In May 2021, Gibson Dunn attorneys won a landmark case before the General Court of the European Union (case T-561/18, ITD and Danske Fragtmænd v European Commission).

Gibson Dunn represented ITD (a Danish trade association of international companies operating parcel and logistics services) and Danske Fragtmænd (a company operating in this sector in Denmark) in a case concerning state subsidies in the Danish post and courier market. The EU General Court partially annulled a European Commission decision of 28 May 2018 authorising certain aid measures granted by the Danish and Swedish States to Post Danmark, the Danish postal incumbent and former monopolist owned by PostNord AB, a holding company in turn owned by the Danish and Swedish States. In its decision the Commission had rejected claims that a capital injection from Post Danmark’s parent company and a tax exemption in favour of Post Danmark involved unlawful State aid, but the General Court overturned this decision.

With the rapid decline in letter volumes across the EU, ex monopolists in the postal sector have been struggling to remain viable and have become more actively engaged in the booming parcel freight transport market based on e-commerce transactions. The problem is that ex monopolists still receive funding from their owners, i.e., the State, and while that funding may lawfully be granted for providing a universal letter service in remote areas, it is not justified to use it to gain a competitive advantage in markets such as parcel transport. The EU courts have therefore intensified its scrutiny of Member States which transfer funding to their State owned ex monopolists in various sectors, including in the postal sector. While Member States are allowed to invest in their own companies, capital contributions to loss making entities with no prospect of a reasonable return constitute prohibited State aid. Similarly tax exemptions granted selectively to State owned companies are illegal.

Post Danmark, the ex monopolist for letter services in Denmark, has experienced a 80% decline in letter volumes and has been unable to generate a profit even in the parcel transport market. The company has been incurring catastrophic losses for a decade (or more).

On 5 May 2021, the General Court of the European Union annulled the Commission’s finding that a capital injection to Post Danmark of EUR 135 million in 2017 did not involve State aid as well as a finding that a VAT exemption (with an annual value of approx. EUR 37 million) benefitting Post Danmark for at least 10 years did not constitute State aid. The Danish State and PostNord AB (the Danish-Swedish owned parent company of Post Danmark) intervened in the case to support the European Commission while two freight transport companies, Jørgen Jensen Distribution and Dansk Distribution, intervened in support of ITD and Danske Fragtmænd.

This judgment is the latest in a series by EU Courts setting out requirements regarding Member States’ capital injections in loss making State owned companies in the EU. Specifically, the General Court makes clear that State aid granted in the form of capital injections must be capable of producing a reasonable rate of return in order to avoid being classified as prohibited State aid.

Indeed, while the European Commission had concluded that the capital injection of EUR 135 million granted to loss making Post Danmark would make it possible to restore Post Danmark’s viability, the General Court found that the Commission had no basis for coming to this conclusion. There was no evidence that the company could be brought back to profitability nor that it would have prospects of generating a reasonable return. In the same vein, while the Commission had accepted their arguments that Denmark and Sweden were not involved in the capital injection (as it had been contributed by the parent company to Post Danmark) and were merely ‘passive spectators’ to this payment, the General Court held that the Commission cannot just rely on States’ own arguments whilst ignoring conflicting information submitted by the complainants. Instead the Commission must diligently investigate the matter especially in view of the Commission’s obligation to conduct an impartial examination of the complaint.

The judgment also finds that the VAT exemption (with an annual value of approx. EUR 37 million) benefiting Post Danmark, which allowed e-commerce companies not to charge their customers VAT if they used Post Danmark as their freight company, also benefits Post Danmark and thus involves illegal State aid. The General Court specifically pointed out that this VAT exemption is not covered by the existing permissible VAT exemption covering the provision of Universal Service Obligations based on the VAT Directive 2006/112/EC of 28 November 2006.

As a result of the judgment, the Commission must now reopen the case and will probably be forced to consider that the capital injection of EUR 135 million and the VAT exemption involve incompatible, and therefore unlawful, State aid that must be recovered from Post Danmark. In view of its catastrophic financial situation, this may mean that Post Danmark will unable to survive, at least in its current form.

The following Gibson Dunn lawyers assisted in preparing this client update: Lena Sandberg, Yannis Ioannidis and Pilar Pérez-D’Ocon.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Antitrust and Competition practice group:

Antitrust and Competition Group:

Brussels
Attila Borsos (+32 2 554 72 11, [email protected])
Christian Riis-Madsen (+32 2 554 72 05, [email protected])
Lena Sandberg (+32 2 554 72 60, [email protected])
David Wood (+32 2 554 7210, [email protected])
Alejandro Guerrero (+32 2 554 7218, [email protected])

London
Ali Nikpay (+44 20 7071 4273, [email protected])
Deirdre Taylor (+44 20 7071 4274, [email protected])
Philip Rocher (+44 20 7071 4202, [email protected])
Patrick Doris (+44 20 7071 4276, [email protected])
Charles Falconer (+44 20 7071 4270, [email protected])

Frankfurt
Georg Weidenbach (+49 69 247 411 550, [email protected])

Munich
Michael Walther (+49 89 189 33 180, [email protected])
Kai Gesing (+49 89 189 33 180, [email protected])

Hong Kong
Kelly Austin (+852 2214 3788, [email protected])
Sébastien Evrard (+852 2214 3798, [email protected])

Washington, D.C.
Adam Di Vincenzo (+1 202-887-3704, [email protected])
Scott D. Hammond (+1 202-887-3684, [email protected])
Joseph Kattan (+1 202-955-8239, [email protected])
Kristen C. Limarzi (+1 202-887-3518, [email protected])
Joshua Lipton (+1 202-955-8226, [email protected])
Richard G. Parker (+1 202-955-8503, [email protected])
Michael J. Perry (+1 202-887-3558, [email protected])
Cynthia Richman (+1 202-955-8234, [email protected])
Jeremy Robison (+1 202-955-8518, [email protected])
Stephen Weissman (+1 202-955-8678, [email protected])
Andrew Cline (+1 202-887-3698, [email protected])
Chris Wilson (+1 202-955-8520, [email protected])

New York
Eric J. Stock (+1 212-351-2301, [email protected])
Lawrence J. Zweifach (+1 212-351-2625, [email protected])

Los Angeles
Daniel G. Swanson (+1 213-229-7430, [email protected])
Christopher D. Dusseault (+1 213-229-7855, [email protected])
Samuel G. Liversidge (+1 213-229-7420, [email protected])
Jay P. Srinivasan (+1 213-229-7296, [email protected])
Rod J. Stone (+1 213-229-7256, [email protected])

San Francisco
Rachel S. Brass (+1 415-393-8293, [email protected])
Caeli A. Higney (+1 415-393-8248, [email protected])

Dallas
Veronica S. Lewis (+1 214-698-3320, [email protected])
Mike Raiff (+1 214-698-3350, [email protected])
Brian Robison (+1 214-698-3370, [email protected])
Robert C. Walters (+1 214-698-3114, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On May 18, 2021, the New York Privacy Act (“NYPA”) passed out of the New York Senate Consumer Protection Committee.[1] Senator Kevin Thomas previously introduced a version of this bill in the 2019-2020 legislative session, but this is the first time that the bill—or any comprehensive privacy bill in New York—has made it out of committee. In addition to needing the approval of the majority of the full senate, the bill must progress in the New York Assembly before it is enacted. If the NYPA is enacted, it would be the third comprehensive state privacy law in the United States following the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA”) and the Virginia Consumer Data Protection Act (“VCDPA”), the latter of which was signed into law earlier this year and goes into effect in January 2023. While the New York Privacy Act shares similarities with its counterparts in California and Virginia, such as prohibiting discrimination against consumers that exercise their rights under the laws, the NYPA is substantially broader.[2] If the NYPA is signed into law, many companies doing business in New York will need to assess their compliance and may need to modify their compliance efforts and collection and use of consumer personal information.

