Part One: EU Developments
Introduction
The concept of mandatory corporate human rights due diligence is gaining momentum, both within Europe and on the international stage.
In this two-part alert, we examine key global legislative developments and proposals on this important topic. In Part One, we look at very recent steps taken by the institutions of the EU towards implementation of legislation at a pan-European level. In Part Two, we will consider developments at a national level within the EU and also look beyond Europe as we discuss the position in APAC, the US and Canada.
Mandatory Corporate Human Rights Due Diligence: EU Developments
What exactly should be the responsibilities of directors and companies with regard to sustainability and mandatory human rights due diligence? That question has been high on the agenda at European level for some time, with both the European Commission (the executive branch) (the “Commission”) and the European Parliament (the legislature) (the “EU Parliament”) advocating strongly for legislation that would provide for mandatory corporate due diligence on human rights and environmental issues. Most recently, on 27 January 2021 the EU Parliament Committee on Legal Affairs (the “CLA”) adopted a draft report containing a proposal for a directive on Corporate Due Diligence and Corporate Accountability (the “draft directive”).
Background
In April 2020, a few months after more than a hundred civil society organisations had called on the Commission to develop human rights and environmental due diligence legislation, EU Justice Commissioner Didier Reynders announced that the Commission would (by early 2021) propose a law requiring corporates to undertake mandatory environmental and human rights due diligence across their supply chain and business relationships.
In July 2020, the Commission then published a study that focused on the root causes of “short termism” in corporate governance. Among those causes were, in the Commission’s opinion, a narrow view of directors’ duties, board remuneration that focused on short-term shareholder value, and the lack of a strategic perspective over sustainability. The study concluded that non-financial reporting obligations “have proven insufficient to overcome pressures to focus on short-term financial performance and to influence companies and their investors to prioritise sustainability.”[1]
Since these announcements, both the Commission and the EU Parliament have considered several legislative initiatives, which are the focus of this alert:
- On 2 September 2020, Commissioner Reynders announced the Commission’s intention to submit a proposal for a mandatory human rights and environmental due diligence and sustainable corporate governance framework in 2021. The initiative would aim to impose on directors an obligation to consider the interests of all stakeholders (and not just the interests of the company’s shareholders).
- On 11 September 2020, the CLA published a report containing the draft directive. Both the report and the draft directive focus on mandatory human rights, environmental and governance due diligence throughout a company’s value chain.
The Commission’s Sustainable Corporate Governance Initiative
The Commission has indicated that it will put forward a proposal for corporate governance legislation in Q1 2021. The Inception Impact Assessment (a plan prepared by the Commission which sets out preliminary ideas for the initiative and allows for stakeholder feedback) indicates that measures could include a combination of new due diligence obligations on companies, as well as a new duty on directors “to take into account all stakeholders’ interests which are relevant for the long-term sustainability of the firm.”[2] Those new duties would be supplemented by an appropriate facilitating, enforcement and implementation mechanism.
|
The Commission: Next Steps
|
EU Parliament Draft Directive on Corporate Due Diligence and Corporate Accountability
As mentioned above, on 11 September 2020, the CLA published a report that included the draft directive on corporate due diligence and corporate accountability. As things stand, the draft directive, which was adopted (with significant amendments to the September 2020 version) by the CLA on 27 January 2020, provides the best indication of what mandatory due diligence legislation might look like at EU level. While it is by no means final, the draft directive contains important considerations for businesses. This alert also considers the Compromise Amendments to the draft directive, which reflect the outcome of the CLA’s consideration of the report and the amendments published on 27 January.[3] A consolidated version of the report and accompanying revised draft directive are still awaited.
|
The Draft Directive: Key Points
|
|
The Draft Directive: Next Steps
|
It is important to note that there is no guarantee that the Commission will submit a proposal for legislation in the form of the draft directive. Indeed, between 2009 and 2019, the Commission put forward a legislative proposal in respect of only 7 out of the EU Parliament’s 29 legislative initiatives. While the Commission has expressed interest in this type of initiative (and, as explained above, is currently working on a similar initiative of its own), it may decide to make amendments to the draft legislative framework or simply propose its own framework. The future path of the draft directive in its current form is therefore by no means clear.
Other EU Parliament Initiatives
The developments just described feature among a whole suite of EU Parliament initiatives.
Other measures include a separate mandatory due diligence initiative focusing on forest and ecosystem-risk commodities (“FERC”). At the moment, this initiative is in the form of a report, which was adopted by the EU Parliament on 22 October 2020, and which requests that the Commission propose an EU legal framework to halt and reverse EU-driven global deforestation. The report contains recommendations, including that companies which place FERC on the EU market (or companies providing finance to such operators) should be required to conduct due diligence on their supply chains. In the case of non-compliance with the obligations proposed in the initiative, the report recommends criminal and civil penalties for individuals as well as for companies, irrespective of the company’s legal form, size, location or the complexity of its value chains.[4]
Further, on 17 December 2020, the EU Parliament approved a report on sustainable corporate governance.[5] The report does not put forward any legislative proposals but focuses on perceived shortcomings in the implementation of the Non-Financial Reporting Directive (“NFRD”), which governs the disclosure of non-financial and diversity information by large companies. The report invites the Commission to review the NFRD. The report calls for a new framework to introduce an enhanced director duty of care in company law, noting in particular that “the duty of care of directors towards their company should be defined not only in relation to short-term profit maximisation by way of shares, but also sustainability concerns.” The report also calls for additional measures to make corporate governance more sustainability-oriented. It “considers that linking the variable part of the remuneration of executive directors to the achievement of the measurable targets set in the [company’s sustainability] strategy would serve to align directors’ interests with the long-term interests of their companies; [and] calls on the Commission to further promote such remuneration schemes for top management positions.” The report is a way for the EU Parliament to exert pressure on the Commission to put forward a legislative proposal on corporate governance, and could also be an indicator that the EU Parliament will be supportive of the Commission’s corporate governance initiative.
Conclusion
If the European initiatives become law in their current form, or in a similar form, they will impose substantive requirements on companies with an EU footprint, whether based in Europe or providing goods or services into the EU. The expectation that companies should conduct mandatory due diligence for environmental and human rights impacts may extend to a requirement to conduct that due diligence across the company’s entire value chain, with potential administrative fines and civil liability for failures which have led (or might lead) to adverse human rights impacts. While we understand that director liability has been removed from the draft directive, the Commission’s sustainable corporate governance initiative means that legal risks could still arise at both a corporate and director level.
However these initiatives evolve, when viewed with other national and international developments (to be discussed in Part Two of this alert), it is clear that companies proactively need to be considering their value chain management and risk management frameworks for human rights, environmental and good governance considerations, and readying themselves for stricter controls and expectations in this field.
________________________
[1] Study on directors’ duties and sustainable corporate governance (29 July 2020), available at: https://op.europa.eu/en/publication-detail/-/publication/e47928a2-d20b-11ea-adf7-01aa75ed71a1/language-en.
[2] Emphasis added. The Inception Impact Assessment for the Commission’s Initiative is available at: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12548-Sustainable-corporate-governance.
[3] The September 2020 draft of the report is available at: https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/JURI/PR/2021/01-27/1212406EN.pdf. The amendments to the draft are available at: https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/JURI/DV/2021/01-27/Votinglist_Corporateduediligence_amendments_EN.pdf. As at the date of this article, a consolidated version of the draft report has not been published, but should soon be made available at: https://www.europarl.europa.eu/committees/en/juri/documents/latest-documents.
[4] Available at: https://www.europarl.europa.eu/doceo/document/TA-9-2020-0285_EN.html.
[5] Available at: https://www.europarl.europa.eu/doceo/document/TA-9-2020-0372_EN.html.
Susy Bullock, Allan Neil and Alexa Romanelli are members of Gibson Dunn’s Environmental, Social and Governance (ESG) Practice. Further information about the ESG Practice can be found at: https://www.gibsondunn.com/practice/environmental-social-and-governance-esg/.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments. Please contact the Gibson Dunn lawyer with whom you usually work, or the following authors in London:
Susy Bullock (+44 (0) 20 7071 4283, [email protected])
Allan Neil (+44 (0) 20 7071 4296, [email protected])
Alexa Romanelli (+44 (0) 20 7071 4269, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
On January 27, 2021, Climate Day, President Biden issued two Executive Orders and a Memorandum addressing climate change policy and scientific integrity, which include a moratorium on new oil and gas lease permits on federal lands and waters.[1] These steps build on actions President Biden took his first day in office, such as rejoining the Paris Agreement,[2] revoking the permit for the Keystone XL pipeline, and establishing a moratorium on federal leases in Arctic Wildlife Refuge.[3] The Climate Day Orders represent the President’s first comprehensive steps to tackle climate change issues domestically and internationally and implement his $2 trillion “whole-of-government” climate plan.
These Orders are expected to impact certain sectors of the American economy, including the fossil fuel industries. Most directly, the President’s moratorium on new fossil fuel lease permits on federal lands and waters may impact the domestic oil supply. Currently, legal challenges against the Orders are pending in court and legislation to block the orders have been introduced by Republicans in Congress.[4] Additionally, a battle is taking shape in an equally divided, Democratically-controlled Senate where President Biden hopes to enact sweeping climate change legislation.[5]
President Biden’s Executive Order on the Climate Crisis: International Measures
The President’s January 27 Executive Order, entitled “Tackling the Climate Crisis at Home and Abroad” (the “Order”),[6] announces an intent to join domestic action with international action so as to enhance global action on climate change. In Part I, the Order reaffirms the United States’ commitment to address climate change with international partners, “both bilaterally and unilaterally.”[7] The Order submits the United States to host platforms to facilitate international exchanges, such as a Leaders’ Climate Summit and the major Economics forum on Energy and Climate.[8] The Order also calls for the United States to re-enter, or enter into, existing international agreements on climate change.
For one, the Order submits “the United States instrument of acceptance to rejoin the Paris Agreement.”[9] In addition to committing domestic and foreign policy to that Agreement’s broad objectives, such as “safe global temperature” and “increased climate resilience,” the Order also calls for directing the nation’s “financial flows [in a manner] aligned with a pathway toward low greenhouse gas emissions and climate-resilient development.”[10] As part of that effort, the Order commits the United States to “pursue initiatives to advance the [renewable] energy transition . . . and [to pursue] alignment of financial flows with the objectives to the Paris Agreement, including with respect to coal financing.”[11]
Section 102(j) of the Order resolves to ratify the Kigali Amendment to the Montreal Protocol within 60 days of the Order. While the Montreal Protocol’s historic goal has been to phase out substances with high global warming potential, particularly hydrochlorofluorocarbons (HFC), the Kigali Amendment—adopted in 2016 by 170 countries, though not the United States—adopts a timeline “to achieve over 80% reduction in HFC consumption by 2047.”[12] Ratifying the Amendment and its 2047 target will likely also result in the United States’ adoption of the Amendment’s short term goals, namely “updating international standards for flammable low global warming potential (GWP) refrigerants” and supporting manufacturing and marketing of “zero GWP or low-GWP refrigerant alternatives to HCFCs and HFCs.”[13]
The Order also pledges domestic resources and funding to target international developments. First, in Section 102(f), the Order announces that “[t]he United States will also immediately begin to develop a climate finance plan, making strategic use of multilateral and bilateral channels and institutions, to assist developing countries in implementing ambitious emissions reduction measures, . . . and promoting the flow of capital toward climate-aligned investments and away from high-carbon investments.” Second, the Order asks the Secretaries of State, Treasury and Energy to collaborate with the Export–Import Bank of the United States and the Chief Executive Officer of the Development of Finance Corporation (DFC) to “identify steps through which the United States can promote ending international financing of carbon-intensive fossil fuel-based energy.”[14] The DFC is a recently formed consolidation tasked with focusing United States foreign development assistance operations that were previously spread out over several offices.[15] The DFC was tasked with investing $1 billion in transportation, information and communications technology through the Connect Africa initiative. By tying the DFC’s mission to “ending international financing of carbon-intensive fossil fuel-based energy,” the Order may result in added scrutiny from federal regulators for federally subsidized transportation infrastructure projects in Sub-Saharan Africa.
President Biden’s Executive Order on the Climate Crisis: Domestic Measures
Part II of the Order addresses climate change measures at the domestic level, drawing on domestic resources. The Order envisages both a “government-wide approach” and a strategy centralized with the newly formed White House Office of Domestic Climate Policy (the “Office”), which is tasked with overseeing all “domestic climate-policy decisions and programs,” ensuring their consistency with the President’s “stated goals” and drawing on all “assistance as may be necessary to carry out the provisions of th[e] order.”[16] The Office will be supported by a Climate Change Task Force (the “Task Force”) composed of most, if not all, cabinet secretaries, including the Secretary of Energy, as well as several Assistants to the President. The Task Force’s stated mission is to facilitate “deployment of a Government-wide approach to combat the climate crisis,” including measures “to reduce climate pollution; . . . conserve our lands, waters, oceans, and biodiversity; [and] deliver economic justice.”
Sections 207 to 209 of the Order describe President Biden’s more concrete and targeted initiatives. Section 207 requires a review, by the Secretary of the Interior, of “the siting and permitting processes on public lands and in offshore waters” to make these processes more amenable to renewable energy initiatives, with the goal of “doubling offshore wind by 2030 while ensuring robust protection for our lands, waters, and biodiversity.”
Section 208 of the Order announces a pause, or moratorium, on all “new oil and natural gas leases on public lands or in offshore waters” until a “comprehensive review and reconsideration of Federal oil and gas permitting and leasing practices” has been submitted.[17] Section 208 makes clear that such review should analyze the “potential climate and other impacts associated with oil and gas activities on public lands or in offshore waters.”[18] Because the Order does not delineate the timeline for such review, the duration of the moratorium is uncertain.[19]
Section 209 addresses fossil fuel subsidies and calls for the heads of agencies to identify fossil fuel subsidies provided by their agency and “then take steps to ensure that, to the extent consistent with applicable law, Federal funding is not directly subsidizing fossil fuels.”[20] This section also calls for the “eliminat[ion of] fossil fuel subsidies from the budget request for Fiscal Year 2022 and thereafter.” This latter goal, as discussed below, will require congressional action.
Sections 212 to 220 of the Order establish a distinct “Interagency Working Group on Coal and Power Plant Communities” to address employees in fossil fuel industries,[21] to “revitalize the economies of coal, oil and gas,” and to “assess opportunities to ensure benefits and protections for coal and power plant workers” and their communities.[22] The Order mandates that 60 days from its date, the newly established Interagency Working Group report back to the President on these matters.
President Biden’s Executive Order on the Climate Crisis: Environmental Justice
A final segment of the Order addresses racial equity and the broader societal impacts reliance on fossil fuel production have had on certain communities. These impacts are addressed in a number of sections concerning environmental justice.[23] The Order reactivates President Clinton’s 1994 Executive Order on Environmental Justice, EO 12898 (2/11/94),[24] an order whose goals President Obama described as the “pursu[it of] clean air, water, and land for all people.”[25] Consistent with the goals of this Executive Order, the Biden Administration is expected to pursue racial justice and equity across the board, including in environmental justice.[26] To this end, the Order describes an initiative to ensure that 40% of the overall benefits of a renewable energy push accrue to minority communities.[27]
President Biden’s Executive Order (and Associated Memorandum) on Scientific Integrity
The Order’s opening paragraph commits the administration to listen to science. An additional order establishes the “President’s Council of Advisors on Science and Technology” (“PCAST”).[28] PCAST comprises both federal governmental employees as well as representatives from “sectors outside of the Federal Government . . . [with] diverse perspectives and expertise in science, technology, and innovation.” In addition, PCAST is instructed to “solicit information and ideas from a broad range of stakeholders, including . . . the private sector.”[29] PCAST’s advisory function is broad and discretionary, and explicitly contains within its scope policy matters affecting “energy, the environment, [and] public health.”[30]
An associated memorandum on scientific integrity[31] addresses private sector efforts to influence energy and climate policies by the current administration. Per President Biden’s Memorandum, a newly formed inter-agency task force will review “any instances in which existing scientific-integrity policies have not been followed or enforced, including whether such deviations from existing policies have resulted in improper political interference in the conduct of scientific research and the collection of scientific or technological data.”[32]
Projected Impacts of the Order’s Moratorium
President Biden’s Climate Day Executive Orders may most concretely impact the domestic oil and gas industry through the moratorium on new permits for fossil fuel projects on federal lands. While the moratorium is expected to have minimal immediate impact on the domestic supply of oil and gas, the long term impacts from a permanent ban could be significant for oil and gas producers and western states. A permanent ban may lead to a reduction in domestic oil supply.[33] While the Order undoubtedly presents challenges for the oil industry, it also provides concrete opportunities for oil and gas companies to adopt renewable energy technology. President Biden has sent a strong message to the private sector that aggressively addressing the climate crisis is a central policy objective of his administration. Whether President Biden’s Executive Orders are followed up by congressional action or not, there will be increased incentives for companies to invest in renewable energy.
The moratorium on new drilling leases on federal lands and offshore waters affects a significant portion of domestic oil and gas production. Because large oil companies were able to mitigate the effects of the anticipated moratorium by stockpiling permits in the final months of the Trump Administration, the moratorium is expected to have little immediate impact on domestic oil supply.[34] However, smaller oil and gas companies who lacked available capital to stockpile permits and who operate in western states with large amounts of federal land will be challenged by the Order regardless of how long it lasts.[35] If the Order becomes permanent, the domestic oil and gas industry will be significantly impacted, especially shale drillers in the Permian Basin and offshore producers in the Gulf of Mexico.[36] Analysts estimate that oil companies have three to five years of approved drilling permits on federal land and one to three years of approved permits in the Gulf.[37] Once these permits expire, the United States could lose up to 300,000 barrels of production a day.[38]
The moratorium also provides further incentive for oil and gas companies to invest in renewable energy technology. In the Order, President Biden set a concrete goal of doubling wind energy production in the Gulf by 2030.[39] The Order also asks the Interior Department to review permitting processes on federal lands to make those processes more amenable to renewable energy projects.[40] The moratorium, thus, provides oil and gas companies with an opportunity to leverage their existing capabilities and invest in renewable energy technology to secure federal permits for renewable energy projects in the Gulf and on federal land.
Legal Challenges to the Moratorium and President Biden’s $2 Trillion Climate Plan
President Biden’s Climate Day Executive Orders have already drawn legal challenges. Further, to implement his $2 trillion climate plan, President Biden will need to rely on Congress to pass sweeping legislation implementing his plan. This is a tall order since Congress is sharply divided and climate policy can transcend party lines.
The first legal attack on the moratorium on federal permits for fossil fuel projects was brought in federal district court in Wyoming by Western Energy Alliance, a group representing 200 small, independent oil companies in the western United States.[41] Western Energy Alliance challenges the Order “as exceeding presidential authority and constituting a violation of the Mineral Leasing Act, National Environmental Policy Act, and the Federal Lands Policy and Management Act.”[42] Additional lawsuits are expected as interested parties consider the interplay between presidential power and existing legislation and regulations.[43] Additionally, attorneys general from six states wrote a letter to the president warning him not to overstep his authority.[44]
In addition to court challenges, Republican Senators and Members of Congress have introduced bills seeking to block the moratorium. Wyoming Representative Liz Cheney (R-WY) introduced bills in the House that would block the moratorium on federal lease permits unless approved by a joint resolution of Congress.[45] In addition, a group of 25 Republican Senators introduced a bill that would require congressional approval to suspend fossil fuel leasing on federal lands or in federal waters.[46] These bills have little chance of advancing in the Democratically-controlled House and Senate.[47]
Beyond the moratorium on federal permitting for fossil fuel projects, the Order describes an ambitious $2 trillion plan to achieve a carbon-free electricity sector by 2035 and nationwide net-zero emissions by 2050, joining over 100 countries that have already made mid-century pledges and solidifying the United States as a global climate leader going forward.[48] To achieve these ambitious goals, however, President Biden must rely on Congress to pass sweeping legislation, which will be difficult in the evenly divided Senate. While Vice President Kamala Harris holds the tie-breaking vote to enact legislation, at least two Democratic Senators are sympathetic to the fossil fuel industries that provide jobs and revenue for their states.[49] In addition, at least two Democratic Senators oppose ending the filibuster, which, if invoked, would require 60 votes to enact legislation.[50] However, Senate Majority Leader Chuck Schumer (D-NY) has called on committee chairs to begin holding hearings on major climate legislation.[51]
If Democratic Senators are unable to push through major climate legislation, President Biden may be forced to implement his plan piecemeal, often by attaching climate initiatives as smaller pieces of bipartisan bills.[52] This approach will still be challenging. For example, President Biden plans to eliminate fossil fuel subsidies from the federal budget as early as 2022, which would free up funds for climate initiatives.[53] Fossil fuel subsidies are significant, with some estimates surpassing $20 billion per year.[54] However, most fossil fuel subsidies are in the form of tax breaks, which will require congressional action to eliminate.[55] Such a move is unlikely to pass, even assuming Democrats eliminated the legislative filibuster, as Democratic Senators, like Senators Martin Heinrich (D-NM) and Joe Manchin (D-WV), must consider the devastating effects President Biden’s Climate Day Executive Orders are already expected to have on fossil fuel production in their states.[56]
If President Biden fails to cement his plan through legislation, his Climate Day Executive Orders could be at risk of being overturned in four years. President Biden does, however, have another non-legislative option to enact his climate change plan. Senator Schumer suggested that President Biden should declare the climate crisis a state of emergency.[57] Declaring a state of emergency would allow President Biden to secure additional funding to fight the climate crisis.[58] Thus, declaring a state of emergency would allow President Biden to circumvent Congress and enact portions of his climate plan.[59]
Conclusion
President Biden’s Climate Day Orders represent the first step towards President Biden’s vision of a world in which the United States is a global leader on climate policy. These developments must be monitored closely over the years to come as they are expected to have a significant impact on fossil fuel industries, alternative energy industries, and the domestic economy more broadly.
____________________
[1] The White House, FACT SHEET: President Biden Takes Executive Actions to Tackle the Climate Crisis at Home and Abroad, Create Jobs, and Restore Scientific Integrity Across Federal Government (Jan 27, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/01/27/fact-sheet-president-biden-takes-executive-actions-to-tackle-the-climate-crisis-at-home-and-abroad-create-jobs-and-restore-scientific-integrity-across-federal-government/.
[2] The President announced on January 20, 2021, that he, “having seen and considered the Paris Agreement, done at Paris on December 12, 2015, do hereby accept the said Agreement and every article and clause thereof on behalf of the United States of America.” See The White House, Paris Climate Agreement (Jan 20, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/01/20/paris-climate-agreement/.
[3] See, The White House, Executive Order on Protecting Public Health and the Environment and Restoring Science to Tackle the Climate Crisis §§ 4, 6 (Jan 20, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/01/20/executive-order-protecting-public-health-and-environment-and-restoring-science-to-tackle-climate-crisis/.
[4] Western Energy Alliance filed a lawsuit challenging the Order the day it was issued and Republicans have introduced bills in the House of Representatives and Senate. Audrey Conklin & Tyler Olson, Cheney Introducing Bills Prohibiting Biden Coal, Oil, Gas Leasing Moratoriums, Fox Business (Jan 28, 2021), https://www.foxbusiness.com/politics/cheney-legislation-biden-oil-gas-moratoriums; Biden’s Leasing Ban on Public Lands Challenged by Western Energy Alliance in Federal Court, Western Energy Alliance (Jan 27, 2021), https://www.westernenergyalliance.org/pressreleases/bidens-leasing-ban-on-public-lands-challenged-by-western-energy-alliance-in-federal-court [hereinafter Western Energy Alliance].
[5] Senate Majority Leader Chuck Schumer (D-NY) has instructed Democratic committee chairs to begin holding hearings on major climate change legislation. The ability of Democrats to pass such legislation in the evenly split Senate is doubtful as a number of Democratic Senators are sympathetic to fossil fuel industries that provide a significant portion of jobs and revenue for their home states. See Lindsay Wise, Senate Adopts Bipartisan Power-Sharing Deal Unanimously, The Wall Street Journal (Feb 3, 2021), https://www.wsj.com/articles/senate-democrats-reach-power-sharing-deal-with-republicans-11612364379?mod=hp_lead_pos3; Timothy Gardner, Biden Plan to End U.S. Fossil Fuel Subsidies Faces Big Challenges, Reuters (Dec 1, 2020), https://www.reuters.com/article/us-usa-biden-fossilfuel-subsidies/biden-plan-to-end-u-s-fossil-fuel-subsidies-faces-big-challenges-idUSKBN28B4T2.
[6] The White House, Executive Order on Tackling the Climate Crisis at Home and Abroad (Jan 27, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/01/27/executive-order-on-tackling-the-climate-crisis-at-home-and-abroad/ [hereinafter The Climate Order].
[7] Id. § 101.
[8] Id. §§ 102(a)-(b).
[9] Id. § 102.
[10] Id. For the Paris Agreement itself, see https://unfccc.int/sites/default/files/english_paris_agreement.pdf.
[11] Id. § 102(b).
[12] The Montreal Protocol Evolves to Fight Climate Change, United Nations Industrial Development Organization, https://www.unido.org/our-focus-safeguarding-environment-implementation-multilateral-environmental-agreements-montreal-protocol/montreal-protocol-evolves-fight-climate-change (last visited Feb 4, 2021).
[13] United Nations Industrial Development Organization, The Montreal Protocol Evolves to Fight Climate Change, https://www.unido.org/sites/default/files/2017-07/UNIDO_leaflet_07_MontrealProtocolEvolves_170126_0.pdf (last visited Feb 4, 2021).
[14] The Climate Order, supra note 6, § 102(h).
[15] Such operations were formerly spread out over larger and smaller offices, including the Overseas Private Investment Corporation (OPIC) and the Development Credit Authority (DCA) of the United States Agency for International Development (USAID).
[16] Id. § 202.
[17] Id. § 208.
[18] Id.
[19] In a recent client alert, we discussed how such a moratorium plays out at the regulatory level if implemented at, and with cooperation of, state level agencies regulating oil and gas permitting. See https://www.gibsondunn.com/colorados-sweeping-oil-and-gas-law-one-year-later/.
[20] The Climate Order, supra note 6, § 209.
[21] Id. § 218.
[22] Id. § 218(b)(i).
[23] Id. § 220-223.
[24] Federal Actions to Address Environmental Justice in Minority Populations and Low-Income Populations, 59 Fed. Reg. 7,629 (Feb 16, 1994), https://www.archives.gov/files/federal-register/executive-orders/pdf/12898.pdf.
[25] The White House, Presidential Proclamation – 20th Anniversary of Executive Order 12898 on Environmental Justice (Feb 10, 2014), https://obamawhitehouse.archives.gov/the-press-office/2014/02/10/presidential-proclamation-20th-anniversary-executive-order-12898-environ.
[26] The White House, Statement by President Joe Biden on Black History Month (Feb 1, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/02/01/statement-by-president-joe-biden-on-black-history-month/.
[27] The Climate Order, supra note 6, § 223.
[28] The White House, Executive Order on the President’s Council of Advisors on Science and Technology, (Jan 27, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/01/27/executive-order-on-presidents-council-of-advisors-on-science-and-technology/.
[29] Id. § 3(b)(ii).
[30] Id. § 3(a).
[31] The White House, Memorandum on Restoring Trust in Government Through Scientific Integrity and Evidence-Based Policymaking (Jan 27, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/01/27/memorandum-on-restoring-trust-in-government-through-scientific-integrity-and-evidence-based-policymaking/.
[32] Id. § 2(b).
[33] Paul Takahashi, Biden’s Ban on Oil and Gas Leases Could Be the ‘Nail in the Coffin’ for Houstin’s Economic Engine, Houston Chronicle (Jan 29, 2021), https://www.houstonchronicle.com/business/energy/article/Biden-executive-orders-nail-in-coffin-oil-and-gas-15906911.php?converted=1.
[34] See id.; Timothy Puko, Ken Thomas & Andrew Restuccia, Biden’s Climate-Change Policy Targets Oil Industry, The Wall Street Journal (Jan 26, 2021), https://www.wsj.com/articles/biden-to-suspendnew-federal-oil-and-gas-leasing-11611672331.
[35] Jennifer Hiller & Nichola Groom, Big US Oil Drillers Have Federal Permits to Mute Effect of Any Biden Ban, Hart Energy (Jan 21, 2021), https://www.hartenergy.com/exclusives/big-us-oil-drillers-have-federal-permits-mute-effect-any-biden-ban-191956?utm_source=Internal&utm_medium=Popular&utm_campaign=reccoengine&utm_content=/exclusives/big-us-oil-drillers-have-federal-permits-mute-effect-any-biden-ban-191956.
[36] Takahashi, supra note 33.
[37] Id.
[38] Puko et al., supra note 34.
[39] The Climate Order, supra note 6, § 207.
[40] Id.
[41] Collin Eaton, Biden’s Order to Freeze New Oil Drilling on Federal Land: What You Need to Know, The Wall Street Journal (Jan 27, 2021), https://www.wsj.com/articles/whats-the-impact-of-president-bidens-oil-drilling-freeze-on-federal-lands-11611677934; Western Energy Alliance, supra note 4.
[42] Western Energy Alliance, supra note 4.
[43] See Puko et al., supra note 34.
[44] Ishaan Tharoor, Biden Sweeps Away Trump’s Climate-Change Denialism, The Washington Post (Jan 31, 2021), https://www.washingtonpost.com/world/2021/02/01/biden-climate-change-reversal/.
[45] Conklin & Olson, supra note 4; bills available at https://mcusercontent.com/301a28247b80ab82279e92afb/files/e8e70a74-9eb1-4e9b-aaba-d28806adf19c/CHENEY_015_xml.pdf and https://mcusercontent.com/301a28247b80ab82279e92afb/files/4cde4335-ee1b-4403-b987-906a234dd382/CHENEY_013_xml.pdf.
[46] Reuters, Republican Bill Seeks to Block Biden’s Freeze on Oil and Gas Leasing, Hart Energy (Jan 29, 2021), https://www.hartenergy.com/news/republican-bill-seeks-block-bidens-federal-leasing-freeze-oil-and-gas-192089; bill available at https://www.lummis.senate.gov/power-act-2/.
[47] See Conklin & Olson, supra note 4.
[48] The Climate Order, supra note 6, §§ 201, 205; see United Nations, Net-Zero Emissions Must Be Met by 2050 or COVID-19 Impact on Global Emissions Will Pale Beside Climate Crisis, Secretary General Tells Finance Summit (Nov 12, 2020), https://www.un.org/press/en/2020/sgsm20411.doc.htm.
[49] See Gardner, supra note 5.
[50] Wise, supra note 5.
[51] Id.
[52] Lauren Sommer, How Fast Will Biden Need to Move on Climate? Really, Really Fast, NPR (Feb 2, 2021), https://www.npr.org/2021/02/02/963014373/how-fast-will-biden-need-to-move-on-climate-really-really-fast.
[53] The Climate Order, supra note 6, § 209; Gardner, supra note 5.
[54] Gardner, supra note 5.
[55] Id.
[56] See id.
[57] Jordain Carney, Schumer Calls for Biden to Declare Climate Emergency, The Hill (Jan 25, 2021), https://thehill.com/homenews/senate/535811-schumer-suggests-biden-should-declare-climate-emergency.
[58] Id.
[59] See id.
The following Gibson Dunn attorneys assisted in preparing this client update: Michael D. Bopp, Hillary H. Holmes, Stefan Koller and Matthew D. Ross. Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s Public Policy, ESG, or Oil and Gas practices:
Public Policy Practice:
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, [email protected])
Mylan L. Denerstein – New York (+1 212-351-3850, [email protected])
Environmental, Social and Governance (ESG) Practice:
Susy Bullock – London (+44 (0) 20 7071 4283, [email protected])
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, [email protected])
Perlette M. Jura – Los Angeles (+1 213-229-7121, [email protected])
Ronald Kirk – Dallas (+1 214-698-3295, [email protected])
Michael K. Murphy – Washington, D.C. (+1 202-955-8238, [email protected])
Selina S. Sagayam – London (+44 (0) 20 7071 4263, [email protected])
Oil and Gas Practice:
Michael P. Darden – Houston (+1 346-718-6789, [email protected])
Tull Florey – Houston (+1 346-718-6767, [email protected])
Hillary H. Holmes – Houston (+1 346-718-6602, [email protected])
Shalla Prichard – Houston (+1 346-718-6644, [email protected])
Doug Rayburn – Dallas (+1 214-698-3442, [email protected])
Gerry Spedale – Houston (+1 346-718-6888, [email protected])
Beau Stark – Denver (+1 303-298-5922, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
Denver associate Jared Greenberg and Orange County associate Andrew Blythe are the authors of “New Drone Rules Show FAA is Listening to the Industry,” [PDF] published by Law360 on February 4, 2021.
On February 4, 2021, the Federal Trade Commission and the Antitrust Division of the U.S. Department of Justice jointly announced that both agencies would review the processes and procedures regarding early termination of merger notification waiting periods under the Hart-Scott-Rodino Act.[1] The announcement also stated that early termination requests would not be granted for the pendency of this review.
The Hart-Scott-Rodino Pre-Merger Notification program imposes a 30-day waiting period for most proposed transactions that meet the program’s notification requirements. During that 30-day period, the merging parties may not consummate the proposed transaction. The program permits the parties to seek early termination of the waiting period if the agencies conclude that the transaction does not pose a risk of substantial lessening of competition under the Clayton Act.
The agencies’ announcement does not describe what areas the agencies intend to review or the basis for the suspension. Rebecca Kelly Slaughter, Acting Chairwoman of the Federal Trade Commission, states in the announcement that the suspension was warranted given “the confluence of an historically unprecedented volume of filings during a leadership transition amid a pandemic.” In a dissenting statement, Commissioners Noah Phillips and Christine Wilson note “[b]y definition, transactions terminated early are those in which the agencies are not interested. And there are many. Early terminations constitute roughly half of all transactions noticed to the agencies under the HSR Act,” adding, “[s]uspending early terminations introduces inefficiency into market operation, harming consumers and other stakeholders involved in the transactions that would have consistently received [early termination] at any point during the last 45 years.”[2]
The announcement likewise does not set out a timeframe for the review, instead noting only that the suspension will be “brief,” but the bipartisan scrutiny of consolidation in various economic sectors may lead to other changes in the U.S. merger review framework.
* * *
Separately, on February 1, 2021, the Federal Trade Commission announced its annual update of thresholds for pre-merger notifications of M&A transactions under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (“HSR Act”). Pursuant to the statute, the HSR Act’s jurisdictional thresholds are updated annually to account for changes in the gross national product.
The size of transaction threshold for reporting proposed mergers and acquisitions under Section 7A of the Clayton Act will decrease by $2.0 million, from $94 million in 2020 to $92 million for 2021. The new thresholds will take effect on March 4, 2021, applying to transactions that close on or after that date.
|
Original Threshold |
2020 Threshold |
2021 Threshold |
|
$10 million |
$18.8 million |
$18.4 million |
|
$50 million |
$94.0 million |
$92.0 million |
|
$100 million |
$188.0 million |
$184.0 million |
|
$110 million |
$206.8 million |
$202.4 million |
|
$200 million |
$376.0 million |
$368.0 million |
|
$500 million |
$940.1 million |
$919.9 million |
|
$1 billion |
$1,880.2 million |
$1,839.8 million |
The maximum fine for violations of the HSR Act has increased from $43,280 per day to $43,792.
The amounts of the filing fees have not changed, but the thresholds that trigger each fee have decreased:
|
Fee |
Size of Transaction |
|
$45,000 |
Valued at more than $92.0 million but less than $184.0 million |
|
$125,000 |
Valued at $184.0 million or more but less than $919.9 million |
|
$280,000 |
Valued at $919.9 million or more |
The 2021 thresholds triggering prohibitions on certain interlocking directorates on corporate boards of directors are $37,382,000 for Section 8(a)(l) (size of corporation) and $3,738,200 for Section 8(a)(2)(A) (competitive sales). The Section 8 thresholds took effect on January 21, 2021.
If you have any questions about the new HSR size of transaction thresholds, or HSR and antitrust/competition regulations and rulemaking more generally, please contact any of the partners or counsel listed below.
______________________
[1] Press Release, FTC, DOJ Temporarily Suspend Discretionary Practice of Early Termination, Federal Trade Commission, Feb. 4, 2021, available at: https://www.ftc.gov/news-events/press-releases/2021/02/ftc-doj-temporarily-suspend-discretionary-practice-early.
[2] Statement of Commissioners Noah Joshua Phillips and Christine S. Wilson Regarding the Commission’s Indefinite Suspension of Early Terminations, Feb. 4, 2021, available at: https://www.ftc.gov/system/files/documents/public_statements/1587047/phillipswilsonetstatement.pdf.
The following Gibson Dunn lawyers prepared this client alert: Adam Di Vincenzo, Richard Parker, Andrew Cline and Chris Wilson.
Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding the HSR Act or antitrust issues raised by business transactions. Please contact the Gibson Dunn lawyer with whom you usually work, or any member of the firm’s Antitrust and Competition practice group:
Antitrust and Competition Group:
Washington, D.C.
Adam Di Vincenzo (+1 202-887-3704, [email protected])
Scott D. Hammond (+1 202-887-3684, [email protected])
Kristen C. Limarzi (+1 202-887-3518, [email protected])
Joshua Lipton (+1 202-955-8226, [email protected])
Richard G. Parker (+1 202-955-8503, [email protected])
Cynthia Richman (+1 202-955-8234, [email protected])
Jeremy Robison (+1 202-955-8518, [email protected])
Andrew Cline (+1 202-887-3698, [email protected])
Chris Wilson (+1 202-955-8520, [email protected])
New York
Eric J. Stock (+1 212-351-2301, [email protected])
Lawrence J. Zweifach (+1 212-351-2625, [email protected])
Los Angeles
Daniel G. Swanson (+1 213-229-7430, [email protected])
Samuel G. Liversidge (+1 213-229-7420, [email protected])
Jay P. Srinivasan (+1 213-229-7296, [email protected])
Rod J. Stone (+1 213-229-7256, [email protected])
San Francisco
Rachel S. Brass (+1 415-393-8293, [email protected])
Caeli A. Higney (+1 415-393-8248, [email protected])
Dallas
Veronica S. Lewis (+1 214-698-3320, [email protected])
Mike Raiff (+1 214-698-3350, [email protected])
Brian Robison (+1 214-698-3370, [email protected])
Robert C. Walters (+1 214-698-3114, [email protected])
Brussels
Peter Alexiadis (+32 2 554 7200, [email protected])
Attila Borsos (+32 2 554 72 11, [email protected])
Jens-Olrik Murach (+32 2 554 7240, [email protected])
Christian Riis-Madsen (+32 2 554 72 05, [email protected])
Lena Sandberg (+32 2 554 72 60, [email protected])
David Wood (+32 2 554 7210, [email protected])
Frankfurt
Georg Weidenbach (+49 69 247 411 550, [email protected])
Munich
Michael Walther (+49 89 189 33 180, [email protected])
Kai Gesing (+49 89 189 33 180, [email protected])
London
Patrick Doris (+44 20 7071 4276, [email protected])
Charles Falconer (+44 20 7071 4270, [email protected])
Ali Nikpay (+44 20 7071 4273, [email protected])
Philip Rocher (+44 20 7071 4202, [email protected])
Deirdre Taylor (+44 20 7071 4274, [email protected])
Hong Kong
Kelly Austin (+852 2214 3788, [email protected])
Sébastien Evrard (+852 2214 3798, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
2020 was a uniquely uncertain and perilous year. Within the world of international trade, the steady increase in the use of sanctions and export controls—principally by the United States but also by jurisdictions around the world—proved to be a rare constant. In each of the last four years, our annual year-end Updates have chronicled a sharp rise in the use of sanctions promulgated by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), as well as growing economic tensions between the United States and other major world powers. In the final tally, OFAC during President Donald Trump’s single term sanctioned more entities than it had under two-term President George W. Bush and almost as many as two-term President Barack Obama.
The raw numbers understate the story, as the Trump administration focused sanctions authorities on larger and more systemically important players in the global economy than ever before, and also brought to bear other coercive economic measures—including export controls, import restrictions, foreign investment reviews, tariffs, and novel measures like proposed bans on Chinese mobile apps and restrictions on U.S. persons’ ability to invest in securities of certain companies with alleged ties to the Chinese military. The pace and frequency of these actions intensified in the Trump administration’s final days—an ostensible attempt to force the hand of the incoming Biden-Harris administration on a number of key national security policy decisions.
 |
 |
China takes top billing in this year’s Update, as long-simmering tensions between Beijing and Washington seemingly reached a boil. Despite a promising start to the year with the January 2020 announcement of a “phase one” trade agreement between the world’s two largest economies, relations between the two powers rapidly deteriorated amidst recriminations concerning the pandemic, a crackdown in Hong Kong, a heated U.S. presidential election, and a deepening struggle for economic, technological, and military primacy. The Chinese government on January 9, 2021 responded to the Trump administration’s barrage of trade restrictions by issuing the first sanctions blocking regime in China to counteract the impact of foreign sanctions on Chinese firms. Although the law—which borrows from a similar measure adopted by the European Union—is effective immediately, it currently only establishes a legal framework. The Chinese blocking statute will become enforceable once the Chinese government identifies the specific extra-territorial measures—likely sanctions and export controls the United States has levied against Chinese companies—to which it will then apply. While experts have long predicted the rise of a technological Cold War with Chinese 5G and Western 5G competing for dominance—the advent of China’s blocking statute (amid threats of additional counter-measures) suggests the emergence of a regulatory Cold War as well. Major multinational companies may be forced to choose between the two powers.
The pandemic and Sino-American tensions almost over-shadowed what would have been the principal trade story of the year: nearly four-and-a-half years after the United Kingdom voted to leave the European Union, London and Brussels finally completed Brexit. On December 30, 2020—one day prior to the end of the Brexit Transition period—the EU and China concluded negotiations, over the objections of the incoming U.S. administration, for a comprehensive agreement on investment focused on enabling an increase in outbound investment in China from the EU.
At year’s end, China, France, Germany, Russia, the United Kingdom, and the High Representative of the European Union for Foreign Affairs and Security Policy stressed the importance of the 2015 Joint Comprehensive Plan of Action (“JCPOA”), while the Trump administration sought to impose additional sanctions on Tehran that will make it more difficult for the Biden-Harris administration to reenter the agreement.
In the coming months, the Biden-Harris administration has promised a fulsome review of U.S. trade measures with a view to finding ways of providing possible relief to help with the global response to the coronavirus pandemic. And although we expect a more measured approach to diplomatic relations under the new administration, U.S. sanctions and export controls will continue to play a dominant role in U.S. foreign policy—and an increasingly dominant role in foreign policy strategies of America’s friends and competitors. The increasing complexity of these measures in the United States—with “sanctions” authorities increasingly split between the U.S. Treasury Department, the Department of Commerce, the Department of State, the Department of Homeland Security, and even the Department of Defense—makes for increasing challenges for parties seeking to successfully comply while managing their businesses.
Contents
A. Protecting Communications Networks and Sensitive Personal Data
B. TikTok and WeChat Prohibitions and Emerging Jurisprudence Limiting Certain Executive Authorities
C. Slowing the Advance of China’s Military Capabilities
D. Promoting Human Rights in Hong Kong
E. Promoting Human Rights in Xinjiang
F. Trade Imbalances and Tariffs
G. China’s Counter-Sanctions – The Chinese Blocking Statute
H. New Chinese Export Control Regime
II. U.S. Sanctions Program Developments
A. Iran
B. Venezuela
C. Cuba
D. Russia
E. North Korea
F. Syria
G. Other Sanctions Developments
A. Commerce Department
B. State Department
A. EU-China Relationship
B. EU Sanctions Developments
C. EU Member State Export Controls
D. EU Counter-Sanctions
V. United Kingdom Sanctions and Export Controls
A. Sanctions Developments
B. Export Controls Developments
_______________________________
I. U.S.-China Relationship
The dozens of new China-related trade restrictions announced in 2020 were generally calculated to advance a handful of longstanding U.S. policy interests for which there is broad, bipartisan support within the United States, namely protecting U.S. communications networks, intellectual property, and sensitive personal data; slowing the advance of China’s military capabilities; promoting human rights in Hong Kong and Xinjiang; and narrowing the trade deficit between Washington and Beijing. As such, while the new Biden-Harris administration promises a shift in tone—including greater coordination with traditional U.S. allies and a more orderly and strategic policymaking process—the core objectives of U.S. trade policy toward China are unlikely to change, at least in the near term. Given the emerging consensus in Washington in favor of a tough stance against China, we anticipate that President Biden will continue to pressure China over its human rights record and will be disinclined to relax Trump-era measures targeting Chinese-made goods and technology without first extracting concessions from Beijing.
Meanwhile, China shows few signs of backing down in the face of U.S. pressure. As we wrote here, in January 2021 China’s Ministry of Commerce unveiled long-anticipated counter-sanctions prohibiting Chinese citizens and companies from complying with “unjustified” foreign trade restrictions, which could soon force multinational firms into an unpalatable choice between complying with U.S. or Chinese regulations. How vigorously and selectively the Chinese authorities enforce these new counter-sanctions remains to be seen and will help set the tone for the future of U.S.-China trade relations and the challenges multinational corporations will have in navigating between the two powers.
A. Protecting Communications Networks and Sensitive Personal Data
Spurred by concerns about Chinese espionage and trade secret theft, the United States during 2020 imposed a variety of trade restrictions designed to protect U.S. communications networks and sensitive personal data by targeting globally significant Chinese technology firms like Huawei and popular mobile apps like TikTok and WeChat.
During 2020, the Trump administration continued its diplomatic, intelligence-sharing, and economic pressure campaign to dissuade countries from partnering with Huawei and other Chinese telecommunications providers in the development and deployment of fifth-generation (“5G”) wireless networks. The rollout of 5G networks—long viewed as a key battleground in the U.S.-China tech war—is about more than faster smartphones, as 5G networks are expected to support advanced technology like autonomous vehicles and to catalyze innovation across the economy from manufacturing to the military. As Huawei has emerged as a leader in 5G infrastructure, the U.S. government has increasingly raised alarms that the company’s technology may be vulnerable to Chinese government espionage. Some U.S. allies have taken steps to block Huawei’s involvement in their own domestic 5G networks. Australia blacklisted Huawei from its 5G network in August 2018, and the British government announced in July 2020 that it would ban the purchase of new Huawei equipment and would remove Huawei gear already installed from its networks by 2027, marking a reversal from a prior decision in January 2020. Other European allies, however, have resisted an outright ban, with Germany signaling in December 2020 that it could allow Huawei’s continued involvement subject to certain assurances.
The Trump administration also continued to tighten the screws on Huawei along several other fronts, with the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) adding another 38 non-U.S. affiliates of Huawei to the Entity List in August 2020. Since first adding Huawei in May 2019 citing national security concerns, the Trump administration has added over 150 Huawei affiliates to the Entity List, significantly limiting Huawei’s ability to source products from the United States and U.S. companies. These actions highlight the administration’s sustained focus on Huawei, but also reflect a broader trend in the increasingly expansive use of the Entity List against Chinese firms. In its expanding size, scope, and profile, the Entity List has begun to rival the more traditional OFAC Specially Designated Nationals (“SDN”) and Blocked Persons List as a tool of first resort when U.S. policymakers seek to wield coercive authority especially against major economies and significant economic actors.
On May 15, 2020, BIS announced a new rule to further restrict Huawei’s access to U.S. technology. The complicated rule amends the “Direct Product Rule” (discussed below) and the Entity List to restrict Huawei’s ability to share its semiconductor designs or rely on foreign foundries to manufacture semiconductors using U.S. software and technology. Although multiple rounds of Entity List designations targeting Huawei entities had already effectively cut off the company’s access to exports of most U.S.-origin products and technology, BIS claimed that Huawei had responded to the designations by moving more of its supply chain outside the United States. However, for the time being, Huawei and many of the foreign chip manufacturers that Huawei uses, still depend on U.S. equipment, software, and technology to design and produce Huawei chipsets.
BIS’s May 2020 Direct Product Rule amendment expanded one of the bases on which the U.S. can claim jurisdiction over items produced outside of the United States. Generally, under the EAR, the United States claims jurisdiction over items that are (1) U.S. origin, (2) foreign-made items that are being exported from the United States, (3) foreign-made items that incorporate more than a minimal amount of controlled U.S.-origin content, and (4) foreign-made “direct products” of certain controlled U.S.-origin software and technology. Under the fourth basis of jurisdiction, also known as the Direct Product Rule, foreign-made items are subject to U.S. Export Administration Regulation (“EAR”) controls if they are the direct product of certain U.S.-origin technology or software or are the direct product of a plant or major component of a plant located outside the United States, where the plant or major component of a plant itself is a direct product of certain U.S.-origin software and technology.
BIS’s new rule allows for the application of a tailored version of the Direct Product Rule to parties identified on its Entity List, with a bespoke list of controlled software and technology commonly used by foreign manufacturers to design and manufacture telecommunications and other kinds of integrated circuits for Huawei. Specifically, the rule makes the following non-U.S.-origin items subject to the restrictions of U.S. export controls:
- Items, such as chip designs, that Huawei and its affiliates on the Entity List produce by using certain U.S.-origin software or technology that is subject to the EAR; and
- Items, such as chipsets, made by manufacturers from Huawei-provided design specifications, if those manufacturers are using semiconductor manufacturing equipment that itself is a direct product of certain U.S.-origin software or technology subject to the EAR.
By subjecting these items to a new licensing requirement, BIS can block the sale of many semiconductors manufactured by a number of non-U.S.-based manufacturers that Huawei uses across its telecom equipment and smartphone business lines.
While Huawei has been a focal point of U.S. trade policy over the past several years, U.S. government concerns about maintaining the integrity of its communications networks and U.S. residents’ sensitive personal data extend more broadly across China’s tech sector. On May 15, 2019, acting under the authorities provided by the International Emergency Economic Powers Act (“IEEPA”)—the statutory basis for most U.S. sanctions programs—President Trump issued Executive Order 13873, which declared a national emergency with respect to the exploitation of vulnerabilities in information and communications technology and services (“ICTS”) by foreign adversaries, and authorized the Secretary of Commerce to prohibit transactions involving ICTS designed, developed, manufactured, or supplied by persons owned, controlled, or subject to the jurisdiction of a foreign adversary that pose an undue or unacceptable risk to U.S. critical infrastructure, the U.S. digital economy, national security, or the safety of U.S. persons.
On January 19, 2021, the Commerce Department published an Interim Final Rule clarifying the processes and procedures that the Secretary of Commerce will use to evaluate ICTS transactions covered by Executive Order 13873. The Interim Final Rule identified six foreign adversaries: China (including Hong Kong), Cuba, Iran, North Korea, Russia, and Venezuela’s President Nicolás Maduro; though this list can be revised as necessary. The Interim Final Rule also identified broad categories of ICTS transactions that fall within its scope, and announced that the Commerce Department will establish a licensing process for entities to seek pre-approval of ICTS transactions. Unless the Biden-Harris administration acts to delay the measure, the Interim Final Rule is scheduled to take effect on March 22, 2021.
B. TikTok and WeChat Prohibitions and Emerging Jurisprudence Limiting Certain Executive Authorities
To address the national emergency declared in the ICTS order, President Trump on August 6, 2020 issued two further Executive Orders restricting U.S. persons from dealing with the Chinese social media platforms TikTok and WeChat. The orders sought to prohibit or restrict certain categories of transactions—subsequently to be defined by the U.S. Secretary of Commerce—involving TikTok’s corporate parent ByteDance and WeChat’s corporate parent Tencent Holdings Ltd. by September 20, 2020.
Pursuant to these Executive Orders, the Commerce Department on September 18, 2020 issued a broad set of prohibitions that would have essentially banned the use or download of the TikTok and WeChat apps in the United States. The following day, a California federal district court granted a nationwide preliminary injunction halting the WeChat ban on First Amendment grounds. The plaintiffs, a group of WeChat users, successfully argued that WeChat functions as a “public square” for the Chinese-American community in the United States and that the restrictions imposed by the Commerce Department infringed upon their First Amendment rights.
One week later, a Washington D.C. federal district court granted a similar injunction with respect to the TikTok ban, finding that content exchanged by users on TikTok constitutes “information and informational materials” protected by the Berman Amendment, a statutory provision within IEEPA that aims to safeguard the free flow of information. The court further found that, by virtue of being primarily a conduit of such informational materials, the platform itself was protected by the Berman Amendment. On October 30, 2020, a Pennsylvania federal district court granted a second, nationwide preliminary injunction halting the TikTok ban on Berman Amendment grounds. On December 7, 2020, the D.C. district court found that the Trump administration had overstepped its authority under IEEPA by failing to adequately consider “an obvious and reasonable alternative” to an outright ban. Together these opinions have clarified and expanded case law regarding the limits of the President’s authority under IEEPA.
The litigation over the Commerce Department’s TikTok and WeChat bans upended a parallel effort by the U.S. Committee on Foreign Investment in the United States (“CFIUS”)—the interagency committee tasked with reviewing the national security risks associated with foreign investments in U.S. companies—to force a divestiture of TikTok’s U.S. operations. In 2019, CFIUS initiated a review of ByteDance’s 2017 acquisition of the U.S. video-sharing platform Musical.ly in response to growing concerns regarding the use of data and censorship directed by the Chinese government. The CFIUS review culminated in an August 14, 2020 order directing ByteDance to divest its interest in TikTok’s U.S. platform by November 12, 2020.
The Commerce restrictions and ensuing litigation threatened to derail CFIUS negotiations over the TikTok divestment—a matter made more challenging on August 28, 2020, when China retaliated with its own set of export controls requiring Chinese government approval for such a transaction. Although the U.S. Department of the Treasury announced an agreement in principle for the sale of TikTok on September 19, 2020, a final agreement proved elusive. Negotiations ground to a halt around the time of the U.S. presidential election, and CFIUS extended the deadline for a resolution three times by the end of the year before defaulting to a de facto continuation as the parties continue to negotiate.
None of these developments, however, appeared to dampen the Trump administration’s drive to target leading Chinese technology companies. On January 5, 2021, President Trump issued another Executive Order requiring the Commerce Department to issue a more narrowly tailored set of prohibitions with respect to the Chinese mobile payment apps WeChat Pay, Alipay, QQ Wallet, as well as CamScanner, SHAREit, Tencent QQ, VMate, and WPS Office within 45 days (by February 19, 2021). Given the timing of the order, the Biden-Harris administration will ultimately be responsible for either implementing or revoking the ban, setting up an early test case for the Biden-Harris administration with respect to Trump-era restrictions on Chinese tech companies.
