Providers in Hong Kong (June 7, 2021); and
Another Step Towards the Regulation of Cryptocurrency in Hong Kong: HKMA Releases Discussion Paper on Stablecoins (January 18, 2022).

_________________________

[1] SFC’s FAQ on Compliance with Suitability Obligations by Licensed or Registered Persons (last updated 23 December 2020) (the “Suitability FAQ”).

[2] See Appendix 4 to the Joint Circular.

[3] “Institutional professional investors” is defined under paragraph 15.2 of the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct) as persons falling under paragraphs (a) to (i) of the definition of “professional investor” in section 1 of Part 1 of Schedule 1 to the SFO. “Qualified corporate professional investors” refers to corporate professional investors which have passed the assessment requirements under paragraph 15.3A and gone through the procedures under paragraph 15.3B of the Code of Conduct.

[4] See Appendix 1 to the Joint Circular.

[5] These are existing requirements under paragraphs 5.1A and 5.3 of the Code of Conduct.

[6] This refers to the list of specified exchanges set out in Schedule 3 to the Securities and Futures (Financial Resources) Rules (Cap. 571N).

[7] The list of designated jurisdictions is set out in Appendix 2 to the Joint Circular.

[8] This refers to the voluntary opt-in regime set out in the SFC’s Position Paper on Regulation of Virtual Asset Trading Platforms (6 November 2019).

[9] Proforma Terms and Conditions for Licensed Corporation which Management Portfolios that Invest in Virtual Assets (4 October 2019).

[10] For completeness, according to the Joint Circular, for intermediaries licensed or registered for Type 1 regulated activity that are authorised by its clients to provide VA-dealing services on a discretionary basis as an ancillary service, these intermediaries should only invest less than 10% of gross asset value of its clients’ portfolio in VA.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Crypto Taskforce ([email protected]) or the Global Financial Regulatory team, including the following authors in Hong Kong:

William R. Hallatt (+852 2214 3836, [email protected])
Grace Chong (+65 6507 3608, [email protected])
Emily Rumble (+852 2214 3839, [email protected])
Arnold Pun (+852 2214 3838, [email protected])
Becky Chung (+852 2214 3837, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Click for PDF

Since 6 March 2018, the EU institutions have been sending EU investors a clear message regarding the protection of their investments within the EU under so-called ‘intra-EU’ bilateral investment treaties (BITs), as well as now the Energy Charter Treaty (the ECT).

As we have reported here, the Court of Justice of the European Union (the CJEU) concluded in Achmea B.V. (formerly known as Eureko B.V.) v Slovakia that EU investors could not have recourse to arbitration under a BIT between two EU Member States. The CJEU held that arbitration under intra-EU BITs was contrary to EU law. Following Achmea, and a call from the European Commission (the Commission), twenty-three EU Member States signed an agreement purporting to terminate approximately 130 intra-EU BITs on 5 May 2020 (the Termination Agreement), as we reported here. The door remained open as to whether the ruling in Achmea would be extended to the ECT.

On 2 September 2021 came the CJEU’s decision in Republic of Moldova v Komstroy (reported on here). Adopting the policy views expressed by the Commission, and broadening the scope of its findings in Achmea, the CJEU determined that intra-EU arbitration (i.e., between an EU investor and an EU Member State) under the ECT is also incompatible with EU law.

On 26 October 2021, the CJEU went even further in its decision in Republic of Poland v PL Holdings S.à.r.l.[1] (PL Holdings). The CJEU ruled that EU Member States are precluded from entering into ad hoc arbitration agreements with EU-based investors, where such agreements would replicate the content of an arbitration agreement in a BIT between EU Member States.

Finally, and most recently, on 25 January 2022, the CJEU overturned a decision by the General Court in Micula v Romania[2] (Micula) that had quashed a Commission State aid ruling from 2015 declaring payment of compensation to claimants as per their ICSID award unlawful State aid and ordering recovery of amounts paid to them. Contrary to the General Court’s decision, in CJEU’s view, EU State aid rules can be triggered at the time of payment of an arbitral award even though all the State measures that the ICSID award compensated the claimants for were taken before Romania’s accession to the EU. The CJEU also held (inter alia) that any consent that may have been given by an EU Member State to arbitration pre-accession lacks any force, to the effect that the system of judicial remedies provided for by the EU and the Treaty on the Functioning of the EU (the TFEU) replace the arbitration procedures upon accession to the EU.

These last two developments in the intra-EU arbitration saga, which we address further below, raise yet further alarm bells for EU investors who may have contemplated relying on existing intra-EU BITs as a means of protecting their investments within the EU, or are looking to enforce intra-EU arbitral awards that pre-date Achmea. That is: despite the unanimous stance of over 50 investment arbitration tribunals so far[3] which consider Achmea not to be a bar to their jurisdiction under international law to hear treaty claims and award compensation for investors’ injuries, the European Courts and the Commission are actively taking steps to weaken that protection, at least as a matter of EU law. Hence, investors need to think carefully about how to structure (or restructure) their investments to maximise treaty protection and ensure successful enforcement of any favourable arbitral awards with an EU connection.

PL Holdings: An intra-EU arbitration agreement found in a BIT and replicated as an ad hoc agreement between the investor and a Member State is invalid under EU law

Background

PL Holdings (a Luxembourg entity) brought arbitration proceedings against Poland under the BIT between the Belgium-Luxembourg Economic Union (BLEU) and Poland after a Polish regulator ordered the compulsory sale of its interests in a Polish bank. The seat of the arbitration was Stockholm, and the case was administered by the Stockholm Chamber of Commerce. The tribunal concluded in 2017 that Poland had expropriated PL Holdings’ investment and ordered damages.

In September 2017, Poland brought set-aside proceedings before the Swedish courts, arguing that the arbitration clause in the Poland-BLEU BIT was incompatible with EU law post-Achmea.

In 2019, the Swedish Court of Appeal accepted that, in light of Achmea, the arbitration agreement in the BIT was indeed invalid. However, the court held that this invalidity did not prevent an EU Member State and an EU investor from concluding an ad hoc arbitration agreement at a later date to resolve the same dispute. The court relied on the awkward distinction made in Achmea (and also Komstroy) between commercial arbitration and investment treaty arbitration, which we reported on before—namely, that commercial arbitration “originate[s] in the freely expressed wishes of the parties [concerned]” (in contrast to investment arbitrations, which do not).[4] In the court’s view, Poland tacitly accepted PL Holding’s offer to arbitrate by failing to raise an objection based on Achmea earlier on in the proceedings, thus creating an ad hoc arbitration agreement between Poland and PL Holdings under Swedish law, as the law of the seat. This was said to be derived from the parties’ common intention to resolve the dispute in the same manner as a commercial arbitration agreement.

Poland appealed to the Swedish Supreme Court, which resulted in a preliminary ruling from the CJEU on the following question: whether Articles 267 and 344 of the TFEU as interpreted in Achmea mean that an intra-EU arbitration agreement (concluded between two Member States) is invalid even if a Member State (by free will) refrains from raising objections to jurisdiction after arbitration proceedings were commenced by the investor.

The CJEU’s ruling

The CJEU ruled that it is: “[a]ny attempt by a Member State to remedy the invalidity of an arbitration clause by means of a contract with an investor from another Member State would run counter to the first Member State’s obligation to challenge the validity of the arbitration clause”.[5] In those circumstances, the Court added, it was for the national court to uphold an application seeking to set aside an arbitration award made on the basis of an arbitration agreement infringing Articles 267 and 344 TFEU and the principles of mutual trust, sincere cooperation and autonomy of EU law.[6]

Like in Achmea, the CJEU underscored that an agreement to remove from the jurisdiction of their own courts disputes which may concern the application or interpretation of EU law may prevent those disputes from being resolved in a manner that guarantees the full effectiveness of EU law.[7] In the CJEU’s view, any ad hoc arbitration agreement, on the same terms as the investment treaty, would have the same effect, meaning that the legal approach envisaged by PL Holdings could be adopted in a multitude of disputes which may concern the application and interpretation of EU law; “thus allowing the autonomy of that law to be undermined repeatedly”.[8]

The CJEU also said, it follows from Achmea, the principles of the primacy of EU law and of sincere cooperation, that EU Member States not only may not undertake to remove disputes from the EU judicial system, but also that, where there is a PL Holdings-type situation, they are required to challenge, before the competent arbitration body or the court, the validity of the arbitration clause or the ad hoc arbitration agreement. This is further confirmed in Article 7(b) of the Termination Agreement which states that Contracting Parties “shall”—where they are party to judicial proceedings concerned an arbitral award issued on the basis of a BIT—”ask the competent national court, including in any third country, as the case may be, to set the arbitral award aside, annul it or to refrain from recognising and enforcing it”.[9] According to the CJEU, that rule is also applicable mutatis mutandis in a PL Holdings-type scenario.[10] In effect, therefore, this requirement to challenge jurisdiction represents a deemed challenge that will be interpreted as having effect at any further stage of the arbitral process, including enforcement of any ultimate award.

The latest development in Micula: a further delay to enforcement by reviving the Commission’s State aid decision; and Achmea is relevant for assessing the case

Background

The Micula saga has now been running for over fifteen years. The ICSID arbitration proceedings commenced in 2005, prior to Romania’s accession to the EU, whereby the Micula brothers argued (and the ICSID tribunal agreed) that Romania had impaired the Micula brothers’ investments by repealing certain economic incentives with a view to eliminate measures that could constitute State aid shortly before its accession to the EU. In 2013, the same ICSID tribunal ordered Romania to pay EUR 178 million in compensation.

Romania partially paid the ICSID award. In 2015, however, the Commission ruled that such payment constituted unlawful State aid, precluding Romania from making further payments and ordering recovery of amounts already paid. In short, it is the Commission’s view that payment of the award would re-establish the situation in which the Micula brothers would have found themselves had the relevant incentives not been repealed by Romania, and that this constituted operating State aid.

In June 2019,[11] post-Achmea, the General Court quashed the Commission’s ruling on the basis that all events relating to the incentive took place before Romania’s accession to the EU in 2007, and the right to receive compensation arose at the time Romania repealed the incentives in 2005 and the ICSID award was intended to compensate the revocation of the incentive retroactively. The right to receive compensation arose, therefore, when Romania repealed the incentive. As EU State aid rules were not applicable in Romania pre-accession, the Commission could not exercise powers conferred to it under those rules.[12] Moreover, the Court found that payment of the compensation after accession is irrelevant in that context, because those payments made in 2014 represent the enforcement of a right which arose in 2005.[13]

In that respect, the General Court could avoid discussing the relationship between EU law and intra-EU investment arbitration, given that “in the present case, the arbitral tribunal was not bound to apply EU law to events occurring prior to the accession before it, unlike the situation in the case which gave rise to the judgment [in Achmea]”.[14]

Undeterred, the Commission then filed an appeal before the CJEU in August 2019. Not altogether surprisingly, Spain—the respondent State in over 50 ECT cases involving the removal of renewables incentives—filed a cross-appeal supported by the Commission (the Cross-Appeal). Spain (and the Commission) claimed that the award breached the EU principle of mutual trust and autonomy of EU law as interpreted in Achmea. In parallel, the Micula brothers sought to enforce the ICSID award following the General Court’s decision, including before the courts of England and Wales, as previously reported on here.

The opinion of Advocate General Szpunar and the decision of the CJEU

Notably, in July 2021, Advocate General (AG) Szpunar to the CJEU opined that the Cross-Appeal must be dismissed on the basis that Achmea could not be applied in arbitration proceedings initiated pursuant to Sweden-Romania BIT concluded before Romania’s accession to the EU, and when those proceedings were still pending at the time of that accession.[15] Yet, when it came to analysing the Commission’s competence regarding the application of EU State aid rules, the AG suggested that the alleged aid should be deemed granted at a time when Romania was required to pay that compensation, i.e. after the issuance of the arbitral award, at the time of its implementation by Romania.[16] As the time of award payment post-dated Romania’s accession to the EU, EU law was indeed applicable to that measure and the Commission was competent to make the ruling it did.

The dispute then reached the CJEU:

As to the question of when the alleged aid measure should be deemed granted, the Court agreed with AG Szpunar and held that EU State aid rules were applicable to the compensation paid by Romania and therefore upheld the competence of the Commission.
As to the relevance of Achmea, because the CJEU had already concluded to overturn the General Court’s decision as per the first question, the CJEU thought it was not necessary for it to rule on the Cross-Appeal.[17] The CJEU did state, however, that the General Court had erred in considering that Achmea was irrelevant.[18] Indeed, since the compensation sought by the Micula brothers did not relate exclusively to the damage allegedly suffered before Romania’s accession in 2007 (as the relevant period for such damage extended until 2009), the arbitral proceedings could not be considered as completely confined to the pre-accession period. As such, “with effect from Romania’s accession to the European Union, the system of judicial remedies provided for by the EU and FEU Treaties replaced that arbitration procedure, the consent given to that effect by Romania, from that time onwards, lacked any force”.[19]

The case will now be remanded to the General Court which will determine: (i) whether the Commission was right to consider that the compensation granted by the ICSID award did constitute incompatible State aid; and (ii) the relevance of Achmea. In that respect, whilst this decision is highly fact specific, it does signal further issues for any EU investor looking to enforce intra-EU arbitral awards within the EU where the Commission may invoke Achmea arguments in the State aid context. In fact, even if an EU investor tries to enforce a favourable award outside the EU, there is now a risk that the Commission may require the Member State to recover amounts paid which it concludes constitute incompatible State aid.

In that vein for example, the Commission recently announced its investigation into the arbitral award in Infrastructure Services v Spain in July 2021,[20] which it considers, on a preliminary view, constitutes State aid.[21]

What options do investors with investments in the EU have in light of these developments?

The decisions in PL Holdings and Micula have slightly different ramifications for EU investors, even though both underscore that the CJEU is not going to step away from its original stance in Achmea. Although investment treaty tribunals that have ruled on the impact of Achmea on investor-State arbitration so far remain unanimously adamant that Member State consent to arbitration in intra-EU investment treaties is valid under international law,[22] both cases demonstrate the hostile position that the EU has taken towards investor protection. Hence, EU-based investors should consider structuring (or restructuring, depending on whether there is a dispute already on the horizon) their investments via non-EU Member State entities (such as through the UK post-Brexit) in order to secure the benefit of investment treaties.

Further, in the event a dispute does arise in an intra-EU context, investors may consider opting for arbitration procedures which would allow a non-EU Member State to be designated as the seat of the arbitration, thus limiting the scope for the potential application of EU law.

From an enforcement perspective, investors with existing or planned EU-investments should also consider whether the EU Member State that hosts the investment has assets in non-EU Member States whose courts reliably enforce arbitral awards and would not necessarily consider themselves bound by CJEU rulings and Commission’s jurisdiction.

As regards PL Holdings specifically, the decision has other practical implications which require careful consideration by investors depending on their circumstances. For example:

National courts of EU Member States will now be expected to interpret their national legislation so that no Achmea-style arbitration clause is upheld to be valid. In other words, the CJEU and national courts may (in effect) overrule basic principles of domestic arbitration law regarding what a binding arbitration agreement looks like.

On its face, the reasoning in PL Holdings could, theoretically, be extended to commercial contracts with States or State Owned Enterprises whereby the arbitration clause effectively replicates the provisions in an investment treaty. However, the judgment does not appear aimed at, for example, concession agreements or other types investor-State direct contractual arrangements. If, say, a PL Holdings-based challenge were to arise in the context of a private commercial agreement between an EU Member State and an EU investor, and a preliminary reference was made to CJEU, it is likely that the Court would be inclined not to extend the reach of Achmea to commercial arbitration agreements, following the artificial distinction it drew between commercial and investment arbitration agreements in Achmea and Komstroy.

_________________________

[1] See Judgment of the Court (Grand Chamber), Case C‑109/20, Republiken Polen (Republic of Poland) v PL Holdings S.à.r.l., ECLI:EU:C:2021:875, 26 October 2021, available here.

[2] See Judgment of the Court (Grand Chamber), Case C‑638/19 P, Viorel Micula and others v Romania, ECLI:EU:C:2022:50, 25 January 2022, available here.

[3] As of the time of publication, we are aware of at least 76 investment treaty tribunals that have considered the intra-EU objection and all have unanimously rejected it (whether under intra-EU BITs or the ECT). At least 50 of these 76 tribunals have rejected the intra-EU objection specifically founded on the basis of CJEU’s Achmea decision.

[4] Judgment of the Court (Grand Chamber), Case C‑284/16, Slowakische Republik (Slovak Republic) v Achmea BV, ECLI:EU:C:2018:158, 6 March 2018, ¶ 55 ; see further our client alerts on Achmea (available here) and Komstroy (available here).

[5] Judgment of the Court (Grand Chamber), Case C‑109/20, Republiken Polen (Republic of Poland) v PL Holdings S.à.r.l., ECLI:EU:C:2021:875, 26 October 2021, ¶ 54.

[6] Id., see ¶ 55.

[7] Id., see ¶¶ 44-47.

[8] Id., ¶ 49.

[9] See Agreement for the termination of Bilateral Investment Treaties between the Member States of the European Union, 5 May 2020, Article 7(b).

[10] Judgment of the Court (Grand Chamber), Case C-109/20, Republiken Polen (Republic of Poland) v PL Holdings S.à.r.l., ECLI:EU:C:2021:875, 26 October 2021, see ¶ 53.

[11] See Judgment of the General Court (Second Chamber), Cases T-624/15, T-694/15 and T-704/15, Viorel Micula and others v European Commission, ECLI:EU:T:2019:423, 18 June 2019, available here.

[12] Id., ¶ 79.

[13] Id., ¶ 80.

[14] Id., ¶ 87.

[15] Opinion of Advocate General Szpunar, Case C‑638/19 P, European Commission v Viorel Micula and others, 1 July 2021, ¶ 107.

[16] There are, in other words, two ways that the Commission can assess the Award under the State aid rules: (i) either the Award is assessed by considering the underlying reason for the payment of the damages; or (ii) the Award is assessed in isolation, i.e., on a standalone basis as ad hoc aid.

[17] See Judgment of the Court (Grand Chamber), Case C‑638/19 P, Viorel Micula and others v Romania, ECLI:EU:C:2022:50, 25 January 2022, ¶ 148.

[18] Id., see ¶ 137.

[19] Id., ¶ 145 (emphasis added).

[20] See Infrastructure Services Luxembourg S.à.r.l. and Energia Termosolar B.V. (formerly Antin Infrastructure Services Luxembourg S.à.r.l. and Antin Energia Termosolar B.V.) v Kingdom of Spain, ICSID Case No. ARB/13/31.

[21] See European Commission Press Release, State aid: Commission opens in-depth investigation into arbitration award in favour of Antin to be paid by Spain, available here: https://ec.europa.eu/commission/presscorner/detail/en/IP_21_3783.

[22] See fn.3 above.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s International Arbitration, Judgment and Arbitral Award Enforcement or Transnational Litigation practice groups, the following practice leaders and members, or the authors:

Cyrus Benson – London (+44 (0) 20 7071 4239, [email protected])
Jeff Sullivan QC – London (+44 (0) 20 7071 4231, [email protected])
Rahim Moloo – New York (+1 212-351-2413, [email protected])
Ceyda Knoebel – London (+44 (0) 20 7071 4243, [email protected])
Stephanie Collins – London (+44 (0) 20 7071 4216, [email protected])

Please also feel free to contact the following practice leaders:

International Arbitration Group:
Cyrus Benson – London (+44 (0) 20 7071 4239, [email protected])
Penny Madden QC – London (+44 (0) 20 7071 4226, [email protected])

Judgment and Arbitral Award Enforcement Group:
Matthew D. McGill – Washington, D.C. (+1 202-887-3680, [email protected])
Robert L. Weigel – New York (+1 212-351-3845, [email protected])

Transnational Litigation Group:
Susy Bullock – London (+44 (0) 20 7071 4283, [email protected])
Perlette Michèle Jura – Los Angeles (+1 213-229-7121, [email protected])
Andrea E. Neuman – New York (+1 212-351-3883, [email protected])
William E. Thomson – Los Angeles (+1 213-229-7891, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Click for PDF

The Biden administration made its mark on U.S. sanctions and export controls in 2021—reviewing, revising, maintaining, augmenting, and in some cases revoking various trade restrictive measures created during the Trump era. China remained at the forefront of the U.S. national security dialogue as the administration sought to solidify measures to protect U.S. communications networks and sensitive personal data and blunt the development of China’s military capabilities after numerous earlier efforts by the Trump administration were blocked or limited by U.S. courts. China showed few signs of backing down in the face of U.S. pressure, instituting new restrictions that could potentially require multinational companies to choose between compliance with U.S. or Chinese law—creating a potential compliance minefield for global firms.

In October 2021, the U.S. Department of the Treasury published findings from its nine-month long review of the sanctions administered and enforced by the Office of Foreign Assets Control (“OFAC”), setting forth a policy framework to guide the imposition of new sanctions. The principles articulated in that review were apparent in major sanctions developments throughout the year—including new targeted sanctions on Myanmar, Belarus, and Ethiopia; the issuance of general licenses to facilitate the flow of humanitarian aid to Afghanistan after the Taliban takeover; termination of the sanctions with respect to the International Criminal Court; revocation of terrorist designations on the Revolutionary Armed Forces of Colombia (“FARC”) and the Yemen-based Houthis; and the first designation of a virtual currency exchange for its role in facilitating ransomware payments. Negotiations over the future of the Joint Comprehensive Plan of Action (“JCPOA”)—the 2015 Iran nuclear agreement abandoned by the Trump administration in 2018—continued, and the United States waived sanctions related to the Nord Stream 2 gas pipeline to appease European allies. In total, OFAC issued a total of 765 new designations and de-listed another 787 parties. By Treasury’s own estimate, there were roughly 9,421 sanctioned parties by late 2021—a 933 percent increase since 2000.

Source: U.S. Dep’t of Treasury, The Treasury 2021 Sanctions Review (Oct. 18, 2021)

OFAC sanctions developments tell only part of the story, as the United States continued to rely on export controls, foreign direct investment reviews, import restrictions, and restrictions with respect to the information and communications technology and services supply chain to accomplish foreign policy goals—often with a renewed emphasis on multilateral action. As in prior years, confronting the national security concerns associated with China remained a central focus of developments in U.S. export controls, especially those administered by the Department of Commerce’s Bureau of Industry and Security (“BIS”). In addition to confronting national security challenges, BIS took substantial steps to update the Export Administration Regulations, including addressing concerns associated with emerging and foundational technologies. As of this writing, the United States and its European allies were hammering out the details of an aggressive package of sanctions and export controls targeting Russia should the Kremlin follow through on threats to further invade Ukraine—presenting a key test of the Atlantic alliance and the ability of multilateral trade controls to deter a threatened use of force.

I. U.S. Trade Restrictions on China

A. Protecting Communications Networks and Sensitive Personal Data
B. Slowing the Advance of China’s Military Capabilities
C. Promoting Human Rights in Xinjiang
D. Promoting Human Rights in Hong Kong
E. Trade Imbalances and Tariffs

II. U.S. Sanctions

A. Treasury Department Sanctions Review
B. Myanmar
C. Russia
D. Belarus
E. Iran
F. Cuba
G. Ethiopia
H. Other Sanctions Developments

III. Information and Communications Technology and Services (ICTS)

A. Executive Order 13873: ICTS Supply Chain Framework
B. Executive Order 14034: Connected Software Applications
C. Executive Order 14017: Supply Chain Security
D. Executive Order 14028: Cybersecurity
E. Transatlantic Dialogues

IV. U.S. Export Controls

A. Commerce Department
B. Antiboycott Developments
C. White House Export Controls and Human Rights Initiative
D. State Department

V. European Union

A. Sanctions Developments
B. Export Controls Developments
C. Noteworthy Judgments and Enforcement Actions

VI. United Kingdom

A. Sanctions Developments
B. Export Controls Developments
C. Noteworthy Judgments and Enforcement Actions

VII. People’s Republic of China

A. Countermeasures on Foreign Sanctions
B. Export Controls Regime
C. Restrictions on Cross-Border Transfers of Data
D. Security Review of Foreign Investments

______________________________

I. U.S. Trade Restrictions on China

Despite the transition from the Trump to the Biden administration, U.S. trade policy toward China in 2021 was marked by a striking degree of continuity. As under the prior administration, the dozens of new China-related trade restrictions announced this year were generally calculated to advance a handful of longstanding U.S. policy interests for which there is broad bipartisan support within the United States, including protecting U.S. communications networks and sensitive personal data; slowing the advance of China’s military capabilities; promoting human rights in Xinjiang and Hong Kong; and narrowing the bilateral trade deficit. As the Biden administration enters its second year in office and tensions between Washington and Beijing show few signs of abating, those core objectives of U.S. policy toward China appear unlikely to change, at least in the near term.

Meanwhile, as discussed more fully in Section VII, below, China this year deepened its already considerable efforts to resist U.S. pressure by adopting a host of new or expanded measures, including counter-sanctions, export controls, restrictions on cross-border data transfers, and a rigorous foreign investment review regime. In light of these new instruments in Beijing’s policy arsenal, multinational enterprises seeking to do business in both of the world’s largest economies now face the unenviable task of navigating between two competing, and often conflicting, sets of trade controls.

A. Protecting Communications Networks and Sensitive Personal Data

Spurred by concerns about Chinese espionage, the United States during 2021 sought to solidify trade restrictions designed to protect U.S. communications networks and sensitive personal data.

Notably, President Biden on June 9, 2021 issued Executive Order (“E.O.”) 14034 to restrict the ability of “foreign adversaries,” including the People’s Republic of China, to access U.S. persons’ sensitive data. That measure revokes three Executive Orders that targeted by name certain Chinese connected software applications, including TikTok and various mobile payment platforms. In place of those restrictions, E.O. 14034 articulates a more neutral set of criteria that U.S. Executive branch agencies are to use in evaluating threats to sensitive data of U.S. persons. The Order also sets forth a more rigorous process, including the preparation of two reports by the U.S. Secretary of Commerce, for recommending policy options to address the purported threat posed by such apps. From a policy perspective, these changes appear calculated to put the earlier, Trump-era restrictions on certain Chinese apps—which were effectively unenforceable, having been enjoined by multiple federal courts in September and October 2020—on firmer footing.

For a more detailed discussion of U.S. measures to secure information and communications technology and services against foreign interference, please see Section III, below.

B. Slowing the Advance of China’s Military Capabilities

Another key feature of the Biden administration’s trade policy in 2021 was its attempt to blunt the development of China’s military capabilities, including by restricting exports of U.S.-origin items to certain Chinese end-users, prohibiting U.S. persons from investing in the securities of dozens of “Chinese military-industrial complex companies,” and subjecting potential Chinese acquisitions of and investments in sensitive U.S. businesses to stringent foreign investment reviews.

Export controls this year remained a core element of U.S. efforts to slow Beijing’s emergence as a strategic competitor as the Biden administration frequently used Entity List designations to target PRC-based firms. In its expanding size, scope, and profile, the Entity List has begun to rival OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List as a tool of first resort when U.S. policymakers seek to wield coercive authority, especially against major economies and significant economic actors. Among the more than 80 Chinese firms added to the Entity List during 2021 were substantial enterprises such as China National Offshore Oil Corporation Ltd. and the Xinjiang Production and Construction Corps (“XPCC”).

Entities can be designated to the Entity List upon a determination by the End-User Review Committee (“ERC”)—which is composed of representatives of the U.S. Departments of Commerce, State, Defense, Energy and, where appropriate, the Treasury—that the entities pose a significant risk of involvement in activities contrary to the national security or foreign policy interests of the United States. Through Entity List designations, BIS prohibits the export of specified U.S.-origin items to designated entities without BIS licensing. BIS will typically announce either a policy of denial or ad hoc evaluation of license requests.

The practical impact of any Entity List designation varies in part on the scope of items BIS defines as subject to the new export licensing requirement, which could include all or only some items that are subject to the U.S. Export Administration Regulations (“EAR”). Those exporting to parties on the Entity List are also precluded from making use of any BIS license exceptions. However, because the Entity List prohibition applies only to exports of items that are “subject to the EAR,” even U.S. persons are still free to provide many kinds of services and to otherwise continue dealing with those designated in transactions that occur wholly outside of the United States and without items subject to the EAR.

The ERC has over the past several years steadily expanded the bases upon which companies and other organizations may be designated to the Entity List to include activities like enabling human rights violations and producing surveillance technology. During 2021, BIS continued this trend by announcing six rounds of Entity List designations tied to activities in support of China’s military. Among those designated in January, April, June, July, November, and December 2021 were more than 40 PRC entities for their alleged involvement in developing, for example, supercomputers, quantum computing technology, and biotechnology (including purported brain-control weaponry) for Chinese military applications.

As part of the growing use of export controls to slow the advance of China’s military capabilities, pursuant to the Military End Use / User Rule, exporters of certain listed items subject to the EAR require a license from BIS to provide such items to China, Russia, Venezuela, Burma, and Cambodia if the exporter knows or has reason to know that the exported items are intended for a “military end use” or “military end user.” In April 2020, BIS announced significant changes to these military end use and end user controls that became effective on June 29, 2020. In particular, where the prior formulation of the Military End Use / User Rule only captured items exported for the purpose of using, developing, or producing military items, the rule now covers items that merely “support or contribute to” those functions. The scope of “military end uses” subject to control was also expanded to include the operation, installation, maintenance, repair, overhaul, or refurbishing of military items.

The expanded Military End Use / User Rule has presented a host of compliance challenges for industry, prompting BIS in December 2020 to publish a new, non-exhaustive Military End User (“MEU”) List to help exporters determine which organizations are considered military end users. The 71 Chinese companies identified to date appear to be principally involved in the aerospace, aviation, and materials processing industries. Although no new Chinese entities have been added to the MEU List since state-owned Beijing Skyrizon Aviation Industry Investment Co., Ltd. was named in the final days of the Trump administration, the Biden administration has continued to administer and enforce the MEU List (as well as the underlying Military End Use / User Rule). As such, that policy tool remains readily available and could be used by BIS in coming months to target additional entities with alleged links to China’s security services.

In addition to expanding U.S. export controls targeting China, the Biden administration in June 2021 announced updated restrictions on the ability of U.S. persons to invest in publicly-traded securities of certain companies determined to operate in the defense and related materiel sector or the surveillance technology sector of China’s economy.

In place of earlier Trump-era restrictions, an Executive Order promulgated on June 3, 2021—which OFAC is calling E.O. 13959, as amended—prohibits U.S. persons from engaging in “the purchase or sale of any publicly traded securities, or any publicly traded securities that are derivative of such securities or are designed to provide investment exposure to such securities” of certain companies named by the U.S. Secretary of the Treasury. In particular, persons may now be designated a Chinese Military-Industrial Complex Company (“CMIC”) if they are determined by the Secretary of the Treasury: (1) to operate or have operated in the defense and related materiel sector or the surveillance technology sector of the economy of the People’s Republic of China, or (2) to own or control, or to be owned or controlled by, such a company. The designation criteria in E.O. 13959, as amended, are therefore broader than under the Trump-era restrictions in that they target surveillance technology companies. Indeed, the White House has indicated that it intends to use E.O. 13959, as amended, to target Chinese companies that “undermine the security or democratic values of the United States and our allies”—including especially by targeting Chinese surveillance technology companies whose activities enable surveillance beyond China’s borders, repression, and/or serious human rights abuses.

The investment restrictions set forth in E.O. 13959, as amended, take effect 60 days after a company becomes designated as a CMIC. U.S. persons have 365 days from a company’s designation date to divest their interest in that CMIC. Those investment restrictions presently target 68 companies that appear by name on a new Non-SDN Chinese Military-Industrial Complex Companies List (the “NS-CMIC List”) administered by OFAC. For the initial tranche of 59 companies that were added to the NS-CMIC List in June 2021, the investment restrictions came into effect on August 2, 2021, and U.S. persons have until June 3, 2022 to divest their interest in such firms.

From a policy perspective, the updated investment restrictions appear designed to provide greater clarity regarding precisely which PRC companies are being targeted. In that sense, E.O. 13959, as amended, seems to be a reaction to widespread market uncertainty concerning which entities were covered by the prior administration’s restrictions, along with a series of successful court challenges by companies like the smartphone maker Xiaomi that were previously named on the basis of a surprisingly thin evidentiary record. In our view, the updated restrictions appear calculated to put those earlier, Trump-era measures on firmer footing to withstand legal challenges—suggesting that the Biden administration is recalibrating investment restrictions targeting companies linked to China’s military-industrial complex to survive for the long term.

Although the Entity List, the MEU List, and the NS-CMIC List are analytically distinct from one another, all three measures appear to be driven by similar concerns among U.S. officials regarding the use of U.S. resources—namely, technology and capital—to engage in activities contrary to U.S. national security interests, including facilitating the expansion of China’s military capabilities. In addition to their shared policy underpinnings, the three lists are similar in that they are each tailored to restrict only certain narrow categories of transactions. Unlike a designation to OFAC’s SDN List—which generally results in U.S. persons being prohibited from engaging in substantially all transactions involving a targeted entity—the three lists discussed above are each less sweeping in their effects. The Entity List and the MEU List both impose a licensing requirement on exports, reexports, and transfers of certain U.S.-origin goods, software, and technology to named companies, many of which are located in China. The NS-CMIC List restricts U.S. persons from having investment exposure to publicly-traded securities of certain named Chinese companies. In each case, absent some other prohibition, U.S. and non-U.S. persons are permitted to continue engaging in all other lawful dealings with the listed entities. In that sense, these three lists each offer a potentially attractive option for U.S. officials looking to impose meaningful costs on large non-U.S. firms that act contrary to U.S. interests while avoiding the economic disruption of designating such enterprises to OFAC’s SDN List.

Consistent with a whole-of-government approach to limiting China’s access to sophisticated technologies with potential military applications, the United States during 2021 also leveraged the expanded authorities available to the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) to target sensitive investments by Chinese acquirers. Notably, a lengthy CFIUS investigation led the South Korea-based chipmaker Magnachip Semiconductor Corporation in December 2021 to abandon its planned acquisition by a PRC-based private equity firm, suggesting that the Committee is likely to remain intensely focused on blunting efforts by Chinese buyers to acquire advanced technologies in general and semiconductors in particular.

Meanwhile, the U.S. Congress has in parallel sought to bolster the United States’ ability to develop the technologies of the future. The U.S. Senate in June 2021 approved a sprawling bill authorizing approximately $250 billion in spending to better position the United States to compete technologically with China, including through investments in research and development and semiconductor manufacturing. The measure, called the United States Innovation and Competition Act of 2021 (“USICA”), passed the Senate by a wide bipartisan majority—suggesting that countering China’s growing influence remains one of the few areas of agreement between congressional Republicans and Democrats. Debate over the USICA will soon shift to a conference committee between the Senate and the House of Representatives, where the measure is expected to undergo further changes during coming months. Although it is uncertain whether and in what form the bill will ultimately be approved by both chambers of Congress, in light of the bill’s broad base of support—including from President Biden—some version of the USICA appears likely to be passed by Congress and signed into law later this year.

C. Promoting Human Rights in Xinjiang

During 2021, the United States continued to ramp up legislative and regulatory efforts to address and punish reported human rights abuses, including high-tech surveillance of Muslim minority groups and forced labor, in China’s Xinjiang Uyghur Autonomous Region (“Xinjiang”).

The Biden administration took a number of executive actions against Chinese individuals and entities implicated in the alleged Xinjiang repression campaign. In March and December 2021, OFAC—acting in concert with the European Union, the United Kingdom, and Canada— designated to the SDN List four current or former PRC government officials for their ties to mass detention programs and other abuses. In December 2021, OFAC followed up on those designations by adding to the NS-CMIC List a total of nine Chinese surveillance technology companies for their role in enabling surveillance beyond China’s borders, repression, and/or serious human rights abuses. Specifically, OFAC on December 10, 2021 named China-based SenseTime Group Limited a CMIC for owning a company alleged to have developed facial recognition programs “that can determine a target’s ethnicity, with a particular focus on identifying ethnic Uyghurs.” The following week, OFAC on December 16, 2021 named a further eight Chinese technology companies to the NS-CMIC List for operating in the surveillance technology sector of China’s economy and/or for owning or controlling such an entity. Those eight firms were similarly targeted for their alleged involvement in developing technologies that have been used to—and, some cases, were specifically designed to—track members of ethnic and religious minority groups in Xinjiang, including especially ethnic Uyghurs. In addition to enabling the biometric tracking and surveillance of minorities in China, a further risk factor for designation to the NS-CMIC List appears to be the export of such surveillance technologies to regimes with troubling human rights records, for which several of the entities identified by OFAC were cited.

In tandem with sanctions designations, the United States during 2021 leveraged export controls to advance the U.S. policy interest in curtailing human rights abuses in Xinjiang—most notably through expanded use of the Entity List. Continuing a trend begun in October 2019, the ERC on two separate occasions this past year—in June and July 2021—added a total of 19 Chinese organizations to the Entity List for their involvement in human rights violations against Uyghurs, Kazakhs, and other members of Muslim minority groups in Xinjiang. Entities so designated included the silicon producer Hoshine Silicon Industry (Shanshan) Co., Ltd. (“Hoshine”) and the Chinese state-owned paramilitary organization XPCC, each for participating in the practice of, accepting, or utilizing forced labor in Xinjiang.

Consistent with the Biden administration’s whole-of-government approach to trade with China, the United States also used import restrictions—including multiple withhold release orders issued by U.S. Customs and Border Protection (“CBP”) and enactment of the Uyghur Forced Labor Prevention Act—to deny certain goods produced in Xinjiang access to the U.S. market.

CBP is authorized to enforce Section 307 of the Tariff Act of 1930, which prohibits the importation of foreign goods produced with forced or child labor. Upon determining that there is information that reasonably, but not conclusively, indicates that goods that are being, or are likely to be, imported into the United States may be produced with forced or child labor, CBP may issue a withhold release order, or WRO, which requires the detention of such goods at any U.S. port. To overcome a WRO and have its goods released into the United States, the importer bears the burden of demonstrating by evidence satisfactory to the Commissioner of CBP that the goods were not made, in whole or in part, with a prohibited form of labor—which, as a practical matter, is a difficult showing to make.

After issuing a record number of withhold release orders during 2020, CBP in January 2021 continued its aggressive use of this policy instrument by imposing a region-wide WRO targeting all cotton products and tomato products produced in whole or in part in Xinjiang. In June 2021, CBP issued a company-specific WRO targeting silica-based products—which are commonly used in solar panels and electronics—made by the Xinjiang-based company Hoshine and its subsidiaries. Underscoring the degree to which U.S. trade controls targeting China overlap and intersect, Hoshine was concurrently added to the Commerce Department’s Entity List, thereby constraining the company’s ability to both source inputs from, and sell goods into, the U.S. market.

Concerns regarding the PRC’s activities in Xinjiang appear to be shared by bipartisan majorities within the U.S. Congress. In December 2021, Congress passed and President Biden signed into law the Uyghur Forced Labor Prevention Act (the “Uyghur Act”), which in effect subjects all goods sourced from Xinjiang to a withhold release order. A key feature of that legislation is the creation of a rebuttable presumption—which takes effect on June 21, 2022—that all goods mined, produced, or manufactured even partially within Xinjiang are the product of forced labor and are therefore not entitled to entry at U.S. ports. Although the presumption can be overcome by “clear and convincing” evidence, the nature of which is to be articulated in formal guidance later this year, importers may face substantial practical hurdles to conducting due diligence into their supply chains as PRC entities have historically been unwilling to submit to audits of their labor practices. (Moreover, PRC entities may be prohibited by local law from cooperating with such requests in light of China’s new counter-sanctions measures, discussed in Section VII, below.) In addition to imposing import restrictions, the new law also amends the Uyghur Human Rights Policy Act of 2020 to authorize the President to impose sanctions on persons determined to be responsible for serious human rights abuses in connection with forced labor. For a more detailed description of the Uyghur Act and its implications for companies doing business in or related to Xinjiang, please see our January 2022 client alert.

As a complement to the legislative and regulatory changes described above, the Biden administration published guidance to assist the business community in conducting human rights due diligence related to Xinjiang. On July 13, 2021, the U.S. Departments of State, Treasury, Commerce, Homeland Security, and Labor, together with the Office of the U.S. Trade Representative, issued an updated Xinjiang Supply Chain Business Advisory. That document spotlights practices by PRC authorities that the U.S. Government considers objectionable, including especially related to forced labor and mass surveillance. The Advisory identifies “red flags” that individuals or entities linked to Xinjiang may be using forced labor, including dealing in certain types of goods (such as cotton and polysilicon) or operating facilities located within or near known internment camps and prisons.

D. Promoting Human Rights in Hong Kong

As Beijing continued to tighten its grip on the Hong Kong Special Administrative Region, the territory remained an area of focus for U.S. sanctions policy under the Biden administration. Building on policy measures announced during the preceding year—including revocation of Hong Kong’s special trading status under U.S. law, passage of the Hong Kong Autonomy Act, and the imposition of blocking sanctions against the territory’s chief executive, Carrie Lam—2021 witnessed multiple rounds of Hong Kong-related sanctions designations. Among those added to the SDN List for their alleged involvement in eroding Hong Kong’s autonomy were numerous current PRC government officials.

Additionally, the Biden administration on July 16, 2021 published a new Hong Kong Business Advisory that describes the potential financial, legal and reputational risks that can arise from operating in Hong Kong. The Advisory, which was timed to coincide with the one-year anniversary of the Hong Kong national security law, spotlights in particular the possibility of arrest under the national security law, warrantless electronic surveillance, and restrictions on the free flow of information. The Advisory also provides a helpful compilation of the U.S. legal authorities pursuant to which Hong Kong and mainland Chinese individuals and entities may be sanctioned and warns that U.S. businesses may suffer consequences for complying with those measures under China’s new counter-sanctions law, which we discuss in more detail in Section VII.A, below.

E. Trade Imbalances and Tariffs

Also in 2021, the Biden administration continued to make broad use of its authority to impose tariffs on Chinese-made goods. This policy approach—which was launched during the Trump era—remains the subject of substantial and ongoing litigation at the U.S. Court of International Trade. Among the mechanisms that the new administration has employed to retain significant tariffs targeting Beijing is Section 301 of the Trade Act of 1974 (“Section 301”), which allows the President to direct the U.S. Trade Representative to take all “appropriate and feasible action within the power of the President” to eliminate unfair trade practices or policies by a foreign country.

Although the Trump administration initiated Section 301 tariff investigations involving multiple jurisdictions, the Section 301 tariffs that have dominated the headlines are the tariffs imposed on China in retaliation for practices with respect to technology transfer, intellectual property, and innovation that the Office of the U.S. Trade Representative has determined to be unfair (“China 301 Tariffs”). The China 301 Tariffs were imposed in a series of waves in 2018 and 2019, and as originally implemented they together cover over $500 billion in products from China.

As we predicted in our 2020 Year-End Sanctions and Export Controls Update, although the China 301 Tariffs were a hallmark of the Trump administration’s trade policy, they have so far remained in place under President Biden and the new administration appears disinclined to relax those measures without first extracting concessions from Beijing.

II. U.S. Sanctions

A. Treasury Department Sanctions Review

In early 2021, the incoming Biden administration signaled its intent to evaluate the way the United States utilizes sanctions as a tool of foreign policy—often putting aside questions regarding the fate of a long list of Trump-era policies while the review was ongoing. The Treasury Department released the findings from its sanctions review in October 2021. In that document, Treasury articulates both the emerging challenges to the efficacy of sanctions as a national security tool, as well as a set of principles to guide U.S. sanctions policymaking in the future.

As part of a broader effort to ensure that sanctions—the use of which has sharply expanded during the past two decades—remain a durable and effective policy instrument, Treasury in its review emphasized that U.S. sanctions policies should be tied to clear, discrete objectives that are consistent with relevant Presidential guidance. To accomplish that goal, Treasury indicated that it would on a going-forward basis adopt the use of a structured policy framework—similar to the rigorous process that informs the use of force by the U.S. military—by asking whether a proposed sanctions action:

supports a clear policy objective within a broader U.S. Government strategy;
has been assessed to be the right tool for the circumstances;
incorporates anticipated economic and political implications for the sanctions target(s), U.S. economy, allies, and third parties and has been calibrated to mitigate unintended impacts;
includes a multilateral coordination and engagement strategy (where possible); and
will be easily understood, enforceable, and, where possible, reversible.

These principles were broadly apparent in the sanctions policy decisions made by the U.S. administration throughout 2021 as OFAC often announced new sanctions actions in coordination with close U.S. allies and issued numerous humanitarian general licenses to minimize the collateral consequences of U.S. measures on vulnerable populations such as the people of Afghanistan.

B. Myanmar

As we wrote in February and April 2021, the Biden administration imposed new sanctions on Myanmar (also called “Burma”) in response to the Myanmar military’s coup against the country’s elected civilian government on February 1, 2021. Since then, the military (called the “Tatmadaw”) has maintained tight control over the country by, among other things, using lethal force on protesters, issuing a series of martial law orders, and imprisoning civilian leaders like State Counselor Aung San Suu Kyi. As the situation worsened, the Biden administration continued to enhance sanctions, notably opting for a targeted, list-based approach instead of jurisdiction-wide measures like those on Cuba, Iran, North Korea, Syria, and the Crimea region of Ukraine.

The turmoil in Myanmar marks an unfortunate echo of the past. Suu Kyi had been detained by the military in the 1990s and early 2000s and the international community, led by the United States, had previously responded with sanctions. Myanmar eventually moved toward democratization, with one key pivot point being the overwhelming victory of Suu Kyi’s political party, the National League for Democracy, in the country’s November 2015 elections. As we noted back in May 2016, the U.S. Government responded by easing sanctions pressure on Myanmar, eventually dismantling the country-specific sanctions program administered by OFAC. While there was no longer a Myanmar sanctions program, in the ensuing years OFAC continued to sanction Myanmar-based actors under other programs targeting specific behaviors such as narcotics trafficking, weapons proliferation, and human rights abuses—with an emphasis on the military-linked perpetrators of violence against the Rohingya, a religious minority group, in 2016 and 2017.

In the wake of the February 2021 military coup, rather than revive the former Myanmar sanctions program, President Biden created a new one by issuing Executive Order 14014. Under this authority, OFAC may designate to the SDN List individuals and entities determined to be directly or indirectly causing, maintaining, or exacerbating the situation in Myanmar, and/or leading Myanmar’s military or current government, or operating in the country’s defense sector. Under E.O. 14014, OFAC may also designate the adult relatives of a designee, the entities owned or controlled by a designee, or those providing material support to a designee.

The breadth of the designation criteria in E.O. 14014 affords the administration considerable flexibility in selecting its targets. The Biden administration has taken full advantage. During the past year, OFAC has sanctioned, among others, leaders of the Tatmadaw and their relatives, military-run governmental entities and their leaders, and military-linked businesses operating across economic sectors.

The March 2021 designation of two military conglomerates—Myanmar Economic Holdings Public Company Limited (“MEHL”) and Myanmar Economic Corporation Limited (“MEC”)—is arguably the most consequential of the designations thus far. As we discussed in April 2021, by operation of OFAC’s Fifty Percent Rule, the sanctioned status of MEHL and MEC automatically flows down to their dozens of majority-owned subsidiaries that play foundational roles throughout the country’s economy, implicating the Myanmar-based operations of numerous foreign companies with touchpoints with the United States. Recognizing the potential collateral impact of targeting such key economic actors, OFAC issued a set of four general licenses authorizing the wind down of transactions involving MEHL or MEC for a set time period (which has since lapsed), and authorizing activities conducted by the U.S. Government and certain international organizations and non-profits.

It is also worth noting that OFAC in May 2021 designated the State Administrative Council (the “SAC”), the governmental body established by the Tatmadaw to govern Myanmar. The consequences of the SAC’s designation have been challenging to discern for companies doing business in Myanmar that deal directly or indirectly with the government. In our view, some clarity can be gained by looking to OFAC’s historical practices. When OFAC imposed sanctions on the Government of Venezuela, for example, it was explicit in the underlying authority, Executive Order 13884, that the entire Maduro regime was being targeted. The agency also promulgated numerous Venezuela-related general licenses to protect innocent third parties from what was a massively impactful measure. In contrast, the SAC designation, on its face, singled out one governmental entity, with no corresponding general licenses issued. The intended effect here appears to us to have been targeted, as opposed to sweeping, restrictions.

Over the past year or so, OFAC has designated 87 individuals and entities pursuant to E.O. 14014—not all at once but in recurring waves of designations, often prompted by particular atrocities committed by the Tatmadaw. President Biden has to date taken a calibrated and incremental approach to exerting economic pressure on Myanmar, but the tools used have been wide-ranging—extending beyond sanctions to include export controls, import controls, anti-money-laundering, and labor measures. Indeed, on January 26, 2022, the U.S. Departments of Treasury, State, Commerce, Labor, and Homeland Security, plus the Executive Office of the President, jointly published a Burma Business Advisory summarizing these measures and highlighting sectors, activities, and actors that the U.S. Government considers high risk. Absent dramatic developments on the ground, we would expect this gradual and whole-of-government approach to continue so long as the Tatmadaw remains in power in Myanmar. If the Biden administration decides to further increase pressure, the expected departure of major Western energy firms with a longtime presence in the country could soon open the way to sanctions on state-owned Myanmar Oil and Gas Enterprise, or MOGE, which is a key source of revenue for the military regime in Yangon.

C. Russia

Russia featured prominently in President Biden’s first year of foreign policy developments and challenges, as demonstrated by a range of sanctions actions aimed at the Kremlin. These actions—largely geared toward addressing Russia’s meddling abroad, including the annexation of Crimea, foreign election interference, and the SolarWinds cyberattack—have been relatively measured to date, reflecting concerns about potential impacts on European allies. However, an open question as of this writing is whether the Russian military buildup along the Ukrainian border will escalate into a further incursion into Ukrainian territory, which could trigger the imposition of biting sanctions and export controls by the United States and its North Atlantic Treaty Organization (“NATO”) allies.

1. Nord Stream 2

In May 2021, the Biden administration waived sanctions on Nord Stream 2 AG, the Russian-controlled company developing the Nord Stream 2 gas pipeline between Russia and Germany, along with the company’s chief executive. A State Department press release noted that the agency determined that, with respect to those two parties, “it is in the national interest of the United States to waive” sanctions authorized by the Protecting Europe’s Energy Security Act of 2019. The waiver came at the behest of Germany, with which the Biden administration has sought to strengthen ties. However, the action drew sharp criticism within the United States, including from both sides of the aisle in the U.S. Congress. Opponents of the project contend that, once complete, the Nord Stream 2 pipeline could strengthen Russia’s hand by positioning the Kremlin to withhold gas supplies from European consumers and deprive Ukraine of gas transit fees, a key source of government revenue. The waiver subsequently gave rise to a blockade by Senate Republicans of dozens of Biden administration national security-related nominations, as well as vigorous debate in the halls of Congress concerning the amount of discretion that should be afforded to the Executive branch in determining whether to impose further sanctions on Russia.

2. Navalny Sanctions

In two separate actions taken in March and August 2021, the United States imposed sanctions on Russia in response to the 2020 poisoning of the Russian dissident and activist Aleksey Navalny. The measures, which were implemented pursuant to the Chemical and Biological Weapons Control and Warfare Elimination Act of 1991 and various other U.S. legal authorities, expanded on sanctions imposed three years earlier in connection with a similar chemical attack on Sergei Skripal in the United Kingdom.

The March 2021 action consisted of the designation to the SDN List of seven Russian government officials involved in the attack and Navalny’s subsequent arrest and imprisonment. At the same time, the Department of Commerce added 14 entities to the Entity List based on their support to Russia’s chemical and weapons of mass destruction industries, and the Department of State expanded existing sanctions against multiple individuals and entities in Russian’s chemical weapons sector. In connection with this action, the U.S. Government is also now prohibited from providing foreign assistance or authorizing arms sales, arms sales financing, U.S. Government credit, and exports of national security-sensitive goods and technology to Russia. EAR license exceptions GOV, ENC, BAG, TMP, and AVS remain available, and the U.S. Government will consider licenses necessary for flight safety, certain deemed exports, exports to wholly owned subsidiaries of U.S. and foreign companies in Russia, and exports in support of government space cooperation on a case-by-case basis. Commercial end users, state-owned enterprises, and exports in support of commercial space launches are subject to a presumption of denial.

In August 2021, the State Department, acting pursuant to Executive Order 14024 (described below), imposed restrictions on two Russian Ministry of Defense scientific institutes and OFAC designated to the SDN List additional individuals associated with Russia’s foreign intelligence agency, the Federal Security Service (commonly referred to by its Russian acronym, the FSB), for their role in the Navalny poisoning.

3. Russian Harmful Foreign Activities Sanctions

As described in more detail in an earlier client alert, the United States on April 15, 2021 announced a significant expansion of sanctions on Russia for a range of harmful foreign activities such as the annexation of Crimea and interference with U.S. elections. The sanctions included new restrictions on the ability of U.S. financial institutions to deal in Russian sovereign debt and the designation of more than 40 individuals and entities for supporting the Kremlin’s malign activities abroad. The basis for these actions, Executive Order 14024, relied in large part on earlier Executive Orders and actions, but also expanded Treasury’s authorities to, for example, designate the spouse and adult children of sanctioned individuals, which could enable the future targeting of members of the Russian oligarchy and their close relatives. Other provisions in these and related actions taken by the Treasury Department suggest the Biden administration stopped short of adopting more draconian measures such as blacklisting either Russia’s sovereign wealth fund or the Russian government itself. Those policy options therefore remain available in the event of a further significant deterioration in relations between Washington and Moscow.

4. Possible Ukraine-Related Sanctions and Export Controls

Meanwhile, as tens of thousands of Russian troops continue in early 2022 to mass on the border with Ukraine, the United States and its NATO allies have threatened a barrage of sanctions and export controls should Russia mount a further invasion of its western neighbor. As diplomatic talks regarding the security of Eastern Europe unfold, the White House has suggested that the United States and its allies could respond to Russian military aggression in Ukraine by barring Russian access to the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) messaging system that underlies global financial transactions. Additional possible consequences such as sanctions on major Russian banks and stringent controls on exports to Russia of semiconductors and electronics—all of which the White House has suggested could be imposed within hours of a Russian incursion—could severely disrupt the global economy in the near term.

D. Belarus

In keeping with one of the key recommendations of the Treasury Department’s sanctions review, discussed above, the United States, in close collaboration with the European Union, United Kingdom, and Canada, imposed coordinated sanctions against individuals and entities associated with the deterioration in democratic norms and human rights in Belarus. OFAC emphasized that this effort “reflects the United States’ commitment to acting with its allies and partners to demonstrate a broad unity of purpose” because “sanctions are most effective when coordinated where possible with allies and partners who can magnify the economic and political impact.”

On April 19, 2021, subject to a wind-down period that has since expired, OFAC revoked a longstanding general license that authorized U.S. persons to engage in certain transactions involving nine sanctioned Belarusian state-owned enterprises. As described by the U.S. Department of State, that authorization was withdrawn in light of the human rights record of Belarusian leader Aleksandr Lukashenka and his regime, including the ongoing detention of hundreds of political prisoners following the country’s August 2020 presidential election.

Following the May 2021 forced diversion of a commercial airliner by the Lukashenka regime and the subsequent arrest of dissent journalist Raman Pratasevich—described by some observers as a state-sponsored hijacking—OFAC on June 21, 2021 designated an additional 16 individuals and five entities. Among those added to the SDN List were senior Belarusian government officials and government agencies, including the State Security Committee of the Republic of Belarus (the “Belarusian KGB”) and its chairman. OFAC concurrently issued a general license authorizing U.S. persons to engage in certain transactions involving the Belarusian KGB in its administrative capacity such as complying with law enforcement actions and investigations.

To mark the one-year anniversary of Belarus’ fraudulent presidential election, President Biden on August 9, 2021 signed Executive Order 14038 authorizing sanctions on Belarusian government agencies and officials, as well as individuals and entities determined to operate or have operated in certain identified sectors of the Belarusian economy. Targeted industries include the defense and related material, security, energy, potassium chloride (potash), tobacco products, construction, and transportation sectors, plus any other sector of the Belarusian economy that may subsequently be determined by the U.S. Secretary of the Treasury. In parallel, OFAC designated a further 23 individuals and 21 entities, including numerous parties identified as “wallets” for Lukashenka and his regime.

In late 2021, relations between Minsk and the West continued to spiral downward as the Lukashenka regime encouraged waves of vulnerable migrants to transit Belarusian territory and cross into the European Union. Following this development, OFAC on December 2, 2021 added Belarus to the short list of countries (including Russia and Venezuela) that are subject to sectoral sanctions. In particular, OFAC issued Directive 1 Under Executive Order 14038 prohibiting U.S. persons from transacting in, providing financing for, or participating in other dealings in the primary and secondary markets for “new” debt with a maturity of greater than 90 days issued by the Ministry of Finance or the Development Bank of the Republic of Belarus. OFAC indicated in published guidance that these sectoral restrictions apply only to the two named entities (and not their subsidiaries), and that absent some other prohibition, U.S. persons may continue engaging in all other lawful dealings with those two entities. OFAC concurrently designated a further 20 individuals and 12 entities, and identified three aircraft as blocked property. These designations targeted parties that financially prop up the regime, and those implicated in the Lukashenka regime’s smuggling of migrants into the European Union.

E. Iran

The advent of the Biden administration brought to the foreground the question of the future of the JCPOA. In 2021, events unfolded much as we anticipated in our 2020 Year-End Sanctions and Export Controls Update. Consistent with the interest that both President Biden and then-Iranian President Hassan Rouhani had signaled in returning to the JCPOA, negotiations resumed in April 2021 against a tense backdrop as Iran announced plans to begin enriching uranium to 60 percent purity. Tehran’s unveiling of new centrifuges was soon followed by an explosion at the Natanz nuclear enrichment facility that has been widely attributed to Israeli sabotage.

Although talks initially appeared to progress, negotiations stalled following the June 2021 election of current Iranian President Ebrahim Raisi—a hardliner who was previously (and remains) designated to the SDN List. Raisi was initially targeted in 2019 for his role as head of the Iranian judiciary in overseeing human rights abuses and, in an earlier role as prosecutor general, participating in a “death commission” that ordered the extrajudicial killing of thousands of political prisoners. Since assuming the presidency, Raisi has expressed support for a return to the JCPOA, and indirect talks resumed at the end of November 2021.

Progress in the resumed negotiations remains limited, and Iran meanwhile continues to advance its nuclear program—a trend that U.S. and European officials have indicated is not sustainable. On January 20, 2022, Secretary of State Antony Blinken said that it is “really now a matter of weeks” to “determine whether or not we can return to mutual compliance with the agreement,” a sentiment echoed by his French and German counterparts.

In the absence of a return to or renegotiation of the nuclear deal, the architecture of the Iran sanctions program has thus far not substantially changed since President Biden took office. However, OFAC continued to make use of its existing counter-terrorism authority to issue a significant set of designations in September 2021 targeting Hizballah and Iran’s Islamic Revolutionary Guard Corps-Qods Force. Both organizations had already been designated to the SDN List pursuant to OFAC’s counter-terrorism authority. The new designations target individuals and companies providing financial support to them, including the operation of a network for smuggling and selling valuable commodities, including gold, electronics, and currency, and laundering the proceeds through the international financial system. This action suggests that, with or without progress in the JCPOA talks, OFAC is likely to continue using its existing authorities to target Iran’s perceived malign activities.

F. Cuba

First established six decades ago following Cuba’s Communist Revolution, U.S. sanctions on the regime in Havana have lately oscillated between easing under President Obama and tightening under President Trump. Despite early speculation that the Biden administration might seek a renewed thaw in relations with Havana, prospects for relaxed U.S. sanctions were dashed as the Cuban government in July 2021 cracked down on a wave of peaceful protects by Cuban citizens.

The Biden administration in July and August 2021 soon announced four rounds of sanctions against Cuban government entities and senior officials, including the country’s defense minister, pursuant to OFAC’s Global Magnitsky sanctions authority which targets perpetrators of serious human rights abuse and corruption. On August 11, 2021, OFAC and BIS jointly issued a fact sheet highlighting the U.S. Government’s longstanding policy commitment to ensuring the free flow of information to the Cuban people. In the wake of these developments, U.S. sanctions on Cuba—including the country’s designation as a State Sponsor of Terrorism by the outgoing Trump administration—have remained substantially unaltered over the past year and show few signs of changing in the near term as the United States enters a pivotal election year.

G. Ethiopia

On September 17, 2021, OFAC launched a new Ethiopia-related sanctions program in response to the ongoing humanitarian and human rights crisis in Ethiopia, particularly in the country’s Tigray region. This program, which we discuss in depth in a recent client alert, authorizes OFAC to impose sanctions measures of varying degrees of severity without those sanctions necessarily flowing down to entities owned by sanctioned parties, suggesting that the United States is aiming to limit ripple effects on the Ethiopian economy.

Executive Order 14046 permits the Department of the Treasury to choose from a menu of blocking and non-blocking sanctions measures, allowing for a targeted application of restrictions. In keeping with recent Executive Orders of its kind, the criteria for designation under the E.O. are exceedingly broad. The Secretary of the Treasury can designate foreign persons for a wide range of activities related to the crisis in northern Ethiopia. These criteria range from obstructing access to humanitarian assistance and targeting civilians through acts of violence to being a political subdivision, agency, or instrumentality of the Ethiopian or Eritrean governments or of certain political parties. Upon designation of any such foreign person, the Secretary of Treasury may select from a menu of sanctions, including both blocking and non-blocking measures such as prohibiting U.S. persons from engaging in certain transactions with sanctioned persons involving significant amounts of equity or debt instruments, loans, credit, or foreign exchange.

Notably, unlike nearly all other sanctions programs administered by OFAC, E.O. 14046 stipulates that OFAC’s Fifty Percent Rule does not automatically apply to any entity “owned in whole or in part, directly or indirectly, by one or more sanctioned persons, unless the entity is itself a sanctioned person” and the sanctions outlined within the E.O. are specifically applied. OFAC has indicated in published guidance that E.O. 14046’s restrictions do not automatically “flow down” to entities owned in whole or in part by sanctioned persons unless such persons appear by name on either OFAC’s SDN List or the agency’s Non-SDN Menu-Based Sanctions (“NS-MBS”) List.

Concurrent with the announcement of its Ethiopia-related sanctions, OFAC issued three general licenses in recognition of the importance of ongoing humanitarian efforts to address the crisis in northern Ethiopia. These general licenses authorize a wide range of transactions and activities carried out by enumerated international organizations and non-governmental organizations to address this humanitarian and human rights crisis, as well as humanitarian trade in agricultural commodities, medicine, and medical devices.

Nearly two months after the program was created, OFAC announced its first (and so far only) round of Ethiopia-related designations on November 12, 2021, issuing blocking sanctions against four entities and two individuals. Among those targeted were the People’s Front for Democracy and Justice, Eritrea’s sole legal political party, and the Eritrean Defense Force (“EDF”), Eritrea’s military. OFAC in making that announcement highlighted reports of EDF looting, sexual assault, killing of civilians, and blocking of humanitarian aid.

H. Other Sanctions Developments

1. Virtual Currency and Ransomware

OFAC this year intensified its focus on digital currencies and ransomware by issuing multiple rounds of industry guidance and announcing the first U.S. sanctions designation of a virtual currency exchange. As cybercrime and ransomware schemes proliferate, OFAC appears poised to continue pursuing investigations and enforcement actions in the virtual currency space.

The total dollar value of ransomware-related reports filed with the U.S. Department of the Treasury more than doubled in 2021 compared against the prior year, according to information published by Treasury’s Financial Crimes Enforcement Network (“FinCEN”). As reported by FinCEN, financial institutions filed over 600 ransomware-related suspicious activity reports during the first half of 2021, and the average payment amount for ransomware-related transactions was over $100,000. Of course, the May 7, 2021, ransomware attack on the Colonial Pipeline, the largest pipeline system for refined oil products in the United States, involved a much larger sum—nearly $5 million, paid via Bitcoin—and focused global attention on the connection between cybercrime and digital currencies.

At the end of 2020 and in early 2021, OFAC published two enforcement actions against virtual currency services providers, BitPay and BitGo. BitPay, headquartered in Atlanta, provides a payment processing solution for merchants to accept digital currency as payment for goods and services. While BitPay screened its direct customers, the merchants, against OFAC restricted party lists, the company failed to use information it received about the merchants’ customers at the time of a transaction, including a buyer’s name, address, email address, phone number, and Internet Protocol (“IP”) address, to determine whether buyers were located in sanctioned jurisdictions. BitGo, headquartered in California, failed to use IP address information it obtained regarding its direct customers for security purposes to also determine whether its customers were located in comprehensively sanctioned jurisdictions.

Both enforcement actions demonstrate OFAC’s expectation that best practices with respect to sanctions compliance, including IP address geo-blocking and sanctions list screening, apply to virtual currency services providers to the same extent as traditional financial institutions. Additional details on those two enforcement actions can be found in our February 2021 client alert.

On September 21, 2021, OFAC took more severe action against SUEX OTC (“SUEX”), a virtual currency exchange headquartered in Moscow, by adding SUEX to the SDN List, essentially barring SUEX from transactions that utilize the U.S. financial system and prohibiting U.S. persons from engaging in transactions involving the company. According to OFAC, SUEX facilitated transactions involving illicit proceeds from at least eight ransomware variants and over 40 percent of SUEX’s known transaction history is associated with illicit actors. That action—which marked the first time that OFAC has designated a virtual currency exchange to the SDN List—was soon followed by the SDN designation of the Chatex virtual currency exchange in November 2021.