The NYPA’s broad jurisdictional mandate applies to any entity that “conduct[s] business in New York or produce[s] products or services that are targeted to residents of New York,” and that (1) has annual gross revenue of $25 million or more, (2) controls or processes the personal data of at least 100,000 New York consumers, (3) controls or processes the personal data of at least 500,000 individuals nationwide and 10,000 New York consumers, or (4) derives over 50% of gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 New York consumers.[3] Just like the CCPA and VCDPA do not define “doing” or “conduct[ing]” business in California or Virginia, the NYPA does not define “conduct[ing] business in New York.” It seems likely that the NYPA will apply to for-profit and business-to-business companies that interact with New York residents, or process personal data of New York residents on a relatively large scale. Like the CCPA, the NYPA would exempt a list of enumerated data types, including data already subject to certain laws and regulations, like the Gramm-Leach-Bliley Act (“GLBA”).[4]

The cornerstone of the NYPA is the creation of an expansive consumer “bill of rights,” which contains similar rights as enacted in California and Virginia, but also goes further to give unprecedented rights to consumers. Similar to the California and Virginia laws, consumer rights under the NYPA include the right to know the categories of personal data collected, and purposes of such categories; the right to access, correct, and delete their personal information; the right to data portability; and anti-discrimination rights.[5] Unlike the California and Virginia laws, which provide consumers with the right to opt out of certain data selling, sharing, and/or processing, under the NYPA data controllers must obtain opt-in consent before processing personal data or “mak[ing] any changes in the processing or processing purpose,” such as using “less protective” methods of collection.[6]

The NYPA would also go further in codifying the concept of a “data fiduciary.” This concept would prevent controllers from using consumers’ personal information in a way that would harm them—that is, in a manner against a consumer’s physical, financial, psychological, or reputational interests. As a data fiduciary, a controller would be required pursuant the NYPA’s duty of loyalty to notify consumers about data processing foreseeably adverse to their interests and prohibit controllers from engaging in “unfair, deceptive, or abusive…practices with respect to obtaining consumer consent.”[7] Complying with the NYPA’s duty of care would require implementing certain practices, such as annual risk assessments and reasonable safeguards to protect personal data.[8] The bill’s consumer focus also extends to authorizing a broad private right of action for violations of any of these consumer rights—unlike the California laws, which provide for a narrow private right of action, and the Virginia law, which provides for no private right of action at all.[9] The Attorney General also has authority to enforce the law. Finally, the Virginia and California laws provide the opportunity to cure violations before enforcement, which is not explicitly provided for in the NYPA.[10]

The NYPA would create an even broader comprehensive privacy regime than its counterparts in Virginia and California. If the NYPA is enacted, it would mandate yet another privacy regime in the United States and pose additional challenges as businesses attempt to navigate this already complex environment. Gibson Dunn is tracking this bill through the end of the legislative session, and will continue to monitor developments in New York and nationwide.

______________________

[1] Senate Bill No. 6701.

[2] Compare id. § 1103(1)(C) with Cal. Civ. Code § 1798.125 (as amended by California Consumer Privacy Rights and Enforcement Act on November 3, 2020) and Virginia Consumer Data Protection Act, S.B. 1392 § 59.1-574(A)(4).

[3] Senate Bill No. 6701 § 1101.

[4] Id. § 1101(2).

[5] Id. § 1102–1103.

[6] Id. § 1102(2).

[7] Id. § 1103(1)(A).

[8] Id. § 1103(1)(B).

[9] Compare id. § 1106 with Cal. Civ. Code § 1798.150 and S.B. 1392 § 59.1-579(C).

[10] See, e.g., Cal. Civ. Code § 1798.199.45; S.B. 1392 § 59.1-579(B).

This alert was prepared by Alexander H. Southwell, Mylan L. Denerstein, Amanda M. Aycock, Jennifer Katz and Lisa V. Zivkovic.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Privacy, Cybersecurity and Data Innovation practice group, or the following authors:

Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
Mylan L. Denerstein – Co-Chair, Public Policy Practice (+1 212-351-3850, [email protected])

Privacy, Cybersecurity and Data Innovation Group:

United States
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Robert K. Hur – Washington, D.C. (+1 202-887-3674, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])

Europe
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])

Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

This week, there were important virtual currency developments at two of the principal federal banking agencies, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC). Both of these developments occurred as the markets for digital currencies showed substantial volatility. First, in testimony before Congress on Wednesday, Acting Comptroller of the Currency Michael Hsu expressed concerns about the OCC’s recent actions for digital currency companies and stated that he had “asked staff to review these actions.”[1] Second, the FDIC published a request for information (RFI) about digital assets and the banking system.[2] Comments on the RFI are due by July 16, 2021.

I. Office of the Comptroller of the Currency

Prior to Acting Comptroller Hsu’s appointment by Treasury Secretary Yellen, the OCC was the federal banking agency that had taken the lead on digital currencies, recently approving three applications by digital currency companies. Of these actions, Acting Comptroller Hsu stated his “broad[] concern . . . that these initiatives were not done in full coordination with all stakeholders. Nor do they appear to have been part of a broader strategy related to the regulatory perimeter.”[3]

The OCC approvals involved two applications for conversion from state trust companies to national trust banks, those of Anchorage Digital Bank, National Association, and Protego Trust Bank, National Association, and one application for a new national trust bank charter, for Paxos National Trust.[4] Each approval therefore involved a type of national bank specifically authorized by Congress, and not a special purpose “fintech” charter.

The activities that the OCC stated were permissible for national banks in the approvals covered many digital currency activities, including:

fiduciary custody of digital assets
custody of client cash deposits
providing on-chain governance services allowing clients to participate in the governance of the underlying protocols on which their digital assets operate
operating validator nodes
providing staking as a service
providing clients the ability to delegate staking to third-party validators
settling transactions facilitated by affiliates, third-party brokers and clients
determining that customers should claim forked assets
custody and management of U.S. dollar stablecoin reserves
payment, exchange, and other agent services
trading services and enabling partners to buy and sell cryptocurrency
“know your customer” as a service, including customer identification, sanctions screening, enhanced due diligence, customer risk rating, and other related services[5]

It is not clear what form the OCC staff review mandated by Acting Comptroller Hsu will take. It does appear from the rest of his testimony, however, that the OCC will no longer “go it alone” when it comes to digital assets. As Mr. Hsu – formerly a career supervisor at the Federal Reserve – stated, “[r]ecognizing the OCC’s unique authority to grant charters, we must find a way to consider how fintechs and payments platforms fit into the banking system, and we must do it in coordination with the FDIC, Federal Reserve, and the states.”[6] Mr. Hsu also warned of the potential of systemic risk from digital activities, stating that he was feeling “some déjà vu,” having seen the financial disintermediation of the late 1990s and 2000s that contributed to the Great Recession.[7]

II. Federal Deposit Insurance Corporation

If the OCC appears to be putting on the brakes, the FDIC – the primary federal supervisor for insured state banks, including industrial banks, that are not members of the Federal Reserve system, the U.S. deposit insurer, and the U.S. bank resolution authority – signaled that it wishes to know more about digital assets and the banking system. On May 17, it issued a request for information, soliciting comments regarding insured depository institutions’ (IDIs) current and potential digital asset activities.[8] The FDIC noted that banks are exploring several roles in the digital asset ecosystem, with digital use cases and related activities potentially falling into the following categories:

Technology solutions, such as those involving closed and open payment systems, other token-based systems for banking activities other than payments (g., lending), and acting as nodes in networks (e.g., distributed ledgers)
Asset-based activities, such as investments, collateral, margin lending and liquidity facilities
Liability-based activities, such as deposit services and where deposits serve as digital asset reserves
Custodial activities, such as providing digital asset safekeeping and related services, such as secondary lending, as well as acting as a qualified custodian on behalf of investment advisors
Other activity including market-making and decentralized financing

Current and Potential Use Cases

The RFI seeks information regarding current and potential use cases of digital assets, including categories of digital assets and related activities, activities or use cases that IDIs are currently engaging in or considering, and the demand for digital asset-related services.