C. Slowing the Advance of China’s Military Capabilities
Another key goal of the Trump administration’s trade policy in 2020 was its attempt to blunt the development of China’s military capabilities, including by restricting exports to Chinese military end uses and end users, adding military-linked firms to the Entity List, prohibiting U.S. persons from investing in the securities of dozens of “communist Chinese military companies,” and proposing new rules that seek to eject Chinese firms from U.S. stock exchanges for failure to comply with U.S. auditing standards.
Over the past year, the Trump administration has heavily relied on export controls to deny Beijing access to even seemingly low-end U.S. technologies that might be used to modernize China’s military. Pursuant to the Military End Use / User Rule, exporters of certain listed items subject to the EAR require a license from BIS to provide such items to China, Russia, or Venezuela, if the exporter knows or has reason to know that the exported items are intended for a “military end use” or “military end user.” In April 2020, BIS announced significant changes to these military end use and end user controls that became effective on June 29, 2020. Notably, the new rules (1) expanded the scope of military end uses subject to control, (2) added a new license requirement for exports to Chinese military end users, (3) expanded the list of covered items, and (4) broadened the reporting requirement for exports to China, Russia, and Venezuela. These changes appear to have been animated by concerns among U.S. policymakers that the targeted countries are each pursuing a policy of “military-civil fusion” that blurs the line between civilian and military technological development and applications of sensitive technologies.
In particular, where the prior formulation of the Military End Use / User Rule only captured items exported for the purpose of using, developing, or producing military items, the rule now covers items that merely “support or contribute to” those functions. The scope of “military end uses” subject to control was also expanded to include the operation, installation, maintenance, repair, overhaul, or refurbishing of military items. For a more comprehensive discussion of the new Military End Use / User Rule, please see our client alert on the subject, as well as our 2020 Mid-Year Sanctions and Export Controls Update.
The expanded Military End Use / User Rule has presented a host of compliance challenges for industry, prompting BIS in June 2020 to release a detailed set of frequently asked questions (“FAQs”) addressing potential ambiguities in the rule and in December 2020 to publish a new, non-exhaustive Military End User List to help exporters determine which organizations are considered military end users. The more than 100 Chinese and Russian companies identified to date appear to be principally involved in the aerospace, aviation, and materials processing industries, which is consistent with the newly added categories of items covered under the rule. BIS has also continued to add new companies to the Military End User List.
Meanwhile, reflecting the recent significant expansion of the bases for additions to the Entity List, the U.S. Department of Commerce during 2020 announced three batches of Entity List designations tied to activities in support of China’s military. Among those designated in June, August and December 2020 were more than 50 governmental and commercial organizations accused of procuring items for Chinese military end users, building artificial islands in the South China Sea, and supporting China’s policy of “military-civil fusion”—including substantial enterprises like the Chinese chipmaker Semiconductor Manufacturing International Corporation (“SMIC”). Such military-related designations have continued into January 2021 with the addition to the Entity List of China National Offshore Oil Corporation (“CNOOC”) for its activities in the South China Sea, suggesting that the Entity List remains an attractive option for U.S. officials looking to impose meaningful costs on large non-U.S. firms that act contrary to U.S. interests while avoiding the economic disruption of designating such enterprises to OFAC’s SDN List.
In addition to using export controls to deny the Chinese military access to sensitive technology, during 2020 the Trump administration and Congress deployed several other types of measures to deny the Chinese military, and the firms that support it, access to U.S. capital. On November 12, 2020, the Trump administration issued Executive Order 13959, which sought to prohibit U.S. persons from purchasing securities of certain Communist Chinese military companies (“CCMCs”)—ostensibly civil companies that the U.S. Department of Defense alleges have ties to the Chinese military, intelligence, and security services, including enterprises with substantial economic footprints in the United States such as Hikvision and Huawei. A fuller description of the Order and its implications can be found in our November 2020 client alert.
As amended and interpreted to date by OFAC (which has been tasked with implementing and enforcing the Order), Executive Order 13959 seeks to prohibit U.S. persons from engaging in any transaction in publicly traded securities or any securities that are derivative of, or are designed to provide investment exposure to such securities, of any CCMC. The Order covers a wide range financial instruments linked to such companies, including derivatives (e.g., futures, options, swaps), warrants, American depositary receipts, global depositary receipts, exchange-traded funds, index funds, and mutual funds.
OFAC has published a list of the targeted CCMCs, providing additional identifying information about the CCMCs. U.S. persons holding covered securities of CCMCs identified in the initial Annex of Executive Order 13959 must sell or otherwise dispose of those securities by the expiration of a wind-down period on November 11, 2021. As such, the new Biden-Harris administration has a period of time to review the prohibitions and propose further modifications.
In the months since it was issued, Executive Order 13959 has generated widespread confusion within the regulated community concerning what activities are (and are not) prohibited, prompting index providers to sever ties with named Chinese companies and a major U.S. stock exchange to reverse course multiple times on whether such companies should be de-listed. Indeed, despite a flurry of guidance from OFAC, there remains considerable uncertainty concerning which companies are covered by the Order, including how the restriction applies to companies whose names “closely match” firms identified by the U.S. government, as well as such companies’ subsidiaries. In seeming recognition of the compliance concerns expressed by industry, OFAC has issued a general license delaying the Order’s effective date with respect to entities with “closely matching” names of parties explicitly listed until May 2021.
Whatever comes of the Trump administration’s restrictions on investments in CCMCs, there remains broad bipartisan support in Congress for denying Chinese firms access to U.S. capital markets. In December 2020, Congress unanimously passed and President Trump signed into law the Holding Foreign Companies Accountable Act, which requires foreign companies listed on any U.S. stock exchange to comply with U.S. auditing standards or risk being de-listed within three years. Although formally applicable to companies from any foreign country, the Act appears to be principally aimed at Chinese firms, many of which have historically declined to comply with U.S. auditing standards, citing national security and state-secrets concerns. Whether the threat of de-listing Chinese firms materializes will depend in part on how the Act is implemented by the U.S. Securities and Exchange Commission. However, the measure’s approval by Congress without a single dissenting vote suggests that there is likely to be continuing support among U.S. policymakers for limiting Beijing’s access to U.S. investors and capital.
D. Promoting Human Rights in Hong Kong
In connection with China’s crackdown on protests in Hong Kong and the June 2020 enactment of China’s new Hong Kong national security law—which criminalizes dissent through vague offenses such as secession, subversion, terrorism, and collusion with a foreign power—the United States moved to impose consequences on Beijing for undermining freedoms enshrined in the 1984 Sino-British Joint Declaration and Hong Kong’s Basic Law. However, such U.S. measures have so far been limited in scope and have principally involved revoking Hong Kong’s special trading status and imposing sanctions on several senior Hong Kong and mainland Chinese government officials. No governmental entity within the Special Administrative Region (“SAR”) of Hong Kong has yet been sanctioned.
Under U.S. law, the Secretary of State must periodically certify that Hong Kong retains a “high degree of autonomy” from mainland China in order for the territory to continue receiving preferential treatment—including lower tariffs, looser export controls, and relaxed visa requirements—compared to the rest of China. On May 28, 2020, Secretary of State Mike Pompeo reported to the U.S. Congress that Hong Kong is no longer sufficiently autonomous to warrant such preferential treatment. Shortly thereafter, President Trump on July 14, 2020 issued Executive Order 13936 formally revoking Hong Kong’s special trading status and signed into law the Hong Kong Autonomy Act (“HKAA”), which authorizes the President to impose sanctions such as asset freezes and visa bans on individuals and entities that enforce the new Hong Kong national security law. The HKAA also authorizes “secondary” sanctions on non-U.S. financial institutions that knowingly conduct significant transactions with persons that enforce the Hong Kong national security law—potentially subjecting non-U.S. banks that engage in such dealings to a range of consequences, including loss of access to the U.S. financial system.
With that policy framework in place, various arms of the U.S. government soon implemented more targeted measures designed to hold Hong Kong’s leadership accountable and to conform Hong Kong’s legal status with the rest of China.
Notably, on August 7, 2020, OFAC designated to the SDN List 11 senior Hong Kong and mainland Chinese government officials—including Hong Kong’s chief executive, Carrie Lam—for their involvement in implementing the national security law. As a result of this action, U.S. persons (as well as non-U.S. persons when engaging in a transaction with a U.S. touchpoint) are, except as authorized by OFAC, generally prohibited from engaging in transactions involving these 11 individuals and their property and interests in property. Although OFAC has clarified in published guidance that the prohibition does not extend to routine dealings with the non-sanctioned government agencies that these individuals lead, U.S. persons should take care not to enter into contracts signed by, or negotiate with, government officials who are SDNs, activities which could trigger U.S. sanctions.
Meanwhile, the U.S. Department of Commerce in June 2020 suspended the availability of certain export license exceptions that treated Hong Kong more favorably than mainland China. As a result of this suspension—which appears to have been driven by concerns among U.S. policymakers that sensitive goods, software, and technology exported to Hong Kong could be diverted to the mainland—exports, reexports, or transfers to or within Hong Kong of items subject to the EAR may now require a specific license from the U.S. government. Further cementing this shift in U.S. policy, the U.S. Department of Commerce in December 2020 removed Hong Kong as a separate destination on the Commerce Country Chart, effectively ending Hong Kong’s preferential treatment for purposes of U.S. export controls.
While the implementation of tougher sanctions and export controls represents an escalation of U.S. pressure on the Chinese government, the Trump administration during its final year in office shied away from imposing more draconian measures with respect to Hong Kong. For example, the United States has to date refrained from targeting non-U.S. banks, the Hong Kong SAR government, or acted to undermine the longstanding peg that has linked the Hong Kong Dollar and the U.S. Dollar—likely out of concern for the heavy collateral consequences that such measures could inflict on Hong Kong’s pro-Western population, as well as on the many U.S. and multinational firms with operations in the city.
In our assessment, such severe measures—which could undermine Hong Kong’s historic role as a global financial hub—are unlikely to be imposed by the Biden-Harris administration absent significant further deterioration in relations between Washington and Beijing. Instead, particularly in light of reports of a wave of arrests in January 2021 pursuant to the Hong Kong national security law, the Biden-Harris administration could designate additional Chinese and Hong Kong government officials for their role in eroding Hong Kong’s autonomy. A further option available to President Biden could involve easing the path for Hong Kong residents to immigrate to the United States (in line with similar proposals mooted by the U.K. government)—which would both shield such individuals from repression and impose costs on Beijing by draining away some of Hong Kong’s considerable human capital.
E. Promoting Human Rights in Xinjiang
During 2020, the United States ramped up legislative and regulatory efforts to address and punish reported human rights abuses in China’s Xinjiang Uyghur Autonomous Region (“Xinjiang”). Although concerns about high-tech surveillance and harsh security measures against Muslim minority groups date back over a decade, the latest reports estimate that up to 1.5 million Uyghurs, Kazakhs, and other Turkic minorities have been detained in “reeducation camps” and that many others, including former detainees, have been forced into involuntary labor in textile, apparel, and other labor-intensive industries.
In response to these developments, President Trump on June 17, 2020 signed into law the Uyghur Human Rights Policy Act of 2020. The Act required the President to submit within 180 days a report to Congress—which as of this writing has yet to be issued—that identifies foreign persons, including Chinese government officials, who are responsible for flagrant human rights violations in Xinjiang. The Act authorizes the President to impose sanctions (including asset freezes and visa bans) on persons identified therein, and directs the Department of State, the Director of National Intelligence, and the Federal Bureau of Investigation to submit reports to Congress on human rights abuses, and the national security and economic implications of the PRC’s actions, in Xinjiang.
The Trump administration also took a number of executive actions against Chinese individuals and entities implicated in the alleged Xinjiang repression campaign. On July 9, 2020, OFAC designated to the SDN List the Xinjiang Public Security Bureau and four current or former Chinese government officials for their ties to mass detention programs and other abuses. On July 31, 2020, OFAC followed up on this action by sanctioning the Xinjiang Production and Construction Corps (“XPCC”)—a state-owned paramilitary organization and one of the region’s most economically consequential actors—plus two further government officials.
In tandem with sanctions designations, the United States during 2020 leveraged export controls to advance the U.S. policy interest in curtailing human rights abuses in Xinjiang—most notably through expanded use of the Entity List. As discussed in our 2020 Mid-Year Sanctions and Export Controls Update, BIS has over the past year continued to use its powerful Entity List designation tool to effectively ban U.S. exports to entities implicated by the interagency End-User Review Committee (“ERC”) in certain human rights violations.
While the ERC has long had the power to designate companies and other organizations for acting contrary to U.S. national security and foreign policy interests, these interests historically have been focused on regional stability, counterproliferation, and anti-terrorism concerns, plus violations of U.S. sanctions and export controls. Beginning in October 2019, however, the ERC added human rights to this list of concerns, focusing especially on human rights violations occurring in Xinjiang and directed against Uyghurs, Kazakhs, and other members of Muslim minority groups in China. Accelerating this trend, the ERC on three separate occasions this past year—including in June, July, and December 2020—added a total of 24 Chinese organizations to the Entity List for their conduct in Xinjiang. Among the entities targeted were Chinese firms that enable high-tech repression by producing video surveillance equipment and facial recognition software, as well as Chinese companies that benefit from forced labor in Xinjiang such as manufacturers of textiles and electronic components. In addition to denying these entities access to controlled U.S.-origin items, these designations also spotlight sectors of the Chinese economy that are likely to remain subject to regulatory scrutiny under the Biden-Harris administration and which may call for enhanced due diligence by U.S. companies that continue to engage with Xinjiang.
Consistent with the Trump administration’s whole-of-government approach to trade with China, the United States also used import restrictions—including a record number of withhold release orders issued by U.S. Customs and Border Protection (“CBP”)—to deny certain goods produced in Xinjiang access to the U.S. market.
CBP is authorized to enforce Section 307 of the Tariff Act of 1930, which prohibits the importation of foreign goods produced with forced or child labor. Upon determining that there is information that reasonably, but not conclusively, indicates that goods that are being, or are likely to be, imported into the United States may be produced with forced or child labor, CBP may issue a withhold release order, which requires the detention of such goods at any U.S. port. Historically, this policy tool was seldom used until the latter half of the Obama administration.
During 2020, CBP ramped up its use of this policy instrument, issuing 15 withhold release orders—the most in any single year for at least half a century. Of those orders, nine were focused on Xinjiang, including import restrictions on hair products and garments produced by certain manufacturers, as well as cotton and cotton products produced by XPCC, the Chinese paramilitary organization sanctioned by OFAC. On January 13, 2021, the Trump administration went further and imposed a withhold release order targeting all cotton products and tomato products originating from Xinjiang. Taken together, these developments suggest that the U.S. government is likely to continue its aggressive use of import restrictions against goods sourced from Xinjiang, further heightening the need for importers to scrutinize suppliers with ties to the region in order to minimize the risk of supply chain disruptions and reputational harm.
As a complement to the regulatory changes described above, the Trump administration during 2020 published multiple rounds of guidance to assist the business community in conducting human rights diligence related to Xinjiang. On July 1, 2020, the U.S. Departments of State, Treasury, Commerce, and Homeland Security issued the Xinjiang Supply Chain Business Advisory, a detailed guidance document for industry spotlighting risks related to doing business with or connected to forced labor practices in Xinjiang and elsewhere in China. The Advisory underscores that businesses and individuals engaged in certain industries may face reputational or legal risks if their activities involve support for or acquisition of goods from commercial or governmental actors involved in illicit labor practices and identifies potential indicators of forced labor, including factories located within or near known internment camps.
Separately, and as discussed further below, the U.S. Department of State on September 30, 2020 issued guidance specifically focused on exports to foreign government end-users of products or services with surveillance capabilities with an eye toward preventing such items from being used to commit human rights abuses of the sort reported in Xinjiang.
Underscoring the extent of U.S. concern about the situation in Xinjiang, then-Secretary of State Pompeo on the Trump administration’s last full day in office issued a determination that the Chinese government’s activities in the region constitute genocide and crimes against humanity—a declaration that was quickly echoed by current Secretary of State Antony Blinken in his Senate confirmation hearing. While the declaration triggers few immediate consequences under U.S. law, it could portend further U.S. sanctions designations related to China’s treatment of ethnic and religious minorities.
F. Trade Imbalances and Tariffs
Also in 2020, the Trump administration continued to make broad use of its authority to impose tariffs on Chinese-made goods. This policy approach met with significant opposition from private plaintiffs, setting the stage for substantial and largely unresolved litigation at the U.S. Court of International Trade. The year began with significant tariffs already in place through two mechanisms: Section 232 of the Trade Expansion Act of 1962 (“Section 232”), which allows the President to adjust the imports of an article upon the determination of the U.S. Secretary of Commerce that the article is being imported into the United States in such quantities or under such circumstances as to impair the national security, and Section 301 of the Trade Act of 1974 (“Section 301”), which allows the President to direct the U.S. Trade Representative to take all “appropriate and feasible action within the power of the President” to eliminate unfair trade practices or policies by a foreign country.
1. Section 232
On January 24, 2020, President Trump issued a proclamation under Section 232 expanding the scope of existing steel and aluminum tariffs (25 percent and 10 percent, respectively) to cover certain derivatives of aluminum and steel such as nails, wire, and staples, which went into effect on February 8, 2020. President Biden has stated that he plans to review the Section 232 tariffs, although no immediate timetable for that review has been set forth to date.
Two cases of note regarding the scope of the President’s power to impose Section 232 tariffs were decided this year. In Transpacific Steel LLC v. United States, 466 F.Supp. 3d 1246 (CIT 2020), the court held that Proclamation 9772, which imposed a 50 percent tariff on steel products from Turkey, was unlawful because it violated Section 232’s statutory procedures and the Fifth Amendment’s Equal Protection guarantees. The court noted that Section 232 “grants the President great, but not unfettered, discretion,” and agreed with the importers that the President acted outside the 90-day statutorily mandated window and without a proper report on the national security threat posed by steel imports from Turkey. The court also agreed that Proclamation 9772 denied the importers the equal protection of law because it arbitrarily and irrationally doubled the tariff rate on Turkish steel products and there was “no apparent reason to treat importers of Turkish steel products differently from importers of steel products from any other country listed in the” relevant report. While Transpacific limited the President’s power to impose Section 232 tariffs, on February 28, 2020, the Federal Circuit rejected a constitutional challenge to Section 232 itself and held that Section 232 did not unlawfully cede authority to control trade to the President in violation of the Constitution’s nondelegation doctrine, and the 232 tariffs remain in place.
On December 14, 2020, the Commerce Department published a notice announcing changes to the Section 232 steel and aluminum tariffs exclusions process. Changes include (1) the adoption of General Approved Exclusions for specific products; (2) a new volume certification requirement meant to limit requests for more volume than needed compared to past usage; and (3) a streamlined review process for “No Objection” exclusion requests.
2. Section 301
Although the Trump administration initiated Section 301 tariff investigations involving multiple jurisdictions, the Section 301 tariffs that have dominated the headlines are the tariffs imposed on China in retaliation for practices with respect to technology transfer, intellectual property, and innovation that the Office of the U.S. Trade Representative (“USTR”) has determined to be unfair (“China 301 Tariffs”). The China 301 Tariffs were imposed in a series of waves in 2018 and 2019, and as originally implemented they together cover over $500 billion in products from China.
On January 15, 2020, the United States and China signed a Phase One Trade Agreement, leading to a slight reprieve in the U.S.-China trade dispute. As part of that agreement, the United States agreed to suspend indefinitely its List 4B tariffs and to reduce its List 4A tariffs to 7.5 percent. Pursuant to the agreement, China committed (1) to purchase an additional $200 billion in U.S. manufactured, agriculture, and energy goods and services as compared to a 2017 baseline; (2) to address U.S. complaints about intellectual property practices by providing stronger Chinese legal protections and eliminating pressure for foreign companies to transfer technology to Chinese firms as a condition of market access; (3) to implement certain regulatory measures to clear the way for more U.S. food and agricultural exports to China; and (4) to improve access to China’s financial services market for U.S. companies. A “Phase Two” trade deal never materialized following strained relations between the two countries catalyzed in part over the coronavirus pandemic.
As the statute of limitations to challenge two of the larger China 301 Tariff tranches (List 3 and List 4A) approached with no further progress beyond the Phase One Trade Agreement, in an unprecedented act thousands of parties affected by the tariffs filed suit at the Court of International Trade, alleging that the tariffs were not properly authorized by the Trade Act of 1974, and that USTR violated the Administrative Procedure Act when it imposed them. More than 3,500 actions, some filed jointly by multiple plaintiffs, were filed, and case management issues are still under development: the U.S. Court of International Trade has not yet designated a “test” case or cases—the case(s) which will be resolved first, while the rest of the cases are stayed pending resolution—or determined if the case(s) will be heard by a three-judge panel. These arguments are playing out on the docket of HMTX Industries LLC v. United States, Ct. No. 20-00177, which we presume will be a lead case.
Although the China 301 Tariffs were a hallmark of the Trump administration’s trade policy, we expect them to remain in place under the Biden-Harris administration, at least during an initial period of review. President Biden has nominated Katherine Tai, the former lead trade attorney for the U.S. House of Representatives Ways and Means Committee, to serve as USTR. Her background includes significant China-related expertise—including successful litigation at the World Trade Organization, involvement in drafting proposed legislation on China-related issues, such as Uyghur forced labor, and experience as USTR’s chief counsel for China enforcement—suggesting that China will remain a focus of U.S. trade policy going forward.
G. China’s Counter-Sanctions – The Chinese Blocking Statute
The Chinese Blocking Statute, which we discuss at greater depth in our recent client alert, creates a reporting obligation for Chinese persons and entities impacted by extra-territorial foreign regulations. Critically, this reporting obligation is applicable to Chinese subsidiaries of multinational companies. The Chinese Blocking Statute also creates a private right of action for Chinese persons or entities to seek civil remedies in Chinese courts from anyone who complies with prohibited extra-territorial measures.
While the Chinese regulations remain nascent and the initial list of extra-territorial measures that the Chinese Blocking Statute will cover has yet to be published, the law marks a material escalation in the longstanding Chinese threats to impose counter-measures against the United States (principally) by establishing a meaningful Chinese legal regime that could challenge foreign companies with operations in China. If the European model for the Chinese Blocking Statute continues to serve as Beijing’s inspiration, we will likely see both administrative actions to enforce the measure as well as private sector suits to compel companies to comply with contractual obligations, even if doing so is in violation of their own domestic laws.
The question for the United States with respect to this new Chinese law will be how to balance the aggressive suite of U.S. sanctions and export control measures levied against China—which the U.S. government is unlikely to pare back—against the growing regulatory risk for global firms in China that could be caught between inconsistent compliance obligations. As has long been the case, international companies will continue to be on the front lines of Washington-Beijing tensions and they will need to remain flexible in order to respond to a fluid regulatory environment and maintain access to the world’s two largest economies.
H. New Chinese Export Control Regime
On December 1, 2020, the Export Control Law of the People’s Republic of China (“China’s Export Control Law”) officially took effect. This marks a milestone on China’s long-running efforts towards a comprehensive and unified export control regime and to large parts has been discussed in detail in our recent client alert.
By passing China’s Export Control Law, China has formally introduced concepts common to other jurisdictions, yet new to China’s export control regime such as, inter alia, embargos, into its export control regime, and particularly expands the scope of China’s Export Control Law to have an extraterritorial effect. Compared to China’s prior export control rules scattered in various other laws and regulations, China’s Export Control Law has also imposed significantly enhanced penalties in case of violations. Pursuant to China’s Export Control Law, the maximum monetary penalties in certain violations could reach 20 times the illegal income. Any foreign perpetrators may also be held liable, although unclear how.
Before this new law came into effect, China already took actions to curb the export control of sensitive technologies. On August 28, 2020, in the midst of the forced TikTok sale demanded by the U.S. government, China amended its Catalogue of Technologies Whose Exports Are Prohibited or Restricted to capture additional technologies, including “personalized information push service technology based on data analysis” that is relied upon by TikTok. Such inclusion would make it extremely challenging, if not impossible, to export the captured technologies because “substantial negotiation” of any technology export agreement with respect to such technology may not be conducted without the approval of the relevant Chinese authorities.
In addition to China’s Export Control Law, detailed provisions with respect to China’s unreliable entity list were unveiled on September 19, 2020, namely, the Provisions on the Unreliable Entities List. This unreliable entity list, which may include foreign companies and individuals (although none has been identified so far), has been deemed by some as China’s attempt to directly counter BIS’s frequent use of its entity list. For those listed in China’s unreliable entity list, China-related import and export, investment and other business activities may be restricted or prohibited.
Although there has been no official update so far with respect to exactly whom or which entity would be placed on China’s control list or unreliable entity list, China has imposed sanctions on a number of U.S. individuals and entities in the second half of 2020, which has been perceived as a counter measure against U.S.’s sanctions of Chinese (including Hong Kong) entities and officials.
For instance, on December 10, 2020, shortly after the Hong Kong-related designations by the U.S. Department of the Treasury on December 7, 2020, a spokesperson from China’s Ministry of Foreign Affairs announced sanctions against certain U.S. officials for “bad behavior” over Hong Kong issues and revoked visa-free entry policy previously granted to U.S. diplomatic passport holders when visiting Hong Kong and Macau.
II. U.S. Sanctions Program Developments
A. Iran
During the second half of 2020, the outgoing Trump administration and then-candidate Biden articulated sharply contrasting positions on Iran sanctions—both bearing the hallmarks of their broader approaches to foreign policy. In its final push for “maximum economic pressure,” the Trump administration sought to impose additional sanctions that would make it more difficult for the Biden-Harris administration to reenter the JCPOA, the nuclear deal negotiated by the Obama administration. At the same time, then-candidate Biden laid out his plan to reengage with Iran, reinstate compliance with the JCPOA, and roll back the U.S. sanctions that had been re-imposed.
With the international community rebuffing efforts to abandon the JCPOA and Iran’s current government signaling interest in a quick return to the deal, the stage could be set for the Biden-Harris administration to achieve its goals for Iran, although the timing is uncertain. Domestic political concerns in both countries, a global pandemic, and pressure from U.S. allies in the Middle East could frustrate these efforts and ensure the sanctions status quo remains in the near term.
The Trump administration’s effort in August and September to snap United Nations sanctions back into effect marked the culmination of a years-long campaign intended to drive Iran to negotiate a more comprehensive deal for relief. Where the JCPOA only addressed Iran’s nuclear program, the Trump administration sought an agreement regulating more facets of Iran’s “malign activities” in return for sanctions relief. The “maximum economic pressure” campaign began in earnest in November 2018 with the full re-imposition of sanctions that had been lifted under the terms of the JCPOA. As we discussed in our 2019 Year-End Sanctions Update, the campaign continued throughout 2019, as the United States targeted new industries and entities and ramped up pressure on previously sanctioned persons.
The Trump administration continued increasing this pressure over the course of 2020, while clarifying the scope of humanitarian exemptions in response to the global coronavirus pandemic. Our 2020 Mid-Year Sanctions and Export Controls Update details re-imposition of restrictions on certain nuclear activities, a steady stream of new designations, and the expansion of U.S. secondary sanctions to target new sectors of the Iranian economy. This increasing pressure was accompanied by several measures designed to facilitate Iran’s response to the coronavirus pandemic, including additional interpretive guidance, approved payment mechanisms, and a new general license.
Trump administration efforts in the latter half of 2020 were more focused on maximizing economic pressure on Iran. OFAC made use of new secondary sanctions authorities to impose additional sanctions on Iran’s financial sector, and announced further authorities targeting conventional arms sales to Iran, responding directly to the impending rollback of UN sanctions. The steady stream of designations also continued, with OFAC focusing particularly on entities operating in or supporting Iran’s petroleum and petrochemicals trade (see e.g., designation announcements in September, October, and December), including additional restrictions on the Iranian Ministry of Petroleum, the National Iranian Oil Company (“NIOC”), and the National Iranian Tanker Company (“NITC”). OFAC also designated several rounds of new targets, including senior officials in the Iranian government, for alleged involvement in human rights violations.
Despite this mounting economic pressure, Iran has still found ways to slip through the grasp of the tightening embargo. In the fall of 2020, market watchers observed a sharp uptick in Iranian oil exports. Increasing demand among U.S. adversaries—including China and Venezuela—along with steep discounts from Iran have likely contributed to the spike in exports. Increasingly-sophisticated evasion tactics have helped too—despite State Department guidance published in May 2020 to address these deceptive shipping practices.
The U.S. also continued to pursue criminal penalties for entities that tried to evade U.S. sanctions. In August, the United States charged an Emirati entity and its managing director for implementing a scheme to circumvent U.S. sanctions and supply aircraft parts to Mahan Air, an Iranian airline and longtime target of U.S. export controls and sanctions designated for supporting Iran’s Islamic Revolutionary Guard Corps’ Quds Force. OFAC simultaneously imposed sanctions on those Emirati targets, as well as several other associated entities. These enforcement efforts hit one notable setback in July, when a judge in the Southern District of New York dismissed a case against Ali Sadr Hashemi Nejad, who had been convicted of using the U.S. financial system to process payments to Iran. The judge vacated Mr. Nejad’s conviction after the U.S. Attorney’s office revealed alleged misconduct by the prosecutors that originally tried the case—including efforts to “bury” evidence turned over to the defense.
Efforts to increase pressure on Iran reached their zenith with the Trump administration’s unilateral push to trigger the snapback of broad international sanctions on Iran. In an effort to ensure that the JCPOA remained responsive to concerns about Iran’s compliance, the original parties included a mechanism that would allow the UN-based international sanctions regime to snap back into place if a party to the agreement brought a compliant that Iran was not in compliance. The United States attempted to trigger this snapback mechanism by submitting allegations of Iranian noncompliance to the UN Security Council on August 20, 2020. The other members of the Security Council flatly rejected the U.S. efforts. They argued that the United States, which had withdrawn from the agreement in 2018, no longer had standing to trigger the snapback, and, although they acknowledged Iran’s noncompliance, they expressed a preference for resolving the issue within the confines of the JCPOA. Nevertheless, in keeping with the timelines provided in the JCPOA, Secretary Pompeo announced “the return of virtually all previously terminated UN sanctions” on September 19. The remaining members of the JCPOA ignored the announcement and did not re-impose restrictions.
This fatigue with the current U.S. position and the calls for further leniency in response to the pandemic have created an international environment that may facilitate the Biden-Harris administration’s plans to return to the JCPOA. President Biden and his National Security Adviser, Jake Sullivan, have clearly stated that, if Iran returns to “strict compliance,” the administration would rejoin the JCPOA. For its part, Iranian President Hassan Rouhani has announced that Iran would hasten to comply with the JCPOA if the U.S. were to rejoin. Iran’s supreme leader, Ayatollah Ali Khamenei, may also favor a return to the JCPOA, as more reliable oil revenues are important to help ensure future domestic stability.
However, the window for a return to the JCPOA may be narrow and may not accommodate the Biden-Harris administration’s desire for follow-on agreements addressing other aspects of Iran’s malign activities. Iranian elections are coming up in June, and hard-liners have signaled their opposition to a revived JCPOA. Iran has also increased its uranium enrichment and begun construction projects at its most significant nuclear facilities. This activity could embolden domestic opposition in the United States, where there is already limited appetite for a return to the basic JCPOA structure. Even close Biden ally Senator Chris Coons (D-DE) has suggested that a revised deal should address not only the nuclear issues covered by the JCPOA but also Iran’s missile program. If domestic political concerns prevent a return to the agreement, sanctions could continue to tighten and could even return to pre-JCPOA levels if Iran intensifies its noncompliance.
B. Venezuela
Despite the far reaching effects of OFAC’s current Venezuela sanctions program, which has crippled Venezuela’s state-owned oil company, Petróleos de Venezuela, S.A. (“PdVSA”), the regime of President Nicolás Maduro remains firmly entrenched, and emerged victorious from a December 2020 legislative election that U.S. Secretary of State Mike Pompeo described as a “political farce.” The results have made it increasingly difficult for Venezuela’s opposition movement seeking to oust Maduro, further undermining opposition leader and Interim President Juan Guaidó. The economic devastation, political instability, and compounding impacts of the pandemic have continued the refugee crisis pressuring some of Venezuela’s neighbors and creating an even more delicate security environment for the Biden-Harris administration.
At the end of 2020, Biden-Harris transition representatives suggested that the new administration would push for free and fair elections in Venezuela in exchange for sanctions relief, but not necessarily to require Maduro’s surrender as a condition of negotiations. The approach is expected to be coordinated with international allies, and Maduro’s foreign backers in Russia, China, Iran and Cuba will likely be involved. The Biden-Harris team has promised to review existing OFAC sanctions with respect to Venezuela, assessing which potential measures may be lifted as part of any future discussions.
As we described in our 2020 Mid-Year Sanctions and Export Controls Update, last year the Trump administration deployed an array of tools to deny the Maduro regime the resources and support necessary to sustain its hold on power—from indicting several of Venezuela’s top leaders to aggressively targeting virtually all dealings with Venezuela’s crucial oil sector with sanctions, including designating prominent Chinese and Russian companies involved with the sector. In February and March 2020, OFAC designated two subsidiaries of the Russian state-controlled oil giant Rosneft for brokering the sale and transport of Venezuelan crude—prompting Rosneft to sell off the relevant assets and operations to a unnamed company. On November 30, 2020, OFAC announced another major designation under the Venezuela sanctions program, China National Electronic Import-Export Company (“CEIEC”). OFAC explained that CEIEC supported the Maduro regime’s “malicious cyber efforts,” including online censorship, strategically timed intentional electricity and cellphone blackouts, and a fake website purportedly for volunteers to participate in the delivery of international humanitarian aid that was actually designed to phish for personal information. CEIEC has over 200 subsidiaries and offices worldwide, and through the application of OFAC’s 50 Percent rule any subsidiaries that are at least half-owned by CEIEC will be subject to the same restrictions as CEIEC.
On December 18, 2020, OFAC designated a Venezuelan entity and two individuals for providing material support to the Maduro regime, including by providing goods and services used to carry out the “fraudulent” parliamentary elections. On December 30, 2020, OFAC designated a Venezuelan judge and prosecutor for involvement in the unfair trial of the “Citgo 6,” six executives of PdVSA’s U.S. subsidiary Citgo who were lured to Venezuela under false pretenses and arrested in 2017.
OFAC also narrowed the scope of activities authorized by several general licenses. In April 2020, OFAC further restricted dealings with Venezuela’s oil sector by narrowing one of the few remaining authorizations for U.S. companies to engage in dealings with PdVSA. On November 17, 2020, OFAC extended this narrowed version of General License 8 through June 3, 2021. On January 4, 2021, OFAC revised General License 31A, which authorized certain transactions involving the Venezuelan National Assembly and Guaidó, to specify that it applies only to the members of the National Assembly seated on January 5, 2016, i.e. prior to the December 2020 election.
C. Cuba
The Trump administration continued its pressure on Cuba in 2020, in an ostensible attempt to appeal to Cuban-American and other voters in Florida prior to the election and then to bind the incoming Biden-Harris administration from shifting course in U.S.-Cuba relations. The new U.S. administration had previously nodded to changes in U.S.-Cuba relations, with then-candidate Biden criticizing the Trump administration for inflicting harm on the Cuban people and promising to roll back certain Trump’s policies. That said, Biden-Harris representatives acknowledged that significant change was unlikely to happen anytime soon.
1. Designations and Remittance Restrictions
As we analyzed in our 2020 Mid-Year Sanctions and Export Controls Update, the Trump administration added numerous entities to the State Department’s Cuba Restricted List this year, thus prohibiting U.S. persons and entities from engaging in direct financial transactions with them and imposing certain U.S. export control licensing requirements. Between June and September 2020, the State Department added numerous Cuban military-owned sub-entities—most operating in Cuba’s tourism industry—to the Cuba Restricted List, including the financial services company Financiera Cimex (“FINCIMEX”) and its subsidiary American International Services (“AIS”). In October 2020, OFAC amended the Cuban Assets Control Regulations (“CACR”) to prohibit indirect remittance transactions with entities on the Cuba Restricted List, including transactions relating to the collection, forwarding, or receipt of remittances. The U.S. administration turned the screws again on FINCIMEX in December 2020, designating it, Kave Coffee, and their Cuban military-controlled umbrella enterprise Grupo de Administración Empresarial (“GAESA”) to the SDN List. On January 15, 2021, five days before President Biden’s inauguration, OFAC designated the Cuban Ministry of Interior (“MININT”) and its leader, Lazaro Alberto Álvarez Casas, for human rights abuses relating to the monitoring of political activity. According to OFAC, Cuban dissident Jose Daniel Ferrer was beaten, tortured, and held in isolation in a MININT-controlled prison in September 2019.
2. State Sponsor of Terrorism Determination
Furthermore, on January 11, 2021, the State Department re-designated Cuba as a State Sponsor of Terrorism (“SST”), on the grounds that Cuba “repeatedly provid[es] support for acts of international terrorism in granting safe harbor to terrorists,” and in a direct reversal of a May 2015 decision by the Obama administration to remove that designation. An SST designation imposes several restrictions, including a ban on Cuba-related defense exports, credits, guarantees, other financial assistance, and export licensing overseen by the State Department (Section 40 of the Arms Export Control Act); a license requirement (with a presumption of denial) for exports of dual-use items to Cuba (Section 1754(c) of the National Defense Authorization Act for Fiscal Year 2019); and a ban on U.S. foreign assistance to Cuba (Section 620A of the Foreign Assistance Act). The SST designation opens the door for other U.S. federal agencies to impose further restrictions, and it remains to be seen how the new Biden-Harris administration will navigate the course. When President Obama lifted the designation, that procedure required months of review by the State Department, a 45-day pre-notification period for Congress, and a cooperative Congress that did not exercise the blocking authority made available to it under the Arms Export Control Act.
3. Travel Restrictions
In September 2020, OFAC amended the CACR for the first time since September 2019. In this amendment, OFAC targeted Cuba’s travel, alcohol, and tobacco industries by prohibiting any U.S. person from engaging in lodging transactions, either directly or indirectly, with any property that the Secretary of State has identified as owned or controlled by the Cuban government or its prohibited officials and their relatives. Concurrent with this change, the State Department published the new Cuba Prohibited Accommodations List to identify the lodging properties that would trigger this prohibition. Additionally, the CACR amendment eliminated certain general licenses to restrict attendance at professional meetings or conferences in Cuba and attendance at or transactions incident to public performances, clinics, workshops, other athletic or non-athletic competitions, and exhibitions in Cuba.
4. Helms-Burton Act
As we wrote in May 2019, on April 17, 2019, the Trump administration lifted long-standing limitations on American citizens seeking to sue over property confiscated by the Cuban regime after the revolution led by Fidel Castro six decades ago. Title III of the Cuban Liberty and Democratic Solidarity (“LIBERTAD”) Act of 1996, commonly known as the Helms-Burton Act, authorizes current U.S. citizens and companies whose property was confiscated by the Cuban government on or after January 1, 1959 to bring suit for monetary damages against individuals or entities that “traffic” in that property. The policy rationale for this private right of action was to provide recourse for individuals whose property was seized by the Castro regime. As part of the statutory scheme, Congress provided that the President may suspend this private right of action for up to six months at a time, renewable indefinitely. Until May 2019, U.S. Presidents of both parties had consistently suspended that statutory provision in full every six months. While President Biden could suspend the private right of action, already-existing Title III lawsuits are authorized under the Helms-Burton Act to run to completion, inclusive of any appeals.
D. Russia
Although the COVID-19 pandemic and resulting economic crisis dominated President Biden’s first few days in office, his administration was forced to act fast to achieve an extension of the New Strategic Arms Reduction Treaty (“New START”) arms control treaty ahead of a February 5, 2021 deadline. The extension to February 4, 2026, does not necessarily portend any greater degree of cooperation between the two countries, however, as the new U.S. administration has suggested that it may impose new measures on Russia pending an intelligence assessment of its recent activities.
1. CAATSA Section 224 Russian Cyber Sanctions
As noted above, U.S. federal agencies are still assessing the scope and impact of the recent Russian cyberattack that breached network security measures of at least half a dozen cabinet-level agencies and many more private sector entities, which could lead to sanctions under a 2015 Executive Order targeting persons engaged in malicious cyber activities or Section 224 of the Countering America’s Adversaries Through Sanctions Act (“CAATSA”). There is recent precedent for such actions—on October 23, 2020, OFAC designated Russia’s State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (“TsNIIKhM”) pursuant to Section 224 of CAATSA for TsNIIKhM’s involvement in the development and spread of Triton malware, also known as TRISIS or HatMan, which targets and manipulates industrial safety systems and has been described as “the most dangerous” publicly known cybersecurity threat. Triton first made news in 2017 after it crippled a petrochemical plant in Saudi Arabia, and OFAC warned that Russian hackers had turned their attention to U.S. infrastructure, where at least 20 electric utilities have been probed by hackers for vulnerabilities since 2019.
2. CAATSA Section 231 Russian Military Sanctions
On December 14, 2020, the United States imposed sanctions on the Republic of Turkey’s Presidency of Defense Industries (“SSB”), the country’s defense procurement agency, and four senior officials at the agency, for its dealings with Rosoboronexport (“ROE”), Russia’s main arms export entity, in procuring the S-400 surface-to-air missile system. As we described in December 2020, Section 231 of CAATSA required the imposition of sanctions on any person determined to have knowingly engaged in a significant transaction with the defense or intelligence sectors of the Russian government. Notwithstanding Section 231’s mandatory sanctions requirement, the Trump administration repeatedly tried to pressure Turkey to abandon the ROE deal before sanctions were imposed. In line with a growing list of non-SDN measures managed by OFAC (including the Sectoral Sanctions and the Communist Chinese Military Companies investment restrictions), these sanctions are not full blocking measures and the SSB listing led OFAC to construct a new Non-SDN Menu-Based Sanctions List.
3. CAATSA Section 232 Nord Stream 2 and TurkStream Sanctions
U.S. efforts to block Russia’s ongoing construction of major gas export pipelines to bypass Ukraine have been a longstanding source of tension not just between Washington and Moscow but also with the United States’ core European allies. In Section 232 of CAATSA, Congress authorized—but did not require—the President to impose certain sanctions targeting Russian energy export pipelines “in coordination with allies of the United States,” a statement of apparent deference to NATO allies like Germany and Turkey that would benefit most from the construction of the Nord Stream 2 and the TurkStream pipelines. That deference waned in the intervening years, and as we wrote in our 2019 Year-End Sanctions Update, the National Defense Authorization Act for Fiscal Year 2020 (“2020 NDAA”) included provisions requiring the imposition of sanctions against vessels and persons involved in the construction of the Nord Stream 2 and the TurkStream pipelines. Although the inclusion of these sanctions signaled U.S. support for Ukraine, their impact was thought to be minimal as the pipelines’ construction was nearly complete (only one 50-mile gap remained of the Nord Stream 2 pipeline).
But the impact was more severe than anticipated. On July 15, 2020, the Department of State updated its guidance concerning the applicability of sanctions under Section 232 of CAATSA, expanding its scope to almost all entities involved in the construction of the Nord Stream 2 or TurkStream gas pipelines, not just to those who initiated their work after CAATSA’s enactment. And on January 1, 2021, as part of the NDAA for Fiscal Year 2021, Congress amended CAATSA to authorize sanctions for foreign persons whom the Secretary of State, in consultation with the Secretary of the Treasury, deems to have knowingly helped provide pipe-laying vessels for Russian energy export pipelines.
Despite these sanctions—as well as growing domestic opposition to Russia in the aftermath of the poisoning of Russian opposition leader Aleksei Navalny—Germany remains committed to completing Nord Stream 2, which is now over 90 percent finished. Indeed, in early January, Germany’s Mecklenburg-Vorpommern State Parliament voted to create a state-owned foundation to facilitate the pipeline’s construction, taking advantage of an exemption added on January 1 for EU governmental entities not operating as a business enterprise.
4. Other Recent Russian Designations
In July 2020, OFAC targeted Russian financier Yevgeniy Prigozhin’s wide-ranging network of companies in Sudan, Hong Kong and Thailand. Prigozhin has been the target of U.S. sanctions since 2016, and purportedly financed the Internet Research Agency, a Russian troll farm designated by OFAC in 2018, as well as Private Military Company (“PMC”) Wagner, a Russian military proxy force active in Ukraine, Syria, Sudan and Libya that was designated by OFAC in 2017. OFAC highlighted Prigozhin’s role in Sudan and the “interplay between Russia’s paramilitary operations, support for preserving authoritarian regimes, and exploitation of natural resources.” OFAC also targeted Prigozhin’s network of financial facilitators in Hong Kong and Thailand. In September 2020, OFAC imposed sanctions on entities and individuals working on behalf of Prigozhin to advance Russia’s interest in the Central African Republic (“CAR”).
Also in September, OFAC imposed blocking sanctions on Andrii Derkach, a member of the Ukrainian parliament and an alleged agent of Russia’s intelligence services. According to the U.S. Department of the Treasury, Derkach waged a “covert influence campaign” against then-candidate Biden by distributing false and unsubstantiated narratives through media outlets and social media platforms with the aim of undermining the 2020 U.S. presidential election. An additional round of sanctions was announced on January 11, targeting individuals and news outlets in Ukraine that cooperated with Derkach in his efforts to interfere in the 2020 U.S. election. OFAC also extended two Ukraine-related General Licenses, 13P and 15J, that permit U.S. persons to undertake certain transactions related to GAZ Group, which was among the Russian entities designated on April 6, 2018 for being owned by one or more Russian oligarchs or senior Russian government officials. Among other actions, the regulatory authorizations, extended for over one year to January 26, 2022, allow U.S. persons to transfer or divest their holdings in GAZ Group to non-U.S. persons, allow U.S. persons to facilitate the transfer of holdings in GAZ Group by a non-U.S. person to another non-U.S. person, and allow U.S. persons to engage in certain transactions related to the manufacture and sale of automobiles, trucks, and other vehicles produced by GAZ Group or its subsidiaries.
E. North Korea
As we described in our 2020 Mid-Year Sanctions and Export Controls Update, the United States continued to expand its campaign to isolate North Korea economically and to cut off illicit avenues of international support for its nuclear, chemical, and biological weapons programs. In addition to amending the North Korea Sanctions Regulations (“NKSR”), U.S. authorities issued sanctions advisories and pursued multiple enforcement actions against persons who violated these sanctions.
1. NKSR Amendments
On April 10, 2020, OFAC issued amendments to the NKSR, 31 C.F.R. part 510, to implement certain provisions of the North Korea Sanctions and Policy Enhancement Act of 2016 (“NKSPEA”), as amended by CAATSA, and the 2020 NDAA. Changes included implementing secondary sanctions for certain transactions; adding potential restrictions to the use of correspondent accounts for non-U.S. financial institutions that provide significant services to identified SDNs; prohibiting non-U.S. subsidiaries of U.S. financial institutions from transacting with the government of North Korea or any SDN designated under the NKSR; and revising the definitions of “significant transactions” and “luxury goods.”
These amendments mark a significant jurisdictional expansion; in addition to potential secondary sanctions for foreign financial institutions that conduct significant business with North Korea, foreign banks that are subsidiaries of U.S. financial institutions are now directly subject to the NKSR. Thus, although the ailing condition of North Korea’s economy may limit the impact of these measures on the international community, they put global financial institutions on notice to be vigilant with sanctions compliance and mindful of any dealings with North Korea.
2. Ballistic Missile Procurement Advisory
On September 1, 2020, the U.S. Departments of State, Treasury, and Commerce issued an advisory on North Korea’s ballistic missile procurement activities. The advisory identified key North Korean procurement entities, including the Korea Mining Development Trading Corporation (“KOMID”), the Korea Tangun Trading Corporation (“Tangun”), and the Korea Ryonbong General Corporation (“Ryonbong”), and provided an annex identifying the main materials and equipment that North Korea is looking to source internationally for its ballistic missile program. The guidance also highlighted various procurement tactics that North Korea employs, including using North Korean officials accredited as diplomats to orchestrate the acquisition of sensitive technology; collaborating with foreign-incorporated companies (often Chinese and Russian entities) to acquire foreign-sourced basic commercial components; and mislabeling sensitive goods to escape export control requirements or to conceal the true end user.
The advisory emphasized that suppliers must not only watch for items listed in the Annex—or on U.S. or UN control lists—but also for widely available items that may end up contributing to the production or development of weapons of mass destruction (“WMD”). The electronics, chemical, metals, and materials industries, as well as the financial, transportation, and logistics sectors, are at particular risk of such end-use exposure and must pay heed to “catch-all” controls, such as United Nations Security Council Resolution (“UNSCR”) 2270, that require authorization, like a license or permit, if there is any risk that their products may contribute to WMD-related programs. Consistent with OFAC’s compliance framework, the advisory encouraged companies to take a risk-based approach to sanctions compliance.
3. SDN Designations in the Shipping Industry
In May 2020, OFAC, the Department of State, and the U.S. Coast Guard issued a global advisory warning the maritime industry, as well as the energy and metals sectors, about deceptive shipping practices used to evade sanctions. Numerous designations throughout the course of 2020 demonstrate OFAC’s continued focus on the shipping industry and North Korean trade. On December 8, 2020, OFAC designated six entities and four vessels for violating UNSCR 2371’s restrictions on transporting or exporting North Korean coal. Designees include several Chinese entities (two of which were also registered in the United Kingdom), as well as companies in Hong Kong and Vietnam.
4. Criminal Enforcement
The violation of North Korean sanctions also continues to be an enforcement priority for both OFAC and U.S. Department of Justice. As we described in our 2020 Mid-Year Sanctions and Export Controls Update, on May 28, 2020, DOJ unsealed an indictment charging 33 individuals, acting on behalf of North Korea’s Foreign Trade Bank, for facilitating over $2.5 billion in illegal payments to support North Korea’s nuclear program.
DOJ and OFAC have also focused on non-North Korean companies who have supported the efforts of their North Korean customers to access the U.S. financial system. In July 2020, OFAC and DOJ announced parallel resolutions with UAE-based Essentra FZE Company Limited (“Essentra”) for violating the NKSR by exporting cigarette filters to North Korea using deceptive practices, including the use of front companies. On August 31, 2020, DOJ announced that Yang Ban Corporation (“Yang Ban”), a company established in the British Virgin Islands that operated in South East Asia, pled guilty to conspiring to launder money in connection with evading sanctions on North Korea and deceiving correspondent banks into processing U.S. dollar transactions.
Lastly, on January 14, 2021, OFAC announced a settlement with Indonesian paper products manufacturer PT Bukit Muria Jaya (“BMJ”) to resolve alleged violations of the NKSR connected to the exportation of cigarette paper to North Korea. DOJ announced a parallel resolution with BMJ through a Deferred Prosecution Agreement (“DPA”) to resolve allegations of conspiracy to commit bank fraud shortly thereafter. The Yang Ban and BMJ matters highlight DOJ’s increasing use of the money laundering and bank fraud statutes to pursue criminal cases related to sanctions violations, as neither case included an alleged violation of IEEPA.
F. Syria
OFAC continues to maintain a comprehensive and wide-ranging sanctions regime against the Bashal al-Assad regime in Syria. On August 20, 2020, OFAC designated Assad’s press officer and the leader of the Syrian Ba’ath Party under Executive Order 13573 as senior Government of Syria officials, while the State Department simultaneously imposed sanctions on several individuals under Executive Order 13894 for their role in “the obstruction, disruption, or prevention of a political solution to the Syrian conflict and/or a ceasefire in Syria.”
On September 30, 2020, OFAC and the State Department designated additional “key enablers of the Assad regime,” including the head of the Syrian General Intelligence Directorate, the Governor of the Central Bank of Syria, and a prominent businessman (and his businesses) who served as a local intermediary for the Syrian Arab Army, while on November 9 OFAC and State designated additional individuals and entities, focusing on stymying Syria’s attempt to revive its petroleum industry. Rounding out the year, on December 22, 2020, OFAC and the State Department sanctioned additional senior government officials and entities, including Assad’s wife, Asma al-Assad—who had already been designated in June 2020—as well as several members of her family.
Additionally, on December 22, OFAC officially designated the Central Bank of Syria (“CBS”) as an SDN. However, as the accompanying press release noted, the CBS has been blocked under Executive Order 13582 since 2011. As a simultaneously issued FAQ states, the designation “underscore[es] its blocked status” but “does not trigger new prohibitions.” The FAQ includes the reminder that “non-U.S. persons who knowingly provide significant financial, material, or technological support to, or knowingly engage in a significant transaction with the Government of Syria, including the [CBS], or certain other persons sanctioned with respect to Syria, risk exposure to sanctions.” Another FAQ, issued on the same date, reiterated that U.S. and non-U.S. persons can continue engage with CBS in authorized transactions that provide humanitarian assistance to Syria, and clarified that OFAC will not consider transactions to be “significant” if they are otherwise authorized to U.S. persons, and therefore non-U.S. persons are not prohibited from participating in transactions that provide humanitarian assistance to the people of Syria.
G. Other Sanctions Developments
1. Belarus
During the second half of 2020, OFAC designated several individuals and entities for their role in participating in the fraudulent August 9, 2020 Belarus presidential election or the violent suppression of the peaceful protests that followed. Beginning in August 2020, the Belarusian government instituted a violent crackdown on wide scale protests that had erupted following the reelection of longtime leader Aleksandr Lukashenko, which had been widely denounced as fraudulent. The crackdown was broadly condemned internationally, with both the U.S. and EU imposing sanctions on those determined to have been involved in orchestrating the election fraud or the subsequent violence.
On October 2, 2020, OFAC, in coordination with the United Kingdom, Canada, and EU, designated eight individuals under Executive Order 13405, which was initially promulgated in response to Lukashenko’s questionable reelection in 2006. The eight individuals include Belarus’s Interior Minister and his deputy, the leaders of organizations involved in violently suppressing protesters, the Commander and Deputy Commander of the Ministry of the Interior’s Internal Troops, and the Central Election Commission’s Deputy Chairperson and Secretary. Several months later, on December 23, OFAC designated the Chief of the Criminal Police as well as four entities involved in the administration of the election and subsequent crackdown. The EU similarly imposed three rounds of sanctions on a total of 88 individuals and 7 entities following the August 9, 2020 election, while Canada and the United Kingdom also imposed sanctions on Belarus.
2. Ransomware Advisory
On October 1, 2020, OFAC issued an “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” which details the sanctions risk posed by paying ransom to malicious cyber actors on behalf of victims of cyberattacks. The Advisory provides several examples of SDNs who have been designated due to their malicious cyber activities, and underscores the prevalence of such actors on OFAC’s sanctions lists. While the Advisory did not break new ground, it emphasizes that facilitating a ransomware payment, even on behalf of a victim of an attack, could constitute a sanctions violation, including in cases where a non-U.S. person causes a U.S. person to violate sanctions (in this case, to make the ransom payment to an SDN on behalf of the U.S. victim).