Underscoring the agency’s heightened focus on this space, in addition to pursuing enforcement actions and blacklisting alleged bad actors, OFAC in September 2021 published an updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. That document emphasizes that ransomware payments carry an elevated risk of dealing with prohibited parties. Expanding on earlier guidance, the Advisory also notes that, should an apparent sanctions violation occur in connection with a ransomware payment, OFAC will now take into account both the subject person’s cybersecurity practices and whether the ransomware attack was timely self-reported to U.S. authorities in determining what enforcement response to impose. OFAC in October 2021 also published an industry-specific handbook, titled Sanctions Compliance Guidance for the Virtual Currency Industry, that provides a comprehensive overview of OFAC’s sanctions programs, requirements, and resources for establishing a sanctions compliance program. Among other measures, OFAC suggests that virtual currency industry participants, consistent with a risk-based approach to sanctions compliance, consider implementing IP address geo-blocking, restricted party screening, and periodic “lookback” reviews after the agency adds new virtual currency addresses to the SDN List.

2. Reversal of International Criminal Court Sanctions

A major reversal of Trump-era sanctions policy occurred on April 5, 2021 when the Biden administration announced the revocation of Executive Order 13928, which had authorized sanctions against foreign persons determined to have engaged in any effort by the International Criminal Court (“ICC”) to investigate, arrest, detain, or prosecute United States or any U.S. ally personnel without the consent of the United States or that ally. As previously mentioned in our 2020 Year-End Sanctions and Export Controls Update, that earlier Executive Order came in retaliation for the ICC’s 2020 announcement of a human rights investigation into potential war crimes committed by U.S. troops, the Taliban, and Afghan forces in Afghanistan. As part of the Biden administration’s revocation, OFAC announced the elimination of the International Criminal Court-Related Sanctions Regulations and the removal from the SDN List of ICC Prosecutor Fatou Bensouda and Phakiso Mochochoko, the Head of the Jurisdiction, Complementarity, and Cooperation Division of the Office of the Prosecutor.

The reasoning for this reversal, according to the State Department, was that although the U.S. “maintain[s] our longstanding objection to the Court’s efforts to assert jurisdiction over personnel of non-States Parties such as the United States and Israel,” the new administration felt that those concerns “would be better addressed through engagement with all stakeholders in the ICC process rather than through the imposition of sanctions.” Given that the ICC sanctions were enacted without coordination with or support from traditional U.S. allies, this action appears to have been part of the Biden administration’s broader push to normalize and improve strained relationships between the United States and its foreign partners.

3. Taliban Sanctions and Impact on Afghanistan

In the wake of the Taliban’s de facto takeover of Afghanistan in August 2021, two longstanding sets of U.S. sanctions substantially complicated efforts by outside aid organizations to deliver humanitarian relief to the Afghan people.

Although Afghanistan itself is not subject to comprehensive U.S. sanctions, the Taliban have since 2001 been designated pursuant to E.O. 13224, which is administered through the Global Terrorism Sanctions Regulations and targets named foreign individuals, groups, and entities “associated with” designated terrorists. U.S. persons are generally prohibited from engaging in transactions involving the targeted individuals and entities—referred to as Specially Designated Global Terrorists (“SDGTs”)—and all property and interests in property of an SDGT that come within U.S. jurisdiction are frozen.

The Taliban’s designation as an SDGT presents serious practical challenges now that, as of August 2021, the organization exercises de facto control over the Afghan state. By operation of OFAC’s Fifty Percent Rule, the prohibitions on dealing with an SDGT (or other type of blocked person) extend to entities owned fifty percent or more in the aggregate by one or more SDGTs (or other type of blocked persons). That longstanding OFAC policy raises substantial questions as to whether the Taliban’s status as an SDGT applies by operation of law to dealings involving the Government of Afghanistan or perhaps more broadly the entire jurisdiction of Afghanistan. OFAC between September and December 2021 issued six general licenses authorizing U.S. persons to engage in various transactions to facilitate the provision of humanitarian aid to the people of Afghanistan; however, there is increasing concern that such humanitarian-focused authorizations may not be sufficient to protect the country’s fragile economy and the livelihoods of ordinary Afghans. While the accompanying guidance states that “[t]here are no OFAC-administered sanctions that generally prohibit the export or reexport of goods or services to Afghanistan, moving or sending money into and out of Afghanistan, or activities in Afghanistan,” the agency remains firm that such transactions cannot “involve sanctioned individuals, entities, or property in which sanctioned individuals and entities have an interest,” thereby leaving much of this ambiguity unanswered. The paucity of guidance on this point is further complicated by the lack of precedent for the circumstance in Afghanistan in which a sanctioned terrorist entity has seized control of an entire state, thereby offering the private sector few other points of reference.

In addition to U.S. sanctions targeting SDGTs, Section 302 of the Antiterrorism and Effective Death Penalty Act of 1996 (“AEDPA”) authorizes the U.S. Secretary of State to designate an organization as a Foreign Terrorist Organization (“FTO”) based on its status as a non-U.S. organization engaged in “terrorist activity” that poses a threat to U.S. nationals or national security. Under AEDPA, the Secretary of State may designate FTOs after consultation with the Secretary of the Treasury and the Attorney General. AEDPA also authorizes the Secretary of the Treasury to require financial institutions to block funds in their possession or control in which a designated FTO maintains an interest. Section 303 of the Act makes it a crime for persons within the United States or under U.S. jurisdiction to knowingly provide material support to an FTO, which term encompasses nearly all forms of property, as well as the provision of services such as transportation. OFAC implements Section 302 of AEDPA through the Foreign Terrorist Organizations Sanctions Regulations. Presently, 75 organizations are designated FTOs. Although the Taliban is not itself an FTO as of this writing, various organizations closely affiliated with the Taliban, including the Haqqani Network, members of which now occupy key Afghan government posts, are subject to such restrictions.

Uncertainty regarding the applicability of these two sets of sanctions restrictions, together with de-risking by multinational financial institutions, appears to have exacerbated one of the worst humanitarian crises in modern history, with more than 20 million Afghans reportedly on the brink of famine. Afghan banks have closed and, while some financial services have resumed in key cities, currency is in short supply and the movement of funds even internally within Afghanistan is challenging. The Afghan government has scant official assets located domestically and, given the Taliban sanctions, the country has been shut off from its modest assets domiciled abroad.

Notably, OFAC has maintained a freeze on the approximately $9.4 billion of Afghanistan’s foreign reserves located at the Federal Reserve Bank of New York, and to date has only issued general licenses that apply to the provision of medical and humanitarian aid to non-governmental instrumentalities. A significant degree of uncertainty remains for the private sector regarding to what extent it would be permitted to engage with anyone within Afghanistan, if at all, beyond the confines of applicable licenses.

4. Notable SDN De-Listings

Although OFAC continued to designate new sanctions targets at a steady clip, there were also a number of significant removals from the SDN List during 2021, highlighting that OFAC views sanctions as reversible and designed to change behavior. One of the most consequential recent de-listings took place in December 2021 when OFAC removed 274 individuals and entities associated with the Revolutionary Armed Forces of Colombia, or the FARC, from the SDN List. These entities and individuals had previously been designated under the Foreign Narcotics Kingpin Sanctions Regulations and the Global Terrorism Sanctions Regulations. However, according to the State Department, in acknowledgement of the fact that the FARC had formally dissolved and disarmed following the 2016 peace deal with the Colombian government, it “no longer exists as a unified organization that engages in terrorism or terrorist activity or has the capability or intent to do so.”

Another notable de-listing took place on February 16, 2021, when the State Department announced that it would be lifting the FTO and SDGT designations of the Yemen-based organization Ansarallah (commonly known as the Houthis) and its key leaders. The Houthis were designated just weeks earlier during the waning days of the Trump administration, triggering bipartisan concern about deepening the already significant practical challenges of delivering aid to the Yemeni people. This reversal, according to a State Department press release, came as “a recognition of the dire humanitarian situation in Yemen.” However, recent attacks by the Houthis against the United Arab Emirates—a close U.S. partner and host to a major U.S. military installation—have led some observers to suggest that the organization’s counter-terrorism designations should be reinstated.

In total, 787 persons and entities were removed from the SDN List during 2021, primarily as a result of the Foreign Narcotics Kingpin Sanctions Regulations removals and the Narcotics Trafficking Sanctions Regulation removals. These removals appear to be in accord with the underlying policy rationale of sanctions designations—namely, to alter the behavior of malign actors.

III. Information and Communications Technology and Services (ICTS)

During the past several years, the United States has increasingly used a novel and still evolving policy tool—controls on the information and communications technology and services (“ICTS”) supply chain—to shield sensitive U.S. data and communications. Years of malicious cyber activities targeting the United States have exposed both the significance of the ICTS industry to the national security and foreign policy interests of the United States and the vulnerabilities deep in the ICTS supply chain. Because a supply chain is only as strong as its weakest link, the ICTS supply chain controls regime seeks to identify the vulnerabilities down the supply chain to ensure the integrity of the ICTS industry.

The ICTS supply chain controls regime is built upon a number of Executive Orders—each addressing separate yet interrelated topics such as software applications, supply chain security, and cybersecurity—as well as accompanying regulations, reports, and initiatives by several government agencies, including the Department of Commerce and the Department of Homeland Security (“DHS”). What results is an emerging regulatory regime that has the potential to bring about significant compliance challenges for global companies operating in the ICTS industry. Below we summarize the major developments from the past year.

A. Executive Order 13873: ICTS Supply Chain Framework

On May 15, 2019, acting under the authorities provided by the International Emergency Economic Powers Act—the statutory basis for most U.S. sanctions programs—then-President Trump issued Executive Order 13873 (the “ICTS E.O.”), declaring a national emergency with respect to the ability of foreign adversaries to create and exploit vulnerabilities in the ICTS supply chain. The ICTS E.O. charged the Commerce Department with implementing a new regulatory framework to control risks in the ICTS supply chain. Although the Commerce Department published a Proposed Rule pursuant to the ICTS E.O. in November 2019, there was not much movement in this new regulatory framework until the beginning of this year.

1. ICTS Interim Final Rule

Just one day before the Biden administration’s start, on January 19, 2021, the Commerce Department published an Interim Final Rule establishing the processes and procedures that the Secretary of Commerce will use to evaluate ICTS transactions covered by the ICTS E.O. The Interim Final Rule provides the Department of Commerce with a broad, CFIUS-like authority to prohibit or unwind transactions or order mitigation measures. Specifically, it authorizes the Secretary of Commerce to prohibit ICTS transactions if the following three conditions are met:

First—The transactions must involve the acquisition, importation, transfer, installation, dealing in, or usage of certain ICTS. ICTS is broadly defined as any technology product or service used for the purpose of “information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display.” Despite many commenters’ requests to narrow the scope of the rules, the Commerce Department declined to provide categorical exemptions to specific industries or locations. Instead, the Commerce Department identified six main types of ICTS transactions that will fall under the scope of this rule, which include critical infrastructure, networks and satellites, data hosting or computing, surveillance or monitoring, communications software, and emerging technology.

Second—The ICTS must be designed, developed, manufactured, or supplied by companies owned by, controlled by, or subject to the jurisdiction or direction of a “foreign adversary.” The Interim Final Rule identifies six specific “foreign adversaries”: (1) China, including the Hong Kong Special Administrative Region; (2) Cuba; (3) Iran; (4) North Korea; (5) Russia; and (6) the Maduro regime of Venezuela. This list is subject to change, however—the Secretary of Commerce may revise the list to go into effect immediately without prior notice and comment. The “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” may include:

Any agent, representative, or employee of a foreign adversary;
Any person who acts at the order, request, or under the direction or control of a foreign adversary, or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary;
Any person who is a citizen or resident of a nation-state controlled by a foreign adversary;
Any corporation, partnership, association, or other organization organized under the laws of a nation-state controlled by a foreign adversary; and
Any corporation, partnership, association, or other organization that is owned or controlled by a foreign adversary, regardless of the location.

Third—The ICTS transaction must “pose an undue or unacceptable risk”—an area that affords the Secretary of Commerce much discretion. The Interim Final Rule outlined broad criteria which the Secretary of Commerce may consider in assessing potential risks posed by the ICTS transaction:

The nature and characteristics of the ICTS at issue in the transaction, including technical capabilities, applications, and market share considerations;
The nature and degree of the ownership, control, direction, or jurisdiction exercised by the foreign adversary over the design, development, manufacture, or supply at issue in the ICTS transaction;
The statements and actions of the foreign adversary at issue in the ICTS transaction;
The statements and actions of the persons involved in the design, development, manufacture, or supply at issue in the ICTS transaction;
The statements and actions of the parties to the ICTS transaction;
Whether the ICTS transaction poses a discrete or persistent threat;
The nature of the vulnerability implicated by the ICTS transaction;
Whether there is an ability to otherwise mitigate the risks posed by the ICTS transaction;
The severity of the harm posed by the ICTS transaction on health, safety, and security, critical infrastructure, sensitive data, the economy, foreign policy, the natural environment, or National Essential Functions; and
The likelihood that the ICTS transaction would in fact cause threatened harm.

Although the Interim Final Rule’s detailed lists of definitions and factors were an improvement from the 2019 Proposed Rule, the Interim Final Rule still left much room for discretion in the application of each of the three tests. Between the publication in January 2021 and the planned effective date in March, a number of U.S. trade associations submitted letters to the Commerce Department noting their concerns regarding the Rule’s sweeping scope and vague language and seeking to pause the Rule going into effect. Commentators also speculated as to the actions that the Biden administration might take to delay or reduce the impact of this midnight regulation from the prior administration. Despite the many doubts and unresolved questions, on March 22, 2021, the Interim Final Rule went into effect as planned.

2. Review Process

Under the Interim Final Rule, the Secretary of Commerce may initiate a review of an ICTS transaction at his or her own discretion or upon written request from an appropriate agency head. If an ICTS transaction meets the criteria above, the Secretary of Commerce will make an initial determination as to whether to prohibit the ICTS transaction or propose mitigation measures. Within 30 days of receiving a notice of the Commerce determination, the parties may challenge the initial determination or propose remedial steps (such as corporate reorganization, disgorgement of control of the foreign adversary, or engagement of a compliance monitor). Upon review, the Commerce Department must issue a final determination stating whether the transaction is prohibited, not prohibited, or permitted subject to mitigation measures. The final determination is generally to be issued within 180 days of commencing the initial review.

This review process is similar to that of CFIUS—another tool that is designed to protect U.S. national security interests in transactions involving foreign entities. In fact, the Interim Final Rule exempts transactions that CFIUS is actively reviewing or has reviewed, possibly recognizing that the two set of reviews are intended to address similar risks. However, the Interim Final Rule warns “that CFIUS review related to a particular ICTS, by itself, does not present a safe harbor for future transactions involving the same ICTS that may present undue or unnecessary risks as determined by the [Commerce] Department.” Under the current construction, the Commerce Department can get a second chance to review a transaction even if CFIUS finds that it does not have jurisdiction or that the national security risks involved in the transaction are not significant.

To date, no transaction review has officially begun. However, the Commerce Department has made clear its intent to actively implement the Interim Final Rule. On March 17, 2021, the Commerce Department announced that it served subpoenas on multiple unnamed Chinese companies that provide ICTS in the United States. This announcement was coupled with an unequivocal statement from the Secretary of Commerce Gina Raimondo that the “Biden-Harris Administration has been clear that the unrestricted use of untrusted ICTS poses a national security risk” and that “Beijing has engaged in conduct that blunts our technological edge and threatens our allies.” On April 13, 2021, the Commerce Department followed up with another subpoena on an unnamed Chinese company. The fact that the only subpoenas served to date were to Chinese companies is telling—the scrutiny that CFIUS has shown toward transactions involving Chinese entities might hold true for the ICTS supply chain controls regime, as well.

3. Safe Harbor Licensing Process

The Interim Final Rule also suggested that the Commerce Department will set forth a procedure for parties to seek a license for a proposed or pending ICTS transaction. The license application review would be conducted on a fixed timeline, not to exceed 120 days from accepting an application, such that if the Department of Commerce does not issue a license decision within 120 days from accepting the application, it will be deemed granted. The Department of Commerce noted, however, that it would not issue a license decision on a transaction that would reveal sensitive information to foreign adversaries or others who may seek to undermine U.S. national security.

On March 29, 2021, the Commerce Department published a Proposed Rule seeking input on establishing licensing procedures for the ICTS supply chain controls regime, including a question concerning whether the licensing process should model that of a CFIUS notification or a voluntary disclosure to BIS. Unsurprisingly, the possibility of the Commerce Department going through license applications for countless ICTS transactions within 120 days garnered much concern regarding the practicality of such an arrangement. While the Commerce Department was slated to publish procedures for a licensing process by May 19, 2021, this did not happen, and the Commerce Department has not communicated a new timeline or specific plan to do so.

B. Executive Order 14034: Connected Software Applications

On June 9, 2021, President Biden issued Executive Order 14034 (the “Applications E.O.”), which revoked three Trump-era Executive Orders that targeted by name TikTok and various other applications developed by Chinese companies. Instead, the Applications E.O. directed the Secretary of Commerce to undertake further consideration of the risks posed by “connected software applications” under the ICTS Supply Chain regulations, including potential undue or unacceptable risk to the ICTS, critical infrastructure, or national security of the United States.

On November 26, 2021, the Commerce Department published a Proposed Rule seeking to amend the Interim Final Rule. The Proposed Rule suggested two main amendments. One was to revise the definition of ICTS to include “connected software applications.” The definition of the term “connected software applications” would mirror the language in the Applications E.O.

Another was to provide for additional criteria that the Secretary of Commerce “may consider specifically when determining whether ICTS Transactions . . . that involve connected software applications present an undue or unacceptable risk.” The new criteria articulated in the Proposed Rule are:

Ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
Ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
A lack of thorough and reliable third-party auditing of connected software applications;
The scope and sensitivity of the data collected;
The number and sensitivity of the users of the connected software application; and
The extent to which identified risks have been or can be addressed by independently verifiable measures.

The Commerce Department sought public comments on the effectiveness of the criteria, as well as the definition of various key terms, such as “ownership, control, or management”; “reliable third-party auditing”; and “independently verifiable measures.” The public comments reiterated many of the concerns that industry raised for the Interim Final Rule, especially noting the broad and vague nature of certain criteria. Once the Commerce Department has reviewed the comments, we anticipate there may be further changes, revisions, and additions. Further information on what the Commerce Department views as “thorough and reliable third-party auditing” and “independently verifiable measures” is going to be particularly significant as companies develop compliance measures to minimize the risk of an ICTS review.

C. Executive Order 14017: Supply Chain Security

On February 24, 2021, President Biden signed Executive Order 14017 (the “Supply Chain E.O.”), which seeks to prepare the United States to address vulnerabilities in U.S. supply chains against unexpected threats, including cyber-attacks and geopolitical and economic competition.

Section 3 of the Supply Chain E.O. initiated a 100-day process of reviewing and assessing the strengths and weaknesses of supply chains across key industries (i.e., semiconductor manufacturing and advanced packaging; large capacity batteries; critical minerals and materials; and pharmaceuticals and active pharmaceutical ingredients). On June 8, 2021, the White House issued a Report from the 100-day review. While the Report mostly focused on recommendations to develop domestic capacity and gain a competitive edge, it also recognized that “[t]he United States cannot address its supply chain vulnerabilities alone.” For each key industry, the Report included the commitment to work with allies and partners—to promote production and investment and to strengthen supply chain transparency.

Section 4 of the Supply Chain E.O. also designated the Secretary of Commerce and the Secretary of Homeland Security to provide a report on supply chains for critical sectors and subsectors of the ICT industrial base within one year (expected by February 24, 2022). On September 20, 2021, BIS and DHS published a Request for Public Comments regarding priority areas for the U.S. ICT supply chains. The Request sought comments not only on the general resilience and capacity of American manufacturing supply chains, but also specific policy recommendations. Examples of policy recommendations (e.g., “sustainably reshoring supply chains and developing or strengthening domestic design, components, and supplies”; “cooperating with allies and partners to identify alternative supply chains”; and “building redundancy into domestic supply chains”) provide some window into the agencies’ preliminary inclinations.

On October 29, 2021, BIS hosted a public-private Virtual Forum regarding the Request for Public Comments, during which some of these policy options were discussed. The industry panelists, including the Telecommunications Industry Association and the Information Technology Industry Council, generally argued against restricting the ICT supply chain or requiring the disclosure of sensitive proprietary data in the name of security. They instead supported efforts to streamline supply chain security rules, leverage public-private dialogues, and cooperate with allies and partners. The public comments received will very likely shape how the ICTS supply chain controls regime will be enforced.

D. Executive Order 14028: Cybersecurity

On May 12, 2021, President Biden issued Executive Order 14028 (the “Cybersecurity E.O.”), setting out an ambitious schedule of reviews and rulemakings with respect to cybersecurity of software provided to the U.S. Government. The Cybersecurity E.O. calls for the federal agencies to modernize their cybersecurity practices and for federal contractors to share more information on cyber incidents. Of relevance to the ICTS supply chain regime, Section 4 of the Cybersecurity E.O. notes that “[t]he development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors” and thus charges the federal agencies to “rapidly improve the security and integrity of the software supply chain” of critical software sold to the government.

The requirements under the Cybersecurity E.O. apply only to federal agencies and contractors. However, in a statement announcing the Cybersecurity E.O., President Biden expressly “encourage[d] private sector companies to follow the Federal Government’s lead” in adopting comparable measures because “federal action alone is not enough” to protect against cybersecurity risks. As a result, the standards established for government contractors may come to be seen as what is “reasonable” or “standard” cyber and supply chain security in other related data and technology protection domains. In fact, on September 30, 2021, the Commerce Department’s National Institute of Standards and Technology (“NIST”) published draft preliminary guidelines on improving software supply chain security, pursuant to the Cybersecurity E.O. (final publication expected by February 6, 2022). The guidelines are addressed to software producers including commercial-off-the-shelf product vendors, as well as software purchasers and consumers including non-federal agency organizations.

E. Transatlantic Dialogues

On September 29, 2021, the U.S.-EU Trade and Technology Council (“TTC”) held its inaugural meeting. There, the TTC established ten working groups, one of which was tasked with “work[ing] towards ensuring security, diversity, interoperability and resilience across the ICT supply chain, including sensitive and critical areas such as 5G, undersea cables, data centers, and cloud infrastructure,” as well as data security. The TTC expects the working group to “develop a common vision and roadmap for preparing the next generation of communication technologies.” While the TTC is still in its beginning stages, there are growing expectations for the TTC’s role given the broader willingness that governments on both sides of the Atlantic have shown to rebuild cooperation. Forthcoming discussions from the TTC working groups will likely have direct and indirect impact on the U.S. Government’s stance on ICTS companies and transactions.

IV. U.S. Export Controls

A. Commerce Department

1. Military End Use / User Rule

The Department of Commerce tested a set of new tools and recalibrated old ones during the Trump administration with the aim of ensuring that dual-use U.S. products and technology are not used by companies and other entities located in countries with military-civil fusion policies to help build out their military research and development and production capabilities. In a development reported in our May 2020 client alert, the Commerce Department amended the Military End Use / User Rule to more broadly restrict dual-use products and technology and to broaden the definition of who should be considered a military end user.

As discussed more fully under Section I.B, above, on December 23, 2020, BIS further amended the MEU Rule to add a new MEU List for purposes of identifying specific military end users in China, Russia, and Venezuela. While the MEU Rule previously restricted exports, reexports, or transfers of items subject to the EAR to military end users or for military end use in specific countries, this change marked the first time that BIS identified specific entities of concern. BIS issued the MEU List in partial response to a flood of advisory opinion and licensing requests submitted by exporters who were uncertain as to whether their counterparty was a military end user. Designation to the MEU List subjects an entity to the export controls applied to more traditional military end users and military end uses, including requiring export licenses for certain items subject to the EAR that otherwise would not require authorization to be exported to end users in MEU List countries.

While Commerce’s issuance of the MEU List is welcome, frequent updates to the list in 2021 have meant that exporters, and others whose supply chain sourcing from MEU List countries requires the export of technology to suppliers, have needed to stay vigilant. Moreover, because the list is not exhaustive—exporters are still obligated to perform due diligence to determine whether they might be exporting to a military end user or for a military end use—compliance with the MEU Rule has become one of the most challenging aspects of export control counterparty diligence. Such challenges are compounded by China’s growing body of laws and regulations, discussed in Section VII, below, that restrict the ability of PRC companies to comply with U.S. sanctions.

For reasons specified in greater detail below, Burma and Cambodia were added to the list of countries subject to MEU controls in March 2021 and December 2021, respectively. Although, to date, BIS has only identified specific military end users located in China and Russia.

2. Military-Intelligence End Use / User Rule

Efforts to curtail exports to military end users were further expanded effective March 16, 2021, when BIS issued similar regulations to cover certain military-intelligence end uses and end users (“MIEUs”). This action added to the EAR a new MIEU Rule, which places significant restrictions on exports for a “military-intelligence end use” or to a “military-intelligence end user” in Burma, Cuba, China, Iran, North Korea, Russia, Syria, and Venezuela. Cambodia was subsequently added to this list on December 9, 2021. Significantly, in addition to prohibiting exports to MIEUs without a license—applications for which are subject to a presumption of denial—this rule prohibits U.S. persons from providing “support” to specified MIEUs, even if such support does not involve items subject to the EAR. “Support” is broadly defined to include certain shipments and transfers involving any items destined for MIEUs, the facilitation of such shipments and transfers, and performing any contract, service, or employment that may benefit or assist MIEUs, including but not limited to, “[o]rdering, buying, removing, concealing, storing, using, selling, loaning, disposing, servicing, financing, transporting, freight forwarding, or conducting negotiations in furtherance of.” The breadth of the new MIEU Rule imposes significant responsibility on U.S. persons to conduct sufficient due diligence to get comfort that they are not directly or indirectly supporting MIEUs, even when non-U.S. goods are involved. In light of the substantial compliance challenges that the MIEU Rule presents for industry, some observers have speculated that BIS may during the year ahead look to create a non-exhaustive MIEU List—similar to the MEU List that was introduced in December 2020—to help exporters determine which organizations are considered military-intelligence end users.

3. Sudan Moved to Less Restrictive Country Group B

On January 19, 2021, BIS removed anti-terrorism (“AT”) controls on Sudan in conjunction with the State Department’s rescission of Sudan’s designation as a State Sponsor of Terrorism. This action moved Sudan from Country Group E:1 to Country Group B, substantially reducing export restrictions applied to the country and raising the de minimis level of foreign-manufactured goods incorporating U.S.-origin content that can be exported, reexported, or transferred to Sudan from 10 percent to 25 percent. However, Sudan still remains subject to arms control limitations due to its continued placement in Country Group D:5, and exports to Sudan are not eligible for License Exceptions GBS and TSR.

4. Burma Added to More Restrictive Country Group D:1

In the wake of the February 2021 military coup in Burma, BIS on February 17, 2021 suspended license exceptions LVS, GBS, TSR, and APP for exports to Burma, which due to Burma’s Country Group B placement, would otherwise have been available. Pressure on the Burmese government was increased on March 8, 2021, when BIS moved Burma from Country Group B to Country Group D:1, a more restricted control group based on national security concerns. This designation removes several license exceptions that were previously available to Burma and subjects the country to the more restrictive national security licensing policy. Additionally, as noted above, the MEU Rule and MIEU Rule were extended to include military end uses and end users within that country in a further effort to restrict Burma’s access to U.S.-origin goods. The ERC concurrently designated to the Entity List four substantial Burmese entities, including the country’s Ministries of Defense and Home Affairs, plus the military conglomerates MEC and MEHL. Additional Entity List designations of four Burmese entities associated with copper mining followed on July 6, 2021.

5. Cambodia Subjected to More Restrictive Licensing Policy

Reflecting growing concerns among U.S. policymakers regarding Cambodia’s deepening ties with the Chinese military, as well as allegations of corruption and human rights abuses leveled against the Cambodian government, BIS on December 9, 2021 amended its license policy for Cambodia by adding a presumption of denial for national security (“NS”) controlled items that could be diverted to a military end user or military end use. As part of that same action, BIS added Cambodia to Country Group D:5, thereby subjecting the country to a U.S. arms embargo.

6. BIS Eases Restrictions of Exports of Vaccines

On January 7, 2021, BIS amended the EAR to clarify the scope of export controls that apply to certain vaccines and medical products. This update was meant to more closely align the controls under the EAR with the release (i.e., exclusion) notes in the “Human and Animal Pathogens and Toxins for Export Control” common control list published by the Australia Group—a multilateral forum consisting of 42 participating countries and the European Union that maintain export controls on a list of chemicals, biological agents, and related equipment and technology that could be used in a chemical or biological weapons program. The January 2021 rule made a number of technical changes to Export Control Classification Number (“ECCN”) 1C991 in an attempt to clarify the controls that apply to certain vaccines. Most notably, the rule amends the vaccine controls in paragraph (a) of ECCN 1C991 to more closely align with the Australia Group release notes to minimize controls on certain vaccines (though AT controls still apply), which is expected to help facilitate the development of new vaccines. Additionally, the changes clarify that the more stringent chemical/biological (“CB”) controls which apply to medical products described under ECCN 1C991.c do not also apply to medical products described under ECCN 1C991.d. As a result of this rule change, some COVID vaccines containing genetic elements of items controlled by ECCN 1C353 are now controlled under ECCN 1C991, which permits their export to all countries except for those subject to AT controls (as of this writing, Iran, North Korea, and Syria).

7. Implementation of Wassenaar Arrangement Controls

As discussed in greater detail in our 2020 Year-End Sanctions and Export Controls Update, on January 3, 2020, BIS imposed new unilateral export controls on artificial intelligence software specially designed to automate the analysis of geospatial imagery through an interim final rule, designating such items under the rarely-used temporary ECCN 0Y521. Under 15 C.F.R. § 742.6(a)(8)(iii), such items remain so classified for only one year, but the classification can be extended for two additional one-year periods. BIS utilized these extensions in January 2021 and again in January 2022 with the hope that it can persuade fellow Wassenaar Arrangement (“WA”) members to adopt their own controls on this technology once the WA Plenary, which has been postponed due to pandemic-related travel restrictions, is able to meet again. The next plenary session is scheduled to convene in Vienna in December 2022. Through its participation in the 42-member WA, the United States seeks to advance national and international security and foreign policy objectives through the promotion of multilateral controls over the use and transfer of conventional arms and dual-use goods and technologies.

As part of its membership in the WA, the United States commits to implement certain mutually agreed-upon export controls, including controls on cybersecurity items, which have been actively under discussion by WA members since 2013. On October 21, 2021, BIS solicited comments on an interim final rule that would establish new NS and AT controls on most cybersecurity items—implementing in part controls agreed upon by WA members in 2013 and further modified in 2017. As part of this interim final rule, BIS also solicited comments on a revised License Exception Authorized Cybersecurity Exports (“ACE”), which would authorize exports, reexports, and transfers of cybersecurity items to most destinations and for many end users and end uses, so long as such items were not subject to surreptitious listening (“SL”) controls under Category 5 – Part 2 of the Commerce Control List (“CCL”). While the proposed rule was meant to go into effect on January 19, 2022, BIS subsequently delayed implementation of the rule until March 7, 2022. BIS cited potential modifications to the rule as the reason for the delay and credited the public comments the agency received for prompting certain reconsiderations—underscoring the importance of public comments in agency deliberations.

On March 29, 2021, BIS also implemented revisions to the CCL to implement changes from the December 2019 WA Plenary meeting. These changes included revisions to 22 ECCNs and eliminated encryption reporting requirements under License Exception ENC in the following circumstances: (1) eliminates the email notification requirement for ‘publicly available’ encryption source code and beta test encryption software, except for ‘publicly available’ encryption source code and beta test encryption software implementing “non-standard cryptography”; (2) eliminates the self-classification reporting requirement for certain ‘mass market’ encryption products under 15 C.F.R. § 740.17(b)(1); and (3) allows self-classification reporting for ECCN 5A992.c or 5D992.c components of ‘mass market’ products (and their ‘executable software’). While this rule does not change License Exception ENC requirements for any non-’mass market’ encryption item or for any encryption items that implement “non-standard cryptography,” it has eliminated filing requirements for many companies using standard cryptography and has lightened the burden on others.

8. Emerging and Foundational Technology Controls

The Commerce Department’s Emerging Technology Technical Advisory Committee held partially closed meetings on March 19, May 21, and October 28, 2021. The announced topics included discussions of public comments, as well as presentations on cyber defense, foreign engagement risks in research enterprise, and work at the human-technology frontiers—signaling the broad approach that BIS is taking to fulfill its mandate under the Export Control Reform Act of 2018 to establish controls on emerging and foundational technologies. As part of this effort, on October 5, 2021, BIS published a final rule to implement a decision from the Advisory Committee’s Virtual Implementation session held in May 2021 to add controls on nucleic acid assembler and synthesizer “software” that is capable of designing and building functional genetic elements from digital sequence data. This software was identified as an emerging technology by BIS and given new ECCN 2D352.

In 2021, BIS continued its efforts to engage the public as it continues to assess the appropriate level of controls that should be applied to emerging and foundational technologies. On October 26, 2021, BIS issued an advance notice of proposed rulemaking (“ANPRM”) to solicit comments on the potential application of export controls to brain-computer interface (“BCI”) technology, including, among other things, neural-controlled interfaces, mind-machine interfaces, direct neural interfaces, and brain-machine interfaces. Previously, on November 19, 2018, BIS issued a similar ANPRM to broadly address a longer list of potential emerging technologies, including BCI technology. In this new ANPRM, BIS requested responses to a series of questions tailored specifically to BCI technology, signaling that the agency may be especially focused on placing export controls on such technology in the near future.

9. Solicitation of Public Comments on Issues Related to Supply Chains

As noted above, on February 24, 2021, President Biden issued Executive Order 14017 to address concerns associated with U.S. supply chains. As part of this E.O., the Secretary of Commerce was directed to submit reports on (1) the semiconductor manufacturing and advanced packaging supply chains and policy recommendations to address these risks and (2) the supply chains for critical sectors and subsectors of the information and communications technology industrial base.

In an effort to implement these measures, BIS solicited comments from the public on March 15, 2021 (concerning semiconductor manufacturing and advanced packaging supply chains); September 20, 2021 (concerning ICT supply chains); and September 24, 2021 (concerning technical questions associated with the semiconductor product supply chain). On January 25, 2022, the Department of Commerce released the results of its semiconductor supply chain request for information, which provided an overview of some of the underlying causes of supply shortages and committed the agency to “engage industry on node-specific problem-solving in the coming weeks.”

On January 24, 2022, BIS announced a further request for information concerning methods for strengthening the U.S. semiconductor industry. Secretary of Commerce Gina Raimondo has also urged Congress to pass the United States Innovation and Competition Act of 2021, which includes $52 billion to enhance domestic semiconductor production. Such efforts by Commerce exemplify a whole-of-government approach to identifying and loosening bottlenecks in semiconductor supply chains and increasing U.S. production capabilities.

10. Entity List Designations

As in previous years, BIS continued its liberal use of designations to the Entity List to curtail activities contrary to the national security or foreign policy interests of the United States. As noted above, BIS requires exporters to obtain a license before exporting, reexporting, or transferring specified items subject to the EAR (which, depending on the Entity List designation, can include all items subject to the EAR) to entities appearing on the Entity List. Each such entity is subject to a specific license review policy—most often a presumption of denial. As seen through past designations of such large companies as Huawei, addition to the Entity List can severely restrict a company’s access to much-needed goods and can significantly disrupt global supply chains.

Many of BIS’s Entity List designations in 2021—as discussed under Section I.B, above—were aimed at countering threats that the United States sees China posing to national security and foreign policy on several fronts. However, the tool was also frequently deployed against actors located beyond the PRC. On March 4, 2021, BIS issued designations for activities in support of Russia’s weapons of mass destruction program, followed by additional designations on July 12 for unauthorized support to Russian military programs and on July 19 for unauthorized support to Russian intelligence services. Additionally, on June 1, July 12, and November 26, 2021, BIS announced Entity List designations of entities involved in the proliferation of “unsafeguarded nuclear activities.”

BIS also acted to combat cybersecurity threats when, on November 4, 2021, the agency designated two Israeli companies, including NSO Group, for developing and supplying spyware to “foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers” and one Russian entity for “cyber exploits” which threatened the “privacy and security of individuals and organizations worldwide.”

In our view, robust use of the Entity List is likely to remain a durable feature of U.S. trade policy, as it has of late become a favored tool across administrations of both political parties to combat a wide range of U.S. national security threats.

B. Antiboycott Developments

Effective June 8, 2021, BIS’s Office of Antiboycott Compliance (“OAC”) recognized the United Arab Emirates’ (“UAE”) termination of its participation in the Arab League’s boycott of Israel. Part 760 of the EAR and Section 999 of the Internal Revenue Code specifically discourage, and in some circumstances explicitly prohibit, U.S. persons from engaging in activity that would support the Arab League’s boycott of Israel, including agreeing to contractual language that directly or indirectly implicates this boycott. OAC’s official recognition of the UAE’s termination of participation added a new interpretation section to 15 C.F.R. Part 760 which explicitly states that a request from the UAE that an exporter certify that a vessel is eligible to enter UAE ports will no longer carry the presumption that this language was in furtherance of the Arab League’s boycott of Israel, and companies can consequently agree to such language as long as no other antiboycott red flags are present. This interpretation comes on the heels of the UAE’s normalization of relations with Israel under the Abraham Accords signed on August 16, 2020, and should reduce companies’ antiboycott compliance burdens in connection with transactions involving the UAE. We note, however, that sufficient due diligence remains necessary to ensure general compliance with the antiboycott provisions of the EAR. Although BIS does not maintain an official list of boycotting countries, other members of the Arab League (including such countries as Algeria, Iraq, Kuwait, and Saudi Arabia) are widely considered states that frequently include antiboycott restrictions within commercial language.

C. White House Export Controls and Human Rights Initiative

On December 9 and 10, 2021, President Biden convened the first of two Summits for Democracy, which brought together leaders from government, civil society, and the private sector to address threats faced by modern democracies. The virtual summit gathered representatives from over 100 countries and the European Union to address the topics of (1) strengthening democracy and defending against authoritarianism; (2) fighting corruption; and (3) promoting respect for human rights. In connection with the gathering, the United States unveiled its first-ever Strategy on Countering Corruption, which we describe in detail in an earlier client alert.

Notably, the Biden administration used the Summit for Democracy to emphasize its use of export controls to advance human rights. During the Summit, the United States, Australia, Denmark, and Norway jointly announced the Export Controls and Human Rights Initiative, with support from Canada, France, the Netherlands, and the United Kingdom. The initiative aims to create a voluntary code of conduct for states to use in crafting export controls to combat the use of cyber-intrusion and surveillance tools and related technologies by authoritarian governments, both within their countries and across international borders, to track dissidents, censor political opposition, and engage in transnational repression. While WA states have already imposed export controls on tools for military offensive cyber operations and IP network communications systems—the United States announced its own version of the Wassenaar controls on “cybersecurity items” in October 2021—the initiative appears likely to focus on creating a framework for coordinated unilateral controls on technologies such as biometrics, facial recognition, and other forms of artificial intelligence-assisted surveillance and repression of individuals and ethnic groups.

D. State Department

1. Revisions to ITAR Proscribed Country List

During 2021, the U.S. Department of State’s Directorate of Defense Trade Controls (“DDTC”), which administers and enforces the International Traffic in Arms Regulations (“ITAR”), added several new countries to the list of jurisdictions for which the United States prohibits trade in defense articles and defense services. Russia, Ethiopia, and Cambodia were all added to the list of proscribed countries set forth at 22 C.F.R. § 126.1, and the existing entry for Eritrea was updated to codify a broad policy of denial. Accordingly, it is the U.S. Government’s policy to deny licenses and other approvals for exports and imports of defense articles and defense services to these countries, except on a case-by-case basis to Cambodia if in furtherance of conventional weapons destruction or humanitarian mine action activities or to Russia if for government space cooperation. Exports of defense articles and services to Ethiopia and Eritrea are only prohibited when destined to or for the armed forces, police, intelligence, or other internal security forces.

2. Revisions to United States Munitions List

DDTC continued to revise the United States Munitions List (“USML”) in 2021. Effective August 30, 2021, DDTC extended the temporary modification of Category XI(b) to ensure that certain intelligence-analytics software remained controlled under the USML. This rule extended the temporary revision until August 30, 2026, while DDTC considers a wholesale revision of Category XI. Separately, DDTC was finally able to effect the transfer of software and technical data related to 3-D printing of firearms or components to the EAR, which the State Department first announced in January 2020. This transfer was stayed by a preliminary injunction by the Western District of Washington in March 2020. On May 26, 2021, this injunction was vacated by the Ninth Circuit Court of Appeals, and these items are now exclusively controlled by the EAR. Finally, on September 30, 2021, the State Department extended the temporary modification of the ITAR removing prohibitions on exports, reexports, retransfers, and temporary imports of non-lethal defense articles and defense services destined for or originating in Cyprus. This temporary final rule is effective through September 30, 2022.

3. Changes to Regulations in Light of Remote Work Future

Importantly in a world still significantly impacted by remote working, DDTC has indefinitely authorized “regular employees” to work from remote locations (other than in a country listed in 22 C.F.R. § 126.1) and to send, receive, and access technical data authorized by the U.S. Government for export, reexport, or retransfer to their employer in their country of remote work even if the employer’s authorization is for exports to a different country. On May 27, 2021, DDTC solicited comments on the definition of “regular employee” to allow some employees who are contract employees to be treated as regular employees, provided those individuals are sufficiently subject to the employer’s control such that the agency can hold the regulated employer responsible for the individual’s actions.

V. European Union

A. Sanctions Developments

1. Belarus

2021 saw a major uptick in European Union sanctions, or “restrictive measures,” against Belarus. In particular, the EU adopted several rounds of (additional) sanctions packages in response to the Lukashenka regime’s human rights violations; violent repression of the opposition; the May 2021 forced landing of a commercial aircraft in Minsk and the resulting arrest of a dissident journalist and his companion; and the instrumentalization of migrants for political purposes.

Of note, the EU Belarus financial sanctions now also target individuals and entities organizing or contributing to activities that facilitate illegal crossing of the EU’s external borders, including selected Belarusian travel agencies. Further, the EU, on June 4, 2021, decided to strengthen the existing restrictive measures in view of the situation in Belarus by introducing a ban on the overflight of EU airspace and on access to EU airports by Belarusian carriers of all kinds.

To recall, EU financial sanctions are broadly comparable to U.S. SDN listings. Accordingly, any business dealings with Belarus, specifically any with proximity to the Government of Belarus, but also any travel arrangements for meetings in Belarus or with individuals and entities from Belarus, should undergo additional scrutiny to ensure no funds or economic resources are being made available to those subject to EU financial sanctions.

2. Russia

As tensions between, collectively, the European Union, the United Kingdom, and the United States, and the Russian Federation continue to intensify over a possible impending Russian military intervention in Ukraine, on January 24, 2022, the Council of the European Union (the “Council”) issued the Council Conclusions on the European Security Situation. In that document, the Council emphasizes its commitment to the sovereign equality and territorial integrity of states, as well as the inviolability of frontiers and the freedom of states to choose or change their own security arrangements—in this case especially, Ukraine’s choice to potentially join NATO. In this context, the Council further elaborates that any further military aggression against Ukraine will have “massive consequences and severe costs,” including a wide array of sectoral and individual restrictive measures, in close alignment with the EU’s partners. However, the Council does not at this juncture enumerate what specific consequences the EU is prepared to impose. As such, it is challenging to predict the implications for EU sanctions on Russia should the Kremlin launch a further military incursion into Ukraine.

In light of the unstable and fast-developing situation in Ukraine, firms with exposure to Russia may wish to review their existing Russian counterparties to identify possible sanctions targets among their business partners and prepare for the possible imposition of coordinated sanctions by the United States, the United Kingdom, and the European Union. Should Russian troops—thousands of which are presently massed on the border—cross into Ukraine, the wide range of possible sanctions that may be put into effect on a permanent member of the United Nations Security Council likely would be unprecedented and disruptive. Businesses should therefore consider preparing a contingency plan in the event that sanctions targeting substantial Russian enterprises, including major Russian financial institutions, are issued on short notice.

B. Export Controls Developments

When referring to “EU export controls,” we actually refer to a hybrid set of EU and EU member state legislation that together form the export control-related set of rules that apply to parties that undertake business with an EU nexus.

In order to keep up with the latest technological developments and to mitigate national security concerns, the European Union and its member states regularly update its export control regimes. While many of those regular updates cover rather technical aspects, 2021 was different. On September 9, 2021, “Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (recast)” (the “New EU Dual-Use Regulation“) came into effect. The New EU Dual-Use Regulation not only modernizes, but also substantially expands, the scope and breadth of the EU / EU member state system for the control of exports, brokering, technical assistance, transit, and transfer of dual-use products and technologies.

1. Overview

Recasting Council Regulation (EC) No. 428/2009 (the “Old EU Dual-Use Regulation“) in its entirety, the New EU Dual-Use Regulation (1) strengthens controls on a wider range of emerging dual-use technologies, including cyber-surveillance tools; (2) specifies due diligence obligations and compliance requirements for exporters, recognizing the role of the private sector in addressing the risks to international security posed by trade in dual-use items; and (3) increases coordination between member states and the European Commission (the “EU Commission”) in support of the effective enforcement of controls throughout the EU.

The New EU Dual-Use Regulation is the result of a long period of negotiations between the European Parliament and the Council of the European Union, which started when the reform of EU export controls was initially proposed by the EU Commission in September 2016. Observers have long noted the need for an updated framework due to abundant technological developments, the growing importance of human rights considerations, and growing security risks.

2. Human Rights Considerations

First and foremost, the New EU Dual-Use Regulation specifically includes stronger human rights considerations, resulting in the implementation of stricter controls on exports from the EU of certain surveillance and intrusion technologies that have the potential to contribute to human rights abuses. As Member of the European Parliament Bernd Lange put it, with this update “respect for human rights will become an export standard.”

To address the risk that certain cyber-surveillance items exported from EU territory might be misused by persons involved in serious violations of human rights or international humanitarian law, the New EU Dual-Use Regulation now includes a list of such items exceeding international lists in its revised Annex I, making them subject to export control restrictions enforced by the competent authorities of EU member states.

In particular, an authorization may be required even for certain unlisted cyber-surveillance items, if the exporter has been informed by the competent authority that the items in question are or may be intended for use in connection with internal repression and/or committing serious violations of human rights and international humanitarian law. We expect to see increased outreach efforts by the competent authorities of the EU member states in the months to come. In addition, in case an exporter is aware that unlisted cyber-surveillance items proposed for export are or may be intended for human rights violations, exporters are obligated to inform the competent authority.

3. Due Diligence Obligations and Compliance Requirements for Exporters

The New EU Dual-Use Regulation recognizes as vital the contributions of exporters, brokers, providers of technical assistance, and other relevant stakeholders to the overall aim of export controls. As such, the Regulation introduces due diligence obligations and compliance requirements that should be put in place through transaction-screening measures as part of an internal compliance program (“ICP”), which is to be implemented unless the competent national authority of an EU member state considers it unnecessary.

For instance, under the New EU Dual-Use Regulation, exporters using global export authorizations (broadly comparable to U.S. general licenses) should implement an ICP unless the competent national authority considers it unnecessary when processing the application for a global export authorization submitted by the exporter. In that regard, the size and organizational structure of exporters have to be considered when developing and implementing ICPs.

Yet, reporting and specific ICP requirements relating to the use of global export authorizations will be defined by EU member states. The competent authority in Germany has recently done so in published guidance. We assume this guidance will be updated in due course to reflect the New EU Dual-Use Regulation.

In recognition of the importance of sharing research data, academic and industrial research organizations have been included in the new EU regulations and are specifically addressed in Commission Recommendation (EU) 2021/1700, which provides guidance in order to help identify, manage, and mitigate risks associated with the New EU Dual-Use Regulation.

4. Increased Coordination Between EU Member States

To promote a common approach with regard to specific provisions, the New EU Dual-Use Regulation determines that EU member states and the EU Commission should raise awareness and promote tailored guidance to address challenges in the application of this new regime, as well as work together by sharing information among themselves, especially concerning the technological development of cyber-surveillance items.

5. EU-U.S. Trade and Technology Council

Finally, the New EU Dual-Use Regulation also provides a strong basis for the EU to engage with third countries in order to support a level playing field and enhance international security through more convergent approaches to export controls at the global level.

An example is the U.S.-EU Trade and Technology Council which, as discussed under Section III.E, above, held its inaugural meeting on September 29, 2021. The TTC serves as a forum for both jurisdictions to coordinate approaches to key global trade, economic, and technology issues, as well as to deepen transatlantic trade and economic relations more broadly. The meeting set up various working groups that focus on specific topics including export controls. Additionally, a joint statement was published, stipulating shared principles and areas for export cooperation. The TTC recognizes, among other things, the importance of a multilateral approach to export controls and lays a focus on dual-use items as such may be misused for violations of human rights. These areas of cooperation may also suggest that the European Union and the United States plan to use the TTC to further communicate and potentially synchronize their efforts on export controls as part of a joint approach to trade with China.

Under the New EU Dual-Use Regulation, companies will be burdened with the additional task to support the EU’s endeavor to protect and secure human rights. As a major amendment, companies will, even more so than before, be well advised to screen their transactions for possible dual-use technology, now including cyber-surveillance tools that could be used to violate human rights. Which specific standards will need to be applied to comply with such due diligence and ICP obligation remains to be seen, as such standards are currently being finally determined by the EU and its EU member states.

C. Noteworthy Judgments and Enforcement Actions

1. EU Blocking Statute Regulation

Following Advocate General Gerard Hogan’s Opinion of May 12, 2021, the European Court of Justice (“ECJ”) on December 21, 2021 delivered its highly anticipated decision in Bank Melli Iran, Aktiengesellschaft nach iranischem Recht v. Telekom Deutschland GmbH (C-124/20), involving interpretation of Council Regulation (EC) No 2271/96 (the “Blocking Statute Regulation”).

In its judgment—which adds to the growing body of case law concerning the circumstances under which parties can be judicially compelled to comply with the Blocking Statute Regulation—the ECJ provided guidance on three questions brought before the court:

First, the Blocking Statute Regulation impedes a contractual party from unilaterally terminating a contract with another party that is subject to U.S. “secondary” sanctions because the terminating party seeks to comply with such U.S. sanctions. This principle applies even without any prior compelling request by the U.S. administration for compliance with U.S. sanctions.

Second, under the Blocking Statute Regulation, a party that wishes to terminate a contract with a person subject to U.S. sanctions is not per se obliged to put forward a reason for such termination. However, if the termination is subject to proceedings before an EU member state court, the terminating party will have the burden of proof to demonstrate that such termination was not induced by compliance with the U.S. sanctions listed in the Blocking Statute Regulation if the evidence available to the national court suggests prima facie that the terminating party in fact complied with U.S. sanctions.

Third, the ECJ ruled that, in principle, the annulment of a termination by a national court shall be compatible with the fundamental right of freedom to conduct a business (Article 16 of the Charter of Fundamental Rights of the European Union (“CFR”)) and the principle of proportionality (Article 52 CFR) if the national court concluded that the notice of termination was given for the purpose of compliance with certain specified U.S. sanctions.

However, the ECJ also held that it is ultimately up to the national court to determine whether further performance of the contract could lead to disproportionate economic or financial consequences for the terminating party. In this regard, it is important to note that the ECJ stressed that one of the factors to take into consideration is whether or not the terminating entity applied for an exemption from the Blocking Statute Regulation prior to termination.

In addition, more on a side note, the ECJ gives its opinion on the Guidance Note to the Blocking Statute issued by the European Commission, stating that the document does not establish binding rules or interpretations. The ECJ further notes that only the Blocking Statute Regulation is binding and only the ECJ has the power to provide legally binding interpretations of that regulation. Although we believe the Guidance Note still provides some valuable guidance for the de facto interpretation of the Statue, its persuasive power in court is likely to be greatly reduced.

2. Denmark

On December 14, 2021, the Court of Odense sentenced Danish fuel supplier A/S Dan-Bunkering Ltd. and its parent company Bunker Holdings A/S to payments of 45 million Danish Crowns ($6.9 million) and 4 million Danish Crowns ($600,000) for violating EU sanctions. The holding company’s chief executive officer has also been sentenced to a suspended prison sentence of four months.

The court found that Dan-Bunkering, via its Kaliningrad office, purposely violated EU Regulation No. 36/2012 of 18 January 2012, as amended, which implemented restrictive measures against Syria. Dan-Bunkering had sold 172,000 tons of jet fuel worth over $100 million through a total of 33 trades between October 2015 and May 2017. The deals were made with two Russian companies listed on the U.S. sanctions list that ultimately acted as agents for the Russian Navy. The traded jet fuel was later used to execute Russian bombing runs near the Syrian city of Banias. The fines set by the court’s judgment ultimately are equivalent to double the profit Dan-Bunkering achieved from the deals. The court ruled that Dan-Bunkering must have been aware of a possible usage of their products for Russian interference in the Syrian war.

Notably, the verdict affirms that EU courts do not hesitate to hold business managers personally accountable for their company’s breach of sanctions. The decision also highlights the importance of maintaining an effective sanctions compliance program.

3. Germany

In 2021, the German Federal Court of Justice (Bundesgerichtshof) (“BGH”) dealt with multiple cases regarding payments made to members of the Islamic State. In the context of these judgments, the court clarified its interpretation of the scope of “mak[ing] available, directly or indirectly, to, or for the benefit of, a natural or legal person, group or entity designated” under Article 2.II of Regulation (EC) No. 881/2002.

The main focus of these cases was whether a private benefit to an individual is also “made available” to an organization of which that individual is a member or with which that individual is associated. The BGH used the rulings to emphasize that the wording at issue should be interpreted broadly. While the court leaves open the possibility that payments could be made to individuals regardless of their affiliation with organizations on the sanctions list, it sets a high bar for such defense. Any kind of economic benefit to the organization results in the good or service being considered as “made available” to the organization. In this context, it is also deemed irrelevant whether the service is provided in direct exchange for a service in return.

These rulings develop their practical relevance in that they shed light on how much distance should be maintained from organizations and persons appearing on the EU sanctions list in order to avoid running afoul of EU sanctions.

VI. United Kingdom

A. Sanctions Developments

Following the end of the Brexit transition period on December 31, 2020, the United Kingdom is no longer bound by EU sanctions law. The Sanctions and Anti-Money Laundering Act 2018 (the “Sanctions Act”) now provides the legislative framework for the UK’s post-Brexit sanctions regime. The year of 2021 constitutes the first full year that the UK’s autonomous sanctions regime has been underway.

1. OFSI Annual Review 2020-2021

On October 14, 2021, the UK Office of Financial Sanctions Implementation (“OFSI”) published its annual review for the financial year April 2020 to March 2021 (the “OFSI Annual Review”). The OFSI Annual Review comments on the impact of the end of the Brexit transition period on its activity levels, stating that “OFSI has had a stretching year, working across government and with both private sector and international partners as it transitioned out of the EU and into a UK autonomous sanctions framework.” Other key takeaways of the OFSI Annual Review include:

Changes to the Consolidated List: OFSI added 278 new designated persons to the consolidated list in the financial year 2020 to 2021, 159 of which implemented EU and UN legislation, outside of the period before the end of the Brexit transition period on December 31, 2020. Furthermore, 119 designations were made under the new Sanctions Act.
Licensing: The OFSI Annual Review highlights how the transition to an autonomous sanctions framework led to changes to licensing, including new licensing grounds (derogations) in respect of non-UN designated persons and adjustments to existing licensing grounds. For example, the existing licensing grounds for “maintenance of frozen funds and economic resources” and for payment of legal fees and expenses now require “reasonableness.” Under the Sanctions Act, OFSI was also granted new powers to provide for issuing General Licences under all regimes; previously, it could only issue these under the Terrorist Asset-Freezing etc. Act 2010. A General License allows multiple parties to undertake specified activities that would otherwise be prohibited without the need for a specific licence. In the financial year 2020 to 2021, OFSI issued 43 new licenses and made 75 amendments across 11 regimes; 64 out of the 75 amendments to licenses issued were issued under the Libya regime.
Compliance and Enforcement: The OFSI Annual Review makes clear that OFSI investigates every reported suspected breach of UK sanctions regulations, the result of which can vary depending on whether a breach has occurred and, if so, the nature of the breach. Where a breach has occurred, proportionate action can include the issuance of a warning letter, a civil monetary penalty, or escalation to law enforcement partners. In the financial year 2020 to 2021, OFSI considered 132 reports of potential financial sanctions breaches. This is a slight decrease from the previous financial year; however, generally the number of cases considered remains on an upwards trajectory from earlier years.

2. Sanctions Regulations Report on Annual Reviews 2021

The Sanctions Regulations Report on Annual Reviews 2021 has been published by the UK Foreign, Commonwealth & Development Office (the “Report”). The review is required under Section 30 of the Sanctions and Anti Money Laundering Act 2018, to assess whether the regulations are still appropriate for the purpose for which they were created. The report summarizes and reviews activity under the UK’s sanctions policy during 2021. The Report highlights the fact that the UK has become “more agile and has real autonomy to decide how [it] use[s] sanctions and where it is in our interests to do so” since leaving the EU and moving to an independent sanctions policy.

The Report observes the value of this in two recently established UK autonomous sanctions regimes: (1) the launch of the Global Human Rights sanctions regime on July 6, 2020; and (2) the launch of the Global Anti-Corruption sanctions regime on April 26, 2021. At the time of the Report, 106 designations have been made under these two regimes, “ensuring and sending a clear message that the UK is not a safe haven for those individuals and entities involved in serious corruption and human rights violations or abuses, including those who profit from such activities.”

3. Changes to Sanctions Lists

OFSI announced in December 2021 that, with effect from February 2022, the structure and data fields included in the UK sanctions list and the OFSI consolidated list will be changing.

The key changes to the UK sanctions list include the standardization of data (where possible) to remove duplications, unnecessary punctuation, and improve consistency; the creation of new fields to improve the detail and structure of the data; and changes to some field names to make their purpose clearer.

The key changes to the OFSI sanctions list include the addition of seven new fields, the introduction of a new group type “Ship,” and the retirement of the .xls format.

Organizations that regularly use the UK sanctions list and OFSI consolidated list in order to conduct sanctions checks should ensure that they understand these changes with a view to updating their systems, processes, and compliance policies accordingly.

B. Export Controls Developments

The UK’s status in relation to the EU has changed following the end of the Brexit transition period on December 31, 2020. Though the UK regime has similarities to the New EU Dual-Use Regulation, it now has its own sanctions and export control regimes, separate from those of the EU. In light of these changes, the UK Government published guidance on exporting military or dual-use technology (the “UK Guidance”).

1. Overview

In the UK export regime, “dual-use” means useable for both civil and military purposes. This includes dual-use goods, along with software or technology. In contrast to the human rights rhetoric used in describing the New EU Dual-Use Regulation, the UK dual-use export controls focus primarily on national security. The UK Guidance describes the basis of the UK’s export controls as aimed at preventing transfers that can lead to goods causing national security concerns for the UK and its allied forces, but doing so without “inhibiting legitimate trade [and] knowledge acquisition.”

Though the fines for dual-use export control violations pre-Brexit have been relatively low in the UK, with fines for export control violations in 2020 amounting to GBP 700,368 in total, the position post-Brexit and in light of the UK Guidance remains unclear.

2. Open Export General License

Broadly speaking, the EU and UK have sought to keep their respective post-Brexit trade control regimes aligned to minimize disruption to the pre-Brexit status quo. While the main features of the EU dual-use regime are seen in the UK regime, they are applied in the UK as a matter of English law rather than EU law. As such, when developing and implementing ICPs, the UK should be considered separately from the EU.

Furthermore, as the UK is no longer a member of the EU, the UK is now treated as a “third country” with respect to the EU’s export controls. This means that whereas previously most exports of dual-use items between the UK and EU member states did not require licenses, now exports from the UK to EU member states of dual-use goods or technology will require export authorization by way of an Open General Export License (an “OGEL”).

This new requirement, along with the heightened focus on technology, will not only impact companies that export dual-use goods, but also will have a bearing on how a company will transfer its “controlled technology” (i.e., information necessary to develop, produce, or use goods or software subject to UK dual-use export controls) within its international offices or employees, along with how such information is stored and accessed remotely (i.e., cloud storage).

3. Guidance on Exporting Military or Dual-Use Technology

The UK Guidance provides clarification regarding UK dual-use export controls including their applicability and scope, confirming that UK dual-use export controls apply to any entity in the UK and, in some circumstances, UK persons overseas.

In particular, the UK Guidance confirms that an OGEL for dual-use items will now be required for the transfer of controlled technology. A “transfer” includes sharing information via phone or video conferencing, emails, or laptops, phone or memory devices. Transfers can also include where the information is read out loud, shared via screensharing presentations, sent via email, or taken overseas on a memory device. Given the rise in remote working and the increased usage of video conferencing services, companies will need to be conscious of what information and data is shared overseas from their UK bases, and whether an OGEL will be required.

The Guidance also addresses the storage of controlled technology on servers that can be accessed remotely. It confirms that the location of the exporter and intended recipient, and not the location of the servers containing the controlled technologies themselves, will determine the need for an OGEL. As such, an OGEL is required if controlled technology is uploaded by persons in the UK and subsequently accessed by a recipient overseas.

This is of particular importance to multinational companies that transfer and store controlled technology through common IT systems and utilize intranets or cloud services. Companies falling into this category will now require an OGEL in order to share controlled technology from within the UK to their overseas offices, regardless of where that information is subsequently stored.

4. Updates to the Export Control Regime

On December 8, 2021, an update on the UK export control regime was released by the Secretary of State for International Trade, comprising three new measures.

Firstly, the UK Strategic Export Licensing Criteria have been amended, which will be applied with immediate effect to all license decisions on goods, software, and technology which are subject to control for strategic reasons for export, transfer, trade, and transit. For example, they lay a stronger focus on risks of violation of humanitarian law and misuse of items for internal repression, similar to the New EU Dual-Use Regulation.

In addition, a broader definition of military end-use will be established in early 2022, which will now permit control (on a case-by-case basis) of non-listed items intended for use by military and other security forces, apart from the previously covered listed items. However, the control will only be imposed when the government informs the exporter that a proposed export is intended for a military end use. To minimize the impact on legitimate trade, there will be exemptions for medical supplies and equipment, food, clothing, and other consumer goods.

Last but not least, China is expected to be added to the list of destinations subject to military end-use controls by spring 2022.

C. Noteworthy Judgments and Enforcement Actions

On August 5, 2021, OFSI announced a GBP 50,000 monetary penalty against the UK fintech company TransferGo Limited (“TransferGo”) for multiple breaches of The Ukraine (European Union Financial Sanctions) (No. 2) Regulations 2014. As stated in OFSI’s penalty report, the penalty related to 16 transactions made between March 2018 and December 2019, where TransferGo issued instructions to make payments to accounts held at the Russian National Commercial Bank (“RNCB”), a designated party under Council Regulation (EU) No 269/2014. The total value of the transactions was GBP 7,764.77.

OFSI imposed a monetary penalty because it was satisfied, on the balance of probabilities, that TransferGo breached a prohibition imposed by financial sanctions legislation and either knew or had reasonable cause to suspect that it was in breach of that prohibition. OFSI further elaborated that TransferGo erred in its assessment of whether the payments to RNCB were subject to financial sanctions restrictions. TransferGo asserted that payments to the accounts with RNCB were not breaches of financial sanctions restrictions since the relevant clients and beneficiaries were not themselves subject to such restrictions. However, OFSI considered that funds held in bank accounts ultimately belong to those banks.

VII. People’s Republic of China

China continued building up its legal arsenal against the continuing pressure from the United States. As we reported in our 2020 Year-End Sanctions and Export Controls Update, China had already begun establishing a sanctions blocking law and an export controls system. However, the myriad PRC policy developments that took place in 2021 extended even more broadly to include blocking laws and counter-sanctions, export controls, data security laws, national security reviews of foreign investments, and cybersecurity reviews. Importantly, these measures appear to be a symbolic statement against the United States and its allies that China will not back down in the strategic competition between Washington and Beijing. These measures also appear to be part of China’s efforts to build a resilient economic and business ecosystem and further establish itself as a major power in setting alternative global norms and standards.

The ink on these measures is barely dry and, because these measures were written in broad strokes and afford considerable discretion to PRC regulators, the compliance implications for global businesses are not yet clear. However, one certainty is that the new measures unveiled by PRC authorities have already increased the complexity and risk of doing business globally, especially when taken together with the various U.S. policy changes discussed above, such as heightened supply chain due diligence expectations and the ever-growing list of sanctioned Chinese entities. Global businesses with operations touching China now must monitor the developments in not only the U.S. legal regimes targeting China, but also the increasingly intricate set of Chinese legal rules.

A. Countermeasures on Foreign Sanctions

As the United States continued to impose a litany of trade restrictions on China in 2021, China showed few signs of backing down. In January and June 2021, China issued a set of laws that would allow the Chinese government to prohibit compliance with certain foreign laws. These laws could potentially require companies active in the global supply chain to choose whether to comply with U.S. sanctions or to comply with Chinese law. Although the practical impact of these developments is yet unclear, we are already seeing Chinese companies balk at agreeing to traditional representations and warranties in agreements, which may compel Western firms to reconsider how to obtain assurances regarding sanctions compliance going forward. Using its new legal tools, China has also counter-sanctioned several U.S. and other Western officials and entities in response to sanctions related to Xinjiang and Hong Kong. This cycle of sanctions and counter-sanctions appears likely to proliferate so long as relations between the United States and China remain fraught and the two superpowers continue their competition for global primacy.

1. Blocking Rules

As discussed in an earlier client alert, the Chinese Ministry of Commerce (“MOFCOM”) on January 9, 2021 issued the Rules on Blocking Unjustified Extraterritorial Application of Foreign Legislation and Other Measures (the “Blocking Rules”), which took immediate effect. (The Blocking Rules are available in both a Chinese-language version and an English translation.) The Blocking Rules established a mechanism for the Chinese government to designate “unjustified extraterritorial applications of foreign legislation and other measures” and issue prohibitions on Chinese persons’ and entities’ compliance with these foreign laws (Articles 4 & 7). Whether a foreign law constitutes “unjustified extraterritorial applications” is determined on an open-ended set of factors, including whether the law violates “international law or the basic principles of international relations,” impacts China’s “national sovereignty, security and development interests,” or impacts the “legitimate rights and interests” of Chinese individuals and entities, as well as a catch-all for “other factors that should be taken into account” (Article 6).