Risk and Compliance Management

The RFI asks for comment regarding risk and compliance management, including IDIs’ existing risk and compliance management frameworks; unique risks that are challenging to measure, monitor, and control for the various digital asset use cases; unique benefits to operations from the various digital asset use cases; the integration of operations related to digital assets with legacy banking systems; potential benefits and unique risks of particular digital asset product offerings or services to IDI customers; and the integration of new technologies into existing cybersecurity functions.

Supervision and Activities

The RFI requests information regarding supervision and activities, including the unique aspects of digital asset activities that the FDIC should take into account from a supervisory perspectives; areas in which the FDIC should clarify or expand existing supervisory guidance to address digital asset activities; the difference between the custody of digital assets and the custody of traditional assets; and the interaction of digital assets with the FDIC’s Part 362 application procedures, which cover applications by insured state nonmember banks to conduct principal activities that have not been approved for national banks.

Deposit Insurance and Resolution

The RFI asks for information regarding deposit insurance and resolution, including steps to ensure customers can distinguish between uninsured digital asset products and insured deposits; distinctions or similarities between fiat-backed stablecoins and stored value products where the underlying funds are held at IDIs and for which pass-through deposit insurance may be available; and complexities that might be encountered in valuing, marketing, operating, or resolving digital asset activity in the resolution process or in a receivership capacity.

Conclusion

This week’s actions demonstrate that, as the Biden Administration takes shape, there is a change in banking agency approach to digital assets and that addressing the issues raised by digital assets remains a considerable regulatory priority. It appears that the OCC, Federal Reserve Board and FDIC will take a more coordinated approach to digital assets, one result of which may be that certain state bank regulatory agencies may take the lead on innovative proposals in the short term. For example, most of the activities that the OCC permitted in its digital currency approvals before Acting Comptroller Hsu was appointed had previously been deemed permissible for state-licensed trust companies.

____________________

[1] Statement of Michael J. Hsu, Acting Comptroller of the Currency, Committee on Financial Services, United States House of Representatives, May 19, 2021 (Hsu Statement).

[2] FDIC, Request for Information and Comment on Digital Assets (May 17, 2021), available at https://www.fdic.gov/news/press-releases/2021/pr21046a.pdf.

[3] Hsu Statement.

[4] Letter from Stephen A. Lybarger, Deputy Comptroller Licensing, OCC, to Nathan McCauley, President & Director, Anchorage Trust Company, Application by Anchorage Trust Company, Sioux Falls, South Dakota to Convert to a National Trust Bank (Jan. 13, 2021); Letter from Stephen A. Lybarger, Deputy Comptroller Licensing, OCC, to Greg Gilman, Founder & Executive Chair, Audaces Fortuna Inc., Application by Protego Trust Company, Seattle, Washington, to Convert to a National Trust Bank (Feb. 4, 2021); Letter from Stephen A. Lybarger, Deputy Comptroller Licensing, OCC, to Daniel Burstein, General Counsel and Chief Compliance Officer, Paxos, Application to Charter Paxos National Trust, New York, New York (Apr. 23, 2021).

[5] See id., available at https://www.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-6a.pdf; https://www.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-19a.pdf; and https://www.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-49a.pdf.

[6] Hsu Statement.

[7] Hsu Statement

[8] FDIC, Request for Information and Comment on Digital Assets (May 17, 2021), available at https://www.fdic.gov/news/press-releases/2021/pr21046a.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery.

The following Gibson Dunn lawyers assisted in preparing this client update: Arthur Long and Samantha Ostrom.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s Financial Institutions practice group:

Matthew L. Biben – New York (+1 212-351-6300, [email protected])
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, [email protected])
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, [email protected])
M. Kendall Day – Washington, D.C. (+1 202-955-8220, [email protected])
Mylan L. Denerstein – New York (+1 212-351- 3850, [email protected])
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, [email protected])
Arthur S. Long – New York (+1 212-351-2426, [email protected])
Matthew Nunan – London (+44 (0) 20 7071 4201, [email protected])
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Los Angeles partner Kahn Scolnick and associate Daniel Adler are the authors of “Ruling will protect noncitizens from consequences of uninformed guilty pleas,” [PDF] published by the Daily Journal on May 12, 2021.

Orange County of counsel Anne Brody is the co-author of “Courts Are Aligning Patent Fraud, Inequitable Conduct Claims,” [PDF] published by Law360 on May 18, 2021.

I. Introduction

Following two major cybersecurity events, President Biden issued a sweeping Executive Order on May 12, 2021,[1] reinforcing his commitment that fighting cyberattacks is “a top priority and essential to national and economic security.” The executive action is the latest of the Administration’s efforts on “prevention, detection, assessment, and remediation of cyber incidents,” coming on the heels of the Colonial Pipeline ransomware attack, and just a few months after the SolarWinds breach.

In brief, reports in December 2020 revealed that hackers accessed the systems of SolarWinds, an IT management software company, and implemented malicious code that enabled the hackers to install malware that was used to spy on SolarWinds and its customers, including several U.S. government agencies and many Fortune 500 companies. And in early May 2021, Colonial Pipeline, an oil pipeline system, was targeted by a criminal cybergroup encrypting its system and demanding a ransom. Although aimed at business technology, the attack caused Colonial Pipeline to shut down operations on a major pipeline serving the Northeast, leading to gas shortages and panic buying.

These two high-profile incidents illustrate the reality that cyberattacks are a growing threat facing both the public and private sectors. The scope and incidence of these attacks has grown steadily year over year, with experts from Cybersecurity Ventures estimating that cybercrime will cost $6 trillion globally in 2021 and continue to grow by 15% annually over the next five years.[2] Cyberattacks can have wide-ranging implications, including theft of sensitive personal data, breach of state and trade secrets, and network and power disruptions, so investment in cybersecurity infrastructure is critical.

In light of these threats, the Order is the latest step in the Biden Administration’s commitment to “disrupt and deter our adversaries from undertaking significant cyberattacks.” President Biden’s appointments have signaled his seriousness in this regard — he has appointed a number of experienced cybersecurity professionals to significant roles, including for the newly-created role of National Cyber Director and a Deputy National Security Advisor for Cyber and Emerging Technology (a role that elevated the subject within the Administration). While the Administration has indicated intentions to push for more comprehensive cybersecurity legislation, in the interim, the Order will have a significant impact on the way that federal government agencies and government contractors approach cybersecurity. The Administration intends the Order to also “encourage private sector companies to follow the Federal Government’s lead,” a strategy that had prior success with the widespread adoption of the National Institute of Standards and Technology’s 2014 voluntary cybersecurity framework.