3. Art Advisory
One month later, on October 30, 2020, OFAC issued an “Advisory and Guidance on Potential Sanctions Risks Arising from Dealings in High-Value Artwork.” The Advisory underscores the sanctions risk posed by dealing in high value artwork—in particular artwork valued in excess of $100,000—due to the prevalence of SDNs’ participation in the market. The Advisory details how SDNs take advantage of the anonymity and confidentiality characteristic of the market to evade sanctions and even provides several examples of SDNs—including a top Hizballah donor, two Russian oligarchs, and a sanctioned North Korean art studio—who have taken advantage of the high-end art market to evade sanctions.
The Advisory further encourages U.S. persons and companies, including galleries, museums, private collectors, and art brokers, to implement risk-based compliance programs to mitigate against these risks. Further, and significantly, the Advisory clarifies that although the import and export of artwork is exempted from regulation under the Berman Amendment to IEEPA (which exempts from sanctions the export of information), OFAC does not interpret this exemption to encompass the intentional evasion of sanctions via the laundering of financial assets through the purchase and sale of high value artwork.
4. Hizballah Designations
OFAC has continued to put pressure on Hizballah through the imposition of sanctions in the second half 2020, particularly in the wake of the explosion at the Port of Beirut in August 2020, which highlighted the corruption and mismanagement that had become endemic to the Lebanese government. By the end of 2020, over 95 Hizballah-affiliated individuals and entities had been designated by OFAC since 2017. On September 8, 2020, OFAC designated two Lebanese government ministers for having “provided material support to Hizballah and engaged in corruption.” Both ministers reportedly took bribes from Hizballah in return for granting the organization political and business favors. Fewer than two weeks later, on September 17, 2020, OFAC designated two Lebanese companies for being owned or controlled by Hizballah, as well as a senior Hizballah official, who is “closely associated” with the companies. The companies, which are controlled by Hizballah’s Executive Council, reportedly had been used by Hizballah to evade sanctions and conceal the organization’s funds. One month later, on October 22, 2020, OFAC designated two members of Hizballah’s Central Council, which is the body that elects the organization’s ruling Shura Council.
5. International Criminal Court-Related Designations
On September 2, 2020, the United States designated the chief prosecutor of the International Criminal Court (“ICC”), as well as an ICC senior official, to the SDN List, the first promulgation of sanctions pursuant to a June 11, 2020 Executive Order—which we discussed in more detail in our 2020 Mid-Year Sanctions and Export Controls Update—declaring the ICC to be a threat to the national security of the United States due to its ongoing investigation of U.S. military actions in Afghanistan.
On January 21, 2020, a court in the Southern District of New York issued a preliminary injunction against the government, enjoining it from enforcing aspects of the Executive Order and its implementing regulations (that had been published on September 30, 2020). In so doing, the court determined that, by preventing U.S. persons and organizations from providing advice or other speech-based support to the designated individuals, the restrictions infringe on the plaintiffs’ constitutional right to free speech. Although the court has yet to issue a final ruling, the case may become mooted if the Biden-Harris administration revokes or allows the Executive Order to lapse, as commentators speculate.
III. U.S. Export Controls
Although China was often an explicit or implicit focus of many developments in U.S. export controls, 2020 was also year of significant innovation more broadly in export controls, especially those administered by the Department of Commerce. Each innovation has brought with it added complexities for compliance.
A. Commerce Department
1. Emerging Technology Controls
The Department of Commerce’s Advanced Notice of Proposed Rule Making on Emerging Technologies in late 2018 sparked strong concern within many economic sectors that the Department was planning to swiftly act on its mandate under the Export Control Reform Act (“ECRA”) of 2019 to identify and impose new and broadly framed controls concerning emerging technologies. However, as 2020 began—and even before the coronavirus took hold—it became clear that Commerce, for a few reasons, planned to take it slow. Commerce took well into late 2019 to analyze the public comments and to host many non-public meetings with a range of private sector actors, interagency, and non-government stakeholders on emerging technology controls. Among the key takeaways Commerce has shared publicly is its determination that emerging technology controls need to be tailored narrowly, and that Commerce needed to persuade other countries to adopt similar export controls to minimize the impact on the U.S. private sector companies and other organizations that are developing them.
The United States has several different ways to promote multilateral controls, including through its participation in the 42 member Wassenaar Arrangement (“WA”). Through its inter-plenary work in 2019, the participating states of the WA achieved consensus to impose new controls on six specific technologies at the December 2019 Wassenaar Arrangement Plenary, and in October 2020, Commerce added new controls on: hybrid additive manufacturing (AM)/computer numerically controlled (“CNC”) tools; computational lithography software designed for the fabrication of extreme ultraviolet (“EUV”) masks; technology for finishing wafers for 5 nm production; digital forensics tools that circumvent authentication or authorization controls on a computer (or communications device) and extract raw data; software for monitoring and analysis of communications and metadata acquired from a telecommunications service provider via a handover interface; and sub-orbital craft. Due to COVID, the Wassenaar Arrangement did not convene its annual plenary in December 2020 and consequently no new controls were adopted. However, the United States will Chair the General Working Group of Wassenaar in 2021, and given the significant work completed by Commerce and other U.S. Government agencies over the past several years to identify emerging technologies for control, the United States will be well-positioned to push for new controls over the course of 2021 for adoption at the Plenary meeting in December 2021.
Commerce made one exception in 2020 to its policy of waiting to build international consensus before imposing U.S. controls on emerging technologies. On January 3, 2020 it imposed new export controls on artificial intelligence software that is specially designed to automate the analysis of geospatial imagery in response to emergent national security concerns related to the newly covered software. As a result, a license from Commerce is now required to export the geospatial imagery software to all countries, except Canada, or to release the software to foreign nationals employees working with the software in the United States. To impose the new control, Commerce deployed a rarely used tool for temporarily controlling the export of emerging technologies—the 0Y521 Export Controls Classification Number (“ECCN”). This special ECCN category allows BIS to impose export restrictions on previously uncontrolled items that have “significant military or intelligence advantage” or when there are “foreign policy reasons” supporting restrictions on its export. In early 2021, Commerce opted to extend this unilateral control for another year while it continues to work towards consensus with other countries to impose parallel controls.
2. Foundational Technology Controls
ECRA also mandates Commerce to identify and impose new export controls on foundational technologies, and Commerce released an Advance Notice of Proposed Rule-making (“ANPRM”) on this topic in August 2020. However, in contrast to its more open-ended ANPRM on emerging technologies, in this request for comments, Commerce suggested that new, item-based controls on foundational technologies may not be warranted provided that their export is being controlled to certain destinations through other means. Specifically, Commerce noted that the expanded list of ECCNs it added to the EAR’s Military End User controls, which includes technologies that might be used by the governments of China, Russia, and Venezuela to build their respective defense industrial capabilities, could be deemed foundational technologies. Commerce also noted that it might draw on recent DOJ enforcement actions to help identify technologies that other countries have deemed critical enough to target for economic espionage. Overall, the approach taken in this ANPRM suggests that Commerce will be looking for other ways to impose controls on foundational technologies that would be less sweeping than the near globally-applicable, item-based licensing requirements it has imposed on the emerging technologies it has identified to date.
3. Removal of CIV License Exception
On June 29, 2020, as part of its efforts to curtail the export of sensitive technologies to countries that have policies of military-civil fusion, Commerce removed the license exception Civil End Users (“CIV”) from Part 740 of the EAR, which previously allowed eligible items controlled only for National Security (NS) reasons to be exported or reexported without a license for civil end users and civil end uses in certain countries.
NS controls are BIS’s second most-frequently applied type of control, applying to a wide range of items listed in all categories of the Commerce Control List (“CCL”). The countries included in this new restriction are from Country Group D:1, which identifies countries of national security concern for which the Commerce Department will review proposed exports for potential contribution to the destination country’s military capability. D:1 countries include China, Russia, Ukraine, and Venezuela, among others. By removing License Exception CIV, the Commerce Department now requires a license for the export of items subject to the EAR and controlled for NS reasons to D:1 countries. As with the expansion of the Military End Use and End User license requirements described above, the Commerce Department has stated that the reason for the removal of License Exception CIV is the increasing integration of civilian and military technological development pursued by countries identified in Country Group D:1, making it difficult for exporters or the U.S. Government to be sufficiently assured that U.S.-origin items exported for apparent civil end uses will not actually also be used to enhance a country’s military capacity contrary to U.S. national security interests.
4. Direct Product Rule Change
Although Commerce’s initial expansion of its Entity List-based controls targeted Huawei, it may point the way toward other Entity List-based and new end-user and end use-based licensing controls in 2021. As noted above, to further constrain Huawei and its affiliates, Commerce created a new Entity List-specific rule that significantly expands the Direct Product Rule to include a wide range of software, technology, and their direct products, many of which used to develop and produce semiconductor and other items that Huawei uses in its products. We expect further experimentation with Entity List-based controls in 2021, including potentially, lowered the “De Minimis Rule” thresholds, which could greatly expand the range of foreign products incorporating controlled U.S. content that would require Commerce licensing when specific parties are involved.
5. Expanded Crime Control and Human Rights Licensing Policy
Commerce also focused efforts in 2020 on a review and update of controls imposed on U.S. origin items under its Crime Control policy. Most of the items controlled by the EAR for Crime Control reasons today are items that have been used by repressive regimes for decades, such as riot gear, truncheons, and implements of torture. In July 2020, Commerce issued a Notice of Inquiry signaling its intention to update the list of items to include advanced technology such as facial recognition software and other biometric surveillance systems, non-lethal visual disruption lasers, and long range acoustic devices. While, as of this writing, Commerce continues to work through the comments submitted in response to the Notice, on October 6, 2020 it imposed new controls on exports of water cannon systems for riot and crowd control to implement a specific mandate from Congress to restrict the export of commercial munitions to the Hong Kong Police Force.
On the same day, Commerce amended the EAR to reflect a new licensing policy to deny the export of items listed on the Commerce Control List for crime control reasons to countries where there is either civil disorder or it assesses that there is a risk that items will be used in the violation or abuse of human rights. This amendment changed the Commerce Department’s licensing policy in two ways. First Commerce licensing officers no longer require evidence that the government of an importing country has violated internationally recognized human rights. Instead, BIS will consider whether an export could enable non-state actors engage in or enable the violation or abuse of human rights.
Second, Commerce noted that it would extend its Crime Control review policy to proposed exports of other items that are not specifically listed on the CCL for Crime Control reasons. This second expansion is particularly noteworthy because it expressly allows Commerce licensing officers to consider human rights concerns when reviewing proposed exports of many other items used by repressive governments today to surveil and stifle dissent or engage in other kinds of human rights violations, such as more generally benign telecommunications, information security, and sensor equipment.
B. State Department
1. Directorate of Defense Trade Controls (DDTC)
There were far fewer legal or regulatory developments at DDTC than occurred at Commerce in 2020, and DDTC appeared to focus much more effort on several practice-related changes. Indeed, DDTC spent significant time to launch a single digital platform for the processing of registrations, license applications, and correspondence requests, among other submissions.
The most significant rule change came in January when DDTC issued its final rule to revise Categories I, II, and III of the United States Munitions List to remove from Department of State jurisdiction the controls on certain firearms, close assault weapons, and combat shotguns, other guns and armament, and ammunition. The Department of Commerce now regulates the export and reexport of the items transferred to the Commerce Control List going forward.
DDTC also implemented a long awaited change to the ITAR’s export licensing treatment of encrypted communications on March 25, 2020. The rule change affords similar (but not thesame) treatment to encrypted communications as does the EAR and should make it easier for companies and other organizations to use Internet and international cloud networks to transmit and store encrypted ITAR technical data without triggering licensing requirements.
DDTC made greater use in 2020 of Frequently Asked Questions to provide guidance on a range of topics. Most significantly, the DDTC shared, in real time, its evolving policy on whether U.S. person nationals working outside of the United States and providing defense services need to maintain separate registrations and obtain ITAR authorizations in a series of FAQs published on January 8, February 21, and April 4. DDTC also issued FAQs providing guidance on its recently revamped “By or For” license exemption, 22 CFR § 126.4, which will make it significantly easier for U.S. Government contractors to export defense articles and defense services without ITAR authorization when these exports are being done at the direction of U.S. Government agencies and meet certain criteria. On October 20, DDTC used an FAQ to provide an explanation of a frequently invoked but not always clearly understood licensing rule referred to as the ITAR “see-through rule.” Curiously, DDTC found it necessary to inform the exporting public in a May FAQ that Puerto Rico is in fact a U.S. territory, along with American Samoa, Guam, and the U.S. Virgin Islands, and did not require ITAR licensing.
2. Bureau of Democracy, Human Rights, and Labor
On September 30, the State Department Bureau of Democracy, Human Rights, and Labor issued due diligence guidance on transactions that might result in the sale of products and services with surveillance capabilities foreign government end-users (hereinafter “Guidance”). The non-binding Guidance tracks and applies human rights diligence international standards set out in the United Nations Guiding Principles and Organization for Economic Co-operation and Development (OECD) Guidelines for Multinational Enterprises to surveillance product and service transactions. State’s surveillance guidance identifies “red flags” members of the regulated community should watch for prior to entering into a transaction with a government end-user, along with suggested safeguards—such as contractual provisions and confidential reporting mechanisms—to detect and halt rights abuses should they occur. Although the Guidance does not break new ground for many large manufacturers of these products that already incorporate human rights-related diligence in their evaluation of proposed sales of these products and services, sensitive jurisdictions, mid- and smaller-size firms might find it helpful. Especially for resource-constrained entities that may not know what resources might be available to inform their due diligence, the Guidance identifies specific U.S. and non-U.S. Government publications and tools. For those companies not yet conducting human rights diligence on transactions involving these products, the Guidance helps set the bar on the expectations that investors, non-government organizations, and other stakeholders have for their business conduct going forward.
IV. European Union
A. EU-China Relationship
In 2020, the EU charted a somewhat different course than Washington in its economic relations with China. It finalized a comprehensive agreement on investment focused on enabling an increase in outbound investment in China from the EU, and at the same time, EU and its member states enhanced their framework for reviewing foreign direct investment (“FDI”) to address concerns regarding, inter alia, Chinese investments in certain sectors in the EU.
On December 30, 2020, the EU and China concluded negotiations for a Comprehensive Agreement on Investment (“CAI”). China has committed to a greater level of market access for EU investors, including opening certain markets for foreign investments from the EU for the first time. China has also made commitments to ensure fair treatment of investors from the EU, with the EU hoping for a level playing field in China (specifically vis-à-vis state owned enterprises), transparency of subsidies granted and rules against the forced transfer of technologies. China has also agreed to ambitious provisions on sustainable development, including certain commitments on forced labor and the ratification of certain conventions of the International Labor Organization. The EU has committed to a high level of market entry for Chinese investors and that all rules apply in a reciprocal manner. As next steps, China and the EU will be working towards finalizing the text of CAI, before then being submitted for approval by the EU Council and the European Parliament.
On October 11, 2020, Regulation (EU) 2019/452 of 19 March 2019 establishing a framework for screening of foreign direct investments into the EU (the “EU Screening Regulation”) entered into force, marking the beginning of EU-wide coordination regarding FDIs among EU member states and the European Commission. While FDI screening and control remains a member state competency, the EU Screening Regulation increases transparency and awareness of FDI flows into the EU. (For details on the EU Screening Regulation and the newly applicable EU-wide cooperation process, see our respective client alert of March 2019.)
A notable case of enforcing FDI control in particular with respect to China is the prohibition by the German government in December 2020 of the indirect acquisition of a German company with expertise in satellite/radar communications and 5G millimeter wave technology by a Chinese state-owned defense group. Germany has seen an increased number and complexity of foreign investments and takeover (attempts) over the past couple of years, especially by Chinese investors, which has resulted in a continuous tightening of FDI rules in Germany. For additional details on the developments in 2020 with regard to the German FDI rules, including an overview of the investment screening process in Germany, please refer to our client alerts in May 2020 and November 2020.
B. EU Sanctions Developments
Currently, the EU has over forty different sanctions regimes or “restrictive measures” in place, adopted under the EU’s common foreign and security policy (“CFSP”). Some are mandated by the United Nations Security Council, whereas others are adopted autonomously by the EU. They can broadly be categorized in EU Economic and EU Financial Sanctions. Further, EU member states may implement additional sanctions. EU economic sanctions, broadly comparable to U.S. sectoral sanctions, are restrictive measures designed to restrict trade, usually within a particular economic sector, industry or market—e.g., the oil and gas sector or the defense industry (“EU Economic Sanctions”).
EU financial sanctions are restrictive measures taken against specific individuals or entities that may originate from a sanctioned country, or may have committed a condemned activity (“EU Financial Sanctions”). These natural persons and organizations are identified and listed by the EU in the EU Consolidated List of Persons, Groups and Entities Subject to EU Financial Sanctions (“EU Consolidated List”), broadly comparable to U.S. Specially Designated Nationals (“SDN”) listings.
It is noteworthy that, on a regular basis, third-party countries align with EU Sanctions, such as recently North Macedonia, Montenegro, Albania, Iceland and Norway with regards to the Belarus Sanctions.
For a full introduction into EU Sanctions, including the EU Blocking Statute, as well as, exemplary, the German export control regime, please take a look at a recent GDC co-authored publication, the International Comparative Legal Guide to Sanctions 2020.
While EU sanctions are enforced by EU member states, the EU Commission has announced that it plans to take steps to strengthen sanctions enforcement. On January 19, 2021, the EU Commission published a Communication to the European Parliament, the Council, the European Central Bank, the European Economic and Social Committee and the Committee of the Regions titled “The European economic and financial system: fostering openness, strength and resilience” (the “Communication”). The Communication describes EU sanctions as “key instrument” playing a “critical role in upholding the EU’s values and in projecting its influence internationally”. To improve the design and effectiveness of EU sanctions, the EU Commission will from 2021 will conduct a review of practices that circumvent and undermine sanctions. It will further develop a database, the Sanctions Information Exchange Repository, to enable “prompt reporting and exchange of information between the Member States and the Commission on the implementation and enforcement of sanctions.” In addition, the Commission is setting up an expert group of Member States’ representative on sanctions and extra-territoriality and intends to improve coordination on certain cross-border sanctions-related matters between Member States. The Commission will also work with Member States to establish a single contact point for enforcement and implementation issues when there are cross-border implications.
To supervise the harmonized enforcement of EU sanctions, the EU Commission—among other measures—plans to create a dedicated system to report sanctions’ evasion anonymously, including a confidential whistleblowing system.
1. EU Human Rights Sanctions
On December 7, 2020, the Foreign Affairs Council of the Council of the European Union, adopted Decision (CFSP) 2020/1999 and Regulation (EU) 2020/1998, together establishing the EU’s first global and comprehensive human rights sanctions regime (“EU Human Rights Sanctions”) (as discussed in detail in our recent client alert). The EU Human Rights Sanctions will allow the EU to target individuals and entities responsible for, involved in or associated with serious human rights violations and abuses and provides for the possibility to impose travel bans, asset freeze measures and the prohibition of making funds or economic resources available to those designated.
EU Human Rights Sanctions mirror in parts the U.S. Magnitsky Act of 2012, and its 2016 expansion, the U.S. Global Magnitsky Human Rights Accountability Act as well as similar Canadian and United Kingdom sanction regimes. Notably, in contrast to the U.S. and Canadian human rights sanctions regimes, and similar to the United Kingdom human rights sanctions regime, the list of human rights violations does not include corruption.
While human rights violations have been subject to EU sanctions in the past, imposed on the basis of a sanctions framework linked to specific countries, conflicts or crises, the newly adopted EU Human Rights Sanctions are a significantly more flexible tool for the EU to respond to significant human rights violations. Although no specific individual or entity have yet been designated under the EU human rights sanctions, companies active in the EU should be mindful of this new sanctions regime and take it into consideration in their compliance efforts.
On December 17, 2020, the European Commission published the Commission Guidance Note of the Implementation of Certain Provisions of Council Regulation (EU) 2020/1998 (“Human Rights Guidance Note”) regarding the implementation of certain provisions of the EU Human Rights Sanctions, advising on the scope and implementation in the form of 13 “most likely” questions that may arise and the respective answers.
2. EU Cyber Sanctions
On May 17, 2019, the EU established a sanctions framework for targeted restrictive measures to deter and respond to cyber-attacks that constitute an external threat to the EU or its Member States. The framework was expounded in two documents, Council Decision (CFSP) 2019/797 and Council Regulation 2019/796 (as discussed in detail in our previous client alert). In July 2020, the EU imposed its first ever sanctions listing related to cyber-attacks against Russian intelligence, North Korean and Chinese firms over alleged cyber-attacks. The EU targeted the department for special technologies of the Russian military intelligence service for two cyber-attacks in June 2017. Four individuals working for the Russian military intelligence service were sanctioned for their alleged participation in an attempted cyber-attack against the Organization for the Prohibition of Chemical Weapons in the Netherlands in April 2018. Further, North Korean company Chosun Expo was sanctioned due to suspicions of it having supported the Lazarus Group, which is deemed responsible for a series of major cyber-attacks and cybercrime activities worldwide. In addition, Chinese firm Haitai Technology Development and two Chinese individuals were sanctioned. The EU alleged cyber-attacks aimed at stealing sensitive business data from multinational companies. On October 22, 2020, the EU used the framework to impose further sanctions on two Russian officials and part of Russia’s military intelligence agency (GRU) over a cyberattack against the German parliament in 2015.
The Council of the EU recently extended the EU Cyber Sanctions until May 18, 2021.
3. EU Chemical Weapons Sanctions
On October 12, 2020, the European Council decided to extend the sanctions concerning restrictive measures against the proliferation and use of chemical weapons by one year, until October 16, 2021. Such EU Chemical Weapons Sanctions were initially introduced in 2018 with the aim to counter the proliferation and use of chemical weapons which pose an international security threat. The restrictive measures consist of travel bans and asset freezes. Further, persons and entities in the EU are forbidden from making funds available to those listed. Currently, restrictive measures are imposed on nine persons and one entity. Five of the persons are linked to the Syrian regime and the sanctioned entity is understood to be the Syrian regime’s main company for the development of chemical weapons. The remaining four of the nine persons are linked to the 2018 attack in Salisbury using the toxic nerve agent Novichok.
4. EU Iran Sanctions & Judicial Review
In January 2020, France, Germany and the UK (the “E3”) issued a joint statement reaffirming their support to the JCPOA, repeating their commitment throughout the year, and roundly rejecting the United States’ attempts to trigger a UN sanctions snapback. In September 2020, the E3 also warned the United States that its claim to have the authority to unilaterally trigger the so-called JCPOA snap-back mechanism that would have led to reimposing UN mandated nuclear-related sanctions on Iran would have no effect in law. On December 21, 2020, a Meeting of the E3/EU+2 (China, France, Germany, the Russian Federation, the United Kingdom, and the High Representative of the European Union for Foreign Affairs and Security Policy) and the Islamic Republic of Iran stressed that JCPOA remains a key element of the global nuclear non-proliferation architecture and a substantial achievement of multilateral diplomacy that contributes to regional and international security. The Ministers reiterated their deep regret towards the U.S. withdrawal and agreed to continue to dialogue to ensure the full implementation of the JCPOA. Finally, the Meeting also acknowledged the prospect of a return of the U.S. to the JCPOA, and expressed they were ready to positively address this move in a joint effort.
Regarding litigation, on October 6, 2020, the Court of Justice of the European Union (“CJEU”) gave its long-awaited judgment in Bank Refah Kargaran v. Council (C-134/19 P), an appeal against the judgment of the General Court in T-552/15, raising the question of the EU Courts’ jurisdiction in sanctions damages cases. By this judgment, the General Court dismissed the action by Bank Refah Kargaran seeking compensation for the damage it allegedly suffered as a result of the inclusion in various lists of restrictive measures in respect of the Islamic Republic of Iran.
In its judgment, the CJEU ruled that the General Court erred in law by declaring that it lacked jurisdiction to hear and determine the action for damages for the harm allegedly suffered by the appellant as a result of the Common Foreign and Security Policy (“CFSP”) decisions adopted under Article 29 TEU. According to the CJEU, and in sync with Advocate General Hogan’s Opinion delivered in that case in May 2020, the General Court’s jurisdiction extends to actions for damages in matters relating to the CFSP. In fact, it is to be understood that jurisdiction is given for the award of damages arising out of both targeted sanctions decisions and regulations. However, the CJEU dismissed the appeal on account of the lack of an unlawful conduct capable of giving rise to non-contractual liability on the part of the EU and upheld the General Court’s interpretation that the inadequacy of the statement of reasons for the legal acts imposing restrictive measures is not in itself sufficiently serious as to activate the EU’s liability
5. EU Venezuela Sanctions
The EU’s Venezuela Sanctions include an arms embargo as well as travel bans and asset freezes on listed individuals, targeting those involved in human rights violations, and those undermining democracy or the rule of law.
On January 9, 2020, the EU’s High Representative, Josep Borrell, declared that the EU is “ready to start work towards applying additional targeted measures against individuals” involved in the recent use of force against Juan Guaidó, the president of Venezuela’s National Assembly, and other lawmakers to impede their access to the National Assembly on January 5, 2020.
On November 12, 2020, the European Council extended sanctions on Venezuela until November 14, 2021, and replaced the list of designated individuals, which now includes 36 listed individuals in official positions who are deemed responsible for human rights violations and for undermining democracy and the rule of law in Venezuela.
Recently, the EU has issued a Declaration stating that it is prepared to impose additional targeted sanctions in response to the decision of the Venezuelan National Assembly to assume its mandate on January 5, 2021, on the basis of non-democratic elections.
6. EU Russia Sanctions & Judicial Review
Since March 2014, the EU has progressively imposed increasingly harsher economic and financial sanctions against Russia in response to the destabilization of Ukraine and annexation of Crimea. EU Russia Economic Sanctions continue to include an arms embargo, an export ban on dual-use goods for military use or military end-users in Russia, limited access to EU primary and secondary capital markets for major Russian state-owned financial institutions and major Russian energy companies, and limited Russian access to certain sensitive technologies and services that can be used for oil production and exploration. On December 17, 2020, the EU renewed such sanctions for six months. The EU Russia Economic Sanctions imposed in response to the annexation of Crimea and Sevastopol have been extended until June 23, 2021.
Russia has imposed counter-measures in response to EU Russia Economic and Financial Sanctions. In particular, Russia decided to ban agricultural imports from jurisdictions that participated in sanctions against Moscow. The measures included a ban on fruit, vegetables, meat, fish, milk and dairy products. On December 22, 2020, in response to new EU Russia Financial Sanctions imposed on Russians officials in connection with the poisoning of opposition leader Alexei Navalny, Russia imposed additional travel bans on representatives of EU countries and institutions.
As to related judicial review, on June 25, 2020, the CJEU dismissed appeals brought by VTB Bank (C-729/18 P) and Vnesheconombank (C-731/18 P) against the General Court’s judgments confirming their inclusion in 2014 in the EU’s sanctions list, which restricted the access of certain Russian financial institutions to the EU capital markets. The Court inter alia remarked that the measures were justified and proportionate because they were capable of imposing a financial burden on the Russian government, because the government might need to have to rescue the banks in the future.
On September 17, 2020, the CJEU rejected an appeal (C-732/18 P) brought by Rosneft (a Russian oil company) against the General Court’s decision to uphold its 2014 EU listing (T‑715/14). The CJEU confirmed the General Court’s assessment that the measures were appropriate to the aims they sought to attain. More specifically, given the importance of the oil sector to the Russian economy, there was a rational connection between the restrictions on exports and access to capital markets and the objective of the sanctions, which was to put pressure on the government, and to increase the costs of Russia’s actions in Ukraine.
Following the same line of reasoning as in a series of previous judgments by the EU Courts in 2018[1] and 2019,[2] the General Court decided in a number of new cases that certain individual listings on the EU’s Ukraine sanctions list (which, inter alia, targets those said to be responsible for the “misappropriation of State funds”) are unlawful because the EU has not properly verified whether the decisions of the Ukrainian authorities contained sufficient information or that the procedures respected rights of defence. More specifically:
On December 16, 2020, the General Court annulled the 2019 designation of Mykola Azarov, the former Prime Minister of Ukraine (T-286/19). Mr. Azarov is no longer subject to EU sanctions after his delisting in March 2020. The Court ruled that the Council of the European Union had made an error of assessment by failing to establish that the Ukrainian judicial authorities had respected Mr Azarov’s rights of the defence and right to judicial protection.
Earlier in 2020, on June 25, 2020, the General Court issued its judgment in Case T-295/19 Klymenko v Council, in which the Court held that it was not properly determined whether Mr Klymenko’s rights of defence were respected in the ongoing criminal proceedings against him in Ukraine. In particular, the Council had not responded to or considered Mr Klymenko’s arguments such as that the pre-conditions for trying him in his absence had not been fulfilled, he had been given a publicly appointed lawyer who did not provide him with a proper defence, the Ukrainian procedure did not permit him to appeal against the decision of the investigating judge, and he was not being tried within a reasonable time. Mr Klymenko was relisted in March 2020 and so remains on the EU sanctions list.
Furthermore, on September 23, 2020, with its Judgments in cases T-289/19, T-291/19 and T-292/19, the General Court annulled the 2019 designation of Sergej Arbuzov, the former Prime Minister of Ukraine, Victor Pshonka, former Prosecutor General and his son Artem Pshonka, respectively. All remain on the EU’s sanctions list, because their designations were renewed in March 2020.
7. EU Belarus Sanctions
On August 9, 2020, Belarus conducted presidential elections and, based on what were considered credible reports from domestic observers, the election process was deemed inconsistent with international standards by the EU. In light of these events and acting with partners in the United States and Canada, the EU foreign ministers agreed on the need to sanction those responsible for violence, repression and the falsification of election results. In addition, EU foreign ministers called on Belarusian authorities to stop the disproportionate violence against peaceful protesters and to release those detained.
Shortly afterwards, on August 19, 2020 the EU heads of state and government met to discuss the situation and, in declarations to the press, President Charles Michel affirmed that the EU does not recognize the election results presented by the Belarus authorities and that EU leaders condemned the violence against peaceful protesters. On this occasion, EU leaders agreed on imposing sanctions on the individuals responsible for violence, repression, and election fraud. However, Cyprus opposed the adoption of measures by insisting that the EU should first agree on the adoption of restrictive measures against Turkey. This episode highlighted that a single EU member state or small group of EU member states can complicate EU foreign policy goals and push for trade-offs on unrelated matters.
Yet, restrictive measures were effectively imposed on October 2, 2020 against 40 individuals identified as responsible for repression and intimidation against peaceful demonstrators, opposition members and journalists in the wake of the 2020 presidential election, as well as for misconduct of the electoral process. The restrictive measures included a travel ban and asset freezing.
On November 6, 2020, the set of restrictive measures was expanded, and the Council of the EU added 15 members of the Belarusian authorities, including Alexandr Lukashenko, as well as his son and National Security Adviser Viktor Lukashenko, to the list of individuals sanctioned.
Lastly, on December 17, 2020, the set of restrictive measures was further expanded in order to adopt 36 additional designations, which targeted high-level officials responsible for the ongoing violent repression and intimidation of peaceful demonstrators, opposition members and journalists, among others. The listings also target economic actors, prominent businessmen and companies benefiting from and/or supporting the regime of Aleksandr Lukashenko. Therefore, after three rounds of sanctions on Belarus, there are currently a total of 88 individuals and 7 entities designated under the sanctions’ regime in place for Belarus.
8. EU North Korea Sanctions
On July 30, 2020, the EU North Korea Economic Sanctions targeting North Korea’s nuclear-related, ballistic-missile-related or other weapons of mass destruction-related programs or for sanctions evasion were confirmed, and will continue to apply for one year, until the next annual review.
9. EU Turkey Sanctions
On December 10, 2020, EU leaders agreed to prepare limited sanctions on Turkish individuals over an energy exploration dispute with Greece and Cyprus, postponing any harsher steps until March 2021 as countries sparred over how to handle Ankara.
Josep Borrell, the High Representative of the European Union for Foreign Affairs and Security Policy, is now expected to come forward with a broad overview report on the state of play concerning the EU-Turkey political, economic and trade relations and on instruments and options on how to proceed, including on the extension of the scope of the above-mentioned decision for consideration at the latest at the March 2021 European Council.
10. EU Syria Sanctions – Judicial Review
On December 16, 2020, the General Court dismissed the applications of two Syrian businessmen, George Haswani (T-521/19) and Maen Haikal (T-189/19), to annul their inclusion on the EU’s Syria sanctions list. In both cases, the General Court held that the Council of the European Union had provided a sufficiently concrete, precise and consistent body of evidence capable of demonstrating that both Applicants are influential businessmen operating in Syria.
Similarly, on July 8, 2020, the General Court rejected an application by Khaled Zubedi to annul his inclusion on the EU’s Syria sanctions (T-186/19) and on July 9, 2020 the CJEU rejected an appeal by George Haswani (C-241/19 P). In both cases the Courts concluded that the Council of the European Union could appropriately demonstrate that both men were leading businessmen operating in Syria and that neither had rebutted the presumption of association with the regime of President Assad. Also, on December 2, 2020, the General Court dismissed Nader Kalai’s similar application of annulment (T-178/19).
In addition, maintaining its established position on the subject, the CJEU dismissed a series of appeals brought before it by 6 Syrian entities, Razan Othman (Rami Makhlouf’s wife), and Eham Makhlouf (vice-president of one of the listed entities) challenging the General Court’s decision to uphold their 2016-2018 listings (see cases C-350/19 P; C‑349/19 P, C-348/19 P, C‑261/19 P, C‑260/19 P, C‑159/19 P, C‑158/19 P and C‑157/19 P, published on October 1, 2020). The CJEU held that the General Court was right to uphold the appellants’ listings because the EU’s Syria sanctions include membership of the Makhlouf family as a criterion on which a designation can be based. Considering that the Appellants were all found to be wholly or by majority owned by Rami Makhlouf, their assets were liable to be frozen without the need to demonstrate that they actively supported or had derived some benefit from the regime.
11. EU Egypt Sanctions – Judicial Review
On December 3, 2020, the CJEU delivered its ruling on Joined Cases C‑72/19 P and C‑145/19 P, concluding that the sanctions on deceased former Egyptian leader Hosni Mubarak and several members of his family should be lifted because of due process errors. The CJEU found that the Council of the EU took as its basis for listing Mr. Mubarak and his family members the mere existence of judicial proceedings against them in Egypt for misappropriation of State funds, i.e., the decision of an authority of a third State. As the Council of the EU took assurances from Egyptian authorities that these rights were being observed when it should have independently confirmed that the legal protections were in place before designating the individuals, the CJEU found that the Council of the EU failed to verify whether that decision had been adopted in accordance with the rights of the defense and the right to effective judicial protection of the individuals listed.
Nevertheless, the asset freeze on the Mubarak family members will remain in place as the judgment only overturns the Council of the EU’s decisions to impose sanctions on the family in 2016, 2017 and 2018. The 2019 and 2020 renewals of the original legal framework are still undergoing litigation.
C. EU Member State Export Controls
1. Belgium
On June 26, 2020 the Belgian Federal Parliament adopted of a resolution urging the government to prepare a list of countermeasures against Israel in case it annexes the occupied Palestinian territories.
2. France
On June 3, 2020, the Court of Appeal of Paris (international commercial chamber) issued its Judgment in SA T v Société N. The Court of Appeal dismissed an appeal by a French contractor seeking the annulment of an arbitral tribunal’s award on the grounds that it had breached French international public policy by failing to take into account UN, EU and US sanctions. The tribunal had ordered the contractor to pay €1 million to an Iranian company following a dispute over the conversion of a gas field into an underground storage facility. The Court of Appeal concluded that UN and EU sanctions regulations constitute “mandatory overriding provisions.”
On July 24, 2020, the French Cour de Cassation lodged a request for a preliminary ruling to the CJEU, regarding the interpretation of UN and EU Iran sanctions, and more specifically on questions concerning creditors’ ability to take enforcement action against assets frozen by EU sanctions regulations (registered under Case C-340/20).
The French Court referred the questions to the CJEU in order to decide appeals brought in case Bank Sepah v Overseas Financial Ltd and Oaktree Finance Ltd.
On December 9, 2020, the French government published an Ordinance n° 2020-1544 in the Official Journal, which expands controls on digital assets as part of efforts to combat money laundering and terrorist financing.
3. Germany
The German Federal Court of Justice (Bundesgerichtshof) (“BGH”) decided on August 31, 2020, that the procurement of materials for a foreign intelligence service, while circumventing EU Sanctions, fulfills the elements of a crime under section 18 para. 7 No. 1 of the Foreign Trade and Payments Act (Aussenwirtschaftsgesetz) (“AWG”). Espionage or affiliation with an intelligence service are not necessary to act “for the intelligence service of a foreign power.”
In the case, a man sold machine tools to Russian companies for around €8 million in seven cases between 2016 and 2018. The man’s actual contractual partner—a member of a Russian intelligence service—subsequently supplied the machines to a Russian state-owned arms company for military use. The arms company operates in the field of carrier technology and develops cruise missiles. The machine tools are considered dual-use technology, and the sale and export of such items to Russia is prohibited since 2014 under the EU Russia Sanctions, specifically Regulation (EU) 883/2014 as amended.
The BGH decided that it is sufficient if the delivery of the machines is a result of the perpetrator’s involvement in the procurement structure of foreign intelligence services. An organizational integration of the perpetrator into the foreign intelligence service is not required to justify the higher penalty of section 18 para. 7 No. 1 AWG (imprisonment of not less than one year) compared to the regular sentencing range of section 18 para. 1 AWG (imprisonment from three months up to five years) imposed for embargo violations under the AWG.
4. Latvia / Lithuania / Estonia
On August 31, 2020, Latvia, as well as Lithuania and Estonia, imposed travel bans on 30 officials including the President of Belarus Alexander Lukashenko, on the basis of their contribution to violations of international electoral standards and human rights, as well as repression against civil society and opposition to democratic processes. Following this designation, on September 25, 2020, the aforementioned EU Member States added 98 Belarusian officials to this list.
In November 2020, the aforementioned EU Member States proceeded to further designations. More specifically, Estonia and Lithuania imposed travel bans on an additional 28 Belarusian officials, and Latvia imposed a travel ban on 26 officials, all of whom are said to have played a central role in falsifying election results and using violence against peaceful protesters in Belarus. Overall, Latvia has now listed a total of 159 officials, who are banned from entering its territory indefinitely. Estonia and Lithuania have both listed 156 officials in total.
In February 2020, the Administrative Regional Court in Riga, Latvia rejected a request to suspend a ban issued by Latvia’s National Electronic Mass Media Council on the broadcasting of 9 Russian television channels due to the designation of their co-owner, Yuriy Kovalchuck, who is listed pursuant to Council Regulation (EU) 269/2014 (undermining or threatening the territorial integrity, sovereignty and independence of Ukraine).
5. Luxembourg
On December 27, 2020, a law allowing Luxembourg to implement certain sanctions in financial matters adopted by the UN and the EU entered into force. The restrictive measures in financial matters envisaged by the law include asset freeze measures, prohibitions/restrictions of financial activities and financial services to designated people, entities or groups.
The measures can be imposed on Luxembourg nationals (residing or operating in or outside Luxembourg), legal persons having their registered office, a permanent establishment or their center of main interests in Luxembourg and which operate in, from or outside the territory, as well as all other natural and legal persons operating in Luxembourg.
Under this legislation, domestic supervisory and regulatory bodies are responsible for supervising the implementation of the law. This includes (i) the power to access any documentation; (ii) request information from any person; (iii) request disclosure of communications from regulated persons; (iv) carry out on-site inspections; and (v) refer information to the State prosecutor for criminal investigation.
Failure to comply with the newly adopted restrictive measures shall be punishable by criminal penalties, such as imprisonment and/or a fine up to €5 million. Where the offence has resulted in substantial financial gain, the fine may be increased to four times the amount of the offence.
6. The Netherlands
On April 21, 2020, the Dutch Senate adopted an Act implemented amendments to the Fourth Anti-Money Laundering Directive (Directive EU 2015/849). This Act—which entered into force on May 18, 2020—provides that professional and commercial cryptocurrency exchange and wallet providers seeking to provide services in the Netherlands must register themselves at the Dutch Central Bank. For successful registration, adequate internal measures and controls to ensure compliance with EU and national (Dutch) sanctions must be demonstrated. Failure to show adequate sanctions compliance systems could lead to registration being denied, in which case such crypto companies would need to refrain from providing services. Further, the adoption in December 2019 by the Dutch Ministry of Foreign Affairs of guidelines for companies compiling an internal compliance programme (ICP) for “strategic goods, torture goods, technology and sanctions” is noteworthy. These guidelines resemble that of the EU’s guidance aside from the inclusion of shipment control (rather than physical and information security) in its seven core elements.
7. Slovenia
On November 30, 2020, the Slovenian government issued a statement proscribing Hezbollah as a terrorist organisation, becoming the sixth EU member, after the Netherlands, Germany, Lithuania, Estonia, and Latvia to recognize the Iranian-sponsored Hezbollah as a terrorist organization.
8. Spain
On June 12, 2020, the Spanish Ministry of Economic Affairs and Digital Transformation published a Draft Law, amending Law 10/2010 of April 28 on the prevention of money laundering and terrorist financing, to transpose into Spanish domestic law the EU’s Fifth Money Laundering Directive. The legislation also sets out the legal framework for enforcing compliance with EU and UN sanctions. More specifically, when it comes to the enforcement of sanctions, the Draft Law increases the limitation periods for sanctions: in the case of very serious offenses from three to four years, and in the case of serious offenses, from two to three years. In addition, fines will always be accompanied by other sanctions such as public or private reprimands/warnings, temporary suspensions or removals from office, while with the current Law 10/2010 this only occurs in case of sanctions for grave infractions.
C. EU Counter-Sanctions
The EU and its member states are also deeply concerned about the extraterritorial effects of both U.S. and Chinese sanctions and the recent approval of U.S. sanctions in relation to the Nord Stream 2 pipeline have further focused attention on this issue. With respect to Nord Stream 2, Josep Borrell affirmed that the EU does not recognize the extraterritorial application of U.S. sanctions and that it considers such conduct to be contrary to international law.
As discussed above, Germany has taken concrete steps to fend off the threat of U.S. sanctions targeting the Nord Stream 2 pipeline. The German state of Mecklenburg-Vorpommern approved the establishment of the Mecklenburg-Vorpommern Climate and Environmental Protection Foundation (the “Foundation”) to, inter alia, ensure the completion of the Pipeline, which is already more than 94% completed. While the declared aim of the Foundation is to counter climate change and to protect the environment (e.g., to avoid a pipeline run on the bottom of the ocean), the Foundation is also outspokenly designed to provide protection against U.S. sanctions by acquiring, holding and releasing necessary hardware to complete the Pipeline.
If successful, the move to shield companies or projects with state-owned/state-supported foundations might be copied by other governments in the EU, replacing or at least complimenting reliance on the EU Blocking Statute, which, at least in its current form, has been perceived as being insufficient to achieve its stated goal.
The EU has also been taking steps to provide itself with a toolkit that would allow to adopted block or counter non-EU sanctions with which it disagrees. A recent study requested by the European Parliament foreshadows possible upcoming counter sanctions and blocking measures aimed at defending the sovereignty of the European Union. The study suggests, for example, that EU businesses should be encouraged and assisted in bringing claims in international investor-state arbitration and in U.S. courts against sanctions imposed by the U.S. or other States and the blocking of financial transactions by the SWIFT system, which is constituted under Belgian law, subjected to European legislation and has been used in connection with the EU implementation of UN sanctions in the past. It remains to be seen if the EU will take onboard any of the suggestions put forward by the study.
Finally, on January 19, 2021, the EU Commission published a Communication to the European Parliament, the Council, the European Central Bank, the European Economic and Social Committee and the Committee of the Regions titled “The European economic and financial system: fostering openness, strength and resilience” (the “Communication”). The Communication notes that the EU plans to enforce the policy goals of the EU Blocking Statute through the general investment screening processes, which is enforced by the EU member states. Accordingly, U.S. investments in EU companies could be subject to more intense investment scrutiny if such investments could result in the EU target having to comply with U.S. extra-territorial sanctions.
According to the Communication, the EU Commission also plans to strengthen cooperation on sanctions, in particular with the G-7 partners. Also, the EU Commission will put in place measures to strengthen the Blocking Statute as the EU’s most powerful tool to respond to sanction regimes of third countries, including (i) clearer procedures and rules; (ii) strengthened measures to block the recognition and enforcement of foreign decisions and judgments; (iii) streamlines processing for authorization requests; and (iv) possible involvement in foreign proceedings to support EU companies and individuals.
V. United Kingdom Sanctions and Export Controls
A. Sanctions Developments
1. New U.K. Sanctions Regime
Following the end of the Brexit Transition period on December 31, 2020, EU sanctions regulations are no longer being enforced by the U.K. However, the EU sanctions regime has been substantially retained in law in the U.K. through the introduction of multiple new U.K. sanctions regulations under the Sanctions and Anti-Money Laundering Act 2018 (“SAMLA”). The full list of these sanctions regulations can be found here. Certain of the new regulations relate to specific geographic regions (essentially those also subject to EU sanctions regimes). There are also a number of sanctions and related regulations imposing thematic sanctions (again, largely reflecting existing EU regimes), such as those relating to chemical weapons, terrorism, cybersecurity, human rights and kleptocracy.
The U.K. is also now maintaining the U.K. sanctions list, which provides details of all persons designated or ships specified under regulations made under SAMLA, the relevant sanctions measures which apply, and for U.K. designations, reasons for the designation. The U.K. sanctions list is updated in light of decisions making, varying or revoking a designation or specification. The U.K.’s Office of Financial Sanctions Implementation (“OFSI”) maintains a consolidated list of persons and organizations under financial sanctions, including those under SAMLA and other U.K. laws. It should be noted that not all persons designated under EU sanctions regimes have been designated under the new U.K. regulations.
The new U.K. regime differs in certain modest, albeit significant ways, from the EU regime as implemented in the U.K. that went before. Perhaps the most significant of these is the fact that the U.K. sanctions regulations provide a greater degree of clarity than has been present to date in EU instruments as to the circumstances in which a designated person may “own or control” a corporate entity. The relevant provisions typically provide that a person will own or control a company where (s)he holds, directly or indirectly, more than 50 percent of its shares or voting rights or a right to remove or appoint the majority of the board, or where it is reasonable in all the circumstances to expect that (s)he would be able to “achieve the result that affairs of” the company are conducted in accordance with his/her wishes, by whatever means.
The geographic scope of liability under U.K. sanctions regimes is clarified by section 21(1) of SAMLA, and generally extends only to conduct in the U.K. or by U.K. persons elsewhere. Certain U.K. sanctions regulations contain provisions allowing the effect of the sanctions regulation in question to be overridden in the interests of national security or prevention or detection of crime; a provision which has no analogue in the EU sanctions instruments. “No claims” clauses of the kind typically present in EU sanctions regulations (i.e., provisions prohibiting satisfaction of a claim occasioned by the imposition of a sanctions regime) are not a feature of U.K. sanctions regulations.
The provisions in the U.K. sanctions regulations relating to asset-freezes also differ in certain limited, but material respects. For example, the provisions creating offences for breaches of asset-freezes require a prosecuting authority must prove that the accused had knowledge or reasonable cause for suspicion that (s)he was dealing in frozen funds or economic resources.
The framework for U.K. sanctions designations, administrative ministerial and periodic review of designations, and judicial challenges to designation decisions under Chapters 2 and 4 of SAMLA is now in effect.
2. New U.K. Human Rights Sanctions Regime
On July 9, 2020, the U.K. Government introduced into law in the U.K. the Global Human Rights Sanctions Regulations 2020 and began designating individuals under those regulations in connection with their alleged involvement in gross human rights violations. A link to our client alert on these Magnitsky-style sanctions can be found here.
3. The “U.K. Blocking Statute”
Following the end of the Brexit transition period, the EU Blocking Statute (Council Regulation No 2271/96) and related Commission Implementing Regulation 2018/1101) will no longer be directly applicable in the U.K., but will form part of the retained EU law applying in the U.K. through the Protecting against the Effects of the Extraterritorial Application of Third Country Legislation (Amendment) (EU Exit) Regulations 2020, which amends the Extraterritorial US Legislation (Sanctions against Cuba, Iran and Libya) (Protection of Trading Interests) Order 1996, the law which implemented the EU Blocking Statute. The explanatory memorandum to the 2020 Regulations can be found here, and related (albeit likely non-binding) summary guidance here.
It therefore remains an offence in the U.K. to comply with a prohibition or requirement imposed by the proscribed U.S. laws relating to Iran and Cuba, or by a decision or judgment based on or resulting from the legislation imposing the proscribed sanctions, and such decisions and judgments may not be executed in the U.K. The offence can be committed by anyone resident in the U.K., a legal person incorporated in the U.K., any legal person providing maritime transport services which is a U.K. national or (where for U.K.-registered vessels) controlled by a U.K. national, or by any other natural person physically present within the U.K. acting in a professional capacity.
4. U.K. Sanctions Enforcement in 2020
On February 18, 2020, OFSI published the fact that two fines totaling £20.47 million had been issued to Standard Chartered for violations of the Ukraine (European Union Financial Sanctions) (No. 3) Regulations 2014, which implemented EU Council Regulation 833/2014 imposing sanctions in view of Russia’s actions in Ukraine. Article 5(3) of the EU Regulation prohibits any EU person from making loans or credit or being part of an arrangement to make loans or credit, available to sanctioned entities, where those loans or credit have a maturity of over 30 days. This enforcement action, which was in connection with loans made by Standard Chartered to Turkey’s Denizbank, which was at the time owned almost to 100% Russia’s Sberbank (then subject to restrictive measures), was OFSI’s highest fine to date. The Report of Penalty can be found here.
The decision followed a review by the Economic Secretary to the Treasury under section 147 of the Policing and Crime Act 2017, which permits a party on whom a monetary penalty is imposed by the Treasury (of which OFSI forms part) under section 146 of that Act to request a review by the relevant minister. The Economic Secretary upheld OFSI’s decision to impose two monetary penalties, but substituted smaller fine amounts. The fines originally imposed by OFSI were of £11.9 million and £19.6 million. The Economic Secretary reduced these to £7.6 million and £12.7 million. These numbers included a 30 percent reduction in accordance with OFSI’s Guidance on Monetary Penalties to reflect the fact that Standard Chartered made a voluntary disclosure in this case. OFSI determined that this case should be considered in the ‘most serious’ category for fining purposes, allowing a maximum reduction of 30 percent.
The fine reductions granted by the Economic Secretary were on the basis of further findings that the bank did not willfully breach the sanctions regime, had acted in good faith, had intended to comply with the relevant restrictions, had fully co-operated with OFSI and had taken remedial steps following the breach. While these factors had been considered in OFSI’s assessment, the Economic Secretary felt they should have been given more weight in the penalty recommendation.
B. Export Controls Developments
Following the end of the Brexit transition period, the domestic regime for exporting controlled goods (primarily military and dual-use items, and goods subject to trade sanctions) remains substantially unchanged in the U.K., save that the U.K.’s relationship with the EU and the equivalent EU regime will change. The Export Control Joint Unit (“ECJU”) remains the body responsible for control and licensing exports of such items. Under the Northern Ireland Protocol to the EU-U.K. Trade and Cooperation Agreement of December 30, 2020, EU regulations governing on export of controlled goods continue to apply in Northern Ireland.
Controls on the export of military items from the U.K. are largely unchanged; such exports remain subject to licensing, although open individual export licenses (“OIELs”) exist for the export of military items from Great Britain (i.e., the U.K. excluding Northern Ireland) to the EU.
The former EU regime for export control of dual use items established under EU Regulation No 428/2009 is largely retained in English law through The Trade etc. in Dual-Use Items and Firearms etc. (Amendment) (EU Exit) Regulations 2019, the Export Control (Amendment) (EU Exit) Regulations 2020 and the Export Control Act 2002, which remains in force.
U.K. persons will now need an export license issued by the U.K. for exports of dual-use items from Great Britain to the EU, however, such exports are covered by a new open general export licence (“OGEL”) published by the ECJU, which reduces the burdens for Great Britain exporters in having to apply for individual licenses. For exports of such items from the EU to the U.K., a license issued by an EU member state will now be needed, although it has been proposed by the European Council that the U.K. be added as a permitted destination under GEA EU001 to avoid licensing burdens for such exports.
An OGEL or individual export license to export dual-use items to a non-EU country issued by the U.K. remains valid for export from Great Britain. Registrations made with the U.K. for the EU General Export Authorisations (“GEAs”) will continue to be valid for exports from Great Britain, as they will automatically become registrations for the retained GEAs. However, an export license issued by an EU member state will no longer be valid for export from Great Britain. Moreover, licenses issued by the U.K. will no longer be valid for export from an EU member state.
* * *
Finally, our entire team wishes you and yours health and safety during what continue to be very challenging circumstances. We recognize that the coronavirus pandemic has affected our clients and friends in different ways over the course of the last year—some have thrived, some are starting to rebuild, and others can never regain what has been lost. Our hearts go out to those who have struggled the most. We aim to be of service in the best and worst of times, and we certainly all hope for better days ahead in 2021.
_________________________
[1] Judgment of the Court of Justice of the European Union of December 19, 2018 in case C‑530/17 P, Mykola Yanovych Azarov v The Council of the European Union, para. 26, EU:C:2018:1031.
[2] Judgment of the General Court of the European Union of July 11, 2019 in cases T‑244/16 and T‑285/17, Viktor Fedorovych Yanukovych v The Council of the European Union, EU:T:2019:502; Judgment of the General Court of the European Union of July 11, 2019 in case T‑274/18, Oleksandr Viktorovych Klymenko v The Council of the European Union, EU:T:2019:509; Judgment of the General Court of the European Union of July 11, 2019 in case T‑285/18, Viktor Pavlovych Pshonka v The Council of the European Union, EU:T:2019:512.