Under the Blocking Rules, Chinese individuals and entities—including, critically, Chinese subsidiaries of multinational companies—must report any restrictions they face from foreign governments (Article 5). Failure to comply may result in government warnings, orders to rectify, or fines (Article 13). Chinese individuals and entities also have a private right of action to sue in Chinese courts for compensation from any restrictions (Article 9). If carried out effectively, the Blocking Rules have the potential to create significant compliance risks for multinational enterprises.

Although the Blocking Rules went into effect immediately, they will only become enforceable in substance once the Chinese government designates the specific “unjustified extraterritorial applications”—a step that, as of this writing, has not yet been taken. Nevertheless, the Blocking Rules by their publication have forcefully communicated the Chinese government’s intention to establish a legal regime for countering foreign sanctions.

2. Anti-Foreign Sanctions Law

On June 10, 2021, the National People’s Congress further bolstered the message by passing the Law of the People’s Republic of China on Countering Foreign Sanctions (the “Anti-Foreign Sanctions Law”), which took immediate effect. (The Anti-Foreign Sanctions Law is available in both a Chinese-language version and an English translation.) The legislation formalizes previous administrative measures taken by China, such as the Blocking Rules and the Export Control Law (discussed below), by providing legal grounds for the countermeasures. Coming one day before the start of the G7 summit in the United Kingdom, the legislation was widely believed to be, at least in part, China’s challenge to President Biden’s objective at the G7 to build a coalition against China’s rising global influence.

Importantly, the Anti-Foreign Sanctions Law allows Chinese authorities to designate on the “Countermeasures List” and take a menu of counter-sanctions—including denial of visas, seizure of assets, blocking of transactions, and other necessary measures—against individuals (as well as their spouses and immediate relatives) or entities (as well as their senior management and controllers) involved in creating, deciding, or implementing “discriminatory restrictive measures” by foreign governments (Articles 4 to 6). The term “discriminatory restrictive measure” is left undefined—but it is likely to include China-related sanctions and export controls by foreign governments.

In announcing the Anti-Foreign Sanctions Law, China hinted that enforcement of this legislation may be limited to those involved in drafting and advocating for sanctions targeting China as “[t]he law only takes aim at those entities and individuals who grossly interfere in China’s internal affairs and spread rumors about and smear, contain and suppress China.” That said, like the Blocking Rules, the Anti-Foreign Sanctions Law also prohibits Chinese persons and entities from complying with foreign “discriminatory restrictive measures” and allows a private right of action for Chinese persons and entities that are negatively impacted by sanctions to seek injunctive relief and compensatory damages (Article 12). Even if the Countermeasures List designations may be reserved for those closer to the formulation of U.S. sanctions measures, private companies seeking to comply with U.S. sanctions must now carefully navigate between the conflicting regulatory requirements of the world’s two largest economies.

3. Impact on Entities in Hong Kong

Even before the introduction of the measures described above, multinational businesses and financial institutions in Hong Kong were faced with a dilemma. The Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region (the “National Security Law”), which has been in effect in Hong Kong since June 30, 2020, established the crimes of secession, subversion, terrorist activities, and collusion with a foreign country or external elements to endanger national security. At the time of the National Security Law’s enactment, about 54 percent of businesses in a Hong Kong General Chamber of Commerce survey expressed concern about potential foreign sanctions risks—albeit in the short term—arising from the National Security Law.

On August 8, 2020, the Hong Kong Monetary Authority issued guidance instructing regulated institutions that “unilateral sanctions imposed by foreign governments are not part of the international targeted financial sanctions regime and have no legal status in Hong Kong.” However, the guidance did not expressly prohibit companies from complying with U.S. sanctions and instead advised that companies’ policies should be “informed by a thorough assessment of any legal, business and commercial risks involved and based on a balanced approach. In assessing whether to continue to provide banking services to an individual or entity designated under a unilateral sanction which does not create an obligation under Hong Kong law, boards and senior management of [regulated institutions] should have particular regard to the ‘treat customers fairly’ principles.”

Naturally, the enactment of the Anti-Foreign Sanctions Law again created a quagmire for Western businesses and financial institutions in Hong Kong. At the same time, however, China seems to be treading lightly to avoid discouraging foreign business activities in Hong Kong. In the August 2021 session, the National People’s Congress postponed a vote on extending the Anti-Foreign Sanctions Law to Hong Kong. On October 5, 2021, Hong Kong Chief Executive Carrie Lam provided some comfort to businesses by further clarifying that Beijing has shelved the extension of the Anti-Foreign Sanctions Law to Hong Kong and would take into account Hong Kong’s status as an international financial center even if the extension were to occur in the future.

4. Application of Counter-Sanctions

In part aided by the new legal regimes, the Chinese Ministry of Foreign Affairs (“MOFA”) issued counter-sanctions against major Western decisionmakers throughout the year. From March 22-27, 2021, MOFA announced counter-sanctions against 22 individuals and ten entities from the European Union, the United Kingdom, and the United States and Canada “in response” to sanctions imposed days earlier for alleged human rights abuses in Xinjiang. On July 23, 2021, MOFA announced a further round of counter-sanctions against seven individuals and one entity in the United States (including former Commerce Secretary Wilbur Ross) in response to the sanctions imposed on Chinese officials in connection with repression of protests in Hong Kong. On December 21, 2021, MOFA announced additional counter-sanctions against four members of the U.S. Commission on International Religious Freedom shortly after the United States imposed sanctions and announced a diplomatic boycott of the 2022 Beijing Winter Olympics related to the situation in Xinjiang. Although Chinese counter-sanctions have to date principally focused on Western government officials and agencies, such measures have also targeted scholars and non-profit organizations known for their advocacy of human rights.

Such tit-for-tat sanctions are likely to continue. Despite the November 2021 virtual meeting between President Biden and President Xi in which the two leaders discussed “the importance of managing competition responsibly,” the U.S.-China relationship remains tense. As the United States continues to impose sanctions and other policy measures targeting China, China may not simply let its newest policy tool gather dust.

B. Export Controls Regime

China’s first comprehensive Export Control Law (Chinese version here and English translation here), which went into effect on December 1, 2020, included a notable expansion of extraterritorial applicability, as we previously reported in an August 2020 client alert. In the intervening months, China has issued a number of regulations in relation to export controls, especially for dual-use items (i.e., items with both civil and military applications). For example, China announced new rules on commercial cryptographic products, updated the catalog of dual-use items and technologies subject to import and export license administration, and implemented paperless management of import and export licenses for dual-use items and technologies. While not a “sea change” per se, these regulations are evidence of China’s ongoing efforts to solidify and modernize its export controls regime.

On April 28, 2021, MOFCOM issued Guiding Opinions on Establishing the Internal Compliance Mechanism for Export Control by Export Operators of Dual-Use Items (the “Guiding Opinions”), answering the Export Control Law’s call for official internal compliance guidelines. The Guiding Opinions’ core elements of a sound internal compliance mechanism largely parallel those found in the U.S. Export Compliance Guidelines, thus allowing global companies to maintain consistency in their global compliance programs. The core elements of the Chinese Guiding Opinions include, among others: (1) issuing a statement of policy (equivalent to the “management commitment” in the U.S. Export Compliance Guidelines); (2) assigning a department and personnel responsible for export controls compliance; (3) conducting a comprehensive risk assessment; (4) establishing a set of internal controls to screen for red flags; and (5) conducting periodic compliance audits.

C. Restrictions on Cross-Border Transfers of Data

Prior to 2021, China already maintained several restrictions on the provision of data to foreign governments. For example, the International Criminal Judicial Assistance Law (Chinese version here and English translation here) bars Chinese individuals and entities from providing foreign enforcement authorities with evidence, materials, or assistance in connection with criminal cases without the consent of the Chinese government, and the China Securities Law (Chinese version here and English translation here) prohibits “foreign regulators from directly conducting investigations and collecting evidence” in China. In 2021, China issued the Data Security Law and the Personal Information Protection Law, thereby clamping down on the sharing of broader swaths of personal and corporate data outside its borders. With these recent developments, the restrictions now also apply in the context of civil enforcement actions and litigation, as well as general corporate practices including due diligence. Coupled with the blocking measures discussed above, these data restrictions could have a far-reaching impact on multinational companies.

1. Data Security Law

On the same day in June 2021 that China’s Anti-Foreign Sanctions Law was passed, the National People’s Congress also passed the Data Security Law (Chinese version here and English translation here), which took effect on September 1, 2021. As described in our June 2021 client alert, the legislation contains sweeping requirements and severe penalties for violations. It governs not only data processing and management activities within China, but also those outside of China that “damage national security, public interest, or the legitimate interests of [China’s] citizens and organizations.”

The Data Security Law generally creates strict data localization and data transfer requirements for entities and individuals operating within China, depending upon the category of data (e.g., “core data” or “important data”). Crucially, the Data Security Law prohibits the provision of any “data stored within the People’s Republic of China to foreign judicial or law enforcement bodies without the approval of the competent authority of the People’s Republic of China” (Article 36). Failure to obtain this prior approval may result in significant fines and, in some “serious” cases, suspension of business operations and revocation of business licenses (Article 48). The need to seek prior approval for any cross-border transfer of data creates substantial barriers to responding to government enforcement actions and lawsuits.

The Data Security Law also authorizes the Chinese government to implement “equal countermeasures” when a foreign country enacts any “discriminatory, restrictive, or other similar measures” with respect to investment or trade related to data and technology for data development and utilization (Articles 26). This provision appears to be a reference to recent U.S. sanctions and export controls targeting China’s technology sector and provides the Chinese government another sanctions tool under the data security regime.

The Data Security Law, like other PRC measures discussed above, leaves certain important terms undefined. In our experience, it is likely that the PRC authorities will issue additional guidance and implementation rules that provide further clarity, similar to the Provisions on the Management of Automobile Data Security that were issued on August 16, 2021 and which provide some insight into the definition of “important data” in the context of the automobile industry.

2. Personal Information Protection Law

On August 20, 2021, the National People’s Congress further built out the data protection regime when it passed the Personal Information Protection Law (Chinese version here and English translation here), which took effect on November 1, 2021. As described more fully in our September 2021 client alert, the legislation asserts an extensive extraterritorial reach. It governs not only domestic companies, but also foreign companies that process or use the personal information of individuals located within China for the purpose of providing products or services to individuals in China, analyzing or assessing the behavior of individuals in China, or under other unspecified circumstances provided in laws or regulations (Article 3). Foreign companies without a physical presence in China must appoint a designated representative in China for personal information protection (Article 53).

The Personal Information Protection Law generally requires personal information processing entities to adopt certain protective measures. Processing entities are only allowed to transfer personal information overseas if they: (1) pass a security assessment administered by the Cyberspace Administration of China (“CAC”); (2) obtain a certification from professional institutions in accordance with the rules of the CAC; (3) enter into a transfer agreement with the transferee using the standard contract published by the CAC; or (4) adhere to other conditions set forth by law, administrative regulations, or the CAC, unless any relevant international treaties to which China is a party stipulate otherwise (Article 38). Violations of the law’s requirements may lead regulators to take corrective actions, issue warnings, confiscate unlawful income, suspend services, revoke operating permits or business licenses, and/or issue fines (Article 66). Moreover, individuals may bring civil tort claims if the processing entities infringe their rights and interests (Article 69), and the People’s Procuratorate may file public interest lawsuits if the rights and interests of a large number of individuals are affected (Article 70).

Similar to the Data Security Law, the Personal Information Protection Law allows the Chinese government to take “reciprocal measures” if any country or region takes “discriminatory prohibitions, limitations, or other similar measures” against China in the area of personal information protection (Article 43). At the same time, the Personal Information Protection Law suggests a commitment by the Chinese government to “participate[] in the formulation of international rules for personal information protection, stimulate[] international exchange and cooperation in personal information protection, and promote[] mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations” (Article 12). This language reinforces the notion that Beijing may be interested in challenging the Western powers by promoting an alternative “model” of global norms and standards.

D. Security Review of Foreign Investments

Finally, any discussion of China’s growing arsenal of trade controls would be incomplete without a least a brief mention of China’s foreign investment review regime. The Foreign Investment Law took effect on January 1, 2020, focusing on foreign investment promotion, protection, and administration, and also noting that China will establish a system for the security review of foreign investments. Shortly after the anniversary of the Foreign Investment Law, in January 2021, the rules for this new security review system went into effect. Additionally, in December 2021, the rules for the new cybersecurity review were also announced in connection with the Data Security Law described above.

1. National Security Review

On December 19, 2020, China’s National Development and Reform Commission (“NDRC”) and MOFCOM issued the Measures for Security Review of Foreign Investment (the “Security Review Measures”) (Chinese version here and English translation here) which apply to investments closed after January 18, 2021. Prior to the new Security Review Measures, national security review of foreign investment was set forth under circulars issued by the State Council in 2011 and 2015. In addition to formalizing the existing national security review regime, the Security Review Measures made important changes to its scope and process.

The Security Review Measures substantially expand the scope of foreign investment subject to national security review. First, the national security review now captures not only direct foreign investments, but also indirect foreign investments—which include an offshore transaction between two foreign parties in which a foreign investor acquires indirect “actual control” (whether by way of 50 percent ownership or through other decision-making powers) of a Chinese target. Second, the national security review not only covers an investment in or acquisition of equities or assets in China, but also the establishment of new enterprises, such as subsidiaries or joint ventures (also known as “greenfield investments”).

The Security Review Measures create a mandatory review requirement by a new Working Office that is jointly headed by the NDRC and MOFCOM if:

The investment is (i) in sectors related to national defense and security, or (ii) in geographic locations in close proximity to military facilities or defense-related industries facilities; or
The investment (i) involves important sectors significant for national security, such as agricultural products, energy and resources, equipment manufacturing, infrastructure facilities, transportation services, cultural products and services, information technology and internet products and services, financial services, and key technologies, and (ii) will result in foreign investors’ actual control.

Because the sectors listed above cover a broad range and are not specifically defined, the Security Review Measures potentially create a widely-applicable mandatory pre-closing filing requirement—a key difference from the U.S. CFIUS review mechanism, which is a largely voluntary process. If a party fails to submit a mandatory application, the Working Office may require the submission of an application. If the parties still fail to submit an application, the Working Office may reverse the transaction through a divestment order or other actions. This, in theory, creates a significant risk for foreign investors considering an investment involving a Chinese interest in a sensitive industry. It remains to be seen, however, how aggressively China will enforce these measures as it vows to continue opening up to foreign investments.

2. Cybersecurity Review

On July 2, 2021, the CAC launched an investigation into DiDi Global Inc.’s (“DiDi”) June 30 initial public offering (“IPO”) on the New York Stock Exchange, marking the first cybersecurity review based on the measures implemented in June 2020. The CAC expressed concerns regarding the company’s network security practices and required the company to remove its app from local app stores, thus suspending any new-user registration, during the review period. On July 5, 2021, the CAC further expanded the investigation into Full Truck Alliance and Kanzhun, which had also recently listed in the United States.

On July 10, 2021, the CAC released a draft revision to the existing Cybersecurity Review Measures. The final measures were issued on December 28, 2021 (Chinese version here and English translation here), and will go into effect on February 15, 2022. The Cybersecurity Review Measures capture not only critical information infrastructure operators but also data processing activities by internet platform operators (Article 2), and expand the regulatory and enforcement agencies to include the China Securities Regulatory Commission (“CSRC”) (Article 4). Importantly, the Cybersecurity Review Measures require operators that hold personal information of more than one million users to report for a cybersecurity review by the CAC before going public on stock exchanges outside China (Article 6). The report to the CAC must include IPO materials prepared for submission (Article 8). Finally, the Cybersecurity Review Measures extend the “special review” period for a typical case from 45 working days to 90 working days (Article 14)—potentially causing significant delays to foreign listing preparation schedules.

These reviews can cause significant disruption. For example, on December 3, 2021, DiDi eventually announced that it would de-list from the New York Stock Exchange, following a five-month investigation. Amidst market turmoil from the series of investigations, the CSRC assured foreign investors that China has always supported Chinese companies choosing listing destinations of their own. However, uncertainties linger for Chinese companies listed in the United States, especially after the December 2020 enactment of the Holding Foreign Companies Accountable Act and the December 2021 adoption by the U.S. Securities and Exchange Commission of its final rule implementing this legislation, which would authorize the de-listing of Chinese firms unless they abide by U.S. accounting and auditing requirements. This, of course, requires careful balancing with the Data Security Law and the Personal Information Protection Law, both discussed above. Thus, foreign investors who have already invested or plan to make investments in China or Chinese companies should closely monitor the changing legislative landscape with respect to data security.

The following Gibson Dunn lawyers assisted in preparing this client update: Scott Toussaint, Richard Roeder, Judith Alison Lee, Adam M. Smith, Patrick Doris, Michael Walther, Attila Borsos, Fang Xue, Qi Yue, Christopher Timura, Sean Brennan, Laura Cole, Kanchana Harendran, Nicole Lee, Chris Mullen, Rose Naing, Sarah Pongrace, Cody Poplin, Anna Searcey, Samantha Sewall, Audi Syarief, Lindsay Bernsen Wardlaw, Xuechun Wen, Brian Williamson, and Claire Yi.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s International Trade practice group:

United States:
Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, [email protected])
Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Marcellus A. McRae – Los Angeles (+1 213-229-7675, [email protected])
Adam M. Smith – Washington, D.C. (+1 202-887-3547, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202-955-8685, [email protected])
Laura R. Cole – Washington, D.C. (+1 202-887-3787, [email protected])
Chris R. Mullen – Washington, D.C. (+1 202-955-8250, [email protected])
Samantha Sewall – Washington, D.C. (+1 202-887-3509, [email protected])
Audi K. Syarief – Washington, D.C. (+1 202-955-8266, [email protected])
Scott R. Toussaint – Washington, D.C. (+1 202-887-3588, [email protected])
Shuo (Josh) Zhang – Washington, D.C. (+1 202-955-8270, [email protected])

Asia:
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Fang Xue – Beijing (+86 10 6502 8687, [email protected])
Qi Yue – Beijing – (+86 10 6502 8534, [email protected])

Europe:
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Nicolas Autet – Paris (+33 1 56 43 13 00, [email protected])
Susy Bullock – London (+44 (0)20 7071 4283, [email protected])
Patrick Doris – London (+44 (0)207 071 4276, [email protected])
Sacha Harber-Kelly – London (+44 20 7071 4205, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Steve Melrose – London (+44 (0)20 7071 4219, [email protected])
Matt Aleksic – London (+44 (0)20 7071 4042, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Richard W. Roeder – Munich (+49 89 189 33-160, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Click for PDF

International Data Privacy Day was on January 28, 2022, and practitioners and enforcers alike took the opportunity to recognize developments over the past year, and look forward to what’s next.[1] California Attorney General Rob Bonta’s Office was no exception. Attorney General Bonta’s Office published Friday a press release announcing “an investigative sweep of a number of businesses operating loyalty programs in California” and that the Attorney General sent notices alleging noncompliance with the California Consumer Privacy Act (CCPA).

The CCPA passed in 2018, took effect January 1, 2020, and following multiple amendments and various versions of regulations, enforcement by the California Attorney General started July 1, 2020. Since that time, Attorney General Bonta’s Office’s enforcement priorities had appeared to focus on transparency (e.g., in privacy notices), sale requirements (e.g., ensuring sufficient opt-outs), verification, and CCPA right request forms. Indeed, in July 2021, the Attorney General’s Office published examples of its CCPA enforcement cases, only one of which related to transparency in the context of a loyalty program. In this release, the Office also launched a consumer reporting link, which allowed consumers to report potential violations to the Attorney General’s Office.

Now, it seems the Attorney General’s Office is adding fuel to the focus on loyalty programs in its list of enforcement priorities. As a reminder, the CCPA has various provisions and regulations relating to loyalty programs. Under CCPA’s Section 1798.125:

“a business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by: (B) Charging higher prices or rates for goods or services, including through the use of discounts or other benefits,” except that businesses can provide a different price, rate, level or quality, if the offering is:

“in connection with a consumer’s voluntary participation in a loyalty, rewards, premium features, discount, or club card program”;
“reasonably related to the value provided by the consumer’s data”;
“for a specific good or service whose functionality is reasonably related to the collection, use, or sale of the consumer’s data.”

The CCPA Regulations provide further clarity on these provisions, stating among other requirements, that if “a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive . . . is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference” (Section 999.336, emphasis added), and that an explicit notice of financial incentive is required, which should include (1) a summary of the program, (2) material terms, (3) how to opt in and how to withdraw from the program, and (4) how the incentive is reasonably related to the value of the consumer’s data, including a good-faith estimate of the value, and the description of the method the business used to calculate it (Section 999.307).

Section 999.337 offers more detail regarding how to calculate the value of consumer data, including providing eight factors for consideration, such as the average value to the business, the revenue generated by the business from the processing of the consumers’ information, and the expenses relating to the processing.

Attorney General Bonta’s announcement serves as a helpful reminder that businesses offering financial incentives (including potentially discount coupons for submitting an email address), or loyalty programs (such as usage perks or membership discounts), should consider their CCPA compliance, and in particular review their disclosures regarding such programs. It is also a reminder more generally that the Attorney General’s Office remains active in enforcing the CCPA, at least until July 2023, when enforcement of the CPRA will begin.

We remain available to discuss your particular compliance needs, including regarding loyalty programs, to which businesses may have devoted less attention in their CCPA compliance efforts, in light of the late finalization of the regulations in August 2020.

______________________

[1] See, for example, Gibson Dunn’s International Cybersecurity and Data Privacy Outlook and Review – 2022, Jan. 31, 2022, available at https://www.gibsondunn.com/international-cybersecurity-and-data-privacy-outlook-and-review-2022/.

This alert was prepared by Cassandra L. Gaedt-Sheckter and Alexander H. Southwell.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Data Innovation practice group:

United States
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Robert K. Hur – Washington, D.C. (+1 202-887-3674, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])

Europe
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])

Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Click for PDF

In 2021, the U.S. Department of Justice (“DOJ”) articulated a renewed prosecutorial vision and strong statements and took decisive moves to expand the scope of enforcement efforts and devote more resources to them. Enforcement activity resulting in corporate non-prosecution agreements (“NPAs”) and deferred prosecution agreements (“DPAs”) was lower in 2021 than in 2020, but generally consistent with the trend in the past two decades. We expect continued aggressive corporate enforcement in 2022 as part of President Biden’s stated initiative to revisit standards of corporate prosecution.

In this client alert, the 25th in our series on NPAs and DPAs, we: (1) report key statistics regarding NPAs and DPAs from 2000 through 2021; (2) analyze statements by DOJ about recalibrating corporate enforcement policies and a coming effort to “surge resources” in corporate enforcement; (3) take an in-depth look at the use of corporate resolutions by DOJ’s National Security Division (“NSD”); (4) provide an update on the SEC whistleblower program and its implications for NPAs and DPAs; (5) summarize 2021’s publicly available DOJ corporate NPAs and DPAs since our 2021 Mid-Year Update; and (6) survey recent developments in DPA regimes abroad.

Chart 1 below shows all known DOJ NPAs and DPAs from 2000 through 2021. Of 2021’s 28 total NPAs and DPAs, 7 are NPAs and 21 are DPAs.[1] The SEC, consistent with its trend since 2016, did not enter into any NPAs or DPAs in 2021.

Chart 2 reflects total monetary recoveries related to NPAs and DPAs from 2000 through 2021. At approximately $4.0 billion, recoveries associated with NPAs and DPAs in 2021 are the lowest since 2018, and are below the average yearly recoveries for the period between 2005 (when use of these agreements became fairly routine) and 2021. As we have stated repeatedly, annual statistics should not be isolated to try to extrapolate a trend. The completion of investigations ebb and flow and are not calibrated to the calendar. Although 2021 represents a significant reduction in recoveries compared to 2020’s record-breaking $9.4 billion, certain patterns identified in prior years have remained. For example, in 2020, the two largest resolutions accounted for approximately 53% of the total monetary recoveries. Similarly, in 2021, the two largest resolutions accounted for 69% of all recoveries, and the largest resolution accounted for approximately 62%. In 2020, 34% of the agreements had total recoveries of $100 million or more; in 2021, approximately 21% included recoveries of at least $100 million. Supported by statements suggesting a possible shift in DOJ corporate enforcement policies (discussed in further detail below), these 2021 trends suggest a continued focus by DOJ on large monetary resolutions.

2021 in Context

21 of the 28 resolutions—or 75%— in 2021 were DPAs. The 28 resolutions entered in 2021 resolved investigations brought by fourteen distinct lead enforcement offices, including nine different U.S. Attorney’s offices. Among the fourteen, DOJ’s Fraud Section (5), Antitrust Division (4), and Consumer Protection Branch (3) were most active. Increased activity by DOJ’s Consumer Protection Branch, in particular, may be a trend to watch in the coming year. This branch has a broad enforcement mandate and is staffed by approximately 100 lawyers.

Of particular note, the number of DPAs in 2021, as illustrated in Chart 3 below and discussed in our Mid-Year Update, is consistent with a seven-year trend toward the increased use of DPAs compared to NPAs.

Three of the seven NPAs entered in 2021 referenced division-specific self-disclosure programs as primary motivating factors. SAP SE and Avnet Asia Pte. Ltd., respectively, qualified for NPAs under NSD’s Export Control and Sanctions Enforcement Policy for Business Organizations, announced in late 2019.[2]

Although there are limited outliers, the numbers reflect a continuing trend toward increased use of DPAs.

2021 was also the first year without a public declination pursuant to DOJ’s FCPA Corporate Enforcement Policy since DOJ first announced the precursor FCPA Pilot Program in 2016. The program was designed originally to encourage voluntary self-disclosure and cooperation from companies involved in potential misconduct. The number of public declinations offered by DOJ under the program and the FCPA Corporate Enforcement Policy has steadily declined in recent years, with four declinations in 2018, two in 2019, and only one in 2020.[3] However, DOJ has disagreed with commentary suggesting this decline reflects a long-term trend, with an official spokesperson stating “We do not believe the aforementioned results in 2019 and 2020 reflect a ‘lull’ or a downward trend, rather we believe they reflect the natural ebb and flow of our cases.”[4] Further, it remains possible that DOJ has issued private declinations where it has determined “a public declination is neither necessary nor warranted,” on the basis that that the decision to disclose a declination belongs solely to the DOJ.[5] Gibson Dunn’s investigative inventory corresponds to DOJ’s perspective.

DOJ Announces Shifting Enforcement Policies and Resource “Surge”

In the final months of 2021, DOJ has made several important announcements regarding corporate enforcement as part of President Biden’s broader initiative to revisit the standards and practices that DOJ has applied to corporate criminal enforcement. These announcements, which touch on every stage of corporate enforcement—from investigation through charging, settlement, and beyond—reflect that DOJ is taking a fresh, holistic look at its approach to corporate enforcement. Through these changes, DOJ is signaling to companies that DOJ intends to maintain a sharp focus on identifying and addressing corporate crime.

Reflecting this focus, DOJ announced the formation of a Corporate Crime Advisory Group, which will be made up of representatives from all divisions of DOJ involved in corporate criminal enforcement. This new advisory body has a broad mandate to make recommendations and propose revisions to DOJ’s policies on corporate criminal enforcement topics, including monitorship selection, recidivism and NPA/DPA non-compliance, and prioritization of individual accountability, all of which were targeted for updates in 2021.

Zero Tolerance for Recidivism and Noncompliance

In an October 5, 2021 speech, Principal Associate Deputy Attorney General (“PADAG”) John Carlin emphasized that DOJ will continue to use NPAs, DPAs, and guilty pleas, and that DOJ views the inking of an agreement as the start of a longer-term obligation.[6] He stated that companies should expect DOJ to enforce agreement terms, noting that DOJ will be firm with companies that do not comply. He also said that the consequences for violating an agreement “may be worse than the original punishment.” Typically, DPAs and NPAs include specific obligations with respect to compliance, cooperation, and reporting of misconduct over the term of the agreement (often three years).

Shortly after PADAG Carlin’s speech, Deputy Attorney General (“DAG”) Lisa Monaco amplified this position, stating that DOJ has “no tolerance for companies that take advantage of [DPAs or NPAs] by going on to continue to commit crimes.”[7] These statements hearken back to 2015, when DOJ similarly postured about not hesitating to “tear up” agreements for companies that fail to meet their NPA or DPA obligations.[8] DOJ has already proved willing to follow through on this renewed zero-tolerance policy, requiring Monsanto Company (“Monsanto”) to plead guilty to both of the previously deferred two felony charges that otherwise would have been dismissed pursuant to its 2019 DPA, as well as thirty new misdemeanor charges, as a result of new conduct that violated laws involving the proper use of pesticides and the terms of the 2019 DPA.[9]

Further emphasizing its tough stance on recidivist behavior, DOJ also announced that it will take into account a corporation’s full criminal, civil, and regulatory record in making charging decisions, even if alleged prior misconduct is dissimilar from the alleged conduct at issue.[10] No longer will DOJ focus primarily on prior misconduct similar to the conduct under investigation. This revised policy is sweeping, implicating not only prior enforcement actions across all DOJ units, but all prosecutions and non-criminal enforcement actions across all federal regulators, the states and other countries, as well.[11]

Taken at face value, this means that a prior resolution for conduct that would not be illegal in the United States could theoretically be taken into account in a domestic charging decision. Practitioners have raised significant concerns about this new policy, particularly given this potential for consideration of acts that are not punishable in the United States, and for consideration of criminal, civil, and regulatory actions involving completely inapposite facts, standards, and legal frameworks.

Speaking at the American Conference Institute’s 38th International Conference on the FCPA, Assistant Attorney General for the Criminal Division, Kenneth Polite, responded to these concerns, stating that, “it’s a discretionary evaluation, where we have to trust and rely on our trial attorneys to properly evaluate each instance…where every potential act of misconduct is not going to be weighted the same way.”[12] At the same event, Chief of the DOJ’s FCPA Unit, David Last stated that, “if there are so many instances to count, that may be another conversation that we need to have…If you’re in the 50s, or the hundreds of prior touches, that’s something we probably need to know.”[13]

Surging Resources to Investigate Corporate Wrongdoing

Also in October, PADAG John Carlin noted that DOJ is “building up to surge resources for corporate enforcement.”[14] These resources include additional FBI agents tasked to work full-time alongside the prosecutors in the Criminal Fraud section, which PADAG Carlin stated has worked in the past and would provide flexibility to pursue white-collar matters nationwide.

According to Mr. Carlin, the surge in resources also will facilitate the use of data analytics tools, including working together with other regulatory agencies to share “the same fruits of analytic [labor],” to identify criminal conduct. He noted corporations should take advantage of these types of tools as DOJ will expect corporations to use data analytics in their compliance programs to look for and predict misconduct.[15]

These comments build on updates to DOJ’s corporate enforcement posture dating back to 2020. On June 1, 2020, DOJ updated its guidance to prosecutors for assessing corporate compliance programs when conducting investigations, making charging decisions, and negotiating resolutions. That guidance included an expectation that companies’ internal risk assessments should be based on “continuous access to operational data and information across functions.” Reflecting the application of this guidance, 2021 agreements include a provision requiring data-based monitoring, review, and testing of a company’s compliance procedures. As discussed in our Mid-Year Update, the Epsilon DPA, for example, requires the company to “conduct periodic reviews and testing” of its compliance program as it relates to “preventing and detecting the transfer or sale of consumer data.”[16] More recently, the Recology DPA requires that “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing.”[17] The Credit Suisse DPA contains nearly identical language that specifically aims at monitoring and testing transactional data.[18] Given the express focus on analytics, Mr. Carlin’s recent messaging, and the cross-pollination that tends to occur among the 93 U.S. Attorney’s Offices and Main Justice, we expect to see this enhanced language make its way into future agreements.

Continued Focus on Pursuit of Individual Actions

Historically, DOJ has had a particular focus on pursuing individuals responsible for corporate crime. In 2015, the Yates Memorandum announced a requirement that companies seeking cooperation credit provide DOJ with all non-privileged information about all individuals involved in misconduct to receive credit.[19] Reflecting what some viewed as a more pro-company stance, DOJ modified the Yates Memo requirement in November 2018, in response to concerns that the requirement was slowing down investigations by forcing companies to pursue and disclose every individual fact pattern—even relatively immaterial ones.[20] This revised standard premised cooperation credit on providing information about individuals who were “substantially” involved in, or responsible for, the misconduct.[21]

In October 2021, Deputy Attorney General Monaco announced a return to the Yates standard, explaining that the revised standard had proved unworkable because the standard was not clear and left too much to the judgment of cooperating companies.[22] In response to renewed concerns about the burden on companies imposed by the Yates standard, Assistant Attorney General Polite disagreed about the impacts to companies, explaining that the Yates standard is appropriate because it swings the decision regarding who is culpable back to DOJ, which views itself as being in the best position to evaluate who is substantially involved, based on all of the information known to it.[23]

Monitorship Policy Reconsidered

In 2021, DOJ also has “rescinded” any prior guidance suggesting that monitorships are disfavored, and prosecutors are, therefore, free to impose a corporate monitor when they determine it is appropriate. This signals a possible intent to reverse a trend away from compliance monitorships, which have declined in recent years in favor of self-reporting requirements. According to our records, only two of the 28 publicly available agreements in 2021 and two of 38 resolutions in 2020 imposed a corporate monitor, as compared to 9 out of 40 agreements in 2016, for example, and 5 out of 23 in 2017. Practitioners have raised concerns that DOJ’s new position on corporate monitors may make companies less willing to self-report, because self-reporting will carry a greater risk of monitorship—an extremely expensive and burdensome outcome. It remains to be seen whether individual prosecutors will take this as a signal to increase use of monitorship arrangements, and whether this will have a chilling effect on self-reporting.

DOJ Adds a Formal Disclosure Certification

NPAs and DPAs have long included obligations to disclose additional related conduct or evidence of illegal activity identified during the agreement’s term.[24] Many also require certification on behalf of the company, at the conclusion of the term, that all relevant evidence has been disclosed.[25] Until recently, DOJ had not given form to this certification requirement, instead relying on companies to provide the certification in an ad hoc manner.

Beginning in late-2020, DOJ’s Fraud Section introduced a new certification attached to some NPAs and DPAs, formalizing the certification requirement. This certification requires a company’s executives to certify, on the date that that the period of the NPA or DPA expires, that (1) they are aware of the company’s disclosure obligations under the NPA or DPA; and (2) the company has disclosed “any and all evidence,” including all allegations relating to broadly-specified conduct (which varies by agreement).[26] In 2021, this new certification became standard across resolutions involving the Fraud Section.[27] It also was adopted by the Antitrust Division in several resolutions[28] and the USAO for the Eastern District of New York in at least one case[29]. The corporate officers required to sign the certification varies; the Fraud Section has thus far required the CEO and CFO to sign, the Antitrust Division lists the CEO/President and internal or external legal counsel as mandatory signatories, and the Eastern District of New York required that the President and Chief Compliance Officer sign the certification.

Consistent with past practice surrounding disclosures, the certification expressly deems any disclosure “ a material statement and representation by the Company to the executive branch of the United States” under 18 U.S.C. § 1001, which imposes harsh penalties for materially false or fraudulent statements. The resolutions provide that the certification “constitute[s] a significant and important component” of the resolution for the purposes of determining whether the company has satisfied its obligations under the agreement—an express acknowledgment that did not exist before the new certification requirement.

At the same time, as has been the case in recent years, continuing disclosure requirements often are more expansive than the conduct at issue in the underlying agreement. For example, an agreement may require disclosure of evidence relating to any potential violation of a specific law anywhere in the world, even where the underlying agreement relates to conduct specific to a location or line of business, even if the conduct would not constitute a violation of law because it did not occur within the jurisdiction of the United States, and even where the evidence is not credible on its face. As a continuation of this trend, the certification form defines “disclosable information” exceptionally broadly, to include “any and all evidence or allegations” of specified illegal conduct – going well beyond concrete evidence of illegal activity.

As a result, accurate and complete self-reporting is becoming increasingly more difficult to navigate as companies seek to balance their self-reporting obligations with retaining some autonomy to make informed judgments about the credibility of allegations raised and the sufficiency of evidence identified in internal investigations. This, coupled with the new statement that adherence to expansive self-reporting mandates is a “significant and important component” of agreement compliance, plus DOJ’s renewed emphasis on the consequences of breach and recidivist acts, create a mine field for companies seeking to meet their agreement obligations without outsourcing investigative judgment completely to the U.S. government.

We will continue to monitor whether this certification requirement becomes the norm across Divisions and USAOs moving forward. For now, it continues a trend of extracting increasingly intrusive disclosure agreements from companies, and increasing the risk of potential breach when the letter of those requirements is not met.

Spotlight on DOJ National Security Division (NSD) Developments

Background on Updated Guidance

As detailed in a prior Gibson Dunn client alert, in December 2019, NSD released updated guidance governing the treatment of voluntary self-disclosures in criminal sanctions and export control investigations.[30] To incentivize self-reporting, the NSD guidance established a presumption that a company that voluntarily discloses potentially willful criminal sanctions or export control violations will receive an NPA and will not pay a fine.[31] Although a company will not pay a fine under the NSD guidance, the company must still pay all disgorgement, forfeiture, and restitution resulting from the misconduct.[32] The NSD guidance also takes into account potential aggravating factors that could merit a DPA or guilty plea instead of an NPA. Listed aggravating factors present elevated threats to national security, such as the export of items known to be used in the construction of weapons of mass destruction, the knowing involvement of upper management in the criminal conduct, or repeated violations.[33] If aggravating factors are present such that a DPA or guilty plea is warranted, DOJ will recommend a reduced fine and will not require a monitor if the other requirements in the guidance are met, including voluntary self-disclosure, full cooperation with the government’s investigation, remediation, and the implementation of an effective compliance program.[34] In this way, the guidance assigns value to voluntary self-disclosure even where the facts and circumstances of a particular case otherwise make an NPA inappropriate in the eyes of DOJ.

Recent NSD Corporate Resolutions

Since the NSD guidance was published in December 2019, NSD has entered into five corporate resolutions. These resolutions provide an initial view into how DOJ is applying the updated NSD guidance in practice and how companies should weigh the guidance when considering a potential voluntary self-disclosure. We covered two of these resolutions in our 2020 Mid‑Year and Year-End Updates.

In 2021, NSD entered into NPAs with Avnet Asia Pte. Ltd (“Avnet”) and SAP SE (“SAP”). In January 2021, Avnet entered into a two-year NPA to resolve allegations related to an alleged criminal conspiracy carried out by former employees to violate U.S. export laws by shipping U.S. power amplifiers to Iran and China.[35] Avnet paid a $1.5 million penalty. Avnet did not receive voluntary self-disclosure credit. The NPA suggests that Avnet may have made a self-disclosure to DOJ after prosecutors initiated their own investigation as it states that Avnet did not receive voluntary self-disclosure credit because it did not disclose the conduct “prior to commencement of the investigation.”[36] In contrast, in April 2021 SAP entered into a three-year NPA after making voluntary self-disclosures to NSD, the Bureau of Industry and Security (“BIS”), and the Office of Foreign Assets Controls (“OFAC”) acknowledging violations of the Export Administration Regulations (“EAR”) and Iranian sanctions through the export of software to Iranian end users.[37] SAP received full credit for its timely voluntary self-disclosure to NSD and, consistent with the 2019 NSD guidance, SAP was required to disgorge $5.14 million but was not required to pay additional financial penalties pursuant to the NPA.[38] In the press release announcing the SAP NPA, NSD noted the December 2019 guidance and encouraged companies to make voluntary self-disclosures of all potentially willful violations of export control and sanctions laws.[39] The SAP NPA is the first clear example of NSD applying the updated NSD guidance and entering an NPA, and it appears that the updated NSD guidance may have informed the approach for the Avnet NPA as well.

By contrast, in early 2021, NSD entered into a DPA with PT Bukit Muria Jaya (“BMJ”) to resolve allegations of conspiracy to commit bank fraud in connection with providing goods to North Korea.[40] BMJ did not self-disclose and therefore did not receive voluntary self-disclosure credit, and the Company paid a $1.5 million penalty.[41] The BMJ DPA did not identify aggravating factors related to repeat offenses or the involvement of upper management, so it appears that the lack of voluntary self-disclosure may have meaningfully influenced DOJ’s decision to offer a DPA instead of an NPA.

Guidance for Practitioners

These NSD developments illustrate several important considerations for companies when evaluating if and when to disclose potential misconduct. The developments highlight the significant role played by NSD in the criminal enforcement of U.S. sanctions and export controls. Relatedly, the updated NSD guidance includes a stringent timing requirement for voluntary self-disclosures. To receive full credit, the updated NSD guidance requires that a company submit a voluntary self-disclosure to NSD rather than submitting it only to a regulatory agency (e.g. the Department of State’s Directorate of Defense Trade Controls (“DDTC”), BIS, or OFAC).[42] In the SAP case, for example, SAP made a voluntary self-disclosure to DOJ on the same day that a voluntary self-disclosure was made to OFAC.[43] In an investigation with NSD implications, careful consideration should be given to the NSD program.

Under the guidance, when considering the potential benefits or downside to self-disclosing misconduct, a company that discovers a potential willful export control or sanctions violation must carefully consider at what stage in an investigation the misconduct should be disclosed to the government; and to what agencies the disclosure should be made and in what sequence. The NSD guidance does not answer these questions so much as it emphasizes that, for any situation in which the conduct at issue could be of interest to DOJ, timely voluntary self-disclosure can carry significant weight in resolution negotiations.

Developments in SEC Whistleblower Program

Effective December 7, 2020, the SEC amended its whistleblower program rules to include NPAs and DPAs in its definition of “administrative action.”[44] Given that the SEC can award whistleblowers for information leading to a successful “administrative action,” this amendment expands the scope of actions in which the SEC can make such awards.[45] Gibson Dunn analyzed the changes to the whistleblower rules in an alert in September 2020, when the Commission first approved the amendments. In February 2021, the SEC made its first award under the new rules, which included a $9.2 million award to a whistleblower who reportedly provided “significant information” that led to “successful related actions” by DOJ, “one of which was” an NPA or DPA.[46] The SEC has continued to issue awards under this new rule. On October 29, 2021, the SEC announced an award of over $2 million to a whistleblower who provided information that led to a successful NPA or DPA.[47] The award order notes that the whistleblower “provided information that prompted the opening of the DOJ and SEC investigations.”[48] The whistleblower also “provided extensive, ongoing assistance in the investigations.”[49] This award came shortly after the SEC announced that it issued whistleblower awards in connection with four NPAs and DPAs in fiscal year 2021, accounting for more than $117 million in whistleblower awards, equivalent to approximately 21% of total whistleblower awards reported in 2021.[50]

This uptick in NPA- and DPA-related whistleblower awards is in line with the SEC’s overall whistleblower award increase. According to the 2021 Whistleblower Program Annual Report to Congress, the SEC broke nearly every whistleblower program record in fiscal year 2021, including the highest amount awarded, the highest number of individuals awarded, and the highest number of whistleblower tips received—all previous highs from only one year prior.[51] The report also states that the SEC has “made more whistleblower awards in FY 2021 than in all prior years combined.”[52] We can expect the trend in NPA- and DPA-related whistleblower awards to continue, particularly in light of the link the SEC rule amendments now make between whistleblower tips and related DOJ “administrative actions,” DOJ’s own plans for a “surge” in corporate enforcement[53], and the other features of the amended SEC rules that reinforce incentives for whistleblowers to report directly to the government without first reporting internally.

2021 Agreements Since Mid-Year

Bank of N.T. Butterfield & Son Ltd. (NPA)

On July 26, 2021, The Bank of N.T. Butterfield & Son Limited (“Butterfield” or “Bank”) entered into a three-year NPA with the Office of the United States Attorney (“USAO”) for the Southern District of New York and the DOJ Tax Division.[54] The government alleged that from at least 2001 through 2013, Butterfield, whose principal operations were based out of its Bermuda and Cayman Island operations, assisted U.S. taxpayer-clients in evading their U.S. tax obligations.[55] The government alleged that Butterfield knew or should have known that these clients were using their Butterfield accounts to evade U.S. tax obligations.[56]

In entering into the NPA, the USAO considered Butterfield’s voluntary and “extraordinary cooperation” with the government, specifically noting that the Bank turned over approximately 386 client files; its voluntary implementation of remedial measures beginning in or about 2013; and its representation that the conduct did not extend beyond what is described in the NPA’s statement of facts.[57] The government did not impose a criminal penalty on Butterfield. Butterfield agreed to pay $5.6 million in forfeiture and restitution and agreed not to contest a civil forfeiture action filed by the United States.[58] Further, Butterfield agreed to continuing cooperating and disclosure requirements for the NPA’s three-year term.[59] During this term, Butterfield is also required to report any criminal conduct by, and criminal investigations of, Butterfield or its employees related to any federal law violations that come to senior management’s attention, in addition to any administrative proceeding or civil action brought by the U.S. government in which Butterfield is a party.[60] Notwithstanding the three-year term, Butterfield is also required to cooperate with the government on any matters related to the conduct in the NPA until all investigations, proceedings, or appeals are concluded.[61]

Bicycle Casino (NPA)

On October 22, 2021, The Bicycle Casino, L.P. (“Bicycle”), a California-based hotel and casino, entered into a two-year NPA with the United States Attorney’s Office for the Central District of California to resolve an investigation into alleged violations of the anti-money laundering provisions of the Bank Secrecy Act (“BSA”).[62] According to the NPA, after a foreign national conducted certain transactions at the casino, Bicycle failed to properly file Currency Transaction Reports (“CTRs”) and Suspicious Activity Reports for Casinos (“SARCS”) that are required under the BSA.[63]

In deciding to enter into the NPA, DOJ considered Bicycle’s remedial efforts to strengthen its anti-money laundering program, as well as its cooperation with authorities during the investigation.[64] Additionally, Bicycle agreed to pay $500,000, which represents the revenue that Bicycle made from the foreign national in question, and to undergo enhanced review and reporting requirements. These requirements included both self-reporting and a one-time audit and report, within one year of signing the agreement and an at least two-year look-back review by an independent “third-party reviewer” retained by Bicycle and “subject to the determination of non-objection” of DOJ.[65]

Constructure Technologies (DPA)

On September 14, 2021, Constructure Technologies LLC (“Constructure”), a New York-based information technology services company, entered into a three-year DPA with the U.S. Attorney’s Office for the Eastern District of New York to resolve a criminal charge for violating the Digital Millennium Copyright Act (“DMCA”) in relation to certain copyright protection systems for software, including encryption systems.[66] Specifically, the government alleged that from 2011 to 2018, the company installed unlicensed versions of software for its customers using illegally-obtained license keys that company employees had acquired through cracking programs and key generators found on the internet. These keys allowed Constructure to grant its customers access to copyrighted software programs and then bill its customers for those same keys, which the customers believed to be legitimate license keys.[67] This case appears to be the first time that the DOJ has entered into either a DPA or NPA in relation to the DMCA.

Under the terms of the DPA, Constructure agreed to pay a criminal penalty of $60,000 and implement a compliance and ethics program that will enhance the company’s ability to prevent and detect future violations of the DMCA.[68] The company also agreed to fully cooperate with the government until the conclusion of the investigation or the end of the three-year DPA term, whichever is later.[69] Three Constructure employees, including two principals, pleaded guilty to misdemeanor charges of criminal copyright infringement and face up to one year in prison and a fine.[70]

Credit Suisse (DPA)

On October 19, 2021, Credit Suisse Group AG (“Credit Suisse”) entered into a three-year DPA with DOJ’s Money Laundering and Asset Recovery Section (“MLARS”) and Fraud Section, and the United States Attorney’s Office for the Eastern District of New York.[71] The government alleged that between 2013 and March 2017, Credit Suisse, through its subsidiary Credit Suisse Securities (Europe) Limited (“CSSEL”), defrauded investors in connection with a Mozambique lending project.[72] DOJ alleged that Credit Suisse hid information regarding the risk that proceeds from loans to three Mozambican government-owned entities were used to pay approximately $150 million in bribes to senior government officials and $50 million in kickbacks to two CSSEL employees.[73] DOJ also alleged that Credit Suisse hid from its investors information about debt owed by the Mozambique government.[74] The DPA followed guilty pleas by three CSSEL employees and was concurrent with CSSEL’s guilty plea to one count of conspiracy to commit wire fraud.[75]

Under the DPA, Credit Suisse agreed to pay a U.S. criminal monetary penalty of $247.5 million.[76] The DPA considered Credit Suisse’s resolutions with SEC and United Kingdom’s Financial Conduct Authority (“FCA”), which included (1) a $65 million civil penalty and $34.1 million in disgorgement and prejudgment interest to SEC, and (2) a $200.6 million penalty to FCA and a promise to irrevocably undertake $200 million of debt relief to Mozambique.[77] DOJ credited the Company for these payments, reducing its penalty to approximately $175.5 million.[78] The DPA did not credit the Company with voluntary disclosure or full cooperation with the government’s investigation.[79]

Gree Electric Appliances (DPA)

On October 28, 2021, Gree Electric Appliances Inc. of Zhuhai (“Gree Zhuhai”)—a China-based appliance manufacturer—and one of its subsidiaries entered into a three-year DPA with the U.S. Attorney’s Office for the Central District of California and DOJ’s Consumer Protection Branch (“CPB”) to resolve charges related to the companies’ failure to notify the U.S. Consumer Product Safety Commission (“CPSC”) of defects in its humidifiers.[80] DOJ alleged that the companies knew that their humidifiers failed to meet applicable safety standards and failed to notify the CPSC of these dangerous defects for six months.[81] The resolutions are the first corporate criminal enforcement actions that have been brought under the Consumer Product Safety Act of 1972, the law which established the CPSC.[82]

Under the DPA terms, Gree Zhuhai agreed to pay $91 million in penalties and agreed to provide restitution for any uncompensated victims that received injuries as a result of the companies’ humidifiers.[83] The companies also agreed to continue to cooperate with any ongoing or future investigations related to the defective humidifiers until these investigations are fully concluded.[84] Additionally, Gree Zhuhai and its affiliate agreed to strengthen their compliance programs and to provide DOJ with yearly reports about the companies’ remediation efforts and the status of their compliance programs.[85] Prior to the DPA, the Gree Companies had already agreed to pay a $15.45 million civil penalty as part of a 2016 settlement with the CPSC.[86] Consistent with DOJ’s policy of coordinating resolution penalties in multi-agency investigations arising out of the same misconduct, the DPA credits the Gree Companies’ earlier payment of $15.45 million to the CPSC against the $91 million total penalty.[87]

National Spine and Pain Centers (NSPC) (NPA)

On August 4, 2021, the National Spine and Pain Centers, LLC (“NSPC” or “Company”) entered into a two-year NPA with the United States Attorney’s Offices for the Central District of California and Southern District of California (collectively “USAO”).[88] NSPC agreed to pay $5.1 million to the government to resolve charges for receiving payments in violation of the Anti-Kickback Statute.

The USAO’s charges stem from NSPC’s and its affiliate’s agreement with Proove Biosciences, Inc. (“Proove”), a now defunct genetics testing company. The USAO alleged, and NSPC admitted, that NSPC’s and its affiliate’s physicians received illegal kickback payments from Proove “under the guise of a clinical research program,” that they were receiving payments “per test” or “per patient,” and that as part of the scheme, these physicians submitted timesheets used by Proove to pay the physicians which overstated the time they spent conducting clinical research.[89] The USAO also alleged that as a result of these violations, Medicare overpaid Proove for claims submitted in connection with its agreement with NSPC.[90] NSPC terminated its contract with Proove for compliance reasons in March 2017 before NSPC was acquired by a new ownership group.[91]

In entering into the NPA, the USAO considered NSPC’s commitment to compliance, specifically noting its implementation of a compliance program designed to ensure compliance with the Anti-Kickback Statute; the Company’s early engagement and cooperation with the USAO’s investigation; the Company’s acceptance of responsibility; the Company’s voluntary undertaking of remedial measures prior to its knowledge of the criminal investigation; and the Company’s agreement to continue to cooperate with the USAO, FBI, and HHS-OIG.[92] Further, the USAO determined that there was no need for an independent compliance monitor.[93]

Nine individuals were charged in connection with the alleged scheme in the Central District of California in a related case.[94]

Penn Credit Corp. (DPA)

On October 12, 2021, Penn Credit Corporation (“Penn Credit”), a debt collection company, entered into a two-year DPA with the United States Attorney’s Office for the Northern District of Illinois to resolve a corruption investigation.[95] According to the DPA, Penn Credit engaged in a corruption scheme at the direction of its former owner, Donald Donagher, Jr.[96] Donagher separately pleaded guilty to one count of bribery.[97] Specifically, the scheme involved Donagher underwriting certain expenses for a special event hosted by the former Cook County Circuit Court Clerk in an effort to reward the Clerk for awarding debt collection work to Penn Credit.[98]

DOJ entered into the agreement based on the nature and seriousness of the offense conduct, Penn Credit’s and its current management’s ongoing cooperation, and its remedial measures and operational improvements.[99] In terms of remedial measures, Penn Credit ensured that its former CEO is no longer employed by or has a business relationship with the company.[100] Further, Penn Credit and its current management created a compliance policy and code of ethics for the company and implemented a system involving company counsel to ensure compliance with laws and regulations relating to monetary contributions to campaigns and/or charitable entities run or managed by elected officials.[101] Additionally, Penn Credit agreed to report to DOJ annually during the term of the agreement regarding remediation and implementation of the compliance measures.[102] As a part of the DPA, Penn Credit will pay a monetary penalty of $225,000.[103]

SF Recology Group (DPA)

On September 9, 2021, three San Francisco-based trash disposal subsidiaries of Recology, Inc., entered into a three-year DPA with the United States Attorney’s Office for the Northern District of California and agreed to pay $36 million in criminal penalties.[104] The DPA resolved allegations that the companies conspired to commit honest services fraud in violation of 18 U.S.C. §§ 1343, 1346, and 1349.[105] Specifically, the companies admitted to utilizing recurring nonprofit donations to pay bribes and kickbacks or rewards to a former public official with the City and County of San Francisco, with the intent to obtain favorable official action and influence.[106]

As part of the resolution, Recology and its subsidiaries agreed to cooperate with the government’s ongoing investigation into public corruption, and to adopt a new compliance program or modify its existing compliance program.[107] The DPA outlines a number of remedial measures taken by Recology, including terminating employees identified as responsible for the underlying conduct.[108] In addition, Recology “revamped” its companywide compliance program by, among other things, developing new policy guidance, procedures, training and reporting mechanisms around travel expenses, charitable contributions, gifts, and interactions with public officials.[109]

International Developments

As noted in prior Mid-Year and Year-End Updates (see, e.g., our 2020 Year-End Update), a number of countries have adopted DPA-like regimes.[110] DPA-like agreements are available in Brazil, Canada, France, Singapore, and the United Kingdom, although prosecutors in Canada and Singapore have yet to enter into such an agreement since both countries passed legislation authorizing the practice in 2018.[111]

In 2021, France and Brazil had the most active DPA-like regimes. Prosecuting authorities in each country entered into four DPA-like agreements this year. The UK was close behind with the SFO entering into three DPAs in the first half of the year, but there have been no new agreements in the latter half of the year. For a summary of the DPAs entered by the SFO in 2021, see our 2021 Mid-Year Alert. As discussed there, the SFO has received wide-spread media attention recently for its failure to successfully prosecute individuals involved in the subject matter of past DPAs.

France

After a relatively quiet first half of the year, France’s prosecuting agencies entered into three DPA-like agreements (known as convention judiciaire d’intérêt public, or “CJIPs”) in the latter half of 2021. On July 12, 2021, Systra SA, a subsidiary of French state transport company RATP and public railway company SNCF, entered into a CJIP with the French National Prosecutor’s Office (PNF) to resolve allegations that it profited in the amount of €5 million by engaging in multiple bribery schemes in connection with public contracts in Azerbaijan and Uzbekistan between 2009 and 2014.[112] Consistent with the trend we are seeing in increasingly complex international enforcement interactions, the PNF initiated the investigation into Systra’s misconduct in 2017, based on a complaint filed by Japanese authorities in 2015, following a complaint by a Japanese expatriate living in Uzbekistan.[113] The PNF’s investigation also identified misconduct by Systra in connection with the award of an engineering contract in Azerbaijan in May 2009.[114]

Under the CJIP, Systra agreed to pay a €7.5 million fine (approximately $8.9 million at the time of the agreement), which reflected a significant reduction from the maximum permitted under the law (€187.2 million).[115] In imposing the reduced fine, the PNF considered mitigating factors such as the relatively distant dates of the misconduct, Systra’s implementation of a reinforced compliance program since the discovery of the facts, and the company’s ongoing cooperation and remediation.[116]

On September 2, 2021, JP Morgan Chase Bank (“JPMC”) entered into a CJIP with the PNF to resolve allegations that JPMC aided and abetted tax fraud committed by former executives and board directors at French investment company, the Wendel Group.[117] The investigation was opened in 2012 after the French tax authority filed a complaint related to a series of transactions made from 2004 to 2007.[118] JPMC allegedly helped finance 11 former executives and three former board directors at the Wendel Group to help them evade capital gains taxes on €315 million of investment income.[119] Under the terms of the agreement, JPMC agreed to pay €25 million (approximately $29.6 million at the time of the agreement).[120] JPMC’s role was limited to financing, and it did not act as a legal or tax advisor; PNF treated these facts, JPMC’s cooperation, and the isolated nature of the facts, as mitigating factors.[121] Conversely, the complexity of the individuals’ alleged tax scheme was considered an aggravating factor.[122] The individuals involved in the alleged misconduct are scheduled to go to trial in early 2022.[123]

Finally, on December 15, 2021, a luxury goods company agreed to pay €10 million (approximately $11.3 million) to resolve allegations that the company hired the former head of France’s domestic intelligence agency to spy on a French journalist and filmmaker and other private citizens.

Brazil

On October 25, 2021, Brazil’s Office of the Comptroller General (CGU) and the Attorney General of the Union (AGU) entered into a leniency agreement with Rolls-Royce PLC related to allegations that the company bribed public bribery Petrobras 2003, 2004, and 2005.[124] The agreement is related to the coordinated resolution Rolls-Royce entered into in 2017 with the UK’s SFO, the Brazilian Ministério Público Federal (MPF), and DOJ to resolve allegations that Rolls-Royce caused millions in bribes to be paid to officials of state-owned oil companies in Angola, Azerbaijan, Brazil, Iraq, Kazakhstan, and Thailand.[125] As discussed in our 2017 Mid-Year FCPA Update, under the terms of the 2017 settlement, Rolls-Royce agreed to pay over $800 million in penalties, including a penalty of approximately $25.5 million to the MPF in connection with conspiring to bribe Brazilian officials between 2005 and 2008.[126] Under the new agreement with the CGU and AGU, Rolls-Royce agreed to pay a penalty of $27.8 million.[127]

On June 7, 2021, manufacturing companies SICPA do Brasil Ltda (SICPA) and CEPTIS SA (CEPTIS), agreed to pay fines and restitution totaling 762 million reais (approximately $135.4 million), to be paid to the Brazilian government and the Brazilian Mint in 21 installments over a 20-year period.[128] Through its own internal investigation, SICPA identified irregularities in certain payments made to a public agent between 2009 and 2015 and self-disclosed the issue to Brazilian authorities.[129] The agreement recognizes the companies’ cooperation and remedial efforts.[130]

On February 22, 2021, South Korean shipbuilder Samsung Heavy Industries (SHI) entered into a leniency agreement with the CGU, AGU, MPF to resolve allegations that the company engaged in bribery and money laundering in connection with its contracts with Petrobras.[131] The agreement is second part of a global resolution SHI negotiated with Brazilian and U.S. authorities.[132] As discussed in our 2019 Year-End Update, in November 2019, SHI entered into a DPA with the DOJ and agreed to pay a $75.5 million penalty.[133] Under the new agreement with Brazilian authorities, SHI agreed to a pay a total of 812 million reais (approximately $148.56 million), reflecting 706 million reais in damages to be paid to Petrobras and a 106 million reais fine.[134]

Brazilian authorities entered into a fourth leniency agreement in 2021, in connection with the resolution with Amec Foster Wheeler Energy Limited (“AFWEL”) that we discussed in our 2021 Mid-Year Update.[135] DOJ and the SEC credited most of the amounts paid under the leniency agreement against those agencies’ resolutions in the AFWEL matter.[136]

APPENDIX: 2021 Non-Prosecution and Deferred Prosecution Agreements

The chart below summarizes the agreements entered into by DOJ in 2021. The SEC has not entered into any NPAs or DPAs in 2021. The complete text of each publicly available agreement is hyperlinked in the chart.

The figures for “Monetary Recoveries” may include amounts not strictly limited to an NPA or a DPA, such as fines, penalties, forfeitures, and restitution requirements imposed by other regulators and enforcement agencies, as well as amounts from related settlement agreements, all of which may be part of a global resolution in connection with the NPA or DPA, paid by the named entity and/or subsidiaries. The term “Monitoring & Reporting” includes traditional compliance monitors, self-reporting arrangements, and other monitorship arrangements found in settlement agreements.

U.S. Deferred and Non-Prosecution Agreements in 2020
Company	Agency	Alleged Violation	Type	Monetary Recoveries	Monitoring & Reporting	Term of DPA/NPA (months)
Amec Foster Wheeler Energy Limited	DOJ Fraud; E.D.N.Y.	Conspiracy to violate the FCPA	DPA	$41,139,287	Yes	36
American Century Companies, Inc.	DOJ Antitrust	Restraint of interstate trade	NPA	$1,500,000	Yes	36
Argos USA LLC	DOJ Antitrust	Price-fixing conspiracy	DPA	$20,024,015	Yes	36
A Medical Technology Company	DOJ Fraud; DOJ CPB; N.D. Tex.	FDCA	DPA	$22,228,000	Yes	36
Avnet Asia Pte. Ltd	D.D.C.; DOJ NSD	Export controls – conspiracy to violate the International Emergency Economic Powers Act	NPA	$1,508,000	Yes	24
Bank Julius Baer & Co. Ltd.	DOJ MLARS; E.D.N.Y.	AML	DPA	$79,688,400	Yes	36
Bank of N.T. Butterfield & Son Ltd.	DOJ Tax; S.D.N.Y.	Defrauding IRS; filing false tax returns; evading federal income tax	NPA	$5,600,000	No	36
Berlitz Languages, Inc.	DOJ Antitrust	Bid rigging	DPA	$203,984	Yes	36
Bicycle Casino	C.D. Cal.	Bank Secrecy Act	NPA	$500,000	Yes	24
The Boeing Company	DOJ Fraud; N.D. Texas	Fraud	DPA	$2,513,600,000	Yes	36
Colas Djibouti SARL	S.D. Cal.; DOJ Civil	FCA	DPA	$14,500,000	No	24
Comprehensive Language Center, Inc.	DOJ Antitrust	Bid rigging	DPA	$196,984	Yes	36
Constructure Technologies	E.D.N.Y.	Copyright	DPA	$60,000	No	36
Credit Suisse	E.D.N.Y.	Wire fraud	DPA	$ 274,619,872	Yes	36
Deutsche Bank AG	DOJ Fraud; MLARS; E.D.N.Y.	FCPA	DPA	$124,796,046	Yes	36
Epsilon Data Management, LLC	DOJ CPB; D. Colo.	Mail and wire fraud	DPA	$150,000,000	Yes	30
Gree Electric Appliances	DOJ CPB; C.D. Cal.	Failure to notify of substantial product hazards	DPA	$91,200,000	Yes	36
KBM Group, LLC	DOJ CPB; D. Colo.	Mail and wire fraud	DPA	$42,000,000	Yes	30
National Spine and Pain Centers	S.D. Cal.; C.D. Cal.	Conspiracy to defraud United States	NPA	$5,100,000	No	24
Penn Credit Corp.	N.D. Ill.	Offense against the United States; bribery	DPA	$225,000	Yes	24
PT Bukit Muria Jaya	D.D.C.; DOJ NSD	Bank fraud	DPA	$1,561,570	Yes	18
Rahn+Bodmer Co.	S.D.N.Y.; DOJ Tax	>Fraud, false tax return filings, and tax evasion	DPA	$22,000,000	No	36
SAP SE	DOJ NSD; D. Mass.	Export controls	NPA	$8,430,000	Yes	36
SF Recology Group	N.D. Cal.	Honest services wire fraud	DPA	$36,000,000	Yes	36
State Street Corporation	D. Mass.	Wire fraud	DPA	$211,575,000	Yes	24
Swiss Life Holding AG	S.D.N.Y.; DOJ Tax	Fraud, false tax return filings, and tax evasion	DPA	$77,374,337	No	36
United Airlines, Inc.	DOJ Fraud	Fraud	NPA	$49,458,102	No	36

__________________________

[1] For client reasons, an additional DPA is not discussed here but is included in relevant statistics.

[2] See infra “New NSD Corporate Resolutions”; see also U.S. Dep’t of Justice, NSD Div., Export Control and Sanctions Enforcement Policy for Business Organizations (Dec. 13, 2019), https://www.justice.gov/nsd/ces_vsd_policy_2019/download (hereinafter “Updated NSD Guidance”).

[3] See U.S. Dep’t of Justice, Fraud Section: Declinations, available at https://www.justice.gov/criminal-fraud/corporate-enforcement-policy/declinations.

[4] Clara Hudson, “DOJ sees decrease in corporate enforcement policy declinations,” Global Investigations Review (Apr. 15, 2021), https://globalinvestigationsreview.com/just-anti-corruption/fcpa/doj-corporate-enforcement-policy-declinations-decrease.