II. Key Provisions of the Executive Order

The Order aims to improve the nation’s cybersecurity and protect federal government networks against sophisticated, malicious cyber activity from both nation-state actors and cyber criminals. As many high-profile cyber incidents have shared risk factors and other commonalities, such as similar cybersecurity vulnerabilities and a lack of robust defenses, the Order focuses on measures likely to have an immediate and wide-ranging impact on critical infrastructure systems, such as strengthening federal network protections, promoting information-sharing between the U.S. government and private sector, and enhancing the ability to respond to incidents. While many federal agencies and contractors already maintain and abide by existing agency-specific cybersecurity measures, the Order establishes additional mechanisms and standards to ensure that all information systems used or operated by federal agencies or contractors “meet or exceed” the cybersecurity standards and requirements set forth in the Order.

The Order aims to spur substantial participation and investment from a diverse array of relevant stakeholders in both the public and private sectors. Although the Order’s requirements apply only to federal agencies and contractors, the Order acknowledges the private sector’s integral role in providing and maintaining domestic critical infrastructure. To this end, the Order expressly encourages the private sector — including entities that are not government contractors — to adopt comparable and ambitious measures to minimize future cyber incidents.

The Order contains eight key components and provisions for modernizing the federal government’s defenses and responses to cyberattacks, which are summarized below.

The Order calls for the review and update of Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation Supplement (“DFARS”) requirements to ensure that federal contractors collect, preserve, and share information related to cyber threats and incidents. The anticipated revisions to the FAR and DFARS provisions would also require service providers to collaborate with federal agencies in investigating and responding to incidents or potential incidents. The Order establishes a federal government policy that information and communications technology service providers must promptly report the discovery of cyber incidents to the appropriate federal agencies, and contemplates revisions to the FAR identifying the types of cyber incidents that will trigger such reporting, the types of information to be reported, the time periods within which to report cyber incidents based on a graduated scale of severity, and the types of contractors and service providers to be covered by the proposed language. The Order also contemplates the standardization of agency-specific cybersecurity requirements through the anticipated FAR updates. Furthermore, the Biden Administration has conveyed its expectation that these revised contract terms will spur adoption of the practices by the private sector more broadly.

Sec. 3. Modernizing Federal Government Cybersecurity.

Recognizing that the cyber threat environment is “dynamic and increasingly sophisticated,” the Order identifies necessary steps for modernizing its approach to cybersecurity and ensuring effective defenses, including: (1) adopting security best practices; (2) advancing toward Zero Trust Architecture; (3) accelerating movement to secure cloud services, including Software as a Service (“SaaS”), Infrastructure as a Service (“IaaS”), and Platform as a Service (“PaaS”); (4) centralizing and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and (5) investing in both technology and personnel to match these modernization goals.

Tools such as multi-factor authentication and encryption for data at rest and in transit, as well as endpoint detection response, logging, and operating in a zero-trust environment, will be rolled out across federal government networks on a tight timeline. The Order also requires the development of cloud-security technical reference architecture documentation that illustrates recommended approaches to cloud migration and data protection, as well as the development and issuance of a cloud-service governance framework. Notably, the Order also requires modernization of the existing FedRAMP program, a government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring of cloud products and services.

Sec. 4. Enhancing Software Supply Chain Security.

The Order also seeks to improve the security of commercial software used by the federal government in three ways. First, the Order calls for the creation of baseline guidelines and standards for the security of software used by the federal government based on industry best practices established by the National Institute of Standards and Technology (“NIST”) with input from “the Federal Government, private sector, academia, and other appropriate actors.” Second, the Order seeks to jumpstart the market for secure software by leveraging federal buying power. The Order requires the FAR Council to consider recommendations for contract language requiring software suppliers to comply with, and attest to complying with, the new software standards. Agencies will then be directed to remove and remediate software products that do not meet the amended FAR requirements. Third, the Order directs NIST to develop a cybersecurity “pilot program” labeling initiative to give consumers visibility into the security of the software.

Sec. 5. Establishing a Cyber Safety Review Board.

The Order establishes a Cyber Safety Review Board composed of both federal officials and representatives from private-sector entities to review and assess threat activity, vulnerabilities, mitigation activities, and agency responses related to “significant” cyber incidents. The Board, which is modeled after the National Transportation Safety Board’s investigations of civil transportation incidents, would convene following significant cyber incidents and provide recommendations for improving cybersecurity and incident response practices.

Sec. 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents.

As current cybersecurity vulnerability and incident response procedures vary across agencies, the Order calls for standardized response processes to “ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.” The Order mandates that federal agencies work together in the development of a “standard set of operational procedures (playbook)” that incorporates NIST standards, as well as articulates all phases of an incident response while also building in flexibility. The Administration intends for this playbook to “also provide the private sector with a template for its response efforts.”

Sec. 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks.

Endpoint detection and response is an emerging technology intended to address the need for continuous monitoring and response to advanced threats. The Order calls for an Endpoint Detection and Response (EDR) initiative to “support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response.” Federal adoption of EDR has lagged behind the private sector, which has already begun incorporating it as central component of cybersecurity programs within industry.

Sec. 8. Improving the Federal Government’s Investigative and Remediation Capabilities.

The Order requires “agencies to establish requirements for logging, log retention, and log management, which shall ensure centralized access and visibility for the highest level security operations center of each agency,” and requires that the FAR Council consider the recommendations for these policies in promulgating the revisions to the FAR described in Section 2 of the Order. Therefore, companies should anticipate changes to contractual requirements to establish logging policies.

Sec. 9. National Security Systems.

The Order calls for “National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems,” which will be reflected in a National Security Memorandum (“NSM”). Generally speaking, a “national security system” is an information system used or operated by an agency or contractor that involves intelligence activities, cryptologic activities, command and control of military forces, equipment integral to a weapon or weapons system, or that is critical to the fulfilment of military or intelligence missions.

III. Analysis and Takeaways

Among the many takeaways from the Order, the most noteworthy is the expected and intended impact beyond federal agencies and contractors, given the express goal of influencing the broader private sector’s cybersecurity best practices. The Order’s ultimate impact will largely be shaped by the regulations issued in the coming months to comply with these new requirements.

The Order contemplates an aggressive timeline for these reforms, with deadlines ranging between 45 and 120 days for agencies to begin implementing many of the Order’s key requirements.
Many of these requirements have already been established as common or best practices in the private sector, but widespread adoption by federal agencies may encourage additional private sector businesses to conform to these standards.
With the forthcoming guidelines, private companies — regardless of whether they intend to pursue federal contracts — may see a new “best practice” to which its own standards will be compared and evaluated. As a result, the requirements promulgated in response to the Order could impact what amounts to “reasonableness” and the duty of care for civil liability.
The Order’s recognition of the need for collaboration and cooperation between the federal government and the private sector creates an opportunity for input from private sector stakeholders. Industry should monitor forthcoming rulemakings to implement the Order and consider opportunities to comment.

The legal issues and obligations related to Executive Order 14028, entitled “Improving the Nation’s Cybersecurity,” are likely to shift as federal agencies implement its provisions. We will continue to monitor and advise on developments to stay on the forefront of this rapidly-changing area. We are available to guide companies through these and related issues. Please do not hesitate to contact us with any questions.

____________________

[1] See Exec. Order No. 14,028, 86 Fed. Reg. 26,633 (May 12, 2021).

[2] Steve Morgan, Cybercrime To Cost The World $10.5 Trillion Annually By 2025, Cybercrime Magazine (Nov. 13, 2020), https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/.