The following Gibson Dunn lawyers assisted in preparing this client update: Judith Alison Lee, Attila Borsos, Patrick Doris, Markus Nauheim, Adam M. Smith, Michael Walther, Wilhelm Reinhardt, Qi Yue, Stephanie Connor, Chris Timura, Matt Butler, Laura Cole, Francisca Couto, Vasiliki Dolka, Amanda George, Anna Helmer, Sebastian Lenze, Allison Lewis, Shannon C. McDermott, Jesse Melman, R.L. Pratt, Patrick Reischl, Tory Roberts, Richard Roeder, Sonja Ruttmann, Anna Searcey, Samantha Sewall, Audi Syarief, Scott Toussaint, Xuechun Wen, Brian Williamson, Claire Yi, Stefanie Zirkel, and Shuo Josh Zhang.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s International Trade practice group:
United States:
Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, [email protected])
Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, [email protected])
Jose W. Fernandez – New York (+1 212-351-2376, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Marcellus A. McRae – Los Angeles (+1 213-229-7675, [email protected])
Adam M. Smith – Washington, D.C. (+1 202-887-3547, [email protected])
Stephanie L. Connor – Washington, D.C. (+1 202-955-8586, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202-955-8685, [email protected])
Laura R. Cole – Washington, D.C. (+1 202-887-3787, [email protected])
Jesse Melman – New York (+1 212-351-2683, [email protected])
R.L. Pratt – Washington, D.C. (+1 202-887-3785, [email protected])
Samantha Sewall – Washington, D.C. (+1 202-887-3509, [email protected])
Audi K. Syarief – Washington, D.C. (+1 202-955-8266, [email protected])
Scott R. Toussaint – Washington, D.C. (+1 202-887-3588, [email protected])
Shuo (Josh) Zhang – Washington, D.C. (+1 202-955-8270, [email protected])
Asia:
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Fang Xue – Beijing (+86 10 6502 8687, [email protected])
Qi Yue – Beijing – (+86 10 6502 8534, [email protected])
Europe:
Peter Alexiadis – Brussels (+32 2 554 72 00, [email protected])
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Nicolas Autet – Paris (+33 1 56 43 13 00, [email protected])
Susy Bullock – London (+44 (0)20 7071 4283, [email protected])
Patrick Doris – London (+44 (0)207 071 4276, [email protected])
Sacha Harber-Kelly – London (+44 20 7071 4205, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Steve Melrose – London (+44 (0)20 7071 4219, [email protected])
Matt Aleksic – London (+44 (0)20 7071 4042, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Richard W. Roeder – Munich (+49 89 189 33-160, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
President-elect Joseph Biden’s public statements and pick for Attorney General suggest that the U.S. Department of Justice, under a Biden-Harris administration, will focus additional resources on criminal and civil corporate enforcement. Please join our panelists, including two white collar practice group co-chairs and two key members of the firm’s global White Collar Defense and Investigations Practice Group, in a discussion of recent cases, current Department of Justice policies, and the expected landscape of U.S. white collar enforcement in the upcoming year in the areas of sanctions/export controls, anti-money laundering and healthcare fraud.
View Slides (PDF)
PANELISTS:
Nicola Hanna is a partner in the Los Angeles office and co-chair of the firm’s global White Collar Defense and Investigations practice. Mr. Hanna previously served as the presidentially appointed and Senate-confirmed United States Attorney for the Central District of California for three years. In this role, he was the chief federal law enforcement officer for the Los Angeles-based district, the largest Department of Justice office outside of Washington, D.C., and oversaw approximately 280 Assistant U.S. Attorneys. Under his leadership, the Central District brought and litigated some of the most impactful cases in the country and recovered nearly $4.5 billion in criminal penalties, civil recoveries, forfeited assets, and restitution. During his tenure as U.S. Attorney, Mr. Hanna served as the Chair of the Attorney General’s Advisory Committee’s White Collar Fraud Subcommittee. He also was a member of the Department of Justice Corporate Enforcement and Accountability Working Group, and one of two U.S. Attorneys on the Task Force on Market Integrity and Consumer Fraud chaired by the Deputy Attorney General.
F. Joseph Warin is a partner in the Washington, D.C. office and co-chair of the firm’s global White Collar Defense and Investigations practice. He also is chair of the Washington, D.C. office’s 200-person Litigation Department. Mr. Warin has handled cases and investigations in more than 40 states and dozens of countries involving federal regulatory inquiries, criminal investigations and cross-border inquiries by international enforcers and government regulators. He is ranked annually in the top-tier by Chambers USA, Chambers Global, and Chambers Latin America for his FCPA, fraud and corporate investigations experience.
John D. W. Partridge, a Co-Chair of Gibson Dunn’s FDA and Health Care Practice Group, focuses on white collar defense, internal investigations, regulatory inquiries, and complex commercial litigation for companies in the life sciences and health care industry, among others. He has particular experience with the Anti-Kickback Statute, the False Claims Act, and the Foreign Corrupt Practices Act. He also regularly counsels major corporations regarding their international anti-corruption and domestic fraud and abuse compliance programs.
Courtney M. Brown is a senior associate in Gibson Dunn’s Washington, D.C. office, where she practices primarily in the areas of white collar criminal defense and corporate compliance. Ms. Brown has experience representing and advising multinational corporate clients and boards of directors in internal and government investigations on a wide range of topics, including anti-corruption, anti-money laundering, healthcare fraud, sanctions, securities, and tax. She has participated in two government-mandated FCPA compliance monitorships and conducted compliance trainings for in-house counsel and employees.
MCLE CREDIT INFORMATION:
This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.5 credit hours, of which 1.5 credit hours may be applied toward the areas of professional practice requirement.
This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.
Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.5 hours.
California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.
The New York State Department of Financial Services (“DFS”) is the state’s primary regulator of financial institutions and activity, with jurisdiction over approximately 1,500 financial institutions and 1,800 insurance companies. Heading into 2021, DFS stands ready to expand its regulatory footprint, with increased efforts in new areas following the 2020 Presidential Election and a consistent focus on regulating emerging issues of significance such as financial technology and data privacy.
This year was of course marked by the sweeping COVID-19 pandemic, which affected financial institutions, insurers, and consumers around the world. That was nowhere more true than in New York, which sat at an epicenter of the crisis. As expected, DFS was active throughout the year, taking a preeminent role in mitigating the effects of the disaster by imposing new measures in a dizzying array of areas ranging from health and travel insurance to mortgages and student loans. Unfortunately, the crisis is unlikely to abate in the immediate future. Despite the preliminary rollout of a COVID-19 vaccine, the agency’s efforts are likely to continue into 2021. Just this month, Governor Andrew Cuomo proposed “comprehensive reforms to permanently adopt COVID-19-era innovations that expanded access to physical health, mental health and substance use disorder services,” including requiring commercial health insurers to offer a telehealth program, ensuring that telehealth is reimbursed at rates that incentivize use when appropriate, and mandating that insurers offer e-triage platforms, all of which could fall within the regulatory ambit of DFS.
More broadly, the agency has continued its focus on areas that it previously expressed were principal concerns. This Spring, for example, DFS will host a “Techsprint” in order to promote digital reporting for virtual currency companies. The agency also will continue expanding consumer protection through increased focus on prescription drug prices and has continued to increase pressure on companies regarding data protection. Looking forward this year, DFS has been signaling that it expects a change in tone and agenda on environmental matters from the new federal administration, and that it will stay the course on increasing efforts to mitigate the effects of climate change. Indeed, DFS has indicated that it is “developing a strategy for integrating climate-related risks into its supervisory mandate” and that it intends to publish detailed guidance and best practices with input from industry in the future.
This DFS Round-Up summarizes recent key developments regarding the agency. Those developments are organized by subject.
To view the Round-Up, click here.
The following Gibson Dunn lawyers assisted in preparing this client update: Mylan Denerstein, Akiva Shapiro, Seth Rokosky, Bina Nayee and Lavi Ben Dor.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Public Policy practice group, or the following in New York:
Mylan L. Denerstein – Co-Chair, Public Policy Practice (+1 212-351-3850, [email protected])
Akiva Shapiro (+1 212-351-3830, [email protected])
Seth M. Rokosky (+1 212-351-6389, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
As we do each year, we offer our observations on new developments and recommended practices for calendar-year filers to consider in preparing their Form 10-K. In addition to the many challenges of the past year, the U.S. Securities and Exchange Commission (“SEC”) adopted and provided guidance on a number of changes to public company reporting obligations impacting disclosures in the 10-K annual report for 2020. In particular, we discuss the recent amendments to Regulation S-K, disclosure considerations in light of COVID-19, a number of technical considerations that may impact your Form 10-K annual report, and other considerations in light of recent and pending changes in the executive branch and at the SEC.
An index of the topics described in this alert is provided below.
______________________
Table of Contents
I. Amendments to Regulation S-K Requirements
A. Amendments to 100 Series of Regulation S-K Requirements (Part I of Form 10-K)
1. Business (Part I, Item 1 of For 10-K)
a. General Development of Business
b. Description of Business
c. Spotlight on Human Capital Disclosure.2. Legal Proceedings (Part I, Item 3 of Form 10-K)
3. Risk Factors (Part I, Item 1A of Form 10-K)
a. Organization of Risk Factors under Headings
b. “Materiality” Replaces “Most Significant” Standard
c. Risk Factor Summary
d. Cautionary Note about Hypothetical Language
B. Amendments to 300 Series of Regulation S-K Requirements (Part II of Form 10-K)
1. Selected Financial Data (Part II, Item 6)
2. Supplementary Financial Data (Part II, Item 8)
a. New Item 303(a) – Objectives of MD&A.
b. Amended Item 303(b) – Full Fiscal Year Presentation
c. Amended Item 303(b) – Items no Longer Required
d. Amended Item 303(b) – Clarification on Discussion of “Underlying Reasons” for Period-to-Period Changes
e. Amended Item 303(b) – A Note on Product Lines
f. New Item 303(c) – Interim Period Discussion.
II. COVID-19 Disclosure Considerations
A. Impact on Management’s Discussion and Analysis of Financial Condition and Results of Operations
C. Impact on Non-GAAP Financial Measures
III. Other Considerations and Reminders
A. Key Performance Indicators (KPIs)
B. Impact of Changes to Filer Definitions
C. Omitting Third Year of MD&A
1. Exhibit 4 – Description of registered securities
2. No lookback period for material contracts
3. Omission of schedules to exhibits
4. Omission of information from exhibits without confidential treatment request
5. Exhibit 22 – List of guarantors
E. Extending confidential treatment
H. Critical Accounting Matters
I. Updates to Disclosure Controls and Procedures
______________________
I. Amendments to Regulation S-K Requirements
A. Amendments to 100 Series of Regulation S-K Requirements (Part I of Form 10-K)
As discussed in our prior client alert,[1] in August 2020, the SEC adopted amendments to Item 101 (Description of Business), Item 103 (Legal Proceedings) and Item 105 (Risk Factors) designed to result in improved disclosure that is tailored to reflect a company’s particular circumstances (the “Business Disclosure Amendments”).[2] These rules went into effect on November 9, 2020, making the upcoming Form 10-K the first SEC filing for which most calendar-year filers will need to implement these new rules.
1. Business (Part I, Item 1 of For 10-K)
The recent amendments to Item 101 of Regulation S-K (Description of Business) introduce flexibility by replacing certain prescriptive requirements with a more principles-based approach. The amendments also introduce a new area of focus: human capital management.
a. General Development of Business
Principles-based approach. Item 101(a) of Regulation S-K focuses on the general development of a company’s business. The Business Disclosure Amendments make the general development of business disclosure more principles-based: first, by providing a non-exclusive list of topics that a company may need to disclose; and second, by requiring disclosure of a topic only to the extent such information is material to an understanding of the general development of a company’s business.
General development disclosure topics. Three of the four disclosure topics in the non-exclusive list should be familiar to companies from the pre-amendment requirements: (1) bankruptcy or similar proceedings; (2) material reclassification or mergers, and (3) acquisitions / dispositions of material amount of assets. The fourth (new) topic relates to material changes to a previously disclosed business strategy. In its final rule, the SEC declined to define “business strategy” in order to allow companies to tailor such disclosure as appropriate for their business. The SEC emphasized that the new principles-based approach to this disclosure should mitigate any disincentives in disclosing a business strategy as companies have the flexibility to determine the appropriate level of detail for such disclosure based on materiality.
No longer required. The Business Disclosure Amendments delete the requirement in Item 101(a) of Regulation S-K to disclose the company’s year and form of organization and any material changes in the mode of conducting business. In addition, the Business Disclosure Amendments eliminate the five-year prescribed timeframe for disclosure of general developments of the business, allowing companies to focus on the aspects of the development of their business they deem material, regardless of when the developments occurred.
Updates only in lieu of full discussion. The Business Disclosure Amendments eliminate the requirement to provide a full discussion of the general developments of the business each time Item 101 disclosure is required. Instead a company can provide “an update to the general development of its business, disclosing all of the material developments that have occurred since the most recent registration statement or report that includes a full discussion of the general development of its business.” If the company provides these updates only, it must also incorporate by reference (including an active hyperlink) the relevant disclosure from such registration statement or report with the latest full discussion of the general development of the business. The SEC staff has explained that it anticipates that this updating method will apply mainly to registration statements.[3] Companies are cautioned that using the updating method in a Form 10-K is likely to cause incorporation issues for registration statements and subsequent Form 10-K filings. Accordingly, including a full description, as opposed to providing an update, is a cleaner, simpler approach that is likely no more burdensome than merely disclosing updates.
b. Description of Business
Principles-based approach. Continuing with the principles-based approach, Item 101(c) of Regulation S-K was also updated to provide a non-exclusive list of the types of information that a company may need to disclose if material to an understanding of the business. This approach is in lieu of the 12 enumerated disclosure topics, some of which the SEC noted may not be relevant to all companies. Item 101(c) now focuses on seven disclosure topics, and continues to distinguish between topics for which segment disclosure should be the primary focus, and those for which the focus should be on the company’s business taken as a whole. It should be noted that under the principles-based approach, companies would have to provide disclosure about any other topics regarding their business as well if they are material to an understanding of the business and not otherwise disclosed. A discussion of the seven topics is set forth below.
Segment-level disclosure topics. For the following topics, companies should provide this information with a focus on their reporting segments. Note that when describing each segment, only information material to an understanding of the business taken as a whole is required.
1. “Revenue-generating activities, products and/or services, and any dependence on revenue-generating activities, key products, services, product families or customers, including governmental customers.”
This principles-based requirement replaces the prior line-item requirements related to (i) principal products and services and principal markets and methods of distribution, (ii) quantitative disclosure around the percentage of total revenue attributable to a class of product or services, and (iii) disclosure of key customers. Companies should take this opportunity to carefully comb through the disclosures that have historically been included in the Business section to confirm that the information and any metrics provided are still material and to determine whether it would be appropriate to add disclosure regarding any additional revenue-generating activities. Some companies may determine that continued disclosure of the information required by the former prescriptive requirements (e.g., ≥10% customers) is still an appropriate way to communicate the extent to which certain revenue-generating activities are material to an understanding of the business.
2. “Status of development efforts for new or enhanced products, trends in market demand and competitive conditions.”
This principles-based requirement replaces the current line-item requirements related to (i) status of a new product or services and (ii) competitive conditions in the business. Companies should be mindful of the requirement to disclose trends in market demand to the extent material to an understanding of the business. While discussion of such trends has been required under the MD&A rules, this is the first time trend information has been specifically called for in the Business section. Among other things, it may be important for companies to think through broader societal trends (e.g., increased use of social media, increased use of and access to big data, increased focus on environmental, social, and governance issues, etc.) and whether those are a material to an understanding of the business.
3. “Resources material to a [company’s] business, such as: (a) sources and availability of raw materials; and (b) the duration and effect of all patents, trademarks, licenses, franchises, and concessions held.”
This principles-based requirement is more broad than the prior line-item requirements related to raw materials and intellectual property, asking about resources generally and using those specific items as examples. Companies should think through the resources required to run their businesses (e.g., to determine whether any of those merit additional attention). The previous focus on raw materials made sense in the context of manufacturing, but with an increasing number of digitally focused businesses, resources such as information and technology are becoming increasingly important.
4. “A description of any material portion of the business that may be subject to renegotiation of profits or termination of contracts or subcontracts at the election of the Government.”
This requirement remained unchanged from the prior line-item requirement.
5. “The extent to which the business is or may be seasonal.”
This requirement remained unchanged from the prior line-item requirement.
Company-Level Disclosure Requirements. For the following topics, companies should provide this information to the extent material to an understanding of the business taken as a whole. Note that if the topic is material to a particular segment, then information should be provided with respect to that segment.
6. “The material effects that compliance with government regulations, including environmental regulations, may have upon the capital expenditures, earnings and competitive position of the [company] and its subsidiaries, including the estimated capital expenditures for environmental control facilities for the current fiscal year and any other material subsequent period.”
While all companies are impacted by government regulation to one extent or another, not all companies will determine that their compliance with those regulations materially affects their capital expenditures, earnings, or competitive position, so we expect a portion of companies to not provide any new disclosure in response to this requirement. Even before the Business Disclosure Amendments, it was relatively common for companies, especially those in highly regulated industries, to provide a summary of applicable government regulations. When including a discussion of government regulations for the upcoming Form 10-K filing, companies should consider that the mention of a regulation may suggest that the company views compliance with that regulation as having a material effect on the company. A laundry list of every regulation impacting the company is not required.
7. “A description of the [company’s] human capital resources, including the number of persons employed by the [company], and any human capital measures or objectives that the [company] focuses on in managing the business (such as, depending on the nature of the [company’s] business and workforce, measures or objectives that address the development, attraction and retention of personnel).”
The new disclosure topic regarding human capital received particular attention at the meeting at which the rules were adopted, and we expect this topic and related disclosure will continue to evolve. A discussion of this new topic is set forth below.
c. Spotlight on Human Capital Disclosure
In addition to retaining the former prescriptive requirement to disclose the number of employees, the Business Disclosure Amendments now impose a principles-based requirement to describe the company’s “human capital resources . . . and any human capital measures or objectives that the [company] focuses on in managing the business.” Although the disclosure is required “to the extent material to an understanding of the business,” it will be rare for a company to conclude such disclosure is not material to the business.
The rules do not include any specific reporting framework or define “human capital” instead leaving it to companies to determine what information about human capital resources is material to an understanding of the business. The new rule emphasizes that disclosure will vary depending on the nature of the company’s business and workforce. The disclosure should not be boilerplate and should be relevant to each company’s facts and circumstances. When preparing your human capital disclosure, reviewing disclosures from companies in the same industry will be the most helpful. Disclosure by a small professional services company headquartered in a major US city will be different than disclosure by a multinational manufacturer of consumer goods that primarily employs low wage workers, because their human capital resources will be vastly different, as will the measures and objectives they employ.
Getting Started. Before putting pen to paper on these human capital disclosures, management should begin the process by reviewing the following:
- Existing internal and external statements regarding key human capital resources, measures, and objectives (e.g., proxy statement, website, recruiting materials, ESG reports, internal memos, PR videos, employee handbooks);
- Past and current discussions at the board and executive level regarding human capital topics;
- Past engagement with and input from shareholders on this topic; and
- The list of disclosure topics suggested by the SEC. Specifically, depending on the nature of the company’s business and workforce: measures or objectives that address the development, attraction and retention of personnel.
Description of Human Capital Resources. The first requirement is to describe the company’s human capital resources. Who are the people who make the products or provide the services that generate revenues for the company? There are many different ways in which a company can describe its work force, and the description should be relevant to understanding the company’s business as a whole. If, for example, the company has two segments, one of which entails manufacturing products in China and Mexico and the other is providing consulting services to Silicon Valley and Wall Street, then the workforces of these two segments will be very different and may need to be described separately. Companies should also be mindful of what they have said about the composition of their workforce in their CEO pay ratio disclosures.
Examples of Measures and Objectives. While the Business Disclosure Amendments stress the need for each company to consider how to make its human capital disclosure specific to its industry and workforce approach and relevant to its unique facts and circumstances, the proposing release and public comments referred to in the adopting release shed light on potential measures or objectives that might be material and worth discussing, including:
- worker recruitment, employment practices and hiring practices;
- employee benefits and grievance mechanisms;
- employee engagement or investment in employee training;
- strategies and goals related to human capital management;
- legal or regulatory proceedings related to employee management;
- whether employees are covered by collective bargaining agreements;
- employee compensation or incentive structures;
- types of employees, including the number of full-time, part-time, seasonal, and temporary workers;
- measures with respect to the stability of the workforce, such as voluntary and involuntary turnover rates;
- information regarding human capital trends, such as competitive conditions and internal rates of hiring and promotion;
- measures regarding worker productivity;
- measures of employee engagement; and
- workplace health and safety measures.
The amended rule requires disclosure of the number of employees. In addition, companies that run their business through a workforce that includes persons who are not technically employees (e.g., consultants or management services arrangements) should discuss those non-employee workforce arrangements and the management of that human capital.
Companies should also discuss the progress that management has made with respect to any objectives it has set regarding its human capital resources. Former Chairman Clayton commented that he would expect companies to “maintain metric definitions constant from period to period or to disclose prominently any changes to the metrics.”
We have monitored human capital disclosures made by S&P 500 companies since the effective date of the rule through the date of this alert. Based on that benchmarking, common focus areas we have seen addressed include (parenthetical represents the number of companies which included the topic):
- Talent attraction, development and retention (28): Focus on overarching human capital, talent recruitment, retention strategies and goals; talent development; succession planning.
- Diversity (22): Discussion of disclosure and inclusivity programs.
- Workforce statistics (20): Breakdown of employee base by employee classification (full-time, part-time, contractor) and geography; Turnover rates; Diversity representation stats (e.g., % male/female, % minority, etc.). Not all companies include each statistic noted above.
- Employee compensation (19): Compensation/incentive mechanisms; potentially pay equity.
- Health and safety (18): Workplace safety; Employee mental health.
- Culture and engagement (17): How a company monitors its workplace culture; Culture initiatives taken by the company.
- COVID-19 (15): Health and safety of employees in light of COVID-19 and work from home measures.
- Governance (10): Organizational and governance structure through which human capital is managed (C-suite level) and overseen (board level).
Consider Investors and Other Stakeholders. Human capital has rapidly emerged as a growing focus area for stakeholders, which means companies cannot simply consider what is required to comply with SEC rules. In a 2020 survey, 64% of institutional investors said they would focus on human capital management when engaging with boards (second only to climate change, at 91%).[4] BlackRock’s approach to engagement on human capital highlights one reason for this focus: “Most companies BlackRock invests in on behalf of clients have, to varying degrees, articulated in their public disclosures that they are operating in a talent constrained environment, or put differently, are in a war for talent. It is therefore important to investors that companies explain as part of their corporate strategy how they establish themselves as the employer of choice for the workers on whom they depend.”[5]
Expect an Evolution of Disclosures. We expect human capital disclosures to evolve over time and companies should be prepared to develop their disclosure over the course of the next couple 10-Ks. In the initial year, companies may opt for conservative disclosure, adding additional disclosure as appropriate in subsequent years as they observe peer practices or to address regulatory changes. You should not be surprised by a growing group of companies that will disclose granular details about human capital, not necessarily because it is material to the company, but because they might perceive other advantages in doing so. We anticipate that the SEC will be focused on this disclosure as part of the comment letter process. In the first year, the SEC staff likely to go after low-hanging fruit (e.g., companies that omit human capital disclosure altogether), but in subsequent years, as industry practices develop, we may see the SEC staff probe deeper into what information is material and should be disclosed in certain industries. The SEC staff may also issue a report of observations regarding human capital disclosure in the first year.
In addition, the recent change in the administration and shift to a Democrat-controlled SEC, as well as increasing attention placed by institutional investors on ESG matters, may result in additional requirements for companies in this area. In this regard, we note that the two Democrat Commissioners’ dissent from the adoption of the amended rules pushed back on the principles-based approach and noted the lack of specific disclosure requirements concerning ESG matters and prescriptive requirements for metrics on diversity, climate change and human capital. As further evidence of the SEC likely focus on the area, a senior position was added to the Office of the Chairman devoted exclusively to ESG matters.
2. Legal Proceedings (Part I, Item 3 of Form 10-K)
The Business Disclosure Amendments provided two helpful updates to legal proceedings disclosure. While the requirement of Item 103 of Regulation S-K to disclose any material pending legal proceedings, other than ordinary routine litigation incidental to the company’s business, has not changed, the Business Disclosure Amendments expressly allow a company to provide the information required by Item 103 by hyperlink or cross-reference to disclosure located elsewhere in the document. This approach confirms a common practice by many companies to cross-reference to the duplicate or similar disclosure in the notes to the financial statements.
The second update to Item 103 raised the threshold for disclosure of governmental environmental proceedings. Previously, companies were required to disclose environmental proceedings involving potential monetary sanctions of $100,000 or more. That threshold has been raised to $300,000 to adjust for inflation. However, in line with its principles-based approach to business disclosure, the Business Disclosure Amendments acknowledge that a bright-line threshold may not be indicative of materiality on a company-specific basis and therefore allow a company to establish a different disclosure threshold as high as $1 million (or, if lower, one percent of the current assets of the company). Interpretive guidance may be required to confirm whether disclosure of this alternative threshold for environmental proceedings must be disclosed even when the company has no such proceedings to report, or only when a proceeding involves sanctions exceeding the $300,000 threshold. Disclosing the dollar amount of a company-determined materiality threshold is not currently a common practice.
3. Risk Factors (Part I, Item 1A of Form 10-K)
Companies are no doubt familiar with the prior Item 105 of Regulation S-K requirement to disclose the most significant factors that make investing in the company speculative or risky. Developments in securities litigation and risk profiles have caused risk factor disclosure to grow over the years. The Business Disclosure Amendments attempt to curb the ever-expanding list of risk factors in three ways.
a. Organization of Risk Factors under Headings
Companies are required to organize logically their risk factors into groups under headings that adequately describe the type of risk. Many companies already breakdown their risk factors into 3-4 categories, with some companies presenting subcategories. Examples of such categories include “Risks Related to our Business”, “Risks Related to our Assets”, “Legal and Regulatory Risks”, “Financial Risks” and “Market Risks.” With the focus on discouraging lengthy disclosure of generic risk factors, the Business Disclosure Amendments emphasize that the presentation of risks that could apply generically to any company is discouraged; however, to the extent any such risk factors are presented, they must be disclosed at the end of the risk factor section under the caption “General Risk Factors.”
b. “Materiality” Replaces “Most Significant” Standard
Continuing with the effort to reduce the use of generic risk factors and shorten the risk factor disclosure, the Business Disclosure Amendments change the standard for disclosure from the “most significant” factors to factors that are “material.” The adopting release expresses the view that this will result in risk factor disclosure more tailored to a company’s facts and circumstances, with a focus on the risks to which reasonable investors would attach importance in making investment or voting decisions. For most companies, this is unlikely to result in a major overhaul of their risk factors, but rather a review of current disclosure to confirm it is consistent with the new materiality standard.
c. Risk Factor Summary
The third update to Item 105 of Regulation S-K added a requirement that, if the risk factor disclosure exceeds 15 pages, the company must provide a series of concise, bulleted or numbered statements that is no more than two pages summarizing the principal factors that make an investment in the company speculative or risky. The adopting release noted that “the requirement to provide a risk factor summary may create an incentive for companies to reduce the length of their risk factor discussion to avoid triggering the summary requirement.” Companies who have already filed their Forms 10-K with risk factor summaries have generally listed the captions or abbreviated versions of the captions of their risk factors. Companies are not required to list all of the risk factors in the bulleted list.
If a risk factor summary is required, it must be included in “the forepart of the … annual report.” There is no clear guidance on what is considered the “forepart” of Form 10-K. Placement of the summary in pages preceding Item 1 (Business) seems most consistent with the spirit of the requirement; however, we have also seen the summary included at the beginning of Item 1A (Risk Factors).
d. Cautionary Note about Hypothetical Language
As a reminder for companies when reviewing risk factors for the recent changes, two enforcement cases brought by the SEC in 2019 emphasized the need to revisit risk factor disclosure regularly and treat it as “living” as much as the rest of the Form 10-K. Companies should thoroughly review their risk factor disclosures so that the disclosures do not speak about events hypothetically (e.g., “could” or “may”) if those events have occurred or are occurring. If a risk has manifested itself, that factual event should be appropriately reflected in the body of the risk factors. Companies should be careful with how they describe significant events (e.g., material cyber breaches, material events impacting operating results) as well as more routine items (e.g., fluctuations in demand, inventory write-downs, customer reimbursement claims, intellectual property claims, poorly performing investments, and tax audits). If a risk involves a situation that arises from time to time, then it would likely be preferable to refer to the consequences of such situation as a material contingency, instead of referring to the situation as a hypothetical contingency.
B. Amendments to 300 Series of Regulation S-K Requirements (Part II of Form 10-K)
On November 19, 2020, the SEC announced[6] that it had adopted amendments to Item 301 (Selected Financial Data), Item 302 (Supplementary Financial Information) and Item 303 (Management’s Discussion and Analysis of Financial Condition and Results of Operations) of Regulation S-K designed to improve disclosure by enhancing its readability, discouraging repetition and eliminating information that is not material, and to “allow investors to view the [company] from management’s perspective” (the “Financial Disclosure Amendments”).[7]
The Financial Disclosure Amendments will become effective on February 10, 2021, though companies will not be required to comply with the new requirements until their first fiscal year ending on or after August 9, 2021. This means compliance will first be required in the Form 10-K for 2021 for calendar year end companies. Companies are permitted to update their Form 10-K disclosure consistent with the Financial Disclosure Amendments any time after the effective date; provided that, if they choose to apply the amended requirements for one item of Regulation S-K, they must apply all of the provisions of that amended item. As a result, companies filing their Form 10-K prior to February 10, 2021 will be required to comply with the pre-amendment Regulation S-K requirements, but companies filing after February 10, 2021 will have the option of whether to adopt the changes to one, two, or three of the amended items. Companies should exercise caution in early adopting the amendments to any of Items 301, 302 or 303. In light of President Biden’s January 21 Executive Order and the change in acting Chairman at the SEC, there is a possibility that, prior to February 10th, effectiveness of the amendments is delayed 60 days and, once the new Chairman is confirmed, the amendments do not become effective. Of course, any company is entitled to early adopt and apply the amended rules once they are effective on or after February 10th, even if the rules are further amended at a later time.
The discussion below provides a high-level summary of the Financial Disclosure Amendments. We also refer you to our prior post, which contains a summary chart and comparative blackline reflecting the Financial Disclosure Amendments.[8]
1. Selected Financial Data (Part II, Item 6)
Elimination of Presentation of Past Five Years of Financial Data. The Financial Disclosure Amendments will “[r]emove and reserve” Item 301 of Regulation S-K and Part II, Item 6 of Form 10-K, completely eliminating the requirement to furnish in the Form 10-K selected financial data in comparative tabular form for each of the company’s last five fiscal years. The SEC has not indicated when it plans to update the Form 10-K pdf available on its forms site, but we suspect it will do so shortly after the February 10, 2021 effective date.
The adopting release emphasizes that, despite removal of this requirement, the material trend disclosures that Item 301 was meant to highlight continue to be elicited by the MD&A requirements, and companies should consider whether trend information for periods earlier than those presented in the financial statements may be necessary as part of MD&A’s objective to “provide material information relevant to an assessment of the financial condition and results of operations.” The release also encouraged companies to “consider whether a tabular presentation of relevant financial or other information, as part of an introductory section or overview, including to demonstrate material trends, may help a reader’s understanding of MD&A.”
2. Supplementary Financial Data (Part II, Item 8)
Elimination of Presentation of Quarterly Financial Data. The Financial Disclosure Amendments also eliminate the requirement to disclose in the Form 10-K and Form 10-Qs selected quarterly financial data of specified operating results and variances in these results from amounts previously reported on a prior Form 10-Q.
Replace with Principles-Based Requirement For Material Retrospective Changes. Under the new rule, if there are retrospective changes to the statements of comprehensive income for any of the quarters within the two most recent fiscal years that are material individually or in the aggregate, a company must (a) explain the reasons for the changes, and (b) for each affected quarterly period and the fourth quarter in the affected year, disclose (i) summarized financial information related to the statements of comprehensive income (net sales, gross profit, income from continuing operations, net income, and net income attributable to the entity), and (ii) earnings per share reflecting the changes. Material retrospective changes might include correction of an error, discontinued operations, reorganization of entities under common control, or change in accounting principle.
To comply with this rule, companies should have in place an annual procedure whereby retrospective changes are identified and then evaluated to determine whether disclosure is required. Such a procedure will likely be similar to what companies use to comply with the requirement in the current rule to provide an explanation whenever the amounts disclosed in the Form 10-K table vary from the amounts previously reported on the Form 10-Q.
3. Management’s Discussion and Analysis of Financial Condition and Results of Operations (Part II, Item 7)
a. New Item 303(a) – Objectives of MD&A
The Financial Disclosure Amendments add a new first paragraph to Item 303 to emphasize the objective of MD&A for both full fiscal years and interim periods, which incorporates much of the substance of current instructions and codifies the guidance that MD&A should enable investors to view the company from management’s perspective. While many companies may ultimately determine that no changes to their disclosure need to be made in response to this rule, focusing on the objective when preparing and reviewing MD&A is always a worthwhile exercise.
b. Amended Item 303(b) – Full Fiscal Year Presentation
Amended Item 303(b) focuses on the full fiscal year presentation and lists three main components, (i) liquidity and capital resources, (ii) results of operations, and (iii) critical accounting estimates. The primary updates from the Financial Disclosure Amendments are described below.
Liquidity and Capital Resources. The Financial Disclosure Amendments codify past guidance and require each company to describe its “material cash requirements, including commitments for capital expenditures, as of the end of the latest fiscal period, the anticipated source of funds needed to satisfy such cash requirements and the general purpose of such requirements.” Companies must identify and disclose all known material cash requirements, not just those needed for capital expenditures (e.g., funds necessary to maintain current operations, complete projects underway, and achieve stated objectives or plans). The adopting release notes that “while capital expenditures remain important in many industries, certain expenditures and cash commitments that are not necessarily capital investments in property, plant, and equipment may be increasingly important to companies, especially those for which human capital or intellectual property are key resources.” The adopting release also emphasizes that these changes solicit information that may otherwise be lost with the deletion of the contractual obligations table (discussed below).
Results of Operations. The Financial Disclosure Amendments require a company to disclose events that are reasonably likely to (as opposed to events that “will” or that the company “reasonably expects will”) have a material impact on revenue/income or cause a material change in the relationship between costs and revenues, syncing with the disclosure standard used elsewhere in MD&A. This new phrasing emphasizes that the standard for disclosure of trends in MD&A is not an unreasonably high one where forward-looking disclosure is only required in instances where there is certainty about what will happen.
In addition, the Financial Disclosure Amendments codify past guidance and specify that discussion of changes in price/volume and new products is required whenever there are “material changes” to revenue, rather than simply when there are “material increases” in revenue.
Critical Accounting Estimates. The Financial Disclosure Amendments codify past guidance and require companies to provide qualitative and quantitative disclosure necessary to understand the uncertainty and impact a critical accounting estimate has had or is reasonably likely to have on financial condition or results of operations of the company, including why each estimate is subject to uncertainty. This disclosure is only required to the extent the information is material and reasonably available, and should include “[(i)] how much each estimate and/or assumption has changed over a relevant period, and [(ii)] the sensitivity of the reported amount to the methods, assumptions and estimates underlying its calculation.”
The adopting release clarifies that this disclosure of critical accounting estimates is not a recitation of what is required under U.S. GAAP. For example, there is no general requirement to disclose underlying assumptions for material accounting estimates included in the financial statements, and U.S. GAAP does not require a discussion of material changes in the underlying assumptions over a relevant period. The adopting release notes that “[to] the extent the financial statements include information about specific changes in the estimate or underlying assumptions, the [Financial Disclosure Amendments] include an instruction that specifies that critical accounting estimates should supplement, but not duplicate, the description of accounting policies or other disclosures in the notes to the financial statements.”
c. Amended Item 303(b) – Items no Longer Required
Inflation and Price Changes. The Financial Disclosure Amendments eliminate the requirement that companies discuss the impact of inflation and price changes on their net sales, revenue, and income from continuing operations. Despite these deletions, companies are still expected to discuss the impact of inflation or changing prices if they are part of a known trend or uncertainty that has had, or the company reasonably expects to have, a material impact.
Off-Balance Sheet Arrangements. The Financial Disclosure Amendments eliminate the requirement to present a separately captioned section discussing off-balance sheet arrangements and instead add a principles-based instruction to discuss certain commitments or obligations (including those formerly disclosed as off-balance sheet arrangements).
Contractual Obligations. The Financial Disclosure Amendments eliminate the requirement to provide a contractual obligations table, as much of the information is included in the notes to the financials under GAAP or elsewhere in MD&A under the new requirements to discuss cash commitments. The Financial Disclosure Amendments add a provision reiterating that material cash requirements from known contractual or other obligations should be discussed in Liquidity and Capital Resources, and also add an instruction that material requirements from known contractual obligations may include, for example, lease obligations, purchase obligations, or other liabilities reflect on the balance sheet. While the Form 10-K and Form 10-Q are no longer required to include a contractual obligations table and material updates, care should be taken that any material cash requirements are discussed elsewhere in the Liquidity and Capital Resources discussion. In addition, a company’s accounting personnel should confirm whether there is any information currently contained in the table that is required by GAAP and, therefore, must be added elsewhere in the notes to the financials.
d. Amended Item 303(b) – Clarification on Discussion of “Underlying Reasons” for Period-to-Period Changes
The Financial Disclosure Amendments also clarify that, where there are material changes from period-to-period in one or more line items, companies must describe the underlying reasons for such changes in both quantitative and qualitative terms, rather than only the “cause” for such changes. The Financial Disclosure Amendments also amend the language to clarify that companies should discuss material changes within a line item even when such material changes offset each other. These amendments codify what the SEC staff has been asking companies to include via the comment letter process for some time.
Companies should more closely examine the drivers behind changing operating results and how those drivers are described in the Form 10-K. Superficial discussions of, for example, decreased sales volumes or increased compensation expenses may not be sufficient. Evaluating the disclosure required by this rule will likely be done in tandem with the evaluation of whether certain trends should be identified in MD&A.
e. Amended Item 303(b) – A Note on Product Lines
The Financial Disclosure Amendments add “product lines” as an example of subdivisions of a company’s business that should be discussed where, in the company’s judgment, such a discussion would be necessary to an understanding of the company’s business. The prior rule requested discussion of “segment information and/or of other subdivisions (e.g., geographic areas) of the company’s business.” Similar to the rule change in Item 101 requiring disclosure of “any dependence on … product families,” this rule change should focus companies’ attention on groups of products about which information may be material to investors’ understanding of the business.
f. New Item 303(c) – Interim Period Discussion
The Financial Disclosure Amendments permit companies to compare the operating results from their most recently completed quarter to the operating results from either the corresponding quarter of the prior year (as is currently required) or to the immediately preceding quarter. If a company changes the comparison from the prior interim period comparison, the company is required to explain the reason for the change and present both comparisons in the filing where the change is announced. Notwithstanding this change, a discussion of any material changes in the company’s results of operations for the most recent the year-to-date period would still need to be compared to the results of operations from the corresponding year-to-date period of the preceding fiscal year.
For companies who choose to adopt new Item 303(c) for their first quarter 2021 Form 10-Q, a new comparison of Q1 2021 to Q4 2020 will be required, as well as the existing comparison of Q1 2021 to Q1 2020 results and an explanation as to the change. Going forward, a comparison of the current quarter to the previous quarter will be sufficient, so long as a comparison of any material changes from the current quarter to the prior year’s corresponding quarter is provided. Given the cyclical nature of many businesses, we expect that many companies will not make any changes as result of this amendment; however, companies whose businesses lend themselves to sequential analysis will probably welcome the change.
II. COVID-19 Disclosure Considerations
As we round the one-year mark of the COVID-19 pandemic, it is important for companies to evaluate whether their COVID-19 disclosure adequately and accurately reflects the impact of COVID-19. This should continue to be a focus of disclosure controls and procedures and may continue to draw scrutiny from the SEC staff. While many companies have crafted and tailored this disclosure over the past several months, it is helpful to refer back to prior SEC guidance[9] and SEC enforcement actions, a helpful summary of which is included in our prior client alerts.[10] As we look towards the 2020 Form 10-K filing, we reflect on a few important considerations below.
A. Impact on Management’s Discussion and Analysis of Financial Condition and Results of Operations
As reflected in the new MD&A objectives statement in the Financial Disclosure Amendments, the purpose of MD&A is to provide material information relevant to an assessment of the financial condition and results of operations of the company. The company should aim to allow investors to understand the business results through the eyes of management. New Item 303(a) specifically calls out a focus on material events and uncertainties known to management that are reasonably likely to cause reported financial information not to be necessarily indicative of future operating results or of future financial condition. As companies review their MD&A disclosure, they should pay particular attention to how the COVID-19 pandemic, including (i) actions taken by governments, customers, suppliers, and other third-parties, (ii) work from home measures and employee safety, and (iii) impact on the economy or industry in which they operate, has impacted their results of operations or financial condition. Companies should continue to evaluate whether it is necessary to revise their liquidity and capital resources section to reflect the historical and any future impacts to the COVID-19 pandemic. In characterizing the impact of the pandemic, companies should be specific and clarify the time periods involved in the disclosure. It is no longer appropriate to provide only generic statements about the company’s inability to predict the impact of the pandemic, which may have been included in the Form 10-K for 2019.
B. Impact on Risk Factors
A great number companies have included a COVID-19 risk factor in one of their quarterly reports since the outset of the pandemic. As companies review their risk factor disclosure in light of the Business Disclosure Amendments, it is important that the COVID-19 risk factor disclosure be appropriately tailored to the facts and circumstances of the particular company, whether due to (i) risks that directly impact the company’s business, (ii) risks impacting the company’s suppliers or customers, or (iii) ancillary risks, including a decline in the capital markets, a recession, a decline in employee relations or performance, governmental regulations, an inability to complete transactions, and litigation. The SEC has reiterated that risk factors should not use hypotheticals to address events that are actually impacting the company’s operations and brought enforcement actions against certain companies for portraying realized risks as hypothetical.[11] Accordingly, companies should be specific in providing examples of risks that have already manifested themselves.
C. Impact on Non-GAAP Financial Measures
When reviewing 2020 operating results and performance, companies may consider presenting non-GAAP financial measures for historical periods impacted by the COVID-19 pandemic that reflect adjustments from the required GAAP measures. If such non-GAAP measures are presented in the Form 10-K, the disclosure should be clear and the rationale for the presentation explained. Management may articulate the position that these adjustments are critical in order for investors to be able to compare the performance of the business period over period.
Companies should be mindful of the rules relating to non-GAAP supplemental measures under Regulation G and Item 10(e) of Regulation S-K. In guidance issued on March 25, 2020, the Division of Corporation Finance reminded companies that “we do not believe it is appropriate for a company to present non-GAAP financial measures or metrics for the sole purpose of presenting a more favorable view of the company.”[12] Additionally, companies should be mindful of Non-GAAP Financial Measures CD&I 100.02, which states that non-GAAP measures can be misleading if presented inconsistently between periods, and CD&I 100.03, which states that non-GAAP measures can be misleading if they exclude charges, but do not exclude any gains. In addition, to the extent a company discloses any key performance metrics and changes have been made to such metrics to exclude items related to the crises or address such items in a different manner, the company should be clear to call out such changes and provide updated comparable prior period information to the extent practicable.
III. Other Considerations and Reminders
A. Key Performance Indicators (KPIs)
As mentioned in our prior post,[13] the SEC issued an Interpretative Release[14] in January 2020 providing guidance on key performance indicators and metrics discussed in MD&A. The release was a reminder that companies must disclose key variables and other qualitative and quantitative factors that management uses to manage the business and that would be peculiar and necessary for investors to understand and evaluate the company’s performance, including non-financial and financial metrics.
The guidance instructs companies that, when including metrics in their disclosure, they should consider existing MD&A requirements and the need to include such further material information, if any, as may be necessary in order to make the presentation of the metric, in light of the circumstances under which it is presented, not misleading. The disclosure of such additional metrics, based on the facts and circumstances, should be accompanied by the following disclosures:
- a clear definition of the metric and how it is calculated;
- a statement indicating the reasons why the metric provides useful information to investors;
- a statement indicating how management uses the metric in managing or monitoring the performance of the business; and
- whether the disclosure of any estimates or assumptions underlying such metric or its calculations are necessary to be disclosed for the metric not to be materially misleading.
In addition, if a company changes the method by which it calculates or presents the metric from one period to another or otherwise, the company should disclose, to the extent material, the differences between periods, the reasons for the changes and the effect of the changes. Changes may necessitate recasting the prior period’s presentation to help ensure the comparison is not misleading.
B. Impact of Changes to Filer Definitions
On March 12, 2020, the SEC announced[15] the adoption of a final rule amending the “accelerated filer” and “large accelerated filer” definitions.[16] The amendments became effective April 27, 2020 and first impacted annual reports on Form 10-K due after the effective date. The amendments exclude from the “accelerated filer” and “large accelerated filer” definitions issuers that are otherwise eligible to be a “smaller reporting company” and that had annual revenues of less than $100 million in the most recent fiscal year for which audited financial statements are available. The most notable effect of these amendments is that a smaller reporting company with less than $100 million in revenues, while obligated to establish and maintain internal control over financial reporting (“ICFR”) and have management assess the effectiveness of ICFR, will not be subject to the requirements of Section 404(b) of the Sarbanes-Oxley Act, which requires that an issuer’s independent auditor attest to, and report on, management’s assessment of the effectiveness of ICFR (i.e., the so-called auditor attestation report). Note that these smaller companies will continue to be subject to a financial statement audit by an independent auditor, who is required to consider ICFR in the performance of that audit, but will not be required to obtain an auditor attestation report.
The amendments also (i) increase the public float transition threshold for an accelerated and a large accelerated filer becoming a non-accelerated filer from $50 million to $60 million and for existing large accelerated filer status from $500 million to $560 million; and (ii) add the Smaller Reporting Company revenue test to the transition threshold for both accelerated filer and large accelerated filer status. Please see our prior post for more information regarding these amendments.[17]
C. Omitting Third Year of MD&A
In 2019, the SEC adopted amendments to modernize and simplify various disclosure requirements, which included the option for companies to omit from MD&A a discussion of the earliest of the three years of financials included in the Form 10-K if such discussion was included in a prior filing with the SEC.[1] When a company takes this approach, the location of the omitted discussion must be identified in the current Form 10-K, but that previous disclosure should not be incorporated by reference. On January 24, 2020, the Division of Corporation Finance issued three new Compliance and Disclosure Interpretations (C&DIs)[18] addressing common questions regarding Instruction 1 to Item 303(a). A brief overview of this guidance is discussed below and in more detail in our prior post.[19]
Question 110.03 – May not Omit Earliest Year if Necessary to Understanding of Financial Condition. Provides that a company may not omit a discussion of the earliest of three years from its current MD&A if it believes a discussion of that year is necessary to an understanding of its financial condition, changes in financial condition and results of operations. When determining whether to omit the earliest year discussion, a company should analyze whether the entirety of the discussion of its financial condition and operating results from three years ago (e.g., 2018 for the 2020 10-K), either as previously reported or updated to reflect trends or developments, is necessary to understand its financial condition, changes in financial condition and results of operations. If so, that discussion should be included in the Form 10-K. In our survey of S&P 500 companies that filed a 10-K between the effective date of the revised instruction through the date of our alert on the topic in early 2020, approximately 54% have opted to exclude the earliest year’s discussion in the MD&A.
Question 110.02 – Earliest Year Discussion Not Incorporated Unless Explicitly Stated. Clarifies that when a company omits a discussion of the earliest of three years and includes the required statement that identifies the location of such discussion in a prior filing with the SEC, such discussion is not incorporated by reference into the filing unless the company expressly states that the information is incorporated by reference. According to our survey mentioned above, less than 10% of companies chose to expressly incorporate the prior discussion by reference.
Question 110.04 – Incorporation by Reference in Registration Statements. Given that the Form 10-K operates as the Section 10(a)(3) update to an effective registration statement, once the Form 10-K is filed without an MD&A discussion for the earliest year of financials, the effective registration statement would not include the MD&A discussion for the earliest year. As such, the company will not incur Securities Act liability on such discussion. When filing a new registration statement or commencing an offering, a company should analyze whether the entirety of the discussion of its financial condition and operating results from three years ago, either as previously reported or updated to reflect trends or developments, is necessary to understand its financial condition, changes in financial condition and results of operations. While in many cases such information will not be material to a current investment decision, in those cases when such information (or any other earlier information) is deemed necessary, companies and their counsel should discuss how best to incorporate such information into the offering documents.
Most companies that choose to exclude the earliest year of financials have tended to include the statement identifying the location of the prior disclosure at the beginning of the MD&A, the beginning of the Results of Operation section, or the end of the Results of Operation section before Liquidity and Capital Resources.
D. Exhibit List Reminders
In 2019, a number of changes were made to the exhibit requirements in Exchange Act reports.[20] While companies may be familiar with these changes in connection with their Form 10-K filing last year, the short summary below serves as a reminder of the key changes to exhibits when preparing the 2020 Form 10-K this year.
1. Exhibit 4 – Description of registered securities
Companies are required to provide a brief description of all securities registered under Section 12 of the Exchange Act (i.e., the information required by Item 202(a) through (d) and (f) of Regulation S-K) as an exhibit to their Forms 10‑K. The securities covered by this exhibit are the same as those required to be listed on the cover of the Form 10‑K. While many companies prepared this exhibit for their 2019 Form 10-K, the previously filed exhibit should be reviewed for any changes to the information called for by Item 202 of Regulation S-K. If no changes since the prior filing, the company may simply incorporate by reference to the previously filed exhibit.
2. No lookback period for material contracts.
Companies other than “newly reporting registrants” need only disclose material contracts to be performed in whole or in part at or after the filing of their Forms 10‑K. Previously, there was a two-year lookback period with respect to material contracts for most companies, which often resulted in filing copies of stale / terminated contracts. (See Item 601(b)(10)(i) of Regulation S‑K.)
3. Omission of schedules to exhibits
Companies may omit entire schedules or similar attachments to exhibits, unless the schedules or attachments contain material information that is not otherwise disclosed in the exhibit or SEC filing. A brief list identifying the contents of the omitted schedules or other attachments must be included in the exhibit, unless the exhibit already includes information that conveys the subject matter of the omitted material. Companies are no longer required to state that they will furnish a copy of the omitted schedules or attachments to the SEC upon request (which was typically done through a notation in the exhibit index); though they must still provide a copy if requested by the SEC. (See Item 601(a)(5) of Regulation S‑K.)
4. Omission of information from exhibits without confidential treatment request
Companies are permitted to omit confidential information from material contracts filed under Item 601(b)(10) and agreements filed under Item 601(b)(2) without requesting confidential treatment from the SEC where this information is both (i) not material and (ii) would likely cause competitive harm to the company if publicly disclosed. Companies must mark the exhibit index to indicate that portions of the material contract have been omitted; include a prominent statement on the first page of the redacted material contract indicating certain information has been omitted; and indicate with brackets where this information has been omitted within the material contract.
Companies are also allowed to omit personally identifiable information (such as bank account numbers, social security numbers, telephone numbers, home addresses, and similar information) from all exhibits without submitting a confidential treatment request for this information.
Although companies are no longer required to file confidential treatment requests with respect to exhibits filed pursuant to Item 601(b)(10) and Item 601(b)(2), they are still responsible for ensuring all material information is disclosed and limiting redactions to those portions necessary to prevent competitive harm. The SEC staff will continue to selectively review companies’ filings and assess whether companies have satisfied their disclosure responsibility with respect to these redactions.
5. Exhibit 22 – List of guarantors
In March 2020, the SEC adopted amendments to Rules 3-10 and 3-16 of Regulation S-X, which became effective on January 4, 2021. These amendments relate to the financial disclosure requirements applicable to registered debt offerings and were adopted in an effort to “improve the quality of disclosure and increase the likelihood that issuers will conduct debt offerings on a registered basis.”[21] Please see our prior post for a detailed description of these amendments, which became effective on January 4, 2021.[22] In connection with the amendments, companies with registered debt securities are required to include a new Exhibit 22, which requires a list, as applicable, the company’s subsidiaries and affiliates covered by new Rules 13-01 and 13-02 of Regulation S-X. Specifically the list must include each of the company’s subsidiaries that is a guarantor, issuer, or co-issuer of the guaranteed security and each of the company’s affiliates whose security is pledged as collateral for the company’s security. For each affiliate, the security or securities pledged as collateral must also be identified.
E. Extending confidential treatment
As discussed in our prior post,[23] on September 9, 2020, the Division of Corporation Finance updated its guidance on confidential treatment requests to provide companies with the ability to transition to the new redaction rules under certain circumstances.[24] When the SEC first amended its exhibit filing requirements to allow redactions without a confidential treatment request in March 2019, companies that had previously submitted confidential treatment requests were not able to simply refile a redacted exhibit, but rather were required to file an extension to their prior request. The updated guidance now provides that:
“[if] it has been more than three years since the initial confidential treatment order was issued, and if the contract continues to be material, companies have the option to transition to compliance with the requirements set out in Regulation S-K Item 601(b)(10) and other parallel rules, referred to here as the redacted exhibit rules. The redacted exhibit rules allow for the filing of redacted exhibits without submitting an explanation or substantiation to the SEC, or providing an unredacted copy of the exhibit, except upon request of the staff.
In order to transition to the redacted exhibits rules in these situations, a company would only be required to refile the material contract in redacted form and comply with the legend and other requirements of the applicable redacted exhibit rule, most commonly Item 601(b)(10)(iv) of Regulation S-K. We anticipate that many, if not most, companies will chose to transition to this process since substantiation of compliance and submission of unredacted materials to the staff is only required upon staff request.”
There are two other options that remain available to companies faced with a soon-to-expire confidential treatment. The first alternative is for the company to simply refile the unredacted exhibit. The second alternative is to apply for an extension to the confidential period pursuant to Rule 406 or Rule 24b-2 prior to the confidential treatment order’s expiration, which can be done by submitting a short-form application (available here) to [email protected] (if the initial order was issued less than three years ago) or a complete application (if the initial order was issued more than three years ago).
F. E-signature Rules
On November 17, 2020, the SEC approved amendments to Regulation S-T and the EDGAR Filer Manual relating to the use of electronic signatures for SEC filings, including Form 10-K.[25] The new rules expressly provide for the use of e-signature methods (e.g., “DocuSign” and “AdobeSign”). In general, where a document submitted electronically to the SEC is required to be signed, the signature appearing in the filing must appear in the electronic filing in typed form, not in manual or graphic form. Signatures that are not required in a filing may appear as in manual or graphic form (e.g., the signature in a letter to shareholders included in a Proxy Statement).