[5] Deputy Assistant Attorney General Matt Miner Delivers Remarks at The American Bar Association, Criminal Justice Section Third Global White Collar Crime Institute Conference, (June 27, 2019), available at https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-matt-miner-delivers-remarks-american-bar-association.

[6] Transcript, John Carlin on Stepping up DOJ Corporate Enforcement (Oct. 11, 2021), https://globalinvestigationsreview.com/news-and-features/in-house/2020/article/john-carlin-stepping-doj-corporate-enforcement.

[7] Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime (Oct. 28, 2021), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.

[8] See Assistant Attorney General Leslie R. Caldwell Delivers Remarks at a Press Conference on Foreign Exchange Spot Market Manipulation (May 20, 2015), available at https://www.justice.gov/opa/speech/assistant-attorney-general-leslie-r-caldwell-delivers-remarks-press-conference-foreign (“If appropriate and proportional to the misconduct and the company’s track record, we will tear up an NPA or a DPA and prosecute the offending company based on the admitted statement of facts”).

[9] Press Release, Monsanto Agrees to Plead Guilty to Illegally Using Pesticide at Corn Growing Fields in Hawaii and to Pay Additional $12 Million (Dec. 9, 2021), https://www.justice.gov/usao-cdca/pr/monsanto-agrees-plead-guilty-illegally-using-pesticide-corn-growing-fields-hawaii-and.

[10] Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime (Oct. 28, 2021), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.

[11] Id.

[12] Dylan Tokar, Justice Department Officials Dig In on Corporate Repeat Offenders, Wall. St. J. (Dec. 1, 2021), https://www.wsj.com/articles/justice-department-officials-dig-in-on-corporate-repeat-offenders-11638405092.

[13] Id.

[14] Transcript, John Carlin on Stepping up DOJ Corporate Enforcement (Oct. 11, 2021), https://globalinvestigationsreview.com/news-and-features/in-house/2020/article/john-carlin-stepping-doj-corporate-enforcement.

[15] Id.

[16] Deferred Prosecution Agreement, United States v. Epsilon Data Mgmt., LLC, No. 21-cr-06 (D. Colo. Jan. 19, 2021) (hereinafter “Epsilon DPA”), at C-5.

[17] Deferred Prosecution Agreement, United States v. Recology San Francisco, et al., No. CR21-356 (N.D. Cal. Sep. 9, 2021) (hereinafter “Recology DPA”), at B-4.

[18] Deferred Prosecution Agreement, United States v. Credit Suisse Group AG, Cr. No. 21-521 (E.D.N.Y. Oct. 19, 2021) (hereinafter “Credit Suisse DPA”), at C-9.

[19] Memorandum from Sally Quillian Yates, Deputy Attorney General, U.S. Dep’t of Justice, to Assistant Attorney General, Antitrust Division, et al., Individual Accountability for Corporate Wrongdoing (Sept. 9, 2015), at 3, http://www.justice.gov/dag/file/769036/download; as covered in our prior client alert here.

[20] See Deputy Attorney General Rod J. Rosenstein Delivers Remarks at the American Conference Institute’s 35th International Conference on the Foreign Corrupt Practices Act (Nov. 29, 2018), available at https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarks-american-conference-institute-0.

[21] Id.

[22] Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime (Oct. 28, 2021), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.

[23] Jack Queen, New DOJ Crime Chief Talks ‘Carrot And Stick’ Enforcement, Law360 (Dec. 8, 2021), https://www.law360.com/articles/1447069/new-doj-crime-chief-talks-carrot-and-stick-enforcement.

[24] See, e.g., Non-Prosecution Agreement, Petróleo Brasileiro S.A. – Petrobras (Sept. 26, 2018), at 5 (imposing obligation to “promptly report” “evidence or allegations of actual or potentially corrupt payments or actual or potential violations of the FCPA” to DOJ) (hereinafter “Petrobras NPA”); Deferred Prosecution Agreement, United States v. Telefonaktiebolaget LM Ericsson (Nov. 26, 2019), at 7 (hereinafter “Ericsson DPA”).

[25] Petrobras NPA at 5; Ericsson DPA at 18.

[26] See, e.g., Deferred Prosecution Agreement, United States v. Vitol Inc., No. 20-539 (ENV) (E.D.N.Y. Dec. 3, 2020).

[27] See, e.g., Deferred Prosecution Agreement, United States v. Deutsche Bank Aktiengesellschaft, No. 20-00584 (E.D.N.Y. Jan. 8, 2021); Deferred Prosecution Agreement, United States v. The Boeing Company (N.D. Tex. Jan. 7, 2021).

[28] See, e.g., Non-Prosecution Agreement, American Century Companies, Inc. (March 5, 2021); Deferred Prosecution Agreement, United States v. Argos USA LLC, No. 4:21-CR-0002-RSB-CLR (S.D. Ga. Jan. 4, 2021); Deferred Prosecution Agreement, United States v. Berlitz Languages, Inc., No. 21-51-FLW (D.N.J. Jan. 19, 2021); Deferred Prosecution Agreement, United States v. Comprehensive Language Center, Inc., No. 21-50-FLW (D.N.J. Jan. 19, 2021).

[29] See, e.g., Deferred Prosecution Agreement, United States v. Ticketmaster L.L.C., Cr. No. 20-563 (MKB) (E.D.N.Y. Dec. 29, 2020).

[30] U.S. Dep’t of Justice, NSD Div., Export Control and Sanctions Enforcement Policy for Business Organizations (Dec. 13, 2019), https://www.justice.gov/nsd/ces_vsd_policy_2019/download (hereinafter “Updated NSD Guidance”).

[31] Id. at 2. NSD defines an act as willful if done with knowledge that it is illegal. Id. at 1 n.2.

[32] Id. at 2-3.

[33] Id. at 6.

[34] Id. at 2.

[35] Press Release, U.S. Dep’t of Justice, Chinese National Charged with Criminal Conspiracy to Export US Power Amplifiers to China (Jan. 29, 2021), https://www.justice.gov/opa/pr/chinese-national-charged-criminal-conspiracy-export-us-power-amplifiers-china.

[36] Non-Prosecution Agreement, Avnet Asia Pte. Ltd. (Jan. 21, 2021), at 3, 4 (“The Company did not receive voluntary disclosure credit because it did not disclose to the Offices the conduct described in the Statement of Facts prior to commencement of the investigation.”)

[37] Press Release, U.S. Dep’t of Justice, SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and Enters into Non-Prosecution Agreement with DOJ (Apr. 29, 2021), https://www.justice.gov/opa/pr/sap-admits-thousands-illegal-exports-its-software-products-iran-and-enters-non-prosecution.

[38] Id.

[39] Id.

[40] Press Release, U.S. Dep’t of Justice, Indonesian Company Admits to Deceiving U.S. Banks in Order to Trade with North Korea, Agrees to Pay a Fine of More Than $1.5 Million (Jan. 17, 2021), https://www.justice.gov/opa/pr/indonesian-company-admits-deceiving-us-banks-order-trade-north-korea-agrees-pay-fine-more-15.

[41] United States v. PT Bukit Muria Jaya, No. 21-cr-14 (D.D.C. Jan. 14, 2021), at Attach. A, 3-4, 7‑8.

[42] Updated NSD Guidance, supra note 1, at 3 (“It is important to note that when a company identifies potentially willful conduct, but chooses to self-report only to a regulatory agency and not to DOJ, the company will not qualify for the benefits of a VSD under this Policy in any subsequent DOJ investigation.”).

[43] Non-Prosecution Agreement, SAP SE (Apr. 29, 2021), at Attach. A, 5 (“On September 8, 2017, SAP made a voluntary self-disclosure to DOJ’s National Security Division and the U.S. Department of the Treasury’s Office of Foreign Assets Control (‘OFAC&rsqrsquo;) regarding potential violations of the ITSR.”)

[44] 17 C.F.R. § 240.21F-4(d)(3)(i)-(ii).

[45] Id; 17 C.F.R. § 240.21F.

[46] Press Release, U.S. Sec. and Exch. Comm’n, SEC Awards More Than $9.2 Million to Whistleblower for Successful Related Actions, Including Agreement with DOJ (Feb. 23, 2021), https://www.sec.gov/news/press-release/2021-31; SEC Order Determining Whistleblower Award Claim, Release No. 91183 (Feb. 23, 2021), at 2, https://www.sec.gov/rules/other/2021/34-91183.pdf.

[47] Press Release, U.S. Sec. and Exch. Comm’n, SEC Awards More Than $2 Million to Whistleblower for Successful Related Action (Oct. 29, 2021), https://www.sec.gov/news/press-release/2021-220 (hereinafter “$2M Whistleblower Press Release”); SEC Order Determining Whistleblower Award Claim, Release No. 93465 (Oct. 29. 2021), https://www.sec.gov/rules/other/2021/34-93465.pdf (hereinafter “$2M Whistleblower Award Order”).

[48] $2M Whistleblower Award Order, at 2.

[49] Id.

[50] U.S. Sec. and Exch. Comm’n, Office of the Whistleblower, 2021 Annual Report to Congress: Whistleblower Program (2021), https://www.sec.gov/files/owb-2021-annual-report.pdf (hereinafter “2021 SEC Whistleblower Report”), at 1, 20.

[51] 2021 SEC Whistleblower Report, at 1.

[52] Id.

[53] Transcript, John Carlin on Stepping up DOJ Corporate Enforcement (Oct. 11, 2021), https://globalinvestigationsreview.com/news-and-features/in-house/2020/article/john-carlin-stepping-doj-corporate-enforcement.

[54] Non-Prosecution Agreement, Bank of N.T. Butterfield & Son Ltd. (Jul. 26, 2021) (hereinafter “Butterfield NPA”).

[55] Id. at 1.

[56] Id., Ex. A at 2.

[57] Id. at 1.

[58] Press Release, U.S. Dep’t of Justice, Manhattan U.S. Attorney Announces Agreement With Bermudian Bank To Resolve Criminal Tax Investigation (Aug. 3, 2021), https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-agreement-bermudian-bank-resolve-criminal-tax.

[59] Butterfield NPA at 2.

[60] Id. at 2‑3.

[61] Id.

[62] Non-Prosecution Agreement, The Bicycle Casino, L.P. (Oct. 22, 2021), (hereinafter “Bicycle NPA”); Press Release, U.S. Dep’t Justice, Bicycle Casino Agrees to Pay $500,000 Settlement and Submit to Increased Review of Anti-Money Laundering Compliance Program (Nov. 5, 2021), https://www.justice.gov/usao-cdca/pr/bicycle-casino-agrees-pay-500000-settlement-and-submit-increased-review-anti-money (hereinafter “Bicycle NPA Press Release”).

[63] Bicycle NPA Press Release.

[64] Id.

[65] Id.

[66] Press Release, U.S. Dep’t of Justice, Three Employees of a Long Island Information Technology Company Plead Guilty to Criminal Copyright Infringement (Sep. 16, 2021), https://www.justice.gov/usao-edny/pr/three-employees-long-island-information-technology-company-plead-guilty-criminal (hereinafter “Constructure Technologies DPA Press Release”).

[67] Id.

[68] Id.

[69] Deferred Prosecution Agreement, United States v. Constructure Technologies, LLC, No. 2:21-cr-00368, at 3 (E.D. N.Y., Sep. 15, 2021).

[70] Constructure Technologies DPA Press Release.

[71] Press Release, U.S. Dep’t of Justice, Credit Suisse Resolves Fraudulent Mozambique Loan Case in $547 Million Coordinated Global Resolution (Oct. 19, 2021), https://www.justice.gov/opa/pr/credit-suisse-resolves-fraudulent-mozambique-loan-case-547-million-coordinated-global.

[72] Id.

[73] Id.

[74] Id.

[75] Id.

[76] Id.

[77] Deferred Prosecution Agreement, United States v. Credit Suisse Group AG, No. 21-cr-00521, at 5 (E.D. N.Y., Oct. 19, 2021) (hereinafter “Credit Suisse DPA”).

[78] Credit Suisse Press Release, supra note 58.

[79] Credit Suisse DPA at 4.

[80] Deferred Prosecution Agreement, United States v. Gree Electric Appliances, Inc. of Zhuhai, and Hong Kong Gree Electric Appliances Sales Co., Ltd., (C.D. Cal. Oct. 28, 2021) (hereinafter “Gree DPA”); Press Release, U.S. Dep’t of Justice, Gree Appliance Companies Charged with Failure to Report Dangerous Dehumidifiers and Agree to $91 Million Resolution (Oct. 28, 2021), https://www.justice.gov/opa/pr/gree-appliance-companies-charged-failure-report-dangerous-dehumidifiers-and-agree-91-million (hereinafter “Gree Press Release”).

[81] Gree Press Release.

[82] Id.

[83] Id.

[84] Id.

[85] Id.

[86] Gree DPA at 17.

[87] Id. at 17‑18.

[88] Non-Prosecution Agreement, National Spine and Pain Centers, LLC (Aug. 3, 2021) (hereinafter “NSPC NPA”).

[89] Press Release, U.S. Dep’t of Justice, Pain Management Organization Pays $5.1 Million to Settle Criminal Medicare Kickback Violations (Aug. 6, 2021), https://www.justice.gov/usao-sdca/pr/pain-management-organization-pays-51-million-settle-criminal-medicare-kickback.

[90] NSPC NPA.

[91] Id.

[92] Id.

[93] Id.

[94] Case No. 21CR0112-JLS; Press Release, U.S. Dep’t of Justice, Pain Management Organization Pays $5.1 Million to Settle Criminal Medicare Kickback Violations (Aug. 6, 2021), https://www.justice.gov/usao-sdca/pr/pain-management-organization-pays-51-million-settle-criminal-medicare-kickback.

[95] Deferred Prosecution Agreement, United States v. Penn Credit Corporation, No. 19 CR 240 (Oct. 12, 2021), (hereinafter “Penn Credit DPA”); Press Release, Owner of Debt Collection Company Pleads Guilty to Corruptly Providing Benefits to Public Official (Oct. 12, 2021), https://www.justice.gov/usao-ndil/pr/owner-debt-collection-company-pleads-guilty-corruptly-providing-benefits-public (hereinafter “Penn Credit DPA Press Release”).

[96] Penn Credit DPA Press Release.

[97] Id.

[98] Id.

[99] Penn Credit DPA at 2-3.

[100] Id. at 6.

[101] Id.

[102] Id.

[103] Id.

[104] Press Release, U.S. Dep’t of Justice, Three San Francisco Garbage Companies Admit Bribery And Pay $36 Million To Resolve Federal Investigation (September 9, 2021), https://www.justice.gov/usao-ndca/pr/three-san-francisco-garbage-companies-admit-bribery-and-pay-36-million-resolve-federal.

[105] Deferred Prosecution Agreement, United States v. Recology San Francisco, Sunset Scavenger Company. Golden Gate Disposal & Recycling Company, No. 21-cr-356 (N.D. Cal., Sept. 9, 2021) (hereinafter “SF Recology DPA”).

[106] Id. at A-2.

[107] Id. at 4, 7.

[108] Id. at 7.

[109] Id at 7-8.

[110] Gibson, Dunn & Crutcher, 2020 Year-End Update On Corporate Non-Prosecution Agreements And Deferred Prosecution Agreements, at 22 (Jan. 19, 2021), https://www.gibsondunn.com/2020-year-end-update-on-corporate-non-prosecution-agreements-and-deferred-prosecution-agreements/.

[111] Lawrence F. Ritchie & Sonja Pavic, Canada’s Deferred Prosecution Agreements: Still Waiting for Takeoff, Osler (Dec. 11, 2020), https://www.osler.com/en/resources/regulations/2020/canada-s-deferred-prosecution-agreements-still-waiting-for-takeoff; Criminal Justice Reform Act 2018 (Act. No. 19/2018) (Sg.), https://sso.agc.gov.sg/Acts-Supp/19-2018.

[112] James Thomas, Regular compliance renewal helps French transport company minimize corruption fine, Global Investigations Review (Aug. 2, 2021) https://globalinvestigationsreview.com/anti-corruption/regular-compliance-renewal-helps-french-transport-company-minimise-corruption-fine

[113] Id.

[114] Id.

[115] Id.

[116] Id.

[117] Leila Abboud, JPMorgan to pay €25m to settle tax fraud case in France, Financial Times (Sept. 2, 2021) https://www.ft.com/content/0b845a1c-0b73-400f-93c5-b3d3d08ffe08/.

[118] Id.

[119] Fraude fiscale d’ex-dirigeants de Wendel: JPMorgan paie 25 millions d’euros d’amende pour clore les poursuites, Le Figaro (Sept. 2, 2021), https://www.lefigaro.fr/societes/fraude-fiscale-d-ex-dirigeants-de-wendel-jpmorgan-paie-25-millions-d-euros-d-amende-pour-clore-les-poursuites-20210902. \

[120] Id.

[121] Id.

[122] Id.

[123] US bank agrees 25 million euro deal to settle French tax fraud investigation (Sept. 2, 2021), https://www.rfi.fr/en/france/20210902-us-bank-agrees-25-million-euro-deal-to-settle-french-tax-fraud-investigation.

[124] CGU e AGU assinam acordo de leniência com a Rolls-Royce PLC (Oct. 26, 2021), https://www.gov.br/cgu/pt-br/assuntos/noticias/2021/10/cgu-e-agu-assinam-acordo-de-leniencia-com-a-rolls-royce-plc.

[125] Gibson, Dunn & Crutcher, 2017 Mid-Year FCPA Update, at 4-5 (July 10, 2017), https://www.gibsondunn.com/2017-mid-year-fcpa-update/.

[126] Id.

[127] CGU e AGU assinam acordo de leniência com a Rolls-Royce PLC (Oct. 26, 2021), https://www.gov.br/cgu/pt-br/assuntos/noticias/2021/10/cgu-e-agu-assinam-acordo-de-leniencia-com-a-rolls-royce-plc.

[128] Brazil Leniency Agreement (June 7, 2021), https://www.sicpa.com/news/brazil-leniency-agreement.

[129] CGU and AGU Enter Into a Leniency Agreement with the Companies SICPA and CEPTIS in the Amount of BRL 762 million, gov.br (June 7, 2021), https://www.gov.br/cgu/pt-br/assuntos/noticias/2021/06/cgu-e-agu-celebram-acordo-de-leniencia-com-as-empresas-sicpa-e-ceptis-no-valor-de-r-762-milhoes.

[130] Id.

[131] UPDATE 1-South Korea’s Samsung Heavy settles Brazil graft probe for $149 mln, Reuters (Feb. 23, 2021), https://www.reuters.com/article/samsung-heavy-brazil-corruption/update-1-south-koreas-samsung-heavy-settles-brazil-graft-probe-for-149-mln-idUSL1N2KT0E1.

[132] Id.

[133] Gibson, Dunn & Crutcher, 2019 Year-End FCPA Update, at 8 (Jan. 6, 2020), https://www.gibsondunn.com/2019-year-end-fcpa-update/.

[134] UPDATE 1-South Korea’s Samsung Heavy settles Brazil graft probe for $149 mln, Reuters (Feb. 23, 2021), https://www.reuters.com/article/samsung-heavy-brazil-corruption/update-1-south-koreas-samsung-heavy-settles-brazil-graft-probe-for-149-mln-idUSL1N2KT0E1.

[135] CGU and AGU Enter Into a R$86 Million Leniency Agreement with Companies for Illicit Activities in a Project with Petrobras (June 25, 2021), https://www.gov.br/cgu/pt-br/assuntos/noticias/2021/06/cgu-e-agu-celebram-acordo-de-leniencia-de-r-86-milhoes-com-empresas-por-ilicitos-em-projeto-com-a-petrobras.

[136] Deferred Prosecution Agreement, United States v. Amec Foster Wheeler Energy Limited, No. 21-cr-298 (E.D. N.Y., June 23, 2021) (hereinafter “Amec DPA”); Order Instituting Cease-and-Desist Proceedings Pursuant to Section 21C of The Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order, Release No. 92259 (June 25, 2021), https://www.sec.gov/litigation/admin/2021/34-92259.pdf.

The following Gibson Dunn lawyers assisted in preparing this client update: F. Joseph Warin, M. Kendall Day, Courtney Brown, Melissa Farrar, Laura Cole, Michael Dziuban, Alexandra Buettner, Will Cobb, Abiel Garcia, Yamini Grema, Sarah Hafeez, Cate Harding, Jasdeep Kaur, Teddy Kristek, Madelyn La France, Allison Lewis, Jacob McGee, Katie Mills, Tory Roberts, Alyse Ullery-Glod, and Brian Williamson.

Gibson Dunn’s White Collar Defense and Investigations Practice Group successfully defends corporations and senior corporate executives in a wide range of federal and state investigations and prosecutions, and conducts sensitive internal investigations for leading companies and their boards of directors in almost every business sector. The Group has members across the globe and in every domestic office of the Firm and draws on more than 125 attorneys with deep government experience, including more than 50 former federal and state prosecutors and officials, many of whom served at high levels within the Department of Justice and the Securities and Exchange Commission, as well as former non-U.S. enforcers. Joe Warin, a former federal prosecutor, is co-chair of the Group and served as the U.S. counsel for the compliance monitor for Siemens and as the FCPA compliance monitor for Alliance One International. He previously served as the monitor for Statoil pursuant to a DOJ and SEC enforcement action. He co-authored the seminal law review article on NPAs and DPAs in 2007. M. Kendall Day is a partner in the Group and a former white collar federal prosecutor who spent 15 years at the Department of Justice, rising to the highest career position in the DOJ’s Criminal Division as an Acting Deputy Assistant Attorney General.

The Group has received numerous recognitions and awards, including its third consecutive ranking as No. 1 in the Global Investigations Review GIR 30 2020, an annual guide to the world’s top 30 cross-border investigations practices. GIR noted, “Gibson Dunn & Crutcher is the premier firm in the investigations space and has an unrivalled Foreign Corrupt Practices Act practice.” The list was published in October 2020.

Please feel free to contact any of the following practice leaders and members:

Denver
Robert C. Blume (+1 303-298-5758, [email protected])
John D.W. Partridge (+1 303-298-5931, [email protected])
Ryan T. Bergsieker (+1 303-298-5774, [email protected])
Laura M. Sturges (+1 303-298-5929, [email protected])

Los Angeles
Nicola T. Hanna (+1 213-229-7269, [email protected])
Debra Wong Yang (+1 213-229-7472, [email protected])
Marcellus McRae (+1 213-229-7675, [email protected])
Michael M. Farhang (+1 213-229-7005, [email protected])
Douglas Fuchs (+1 213-229-7605, [email protected])
Eric D. Vandevelde (+1 213-229-7186, [email protected])

Palo Alto
Benjamin B. Wagner (+1 650-849-5395, [email protected])

San Francisco
Winston Y. Chan (+1 415-393-8362, [email protected])
Thad A. Davis (+1 415-393-8251, [email protected])
Charles J. Stevens (+1 415-393-8391, [email protected])
Michael Li-Ming Wong (+1 415-393-8234, [email protected])

London
Patrick Doris (+44 20 7071 4276, [email protected])
Charlie Falconer (+44 20 7071 4270, [email protected])
Sacha Harber-Kelly (+44 20 7071 4205, [email protected])
Michelle Kirschner (+44 20 7071 4212, [email protected])
Matthew Nunan (+44 20 7071 4201, [email protected])
Philip Rocher (+44 20 7071 4202, [email protected])
Steve Melrose (+44 20 7071 4219, [email protected])

Paris
Benoît Fleury (+33 1 56 43 13 00, [email protected])
Bernard Grinspan (+33 1 56 43 13 00, [email protected])

Munich
Benno Schwarz (+49 89 189 33-110, [email protected])
Michael Walther (+49 89 189 33-180, [email protected])
Mark Zimmer (+49 89 189 33-130, [email protected])

Dubai
Graham Lovett (+971 (0) 4 318 4620, [email protected])

Hong Kong
Kelly Austin (+852 2214 3788, [email protected])
Oliver D. Welch (+852 2214 3716, [email protected])

São Paulo
Lisa A. Alfaro (+5511 3521-7160, [email protected])
Fernando Almeida (+5511 3521-7093, [email protected])

Singapore
Joerg Bartz (+65 6507 3635, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Click for PDF

Thirty-five years ago, Congress ushered in the modern era of False Claims Act (“FCA”) enforcement when it enacted the False Claims Amendments Act of 1986. At the time, the FCA was a seldom-enforced statute that resulted in government recoveries each year counted in the tens of millions. Now, 35 years later, the FCA is firmly—and consistently from one administration to another—established as the government’s principal fraud enforcement tool, netting the government annual recoveries counted in the billions. This past year underscored the continuing impact of the FCA and attendant risks to companies that do business—directly or indirectly—with the government.

DOJ announced that it collected more than $5.6 billion in FCA and related recoveries during FY 2021, which is the second-largest total ever for FCA recoveries and the largest since 2014. That figure is inflated by Purdue Pharma’s $2.8 billion bankruptcy payment in connection with its opioid resolutions; but even without the Purdue payment, the government still recovered $2.8 billion from FCA defendants, in line with year-over-year trends for the last 5 years.

Meanwhile, on the legislative and policy front, the chief architect of the 1986 amendments, Senator Chuck Grassley (R-IA), advanced new legislation aimed at strengthening the FCA even further. DOJ also announced several of its own efforts to strengthen the FCA, including plans to unwind Trump Administration policies, leverage the FCA in cybersecurity enforcement, and police fraud on COVID-19 stimulus programs. On the judicial front, the federal appellate courts issued a number of significant decisions in the second half of 2021, including important decisions exploring the FCA’s materiality and scienter requirements, the public disclosure bar, and pleading fraud with particularity under Rule 9(b).

Below, we begin by summarizing recent enforcement activity, then provide an overview of notable legislative and policy developments at the federal and state levels, and finally analyze significant court decisions from the past six months.

As always, Gibson Dunn’s recent publications regarding the FCA may be found on our website, including in-depth discussions of the FCA’s framework and operation, industry-specific presentations, and practical guidance to help companies avoid or limit liability under the FCA. And, of course, we would be happy to discuss these developments—and their implications for your business—with you.

I. FCA ENFORCEMENT ACTIVITY

A. NEW FCA ACTIVITY

The government and qui tam relators filed 801 new cases in 2022.[1] That number is down from the unprecedented heights reached in 2020 (when there were a record 922 new FCA cases), but is consistent with the pace otherwise set over the past decade, reflecting the upward trend in FCA activity by qui tam relators and the government since the 2009 amendments to the statute.[2]

Last year, we noted that the government filed an abnormally high number of cases (250) on its own—i.e., without the involvement of qui tam relators. Cases of this sort remained historically high in 2021: although they dipped from 2020’s all-time high, DOJ initiated 203 cases in 2021, the second-highest total in the last 25 years. As discussed below, cases where the government is involved—either because the government brought the case, or later intervened—typically account for 90% of all FCA recoveries. If the government continues to bring more than 200 cases a year—up from an average of ~120 in the prior decade—then we will also expect to see increased DOJ recoveries. With the government’s stated commitments to proactive enforcement initiatives focusing on COVID stimulus fraud, cybersecurity, and matters stemming from health care data analysis, the number of government-driven new cases is likely to stay very high in 2022.

Number of FCA New Matters, Including Qui Tam Actions

Source: DOJ “Fraud Statistics – Overview” (Feb. 1, 2022)

B. TOTAL RECOVERY AMOUNTS: 2021 RECOVERIES EXCEED $5.6 BILLION

The federal government recovered more than $5.6 billion during fiscal year 2021, which ended September 30, 2021. Of this amount, more than 90% was recovered in intervened cases, underscoring once again that companies face more significant exposure in cases in which the government initiated the case or intervened. Still, it is worth noting that relators’ recoveries from declined cases remained historically high since escalating significantly as a percentage of total recoveries in 2015; this data point reflects recent trends in relators’ willingness and ability to pursue cases into litigation after the government declines to intervene.

DOJ touted in its annual press release that the $5.6 billion haul represents the “second largest annual total in False Claims Act history, and the largest since 2014.”[3] But that only tells part of the story. The total includes approximately $3.2 billion in settlements stemming from the opioid crisis, including the $2.8 billion claim that Purdue agreed to allow in its bankruptcy “to resolve civil allegations that the company promoted its opioid drugs to health care providers it knew were prescribing opioids for uses that were unsafe, ineffective, and medically unnecessary, and that often led to abuse and diversion.”[4]

If the Purdue bankruptcy amount is removed, the government’s total recoveries this year are $2.8 billion. That amount is in line with trends during the last 5 years, while marking an increase from last year’s total of $2.2 billion.

Settlements or Judgments in Cases Where the Government Declined Intervention as a Percentage of Total FCA Recoveries

Source: DOJ “Fraud Statistics – Overview” (Feb. 1, 2022)

C. INDUSTRY BREAKDOWN

The relative breakdown of FCA recoveries across industries remained consistent with past years. Health care cases comprised 90% of total recoveries, Department of Defense procurement issues made up 2%, and the remaining 8% was split among other industries.[5] If you exclude the Purdue bankruptcy amount, then health care cases were 80% of recoveries, defense procurement cases were 4%, and other cases accounted for the remaining 16%.

Within the health care industry, DOJ announced that its primary areas of enforcement were opioid abuse, Medicare Advantage (Part C) fraud, illegal kickbacks, and provision of medically unnecessary services. While opioids, kickbacks, and provision of medically unnecessary services are familiar entries on the list of top theories for the government, the emergence of alleged Medicare Advantage fraud as one of DOJ’s top sources for FCA settlements is a relatively new development. Although close observers of the FCA have watched for several years as DOJ began to pursue these cases in earnest, those efforts are just beginning to result in significant recoveries for the government.

FCA Recoveries by Industry

Source: DOJ “Fraud Statistics – Overview” (Feb. 1, 2022)

II. NOTEWORTHY DOJ ENFORCEMENT ACTIVITY DURING THE SECOND HALF OF 2021

We summarize below the most notable FCA settlements in the second half of calendar year 2021, with a focus on the industries and theories of liability involved. We covered settlements from the first half of the year in our 2021 Mid-Year Update.

A. HEALTH CARE AND LIFE SCIENCE INDUSTRIES

On July 2, two rehabilitation therapy providers agreed to pay $8.4 million to resolve allegations that they violated the FCA by encouraging skilled nursing facilities in New York and New Jersey to bill Medicare for rehabilitation therapy services that were unnecessary, unreasonable, and performed by unskilled employees. The allegations stemmed from a qui tam suit filed by a former employee of the provider; the whistleblower’s share of the recovery was not reported with the settlement.[6]
On July 2, an Ohio-based regional hospital system committed to pay $21.25 million to settle allegations that it paid certain physician groups substantially more than fair market value for patient referrals and then billed Medicare for these illegally referred patients, in violation of the Anti-Kickback Statute and the Stark Law. DOJ noted that the hospital system received credit for disclosing the allegedly improper compensation arrangements, which were implemented by the system’s prior leadership. The settlement also resolved claims brought under a qui tam suit filed by the hospital system’s former Director of Internal Audit; the whistleblower’s share of the recovery was not reported at the time of settlement.[7]
On July 8, two related medical device manufacturers agreed to pay $38.75 million to resolve allegations that they violated the FCA by submitting, and causing others to submit, claims to Medicare for defective blood coagulation monitors (used by patients prescribed anticoagulant drugs to verify that they were taking a clinically appropriate and safe dosage of the medication). The government alleged that the manufacturers knew the monitors contained a material defect, which purportedly produced inaccurate and unreliable results, but nonetheless billed Medicare for use of the devices and did not take appropriate corrective action until the U.S. Food & Drug Administration (“FDA”) initiated a product recall.[8]
On July 8, a medical device manufacturer committed to pay $27 million to settle allegations that it violated the FCA by knowingly selling defective miniature defibrillators to health care facilities that surgically implanted the devices into patients enrolled in federal health insurance programs. The government alleged that the manufacturer knew that the batteries in some of the defibrillators depleted prematurely and that two serious injuries and one death had been associated with premature battery depletion, but kept this information from the FDA when seeking approval for a change to the device to fix this issue. The settlement also resolved a qui tam suit filed by one of those patients; the whistleblower’s share of the recovery was not reported with the settlement.[9]
On July 19, one of the country’s largest hospital systems, the system’s chief executive, and a referring physician entered into a $37.5 million joint settlement with DOJ and the California Department of Justice resolving federal and state fraud allegations. The settlement stemmed from two qui tam suits filed by former employees of the hospital system; the United States declined to intervene in those suits, but it participated in negotiating the settlement agreement. The agreement resolved allegations that the hospital system paid kickbacks to the referring physician in exchange for patient referrals; that the hospital system and the referring physician knowingly billed Medicare and Medi-Cal for another, suspended doctor’s services under the referring physician’s billing number; and that the hospital system and its chief executive knowingly overbilled Medi-Cal and two federal programs for implantable medical devices. As part of the settlement, the hospital system and its chief executive entered into a five-year Corporate Integrity Agreement requiring the system to maintain a compliance program and hire an Independent Review Organization to assess certain business transactions. One of the whistleblowers, a former hospital executive, will receive approximately $10 million of the recovery.[10]
On July 23, a rehabilitation therapy provider in California agreed to pay $2 million to settle allegations that it caused false claims to be submitted to Medicare by pressuring therapists to artificially increase the number of patients who received Medicare’s most expensive level of care for skilled nursing, “Ultra High,” even when that level of services was not necessary. The settlement resolved a qui tam suit filed by a former Director of Rehabilitation at the company, who will receive $360,000 of the settlement proceeds.[11]
On July 21, an ambulatory electroencephalography (“EEG”) testing company and a private investment firm that owned a minority share in the company, both based in Texas, agreed to pay $15.3 million to settle kickback and false billing allegations. The United States alleged that the testing company improperly: induced physicians to refer patients to the company in exchange for free EEG test-interpretation reports; inflated invoices for certain EEG testing by using inaccurate billing codes; and billed for a specialized digital analysis that it never performed. The United States also alleged that the private investment firm learned about these schemes when performing pre-investment due diligence but allowed the schemes to continue. The settlement agreement consisted of payments to both the federal government and state Medicaid programs and also resolved claims brought under six different qui tam Two of the relators received approximately $3 million of the settlement funds; the respective shares of the other relators were not included in the settlement announcement.[12]
On July 20, a Billings, Montana rheumatologist committed to pay $2 million to resolve allegations that he violated the FCA by billing Medicare for improper medical treatments. The United States asserted that the rheumatologist knowingly billed Medicare for MRI scans, patient visits, and biologic infusions on behalf of patients who did not have rheumatoid arthritis.[13]
On August 2, a recently closed mail-order diabetic testing supplier and its parent company agreed to pay $160 million to resolve allegations that they violated the FCA through a kickback scheme and other fraudulent billing practices. The government alleged that the testing supplier, with its parent company’s approval, paid kickbacks to Medicare beneficiaries in the form of free glucometers and waived co-payments; billed Medicare for glucometers for which patients were not eligible; and billed Medicare on behalf of deceased patients, which led Medicare to revoke the company’s supplier number in 2016. In 2019, the testing company’s two founders each paid $500,000 to resolve allegations that they were personally involved in the kickback scheme. The civil settlement also resolves a qui tam suit filed by a former employee who worked at the testing company’s call center; he will receive approximately $28.5 million as his share of the recovery.[14]
On August 5, a hospital system in Michigan agreed to pay $2.8 million to resolve allegations that it violated the FCA by submitting bills to federal health care programs for medically unnecessary procedures performed by a specific physician. In the settlement announcement, DOJ noted that the hospital system made a submission under the Provider Self-Disclosure Protocol of the U.S. Department of Health & Human Services, Office of Inspector General (“HHS-OIG”) and implemented several remedial measures to address the physician’s conduct, such as hiring another physician to conduct a peer review, placing the physician in a performance improvement plan, and ultimately ending its relationship with the physician. The settlement also resolved a qui tam suit filed by three individuals, who received a combined payment of $532,000 as their share of the recovery.[15]
On August 6, a county medical center in California agreed to pay $11.4 million to settle allegations that it submitted, or caused the submission of, false claims to Medicare by admitting Medicare beneficiaries for inpatient services that were not medically necessary, such as when no alternative placements for a beneficiary could be found. As a part of the settlement, the medical center entered into a Corporate Integrity Agreement requiring the center to hire an Independent Review Organization to annually review the medical center’s inpatient admissions and billings of federal health insurance programs. The settlement also resolved a qui tam suit filed by a former employee of the medical center; that individual’s share of the recovery was not reported with the settlement announcement.[16]
On August 25, a California-based provider of home respiratory services and durable medical equipment agreed to pay $3.3 million total to the United States, California, and Nevada to settle allegations that it violated the FCA by billing public health care programs for home ventilators that were not medically necessary or that patients were no longer using. The settlement also resolved a qui tam suit filed by a respiratory therapist who worked for the company, who will receive approximately $612,000 as his share of the settlement amount.[17]
On August 26, a mental health and addiction treatment services provider agreed to the entry of judgments totaling over $15 million to resolve allegations that it violated the FCA and the Controlled Substances Act. Approximately $13.7 million, plus interest, of the judgment went to resolving allegations that the provider billed Medicare and Medicaid for mental health services performed by unqualified practitioners and billed Medicaid for mental health services using incorrect procedure codes that inflated the price of the care provided. The settlement partially resolved a related whistleblower suit filed by former employees, although the relators in that suit continued to pursue additional FCA claims against the company and its former chief executive. Additionally, the company agreed to the entry of a judgment for approximately $1.6 million, plus interest, to resolve allegations that it negligently failed to document its use of controlled substances and its transfer of controlled substances between locations. DOJ continued to pursue claims against several executives, including the former chief executive, alleging violations of the Controlled Substances Act.[18]
On August 27, a hospital in Texas agreed to pay $3.3 million to settle a qui tam suit brought by its former Director of Compliance resolving allegations that the hospital improperly utilized billing modifiers to inflate the cost of care it billed to federal health care programs. The relator received approximately $912,000 of the recovery. The settlement announcement noted that, although the government did not intervene in the case, it investigated the relator’s allegations and collaborated with the relator.[19]
On August 30, a California-based company who contracted to provide health care services to certain Medicare Advantage patients committed to pay $90 million to resolve allegations that it knowingly submitted incorrect diagnosis codes for those patients who inflated federal payments made to Medicare Advantage plans and, in turn, the provider. The settlement also resolved a qui tam suit filed by a former employee of the provider; the United States intervened in the claims against some, but not all, of the defendants named in the suit. Also, pursuant to the settlement, the provider entered into a five-year Corporate Integrity Agreement requiring it to implement a risk assessment program into its overarching compliance program and hire an Independent Review Organization to review a sample of its Medicare Advantage patients’ medical records and diagnosis codes each year.[20]
On September 3, the U.S. District Court for the District of South Carolina entered default judgments totaling $140 million against various pain management clinics, drug testing laboratories, and a substance abuse counseling center. The government alleged the defendant entities violated the FCA by providing illegal financial incentives to providers to induce drug test referrals and billed the federal government for unnecessary drug tests. The allegations arose from qui tam complaints by five former employees of the defendant pain management clinics.[21]
On September 8, a collection of home health care companies agreed to pay $17 million to settle allegations that they violated the FCA by paying a kickback to a retirement home operator when they purchased two of its home health agencies. The government alleged the companies bought the home health agencies to induce the seller to refer Medicare beneficiaries residing in its retirement homes throughout the United States, and then submitted false claims to Medicare for the resulting services. The allegations stem from a qui tam complaint, and the whistleblower’s share of the recovery was not disclosed at the time of the settlement announcement.[22]
On September 15, a cardiologist agreed to pay $6.75 million to settle allegations that he violated the FCA by billing federal health care programs for medically unnecessary ablations and vein stent procedures performed on patients. The government alleged that the cardiologist made false statements in patient medical records to justify the procedures, and that many of the ablations were performed by ultrasound technicians outside the scope of their practice. The cardiologist and his consulting company entered into a multi-year integrity agreement including requirements for training, reporting, and independent quarterly claims reviews.[23]
On October 1, three pharmaceutical manufacturers agreed to pay $447.2 million to resolve allegations that they violated the FCA by conspiring to fix prices for various generic drugs, resulting in higher drug prices for federal health care programs. DOJ alleged a novel theory of remuneration, contending that the manufacturers conveyed value in the form of agreements on pricing. The settlement is in addition to $424.7 million previously paid by the companies to resolve related criminal charges. The government alleged that between 2013 and 2015, the companies entered agreements on pricing, supply, and allocation of customers with other pharmaceutical manufacturers for drugs manufactured by the companies, purportedly in violation of the Anti-Kickback Statute. Each company also entered into a five-year Corporate Integrity Agreement, which includes monitoring, price transparency, and other compliance provisions.[24]
On October 8, two providers of home-based health care services agreed to pay $8.5 million to settle allegations that they violated the FCA by submitting claims to Medicare for laboratory and diagnostic testing performed between 2010 and 2015 that was not medically necessary. The allegations arose from five qui tam lawsuits; the first-to-file whistleblower will receive $1.53 million as a result of the settlement.[25]
On October 22, two physicians agreed to pay $3.9 million to settle allegations that they violated the FCA by ordering unnecessary drug tests for patients at their pain management clinic and lab. The allegations stem from a lawsuit filed by two qui tam The relators will receive 17% of the United States’ portion of the settlement, totaling approximately $618,000.[26]
On October 25, a group of pharmacies agreed to pay $4.6 million to resolve allegations that the pharmacies violated the FCA in various ways, including by charging the government higher prices than those charged to other patients and paying kickbacks to a third-party marketer who assisted in arranging for medically unnecessary prescriptions of pain and scar creams. The allegations arose from a qui tam lawsuit filed by a former pharmacist. The whistleblower will receive approximately $800,000 from the settlement.[27]
On October 28, a physical therapy company agreed to pay $4 million to settle allegations that it violated the FCA by billing the government for outpatient physical therapy that was not provided. The allegations stem from a qui tam lawsuit, and the relator’s share was not disclosed at the time of the settlement announcement.[28]
On November 8, a medical device company agreed to pay $16 million to resolve allegations that it violated the FCA by causing the submission of false claims to Medicare. The company made royalty payments to an orthopedic surgeon related to the surgeon’s contributions towards the company’s products. However, according to the government, these payments constituted illegal kickbacks because they were allegedly intended to encourage the surgeon to use and recommend the company’s products to patients. The underlying allegations relate to a qui tam suit, and the whistleblower will receive approximately $2.5 million of the settlement payment.[29]
On November 9, several anesthesia providers and outpatient surgery centers agreed to pay more than $28 million to resolve allegations that they violated the FCA by entering into arrangements involving purported kickbacks. The government alleged that the anesthesia providers sought to enter exclusive contracts with the outpatient surgery centers by offering kickbacks in the form of payments for drugs, supplies, and equipment and labor, as well as through the provision of free staffing services. According to the government, the alleged kickback scheme caused the submission of false claims. Relators who brought the underlying qui tam suit will receive over $4.7 million of the settlement payment.[30]
On November 9, a pharmaceutical manufacturer agreed to pay $12.7 million to resolve allegations that it violated the FCA by causing the submission of false claims for an injectable drug. The company allegedly directed doctors to preferred pharmacies despite being aware that certain of those preferred pharmacies submitted false prior authorization requests that misrepresented to insurers that the requests were submitted by physicians instead of by the pharmacies themselves, and/or included false or misleading information about the underlying patients’ medical histories. The allegations relate to a qui tam suit, and the whistleblower will receive approximately $2.5 million of the settlement payment.[31]
On November 22, a chiropractor agreed to a $9 million civil consent judgment to resolve allegations that he violated the FCA by conspiring to pay illegal kickbacks and bill for unnecessary medical services. The chiropractor purportedly caused the submission of false claims to federal health care programs through kickbacks paid to physicians for urine drug testing referrals, as well as through medically unnecessary prescriptions for pain creams. The chiropractor pleaded guilty to criminal charges arising from the same conduct and faces a potential sentence of up to five years in prison and a fine of $250,000.[32]
On November 22, a home health agency agreed to pay $4.2 million to resolve allegations that it violated the FCA by submitting claims for services that were not covered by Medicare or Medicaid, and by failing to timely refund associated overpayments. The non-covered services underlying the allegedly false claims included, among other things, services that lacked the required face-to-face certifications or plans, and services that did not document the beneficiary’s need for home care. The underlying allegations relate to a qui tam suit, and the relator will receive over $700,000 from the settlement.[33]
On November 23, a hospice and palliative care provider operating in Ohio and Tennessee agreed to pay $5.5 million to settle allegations that it violated the FCA by submitting claims to Medicare for non-covered hospice services. The provider allegedly submitted false claims to Medicare between January 2012 and December 2014 for hospice services and care provided to patients who were not terminally ill for at least a portion of the relevant time period during which they received care. The allegations arise from a qui tam lawsuit, and the whistleblower will receive approximately $1 million of the settlement payment.[34]
On December 2, a hospital agreed to pay $18.2 million to resolve allegations that it violated the FCA by submitting claims to Medicare, Medicaid, and TRICARE for services referred to the hospital as a result of alleged kickbacks. The hospital allegedly induced certain physicians to refer patients to the hospital by giving those physicians shares repurchased from older physician-owners. According to the government, the hospital then violated the FCA by submitting claims for services referred or ordered by the physicians who received the newly repurchased shares. The underlying allegations stem from a qui tam lawsuit, and the associated whistleblower will receive approximately $3 million of the settlement payment.[35]
On December 7, a pathology practice agreed to pay $2.4 million to resolve allegations that it violated the FCA by making false representations in connection with submissions to the government. The practice allegedly submitted certain claims to the government without written substantiation, and as a result billed Medicare for a type of testing analysis that was not actually required. Contemporaneous with the settlement, the pathology practice entered into a three-year Corporate Integrity Agreement requiring training, auditing, and monitoring designed to address the alleged misconduct along with other evolving compliance risks. The underlying allegations arose from a qui tam lawsuit, and the whistleblower for that suit will receive approximately $450,000 from the settlement.[36]
On December 8, a physician and a medical device manufacturer agreed to pay a collective $4.2 million to resolve allegations that they violated the FCA by entering into kickback arrangements. The government alleged that, between 2014 and 2018, the company provided kickbacks—in the form of cash payments, commissions, and all-expense paid trips—to the physician to induce him to direct physicians at his institute to utilize the company’s medical devices and to increase the number of certain surgeries performed in order to then increase orders of the company’s supplies. The physician also allegedly directed physicians to order toxicology and genetic tests from a medical testing laboratory from which he accepted additional kickbacks. The civil settlement resolved claims brought under a qui tam suit, and the whistleblower will receive approximately $600,000 from the settlement.[37]

B. GOVERNMENT CONTRACTING AND PROCUREMENT

On July 6, an aviation company based in Illinois and Florida agreed to pay $11 million to resolve allegations that it violated the FCA in connection with two U.S. Transportation Command contracts for aircraft maintenance services supporting U.S. Department of Defense (“DOD”) operations in Afghanistan and Africa. According to the government, the company knowingly failed to maintain several helicopters utilized by the Department of Defense to transport cargo and personnel in accordance with contract requirements, such that the helicopters were not airworthy and should not have been certified as “fully mission capable.” The settlement included a resolution of claims brought in a qui tam suit filed by a former employee, who received approximately $2.2 million of the settlement proceeds. The company also agreed to pay a separate $429,000 fine to the Federal Aviation Administration for purported deficiencies in its helicopter maintenance program.[38]
On September 27, an oil and natural gas exploration and production company agreed to pay $6.15 million to settle allegations that it violated the FCA by underpaying royalties for natural gas from federal lands. The government alleged that the company improperly deducted processing costs from the royalties due to the United States under a lease that permitted the company to extract natural gas from federal lands as long as the gas was placed in marketable condition at no cost to the United States.[39]
On October 6, a military supplier agreed to pay over $4.5 million to settle allegations that it violated the FCA by failing to comply with requirements for certain products supplied to the military. The government alleged that the supplier had provided high-performance butterfly valves to military ship builders from May 2011 through September 2017 and failed to disclose that there had been unapproved modifications made to the valves. The allegations stem from a qui tam lawsuit brought by a former employee, and the whistleblower will receive approximately $850,000 of the recovery.[40]
On October 15, a contracting company entered into a consent judgment, agreeing to pay $4.8 million to settle allegations that it violated the FCA by submitting false certifications of eligibility to obtain federal contracts intended to benefit service-disabled veterans. The complaint alleged that the company was not owned by a veteran but instead recruited a service-disabled veteran to nominally run a pass-through entity that enabled the company to obtain federal contracts for which it otherwise would not have been eligible.[41]
On December 21, an information technology contractor agreed to pay over $1.3 million to resolve allegations that it violated the FCA when seeking payment for information technology and cybersecurity services. The government alleged that the company caused the submission of false claims by billing the government for labor hours in excess of time worked, labor rates that exceeded the rates actually paid to employees, labor costs exceeding the company’s actual recorded costs, and overly high indirect rates.[42]
On December 22, an aircraft manufacturer agreed to pay $1.9 million to resolve allegations related to a jet fuel spill, including allegations that it violated the FCA during the government’s investigation of the incident. According to the government, employees of the manufacturer made material false statements to avoid contractual liability for cleanup related to the spill and, by doing so, violated the reverse false claims provision of the FCA.[43]

C. OTHER

On July 12, the Florida Department of Children and Families (“FDCF”) agreed to pay $17.5 million to settle allegations that its management of federal Supplemental Nutrition Assistance Program (“SNAP”) funds violated the FCA, one of several settlement agreements the United States has secured recently with state agencies and a private consulting firm regarding alleged manipulation of SNAP data. The U.S. Department of Agriculture (“USDA”) requires states to determine individuals’ eligibility for SNAP benefits and maintain quality control processes to confirm eligibility decisions. Additionally, states must accurately report their error rates in awarding benefits to USDA, and USDA pays performance bonuses to states that report low error rates and demonstrate decreasing error rates. The government alleged that FDCF improperly injected bias into its SNAP quality control program that caused the submission of false information to USDA regarding FDCF’s error rate. This, in turn, allegedly led USDA to pay FDCF performance bonuses that it did not earn. As part of the settlement, FDCF also agreed to forego $14.7 million in pending bonus payments that it had not yet received from USDA.[44]
On July 28, two clothing companies and their former chief executive and owner agreed to pay $6 million to resolve allegations of underreporting the value of imports on invoices submitted to U.S. Customs & Border Protection in order to pay less in customs duties. In a related criminal prosecution from 2020, the former chief executive and owner also pled guilty to a subset of this conduct, was sentenced to six months in prison, and paid a separate forfeiture amount of $1.7 million. The allegations leading to his conviction and the subsequent civil settlement agreement stemmed from a qui tam complaint, but the whistleblower share of the recovery was not announced with the settlement.[45]
On August 5, the Tennessee Department of Human Services (“TDHS”) committed to pay $6.8 million to resolve allegations that it submitted false quality control data to USDA regarding TDHS’s award of SNAP benefits to low-income individuals. The United States alleged that TDHS, in implementing the recommendations of an outside consulting firm, inserted bias into its quality control program that led to the submission of false quality control data to USDA. According to the government, TDHS then received performance bonuses from USDA on the basis of this false data.[46]

III. LEGISLATIVE AND POLICY DEVELOPMENTS

A. FEDERAL POLICY DEVELOPMENTS

In its first year, the Biden Administration has not ushered in a major shift in overarching FCA policy. But the Administration has emphasized that it remains focused on FCA enforcement, and significant changes have nonetheless begun to take shape.

1. Biden Administration Continues Move Away from “Brand” Memo

In July 2021, DOJ promulgated an interim final rule that opens the door for DOJ attorneys to leverage agency guidance in enforcement actions. This step culminates a shift that we flagged in our 2021 Mid-Year Update, in which we discussed Executive Order 13992, issued on the day of President Biden’s inauguration. That Order foreshadowed a possible shift away from DOJ’s so-called Brand Memo.

By way of background, the internal DOJ guidance communicated by the January 2018 Brand Memo stated that agency “[g]uidance documents” without notice-and-comment rulemaking “cannot create binding requirements that do not already exist by statute or regulation.”[47] In December 2018, DOJ codified the Brand Memo at Section 1-20.100 of the Justice Manual, which explained that with limited exceptions, DOJ “should not treat a party’s noncompliance with a guidance document as itself a violation of applicable statutes or regulations.”[48] Executive Order 13992 did not refer expressly to DOJ’s civil enforcement of the FCA, but it did explicitly revoke President Trump’s Executive Order 13891, which expressed a principle similar to that codified in Section 1-20.100 of the Justice Manual.

Effective July 1, 2021, DOJ issued the interim final rule implementing Executive Order 13992 and rescinding DOJ regulations that proscribed use of guidance documents in DOJ enforcement actions.[49] On the same date, Attorney General Merrick Garland issued a memo to all DOJ component heads explaining that, while guidance alone cannot form the basis for an enforcement action, it “may be entitled to deference or otherwise carry persuasive weight with respect to the meaning of the applicable legal requirements” in a particular case.[50] The memo stated that “[t]o the extent guidance documents are relevant to claims or defenses in litigation, Department attorneys are free to cite or rely on such documents as appropriate.”[51] These developments surely will open back up the reliance that many DOJ attorneys placed on sub-regulatory guidance as evidence both that a claim is materially false and that defendants recklessly disregarded statutory and regulatory requirements. On the other hand, while the Brand Memo’s safeguards against the use of guidance as the basis for asserting falsity under the FCA have eroded, certain federal courts—and Supreme Court justices—have signaled significant skepticism about use of sub-regulatory guidance to impose substantive legal standards. E.g., Whitman v. United States, 574 U.S. 1003 (2014) (statement of Justice Scalia and Justice Thomas on denial of certiorari, warning that courts should not defer to “executive interpretations of a variety of laws that have both criminal and administrative applications”).

This is a development we will continue to closely watch.

2. DOJ Announces Initiative to Use FCA in Cybersecurity Cases

On October 6, 2021, Deputy Attorney General Lisa Monaco announced a new Civil Cyber Fraud Initiative that will leverage the FCA to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”[52] The new effort will “combine [DOJ’s] expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.”[53]

On October 13, 2021, Acting Assistant Attorney General Brian Boynton delivered remarks on this new initiative at the Cybersecurity and Infrastructure Security Agency Fourth Annual National Cybersecurity Summit.[54] AAG Boynton noted that the Civil Cyber Fraud Initiative “will use the [FCA] to identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk.” He indicated that “three common cybersecurity failures” are “prime candidates” for potential FCA enforcement by DOJ: (1) “knowing failures to comply with cybersecurity standards,” such as those negotiated with government contractors; (2) “knowing misrepresentation of security controls and practices”; and (3) “knowing failure to timely report suspected breaches.”

3. DOJ Continues FCA Enforcement to Protect COVID-19 Spending

Spending packages tied to COVID-19 also continue to be a focus for federal FCA enforcement. Under the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”)[55] and subsequent stimulus programs, including the American Rescue Plan in March 2021,[56] the government provided trillions of dollars in government funds to mitigate the effects of COVID-19. Anytime the government spends money, particularly massive amounts, there is a possibility the funds are misspent. This, in turn, brings the FCA into play as a potential remedy; unsurprisingly, the government has repeatedly indicated its intent to rely heavily on the FCA to police any fraud associated with pandemic relief funds.

The Paycheck Protection Program (“PPP”), one of several programs created by the CARES Act, aims to allow businesses to receive low-interest private loans to pay for their payroll and certain other costs. In January 2021, DOJ settled its first civil case involving the Paycheck Protection Program with SlideBelts, Inc. and its President and CEO.[57] Since then, DOJ has entered into at least two other settlements related to the Program.

Pursuant to the settlement agreement reached in United States ex rel. Hablitzel v. All in Jets, LLC & Seth A. Bernstein, the owner of a jet charter company agreed to pay almost $290,000 to settle allegations that he diverted nearly $100,000 from a $1.2 million PPP loan for personal, non-company related expenses within a day of receiving the loan. The relator (a former employee) who initially filed the action received close to $60,000.[58]

In United States ex rel. Quesenberry v. Sextant Marine Consulting LLC et al., a duct cleaning company agreed to pay $30,000 in damages and civil penalties for conduct associated with two PPP loans, in addition to repaying the duplicative PPP funds in full.[59] The relator received $4,500 of this amount. According to DOJ, additional claims against other entities remain under seal in Quesenberry.

These sorts of relatively small dollar-value settlements likely do not represent the extent of DOJ’s focus on FCA enforcement related to PPP funds. FCA investigations—and subsequent litigation—often take years to play out. And all signs indicate that the biggest and most important FCA cases to come out of the COVID-19 pandemic are still to come.

The CARES Act also contained a provision establishing a Special Inspector General for Pandemic Recovery (“SIGPR”),[60] who “has the duty to conduct, supervise, and coordinate audits and investigations of the making, purchase, management, and sale of loans, loan guarantees, and other investments by the Secretary of the Treasury under any program established by the Secretary under Division A of the CARES Act.”[61] Since September 2020, the SIGPR has added thirty-three staff members, and it has sought “a place in the annual federal budget” beyond the original $25 million first allocated for five years of the office’s service.[62] The SIGPR has thus far focused on cases where CARES Act participants allegedly sought funding from multiple programs to be used for the same purpose.[63] Although the SIGPR has not focused on FCA claims, the fact that it has referred a significant number of fraud-related claims to other agencies for investigation leaves the door open to new FCA claims arising from this office.

4. DOJ Updates FCA Penalty Amount to Adjust for Inflation

DOJ is required by law to adjust penalties to keep pace with inflation. In December, DOJ issued a final rule to update penalties for 2021. See 86 Fed. Reg. 70740 (Dec. 13, 2021). Under the final rule, FCA penalties now range from a minimum of $11,803 to a maximum of $23,607 for penalties assessed after December 13, 2021, compared to the prior range of $11,665–$23,331. These increased amounts apply to any violation of the FCA that occurred after November 2, 2015, when the law requiring inflation adjustments took effect.

B. FEDERAL LEGISLATIVE DEVELOPMENTS

Congressional attention on FCA enforcement reignited in the latter half of 2021 with the introduction of proposed legislative amendments by Senator Chuck Grassley (R-IA). Senator Grassley, the architect of the 1986 amendments, has long touted himself as a leading advocate of the FCA. This past year, he set his sights on cementing his legacy as the FCA’s principal champion.

As discussed in our Mid-Year Update, in February 2021, Senator Grassley sent a letter to then-Attorney General Nominee Merrick Garland, criticizing DOJ’s actions in dismissing relator claims, decrying the effects of the Supreme Court’s decision in Escobar, and requesting assistance in crafting new legislation to address his concerns.[64]

In July 2021, Senator Grassley—joined by a bipartisan group of four co-sponsors—made good on his promise and introduced the False Claims Amendments Act of 2021 (the “Amendments”), which included four main provisions.[65] First, the Amendments would implement a burden-shifting scheme under which the plaintiff (government or relator) may establish materiality by a simple “preponderance of the evidence,” at which point the defendant “may” rebut evidence of materiality by “clear and convincing” proof. Second, the Amendments would require that, when DOJ seeks to dismiss declined qui tam cases, the relator must first have an opportunity to show that the reasons for dismissal are fraudulent, arbitrary and capricious, or contrary to law. Third, the Amendments would allow DOJ to shift the cost of discovery defendant served on the government to the defendant if the defendant’s discovery requests are irrelevant, disproportional, or unduly burdensome. Finally, the Amendments would expressly apply the FCA’s existing anti-retaliation provisions to post-employment retaliation. The Amendments would be applicable to all pending and future litigation “to ensure that [the FCA] covers the trillions of dollars spent on COVID relief.”[66]

In October 2021, Senator Grassley amended his proposal in several respects. First, he eliminated the burden-shifting approach to the materiality standard. This portion of the bill now reads: “In determining materiality, the decision of the Government to forego a refund or pay a claim despite actual knowledge of fraud or falsity shall not be considered dispositive if other reasons exist for the decision of the Government with respect to such refund or payment.”[67] With this revision, Senator Grassley again is targeting the Supreme Court’s decision in Escobar.

If adopted, this provision could have broader implications than the original burden‑shifting framework. The original framework, by its plain language, focused only on evidentiary burdens, whereas the revised framework speaks in more general terms of “determin[ations]” of materiality.[68] Such determinations could occur at the motion-to-dismiss stage, as the Escobar Court clearly contemplated, even before litigation stages involving evidentiary determinations. A basic principle of civil pleading is that an “obvious alternative explanation” for the conduct a plaintiff alleges is enough to make the plaintiff’s allegations legally implausible and subject to dismissal. See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 567–68 (2007). The revised provision of the Amendments threatens to upend this principle by making payment of claims notwithstanding their falsity “not . . . dispositive” of materiality as a matter of law, where otherwise such facts could form the basis for an argument that an “obvious alternative explanation” for the government’s payments was that it spotted the alleged fraud and decided it was immaterial. Senator Grassley’s amendments also removed the original bill’s cost-shifting provisions for discovery expenses.[69]

This revised bill was reported out of Committee in November 2021,[70] but it remains unclear if the bill will receive a vote on the Senate floor. If enacted, however, the Amendments would surely give DOJ and relators new arguments in a variety of different FCA scenarios, and could have a meaningful impact on the cost of defending against FCA cases, particularly including meritless cases brought by a would-be whistleblower.

Gibson Dunn will continue to monitor this and other legislative developments.

C. STATE LEGISLATIVE DEVELOPMENTS

The federal government provides incentives for states to enact false claims statutes in keeping with the federal FCA. In particular, HHS-OIG grants “a 10-percentage-point increase” in a state’s share of any recoveries under the relevant laws to any state that obtains HHS-OIG approval for its false claims statute.[71] Such approval requires that the statute in question, among other requirements, “contain provisions that are at least as effective in rewarding and facilitating qui tam actions for false or fraudulent claims as those described in the [federal] FCA.”[72] Approval is also contingent on the statute containing a sixty-day sealing provision and “a civil penalty that is not less than the amount of the civil penalty authorized under the [federal] FCA.”[73] The total number of states with approved statutes remains at twenty-two, with Montana (which was previously on the “approved” list) having obtained approval on October 4, 2021 for the amendments to its false claims act that we covered in our 2021 Mid-Year Update.[74] The list of seven states with false claims statutes listed by HHS-OIG as “not approved” likewise remains the same: Florida, Louisiana, Michigan, New Hampshire, New Jersey, New Mexico, and Wisconsin.[75]

The “not approved” list may soon shrink, however. On October 20, 2021, the Wisconsin legislature introduced a bill that would “restore[] a private individual’s authority to bring a qui tam claim against a person who makes a false claim for medical assistance, which was eliminated in 2015 Wisconsin Act 55.”[76] The bill also provides for qui tam awards of up to thirty percent of recoveries, which is consistent with the federal FCA, and for “additional changes not included in the prior law to conform state law to the federal [FCA], including expanding provisions to facilitate qui tam actions and modifying the bases for liability to parallel the liability provisions under the federal False Claims Act.”[77] While Wisconsin’s 2015 repeal of false claims liability for Medicaid claims was not expressly one of the grounds HHS-OIG relied on in refusing to grant federal incentives, the government did in 2016 cite the state statute’s lack of a provision pegging civil penalties to inflation as grounds for the government’s continued “not approved” designation.[78] The 2021 bill ostensibly seeks to address this issue (among others cited by HHS-OIG) by incorporating the federal FCA penalty amounts, which are pegged to inflation.[79]

IV. CASE LAW DEVELOPMENTS

The second half of 2021 saw a number of notable federal appellate court decisions, which we have summarized below.

A. Seventh and Second Circuits Evaluate How Government’s Continued Payment Bears on Materiality Under Escobar

During the latter half of 2021, courts continued to refine the FCA’s materiality requirement, applying the standard articulated by the Supreme Court in Universal Health Services Inc. v. United States ex rel. Escobar, 579 U.S. 176 (2016). In Escobar, the Supreme Court noted that to survive a motion to dismiss plaintiffs must “plead[] facts to support allegations of materiality” when bringing claims under the FCA. Id. at 195 n.6. In the five years since Escobar, materiality has become a key consideration at the motion-to-dismiss stage, even when it requires courts to make factually specific, case-by-case determinations.

In United States v. Molina Healthcare of Illinois, Inc., 17 F.4th 732 (7th Cir. 2021), the Seventh Circuit reversed a district court’s order dismissing a complaint involving alleged false certifications by Molina Healthcare of Illinois, Inc. relating to Medicaid reimbursement. Molina Healthcare and the State of Illinois had agreed to a capitated system of Medicaid payments—payments based on the number of patients a health care provider projects it will serve based on patients’ risk levels. Id. at 736. As part of the agreement, Molina agreed to provide skilled nursing facility services to the most expensive (riskiest) tier of patients. Id. A relator filed an FCA complaint alleging that Molina falsely certified that it was providing such services to patients. According to the relator, Molina stopped providing these services a year into the agreement, yet continued to collect the Medicaid payments owed under the capitated payment system for the most expensive tier of patients. Id. at 737.

The Seventh Circuit allowed the relator’s suit to proceed, concluding that Molina Healthcare’s certification regarding its skilled nursing facility services was material to the State’s decision to continue making Medicaid payments to Molina Healthcare. Id. at 744. The court acknowledged that the State continued paying even after it knew that Molina Healthcare did not provide the relevant services. Id. at 743–44. But it concluded this did not dispose of the materiality inquiry. Rather, the court focused on the fact that those patients who qualified for skilled nursing facility services were in a much more expensive tier in the capitation system than other patients. Id. at 743. The difference in cost between patients in the most expensive tier and those in lower tiers suggested that Molina Healthcare’s certification was material, notwithstanding the inference that the government knew of the alleged misconduct and disregarded it in its payment decision.

The court also held that the relator adequately alleged Molina Healthcare knew its certifications were material. Id. at 745. The district court had also premised its dismissal on the relator’s failure to plead specific allegations about Molina Healthcare’s knowledge. The Seventh Circuit disagreed. It concluded that because Molina Healthcare was “a highly sophisticated member of the medical-services industry,” relator plausibly alleged that the company may have known the importance of its false certifications in Medicaid payment decisions. Id. at 744-5.