This alert was prepared by Alexander H. Southwell, Eric D. Vandevelde, Ryan T. Bergsieker, Lindsay M. Paulin, Jennifer Katz and Terry Y. Wong.

Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Lindsay M. Paulin – Washington, D.C. (+1 202-887-3701, [email protected])
Jennifer Katz – New York (+1 212-351-4066, [email protected])

Privacy, Cybersecurity and Data Innovation Group:

Government Contracts Group:
Dhananjay S. Manthripragada – Los Angeles (+1 213-229-7366, [email protected])
John W.F. Chesley – Washington, D.C. (+1 202-887-3788, [email protected])
Joseph D. West – Washington, D.C. (+1 202-955-8658, [email protected])
Lindsay M. Paulin – Washington, D.C. (+1 202-887-3701, [email protected])
Justin Paul Accomando – Washington, D.C. (+1 202-887-3796, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Decided May 17, 2021

CIC Services, LLC v. IRS, No. 19-930

Today, the Supreme Court unanimously held that the Anti-Injunction Act does not bar pre-enforcement judicial review of reporting mandates enforced by tax penalties, at least when a mandate is also enforced by criminal punishment.

Background:
CIC Services, LLC advises companies that create and use “captive insurers” to fill gaps in third-party insurance coverage. In 2016, the IRS issued Notice 2016-66, which imposes reporting and recordkeeping requirements for taxpayers and tax advisors involved in captive-insurance transactions—transactions the IRS believes can facilitate tax avoidance. If taxpayers or advisors violate these requirements, they face hundreds of thousands of dollars in civil tax penalties; for willful violations, they face criminal punishment, including imprisonment. CIC filed a pre-enforcement suit to challenge Notice 2016-66 under the Administrative Procedure Act, arguing that the IRS should have promulgated the Notice through notice-and-comment rulemaking, and that the Notice was arbitrary and capricious because it was issued without a proven need.

The Sixth Circuit held that CIC’s suit was barred by the Anti-Injunction Act, which prohibits suits “for the purpose of restraining the assessment or collection of any tax.” 26 U.S.C. § 7421(a). Because the Notice is enforced by a tax penalty, the Sixth Circuit ruled, CIC’s challenge to the Notice necessarily seeks to restrain the assessment or collection of that tax.

Issue:
Whether the Anti-Injunction Act bars pre-enforcement challenges to reporting mandates enforced by tax penalties.

Court’s Holding:
The Anti-Injunction Act does not bar pre-enforcement challenges to reporting requirements enforced by tax penalties that also impose independent legal obligations enforced by criminal punishment, such that the only alternative way of challenging the reporting mandate—violating it, paying the penalty, and then suing for a refund—requires committing a crime.

A suit “to enjoin a standalone reporting requirement, whose violation may result in both tax penalties and criminal punishment … is not a suit ‘for the purpose of restraining the [IRS’s] assessment or collection’ of a tax, and so does not trigger the Anti-Injunction Act.”

Justice Kagan, writing for the Court

What It Means:

Tax advisors may bring pre-enforcement challenges to standalone tax-reporting and other requirements that are backed by both tax penalties and criminal punishment, where the challenge is to the reporting mandate itself, rather than a challenge to the tax penalty imposed for violating that mandate. In these situations, tax advisors do not have to risk criminal liability by violating a mandate before they can challenge its legality.
The Court’s decision will make it easier to obtain judicial review of the IRS’s position that it can use informal guidance—as opposed to rules that go through the notice-and-comment process—to impose information reporting requirements on third parties. This could restrict the agency’s ability to gather information that is indirectly related to the computation of tax.
Now that CIC’s suit can proceed, if on remand the courts rule that Notice 2016-66 should have gone through notice-and-comment rulemaking or is arbitrary and capricious, this could pave the way for similar challenges to other IRS information reporting requirements.
Justice Kavanaugh wrote separately to observe that the Court’s focus on the objective purpose of a pre-enforcement suit aligns with the text of the Anti-Injunction Act and that the Court’s ruling narrows previous decisions suggesting that pre-enforcement suits are barred if they would have the effect of preventing the assessment or collection of a tax. Put another way, what matters is whether the plaintiff seeks relief from a legal obligation imposed by the challenged mandate that is separate and independent from the tax penalty.
Although the Court did not distinguish suits brought by taxpayers from those brought by tax advisors like CIC, Justice Sotomayor wrote separately to suggest that the outcome might have been different had the plaintiff been a taxpayer. This issue likely will be presented in future litigation if the Government attempts to cabin the ruling to tax advisors.

The Court’s opinion is available here.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court. Please feel free to contact the following practice leaders:

Appellate and Constitutional Law Practice

Allyson N. Ho
+1 214.698.3233
[email protected]

Mark A. Perry
+1 202.887.3667
[email protected]

Lucas C. Townsend
+1 202.887.3731
[email protected]

Bradley J. Hamburger
+1 213.229.7658
[email protected]

Related Practice: Tax

Sandy Bhogal
+44 (0) 20 7071 4266
[email protected]

Eric B. Sloan
+1 212.351.2340
[email protected]

Dora Arash
+1 213.229.7134
[email protected]

Related Practice: Administrative Law and Regulatory Practice

Helgi C. Walker
+1 202.887.3599
[email protected]

Eugene Scalia
+1 202.955.8210
[email protected]

Decided May 17, 2021

BP plc v. Mayor & City Council of Baltimore, No. 19-1189

Today, the Supreme Court held 7-1 that appellate courts have jurisdiction to review all grounds for removal in a remand order so long as removal is premised in part on the federal-officer removal statute or the civil-rights removal statute.

Background:
The Mayor & City Council of Baltimore sued energy companies in Maryland state court, seeking to hold them liable under state tort law for harms attributable to global climate change. Defendants removed the action, asserting (among other things) federal-question jurisdiction, federal-officer removal jurisdiction, and Outer Continental Shelf Lands Act jurisdiction. The district court granted the City’s motion to remand, rejecting each of Defendants’ grounds for removal. Defendants appealed.

Under 28 U.S.C. 1447(d), “[a]n order remanding a case to the State court from which it was removed is not reviewable on appeal or otherwise, except that an order remanding a case to the State court from which it was removed pursuant to section 1442 [federal-officer removal] or 1443 [civil rights] of this title shall be reviewable by appeal or otherwise.” The Fourth Circuit acknowledged that the Supreme Court had interpreted similar language in 28 U.S.C. 1292(b) to confer appellate jurisdiction over the entire order, rather than particular reasons for the order, and that the Seventh Circuit had relied on that authority in holding that 28 U.S.C. 1447(d) authorizes appellate courts to review any issue in a remand order so long as removal was premised in part on the federal-officer removal statute or the civil-rights removal statute. But the court concluded that those decisions were insufficient to abrogate preexisting Circuit authority interpreting 28 U.S.C. 1447(d) as conferring appellate jurisdiction over only the enumerated grounds for removal.

The Fourth Circuit affirmed the district court’s conclusion that removal was improper under the federal-officer removal statute, and otherwise dismissed for lack of appellate jurisdiction.

Issue:
Does 28 U.S.C. 1447(d) permit courts of appeals to review any issue encompassed in a district court’s order remanding a removed case to state court where the removing defendant premised removal in part on the federal-officer removal statute, 28 U.S.C. 1442, or the civil-rights removal statute, 28 U.S.C. 1443?

Court’s Holding:
Yes. The plain meaning of the term “order” refers to “a ‘written direction or command delivered by … a court or judge,’” and neither legislative history nor policy support limiting the scope of appellate review to particular issues contained in such an order.