Under Rule 302(b) of Regulation S-T, when an SEC filing must be signed, the signatory must either manually sign the actual signature page or electronically sign the signature page or some other document that authenticates, acknowledges or otherwise adopts the signature appearing in the filing. Before allowing a signatory to electronically sign an SEC filing, a company must obtain a manually signed attestation from the signatory agreeing that the signatory’s electronic signature of an SEC filing has the same effect as a manual signature. This attestation must be retained for a minimum period of seven years after the date of the most recent electronically signed authentication document for the applicable signatory. Companies who plan on shifting to electronic signatures may wish to send a form attestation to their board for manual signature when sending the Form 10-K to the board for approval. A form of attestation document is included in our prior post,[26] which also discusses other applicable considerations and requirements associated with the Regulation S-T and EDGAR Filer Manual amendments.
G. Cover Page Changes
When the SEC adopted amendments to the definitions of “accelerated filer” and “large accelerated filer” back in March 2020, a new check box was added to the cover page of the Form 10-K to indicate whether an auditor attestation report under Section 404(b) of the Sarbanes-Oxley Act is included in the filing. As a reminder, companies that are large accelerated filers or accelerated filers will be required to tag this new cover page check box disclosure in Inline XBRL. All other companies will be required to comply with the new XBRL tagging requirements for fiscal periods ending on or after June 15, 2021.
H. Critical Accounting Matters
Form 10-Ks for all companies (except emerging growth companies) require a company’s auditor to include disclosures in its audit report about critical audit matters (“CAMs”) that the auditor identifies during the course of the audit. The audit standard, AS 3101,[27] requires that for each CAM communicated in the auditor’s report, the auditor must: (i) identify the CAM; (ii) describe the principal considerations that led the auditor to determine that the matter is a CAM; (iii) describe how the CAM was addressed in the audit; and (iv) refer to the relevant financial statement accounts or disclosures that relate to the CAM. As noted in our previous client alert,[28] companies should consider possible scenarios where this standard might put the auditor in a position of having to make disclosures of original information, and prepare in advance for how to address such situations. Since CAMs will typically address a topic that also is discussed in financial statement footnotes or MD&A, companies should make sure that their language is consistent with the discussion in the CAM.
I. Updates to Disclosure Controls and Procedures
In light of the substantial number of changes to the Form 10-K requirements and disclosure guidance, it is important for personnel and counsel to consider the manner in which the company’s disclosure controls and procedures are addressing the changes. It is also important that the disclosure committee and audit committee are briefed on the changes and the company’s approach to addressing them.
_____________________
[1] For further discussion on these amendments, please see our prior client alert “SEC Continues to Modernize and Simplify Disclosure Requirements” (March 26, 2019), available at https://www.gibsondunn.com/wp-content/uploads/2019/03/sec-continues-to-modernize-and-simplify-disclosure-requirements.pdf.
[1] Available at https://www.gibsondunn.com/a-double-edged-sword-examining-the-principles-based-framework-of-the-sec-recent-amendments-to-disclosure-requirements/.
[2] See Modernization of Regulation S-K Items 101, 103, and 105, Release No. 33-10825 (August 26, 2020), available at https://www.sec.gov/rules/final/2020/33-10825.pdf.
[3] See Transitional FAQs Regarding Amended Regulation S-K Items 101, 103 and 105 (November 5, 2020), Question 3, available at https://www.sec.gov/corpfin/transitional-faqs-amended-regulation-s-k-items-101-103-105.
[4] See Morrow Sodali 2020 Institutional Investor Survey, available at https://morrowsodali.com/insights/institutional-investor-survey-2020.
[5] See BlackRock’s Commentary, Investment Stewardship’s Approach to Engagement on Human Capital Management, available at https://www.blackrock.com/corporate/literature/publication/blk-commentary-engagement-on-human-capital.pdf.
[6] See “SEC Adopts Amendments to Modernize and Enhance Management’s Discussion and Analysis and other Financial Disclosures” (November 19, 2020), available at https://www.sec.gov/news/press-release/2020-290.
[7] See Management’s Discussion and Analysis, Selected Financial Data, and Supplementary Financial Information, Release No. 33-10890 (November 19, 2020), available at https://www.sec.gov/rules/final/2020/33-10890.pdf.
[8] Available at https://www.securitiesregulationmonitor.com/Lists/Posts/Post.aspx?ID=432.
[9] See CF Disclosure Guidance: Topic No. 9 (March 25, 2020), available at https://www.sec.gov/corpfin/coronavirus-covid-19, and CF Disclosure Guidance: Topic No. 9A (June 23, 2020), available at https://www.sec.gov/corpfin/covid-19-disclosure-considerations.
[10] See “Perspectives from One Month into the COVID-19 U.S. Outbreak: Public Company Disclosure Considerations” (April 9, 2020), available at https://www.gibsondunn.com/wp-content/uploads/2020/04/perspectives-from-one-month-into-the-covid-19-u-s-outbreak-public-company-disclosure-considerations.pdf. See “SEC Brings First Enforcement Action Against a Public Company for Misleading Disclosures About the Financial Impacts of the Pandemic” (December 7, 2020), available at https://www.gibsondunn.com/sec-brings-first-enforcement-action-against-a-public-company-for-misleading-disclosures-about-the-financial-impacts-of-the-pandemic/.
[11] See “2019 Year-End Securities Enforcement Update” (January 14, 2020), available at https://www.gibsondunn.com/2019-year-end-securities-enforcement-update/.
[12] See CF Disclosure Guidance: Topic No. 9 (March 25, 2020), available at https://www.sec.gov/corpfin/coronavirus-covid-19.
[13] Available at https://www.securitiesregulationmonitor.com/Lists/Posts/Post.aspx?ID=394.
[14] See Commission Guidance on Management’s Discussion and Analysis of Financial Condition and Results of Operations, Release No. 3310751 (January 30, 2020), available at https://www.sec.gov/rules/interp/2020/33-10751.pdf.
[15] See “SEC Adopts Amendments to Reduce Unnecessary Burdens on Smaller Issuers by More Appropriately Tailoring the Accelerated and Large Accelerated Filer Definitions” (March 12, 2020), available at https://www.sec.gov/news/press-release/2020-58.
[16] See Accelerated Filer and Large Accelerated Filer Definitions, Release No. 34-88365 (March 12, 2020), available at https://www.sec.gov/rules/final/2020/34-88365.pdf.
[17] Available at https://www.securitiesregulationmonitor.com/Lists/Posts/Post.aspx?ID=400.
[18] Available at https://www.sec.gov/divisions/corpfin/guidance/regs-kinterp.htm#110.02.
[19] Available at https://www.securitiesregulationmonitor.com/Lists/Posts/Post.aspx?ID=393.
[20] See FAST Act Modernization and Simplification of Regulation S-K, Release No. 33-10618 (March 20, 2019), available at https://www.sec.gov/rules/final/2019/33-10618.pdf.
[21] See Financial Disclosures about Guarantors and Issuers of Guaranteed Securities and Affiliates Whose Securities Collateralize a Registrant’s Securities, Release No. 33-10762 (March 2, 2020), available at https://www.sec.gov/rules/final/2020/33-10762.pdf.
[22] See “SEC Amends Rules to Encourage Issuers to Conduct Registered Debt Offerings” (March 7, 2020), available at https://www.securitiesregulationmonitor.com/Lists/Posts/Post.aspx?ID=396.
[23] Available at https://www.securitiesregulationmonitor.com/Lists/Posts/Post.aspx?ID=425.
[24] See Confidential Treatment Applications Submitted Pursuant to Rules 406 and 24b-2 (December 19, 2019, Amended September 9, 2020), available at https://www.sec.gov/corpfin/confidential-treatment-applications#options.
[25] See “Electronic Signatures in Regulation S-T Rule 302, Release No. 33-10889 (November 17, 2020), available at https://www.sec.gov/rules/final/2020/33-10889.pdf.
[26] Available at https://www.securitiesregulationmonitor.com/Lists/Posts/Post.aspx?ID=431.
[27] Available at https://pcaobus.org/Standards/Documents/Implementation-of-Critical-Audit-Matters-The-Basics.pdf.
[28] See “PCAOB Adopts New Model for Audit Reports” (June 2, 2017), available at https://www.gibsondunn.com/pcaob-adopts-new-model-for-audit-reports/.
The following Gibson Dunn attorneys assisted in preparing this client update: Hillary H. Holmes, Elizabeth Ising, Thomas J. Kim, Brian J. Lane, James J. Moloney, Ronald O. Mueller, Michael Scanlon, Michael A. Titera, and Justine Robinson.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work in the Securities Regulation and Corporate Governance and Capital Markets practice groups, or any of the following practice leaders and members:
Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, [email protected])
James J. Moloney – Orange County, CA (+ 949-451-4343, [email protected])
Lori Zyskowski – New York (+1 212-351-2309, [email protected])
Brian J. Lane – Washington, D.C. (+1 202-887-3646, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202-955-8671, [email protected])
Thomas J. Kim – Washington, D.C. (+1 202-887-3550, [email protected])
Michael A. Titera – Orange County, CA (+1 949-451-4365, [email protected])
Capital Markets Group:
Andrew L. Fabens – New York (+1 212-351-4034, [email protected])
Hillary H. Holmes – Houston (+1 346-718-6602, [email protected])
Stewart L. McDowell – San Francisco (+1 415-393-8322, [email protected])
Peter W. Wardle – Los Angeles (+1 213-229-7242, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
As we wrap up a particularly unique year in the legal industry, Gibson Dunn’s Media, Entertainment and Technology Practice Group highlights some of the notable rulings, developments, and trends that will inform industry litigation long after the COVID-19 pandemic has faded from view.
A. Copyright Litigation
1. Second Circuit Finds 50 Cent’s Right of Publicity Claim Against Rick Ross Preempted
On August 19, 2020, the Second Circuit held that the Copyright Act preempted a Connecticut common law right of publicity claim brought by Curtis James Jackson III (the hip-hop artist known as 50 Cent) against William Roberts (the hip-hop artist known as Rick Ross).[1] Jackson alleged that Roberts violated Jackson’s personal right of publicity when Roberts used a sample from one of Jackson’s best-known songs, “In Da Club,” in a free mixtape that Roberts released in 2015.[2] Affirming the district court’s grant of summary judgment, Judge Pierre Leval wrote for the panel that the Copyright Act impliedly preempted and, in the alternative, expressly preempted, Jackson’s state law right of publicity claim.
As to implied preemption, the Second Circuit examined the state interests at play and the potential for conflict between the state law claim and the operation of federal copyright law. First, the circuit court held that “Roberts’s mere reproduction of a sound that can be recognized as Jackson’s voice, . . . do[es] not violate any substantial state law publicity interest.”[3] In reaching that conclusion, the Second Circuit emphasized that Roberts had not used Jackson’s name or persona “in a manner that falsely implied Jackson’s endorsement of Roberts” or his mixtape—i.e., Jackson’s right of publicity claim was not seeking to vindicate an interest in preventing consumer confusion or false endorsements.[4] Nor had Roberts used Jackson’s music “in any way derogatory, or an invasion of Jackson’s privacy”—i.e., Jackson’s claim was not seeking to vindicate a reputational or privacy interest.[5] Rather, in the circuit court’s view, the “predominant focus” of Jackson’s right of publicity claim was simply to challenge the unauthorized use of a copyright-protected sound recording.[6] But, as the Second Court noted, Jackson holds no copyright interest in “In Da Club,” which is owned by Shady Records/Aftermath Records—non-parties to the litigation.[7] If such a right of publicity claim were allowed to proceed, it “would impair the ability of a copyright holder or licensee to exploit the rights guaranteed under the Copyright Act.”[8]
Second, the appellate court examined the potential for conflict between state law and federal copyright law, finding two potential conflicts weighing in favor of a finding of preemption: (a) applying the right of publicity to the publication, reproduction, or performance of the many works featuring depictions or appearances of real persons raises an “obvious and substantial” “potential for impairment of the ability of copyright holders and licensees to exploit the rights conferred by the Copyright Act”; and (b) Jackson’s suit “is more properly seen as a thinly disguised effort by the creator and performer of a work within the subject matter of copyright—who owns no copyright interest in the work—to nonetheless exert control over its distribution.”[9] The Second Circuit thus found Jackson’s claim impliedly preempted by the Copyright Act.
The Second Circuit held in the alternative that Jackson’s claim was expressly (i.e., statutorily) preempted by Section 301 of the Copyright Act, finding that Jackson’s right of publicity claim focused on Roberts’s use of a work that plainly fell “within the subject matter of copyright,” as opposed to a use of Jackson’s voice independent of a work covered by the Copyright Act for the purpose of an endorsement.[10] The circuit court also found that the basis for Jackson’s right of publicity claim was “in no meaningful fashion distinguishable from infringement of a copyright.”[11] Thus, the claim was expressly preempted.
2. Ninth Circuit Adopts New “Asserted Truths” Doctrine for Nonfiction Works
On September 8, 2020, as part of a long-running dispute, the Ninth Circuit affirmed the U.S. District Court for the District of Nevada’s decision granting judgment as a matter of law in favor of Frankie Valli, his former Four Seasons bandmates, and others involved in the creation of the musical Jersey Boys, holding that they did not infringe the copyright in a biography about the Four Seasons when creating and performing the musical.[12] Donna Corbello, widow of the ghostwriter and copyright owner of Tommy Devito’s unpublished autobiography about the band, alleged that the creators of Jersey Boys had access to the autobiography and that, in addition to infringing the copyright in the book, they had also breached a contract among the band members. At trial, a jury found that Jersey Boys infringed the book and was not a fair use. The district court subsequently vacated the jury’s verdict and entered judgment as a matter of law in favor of the defendant on the grounds that the musical was a fair use, and ordered a new trial on damages apportionment as it related to the contract issues.
The Ninth Circuit affirmed without reaching the district court’s analysis of the fair use defense, finding instead that Jersey Boys did not infringe Corbello’s copyright in the work in the first place. Applying the extrinsic test for substantial similarity, the Ninth Circuit found that half of the alleged similarities between the musical and the book were common phrases, scenes-a-faire, or otherwise non-protectable, non-copyrightable elements, and the other half were non-protectable because they were held out by the book’s authors as factual.[13]
In so holding, the Ninth Circuit adopted a new circuit standard for copyright protection for non-fiction works, which it dubbed the “asserted truths” doctrine, adapted from what other circuits and district courts have called “copyright estoppel”—a doctrine in which “elements of a work presented as fact are treated as fact, even if the party claiming infringement contends that the elements are actually fictional.”[14] Under this doctrine, “[a]n author who holds their work out as nonfiction [] cannot later claim, in litigation, that aspects of the work were actually made up and so are entitled to full copyright protection.”[15] The Ninth Circuit described the breadth of the asserted truths doctrine, noting that it “applies not only to the narrative but also to dialogue reproduced in a historical nonfiction work represented to be entirely truthful,”[16] and found it applied to bar the assertion of infringement as to numerous alleged similarities given the book’s “emphatic representation that it is a nonfiction autobiography.”[17]
3. Seinfeld Prevails in “Comedians in Cars” Copyright Ownership Dispute
On May 7, 2020, the Second Circuit rejected a copyright lawsuit targeting Jerry Seinfeld’s hit Netflix show, “Comedians in Cars Getting Coffee.”[18] Shortly after Netflix announced a deal to stream the show, Christian Charles, whom Mr. Seinfeld hired to direct the show’s pilot, filed suit against Mr. Seinfeld, Netflix, and Sony Pictures, alleging that Mr. Seinfeld stole the concept for the show and that he—not Mr. Seinfeld—was the owner of the show’s copyrights.[19] Judge Nathan of the U.S. District Court for the Southern District of New York dismissed the copyright claims with prejudice, ruling that they were time-barred by the Copyright Act’s three-year statute of limitations and that the facts pled in the complaint were self-defeating.[20] The district court found that Mr. Charles’s “attempts to distinguish Second Circuit precedent” were “unavailing” and concluded that, “[b]ecause Charles was on notice that his ownership claim had been repudiated since at least 2012, his infringement claim is time-barred.”[21] Specifically, the court held that Mr. Seinfeld expressly repudiated Mr. Charles’s ownership claim “in 2011 [when he] twice rejected Charles’s request for backend compensation and made it clear that Charles’s only involvement was to be on a ‘work-for-hire’ basis” and in 2012 when Mr. Seinfeld “went on to produce and distribute the show without giving any credit to Charles.”[22] The court also recognized the opportunistic nature of the lawsuit, finding that Charles was prompted to sue after the announcement in 2017 that “Netflix inked a lucrative new deal for the show to join their platform.”[23]
The Second Circuit issued a summary order affirming the judgment of the district court “for substantially the same reasons that [the district court] set out in its well-reasoned opinion.”[24] The Second Circuit agreed that the case concerned a copyright ownership dispute, as opposed to an infringement dispute—a key distinction for determining accrual of the Copyright Act’s statute of limitations, as while an infringement claim accrues after each separate infringement, an ownership claim accrues only once. The Second Circuit reaffirmed its precedent by holding that if “the ownership claim is time-barred, the infringement claim itself is also time-barred, even if any allegedly infringing activity occurred within the limitations period.”[25] Siding with the defendants’ classification of the dispute as one over copyright ownership, the Second Circuit found that Mr. Charles’s arguments to the contrary were “seriously undermined by his statements in various filings throughout this litigation which consistently assert that ownership is a central question.”[26] The Second Circuit then agreed with the defendants’ argument that Charles’s self-defeating allegations in his complaint were “enough to place [him] on notice that his ownership claim was disputed [as of 2012] and therefore this action, filed six years later, was brought too late.”[27]
Shortly thereafter, Charles filed a petition for panel rehearing.[28] Citing a recently decided Sixth Circuit Court of Appeals copyright case, Everly v. Everly[29]—discussed below in this update—Charles argued that the Second Circuit erred by failing to distinguish between authorship and ownership claims in the context of determining when the statute of limitations accrued.[30] On June 10, 2020, the Second Circuit declined to adopt Everly and summarily denied Charles’s petition for panel rehearing.[31] Charles filed a petition for a writ of certiorari—arguing that Everly created a circuit split—which the U.S. Supreme Court denied on December 14, 2020.[32] The defendants’ motion for attorneys’ fees and costs is currently pending before Judge Nathan.[33] [Disclosure: Gibson Dunn represents the defendants in this action.]
4. Ninth Circuit Rules Dr. Seuss–Star Trek Mashup Not a Fair Use
On December 18, 2020, the Ninth Circuit held that a comic book “mashup” of Dr. Seuss and Star Trek was not protected against copyright claims as a fair use.[34] The mashup, which combined Dr. Seuss’s Oh, the Places You’ll Go! with elements of the television program Star Trek, is entitled Oh, the Places You’ll Boldly Go! The Ninth Circuit’s ruling revived the 2016 infringement lawsuit brought by Dr. Seuss Enterprises against ComicMix, the creator of the comic book, after the district court entered summary judgment in favor of ComicMix last year on the basis that the comic was a fair use, but affirmed the district court’s Rule 12(c) dismissal and grant of summary judgment in favor of ComicMix on Seuss Enterprises’ trademark claim.[35]
On the copyright infringement claim, the Ninth Circuit rejected the district court’s fair use conclusion, finding that each of the four statutory fair use factors weighs against Boldly! being considered a fair use. The circuit court found Boldly! was not a fair use because it placed characters in a “Seussian world that is otherwise unchanged,” was not transformative, failed to parody or comment on Dr. Seuss’s work, used a substantial quantitative amount of Go! (“replicat[ing], as much and as closely as possible from Go!, the exact composition, the particular arrangements of visual components, and the swatches of well-known illustrations”), “took the heart of Dr. Seuss’s works,” and harmed Seuss’s ability to sell derivative works, particularly where Seuss had a history of licensing authorized derivatives.[36]
The Ninth Circuit, however, affirmed the district court’s ruling that Seuss’s trademark infringement claim failed because Boldly! is protected as an expressive work under the Rogers test (of Rogers v. Grimaldi, 875 F.2d 994 (2d Cir. 1989), as adopted and extended by the Ninth Circuit’s precedents).[37] Under the Rogers test, “which balances artistic free expression and trademark rights,” the Ninth Circuit held that the Lanham Act does not apply because Boldly! was “not explicitly misleading as to its source.”[38]
5. Liability for “Making Available” Works Protected by Copyright
Federal courts continue to grapple with the bounds of the exclusive distribution right under the Copyright Act and whether an owner’s copyright has been infringed when a protected work is “made available” to the public for permanent download or streaming, even if no one purchases the work or listens to the clip. In June 2020, in Sony Music Entertainment et al. v. Cox Communications Inc., the U.S. District Court for the Eastern District of Virginia upheld a jury verdict finding Cox, an Internet service provider, vicariously and contributorily liable for its subscribers’ infringement of the plaintiffs’ copyrights in their sound recordings and musical compositions.[39] Cox argued that direct infringement by its subscribers was not sufficiently proven at trial as the evidence supported only that the plaintiffs’ works were available for sharing, but not that they were disseminated.[40] The court considered prior Fourth Circuit caselaw holding that a work made available to the “borrowing or browsing public [ ] has completed all the steps necessary for distribution to the public,”[41] but found that line of cases to be of limited applicability, noting that direct proof of dissemination is unnecessary to bring a claim under the Copyright Act.[42] Consequently, the court found overwhelming circumstantial evidence of direct infringement through distribution based on Cox’s subscribers’ use of P2P (peer-to-peer) networks such as BitTorrent to share files.[43] On January 12, 2021, the court upheld the $1 billion award against Cox and entered judgment.
The U.S. District Court for the Western District of Washington considered similar issues in SA Music, LLC v. Amazon.com, Inc., et al., addressing whether a violation of a copyright owner’s exclusive distribution rights requires actual dissemination of the infringed works by sale or other transfer of ownership, or by rental, lease or lending.[44] The plaintiffs—heirs to the rights of composers Harold Arlen, Ray Henderson, and Harry Warren—alleged that a content provider had pirated thousands of recordings of their compositions and then made them available, and sold them, in the United States through Amazon’s digital music store.[45] Amazon moved to dismiss the plaintiffs’ “making available” theory of liability (i.e., liability for making the allegedly infringing works available in Amazon’s digital music store, without corresponding sales).[46] The court granted the motion, holding that distribution of a copyright-protected recording under § 106(3) of the Copyright Act on a digital music store requires the transfer or download of a file containing the work from one computer to another.[47] In so holding, the court distinguished Fourth Circuit precedent, reasoning that although a protected work may be deemed distributed when made available in a public library or a file-sharing network, when it comes to an online music store, the work is not distributed simply by being made available because the user cannot access the full work without first paying for the right to download the work.[48]
B. Trademark Litigation
1. Supreme Court Holds that Combining “.com” with a Generic Term Can Create a Protectable Mark.
As we wrote last summer, on June 30, 2020, the Supreme Court voted 8-1 to reject a bright-line rule promulgated by the U.S. Patent and Trademark Office (PTO) that would prevent registration of an otherwise generic term in combination with a top-level Internet domain (such as “.com”), finding that the combination can create a protectable mark if consumers recognize the term to identify a specific source of goods or services.[49] Booking.com, a hotel reservation website, applied to register the mark BOOKING.COM. The PTO denied registration because it broke down the proposed mark into its constituent elements and determined that “booking” is the generic term for hotel reservation services and “.com” is a generic indicator of a website.[50] Booking.com appealed that decision in district court, which ruled in favor of Booking.com, relying heavily on evidence that consumers recognized the term as a unique brand name and not a generic term.[51] The Fourth Circuit affirmed.[52]
The Supreme Court affirmed, with Justice Ruth Bader Ginsburg writing for the Court.[53] The Court based its holding on the “principle that consumer perception demarcates a term’s meaning.”[54] That principle applies even to marks that combine generic elements; “[b]ecause ‘Booking.com’ is not a generic name to consumers, it is not generic.”[55] The Court, however, did not adopt its own bright-line rule that all “.com” marks are protectable. Rather, the Court made clear that the protectability of marks is a fact question under the Lanham Act, and all relevant evidence must be taken into account in deciding the ultimate question of whether consumers understand a particular term to serve as a trademark, including consumer surveys, dictionaries, and usage by consumers and competitors. The Court noted that the likelihood of confusion element of a trademark claim and affirmative defenses such as fair use will prevent companies like Booking.com from claiming a monopoly over otherwise generic terms, like “booking.”[56] [Disclosure: Gibson Dunn submitted an amicus brief on behalf of Salesforce.com, Inc. et al. in support of Booking.com BV.]
2. Videogame’s Depiction of Humvees Protected Under First Amendment
On March 31, 2020, District Judge George B. Daniels of the U.S. District Court for the Southern District of New York ruled that the First Amendment protects Activision Blizzard’s depiction of real-life Humvee vehicles in the popular Call of Duty series of war videogames.[57] Humvee manufacturer AM General brought claims under the Lanham Act and New York state law against Activision over its widespread depiction of the vehicles across nine Call of Duty games, which allow players to ride in and interact with Humvees.[58]
The court held that because the Call of Duty games are “artistic or expressive,” the “Rogers test” of Rogers v. Grimaldi, 875 F.2d 994 (2d Cir. 1989) applied to the videogames’ depictions of Humvees.[59] Under the Rogers test, courts must determine whether the contested use is an “‘integral element’ of the artistic expression.”[60] The court held that, even accepting AM General’s evidence of some actual confusion by consumers, the depiction of Humvee vehicles in Call of Duty that bear recognizable trademarks does not infringe the trademark holder’s rights because “[i]f realism is an artistic goal, then the presence in modern warfare games of vehicles employed by actual militaries undoubtedly furthers that goal.”[61] In doing so, the district court acknowledged that commercial and artistic motivations behind a depiction can coexist, and that “an artist can sell her art without the First Amendment abandoning her.”[62]
C. First Amendment Litigation & Developments
1. United States Agency for Global Media Senior Officials Preliminarily Enjoined from Interfering with Journalistic Activity
On November 20, 2020, Chief Judge Beryl A. Howell of the U.S. District Court for the District of Columbia issued a preliminary injunction in Turner v. USAGM, prohibiting the Trump-appointed CEO of the United States Agency for Global Media (“USAGM”), Michael Pack, and his appointed officials, from “continuing” activities likely to violate the First Amendment.[63] The defendants’ conduct at issue was directed towards journalists and editors of USAGM’s publicly funded international broadcasting networks, such Voice of America (“VOA”), and included “taking or influencing personnel actions against” journalists or editors, “attempting to influence content through communications with individual journalists or editors, and investigating purported breaches of journalistic ethics.”[64]
The case was brought by career civil servants of USAGM and VOA who asserted that soon after the Senate’s June 4, 2020 confirmation of Pack as CEO of USAGM, Pack and his co-defendants “commenced a series of events designed to fundamentally undermine the networks’ independence” from the agency’s political leadership.[65] Plaintiffs claimed these events—including (among other things) attempts by the defendants to interfere “directly in the newsrooms at VOA and [other] networks” and to commence investigations into purported “breaches of journalistic ethics . . . to root out perceived liberal bias”—violated the International Broadcasting Act, 22 U.S.C. §§ 6201-16, and associated regulations, designed to “guarantee . . . the networks’ journalistic independence in the face of government oversight”—as well as the First Amendment.[66]
While the district court found that subject matter jurisdiction was “likely lacking over plaintiffs’ statutory and regulatory claims,” it held that one of the plaintiffs, VOA’s Program Director, was likely to succeed on the merits of her First Amendment claim.[67] The district court rejected the defendants’ argument that this plaintiff had “no First Amendment protection for speech taken pursuant to [her] official duties,” holding that “network speech made in relation to editorial and journalistic activities is protected under the First Amendment,” specifically under the standard set forth in Pickering v. Board of Education, 391 U.S. 563 (1968).[68] Applying that standard, the court concluded that to the extent defendants had “taken or influenced personnel actions against individual journalists or editors,” had tried “to monitor VOA and network content through communications with individual editors or journalists,” and had undertaken “their own investigations of alleged discrete breaches of journalistic ethics,” the plaintiff was likely to succeed on her First Amendment claim.[69] The court found that each of the remaining preliminary injunction factors favored issuing an injunction. The court’s preliminary injunction order is currently on appeal before the D.C. Circuit.[70] [Disclosure: Gibson Dunn represents the plaintiffs in this action.]
2. New York Passes New Right of Publicity Law.
As we noted in our Fall 2020 update, in July 2020, the New York state legislature passed a much-anticipated right of publicity bill.[71] On November 30, 2020, Governor Andrew Cuomo signed the bill into law.[72] The bill, Senate Bill S5959D/Assembly Bill No. A05605B, replaced New York Civil Rights Law § 50 and changed the right of publicity landscape in the state.[73] Significantly, the bill makes a person’s right of publicity an independent property right that is freely transferable and creates postmortem rights for forty years after the death of an individual.[74] It further “protects a deceased performer’s digital replica in expressive works to protect against persons or corporations from misappropriating a professional performance.”[75]
After signing the bill into law, Governor Cuomo stated that “[i]n the digital age, deceased individuals can often fall victim to bad actors that seek to capitalize on their death and profit off of their likeness after they pass away—that ends today.”[76] He said that “[t]his legislation is an important step in protecting the rights of deceased individuals while creating a safer, fairer New York for decades to come.”[77] SAG-AFTRA praised Governor Cuomo for signing the legislation, which it believes protects its members and their families who are at risk for post-mortem exploitation.[78] The New York State Broadcasters Association, Inc., on the other hand, noted elements of the law that may narrow its scope and reduce the risk of litigation, including: (i) decedents must be domiciled in New York at the time of death; (ii) the law applies only to those who die after the legislation takes effect; (iii) rights extend for only 40 years after death; and (iv) the decedent’s estate must register with the New York Secretary of State before filing a lawsuit.[79]
Governor Cuomo’s signing of the right of publicity bill followed his signing in November 2020 of another notable piece of media-related legislation: New York’s revised anti-SLAPP law. We wrote about the details of that law in a prior alert, here.
3. First Amendment Bars Right of Publicity Claim for Alleged Inspiration of Gears of War Character
In September 2020, the Third Circuit rejected a former professional wrestler’s right of publicity lawsuit against Microsoft over a character in the Gears of War videogame, finding that the former athlete’s suit was barred by the First Amendment.[80] Lenwood Hamilton, a former professional wrestler and entertainer, alleged that Microsoft misappropriated his likeness to create the Augustus “Cole Train” Cole character.[81] The U.S. District Court for the Eastern District of Pennsylvania granted Microsoft’s motion for summary judgment, finding that the Cole character appears in such a “profoundly transformative context” that its use in Gears of Wars is protected by the First Amendment under the Transformative Use Test employed by the Third Circuit.[82]
The Third Circuit affirmed.[83] Applying the Transformative Use Test, the Third Circuit found that no reasonable juror could conclude that Hamilton was the “sum and substance” of the Cole character.[84] Despite acknowledging that Hamilton and Cole undoubtedly shared similarities—such as skin tone, facial features, and build—the Third Circuit found that significant differences revealed that Hamilton was at most, one of the “raw materials” that inspired the Cole character.[85] The circuit court explained that while Cole fights “a fantastic breed of creatures in a fictional world,” Hamilton “of course, does not.”[86] Similarly, the Third Circuit noted that in the game, the Cole character is not a wrestler—as Hamilton was—but a fictional soldier.[87] It also remarked that Hamilton himself admitted the “Cole character’s persona [was] alien to him” and unreflective of Hamilton’s actual personality.[88] Finding that the Cole character had been “so transformed as to become primarily the defendant’s own expression,” the Third Circuit held that the First Amendment barred Hamilton’s claims.[89]
D. Music Litigation & Related Developments
1. D.C. Circuit Finds Copyright Royalty Board Improperly Set Streaming Royalties
On August 7, 2020, the D.C. Circuit held that the Copyright Royalty Board (the “Board”) failed to provide fair notice or adequately explain its decision making when setting royalty rates for the period from January 1, 2018 through December 31, 2022.[90] The Copyright Act charges the Board with setting the royalty rates and terms every five years for the compulsory mechanical licenses that allow musicians to record their own versions of songs that have been publicly released in return for set compensation.[91] On January 27, 2018, the Board issued its Initial Determination of the royalty rates and terms for the 2018-2022 mechanical license, replacing the use of different formulas and percentages for different categories with a single, uncapped total content cost rate for all categories of offerings. The Board also increased the total content cost rate to 26.2% (the rates previously ranged from about 17% to 22%) and the revenue rate from 10.5% (for most but not all categories) to 15.1%. On November 5, 2018, the Board issued its Final Determination, which closely tracked the Initial Determination, but redefined how “Service Revenue” would be calculated for bundled offerings.[92]
Ruling in favor of streamers Spotify, Amazon, Google, and Pandora, the D.C. Circuit held that the Board failed to provide adequate notice of the rate structure it adopted, which deviated “substantially and unforeseeably” from the parties’ proposals, the arguments made during the evidentiary hearing, and preexisting rate structures.[93] The D.C. Circuit emphasized that the parties were deprived of the opportunity to object to the new structure, address the interplay between the new structure and increased rates, and create a record confronting the “significant, and significantly adverse, overhaul of the mechanical license royalty scheme.”[94] It further held that the Board failed to explain its rejection of prior settlements as benchmarks.[95] Finally, it held that the Board failed to explain what authority it had to redefine “Service Revenue” after publishing its Initial Determination, and remanded to the Board for further consideration.[96]
2. Sixth Circuit Revives Suit Concerning One Everly Brother’s Termination Rights to Best-Selling Song Cathy’s Clown
On May 4, 2020, the Sixth Circuit revived a copyright dispute between Don Everly and the successors-in-interest of his deceased brother, Phil Everly, over termination rights to the former duo’s best-selling single, Cathy’s Clown.[97] When the song was written, recorded, and copyrighted by Don and Phil in 1960, both brothers were listed as authors, received royalties, and took credit publicly for having co-authored the song.[98] But, the brothers granted the copyrights to a third party, Acuff-Rose Publications.[99] Following a personal dispute, Don and Phil executed a Release and Assignment in 1980, under which Phil relinquished to Don all of his rights and interests in the song, including as to royalties and any claim of co-authorship.[100] Even after the agreement was executed, however, both brothers continued to make public statements crediting Phil as co-author.[101] Over 30 years later, in 2011, Don sought to terminate the 1960 copyright grant to Acuff-Rose Publications, and, in doing so, claimed to have exclusive copyright ownership of the song.[102] Then, in 2016, Phil’s successors-in-interest attempted to terminate the 1980 assignment of Phil’s rights to Don.[103]
Don filed a complaint for declaratory relief in 2017, seeking an order declaring that he was the sole author of Cathy’s Clown and that the 1980 agreement did not grant Phil termination rights under the Copyright Act of 1976.[104] Phil’s successors-in-interest filed a counter-claim, seeking a declaration that Phil was a co-author of the song and that he had termination rights under the 2018 agreement.[105] Judge Aleta Trauger of the U.S. District Court for the Middle District of Tennessee granted summary judgment in favor of Don, finding that Phil’s authorship had been expressly repudiated no later than 2011, when he filed his notice of termination of the 1960 grant.[106] Phil’s claim of authorship was thus barred by the Copyright Act’s statute of limitations.[107]
Reversing the district court, the Sixth Circuit held that a genuine factual dispute existed as to whether Don’s actions constituted express repudiation of Phil’s claims for authorship, when Phil was indisputably not the owner of the song.[108] The circuit court held that in the rare case where a dispute involves “authorship claim[s] without [] corresponding ownership claim[s],” the statute of limitations on the authorship claim does not begin until an individual claiming authorship expressly repudiates authorship status, rather than ownership status, (1) privately through direct communication; (2) publicly, including in a listed credit on the published work; or (3) implicitly by receiving remuneration for the work to which the plaintiff is entitled.[109] The Sixth Circuit explained that its test of express repudiation in the ownership context is “consistent” with the Second Circuit’s test and “should apply to such a claim for a declaration of authorship rights.”[110] Because a reasonable juror could find that no repudiation of Phil’s authorship status had taken place, the circuit court held that summary judgment was improper.[111] Judge Ralph B. Guy, Jr. dissented, reasoning that the 1980 Release constituted express repudiation and that “one cannot avoid the accrual of a claim based on a dispute over co-authorship by agreeing to give up the right to claim to be a co-author.”[112]
3. High School Prevails in Copyright Appeal Over Choral Performances
On March 24, 2020, the Ninth Circuit upheld the U.S. District Court for the Central District of California’s grant of summary judgment in favor of Burbank High School and its competitive show choirs—the same choirs that reportedly inspired the television program Glee—in a copyright infringement suit brought by Tresóna Multimedia.[113] Tresóna had alleged that Burbank High violated its copyrights interests by failing to obtain licenses before incorporating segments of four songs into choir performances.[114] The district court had granted summary judgment in favor of Burbank High with regard to the alleged infringement of three of the songs, reasoning that Tresóna did not have standing to sue under the Copyright Act because it held only non-exclusive licenses in those works.[115] As to the fourth work, Olivia Newton John’s song “Magic,” the district court ruled that the choir director was entitled to qualified immunity and that the Booster Club and parent-members could not be held liable for any alleged infringement.[116]
The Ninth Circuit largely affirmed the district court in an opinion that strongly criticized Tresóna for its “aggressive litigation strategy” against a public high school engaging in educational extracurricular activities.[117] The court agreed that Tresóna’s licenses in the three songs were not exclusive because Tresóna received its interests “from individual co-owners of copyright, without the consent of the other co-owners.”[118] With respect to one of the songs (“Magic”), the Ninth Circuit affirmed on the ground that the school’s “non-profit educational and transformative” use of the song constituted fair use.[119]
After this ruling was handed down, Tresóna asked the Ninth Circuit to stay its mandate to allow Tresóna to petition for a writ of certiorari in the United States Supreme Court, contending that the Ninth Circuit incorrectly interpreted the Copyright Act.[120] Approximately five months after this motion was filed, the parties reached a settlement.[121]
4. Musicians Sue Trump Campaign Over Song Usage
On August 4, 2020, Neil Young filed a copyright infringement lawsuit against Donald Trump’s campaign for unauthorized use of his songs at campaign rallies, stating that “Plaintiff in good conscience cannot allow his music to be used as a ‘theme song’ for a divisive, un-American campaign of ignorance and hate.”[122] The complaint objected to use of the songs “Rockin’ the Free World” and “Devil’s Sidewalk.”[123] On December 7, 2020, following the election, Young filed papers to dismiss the suit.[124] Lawsuits such as Young’s do not often prevail, as campaign venues obtain public performance licenses from ASCAP and BMI. However, due to recent controversies over the Trump campaign (primarily) performing artists’ songs against their wishes, ASCAP and BMI have begun to allow songwriters to exclude their music for political use, and warn candidates that a performance license may not cover all claims by musicians.[125] Courts have yet to determine whether this limitation is permitted under ASCAP and BMI consent decrees.
Weeks after Young’s suit, on September 1, 2020, Eddy Grant filed a lawsuit against the Trump campaign, alleging the use of his song “Electric Avenue” in a campaign video tweeted by Trump infringed Grant’s copyright.[126] Trump’s campaign filed a motion to dismiss the suit on November 11, 2020.[127] Grant’s complaint, however, did not raise the issue of public performance, such as at campaign rallies, because his rights were allegedly infringed by unauthorized use in a recorded video. In its motion to dismiss, the Trump campaign claimed that its use of the song constitutes fair use, arguing that the song has been transformed by a clear “comedic, political purpose,” and that the video was “choreographed to mock President Trump’s political opponent.”[128] A ruling on the motion to dismiss is pending.
E. Social Media Litigation
1. TikTok Challenges Trump’s Executive Order
On December 7, 2020, U.S. District Judge Carl J. Nichols of the U.S. District Court for the District of Columbia issued a preliminary injunction barring enforcement of a set of restrictions that the Trump administration issued to ban the operation of social media application TikTok in the United States.[129] The challenged restrictions, which were published by the Secretary of Commerce in September 2020, prohibited five different types of transactions, including the provision of internet hosting services and content delivery network services, and the utilization of constituent code.[130] Plaintiffs TikTok and ByteDance filed suit on September 18, 2020, arguing that the restrictions violate the Administrative Procedure Act (“APA”) as well as several constitutional provisions, and exceed the President and Secretary’s authority under the International Emergency Economic Powers Act (“IEEPA”). On September 27, 2020, the court granted a partial preliminary injunction, enjoining the first of the five restrictions.[131] A month later, on October 30, 2020, in a separate case brought by a different plaintiff, a federal district court in Pennsylvania preliminarily enjoined all five prohibitions.[132]
TikTok then renewed its motion to enjoin all five restrictions in the District of Columbia. Following a hearing, Judge Nichols found that TikTok was likely to succeed on the merits of its APA and IEEPA claims. The IEEPA expressly provides that the President’s authority “does not include the authority to regulate or prohibit, directly or indirectly,” certain activities, including “personal communications and the import or export of informational materials.”[133] The court looked to the government’s “stated goals” in issuing the prohibitions, which included “stopping the exportation of data” and “stopping the importation of propaganda,”[134] and concluded that those intended regulatory objects constituted “informational materials” and likely exceeded the President and Secretary’s IEEPA authority.[135] As to the APA claim, the court found that TikTok was likely to succeed in its claim that the Secretary’s action was arbitrary and capricious, as a result of “the Secretary’s failure to adequately consider an obvious and reasonable alternative” before issuing the prohibitions.[136] The court also declined to refrain from issuing the injunction because the restrictions at issue were also enjoined in the parallel Pennsylvania case, concluding that the Pennsylvania order was subject to appeal and could be “modified, stayed, or vacated at any time.”[137]
_______________________
[1] In re Jackson, 972 F.3d 25 (2d Cir. 2020).
[11] Id. at 54 (citation omitted).
[12] Corbello v. Valli, 974 F.3d 965, 984 (9th Cir. 2020).
[18] Charles v. Seinfeld, 803 F. App’x 550, 552 (2d Cir. 2020), cert. denied, 2020 WL 7327869 (U.S. Dec. 14, 2020).
[19] Charles v. Seinfeld, 410 F. Supp. 3d 656, 658 (S.D.N.Y. 2019).
[24] Charles, 803 F. App’x at 551.
[28] Charles v. Seinfeld, No. 19-3335-cv, Pet. for Rehearing, ECF 94 (2d Cir. May 21, 2020) [hereinafter, Pet. for Rehearing].
[29] Everly v. Everly, 958 F.3d 442 (6th Cir. 2020).
[30] Pet. for Rehearing at 8-12.
[31] Charles v. Seinfeld, No. 19-3335-cv, Order Denying Pet. for Rehearing, ECF 101 (2d Cir. June 10, 2020).
[32] Charles v. Seinfeld, 2020 WL 7327869, at *1 (U.S. Dec. 14, 2020).
[33] Charles v. Seinfeld, No. 18-cv-01196, Motion for Attorneys’ Fees and Costs, ECF 124 (S.D.N.Y. July 1, 2020).
[34] Dr. Seuss Enterprises L.P. v. ComicMix LLC, 983 F.3d 443 (9th Cir. 2020).
[35] Dr. Seuss Enterprises L.P. v. ComicMix LLC, 372 F. Supp. 3d 1101, 1128 (S.D. Cal. 2019).
[36] Dr. Seuss Enterprises L.P., 983 F.3d at 451–61.
[39] 464 F. Supp. 3d 795, 805 (E.D. Va. June 2, 2020).
[41] Id. at 810 (quoting Hotaling v. Church of Jesus Christ of Latter-Day Saints, 118 F.3d 199, 203 (4th Cir. 1997)).
[44] No. 2:20-cv-00105-BAT (Arlen Docket), 2020 WL 3128534 (W.D. Wash. June 12, 2020).
[49] U.S. Patent and Trademark Office v. Booking.com B.V., 140 S.Ct. 2298 (2020).
[51] Id.; see also, Booking.com B.V. v. Matal, 278 F. Supp. 3d 891, 918 (2017).
[52] Id. at 2304; see also, Booking.com B.V. v. U.S. Patent and Trademark Office, 915 F. 3d 171, 184 (2019).
[54] U.S. Patent and Trademark Office v. Booking.com B.V., 140 S.Ct. 2298, 2304 n.3 (2020).
[57] AM General LLC v. Activision Blizzard, Inc., 450 F. Supp. 3d 467 (S.D.N.Y. 2020).
[63] No. 20-2885 (BAH), 2020 WL 6822780, at *34.
[70] Grant Turner v. U.S. Agency for Global Media, No. 20-5374 (D.C. Cir. Dec. 18, 2020).
[71] Senate Bill S5959D, 2019-2020 Legislative Session of The New York State Senate (last accessed Aug. 26, 2020), https://www.nysenate.gov/legislation/bills/2019/s5959.
[72] Governor Cuomo Signs Legislation Establishing a “Right To Publicity” for Deceased Individuals to Protect Against the Commercial Exploitation of their Name or Likeness, Office of New York Governor Andrew M. Cuomo (last accessed Jan. 8, 2021), https://www.governor.ny.gov/news/governor-cuomo-signs-legislation-establishing-right-publicity-deceased-individuals-protect.
[73] Jennifer E. Rothman, New York Reintroduces Right of Publicity Bill with Dueling Versions, Rothman’s Roadmap to the Right of Publicity (May 22, 2019), https://www.rightofpublicityroadmap.com/news-commentary/new-york-reintroduces-right-publicity-bill-dueling-versions.
[74] Senate Bill S5959D, Summary Memo, supra note 72.
[76] Governor Cuomo Signs Legislation, supra note 73.
[78] Kevin Stawicki, Cuomo Signs Bill Recognizing Post-Mortem Publicity Rights, Law360, https://www.law360.com/articles/1333362/cuomo-signs-bill-recognizing-post-mortem-publicity-rights.
[79] Senate Bill S5959D, Summary Memo, supra note 72; Governor Signs New Right of Publicity/Digital Replica and Deep Fakes Bill – Broadcasters Protected from Unwarranted Lawsuits; New York State Broadcasters Association, Inc., https://nysbroadcasters.org/2020/12/governor-signs-new-right-of-publicity-digital-replica-and-deep-fakes-bill-broadcasters-protected-from-unwarranted-lawsuits/.
[80] Hamilton v. Speight, 827 F. App’x 238 (3d Cir. 2020).
[82] Hamilton v. Speight, 413 F. Supp. 3d 423, 433-34 (E.D. Penn. 2019).
[83] Hamilton, 827 F. App’x at 241.
[90] Johnson v. Copyright Royalty Bd., 969 F.3d 363 (D.C. Cir. 2020).
[91] 17 U.S.C. §§ 115, 801(b).
[92] 84 Fed. Reg. 1918 (Feb. 5, 2019).
[93] Johnson, 969 F.3d at 382.
[97] Everly v. Everly, 958 F.3d 442 (6th Cir. 2020).
[112] Id. at 470 (Guy, J., dissenting).
[113] Tresóna Multimedia, LLC v. Burbank High Sch. Vocal Music Ass’n, 953 F.3d 638, 642, 655 (9th Cir. 2020).
[115] Tresóna Multimedia, LLC v. Burbank High Sch. Vocal Music Ass’n, No. CV 16-4781-SVW-FFM, 2016 WL 9223889, at *3 (C.D. Cal. Dec. 22, 2016).
[116] Id. at *8; Tresóna Multimedia, LLC v. Burbank High Sch. Vocal Music Ass’n, No. CV 16-04781-SVW-FFM, 2017 WL 2728589, at *6 (C.D. Cal. Feb. 22, 2017).
[117] Tresóna Multimedia, LLC, 953 F.3d at 647, 652–53.
[118] Tresóna, 953 F.3d at 646–67.
[120] Tresóna Multimedia, LLC v. Burbank High Sch. Vocal Music Ass’n, Nos. 17-56006, 17-56417, 17-56419, Tresóna Multimedia, LLC’s Motion For Stay of Mandate (9th Cir. May 21, 2020).
[121] Tresóna Multimedia, LLC v. Burbank High Sch. Vocal Music Ass’n, Nos. 17-56006, 17-56417, 17-56419, Tresóna Multimedia, LLC’s Notice of Settlement and Stipulation of Dismissal (9th Cir. Oct. 13, 2020).
[122] Complaint ¶ 1, Young v. Donald J. Trump for President, Inc., No. 20-cv-06063 (S.D.N.Y.) (ECF No. 6).
[124] Notice of Voluntary Dismissal, Young v. Donald J. Trump for President, Inc., No. 20-cv-06063 (S.D.N.Y.) (ECF No. 21).
[125] See “Using Music In Political Campaigns,” ASCAP, https://www.ascap.com/~/media/files/pdf/advocacy-legislation/political_campaign.pdf.
[126] Complaint, Grant v. Trump, No. 20-cv-07103 (S.D.N.Y.) (ECF No. 1).
[127] Motion to Dismiss, Grant v. Trump, No. 20-cv-07103 (S.D.N.Y.) (ECF No. 19).
[129] TikTok Inc. v. Trump, No. 1:20-cv-02658, 2020 WL 7233557, at *1 (D.D.C. Dec. 7, 2020).
[132] Marland v. Trump, No. 20-4597, 2020 WL 6381397, at *14-15 (E.D.Pa. Oct. 30, 2020).
[133] TikTok, 2020 WL 7233557, at *7 (citing 50 U.S.C. § 1702(b)).
The following Gibson Dunn lawyers assisted in the preparation of this client update: Howard Hogan, Ilissa Samplin, Brian Ascher, Nathaniel Bach, Marissa Moshell, Doran Satanove, Afia Bonner, Dillon Westfall, Kaylie Springer, Amanda LeSavage, David Kusnetz, Jeremy Bunting, Sarah Scharf, Adrienne Liu, Melanie Sava, and Hannah Yim.
Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s Media, Entertainment & Technology Practice Group:
Scott A. Edelman – Co-Chair, Media, Entertainment & Technology Practice, Los Angeles (+1 310-557-8061, [email protected])
Kevin Masuda – Co-Chair, Media, Entertainment & Technology Practice, Los Angeles (+1 213-229-7872, [email protected])
Orin Snyder – Co-Chair, Media, Entertainment & Technology Practice, New York (+1 212-351-2400, [email protected])
Brian C. Ascher – New York (+1 212-351-3989, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Ilissa Samplin – Los Angeles (+1 213-229-7354, [email protected])
Nathaniel L. Bach – Los Angeles (+1 213-229-7241,[email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
On January 29, 2021, Pharmaceutical Care Management Association (“PCMA”), a national trade association representing pharmacy benefit managers (“PBMs”), secured a one-year stay in a challenge to a new regulation issued by the Department of Human Health and Services Office of Inspector General (“HHS-OIG”) that sought to prohibit PBMs and plan sponsors from accepting retrospective manufacturer rebates under Medicare Part D plans. In response to a complaint and a motion for partial summary judgment, together with a request for expedited consideration, filed by Gibson Dunn behalf of PCMA in the United States District Court for the District of Columbia, HHS-OIG offered to delay the effective date of a challenged regulation while it considers whether to withdraw or modify the rule.
PBMs administer prescription drug plans for more than 270 million Americans with health coverage through their employers, the health insurance market, or federal programs including Medicare Part D. Plan sponsors engage PBMs to maximize the value of prescription drug benefits by negotiating price concessions from drug manufacturers and pharmacies, in addition to providing numerous other services. Since the mid-1990s and through the earliest days of Part D, PBMs and manufacturers in both the commercial and Part D contexts have converged around a business model in which manufacturers pay retrospective rebates to PBMs after the product is dispensed to the enrollee, and PBMs pass rebates on to plan sponsors.
On November 30, 2020, HHS-OIG issued the “Rebate Rule,” a new regulation that attempted to prohibit PBMs and plan sponsors from accepting retrospective manufacturer rebates under Medicare Part D plans. HHS-OIG issued the rule despite concerns from within the Trump administration that the Rule would weaken PBMs’ ability to negotiate price concessions, drive up net drug prices, increase premiums for Medicare Part D enrollees by 25 percent, and increase federal spending by $196 billion over the next decade—concerns confirmed by actuarial analyses from multiple federal agencies and the Department of Health and Human Services’ own actuaries. HHS-OIG set the Rebate Rule’s provisions eliminating retrospective rebates to take effect January 1, 2022, even though the process of negotiating with drug manufacturers, designing Medicare Part D plans, and submitting bids to the government to provide coverage in 2022 was already well underway, with bids due in June 2021.
The timing of the rule thus interrupted ongoing negotiations and left PBMs and plan sponsors without adequate guidance or regulation from the government about how the new rule would impact bidding and the operation of Medicare Part D for the 2022 contract year. PCMA and its member PBMs sought immediate relief because the Rebate Rule had disrupted their work midstream and left them in regulatory limbo without enough time to receive necessary operational guidance and regulations before they submit bids in June.
In response, Gibson Dunn developed a strategy to challenge the rule as arbitrary and capricious under the Administrative Procedure Act and to delay its effective date. After filing a complaint on January 12, 2021, Gibson Dunn then filed a motion for partial summary judgment on January 25, 2021 targeting the Rebate Rule’s impending effective date. Gibson Dunn contemporaneously filed a motion asking for an expedited ruling on the effective date’s validity within five weeks.
At a status hearing on January 29, 2021 before Judge John D. Bates, the government responded to the motion for partial summary judgment by offering to delay the effective date of the Rebate Rule for a full calendar year, with a new effective date of January 1, 2023. The parties stipulated to that approach, and the court approved the delayed effective date, which restored the status quo and provided plan sponsors and PBMs clarity as they work to submit bids in June 2021 to provide Medicare coverage for millions of Americans, and held the case in abeyance. During the stay, the Biden administration will study the rule adopted by its predecessors and determine whether to repeal or modify it. If HHS-OIG ultimately elects to leave the Rule in place, or fails to make a decision before planning for contract year 2023 begins, Gibson Dunn is prepared to proceed with its remaining challenges to the Rule.
The case is Pharmaceutical Care Management Association v. U.S. Department of Health and Human Services, et al., No. 21-cv-95 (D.D.C.).
The following Gibson Dunn lawyers assisted in the litigation and in the preparation of this client update: Helgi C. Walker, Matthew Rozen, Brian Richman, Aaron Smith, and Max Schulman.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Administrative Law and Regulatory Practice Group, or the following authors:
Helgi C. Walker – Chair, Administrative Law and Regulatory Practice, Washington, D.C. (+1 202-887-3599, [email protected])
Matthew S. Rozen – Member, Administrative Law and Regulatory Practice, Washington, D.C. (+1 202-887-3596, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
A California federal court issued the first decision in the country in a securities class action arising out of the COVID-19 pandemic, dismissing the case on the ground that the issuer could not have anticipated the extent of the pandemic in early January 2020. The decision, Berg v. Velocity Financial, Inc.,[1] offers some hope for issuers that their public statements made before or in the early days of the pandemic will be protected from suit to the extent they failed to predict the COVID-19 crisis and its impact on the issuer’s business.