In United States ex rel. Foreman v. AECOM, 19 F.4th 85 (2d Cir. 2021), the Second Circuit applied Escobar’s materiality factors and affirmed, in part, a district court’s decision to dismiss a relator’s FCA complaint. The case involved allegations that AECOM, a company that provided maintenance and management services to the U.S. Army in Afghanistan, violated the FCA by failing to live up to contractual obligations. Id. at 95. Specifically, the relator alleged that AECOM overstated its man-hour utilization rate, overbilled the government for labor not actually performed, and failed to properly track government property. Id. AECOM moved to dismiss, arguing that the alleged misrepresentations to the government were not material to any payments, pointing to government reports suggesting that the government knew about the issues and continued to pay in any event. The district court agreed and dismissed the complaint.

The Second Circuit affirmed in part and reversed in part. In doing so, the Second Circuit focused on three factors identified in Escobar to determine whether a false certification of compliance with a contract was material to payment by the government: (1) whether the government “expressly identified a provision as a condition of payment,” id. at 110, (2) “the government’s response to noncompliance” with the contract, id. at 111, and (3) whether the “alleged noncompliance was substantial,” id. at 116. In granting AECOM’s motion to dismiss, the district court had focused on the second factor, relying on government reports indicating that the government had been aware of the alleged false claims and still chose to pay AECOM for its work under the contract.

Although the Second Circuit observed that the government’s continued payment—i.e., the “response to noncompliance”—bore heavily on the question of materiality, the court took a restrictive view of what documents it could consider at the motion-to-dismiss stage to demonstrate the government’s “response to noncompliance.” In drafting the complaint, the relator had expressly referenced and relied on government reports about man-hour-utilization rate and property tracking. Id. at 113–14. Because the relator’s complaint included those documents, the Second Circuit determined that the trial court could consider these documents. And those reports indicated that the government knew about the alleged fraud and “not only continued to extend and pay claims under the [contract], but also never demanded repayment, disallowed any charged costs, or penalized AECOM.” Id. at 115. By contrast, the court concluded that separate government reports referencing overbilling—which the district court also relied on—were not integral to or referenced in the complaint and, thus, should not have been considered at the pleading stage. Id. at 116. Without the presence of those reports for consideration on the motion to dismiss stage showing the government’s response to AECOM’s alleged overbilling practices, the court allowed the relator to proceed on those claims. Id. at 117–18.

B. Seventh and Eighth Circuits Issue Important Decisions on the FCA’s Scienter and Falsity Requirements

In United States ex rel. Schutte v. SuperValu, Inc., 9 F.4th 455 (7th Cir. 2021), the Seventh Circuit became the latest circuit court to apply the scienter standard announced by the U.S. Supreme Court in Safeco Insurance Company of America v. Burr, 551 U.S. 47 (2007), to the FCA. The FCA defines “knowingly” to mean that a person “(i) has actual knowledge of the information, (ii) acts in deliberate ignorance of the truth or falsity of the information, or (iii) acts in reckless disregard of the truth or falsity of the information.” 31 U.S.C. § 3729(b)(1)(A). In Safeco, which addressed the Fair Credit Reporting Act’s nearly identical scienter requirement, the Supreme Court determined that a person who acts under an incorrect interpretation of a relevant statute or regulation does not act with “reckless disregard” if the interpretation is objectively reasonable and no authoritative guidance cautioned the person against it. Safeco, 551 U.S. at 70.

The relators in SuperValu alleged that when SuperValu sought Medicare and Medicaid reimbursements, it misrepresented its “usual and customary” drug prices. See 9 F.4th at 459. After interpreting the relevant regulations, SuperValu reported its retail cash prices as its usual and customary drug prices rather than the lower, price-matched amounts that it charged customers under its price-match discount drug program, through which SuperValu would match discounted prices of local competitors upon request from anyone purchasing. Id. The court agreed with the relator that SuperValu’s discounted prices were the correct usual and customary prices under the relevant regulations, and that SuperValu therefore should have reported those prices. The court applied the Safeco scienter standard, however, and concluded that SuperValu’s interpretation of the regulations was objectively reasonable and that there was no authoritative guidance that warned SuperValu away from its interpretation. Id. at 472. The court therefore found that SuperValu faced no liability under the FCA. Id.

The SuperValu opinion is significant for FCA defendants who are often required to interpret vague and ambiguous regulations. It provides FCA defendants with a basis to contest scienter as a matter of law, instead of leaving scienter issues for juries to decide.

In Thayer v. Planned Parenthood of the Heartland, 11 F.4th 934 (8th Cir. 2021), the Eighth Circuit explored the intersection of FCA’s scienter and falsity requirements. In that case, the relator alleged two distinct bases for FCA liability. The relator alleged that Planned Parenthood dispensed extra cycles of contraceptives without a physician’s order in violation of Iowa law and knowingly billed Iowa Medicaid Enterprise for post-abortion-related services in violation of state and federal law. The district court granted summary judgment to Planned Parenthood on both counts.

The Eighth Circuit first disposed of the claim that Planned Parenthood illegally dispensed extra cycles of contraceptives without a physician’s order, affirming that relator’s complaint was not particular enough to survive summary judgment. Id. at 940. Next, the court turned to the allegations of illegal billing for post-abortion related services. As to two of the patients, the Eighth Circuit held that the billing codes used were appropriate for the services provided, and therefore “there [was] no real dispute that Planned Parenthood did not submit a false claim for these patients.” Id. at 942. In other words, Iowa may not have intended to pay those types of claims, but there was nothing false about the information submitted. As to the remaining patients, the court noted that “to prove knowing falsity, [relator] must do more than show that the . . . billing code was wrong; she must have evidence that the defendants knowingly or recklessly cheated the government.” Id. at 943 (emphasis in original) (internal quotation marks and citation omitted). The relator contended that Planned Parenthood improperly and knowingly entered level-three billing codes for services that justified only level-two billing codes on four occasions, resulting in a minor difference in the amount reimbursed. But, in the court’s view, “a one-level difference in billing, resulting in less than a $12.00 reimbursement difference, is at most evidence of an innocent mistake or negligence, not a willful lie to cheat the government.” Id. at 944. Therefore, the court held there was no knowing falsity.

C. Fifth and Second Circuits Grapple with Scope of Public Disclosure Bar

The FCA’s public disclosure bar requires dismissal of an FCA case brought by a private plaintiff “if substantially the same allegations or transactions” forming the basis of the action have been publicly disclosed, including “in a Federal criminal, civil, or administrative hearing in which the Government or its agent is a party,” unless the relator is an “original source of the information.” 31 U.S.C. § 3730(e)(4).

In United States ex rel. Schweizer v. Canon, Inc., 9 F.4th 269 (5th Cir. 2021), the Fifth Circuit took up the issue of whether a copycat lawsuit premised on the same fundamental facts, but against a different defendant, is prohibited by the public disclosure bar. From November 2004 to December 2005, the relator worked as a General Services Administration (“GSA”) contracts manager for Océ North America Inc., a company that sold printers, copiers, and related services to the government. In 2006, the relator filed an FCA suit against Océ. She alleged that the United States was “overpaying Océ for copiers and services, and that its products were manufactured in noncompliant countries including China.” Id. at 272. Before the district court, she alleged that Océ violated the applicable “Price Reductions Clause” (by charging the government more than it did its commercial customers) and the Trade Agreements Act (by sourcing products from China and other non-TAA-compliant countries). In 2013, the district court presiding over that action approved a settlement in which Océ agreed to pay the government $1,200,000 in exchange for a release of the asserted FCA claims. In 2012—before the action became final—Océ was acquired by Canon. Id.

In 2016, the relator filed another FCA suit, this time against Canon. She alleged the same violations of the FCA as she had alleged against Océ in 2006. Canon moved to dismiss the suit, arguing that the FCA’s public disclosure bar prevented Schweizer’s claims. The district court agreed, and the Fifth Circuit affirmed the district court’s judgment on appeal. As the Fifth Circuit explained: “Schweizer’s allegations against Canon are ‘based upon’ the allegations and transactions asserted in the Océ litigation,” and “one could have produced the substance of the [Canon] complaint merely by synthesizing the public disclosures’ description of the [Océ] scheme.” Id. at 275–76 (internal quotation marks and citation omitted). The court rejected the relator’s arguments that the public disclosure bar did not apply because the companies were different, that Canon’s alleged scheme occurred at a later time, and that Canon allegedly violated additional government contracts. Id. at 276–77.

In United States ex rel. Foreman v. AECOM, 19 F.4th 85 (2d Cir. 2021) (discussed above), the Second Circuit also analyzed whether the FCA’s public disclosure bar precluded relator’s claims. The FCA disallows an action if substantially the same allegations have been “publicly disclosed” in a federal report. See 31 U.S.C. § 3730(e)(4)(A)(ii). AECOM argued that all the claims had been made available to the public through government reports presented to AECOM’s employees. The court disagreed. In interpreting the FCA’s requirement that disclosure be public, the court concluded that information does not become “public” if it is (1) not disclosed to innocent employees of the government contractor and (2) when information is disclosed, it comes with the obligation that employees keep the information confidential. Id. at 125. The court thus determined that the information had not been made public here when provided to AECOM employees through a government report. As such, the Second Circuit held that the public disclosure bar did not put an end to relator’s claim.

D. Several Courts Issue Notable Decisions on Pleading Fraud with Particularity Under Rule 9(B) in FCA Cases, and Supreme Court Invites Solicitor General’s View on Topic

In United States ex rel. Mamalakis v. Anesthetix Management LLC, 20 F.4th 295 (7th Cir. 2021), the Seventh Circuit addressed the level of specificity required for a relator’s allegations to satisfy the heightened pleading standards of Federal Rule of Civil Procedure 9(b). The relator alleged that Anesthetix fraudulently billed Medicare and Medicaid for services performed by anesthesiologists by using the code for “medically directed” services rather than the more appropriate and lower rate “medically supervised” services code. Id. at 297. After an initial dismissal without prejudice for failure to meet Rule 9(b)’s requirements, the relator filed an amended complaint including ten examples, identifying a particular procedure and anesthesiologist, and alleging the services did not qualify for payment at the medical-directed billing rate. Id.

The Seventh Circuit held that the district court’s decision to dismiss the amended complaint was “error” because the “ten examples, read in context with the other allegations in the amended complaint, provide sufficient particularity about the alleged fraudulent billing to survive dismissal.” Id. Although a relator “need not produce the invoices and accompanying representations at the outset of the suit, it is nevertheless essential to show a false statement, though this can be accomplished by including particularized factual allegations that give rise to a plausible inference of fraud.” Id. at 301 (internal quotation marks and citation omitted). The court concluded that the ten examples identifying specific procedures, anesthesiologists, and billing rates “provide[d] a particularized basis from which to plausibly infer that at least on these occasions, [defendant] presented false claims to the government.” Id. at 303. By providing such examples, the relator “injected enough precision and substantiation into his allegations of fraud to entitle him to move forward with his case.” Id.

The Sixth Circuit took a similar approach to Rule 9(b) pleading requirements in United States ex rel. Owsley v. Fazzi Associates, Inc., 16 F.4th 192 (6th Cir. 2021). There, the relator alleged “in detail, a fraudulent scheme” in which defendants allegedly fraudulently up-coded patient data and subsequently submitted inflated requests for payment to the Centers for Medicare and Medicaid Services (“CMS”). Id. at 196. But fatal to the relator’s claim was her failure “to identify any specific claims that [defendants] submitted pursuant to the scheme.” Id. (emphasis added) (internal quotation marks and citation omitted).

The court explained that the relator could have satisfied Rule 9(b)’s standard in one of two ways: identifying a “representative claim that was actually submitted to the government for payment,” or otherwise alleging facts “based on personal knowledge of billing practice” sufficient to support “a strong inference that particular identified claims were submitted to the government for payment.” Id. (emphasis in original) (internal quotation marks and citations omitted). The relator alleged “personal knowledge of billing practices” but “did not allege facts that identify any specific fraudulent claims” because she failed to identify the dates on which she reviewed patient records, the dates of any related claims for payment, or the amounts of those claims. Id. at 196–97. Acknowledging that the Rule 9(b) inquiry will turn on the facts of each particular case, the court clarified the “touchstone” consideration is “whether the complaint provides the defendant with notice of a specific representative claim that the plaintiff thinks was fraudulent.” Id. at 197. The information in the relator’s complaint failed to meet this standard and thus did not satisfy Rule 9(b). Id.

Finally, the Supreme Court invited the views of the Solicitor General on the issue of application of Rule 9(b) in FCA cases. See Johnson, et al. v. Bethany Hospice and Palliative Care LLC, No. 21-462, 2022 WL 145173, at *1 (U.S. Jan. 18, 2022). But it remains to be seen whether the Court will take up the issue. Indeed, this is not the first time parties have petitioned the Court on this issue, and the Supreme Court has rejected multiple petitions to clarify the interplay of Rule 9(b) and the FCA in recent years. See e.g., 81 U.S.L.W. 3650 (U.S. Mar. 31, 2014) (No. 12-1349). This is also not the first time the Supreme Court has asked for the views of the Solicitor General on this issue: in 2014, the Court asked for the input of the Solicitor General on whether to grant certiorari on this issue in the Fourth Circuit case of United States ex rel. Nathan v. Takeda Pharm., 707 F.3d 451 (4th Cir. 2013). After the Solicitor General urged the Court not to take up the issue, the Supreme Court denied certiorari, see Brief for the United States as Amicus Curiae Supporting Respondents, United States ex re. Nathan v. Takeda Pharm., 572 U.S. 1003 (2014); 81 U.S.L.W. 3650 (U.S. Mar. 31, 2014) (No. 12-1349).

E. Third Circuit Analyzes DOJ’s Authority to Dismiss Qui Tam FCA Cases

In October, the Third Circuit waded into the circuit split concerning the government’s statutory authority to dismiss an FCA qui tam suit. In Polansky v. Exec. Health Res. Inc., 17 F.4th 376 (3d Cir. 2021), a case in which the government initially declined to intervene in relator’s suit but then later moved to dismiss without formally intervening, the court considered two questions: (1) whether the government may move to dismiss a relator’s suit without intervening, and (2) what standard must the government meet for dismissal to be granted.

First, the court considered the government’s statutory authority to seek dismissal when it does not intervene. The court recognized the split between the D.C., Ninth, and Tenth Circuits, which read 31 U.S.C. § 3730(c) as granting authority to move for dismissal at any point in the litigation regardless of whether the government intervenes, and the Sixth and Seventh Circuits, which interpret the section to only grant authority to seek dismissal after intervention pursuant to Federal Rule of Civil Procedure 41.

In analyzing the question, the court accepted that the government may only dismiss cases where it has intervened. The court concluded that 31 U.S.C. § 3730(c)(2)(A) is not “a standalone provision that grants the Government unconditional authority to seek dismissal as a non-party.” Id. at 385. The court held that, when read in context along canons of statutory construction, 31 U.S.C. § 3730(c)(2)(A) served as a limit on relator’s rights “if—and only if—the Government proceeds with the action.” Id. The court noted that the other limitations in section 3730(c)(2), such as enabling the government to limit a relator’s ability to call witnesses where it “would interfere with … the Government’s prosecution of the case,” only make sense if the government is party to the case. Id. Furthermore, to allow the government to dismiss without intervention would limit the relator regardless of whether the government “proceeds with the action,” rendering those words superfluous. However, the Third Circuit rejected the relator’s argument that the government may only move to dismiss if it intervenes at the outset of a case. Id. at 387.

Second, the court held that, “[h]aving intervened, the Government becomes a party, and like any party, it is subject to the Federal Rules of Civil Procedure, including the rule governing Voluntary Dismissal.” Id. at 389. Recognizing that the FCA added “certain wrinkles,” the court concluded that the government must only meet the threshold requirements of Federal Rule of Civil Procedure 41(a), while also providing relator “notice and an opportunity for a hearing” under 31 U.S.C. § 3730(c)(2)(A). Id. In doing so, the Third Circuit agreed with the Seventh Circuit and expressly rejected both the Swift approach of the D.C. Circuit for being incongruous with other provisions of the FCA and relegating the Article III judge to the role of “serv[ing] . . . some donuts and coffee” as well as the Sequoia Orange approach of the Ninth Circuit for focusing solely on constitutional limits and for failing to consider the limitations of the Federal Rules of Civil Procedure on voluntary dismissal. Id. at 392–93 (quoting United States ex rel. CIMZNHCA, LLC v. UCB, Inc., 970 F.3d 835, 850 (7th Cir. 2020)).

Despite holding that the government must “intervene under § 3730(c)(3) before seeking to dismiss relator’s case,” the court ultimately construed the government’s motion to dismiss as including a motion to intervene, again adhering to the Seventh Circuit’s approach. Id. at 392. Further, the court found no abuse of discretion “[i]n light of [the] thorough examination and weighing of the interests of all the parties, and Rule 41(a)(2)’s ‘broad grant of discretion’ to shape the ‘proper’ terms of dismissal.” Id. at 393. In sum, the Third Circuit has responded to the growing circuit split over the authority of the government to dismiss whistleblower lawsuits by adopting the Seventh Circuit’s position in CIMZNHCA; the government must intervene to dismiss and the standard for dismissal should be primarily informed by Federal Rule of Civil Procedure 41.

F. Third Circuit Considers Retroactivity of Amendments to FCA

In United States ex rel. International Brotherhood of Electrical Workers Local Union No. 98 v. Fairfield Co., 5 F.4th 315 (3d Cir. 2021), the Third Circuit grappled with the question of whether (relatively) recent amendments to the FCA had retroactive effect. The Fraud Enforcement and Recovery Act of 2009 (“FERA”), Pub. L. No. 111-21, § 4, 123 Stat. 1625, amended several portions of the FCA, including eliminating the requirement that the false claim be presented to an office or employee of the United States, and removing the requirement for specific intent. Id. at 324. Fairfield challenged the purported retroactivity of the FERA amendments, claiming that should the specific intent provision remain, judgment must be in Fairfield’s favor. Id. at 329–30. The Third Circuit concluded, however, that the statute included a clear expression of retroactivity. The court also held that applying FERA’s amendments would not violate the ex post facto clause of the U.S. Constitution, because the penalties under the FCA were insufficiently punitive in nature to trigger that clause. Id. at 330–41.

After resolving the retroactivity point, the Third Circuit affirmed the district court’s orders entering judgment against Fairfield for FCA violations stemming from Fairfield’s alleged violation of the Davis Bacon Act, 40 U.S.C. § 3142, et. seq., which requires contractors performing work on federally funded construction projects to pay prevailing wages to their employees based on the classification of work performed. Id. at 323. As the court explained, a misclassification of employees may result in those individuals being underpaid, which means accompanying certifications to the government that a contractor is in compliance with the Act may be both false and material to payment for contractual performance. Id. at 323–24. Fairfield allegedly underpaid its employees as compared to the wages the Act required, but still submitted certifications to the government that it satisfied applicable wage requirements. Id. at 326–27.

G. Eleventh Circuit Addresses Novel Excessive Fines Issue

In Yates v. Pinellas Hematology & Oncology, P.A., 21 F.4th 1288 (11th Cir. 2021), the Eleventh Circuit considered whether a penalty imposed under the FCA violated the Eighth Amendment’s Excessive Fines Clause. Pinellas was a medical practice that collected and tested blood samples at its clinical laboratory. The entity purchased a second location—an oncology practice—at which it also performed testing allegedly without obtaining a new certification under the Clinical Laboratory Improvement Amendments (“CLIA”) of 1988, as required, for almost a year after the purchase. Id. at 1295. According to the qui tam suit, in which the government declined to intervene, the defendant allegedly then submitted reimbursement claims for blood tests to Medicare that miscited the CLIA certificate at its other location and other claims that misrepresented the location of service. Id. at 1296. A jury ultimately found the defendant liable for submitting 214 false claims to Medicare and found that the government sustained $755.54 in damages. Id. Under the FCA’s treble damages and statutory penalty provisions, discussed above, the district court imposed a total monetary award of $1,179,266.62 (composed of $2,266.62 in treble damages (3 x $755.54) and $1,177,000 in statutory penalties (214 x $5,500)). Id. at 1297.

The defendant challenged both the jury’s verdict and the district court’s monetary award. The Eleventh Circuit affirmed the jury’s verdict, concluding that the evidence presented at trial supported the jury’s findings that the defendant knowingly submitted materially false reimbursement claims. The court also disagreed with the defendant’s argument that the damages finding was incorrect because the government had received exactly what it paid for: 214 blood tests. The court explained that, in cases involving Medicare claims, damages are measured as the difference between what the government paid and what it would have paid if the defendant’s claims had been truthful. Id. at *1304–05. Thus, the court found that the evidence supported $755.54 in damages.

The defendant also argued the district court’s monetary award violated the Eighth Amendment’s Excessive Fines Clause. As a matter of first impression, the Eleventh Circuit considered whether the Excessive Fines Clause applies to an FCA case in which the government has declined to intervene (as was the case here). After explaining that the Eighth Amendment applies only to government imposition of fines and noting that the qui tam relator was a private citizen, the Eleventh Circuit held that an FCA monetary award is a fine for purposes of the Excessive Fines Clause, that it is the United States that imposes such a fine in a non-intervened qui tam action, and that the Eighth Amendment thus should apply to such actions. Id. at 1307. In so holding, the court focused on the fact that the government, although “not a formal party to a non-intervened qui tam action,” “remains a real party in interest,” has “significant procedural rights” in the ability to decide whether to intervene, and remains involved in non-intervened cases—namely, by preserving the ability to intervene later, receiving the vast majority of any monetary award, and maintaining control over whether a relator can dismiss a qui tam action. Id. at 1308–14. The court then weighed the proportionality of the award and found, based on the defendant’s alleged repeated violations and the fact that the award fell at the low-end of the FCA’s prescribed penalty range, that the penalty was not excessive. Id. at 1314–16.

H. DC Circuit Issues Opinion on Medicare Overpayment Rule

The D.C. Circuit issued a decision that, while not specifically adjudicating FCA liability, is likely to impact future FCA litigation.

In UnitedHealthcare Insurance Co. v. Becerra, 16 F.4th 867 (D.C. Cir. 2021), the D.C. Circuit considered a challenge by health care insurers to a rule promulgated by CMS, known as the “Overpayment Rule.” Under the Overpayment Rule, if an insurer “learns a diagnosis it submitted to CMS for payment lacks support in the beneficiary’s medical record, the insurer must refund that payment within sixty days.” Id. at 869. In the context of Medicare Advantage—private Medicare plans where members “elect to receive their health insurance through a private insurer . . . rather than directly through the government under traditional Medicare”—insurers must accurately track diagnosis and demographic information for purposes of ensuring that “risk-adjusted” payments from CMS are accurate. Id. at 869–70. For many years, the government has pursued FCA investigations and actions against insurers, alleging that they artificially inflated those “risk-adjusted” payments by manipulating diagnosis codes collected for members, and therefore owed CMS money, including under the Overpayment Rule.

Insurers brought suit seeking to invalidate the Overpayment Rule, claiming that the Overpayment Rule violated statutory provisions guaranteeing that risk-adjusted payments under Medicare Advantage would be “actuarially equivalent” to payment under traditional Medicare and employ the “same methodology.” According to insurers, the mechanisms established by the Overpayment Rule would violate these requirements by, in essence, requiring the return of “overpayments” under Medicare Advantage that departed from actuarial standards used in traditional Medicare.

The district court agreed with the insurers and struck down the rule. Id. at 880. In doing so, the district court also rejected the Overpayment Rule’s imposition of a “reasonable diligence” or negligence-type standard for identifying and reporting overpayments, which, according to the court, was inconsistent with the “knowingly” standard set forth in the FCA. Id. at 881. The D.C. Circuit, however, overturned the district court’s decision and held, as a matter of first impression, that nothing in the Overpayment Rule or applicable authority violated application of the “actuarial equivalence” requirement for the Medicare Advantage plans. Id. at 884–87. The D.C. Circuit also rejected the district court’s findings that the Rule violates the Medicare statute’s “same methodology” requirement. Id. at 891–92. The district court’s rejection of the “reasonable diligence” standard was not challenged on appeal.

It remains to be seen how the district court will apply the circuit court’s position on remand. But enactment and application of the Overpayment Rule will likely have significant consequences for potential FCA liability against health care insurers, and we will continue to watch this case closely.

V. CONCLUSION

We will monitor these developments, along with other FCA legislative activity, settlements, and jurisprudence throughout the year and report back in our 2022 False Claims Act Mid-Year Update, which we will publish in July 2022.

___________________________

[1] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Justice Department’s False Claims Act Settlements and Judgments Exceed $5.6 Billion in Fiscal Year 2021 (Feb. 1, 2022), https://www.justice.gov/opa/pr/justice-department-s-false-claims-act-settlements-and-judgments-exceed-56-billion-fiscal-year [hereinafter DOJ FY 2021 Recoveries Press Release].

[2] See U.S. Dep’t of Justice, Fraud Statistics Overview (Feb. 1, 2022), https://www.justice.gov/opa/press-release/file/1467811/download [hereinafter DOJ FY 2021 Stats].

[3] DOJ FY 2021 Recoveries Press Release.

[4] Id.

[5] DOJ FY 2021 Stats.

[6] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Contract Rehabilitation Therapy Providers Agree to Pay $8.4 Million to Resolve False Claims Act Allegations Relating to the Provision of Medically Unnecessary Therapy Services (July 2, 2021), https://www.justice.gov/opa/pr/contract-rehabilitation-therapy-providers-agree-pay-84-million-resolve-false-claims-act.

[7] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Northern Ohio Health System Agrees to Pay Over $21 Million to Resolve False Claims Act Allegations for Improper Payments to Referring Physicians (July 2, 2021), https://www.justice.gov/opa/pr/northern-ohio-health-system-agrees-pay-over-21-million-resolve-false-claims-act-allegations.

[8] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Medical Device Companies Alere Inc. and Alere San Diego Inc. Agree to Pay $38.75 Million to Settle False Claims Act Allegations (July 8, 2021), https://www.justice.gov/opa/pr/medical-device-companies-alere-inc-and-alere-san-diego-inc-agree-pay-3875-million-settle.

[9] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, St. Jude Agrees to Pay $27 Million for Allegedly Selling Defective Heart Devices (July 8, 2021), https://www.justice.gov/opa/pr/st-jude-agrees-pay-27-million-allegedly-selling-defective-heart-devices.

[10] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Prime Healthcare Services and Two Doctors Agree to Pay $37.5 Million to Settle Allegations of Kickbacks, Billing for a Suspended Doctor, and False Claims for Implantable Medical Hardware (July 19, 2021), https://www.justice.gov/opa/pr/prime-healthcare-services-and-two-doctors-agree-pay-375-million-settle-allegations-kickbacks.

[11] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Interface Rehab to Pay $2 Million to Resolve False Claims Act Allegations (July 23, 2021), https://www.justice.gov/opa/pr/interface-rehab-pay-2-million-resolve-false-claims-act-allegations.

[12] See Press Release, U.S. Dep’t of Justice, EEG Testing and Private Investment Companies Pay $15.3 Million to Resolve Kickback and False Billing Allegations (July 21, 2021), https://www.justice.gov/opa/pr/eeg-testing-and-private-investment-companies-pay-153-million-resolve-kickback-and-false.

[13] See Press Release, U.S. Atty’s Office for the Dist. of MT, Former Billings Rheumatologist Settles Alleged Health Care Fraud Claims for $2 Million (July 20, 2021), https://www.justice.gov/usao-mt/pr/former-billings-rheumatologist-settles-alleged-health-care-fraud-claims-2-million.

[14] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Mail-Order Diabetic Testing Supplier and Parent Company Agree to Pay $160 Million to Resolve Alleged False Claims to Medicare (Aug. 2, 2021), https://www.justice.gov/opa/pr/mail-order-diabetic-testing-supplier-and-parent-company-agree-pay-160-million-resolve-alleged.

[15] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Ascension Michigan to Pay $2.8 Million to Resolve False Claims Act Allegations (Aug. 5, 2021), https://www.justice.gov/opa/pr/ascension-michigan-pay-28-million-resolve-false-claims-act-allegations.

[16] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, County Medical Center and County Agree to Pay $11.4 Million to Resolve False Claims Act Allegations Relating to Medically Unnecessary Inpatient Admissions (Aug. 6, 2021), https://www.justice.gov/opa/pr/county-medical-center-and-county-agree-pay-114-million-resolve-false-claims-act-allegations.

[17] See Press Release, U.S. Atty’s Office for the Central Dist. of CA, Downey Company that Provides In-Home Respiratory Services Agrees to Pay Over $3.3 Million to Resolve Fraud Allegations (Aug. 25, 2021), https://www.justice.gov/usao-cdca/pr/downey-company-provides-home-respiratory-services-agrees-pay-over-33-million-resolve.

[18] See Press Release, U.S. Atty’s Office for the Dist. of DE, Connections Community Support Programs Agrees to Judgments of Over $15 Million to Resolve Health Care Fraud and Controlled Substances Allegations (Aug. 26, 2021), https://www.justice.gov/usao-de/pr/connections-community-support-programs-agrees-judgments-over-15-million-resolve-health.

[19] See Press Release, U.S. Atty’s Office for the Northern Dist. of TX, Hospital to Pay More Than $3 Million to Settle Whistleblower Suit (Aug. 27, 2021), https://www.justice.gov/usao-ndtx/pr/hospital-pay-more-3-million-settle-whistleblower-suit.

[20] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Sutter Health and Affiliates to Pay $90 Million to Settle False Claims Act Allegations of Mischarging the Medicare Advantage Program (Aug. 30, 2021), https://www.justice.gov/opa/pr/sutter-health-and-affiliates-pay-90-million-settle-false-claims-act-allegations-mischarging.

[21] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, United States Obtains $140 Million in False Claims Act Judgments Against South Carolina Pain Management Clinics, Drug Testing Laboratories and a Substance Abuse Counseling Center (Sept. 3, 2021), https://www.justice.gov/opa/pr/united-states-obtains-140-million-false-claims-act-judgments-against-south-carolina-pain.

[22] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Home Health Agency Operator BAYADA to Pay $17 Million to Resolve False Claims Act Allegations for Paying Kickback (Sept. 8, 2021), https://www.justice.gov/opa/pr/home-health-agency-operator-bayada-pay-17-million-resolve-false-claims-act-allegations-paying.

[23] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Orlando Cardiologist Pays $6.75 Million to Resolve Allegations of Performing Unnecessary Medical Procedures (Sept. 15, 2021), https://www.justice.gov/opa/pr/orlando-cardiologist-pays-675-million-resolve-allegations-performing-unnecessary-medical.

[24] See Press Release, U.S. Atty’s Office for the Eastern Dist. of PA, Three Generic Pharmaceutical Companies Agree to Pay Almost Half a Billion Dollars to Resolve Alleged False Claims Act Liability, Bringing Total Payments for Price-Fixing to Nearly $900 Million (Oct. 15 2021), https://www.justice.gov/usao-edpa/pr/three-generic-pharmaceutical-companies-agree-pay-almost-half-billion-dollars-resolve.

[25] See Press Release, U.S. Atty’s Office for the Eastern Dist. of MI, USMM and VPA Pay $8.5 Million To Resolve Overpayment of Medicare Claims for Laboratory and Diagnostic Testing (Oct. 8, 2021), https://www.justice.gov/usao-edmi/pr/usmm-and-vpa-pay-85-million-resolve-overpayment-medicare-claims-laboratory-and.

[26] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Texas Pain Management Physicians Agree to Pay $3.9 Million to Resolve Allegations Relating to Unnecessary Urine Drug Testing (Oct. 22, 2021), https://www.justice.gov/opa/pr/texas-pain-management-physicians-agree-pay-39-million-resolve-allegations-relating.

[27] See Press Release, U.S. Atty’s Office for the Northern Dist. of GA, Atlanta pharmacy to pay $4.6 million to settle False Claims Act allegations regarding compound medications (Oct. 25, 2021), https://www.justice.gov/usao-ndga/pr/atlanta-pharmacy-pay-46-million-settle-false-claims-act-allegations-regarding-compound.

[28] See Press Release, U.S. Atty’s Office for MN, Physical Therapy Provider to Pay $4 Million to Resolve Alleged False Claims Act Violations (Oct. 28, 2021), https://www.justice.gov/usao-mn/pr/physical-therapy-provider-pay-4-million-resolve-alleged-false-claims-act-violations.

[29] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Medical Device Company Arthrex to Pay $16 Million to Resolve Kickback Allegations (November 8, 2021), https://www.justice.gov/opa/pr/medical-device-company-arthrex-pay-16-million-resolve-kickback-allegations.

[30] See Press Release, U.S. Atty’s Office for the N. Dist. of Ga., Anesthesia providers and outpatient surgery centers pay more than $28 million to resolve kickback and False Claims Act allegations (Nov. 9, 2021), https://www.justice.gov/usao-ndga/pr/anesthesia-providers-and-outpatient-surgery-centers-pay-more-28-million-resolve.

[31] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Kaléo Inc. Agrees to Pay $12.7 Million to Resolve Allegations of False Claims for Anti-Overdose Drug (Nov. 9, 2021), https://www.justice.gov/opa/pr/kal-o-inc-agrees-pay-127-million-resolve-allegations-false-claims-anti-overdose-drug.

[32] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, South Carolina Chiropractor Pleads Guilty and Agrees to $9 Million False Claims Act Consent Judgment (Nov. 22, 2021), https://www.justice.gov/opa/pr/south-carolina-chiropractor-pleads-guilty-and-agrees-9-million-false-claims-act-consent.

[33] See Press Release, U.S. Atty’s Office for the N. Dist. of Ga., Home health agency to pay $4.2 million to settle False Claims Act allegations (Nov. 22, 2021), https://www.justice.gov/usao-ndga/pr/home-health-agency-pay-42-million-settle-false-claims-act-allegations-0.

[34] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Crossroads Hospice Agrees to Pay $5.5 Million to Settle False Claims Act Liability (Nov. 23, 2021), https://www.justice.gov/opa/pr/crossroads-hospice-agrees-pay-55-million-settle-false-claims-act-liability.

[35] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Flower Mound Hospital to Pay $18.2 Million to Settle Federal and State False Claims Act Allegations Arising from Improper Inducements to Referring Physicians (Dec. 2, 2021), https://www.justice.gov/opa/pr/flower-mound-hospital-pay-182-million-settle-federal-and-state-false-claims-act-allegations.

[36] See Press Release, U.S. Atty’s Office for the Dist. of NJ., Pathology Practice Agrees to Pay $2.4 Million to Resolve False Claims Act Allegations (Dec. 7, 2021), https://www.justice.gov/usao-nj/pr/pathology-practice-agrees-pay-24-million-resolve-false-claims-act-allegations.

[37] See Press Release, U.S. Atty’s Office for the N. Dist. of Ga., Dr. Jeffrey M. Gallups and Entellus Medical agree to pay $4.2 million to resolve False Claims Act lawsuit alleging kick-back arrangements (Dec. 8, 2021), https://www.justice.gov/usao-ndga/pr/dr-jeffrey-m-gallups-and-entellus-medical-agree-pay-42-million-resolve-false-claims-act.

[38] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, AAR Corp. Agrees to Pay $11 Million to Settle False Claims Act Allegations on Aircraft Maintenance Contract and to Pay Penalties Assessed by the FAA (July 6, 2021), https://www.justice.gov/opa/pr/aar-corp-agrees-pay-11-million-settle-false-claims-act-allegations-aircraft-maintenance.

[39] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Devon Energy Companies Agree to Pay $6.15 Million to Settle False Claims Act Allegations for Underpaying Royalties on Gas from Federal Lands (Sept. 27, 2021), https://www.justice.gov/opa/pr/devon-energy-companies-agree-pay-615-million-settle-false-claims-act-allegations-underpaying.

[40] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Crane Company Agrees to Pay More Than $4.5 Million to Resolve False Claims Act Lawsuit for Non-Compliance with Military Specifications (Oct. 6, 2021), https://www.justice.gov/opa/pr/crane-company-agrees-pay-more-45-million-resolve-false-claims-act-lawsuit-non-compliance.

[41] See Press Release, U.S. Atty’s Office for the Western Dist. of NY, Cheektowaga Contractor Agrees To Settle False Claims Act Violations (Oct. 15, 2021), https://www.justice.gov/usao-wdny/pr/cheektowaga-contractor-agrees-settle-false-claims-act-violations.

[42] See Press Release, U.S. Atty’s Office for the Dist. of Md., Information Technology Contractor Agrees to Pay More Than $1.3 Million to Settle Federal False Claims Act Allegations of Overbilling (Dec. 21, 2021), https://www.justice.gov/usao-md/pr/information-technology-contractor-agrees-pay-more-13-million-settle-federal-false-claims.

[43] See Press Release, U.S. Atty’s Office for the W. Dist. of Tx., Maytag Aircraft Corporation Agrees to Pay $1.9 Million to Resolve Liability for 2014 Jet Fuel Spill at Fort Hood (Dec. 22, 2021), https://www.justice.gov/usao-wdtx/pr/maytag-aircraft-corporation-agrees-pay-19-million-resolve-liability-2014-jet-fuel-spill.

[44] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Florida Department of Children and Families Agrees to Pay $17.5 Million to Resolve False Claims Act Liability in Connection with SNAP Quality Control (July 12, 2021), https://www.justice.gov/opa/pr/florida-department-children-and-families-agrees-pay-175-million-resolve-false-claims-act.

[45] See Press Release, U.S. Atty’s Office for the S. Dist. of N.Y., Manhattan U.S. Attorney Settles Civil Fraud Lawsuit Against Clothing Companies and Their Former CEO for Misrepresenting the Value of Goods to Avoid Paying Customs Duties (July 28, 2021), https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-settles-civil-fraud-lawsuit-against-clothing-companies-and-their.

[46] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Tennessee Department of Human Services Agrees to Pay $6.8 Million to Resolve False Claims Act Liability in Connection with SNAP Quality Control (Aug. 5, 2021), https://www.justice.gov/opa/pr/tennessee-department-human-services-agrees-pay-68-million-resolve-false-claims-act-liability.

[47] U.S. Dep’t of Justice, Office of the Associate Attorney General Rachel Brand, Memorandum for Heads of Civil Litigating Components and United States Attorneys: Limiting Use of Agency Guidance Documents In Affirmative Civil Enforcement Cases (Jan. 25, 2018), https://www.justice.gov/file/1028756/download.

[48] U.S. Dep’t of Justice, Justice Manual § 1-20.100 (Dec. 2018), https://web.archive.org/web/20190327044939/https://www.justice.gov/jm/1-20000-limitation-use-guidance-documents-litigation.

[49] See 86 Fed. Reg. 37674 (July 16, 2021), https://www.govinfo.gov/content/pkg/FR-2021-07-16/pdf/2021-14480.pdf.

[50] U.S. Dep’t of Justice, Office of the Attorney General, Memorandum for Heads of All Department Components: Issuance and Use of Guidance Documents by the Department of Justice (July 1, 2021), https://www.justice.gov/opa/page/file/1408606/download.

[51] Id.

[52] Press Release, U.S. Dep’t of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.

[53] Id.

[54] U.S. Dep’t of Justice, Acting Assistant Attorney General Brian M. Boynton Delivers Remarks at the Cybersecurity and Infrastructure Security Agency (CISA) Fourth Annual National Cybersecurity Summit (Oct. 13, 2021), https://www.justice.gov/opa/speech/acting-assistant-attorney-general-brian-m-boynton-delivers-remarks-cybersecurity-and.

[55] See Gibson, Dunn & Crutcher LLP, Emergency Federal Measures to Combat Coronavirus (Mar. 18, 2020), https://www.gibsondunn.com/emergency-federal-measures-to-combat-coronavirus/.

[56] American Rescue Plan Act, 2021, Pub. L. No. 117-2, 117th Cong. (2021).

[57] Press Release, U.S. Dep’t of Justice, Eastern District of California Obtains Nation’s First Civil Settlement for Fraud on Cares Act Paycheck Protection Program (Jan. 12, 2021), https://www.justice.gov/usao-edca/pr/eastern-district-california-obtains-nation-s-first-civil-settlement-fraud-cares-act.

[58] Press Release, U.S. Dep’t of Justice, Owner of Jet Charter Company Settles False Claims Act Allegations Regarding Misappropriation of Payment Protection Program Loan (Aug. 27, 2021), https://www.justice.gov/usao-sdfl/pr/owner-jet-charter-company-settles-false-claims-act-allegations-regarding.

[59] Press Release, U.S. Dep’t of Justice, COVID-19 Task Force Nets Florida Duct Cleaning Company; Settles False Claims Act Allegations Relating to Improper Paycheck Protection Program Loan (Oct. 28, 2021), https://www.justice.gov/opa/pr/covid-19-task-force-nets-florida-duct-cleaning-company-settles-false-claims-act-allegations.

[60] CARES Act, Pub. L. No. 116-136, 116th Cong. (2020), § 4018.

[61] Special Inspector Gen. for Pandemic Recovery, SIGPR Overview, https://www.sigpr.gov/about-sigpr/sigpr-overview.

[62] Special Inspector Gen. for Pandemic Recovery, Quarterly Report: Message from the Special Inspector General for Pandemic Recovery (July 30, 2021), https://www.sigpr.gov/news/quarterly-report-message-special-inspector-general-pandemic-recovery.

[63] See Press Release, U.S. Dep’t of Justice, Baltimore Woman Facing Federal Indictment for Allegedly Obtaining More Than $1.6 Million in Federal Funds Intended to Relieve Financial Distress Caused by the Covid-19 Pandemic (Dec. 15, 2021), https://www.justice.gov/usao-md/pr/baltimore-woman-facing-federal-indictment-allegedly-obtaining-more-16-million-federal (reflecting SIGPR’s involvement in action); see also Baltimore Woman Used Fake Documents To Get $1.6 Million In COVID Relief Funds, Feds Say, Balt. Sun (Dec. 15, 2021), https://www.baltimoresun.com/news/crime/bs-md-ci-cr-covid-relief-charges-20211215-wcf7ydmpozd2rm7tb77dt7o7ze-story.html.

[64] Ltr. from Sen. Charles Grassley to Hon. Merrick B. Garland (Feb. 24, 2021), https://g7x5y3i9.rocketcdn.me/wp-content/uploads/2021/03/2021-02-24-CEG-to-DOJAG-Nominee-Garland-regarding-FCA.pdf.

[65] False Claims Amendments Act of 2021, S. 2428, 117th Cong. (July 22, 2021), https://www.congress.gov/bill/117th-congress/senate-bill/2428/text/is?r=1.

[66] Press Release, Sen. Chuck Grassley, False Claims Act Amendments of 2021, https://www.grassley.senate.gov/imo/media/doc/false_claims_amendments_act_summary.pdf.

[67] False Claims Amendments Act of 2021, S. 2428, 117th Cong. (Nov. 16, 2021), https://www.congress.gov/bill/117th-congress/senate-bill/2428/text/rs?r=1.

[68] Id.

[69] Id.

[70] Actions Overview, False Claims Amendments Act of 2021, S. 2428, 117th Cong. (1st Sess. 2021), https://www.congress.gov/bill/117th-congress/senate-bill/2428/actions?r=1&s=1.

[71] HHS-OIG, State False Claims Act Reviews, https://oig.hhs.gov/fraud/state-false-claims-act-reviews/.

[72] Id.

[73] Id.

[74] See Ltr. from Christi A. Grimm, Principal Deputy Inspector General, to Hon. Austin Knudsen, Attorney General of Minnesota (Oct. 4, 2021), https://oig.hhs.gov/documents/false-claims-act/1003/montana2021.pdf.

[75] HHS-OIG, supra note 63.

[76] Analysis by the Legislative Reference Bureau, Wisconsin S.B. 652 (Oct. 20, 2021), https://docs.legis.wisconsin.gov/2021/related/proposals/sb652.pdf.

[77] Id.

[78] See Ltr. from Daniel R. Levinson, Inspector General, to Hon. Brad Schimel, Attorney General of Wisconsin (Dec. 28, 2016), https://oig.hhs.gov/documents/false-claims-act/276/Wisconsin-supplement.pdf.

[79] See Analysis of the Legislative Reference Bureau, supra note 76.

The following Gibson Dunn lawyers assisted in the preparation of this alert: Jonathan Phillips, John Partridge, James Zelenay, Reid Rector, Michael Dziuban, Allison Chapin, Chelsea Knudson, Becca Smith, Emma Strong, Phuntso Wangdra, Mike Ulmer, Katie King, Jabari Julien, Nick Perry, Ben Gibson, and John Turquet Bravard.

Gibson Dunn lawyers regularly counsel clients on the False Claims Act issues. Please feel free to contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s False Claims Act /Qui Tam Defense Group:

Washington, D.C.
Jonathan M. Phillips – Co-Chair, False Claims Act/Qui Tam Defense Group (+1 202-887-3546, [email protected])
F. Joseph Warin (+1 202-887-3609, [email protected])
Joseph D. West (+1 202-955-8658, [email protected])
Robert K. Hur (+1 202-887-3674, [email protected])
Geoffrey M. Sigler (+1 202-887-3752, [email protected])
Lindsay M. Paulin (+1 202-887-3701, [email protected])

San Francisco
Winston Y. Chan – Co-Chair, False Claims Act/Qui Tam Defense Group (+1 415-393-8362, [email protected])
Charles J. Stevens (+1 415-393-8391, [email protected])

New York
Reed Brodsky (+1 212-351-5334, [email protected])
Mylan Denerstein (+1 212-351-3850, [email protected])
Alexander H. Southwell (+1 212-351-3981, [email protected])
Brendan Stewart (+1 212-351-6393, [email protected])
Casey Kyung-Se Lee (+1 212-351-2419, [email protected])

Denver
John D.W. Partridge (+1 303-298-5931, [email protected])
Robert C. Blume (+1 303-298-5758, [email protected])
Monica K. Loseman (+1 303-298-5784, [email protected])
Ryan T. Bergsieker (+1 303-298-5774, [email protected])
Reid Rector (+1 303-298-5923, [email protected])

Dallas
Robert C. Walters (+1 214-698-3114, [email protected])
Andrew LeGrand (+1 214-698-3405, [email protected])

Los Angeles
Nicola T. Hanna (+1 213-229-7269, [email protected])
Timothy J. Hatch (+1 213-229-7368, [email protected])
Deborah L. Stein (+1 213-229-7164, [email protected])
James L. Zelenay Jr. (+1 213-229-7449, [email protected])

Palo Alto
Benjamin Wagner (+1 650-849-5395, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Please join us for a discussion about FCPA developments and emerging trends from 2021. Intended to complement our Year-End FCPA Update, this webcast discusses in greater detail recent FCPA enforcement updates of note, the Biden Administration’s focus and initiatives on combating corruption, and the increasing interplay between anti-corruption and anti-money laundering efforts. We also discuss key takeaways from these developments, including with respect to anti-corruption compliance program trends and recommendations. Download our FCPA Year-End Update.

PANELISTS:

Patrick Stokes is Co-Chair of the firm’s Anti-Corruption and FCPA Practice Group and a partner in the Washington, D.C. office, where he focuses his practice on internal corporate investigations, government investigations, enforcement actions regarding corruption, securities fraud, and financial institutions fraud, and compliance reviews. Mr. Stokes is ranked nationally and globally by Chambers USA and Chambers Global as a leading attorney in FCPA. Prior to joining the firm, Mr. Stokes headed the DOJ’s FCPA Unit, managing the FCPA enforcement program and all criminal FCPA matters throughout the United States covering every significant business sector. Previously, he served as Co-Chief of the DOJ’s Securities and Financial Fraud Unit.

John W.F. Chesley is a partner in the Washington, D.C. office. Mr. Chesley has been recognized repeatedly recognized for his white collar defense work by Global Investigations Review’s “40 Under 40,” as well as Law 360’s “Rising Stars”. He represents corporations, audit committees, and executives in internal investigations and before government agencies in matters involving the FCPA, procurement fraud, environmental crimes, securities violations, antitrust violations, and whistleblower claims. He also litigates government contracts disputes in federal courts and administrative tribunals.

Ella Capone is a senior associate in the Washington, D.C. office, where she is a member of the White Collar Defense and Investigations and Anti-Money Laundering practice groups. Her practice focuses primarily in the areas of white collar criminal defense, corporate compliance, and securities litigation. Ms. Capone regularly conducts internal investigations and advises multinational corporations and financial institutions, on compliance with anti-corruption and anti-money laundering laws and regulations.

Joseph Warin is Co-Chair of Gibson Dunn’s global White Collar Defense and Investigations Practice Group, and he is chair of the over 200-person Litigation Department of the Washington, D.C. office. Mr. Warin is ranked in the top-tier year after year by Chambers USA, Chambers Global, and Chambers Latin America for his FCPA, fraud and corporate investigations experience. He has handled cases and investigations in more than 40 states and dozens of countries involving federal regulatory inquiries, criminal investigations and cross-border inquiries by international enforcers, including UK’s SFO and FCA, and government regulators in Germany, Switzerland, Hong Kong, and the Middle East. Mr. Warin has served as a compliance monitor or counsel to the compliance monitor in three separate FCPA monitorships, pursuant to settlements with the SEC and DOJ.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 2.0 credit hours, of which 2.0 credit hours may be applied toward the areas of professional practice requirement.

This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 2.0 hours.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

Munich associate Marcus Geiss and of counsel Birgit Friedl are the authors of “German Corporate Law 2022: At the Cross-Roads of Continued Globalization and Keeping Your Own House in Order” [PDF] published by M&A Review on February 2, 2022.

Munich of counsel Silke Beiter, associates Sonja Ruttmann and Maximilian Schniewind and Frankfurt associate Jan Vollkammer also contributed to the article.

In this client alert, we outline a number of significant UK and international tax developments of recent weeks and months, many of which will continue to take shape as we move forward into 2022.

In the UK, domestic tax policy looks set to play as important a role as ever as the government continues to walk the tightrope of seeking to stimulate economic activity and investment, whilst raising much needed revenue. Forecasters have predicted strong economic growth over 2022, but this is against the backdrop of record pandemic borrowing, a drop in tax revenue figures for 2020/2021, high inflation and expected interest rate rises (of course exacerbating the government’s cost of borrowing). Many will find themselves wondering if the current government will be able to hold out on all aspects of the “triple tax lock” pledge to not raise income tax, National Insurance contributions or VAT until 2024 – of course already side-lined in relation to National Insurance contributions which are due to increase by 1.25% from April 2022.

In the international tax arena, 2022 promises to be a seminal, perhaps “make or break”, year. The OECD’s BEPS 2.0 project is in full motion, at least as regards Pillar II in relation to which model rules were published in a flurry of activity in December 2021. With a scheduled 2023 effective date, some degree of turmoil looks inevitable as numerous stakeholders get to grips with the finer details of local implementation – and that’s before we even begin to understand the interplay with US domestic tax policy and reform. Pillar I proposals on the other hand would appear to be considerably less advanced and so far less certain to succeed, although model rules for domestic implementation are still expected in early 2022.

In any event, we expect to see the UK government continue to stake the UK’s claim to be “open for business”, with significant measures in the asset management and investment funds sector in particular which seek to enable the UK to compete with other jurisdictions and bolster the financial services components of the UK economy – as analysed further below.

We hope that you find this alert useful. Please do not hesitate to contact us with any questions or requests for further information.

Read More

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the Tax Practice Group, or the authors in London:

Sandy Bhogal (+44 (0) 20 7071 4266, [email protected])
Benjamin Fryer (+44 (0) 20 7071 4232, [email protected])
Bridget English (+44 (0) 20 7071 4228, [email protected])
James Chandler (+44 (0) 20 7071 4211, [email protected])
William Inchbald (+44 (0) 20 7071 4264, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

New York partner Lindsey Schmidt is author of “ICDR, JAMS, and CPR Comparison Chart (International)” [PDF] published in Practical Guidance by LexisNexis in December 2021.

Washington, D.C. partner Judith Alison Lee is the author of “US Commerce Department takes more action against Chinese companies” [PDF] published by Financier Worldwide in February 2022.

Click for PDF

For the fourth consecutive year, and complementing the publication of Gibson Dunn’s upcoming tenth annual U.S. Cybersecurity and Data Privacy Outlook and Review, we offer this separate International Outlook and Review. As every year, this Outlook and Review provides an overview of past and upcoming developments related to global privacy and cybersecurity laws.

2021 saw an increasing number of data protection bills and laws passed across numerous international jurisdictions. Notably, China, the UAE, Brazil, Russia and Switzerland, among others, passed new laws, amendments or implementing regulations paving the way for a new round of significant data privacy regimes. It is expected that international authorities will make full use of their new powers in order to apply and enforce their respective data protection legislation in the near future.

In the European Union (“EU”), there were a significant number of developments in the evolution of the data protection and cybersecurity landscape:

In the aftermath of the Schrems II ruling, the EDPB adopted a series of Recommendations and Guidelines in order to clarify the regime and rules applicable to data transfers to the U.S. and other jurisdictions that do not benefit from an adequacy decision, as well as on the territorial scope of the General Data Protection Regulation (“GDPR”). Furthermore, the European Commission adopted new sets of Standard Contract Clauses (“SCCs”) that must be used as of 27 September 2021 for new contractual arrangements and apply to existing contractual arrangements by 27 December 2022.
Further to the three-year review of the e-Privacy Regulation Bill by the EU Member States, negotiations between the Council, the European Parliament and the European Commission commenced for its finalisation and adoption, which is due to replace the 20-year-old e-Privacy Directive.
EU lawmakers have also made progress on the adoption of the revised Network Infrastructure Security Directive (“NIS2 Directive”), which is due to replace the current NIS Directive by expanding its scope and seeking to harmonise further this sector across all levels (including sanctions).
EU supervisory authorities continued to apply and enforce the GDPR vigorously, imposing record-setting fines and making full use of EU law instruments to achieve a harmonised approach.

We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

I. European Union

A. International data transfers

1. Aftermath of the Schrems II Ruling

As we indicated in the 2021 International Outlook and Review, on 16 July 2020, the so-called Schrems II ruling of the Court of Justice of the EU (“CJEU”) struck down the EU-U.S. Privacy Shield, which numerous companies had relied upon to transfer personal data from the EU to the U.S. Despite this, the CJEU also ruled that the SCCs approved by the European Commission, another mechanism used by an even higher number of companies to transfer personal data outside of the EU, remained valid subject to certain caveats.[1]

Further to the Schrems II ruling, organisations transferring personal data to a third country must verify, on a case-by-case basis, if there is anything in the law and practice of the third country which may impinge on the appropriate safeguards of the transfer tools (a “Risk Assessment”). If the law and practice of the third country do impinge the transfer tools safeguards, the organisations are required to implement supplementary measures to ensure an equivalent level of protection.

In this respect, the European Data Protection Board (“EDPB”) issued important new guidance on international transfers of personal data, namely:

Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data,[2] which provide guidance to help organisations conduct their Risk Assessment and determine which supplementary measures should be implemented;
Recommendations 02/2020 on the European Essential Guarantees for surveillance measures adopted by the EDPB,[3] which clarify the elements that organisations are required to take into account when assessing the law of a third country dealing with access to data by public authorities for the purpose of surveillance.

In parallel, on 4 June 2021, the European Commission adopted new SCCs to cover data transfers among controllers and processors from the European Economic Area (“EEA”) to third countries not recognised by the European Commission as ensuring an adequate level of protection for personal data.[4] These new set of SCCs replace the old SCCs adopted in 2001 and 2010 under the Data Protection Directive 95/46/EC (“e-Privacy Directive”), and take into account the conclusions of the CJEU in Schrems II. Since 27 September 2021, it is no longer possible to execute the old SCCs and, as of 27 December 2022, existing contracts will need to have been replaced or amended to incorporate the new SCCs.

The EDPB also adopted the Guidelines 04/2021 on codes of conduct as tools for transfers[5], the Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR[6], each for public consultation. The latter Guidelines aim to clarify the territorial scope of the GDPR and the provisions on international transfers, to assist controllers and processors to determine whether a particular data processing activity falls directly under the GDPR, or should be covered by a legal data transfer mechanism to provide adequate safeguards.

In light of these developments, several Member State supervisory authorities issued statements and guidance in relation to matters concerning international data transfers:[7]

the Austrian Data Protection Authority ruled that the provider of a website using Google Analytics was illegally transferring data to the U.S. considering that Google, as an electronic communication service provider, is subject to U.S. surveillance and that the safeguards provided were insufficient to prevent U.S. intelligence from accessing the data;
the Italian Garante[8] fined a Milanese university €200,000 in relation to the transfer of personal data to the U.S. on the basis of the SCCs due to the lack of Risk Assessment and insufficient encryption measures;
the Belgian Conseil d’Etat[9] decided not to suspend a transfer of personal data to the U.S. since it could not exclude that encryption with separate key management can constitute a sufficient supplementary measure in this context;
in Germany, the Bavarian BayLDA[10] considered a data transfer as being unlawful due to the lack of Risk Assessment;
the Portuguese CNPD[11] ordered a controller to suspend within 12 hours any international transfers to the U.S. or other third countries without an adequate level of protection; and
the French Conseil d’Etat[12] decided not to suspend transfers of personal data to the U.S. in view of the safeguards implemented by the controller.

2. Adequacy decisions

On 28 June 2021, the European Commission adopted two adequacy decisions for the United Kingdom,[13] under the GDPR and the Law Enforcement Directive. These decisions will allow personal data to flow freely from the EU to the UK without the need for additional tools or authorisations. The adequacy findings include a ‘sunset clause’, which means that the decisions will automatically expire four years after their entry into force. It is likely that the decisions will only be renewed if the UK continues to ensure an adequate level of data protection of personal data.

On 17 December 2021, the European Commission also adopted the South Korea adequacy decision,[14] making it possible for personal data to be transferred safely from the EU to the Republic of Korea. With this decision, the Commission guarantees that the South Korean legislation on data protection, combined with the additional safeguards implemented in the country, ensure an adequate level of protection for EU data subjects’ personal data.

B. Proposed E-Privacy Regulation and Cookies and Telemarketing Enforcement

As we indicated was likely in the 2021 International Outlook and Review, the e-Privacy Regulation, which was proposed by the European Commission in 2017 to update laws applicable to telecoms, digital and online data processing, was not adopted in 2021.

In 2021, the Council, the European Parliament and the European Commission initiated joint discussions for the adoption of the e-Privacy Regulation. Although the co-legislators failed to find common ground, the situation does not look as dim as in 2020 and 2021. Legislators and industry experts are confident that the final Regulation will be adopted in 2022 or 2023.[15]

Relatedly, European e-privacy laws have continued to be the object of enforcement by EU data protection authorities. As explained further in Section ‎I.E below, in 2021, the Luxemburg, French and Spanish supervisory authorities, among others, imposed significant fines on companies for e-privacy violations (e.g., setting of cookies, the use of online targeted advertising and the use of telemarketing, without consent).

C. Proposed Network Information Security (“NIS2”) Directive Proposal

As explained in past iterations of the International Outlook and Review, the Network and Information Security (“NIS”) Directive, the first piece of EU-wide legislation on cybersecurity, had the specific aim of achieving a high common level of cybersecurity across the Member States.

While the NIS Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult and resulted in a patchwork of national legislations across the EU. To respond to the growth of digitalisation and cyber-attacks, on 16 December 2020, the European Commission submitted the NIS2 Directive Proposal to replace the NIS Directive. The NIS2 Directive Proposal aims to strengthen the security requirements, address the security of supply chains, streamline reporting obligations and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU. The NIS2 Directive Proposal will also have a broader scope of application, effectively requiring more entities and sectors to take the prescribed measures in relation to cybersecurity.

Further to the Council discussions, the European Parliament adopted its report on 28 October 2021, leading to interinstitutional negotiations with the European Commission.[16] It is expected that the NIS2 Directive will be effectively adopted in 2022 or in 2023.

D. EDPB Guidance

Aside from its guidance on international data transfers, the EDPB issued Guidelines on various topics, including:

Guidelines 06/2020 on the interplay between the second Payment Services Directive (PSD2) and the GDPR,[17] which notably address lawful grounds for further processing under the PSD2;
Guidelines 07/2020 on the concepts of controller and processor in the GDPR,[18] which aim to clarify these concepts and the consequences of attributing these roles to entities that collect and process personal data;
Guidelines 08/2020 on the targeting of social media users,[19] which provide an overview of the main parties and the targeting mechanisms involved in such processing, as well as the related GDPR requirements;
Guidelines 10/2020 on restrictions under Article 23 GDPR,[20] which address the grounds for restricting data subjects’ rights, including for national security and public defence, and for objectives of general public interest; and
Guidelines 01/2021 on Examples regarding Data Breach Notification,[21]which aim to assist data controllers in determining how to handle data breaches and what factors to consider during a risk assessment.

The EDPB also issued its Strategy 2021-2023,[22] as well as its Work Program 2021/2022,[23] notably announcing awaited Guidelines on, inter alia, legitimate interest, blockchain and the calculation of administrative fines.

E. Enforcement by Supervisory Authorities

In 2021, the GDPR and the e-Privacy Directive continued to be applied and enforced by EU Member State supervisory authorities. As explained in previous issues of our Outlook and Review, the GDPR put in place a one-stop shop mechanism to enable lead supervisory authorities of one Member State to adopt decisions and impose fines for EU-wide GDPR violations resulting from cross-border data processing activities.

On 15 June 2021, the CJEU generally upheld and confirmed the status of lead supervisory authorities as “sole interlocutors” of controllers and processors that process personal data cross-border within the EU.[24] Other supervisory authorities cannot therefore initiate any action, administrative or in court, that runs in parallel to that of the lead supervisory authority, except in exceptional circumstances foreseen by the GDPR (e.g., in urgency procedures under Article 66).

The GDPR’s jurisdictional rules were also addressed in another matter before the supervisory authority in France. In 2016, the French data protection authority (“CNIL”) had initiated investigations against the EU operations of a U.S. tech company regarding particularly its data sharing activities with the U.S. parent company. Among the alleged grievances being investigated, the CNIL considered that such data sharing was undertaken without appropriate legal basis. However, one of the key procedural issues being disputed was to determine whether the CNIL still had jurisdiction over a case initiated prior to the GDPR, but which continued after the GDPR became applicable in 2018 and after the U.S. tech company set up an EU establishment in charge of its processing activities in the same year. The CNIL eventually held in 2021 that it did not have jurisdiction on this case and did not sanction the U.S. tech company.

On 16 July 2021, the Luxembourg CNPD imposed a record-breaking €746 million fine on an e-commerce and online services corporation and required the company to remedy the instances of non-compliance within six months, with a penalty of €746,000 per day of delay.[25] According to the plaintiff, La Quadrature du Net, the company was processing personal data for targeted advertising purposes without a valid legal basis. The sanction has since been partially suspended by a local administrative court.[26]

On 2 September 2021, the Irish Data Protection Commission (“DPC”) imposed a fine of €225 million on online messaging service provider for allegedly failing to meet its transparency obligations under the GDPR. Given that the company’s data processing activities were cross-border, the DPC’s draft decision was reviewed by other relevant supervisory authorities, as required by the cooperation and consistency mechanism under the GDPR.

On 31 December 2021, the French CNIL imposed a €150 million fine on Google (€90 million for Google LLC and €60 million for Google Ireland Ltd), as well as a €60 million fine on a social network service[27], on the basis of the e-Privacy Directive, for allegedly not enabling users to refuse cookies as easily as to accept them. The CNIL also summoned the companies, in both cases, to bring their practices in compliance with the e-Privacy Directive within three months, with a penalty of €100,000 per day of delay.

On 25 May 2021, the German Competition Authority (“Bundeskartellamt”) opened proceedings under Germany’s 2021 GWB Digitalization Act against Google Germany GmbH, Google Ireland Ltd., Dublin, Ireland, and Alphabet Inc., USA, reviewing Google’s data processing terms and cross-service data processing. Subsequently, on 30 December 2021, it took a decision determining that Google has a paramount significance for competition across markets which is a prerequisite for the further investigation under the new law. Of note, the German Bundeskartellamt is not a supervisory authority under the GDPR, but is an active enforcer in the digital economy – including at the interface to the processing of personal data under the GDPR.

In addition, throughout 2021, several European Supervisory Authorities issued fines around €5-10 million, including for unlawful employee surveillance[28] or marketing calls[29] and lack of valid consent for the processing of personal data.[30]

II. Developments in Other European Jurisdictions: UK, Switzerland, Russia and Turkey

A. UK

In the UK, the Information Commissioner’s Office (“ICO”) has continued to undertake efforts to enforce the UK GDPR and the Data Protection Act 2018. Notably, in 2021, it announced its provisional intent to fine Clearview AI, Inc. £17 million[31] for its processing of biometric data scraped from the internet, and issued a provisional notice to stop further processing and delete the personal data of individuals in the UK. Throughout the year, the ICO also imposed fines of a lower amount to corporations and local businesses for their failure to apply data protection and e-privacy laws.[32]

In addition to its enforcement action, the UK ICO also undertook efforts to complete its regulatory framework post-Brexit. The most important development relates to the publication of draft international data transfer agreement (“IDTA”) and guidance, which were subject to consultation and are intended to replace the EU’s legacy SCCs.[33]

B. Switzerland

As we indicated in the 2021 International Outlook and Review, on 25 September 2020, the Swiss Parliament adopted the revised version of the Federal Act on Data Protection 1992 (“Revised FADP”). In anticipation of its upcoming entry into law in the second half of 2022, on 5 March 2021, the Federal Data Protection and Information Commissioner (“FDPIC”) published guidance on how the private sector and federal authorities needed to adapt their processing activities to comply with the new provisions of the Revised FADP. In particular, the guidance covers the right to data portability, codes of conduct, records of processing activities and cross-border transfers and extended requirements around providing information on data processing and transparency under the Revised FADP.[34]

On 23 June 2021, the Swiss Federal Council also released a draft revised Ordinance on the Federal Data Protection Act for public consultation following the adoption of the Revised FADP. In particular, the Council highlighted that the revisions to the Ordinance include minimum data security requirements, the modalities of the duty to inform data subjects, the right of access, data breach notification requirements, and exceptions to the obligation to keep a record of data processing activities for companies with fewer than 250 employees. Furthermore, the draft Ordinance specifies the criteria which the Council must take into account in its assessment of the adequacy of transfers of personal data to third countries, and includes a draft list of 34 countries which are considered to provide an adequate level of protection.[35]

With regard to data transfers, the FDPIC published a guide on 18 June 2021 to allow companies to review the admissibility of data transfers to third countries in accordance with the Federal Act on Data Protection 1992. The guide provides a flowchart detailing the actions required by organisations to ensure data transfers are made in compliance with the Act and, notably, elaborates on the legal requirement that apply to transfers to third countries that do not appear on the FDPIC list of adequate countries.[36]

Furthermore, on 27 August 2021, the FDPIC announced that the new SCCs adopted by the European Commission on 4 June 2021 for data transfers to third countries were also valid under Swiss law. The FDPIC recalled that the Commission’s SCCs may be used by data exporters, provided that the necessary adaptations and amendments be made for use under Swiss data protection law (i.e., replacing references to the EU with references to Switzerland). In addition, in line with the timeline in the EU, the FDPIC confirmed that the European Commission’s old SCCs could still be entered into until 27 September 2021 and existing agreements entered into under the old SCCs may still be used during a transitional period until 31 December 2022.[37]

C. Russia

As we indicated in the 2021 International Outlook and Review, Russia undertook a number of legislative modifications in 2021 to enhance and complete its data protection regime, notably in terms of increasing applicable fines.