“[W]hen a district court’s removal order rejects all of the defendants’ grounds for removal, §1447(d) authorizes a court of appeals to review each and every one of them.”

Justice Gorsuch, writing for the Court

What It Means:

A defendant that asserts multiple grounds for removal will be able to secure appellate review from a remand order with respect to all grounds, so long as at least one of those grounds is appealable (such as the federal-officer removal statute or the civil-rights removal statute).
The Court’s ruling may create opportunities for state-court defendants to test new theories supporting federal jurisdiction. The Court noted that the prospect of sanctions or the award of costs and expenses (including attorneys’ fees) for frivolously removing a case to federal court should deter gamesmanship.
The Court’s reasoning may have broader implications for statutory interpretation. First, the Court emphasized that the presumption that statutory exemptions should be read narrowly does not give courts license to give those exemptions anything but a fair reading. Second, it held that Congress did not ratify the more limited interpretation of 28 U.S.C. 1447(d) adopted by lower courts when it subsequently amended the statute without changing its use of the term “order,” because the statutory text was clear.

The Court’s opinion is available here.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court. Please feel free to contact the following practice leaders:

Appellate and Constitutional Law Practice

Allyson N. Ho
+1 214.698.3233
[email protected]

Mark A. Perry
+1 202.887.3667
[email protected]

Theodore J. Boutrous, Jr.
+1 213.229.7804
[email protected]

Lucas C. Townsend
+1 202.887.3731
[email protected]

Bradley J. Hamburger
+1 213.229.7658
[email protected]

Thomas G. Hungar
+1 202.887.3784
[email protected]

The SPAC boom has resulted in more than 400 SPACs searching for targets. The SEC has opened investigations and issued a string of warnings about potential risks associated with companies going public through mergers with SPACs. Civil litigation has been growing. This webcast will provide the latest update on the state of the SPAC market, recent SEC guidance on SPACs, the issues that sponsors, boards, underwriters, advisers and auditors should be considering in connection with SPAC IPOs, de-SPAC transactions, disclosures, and strategies for mitigating the regulatory and litigation risk.

View Slides (PDF)

PANELISTS:

Evan M. D’Amico is a partner in Gibson Dunn’s Washington, D.C. office, where his practice focuses primarily on mergers and acquisitions. Mr. D’Amico advises companies, private equity firms, boards of directors and special committees in connection with a wide variety of complex corporate matters, including mergers and acquisitions, asset sales, leveraged buyouts, spin-offs and joint ventures. He also has experience advising issuers, borrowers, underwriters and lenders in connection with financing transactions and public and private offerings of debt and equity securities. Mr. D’Amico has particular expertise in advising special purpose acquisition companies (SPACs), operating companies and investors in connection with SPAC business combinations and financing transactions.

Brian Lutz is a partner in Gibson Dunn’s San Francisco where he is Co-Chair of the Firm’s National Securities Litigation Practice Group. Mr. Lutz has experience in a wide range of complex commercial litigation, with an emphasis on corporate control contests, securities litigation, and shareholder actions alleging breaches of fiduciary duties. He represents public companies, private equity firms, investment banks and clients across a variety of industries, including bio-pharma, tech, finance, retail, health care, energy, accounting and insurance.

Mark Schonfeld is a partner in Gibson Dunn’s New York office, and Co-Chair of Gibson Dunn’s Securities Enforcement Practice Group. Mr. Schonfeld’s practice focuses on the representation of financial institutions, public companies, hedge funds, accounting firms and private equity firms in investigations conducted by the Securities and Exchange Commission (SEC), Department of Justice (DOJ), States Attorneys General, Financial Industry Regulatory Authority (FINRA) and other regulatory organizations. Mr. Schonfeld also conducts internal investigations and counsels clients on compliance and corporate governance matters.

Lori Zyskowski is a partner in the New York office and Co-Chair of the firm’s Securities Regulation and Corporate Governance practice. She was previously Executive Counsel, Corporate, Securities & Finance at GE. She advises clients, including public companies and their boards of directors, on a wide variety of corporate governance and securities disclosure issues, and provides a unique perspective gained from over 12 years working in-house at S&P 500 corporations.

Gerry Spedale is a partner in Gibson Dunn’s Houston office where he has a broad corporate practice, advising on mergers and acquisitions, joint ventures, capital markets transactions and corporate governance. He has extensive experience advising public companies, private companies, investment banks and private equity groups actively engaging or investing in multiple industries, including the energy industry. His over 20 years of experience covers a broad range of the energy industry, including upstream, midstream, downstream, oilfield services, utilities and renewables.

MODERATOR:

Stephen Glover is a partner in the Washington, D.C. office and Co-Chair of the firm’s Mergers and Acquisitions Practice Group. Mr. Glover has an extensive practice representing public and private companies in complex mergers and acquisitions, including SPACs, spin-offs and related transactions, as well as other corporate matters. Mr. Glover’s clients include large public corporations, emerging growth companies and middle market companies in a wide range of industries. He also advises private equity firms, individual investors and others.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.5 credit hours, of which 1.5 credit hours may be applied toward the areas of professional practice requirement.

This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.5 hours.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

London partner Benjamin Fryer and associate Bridget English are the authors of the “United Kingdom” [PDF] chapter in Taxation of Crypto Assets published by Wolters Kluwer on November 13, 2020.

Reprinted from Taxation of Crypto Assets, (November 2020), (p683-710) with permission of Kluwer Law International.

The 17th amendment of the Foreign Trade and Payments Ordinance (“AWV amendment”) came into effect in the first week of May 2021. It marks the third fundamental revision of the German FDI regime since April 2020. FDI scrutiny in Germany therefore continues to witness a significant amount of attention.

Summary

Almost 20 new business sectors, for which a mandatory cross-sector filing may be required, are added to the existing regime. These include: satellite systems, artificial intelligence, robots, autonomous driving/unmanned aircrafts, quantum mechanics, and critical raw materials.
In these newly covered business sectors, a mandatory filing is triggered if 20% or more of the voting rights in the German target are to be acquired by a non-EU/EFTA investor. This is higher than the 10% threshold that applies to the business sectors covered by the regime before the most recent changes.
One of the main goals of the reform is to mirror in national law the protection of the specific sectors mentioned in Art. 4(1) Regulation (EU) 2019/452 (“EU Screening Regulation”) and to further clarify the delineation of these sectors.
Investments in the defence sector also face a broader range of mandatory sector-specific filing obligations.
In addition, an ex officio review can now also be triggered if certain control rights are acquired.

Background

On 30 April 2021, the AWV amendment was published in the Federal Gazette and came into effect the day after. The German Ministry of Economic Affairs and Energy (“BMWi”) had published a draft of the amendment in January 2021, which was open for public consultation. The AWV amendment follows two earlier revisions to the German FDI regime in 2020 which were triggered by the COVID-19 pandemic as well as the EU Screening Regulation. FDI regimes across the globe, in particular in EU Member States, such as Austria, France, Italy, and Spain have seen substantial expansion in recent months.

Overview

The AWV amendment is mainly driven by the aim of reflecting in national law the categories of critical technologies and activities mentioned in Art. 4(1) of the EU Screening Regulation. By its nature, the EU Screening Regulation has a directly binding effect so that a transposition into national law is not formally required. However, the EU Member States are not obliged to consider these categories as a ground for a mandatory filing and have some discretion with respect to their implementation. The German regulator has added almost twenty critical sectors to the list.