COVID-19 Securities Lawsuits
The COVID-19 pandemic and resulting “Coronavirus Crash” brought on a surge of event-driven securities lawsuits. The initial wave of pandemic-related securities lawsuits began in the Spring of 2020 and targeted primarily businesses in the travel and healthcare industries that were directly impacted by the ongoing public health crisis.[2] Several of these lawsuits centered on allegations that the issuer-defendants had downplayed the impact of COVID-19 on their business and/or concealed incidences of COVID-19 outbreaks at their places of business.
Despite a relatively steady stock market recovery through the Summer and Fall of 2020, pandemic-related securities lawsuits continued to be filed,[3] targeting defendants in a wider range of industries that were less directly impacted by COVID-19, including the software,[4] financial services,[5] and energy industries.[6] These cases alleged that companies failed to disclose the impact of COVID-19 on their financial performance and misstated their ability to weather the storm. Pandemic-related securities lawsuits have now become so numerous that the U.S. Chamber Institute for Legal Reform and the Chamber’s Center for Capital Markets Competitiveness filed a petition with the U.S. Securities and Exchange Commission urging the SEC to “act without delay to place reasonable limits on securities litigation arising out of the COVID-19 pandemic.”[7]
Berg v. Velocity Financial, Inc.
Berg involves claims against Velocity Financial, Inc. (“Velocity”), a real estate finance company specializing in lending for small commercial and residential properties. After Velocity went public in January 2020, its shares rapidly declined in value. The plaintiff filed a putative securities class action in July 2020, accusing Velocity of misrepresenting or failing to disclose material facts in its offering materials concerning: (i) the company’s “disciplined” underwriting process; (ii) the growth of non-performing and short-term, interest-only loans in its investment portfolio; (iii) a “substantial and durable” market for real estate investors; and (iv) risks facing its business, including those relating to the pandemic.
On January 25, 2021, the Court granted Velocity’s motion to dismiss, finding that the allegations of fraud were based on information that was either not available at the time of Velocity’s initial public offering or contradicted by Velocity’s offering materials. Regarding COVID-19, specifically, the Court grounded its decision on the fact that Velocity could not have anticipated the extent of the pandemic in early January 2020. Even so, the Court noted that Velocity’s offering materials had cautioned investors that Velocity’s business might be affected by “changes in national, regional or local economic conditions or specific industry segments,” including those caused by “acts of God,” which disclosure the Court found covered the pandemic. Similarly, the Court found that Velocity could not have anticipated that the rate of its nonperforming loans would increase to the extent that it did and, more specifically, that the extent of the increase due to the pandemic was not foreseeable when the company filed its offering materials in January 2020.
Conclusion
The COVID-19 crisis continues to cause disruptions and uncertainty in the economy, and companies can be certain that plaintiffs’ lawyers will continue to monitor securities filings and stock price performance for potential claims—groundless or otherwise. Companies can take some comfort that courts, starting with the Berg decision and possibly more to follow, will take a sensible and pragmatic approach in recognizing the unprecedented nature of the COVID-19 pandemic and dismissing cases premised on a failure early-on to anticipate the extent of the crisis. The Berg decision further shows that seemingly generic risk disclosures that did not call out COVID-19 risks in particular were sufficient in the early days of the COVID-19 pandemic. And public companies will no doubt hope that the decision provides a roadmap for other courts to dismiss similar securities complaints premised on a failure to predict the extent or commercial impact of the COVID-19 crisis.
____________________
[1] No. 20 Civ. 6780, 2021 WL 268250 (C.D. Cal. Jan. 25, 2021).
[2] See, e.g., Douglas v. Norwegian Cruise Lines, 20-cv-21107 (S.D. Fla. Mar. 12, 2020); Service Lamp Corp. Profit Sharing Plan v. Carnival Corp., 20-cv-22202 (S.D. Fla. May 27, 2020); McDermid v. Inovio Pharm. Inc., 20-1402 (E.D. Pa. Mar. 12, 2020); Yannes v. SCWorx Corp., 20-cv-03349 (S.D.N.Y. Apr. 29, 2020).
[3] See, e.g., Tang v. Eastman Kodak Company, No. 20-cv-10462 (D.N.J. Aug. 13, 2020); City of Riviera Beach Gen. Emps. Ret. Sys. v. Royal Caribbean Cruises LTD, No. 20-cv-24111 (S.D. Fla. Oct. 7, 2020).
[4] See Arbitrage Fund v. ForescoutTechs., No. 20-cv-03819 (N.D. Cal. June 10, 2020).
[5] See SEC v. Wallach, No. 20-cv-06756 (N.D. Cal. Sept. 29, 2020).
[6] See Hessel v. Portland Gen. Elec. Co., No. 20-cv-01523 (D. Or. Sept. 3, 2020).
[7] Tom Quaadman & Harold Kim, Petition for Rulemaking on COVID-19 Related Litigation, (Oct. 30, 2020), https://instituteforlegalreform.com/petition-for-rulemaking-on-covid-19-related-litigation/.
The following Gibson Dunn attorneys assisted in preparing this client update: Brian M. Lutz, Jennifer Conn, Avi Weitzman, Michael Nadler, Dillon M. Westfall, Tyler Andrew Hammond, and Maxwell Peck.
Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the Securities Litigation practice group, or the following authors:
Brian M. Lutz – San Francisco/New York (+1 415-393-8379/+1 212-351-3881, [email protected])
Jennifer L. Conn – New York (+1 212-351-4086, [email protected])
Avi Weitzman – New York (+1 212-351-2465, [email protected])
Securities Litigation Group:
Monica K. Loseman – Co-Chair, Denver (+1 303-298-5784, [email protected])
Brian M. Lutz – Co-Chair, San Francisco/New York (+1 415-393-8379/+1 212-351-3881, [email protected])
Robert F. Serio – Co-Chair, New York (+1 212-351-3917, [email protected])
Jefferson Bell – New York (+1 212-351-2395, [email protected])
Matthew L. Biben – New York (+1 212-351-6300, [email protected])
Jennifer L. Conn – New York (+1 212-351-4086, [email protected])
Thad A. Davis – San Francisco (+1 415-393-8251, [email protected])
Ethan Dettmer – San Francisco (+1 415-393-8292, [email protected])
Mark A. Kirsch – New York (+1 212-351-2662, [email protected])
Jason J. Mendro – Washington, D.C. (+1 202-887-3726, [email protected])
Alex Mircheff – Los Angeles (+1 213-229-7307, [email protected])
Craig Varnen – Los Angeles (+1 213-229-7922, [email protected])
Robert C. Walters – Dallas (+1 214-698-3114, [email protected])
Avi Weitzman – New York (+1 212-351-2465, [email protected])
Aric H. Wu – New York (+1 212-351-3820, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
Gov. Andrew Cuomo’s recently released 2022 budget includes a proposal for a comprehensive data privacy bill, and with Democratic supermajorities in both houses of the state Legislature for the first time in history, it is likely that New York may soon have a comprehensive data privacy law that rivals the California Consumer Protection Act and the newly enacted California Privacy Rights and Enforcement Act.
This focus on data protection is not new in New York — the state recently enacted the Stop Hacks and Improve Electronic Data Security, or SHIELD, Act, an update to the state data breach notification law, and the New York Department of Financial Services, or NYDFS, has increased pressure on companies regarding data security.
The continuing shift in data privacy and data security law is set to have a significant impact on businesses’ compliance efforts and operational risk, as well as on the expectations of consumers. Below we discuss what businesses can do to prepare.
Originally published by Law360 on January 29, 2021.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group, or the following authors in New York:
Mylan L. Denerstein (+1 212-351-3850, [email protected])
Alexander H. Southwell (+1 212-351-3981, [email protected])
Amanda M. Aycock (+1 212-351-2356, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
Over this past week, the stock market has experienced a turbulent and acutely volatile series of events related to the trading of a small group of public companies’ shares. With echoes of the 2010 “Flash Crash” and a mid-2020 surge in the share price of Hertz while Hertz remained mired in ongoing bankruptcy proceedings,[1] numerous companies’ stock prices have become unglued from their financials, valuations, and other fundamental analyses. Perhaps most (in)famously, the stock price of GameStop surged from a low of less than $20 in early January to a high of nearly $500 on January 28th —an increase of well over 1,000%—for no discernible reason beyond the efforts of thousands, or perhaps even millions, of internet message board users[2] to force a “short squeeze” targeting asset managers who shorted the stock in anticipation of GameStop’s declining stock price based on their analysis of the company’s fundamentals.[3] The ramifications have been widespread, ranging from the temporary crash of Reddit, the very website on which these efforts originated,[4] to popular trading platforms restricting customers’ ability to trade in particularly volatile securities,[5] and prominent financial institutions changing their investment approaches and abandoning certain short-sale trading positions.[6] Reactions have equally run the gamut, ranging from pundits who find these events “hilarious” or view this as a story of “an underdog against a mighty foe,” on the one hand, to those, on the other, who view the volatility as “a story of utter nihilism” and a “terrifying proof of concept” as to what can happen in financial markets when there is seemingly no connection between price and financial fundamentals.[7] For better or worse, many have analogized the increasingly powerful role of non-institutional investors to a “democratization of the markets.”[8]
While these events continue to unfold in real time, all three branches of the federal government have indicated an intent to address them. On January 28th, the Chairwoman of the House of Representatives’ Committee on Financial Services announced that it would hold hearings “with a focus on short selling, online trading platforms, gamification and their systemic impact on our capital markets and retail investors,”[9] while the incoming Chairman of the Senate Committee on Banking, Housing, and Urban Affairs similarly announced plans for forthcoming hearings “on the current state of the stock market.”[10] That very same day, the first litigation relating to these events was filed in the Southern District of New York, as an investor brought a putative class action lawsuit against the electronic trading platform Robinhood, alleging that limitations on trading implemented amidst this volatility had “deprived retail investors of the ability to invest in the open market” with intent “to manipulate the market for the benefit of . . . financial institutions.”[11] A dozen other lawsuits against Robinhood and others quickly followed in courts across the country.[12] In addition, the SEC announced that it was “actively monitoring the on-going market volatility in the options and equities markets” and working to “assess the situation and review the activities of regulated entities, financial intermediaries, and other market participants,”[13] with news media reporting that the SEC is “eyeing a possible market manipulation case” analogizing traders’ online efforts to hype shares of particular companies to “a classic pump and dump” scheme.[14] At least two state attorneys general announced that they had initiated their own probes.[15]
I. Litigation Considerations
In light of the significant sums of money being made and lost, and the media blitz about the new reality and impact of retail investors taking collective action, it was almost inevitable that disputes would arise. Accordingly, it is no surprise that a wave of litigation is already finding its way to the courthouse.
What form is such litigation taking? Generally, the suits filed against Robinhood to date have been brought by certain of the company’s customers and have focused on Robinhood’s trading restrictions, sounding in alleged breaches of contract, breaches of the implied duty of good faith and fair dealing, negligence, and breaches of fiduciary duty. Other suits against Robinhood and various other parties have alleged antitrust claims under state law and both Sections 1 and 2 of the Sherman Act, and have asserted (without citing any evidence or making particularized allegations) improper coordination in prohibiting the purchase of certain securities to unreasonably restrain trade in the stock market, as well as exclusionary and anticompetitive conduct in prohibiting plaintiffs from effectuating trades.[16] In addition, claims have now also been brought under Rule 10b-5.[17]
Market manipulation can be prosecuted criminally by the United States Department of Justice, or pursued through civil litigation brought by agencies such as the SEC and/or private parties who have personally been harmed, including the aforementioned asset managers who have been subjected to a “short squeeze.” Many such claims may rely on Rule 10b-5, adopted by the SEC pursuant to the Securities Exchange Act of 1934, which broadly prohibits all schemes and artifices, including deception, in the trading of securities.[18] Rule 10b-5 is likely to be the most common basis of securities fraud causes of action when market participants are alleged to have perpetrated a fraud, deception, or other willful wrongdoing that results in the manipulation of a stock price—including in classic, or novel, “pump and dump” schemes—although there may be other potential causes of action available as well. For instance, Section 9(a)(2) of the Securities Exchange Act of 1934 has been litigated far less than Rule 10b-5, but it might also apply given its prohibition on “effect[ing] . . . a series of transaction in any security . . . creating actual or apparent active trading in such security, or raising or depressing the price of such security, for the purpose of inducing the purchase or sale of such security by others.”[19]
Of course, the application of Rule 10b-5, Section 9(a)(2), or any other cause of action to a particular set of transactions, and whether such claims can be economically litigated against those engaging in relatively small transactions, including through the novel use of a defendant class action,[20] are questions that are necessarily fact-specific and cannot be addressed in the abstract. Whether an asset manager would file suit against a group of traders circulating materially, false and misleading information, for example, for purposes of artificially inflating the stock price is uncertain given the commercial reality that many of the traders do not have sufficient assets to cover the losses, that litigation is a two-way street and would require a plaintiff asset manager to open up their internal analyses and communications to discovery, and it might create optics issues for a resourceful asset manager bringing action against a group of retail investors. Accordingly, the more likely prosecutor of such market manipulation is the government.
Another type of claim regulators may investigate in these circumstances is open-market manipulation. Open-market manipulation is a more ambiguous and amorphous violation of the securities laws that is effectuated solely through facially legitimate trading.[21] A typical example of prosecutable open market manipulation is known as “marking” or “banging the close,” which occurs when a trader with the intent to defraud purchases a large quantity of shares at or near the close of the trading day. This can boost the trader’s portfolio value, or allow the trader to avoid losing out on an option position. A related form of manipulation called “painting the tape” occurs when a trader with the intent to defraud purchases or sells shares throughout the day to increase the trading volume in an effort to attract more investment in the stock. Such transactions may appear legitimate on their face because they are simply open market trades, but if their intent and effect is to artificially drive up a stock’s closing price for the purposes of defrauding others, they may be actionable under Rule 10b-5.[22] While difficult to prove and heavily dependent on the facts and circumstances, claiming open market manipulation is not without precedent. Two examples are illustrative.
First, Markowski v. SEC involved executives of Global America, Inc., an underwriter, who challenged an SEC order sustaining disciplinary action taken against them by the National Association of Securities Dealers. Global America had underwritten an IPO of a security, after which it accounted for nearly all of the open market purchases and sales in the first six months of that security’s trading. The SEC alleged that Global America’s trading activity kept the stock price artificially inflated, until Global America stopped trading in the stock and its price cratered. Although all of Global America’s transactions were real trades at the market price and did not involve any misrepresentations, the SEC alleged that the effect and intent of Global America’s trading was nevertheless to boost the share price of the security in question. In December 2001, the D.C. Circuit affirmed Rule 10b-5 liability for the Global America executives involved in this stock market manipulation.[23]
United States v. Mulhern provides another example of a claim of open market manipulation that satisfied the elements (though in this instance the government failed to meet its burden of proof). Mulhern involved famed financier Ivan Boesky, who acquired 4.9% of Gulf & Western Industries’ common stock. The government’s unproven allegations were as follows: Boesky first made a failed attempt at a leveraged buyout, after which he subsequently offered to sell his stake back to Gulf & Western at an above-market price. When Gulf & Western rejected that proposal, Boesky next allegedly caused his associate John Mulhern, the chief trader and general partner of a broker-dealer, to make a series of purchases of additional Gulf & Western stock that soon pushed its share price up to Boesky’s desired level. With the stock price rising, Gulf & Western eventually agreed to the earlier proposal and purchased from Boesky his entire 4.9% stake. In addition to losing Mulhern approximately $65,000 on his Gulf & Western investment when the price subsequently went back down, the U.S. Attorney for the Southern District of New York criminally charged Mulhern with multiple counts of market manipulation under Rule 10b-5. The Second Circuit subsequently overturned Mulhern’s conviction on four counts of market manipulation. Crucially, however, the Second Circuit did not reject the legal theories at the heart of the prosecution, but rather determined that the government had failed to satisfy its burden of proof.[24]
II. Other Options to Maintain Market Integrity
Aside from litigation, both the private sector and regulators have a number of options to preserve the integrity of financial markets.
a. Regulatory Intervention
The SEC and other regulators have a wide variety of tools at their disposal to “protect[ ] investors, maintain[ ] fair, orderly and efficient markets, and facilitat[e] capital formation.”[25] Although it has yet to invoke this power, for example, the SEC may suspend trading in a security for up to ten days, either outright or with respect to particular types of trading.[26] Notably, during the 2008 financial crisis the SEC suspended short selling to protect the integrity of the market.[27] Self-regulatory organizations (“SRO”), such as stock exchanges, can also halt trading in circumstances where there is a significant imbalance in the volume of buy and sell orders in a security.[28]
Neither the SEC nor the various SROs handling GameStop and the other securities with similar patterns of extremely volatile trading divorced from their financial fundamentals have chosen to exercise this authority during the current short squeeze event to-date. Robinhood, a trading platform used by retail investors, did choose to temporarily limit certain types of trading in approximately 50 different securities—including GameStop—as a risk management decision that Robinhood asserted was necessary to protect the platform and its clearinghouses, and to ensure its compliance with various regulatory requirements.[29]
b. Practical Considerations for Hedge Funds and Other Financial Institutions
Short of litigating claims based on market manipulation, market participants might also consider other approaches to these tumultuous times.
As an initial matter, recent market events have underscored the importance of securities law compliance and monitoring. Hedge funds and other financial institutions could consider expanding their current compliance programs, if needed, to include monitoring of message boards and social media postings to determine whether other market participants are complying with the securities laws. Such monitoring could allow hedge funds and others to more proactively anticipate and respond to market disrupting events. To the extent that they have not already done so, for instance, hedge funds and other financial institutions could create a process for swiftly compiling and analyzing online chatter in order to remain alert as to emerging efforts to coordinate investment activities.
When it comes to information circulated online, hedge funds and others might also consider proactively engaging with retail investors and the media by correcting any misinformation being disseminated online. Specifically, institutional investors might consider identifying and correcting false information discovered in the marketplace through counsel and external investigators. Financial institutions could also collaborate with public relations consultants to engage online and traditional media platforms to assist in correcting emerging inaccuracies before they attain undue momentum.
Hedge funds and others should also consider proactively engaging with online platforms to request that false, misleading and/or reckless allegations concerning a company or its personnel be taken down pursuant to the hosting companies’ policies and processes. “Take Down” requests might not be feasible on the grand scale currently seen on Reddit message boards, however, and targeting particularly problematic posts may be more effective. For social media platforms hosting stock trading discussions, such as Reddit and Yahoo!, it is important to note that Section 230 of the Communications Decency Act of 1996 provides them with broad protection in connection with content posted by third-parties on their platforms. Accordingly, the hosting entities themselves generally cannot be held liable for what others say on their platform.[30] Market participants can nevertheless work with counsel to familiarize themselves with the user policies of social media companies and online message boards in order to flag instances of misconduct that may violate the hosting platform’s policies. On the evening of January 27th, for example, online platform Discord briefly removed a “WallStreetBets” thread for violating its guidelines on hate speech and spreading misinformation.[31] Notably, the “WallStreetBets” forum on Reddit has rules that prohibit posts that “contain[ ] false or misleading information . . . made for the purpose of manipulating the market for a security” and provide that “[a]ny activity of this sort is against the securities laws and will not be tolerated on this forum.”[32] Efforts to pinpoint specific violations can thus aid online platforms in the expedient removal of false and misleading posts.
c. Practical Considerations for Issuers of Securities
As markets are liberalized and retail investors can more readily access equities markets and coordinate efforts therein to create massive volatility, issuers should be aware of their strategic options if they become a target of a similar GameStop-style campaign. As with all aspects of a business, the first step in addressing any potential harm is monitoring and becoming aware of the situation before it gets out of control.
Rising share prices seemingly present opportunities for issuers that should be carefully considered with legal counsel and other advisors. For instance, those with shelf offerings or at-the-market equity programs in place may attempt to capitalize on their good fortune. To provide an example, AMC Entertainment, another issuer recently impacted by significant retail investor activity, completed a pre-planned at-the-market equity program by selling 63.3 million shares after seeing its stock price increase significantly in the first weeks of January, allowing it to raise $304.8 million.[33] An issuer finding itself in the strange situation of not believing in the value of its own share price nevertheless must be careful to avoid making any material misstatements or omissions supporting such unjustified enthusiasm, especially when considering making any form of stock issuance. For example, an issuer might consider if it is appropriate under the circumstances to make a public statement explaining that there is no material information to account for the rising share price. Companies issuing securities based on a price they believe to be inflated may well run the risk of regulatory inquiries, and/or securities litigation if and when the share price eventually declines. And, as always, issuers and employees of issuers must be cautious to avoid even the appearance of trading on inside information when dealing in the company’s securities.
Of course, instead of the next volatility event of this nature driving stock prices up, it is just as likely an issuer could be targeted with a run of short-selling that drives the stock price down. In this case, issuers should be ready to engage in the “take down” efforts, discussed above. Issuers might also consider engaging, as appropriate under the circumstances, legal counsel, crisis management experts, accountants, and a public relations team to ensure they are correcting any false information and assuring the public of the issuers fundamental health. Issuers in such a situation might also avail themselves of one of the author’s prior writings on this very topic.[34]
* * * * * * *
By developing sound crisis management plans and executing them with the right mix of offensive and defensive strategies, hedge funds, financial institutions and issuers can weather these turbulent times. And as always, Gibson Dunn remains available to help its clients in doing so.
________________________
[1] See, e.g., Theron Mohamed, Day Traders Are Piling into Hertz, JCPenney, and Other Bankruptcy Stocks Despite Massive Risks, Business Insider (Jun 11, 2020), https://www.businessinsider.com/robinhood-traders-bet-hertz-bankruptcy-stocks-despite-huge-risks-2020-6.
[2] Some have analogized the current activity of message board users to “idea dinners” or gatherings of hedge fund managers to discuss stocks, markets, and trends. Such dinners and other idea exchanges were previously investigated by the United States Securities and Exchange Commission (“SEC”) and the United States Department of Justice. In 2010, for example, the Department of Justice investigated a number of hedge funds for allegedly colluding in betting against the Euro after one such idea dinner. No charges were ever brought.
[3] See, e.g., Ian Sherr, Reddit’s GameStop Stock Battles with Wall Street are Turning Into a War, CNET (Jan. 28, 2021), https://www.cnet.com/personal-finance/reddits-gamestop-stock-battles-with-wall-street-are-turning-into-a-war; Yun Li, GameStop Mania Explained: How the Reddit Retail Trading Crowd Ran Over Wall Street Pros, CNBC (Jan. 27, 2021), https://www.cnbc.com/2021/01/27/gamestop-mania-explained-how-the-reddit-retail-trading-crowd-ran-over-wall-street-pros.html.
[4] Katie Canales, Reddit Says It’s Down Amid a Stock-Market Frenzy Caused by Subredditors and Skyrocketing GameStop Shares, Business Insider (Jan. 27, 2021), https://www.businessinsider.com/reddit-is-down-outage-amid-gamestop-stock-market-interest-2021-1.
[5] Elana Dure, Robinhood, Interactive Brokers Latest to Restrict Trading of GameStop and Others, Investopedia (Jan. 28, 2021), https://www.investopedia.com/robinhood-latest-broker-to-restrict-trading-of-gamestop-and-others-5100879.
[6] See, e.g., Yun Li, Melvin Capital, Hedge Fund Targeted by Reddit Board, Closes out of GameStop Short Position (Jan. 27, 2021), https://www.cnbc.com/2021/01/27/hedge-fund-targeted-by-reddit-board-melvin-capital-closed-out-of-gamestop-short-position-tuesday.html; Maggie Fitzgerald, Citron Research, Short Seller Caught Up in GameStop Squeeze, Pivoting to Finding Long Opportunities (Jan. 29, 2021), https://www.cnbc.com/2021/01/29/citron-research-short-seller-caught-up-in-gamestop-squeeze-pivoting-to-finding-long-opportunities.html.
[7] Compare David Dayen, The GameStop Craziness Pulls Back the Curtain on the Stock Market, The American Prospect (Jan. 28, 2021), https://prospect.org/power/gamestop-craziness-pulls-back-curtain-on-stock-market/, and Sarah Jones, The Final Boss is Capitalism, New York Magazine (Jan. 29, 2021), https://nymag.com/intelligencer/2021/01/gamestop-saga-shows-the-final-boss-is-capitalism.html; with Matt Levine, The GameStop Game Never Stops, Bloomberg (Jan. 25, 2021), https://www.bloomberg.com/opinion/articles/2021-01-25/the-game-never-stops.
[8] Zachary Karabell, How the GameStop Trading Surge Will Transform Wall Street, Time (Jan. 28, 2021), https://time.com/5934285/gamestop-trading-wall-street/; see also, e.g., John Detrixhe, The Dark Side of the Democratization of Trading, Quartz (Jan. 29, 2021), https://news.yahoo.com/dark-side-democratization-trading-161358522.html.
[9] Following Recent Market Instability, Waters Announces Hearing on Short Selling, Online Trading Platforms (Jan. 28, 2021), here.
[10] Brown: Wall Street Only Cares About Rules When Hedge Funds Get Hurt (Jan. 28, 2021), https://www.brown.senate.gov/newsroom/press/release/brown-wall-street-hedge-funds.
[11] Nelson v. Robinhood Financial LLC, No. 21 Civ. 777, Dkt. 1 (S.D.N.Y. Jan. 28, 2021).
[12] See, e.g., Courtney v. Robinhood Financial LLC et al., 21 Civ. 60220 (S.D. Fla.); Daniels v. Robinhood Financial, LLC et al., No. 21 Civ. 290 (D. Colo.); Gatz v. Robinhood Financial, LLC, No. 12 Civ. 490 (N.D. Ill.); Kayali v. Robinhood Financial, LLC et al., No. 21 Civ. 510 (E.D. Ill.); Lavin v. Robinhood Financial, LLC et al., No. 21 Civ. 115 (E.D. Va.); Ross v. Robinhood Financial LLC et al., No. 21 Civ. 292 (S.D. Tex.); Schaff v. Robinhood Markets, Inc. et al., No. 21 Civ. 216 (M.D. Fla.); Simpson v. Robinhood Financial, LLC, No. 21 Civ. 207 (N.D. Tex.); Weig v. Robinhood Financial, LLC et al., No. 21 Civ. 693 (N.D. Cal.); Ziegler v. Robinhood Financial LLC et al., No. 21 Civ. 123 (D. Conn.); Zybura v. Robinhood Financial, LLC et al., No. 21 Civ. 1348 (D.N.J.).
[13] Dean Seal, White House, SEC ‘Monitoring’ Volatile GameStop Stock, Law360 (Jan. 27, 2021), https://www.law360.com/media/articles/1349195/white-house-sec-monitoring-volatile-gamestop-stock?nl_pk=ef15795b-2462-46f9-bdad-117fcfcc6a0f&utm_source=newsletter&utm_medium=email&utm_campaign=media.
[14] Charles Gasparino, Sic the SEC? Not so Fast – Case Near Impossible to Prove, N.Y. Post (Jan. 28, 2021), https://nypost.com/2021/01/28/will-the-sec-probe-the-gamestop-stock-mania-not-so-fast/. In a “pump and dump” scheme an investor spreads false or misleading information about a company in an attempt to induce other market participants to buy stock in that company. Once the stock price has been “pumped” up by the increased, but unwarranted, market enthusiasm, the investor will then “dump” their shares at a profit before the market accounts for the false information and returns the stock to a more appropriate baseline price.
[15] The Texas Attorney General issued civil investigative demands. See Diane Bartz, Texas Attorney General Probes GameStop Trade Curbs from Robinhood, Others (Jan. 29, 2021), https://www.reuters.com/article/us-retail-trading-robinhood-texas/texas-attorney-general-probes-gamestop-trade-curbs-from-robinhood-others-idUSKBN29Y2US. The New York Attorney announced an inquiry. See Ben Feuerherd, NY AG Letitia James ‘Reviewing’ Robinhood Over GameStop Trade Restrictions (Jan. 28, 2021), https://nypost.com/2021/01/28/ny-ag-letitia-james-reviewing-robinhood-over-gamestop-trading/.
[16] See Kayali v. Robinhood Financial, LLC et al., No. 21 Civ. 510 (N.D. Ill.); Lavin v. Robinhood Financial, LLC et al., No. 21 Civ. 115 (E.D. Va.); Ross v. Robinhood Financial LLC et al., No. 21 Civ. 292 (S.D. Tex.).
[17] See Daniels v. Robinhood Financial, LLC et al., No. 21 Civ. 290 (D. Colo.); Gatz v. Robinhood Financial, LLC, No. 12 Civ. 490 (N.D. Ill.).
[18] 17 C.F.R. § 240.10b-5(a)-(c).
[20] See Fed. R. Civ. P. 23(a) (“One or more members of a class may sue or be sued as representative parties on behalf of all members . . . .”) (emphasis added).
[21] For an in-depth analysis of open market manipulation see Gina-Gail S. Fletcher, Legitimate Yet Manipulative: The Conundrum of Open-Market Manipulation, 68 DUKE L.J. 479 (2018).
[22] See e.g., SEC v. Masri, 523 F. Supp. 2d 361 (S.D.N.Y. Nov. 20, 2007); CFTC v. Amaranth Advisors , L.L.C., 554 F. Supp. 2d 523 (S.D.N.Y. May 21, 2008).
[23] Markowski v. SEC, 274 F.3d 525 (D.C. Cir. 2001).
[24] United States v. Mulheren, 938 F.2d 364 (2d Cir. 1991).
[25] What We Do, SEC, https://www.sec.gov/about/what-we-do.
[26] Investor Bulletin: Trading Suspensions, U.S. Securities and Exchange Commission (Dec. 3, 2018), https://www.investor.gov/introduction-investing/general-resources/news-alerts/alerts-bulletins/investor-bulletins/investor-5.
[27] SEC Halts Short Selling of Financial Stocks to Protect Investors and Markets, U.S. Securities and Exchange Commission (Sept. 19, 2008), https://www.sec.gov/news/press/2008/2008-211.htm.
[28] Trading Halts and Delays, U.S. Securities and Exchange Commission (July 3, 2010), https://www.sec.gov/fast-answers/answerstradinghalthtm.html.
[29] See, e.g., Kate Kelly, Matt Phillips, and Gillian Friedman, Trading Curbs Reverse GameStop Rally, Angering Upstart Traders, NYTimes (Jan. 28, 2021), here; Catherine Ross, Robinhood CEO on Trading Halts: ‘We Made the Correct Decision,’ Yahoo! Finance (Jan. 28, 2021), https://finance.yahoo.com/news/robinhood-ceo-trading-halts-made-001505664.html; Maggie Fitzgerald, Robinhood is Still Severely Limiting Trading, Customers Can Only Buy One Share of GameStop, CNBC (Jan. 29, 2021), https://www.cnbc.com/2021/01/29/robinhood-is-still-severely-limiting-trading-gamestop-holders-can-only-buy-one-additional-share.html; Nicholas Jasinski, Why Did Robinhood Stop GameStop Trading? Everything to Know., Barron’s (Jan. 29, 2021), https://www.barrons.com/articles/why-did-robinhood-stop-gamestop-trading-51611967696.
[30] See 47 U.S.C. § 230 (“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”).
[31] Connor Smith, Reddit’s WallStreetBets Briefly Goes Private After Discord Shuts Down Server, Barron’s (Jan. 27, 2021), https://www.barrons.com/articles/reddits-wallstbets-goes-private-shortly-after-discord-shuts-down-server-51611792059.
[32] r/wallstreetsbets/rules, Reddit (last accessed January 31, 2021), https://www.reddit.com/r/wallstreetbets/about/rules.
[33] See AMC Completes At the Market Equity Program, Yahoo! Finance (Jan. 27, 2021), https://finance.yahoo.com/news/amc-completes-market-equity-program-170800262.html.
[34] See Avi Weitzman, Barry Goldsmith & Jonathan Seibald, What to Know About Short-Seller Risks During Pandemic, Law360 (June 3, 2020), https://www.law360.com/articles/1278319.
The following Gibson Dunn attorneys assisted in preparing this client update: Alexander H. Southwell, Reed Brodsky, Jennifer L. Conn, Avi Weitzman, Michael Nadler, Liesel N. Schapira and Trevor Gopnik.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. For additional information, please feel free to contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Securities Enforcement Group, or the following authors in New York:
Alexander H. Southwell (+1 212-351-3981, [email protected])
Reed Brodsky (+1 212-351-5334, [email protected])
Jennifer L. Conn (+1 212-351-4086, [email protected])
Avi Weitzman (+1 212-351-2465, [email protected])
Securities Enforcement Group:
New York
Matthew L. Biben (+1 212-351-6300, [email protected])
Reed Brodsky (+1 212-351-5334, [email protected])
Joel M. Cohen (+1 212-351-2664, [email protected])
Jennifer L. Conn (+1 212-351-4086, [email protected])
Lee G. Dunst (+1 212-351-3824, [email protected])
Barry R. Goldsmith (+1 212-351-2440, [email protected])
Mary Beth Maloney (+1 212-351-2315, [email protected])
Mark K. Schonfeld (+1 212-351-2433, [email protected])
Alexander H. Southwell (+1 212-351-3981, [email protected])
Avi Weitzman (+1 212-351-2465, [email protected])
Lawrence J. Zweifach (+1 212-351-2625, [email protected])
Washington, D.C.
Stephanie L. Brooker (+1 202-887-3502, [email protected])
Daniel P. Chung (+1 202-887-3729, [email protected])
M. Kendall Day (+1 202-955-8220, [email protected])
Richard W. Grime (+1 202-955-8219, [email protected])
Patrick F. Stokes (+1 202-955-8504, [email protected])
F. Joseph Warin (+1 202-887-3609, [email protected])
San Francisco
Winston Y. Chan (+1 415-393-8362, [email protected])
Thad A. Davis (+1 415-393-8251, [email protected])
Joshua H. Lerner (+1 415-393-8254, [email protected])
Charles J. Stevens (+1 415-393-8391, [email protected])
Michael Li-Ming Wong (+1 415-393-8234, [email protected])
Palo Alto
Michael D. Celio (+1 650-849-5326, [email protected])
Paul J. Collins (+1 650-849-5309, [email protected])
Benjamin B. Wagner (+1 650-849-5395, [email protected])
Denver
Robert C. Blume (+1 303-298-5758, [email protected])
Monica K. Loseman (+1 303-298-5784, [email protected])
Los Angeles
Michael M. Farhang (+1 213-229-7005, [email protected])
Douglas M. Fuchs (+1 213-229-7605, [email protected])
Nicola T. Hanna (+1 213-229-7269, [email protected])
Debra Wong Yang (+1 213-229-7472, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
This edition of Gibson Dunn’s Federal Circuit Update summarizes the three pending Supreme Court cases originating in the Federal Circuit and key filings for certiorari review. We address the Federal Circuit’s updates to its Oral Argument Guide and its new procedures for handling highly sensitive information. And we discuss other recent Federal Circuit decisions concerning the validity of assignment agreements, motions to transfer from the Western District of Texas, waiver, forfeiture, and venue for ANDA cases.
In case you missed it, on January 11, 2021, Gibson Dunn published its eighth “Federal Circuit Year In Review,” providing a statistical overview and substantive summaries of the 130 precedential patent opinions issued by the Federal Circuit between August 1, 2019, and July 31, 2020.
Federal Circuit News
Supreme Court:
The Supreme Court has three pending cases originating in the Federal Circuit.
Minerva Surgical Inc. v. Hologic Inc. (U.S. No. 20-440): As we summarized in our May 2020 update, a Federal Circuit panel (Stoll, J., joined by Wallach and Clevenger, JJ.) held that, under Federal Circuit precedent, the doctrine of assignor estoppel barred Minerva, the original assignor of the asserted patents, from challenging invalidity of the asserted patents in the district court. The doctrine did not apply to IPRs, however, which allowed Minerva to challenge the validity of the asserted patents via an IPR. The Supreme Court granted certiorari on the following issue: “Whether a defendant in a patent infringement action who assigned the patent, or is in privity with an assignor of the patent, may have a defense of invalidity heard on the merits.” Briefing is complete, but oral argument has not yet been scheduled.
United States v. Arthrex, Inc. (U.S. Nos. 19-1434, 19-1452, 19-1458): As we summarized in our November 2019 update and in our November 5, 2019 alert, a panel of the Federal Circuit (Moore, J., joined by Reyna and Chen, JJ.) held that PTAB administrative patent judges (APJs) were improperly appointed principal Officers under the Appointments Clause. To cure this defect, the court ruled that the statutory provision of for-cause removal for PTO officials is unconstitutional as applied to APJs. In the Supreme Court, no party defends the Federal Circuit’s decision. The United States and Smith & Nephew argue that APJs are inferior Officers because, “from soup to nuts,” their work is supervised by principal Officers, such as the Director. By contrast, Arthrex maintains that APJs are principal Officers solely because the Director does not have the power to directly “review and modify” APJ decisions, which Arthrex claims is an “indispensable” component of supervision. Briefing is nearly complete (Arthrex will file its final brief in mid-February) and oral argument is calendared for March 1, 2021. Gibson Dunn partner Mark Perry is co-counsel for Smith & Nephew.
Google LLC v. Oracle America, Inc. (U.S. No. 18-956): As we summarized in our March 2018 update, our November 2019 update, and our May 2020 update, a Federal Circuit panel (O’Malley, J., joined by Plager and Taranto, JJ.) held in 2014 that a software interface comprising of declaring code for the Java programming language was copyrightable. The same panel of the Federal Circuit ruled in 2018 that Google’s use of the Java declaring code in its Android operating system was not fair use. The Supreme Court granted certiorari to consider two issues: “(1) Whether copyright protection extends to a software interface; and (2) whether, as the jury found, the petitioner’s use of a software interface in the context of creating a new computer program constitutes fair use.” On October 7, 2020, the Court heard oral argument in this case. On the first issue, the Court challenged both sides’ arguments concerning the applicability of the merger doctrine (under which there is no copyright protection if there is only one conceivable form of expression) in this case. The Court also questioned whether merger should be evaluated when the program was first written or when it was used, particularly if the use occurs well after the program becomes the accepted method in the industry. On the second issue, the Court was concerned that the Federal Circuit applied an incorrect standard of review and did not give the jury verdict of fair use sufficient deference. Gibson Dunn partners Mark Perry and Blaine Evanson serve as counsel for Amicus Curiae Rimini Street, Inc. supporting reversal.
Noteworthy Petitions for a Writ of Certiorari:
There are two potentially impactful petitions that are asking for clarification of Section 101 jurisprudence currently pending before the Supreme Court.
American Axle & Manufacturing, Inc. v. Neapco Holdings LLC (U.S. No. 20-891): “[1] What is the appropriate standard for determining whether a patent claim is ‘directed to’ a patent-ineligible concept under step 1 of the Court’s two-step framework for determining whether an invention is eligible for patenting under 35 U.S.C. § 101? [2] Is patent eligibility (at each step of the Court’s two-step framework) a question of law for the court based on the scope of the claims or a question of fact for the jury based on the state of art at the time of the patent?”
Ariosa Diagnostics, Inc. v. Illumina, Inc. (U.S. No. 20-892): “Whether a patent that claims nothing more than a method for separating smaller DNA fragments from larger ones, and analyzing the separated DNA for diagnostic purposes, using well-known laboratory techniques is unpatentable under Section 101 and Myriad.”
The Court will consider American Axle during its February 19 conference. Ariosa has not yet been scheduled for conference.
Noteworthy Federal Circuit En Banc Petitions:
This month we highlight the pending en banc petition in In re Apple Inc. (Fed. Cir. No. 20-135).
The panel majority, over Judge Moore’s dissent, granted Apple’s mandamus petition, finding that Judge Albright (Western District of Texas) clearly abused his discretion in denying Apple’s motion for transfer to the Northern District of California. The panel opinion is further summarized below. Uniloc 2017 (plaintiff in the district court) filed an en banc petition presenting the issues of the level of deference that should be afforded, on mandamus review, to discretionary transfer decisions, and the circumstances in which a clear abuse of discretion can occur. US Inventor, Inc., filed an amicus brief in support of rehearing. At the court’s invitation, Apple responded to Uniloc 2017’s petition on December 29, 2020.
Other Federal Circuit News:
Dan Bagatell published his fourth annual article, providing an empirical review of the Federal Circuit’s decisions in patent cases during calendar year 2020. Bagatell found that the Federal Circuit’s affirmance rate in PTAB appeals rose over 5% to nearly 86% in 2020. IPR appeals, specifically, were affirmed 83% of the time. Notably, appellants prevailed outright in only 6% of PTAB appeals and 7% of IPR appeals. Patent challenger appellants fared slightly better than patent owner appellants, prevailing outright 17% of the time as compared to only 10% for patent owner appellants.
Federal Circuit Practice Update
In response to recent disclosures of widespread breaches of both private sector and government computer systems, the Federal Circuit has adopted new procedures for the handling of highly sensitive documents outside of the court’s electronic case filing system (CM/ECF) as well as for documents already electronically filed in CM/ECF. The administrative order and new procedures go into effect immediately and are available on the court’s website here and here.
The Clerk’s Office has also updated the Federal Circuit’s Guide for Oral Argument, which includes minor procedural clarifications and designates new Access Coordinators responsible for coordinating auxiliary aids and services to participants in proceedings who have communication disabilities.
Our May 2020 update summarized the key rule changes the Federal Circuit first proposed last spring. The December 2020 updated rules have taken effect and are now available on the court’s website.
Upcoming Oral Argument Calendar
The list of upcoming arguments at the Federal Circuit are available on the court’s website.
The court is scheduled to hear argument in 52% of the cases on its February 2021 calendar. This is up from the early days of the pandemic when, for example, the court heard argument in only 29% of its April 2020 cases. The number of argued cases, however, is still dramatically lower than pre-pandemic numbers. For example, in February 2020, the court heard argument in 81% of its scheduled cases.
Case of Interest:
On Friday, February 12, the court will hear argument in Mylan Laboratories Ltd. v. Janssen Pharmaceutica, N.V. on Janssen’s motion to dismiss Mylan’s appeal. Janssen and the USPTO, as intervenor, argue that Mylan’s appeal should be dismissed for lack of jurisdiction because the Director’s institution decision is “final and nonappealable.” 35 U.S.C. § 314(d). Mylan maintains that judicial review remains available because the PTAB exceeded its congressional authority and violated Mylan’s due process rights by denying Mylan’s timely IPR petition based on the NHK/Fintiv rule.
Key Case Summaries (November 2020–January 2021)
Whitewater W. Indus., Ltd. v. Alleshouse, 981 F.3d 1045 (Fed. Cir. 2020): Alleshouse, while an employee of Whitewater, signed an agreement assigning to Whitewater, all of his rights or interests in any invention he “may make or conceive,” “whether solely or jointly with others,” if the invention is either “resulting from or suggested by” his “work for” Whitewater or “in any way connected to any subject matter within the existing or contemplated business of” Whitewater. Alleshouse left Whitewater to start his own venture, Pacific Surf. Alleshouse then began filing patent applications. Whitehouse sued, alleging breach of contract and that Alleshouse had to assign Pacific Surf’s patents to Whitehouse. The district court upheld the agreement as valid and determined that Alleshouse breached the contract by failing to assign the patents.
The Federal Circuit panel (Taranto, J., joined by Dyk and Moore, JJ.) reversed. The Federal Circuit held that the agreement’s assignment provision was invalid for violating California Business and Professions Code § 16600, which as applied by California courts, forbids employers from impairing post-employment liberties of former employees.
In re Google Tech. Holdings LLC, 980 F.3d 858 (Fed. Cir. 2020): Google appealed a PTAB decision that sustained the Examiner’s final rejection of certain claims for obviousness, arguing that the Board relied on incorrect claim constructions.
The Federal Circuit panel (Chen, J., joined by Taranto and Stoll, JJ.) affirmed, and found that Google had forfeited the claim construction arguments by not presenting them to the Board. The court also noted the distinction between forfeiture and waiver: “Whereas forfeiture is the failure to make the timely assertion of a right, waiver is the ‘intentional relinquishment or abandonment of a known right.’”
In re Apple Inc., 979 F.3d 1332 (Fed. Cir. 2020): Apple moved to transfer Uniloc 2017’s lawsuit from the Western District of Texas (“WDTX”) to the Northern District of California (“NDCA”). Judge Alan Albright held a hearing and stated that he would deny the motion to transfer, but did not enter an order. After holding a Markman hearing, issuing a claim construction order, holding a discovery hearing, and issuing a discovery order, Apple filed a writ of mandamus at the Federal Circuit. Judge Albright issued his order denying the transfer a week later.
The Federal Circuit (Prost, C.J., joined by Hughes, J.) granted Apple’s mandamus petition. The majority held that the district court made several errors in assessing whether the Fifth Circuit’s public and private factors favor transfer. First, the majority held that the factor dealing with the relative ease of access to sources of proof analyzes only non-witness evidence, such as documents and physical evidence. Second, the majority held that the district court erred by too rigidly applying the Fifth Circuit’s 100-mile rule regarding witness inconvenience. The majority found that New York–based witnesses will only be slightly more inconvenienced by having to travel to California than to Texas. Third, the district court erred by faulting Apple for the fact that significant steps, such as the Markman hearing, had occurred in the case because those steps occurred after Apple moved for a transfer. Fourth, the panel found that the district court erred in its analysis of court congestion and time to trial. The panel found that WDTX and NDCA have had comparable times to trial and that the district court cannot set an aggressive trial date and then conclude other forums are more congested. Fifth and finally, the panel held that the consideration of local interests analyzes whether there are significant connections between a particular venue and the events that gave rise to the suit and not the parties’ connections to each forum writ large.
Judge Moore dissented, emphasizing the deferential clear abuse of discretion standard of review.
Valeant Pharm. N. Am. LLC v. Mylan Pharm. Inc., 978 F.3d 1374 (Fed. Cir. 2020): Valeant filed a Hatch-Waxman action against Mylan Pharmaceuticals Inc. (“MPI”), a West Virginia corporation; Mylan Inc., a Pennsylvania Corporation; and Mylan Laboratories Ltd. (“MLL”), a foreign corporation based in India. The defendants moved to dismiss for improper venue under § 1400(b) because the only alleged act of infringement—submission of the ANDA—did not occur in New Jersey, and the defendants do not reside or have regular and established places of business in New Jersey. The district court granted the motion to dismiss.
The Federal Circuit (O’Malley, J., joined by Newman and Taranto, JJ.) affirmed-in-part, reversed-in-part, and remanded. The panel held that, in cases brought under 35 U.S.C. § 271(e)(2)(A), infringement occurs for venue purposes only in districts where actions related to the submission of the ANDA occur, and not in all locations where future distribution of the generic products specified in the ANDA is contemplated. The Federal Circuit therefore affirmed the district court’s dismissal of MPI and Mylan Inc. for improper venue. The Federal Circuit, however, reversed the venue-based dismissal against the foreign-based entity MLL, which is subject to venue in any district, and remanded for consideration of the failure to state a claim defense, based on whether MLL’s involvement in submission of the ANDA is sufficient for it to be considered a “submitter,” and thus amenable to suit.
The court denied Valeant’s petition for en banc rehearing on January 26, 2021.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work or the authors of this alert:
Blaine H. Evanson – Orange County (+1 949-451-3805, [email protected])
Jessica A. Hudak – Orange County (+1 949-451-3837, [email protected])
Please also feel free to contact any of the following practice group co-chairs or any member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups:
Appellate and Constitutional Law Group:
Allyson N. Ho – Dallas (+1 214-698-3233, [email protected])
Mark A. Perry – Washington, D.C. (+1 202-887-3667, [email protected])
Intellectual Property Group:
Wayne Barsky – Los Angeles (+1 310-552-8500, [email protected])
Josh Krevitt – New York (+1 212-351-4000, [email protected])
Mark Reiter – Dallas (+1 214-698-3100, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
For the third consecutive year, following the publication of Gibson Dunn’s ninth annual U.S. Cybersecurity and Data Privacy Outlook and Review on Data Privacy Day, we offer this separate International Outlook and Review.
Like many recent years, 2020 saw significant developments in the evolution of the data protection and cybersecurity landscape in the European Union (“EU”):
- On 16 July 2020, the Court of Justice of the EU (“CJEU” or “Court”) struck down as legally invalid the EU-U.S. Privacy Shield, on which some companies relied to transfer personal data from the EU to the U.S. While companies are turning to other frameworks to transfer personal data, such as Standard Contract Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”), EU law also compels these companies to ensure that personal data will be safeguarded.
- As a consequence of the COVID-19 pandemic, a number of public, corporate and workplace practices have emerged to limit the spread of the virus, all which have privacy implications. To respond to this, many EU Member States have issued rules and guidelines with respect to the processing of personal data in the context of the pandemic.
- Negotiations among EU Member States have been ongoing regarding the adoption of a new e-Privacy Regulation, due to replace the soon 20-year-old e-Privacy Directive. Meanwhile, EU supervisory authorities have continued to publish guidance on cookie practices and other e-privacy matters, as well as to impose heavy fines on companies in breach of cookies-related requirements.
- Before Brexit was completed on 31 December 2020, the EU and the UK adopted the Trade and Cooperation Agreement, which includes an overall six-month “bridging mechanism” to cover transfers of personal data into the UK. The European Commission and the UK are in negotiations to adopt an adequacy decision that can enable the free flow of personal data beyond this six-month period, as in the pre-Brexit scenario.
In addition to the EU, different legal developments occurred in other jurisdictions around the globe, including in other European jurisdictions, the Asia-Pacific region, the Middle East, Africa and Latin America.
We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.
__________________________________________
Table of Contents
A. International Data Transfers
1. The Schrems II Ruling
2. Guidance Adopted by the EDPB and Member State Authorities
3. Conclusions on Data Transfers
1. Guidance Adopted by Supervisory Authorities
2. Guidance at EU Member State Level
3. Next Challenges for the Fight against the COVID-19 Pandemic
1. Guidance Adopted by the EDPB and Member State Authorities
2. Reform of the e-Privacy Directive
3. Enforcement in Relation to Cookies
D. Cybersecurity and Data Breaches
1. Guidance and Initiatives Adopted by ENISA
2. Enforcement in Relation to Cybersecurity
1. Transfers from and into the EU/EEA and the UK
2. Transfers from and into the UK and other Jurisdictions
F. Other Significant Developments in the EU
II. Developments in Other European Jurisdictions: Switzerland, Turkey and Russia
1. Access Restriction Trend in Privacy Laws Enforcement
2. The Russian Data Protection Authority Has Continued to Target Large, Multinational Digital Companies
3. Legislative Updates
1. The Revised FADP
2. The Swiss-U.S. Privacy Shield
1. Turkish Data Protection Authority and Board Issues a Number of Regulations, Decisions and Guidance Documents
2. Turkish Data Protection Act Continues to be Enforced
III. Developments in Asia-Pacific, Middle East and Africa
1. New Developments in Chinese Legislation
2. Enforcement of Chinese Data Protection and Cybersecurity Legislation
1. Legislative initiatives
2. Regulatory opinions and guidance
3. Enforcement of data protection laws
M. Other Developments in Africa
N. Other Developments in the Middle East
O. Other Developments in Southeast Asia
IV. Developments in Latin America and in the Caribbean Area
B. Other Developments in South America
1. Argentina
2. Chile
3. Colombia
4. Mexico
5. Uruguay
__________________________________________
I. European Union
A. International Data Transfers
1. The Schrems II Ruling
On 16 July 2020, the CJEU struck down as legally invalid the EU-U.S. Privacy Shield, which some companies had relied upon to transfer personal data from the EU to the U.S. The Court also ruled that the Standard Contractual Clauses (“SCCs”) approved by the European Commission, another mechanism used by many companies to transfer personal data outside of the EU, remained valid with some caveats. The Court’s landmark decision has forced companies on both sides of the Atlantic to reassess their data transfer mechanisms, as well as the locations where they store and process personal data.[1]
2. Guidance Adopted by the EDPB and Member State Authorities
Following the Schrems II ruling, several supervisory authorities shared their views and opinions on its interpretation.[2] On its side, the UK Information Commissioner’s Office (“ICO”) invited companies to continue transferring data on the basis of the invalidated Privacy Shield and, on the contrary, several German Authorities have advised against it.
These initial reactions were overcome by the Frequently Asked Questions (“FAQ”) report issued by the European Data Protection Board (“EDPB”) on 23 July 2020. In its FAQs on Schrems II, the EDPB stated, in particular, the following:
|
i. |
No “grace” period is granted for entities that relied on the EU-U.S. Privacy Shield. Entities relying on the now invalidated Privacy Shield should immediately put in place other data transfer mechanisms or frameworks. | ||
|
ii. |
Data controllers relying on SCCs and BCRs to transfer data should contact their processors to ensure that the level of protection required by EU law is respected in the third country concerned. If personal data is not adequately protected in the importing Member State, the controller or the processor responsible should determine what supplementary measures would ensure an equivalent level of protection. | ||
|
iii. |
If data transferred cannot be afforded a level of protection essentially equivalent to that guaranteed by EU law, data transfers should be immediately suspended. Companies willing to continue transferring data under these circumstances should notify the competent supervisory authority(ies).[3] |
In October 2020, the U.S. Department of Commerce and the European Commission announced that they had initiated discussions to evaluate the potential for a new version of the Privacy Shield that would be compliant with the requirements of the Schrems II ruling.[4]
Pending the discussions between the EU and the U.S. on a new data transfer framework, on 10 November 2020, the EDPB issued important new guidance on transferring personal data out of the EEA, namely:
|
i. |
Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data,[5] which aim to provide a methodology for data exporters to determine whether and which additional measures would need to be put in place for their transfers; and | ||
|
ii. |
Recommendations 02/2020 on the European Essential Guarantees (“EEG”) for surveillance measures,[6] which aim to update the EEG, in order to provide elements to examine whether surveillance measures allowing access to personal data by public authorities in a receiving country, whether national security agencies or law enforcement authorities, can be regarded as a justifiable interference. |
The EDPB’s guidance lessened some of the uncertainty caused by the Schrems II ruling. However, since this guidance was issued in the form of a public consultation closing on 21 December 2020, it may be subject to further changes or amendments.
In the Recommendations on supplementary transfer tools, the EDPB recommends that data exporters: (i) map all transfers of personal data to third countries and verify that the data transferred is adequate, relevant and limited to what is necessary; (ii) verify the transfer tool on which the transfers are based; (iii) assess whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards, and document this assessment; (iv) identify and adopt additional measures (examples are provided in Annex 2 of the Recommendations); (v) take any formal procedural steps that the adoption of the supplementary measure may require; and (vi) re-evaluate at appropriate intervals the level of protection afforded to the data transferred. Although the guidance takes the form of non-binding recommendations, companies that transfer personal data outside of the EEA would be well served to review their approach to such transfers in light of the EDPB guidance.