In the same vein, Russia adopted a new federal law in 2021 ‘On Amendments to the Code of Administrative Offenses’, which increased the amounts of administrative fines prescribed in the Code of Administrative Offenses against the Federal Law On Personal Data. The amendments do not touch upon the highest fines for breaching the data localisation requirement, but do increase the administrative fines for repeated offenses (i.e., offences that occur within one year from the date the previous violation was enforced). Recidivism concerning the localisation requirement may lead to fines between RUB 6,000,000 and 18,000, 000 (approximately USD 80,000 to 240,000) on companies, and responsible managers may face fines between RUB 500,000 and 800,000 (approximately USD 6,600 to 10,500).[38]

In addition, the Russian Federal Service for the Supervision of Communications, Information Technology and Mass Communications (“Roskomnadzor”) and the Russian Parliament (“Duma”) have continued to undertake efforts to protect Russian consumers and citizens. First, on 29 March 2021, the Ministry of Digital Development published draft amendments to the Federal Law of 27 July 2006 No. 152-FZ on Personal Data in order to require telecom operators to obtain the consent of subscribers prior to the sale of their personal data for telemarketing purposes.[39]

On 1 July 2021, the Roskomnadzor also announced that it had launched an online service allowing companies to obtain and record consent to the processing of personal data collected directly from the data subject. The Roskomnadzor claims that the template service will enable operators to meet the consent requirements following the entry into force of the amendments to the Federal Law on Personal Data in March 2021. Furthermore, the Roskomnadzor noted that the template may be customised to the specific activities of the operator, and that data subjects may record their preferences as to how their personal data may be processed and further distributed to third parties.

Finally, on 10 November 2021, the Duma registered a bill on ‘Amendments to Article 14.8 of the Code of the Russian Federation on Administrative Offences’ in order to prohibit companies from forcing consumers to provide personal data in cases where such data is not necessary to complete the transaction and is not provided for by legislation.[40]

D. Turkey

In 2021, the Turkish data protection authority (“KVKK”) proceeded with its significant activity in providing guidance on the application of the Turkish Data Protection Act. Notably, on 20 October 2021, it issued guidance on the right to be forgotten (“RTBF”) in respect of search engines. The guidance follows up on the KVKK Board Decision 2020/481 regarding the requests of individuals to remove names, surnames and the results of searches made through search engines from the index, and it aims to clarify issues relating to the exercise of the RTBF. Among other points, it indicates that the individuals may exercise the RTBF either by making a request to the data controller (search engine) or by complaining to the KVKK.[41]

Finally, throughout 2021, the KVKK continued with its enforcement of the Turkish Data Protection Act. For example, on 21 June 2021, it imposed a fine of TRY 800,000 (approx. €77,390) on an e-commerce site for data security and breach notification failures under the Turkish Data Protection Act. In particular, the KVKK noted that the investigation was triggered by a complaint that access to the information of third-party companies was provided through the customer service panel on the e-commerce site.[42] On 3 September 2021, the KVKK published a summary of review of a decision concerning an online messaging service provider, in which it imposed a fine of TRY 1,950,000 (approx. €195,000) for allegedly failing to take necessary technical and administrative measures to ensure data security pursuant to the Act.[43]

III. Developments in Asia-Pacific

A. Australia

As explained in the 2021 International Outlook and Review, the Australian government is currently undertaking a wholesale review of the Privacy Act 1988 with a view to implementing significant reforms to the country’s privacy regime. In October 2021, the Attorney-General’s Department released a discussion paper considering the items raised in the issues paper published in October 2020 (and referred to in the 2021 International Outlook and Review) and has sought further feedback on the proposed reforms.[44] Submissions on the discussion paper closed on 10 January 2022, and those submissions will now form the basis of a final report to be submitted to government.

The discussion paper proposes wide-ranging reforms which would align Australia’s privacy regime more closely to global equivalents, such as the GDPR, in order to reflect recent developments in the digital economy, including to expand the definition of personal information, impose stricter anonymisation requirements on organisations subject to the laws, increase maximum civil penalties for non-compliance, strengthen the rights of individuals to object to the collection and use of disclosure of their information or require its erasure and to modify the framework for international data transfers.

This review has been conducted concurrently with a public consultation process on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (“Online Privacy Bill”), which was released on 25 October 2021.[45] The Online Privacy Bill proposes to establish a binding privacy code for social media platforms, data brokerage services and large online platforms, expand the enforcement options available to the regulator and significantly broaden the extra-territorial reach of the Privacy Act 1988 to apply to acts performed outside Australia by foreign organisations carrying on business in Australia. Submissions on the Online Privacy Bill closed on 6 December 2021 and those submissions will inform further development of the Online Privacy Bill before its introduction to Parliament in 2022.

In addition to the ongoing review of the Privacy Act 1988 and the Online Privacy Bill, the US and Australian governments signed an agreement on 15 December 2021 to facilitate access to electronic data for investigations authorised by the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018.[46] This agreement allows authorities from each country to access certain data directly from providers operating in the others’ jurisdiction to mitigate, detect and investigate serious crimes, including ransomware attacks and terrorism, as well as crimes that sabotage critical infrastructure over the internet. The agreement will undergo parliamentary and congressional review procedures in 2022 and is intended to replace the mutual legal assistance mechanism currently used to access data from such providers, which relevant authorities perceive as too slow and awkward to fulfil its intended purpose.[47]

B. China

1. Passage of the Personal Information Protection Law

On 20 August 2021, the Standing Committee of China’s National People’s Congress passed the Personal Information Protection Law (“PIPL”), which took effect on 1 November 2021.[48] The PIPL applies to “personal information processing entities (‘PIPEs’)”, defined as “an organisation or individual that independently determines the purposes and means for processing of personal information”. The PIPL defines “personal information” broadly as “various types of electronic or otherwise recorded information relating to an identified or identifiable natural person”, excluding anonymised information, and defines “processing” as “the collection, storage, use, refining, transmission, provision, public disclosure or deletion of personal information” (PIPL Article 4).

The PIPL shares many similarities with the EU’s GDPR, including its extraterritorial reach, restrictions on data transfer, compliance obligations and sanctions for non-compliance, amongst others. The PIPL raises some concerns for companies that conduct business in China, even where such companies’ data processing activities take place outside of China, and the consequences for failing to comply could potentially include monetary penalties and companies being placed on a government blacklist.

The PIPL applies to cross-border transmission of personal information and applies extraterritorially. Where PIPEs transmit personal information to entities outside China, they must inform the data subjects of the transfer, obtain their specific consent to the transfer and ensure that the data recipients satisfy standards of personal information protection similar to those in the PIPL. The PIPL applies to organisations operating in China, as well as to foreign organisations and individuals processing personal information outside China in any one of the following circumstances: (1) the organisation collects and processes personal data for the purpose of providing products or services to natural persons in China; (2) the data will be used in analysing and evaluating the behaviour of natural persons in China; or (3) under other unspecified “circumstances stipulated by laws and administrative regulations”. This is an important similarity between the PIPL and GDPR, as the GDPR’s data protection obligations apply to non-EU data controllers and processors that track, analyse and handle data from visitors within the EU. Similarly, under the PIPL, a foreign receiving party must comply with the PIPL’s standard of personal information protection if it handles personal information from natural persons located in China.

The PIPL gives the Chinese government broad authority in processing personal information. State organisations may process personal information to fulfil statutory duties, but may not process the data in a way that exceeds the scope necessary to fulfil these statutory duties. Personal information processed by state organisations must be stored within China.

The PIPL establishes guiding principles on protection of personal information. According to the PIPL, processing of personal information should have a “clear and reasonable purpose” and should be directly related to that purpose. The PIPL requires that the collection of personal information be minimised and not excessive, and that PIPEs ensure the security of personal information. To that end, the PIPL imposes a number of compliance obligations on PIPEs, including requiring PIPEs to establish policies and procedures on personal information protection, implement technological solutions to ensure data security and carry out risk assessments prior to engaging in certain processing activities.

The PIPL adopts a risk-based approach, imposing heightened compliance obligations in specified high-risk scenarios. For instance, PIPEs whose processing volume exceeds a yet-to-be-specified threshold must designate a personal information protection officer responsible for supervising the processing of personal data. PIPEs operating “internet platforms” that have a “very large” number of users must engage an external, independent entity to monitor compliance with personal information protection obligations, and regularly publish “social responsibility reports” on the status of their personal information protection efforts. The law mandates additional protections for “sensitive personal information”, broadly defined as personal information that, once disclosed or used in an illegal manner, could infringe on the personal dignity of natural persons or harm persons or property. “Sensitive personal information” includes biometrics, religious information, special status, medical information, financial account, location information and personal information of minors under the age of 14. When processing “sensitive personal information”, according to the PIPL, PIPEs must only use information necessary to achieve the specified purpose of the collection, adopt strict protective measures and obtain the data subjects’ specific consent.

The PIPL creates legal rights for data subjects. According to the new law, PIPEs may process personal information only after obtaining fully informed consent in a voluntary and explicit statement, although the law does not provide additional details regarding the required format of this consent. The law also sets forth certain situations where obtaining consent is unnecessary, including where necessary to fulfil statutory duties and responsibilities or statutory obligations, or when handling personal information within a reasonable scope to implement news reporting, public opinion supervision and other such activities for the public interest. Where consent is required, PIPEs should obtain a new consent where it changes the purpose or method of personal information processing after the initial collection. The law also requires PIPEs to provide a convenient way for individuals to withdraw their consent, and mandates that PIPEs keep the personal information only for the shortest period of time necessary to achieve the original purpose of the collection. If PIPEs use computer algorithms to engage in “automated decision making” based on individuals’ data, the PIPEs are required to be transparent and fair in the decision making, and are prohibited from using automated decision making to engaging in “unreasonably discriminatory” pricing practices. “Automated decision-making” is defined as the activity of using computer programs to automatically analyse or assess personal behaviours, habits, interests, hobbies, financial, health, credit or other status, and make decisions based thereupon. When individuals’ rights are significantly impacted by PIPEs’ automated decision making, individuals can demand PIPEs to explain the decision making and decline automated decision making.

The PIPL creates penalties for organisations that fail to fulfil their obligations to protect personal information. These penalties include disgorgement of profits and provisional suspension or termination of electronic applications used by PIPEs to conduct the unlawful collection or processing. Companies and individuals may be subject to a fine of not more than 1 million RMB (approximately $154,378.20) where they fail to remediate conduct found to be in violation of the PIPL, with responsible individuals subject to fines of 10,000 to 100,000 RMB (approximately $1,544 to $15,438). Companies and responsible individuals face particularly stringent penalties where the violations are “grave”, a term left undefined in the statute. In these cases, the PIPL allows for fines of up to 50 million RMB (approximately $7,719,027) or 5% of annual revenue, although the PIPL does not specify which parameter serves as the upper limit for the fines. Authorities may also suspend the offending business activities, stop all business activities entirely or cancel all administrative or business licenses. Individuals responsible for “grave” violations may be fined between 100,000 and 1 million RMB (approximately $15,438 to $154,383), and may also be prohibited from holding certain job titles, including Director, Supervisor, high-level Manager or Personal Information Protection Officer, for a period of time. In contrast, fines for severe violations of the GDPR can be up to €20 million (approximately $23,486,300) or up to 4% of the undertaking’s total global turnover of the preceding fiscal year (whichever is higher).

For more details regarding potential issues for companies operating in China and the impact of the PIPL, please see our client alert here.

2. Draft Measures for Data Export Security Evaluations

On 29 October 2021, the Cyberspace Administration of China requested public comments on the draft Measures for Data Export Security Evaluation until 28 November 2021. The draft underscores the need to standardise data exports under the PIPL, Cybersecurity Law and Data Security Law. Under the draft, PIPEs transferring data which meets one of the following requirements outside of China are required to submit a report through the provincial Cyberspace Administration: (1) personal information and important data are generated by operators of critical information infrastructure; (2) outbound data contains important data; (3) personal information processors who have processed personal information of one million people; (4) personal information processors who have processed personal information of more than 100,000 people or sensitive personal information of more than 10,000 people abroad; or (5) other situations required by the Cyberspace Administration.

3. Regulations on the Security Protection of Critical Information Infrastructure

Following the United States’ proposal of the Cyber Incident Notification Act of 2021 and the EU’s adoption of Directive (EU) 2016/1148 on Security of Network and Information Systems in 2016, China introduced rules to protect the country from cyber-attacks on critical information systems. China’s Regulations on the Security Protection of Critical Information Infrastructure (the “Regulations”) took effect on 1 September 2021.[49]

The Regulations are a key feature of China’s Cybersecurity Law, which was implemented on 1 June 2017. The Regulations protect the security of critical information infrastructure (“CII”) and expand on the Cybersecurity Law by imposing additional compliance obligations. Article 31 of the Cybersecurity Law delegates further authority to the State Council to formulate specific security protection measures for CII. By enacting the Regulations, the State Council has broadened the definition of CII, clarified which authorities are responsible for CII protection, outlined the duties of CII operators and third parties in relation to testing / monitoring CII and established penalties for non-compliance.

The Cybersecurity Law defines CII as infrastructure from important industries, including public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and other critical information infrastructure which may endanger national security, national welfare, people’s livelihoods or the public interest if data is disabled, damaged or leaked. The Regulations not only define CII as those industries identified in Article 31 of the Cybersecurity Law, but also national defence and technology industries. This includes:

Public communications and information services;
Energy;
Transportation;
Water conservancy;
Finance;
Public services;
E-government;
National defence science, technology and industry; and
Other important network facilities and information systems that may severely threaten national security, national welfare, people’s livelihood or the public interest if disabled, damaged or leaked.

The Regulations impose obligations on CII operators (“CIIOs”), including, but not limited to: (1) establishing a security management department; (2) conducting background checks on key personnel with the assistance of police and national security agencies; (3) conducting an annual risk audit and assessing security risks; (4) reporting cyber incidents or threats to relevant authorities (including the Cyberspace Administration and the State Council); (5) conducting cybersecurity reviews when the network products and services a CIIO purchases may influence national security; and (6) reporting any corporate activity that may impact cyber security, including mergers or dissolutions (Regulations Articles 15, 19, 21).

The Regulations prohibit any entity or individual from illegally invading, interfering with or destroying CII and carrying out loophole detection or permeability tests on CII (Regulations Article 5). Additionally, no entity or individual may carry out vulnerability monitoring, penetration testing or other such activities on CII that may influence or endanger the security of CII, unless such entity or individual has received approval from the national cyberspace and informatisation department, the State Council public security department or the relevant protection work department or operator (Regulations Article 31). If an entity or individual chooses to carry out such activities on basic telecommunications networks, it must report such activity in advance to the State Council department in charge of telecommunications (Regulations Article 31).

Under the Regulations, companies may face monetary fines of up to RMB 1 million (USD 155,000) for serious violations, and key individuals may face fines up to RMB 100,000 (US 15,000) (Regulations Articles 39, 40, 41, 42 and 43).

The Regulations will impact network operators as more network operators may be deemed CIIOs and more compliance obligations will likely be imposed by competent industry regulators. Network operators in critical industries should remain alert to their industry regulators and ensure their compliance programs align with the Regulations and the Cybersecurity Law. Global clients that operate in China in the identified industries and sectors should be aware of these requirements and alert to the prospect that they may be designed as CIIOs. Further, firms in the business of carrying out vulnerability monitoring or penetration testing on businesses in China operating in the industries outlined above should be conscious of the prospect that their clients could be considered CIIOs, and should ensure that they are seeking assurances from their clients that they are not CIIOs before undertaking this work. Alternatively, these firms should be prepared for the need to seek approval for this work from the national cyberspace and informatisation department, the State Council public security department or the relevant protection work department or operator.

4. Draft Regulations on Algorithmic Recommendation Technology

Chinese authorities announced the Internet Information Service Algorithmic Recommendation Management Provisions, which will come into force on 1 March 2022.[50] These regulations apply to technology such as personalised recommendations, search filters and any algorithms that provide content to users. These regulations cover various services, such as social media platforms and entertainment streaming. The regulations not only apply to the PIPL, but also the Cybersecurity Law, Data Security Law and the Internet Information Services Management Rules for the purpose of promoting national security and public interests.

C. India

As indicated in both the 2020 and 2021 International Outlook and Review, the Personal Data Protection Bill 2019 (“PDP Bill”) was introduced in Indian Parliament on 11 December 2019 and subsequently referred to a Joint Parliamentary Committee (“JPC”) for consideration. On 16 December 2021, after a prolonged review period, the JPC tabled its report and suggested amendments to the PDP Bill, which has not yet been enacted. The resulting report and amendments were primarily informed by the stated need to balance data-driven innovation while catering to national security demands. Some of the key recommendations include:[51]

Expansion of the scope of the PDP Bill to cover both personal and non-personal data. The JPC suggested that consolidation of the regulatory framework in this manner was necessary in light of the impossibility to distinguish between personal and non-personal data when mass data is collected or transported.
Preparation and implementation of data localisation policies to ensure that sensitive personal data or other critical data is stored and processed in India, and only transferred outside India with the DPA’s approval (subject to government consultation).
Establishment of a mechanism for the formal certification of digital and IoT devices to ensure their integrity with respect to data security.
Assigning responsibility to social media platforms for the content hosted on their platforms and requiring those platforms to set up an office in India.
Introduction of a fixed timeline of 72 hours for breach reporting.

The JPC recommended that a 24-month transitional period should apply for implementation of the PDP Bill to allow relevant parties to update their policies, infrastructure and processes. The JPC’s report and amendments to the PDP Bill will be reviewed by the Parliament before being enacted. Until the PDP Bill is enacted, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 continue to govern data protection in India.

D. Indonesia

As identified in the 2021 International Outlook and Review, a draft of the Personal Data Protection Act (“PDP Bill”) was submitted to the Indonesian House of Representatives on 24 January 2020.[52] The PDP Bill consolidates the rules related to personal data protection in Indonesia and is anticipated to establish data sovereignty and security as the keystone of Indonesia’s data protection regime.[53]

On 1 September 2020, the Ministry of Communication and Information Technology of Indonesia (“Kominfo”) issued a statement claiming that the PDP Bill would be completed by mid-November 2020.[54] However, as of the date of this review, the Indonesian House of Representatives is still yet to pass the PDP Bill due to ongoing debate over the position, form and independence of the authority slated to oversee its regulation and enforcement.[55] Despite this, the expectation is that the PDP Bill will be enacted in the first quarter of 2022.

E. Hong Kong

The Personal Data (Privacy) Ordinance (“PDPO”), passed in 1995, is one of Asia’s longest standing data protection laws. The PDPO was amended in 2021 to combat doxxing acts which intrude on personal data privacy.

The Personal Data (Privacy) (Amendment) Bill 2021 (“PDPO Bill”) came into effect on 8 October 2021 after the Hong Kong legislature passed the legislation on 29 September 2021.[56] The PDPO Bill criminalises doxxing acts, including imprisonment for five years and fines up to HK$1 million. In addition, the PDPO Bill empowers the Office of the Privacy Commissioner for Personal Data to persecute individuals for doxxing incidents and perform related criminal investigations.

F. Japan

1. APPI Amendments

As explained in the 2021 International Outlook and Review, the Parliament of Japan adopted a bill on 5 June 2020 to amend the currently applicable general data protection law, the Act on the Protection of Personal Information (“APPI”). The APPI will take force on 1 April 2022, while transitional measures for companies that share data with third parties took effect on 1 October 2021.

2. Review of EU-Japan Mutual Adequacy Agreement

On 26 October 2021, the Personal Information Protection Commission of Japan, the European Commission and other relevant authorities conducted the first review of the EU-Japan mutual adequacy arrangement effective in 2019. The Commissions will publish separate reports to conclude the review process.[57]

G. Mongolia

In 2021, the Standing Committees on Innovation and e-Policy and Legal Affairs in Mongolia opened discussions on a Draft Law on the Protection of Personal Information, which details data subject rights, requirements and responsibilities for data processors and controllers, and requirements for overseas data transfers.

H. New Zealand

The New Zealand Privacy Act 2020 (“NZ Privacy Act”) came into force on 1 December 2020, repealing and replacing an existing 1993 act. In implementing the new act, the New Zealand government sought to modernise the privacy regime in New Zealand and reflect global trends in international privacy standards and the digital economy. While the NZ Privacy Act remains less onerous than international equivalents, such as the GDPR, it nonetheless introduces significant reforms to the privacy regime in the country, such as mandatory data breach reporting, broader investigative and enforcement powers for the regulator and new criminal offences and penalties, including fines of up to NZ$10,000. Pursuant to the changes, the NZ Privacy Act applies extraterritorially to overseas organisations carrying on business in New Zealand and which hold information about New Zealand individuals.[58]

Despite these recent reforms, the Office of the Privacy Commissioner of New Zealand recommended in 2021 that “further changes are desirable” in response to fast-changing technologies. The proposed changes include the introduction of a right of personal information portability and a right to be forgotten, protection against the risk of re-identification from de-identified information, limitation of harm caused by automated decision making algorithms, increased civil penalties for non-compliance and expanded powers of the regulator to require compliance reporting by organisations subject to the NZ Privacy Act.[59]

I. Philippines

On 4 February 2021, the National Privacy Commission of the Philippines (“NPC”) announced the approval of a substitute bill to amend the Data Privacy Act of 2012 (“PDPA”). The proposed bill seeks to implement wide-ranging reforms to the Philippines privacy regime, including to redefine “sensitive personal information” to include biometric and genetic data, clarify the extra-territorial application of the PDPA (including in circumstances where an organisation offers goods or services, or monitors the behaviour of individuals within the Philippines or where it has a link with the country), render performance of a contract as a lawful basis for processing of personal information, allow controllers outside of the Philippines to authorise processors within the Philippines to notify the Commissioner of a data breach, widen the enforcement powers of the regulator and modify the criminal penalties for non-compliance.[60]

J. Singapore

As explained in the 2021 International Outlook and Review, data protection in Singapore is currently governed by the Personal Data Protection Act 2012 (“Singapore PDPA”).

The initial phase of the Personal Data Protection (Amendment) Act 2020 (No. 40 of 2020) (“Singapore PDPA Amendments”) took effect on 1 February 2021. On 1 February 2021, the Singapore PDPA Amendments’ requirement for mandatory notification to the Personal Data Protection Commission (“PDPC”) for data breaches came into force. This requires organisations to notify the PDPC no later than three calendar days after the organisation determines that a data breach is notifiable if either of the following occurs: (1) a data breach that results in or is likely to result in significant harm to the data subject or (2) a data breach of a significant scale (i.e. which involves more than 500 affected data subjects). The PDPC also made follow-up amendments on 1 October 2021 to clarify these situations.[61]

On 25 November 2021, the PDPC announced its collaboration with the Singapore Police Force and Cyber Security Agency of Singapore to develop a handbook on the Singapore PDPA, Cybersecurity Act 2018 (No. 9 of 2018) and Computer Misuse Act (Cap. 50A).[62]

On 9 December 2021, Singapore and the United Kingdom published a Digital Economy Agreement (“DEA”). The DEA aims to facilitate cross-border data flows while upholding data protection standards. Furthermore, both countries have committed that neither will introduce unjustified data localisation requirements, giving businesses in the United Kingdom a guarantee that they will not have to pay for data storage and processing in Singapore. The DEA will require both countries to maintain their data protection frameworks.[63]

K. South Korea

As explained in the 2021 International Outlook and Review, data protection in South Korea is currently governed by the Personal Information Protection Act (“PIPA”).

As noted above, on 17 December 2021, the PIPC and the European Commissioner for Justice formally announced an adequacy agreement between South Korea and the European Union for transfers of personal data. This adequacy agreement promotes the transfer of personal data between South Korea and the European Union without additional mechanisms or authorisations for data transfers.[64]

L. Sri Lanka

Sri Lanka’s official gazette published the Regulation of Processing of Personal Data (2021) on 25 November 2021 to be considered by the Parliament of Sri Lanka.[65]

M. Thailand

As noted in both the 2020 and 2021 International Outlook and Review, the Personal Data Protection Act 2019 (“Thailand PDPA”), which is the first consolidated data protection law in Thailand, was originally expected to come into full effect on 27 May 2020. However, in May 2020, and then again in May 2021, the government of Thailand approved a Royal Decree to postpone the application of the Thailand PDPA until 31 May 2021 and, subsequently, 31 May 2022, citing the negative effects of the COVID-19 pandemic and the requirement for further legislative work as the primary reasons for doing so.[66]

Reference must be made to the fact that the Thailand PDPA is largely modelled upon the GDPR, containing many similar provisions, although they differ in areas such as anonymisation. Moreover, the Thailand PDPA provides for the creation of a 16-member Personal Data Protection Committee (“PDPC”), which is yet to be fully established. As such, the MDES is currently acting as the supervisory authority for any data protection–related issues within Thailand. Once created, the PDPC is expected to adopt notices and regulations to clarify and guide data controllers and other stakeholders on how to prepare for and remain compliant with the requirements under the Thailand PDPA once it is passed.

N. Vietnam

As explained in the 2021 International Outlook and Review, the data protection framework in Vietnam is fragmented, and relevant provisions can be found in numerous laws. In February 2020, however, a draft personal data protection decree (“Draft PDPD”) was released, which sets out principles of data protection, including purpose limitation, data security, data subject rights and the regulation of cross-border data transfers. Moreover, the Draft PDPD contains provisions on obtaining consent of data subjects, the technical measures needed to protect personal data, the creation of a data protection authority and the introduction of penalties for non-compliance, ranging between VDN 50 million to VDN 100 million.

From February to April 2021, the Ministry of Public Security sought public comments on the Draft PDPD with a view to the final decree coming into effect on 1 December 2021. As of the date of this publication, the Draft PDPD remains unissued, with little clarity over the timing of the parliamentary process required for it to come into effect.

IV. Developments in Africa

A. Botswana

On 15 October 2021, the Data Protection Act entered into effect, more than three years after it was passed by the National Assembly on 12 July 2018. The Act’s transition period is 12 months from the date of commencement and will automatically end on 15 October 2022, meaning that data controllers, including companies and organisations, must take compliance measures until that date. The Act requires data controllers and processors to respect in their processing: the lawfulness and fairness of processing, imposes limitations with respect to the purpose of processing, personal data retention and minimisation, in addition to other protections concerning the relevance and adequacy, integrity and confidentiality of personal data collected by entities. Further, the Act provides for data subject rights, including the right to be informed, the right to access, the right to be given reasons if the access is denied, the right to object and revoke consent and the right to raise a challenge for purposes of deletion and amendment, in addition to setting out restrictions of matters such as direct marketing, sensitive data and data transfers. The Act creates the Information and Data Protection Commission, which will be responsible to protect the personal rights of individuals with regard to their personal data, and to ensure the effective application and enforcement of the Act. Unlike the GDPR, the Act also provides for significant potential prison terms ranging from three to 12 years for certain violations.[67]

B. Kenya

In 2021, the Ministry of ICT, Innovation and Youth Affairs launched a public consultation on three draft data protection regulations, which remained open until 11 May 2021:

The Data Protection (General) Regulations 2021, which set out the procedures for enforcement of the rights of the data subjects and outline the duties and obligations of the data controllers and data processors.
The Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021, which define the procedure that will be adopted by the Office of the Data Commissioner in registering data controllers and data processors.
The Data Protection (Compliance and Enforcement) Regulations, 2021, which outline the compliance and enforcement provisions for Data Commissioner, Data Controllers and Data Processors.

In January 2021, the Office of the Data Protection Commissioner published a guidance note on access to personal data during the Coronavirus pandemic. According to the guidance, the access and processing of personal data of individuals in response to the pandemic is subject to the Data Protection Act No. 24 of 2019. The key principles emphasised by the guidance include the processing of personal data in an accountable manner, the maintenance of the integrity and confidentiality of data and the responsibility for the implementation of a protection and safeguarding personal data mechanism.[68]

C. Nigeria

The National Information Technology Development Agency (“NITDA”) announced in a press release on 12 November 2021 its collaboration with the Federal Competition and Consumer Protection Commission (“FCCPC”) in order to combat data privacy abuse by money lending operators.[69] The partnership is anticipated to provide a more robust and concerted regulatory approach while ensuring that Nigerians get necessary reprieve from the illegal use of their personal data for money lending operations, including through joint investigations, enforcement and possible prosecution for non-compliance.[70]

In this regard, NITDA announced, on 17 August 2021, that it had fined Soko Loans Lending Company Limited NGN 10 million (approx. €20,700) for various violations of the Nigeria Data Protection Regulation, 2019 (“NDPR”), marking the first fine issued under the NDPR. NITDA outlined that the fine followed an investigation into a series of complaints against Soko Loans for unauthorised disclosures, failure to protect customers’ personal data and defamation of character, as well as failure to carry out the necessary due diligence required by the NDPR. Soko Loans grants its customers uncollateralised loans and requires them to download its mobile application on their phone and activate a direct debit in the company’s favour. The app gains access to the borrowing customer’s phone contacts. Following the complainant customers’ failures to meet loan repayment obligations, the company unilaterally sent privacy invading messages to their contacts (who were neither were parties to the loan transaction nor consented to the processing of their data). In addition, NITDA found that Soko Loans embedded trackers that share data with third parties inside its mobile application without providing users information about it or using the appropriate lawful basis. NITDA therefore found that Soko Loan and its entities violated multiple provisions of the NDPR.

In addition to a financial penalty, NITDA compelled Soko Loans to suspend the issuance of privacy-invading messages to any Nigerian until the company and its entities show full compliance with the NDPR, paid for the conduct of a Data Protection Impact Assessment by a NITDA appointed DPCO, and were placed on mandatory Information Technology and Data Protection supervision for nine months.[71]

D. Rwanda

Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy (the “Law”) came into effect upon its publication in the Rwanda Official Gazette on 15 October 2021. The Law establishes provisions relating to the processing of personal data, including the rights of the data subject such as the right to object to the processing of personal data, to personal data portability, to the erasure of personal data and to rectification of incorrect personal information.

The Law also provides for the duties and powers of the supervisory authority relating to the protection of personal data and privacy, stipulates the obligations and registration requirements of data controllers and processors, and includes provisions regarding the sharing, transfer and retention of personal data. Moreover, the Law provides for the consequences and sanctions of non-compliance, including fines ranging from RWF 2,000,000 (approx. €1,500) to RWF 5,000,000 (approx. €4,243) or, in the case of a corporate body or legal entity, 1% of their global turnover in the preceding financial year.

The Law provides for a two-year transitional period before its application to data controllers or data processors who are already in operation.[72] The National Cyber Security Authority (“NCSA”) has been designated as the supervisory authority in charge of enforcement of the Law.[73]

On 10 December 2021, the NCSA issued a notice on the Personal Data Law detailing that the Personal Data Law requires all those who wish to process personal data to register with the NCSA as a data controller or data processor.[74]

On 14 December 2021, the NCSA also published a notice clarifying that consent of the data subject is a key foundation to the lawful collection and processing of personal data and may be made in oral, written or electronic format.[75]

E. South Africa

The enforcement powers of the supervisory authority of South Africa (the “Information Regulator”) under the Protection of Personal Information Act, 2013 (“POPIA”) came into effect on 1 July 2021, following the conclusion of a 12-month transitional grace period.[76]

In 2021, the Information Regulator issued a set of notices and rules for guidance on different sections of POPIA. Notably:

Guidance note on the processing of special personal information under sections 26 and 27(1) of POPIA to guide responsible parties who are required to obtain authorisation from the Information Regulator to process special personal information, as provided for in section 27(2) of POPIA. The guidance provides for the manner of submission of an application for authorisation and outlines specific exemptions in which the prohibition on processing of personal information does not apply.[77]
Guidance note on Exemptions from the Conditions for Lawful Processing of Personal Information under sections 37 and 38 of POPIA. In particular, the guidance outlines that these exemptions include that the processing is either in the public interest or involves a clear benefit to the data subject.[78]
Rules on the manner in which a complaint must be submitted and handled by the Information Regulator which will come into operation on a future date that the Information Regulator determines.[79]

On the enforcement front, the Information Regulator has initiated its action by targeting both local and international businesses. For example, in a media statement published on 13 May 2021, the Information Regulator announced that it was preparing a litigation opinion contending the need for an online messaging service provider to adopt its EU privacy policy in South Africa and other developing countries with frameworks similar to the GDPR. However, the service provider has so far declined to make any revisions to its South African privacy policy.[80]

Finally, on 1 June 2021, the President assented to the Cybercrimes Act 19, 2020, which intends to criminalise the disclosure of harmful data messages, regulate relevant government authorities’ powers to investigate cybercrimes, provide for the establishment of a designated Point of Contact and impose obligations to report cybercrimes. The President has not yet proclaimed the commencement date of this new legislation.[81]

F. Other African Jurisdictions

Other developments in 2021 in data protection and cybersecurity regulation in Africa include:

Togo: On 29 June 2021, the National Assembly adopted a Bill authorising the ratification of the Convention on Cyber Security and Personal Data Protection. According to the National Assembly, this convention will strengthen the country’s legal framework for electronic transactions, the protection of personal data and the fight against cybercrime.[82]
Uganda: The Data Protection and Privacy Regulations, 2021 of the Republic of Uganda (“the Regulations”) came into force on 12 March 2021. The Regulations establish provisions for the collection and processing of personal data and the rights of data subjects in regard to their personal data, in addition to establishing an independent Personal Data Protection Office (“PDPO”) in the National Information Technology Authority of Uganda (“NITA-U”), which shall be responsible for personal data protection and privacy and for the implementation of the Data Protection and Privacy Act, 2019, including the imposition of administrative, civil or criminal sanctions for non-compliance. [83]

On 2 November 2021, the PDPO issued a press release announcing that it required data collectors, processors and controllers to register on its website before the end of the grace period of 31 December 2021 and that it will begin enforcement measures for those that do not in January 2022.[84]

Zambia: On 23 March 2021, the Parliament of Zambia enacted the Data Protection Act No. 3 of 2021, which stipulates a system for the use and protection of personal data by regulating the collection, use, transmission, storage and processing of personal data. The Act also establishes the Office of the Data Protection Commissioner and outlines the duties of data controllers and data processors, the rights of data subjects and the conditions for cross-border transfer of personal data. The Minister will appoint the date of the commencement of the Act by statutory instrument.[85]
Zimbabwe: The Data Protection Act [Chapter 11:12] was enacted on 3 December 2021. The Act provides for the establishment of the Cyber Security and Monitoring Center and the designation of the Postal and Telecommunications Regulatory Authority of Zimbabwe (“POTRAZ”) as the data protection authority. The Act addresses the processing of personal data collected and processed by companies, cross-border transfers of personal data, and general provisions, including the appeals process, offences and penalties. The Act does not establish a date of application or a transitional period prior to its application.[86]

V. Developments in the Middle East

A. Israel

On 6 January 2022, the Government of Israel published a Bill[87] amending and updating Israel’s Protection of Privacy Law, 5741-1981 (“PPL”).[88] The Deputy Prime Minister and the Minister of Justice announced that the Bill aims to protect citizens and adapt the PPL’s provisions and enforcement to the current digital era. The most noteworthy amendments, summarised by Israel’s Privacy Protection Authority (“PPA”), include the expansion of PPA’s substantive investigation and enforcement powers, including the imposition of administrative sanctions in an amount up to 3.2 million NIS ($1 million), the adaptation of definitions in the law to technological and social developments, and the reduction of bureaucratic burdens through a significant reduction in the obligation to register databases.[89] The Bill would be effective six months after its approval by the parliament.

Before the introduction of the Bill, a ransomware attack on sensitive data of more than 290,000 Israeli medical patients and members of an LGBTQ+ website was reported. An Iranian-based hacking group targeted host program CyberServe and, on 2 November 2021, released the data, demanding a ransom of $1 million that the company refused. Israel’s National Cyber Directorate had previously warned CyberServe on multiple occasions that its systems were not secure.[90] The ransomware attack was followed by a press release of the U.S. Department of the Treasury on 14 November 2021, announcing that it established a partnership with Israel to combat ransomware.[91]

On the enforcement side, on 23 May 2021, the PPA announced that, following a serious information security incident that resulted in the disclosure of sensitive personal information from the databases of the Hod Hasharon Municipality, it had determined that the Hod Hasharon Municipality had violated the Privacy Protection Law and regulations under it. The PPA’s investigation concluded that sensitive personal information, including documents, email correspondence and complaints from residents (including names and ID numbers and information about employees using municipal systems) contained in the municipality’s database, was accessible to unauthorised persons, and that the municipality did not take appropriate measures to assure that access to the database was carried out by authorised users. Additionally, according to the PPA’s findings, the municipality had not conducted an assessment to identify security risks in its systems at the required time and did not correct the findings of a previous assessment, as required by the Protection of Privacy (Data Security) Regulations, 5777 – 2017. In light of this, the PPA gave the municipality instructions to correct the deficiencies discovered and fined it NIS 10,000 (approx. €2,530) for failing to register databases required to be registered under the provisions of the PPL.[92]

In his efforts to support the global fight against COVID-19, Israel’s Prime Minister Benjamin Netanyahu announced an agreement between the Israeli Ministry of Health (“MoH”) and Pfizer for an expedited supply of COVID-19 vaccines to Israel, under which Israel agreed to share with Pfizer “statistical data that would help develop strategies for defeating the coronavirus”. In order to address privacy and transparency concerns, the MoH published a partially redacted version of its Real-World Epidemiological Evidence Collaboration Agreement with Pfizer. The agreement provides that the MoH will share “aggregate de-identified data” and jointly analyse such data with Pfizer. In particular, the MoH is required to provide “data transfers” that include, “at a minimum”, weekly counts of confirmed COVID-19 cases, hospitalisations, severe or critical cases, ventilator use, deaths, symptomatic cases, vaccines given “by age and other demographic subgroups” and COVID-19 cases by age groups “and other demographic factors”. The MoH undertook to provide such data “solely in a form rendered anonymised by the MoH in accordance with Regulatory Requirements” so that the data could not reasonably be used to re-identify the identity of an individual.[93]

B. United Arab Emirates

In late 2021, the UAE issued its first federal data protection law (Federal Decree Law No. 45/2021 on the Protection of Personal Data) (the “Data Protection Law”), alongside a law establishing the new UAE Data Office with the mandate to ensure the full protection of personal data, monitor the application of the Data Protection Law and issue necessary guidelines and instructions for its implementation (Federal Decree Law No. 44/2021 on Establishing the UAE Data Office).

According to the announcement of the Cabinet of UAE,[94] the Data Protection Law relevantly:

has extraterritorial effect and applies to the processing of personal data (a) inside the country or (b) outside the country about data subjects within the country;
prohibits the processing of personal data without the consent of its owner (subject to prescribed exceptions);
defines the controls for the processing of personal data and the general obligations of companies that have personal data to secure personal data and maintain its confidentiality;
defines the rights and cases in which the owner has the right to request correction of inaccurate personal data, restrict or stop the processing of personal data; and
sets out the requirements for the cross-border transfer and sharing of personal data for processing purposes.

The Data Protection Law became effective on 2 January 2022. Executive regulations are due to be issued within six months of the date of issuance of the Data Protection Law (i.e. by 20 March 2022). UAE companies will then have six months from the issuance of those executive regulations to comply with the Data Protection Law (although that period may be extended by the Cabinet).[95]

On 14 February 2021, following public consultation conducted in 2020, the Abu Dhabi Global Market (“ADGM”) announced that it had enacted the Data Protection Regulations 2021, which replaced the Data Protection Regulations 2015. In its announcement, ADGM endorsed the EU’s GDPR for its robust data protection provisions and outlined that the new Regulations intend to be proportionate and business friendly, without undermining the key ambition of achieving a high standard of protection for personal data. Acknowledging that the adoption of the new Regulations will result in additional responsibilities for data controllers and data processors, ADGM proposed a transitional grace period of 12 months for current establishments and six months for new establishments, starting from 14 February 2021.[96] The Office of Data Protection (“ODP”) has been established to monitor the compliance with the new Regulations.[97] The ODP has also published several guidance notes and templates to support ADGM entities and authorities in compliance with the Regulations.[98]

C. Other Middle East Jurisdictions

Other developments in 2021 in data protection and cybersecurity regulation in the Middle East include:

Jordan: On 29 December 2021, the Council of Ministers approved a draft law on the protection of personal data.[99] The draft law intends to protect personal data in light of the ease of its collection, retention and processing, and to prevent attacks on the rights of citizens. The law also aims to establish a safe and stable online environment and define the obligations of persons responsible for personal data. A personal data protection board will be established to enforce the draft law. The draft law became publicly available in January 2022[100] and its commencement will follow upon approval by the parliament and the king.
Pakistan: On 25 August 2021, the Ministry of Information Technology (“MOITT”) published a revised draft for consultation on the Personal Data Protection Bill 2021. The revised draft provides for the establishment of the National Commission for Personal Data Protection. The draft includes also provisions for the cross-border transfer of personal data, the right to data portability and the right not to be subject to a decision based solely on automated processing. Unlike the previous draft Personal Data Protection Bill 2020, which was presented to the Cabinet of Pakistan for approval in April 2020, the revised draft requires data controllers to notify the supervisory authority and the data subject in the event of a data breach without undue delay and, where reasonably possible, not beyond 72 hours of becoming aware of the breach.[101]
Qatar: On 16 August 2021, the Qatar Financial Centre (“QFC”) Authority launched a public Consultation Paper proposing changes to the QFC Data Protection Regulations and Rules.[102] The proposed changes aim to make the scope of the QFC Data Protection Regulations consistent with the provisions of international data protection laws and reflect the needs for expanded digitalisation in a global business environment. The amendments, inter alia, propose additional rights for data subjects and increased responsibilities for data controllers and data processors. On 31 January 2021, the Compliance and Data Protection Department at the Ministry of Transport and Communications released guidelines on the Personal Data Privacy Protection Law No. 13 of 2016 to inform individuals, regulated entities and stakeholders on their respective responsibilities, rights and practices as per the amended law.[103]
Saudi Arabia: The National Centre for Documents and Archives Royal Court published, on 24 September 2021, the new Personal Data Protection Law (“PDPL”), marking the introduction of Saudi Arabia’s first data protection law. The PDPL includes provisions for data controllers, the rights of data subjects and sanctions for non-compliance. The PDPL will come into force 180 days after the date of its publication in the Official Gazette.[104] In the field of cybersecurity, the Regulatory Framework for Cyber Security for Service Providers in the Communications, Information Technology and Postal Sector came into force on 29 May 2021. That framework intends to raise the level of cybersecurity maturity of service providers by requiring them to improve their cybersecurity risk management in accordance with international best practices and frameworks.[105]

VI. Developments in Latin America and the Caribbean

A. Brazil

As we indicated in the 2021 International Outlook and Review, the biggest data protection development in Brazil in 2020 was the entry into force of Law No. 13.709 of 14 August 2018 and the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (“LGPD”), on 18 September 2020.

During 2021, the Brazilian data protection authority (“ANPD”) adopted and published a series of guidance and FAQs regarding the LGPD. In particular:

Guidance for Personal Data Processing Agents and Data Protection Officers, which aims to resolve common issues, set out non-binding guidelines for data processing agents and explain who may exercise the role of a data controller, operator and/or data protection officer. For each of those roles, the Guidance also specifies their respective liability regime, legal definition and example cases, in addition to FAQs regarding the same.[106]
FAQs related to the commencement of the application of sanctions and fines under the LGPD.[107]
Regulation CD/ANPD No. 1, on the Inspection Process and the Sanctioning Administrative Process’, which aims to establish procedures with respect to the conduct of inspections and rules with respect to the administrative processes carried out by the ANPD. Moreover, the Regulation covers topics such as inspection, monitoring, guidance, injunctive measures and provides for an administrative fining procedure.[108]
FAQs on data subjects’ rights to petition controllers to enforce their data subject rights under the LGPD, which provide guidance on, among other things, procedures to be observed by data controllers, as well as the right of data subjects to complain about possible irregularities regarding the processing of their personal data.[109]

Finally, while the ANPD assumed its enforcement and fining powers, other Brazilian authorities have applied and enforced rules that concerned the protection of personal data in their territories. For example, on 14 June 2021, the Brazilian Federal Department of Consumer Protection of the National Consumer Secretariat (“SENACON”) announced that it had fined Banco Cetelem S.A. with BRL 4,000,000 (approx. €653,200) for financial fraud that included the contracting of payroll loans with the improper use of personal data of elderly consumers.[110] In addition, on 13 July 2021, the Protection and Consumer Defence Foundation of the State of Mato Grosso (“Procon-MT”) fined the pharmacies Droga Raia S.A and Drogasil S.A BRL 572,680.71 (approx. €94,210) for the irregular receipt of authorisation from customers for the processing and use of their data.[111]

B. Developments in Other Latin American and Caribbean Jurisdictions

There have also been significant developments in the adoption and enforcement of cybersecurity and data privacy laws in other Central and South American jurisdictions in 2021. We have set out highlights in key countries below:

Argentina: On 16 April 2021, the Central Bank of Argentina (“BCRA”) published guidelines on cybersecurity incident response and recovery. The BCRA noted that the guidelines are aimed at financial institutions, payment service providers that offer payment accounts and financial market infrastructures. However, the BCRA highlighted that, due to their general nature, the guidelines can also be adopted by any institution in the financial sector, as well as by information technology and communication service providers, among others.[112]
Chile: On 5 November 2021, the Information Security Incident Response Team (“CSIRT”) released cybersecurity guidelines for small and medium-sized enterprises (“SMEs”). In particular, the guidelines aim at supporting SMEs in the digitalisation process in a secure manner, helping them manage risks of data breaches, loss of business continuity, phishing, ransomware and other cyber threats.[113]
Costa Rica: On 12 February 2021, the Bill No. 22.388 was published to Reform the Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011. In particular, the bill aims to reform the current data protection law in Costa Rica by, among other things, improving the legal definitions for certain technical concepts (e.g., biometric data, genetic data and pseudonymisation), developing the principles governing the processing of personal data (such as transparency and data minimisation), improving data subject rights; strengthening the Costa Rican data protection authority, and strengthening the sanctions regime.
Ecuador: On 21 May 2021, the Organic Law on the Protection of Personal Data was published, triggering a two-year grace period for companies and other entities that process personal data to adapt their operations to the new law.[114]
Panama: On 28 May 2021, the National Authority of Transparency and Access to Information (“ANTAI”) announced that the President of the Republic of Panama approved the Executive Decree No. 285 of 28 May 2021 that regulates the Law No. 81 on Personal Data Protection. The Executive Decree obliges all companies to put in place protocols or procedures to process data in compliance with the new law. Furthermore, the Executive Decree includes general provisions, information gathering requirements, the functions of the new role of data protection officer and the criteria for applying sanctions.[115]
Paraguay: On 30 April 2021, the Chamber of Deputies announced the official presentation of the bill on the Protection of Personal Data of the Republic of Paraguay. The bill provides for the regulation of, among other things, data subject rights, security standards and obligations, data protection officer activities, and issues related to the creation of and procedures applicable to a supervisory authority.[116]
Uruguay: On 16 September 2021, the Uruguayan data protection authority (“URCDP”) announced the adoption of Resolution No. 23/021 of 8 June 2021, which implements important changes in the international data transfer regime in Uruguay. In particular, the resolution excludes the U.S. from the list of territories considered appropriate, in addition to suggesting the use of other mechanisms to transfer personal data abroad (e.g., contractual clauses, consent of the interested parties and other elements justifying transfers). Moreover, to assist data controllers and processors, the URCDP published Resolution No. 41/021 of 8 September 2021, which includes a guide for the drafting of contractual clauses to transfer personal data.[117]

VII. Conclusion

As can be seen, 2021 was an eventful year in the field of data protection and privacy worldwide. In addition to the recently adopted laws and regulations on data privacy adopted by China, UAE, Brazil and Mexico, international lawmakers put a special focus on the regulatory treatment of key issues such as data localisation and transfers (e.g., in the EU, Russia and India).

2022 promises to be an equally active year from a legal and enforcement perspective, as regulators worldwide commence to make use of new legal tools and apply their respective national laws. We will continue to monitor the events in this space, and cover them in our monthly updates and in the Outlook and Review of 2023.

_______________________________

[1] See http://curia.europa.eu/juris/document/document.jsf;jsessionid=2BDC80771D0FB7EA8B6F60B9A3C4F572?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=20032710.

[2] See
https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf.

[3] See https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf.

[4] See https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

[5] See https://edpb.europa.eu/system/files/2021-07/edpb_guidelinescodesconducttransfers_publicconsultation_en.pdf.

[6] See https://edpb.europa.eu/our-work-tools/documents/public-consultations/2021/guidelines-052021-interplay-between-application_en.

[7] See, e.g., the French CNIL published guidance on the implementation of the SCCs, two Q&As on the content and the consequences of the Schrems II ruling, as well as a methodology to help controllers identify and process data transfers outside of the EU. German authorities released revised recommendations and updated guidance on international data transfers. The UK ICO launched a public consultation on its draft international data transfer agreement that would replace the current SCCs to take into account the Schrems II ruling.

[8] See https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9703988.

[9] See http://www.raadvst-consetat.be/Arresten/251000/300/251378.pdf#xml=http://www.raadvst-consetat.be/apps/dtsearch/getpdf.asp?DocId=42765&Index=c%3a%5csoftware%5cdtsearch%5cindex%5carrets%5fnl%5c&HitCount=10&hits=28+29+2c+6b+de+17a+1de+505+150c+1884+&11111202021318.

[10] See https://edpb.europa.eu/news/national-news/2021/bavarian-dpa-baylda-calls-german-company-cease-use-mailchimp-tool_en.

[11] See https://edpb.europa.eu/news/national-news/2021/census-2021-portuguese-dpa-cnpd-suspended-data-flows-usa_en.

[12] See https://www.conseil-etat.fr/fr/arianeweb/CE/decision/2021-03-12/450163.

[13] See https://ec.europa.eu/commission/presscorner/detail/en/ip_21_3183.

[14] See https://ec.europa.eu/info/sites/default/files/1_1_180366_dec_ade_kor_new_en.pdf.

[15] Relatedly, some Member States have continued to update their e-privacy legislation under the e-Privacy Directive. For example, in Germany, the Data Protection and Privacy in Telecommunications and Telemedia Act was enacted effective 1 December 2021, and contains comprehensive data protection regulations in the e-privacy field.

[16] See https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333.

[17] See https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202006_psd2_afterpublicconsultation_en.pdf.

[18] See https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf.

[19] See https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf.

[20] See https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf.

[21] See https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012021_pdbnotification_adopted_en.pdf.

[22] See https://edpb.europa.eu/sites/default/files/files/file1/edpb_strategy2021-2023_en.pdf.

[23] See https://edpb.europa.eu/system/files/2021-03/edpb_workprogramme_2021-2022_en.pdf.

[24] See https://curia.europa.eu/juris/document/document.jsf?text=&docid=242821&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=558920.

[25] See https://d18rn0p25nwr6d.cloudfront.net/CIK-0001018724/cbae1abf-eddb-4451-9186-6753b02cc4eb.pdf.

[26] See https://justice.public.lu/fr/actualites/2021/12/communique-presid-trib-adm-ordonnance-amazon-cnpd.html.

[27] See https://www.cnil.fr/en/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance.

[28] See, e.g. Lower-Saxony Supervisory Authority https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/lfd-niedersachsen-verhangt-bussgeld-uber-10-4-millionen-euro-gegen-notebooksbilliger-de-196019.html.

[29] See, e.g. Spanish AEPD https://www.aepd.es/es/documento/ps-00059-2020.pdf and Italian Garante https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9570980.

[30] See, e.g. Norwegian Datatilsynet https://www.datatilsynet.no/en/regulations-and-tools/regulations/avgjorelser-fra-datatilsynet/2021/gebyr-til-grindr/ and Spanish AEPD https://edpb.europa.eu/news/national-news/2021/spanish-data-protection-authority-aepd-imposes-fine-6000000-eur-caixabank_en.

[31] See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/11/ico-issues-provisional-view-to-fine-clearview-ai-inc-over-17-million/.

[32] See https://ico.org.uk/action-weve-taken/enforcement/.

[33] See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-consults-on-data-transferred-outside-of-the-uk/.

[34] See https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2021/revdsg.pdf.download.pdf/revDSG_EN.pdf.

[35] See https://www.bj.admin.ch/dam/bj/fr/data/staat/gesetzgebung/datenschutzstaerkung/vdsg/vorentw.pdf.

[36] See https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2021/Anleitung für die Prüfung von Datenübermittlungen mit Auslandbezug EN.pdf.download.pdf/Anleitung für die Prüfung von Datenübermittlungen mit Auslandbezug EN.pdf.

[37]&nbnbsp; See https://www.edoeb.admin.ch/edoeb/en/home/latest-news/aktuell_news.html#-1259254222.

[38] See https://iapp.org/news/a/level-up-russia-enhances-the-protection-of-personal-data/#:~:text=Russia%20amends%20data%20protection%20law%20to%20increase%20personal%20data%20subjects’%20rights,-schedule%20May%2013&text=Beginning%20March%2027%2C%202021%2C%20Russia,period%20for%20data%2Drelated%20breaches.

[39] See https://rg.ru/2021/03/29/sotovym-operatoram-zapretiat-tajno-prodavat-dannye-klientov.html.

[40] See https://sozd.duma.gov.ru/bill/1184517-7#bh_note.

[41] See https://kvkk.gov.tr/SharedFolderServer/CMSFiles/11b6fd99-d42a-45b1-a009-21f2d36ded21.pdf.

[42] See https://kvkk.gov.tr/Icerik/6981/2021-427.

[43] https://www.kvkk.gov.tr/Icerik/7045/WHATSAPP-UYGULAMASI-HAKKINDA-YURUTULEN-RESEN-INCELEMEYE-ILISKIN-KAMUOYU-DUYURUSU.

[44] See https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/.

[45] See https://consultations.ag.gov.au/rights-and-protections/online-privacy-bill-exposure-draft/.

[46] See https://www.justice.gov/opa/pr/united-states-and-australia-enter-cloud-act-agreement-facilitate-investigations-serious-crime.

[47] See https://www.itnews.com.au/news/australia-and-us-sign-cloud-act-deal-for-cross-border-data-access-574128.

[48] An unofficial English translation of the newly enacted PIPL is available at <https://digichina.stanford.edu/news/translation-personal-information-protection-law-peoples-republic-china-effective-nov-1-2021> and the Mandarin version of the PIPL is available at <http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml>.

[49] An unofficial translation of the Regulations is available <https://digichina.stanford.edu/news/translation-critical-information-infrastructure-security-protection-regulations-effective-sept>.

[50] An unofficial English translation of the Internet Information Service Algorithmic Recommendation Management Provisions is available at <https://digichina.stanford.edu/work/translation-internet-information-service-algorithmic-recommendation-management-provisions-effective-march-1-2022/>.

[51] See https://www.dsci.in/sites/default/files/Summary-%20and-Primer-on-Joint-Parliamentary-Committee-Report-and-Data-Protection-Bill-2021.pdf.

[52] Press release (in Indonesian) available athttps://www.kominfo.go.id/content/detail/24039/siaran-pers-no-15hmkominfo012020-tentang-presiden-serahkan-naskah-ruu-pdp-ke-dpr-ri/0/siaran_pers; the PDP Bill (in Indonesian) is available athttps://web.kominfo.go.id/sites/default/files/users/4752/Rancangan%20UU%20PDP%20Final%20%28Setneg%20061219%29.pdf.

[53] Press release (in Indonesian) available athttps://www.kominfo.go.id/content/detail/24041/menkominfo-indonesia-akan-menjadi-negara-ke-5-di-asean-pemilik-uu-pdp/0/berita_satker.

[54] Press release (in Indonesian) available athttps://www.kominfo.go.id/content/detail/29084/siaran-pers-no-104hmkominfo092020-tentang-pemerintah-apresiasi-pandangan-fraksi-terhadap-ruu-pdp/0/siaran_pers.

[55] See https://kr-asia.com/indonesia-needs-a-data-protection-authority-but-cant-decide-how-to-create-one.

[56] The PDPO Bill is available at <https://www.gld.gov.hk/egazette/pdf/20212540/es12021254032.pdf>.

[57] For more information on the first review of the EU-Japan mutual adequacy arrangement, please click <https://ec.europa.eu/newsroom/just/items/724795/en>.

[58] See https://www.natlawreview.com/article/less-two-weeks-to-go-new-zealand-privacy-act-commences-1-december-2020.

[59] See https://www.privacy.org.nz/publications/reports-to-parliament-and-government/2020-briefing-to-the-incoming-minister-of-justice/.

[60] See https://www.privacy.gov.ph/2021/06/a-stronger-data-privacy-law-sought-in-proposed-amendments/.

[61] The PDPC’s updated advisory guidelines are available at https://www.pdpc.gov.sg/Guidelines-and-Consultation/2020/03/Advisory-Guidelines-on-Key-Concepts-in-the-Personal-Data-Protection-Act and <https://www.pdpc.gov.sg/Guidelines-and-Consultation/2020/02/Advisory-Guidelines-on-the-Personal-Data-Protection-Act-for-Selected-Topics>.

[62] The handbook on the Singapore PDPA, Cybersecurity Act 2018 (No. 9 of 2018), and Computer Misuse Act (Cap. 50A) is available at <https://www.csa.gov.sg/News/Publications/overview-of-legislations>.

[63] More information on the Digital Economy Agreement between Singapore and the United Kingdom is available at <https://www.gov.uk/government/publications/uk-singapore-digital-economy-agreement-agreement-in-principle-explainer/uk-singapore-digital-economy-agreement-agreement-in-principle-explainer>.

[64] The adequacy decision between South Korea and the European Union is available at <https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-republic-korea-annexes_en>.

[65] The Regulation of Processing of Personal Data (2021) is available at <http://documents.gov.lk/files/bill/2021/11/152-2021_E.pdf>.

[66] See https://www.bangkokpost.com/business/2110719/controversial-law-on-personal-data-againt-postponed-for-another-year.

[67] See Act No. 32 of 2018 Data Protection Act (12 July 2018), available athttps://www.bocra.org.bw/sites/default/files/documents/32%20Act%2010-08-2018-Data%20Protection.pdf and Data Protection Act (Commencement Date) Order, 2021 (15 October 2021).

[68] See Republic of Kenya, Office of the Data Protection Commissioner, “Guidance Note on access to personal date during Covid-19 pandemic” (January 2021), available at https://ict.go.ke/wp-content/uploads/2021/01/Draft-Data-Request-Review-Framework-Jan-2021.pdf.

[69] The FCCPC is empowered to administer and enforce provisions of every Nigerian law with respect to competition and protection of consumers under Section 17(a) of the Federal Competition and Consumer Protection Act, 2019.

[70] See “NITDA Collaborates With The Federal Competition And Consumer Commission (FCCPC) To Tackle Data Abuse By Money Lending Operations”, Press Release (12 November 2021), available athttps://nitda.gov.ng/nitda-collaborates-with-the-federal-competition-and-consumer-commission-fccpc-to-tackle-data-abuse-by-money-lending-operations/.

[71] See “NITDA Sanctions SokoLoan For Privacy Invasion”, Press Release (17 August 2021), available athttps://nitda.gov.ng/nitda-sanctions-soko-loan-for-privacy-invasion/.

[72] See Law No. 058/2021 Law relating to the protection of personal data and privacy (15 October 2021), available at https://www.minijust.gov.rw/fileadmin/user_upload/Minijust/Publications/Official_Gazette/_2021_Official_Gazettes/October/OG_Special_of_15.10.2021_Amakuru_bwite.pdf.

[73] See “Rwanda passes new Law protecting personal data”, Press Release (21 October 2021), available at https://www.minict.gov.rw/fileadmin/user_upload/minict_user_upload/Documents/Press_Release/211021_PRESS_RELEASE_Rwanda_s_New_Data_Protection_Law_ENGLISH.pdf.

[74] See National Cyber Security Authority, “The Significance of Rwanda’s Personal Data Protection and Privacy Law” (10 December 2021), available at https://cyber.gov.rw/updates/article/the-significance-of-rwandas-personal-data-protection-and-privacy-law-1/.

[75] See National Cyber Security Authority, “Consent, Ownership and Lawful Data Processing” (14 December 2021), available at https://cyber.gov.rw/updates/article/consent-ownership-and-lawful-data-processing-1/.

[76] See Section 110 of POPIA.

[77] See Information Regulator (South Africa), “Guidance Note on Processing of Special Personal Information” (June 2021), available at https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-Processing-SpecialPersonalInformation-20210628.pdf.

[78] See Information Regulator (South Africa), “Guidance Note On Exemptions From The Conditions For Lawful Processing Of Personal Information In Terms Of Section 37 And 38 Of The Protection Of Personal Information Act 4 Of 2013, 2021” (June 2021), available at https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-PPI-LawfulProcessing-202106.pdf.

[79] See Information Regulator (South Africa), “Rules of procedure relating to the manner in which a complaint must be submitted and handled by the Regulator, 2021” (October 2021), available at https://www.justice.gov.za/inforeg/legal/20211012-InfoReg-RulesOfProcedure-HandlingPOPIAcomplaints.pdf.

[80] See “Information Regulator to take further action regarding the WhatsApp privacy policy”, Media Statement (13 May 2021), available at https://www.justice.gov.za/inforeg/docs/ms/ms-20210513-WhatsAppPrivacyPolicy.pdf.

[81] See Act No. 19 of 2020 Cybercrimes Act, 2020 (1 June 2021), available at https://www.gov.za/sites/default/files/gcis_document/202106/44651gon324.pdf.

[82] See “Togo : l’Assemblée nationale ratifie la convention de Malabo et actualise le fonctionnement de la CNDH” (in French) (14 July 2021), available at https://togomedia24.com/2021/07/01/togo-lassemblee-nationale-ratifie/.

[83] See Statutory Instrument No. 21 of 2021 The Data Protection and Privacy Regulations, 2021 (12 March 2021).

[84] See “Requirement to register with Personal Data Protection Office”, Press Release (2 November 2021), available at https://www.linkedin.com/posts/personal-data-protection-office-pdpo_press-release-on-requirement-to-register-activity-6863366852064628736-wJc_.

[85] See Act No. 3 of 2021 The Data Protection Act, 2021 (24 March 2021).

[86] See Data Protection Act [Chapter 11:22].

[87] Bill (in Hebrew), available at https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:1510391d-592a-3272-bd12-d559164b70e2#pageNum=1.

[88] An unofficial translation of the Protection of Privacy Law, 5741 – 1981 is available at https://www.gov.il/BlobFolder/legalinfo/legislation/en/ProtectionofPrivacyLaw57411981unofficialtranslatio.pdf.

[89] Press Release (in Hebrew), available at https://www.gov.il/he/departments/news/amendments_privacy_protection_act.

[90] See “Iranian Hacking Group Leaks Patient and LGBTQ Info” (4 November 2021), available at https://www.infosecurity-magazine.com/news/iranian-hacking-group-leaks/.

[91] See “U.S. Department of the Treasury Announces Partnership with Israel to Combat Ransomware”, Press Release (14 November 2021), available at https://home.treasury.gov/news/press-releases/jy0479.

[92] Announcement (in Hebrew), available at https://www.gov.il/he/departments/news/privacy_hod_hasharon_city.

[93] See “Israel to Share Vaccination Data With Pfizer as Part of Secret Deal” (10 January 2021), available at https://www.haaretz.com/israel-news/.premium-israel-to-share-covid-vaccine-data-with-pfizer-but-agreement-remains-secret-1.9438504, and a partially redacted version of the Real-World Epidemiological Evidence Collaboration Agreement, available at https://govextra.gov.il/media/30806/11221-moh-pfizer-collaboration-agreement-redacted.pdf.

[94] See “UAE adopts largest legislative reform in its history”, Media Release, available at https://uaecabinet.ae/en/details/news/uae-adopts-largest-legislative-reform-in-its-history.

[95] The Data Protection Laws of UAE are available at https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws.

[96] See “ADGM enacts its new Data Protection Regulations 2021”, Media Release (14 February 2021), available at https://www.adgm.com/media/announcements/adgm-enacts-its-new-data-protection-regulations-2021.

[97] See the dedicated website of the Office of Data Protection, available at https://www.adgm.com/operating-in-adgm/office-of-data-protection/overview.

[98] The Data Protection Guidance 2021, templates and assessments are available at https://www.adgm.com/operating-in-adgm/office-of-data-protection/guidance.