In more detail:

Cross-sector review increased significantly

The AWV amendment expands the cross-sector review significantly and introduces a new investment threshold. A mandatory filing in the newly covered business sectors is only triggered if a non-EU/EFTA investor acquires 20% or more of the voting rights in a German target. The 10% threshold remains the applicable threshold for the business sectors previously covered. The “new” business sectors include:

developers or manufacturers of filter materials that are suitable as a starting material for respirators or medical face masks;
operators of a high-quality earth remote sensing system (e. satellites);
developers or manufacturers of goods which solve specific application problems by means of artificial intelligence and are capable of independently optimizing their algorithm, and which can be used inter alia to carry out cyber-attacks or imitate individuals in order to distribute targeted disinformation;
developers or manufacturers of motor vehicles or unmanned aircrafts;
developers or manufacturers of specific industrial robots;
developers, manufacturers or refiners of micro- or nanoelectronics, including their components;
developers or manufacturers of specific security-relevant IT products or components of such products;
operators of an air carrier with an EU operating license or developers or manufacturers of goods mentioned in subcategories 7A, 7B, 7D, 7E, 9A, 9B, 9D, or 9E of Annex I of Regulation (EC) No 428/2009 (“Dual-Use Regulation”) or goods or technology intended for use in space or for use in space infrastructure systems;
developers, manufacturers, modifiers or users of goods of category 0 or of list headings 1B225, 1B226, 1B228, 1B231, 1B232, 1B233 or 1B235 of Annex I to Dual-Use Regulation;
developers or manufacturers of specific goods or components for such goods using quantum mechanics;
developers or manufacturers of goods with which components of metallic or ceramic materials are produced by means of additive manufacturing processes;
developers or manufacturers of goods specifically for the operation of wireless or wireline data networks;
manufacturers of (components of) smart meter gateways;
employers of persons who work in vital facilities at safety-sensitive locations;
processors or refiners of raw materials or ores that have been defined in the list of critical raw materials;
developers or manufacturers of goods within the scope of protection of a patent classified or a utility model classified; and
a German undertaking which is of fundamental importance for food safety and directly or indirectly manages an agricultural area of more than 10,000 hectares.

Scope of sector-specific review also broadened

In addition, Section 60 of the AWV amendment expands the sector-specific review and now includes a reference to the entire part 1, section A of the export list [Ausfuhrliste]. It also captures developers or manufacturers or modifiers of goods in the field of defence technology, and those who have actual control over such goods which are within the scope of protection of a patent classified or a utility model classified. Both cases also apply to undertakings which have developed, produced or modified or had actual control over the respective goods in the past and which still have knowledge or other access to the underlying technology.

The acquisition of certain control rights opens the scope for ex officio investigations

The scope of the FDI review now also extends to acquisitions of control rights. Section 56(3) of the AWV amendment provides that the regime also applies to acquisitions of effective control over a German target, even if the voting rights threshold of 25% is not exceeded. This is particularly the case if an acquisition of voting rights is accompanied by (i) the guarantee of additional seats or majorities in supervisory bodies or in the management; (ii) the granting of veto rights in strategic business or personnel decisions; or (iii) the granting of information rights. Such rights must go beyond the influence which would ordinarily result from a 25% stake.

Increasing shareholding may trigger another filing obligation

The AWV amendment also clarified that share increases may lead to new filing obligations. If, for example, a non-EU/EFTA investor initially acquired 10% in a German target which operates a critical infrastructure and intends to increase its stake to 25%, 40%, 50%, or 75% (25%, 40%, 50%, or 75% in case of the 20% threshold for “new” business sectors, respectively) a mandatory filing is triggered.

Conclusion

The decision of the German regulator to introduce specific business sectors instead of referring to the broad categories mentioned in the EU Screening Regulation promotes legal certainty. However, it also significantly increases the regulatory burden for inbound M&A. First, the business sectors now covered by the German FDI regime will often require a sophisticated qualitative filing assessment. Secondly, since the categories of control are rather vague, a voluntary filing (to obtain a certificate of non-objection) will more often be considered as the only prudent course.

In light of this, investors should analyse potential FDI filing requirements at an early stage to avoid any time constraints impeding the completion of the transaction.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. For further information, please feel free to contact the Gibson Dunn lawyer with whom you usually work, any member of the team in Frankfurt or Munich, or the following authors:

Georg Weidenbach (+49 69 247 411 550, [email protected])
Michael Walther (+49 89 189 33 180, [email protected])
Wilhelm Reinhardt (+49 69 247 411 520, [email protected])
Linda Vögele (+49 69 247 411 536, [email protected])
Jan Vollkammer (+49 69 247 411 551, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Washington, D.C. partner Joshua Lipshutz and Los Angeles associate Thomas Cochrane are the authors of “Ruling sets up worker classification test for high court review,” [PDF] published by the Daily Journal on May 5, 2021.

Dallas associate Michael Cannon is the author of “The Clean Energy Revolution: Renewable Energy Tax Incentives and Issues” [PDF] published by Tax Notes Federal on April 12, 2021.

New York partner Joel Cohen, London partner Sacha Harber-Kelly and London associate Steve Melrose are the authors of “Why Corporations Should Rethink How They Evaluate Deferred Prosecution Agreements,” [PDF] published by the New York Law Journal on May 6, 2021.

Washington, D.C. partner Mark Perry and Los Angeles partner Perlette Michèle Jura are the authors of the “United States” [PDF] chapter in Appeals 2021 published by Lexology in May 2021.

London partners Doug Watson and Patrick Doris and associate Daniel Barnett are the authors of the “United Kingdom” [PDF] chapter in Appeals 2021 published by Lexology in May 2021.

Join our panelists for a discussion of cap and trade programs in the United States and Europe, and a forecast of what to expect for a U.S. carbon market under the Biden administration. The panel will cover the potential for federal action by the new administration as well as the existing cap and trade systems of California, the Regional Greenhouse Gas Initiative, and the EU Emissions Trading System, including lessons learned and key takeaways from these existing systems.

View Slides (PDF)

PANELISTS:

Lena Sandberg is a partner in the Brussels office where she is a member of the firm’s Energy Group. Ms. Sandberg’s practice covers all aspects of competition law, including subsidies (State aid) and she has extensive regulatory experience in the energy and environmental sectors, including gas, renewables, electricity production and transmission, carbon emission reduction schemes and hydrogen. Prior to joining Gibson Dunn, Ms. Sandberg served as Senior Officer in the Competition and State Aid Directorate at the EFTA Surveillance Authority, where she covered complex questions in the energy and environmental area particularly in the field of the EU Emissions Trading Scheme, renewable energy, energy taxes, electricity supply, carbon capture, and a string of related issues.

Jeffrey L. Steiner is a partner in the Washington, D.C. office, where he co-leads the firm’s Derivatives practice and is co-leader of the firm’s Digital Currencies and Blockchain Technology team practice. Mr. Steiner advises financial institutions, energy companies, private funds, corporations and others on compliance and implementation issues relating to derivatives and commodities trading, including compliance with CFTC, SEC, the Dodd-Frank Act, and other rules and regulations. He also helps clients to navigate through cross-border issues resulting from global derivatives and commodities requirements. Before joining the firm, Mr. Steiner was special counsel in the Division of Market Oversight at the CFTC where he handled a range of issues relating to trading and execution of futures and swaps.