On 12 November 2020, the European Commission published a draft implementing decision on SCCs for the transfer of personal data to third countries along with a draft set of new SCCs. The new SCCs include several modules to be used by companies, depending on the transfer scenario and designation of the parties under the GDPR, namely: (i) controller-to-controller transfers; (ii) controller-to-processor transfers; (iii) processor-to-processor transfers; and (iv) processor-to-controller transfers.
These new SCCs also incorporate some of the contractual supplementary measures recommended by the EDPB, as described above. They have been opened for public consultation that closed on 10 December 2020 and the final new set of SCCs is expected to be adopted in early 2021. At this stage, the draft provides for a grace period of one year during which it will be possible to continue to use the old SCCs for the execution of contracts concluded before the entry into force of the new SCCs.[7]
Besides, the European Commission also published on 12 November 2020 draft of SCCs for contracts between controllers and processors. These SCCs are intended to be optional (the parties may choose to continue using their own data processing agreements) and have also been opened for public consultation that closed on 10 December 2020. The final draft of SCCs are also expected to be adopted in early 2021.[8]
On 15 January 2021, the EDPB and European Data Protection Supervisor adopted joint opinions on both sets of SCCs (one opinion on the SCCs for contracts between controllers and processors, and another one on SCCs for the transfer of personal data to third countries).[9]
3. Conclusions on Data Transfers
As explained above, 2020 was a year of changes when it comes to data transfer mechanisms.
The EU-U.S. Privacy Shield, once believed to have put an end to the issues raised by the EU-U.S. Safe Harbour, has again been deemed to be insufficient to safeguard the data protection rights of individuals in the EU. It is expected that, with a change in the U.S. federal administration, and the need for authorities to give legal certainty and facilitate cross-border commercial activity in the current economic context, the EU and the U.S. will work swiftly towards a mechanism that can resolve transatlantic transfers once and for all.
The adoption of new SCCs, expected to occur in 2021, will also bring more certainty to companies that relied on this framework to transfer personal data. The new sets of SCCs will cover wider scenarios than those under the current framework, reducing implementation costs and limiting uncertainty. However, given the limited grace period expected to apply to pre-GDPR SCCs, and the introduction of changes to the new SCCs, companies should take the opportunity to review the new contractual framework and adapt it to their data transfer needs.
B. COVID-19 Pandemic
The COVID-19 pandemic and the ensuing health crisis has led to the emergence of new practices to limit the spread of the virus, such as the issuance of tracing apps and the implementation of temperature checks at public administration buildings or at the workplace. These practices involve the processing of various health data, and may therefore have privacy implications. On the other hand, remote working has increased the exposure of companies and their employees to cybersecurity risks, such as the use of private (unprotected and non-certified) assets to review, print or process company information.[10]
1. Guidance Adopted by Supervisory Authorities
On 19 March 2020, the EDPB adopted a statement on the processing of personal data in the context of COVID-19. In the statement, the EDPB emphasised that while data protection rules should not hinder the fight against the virus, data controllers and processors must ensure the protection of personal data even in these exceptional times.[11]
Further, on 17 April 2020, the European Commission set out the criteria and requirements that applications supporting the fight against COVID-19 must meet in order to ensure compliance with data protection regulations.[12] Building on this guidance, the EDPB adopted Guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak as well as Guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak.[13]
Since the beginning of the pandemic, European authorities have also focused on pooling resources at the EU level. The European Commission and the EDPB published materials relating to the interoperability between the Members States’ contact tracing applications, in order for users to be able to rely on a single app wherever they are located in the EU.[14]
The EDPS also issued a Preliminary Opinion on the European Health Data Space, which aims to promote better exchange and access to different types of health data within the EU.[15]
2. Guidance at EU Member State Level
Member State supervisory authorities have also issued their own guidance with respect to the processing of personal data in the context of the COVID-19 pandemic. Although authorities have emphasised the general principles set forth under the GDPR, they have failed to adopt a unified approach.
As regards national tracing applications, the UK ICO issued a notice on the joint initiative by two tech companies to enable the use of Bluetooth technology in contact research applications,[16] as well as on the development of contact tracing applications in accordance with the principles of privacy by design and privacy by default.[17] In France, the French supervisory authority (the “CNIL”) opened and closed a formal enquiry into the national tracing app sponsored and developed by the French government,[18] after requesting the Ministry of Solidarity and Health to remedy certain breaches identified in the app.[19] In Germany, as in France, the authority emphasised that the use of the national COVID-19 app should be voluntary.[20]
On a different note, supervisory authorities have also intervened in different degrees in the testing and tracing efforts of public authorities. In the UK, for example, the ICO issued a notice on the recording and retention of personal data in support of the test and trace scheme, where it advised in particular to only collect data requested by the government, not to reuse the data for other purposes, and to delete the data as soon as it is no longer necessary.[21] In Germany, a regional supervisory authority even issued warnings for excessive health requests.[22]
Supervisory authorities have also issued substantial guidance in respect of measures to fight the COVID-19 pandemic in an employment context, for example, in the UK,[23] France,[24] Italy,[25] Belgium[26] and the Netherlands.[27] The topics covered by supervisory authorities include the implementation of tests and the monitoring of employees, the reporting of sensitive information to the employer, and in turn the communication of such information to the health authorities, as well as remote work.
The use of smart and thermal cameras has also been strictly regulated both in France and in Germany.[28]
3. Next Challenges for the Fight against the COVID-19 Pandemic
While data protection laws were not meant to hinder the deployment of necessary measures to trace and contain the evolution of the virus, EU supervisory authorities have been adamant that this should not come at a cost in terms of privacy.
Privacy standards are likely to remain high as Member States commence their vaccination plans and prepare for the post-COVID-19 economic recovery. For example, in the Member States the monitoring of doses and medical supervision of patients are generally conducted by qualified medical staff, and health and pharmaceutical institutions. However, there is still some debate whether private and public institutions can issue or request vaccination “passports” or certificates to facilitate the safe movement of people.[29] With regard to tracing and detection data, public administrations and companies have to assess the proper retention periods that apply to the storage and archive of such information.
C. E-Privacy and Cookies
Against the backdrop of the ongoing EU discussions on the future e-Privacy Regulation, guidance has been released by Member State supervisory authorities. Meanwhile, significant fines continue to be imposed on companies that do not comply with applicable e-privacy rules.
1. Guidance Adopted by the EDPB and Member State Authorities
On 5 April 2020, the EDPB updated its Guidelines (05/2020) on consent, which now specifically address the practice of so-called “cookie walls” (a practice which consists in making access to online services and functionalities conditional on the consent of a user to cookies). Among others, in these Guidelines the EDPB explicitly states that continuing browsing on a website does not meet the requirements of valid consent.[30]
As a result of the additional clarifications provided by the EDPB, the Spanish supervisory authority (“AEPD”) updated its guidance on the use of cookies, denying the validity of consent obtained through cookie walls or continued browsing.[31]
In France, the CNIL adopted a different approach set by the French Administrative Court, which in a 2020 ruling invalidated the general and absolute ban on cookie walls. Consequently, the CNIL adopted amending guidelines and a recommendation on the use of cookies and other tracing devices, offering practical examples of the collection of user’s consent.[32]
2. Reform of the e-Privacy Directive
The e-Privacy Regulation was proposed by the European Commission in 2017 in order to update the legislative rules applicable to digital and online data processing and to align e-privacy laws to the GDPR. Ambitious and promising at first, eight presidencies of the Council of the EU have been unable to push the project over the finish line.
In January 2021, the Portuguese Presidency of the Council of the EU (January to June 2021) proposed a new version (the 14th) of the e-Privacy Regulation, with the aim to simplify the text and further align it with the GDPR.[33]
While the new Regulation is not expected to be applicable before 2022, its adoption process should be closely monitored in order to anticipate compliance efforts that will be required, in particular in view of the shorter transition period (from 24 to 12 months) set out in the proposal of the Portuguese Presidency.
3. Enforcement in Relation to Cookies
In parallel, Member State supervisory authorities continued to enforce their national e-privacy legislation transposing the e-Privacy Directive.
In Spain, a social network service was fined €30,000 for breaching the rules relating to cookies, specifically because its cookie banner did not enable users to reject the use of trackers or to issue consent per type of cookie.[34] Similarly, the AEPD imposed a fine of the same amount to an airline for implementing a “cookie wall” on its website.[35]
In France, hefty fines have been imposed for violations of the legal provisions on cookies. First, two companies of a food and goods retail distribution group were fined €2,250,000 and €800,000 euros for various violations, including the automatic setting of cookies on users’ terminals.[36] More recently, two U.S. tech companies have been imposed fines of €100 million and €35 million, respectively, due to violation of the legal framework applicable to cookies. In particular, the CNIL observed that these companies placed advertising cookies on user’s computers without obtaining prior consent and without providing adequate information.[37]
D. Cybersecurity and Data Breaches
As in previous years, EU and Member State supervisory authorities and cybersecurity agencies have continued to be active in the adoption of measures and decisions that enhance and enforce cybersecurity standards.
1. Guidance and Initiatives Adopted by ENISA
The EU Agency for Cybersecurity (“ENISA”) has the mandate of increasing the protection of public and private networks and information systems, to develop and improve cyber resilience and response capacities, and to develop skills and competencies in the field of cybersecurity, including management of personal data.
In 2020, ENISA continued to issue guidelines and to spearhead initiatives to achieve these objectives:
- On 27 January 2020, ENISA released an online platform to assist companies in the security of personal data processing. Among others, the platform focuses on the analysis of technical solutions for the implementation of the GDPR, including the principle of privacy by design. The platform may assist data controllers and processors in the determination of their approach when developing personal data protection policies.[38]
- On 4 February 2020, ENISA published a report outlining frameworks, schemes and standards of possible future EU cybersecurity certification schemes. The report focuses in particular on the current standards applied to fields such as the Internet of Things, cloud infrastructure and services, the financial sector and electronic health records. The Report also addresses gaps in the current cybersecurity certification schemes, paving the way for the adoption of future EU cybersecurity certification schemes.[39]
- On 19 March 2020, ENISA issued a report on security requirements for digital service providers and operators of essential services, based on Directive (EU) 2016/1148 of 6 July 2016 Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union (“NISD”) and the GDPR. Among other things, the report proposes and sets the outline for a risk-based approach to security. It identifies the guidelines relevant to NISD and GDPR security measures, recommends the establishment of certification mechanisms, and sets the need for competent EU bodies and research bodies to continue providing specialised guidance on state-of-the-art data protection and security techniques.[40]
- On 9 June 2020, ENISA made available a visual tool to ensure transparency with regard to cybersecurity incidents. The tool provides information on eight years of telecommunications security incidents, as well as four years of trust services incident reports. In total, the tool provides information on a total of 1,100 cybersecurity incidents notified as mandated by EU legislation for over nine years. In its release, ENISA noted that, over the last four years, system failure was the most common cause behind both telecom security incidents and trust services incidents.[41]
Finally, it is worth noting the Strategy for a Trusted and Cyber Secure Europe released by ENISA on 17 July 2020. The Strategy aims to achieve a high common level of cybersecurity across the EU, containing ENISA’s strategic objectives to boost cybersecurity, preparedness, and trust across the EU. The Strategy sets out a list of seven objectives that it aims to reach, including the effective cooperation amongst operational actors within the EU in case of massive cyber incidents, the creation of a high level of trust in secure digital solutions, and efficient and effective cybersecurity information and knowledge management for Europe.[42]
2. Enforcement in Relation to Cybersecurity
Member State supervisory authorities have been particularly active in sanctioning data breaches and the lack of appropriate security measures, with significant monetary penalties.
For example, in the UK, three sanctions have been especially significant. First,an airline company was fined £20 million following a cyberattack in 2018, compromising the personal and financial data of more than 400,000 of its customers for over two months.[43] ICO investigators found that the airline company should have identified weaknesses in its security and resolved them with security measures that were available at the time, which would have prevented the cyber-attack.
Second, a hotel chain was fined £18.4 million after an estimated 339 million guest records worldwide were affected following a cyberattack that occurred in 2014, but remained undetected until September 2018.[44] According to the ICO, the investigation revealed failures on the side of the hotel chain to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR. In those two cases, the ICO significantly reduced the amount of the fine originally considered in its notice of intention to fine the companies, taking into account the company’s representations and the economic impact of the COVID-19 pandemic in setting the final amount of the fine.
Third, a ticket sales and distribution company was imposed a £1.25 million fine for failing to comply with its security obligations, in the context of a cyberattack on a chatbot installed on its online payment page, potentially affecting the data of 9.4 million people.[45] The ICO concluded that the company failed to assess the risks of using a chat-bot on its payment page, identify and implement appropriate security measures to negate the risks, and identify the source of suggested fraudulent activity in a timely manner.
In Germany, a German telecommunications service provider was fined by the German Federal Data Protection Authority for insufficient data security procedures established in a call centre that lead to an inappropriate disclosure of a cell phone number of an individual who then complained to a data protection authority. While the fine initially amounted to €9.5 million, it was challenged by the telecommunications service provider and later reduced by the competent district court in Bonn to €900,000.
More recently, in Ireland, a social network service was fined €450,000 concerning its 2019 data breach. This decision bears great importance, as it represented the outcome of the first application of the GDPR dispute resolution mechanism, where the Irish Data Protection Commission adopted a decision further to the adoption of a prior decision by the EDPB.[46]
On 30 July 2020, the Council of the EU imposed its first ever sanctions on cyberattacks. In particular, the Council adopted restrictive measures against six individuals and three entities responsible for or involved in various cyberattacks, including a travel ban and an asset freeze. In addition, EU individuals and entities are forbidden from making funds available to these individuals and entities.[47]
E. The UK and Brexit
The UK regained full autonomy over its data protection rules at the end of the Brexit transition period, on 31 December 2020. However, before Brexit was concluded, the EU and the UK entered into the EU-UK Trade and Cooperation Agreement on 30 December 2020.[48] This Agreement regulates data flows from the EU/EEA to the UK under a so-called “bridging mechanism”, and sets a timeline for the adoption of an EU-UK adequacy decision thereafter.
The Trade and Cooperation Agreement includes mechanisms to enable the UK to make changes to its data protection regime or exercise international transfer powers, subject to mutual agreement, without affecting the bridging mechanism. The EU does not have the power to block changes to the UK’s framework or use of its powers. However, if the EU objects to changes considered by the UK, and the UK implements them despite these objections, the EU/EEA-UK bridge will be terminated.
1. Transfers from and into the EU/EEA and the UK
As indicated above, the bridging mechanism contained in the EU-UK Trade and Cooperation Agreement covers personal data transfers from the EU/EEA to the UK. According to the provisions in the Agreement, it will apply for up to a maximum period of six months, unless an adequacy decision comes into effect earlier. The adoption of an EU adequacy decision for the UK, which is expected to be adopted in 2021, would enable the ongoing free flow of personal data from the EEA to the UK thereafter, without needing to implement additional safeguards.
Notwithstanding the stability offered by the Trade and Cooperation Agreement, the UK Government has advised companies to put in place alternative transfer mechanisms that may safeguard personal data received from the EEA against any interruption to the free flow of personal data.[49] SCCs have been identified as the most relevant mechanism that organisations may resort to in order to safeguard such transfers.
On the other side, regarding personal data transfers from the UK to the EU/EEA and Gibraltar, the conditions under which such transfers may be made will remain unchanged and unrestricted, according to the UK Government.[50]
2. Transfers from and into the UK and other Jurisdictions
The transfer of personal data from third countries and territories to the UK generally raises questions of legal compliance in the exporting jurisdiction. The impact of Brexit has been particularly significant regarding the regulation of data transfers into the UK from jurisdictions that were already covered by an adequacy decision of the European Commission.
Pre-Brexit, the European Commission had made findings of adequacy of personal data transfers to a number of jurisdictions.[51] These adequacy decisions generally address the inbound transfer of personal data from these jurisdictions into the EU/EEA. However, in order to obtain and maintain these adequacy decisions, these jurisdictions put in place legal restrictions on (onward) transfers of personal data to countries outside the EEA, which now include the UK.
To resolve potential issues on transfers of personal data from these jurisdictions to the UK, the governments of most of these jurisdictions have issued statements, resolutions and even modified their legal regimes in order to permit the continued transfer of personal data into the UK. The UK ICO has indicated that it is continuing to work with these jurisdictions in order to make specific arrangements for transfers of personal data to the UK.[52]
On the UK side, the 2019 Brexit regulations applicable to data protection matters recognised the European Commission’s adequacy decisions, and rendered permissible cross-border transfers of personal data to these jurisdictions.[53] The Government and the ICO are working on the adoption of new UK adequacy regulations, to confirm that particular countries, territories or international organisations ensure an adequate level of protection, so as to allow transfers of personal data from the UK to these jurisdictions, without the need for adoption of additional safeguards. SCCs and other mechanisms for lawful international data transfers may be put in place to cover transfers of personal data from the UK to jurisdictions not covered by adequacy decisions.
F. Other Significant Developments in the EU
More generally, this year has been marked by the adoption of important EDPB Guidelines. In addition to those mentioned above, the EDPB released new Guidelines on the concepts of controller and processor, on the targeting of social media users, and on data protection by design and by default.[54]
Furthermore, hefty fines were imposed as mentioned in Sections I.A to D above, in particular in France with the €100 million fine imposed on a tech company which is the highest penalty ever imposed by a supervisory authority as of end of December 2020.
Fines were also imposed on topics other than those addressed above. In particular, in Germany, the Hamburg supervisory authority fined a retail company €35.3 million for illegally collecting and storing sensitive personal data from employees, such as information about health condition, religious beliefs and family matters. According to the authority’s investigation, data about the personal life of the company’s employees had been collected comprehensively and extensively by supervisors since at least 2014, and stored on the company’s network drive. This information was accessible to up to 50 managers of the company and was used, among other things, to create profiles of individual employees in order to evaluate their work performance and to adopt employment decisions. In sum, the practice of the company amounted to a number of data protection violations, including a lack of legal basis for the data processing, illegal processing of the data, and the absence of controls to limit storage and access to the data.[55]
Significant monetary penalties have also been imposed due to the lack of valid consent under the GDPR:
- In Italy, two telecommunications operators were fined approximately €17 and €12 million for processing hundreds of unsolicited marketing communications without having obtained users’ prior consent, without having offered to users their right to object to the processing, and for aggressive telemarketing practices, respectively.[56]
- In Spain, the AEPD fined a bank €5 million for violations of the right to information and for lack of valid consent. In particular, the bank used imprecise terminology to define the privacy policy, and provided insufficient information about the category of personal data processed, especially in relation to customer data obtained through financial products, services, and channels. Moreover, the bank failed to obtain consent before issuing promotional SMS messages, and did not have in place a specific mechanism for consent to be obtained by customers and account managers.[57]
As regards the requirements for valid consent under the GDPR, the CJEU, in its ruling on Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal, decided that valid consent cannot be inferred from a preselected box in a contract for the provision of telecommunications services, whereby the customer allegedly consents to the collection and storage of his/her identity document. The Court specified that this is also the case where the customer is misled as to the possibility of concluding the contract if he/she refuses to consent to the processing of his/her data, or where the freedom to choose to object to that collection and storage is affected by the requirement to complete an additional form setting out that refusal.[58]
In addition to increased scrutiny by data protection authorities, there is also a slightly increasing trend in private enforcements actions from consumers and (former) employees. These actions primarily relate to both the enforcement of transparency and access rights to personal data as well as claims for compensation for alleged GDPR violations.
II. Developments in Other European Jurisdictions: Switzerland, Turkey and Russia
As explained in the 2020 International Outlook and Review, the increasing impact of digital services in Europe and the overhaul brought about by the GDPR in the EU have continued to influence the regulatory and enforcement actions of jurisdictions in the vicinity of the EU.
A. Russia
1. Access Restriction Trend in Privacy Laws Enforcement
Russian local data privacy laws have continued to be heavily enforced by the Russian Federal Service for the Supervision of Communications, Information Technology and Mass Communications (“Roskomnadzor”). This activity reflects the growing priority and concern that personal data protection represents for the Russian population. According to Roskomnadzor’s statistics, in the previous year the number of complaints concerning personal data protection had increased to 50,300. The largest number of complaints related to the actions of the owners of internet sites, including social networks, credit institutions, housing and communal services organisations, and collection agencies.[59]
The most notable activity of Roskomnadzor in 2020 was its use of its regulatory powers to manage activities of numerous Internet-based services. Below we describe three noteworthy cases where the access to Internet resource was restricted by Roskomnadzor until the respective company satisfied certain expectations and /or requests of the regulator.
On 29 January 2020, Roskomnadzor announced that it would restrict access to the mail service of a tech company. In deciding so, Roskomnadzor noted that the company was used by cybercriminals to send false messages under the guise of reliable information, and that it had categorically refused Roskomnadzor’s repeated requests for information to be included in the register of information dissemination organisers on the Internet.[60] However, the company has taken actions to address the situation, and currently it is accessible for the Russian users.
On 20 February 2020, Roskomnadzor took a similar measure and temporarily restricted access to another email service provider.[61] The authority stated that, in 2019 and in February 2020, the email service had been used by cyber-attackers to send false messages under the guise of reliable information about the massive mining of social transport infrastructure and ships in the Russian Federation.
On 18 June 2020, Roskomnadzor also announced that it had removed the requirements to restrict access to the messaging application of a tech company.[62] This decision was paired with Roskomnadzor’s declaration of its readiness to cooperate with internet companies operating in Russia to quickly suppress the spread of terrorist and extremist information, child pornography, and the promotion of suicide and drugs. In addition, Roskomnadzor noted that, through joint efforts with leading Russian and foreign companies, it had removed, on average and weekly, 2,500 materials relating to suicidal behaviours, 1,300 materials of an extremist and terrorist nature, 800 materials propagandising drug use, and 300 materials containing pornographic images of minors.
2. The Russian Data Protection Authority Has Continued to Target Large, Multinational Digital Companies
In 2020, Roskomnadzor followed its set trend in targeting large, multinational digital companies. On 31 January 2020 the authority announced that it had initiated administrative proceedings against two social network services.[63] In particular, Roskomnadzor stated that these companies did not meet the requirements for data localisation of Russian users on servers located in the Russian Federation.
Following the authority’s proceedings, on 13 February 2020, the Tagansky District Court of Moscow fined both social network services RUB 4 million (approx. €45,000) for these violations.[64] The Court affirmed the authority’s finding that one of the companies had violated Russia’s legal requirement to record, organise and store the personal data of Russian citizens in databases located in the Russian Federation.[65]
3. Legislative Updates
Several notable laws have been adopted at the end of 2020.
New amendments to the Code of Administrative Offenses of the Russian Federation entail considerable fines for failure to delete prohibited information upon the request of Roskomnadzor.[66] The fines can be imposed on hosting providers or any person enabling other persons to publish information on the Internet for failure to restrict access to prohibited information and owners of the websites or Internet resources for non-deletion of prohibited information may be up to RUB 4,000,000 (approx. €45,000) for the first offence and up to 10% of the company’s annual turnover from the preceding calendar year (but not less than RUB 4,000,000) for the subsequent offence. If prohibited information contains propaganda of extremism, child pornography, or drugs, liability is increased for up to RUB 8,000,000 (approx. €90,000) for the first offence or up to 20% of the company’s annual revenue from the preceding calendar year (but not less than RUB 8,000,000) for the subsequent offence. This law is aimed at establishing liability for hosting providers, owners of websites and information resources who fail to restrict access to or delete the information, dissemination of which is prohibited in Russia, and has come into force on 10 January 2021.
Another amendment to Russian law[67] increases significantly the risks of blocking of internet resources in Russia. The law introduces the status of the owner of an Internet resource involved in violations of the fundamental human rights of Russian citizens. The Prosecutor General, in consultation with the Russian Foreign Ministry, may assign this status to the owner of an Internet resource that discriminates against materials from the Russian media. Such a decision can be made if the internet resource limits access to socially important information based on the nationality, language, or in connection with the imposition of sanctions against Russia or its citizens. If the owner of the internet resource censors or anyhow restricts the access to accounts of Russian media, Roskomnadzor is entitled to restrict access to such internet resource, fully or partially. This law has come into force on 10 January 2021.
The law amending the Personal Data Law significantly changes the legal landscape with regard to the processing of publicly available personal data.[68] As per the new law, data controllers making personal data publicly available for further processing by third parties must obtain individuals’ explicit consents, which shall not be bundled to any other consents and data subjects have a wide range of rights in this regard.
Third parties who intend processing publicly available personal data have three options: (i) to rely on the consent obtained by the controller when making the data publicly available, subject to compliance with the rules of data processing; (ii) to rely on the consent provided by an individual to Roskomnadzor via a dedicated web-based platform to be set up under the law, but also subject to compliance with the rules of data processing; or (iii) to ensure on their own that they have appropriate legal grounds as per the general requirements of Russian Personal Data Law. The above rules will enter into force as of 1 March 2021.
In addition, the new law introduces the data controller’s obligation to publish information on the processing terms and existing prohibitions and conditions for processing of personal data, permitted by a data subject for dissemination, by an unlimited number of persons. These new requirements will come into force as of 1 July 2021. According to the amendments to the Law on Information, Information Technologies, and Information Protection, if a resource is considered a social network, it will be included in the register maintained by the Roskomnadzor.[69] These amendments impose moderation obligations on social networks regarding the content published by users, and require them to make available certain information on their websites.
In practice, social networks will now be required to identify and restrict access to illegal content.[70] Furthermore, the following information must be posted on the social network by its owner: (i) name, email address and an electronic form for sending requests about the illegal content; (ii) annual reports on the results of the consideration of requests and monitoring activities; (iii) terms of use of the social network. This amendment will enter into force on 1 February 2021.
The recently adopted laws evidence the trend of the increased regulation of IT-industry activities in Russia. With these new regulations, the Russian authorities increase the regulatory mechanisms that may affect the activities of websites, news media, social media, social networks and video hosting services in Russia.
B. Switzerland
1. The Revised FADP
On 25 September 2020, the Swiss Parliament adopted the revised version of the Federal Act on Data Protection 1992 (“Revised FADP”).[71] The Revised FADP is not in force yet, as it was subject to approval by referendum until 14 January 2021 (which was not held). The Federal Council will decide on entry into force which is expected during 2021 or at the beginning of 2022. The specific date is particularly important because the Revised FADP does not provide for any transitional periods.
One of the main reasons behind the adoption of the Revised FADP was to ensure that the EU recognises Switzerland as providing an adequate level of protection to personal data according to GDPR standards.
The most significant differences between the Revised FADP and the previous version, are the following:
- The Revised FADP now codifies expressly the international principle of the effects doctrine, subject to the principles governing civil and criminal enforcement that remain in place.[72] Hence, the Revised FADP will also apply on persons that are domiciled outside of Switzerland if they process personal data and this data processing has an effect in Switzerland.
- Personal data pertaining to legal entities is no longer covered by the Revised FADP, which in line with the GDPR, and most foreign data protection laws.[73]
- The Revised FADP will extend the term of sensitive data by adding two new categories: (i) genetic data; and (ii) biometric data that uniquely identifies an individual.[74]
- The Revised FADP now contains a legal definition of profiling that corresponds to the definition in the GDPR.[75]
- The Revised FADP distinguishes controllers and processors.[76]
- Like the GDPR, the Revised FADP contains provisions concerning data protection by design and by default.[77]
- The Revised FADP provides that a processor can hire a sub-processor only with the prior consent of the controller.[78]
- Under the Revised FADP and subject to specific exemptions, controllers and processors must maintain records of data processing activities under their respective responsibility. The former duty to notify data files to and register with the Federal Data Protection and Information Commissioner (“FDPIC”) has been abolished.[79]
- Under the Revised FADP and under specific conditions, controllers that are domiciled or resident abroad and process personal data of Swiss individuals must designate a representative in Switzerland.[80]
- The Revised FADP provides that individuals must (at the time of collection) be informed about certain minimum information[81] and have a new right to intervene in case of automated decision-making.[82]
- Under the Revised FADP, the FDPIC will have the power to issue binding decisions. However, it will not have the unilateral power to impose fines, unlike most data protection authorities in Europe – resort to Swiss courts will be required.
- Controllers are required to conduct a Data Protection Impact Assessment (“DPIA”) where there is a high risk for the privacy and the fundamental rights of data subjects.[83]
- Controllers will have a data breach notification obligation to the FDPIC where an incident results in high risk for data subjects.[84]
- The Revised FADP introduces the right to data portability, which was not covered by the previous data protection law.[85]
- The maximum amount of sanctions for individuals will be CHF 250,000 (approx. €232,000),[86] and the Revised FADP also extends criminal liability to the violation of additional data protection obligations.
As can be seen, there are significant similarities between the Revised FADP and the GDPR. The entry into force of the Revised FADP is therefore expected to lead to continuity in the cross-border data transfers between the EU and Switzerland.
2. The Swiss-U.S. Privacy Shield
On 8 September 2020, the FDPIC published an assessment on the Swiss-U.S. Privacy Shield where it found that the cross-border transfer mechanism did not guarantee an adequate level of protection regarding data transfers from Switzerland to the U.S.[87] Prior to FDPIC’s assessment, the CJEU had delivered its judgment in Schrems II,[88] in July 2020, which rendered the European Commission’s decision on the EU-U.S. Privacy Shield invalid.
The FDPIC identified two key problems concerning the Swiss-U.S. Privacy Shield, namely: (i) the lack of an enforceable legal remedy for persons concerned in Switzerland in particular due to the inability to assess the effectiveness of the Ombudsman mechanism because of a lack of transparency; and (ii) the inability to assess the decision-making abilities of the Ombudsman and its independence with respect to U.S. intelligence services. Since FDPIC’s assessment is a soft-law instrument without legally binding nature, the Swiss-U.S. Privacy Shield will remain valid and binding for the companies registered unless and until it is repealed or annulled on a case-by-case basis by the competent Swiss courts or in its entirety by the U.S.
C. Turkey
1. Turkish Data Protection Authority and Board Issues a Number of Regulations, Decisions and Guidance Documents
In 2020, the Turkish Data Protection Authority (“KVKK”) and the Turkish Data Protection Board (the “Board”) continued to issue a number of statements, decisions and guidance documents regarding the application and enforcement of Turkish data protection provisions. We outline and briefly explain below the most relevant ones:
- On 16 December 2020, the KVKK issued a statement on the data protection rules related to publicly available personal data. In the statement, the KVKK acknowledged that the Law on Protection of Personal Data No. 6698 (“Turkish Data Protection Act”) allows personal data to be processed where the data concerned is made available to the public by the data subject themselves.[89] However, the KVKK clarified that the concept of “making data public” has a narrow meaning under the Turkish Data Protection Act, and only covers scenarios where the data subjects wish the data to be public for data processing – the mere act of making personal data available to the public is not sufficient.
- On 26 October 2020, the KVKK issued a statement on cross-border data transfers outside of Turkey.[90] The statement noted that the Turkish Data Protection Act allowed a grace period for compliance with relevant data transfer provisions, and that several deadlines had been extended due to the COVID-19 pandemic. The KVKK also committed to eliminate and correct any misunderstandings arising from the interpretation and implementation of the Act, which had led to criticism from practitioners and scholars. As a start, the KVKK clarified that the Board will carry out assessments on the adequacy of foreign jurisdictions for data transfers based on a number of factors, including the reciprocity concerning data transfers between the importing country and Turkey. The KVKK also indicated that “Binding Corporate Rules” (“BCRs”) may be applicable and used in data transfers between multinational group companies. Indeed, on 10 April 2020, the KVKK introduced BCRs to the Turkish data protection law, to be used in cross-border personal data transfers of multinational group companies.[91] In its announcement, the KVKK described the undertaking letter procedure for data transfers outside of Turkey, and states that although the undertaking letters make bilateral data transfers easier; they may be inadequate in terms of data transfers between multinational group companies. Therefore, the KVKK determined BCRs as another mean that could be used in international data transfers between group companies.
- On 17 July 2020, the KVKK issued a statement on de-indexing of personal data from search engine results[92] based on the Board’s decision with number 2020/481.[93] The KVKK stated in its announcement that, they have evaluated the applications submitted before the KVKK with regards to the requests as to de-indexing web search results and within the scope of “right to be forgotten”, the Board decided that search engines should be considered as “data controllers” under the Turkish Data Protection Act, that individuals may primarily convey their de-indexing requests to the search engines and file complaints before the KVKK and search engines should make a balance test between fundamental right and freedoms and public interest. Additionally, KVKK also published a criteria document[94] by indicating that de-indexing requests should be considered per the issues indicated therein, which is mainly based on Article 29 Working Party’s Opinion on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on Costeja Case.
- On 26 June 2020, the KVKK issued a statement on obligation to inform data subjects.[95] The statement concerns the general rules that are already regulated under the Turkish Data Protection Act and secondary legislation concerning the obligation to inform set forth for the data controllers. KVKK indicated in its announcement that privacy policies or data processing policies should not be used to fulfill the obligation to inform and thus, privacy notices should be separated from these texts. Following that, the KVKK listed several examples with regards to the deficiencies and illegalities as to obligation to inform.
- In the context of the COVID-19 pandemic, on 9 April 2020, the KVKK issued a statement on the processing of location data in light of the COVID-19 pandemic.[96] The statement highlights that many other countries have used and allowed the use of personal data, such as the health, location and contact information of individuals, to identify those who carry or are at risk of carrying this disease. The KVKK reminds that the processing of this data needs to be carried out within the framework of the basic principles enshrined in the Turkish Data Protection Act.
2. Turkish Data Protection Act Continues to be Enforced
2020 was also a year in which the KVKK enforced the Turkish Data Protection Act in a number of data protection proceedings.
On 6 February 2020, the KVKK fined an undisclosed bank TRY 210,000 (approx. €27,800) for illegally processing personal data to gain potential customers.[97] The case concerned the creation of bank accounts without the knowledge or consent of individuals, using information gained by the bank via a third party. The KVKK found that the bank had acted in breach of its security obligations to prevent unlawful processing of personal data.
On 22 July 2020, the KVKK fined an automotive company TRY 900,000 (approx. €101,840) for violations related to the transfer of personal data based on the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“Convention 108”).[98] The software provider sought to rely on the fact that the receiving country was party to Convention 108 and, therefore, offered sufficient protection to personal data imported from Turkey. However, the KVKK outlined that the fact that a receiving country is a party to Convention 108 is in itself an insufficient measure in determining adequate protection of data. The data transfer had thus been carried out in breach of the Turkish Data Protection Act, without data subjects’ consent and not benefitting from any of the exceptions set out in the Turkish Data Protection Act. It is worth noting, in this regard, that the KVKK is yet to publish the list of countries deemed to provide sufficient protection under Turkish law. Finally, the decision notes that the data controller failed to comply with its data security obligations, as it had failed to prevent the unlawful processing and transfer of personal data. The KVKK ordered the data controller to delete/destroy the personal data unlawfully transferred outside of Turkey.
On 16 April 2020, the KVKK fined a gaming company TRY 1,100,000 (approx. €120,000) for failing to notify the KVKK of data breach within seventy-two (72) hours after becoming aware of the relevant data breach and to take required data security measures.[99]
On 27 February 2020, the KVKK fined an e-commerce company TRY 1,200,000 (approx. €120,000) mainly, TRY 1,100,000 for failing to fulfil the obligations relating to data security and TRY 100, 000 for failing to comply with the obligation to inform data subjects.[100] Besides, the Board also ordered the data controller to revise the data processing processes and privacy policy, Conditions of Sale and Use and Cookie Notice in accordance with the determined irregularities and in line with the Turkish Data Protection Act. The Board stated in its decision that (i) the privacy policy contains lots of information and general information about personal data processing and this does not mean that the data subjects are duly informed; (ii) although the data processing activities start with the cookies as soon as a user enters the website, information obligation is not complied with at any stages such as cookies or member login to the website; (iii) explicit consent is not obtained for commercial electronic communications and cross-border transfer of personal data; and (iv) considering that the undertaking letters submitted for cross-border transfer of personal data are not approved and the safe countries have not been announced, data controller may only transfer personal data abroad based on data subjects’ explicit consent.
III. Developments in Asia-Pacific, Middle East and Africa
A. Australia
The Australian government released the Terms of Reference and Issues Paper for the review of the Privacy Act 1988, and solicited public submissions by 29 November 2020. This wholesale review may update main provisions of the Privacy Act 1988, such as increasing maximum civil penalties, creating a binding privacy code for social media platforms, strengthening notification and consent requirements, modifying international data transfers, and expanding the definition of personal information. The government plans to issue a discussion paper seeking specific feedback on preliminary outcomes and possible areas of reform in early 2021.
B. China
1. New Developments in Chinese Legislation
The most significant legislative framework in China for the protection of personal data is the Cybersecurity Law (“Cybersecurity Law”) which came into effect on 1 June 2017. Two additional laws were introduced into the pipeline in 2020: the Draft Personal Information Protection Law[101] (“Draft PIPL”); and the Draft Data Security Law (“Draft DSL”). Once adopted, the combination of these three legal instruments (the Cybersecurity Law, the Draft Data Security Law and the Draft PIPL) are expected to become the fundamental laws in the field of cybersecurity and data protection in China.
The Draft PIPL is intended to be a general data protection law, which could harmonise the current fragmented legislative framework. However, even after the adoption of the Draft PIPL, personal information protection in China would remain sector based.
The Draft PIPL was partially inspired by the GDPR, but it has important differences that prevent a common cross-border approach (e.g., regarding the legal grounds for data processing, there is no legal basis of legitimate interest of the controller). Using a single privacy framework for EU and Chinese companies would consequently not result in adequate compliance.
The Draft PIPL introduces substantial new fines. For example, data processors are subject to fines of RMB 50 million (approx. €8 million, or $7.4 million), or 5% of the company’s revenue from the previous year.[102] In addition, the Cyberspace Administration of China would also have the competence to blacklist organisations and individuals for misusing data subjects’ data.[103]
On 18 November 2020, the Centre for Information Policy Leadership (“CIPL”) submitted recommendations on possible modifications of the Draft PIPL in order to ensure the protection of China’s citizens, businesses and government data,[104] including the following:
- The Draft PIPL includes definitions for sensitive personal information,[105] including biometric, financial, ethnic and religious information. The CIPL suggested a risk-based approach to assess personal data processing, rather than providing categories of predefined “sensitive information”.
- According to the CIPL, exemptions should be provided to the general requirement to appoint data protection officers and representatives, in line with other foreign privacy laws like the GDPR.
- The Draft PIPL should explain further what conditions or factors are required to satisfy the Cyberspace Administration’s security assessment for cross-border transfers of personal data.
- The Draft PIPL should clarify what constitutes a “serious” unlawful act.
- Finally, the CIPL recommended that organisations be afforded a two-year grace period from the date that the Draft PIPL is passed, to be fully compliant.
The other major legislative proposal, the Draft DSL, is intended to provide the fundamental rules of data security for both personal and non-personal data. The intended scope of application of the Draft DSL is broad, applying to “activities” (actions including collection, storage, processing, use, supply, trade and publishing) regarding “data” (any record of information in electronic or non-electronic form).
Finally, on 1 January 2021 the Civil Code of the People’s Republic of China entered into force, adopted by the third session of the 13th NPC. The Civil Code applies to all businesses in general (without distinguishing among controllers and processors), and introduces rules for the protection of personal information, including its collection, use, disclosure, and processing.
2. Enforcement of Chinese Data Protection and Cybersecurity Legislation
In August 2020, the China Banking and Insurance Regulatory Commission (“CBIRC”) issued two separate fines of RMB 1 million ($150,000) on two banks.[106] In both cases the banks were fined for failures to provide protection to personal data of credit card customers.
C. Hong Kong SAR
On June 30, 2020, the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region (the “NSL”) passed by the Standing Committee of the National People’s Congress of the People’s Republic of China (the “PRC”) became effective in Hong Kong. The NSL empowers law enforcement authorities to search electronic devices and premises that may contain evidence of related offenses and carry out covert surveillance upon approval of the Chief Executive; criminalizes acts of terrorism, subversion, secession, or collusion with foreign or external forces to endanger national security; and holds incorporated or unincorporated entities accountable for violations of the NSL.
Furthermore, the Committee for Safeguarding National Security (the “Committee”), which consists of specified Hong Kong officials and an advisor appointed by the Central People’s Government of the PRC (the “CPR”), is established pursuant to the NSL and assumes various duties including formulating work plans and policies, advancing the enforcement mechanisms and coordinating significant operations for safeguarding national security in Hong Kong. Decisions made by the Committee are not subject to judicial review.
The Office for Safeguarding National Security of the CPG (the “Office”) may in specified circumstances assume jurisdiction over serious or complex cases which would be difficult or ineffective for Hong Kong to handle in light of, for example, involvement of a foreign country or external elements. Such cases shall be investigated by the Office and, upon prosecution by a body designated by the Supreme People’s Procuratorate, adjudicated by a court designated by the Supreme People’s Court of the PRC.
The NSL applies not only to offenses committed or having consequences in Hong Kong by any person or entity, but also offenses committed from outside Hong Kong against Hong Kong by any person or entity.
D. India
1. Legislative initiatives
As indicated in the 2020 International Outlook and Review, the Personal Data Protection Bill 2019 (“PDP Bill”) was introduced in Parliament on 11 December 2019 adapted from the draft data protection legislation presented to the Ministry of Electronics and Information Technology on 27 July 2018[107], by the committee of experts led by Justice Srikrishna. Thereafter the PDP Bill was referred to a Joint Parliamentary Committee for its review. As of January 2021, the PDP Bill is in its final stages of deliberation and is expected to be promulgated soon. Several industry bodies and stakeholders were asked to depose before the Joint Parliamentary Committee for their views on the amendments made in the PDP Bill and the desired requisites of a national data protection law. Until the PDP Bill is enacted, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, continue to govern data protection in India.
In September 2019, the Ministry of Electronics and Information Technology constituted a committee of experts (“Committee”) to devise a framework for the regulation of non-personal data. Ultimately, on 12 July 2020, the Committee released a Report on Non-Personal Data Governance Framework (“NPD Framework”)[108], where it emphasised that the regulation of non-personal data is necessary to incentivise innovation, create value from data sharing, address privacy concerns, and prevent harm. The NPD Framework was met with criticism for the imposition of compulsory data sharing obligations and onerous compliance requirements on entities collecting and managing non-personal data. After reviewing feedback from public and stakeholders, the Committee released a revised version of the NPD Framework on 1 January 2021, wherein the Committee provided several clarifications to the earlier draft and streamlined the jurisdictions of the PDP Bill and the NPD Framework. The NPD Framework is still under public consultation and is yet to be presented before the Parliament as a bill for the promulgation of a single national-level regulation to establish rights over non-personal data collected and created in India.
In August 2020, the Government of India also proposed a data-sharing framework in the fintech sector. The National Institution for Transforming India (“NITI Aayog”) released a draft framework on the Data Empowerment and Protection Architecture[109] which will be implemented by the four government regulators: the Reserve Bank of India, the Securities and Exchange Board of India, the Insurance Regulatory and Development Authority, and the Pension Fund Regulatory and Development Authority, and the Ministry of Finance. The draft aims to institute a mechanism for secure consent-based data sharing in the fintech sector, which may be an important step towards empowering individuals in relation to their personal data. The draft aims to enable individuals to share their financial data across banks, insurers, lenders, mutual fund houses, investors, tax collectors, and pension funds in a secure manner.
In August 2020, the Government of India also launched the National Digital Health Mission (“NDHM”), a visionary project which intends to digitise the entire health care ecosystem of India. The National Health Data Management Policy, 2020[110] came into force on 15 December, 2020, and is the first step in realising the NDHM’s guiding principle of “security and privacy by design” for the protection of data principals’ personal digital health data privacy. It is intended to be a guidance document across the National Digital Health Ecosystem and sets out the minimum standard for data privacy protection for data relating to the physiological and psychological health of individuals in India.
2. Regulatory opinions and guidance
Indian institutions have also adopted certain measures in response to the challenges resulting from the COVID-19 pandemic. For instance, the Data Security Council of India (“DSCI”) issued the best practices on working from home in light of COVID-19[111] on 18 March, 2020. The guidance notes, among other things, that virtual private networks should only be used on company-owned devices, employees should access company data and applications through a browser-based webpage or virtual desktop, and a risk assessment should be conducted when selecting a remote access method. In addition, the guidance outlines a basic mandate for organisations and employees, which includes taking care of the confidentiality of valuable transactions and sensitive financial documents when working from home.
In a similar vein, the DSCI published, on 24 April 2020, its guidelines on data privacy during the COVID-19 pandemic, which highlights the privacy implications of COVID-19 for different sets of stakeholders and provides privacy and data protection practices.[112] The guidelines address healthcare privacy considerations and note the importance of notifying patients of all information that is collected, having specific protocols in place to ensure that consent is obtained, having internal and external audit mechanisms to assess privacy measures, and using health data solely for the specific purposes of their collection. Finally, the guidelines provide working from home considerations both for employers and employees, noting the importance of revisiting data protection strategies, data management practices, remaining compliant with regulatory obligations, conducting Data Protection Impact Assessments to ascertain privacy risks, and spreading privacy awareness and training across organisations.[113]
The DSCI also published its Report for Enabling Accountable Data Transfers from India to the United States Under India’s Proposed Personal Data Protection Bill on 8 September 2020[114] (“Report on Data Transfers”). The purpose of the Report on Data Transfers is to make additional recommendations to the existing draft of the PDP Bill to enable free flow of data between countries, especially with the U.S. owing to the value it adds to India’s digital economy, and to provide solutions for facilitating India-US data transfers. The Report on Data Transfers also suggests, among other things, that the PDP Bill’s provision on the creation of codes of practice should include certification requirements in order to increase interoperability between different privacy regimes as well as facilitate cross-border transfer mechanisms.
On 2 September 2020, the Artificial Intelligence Standardisation Committee for the Department of Telecommunication released its Indian AI Stack discussion paper.[115] The Discussion Paper notes that the AI Stack will, among other things, secure storage environments that simplify archiving and extraction from data based on the data classification, ensure the protection of data through data federation, data minimisation, an open algorithm framework, defined data structures, interfaces and protocols, and monitoring, auditing, and logging, as well as ensuring the legitimacy of backend services.
3. Enforcement of data protection laws
In 2020, the Government of India adopted three decisions to block applications following information that they were engaging in activities which were prejudicial to the integrity and the national security of India.[116]
In particular, the Government had received complaints regarding the misuse of mobile application data, stealing and secretly transmitting users’ data in an unauthorised manner to servers located outside of India. As a result, on 29 June 2020, the Government decided to disallow the use of 59 applications to safeguard the interests of Indian mobile and internet users.[117] Similarly, on 2 September 2020[118], and 29 November, 2020,[119] the Indian Government decided to further block 118 and 43 mobile applications respectively for misusing users’ data and engaging in activities which are prejudicial to the sovereignty, integrity and defence of India, as well as the security of the state and public order. According to the Government, the applications’ practices raised concerns relating to the fact that they were collecting and sharing data in a manner which compromised the personal data of users, posing a severe threat to the security of the State.
On 23 November 2020, the Orissa High Court delivered an important judgment emphasising the need to recognise the right to be forgotten, noting the presence of objectionable images and videos of rape victims on social media platforms.[120] The court emphasised that the principle of purpose limitation is already embodied in law by virtue of the precedent of the Supreme Court’s judgment in K.S. Puttaswamy v. Union of India, and that capturing images and videos with the consent of the victim cannot justify the subsequent misuse of such content. The court referred to existing case law and the PDP Bill, which provide for the right to be forgotten. Accordingly, the court recognised the right to be forgotten as a right in rem and stressed that, in the absence of legislation, victims may nevertheless seek appropriate orders to have offensive posts erased from public platforms to ensure protection their right to privacy.
E. Indonesia
On 24 January 2020, a draft of the Personal Data Protection Act (“PDP Bill”) was submitted to the Indonesian House of Representatives.[121] The PDP Bill consolidates the rules related to personal data protection in Indonesia, and is anticipated to establish data sovereignty and security as the keystone of Indonesia’s data protection regime.[122]
On 1 September 2020, the Ministry of Communication and Information Technology of Indonesia (“Kominfo”) issued a statement claiming that the PDP Bill would be completed by mid-November 2020.[123] However, it appears that the COVID-19 pandemic has led to delays in the adoption of the Bill.
Finally, on 10 March 2020, Kominfo submitted a new draft regulation on the Management of Privately Managed Electronic System Organiser (“Draft Regulation”) for approval. The Draft Regulation is intended to serve as an implementing regulation of Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions, which, as noted in the 2020 International Outlook and Review, became effective in October 2019.
F. Israel
On 29 November 2020, the Israeli Ministry of Justice (“MoJ”) launched a public consultation on the introduction of amendments to the Protection of Privacy Law 5741-1981.[124] The MoJ also launched, on 23 July 2020, a public consultation on proposed amendments to privacy law database registration requirements which would reduce the scope of the obligation to register a database and amend certain definitions contained in the law.[125]
Moreover, the Privacy Protection Authority (“PPA”) published a number of reports and recommendations on a series of topics, including:
- privacy protection in the context of epidemiological investigations,
- security recommendations following security incidents,
- the protection of privacy in the context of money transfers and app payments,
- data processing and storage service providers,
- smart transportation services,
- digital monitoring tools for COVID-19 contact tracing,
- GSS assistance in contact tracing,
- recommendations in the context of the COVID-19 pandemic (e.g., remote learning, privacy for individuals entering workplaces, medical institutions privacy compliance).
Following the CJEU’s decision to annul the EU-U.S. Privacy Shield in Schrems II, the PPA issued, on 29 September 2020, a statement regarding transfers of personal information from Israel to the U.S. In this statement, the PPA indicated that data transfers from Israel to the U.S. could no longer rely on the EU-U.S. Privacy Shield or the Transfer of Information Regulations, and that alternative exceptions provided for in Section 2 of the Regulations could only be used where applicable. The PPA had nonetheless clarified that personal data could be transferred from Israel to EU Member States, as well as to countries which will cease to be EU Member States but will continue to apply and enforce the provisions of EU Law on the protection of personal data.[126]
On the enforcement side, in 2020 the PPA identified and investigated a number of violations, including the leak of personal data of 6.5 million Israeli voters.[127] The PPA also offered security recommendations following the security incident at an insurance company.
G. Japan
On 5 June 2020, the Parliament of Japan adopted a bill to amend the currently applicable general data protection law, the Act on the Protection of Personal Information (“APPI”).[128]
Under the bill, the rights of the data subjects have been expanded. For example, if the proposed amendments to the APPI are introduced, data subjects will be entitled to request an organisation to delete their personal information, but only if certain requirements are met. Consequently, the scope has remained narrower than the right to erasure and the right to object under the GDPR.
Regarding data retention periods, the currently applicable law provides that any data which was to be erased after six months is not considered as “retained personal data”, and therefore is not not subject to data subject requests. The Amendments will abolish this six-month rule, and data subjects will be able to exercise their data-related rights regardless of the retention period.
Under the current applicable law, organisations should “duly make an effort” to report data breaches to the Personal Information Commission (“PIC”). In contrast, the bill will introduce a mandatory obligation to notify data breaches, obliging organisations to report data breaches to the PIC and to notify the affected data subjects if their rights and interests are infringed. Although this requirement is similar to the corresponding provisions in the GDPR, the latter sets a strict deadline of 72 hours for notification, while the bill requires “prompt” reporting.
The amended APPI will include the concept of “pseudonymously processed information”, which similarly to the GDPR will mean personal information that cannot be used to identify an individual unless combined with other information. Pseudonymously processed information will not be subject to some requirements, such as requests for disclosure, utilisation, or correction. In the event of a data breach concerning pseudonymously processed information, reporting to the PIC will not be mandatory.
One of the main goals of the bill is to address the increasing risks associated with cross-border data transfers. Under the new provisions, data subjects should be informed about the details of any data transfer to a third party located in a foreign country. The bill has also increased the criminal penalties, such as the penalty for violating an order of the PIC (100 million yen; approx. €800,000). However, administrative fines will not be introduced.
The bill is expected to enter into force no later than June 2022. The new rules will bring the APPI into closer alignment with the EU’s data protection standards and strengthen Japan’s data protection regime.
H. Malaysia
On the legislative side, on 14 February 2020, a public consultation paper was released proposing amendments to the Malaysian Personal Data Protection Act 2010, which currently regulates data protection in Malaysia.[129] If adopted, the amendments would introduce significant changes to Malaysia’s data protection regime, including: the obligatory appointment of a data protection officer, mandatory breach reporting, the introduction of civil litigation against data users, the implementation of technical and organisational measures such as data portability and privacy by design, and the broadening of the Malaysian Personal Data Protection Act’s scope to data processors. Many of the proposed amendments have been inspired by the GDPR and aim to bring the Malaysian regime closer to EU data protection standards.
On 29 May 2020, the Department of Personal Data Protection (“PDP”) released advisory guidelines on the handling of personal data by businesses under the Conditional Movement Control Order.[130] The advisory guidelines highlight that only names, contact numbers, and the dates and times of attendance can be collected from customers, and requires a clearly visible notice detailing the purpose of collection. The PDP also advises that personal data should only be collected for informational purposes and must be permanently deleted six months after the Control Order is terminated.
I. Singapore
As explained in the 2020 International Outlook and Review, Data protection in Singapore is currently governed by the Personal Data Protection Act 2012 (“Singapore PDPA”).
The Personal Data Protection Commission (“PDPC”) conducted a review of the Singapore PDPA and, on 14 May 2020, the PDPC released a joint statement with the Ministry of Communications and Information announcing the launch of an online public consultation on a bill to amend the Singapore PDPA and the Spam Control Act 2007 (“SCA”).[131]
On the basis of this, the proposed amendments to the Singapore PDPA to address Singapore’s evolving digital economy needs, and related amendments to the SCA, were passed in Parliament on 2 November 2020.[132] The bill introduced several notable amendments, including mandatory data breach notification requirements, enabling meaningful consent where necessary and providing consumers with greater autonomy over their personal data through the incorporation of a data portability obligation.[133] Moreover, the bill strengthened the enforcement powers of the PDPC.[134]
Subsequently, on 20 November 2020, the PDPC issued the draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill (“Draft Advisory Guidelines”).[135] The Draft Advisory Guidelines provide clarifications on key provisions in the bill, covering, inter alia, the framework for the collection, use, and disclosure of personal data, mandatory breach notification requirements, financial penalties, and offences for mishandling personal data. The Draft Advisory Guidelines will be finalised and published when the amendments to the Singapore PDPA come into effect, i.e., upon their signing and publication in the Gazette, which is expected in early 2021.