[99] Prime Minister’s announcement (in Arabic), available at http://www.pm.gov.jo/content/1640846700/%D9%85%D8%AC%D9%84%D8%B3-%D8%A7%D9%84%D9%88%D8%B2%D8%B1%D8%A7%D8%A1-%D9%8A%D9%82%D8%B1%D9%91-%D9%85%D8%B4%D8%B1%D9%88%D8%B9-%D9%82%D8%A7%D9%86%D9%88%D9%86-%D8%AD%D9%85%D8%A7%D9%8A%D8%A9-%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D8%A7%D8%AA-%D8%A7%D9%84%D8%B4%D8%AE%D8%B5%D9%8A%D9%91%D9%8E%D8%A9.html, and Ministry’s announcement (in Arabic), available at https://modee.gov.jo/Ar/NewsDetails/%D9%82%D8%A7%D9%86%D9%88%D9%86_%D8%AD%D9%85%D8%A7%D9%8A%D8%A9_%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D8%A7%D8%AA_%D8%A7%D9%84%D8%B4%D8%AE%D8%B5%D9%8A%D9%91%D9%8E%D8%A9_%D9%84%D8%B3%D9%86%D8%A9_2021%D9%85.

[100] The text of the draft law (in Arabic) is available at http://www.lob.jo/?v=1.14&url=ar/DraftDetails?DraftID:10254,AddComment:0,PageIndex:1&DraftTitle:%D9%82%D8%A7%D9%86%D9%88%D9%86-%D8%AD%D9%85%D8%A7%D9%8A%D8%A9-%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D8%A7%D8%AA-%D8%A7%D9%84%D8%B4%D8%AE%D8%B5%D9%8A%D8%A9-/–%D8%AA%D9%85-%D8%AA%D9%85%D8%AF%D9%8A%D8%AF-%D9%85%D8%AF%D8%A9-%D9%86%D8%B4%D8%B1%D9%87-%D8%B9%D9%84%D9%89-%D8%A7%D9%84%D9%85%D9%88%D9%82%D8%B9-%D8%A7%D8%B1%D8%A8%D8%B9-%D8%A7%D9%8A%D8%A7%D9%85-%D8%B9%D9%85%D9%84-%D8%A7%D8%B6%D8%A7%D9%81%D9%8A%D8%A9.

[101] The Consultation Draft of the Personal Data Protection Bill 2021 (25 August 2021) is available at https://moitt.gov.pk/SiteImage/Misc/files/25821%20DPA%20Bill%20Consultation%20Draft_docx.pdf.

[102] See the announcement of the Qatar Financial Centre (QFC) Authority “Consultation on proposed changes to QFC Data Protections Regulations & Rules”, available at https://www.linkedin.com/feed/update/urn:li:activity:6833700338965512192/, and the Consultation Paper “QFCA CP No. 1 of 2021 Proposed Changes to QFC Data Protection Regulations and Rules”, available at https://qfcra-en.thomsonreuters.com/rulebook/qfca-cp-no-1-2021-proposed-changes-qfc-data-protection-regulations-and-rules.

[103] See “MOTC Releases Guidelines on Personal Data Privacy Protection Law”, Media Release (31 January 2021), available at https://www.motc.gov.qa/en/news-events/news/motc-releases-guidelines-personal-data-privacy-protection-law.

[104] See Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 (in Arabic) (14 September 2021), available at https://ncar.gov.sa/Documents/Details?Id=waEbJasbk9cJVNdJ%2B31GUA%3D%3D.

[105] See “The Communications Commission announces the entry into force of the Regulatory Framework for Cyber Security for Service Providers in the Communications, Information Technology and Postal Sector”, Press Release (29 May 2021), available at https://www.citc.gov.sa/ar/mediacenter/pressreleases/Pages/20210529.aspx, and the Commission’s portal on cybersecurity regulations, available at https://www.citc.gov.sa/ar/RulesandSystems/CyberSecurity/Pages/default.aspx.

[106] See https://www.gov.br/anpd/pt-br/assuntos/noticias/2021-05-27-guia-agentes-de-tratamento_final.pdf.

[107] See https://www.gov.br/anpd/pt-br/assuntos/noticias/sancoes-administrativas-o-que-muda-apos-1o-de-agosto-de-2021.

[108] See https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-1-de-28-de-outubro-de-2021-355817513.

[109] See https://www.gov.br/anpd/pt-br/canais_atendimento/cidadao-titular-de-dados/peticao-de-titular-contra-controlador-de-dados/reclamacao.

[110] See https://www.gov.br/mj/pt-br/assuntos/noticias/secretaria-nacional-do-consumidor-multa-banco-por-utilizar-dados-sem-consentimento-de-consumidores-idosos.

[111] See http://www.procon.mt.gov.br/-/17501890-procon-estadual-multa-rede-de-farmacias-por-infracao-a-lei-de-protecao-de-dados-pessoais.

[112] See http://www.bcra.gov.ar/Noticias/Ciberincidentes-lineamientos-para-respuesta-y-recuperacion.asp.

[113] See https://www.ciberseguridad.gob.cl/media/2021/11/Ciberguía-para-pymes.pdf.

[114] See https://www.dinardap.gob.ec/dos-anos-tienen-las-entidades-publicas-y-empresas-privadas-para-adaptar-sus-procesos-a-la-ley-de-proteccion-de-datos-personales/.

[115] See https://www.antai.gob.pa/reglamentan-ley-81-de-proteccion-de-datos-personales/.

[116] See http://silpy.congreso.gov.py/expediente/123459.

[117] See https://www.gub.uy/unidad-reguladora-control-datos-personales/institucional/normativa/resolucion-n-23021 and https://www.gub.uy/unidad-reguladora-control-datos-personales/institucional/normativa/resolucion-n-41021.

The following Gibson Dunn lawyers assisted in the preparation of this article: Alejandro Guerrero in Brussels; Ahmed Baladi, Vera Lukic, Clémence Pugnet, and Lena Bionducci in Paris; Connell O’Neil, Nicholas Hay, and Jocelyn Shih in Hong Kong; Kai Gesing in Munich; and Alex Southwell, Ryan Bergsieker, and Cassandra Gaedt-Sheckter in the United States.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

Europe
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33 180, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])

United States
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

With the backdrop of the continuing COVID-19 pandemic and high M&A volume, 2021 presented new issues for dealmakers. Hear from seasoned practitioners on how deals are getting done and the issues being confronted. This discussion covers various M&A-related topics, including the following:

• Key deal issues to navigate in light of increased antitrust regulatory scrutiny;
• Limitations on liability for fraud;
• Clauses to include in deal documents to avoid pitfalls; and
• Current state of play for SPAC transactions, and forecasts for the future.

PANELISTS:

Quinton C. Farrar is a corporate partner in the New York office of Gibson, Dunn & Crutcher. Mr. Farrar advises public and privately held companies, including private equity sponsors and their portfolio companies, investors, financial advisors, boards of directors and individuals in connection with a wide variety of complex corporate matters, including mergers and acquisitions, asset sales, leveraged buyouts, spin-offs, joint ventures and minority investments and divestitures. He also has substantial experience advising clients on corporate governance issues as well as in advising issuers and underwriters in connection with public and private issuances of debt and equity securities.

Abtin Jalali is a partner in the San Francisco office of Gibson, Dunn & Crutcher. He is a member of Gibson Dunn’s Private Equity and Mergers and Acquisitions Practice Groups. Mr. Jalali has extensive experience representing private equity firms and their portfolio companies in all aspects of their businesses, with a focus on mergers and acquisitions, divestitures, growth equity investments, minority investments and general corporate matters. Mr. Jalali’s representative private equity clients include Serent Capital, True Wind Capital, TPG Capital, FTV Capital, Gryphon Investors and Tower Arch Capital.

Robert B. Little is a partner in Gibson, Dunn & Crutcher’s Dallas office. He is a Global Co-Chair of the Mergers and Acquisitions Practice Group. Mr. Little has consistently been named among the nation’s top M&A lawyers every year since 2013 by Chambers USA. Admired by clients as “very efficient, always knowledgeable in the subjects with immediate recommendations for action” and “an excellent corporate attorney well suited for negotiating tough deals” (Chambers, 2021), his practice focuses on corporate transactions, including mergers and acquisitions, securities offerings, joint ventures, investments in public and private entities, and commercial transactions. Mr. Little has represented clients in a variety of industries, including energy, retail, technology, infrastructure, transportation, manufacturing, and financial services.

Kristen P. Poole is a corporate partner in the New York office of Gibson, Dunn & Crutcher, where her practice focuses on mergers and acquisitions and private equity. Ms. Poole represents both public and private companies, as well as financial sponsors, in connection with mergers, acquisitions, divestitures, minority investments, restructurings and other complex corporate transactions. She also advises clients with respect to general corporate governance matters and shareholder activism matters.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.

Gibson, Dunn & Crutcher LLP is authorized by the Solicitors Regulation Authority to provide in-house CPD training. This program is approved for CPD credit in the amount of 1.0 hour. Regulated by the Solicitors Regulation Authority (Number 324652).

Application for approval is pending with the Colorado, Illinois, Texas, Virginia and Washington State Bars.

Most participants should anticipate receiving their certificates of attendance via e-mail in approximately 4-6 weeks following the webcast.

Members of the Virginia Bar should anticipate receiving the applicable certification forms in approximately 6-8 weeks.

Click for PDF

On January 27, 2022, the Supreme Court of California issued a decision that changes the burden for employers that are defending against current or former employees’ whistleblower retaliation claims. In Lawson v. PPG Architectural Finishes, Inc., No. S266001,___ Cal.5th ___, the Court answered a question that the Ninth Circuit had certified in an effort to dispel “widespread confusion” over the evidentiary standard for retaliation claims bought under California Labor Code section 1102.5. Some courts had concluded the traditional burden-shifting framework set out in McDonnell Douglas Corp. v. Green (1972) 411 U.S. 792, should apply, with plaintiffs having to prove that they were retaliated against for a pretextual reason. Others had decided that the more employee-friendly California Labor Code section 1102.6 should apply, with employers having to prove by clear and convincing evidence that the plaintiffs would have suffered the challenged consequence (such as losing their jobs) even if they had not identified any wrongdoing. The California Supreme Court sided with the latter group, holding that section 1102.6’s framework applies both on summary judgment and at trial.

In Lawson, the plaintiff sued his former employer under section 1102.5 for firing him after he complained of allegedly fraudulent practices. The district court granted the employer’s motion for summary judgment on the ground that the plaintiff failed to demonstrate that the employer’s stated reasons for termination, including poor performance, were pretextual.

The issue on appeal was the appropriate framework for Lawson’s claim. The district court applied McDonnell Douglas’s three-part burden-shifting framework: (1) the employee establishes a prima facie case of retaliation; (2) the burden of production shifts to the employer to articulate a legitimate reason for its decision; and (3) the burden shifts back to the employee to show that that the employer’s reason is pretextual. Lawson argued the district court instead should have followed section 1102.6’s two-part framework, which mirrors the analysis required for retaliation claims brought under the Sarbanes-Oxley Act and related federal statutes: (1) the employee demonstrates (by a preponderance of the evidence) that retaliation was a “contributing factor” in the adverse employment action, and (2) the burden shifts to the employer to prove (by clear and convincing evidence) that the adverse action would have occurred even if the employee had not engaged in protected conduct. The Ninth Circuit certified the question to the California Supreme Court because, it observed, the “state’s appellate courts do not follow a consistent practice.”

In a unanimous decision written by Justice Leondra Kruger, the Court held that section 1102.6 governs section 1102.5 retaliation claims. The Court anchored its conclusion in the statutory text: The statute “[b]y its terms” specifies “the applicable substantive standards and burdens of proof.” The statute’s legislative history, by contrast, “yields no clear answers on the McDonnell Douglas question.” The Court also observed that the McDonnell Douglas framework is not “well suited” to employee-whistleblower claims because while McDonnell Douglas presumes an employer’s reason for adverse action “is either discriminatory or legitimate,” a section 1102.5 plaintiff can prove unlawful retaliation “even when other, legitimate factors also contributed to the adverse action.” Finally, the Court rejected the employer’s argument that the McDonnell Douglas framework should apply at least during the summary judgment stage, explaining that “the parties’ burdens of proof at summary judgment generally depend on their burdens of proof at trial.”

The Court’s decision changes the burden that employers must satisfy in attempting to prove that they took adverse employment actions for legitimate, nonretaliatory reasons. Under McDonnell Douglas, an employer has to show only a legitimate, nonretaliatory reason for its decision, at which point the burden shifts to the employee to prove that reason is pretextual. But under section 1102.6, an employer must instead prove, by “clear and convincing” evidence, that it would have taken the same action against the employee “even had the plaintiff not engaged in protected activity.” Section 1102.6 thus makes it easier for employees alleging retaliation to prove their case and avoid summary judgment. Yet the Court’s decision did not change plaintiffs’ burden to establish, by a preponderance of the evidence, that their protected activity “was a contributing factor in a contested employment action.” The Court also made clear that under the section 1102.6 framework, employers will “be able to raise a same-decision defense on summary judgment,” allowing courts to dismiss “meritless” retaliation claims before trial.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have about these matters or regarding developments at the California Supreme Court or in state or federal appellate courts in California. Please feel free to contact any member of the Appellate and Constitutional Law or Labor and Employment practice groups, or the following appellate lawyers in California:

Theodore J. Boutrous, Jr. – Los Angeles (+1 213-229-7000, [email protected])
Julian W. Poon – Los Angeles (+1 213-229-7758, [email protected])
Theane Evangelis – Co-Chair, Litigation Group, Los Angeles (+1 213-229-7726, [email protected])
Bradley J. Hamburger – Los Angeles (+1 213-229-7658, [email protected])
Michael Holecek – Los Angeles (+1 213-229-7018, [email protected])
Daniel R. Adler – Los Angeles (+1 213-229-7634, [email protected])
Ryan Azad – San Francisco (+1 415-393-8276, [email protected])
Matt Aidan Getz – Los Angeles (+1 213-229-7754, [email protected])
Matthew Ball – Denver (+1 303-298-5731, [email protected])

Please also feel free to contact the following Labor and Employment practice leaders and members:

Harris M. Mufson – Co-Head, Whistleblower Team of Labor & Employment Group, New York (+1 212-351-3805, [email protected])

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C. (+1 202-955-8242, [email protected])

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles (+1 213-229-7107, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

We are pleased to present Gibson Dunn’s ninth “Federal Circuit Year In Review,” providing a statistical overview and substantive summaries of the 76 precedential patent opinions issued by the Federal Circuit between August 1, 2020 and July 31, 2021. This term included significant panel decisions in patent law jurisprudence with regard to standing (ABS Global, Inc. v. Cytonome/ST, LLC, 984 F.3d 1017 (Fed. Cir. 2021) and Gen. Elec. Co. v. Raytheon Techs. Corp., 983 F.3d 1334 (Fed. Cir. 2020)); subject matter eligibility (cxLoyalty, Inc. v. Maritz Holdings Inc., 986 F.3d 1367 (Fed. Cir. 2021) and Illumina, Inc. v. Ariosa Diagnostics, Inc., 967 F.3d 1319 (Fed. Cir. 2020)); venue (In re Samsung Elecs. Co., 2 F.4th 1371 (Fed. Cir. 2021) and Valeant Pharms. N. Am. LLC v. Mylan Pharms. Inc., 978 F.3d 1374 (Fed. Cir. 2020)); IPR procedures (Facebook, Inc. v. Windy City Innovations, LLC, 973 F.3d 1321 (Fed. Cir. 2020)); and public accessibility of prior art (M & K Holdings, Inc. v. Samsung Elecs. Co., 985 F.3d 1376 (Fed. Cir. 2021) and VidStream LLC v. Twitter, Inc., 981 F.3d 1060 (Fed. Cir. 2020)). Each of these decisions, as well as all other precedential decisions issued by the Federal Circuit in the 2020‒2021 term, is summarized in the Federal Circuit Year In Review.

Use the Federal Circuit Year In Review to find out:

The easy-to-use Table of Contents is organized by substantive issue, so that the reader can easily identify all of the relevant cases bearing on the issue of choice.
Which issues may have a better chance (or risk) on appeal based on the Federal Circuit’s history of affirming or reversing on those issues in the past.
The average length of time from issuance of a final decision in the district court and docketing at the Federal Circuit to issuance of a Federal Circuit opinion on appeal.
What the success rate has been at the Federal Circuit if you are a patentee or the opponent based on the issue being appealed.
The Federal Circuit’s history of affirming or reversing cases from a specific district court.
How likely a particular panel may be to render a unanimous opinion or a fractured decision with a majority, concurrence, or dissent.
The Federal Circuit’s affirmance/reversal rate in cases from the district court, ITC, and the PTO.

The Year In Review provides statistical analyses of how the Federal Circuit has been deciding precedential patent cases, such as affirmance and reversal rates (overall, by issue, and by District Court), average time from lower tribunal decision to key milestones (oral argument, decision), win rate for patentee versus opponent (overall, by issue, and by District Court), decision rate by Judge (number of unanimous, majority, plurality, concurring, or dissenting opinions), and other helpful metrics. The Year In Review is an ideal resource for participants in intellectual property litigation seeking an objective report on the Court’s decisions.

Gibson Dunn is nationally recognized for its premier practices in both Intellectual Property and Appellate litigation. Our lawyers work seamlessly together on all aspects of patent litigation, including appeals to the Federal Circuit from both district courts and the agencies.

Please click here to view the FEDERAL CIRCUIT YEAR IN REVIEW

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work or the authors of this alert:

Mark A. Perry – Washington, D.C. (+1 202-887-3667, [email protected])
Nathan R. Curtis – Dallas (+1 214-698-3423, [email protected])
Florina Yezril – New York (+1 212-351-2689, [email protected])

Please also feel free to contact any of the following practice group co-chairs or any member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups:

Appellate and Constitutional Law Group:
Allyson N. Ho – Dallas (+1 214-698-3233, [email protected])
Mark A. Perry – Washington, D.C. (+1 202-887-3667, [email protected])

Intellectual Property Group:
Kate Dominguez – New York (+1 212-351-2338, [email protected])
Y. Ernest Hsin – San Francisco (+1 415-393-8224, [email protected])
Josh Krevitt – New York (+1 212-351-4000, [email protected])
Jane M. Love, Ph.D. – New York (+1 212-351-3922, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Click for PDF

In February and March 2021, we published updates on global legislative developments in relation to mandatory human rights due diligence and supply chain reporting (see here and here).

At that time, it was expected that the European Commission (“EC”) would publish draft legislation at the pan-European level in the form of a Sustainable Corporate Governance proposal (“SCG”) in Summer 2021. The anticipated draft directive was hailed as a potential game-changer: directing how companies should manage matters in their own operations and value chains as regards human rights, climate change and the environment, and related governance.

By comparison, fewer material developments have arisen in the United States, with the most notable change to the law in this field in recent years being the California Transparency in Supply Chains Act 2010. But the landscape may be changing, both with the recently passed federal Uyghur Forced Labor Prevention Act and a new proposed law pending in New York State (the draft “Fashion Sustainability and Social Accountability Act”) that may impose significant reporting requirements on the fashion industry.

Pan-European Developments – EC draft legislation significantly delayed

As it stands, the EC draft directive has not yet been handed down and updates on its status have not been forthcoming from the EC. However, it is reported that the delay is a result of a (second) rejection by the EC’s internal Regulatory Scrutiny Board (an independent body charged with quality control and impact assessment of legislation). The latest indications by the EC are that the draft directive is now expected in February 2022.

Unsurprisingly, this delay has been met with widespread condemnation and concern from civil society. For example, on 8 December 2021, in an open letter signed by 47 civil society and trade union organizations to EC President Ursula von der Leyen (see here), complaints were made about delays to a “crucial new law that can help millions of people to demand justice against human rights violations…” and expressing “dee[p] concer[n]” about the “complete lack of transparency on the reasons for this new delay”. The letter called on the President to “publicly reiterate [the] commitment … to making supply chains of companies active on the EU market sustainable through ambitious, binding human rights and environmental due diligence legislation”.

US Developments – Groundbreaking draft legislation proposed

Meanwhile, in the US, human rights due diligence legislation has advanced with two meaningful developments.

On the federal level, on 23 December 2021, President Biden signed the Uyghur Forced Labor Prevention Act (the “UFLPA”) into law. The UFLPA creates a rebuttable presumption that all goods manufactured – even partially – in China’s Xinjiang Uyghur Autonomous Region are the product of forced labor and therefore not entitled to entry at US ports. The UFLPA also builds on prior legislation, such as the Uyghur Human Rights Policy Act of 2020, by expanding that Act’s authorization of sanctions to cover foreign individuals responsible for human rights abuses related to forced labor in the Xinjiang region. We explore the UFLPA in detail in our client alert, here.

On the state level, earlier this month, two New York State Senators introduced historic legislation to set broad sustainability mandates for the fashion industry – an industry which is (according to some estimates) responsible for approximately 4-8.6% of global greenhouse gas emissions. The Fashion Sustainability and Social Accountability Act (the “FSSAA”), sponsored by Senator Alessandra Biaggi and assembly member Dr. Anna Kelles, is a proposal that, if enacted, would require fashion retailers and manufacturers doing business in New York State with annual global gross revenues that exceed $100 million to publish extensive disclosures on their websites about their “environmental and social due diligence policies, processes and outcomes, including significant real or potential adverse environmental and social impacts” (see here). The FSSAA would therefore place obligations on many household fashion names and brands based around the world.

The disclosures under the draft FSSAA include, among other things: (i) supply chain mapping of at least 50% of suppliers by volume across all tiers of production; (ii) a “sustainability report” identifying each business’s risks, as informed by United Nations and International Labor Organization principles; (iii) independently verified greenhouse gas reporting; and (iv) quantitative measures, such as publishing the median wages of workers of suppliers compared with the local minimum wage. The FSSAA requires that all disclosures be made on the retail or manufacturer’s website within a year of the legislation’s enactment into law.

In terms of enforcement, the FSSAA, if passed, would require New York’s Attorney General (“AG”) to publish an annual report regarding companies’ compliance with the law. And, if enacted, failure to meet the legislation’s requirements would result in the AG having the power to fine sellers and manufacturers up to 2% of annual revenues of $450 million or more. Such money will then be deposited into a community benefit fund, which will be used for environmental projects that directly and verifiably benefit environmental justice communities.

While legislation can take years, advocates are hoping that the bill is passed by Spring 2022 and certainly no later than the end of the 2022 New York State legislative session in June. The legislation has four cosponsors and is currently pending before the New York House Consumer Affairs and Protection and Senate Consumer Protection Committees and, if it advances out of committee, it will be voted on by the full legislative body.

Conclusion

These initiatives in the US are a further indication of the general direction of evolving due diligence expectations. If enacted, the FSSAA would not only make waves in the fashion world, but could also foreshadow legislation requiring ESG disclosures for other industries in the US.

With this in mind, together with the anticipated EC legislation and individual country developments, companies should continue to reflect on their knowledge of their own supply chains, human rights and environmental risks within their business, and internal due diligence processes/compliance methodologies. The expectations of companies in terms of their substantive management of environmental and human rights risks, as well as their reporting obligations, looks set only to increase.

This alert has been prepared by Susy Bullock, Stephanie Collins, and Ryan Butcher* in London; and Roscoe Jones, Jr., Howard S. Hogan, Perlette Michèle Jura, and Jessica C. Benvenisty in the United States.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Environmental, Social and Governance (ESG) practice, or the following authors in London and the US:

Susy Bullock – London (+44 (0) 20 7071 4283, [email protected])
Stephanie Collins – London (+44 (0) 20 7071 4216, [email protected])
Roscoe Jones, Jr. – Washington, D.C. (+1 202-887-3530, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Perlette M. Jura – Los Angeles (+1 213-229-7121, [email protected])
Jessica C. Benvenisty – New York (+1 212-351-2415, [email protected])

Please also feel free to contact the following ESG practice leaders:

Susy Bullock – London (+44 (0) 20 7071 4283, [email protected])
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, [email protected])
Perlette M. Jura – Los Angeles (+1 213-229-7121, [email protected])
Ronald Kirk – Dallas (+1 214-698-3295, [email protected])
Michael K. Murphy – Washington, D.C. (+1 202-955-8238, [email protected])
Selina S. Sagayam – London (+44 (0) 20 7071 4263, [email protected])

* Ryan Butcher is a trainee solicitor working in the firm’s London office who is not yet admitted to practice law.

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Click for PDF

This update provides an overview and summary of key class action developments during the fourth quarter of 2021 (October through December).

Part I addresses recent arbitration-related developments relevant to class action practitioners, including cases addressing the Federal Arbitration Act’s (“FAA”) Section 1 exemption for interstate transportation workers, and the Supreme Court’s grants of certiorari in two arbitration-related appeals.

Part II covers decisions from the Second and Seventh Circuits applying the Supreme Court’s holding in TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), that requires plaintiffs to establish that they have suffered “concrete” harm in order to have Article III standing.

Part III summarizes two decisions from the First and Seventh Circuits emphasizing the rigorous analysis that district courts must conduct under Rule 23 before certifying a class.

And Part IV analyzes a Fifth Circuit order granting a stay of discovery pending appeal of a class-certification order under Rule 23(f).

I. Important Arbitration Issues Continue to Percolate at the Supreme Court and Circuit Court-Levels

As reported in last quarter’s update, the FAA’s Section 1 residual clause exemption continues to generate litigation across the country. Under this clause, “workers engaged in foreign or interstate commerce” are exempt from having to arbitrate their claims under the FAA. 9 U.S.C. § 1. The courts of appeals have continued interpreting the scope of this exemption in various contexts.

In Cunningham v. Lyft, Inc., 17 F.4th 244 (1st Cir. 2021), a group of Massachusetts Lyft drivers alleged they had been misclassified as independent contractors. The district court denied Lyft’s motion to compel arbitration based on the Section 1 exemption, but the First Circuit reversed. Id. at 246–47. The First Circuit noted that even though many drivers transport passengers to and from the airport as part of the passenger’s interstate trip, they do not fall within the exemption because the “driver contracts with the passenger as part of the driver’s normal local service to take the passenger to the start (or from the finish) of the passenger’s interstate journey.” Id. at 250. Moreover, that some drivers may occasionally transport passengers across state lines did not mean that drivers generally are “primarily in local intrastate transportation.” Id. at 253.

In a different context, the Ninth Circuit in Carmona v. Domino’s Pizza, LLC, 21 F.4th 627 (9th Cir. 2021), held that certain pizza delivery drivers are engaged in interstate commerce, and are thus covered by the Section 1 exemption. This case involved Domino’s drivers who delivered pizza ingredients from a Domino’s “Supply Center” in California to various Domino’s franchisees in California; the drivers sued Domino’s for alleged violations of various California labor laws. Id. at 628. The Ninth Circuit affirmed the denial of Domino’s motion to compel arbitration, holding that the drivers were not covered by the Section 1 exemption. Id. at 629–30. The court observed that “[t]he critical factor in determining whether the residual clause exemption applies is not the nature of the item transported in interstate commerce (person or good) or whether the plaintiffs themselves crossed state lines, but rather the nature of the business for which a class of workers performed their activities.” Id. at 629 (citation omitted). The court reasoned that the plaintiffs were “engaged in a single, unbroken stream of interstate commerce that renders interstate commerce a central part of their job description,” because they were responsible for delivering products from suppliers located outside of California to franchises within the state. Id. (citation omitted).

Additional guidance from the Supreme Court regarding the residual clause’s scope may be on its way. In December 2021, the Supreme Court granted certiorari in Saxon v. Southwest Airlines Co., 993 F.3d 492 (7th Cir. 2021), to resolve whether an airline cargo ramp supervisor qualifies as exempt from arbitration under the residual clause. In that case, the Seventh Circuit held that such workers are exempt under Section 1, reasoning that “transportation workers” are those who “perform[] work analogous to that of seamen and railroad employees, whose occupations are centered on the transport of goods in interstate and foreign commerce.” Id. at 496 (citation omitted). The court noted that the proper focus of the analysis is whether the worker is “actually engaged in the movement of goods in interstate commerce,” and added that “actual transportation is not limited to the precise moment either goods or the people accompanying them cross state lines.” Id. at 498. We will continue monitoring this appeal and other cases addressing the Section 1 exemption.

In another notable grant of certiorari concerning arbitration, the Supreme Court agreed to hear Morgan v. Sundance, Inc., 992 F.3d 711 (8th Cir. 2021), which presents the issue of whether a party resisting arbitration on the grounds of waiver must show prejudice. In this case, the Eighth Circuit had held that even a defendant’s participation in litigation for eight months did not amount to waiver, given that the litigation remained at a preliminary phase and the plaintiff had not demonstrated any prejudice by the defendant’s alleged delay in asserting its right to arbitrate. See id. at 714–15. The case is now being briefed and we’ll provide a further update when the Supreme Court issues its decision.

II. Standing and Article III Injury After TransUnion LLC v. Ramirez

As reported in our prior update, in an important decision with significant ramifications for standing in class actions, in TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), the Supreme Court held that each class member must have suffered a “concrete” harm bearing a “close relationship” to traditional harms—like physical injury, monetary injury, or intangible injuries like damage to reputation—to have Article III standing. Id. at 2200. And importantly, after TransUnion, “an injury in law is not an injury in fact.” Id. at 2206. In the months since it was issued, the courts of appeals have adopted different approaches to applying TransUnion to determine when class action plaintiffs alleging statutory violations have alleged a “concrete” harm satisfying Article III.

In Maddox v. Bank of New York Mellon Trust Co., 19 F.4th 58 (2d Cir. 2021), the Second Circuit ruled that the plaintiffs’ allegations that the defendant bank violated New York’s mortgage-satisfaction-recording statutes did not support Article III standing because the allegations showed only a risk that plaintiffs would be injured—but not that plaintiffs suffered any actual harm. While Spokeo, Inc. v. Robins, 578 U.S. 330 (2016), allows a “real risk of harm” to “satisfy the requirement of concreteness” in some cases for injunctive relief, the Second Circuit explained that “TransUnion established that in suits for damages[,] plaintiffs cannot establish Article III standing by relying entirely on a statutory violation or risk of future harm.” 19 F.4th at 63–64. Thus, even though the plaintiffs alleged the bank failed to timely record satisfaction, they did not allege that anyone saw the misleading records, that they suffered reputational harm, or other injury. Id. at 65. As a result, the plaintiffs lacked standing to seek damages in federal court. Id. at 66.

The Seventh Circuit adopted a slightly different view in Persinger v. Southwest Credit Systems, L.P., 20 F.4th 1184 (7th Cir. 2021). In Persinger, the Seventh Circuit held that the defendant’s use of the plaintiff’s “propensity-to-pay score” without a permissible purpose, in violation of the Fair Credit Reporting Act (“FCRA”), was sufficient to confer Article III standing. Id. at 1193. Specifically, the court reasoned that “the FCRA’s protection of consumer credit information is akin to the common law’s protection of private information through the tort of invasion of privacy,” and that in making it “unlawful to furnish, obtain, or use a consumer’s credit information without a permissible purpose,” “Congress created a federal cause of action for a common-law-like harm.” Id. at 1192. Thus, because the plaintiff’s alleged harm resembled a harm traditionally protected by common law, it was a “concrete injury” for purposes of Article III. Id.

III. The Seventh and First Circuits Address the Requirements for Class Certification

This past quarter, the Seventh and First Circuits published noteworthy decisions analyzing the Rule 23 certification requirements.

In Santiago v. City of Chicago, 19 F.4th 1010 (7th Cir. 2021), the Seventh Circuit emphasized the “rigorous analysis” that district courts must conduct before certifying a class. Id. at 1019. When the plaintiff’s van was towed and disposed of pursuant to Chicago’s Municipal Code, she moved for class certification under Rule 23(b)(3) for ten claims. Id. at 1014–15. The district court certified two classes (a tow class and a vehicle-disposal class) without specifying which claims survived. Id. at 1015–16. On appeal, the Seventh Circuit found two “fatal flaw[s]” in the district court’s certification analysis, and concluded the district court failed to “properly engage in the rigorous analysis that a class certification order requires.” Id. at 1017, 1019.

First, the district court’s certification analysis was “organized … around potential common questions rather than the claims at issue.” at 1017. As the Supreme Court has explained, any analysis of whether commonality or predominance are satisfied “‘begins, of course, with the elements of the underlying cause of action.’” Id. (quoting Erica P. John Fund, Inc. v. Halliburton Co., 563 U.S. 804, 809 (2011)). Although the district court reasoned that there were some common questions that predominated, it did “not discuss any of the elements of the underlying causes of action, nor in clear terms explain what the causes of action are.” Id. By failing to conduct the requisite “detailed analysis” of the elements of the underlying claims, the district court abused its discretion. Id. at 1018.
Second, the district court also erred by conducting a “less-than-rigorous analysis” of the adequacy of the named plaintiff. Id. at 1019. Although the defendant had argued the plaintiff was susceptible to a unique defense of actual notice (which may have precluded the plaintiff from challenging the notice’s procedural sufficiency), the district court did not identify why this unique defense was irrelevant to the claims for each class. Id.

The First Circuit also addressed the certification requirements in Aronstein v. Massachusetts Mutual Life Insurance Co., 15 F.4th 527 (1st Cir. 2021), where the court affirmed a denial of certification because the plaintiff had not established that he was similarly situated to proposed class members. In this case, the plaintiff alleged he purchased an annuity that he believed had a guaranteed annual interest rate of 3%, when in actuality, the defendant attached a rider that reduced the guaranteed interest rate to 1.5%. Id. at 530. The district court denied certification because under New York contract-interpretation law, extrinsic evidence was needed to determine which interest rate each putative class member believed prevailed when they purchased the annuity, which destroyed predominance. Id. at 531.

The First Circuit affirmed, reasoning that, “although [the plaintiff] was never told that MassMutual reduced the interest rate to 1.5%, MassMutual produced evidence that it engaged in an extensive marketing campaign to inform sales agents of the minimum guaranteed interest rate change, its marketing materials were modified to reflect this change, and sales agents generally explained this key interest rate to potential purchasers orally.” Id. at 535. Thus, the court held that because the plaintiff only produced evidence that he had not been informed of the rate change, there was nothing to show that other potential class members had not been so informed. Id.

IV. The Fifth Circuit Stays Discovery During Pendency of Important Rule 23(f) Appeal

In a relatively rare decision, a split panel of the Fifth Circuit granted a motion to stay discovery during the pendency of the defendants’ Rule 23(f) appeal even after the district court had denied the defendants’ request to stay such discovery. Earl v. Boeing Co., No. 21-40720, — F.4th —, 2021 WL 6061767 (5th Cir. Dec. 22, 2021). Acknowledging the uncertainty regarding the amount of deference owed to the district court’s ruling on the request for a discovery stay, the Fifth Circuit held that even under a deferential standard of review, all the factors in Nken v. Holder, 556 U.S. 418 (2009), favored granting the stay. 2021 WL 6061767, at *1.

In particular, the Fifth Circuit concluded the defendants had a “significant likelihood of success” in reversing the certification decision, and emphasized the “very costly and time consuming” discovery that would be needed in a class action suit of this magnitude. Id. at *2. Moreover, allowing discovery as to liability while staying discovery as to class membership (as the district court ordered) was not a reasonable solution because proportionality concerns “would impose far different constraints on discovery by eleven named plaintiffs” (if the appeal were successful) “than it would for classes of millions of air travelers” (if the appeal were unsuccessful). Id. Finally, the plaintiffs did not plausibly allege that they would be injured by a stay in the absence of “any specific prospective threat of spoliation,” and the public interest supported a stay to avoid potentially wasteful and unnecessary litigation. Id. at *3.

The Earl decision should be helpful for defendants challenging class certification orders via Rule 23(f) and simultaneously seeking a discovery stay.

The following Gibson Dunn lawyers contributed to this client update: Christopher Chorba, Kahn Scolnick, Bradley Hamburger, Wesley Sze, Jacob Rierson, Jessica Pearigen, and Mari Vila.

Gibson Dunn attorneys are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Class Actions, Litigation, or Appellate and Constitutional Law practice groups, or any of the following lawyers:

Theodore J. Boutrous, Jr. – Los Angeles (+1 213-229-7000, [email protected])
Christopher Chorba – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213-229-7396, [email protected])
Theane Evangelis – Co-Chair, Litigation Practice Group, Los Angeles (+1 213-229-7726, [email protected])
Kahn A. Scolnick – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213-229-7656, [email protected])
Bradley J. Hamburger – Los Angeles (+1 213-229-7658, [email protected])
Lauren M. Blas – Los Angeles (+1 213-229-7503, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Click for PDF

On the heels of a record-setting 2020, the year 2021 saw a more modest pace of Foreign Corrupt Practices Act (“FCPA”) enforcement, particularly as it relates to corporate actions. The inevitable slowdown from any changeover in presidential administrations, combined with the lingering impacts of the global pandemic, undoubtedly contributed to this phenomenon. But with the Biden Administration doubling down on the strategic importance of global anti-corruption enforcement, and with continuing robust FCPA-related enforcement against individuals, we fully anticipate a return to substantial corporate FCPA enforcement in the years to come.

This client update provides an overview of the FCPA and other domestic and international anti-corruption enforcement, litigation, and policy developments from 2021, as well as the trends we see from this activity. Gibson Dunn has the privilege of helping our clients navigate anti-corruption-related challenges every day, and we are honored to have been ranked again this year Number 1 in the Global Investigations Review “GIR 30” ranking of the world’s top investigations practices—Gibson Dunn’s fourth consecutive year and sixth in the last seven years to have been so honored. For more analysis on anti-corruption enforcement and related developments over the past year, we invite you to join us for our upcoming complimentary webcast presentations:

“FCPA 2021 Year-End Update” on February 1, 2022 (to register, Click Here)
“Corporate Compliance and U.S. Sentencing Guidelines” on March 30, 2022 (to register, Click Here)

FCPA OVERVIEW

The FCPA’s anti-bribery provisions make it illegal to corruptly offer or provide money or anything else of value to officials of foreign governments, foreign political parties, or public international organizations with the intent to obtain or retain business. These provisions apply to “issuers,” “domestic concerns,” and those acting on behalf of issuers and domestic concerns, as well as to “any person” who acts while in the territory of the United States. The term “issuer” covers any business entity that is registered under 15 U.S.C. § 78l or that is required to file reports under 15 U.S.C. § 78o(d). In this context, foreign issuers whose American Depositary Receipts (“ADRs”) or American Depositary Shares (“ADSs”) are listed on a U.S. exchange are “issuers” for purposes of the FCPA. The term “domestic concern” is even broader and includes any U.S. citizen, national, or resident, as well as any business entity that is organized under the laws of a U.S. state or that has its principal place of business in the United States.

In addition to the anti-bribery provisions, the FCPA also has “accounting provisions” that apply to issuers and those acting on their behalf. First, there is the books-and-records provision, which requires issuers to make and keep accurate books, records, and accounts that, in reasonable detail, accurately and fairly reflect the issuer’s transactions and disposition of assets. Second, the FCPA’s internal controls provision requires that issuers devise and maintain reasonable internal accounting controls aimed at preventing and detecting FCPA violations. Prosecutors and regulators frequently invoke these latter two sections when they cannot establish the elements for an anti-bribery prosecution or as a mechanism for compromise in settlement negotiations. Because there is no requirement that a false record or deficient control be linked to an improper payment, even a payment that does not constitute a violation of the anti-bribery provisions can lead to prosecution under the accounting provisions if inaccurately recorded or attributable to an internal controls deficiency.

International corruption also may implicate other U.S. criminal laws. Increasingly, prosecutors from the FCPA Unit of the Department of Justice (“DOJ”) have been charging non-FCPA crimes such as money laundering, mail and wire fraud, Travel Act violations, tax violations, and even false statements, in addition to or instead of FCPA charges. Without question, the most prevalent amongst these “FCPA-related” charges is money laundering—a generic term used as shorthand for statutory provisions that generally criminalize conducting or attempting to conduct a transaction involving proceeds of “specified unlawful activity” or transferring funds to or from the United States, in either case to promote the carrying on of specified unlawful activity, to conceal or disguise the nature, location, source, ownership or control of the proceeds, or to avoid a transaction reporting requirement. “Specified unlawful activity” includes over 200 enumerated U.S. crimes and certain foreign crimes, including the FCPA, fraud, and corruption offenses under the laws of foreign nations. Although this has not always been the case, in recent years, DOJ has frequently deployed the money laundering statutes to charge “foreign officials” who are not themselves subject to the FCPA. It is now commonplace for DOJ to charge the alleged provider of a corrupt payment under the FCPA and the alleged recipient with money laundering violations.

FCPA AND FCPA-RELATED ENFORCEMENT STATISTICS

The below table and graph detail the number of FCPA enforcement actions initiated by DOJ and the Securities and Exchange Commission (“SEC”), the statute’s dual enforcers, during the past 10 years.

2012		2013		2014		2015		2016		2017		2018		2019		2020		2021
DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC
11	12	19	8	17	9	10	10	21	32	29	10	22	17	35	19	21	11	11	4

But as our readers know, the number of FCPA enforcement actions represents only a piece of the robust pipeline of international anti-corruption enforcement efforts by DOJ. Indeed, the increasing proportion of “FCPA-related” charges in the overall enforcement docket of FCPA prosecutors is a trend we have been remarking upon for years. In total, DOJ brought 17 such FCPA-related actions in 2021, bringing the overall anti-corruption figures for the past year to 28 cases filed or unsealed by DOJ. The past 10 years of FCPA plus FCPA-related enforcement activity is illustrated in the following table and graph.

2012		2013		2014		2015		2016		2017		2018		2019		2020		2021
DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC	DOJ	SEC
12	12	21	8	23	9	12	10	27	32	36	10	48	17	54	19	40	11	28	4

2021 FCPA-RELATED ENFORCEMENT TRENDS

In each of our year-end FCPA updates, we seek not merely to report on the year’s FCPA enforcement actions, but also to distill the thematic trends we see stemming from these individual events. For 2021, we have identified three key enforcement trends that we believe stand out from the rest:

Sharp downturn in corporate FCPA enforcement actions and financial penalties;
DOJ continues substantial FCPA and FCPA-related enforcement against individuals; and
Biden Administration policies foreshadow a return to robust corporate anti-corruption enforcement in the coming years.

Sharp Downturn in Corporate FCPA Enforcement Actions and Financial Penalties

The modern era of FCPA enforcement (often described as beginning with the blockbuster Siemens resolution in 2008) may certainly be characterized by its penchant for setting enforcement records in one year, and then breaking them the next. But this overall trend has not always been linear, and indeed, frequently, there is a drop-off in cases in the years that presidential administrations change. So, it is accurate to say that corporate FCPA enforcement—after reaching new heights of penalties imposed in 2019 ($2.66 billion in corporate penalties on 21 enforcement actions) and 2020 ($2.79 billion in corporate penalties on 16 enforcement actions)—fell off the proverbial cliff in 2021 ($259.5 million on 6 enforcement actions). But we would not go nearly so far as to foretell the demise of corporate anti-corruption enforcement in the years to come. Indeed, based on what we are seeing at DOJ and the SEC, we counsel against such predictions.

The first corporate FCPA enforcement action of 2021 was with German financial institution and U.S.-issuer Deutsche Bank AG, which on January 8 reached a coordinated FCPA resolution with DOJ and the SEC to resolve allegations of internal control deficiencies and inaccurate record-keeping associated with the use of third-party business development consultants between 2009 and 2016. The DOJ allegations focused on consultants in Abu Dhabi and Saudi Arabia, each of which was allegedly known by Deutsche Bank employees to be relatives or close associates of government officials who would pass portions of their consulting payments on to the officials in exchange for business awarded to the bank. The SEC resolution additionally identified purportedly questionable consulting relationships in China and Italy.

To resolve the criminal charges, Deutsche Bank entered into a three-year deferred prosecution agreement with DOJ alleging conspiracy to violate each of the FCPA’s books-and-records and internal controls provisions, as well as a separate wire fraud conspiracy charge associated with an unrelated commodities trading scheme that was charged together with the FCPA matter. For the FCPA misconduct, the bank paid a criminal penalty of $79.6 million, which represented a 25% discount from the middle of the U.S. Sentencing Guidelines range—this was the maximum discount for cooperation (in a non-voluntary disclosure case), but the discount was taken from the middle rather than the bottom of the range because of a prior criminal antitrust resolution in 2016. To resolve the SEC charge, Deutsche Bank consented to the entry of an administrative cease-and-desist order charging FCPA accounting violations and agreed to pay $43.3 million in disgorgement and prejudgment interest. Gibson Dunn represented Deutsche Bank in these matters.

On June 25, 2021, global engineering firm Amec Foster Wheeler Ltd. (“AFW”), which during the relevant period was principally based in the UK but traded on a U.S. exchange, reached a $177 million coordinated resolution with anti-corruption authorities in Brazil, the United Kingdom, and the United States. The U.S. charging documents allege that between 2011 and 2014, an AFW subsidiary used several agents—including one that failed AFW’s due diligence process based on compliance concerns, but nonetheless continued working “unofficially” on the project—to make more than $1 million in improper payments to win a contract with state-owned oil company Petróleo Brasileiro S.A. (“Petrobras”).

On the U.S. front, to resolve the SEC’s investigation, AFW consented to the entry of an administrative cease-and-desist order charging FCPA bribery and accounting violations and ordering $22.76 million in disgorgement and prejudgment interest. To resolve a criminal FCPA bribery conspiracy charge, a UK subsidiary of AFW entered into a three-year deferred prosecution agreement with DOJ and agreed to a criminal penalty of $18.375 million. Both the SEC and DOJ applied offsetting credits for payments to authorities in Brazil and the UK in connection with the coordinated resolution, bringing the total due to the SEC to $10.13 million and $7.66 million to the United States. The Petrobras-related allegations were only a part of a larger anti-corruption resolution reached by the UK AFW subsidiary and the SFO, which as described in our UK section below imposed the USD-equivalent of $142.7 million in penalties and disgorgement for alleged improper payments in India, Malaysia, Nigeria, and Saudi Arabia, as well as Brazil, as part of its own, separate three-year deferred prosecution agreement. The U.S. resolutions, which were coordinated by Gibson Dunn, acknowledged AFW’s cooperation and remediation by applying the maximum available 25% discount from the bottom of the U.S. Sentencing Guidelines range and not requiring an independent compliance monitor.

The third corporate FCPA enforcement action of 2021, and the only one that was resolved solely with civil SEC charges, was with WPP Plc, the world’s largest advertising group and an ADS issuer. On September 24, 2021, the SEC announced that WPP consented to the entry of a cease-and-desist order charging FCPA bribery and accounting violations, and agreed to pay $10.1 million in disgorgement, $1.1 million in prejudgment interest, and an $8 million civil penalty, without admitting or denying the SEC’s allegations.

According to the SEC’s charging document, prior to 2018, WPP deployed a global growth strategy by which it entered markets through acquisitions of smaller advertising agencies, frequently with an “earn-out provision” that deferred a portion of the purchase price pending the accomplishment of future financial goals, which in many cases the acquired agency’s founder stayed on to achieve. These newly acquired agencies and their founders were the focus of this enforcement action, with the SEC alleging improper payments in Brazil, China, India, and Peru. A DOJ investigation reportedly is ongoing, and it is not clear whether additional charges are forthcoming.

Closing out the year in corporate FCPA enforcement, on October 19, 2021 Swiss financial institution and ADR issuer Credit Suisse Group AG agreed to an FCPA resolution with the SEC and a related non-FCPA, wire fraud resolution with DOJ. The DOJ and SEC allegations concern the same Mozambique loan bribery and kickback scheme that we first reported in our 2019 Year-End FCPA Update, wherein we described FCPA and FCPA-related charges against three Credit Suisse bankers, two former Mozambican government officials and a business consultant, as well as two Lebanese former executives of a UAE shipbuilding company. The allegations are that between 2013 and 2016, the defendants structured three syndicated loan and securities offerings worth $2 billion involving Mozambican state-owned entities, from which at least $200 million was allegedly misappropriated for bribes and kickbacks to the scheme participants.

To resolve the SEC’s charges, Credit Suisse consented to an administrative cease-and-desist proceeding alleging violations of the FCPA’s accounting provisions, as well as fraud-based securities violations, and agreed to pay combined disgorgement and prejudgment interest of $34 million plus a $65 million civil penalty. To resolve the criminal investigation, Credit Suisse entered into a three-year deferred prosecution agreement with DOJ concerning, and a UK subsidiary pleaded to, wire fraud charges, and agreed to pay a cumulative criminal fine of $247.5 million, plus $10.34 million in criminal forfeiture. After applying a variety of offsets, Credit Suisse ultimately agreed to pay $99 million to the SEC, $175 million to DOJ, and $200 million to the UK Financial Conduct Authority (“FCA”) in a related resolution. The bank also agreed to forgive $200 million in debt owed by the Government of Mozambique, which the prosecutors and regulators considered, together with Credit Suisse’s remediation and cooperation efforts, in setting the $475 million combined resolution amount.

DOJ Continues Substantial FCPA and FCPA-Related Enforcement Against Individuals

DOJ filed or unsealed FCPA or FCPA-related charges against 25 individual defendants in 2021, which may be grouped as follows.

Ecuadorian Police Pension Fund Defendants

On March 2, 2021, DOJ announced the arrest of Ecuadorian citizens John Luzuriaga Aguinaga and Jorge Cherrez Miño for their alleged roles in a long-running bribery scheme involving the Instituto de Seguridad Social de la Policia Nacional (“ISSPOL”), Ecuador’s public police pension fund. DOJ alleges that from 2014 to 2020, Cherrez, an investment advisor with operations in Florida and Panama, paid more than $2.6 million in bribes to ISSPOL officials, including now-former ISSPOL Risk Director Luzuriaga, in exchange for the right to manage ISSPOL funds. Two-and-a-half months later, on May 19, 2021, Ecuadorian investment company manager Luis Alvarez Villamar pleaded guilty to money laundering conspiracy for his role in accepting funds from Cherrez in connection with the ISSPOL corruption scheme. Luzuriaga is currently scheduled for trial on money laundering charges in the Southern District of Florida in February 2022, and Cherrez is considered a fugitive on his pending FCPA bribery and money laundering charges.

Additional PDVSA (Citgo) Charges

For years, we have been covering a multi-faceted corruption investigation by DOJ with the common nucleus being Venezuelan state-owned oil company Petróleos de Venezuela S.A. (“PDVSA”). One of the investigation strands has involved a pay-to-play corruption scheme at Citgo Petroleum Corporation, PDVSA’s U.S. subsidiary, as covered most recently in our 2020 Year-End FCPA Update. On March 12, 2021, DOJ unsealed money laundering conspiracy charges initially filed two years earlier against another defendant, former Citgo buyer Laymar Giosse Pena-Torrealba. According to the charging documents, Pena-Torrealba accepted bribes from Juan Manuel Gonzalez (who himself pleaded guilty in May 2019) in exchange for helping Gonzalez’s companies to secure contracts with Citgo. Pena-Torrealba pleaded guilty to one count of money laundering conspiracy and was sentenced in November 2021 to three years of probation.

Additional PetroEcuador Charges

We also have been reporting for several years now on a multi-agency investigation into alleged corruption at Ecuador’s state-owned oil company, Empresa Publica de Hidrocarburos del Ecuador (“PetroEcuador”). This has included coordinated charges brought by DOJ and the Commodity Futures Trading Commission (“CFTC”) against energy trading firm Vitol, Inc., as well as several of its traders, as covered in our 2020 Year-End FCPA Update. On April 6, 2021, DOJ unsealed an August 2020 criminal complaint against Canadian citizen Raymond Kohut, a now-former employee of a different Swiss energy trading firm. According to the charges, two Asian state-owned entities contracted to provide loans to PetroEcuador backed by periodic oil deliveries, and Kohut’s employer negotiated with the Asian entities to market and sell those oil products. Starting in 2012, Kohut and his co-conspirators allegedly made more than $22 million in corrupt payments to PetroEcuador officials to award contracts to the Asian entities under favorable terms so that Kohut’s company could then enter related, advantageous trading agreements with the Asian entities. Kohut and his co-conspirators allegedly met to discuss the conspiracy in Florida, and some of the payments flowed through New York correspondent bank accounts. Kohut pleaded guilty to a single count of money laundering on April 6, 2021, and awaits sentencing.

Additional Odebrecht-Related Charges

The blockbuster multinational anti-corruption resolution with Odebrecht S.A. in 2016, first covered in our 2016 Year-End FCPA Update, continues to be a recurring source of FCPA and FCPA-related charges against individual defendants. On May 20, 2021, DOJ unsealed money laundering charges against Austrian citizens and bank executives Peter Weinzierl and Alexander Waldstein. The indictment alleges that Weinzierl and Waldstein moved more than $170 million through a series of fraudulent transactions and sham agreements from Odebrecht’s New York bank accounts, through Weinzierl’s and Waldstein’s Austrian bank, into accounts at an Antiguan bank allegedly used by Odebrecht as a slush fund used to pay bribes to Brazilian, Mexican, and Panamanian officials. Weinzierl was arrested on May 25, 2021 in the United Kingdom, where he is currently undergoing extradition proceedings. Waldstein remains at large.

Chadian Oil Rights Defendants

On May 24, 2021, DOJ announced the indictment of two diplomats from Chad—Mahamoud Adam Bechir and Youssouf Hamid Takane—Bechir’s wife Nouracham Bechir Niam, and the founder of a Canadian energy company, Naeem Riaz Tyab, all on FCPA or FCPA-related charges stemming from an alleged bribery scheme relating to the award of oil rights in the Republic of Chad. According to the indictment, while serving in Washington, D.C. as Chad’s Ambassador to the United States and Canada and Deputy Chief of Mission, respectively, Bechir and Takane collectively solicited and accepted $2 million in bribes, plus corporate shares, in exchange for awarding Tyab’s company oil rights worth tens of millions of dollars. Bechir’s wife Niam was allegedly brought into the scheme when Tyab received legal advice not to enter a consulting contract with a company owned by Bechir, and so instead, entered into substantially the same consulting contract with a company owned by Niam, in addition to awarding Niam substantial shares in Tyab’s company. Tyab and Niam were both charged with conspiracy to violate the FCPA, and all four defendants were charged with conspiracy to commit money laundering.

The indictment was initially handed down in February 2019, shortly before Tyab was arrested in New York City. According to court documents, Tyab immediately began cooperating and pleaded guilty in April 2019. But the case remained sealed as DOJ sought to obtain custody of the other three defendants. More than two years later, in May 2021, DOJ acknowledged that its efforts to arrest the other defendants were unlikely to be successful in the near term and moved to unseal the indictment. Further illustrating the long tail of these corruption cases, Tyab’s company—Griffiths Energy International Inc.—pleaded guilty to violations of Canada’s Corruption of Foreign Public Officials Act in 2013 as covered in our 2013 Year-End FCPA Update. Bechir, Takane, and Niam all remain at large, and Tyab is currently scheduled to be sentenced in February 2022.

Bolivian Military Equipment Defendants

Also in May 2021, DOJ announced charges against five individuals in an alleged pay-to-play bribery scheme involving the sale of tactical defense equipment to the Bolivian Ministry of Defense. DOJ alleges that Bryan Berkman, the owner of Bravo Tactical Solutions LLC, his father Luis Berkman, and his business associate Philip Lichtenfeld, all conspired to make over $600,000 in corrupt payments to former Bolivian Minister of Government Arturo Carlos Murillo Prijic and his former Chief of Staff Sergio Rodrigo Mendez Mendizabal in exchange for a $5.6 million contract to supply tear gas and other non-lethal riot equipment to the Ministry of Defense. Four of the five defendants have pleaded guilty—Bryan Berkman and Lichtenfeld to FCPA conspiracy charges and Luis Berkman and Mendez to money laundering conspiracy charges. Murillo is currently set for a May 2022 trial date on a superseding eight-count money laundering indictment.

Nigeria Oil Contract Defendant

On July 26, 2021, DOJ filed a criminal information charging Anthony Stimler, a former West Africa-based oil trader for a Swiss commodity trading and mining firm, with one count each of conspiracy to violate the FCPA’s anti-bribery provisions and money laundering conspiracy. According to the charging document, between 2007 and 2018, Stimler participated in a scheme to bribe employees of the state-owned Nigerian National Petroleum Corporation to obtain contracts for more lucrative grades of oil on better delivery schedules for the commodity trading firm. Stimler has pleaded guilty and is cooperating with DOJ on the ongoing investigation of Stimler’s former employer.

CASA Corruption Defendant

On August 4, 2021, DOJ announced the arrest of Florida businessman Naman Wakil on charges that between 2010 and 2017 he allegedly bribed officials of both PDVSA and Venezuelan state-owned food company Corporación de Abastecimiento y Servicios Agrícola (“CASA”) to secure approximately $250 million in contracts for his companies. Wakil faces substantive and conspiracy FCPA and money laundering charges. He has pleaded not guilty and is currently set for a November 2022 trial date.

Ericsson Djibouti Defendant

On September 8, 2021, DOJ announced the unsealing of a June 2020 FCPA and money laundering conspiracy indictment of former Telefonaktiebolaget LM Ericsson Horn of Africa Account Manager Afework Bereket. According to the indictment, between 2010 and 2014, Bereket participated in a scheme to pay approximately $2.1 million to two high-ranking officials in Djibouti’s executive branch and one employee of a Djibouti state-owned telecommunications company to secure a €20.3 million contract with the state-owned entity. The indictment further alleges that Bereket concealed the bribes by entering a sham consulting contract with a company owned by the spouse of one of the officials, and concealing that ownership interest from others at Ericsson. As first reported in our 2019 Year-End FCPA Update, in 2019, Ericsson entered into an FCPA resolution with DOJ and the SEC that included the Djibouti scheme. Bereket remains at large.

CLAP Corruption Defendants

On October 21, 2021, DOJ announced a money laundering indictment returned against five defendants stemming from alleged corruption involving Comité Local de Abastecimiento y Producción (“CLAP”), a Venezuelan state-owned and state-controlled food and medicine distribution program. The indictment alleges a scheme involving a staggering $1.6 billion in food and medicine contracts obtained by Colombian businessmen Alvaro Pulido Vargas, Emmanuel Enrique Rubio Gonzalez, and Carlos Rolando Lizcano Manrique, and Venezuelan businesswoman Ana Guillermo Luis obtained through corrupt payments to the then-governor of Venezuelan State Táchira, Jose Gregorio Vielma-Mora. All five defendants are considered fugitives. Pulido—who additionally faces money laundering charges stemming from a separate pay-to-play scheme described in our 2019 Year-End FCPA Update—along with Rubio and Vielma-Mora also were sanctioned by the Office of Foreign Assets Control in 2019 for alleged CLAP-related corruption.

Egyptian Coal Sale Defendant

On November 3, 2021, DOJ charged Frederick Cushmore Jr., the now-former Head of International Sales for a Pennsylvania-based coal mining company, with one count of conspiracy to violate the FCPA’s anti-bribery provisions. According to the criminal information, between 2016 and 2020, Cushmore and others at his company engaged an Egyptian sales agent to secure $143 million in coal contracts with an Egyptian state-owned company, knowing that the agent would provide a portion of his $4.8 million in commissions to officials at the state-owned entity. The information further alleges that Cushmore and others used encrypted messaging applications and commercial email accounts in an effort to avoid detection of their corruption scheme. Cushmore is currently scheduled to be sentenced in the Western District of Pennsylvania in March 2022, but the limited information available publicly suggests additional charges may be forthcoming, which would likely impact that sentencing date.

Biden Administration Policies Foreshadow Return to Robust Corporate Anti-Corruption Enforcement in the Coming Years

As noted above, there may be a slowdown in government enforcement actions that takes place with any change in presidential administrations. Although most prosecutors and enforcement lawyers at DOJ and the SEC are career attorneys who holdover across administrations, the senior political leadership often changes, and that can cause a delay in necessary approvals or willingness to move more significant cases forward until new leadership is in place. This is particularly true for high-profile enforcement activities such as corporate FCPA actions. If there was any lingering doubt, further tempering overreliance on last year’s comparatively low corporate FCPA enforcement rate, the Biden Administration took several notable steps in 2021 that lead us to anticipate a return to robust corporate enforcement in the years to come.

Biden Administration Announces U.S. Strategy on Countering Corruption

On June 3, 2021, the White House published a National Security Study Memorandum that identifies “countering corruption as a core United States national security interest.” The memorandum emphasizes the significant costs of corruption, estimated at between two and five percent of global GDP, as well as its associated impacts on less tangible (but equally important) societal goods, such as rule of law, inequality, trust in government, and national security. The memorandum directed the National Security Advisor and Assistants to the President for Economic Policy and Domestic Policy to conduct a review across numerous government agencies to devise a comprehensive anti-corruption strategy report and recommendations within 200 days.

On December 6, 2021, the Biden Administration released its first-ever “United States Strategy on Countering Corruption.” This 38-page Strategy Memorandum is structured around five “pillars”: (1) “modernizing, coordinating, and resourcing U.S. Government efforts to fight corruption”;
(2) “curbing illicit finance”; (3) “holding corrupt actors accountable”; (4) “preserving and strengthening the multilateral anti-corruption architecture”; and (5) “improving diplomatic engagement and leveraging foreign assistance to advance policy goals.” The Strategy Memorandum further emphasizes that the Biden Administration will pursue “aggressive enforcement action” in support of its anti-corruption objectives through enforcement of the FCPA and other statutes by U.S. enforcers in coordination with foreign law enforcement partners. It also suggests that the Biden Administration will seek additional tools to broaden the reach of its anti-corruption enforcement powers, including through enhanced legislation to target the “demand side” of bribery. The Strategy Memorandum further recognizes the need for increased coordination and synergy between the U.S.’s anti-corruption and anti-money laundering efforts and to address “deficiencies in the U.S. anti-money laundering regime” through the extension of regulatory compliance and reporting requirements to non-financial institution “gatekeepers,” such as lawyers, accountants, and trust and company service providers.

For additional details regarding the Strategy Memorandum, please consult our recent Client Alert, “U.S. Strategy on Countering Corruption Signals Focus on Enforcement.” And for further details on the Biden Administration’s overall approach to anti-corruption enforcement, please consult our Client Alert “Big Changes Afoot for FCPA and Anti-Bribery Enforcement?“

Deputy Attorney General Announces Changes to DOJ Criminal Enforcement Policies

In a sign of an increasingly tough approach to corporate enforcement generally, on October 28, 2021, Deputy Attorney General Lisa O. Monaco announced that DOJ is modifying certain corporate criminal enforcement policies. Specifically, these policy changes: (1) restore prior guidance concerning the need for corporations to provide non-privileged information about all individuals involved in misconduct (not just those substantially involved) in order to receive cooperation credit; (2) require prosecutors to consider a corporation’s full criminal, civil, and regulatory record in making charging decisions (not just conduct related to the misconduct at issue in the present case); and (3) make clear that there is no general presumption against monitorships and prosecutors are free to require the imposition of a corporate monitor whenever they determine it appropriate. Further, Monaco highlighted DOJ’s increasing scrutiny of companies that have received pretrial diversion (such as deferred or non-prosecution agreements) in the past, including to determine whether they continue their criminal conduct during the period of those agreements. Close in time to Monaco’s speech, several companies announced that DOJ is investigating breach allegations, including in the FCPA context an announcement by Telefonaktiebolaget LM Ericsson that DOJ determined the company breached its obligations under its deferred prosecution agreement covered in our 2019 Year-End FCPA Update.

Although these policy changes concern general corporate criminal enforcement, they touch closely upon corporate FCPA matters. For further details on Deputy Attorney General Monaco’s speech, please see our recent Client Alert, “Deputy Attorney General Announces Important Changes to DOJ’s Corporate Criminal Enforcement Policies.”

2021 FCPA-RELATED ENFORCEMENT LITIGATION

Following the filing of FCPA or FCPA-related charges, criminal and civil enforcement proceedings can often take years to wind through the courts. A selection of prior-year matters that saw material enforcement litigation developments during 2021 follows.

Two Alleged Fugitives Challenge Their Indictments from Abroad

A recurring theme in FCPA investigations is indictments returned and sometimes unsealed while the defendant is abroad. A frequently litigated issue that arises in these circumstances is whether the defendant is able to challenge the charges—frequently on jurisdictional grounds—from abroad without submitting themselves physically to the Court’s jurisdiction. Courts have reached differing conclusions on whether these challenges are barred by the so-called “fugitive disentitlement” doctrine, including two district court decisions from different circuit courts of appeal going in opposite directions in 2021.

On March 18, 2021, the Honorable Robert N. Scola, Jr. of the U.S. District Court for the Southern District of Florida denied a motion to enter a special appearance and challenge the indictment filed by Alex Nain Saab Moran, a joint Colombian and Venezuelan national charged with money laundering offenses in connection with a $350 million construction-related bribery scheme in Venezuela as covered in our 2019 Year-End FCPA Update. In January 2021, 18 months after the indictment was returned, Saab moved to vacate his fugitive status with leave to challenge his indictment on the grounds that he is a Venezuelan diplomat entitled to absolute immunity under the Vienna Convention on Diplomatic Relations, as well as that the indictment does not state an offense given Saab’s lack of connection to the United States. Saab’s motion followed his arrest in the Republic of Cape Verde, where he was detained as his plane stopped for refueling en route from Venezuela to Iran based on an INTERPOL “red notice” request filed by the United States.

Saab argued that the fugitive disentitlement doctrine should not apply because he was not in the United States when the indictment was returned—indeed he asserted he had not been to the United States in nearly three decades, long before the alleged criminal activity—and therefore he could not be correctly described as a fugitive who fled the charges. But Judge Scola disagreed, holding that a defendant who is aware of an indictment and does not appear in court to answer the charges is a fugitive regardless of whether they affirmatively fled the United States to avoid the charges—this concept is known in the Eleventh Circuit as “constructive flight.” The Court denied the motion for a special appearance and declined to consider the substantive motion to dismiss.

Saab has appealed the district court’s ruling, and DOJ has moved to dismiss the appeal. Meanwhile, the Republic of Cabo Verde granted the extradition request and transferred Saab to the United States, where he is now being detained pending trial. To fulfill a condition of the extradition, DOJ dismissed seven of the eight counts against Saab to ensure that the maximum term of imprisonment is consistent with Cabo Verde law.