Abbey Hudson is a partner in the Los Angeles office where she is a member of the Environmental Litigation and Mass Tort Practice Group. Ms. Hudson devotes a significant portion of her time to helping clients navigate environmental and emerging regulations and related governmental investigations. She has handled all aspects of environmental and mass tort litigation and regulatory compliance. She also provides counseling and advice on environmental and regulatory compliance to clients on a wide range of issues, including supply chain transparency requirements, comments on pending regulatory developments, and enforcement.

Jennifer C. Mansh is a senior associate in the Washington, D.C. office and a member of the firm’s Energy, Regulation and Litigation Practice Group. Ms. Mansh advises clients on energy litigation, regulatory, and transactional matters before the FERC, CFTC, the Department of Energy, and state public utility commissions. Ms. Mansh has represented a wide variety of electric utilities, merchant transmission companies, power marketers, and natural gas and oil pipeline companies in rate, licensing, and enforcement proceedings, and she assists clients on a variety of transactional matters and compliance issues.

Mark Tomaier is an associate in the Orange County office where he currently practices general litigation in the firm’s Litigation Department. Mr. Tomaier earned his law degree cum laude in 2017 from Harvard Law School, where he was an Articles Editor on the Harvard Environmental Law Review. In 2012, he graduated with highest honors from the University of California Berkeley with a Bachelor of Arts Degree, double majoring in English and in Rhetoric. Prior to joining the firm, Mr. Tomaier served as a law clerk to The Honorable Marilyn L. Huff in the United States District Court for the Southern District of California and as a law clerk to The Honorable Michael D. Wilson in the Supreme Court of Hawaii.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hours, of which 1.0 credit hours may be applied toward the areas of professional practice requirement.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hours.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

Los Angeles partner Theane Evangelis is the author of “Don’t turn classrooms into courtrooms and retraumatize victims,” [PDF] published by the Daily Journal on April 28, 2021.

Los Angeles partner Michael Dore is the author of “Legal issues to watch in navigating the secondary market for NFTs,” [PDF] published by the Daily Journal on April 27, 2021.

On April 27, 2021, a federal court in the Northern District of California dismissed federal and state law claims brought derivatively on behalf of The Gap, Inc., holding that the California proceedings were foreclosed by a forum selection bylaw designating the Delaware Court of Chancery as the exclusive forum for derivative suits (the “Forum Bylaw”). See Lee v. Fisher, Case No. 20-cv-06163-SK, ECF No. 59. This decision strikes a blow against what has become a new tactic of the plaintiff’s bar: asserting violations of the federal securities laws in the guise of shareholder derivative claims. This ruling furthers the purpose of exclusive forum bylaws to prevent duplicative litigation in multiple forums, and highlights the benefits these bylaws may achieve for companies.

The plaintiff in Fisher brought derivative claims purportedly on behalf of Gap against certain directors and officers based on their alleged failure to promote diversity at Gap and for allegedly making misleading statements about Gap’s commitment to diversity. The plaintiff asserted both state law claims (like breach of fiduciary duty) and a federal securities law claim for violation of Section 14(a) of the Securities Exchange Act.

Defendants moved to dismiss on forum non conveniens grounds pursuant to the Forum Bylaw. Plaintiff argued that the court could not enforce the Forum Bylaw as to the federal Section 14(a) claim because (1) that claim was subject to exclusive federal jurisdiction and could not be asserted in the Delaware Court of Chancery, and (2) enforcing the Forum Bylaw would violate the Exchange Act provision that prohibits waiving compliance with the Exchange Act (the “anti-waiver” provision).

The court rejected plaintiff’s arguments and enforced the Forum Bylaw, effectively precluding the plaintiff from asserting a Section 14(a) claim in any forum. First, the court noted the strong policy in favor of enforcing forum selection clauses, which the Ninth Circuit has held supersedes anti-waiver provisions like those in the Exchange Act. See Yei A. Sun v. Advanced China Healthcare, Inc., 901 F.3d 1081 (9th Cir. 2018). Second, relying on the Ninth Circuit’s holding in Sun that a forum selection clause should be enforced unless the forum “affords the plaintiffs no remedies whatsoever,” the court held that the Forum Bylaw was enforceable because the plaintiff could file a separate state law derivative action in Delaware, even if that action could not include federal securities law claims.

This ruling is notable because other federal courts confronted with a similar argument have decided to enforce these bylaws only as to state law claims, and to keep the federal claims in federal court. The result of those rulings, though, is that derivative actions involving the same alleged misconduct could proceed in two forums—actions in federal court involving federal law claims, and actions in state court involving state law claims. This result undermines the purpose of exclusive forum bylaws to prevent duplicative litigation in multiple forums.

The Fisher decision, as well as a similar ruling reached in Seafarers Pension Plan v. Bradway, 2020 WL 3246326 (N.D. Ill. June 8, 2020), should help establish that exclusive forum bylaws require all derivative actions to proceed in a single forum. When drafting and (later) enforcing exclusive forum bylaws, companies should have these recent decisions top of mind to make sure that these bylaws achieve their goal of efficiently litigating disputes in one forum only.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the Securities Litigation or Securities Regulation and Corporate Governance practice groups, or the following authors:

Brian M. Lutz – San Francisco/New York (+1 415-393-8379/+1 212-351-3881, [email protected])
Jason J. Mendro – Washington, D.C. (+1 202-887-3726, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202-955-8671, [email protected])
Michael J. Kahn – San Francisco (+1 415-393-8316, [email protected])

Please also feel free to contact any of the following practice leaders and members:

Securities Litigation Group:
Monica K. Loseman – Co-Chair, Denver (+1 303-298-5784, [email protected])
Brian M. Lutz – Co-Chair, San Francisco/New York (+1 415-393-8379/+1 212-351-3881, [email protected])
Robert F. Serio – Co-Chair, New York (+1 212-351-3917, [email protected])
Craig Varnen – Co-Chair, Los Angeles (+1 213-229-7922, [email protected])
Jefferson Bell – New York (+1 212-351-2395, [email protected])
Matthew L. Biben – New York (+1 212-351-6300, [email protected])
Michael D. Celio – Palo Alto (+1 650-849-5326, [email protected])
Paul J. Collins – Palo Alto (+1 650-849-5309, [email protected])
Jennifer L. Conn – New York (+1 212-351-4086, [email protected])
Thad A. Davis – San Francisco (+1 415-393-8251, [email protected])
Mark A. Kirsch – New York (+1 212-351-2662, [email protected])
Jason J. Mendro – Washington, D.C. (+1 202-887-3726, [email protected])
Alex Mircheff – Los Angeles (+1 213-229-7307, [email protected])
Robert C. Walters – Dallas (+1 214-698-3114, [email protected])

Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Co-Chair, Washington, D.C. (+1 202-955-8287, [email protected])
James J. Moloney – Co-Chair, Orange County, CA (+ 949-451-4343, [email protected])
Lori Zyskowski – Co-Chair, New York (+1 212-351-2309, [email protected])
Brian J. Lane – Washington, D.C. (+1 202-887-3646, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202-955-8671, [email protected])
Thomas J. Kim – Washington, D.C. (+1 202-887-3550, [email protected])
Michael A. Titera – Orange County, CA (+1 949-451-4365, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

I. Introduction

II. Key Provisions of the Executive Order

Sec. 2. Removing Barriers to Sharing Threat Information.

Sec. 3. Modernizing Federal Government Cybersecurity.

Sec. 4. Enhancing Software Supply Chain Security.

Sec. 5. Establishing a Cyber Safety Review Board.

Sec. 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents.

Sec. 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks.

Sec. 8. Improving the Federal Government’s Investigative and Remediation Capabilities.

Sec. 9. National Security Systems.

III. Analysis and Takeaways