The case of Daisy Teresa Rafoi Bleuler—a Swiss citizen and wealth manager charged with FCPA and money laundering offenses arising from the transfer of allegedly corrupt proceeds associated with a PDVSA-related bribery scheme covered in our 2019 Year-End FCPA Update—turned out very differently under Fifth Circuit law. Rafoi was arrested by Italian authorities, again on a U.S.-initiated INTERPOL red notice request, as she vacationed with family in Lake Como. As she underwent extradition proceedings, first in Italy and then in Switzerland, Rafoi filed a motion to dismiss the indictment on jurisdictional grounds.

In an opinion dated November 10, 2021, the Honorable Kenneth M. Hoyt of the U.S. District Court for the Southern District of Texas made short work of the government’s argument that Rafoi’s motion should not be heard under the fugitive disentitlement doctrine. The Court held that fugitive disentitlement is a discretionary doctrine, and found that where a foreign national challenges the applicability of U.S. law to their actions, without having affirmatively fled the United States, they should be permitted to do so from abroad. Moving to the merits of the motion to dismiss, Judge Hoyt fond that as a matter of law the indictment was deficient in alleging any action by Rafoi in the territory of the United States such as to bring her within the scope of 15 U.S.C. § 78dd-3, that she acted as an agent of U.S. persons under 15 U.S.C. § 78dd-2, or that she engaged in any financial transactions subject to U.S. jurisdiction under the money laundering statutes. Fundamentally, the Court found that neither the FCPA nor the money laundering statutes should be read so broadly as to apply to foreign nationals acting completely outside the United States, and that any other interpretation would lead to serious constitutional due process concerns under the “void for vagueness” doctrine.

On December 7, 2021, DOJ noticed an appeal to the U.S. Court of Appeals for the Fifth Circuit. We expect this appeal could lead to an important appellate court ruling on the breadth of the FCPA and money laundering statutes as applied to foreign nationals in 2022, likely to be joined by the heavily-anticipated revisitation of the Hoskins case by the Second Circuit Court of Appeals, covered in our 2020 Mid-Year FCPA Update and still pending after an August 17, 2021 argument.

Roger Ng Motion to Dismiss Denied

We reported in our 2018 Year-End FCPA Update on the indictment of former Goldman Sachs banker “Roger” Ng Chong Hwa on FCPA bribery and money laundering conspiracy charges arising from the 1Malaysia Development Berhad (“1MDB”) scandal in Malaysia. In October 2020, after being extradited to the United States to face these charges, Ng filed a comprehensive motion to dismiss, arguing: (1) the superseding indictment returned after his extradition from Malaysia violated the “rule of specialty,” which prohibits material changes to charges post-extradition; (2) venue in the Eastern District of New York was insufficiently alleged in the indictment; (3) the indictment did not meet the requirement of alleging that he was an “agent of an issuer” because the “U.S. Financial Institution #1” described in the indictment—meant to refer to Goldman Sachs—was in fact an “artificial combination” between various Goldman Sachs entities; (4) he could not have circumvented Goldman Sachs’s internal accounting controls because the alleged bribes were paid with 1MDB funds, rather than money from Goldman Sachs; (5) the money laundering count was deficient because it did not specify the particular Malaysia bribery statute alleged to have been violated as the requisite specified unlawful activity; (6) the so-called “silence provision” in Goldman Sachs’s deferred prosecution agreement—a standard term that prohibits companies from contracting the admitted statement of facts—violated his constitutional right to call witnesses in his defense; and (7) he was entitled to Brady disclosures from Goldman Sachs because the bank’s cooperation with DOJ made it a part of the “prosecution team.”

In September 2021, the Honorable Margo Brodie of the U.S. District Court for the Eastern District of New York denied Ng’s motion to dismiss in its entirety in an equally comprehensive, 160-page memorandum opinion. Trial is currently scheduled to commence in February 2022.

SEC Imposes $35,000 Civil Penalty—In a Case from 2016

We reported in our 2016 Year-End FCPA Update on the SEC’s enforcement action against former Och-Ziff CFO Joel M. Frank in which, without admitting or denying the SEC’s findings, Frank agreed to cease and desist from future violations of the FCPA’s books-and-records and internal controls provisions. The parties further agreed that Frank would pay a civil penalty, but in an unusual move left for another day the determination of the penalty amount. That other day came four-and-a-half years later, on March 16, 2021, when the SEC published a new cease-and-desist order imposing a $35,000 civil penalty. The new order also softened some of the allegations against Frank, acknowledging that he “expressed objections” regarding certain of the payments in question, while still taking the position that because Frank allegedly “had final signing authority” for all expenditures he was responsible for causing the company’s accounting violations.

Baptiste and Boncy FCPA Convictions Reversed for Ineffective Assistance of Counsel

We reported in our 2019 Year-End and then 2020 Mid-Year FCPA updates on the jury trial convictions of retired U.S. Army colonel Joseph Baptiste and businessperson Roger Richard Boncy on conspiracy to violate the FCPA and the Travel Act arising from an FBI sting simulating a bribery scheme involving Haitian port project investments, followed by the post-trial grant of a new trial to both defendants based on the ineffective assistance of Baptiste’s counsel infecting the fundamental fairness of the joint trial. DOJ appealed the new trial grants but, on August 9, 2021, the U.S. Court of Appeals for the First Circuit affirmed the district court’s ruling.

On appeal DOJ did not contest the lower court’s deficient-performance findings—which included that Baptiste’s counsel did not open discovery files or share them with his client, did not obtain independent translations of Haitian-Creole audio recordings even after learning of deficiencies in the government’s translations, and did not subpoena any defense witnesses, including experts who could have testified about Haitian law or business practices. Instead, DOJ argued that the “overwhelming” evidence against both defendants was so strong that there was no prejudice based on the deficient performance of Baptiste’s counsel, and even if there was that prejudice did not extend to Boncy, whose counsel was competent. Writing for the First Circuit panel, the Honorable O. Rogeriee Thompson disagreed and held that the focus of Fifth and Sixth Amendment rights to due process and counsel is on the fundamental fairness of the proceeding, which clearly was undermined for both defendants based on the deficient performance of one defendant’s counsel. Both cases have been remanded to the district court and a joint retrial is currently set for July 2022.

2021 FCPA-RELATED LEGISLATIVE AND POLICY DEVELOPMENTS

In addition to the enforcement developments covered above, 2021 saw numerous important developments in FCPA-related legislative and policy areas.

Congress Strengthens SEC Disgorgement Authority

On January 1, 2021, Congress passed the National Defense Authorization Act (“NDAA”) for the 60th consecutive year, overriding a presidential veto from then-President Trump. Included within the nearly 1,500 pages of omnibus legislation, at Section 6501, is an expansion of the SEC’s statutory authority to seek disgorgement. These revisions are clearly a response to recent Supreme Court decisions in Kokesh v. SEC and Liu v. SEC, both of which narrowed the scope of the SEC’s disgorgement power, which (as our readership knows) is a critical driver of the SEC’s ability to penalize corporate and individual misconduct, including in FCPA cases. The Section 6501 changes explicitly authorize the SEC to seek disgorgement in cases filed in federal court, eliminating any residual doubt after Liu. They also extend the statute of limitations from five years to ten years for SEC enforcement actions based on scienter-based claims, a change which applies to both pending cases and enforcement actions initiated after the passage of the NDAA. For further details regarding the impact of Section 6501, please consult our separate Client Alert “Congress Buries Expansion of SEC Disgorgement Authority in Annual Defense Budget.”

Congress Passes Comprehensive Anti-Money Laundering Legislation

The NDAA also included the Anti-Money Laundering Act of 2020 (“AMLA”), which enacted the most consequential set of anti-money laundering reforms since the passage of the USA PATRIOT Act in 2001. As our readership knows, U.S. enforcers increasingly use the money laundering laws to prosecute and pursue proceeds of corruption passed through the U.S. financial system. The AMLA strengthens the government’s ability to investigate and prosecute corruption-related money laundering. Specifically, to limit the practice of using shell companies to launder ill-gotten gains, the AMLA implemented beneficial ownership reporting requirements for certain U.S. entities and foreign entities registered to do business in the United States and tasked the Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) with maintaining a beneficial ownership registry of such reported information, which will be available for use by law enforcement agencies. Other changes made by the AMLA include enhancing the government’s ability to investigate money laundering, including by expanding DOJ’s authority to subpoena foreign banks with U.S.-based correspondent banking accounts. For a detailed summary of the most significant changes enacted by the AMLA, please see our separate Client Alert, “The Top 10 Takeaways for Financial Institutions from the Anti-Money Laundering Act of 2020.”

FinCEN Identifies Corruption as a Key National Priority

On June 30, 2021, FinCEN announced its first set of government-wide anti-money laundering and countering the financing of terrorism priorities, which will be updated every four years pursuant to the AMLA. FinCEN developed these priorities in consultation with federal and state regulators, law enforcement, and national security agencies. In its announcement, FinCEN explained that these priorities were meant to identify and describe the most significant money laundering and terrorist financing threats currently facing the United States to both signal FinCEN’s upcoming regulatory priorities and to provide guidance to covered institutions in developing and updating their compliance programs. Although FinCEN’s announcement stated that the priorities were listed in no particular order, it bears noting that corruption was the first priority listed. Consistent with other statements by the U.S. government in 2021, as reported herein, FinCEN identified anti-corruption as “a core national security interest of the United States,” in which anti-money laundering regulation and enforcement plays a crucial role.

New IRS Treatment of FCPA Disgorgement Payments

The U.S. Internal Revenue Service (“IRS”) has long prohibited tax deductions for fines or penalties paid to the government for unlawful conduct, including violations of the FCPA. But a question has arisen over the years as to whether disgorgement and forfeiture constitute a fine or penalty such that it is non-deductible. As covered in our 2017 Year-End FCPA Update, the IRS answered that question in the affirmative, issuing an advice memorandum opining that consistent with the Supreme Court’s decision in Kokesh v. SEC, disgorgement is equivalent to a penalty. The December 2017 Tax Cuts and Jobs Act, however, revised the Internal Revenue Code to make an exception for amounts paid to the government for restitution, remediation, or to come into compliance with the law. In January 2021, the IRS issued a finalized rule in response to this law, which sets out a multi-factored inquiry to determine whether an amount paid in disgorgement or forfeiture is deductible as restitution or remediation. The requirements are quite stringent and generally inconsistent with DOJ / SEC practice in FCPA resolutions, including a requirement that the payments must be made directly to victims rather than to the U.S. Treasury, potentially continuing to limit the ability of companies to deduct amounts paid as disgorgement or forfeiture in an FCPA enforcement action.

2021 FCPA-RELATED PRIVATE CIVIL LITIGATION

Although the FCPA does not provide for a private right of action, civil litigants have pursued a variety of causes of action in connection with FCPA-related conduct, with varying degrees of success. A selection of matters with material developments in 2021 follows.

Shareholder Lawsuits / Class Actions

MTS – As covered in our 2019 Year-End FCPA Update, Russian telecommunications company and U.S. issuer Mobile TeleSystems PJSC (“MTS”) reached an $850 million joint FCPA resolution with the SEC and DOJ to resolve allegations of corrupt payments to the daughter of the late Uzbek president, to facilitate access to the telecommunications market in Uzbekistan. Shortly after the announcement of this settlement, a class action suit was filed against MTS and several individual defendants in the U.S. District Court for the Eastern District of New York, alleging that MTS issued false and misleading statements about the company’s inability to predict the outcome of the U.S. government’s investigations into its Uzbekistan operations, the effectiveness of the company’s internal controls and compliance systems, and its level of cooperation with U.S. regulatory agencies. On March 1, 2021, the Honorable Ann M. Donnelly dismissed the lawsuit, finding that the plaintiffs did not demonstrate that the challenged statements were false or misleading, that MTS could not have predicted the outcome of the investigation, and that its disclosures about the existence of the investigation were not insufficient. Plaintiffs have appealed the dismissal to the Second Circuit Court of Appeals, and the case is currently set for argument in March 2022.
VEON – We covered in our 2016 Mid-Year FCPA Update an FCPA resolution by then-VimpelCom Ltd. (now VEON Ltd.) in connection with the same Uzbek fact pattern described above for MTS. VEON also found itself faced with a putative class action arising from alleged material omissions in securities filings relating to the adequacy of its internal controls, which also was dismissed in 2021. Specifically, on March 11, the Honorable Andrew L. Carter of the U.S. District Court for the Southern District of New York granted VEON’s motion to dismiss finding that the plaintiffs failed to establish that the company omitted material facts that it had a duty to disclose. This mooted the case as to lead plaintiffs, but the Court reopened the lead plaintiff appointment process, which remains ongoing.
IFF – In 2018, following an acquisition of Israel-based Frutarom Industries Ltd, International Flavors & Fragrances, Inc. (“IFF”) disclosed that during the integration process it learned that pre-acquisition Frutarom executives had made improper payments in Russia and Ukraine, and that IFF had disclosed the matter to DOJ. Shareholders brought suit against IFF, Frutarom, and certain executives, claiming they lost millions of dollars when the news became public and IFF’s share price dropped. On March 30, 2021, the Honorable Naomi Reice Buchwald of the U.S. District Court for the Southern District of New York dismissed the lawsuit, explaining that the investors failed to show how they were misled by IFF, failed to allege improper conduct during the putative class period, and failed even to adequately allege how the payments by the Israeli company Frutarom violated U.S. law. The plaintiff shareholders have appealed aspects of the decision to the Second Circuit, with oral arguments scheduled for February 2022.
500.com – In 2020, shareholders brought suit against Chinese online gaming company and U.S. issuer 500.com Ltd., alleging that company executives made improper payments to Japanese government officials to secure a lucrative gaming license, and then made misrepresentations concerning the same in the company’s public filings, including filings containing the text of its code of conduct. On September 20, 2021, the Honorable Gary R. Brown of the U.S. District Court for the Eastern District of New York granted 500.com’s motion to dismiss, adopting the report and recommendation of Magistrate Judge A. Kathleen Tomlinson. The two decisions together note that only in rare circumstances have courts permitted statements in a code of conduct to survive motions to dismiss and in those rare cases, the statements were made in response to inquiries or challenges to the company’s conduct rather than general, aspirational statements about how the company expects its employees to act. Regarding the alleged misstatements or omissions unrelated to the code of conduct, Judge Tomlinson found that the plaintiff failed to allege scienter adequately and that 500.com was not obligated to disclose uncharged wrongdoing.
OSI – As reported in our 2019 Year-End FCPA Update, OSI Systems, Inc. succeeded in dismissing a putative class action lawsuit that arose from a short-seller’s report relating to alleged corruption in connection with an Albanian scanning contract (the underlying conduct of which was declined for prosecution by DOJ and the SEC), but plaintiffs were given leave to amend. Amend they did, and on October 22, 2021, OSI agreed to a $12.5 million settlement to resolve the matter. The October 2021 settlement agreement has received preliminary approval from the Honorable Fernando M. Olguin of the U.S. District Court for the Central District of California, and a final fairness hearing is scheduled for May 2022.
Cognizant – Another FCPA enforcement case we covered in our 2019 Year End FCPA Update that wound its way towards a private civil resolution in 2021 concerns Cognizant Technology Solutions Corporation. Following an SEC FCPA resolution and DOJ declination with disgorgement arising from an alleged bribery scheme in India, a putative class of investors sued Cognizant in the U.S. District Court for the District of New Jersey. On September 7, 2021, Cognizant reached an agreement-in-principle to a $95 million settlement of the matter, which was approved by the Honorable Esther Salas on December 20, 2021.

Civil Fraud / RICO Actions

Samsung – We covered in our 2019 Year-End FCPA Update a DOJ FCPA resolution reached by Samsung Heavy Industries Co., Ltd. arising from alleged corruption of Petrobras officials in the “Operation Car Wash” investigation. Also in 2019, Petrobras’s U.S. subsidiary filed a RICO / common-law fraud complaint against Samsung in Texas state court, which Samsung removed to federal district court and moved to dismiss. In June 2020, the district court dismissed the complaint on statute-of-limitation grounds, but on August 11, 2021 the U.S. Court of Appeals for the Fifth Circuit revived the case, finding that when Petrobras learned (or should have learned) of the corruption allegations such as to begin the clock was a dispute of fact and that Samsung had not conclusively established that Petrobras’s claims accrued before Petrobras filed its complaint. Following the Fifth Circuit’s remand, the case is now back before the Honorable Lee H. Rosenthal of the U.S. District Court for the Southern District of Texas.
Ericsson – In an unfiled (but still quite noteworthy) action, on May 12, 2021 Telefonaktiebolaget LM Ericsson announced that it had reach an agreement to pay competitor Nokia Corporation $97 million to settle potential damages claims arising from the events that were the subject of Ericsson’s FCPA 2019 resolution with DOJ and the SEC. That resolution, covered in our 2019 Year-End FCPA Update, resulted in more than $1 billion in fines for alleged FCPA violations in China, Djibouti, Indonesia, Kuwait, Saudi Arabia, and Vietnam. There are no public details about Nokia’s claims, but it would seem that the case was predicated on Nokia losing out on competitive bids due to Ericsson’s alleged corruption.

Whistleblower Actions

Western Digital – On June 25, 2021, Chief Judge Richard Seeborg of the U.S. District Court for the Northern District of California granted Western Digital Corp.’s motion to dismiss a bribery-related whistleblower lawsuit for lack of jurisdiction and failure to state a claim. The lawsuit was brought by a Brazilian citizen formerly employed by Western Digital’s Brazilian subsidiary, who alleged that he was terminated in retaliation for raising bribery and tax fraud concerns in violation of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank”). In dismissing the case, the Court held that Dodd-Frank’s anti-retaliation provision does not apply to overseas conduct. Moreover, the Court held that, even if the claim alleged domestic wrongdoing, the former employee “failed to allege sufficient facts to give rise to a plausible inference that he suffered adverse employment actions in retaliation for whistleblowing” given the length of time between his report and his termination and the fact that he caused the company to be victimized by a phishing scam close in time to his firing.

2021 INTERNATIONAL ANTI-CORRUPTION DEVELOPMENTS

Multilateral Development Banks

U.S. Federal Court Reinforces World Bank Sovereign Immunity

In our 2016 Year-End FCPA Update, we discussed the landmark Canadian Supreme Court decision in World Bank Group v. Wallace, which concluded that the Bank had not waived its privileges and immunities by providing evidence gathered in a Bank investigation to national law enforcement authorities. On April 5, 2021, Chief Judge Beryl A. Howell of the U.S. District Court for the District of Columbia reached a similar conclusion in a lawsuit filed by businessmen Noah J. Rosenkrantz and Christopher Thibedeau against the Inter-American Development Bank (“IDB”) asserting that the internal sanctions proceedings against their company failed to comply with the sanctions procedures governing such procedures, in violation of its contractual obligations. In dismissing the lawsuit, the Court held that the IDB is immune from suit in U.S. federal court as a sovereign entity and emphasized, like the Canadian court in Wallace, that a contrary ruling would undermine the Bank’s ability to carry out its mission. The plaintiffs have appealed the dismissal to the U.S. Court of Appeals for the District of Columbia Circuit.

Europe

United Kingdom

WGPSN (Holdings)

On March 16, 2021, Scotland’s Crown Office and Procurator Fiscal Service announced that WGPSN, a subsidiary of John Wood Group PLC, agreed to pay £6.46 million to Scotland’s Civil Recovery Unit to resolve allegations that PSNA Limited, a company WGPSN had acquired, benefitted from improper payments to secure contracts in Kazakhstan. These payments were allegedly made between 2012 and 2015, all prior to WGPSN’s acquisition, and when discovered by WGPSN were voluntarily reported to Scottish authorities.

GPT Special Project Management Ltd.

On April 28, 2021, the UK Serious Fraud Office (“SFO”) announced that Airbus subsidiary GPT Special Project Management pleaded guilty to corruption in violation of section 1 of the Prevention of Corruption Act 1906 and was ordered to pay a confiscation order of £20,603,000, a fine of £7,521,920, and costs of £2,200,000. The charges arise from alleged improper payments involving the Saudi Arabian National Guard. In setting the penalty, Justice Bryan at Southwark Crown Court considered GPT’s guilty plea, the fact that it no longer is in operation, the company’s cooperation with the SFO’s investigation, and the UK government’s role in facilitating the conduct. Also relevant was the fact that parent company Airbus entered into a $3.9 billion deferred prosecution agreement in January 2020 (as covered in our 2020 Mid-Year FCPA Update).

Amec Foster Wheeler Energy Ltd.

As covered above, on June 25, 2021 Amec Foster Wheeler reached a coordinated anti-corruption resolution with UK, U.S., and Brazilian authorities. The U.S. and Brazilian cases related to only to Brazil, while the UK case brought by the SFO is broader and covers alleged corrupt payments between 1996 and 2014 in India, Nigeria, Saudi Arabia, and Malaysia, as well as Brazil. Pursuant to a three-year deferred prosecution agreement approved by Lord Justice Edis, sitting at the Royal Courts of Justice, Amec Foster Wheeler agreed to pay £103 million in connection with a 10-count indictment, including nine counts of violating Section 1 of the Criminal Law Act 1977 and Section 1 of the Prevention of Corruption Act 1906 and one count of failure to prevent bribery under Section 7 of the Bribery Act 2010.

Petrofac Ltd.

On October 1, 2021, the SFO secured the conviction of Petrofac for seven separate counts of failure to prevent bribery between 2011 and 2017. Petrofac admitted to failing to prevent former senior executives of the group’s subsidiaries from using agents to pay bribes of £32 million to win oil contracts in Iraq, Saudi Arabia, and the United Arab Emirates worth approximately £2.6 billion. Petrofac will pay a confiscation order of £22.8 million; a fine of approximately £47.2 million; and the SFO’s investigation costs of £7 million. On the same day, Petrofac’s former Global Head of Sales David Lufkin was sentenced to a two-year custodial sentence, suspended for 18 months, as a result of his January 14, 2021, guilty plea admitting to three individual counts of bribery related to corrupt offers and payments made between 2012 and 2018 to influence the award of contracts to Petrofac in the United Arab Emirates. Lufkin had previously pleaded guilty in February 2019 to 11 counts of bribery already brought by the SFO (as discussed in our 2019 Year-End FCPA Update).

Unaoil Individual Prosecutions

On February 24, 2021, the SFO secured the conviction of former SBM Offshore executive Paul Bond arising out of his role in allegedly conspiring to bribe public officials to secure oil contracts from Iraq’s South Oil Company in the years following the overthrow of Saddam Hussain in 2003. A jury found the former senior sales manager guilty on two counts of conspiracy to give corrupt payments following a retrial of his case. On March 1, 2021, Bond was sentenced to three-and-a-half years in prison, making him the fourth individual to be sentenced in the case involving Iraq’s South Oil Company, which forms part of the SFO’s broader investigation into bribery at Unaoil. As covered in our 2020 Year-End FCPA Update, Bond’s three co-defendants have been sentenced to a collective total of 11 years and four months in prison.

On June 17, 2021, the SFO secured an approximately £402,000 confiscation order by consent against former Unaoil executive Basil Al Jarah. And on November 3, 2021, Stephen Whiteley, former Vice President at SBM Offshore and Unaoil’s territory manager for Iraq, was ordered to repay criminal gains of £100,000.

In a judgement handed down on December 10, 2021, the UK Court of Appeal quashed the conviction of Ziad Akle, another Unaoil executive who was convicted in 2020 of conspiracy to give corrupt payments as covered in our 2020 Year-End FCPA Update. The Court criticized the SFO for its contact with a U.S.-based “fixer” who had offered to assist in obtaining the convictions of related parties. The Court also found that the SFO had failed to disclose material relating to that contact, which was necessary for the defense to properly bring its case. The Court refused an application for a retrial on the grounds of the SFO’s misconduct. The UK Attorney General has since announced an independent review into the matter. Bond has appealed his conviction on the same grounds as Akle.

SFO Deferred Prosecution Agreements with Two Unidentified Companies

On July 19, 2021, the SFO entered into separate deferred prosecution agreements with two UK-based companies for bribery offenses. The SFO did not identify the companies because the investigations are ongoing, but confirmed that the criminal conduct saw bribes paid in relation to multi-million pound UK contracts. The two companies will pay more than £2.5 million between them, representing disgorgement of profits along with a financial penalty, and the SFO acknowledged that both companies fully cooperated. We will report back on these agreements when the companies names are made public.

France

A bill to strengthen the fight against corruption in France was registered at the French National Assembly on October 19, 2021. The bill outlines several proposals concerning the French Anti-Corruption Agency (“AFA”), the extension of anti-corruption obligations of public and private actors, the regulation of lobbying, and negotiated justice. Among other things, the bill would extend anti-corruption obligations to subsidiaries of large foreign organizations. The text also would make companies and public entities (other than the French State) criminally liable if a lack of supervision led to the commission of one or more offenses by an employee.

Italy

After more than three years of proceedings, in March 2021 an Italian court acquitted oil companies Royal Dutch Shell and Eni SpA, as well as a number of individuals, including the Eni CEO, of charges that they paid more than $1 billion to acquire the license to an offshore block in Nigeria. Prosecutors alleged that the money was intended as bribes, while the companies successfully defended with evidence that the payment was legitimate and intended to resolve long-running disputes as to the block’s ownership.

Kyrgyzstan

On May 31, 2021, Kyrgyzstan’s State Committee for National Security announced the arrest of former Prime Minister Omurbek Babanov as part of an investigation into corruption involving a gold mine project in Kumtor. The project was operated by Canadian company Centerra Gold until the Kyrgyz government took it over, citing a new law allowing it to take control of a project for up to three months due to environmental or safety violations. The Kumtor mine accounts for more than 12% of the national economy, according to Centerra, which has denounced the Kyrgyz government’s seizure.

Norway

In our 2015 Year-End FCPA Update, we reported that several senior level officers of Norwegian fertilizer manufacturer Yara International ASA were sentenced to prison in Norway for their role in an alleged scheme to pay bribes to government officials in India, Libya, and Russia. The former chief legal officer in particular, U.S. citizen Kendrick Wallace, received a two-and-a-half year prison sentence for his role. In 2017 the Norwegian appeals court upheld Wallace’s conviction and revised his sentence to seven years, finding that his conduct had been “very central” to the alleged scheme.

Norway subsequently submitted a request for extradition of Wallace. On June 11, 2021, the Honorable Sean P. Flynn, Magistrate Judge of the U.S. District Court for the Middle District of Florida, denied the request. The Court found that “Wallace cannot be extradited because the prosecution for the offense of which extradition is sought has become barred by lapse of time according to the laws of the United States.” Specifically, the Court found that while Wallace’s crimes were committed in 2007, he was indicted in 2014, exceeding the applicable five-year statute of limitations in the United States. The DOJ provided evidence that Norway sought evidence pursuant to Mutual Legal Assistance Treaty requests—which would toll the statute of limitations in the United States pursuant to 18 U.S.C. § 3292—but the Court found the specific evidentiary showing lacking, and ordered Wallace’s release from custody.

Russia

The Russian Federation Prosecutor General’s office reported nearly 30,000 corruption-related crimes in the first nine months of 2021, a 12.7% increase as compared to the same period a year ago, with bribery accounting for more than half of all corruption-related offenses. The reported damage caused by corruption-related crimes also increased from 45 billion rubles (approximately $612 million) to 53 billion rubles (approximately $719 million). In 2020, the number of corruption-related convictions of Russian officials was at an eight-year low of just under 7,000, continuous decline from a high of approximately 11,500 in 2015, but the number of convictions stemming from large-scale bribes, defined as greater than one million rubles (approximately $13,700), has increased 12-fold since 2012.

On the legislative front, on October 1, 2021, the Russian Duma approved the National Plan For Countering Corruption through 2024. This plan prioritizes prohibiting anyone who has been fined for corrupt activities from holding government positions, improving the procedures for the submission and auditing of government employees’ asset declarations, implementing technology to combat corruption, instituting anti-corruption regulations involving the purchase of goods and services for government/municipal use, monitoring international agreements for cooperation in fighting corruption, and employing Duma deputies to participate in an inter-parliamentary organization aimed at preventing corruption.

And on the judicial front, on June 9, 2021, a Moscow court issued a decision classifying activist Alexei Navalny’s political organization, the Anti-Corruption Foundation (“ACF”), as an “extremist” movement. Under the applicable “anti-extremism” law, authorities can jail ACF members and freeze their assets, and those associated with the group cannot run for public office. On August 10, 2021, Russia’s financial watchdog—the Federal Financial Monitoring Service—also added ACF to its blacklist of groups accused of extremist activities or terrorism, which freezes the organization’s bank account and prevents ACF from opening new accounts.

Sweden

In our 2019 Year-End FCPA Update, we covered the trial acquittal in Sweden of three former Telia executives—former CEO Lars Nyberg, former deputy CEO and head of Eurasia unit Tero Kivisaari, and former general counsel for the Eurasia unit Olli Tuohimaa—on charges of bribing Uzbek’s then-first daughter Gulnara Karimova in exchange for telecommunications contracts in Uzbekistan. In February 2021, a Swedish appeals court upheld the acquittals, agreeing that Karimova, the daughter of Uzbekistan’s former president, was not a government official under Swedish law.

Switzerland

In January 2021, a Swiss court convicted Beny Steinmetz of 2019 charges (discussed in our 2019 Year-End FCPA Update) of paying bribes to the wife of former-Guinean President Lansana Conté and of related forgery to obtain a mining concession. He was sentenced to five years in prison and ordered to pay a CHF 50 million fine (~ $56.5 million).

In November 2021, three Swiss subsidiaries of Netherlands-based SBM Offshore were ordered to pay more than CHF 7 million (~ $7.6 million) for failing to prevent the bribery of public officials in Angola, Equatorial Guinea, and Nigeria between 2006 and 2012. The Office of the Attorney General of Switzerland found that these companies had entered into sham contracts with shell companies to pay more than $22 million in bribes. The Office of the Attorney General alleged that in light of the “extent and duration of the acts of corruption,” the companies’ risk assessment measures and anti-corruption controls were allegedly “either non-existent, or wholly inadequate.” This order is in addition to the more than $800 million that SBM Offshore has already paid to resolve corruption probes dating back to its 2017 FCPA resolutions reported in our 2017 Year-End FCPA Update.

Ukraine

Ukrainian President Zelensky’s focus in the first half of 2021 was on securing the release of the remainder of a $5-billion IMF loan to bolster Ukraine’s economy. After a six-week virtual mission to Ukraine in the beginning of 2021, the IMF refused to release the funds in what some viewed as an indication that Ukraine had not met the IMF’s expectations for tackling corruption. Following this refusal, in June 2021, Ukraine’s parliament, the Verkhovna Rada, passed two bills: the first reestablished the High Judicial Council, a special commission on appointing judges that will be majority-comprised of international experts; and pursuant to the second bill, public officials who fail to submit or submit false income or asset declarations could face prison sentences. Additionally, on November 8, 2021, President Zelensky signed into law amendments to legislation that provide for the independence of the anti-corruption bureau (“NABU”). Subsequently, on November 22, 2021, following a review by its Executive Board, the IMF announced that Ukrainian authorities would be allowed to draw on an additional $699 million.

The Americas

Brazil

In February 2021, President Bolsonaro disbanded Operation Car Wash, one of the most prolific anti-corruption investigations of all time and a staple of these updates for years. Operation Car Wash led to dozens of convictions, many prominent enforcement actions, and hundreds of millions of dollars in penalties within Brazil and billions of dollars globally. Still, the ripples of Operation Car Wash continued throughout the year. For example, on February 22, 2021, Korean engineering company Samsung Heavy Industries Co., Ltd. entered into a leniency agreement in Brazil to resolve allegations concerning contracts with Petróleo Brasileiro S.A. (Petrobras). Samsung Heavy Industries, as covered in our 2019 Year-End FCPA Update, previously in November 2019 entered into a deferred prosecution agreement with DOJ and agreed to pay a $75.5 million criminal fine to resolve FCPA anti-bribery conspiracy charges arising from the company’s alleged provision of $20 million to an intermediary, while knowing that some or all of that amount would be paid to officials at Petrobras. Half of the U.S. criminal fine was to be credited to a parallel resolution with Brazilian authorities. In connection with the Brazilian leniency agreement, Samsung Heavy Industries agreed to pay approximately R$ 706 million in damages to Petrobras together with R$ 106 million in fines. And on April 15, 2021, Brazil’s Supreme Court upheld a ruling annulling one of the most notable convictions resulting from Operation Car Wash—that of former President Luiz Inácio Lula da Silva, on grounds that the lower court in which Lula was tried did not have jurisdiction. The case was transferred to a federal court for retrial and, should no conviction follow, Lula will be able to run for presidential office in the upcoming 2022 election.

In August 2021, Brazil’s Federal Prosecution Service (“MPF”) filed a criminal complaint against two executives at French engineering company Doris Group over allegedly corrupt activity concerning platform vessel contracts totaling more than $200 million. The MPF also charged a former treasurer of Brazil’s Workers’ Party and two associates for active and passive money laundering. The executives allegedly paid bribes via a financial operator to a former manager of Petrobras and the former treasurer. The financial operator and Petrobras manager both signed collaboration agreements with the MPF in which they confessed to their roles in the scheme and cooperated by providing relevant documents and information.

In September 2021, a review body within the São Paulo prosecutor’s office vacated a resolution prosecutors reached with EcoRodovias in 2020. The now-nullified agreement was the culmination of a two-year bribery investigation into EcoRodovias and its subsidiaries concerning allegations that the companies engaged in a cartel that bribed public officials to obtain road concessions contracts between 1998 and 2015. In signing the 2020 agreement, EcoRodovias admitted to paying bribes and agreed to pay a fine of $113.72 million. The review body threw out the agreement due to a lack of evidence of illegal conduct.

And on October 27, 2021, Rolls Royce signed an agreement with Brazil’s Office of the Comptroller and Attorney General’s Office to pay $27.8 million to settle allegations that it bribed Brazilian public officials in connection with its contracts with Petrobras. As covered in our 2017 Mid-Year FCPA Update, the company in 2017 previously agreed to pay more than $800 million through a global resolution with the SFO, DOJ, and MPF. Under the new agreement, Brazilian officials will credit the $25.6 million that Rolls Royce paid to the MPF, leaving the company to pay another $2.2 million.

Canada

As reported in our 2019 Year-End FCPA Update, in September 2018 Canada passed legislation allowing deferred prosecution agreements for corporate offenders. In 2019, following a long-running investigation into alleged bribery of Libyan officials, engineering and construction giant SNC-Lavalin became one of the first major companies to seek such an agreement. Canadian prosecutors, however, reportedly were unwilling to negotiate with the company, and in 2021, prosecutors charged the company with several offenses, including fraud against the government. The Royal Canadian Mounted Police also arrested two former executives and charged them with fraud and forgery offenses tied to the investigation. The company has publicly stated that it is cooperating with the investigation and that prosecutors have invited it to negotiate a settlement. According to SNC-Lavalin, it is the first company to receive such an offer.

In August 2021, the Court of Appeal for Ontario threw out the bribery convictions of two former employees of Cryptometrics. As discussed in our 2019 Year-End FCPA Update, following trial in 2018, U.S. citizen Robert Barra and UK citizen Shailesh Govindia were sentenced to two-and-a-half years in prison for agreeing to bribe Indian aviation officials, including employees of Air India. But the appellate court found a “reasonable possibility” that prosecutors delayed disclosing emails they exchanged with a principal witness—the former Cryptometrics COO—and that such delay unduly impacted the trial’s fairness. The appellate court further found that the prosecution’s slow production of potentially exculpatory information, only after repeated requests from the defense, deprived the defense of the opportunity to conduct further lines of inquiry or obtain additional evidence.

Costa Rica

Costa Rican officials have been investigating an alleged scheme known as “Cochinilla,” involving allegations that certain construction companies bribed government officials to secure contracts to build public roads, resulting in approximately $125 million in misappropriated funds. On June 14, 2021, the Costa Rican Judicial Investigation Police executed 57 search warrants and made 28 arrests in connection with the investigation, including at the Casa Presidencial, the National Highway Council, the Ministry of Public Works and Transport, and the Public Transport Council, as well as at private homes and at the offices of several construction companies. In August 2021, the Judicial Investigation Police unearthed a trove of invoices apparently related to the investigation buried in a municipal cemetery.

Additionally, on November 16, 2021, six mayors—including the current mayors of San José, Escazú, Alajuela, Osa, and San Carlos—were arrested in connection with the “Diamante” investigation into public works corruption. The Diamante investigators conducted more than 80 raids across the country in connection with the probe.

Ecuador

In April 2021, Ecuador’s Comptroller General Pablo Celi, former Oil Minister José Augusto Briones, and several others were arrested as part of the long-running investigation concerning Ecuador’s state-owned oil company Empresa Pública de Hidrocarburos del Ecuador (“PetroEcuador”). The alleged scheme, covered previously in these pages, allegedly allowed contracting companies to charge PetroEcuador artificially inflated prices to supply fuel, with a percentage of the profits then kicked back to PetroEcuador executives. Augusto died in his jail cell by apparent suicide while awaiting trial.

El Salvador

In July 2021, prosecutors in El Salvador issued an arrest warrant for former president Salvador Sánchez Cerén in connection to the “Public Looting” scam that allegedly occurred while Sánchez Cerén was serving as Vice President from 2009 to 2014. The scandal allegedly involved $351 million in government funds illegally used to pay bonuses to government employees and their associates. Two weeks after the warrant was issued, Sánchez Cerén and his family fled to Nicaragua.

Peru

In an offshoot of the Odebrecht investigation (covered in our 2019 Year-End FCPA Update), in May 2021 Peru’s Attorney General and National Public Prosecution Office announced a plea agreement with Peruvian real estate and construction company Aenza (formerly Graña y Montero), to resolve allegations that the company, two subsidiaries, and certain former employees were involved in corruption in connection with several public infrastructure projects in the country. Under the agreement, Aenza will pay approximately $126 million to the state over several years.

Earlier, in March 2021, prosecutors charged former presidential candidate Keiko Fujimori with money laundering following a multi-year investigation into allegations that she received more than $1 million in bribes from Odebrecht during a prior presidential run. Prosecutors are seeking a sentence of 30 years in prison, while Fujimori denies any wrongdoing. In June 2021, Fujimori’s opponent in the presidential race claimed victory, which Fujimori disputed before conceding in August 2021. The first hearing related to Fujimori’s trial began in late August 2021.

Finally, on September 28, 2021, Magistrate Judge Thomas Hixson of the U.S. District Court for the Northern District of California granted Peru’s request to extradite former Peruvian President Alejandro Toledo. Peru had been seeking Toledo’s extradition since May 2018, and Toledo was arrested in 2019, in connection with alleged corruption and money laundering in an Odebrecht project for the construction of the Peru-Brazil Southern Interoceanic Highway. In his ruling, Judge Hixson found that there was enough evidence to “establish probable cause to believe that Toledo committed collusion and money laundering.” The Court said that this included testimony from Odebrecht’s former executive director in Peru, and Mr. Toledo’s admission during the extradition proceeding that he had received approximately $500,000 in Odebrecht bribes.

Asia

China

In 2020, China’s Supreme People’s Procuratorate (“SPP”) launched the first phase of a pilot program focusing on corporate criminal compliance. Although China does not have a mechanism equivalent to a U.S.-style deferred prosecution agreement, the pilot program encourages local procuratorates to decline prosecutions or arrests for corporate criminal cases, or to propose lighter or suspended sentences, where companies are committed to making compliance enhancements and implementing remediation plans. In April 2021, the SPP published the Work Plan on Launching the Pilot Program for Corporate Compliance Reform, which signals the launch of the second phase of the pilot program and its expansion to 10 provinces and cities, including Beijing, Shanghai, and Guangdong. In June 2021, the SPP, along with eight other national authorities, issued the Guiding Opinions on Establishing a Third-Party Supervision and Evaluation Mechanism for the Compliance of Enterprises Involved in Criminal Cases (for Trial Implementation). Under these guiding opinions, the SPP can refer a company that qualifies for the pilot program to a yet-unspecified third-party organization to investigate, evaluate, supervise, and inspect compliance commitments made by the company. The SPP confirmed in a press release in June 2021 that bribery-related cases may qualify for leniency under the pilot program, citing an example concerning Shenzhen Y Technology Co., Ltd, an audio equipment supplier whose employee was suspected of bribing customers to secure advantages in the procurement process, but which the SPP decided not to prosecute in lieu of a compliance supervision agreement.

On September 20, 2021, the Supervision Law of the People’s Republic of China came into effect, with implementing regulations issued by the National Supervision Commission. The National Supervision Commission was established in 2018 and is primarily responsible for supervising China’s anti-corruption efforts. The Supervision Law seeks to standardize the National Supervision Commission’s work by setting forth the scope, jurisdiction, procedures, and oversight of China’s anti-corruption agencies. In the same month, the National Supervision Commission, the Central Commission for Discipline Inspection (“CCDI”), and the SPP, among other government agencies, jointly issued a document titled “Opinions on Further Promoting the Investigation of Bribery and Acceptance of Bribes.” These opinions emphasize the importance of investigating those offering bribes, which marks a turn for an enforcement regime that historically has focused predominately on those who accept improper payments. These opinions also suggest that enforcement authorities should explore the implementation of a “blacklist” that would impose market restrictions on those that make improper payments, although implementing guidance on this “blacklist” proposal has yet to be issued.

Last but not least, 2021 saw a seismic shift in China’s data and privacy protection laws, with the developments likely to have far-reaching implications for cross-border investigations and litigation. The Standing Committee of the National People’s Congress first passed the Data Security Law, which took effect on September 1, 2021. Among other things, Article 36 of the Data Security Law prohibits “provid[ing] data stored within the People’s Republic of China to foreign judicial or law enforcement bodies without the approval of the competent authority of the People’s Republic of China.” In August 2021, the Standing Committee of China’s National People’s Congress passed the Personal Information Protection Law (“PIPL”), which came into effect on November 1, 2021. The PIPL is China’s first comprehensive legislation regulating personal data processing activities, and it shares many similarities with the EU’s General Data Protection Regulation, including, among other things, its extraterritorial reach, restrictions on data transfer, compliance obligations, and sanctions for non-compliance. In October 2021, the Cyberspace Administration of China (“CAC”) published the “Draft Measures for Data Export Security Assessment” to regulate the export of data in accordance with the Cybersecurity Law, the Data Security Law, and the PIPL. Under the Draft Measures, data processors must apply to the CAC for a “security assessment” of the outbound data in certain circumstances. For a detailed analysis of these new legislative developments, please see our separate Client Alerts, “China Constricts Sharing of In-Country Corporate and Personal Data Through New Legislation“ and “China Passes the Personal Information Protection Law, to Take Effect on November 1.”

Hong Kong

In May 2019, the Independent Commission Against Corruption (“ICAC”) charged Catherine Leung Kar-cheung, a former senior banker at JPMorgan Chase & Co., in connection with the long-running “Sons and Daughters” investigation. The ICAC accused Leung of offering a job to the son of a logistics company chairperson in an effort to win a mandate for an initial public offering. In January 2021, the district court acquitted Leung of the charges, finding that there was insufficient evidence that she corruptly sought to secure the IPO mandate by making the job offer.

India

The Indian Government has issued standard operating procedures that must be followed by Indian police before commencing any investigation against Indian public officials for alleged violations of India’s Prevention of Corruption Act, 1988. One of these standards is to require additional approvals to open an investigation, which have been criticized as erecting barriers to bringing enforcement actions against public officials.

In November 2021, India’s Enforcement Directorate arrested a former cabinet minister of the State of Maharashtra, Anil Deshmukh, on allegations involving money laundering and extortion.Deshmukh, who stepped down from his post earlier this year, is accused of using police officials to extort various hotels, restaurants, and bars in Mumbai, and of using shell companies to siphon the funds received for personal use. He is accused of extorting up to INR 100 crore (~ $13.4 million) per month while in office.

Indonesia

In August 2021, former Indonesian social affairs minister Juliari Batubara was sentenced to 12 years in prison by the Jakarta Corruption Court over a multi-million dollar COVID-19 graft scandal. A judge found the former politician “convincingly guilty of corruption” for receiving IDR 32.4 billion (~ $2.25 million) in kickbacks related to procurement intended for COVID-19 social assistance packages. The Court also fined Batubara IDR 500 million (~ $350,000) and ordered him to return IDR 14.5 billion (~ $1 million) in funds. As a result of his sentence, Batubara also will be banned from public office for four years after serving his prison term.

In 2021, Indonesia’s Corruption Eradication Commission (Komisi Pemberantasan Korupsi Republik Indonesia) (“KPK”) removed 57 of its graft investigators and personnel, while subjecting two dozen more to re-training, after 75 of its personnel failed a tailor-made civil service exam implemented as part of an effort to fold the body into the civil service. Controversy has surrounded the composition of the test: the National Commission on Human Rights has said that the test was plagued with “baseless stigmatization” and “illegal conduct,” while the Indonesian Ombudsman found that the document that set forth the legal basis for organizing the test was signed by officials who did not attend the meeting to discuss it. The KPK has defended the exam, which was taken by 1,300 staff. Dozens of the employees plan to appeal their dismissals.

Japan

In May 2021, the Japanese Ministry of Economy, Trade and Industry (“METI”) revised the Guidelines for the Prevention of Bribery of Foreign Public Officials. These revised Guidelines include a new subsection on mergers and acquisitions and provide additional guidance on third-party due diligence, facilitation payments, and applicability of the “agreement system” under the Japanese Criminal Procedure Code to bribery offenses. The due diligence provisions closely track the recommendations made by DOJ and the SEC in the FCPA Resource Guide. In addition, the revised Guidelines urge Japanese companies to prohibit small facilitation payments, noting that such payments could be made “in order to obtain a wrongful gain in business” in violation of the Unfair Competition Prevention Act.

Malaysia

The Malaysian government reached two corporate resolutions in 2021 in connection with the 1Malaysia Development Berhad (“1MDB”) scandal. First, in February 2021, the Malaysian banking group AMMB Holdings Berhad agreed to pay MYR 2.83 billion (~ $682.3 million) to settle outstanding claims and actions related to AMMB’s involvement in the 1MDB scandal, although the specifics of that involvement were not reported. Second, in March 2021, Deloitte PLT agreed to pay $80 million to the Malaysian government to settle claims related to its auditing of reports issued by 1MDB and a former 1MDB subsidiary. Also related to 1MDB, on August 5, 2021, DOJ announced that it had repatriated to Malaysia an additional $452 million in funds in connection with the scandal, bringing the total repatriated to more than $1.2 billion.

In other enforcement developments, we reported in our 2020 Year-End FCPA Update on amendments to the Malaysia Anti-Corruption Commission Act 2009 that took effect in June 2020, allowing for corporate liability. Under Section 17A, a commercial organization commits a criminal offense if a person associated with the organization corruptly gives any gratification with intent to obtain or retain any business or advantage for the commercial organization. In March 2021, Pristine Offshore Sdn Bhd became the first organization charged by the Malaysia Anti-Corruption Commission (“MACC”) under Section 17A, for allegedly having paid MYR 321,350 (~ $78,000) to the chief operating officer of Deleum Primera Sdn Bhd to secure a subcontract for the supply of workboats Both Pristine Offshore and its former director have pleaded not guilty.

Singapore

In February 2021, Singapore’s Corrupt Practices Investigation Bureau charged three former employees of a Singaporean subsidiary of Royal Dutch Shell with bribing shipping inspectors in exchange for assistance in stealing millions of metric tons of fuel from the company. In May 2021, Daewoo Engineering and Construction executives Ro Sung-Young and Kim Young-Gyu pleaded guilty to conspiring to bribe a Singapore Land Transport Authority official in exchange for contracts with the authority. Prosecutors also charged the official, alleging that he received bribes totaling SGD 1.2 million (~ $893,300) between 2014 and 2019. Also in May, a Singapore court sentenced Chang Peng Hong Clarence, a former Regional Director for Marine Fuels at BP plc’s Singapore subsidiary, to 4.5 years in prison for receiving bribes of almost $4 million from Koh Seng Lee, the executive director of a Singaporean petroleum and petroleum products wholesaler, in exchange for promoting that company’s business within BP. The court also ordered Chang to pay a SGD 6.2 million (~ $4.7 million) penalty.

South Korea

In January 2021, the Korean government launched the Corruption Investigation Office for High-Ranking Officials (“CIO”), an independent investigative agency with jurisdiction to prosecute corruption cases involving high-ranking public officials. The creation of the CIO, which has exclusive prosecution authority over financial crimes involving certain categories of senior officials (as well as private parties involved in the investigations), fulfills a key campaign promise of President Moon Jae-In, who came to power in 2017 following a corruption scandal that resulted in the impeachment of his predecessor (as discussed in our 2020 Year-End FCPA Update). The CIO was active throughout 2021, conducting multiple investigations that even extended to searches of the Supreme Prosecutor’s Office and offices of National Assembly members. Perhaps predictably, these measures have led to claims that the CIO is acting too aggressively.

On the legislative front, in November and December 2021 the Korean National Assembly passed a series of amendments to the Improper Solicitation and Graft Act (“Anti-Graft Act”) and the Act on the Prevention of Corruption and the Establishment and Management of the Anti-Corruption and Civil Rights Commission. These amendments expand the law and its proscriptions to include additional improper advantages such as employment and internship opportunities, selection of scholarship recipients, positive reviews of dissertations and granting of degrees, and activities of prison guards. The amendments also increase the threshold for permissible agricultural gifts given to public officials during public holidays, and allow for anonymous reporting of Anti-Graft Act violations through attorneys.

The Middle East and Africa

Israel

Months after the corruption trial of Benjamin Netanyahu restarted following delays due to COVID-19, Netanyahu’s election loss ended his 12 years as Israeli Prime Minister. As covered most recently in our 2020 Year-End FCPA Update, the Israeli Attorney General announced indictments in February 2019 stemming from three separate allegations of wrongdoing. On February 8, 2021, Netanyahu pleaded not guilty, and the trial then was postponed again due to a disagreement over certain documents. One former media adviser to Netanyahu and his family recently testified regarding regulatory favors Netanyahu allegedly awarded to media tycoons in return for positive press coverage and gifts. The witness, who previously was charged and signed a cooperation deal with the government, also provided investigators with recordings of conversations with Netanyahu and his family.

Namibia

In 2021, state-owned National Fishing Corporation of Namibia (“Fishcor”), and several executives including former CEO Mike Nghipunya, were charged with racketeering, conspiracy, fraud, money laundering, tax evasion, and obstruction of justice. The investigation began in 2019, after Wikileaks published more than 30,000 documents from a former managing director of Icelandic seafood company Samherji’s Namibian operations. According to prosecutors, Fishcor illegally sold quotas to Samherji for $11.1 million, with funds then being provided to others, including a former Namibian fisheries minister. Pretrial hearings are scheduled for January 2022.

South Africa

The trial of former South African President Jacob Zuma for allegedly accepting bribes related to a 1994 arms purchase spent most of 2021 plagued with delays. The National Prosecuting Authority accuses Zuma of accepting bribes on hundreds of occasions. Zuma was first charged in 2005, but the charges have been dropped and reinstated many times over the years amid allegations of political interference, and recent delays have been caused by the unexplained simultaneous resignation of Zuma’s entire legal team and Zuma’s application to remove the chief prosecutor on alleged bias grounds. Zuma’s trial is currently set to begin in April 2022.

The following Gibson Dunn lawyers and alumnae participated in preparing this client update: F. Joseph Warin, John Chesley, Richard Grime, Patrick Stokes, Kelly Austin, Patrick Doris, Matthew Nunan, Oleh Vretsona, Oliver Welch, Christopher Sullivan, Anna Aguillard, Claire Aristide, Anthony Balzofiore, Junghyun Baek, Sean Brennan, Alexandra Buettner, Lizzy Brilliant, Ella Alves Capone, Josiah Clarke, Priya Datta, Bobby DeNault, Nathan Eagan, Amanda Kenner, Derek Kraft, Michael Kutz, Caroline Leahy, Nicole Lee, Allison Lewis, Jenny Lotova, Andrei Malikov, Megan Meagher, Katie Mills, Erin Morgan, Sandy Moss, Monica Murphy, Jaclyn Neely, Ning Ning, Kareen Ramadan, Hayley Smith, Jason Smith, Pedro Soto, Laura Sturges, Karthik Ashwin Thiagarajan, Katie Tomsett, Dillon Westfall, Sophie White, Terry Wong, and Caroline Ziser Smith.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. We have more than 110 attorneys with FCPA experience, including a number of former federal prosecutors and SEC officials, spread throughout the firm’s domestic and international offices. Please contact the Gibson Dunn attorney with whom you work, or any of the following:

Palo Alto
Benjamin Wagner (+1 650-849-5395, [email protected])

Paris
Benoît Fleury (+33 1 56 43 13 00, [email protected])
Bernard Grinspan (+33 1 56 43 13 00, [email protected])

Munich
Benno Schwarz (+49 89 189 33-110, [email protected])
Michael Walther (+49 89 189 33-180, [email protected])
Mark Zimmer (+49 89 189 33-130, [email protected])

Hong Kong
Kelly Austin (+852 2214 3788, [email protected])
Oliver D. Welch (+852 2214 3716, [email protected])

São Paulo
Lisa A. Alfaro (+5511 3521-7160, [email protected])
Fernando Almeida (+5511 3521-7093, [email protected])

Singapore
Joerg Bartz (+65 6507 3635, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Click for PDF

On January 24, 2022, the Federal Trade Commission announced its annual update of thresholds for pre-merger notifications of certain M&A transactions under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (“HSR Act”). Pursuant to the statute, the HSR Act’s jurisdictional thresholds are updated annually to account for changes in the gross national product. The new thresholds will take effect on February 23, 2022, applying to transactions that close on or after that date.

The size of transaction threshold for reporting proposed mergers and acquisitions under Section 7A of the Clayton Act will increase by $9.0 million, from $92 million in 2021 to $101 million for 2022.

Original Threshold	2021 Threshold	2022 Threshold
$10 million	$18.4 million	$20.2 million
$50 million	$92.0 million	$101 million
$100 million	$184.0 million	$202 million
$110 million	$202.4 million	$222.2 million
$200 million	$368.0 million	$403.9 million
$500 million	$919.9 million	$1.0098 billion
$1 billion	$1,839.8 million	$2.0196 billion

The maximum fine for violations of the HSR Act has increased from $43,792 per day to $46,517.

The amounts of the filing fees have not changed, but the thresholds that trigger each fee have increased:

Fee	Size of Transaction
$45,000	Valued at more than $101 million but less than $202 million
$125,000	Valued at $202 million or more but less than $1.0098 billion
$280,000	Valued at $1.0098 billion or more

The 2022 thresholds triggering prohibitions on certain interlocking directorates on corporate boards of directors are $41,034,000 for Section 8(a)(l) (size of corporation) and $4,103,400 for Section 8(a)(2)(A) (competitive sales). The Section 8 thresholds took effect on January 21, 2022.

If you have any questions about the new HSR size of transaction thresholds, or HSR and antitrust/competition regulations and rulemaking more generally, please contact any of the partners or counsel listed below.

The following Gibson Dunn lawyers prepared this client alert: Adam Di Vincenzo, Andrew Cline, and Chris Wilson.

Gibson Dunn’s lawyers are available to assist clients in addressing any questions they may have regarding the HSR Act or antitrust issues raised by business transactions. Please feel free to contact the Gibson Dunn attorney with whom you usually work in the firm’s Antitrust and Competition Practice Group, or the following:

Adam Di Vincenzo – Washington, D.C. (+1 202-887-3704, [email protected])

Andrew Cline – Washington, D.C. (+1 202-887-3698, [email protected])

Chris Wilson – Washington, D.C. (+1 202-955-8520, [email protected])

Rachel S. Brass – Co-Chair, Antitrust & Competition Group, San Francisco
(+1 415-393-8293, [email protected])

Stephen Weissman – Co-Chair, Antitrust & Competition Group, Washington, D.C.
(+1 202-955-8678, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Click for PDF

Antitrust Enforcement Actions Followed Highly Unusual Price Increases

Decision Illustrates Risks Faced by Shareholders That Exercise Direct Control Over Their Companies

On January 14, 2022, a federal court in New York issued its decision in Federal Trade Commission v. Shkreli, holding that Martin Shkreli, the former head of Vyera Pharmaceuticals, violated federal and state antitrust laws by allegedly interfering with the entry of generic competition for Vyera’s drug Daraprim.[1] For his participation in the conduct, the District Court ordered Shkreli to disgorge $64.4 million in profits and banned him from participating in the pharmaceutical industry for life.[2] The court’s decision followed a seven-day bench trial last month. The case was brought by the Federal Trade Commission, the New York Attorney General, and the attorneys general of six other states.

The case centered on Shkreli’s conduct after Vyera, formerly known as Turing Pharmaceuticals, purchased the rights to Daraprim, a medication used to treat potentially fatal parasitic infections. In 2015, Vyera raised the price of Daraprim from $17.50 to $750 per pill. It also moved Daraprim from a retail distribution to a closed distribution system, and entered into agreements with the two primary manufacturers for Daraprim’s active pharmaceutical ingredient that restricted access to that ingredient. The District Court held that, in doing so, Vyera made it difficult for generic manufacturers to obtain sufficient samples of the drug to conduct bioequivalence and other studies needed for FDA approval, thus delaying the entry of generic competition for at least eighteen months. The District Court found that this conduct violated federal and state antitrust laws, and that Shkreli himself was personally liable for such conduct due to the control he exercised over the company. Below, we provide several important takeaways from the court’s decision.

Dramatic Price Hikes Untethered to Demand Can Lead To Intense Antitrust Scrutiny. The District Court cites testimony describing Shkreli’s decision to dramatically increase the cost of Daraprim as the “poster child of everything that is considered wrong about the pharmaceutical industry.”[3] Shkreli’s over-the-top price increases clearly drew significant media and law enforcement attention to his company’s business practices. The case shows that even though there is nothing unlawful about a company raising price, dramatic price increases unconnected with increased demand can draw extraordinary public attention and attract intense regulatory scrutiny. Here, that close scrutiny resulted in severe personal and professional penalties for Shkreli.

Closed Distribution Systems As An Anti-Generic Strategy. Daraprim had been in open retail distribution since the 1950s.[4] After purchasing the rights in 2015, Shkreli swiftly moved to create a highly restrictive closed distribution system. To do so, Vyera imposed class of trade restrictions on its distribution contacts, limited the number of bottles that a single customer could purchase at a given time, bought back Daraprim inventory from wholesalers and distributors, and surveilled distributors sales reports “to prevent the diversion of Daraprim to generic drug companies for [bioequivalence] testing.”[5] Vyera also allegedly blocked access to pyrimethamine, Daraprim’s active pharmaceutical ingredient, by entering into exclusive supply agreements with two of its largest manufacturers. The District Court held that these practices dramatically heightened the barriers to generic market entry. The District Court’s holding that this conduct was illegal, anticompetitive conduct, illustrates that closed distribution systems – while not ordinarily unlawful – can be the basis for an antitrust claim where they are allegedly used as a means to impede generic entry.

Risk of Liability For Large Shareholders. Shkreli founded Vyera (initially known as Turing), was the company’s first CEO, and allegedly masterminded the scheme to exclude Daraprim’s generic competitors from the market. Even after he stepped down as Vyera’s CEO following his December 2015 arrest, the District Court found that Shkreli “remained in functional control of Vyera’s management and its business strategy.”[6] Even during his incarceration, the District Court stated that Shkreli continued to manage Vyera’s leadership, direct corporate policy, and maintain the allegedly anticompetitive Daraprim scheme by wielding his authority as the company’s largest shareholder. For this conduct, the District Court held Shkreli personally liable under the Sherman Act and joint and severally liable for the disgorgement remedy under New York State law. The Court’s decision is a warning that shareholders who exert a high degree of control over companies’ anticompetitive conduct can themselves be found directly liable. This case illustrates the risk that federal and state antitrust enforcers, and even private plaintiffs, will invoke similar reasoning in an attempt to impose liability on other types of shareholders (e.g., institutional shareholders).

Expansion of Remedies When FTC Cooperates With State AGs. By working with the Attorneys General of New York, California, Ohio, Pennsylvania, Illinois, North Carolina, and Virginia, the FTC was able to seek remedies unavailable under federal law. Chief among these was the remedy requiring Shkreli to disgorge $64.4 million in net profits – a remedy afforded by New York state law[7] but not currently available to the FTC since the Supreme Court’s 2019 decision in AMG Capital v. FTC.[8] The District Court found the plaintiffs’ federal and state injunctive authority also to be sufficient to order a lifetime ban on Shkreli from participating in the pharmaceutical industry. The case therefore highlights the risks posed when the FTC’s enforcement power is paired with the additional remedies afforded to certain state attorneys general. Importantly, these remedies were available to the FTC and states without Mr. Shkreli having a right to a jury trial, because the FTC and state AGs did not pursue a traditional damages remedy.

The District Court’s decision in FTC v. Shkreli is a reminder that pharmaceutical and other companies should seek legal advice when engaging in activities that have generated significant regulatory attention, such as price increases untethered to demand increases, and changing the distribution system used for a drug. In addition, as noted, the decision illustrates that institutional and other types of shareholders should seek legal advice when seeking to exert influence over a subsidiary or other company that is potentially subject to significant antitrust or other legal exposure.

_______________________

[1] Federal Trade Commission, State of New York, State of California, State of Ohio, Commonwealth of Pennsylvania, State of Illinois, State of North Carolina, & Commonwealth of Virginia vs. Martin Shkreli, No. 20CV00706 (DLC), 2022 WL 135026 (S.D.N.Y. Jan. 14, 2022).

[2] Id. at *1.

[3] Id. at *11, citing the testimony of Dr. Eliseo Salinas, Vyera’s President of Research & Development from June 2015 to April 2017, and interim CEO from April to July 2017.

[4] Id. at *12.

[5] Id. at *14.

[6] Id. at *28.

[7] Id. at *46.

[8] AMG Cap. Mgmt., LLC v. Fed. Trade Comm’n, 141 S. Ct. 1341 (2021).

The following Gibson Dunn lawyers prepared this client alert: Reed Brodsky, Eric Stock, and Jessica Trafimow*.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please feel free to contact the Gibson Dunn attorney with whom you usually work in the firm’s Antitrust and Competition or Securities Enforcement practice groups, or the authors:

Reed Brodsky – New York (+1 212-351-5334, [email protected])
Eric J. Stock – New York (+1 212-351-2301, [email protected])

Please also feel free to contact any of the following practice leaders:

Antitrust and Competition Group:
Rachel S. Brass – San Francisco (+1 415-393-8293, [email protected])
Stephen Weissman – Washington, D.C. (+1 202-955-8678, [email protected])

Securities Enforcement Group:
Richard W. Grime – Washington, D.C. (+1 202-955-8219, [email protected])
Mark K. Schonfeld – New York (+1 212-351-2433, [email protected])

* Jessica Trafimow is a recent law graduate working in the firm’s New York office who is not yet admitted to practice law.

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Contents

I. U.S. Trade Restrictions on China

A. Protecting Communications Networks and Sensitive Personal Data

B. Slowing the Advance of China’s Military Capabilities

C. Promoting Human Rights in Xinjiang

D. Promoting Human Rights in Hong Kong

E. Trade Imbalances and Tariffs

II. U.S. Sanctions

A. Treasury Department Sanctions Review

B. Myanmar

C. Russia

1. Nord Stream 2

2. Navalny Sanctions

3. Russian Harmful Foreign Activities Sanctions

4. Possible Ukraine-Related Sanctions and Export Controls

D. Belarus

E. Iran

F. Cuba

G. Ethiopia

H. Other Sanctions Developments

1. Virtual Currency and Ransomware

2. Reversal of International Criminal Court Sanctions

3. Taliban Sanctions and Impact on Afghanistan

4. Notable SDN De-Listings

III. Information and Communications Technology and Services (ICTS)

A. Executive Order 13873: ICTS Supply Chain Framework

1. ICTS Interim Final Rule

2. Review Process

3. Safe Harbor Licensing Process

B. Executive Order 14034: Connected Software Applications

C. Executive Order 14017: Supply Chain Security

D. Executive Order 14028: Cybersecurity

E. Transatlantic Dialogues

IV. U.S. Export Controls

A. Commerce Department

1. Military End Use / User Rule

2. Military-Intelligence End Use / User Rule

3. Sudan Moved to Less Restrictive Country Group B

4. Burma Added to More Restrictive Country Group D:1

5. Cambodia Subjected to More Restrictive Licensing Policy

6. BIS Eases Restrictions of Exports of Vaccines

7. Implementation of Wassenaar Arrangement Controls

8. Emerging and Foundational Technology Controls

9. Solicitation of Public Comments on Issues Related to Supply Chains

10. Entity List Designations

B. Antiboycott Developments

C. White House Export Controls and Human Rights Initiative

D. State Department

1. Revisions to ITAR Proscribed Country List

2. Revisions to United States Munitions List

3. Changes to Regulations in Light of Remote Work Future

V. European Union

A. Sanctions Developments

1. Belarus

2. Russia

B. Export Controls Developments

1. Overview

2. Human Rights Considerations

3. Due Diligence Obligations and Compliance Requirements for Exporters

4. Increased Coordination Between EU Member States

5. EU-U.S. Trade and Technology Council

C. Noteworthy Judgments and Enforcement Actions

1. EU Blocking Statute Regulation

2. Denmark

3. Germany

VI. United Kingdom

A. Sanctions Developments

1. OFSI Annual Review 2020-2021

2. Sanctions Regulations Report on Annual Reviews 2021

3. Changes to Sanctions Lists

B. Export Controls Developments

1. Overview

2. Open Export General License

3. Guidance on Exporting Military or Dual-Use Technology

4. Updates to the Export Control Regime

C. Noteworthy Judgments and Enforcement Actions

VII. People’s Republic of China

A. Countermeasures on Foreign Sanctions

1. Blocking Rules

2. Anti-Foreign Sanctions Law