J. South Korea
In January 2020, the National Assembly of the Republic of Korea adopted amendments (“Data 3 Act”) to the Personal Information Protection Act 2011 (“PIPA”)[136] and to other main data protection laws. The adoption of the Data 3 Act meant the implementation of a more streamlined approach to personal data protection in South Korea. In addition, it is expected that these legislative changes will facilitate the adequacy assessment under the GDPR and the adoption of an adequacy decision from the European Commission.
The Data 3 Act aims to extend the powers of the Personal Information Protection Commission (“PIPC”), which will be the supervisory authority for any data breaches. Data protection issues are currently handled by several different agencies, but with the entry into force of the reforms these will now be handled exclusively by the PIPC. In addition, the PIPC will have the competence to impose fines similar to those provided under the GDPR.
The Data 3 Act introduced to the PIPA the concept of “pseudonymised information” (i.e., personal information processed in a manner that cannot be used to identify an individual unless combined with other information). Pseudonymised information may be processed without the consent of the data subject for purposes of statistical compilation, scientific research, and record preservation for the public interest.
Finally, it should be noted that the cross-border transfer of the personal data of Korean data subjects has remained restricted as their consent is required prior to transferring their personal data abroad.
K. Thailand
As noted in the 2020 International Outlook and Review, the Personal Data Protection Act 2019 (“Thailand PDPA”), which is the first consolidated data protection law in Thailand, was originally expected to come into full effect on 27 May 2020. However, in May 2020, the government of Thailand approved a Royal Decree to postpone the application of the Thailand PDPA until 31 May 2021, citing the negative effects of the COVID-19 pandemic as one of the main reasons for doing so.[137]
Subsequently, on 8 June 2020, the Ministry of Digital Economy and Society (“MDES”) issued a statement on the Thailand PDPA’s postponement, noting that government agencies, and private and public institutions, were not ready for the enforcement of the legislation.[138] This was followed by a notice published by the MDES on 17 July 2020 for data controller requirements and security measures to be implemented during the postponement period of the Thailand PDPA.[139]
Reference must be made to the fact that the Thailand PDPA is largely modelled upon the GDPR, containing many similar provisions, although they differ in areas such as anonymisation. Moreover, the Thailand PDPA provides for the creation of the Personal Data Protection Committee (“PDPC”), which is yet to be fully established. As such, the MDES is currently acting as the supervisory authority for any data protection–related issues within Thailand. Once created, the PDPC is expected to adopt notices and regulations to clarify and guide data controllers and other stakeholders on how to prepare for and remain compliant with the requirements under the Thailand PDPA by 27 May 2021.
L. United Arab Emirates
On 19 November 2020, the Abu Dhabi Global Market (“ADGM”)[140] announced the issuance of a public consultation on proposed new Data Protection Regulations 2020 amending the existing Data Protection Regulations 2015.[141] The proposed draft aims at aligning the ADGM with certain international standards, especially the GDPR,[142] and introduces, amongst other things, the following elements: definitions, the principles of accountability and transparency, the processing of special categories of data, individual rights, security obligations, and the notification of data breaches. The proposed data protection framework is aimed to have a broad scope of application, including the processing of personal data in the context of the activities of an establishment in ADGM, regardless of whether the processing takes place in ADGM. In a similar vein, it will apply to natural persons, whatever their nationality or place of residence, excluding cases where a data controller is only connected to ADGM because it uses a data processor located inside the ADGM. In the latter case, the Proposed Data Protection Framework would not apply to the data controller.[143]
On 1 July 2020, the Dubai International Financial Centre (the “DIFC”) published the Data Protection Regulations, which entered into effect on the same date with the Data Protection Law No. 5 of 2020.[144] In particular, the Regulations comprise provisions regarding, in particular, the content and format to be followed by personal data processing records, activities requiring data processing notifications to the Data Protection Commissioner, conditions to transfer data outside of the DIFC, and fines. Moreover, in September 2020, the DIFC became a fully accredited member of the Global Privacy Assembly (“GPA”).[145]
M. Other Developments in Africa
Data protection authorities in Africa have generally been monitoring compliance with data protection requirements, especially in the context of the COVID-19 pandemic. Moreover, Nigeria and other African nations have developed a framework that aims to harmonise laws on data protection and the digital economy.[146]
Egypt: On 17 July 2020, Resolution No. 151 of 2020 (“Egypt Data Protection Law”) was approved and published in the official gazette, and within three months it came into force.[147] The Egypt Data Protection Law governs the processing of personal data carried out electronically, in part or in full, and gives to data subjects’ rights in relation to the processing of personal data. The key elements that the law provides for are the following:
- consent is the main legal basis for the processing of personal data;
- conditions and principles for data processing must be respected;
- the Centre for the Protection of Personal Data is the regulatory body aiming to maintain compliance with the Egypt Data Protection Law; and
- activities covered include the processing of sensitive personal data, cross-border transfers, electronic direct marketing practices, monetary penalties and criminal sanctions for violations of the Egypt Data Protection Law itself.
Kenya:[148] The Information Technology Industry Council (“ITI”) announced, on 28 April 2020, that it had submitted comments to the Office of the U.S. Trade Representative on the U.S. and Republic of Kenya Trade Agreement negotiations. These comments include measures that should ensure protection of personal data by taking into account best international practices for privacy and interoperability, strengthen regulatory practices in emerging technologies such as artificial intelligence and machine learning, and promote risk-based cybersecurity and vulnerability disclosure in alignment with international standards.[149] The formal negotiations were launched in July 2020.[150]
Namibia: Namibia has not yet enacted a comprehensive data protection legislation. On 24 February 2020, the Council of Europe organised, in coordination with Namibia’s Ministry of Information and Communication Technology, a two-day stakeholders’ consultation workshop on a draft data protection bill for Namibia.[151] A draft of the bill is expected to be published in 2021.
Nigeria: In Nigeria, data privacy is currently protected by a comprehensive data protection regime comprising a variety of laws, regulations, and guidelines. As underlined in a statement, issued on 27 January 2020 by the National Information Technology Development Agency (“NITDA”), the Nigeria Data Protection Regulation concerns the use, collection, storage or transfer of personal data and intends to provide a clear framework for data protection in Nigeria. However, pursuant to the Nigerian Communications Commission, appropriate legal instruments must be put in place in order in order to strengthen cybersecurity.[152]
The NITDA issued, on 17 May 2020, its Guidelines for Management of Personal Data by Public Institutions in Nigeria.[153] On 20 August 2020, the NITDA had published the Draft Data Protection Bill 2020 for public comments. The Draft Bill aims primarily to promote a code of practice that ensures the protection of personal data and its lawful, fair and transparent process in accordance with the principles set out in the Draft Bill while taking into account the legitimate interests of commercial organisations as well as government security agencies. In addition, the Draft Bill provides for a Data Protection Commissioner, an impartial, independent and effective regulatory authority.
South Africa:[154] In 2013, the Protection of Personal Information Act (“POPIA”) was signed into law by the President of South Africa and the Information Regulator was established as the supervisory authority. In June 2020, the President announced that certain essential remaining sections of POPIA would commence to apply on 1 July 2020 and that, following a 12-month transition period, public and private bodies would need to comply from 30 June 2021.
In addition, on 3 April 2020, the South African Regulator published a guidance note on processing personal information during the Coronavirus pandemic encouraging proactive compliance by responsible parties when processing personal information belonging to COVID-19 cases and their contacts.[155]
Togo: On 9 December 2020, the National Assembly announced that it had adopted a draft decree on the organisation and functioning of the body for the protection of personal data, the IPDCP, which will have a power of investigation and enforcement in order to support the government’s policy on personal data protection.[156]
Rwanda: A final draft of the data protection bill was approved and published on 27 October 2020 by the Office of the Prime Minister of the Republic of Rwanda.[157] The Bill includes provisions on data subject rights, general rules for data collection and processing, and procedures for data activities, such as transfers, sharing and retention.[158] Moreover, the Ministry of ICT and Innovation (MINICT) published, on 5 May 2020, COVID-19 guidelines addressing cybersecurity measures.[159]
N. Other Developments in the Middle East
Whereas data protection was mainly provided for in sectoral regulations, privacy laws are progressively emerging across the region.
Oman: On 12 July 2020, the State Council of the Sultanate of Oman announced that it had held discussions on the draft law on the protection of personal data, which comprises in particular provisions regarding the role of the Ministry of Technology and Communications, the responsibility to protect the rights of personal data owners, and the obligations of controllers and processors, as well as the applicable sanctions.[160] The State Council also announced on 10 September 2020 that it had discussed a draft law of a new legislation dealing with cybersecurity. The Technology and Innovation Committee of the State Council had approved in part the content of the draft law.
Pakistan: Data protection is still governed through sectoral legislation. However, the Ministry of Information Technology and Telecommunication (“MOITT”) finalised the draft Personal Data Protection Bill 2020 which was presented to the Cabinet of Pakistan for approval.[161] The bill, which was introduced in April 2020, provides for the general requirements for personal data collection and processing and contains several similar provisions to those found within GDPR, but is silent regarding the right to data portability and does not require data controllers to notify data subjects of data breaches. In addition, the MOITT adopted, on 18 November 2020, social media rules setting measures and obligations applicable to social media and internet providers in order to prevent unlawful online content and to protect national security.[162]
O. Other Developments in Southeast Asia
Throughout 2020, developments related to the data protection and cybersecurity landscape occurred in certain other jurisdictions in the south-eastern subregion of Asia, including the following:
Cambodia: While the country does not have a general personal data protection law or a data protection authority, there have been recent legislative developments addressing relevant areas. In particular, a draft cybercrime law is currently being prepared that would regulate Cambodia’s cyberspace and security, aiming to prevent and combat cyber-related crimes.
Philippines: On 9 March 2020, the APEC Cross-Border Privacy Rules (“CBPR”) system Joint Oversight Panel approved the Philippines’ application to join the APEC CBPR system. As such, the Philippines becomes the ninth APEC economy to join the CBPR system.
The institutions in the Philippines have been particularly active in formulating data protection measures and statements to address issues relating to the collection and processing of data in the wake of the COVID-19 pandemic. On 1 June 2020, the Philippines created a task force in order to drive practical responses to privacy issues emerging from the pandemic.
Vietnam: The data protection framework in Vietnam was fragmented, and relevant provisions can be found in numerous laws. In 2020, the government of Vietnam issued Decree No. 15/2020/ND-CP, providing for regulations on penalties for administrative offences in the sectors of post, telecommunication, radio frequency, information technology, and electronic transactions, which is in effect as of 15 April 2020. In February 2020, however, a draft personal data protection decree was released, which has already undergone public consultation. The draft decree sets out principles of data protection, including purpose limitation, data security, data subject rights, and the regulation of cross-border data transfers. Moreover, the draft decree contains provisions on obtaining consent of data subjects, the technical measures needed to protect personal data, and the creation of a data protection authority.
IV. Developments in Latin America and in the Caribbean Area
A. Brazil
The biggest data protection development in Brazil in 2020 was the entry into force of Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law[163] (as amended by Law No. 13.853[164] of 8 July 2019) (“LGPD”) on 18 September 2020. The specific enforcement provisions of the LGPD are expected to enter into force on 1 August 2021, further to an additional law passed in June 2020.
Compared to the EU’s GDPR, the LGPD shows both differences and similarities. The definitions of “personal data” are very similar in both instruments, both having the goal of assuring a high level of protection for any “information related to an identified or identifiable natural person”. Thus, anonymised data falls expressly out of scope in the two jurisdictions, with a caveat on the Brazilian side existing in the sense that if anonymised data is used to create or enhance the behavioural profiling of a natural person, it may also be deemed as personal data, provided that the impacted person can be identified in the process.
Both legislations apply to the processing of personal data carried out by both public and private entities, online and offline. As for the territorial scope, the rules apply to organisations that are physically present in the EU and Brazil as well as to organisations that, although not located in those states/regions, may offer goods or services there. When it comes to the handling of sensitive data, the LGPD sets forth a narrower list of legal grounds that can be elected to legitimise the processing of such data, such as the necessity to comply with a legal obligation, to protect the life and physical safety of the subject or a third party, for the exercise of rights in contractual or judicial proceedings and for the prevention of fraud.
The LGPD offers ten legal grounds for processing of personal data, which are comparable to the ones provided in the GDPR. In addition, the LGPD offers four additional grounds that may authorise the processing of personal data, namely for the conduction of studies of research bodies, for the exercise of rights in judicial, administrative, and arbitral proceedings, for the protection of health in procedures conducted by health professionals and health entities, and for the protection of credit.
Both the LGPD and the GDPR expressly provide for a set of rights granted to data subjects with respect to their personal data. Both norms recognise individuals’ right of access to their personal data, right to be informed of processing activities based on their personal data, and rights of rectification and erasure. Although the rights prescribed in both pieces of legislation are fairly similar, it could be argued that the major element that sets both norms apart are the timeframes for responding to data subject requests. While on the European side organisations must generally respond to requests within one month of the receipt of a request, the LGPD is limited to a 15-day period for complying with access requests, while requests for the exercise of other rights should be responded to immediately.
The role of data protection officers (“DPOs”) is fairly similar under both legislations. DPOs are legally tasked with acting as a point of contact between the organisation they represent, the supervisory authorities, and data subjects, as well as advising and orienting the organisation they represent with regard to its data protection obligations. There are, however, two major differences between the Brazilian and the EU rules concerning the position of DPOs. The first one is that the GDPR expressly specifies instances where an organisation is required to appoint a DPO, while the LGPD makes no such limitation, thus obliging virtually every organisation subject to its scope to appoint one. The second difference is that, while the GDPR establishes the need for DPOs to be independent within the organisational structure of their organisations and also to be provided with monetary and human resources to fulfil their tasks, the LGPD does not provide such express guidance.
A significant difference between the two instruments is their enforcement. The legal structure of the Brazilian supervisory authority lacks some traits of independence and autonomy when compared to the structure provided for under the GDPR. However, the LGPD has introduced a number of sanctions that can be imposed by the ANPD, such as public disclosure of a violation, erasure of personal data relating to a violation, and even a temporary suspension of data processing activities. The entry into force of the provisions of the LGPD governing administrative sanctions has been deferred to 1 August 2021.
On 23 September 2020, Bill 4695/2020,[165] seeking to protect the personal information of students when using distance learning platforms, was introduced. The bill would require distance learning platforms to follow data processing requirements provided by the LGPD and to, whenever possible, use the technology without collecting and sharing personal and sensitive data, revealing racial origin, religious or political beliefs, or genetics of the users. Furthermore, the bill requires that processing of personal data can only take place when prior and express consent has been obtained.
Finally, on 18 December 2020, the National Telecommunications Agency (“Anatel”) approved the Cybersecurity Regulation[166] applied to the telecommunications sector. The regulation is intended to promote cybersecurity in telecommunications networks and services and support ongoing supervision of the market, infrastructures, and the adoption of proportional corrective measures. Moreover, the regulation imposes an obligation on telecommunication providers to develop, maintain and implement a detailed cybersecurity policy, which must include, inter alia, national and international norms, best practices, risk mapping, incident response time and sharing and sending information to Anatel. The regulation came into force on 4 January 2021.
B. Other Developments in South America
1. Argentina
On 28 January 2020, The Argentinian data protection authority (“AAIP”) issued a resolution[167] against a telecommunication company for violations of Law No. 26.951 (“DNC Law”).[168] In particular, the AAIP issued a fine of ARS 3,000,000 (approx. €45,000) for 248 charges relating to violations of Article 7 of the DNC Law, which provides that those who advertise, offer, sell or give away goods or services by means of telephone communications may not address any individual who is registered in the “Do Not Call” registry.
On 6 June 2020, the AAIP imposed a fine[169] of ARS 280,000 (approx. €3,770) against a tech company for violations of the Personal Data Protection Act No. 25.326 of 2000. In particular, the AAIP found that the company did not allow a user to access their personal data in their email account and related applications after changes to their passwords were made by an un-authorised third party.
2. Chile
On 1 June 2020, the Chilean Transparency Council (“CPLT”) announced that an audit of 12,000 purchase orders made by 86 organisations in the health sector had revealed some disclosures of sensitive personal data of patients without their express consent.[170] Moreover, the CPLT highlighted that in some cases the data had even been made public through online platforms. To remedy that, the CPLT has offered technical support to the Chilean Ministry of Health.[171]
3. Colombia
On 26 November 2020, the Colombian data protection authority (“SIC”) announced that it had issued an order[172] requiring a videoconference service provider (with no physical presence in Colombia) to implement new measures guaranteeing the security of personal data of its users in Colombia. SIC emphasised that the measures should be effective and meet the standards of data security required under the Colombian Data Protection Law, and required the company to provide a certificate issued by an independent data security expert. SIC’s order raise significant jurisdictional question, since the Colombian Data Protection Law does not apply to processing that occurs outside of Colombia (and there was no allegation that any processing in violation of the Law occurred in Colombia).).[172a]
Through 2020, SIC also imposed a number of fines on various companies for non-compliance with data protection rules. Some of the biggest and most notorious fines were imposed on a health company[173] and on financial institutions[174]
4. Mexico
Since the beginning of the COVID-19 pandemic, the Mexican data protection authority, the National Institute of Transparency, Access to Information and Data Protection (“INAI”) began a series of actions to provide information to the general public on how to protect their personal data and the guidelines for data controllers on how to process personal and sensitive personal data.
Among these actions, it became imperative to announce to health-related data controllers, public and private hospitals, to comply with their legal obligations as per the Mexican data protection laws, on how to process personal data of patients diagnosed with COVID-19. This was especially the case because Mexican data protection laws consider health-related data to be sensitive and thus require stronger security measures.
One of the first actions by the Mexican data protection authority was that, on 29 March, 2020, it launched a COVID-19 microsite[175] dedicated specifically to provide useful information and guidelines to protect personal data and provide transparency during the pandemic. This microsite has been a useful tool for both data subjects and data controllers to handle personal data processed as a result of the COVID-19 pandemic.
On 2 April 2020, the INAI released a statement calling for the adoption of extreme precautions with regard to personal data of COVID-19 patients.[176] Medical personnel handling such data must use strict administrative, physical and technical safeguards to avoid any loss, destruction of improper use. The INAI also recommended that only minimum necessary personal data is collected, and only for purposes of preventing and containing the spread of the virus. This communication also speaks of the responsibility that all data processors bear when handling personal data.
As the pandemic grew, on 13 July 2020, the INAI expressed its concerns on the deficiencies of the health sector in the processing of personal data of COVID-19 patients. Francisco Javier Acuña Llamas, the then President Commissioner of INAI, noted that data bases that contain COVID-19 patients must be kept for a specific period of time and not indefinitely. He established that all data transferences of sensitive personal data should be under the specificities of the Mexican data protection laws. He also recognised that the Global Privacy Assembly, to be held in Mexico in 2021, should have at its core a discussion of the impact of the pandemic.[177]
The pandemic brought a series of events that had not been taken into consideration on a regular basis, because of the pandemic many companies allowed their employees to work from home. Because of this development, on 8 April 2020, the INAI issued recommendations for the protection of personal data in a home office environment. These guidelines highlighted the need to implement security measures that included only using computer equipment provided by the employer, not using public connections, using only official communication sites to share information, and using passwords on all equipment used at home for work-related activities.[178]
In Mexico this brought legislative changes to the Federal Labor Law[179] that now establishes how work from home is to be regulated. These modifications to the law establish both the employers and employees’ obligations when working from home. This comes to show how, due to the COVID-19 pandemic, a new normality is underway and will be here to stay.
This pandemic is far from over and it poses a challenge not only to the processing of sensitive personal data, but also to the implementation of health check points in every public space or while working from home. It has changed the way organisations protect their information from any loss or improper access putting cybersecurity at the forefront for any organisation. It has changed the way organisations interact with clients and how products or services are purchased, turning evermore to an online commerce activity. This will bring challenges not only regarding companies’ operations, but also how companies collect and process a data subjects’ information.
5. Uruguay
On 21 February 2020, the Council of Ministers adopted Decree No.64/020 on the Regulation of Articles 37-40 of Law No. 19.670 of 15 October 2018 and Article 12 of Law No. 18.331 of 8 November 2008.[180]
The Decree regulates new personal data protection obligations with major changes, including requiring all database owners and data controllers to report security incidents involving personal data to the Uruguayan data protection authority within a maximum of 72 hours. Reports must contain relevant information relating to the security incident, including the actual or estimated date of the breach, the nature of the personal data affected and possible impacts of the breach.
The Decree establishes the obligation to assess the impact of a breach when data processing involves specially protected data, large volumes of personal data (i.e., data of over 35,000 persons) and international data transfers to countries not offering an adequate level of protection. The Decree obliges public entities, and private entities that focus on the processing of sensitive personal data or of large volumes of data, to appoint a data protection officer.
[1] See http://curia.europa.eu/juris/document/document.jsf;jsessionid=2BDC80771D0FB7EA8B6F60B9A3C4F572?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=20032710.
[2] See, e.g., https://www.cnil.fr/en/invalidation-privacy-shield-cnil-and-its-counterparts-are-currently-analysing-its-consequences (French CNIL); https://www.aepd.es/es/derechos-y-deberes/cumple-tus-deberes/medidas-de-cumplimiento/transferencias-internacionales/comunicado-privacy-shield (Spanish AEPD).
[5] See https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en.
[6] See https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf.
[7] See https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries.
[8] See https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12740-Data-protection-standard-contractual-clauses-between-controllers-processors-located-in-the-EU-implementing-act-
[9] See https://edpb.europa.eu/news/news/2021/edpb-edps-adopt-joint-opinions-new-sets-sccs_en#:~:text=The%20EDPB%20and%20EDPS%20have,of%20contractual%20clauses%20(SCCs).&text=The%20Controller%2DProcessor%20SCCs%20will,between%20controllers%20and%20their%20processors.
[10] See, e.g., https://www.enisa.europa.eu/news/executive-news/top-tips-for-cybersecurity-when-working-remotely. On 15 March 2020, the Director of the ENISA shared some views on teleworking conditions during COVID-19. The Director recommended that individuals work with a secure Wi-Fi connection and have up-to-date security software, regularly update their anti-virus systems and make periodic backups. Employers should also provide regular feedback to their employees on the procedures to follow in case of problems.
[11] See https://edpb.europa.eu/sites/edpb/files/files/news/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.
[13] See https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf andhttps://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf.
[14] See https://ec.europa.eu/health/sites/health/files/ehealth/docs/contacttracing_mobileapps_guidelines_en.pdf andhttps://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statementinteroperabilitycontacttracingapps_en.pdf.
[15] See https://edps.europa.eu/sites/edp/files/publication/20-11-17_preliminary_opinion_european_health_data_space_en.pdf.
[17] See https://ico.org.uk/media/for-organisations/documents/2617676/ico-contact-tracing-recommendations.pdf.
[18] See https://www.cnil.fr/fr/application-stopcovid-la-cnil-tire-les-consequences-de-ses-controles andhttps://www.cnil.fr/fr/tousanticovid-la-cnil-revient-sur-levolution-de-lapplication-stopcovid.
[19] See https://www.cnil.fr/sites/default/files/atoms/files/deliberation_du_24_avril_2020_portant_avis_sur_un_projet_dapplication_mobile_stopcovid.pdf.
[21] See https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/contact-tracing-protecting-customer-and-visitor-details/ andhttps://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/09/data-protection-guidance-for-collecting-customer-information/.
[22] See https://www.datenschutz.rlp.de/fileadmin/lfdi/Dokumente/Pruefschritte_Datenuebermittlung_in_Drittlaender_nach_Schrems_II.pdf.
[23] See https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/coronavirus-recovery-data-protection-advice-for-organisations/.
[24] See https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles andhttps://www.cnil.fr/fr/les-questions-reponses-de-la-cnil-sur-le-teletravail.
[26] See https://www.dataprotection.ie/sites/default/files/uploads/2020-07/Data%20Protection%20implications%20of%20the%20Return%20to%20Work%20Safely%20Protocol.pdf.
[27] See https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-onderzoekt-meten-temperatuur-werknemers-tijdens-corona.
[28] See https://www.cnil.fr/fr/cameras-dites-intelligentes-et-cameras-thermiques-les-points-de-vigilance-de-la-cnil-et-les-regles andhttps://www.datenschutzkonferenz-online.de/media/dskb/20200910_beschluss_waeremebildkameras.pdf.
[29] See https://ec.europa.eu/health/sites/health/files/vaccination/docs/2019-2022_roadmap_en.pdfhttps://ec.europa.eu/health/sites/health/files/vaccination/docs/2019-2022_roadmap_en.pdf.
[32] See https://www.cnil.fr/fr/cookies-et-autres-traceurs-la-cnil-publie-des-lignes-directrices-modificatives-et-sa-recommandation.
[36] See https://www.cnil.fr/fr/sanctions-2250000-euros-et-800000-euros-pour-carrefour-france-carrefour-banque.
[37] See https://www.cnil.fr/en/cookies-financial-penalties-60-million-euros-against-company-google-llc-and-40-million-euros-google-ireland andhttps://www.cnil.fr/en/cookies-financial-penalty-35-million-euros-imposed-company-amazon-europe-core.
[39] See https://www.enisa.europa.eu/publications/recommendations-for-european-standardisation-in-relation-to-csa-ii/.
[40] See https://www.enisa.europa.eu/news/enisa-news/security-requirements-for-operators-of-essential-services-and-digital-service-providers.
[41] See https://www.enisa.europa.eu/news/enisa-news/spotlight-on-incident-reporting-of-telecom-security-and-trust-services.
[42] See https://www.enisa.europa.eu/news/enisa-news/enisa-unveils-its-new-strategy-on-cybersecurity-for-a-trusted-and-cyber-secure-europe.
[43] See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach-affecting-more-than-400-000-customers/.
[44] See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184million-for-failing-to-keep-customers-personal-data-secure/.
[45] See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/11/ico-fines-ticketmaster-uk-limited-125million-for-failing-to-protect-customers-payment-details/.
[46] See https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_bindingdecision01_2020_en.pdf and https://edpb.europa.eu/sites/edpb/files/decisions/final_decision_-_in-19-1-1_9.12.2020.pdf.
[47] See https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/.
[48] See https://ec.europa.eu/info/sites/info/files/draft_eu-uk_trade_and_cooperation_agreement.pdf.
[50] See https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-now-the-transition-period-has-ended/the-gdpr/international-data-transfers/.
[51] The adequacy decisions adopted by the European Commission currently cover Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland and Uruguay.
[52] Seehttps://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-now-the-transition-period-has-ended/the-gdpr/international-data-transfers/.
[53] See Schedule 21 of the Data Protection Act 2018, as enacted by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
[54] See https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf, https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202008_onthetargetingofsocialmediausers_en.pdf and https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42019-article-25-data-protection-design-and_en.
[56] See https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9435753 and https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9485754.
[59] The Statistics are (in Russian) available athttps://rkn.gov.ru/news/rsoc/news71528.htm.
[60] Press release (in Russian) available athttps://rkn.gov.ru/news/rsoc/news71612.htm. For more information in English seehttps://www.reuters.com/article/us-russia-protonmail-idUSKBN1ZS1K8.
[61] Press release (in Russian) available athttps://rkn.gov.ru/news/rsoc/news72026.htm.
[62] Press release (in Russian) available athttps://rkn.gov.ru/news/rsoc/news73050.htm. For more information (in English) seehttps://www.ft.com/content/b1e76905-29f2-4ac0-99e0-7af07cef280d. For more information see the 2020 Privacy and Cybersecurity International Review and Outlook.
[63] Press release (in Russian) available athttps://rkn.gov.ru/news/rsoc/news71720.htm. More information (in English) available athttps://www.themoscowtimes.com/2020/01/31/russia-threatens-facebook-twitter-with-100k-fines-a69126.
[64] Press release (in Russian) available athttps://mos-gorsud.ru/rs/taganskij/news/mirovoj-sudya-rajona-taganskij-rassmotrel-dela-ob-administrativnyh-pravonarusheniyah-v-otnoshenii-tvitter-ink-i-fejsbuk-ink, and https://mos-gorsud.ru/rs/taganskij/news/mirovoj-sudya-rajona-taganskij-rassmotrel-dela-ob-administrativnyh-pravonarusheniyah-v-otnoshenii-tvitter-ink-i-fejsbuk-ink. More information (in English) available athttps://www.themoscowtimes.com/2020/02/13/russia-fines-twitter-and-facebook-63000-each-over-data-law-a69280.
[65] See https://www.themoscowtimes.com/2020/11/26/facebook-pays-russia-50k-fine-for-not-localizing-user-data-a72152.
[66] The law (in Russian) available athttp://publication.pravo.gov.ru/Document/View/0001202012300050.
[67] The law (in Russian) available athttp://publication.pravo.gov.ru/Document/View/0001202012300002.
[68] The law (in Russian) available athttp://publication.pravo.gov.ru/Document/View/0001202012300044.
[69] The law (in Russian) available athttp://publication.pravo.gov.ru/Document/View/0001202012300062.
[70] The Russian laws define the notion of illegal content broadly. Inter alia, illegal content is materials containing public calls for terrorist activities or publicly justifying terrorism, other extremist materials, as well as materials promoting pornography, the cult of violence and cruelty, and materials containing obscene language.
[71] The text of the Revised FADP (in German) is available athttps://www.parlament.ch/centers/eparl/curia/2017/20170059/Schluzssabstimmungstext%203%20NS%20D.pdf.
[72] See Revised FADP, Article 3.
[73] See Revised FADP, Article 5(a).
[74] See Revised FADP, Article 5(c).
[75] See Revised FADP, Article 5(f).
[76] See Revised FADP, Article 5(j) and (k).
[77] See Revised FADP, Article 7.
[78] See Revised FADP, Article 9(3).
[79] See Revised FADP, Article 12.
[80] See Revised FADP, Article 14.
[81] See Revised FADP, Article 19.
[82] See Revised FADP, Article 21.
[83] See Revised FADP, Article 22.
[84] See Revised FADP, Article 24.
[85] See Revised FADP, Article 28.
[86] See Revised FADP, Articles 60-63.
[87] Press release available at https://www.admin.ch/gov/en/start/documentation/media-releases.msg-id-80318.html.
[88] Judgment of the Court of 16 July 2020 in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, available athttp://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=rst&part=1&cid=9791227.
[89] Full statement (in Turkish) available at https://www.kvkk.gov.tr/Icerik/6843/-ALENILESTIRME-HAKKINDA-KAMUOYU-DUYURUSU.
[90] Full statement (in Turkish) available at https://www.kvkk.gov.tr/Icerik/6828/YURTDISINA-VERI-AKTARIMI-KAMUOYU-DUYURUSU.
[91] Full statement (in Turkish) available at https://www.kvkk.gov.tr/Icerik/6728/YURT-DISINA-KISISEL-VERI-AKTARIMINDA-BAGLAYICI-SIRKET-KURALLARI-HAKKINDA-DUYURU.
[92] Full statement (in Turkish) available at https://www.kvkk.gov.tr/Icerik/6777/Kisilerin-Ad-ve-Soyadi-ile-Arama-Motorlari-Uzerinden-Yapilan-Aramalarda-Cikan-Sonuclarin-Indeksten-Cikarilmasina-Yonelik-Talepler-Hakkinda-Kamuoyu-Duyurusu.
[93] Full decision (in Turkish) available athttps://kvkk.gov.tr/Icerik/6776/2020-481.
[94] Full criteria (in Turkish available athttps://kvkk.gov.tr/SharedFolderServer/CMSFiles/68f1fb19-5803-4ef8-8696-f938fb49a9d5.pdf.
[95] Full statement (in Turkish) available athttps://www.kvkk.gov.tr/Icerik/6765/AYDINLATMA-YUKUMLULUGUNUN-YERINE-GETIRILMESI-HAKKINDA-KAMUOYU-DUYURUSU.
[96] Full statement (in Turkish) available at https://www.kvkk.gov.tr/Icerik/6726/COVID-19-ILE-MUCADELEDE-KONUM-VERISININ-ISLENMESI-VE-KISILERIN-HAREKETLILIKLERININ-IZLENMESI-HAKKINDA-BILINMESI-GEREKENLER-2-.
[97] Full text of the Decision (in Turkish) available athttps://kvkk.gov.tr/Icerik/6733/2020-103.
[98] Full text of the Decision (in Turkish) available athttps://kvkk.gov.tr/Icerik/6790/2020-559.
[99] Full text of the Decision (in Turkish) available athttps://www.kvkk.gov.tr/Icerik/6763/2020-286.
[100] Full text of the Decision (in Turkish) available athttps://www.kvkk.gov.tr/Icerik/6739/2020-173.
[101] English text available athttps://www.newamerica.org/cybersecurity-initiative/digichina/blog/chinas-draft-personal-information-protection-law-full-translation/.
[102] See Article 62 of the Draft PIPL.
[103] See Article 42 of the Draft PIPL.
[104] Seehttps://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_comments_on_chinas_draft_personal_information_protection_law__18_november_2020_-_english_.pdf.
[105] See Article 29 of the Draft PIPL.
[106] CBIRC decisions (in Chinese) available athttp://www.cbirc.gov.cn/branch/shanghai/view/pages/common/ItemDetail.html?docId=920602&itemId=1000 and http://www.cbirc.gov.cn/branch/shanghai/view/pages/common/ItemDetail.html?docId=920603&itemId=1000.
[107] For the daft data protection legislation presented to the Ministry of Electronics and Information Technology on 27 July 2018 by the committee of experts led by Justice Srikrishna, seehttps://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.
[108] Report on Non-Personal Data Governance Framework available at https://static.mygov.in/rest/s3fs-public/mygov_159453381955063671.pdf
[109] See “Data Empowerment and Protection Architecture: A Secure Consent-Based Data Sharing Framework to Accelerate Financial Inclusion – Draft for Discussion” (August 2020), available athttps://niti.gov.in/sites/default/files/2020-09/DEPA-Book_0.pdf.
[110] See the National Health Data Management Policy, available athttps://ndhm.gov.in/assets/uploads/NDHM%20Health%20Data%20anagement%20Policy.pdf.
[111] See DSCI, “Work from Home – Best Practices” (18 March 2020), available athttps://www.dsci.in/sites/default/files/DSCI-WorkfromHomeAdvisory-1.pdf.
[112] See DSCI, “COVID-19: Data Privacy Outlook” (24 April 2020), available athttps://www.dsci.in/sites/default/files/DSCI_COVID19_Data_Privacy_Outlook.pdf.
[113] See also DSCI, “Business Resiliency and Security During COVID-19” (24 May 2020), available at https://www.dsci.in/sites/default/files/Business-Resiliency-and-Security.pdf.
[114] See DSCI, “Report on Data Transfers” (8 September 2020), available athttps://www.dsci.in/sites/default/files/documents/resource_centre/DSCI-CIPL-Accountable-Data-Transfer-Report.pdf.
[115] The Discussion Paper is available athttps://www.tec.gov.in/pdf/Whatsnew/ARTIFICIAL%20INTELLIGENCE%20-%20INDIAN%20STACK.pdf.
[116] See “India bans 43 more mobile apps as it takes on China” Reuters (25 November 2020), available athttps://uk.reuters.com/article/uk-india-china-apps/india-bans-43-more-mobile-apps-as-it-takes-on-china-idUKKBN2841QI.
[117] The press release and a list of the apps that were blocked are available athttps://pib.gov.in/PressReleasePage.aspx?PRID=1635206#.XvoIE9L3Qpw.whatsapp.
[118] The press release and a list of the apps that were blocked are available athttps://pib.gov.in/PressReleasePage.aspx?PRID=1650669.
[119] The press release and a list of the apps that were blocked are available athttps://www.pib.gov.in/PressReleasePage.aspx?PRID=1675335.
[120] Case BLAPL/4592/2020 Subhranshu Rout @ Gugul v State of Odisha available at https://www.medianama.com/wp-content/uploads/display_pdf.pdf.
[121] Press release (in Indonesian) available athttps://www.kominfo.go.id/content/detail/24039/siaran-pers-no-15hmkominfo012020-tentang-presiden-serahkan-naskah-ruu-pdp-ke-dpr-ri/0/siaran_pers; the PDP Bill (in Indonesian) is available athttps://web.kominfo.go.id/sites/default/files/users/4752/Rancangan%20UU%20PDP%20Final%20%28Setneg%20061219%29.pdf.
[122] Press release (in Indonesian) available athttps://www.kominfo.go.id/content/detail/24041/menkominfo-indonesia-akan-menjadi-negara-ke-5-di-asean-pemilik-uu-pdp/0/berita_satker.
[123] Press release (in Indonesian) available athttps://www.kominfo.go.id/content/detail/29084/siaran-pers-no-104hmkominfo092020-tentang-pemerintah-apresiasi-pandangan-fraksi-terhadap-ruu-pdp/0/siaran_pers.
[124] Press release (in Hebrew) available at https://www.gov.il/he/departments/publications/Call_for_bids/amendment_privacy_protection
[125] Press release (in Hebrew) available at https://www.tazkirim.gov.il/s/law-item/a093Y00001RdRNXQA3/%D7%AA%D7%96%D7%9B%D7%99%D7%A8-%D7%97%D7%95%D7%A7-%D7%94%D7%92%D7%A0%D7%AA-%D7%94%D7%A4%D7%A8%D7%98%D7%99%D7%95%D7%AA-%D7%AA%D7%99%D7%A7%D7%95%D7%9F-%D7%9E%D7%A1-%D7%94%D7%92%D7%93%D7%A8%D7%95%D7%AA-%D7%95%D7%A6%D7%9E%D7%A6%D7%95%D7%9D-%D7%97%D7%95%D7%91%D7%AA-%D7%94%D7%A8%D7%99%D7%A9%D7%95%D7%9D-%D7%94%D7%AA%D7%A9%D7%A3-2020?language=iw
[126] See “Opinion regarding cross-border transfers of personal data, from Israeli based organisations to organisations based in countries complying with the data protection legislation of the EU” (1 July 2020), available athttps://www.gov.il/en/Departments/publications/reports/personaldata_the_european_union.
[127] See “Personal data of all 6.5 million Israeli voters is exposed” (10 February 2020), available athttps://www.nytimes.com/2020/02/10/world/middleeast/israeli-voters-leak.html. Press release, “Data Breach at Shirbit” (1 December 2020), available athttps://www.gov.il/en/departments/news/news_shirbit.
[128] English version of the of APPI available athttps://www.ppc.go.jp/files/pdf/Act_on_the_Protection_of_Personal_Information.pdf.
[129] Department of Personal Data Protection, “Public Consultation Paper No. 10/2020 – Review of Personal Data Protection Act 2010 (Act 709)” (14 February 2020), available athttps://www.pdp.gov.my/jpdpv2/assets/2020/02/Public-Consultation-Paper-on-Review-of-Act-709_V4.pdf. See also a press release of 26 August 2020, where the Malaysian government announces the continued discussions on amending the Personal Data Protection Act 2010 (in Malay), available athttps://www.kkmm.gov.my/awam/berita-terkini/17616-bernama-26-ogos-2020-kerajaan-masih-bincang-keperluan-pinda-akta-perlindungan-data-peribadi.
[130] Advisory guidelines (in Malay) available athttps://www.kkmm.gov.my/images/AdHoc/200529-ADVISORY.pdf.
[131] See “MCI and PDPC launch online public consultation on Personal Data Protection (Amendment) Bill 2020”, Press Release (14 May 2020), available athttps://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/5/MCI-and-PDPC-launch-online-public-consultation-on–Personal-Data%20Protection-Amendment-Bill-2020; “Public Consultation on the Draft Personal Data Protection (Amendment) Bill” (28 May 2020), available athttps://www.mci.gov.sg/public-consultations/public-consultation-items/public-consultation-on-the-draft-personal-data-protection-amendment-bill.
[132] See Bill No. 37/2020 Personal Data Protection (Amendment) Bill, available athttps://www.parliament.gov.sg/docs/default-source/default-document-library/personal-data-protection-(amendment)-bill-37-2020.pdf; Ministry of Communications and Information, “Amendments to the Personal Data Protection Act and Spam Control Act Passed”, Press Release (2 November 2020), available athttps://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/amendments-to-the-personal-data-protection-act-and-spam-control-act-passed.
[133] See “Opening Speech by Mr S Iswaran, Minister for Communications and Information, at the Second Reading of the Personal Data Protection (Amendment) Bill 2020 on 2 November 2020” (2 November 2020), available athttps://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/opening-speech-by-minister-iswaran-at-the-second-reading-of-pdp-(amendment)-bill-2020.
[134] See “Amendments to the Personal Data Protection Act and Spam Control Act Passed”, Press Release (2 November 2020), available athttps://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/amendments-to-the-personal-data-protection-act-and-spam-control-act-passed.
[135] See PDPC, “Draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill” (20 November 2020), available athttps://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Draft-AG-on-Key-Provisions/Draft-Advisory-Guidelines-on-Key-Provisions-of-the-PDP-(Amendment)-Bill-(20-Nov-2020).pdf?la=en.
[136] English version of PIPA available athttps://elaw.klri.re.kr/kor_service/lawView.do?hseq=53044&lang=ENG.
[137] Royal Decree (in Thai) available athttp://www.ratchakitcha.soc.go.th/DATA/PDF/2563/A/037/T_0001.PDF.
[138] MDES statement (in Thai) is available athttps://www.mdes.go.th/news/detail/2760–ดีอีเอส–เตรียมคลอดประกาศมาตรการคุ้มครองความปลอดภัยข้อมูลส่วนบุคคลฯ.
[139] MDES notice (in Thai) available athttp://www.ratchakitcha.soc.go.th/DATA/PDF/2563/E/164/T_0012.PDF.
[141] See “Abu Dhabi Global Market Launches Public Consultation on New Data Protection Regulatory Framework” by Natasha G. Kohne, Jenny Arlington, Sahar Abas & Mazen Baddar, GDPR, International Privacy (7 December 2020), available at https://www.akingump.com/en/experience/practices/cybersecurity-privacy-and-data-protection/ag-data-dive/abu-dhabi-global-market-launches-public-consultation-on-new-data-protection-regulatory-framework.html.
[142] See “ADGM commences Public Consultation on proposed new Data Protection Regulations” (19 November 2020), available athttps://www.adgm.com/media/announcements/adgm-commences-public-consultation-on-proposed-new-data-protection-regulations.
[144] See Data Protection Regulations, available athttps://www.difc.ae/files/9315/9358/7756/Data_Protection_Regulations_2020.pdf and Data Protection Law No. 5 of 2020, available athttps://www.difc.ae/files/6215/9056/5113/Data_Protection_Law_DIFC_Law_No._5_of_2020.pdf.
[145] For the full list of accredited GPA members, see https://globalprivacyassembly.org/participation-in-the-assembly/list-of-accredited-members/.
[146] See “Africa to harmonise laws for data protection, digital economy” by Gloria Nwafor, Guardian (8 October 2020), https://guardian.ng/appointments/africa-to-harmonise-laws-for-data-protection-digital-economy/?_sm_au_=iVV7MH8JqKDPF0RFFcVTvKQkcK8MG.
[147] See “Sisi endorses law on personal data protection”, Egypt Today (18 July 2020), available athttps://www.egypttoday.com/Article/1/89794/Sisi-endorses-law-on-personal-data-protection.
[148] Kenya’s high court ruled that the country’s new digital ID scheme could continue with some conditions and stronger regulations. The court banned the collection of DNA and geolocation data, See “Court orders safeguards for Kenyan digital IDs, bans DNA collecting“, by Humphrey Malalo, Omar Mohammed, (31 January 2020), available athttps://www.reuters.com/article/us-kenya-rights/court-orders-safeguards-for-kenyan-digital-ids-bans-dna-collecting-idUSKBN1ZU23D
[149] See “ITI Comments on the U.S.-Kenya Trade Agreement Negotiation” (27 April 2020), https://www.itic.org/policy/ITIUS-KenyaFTAComments_27APR2020_FINAL.pdf and “ITI: U.S.-Kenya Trade Agreement Can Set New Global Benchmark for Digital Trade” (28 April 2020), available athttps://www.itic.org/news-events/news-releases/iti-u-s-kenya-trade-agreement-can-set-new-global-benchmark-for-digital-trade.
[150] See “Joint Statement Between the United States and Kenya on the Launch of Negotiations Towards a Free Trade Agreement” (7 August 2020), available athttps://ustr.gov/node/10204.
[151] See “Stakeholders’ Consultation Workshop on the Data Protection Bill in Namibia” (24-26 February 2020), available athttps://www.coe.int/en/web/cybercrime/glacyplusactivities/-/asset_publisher/ekq5KxUZwAqU/content/glacy-stakeholders-consultation-workshop-on-the-data-protection-bill-in-namibia?inheritRedirect=false&redirect=https%253A%252F%252Fwww.coe.int%252Fen%252Fweb%252Fcybercrime%252Fglacyplusactivities%253Fp_p_id%253D101_INSTANCE_ekq5KxUZwAqU%2526p_p_lifecycle%253D0%2526p_p_state%253Dnormal%2526p_p_mode%253Dview%2526p_p_col_id%253Dcolumn-4%2526p_p_col_count%253D1.
[152] See “Pantami Reiterates FG’s Commitment to Strengthening Cybersecurity” (14 April 2020), available athttps://www.ncc.gov.ng/media-centre/news-headlines/783-pantami-reiterates-fg-s-commitment-to-strengthening-cybersecurity.
[154] See “Annual Report for the 2019/2020 Financial Year”, available athttps://www.justice.gov.za/inforeg/docs/anr/ANR-2019-2020-InformantionRegulatorSA.pdf and “South Africa must implement privacy laws to protect citizens, says UN expert” (12 March 2020), available athttps://mg.co.za/article/2020-03-12-south-africa-must-implement-privacy-laws-to-protect-citizens-says-un-expert/. Moreover, two significant incidents were reported: Experian South Africa announced a data incident affecting 24 million South Africans and 793,749 businesses, see “Experian South Africa curtails data incident” (19 August 2020), available athttps://www.experian.co.za/content/dam/marketing/emea/soafrica/za/assets/experian-south-africa-statement-19082020.pdf. Nedbank announced a data incident concerning 1.7 million clients, see “Nedbank warns clients of potential impact of data incident at Computer Facilities (Pty) Ltd”, https://www.nedbank.co.za/content/nedbank/desktop/gt/en/info/campaigns/nedbank-warns-clients.html.
[155] See “Guidance Note on the Processing of Personal Information in the Management and Containment of COVID-19 Pandemic in terms of the Protection of Personal Information Act 4 of 2013 (POPIA),” available athttps://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-PPI-Covid19-20200403.pdf and Press Release (3 April 2020), available athttps://www.justice.gov.za/inforeg/docs/ms-20200403-GuidanceNote-PPI-Covid19.pdf.
[156] See “Conseil des ministres: un projet de décret sur la protection des données à caractère personnel adopté” (9 December 2020), available athttps://presidence.gouv.tg/2020/12/09/conseil-des-ministres-un-projet-de-decret-sur-la-protection-des-donnees-a-caractere-personnel-adopte/.
[157] See “Statement on cabinet decisions of 27th October 2020”, available athttps://www.primature.gov.rw/index.php?id=131&tx_news_pi1%5Bnews%5D=933&tx_news_pi1%5Bcontroller%5D=News&tx_news_pi1%5Baction%5D=detail&cHash=7a012c144e6b2eb6d384a0bf1f153c26.
[158] See “Rwanda data protection bill approved” (29 October 2020), available athttps://iapp.org/news/a/rwanda-data-protection-bill-approved/#:~:text=30%20and%20included%20provisions%20on,as%20transfers%2C%20sharing%20and%20retention.
[159] See Cybersecurity Regulation n˚ 010/r/cr-csi/rura/020 of 29/05/2020, available athttps://rura.rw/fileadmin/Documents/ICT/Laws/Cybersecurity_Regulation_in_Rwanda.pdf.
[160] See “Oman: Latest developments in data protection and cybersecurity,” Alice Gravenor, PWC-Middle East (19 November 2020), available athttps://www.pwc.com/m1/en/media-centre/articles/oman-latest-developments-data-protection-cybersecurity.html.
[161] See Draft Personal Data Protection Bill (9 April 2020), available athttps://moitt.gov.pk/SiteImage/Misc/files/Personal%20Data%20Protection%20Bill%202020%20Updated(1).pdf.
[162] See social media rules adopted (6 October 2020), available athttps://moitt.gov.pk/SiteImage/Misc/files/Corrected%20Version%20of%20Rules.pdf.
[163] Law (in English) available athttps://www.lgpdbrasil.com.br/wp-content/uploads/2019/06/LGPD-english-version.pdf.
[164] Law (in Portuguese) available athttps://www.in.gov.br/en/web/dou/-/lei-n-14.058-de-17-de-setembro-de-2020-278155040.
[165] Bill (in Portuguese) available at: https://www.camara.leg.br/proposicoesWeb/prop_mostrarintegra;jsessionid=E847373CA5B3CD6F9C0FEF1AA14EED13.proposicoesWebExterno1?codteor=1931814&filename=Tramitacao-PL+4695/2020.
[166] Regulation (in Portuguese) available at https://sei.anatel.gov.br/sei/modulos/pesquisa/md_pesq_documento_consulta_externa.php?eEP-wqk1skrd8hSlk5Z3rN4EVg9uLJqrLYJw_9INcO760LFI_pHFdPDvhssf6GcKAE5_GJovBZUfi7_h9SO4EFu4GZ_rtRSkPAMggKV38swnbODIuh_k2ClcCwWdtg0X.
[167] Decision (in Spanish) available athttps://www.argentina.gob.ar/sites/default/files/rs-2020-33-apn-aaip.pdf.
[168] Law (in Spanish) available athttp://servicios.infoleg.gob.ar/infolegInternet/anexos/230000-234999/233066/norma.htm.
[169] Decision (in Spanish) available athttps://www.argentina.gob.ar/sites/default/files/rs-2020-25457045-apn-aaip_google.pdf.
[170] Press release (in Spanish) available athttps://www.consejotransparencia.cl/fiscalizacion-del-cplt-descubre-vulneracion-de-la-privacidad-de-pacientes-en-compras-de-hospitales-y-servicios-de-salud/.
[171] Letter (in Spanish) available athttps://www.consejotransparencia.cl/wp-content/uploads/2020/06/N%C2%B0000746-Patricio-Ferna%CC%81ndez-Pe%CC%81rez.-Superintendente-de-Salud.pdf.
[172] Order (in Spanish) available athttps://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/Res%2074519%20DE%202020%20ZOOM(1).pdf.
[172a] See https://www.sic.gov.co/slider/superindustria-ordena-la-plataforma-zoom-reforzar-medidas-de-seguridad-para-proteger-los-datos-personales-de-los-colombianos
[173] The imposed fine was of COP 894,365,280 (approx. €214,524), after confirming the violation of the personal data of a data subject whose data was being processed by EPS. Full Resolution available at https://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/1%20Apelacio%CC%81n%2018-179365%20%20EPS%20SANITAS%20VP%20F%20(1)%20(1).pdf.
[174] For the first bank, the imposed fine was of COP 702,000,000 (approx. €171,400) for including information that was not of a financial or credit nature in the credit history of 288,753 Colombians. Full Resolution available athttps://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/SANCIO%CC%81N%20CIFIN.pdf; for the second bank, the imposed fine was of COP 269,046,492 (approx. €60,030) for violating a data subject’s right to deletion. Full Resolution of SIC available athttps://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/19-141889%20VP.pdf; for the third bank, the imposed fine was of COP 356,070,000 (approx. €80,910) for violations of Law 1581 of 2012 and Decree 4886 of 2011. Full decision of SIC available athttps://www.sic.gov.co/sites/default/files/files/Noticias/2019/RE10720-2020(1).pdf.
[175] Press release (in Spanish) available athttps://home.inai.org.mx/wp-content/documentos/SalaDePrensa/Comunicados/Comunicado%20INAI-102-20.pdf.
[176] Press release (in Spanish) available athttps://home.inai.org.mx/wp-content/documentos/SalaDePrensa/Comunicados/Comunicado%20INAI-106-20.pdf.
[177] Press release (in Spanish) available athttps://home.inai.org.mx/wp-content/documentos/SalaDePrensa/Comunicados/Comunicado%20INAI-228-20.pdf.
[178] Press release (in Spanish) available athttps://home.inai.org.mx/wp-content/documentos/SalaDePrensa/Comunicados/Comunicado%20INAI-113-20.pdf.
[179] Mexico’s Official Gazzete publication of January 11, 2021 that modifies section XII Bis of the Federal Labor Law available athttp://dof.gob.mx/nota_detalle.php?codigo=5609683&fecha=11/01/2021.
[180] Decree (in Spanish) available athttps://www.impo.com.uy/bases/decretos/64-2020
The following Gibson Dunn lawyers assisted in the preparation of this article: Ahmed Baladi, Alexander Southwell, Alejandro Guerrero, Vera Lukic and Clémence Pugnet.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:
Europe
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])
Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])
United States
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
With the 117th Congress now fully seated, the private sector is set to face greater scrutiny from the Legislative Branch than it has in a decade, as Democrats regain control of both chambers of Congress and the presidency for the first time since 2010. Democrats are assuming unitary control as a number of hot-button issues involving private sector entities are front and center in the public discourse—many of which are drawing bipartisan interest—including COVID-19 relief spending, climate change, healthcare and prescription drug costs, cybersecurity breaches, and regulation of big technology companies. And, because Democratic committee chairs are likely to spend significantly less time investigating the Executive Branch under a Biden Administration, additional staff resources will be deployed on the private sector, which should expect the spotlight to be even brighter.
Unlike receiving a civil complaint or compulsory process in an Executive Branch investigation, when a congressional letter or subpoena arrives, targeted organizations may have only a matter of days to consider their response and devise a strategy, and often must do so amid significant media scrutiny and public attention. Congressional investigations often involve public attacks on a company’s reputation, which can imperil the goodwill upon which the company has built its business and maintains its competitive advantages. It is therefore crucial that potential targets evaluate their exposure to likely investigations in the 117th Congress, familiarize themselves with how such inquiries unfold—including the rules and procedures that govern them—and consider potential responses.
To assist possible targets and interested parties in assessing their readiness for responding to a potential congressional investigation, Gibson Dunn presents our view of the new landscape that the 117th Congress will present. We also present a brief overview of how congressional investigations are often conducted, Congress’ underlying legal authorities to investigate, and various defenses that can be raised in response. In addition, we discuss missteps that subjects of investigations sometimes make when receiving an inquiry, and best practices for how to respond.
I. Lay of the Land in the 117th Congress
House of Representatives
As expected when Democrats regained control of the House Chamber in 2019 after eight years of GOP control, numerous private sector industries quickly saw a sharp uptick in congressional scrutiny. Moreover, as we explained in a prior client alert, upon assuming control of the House in the last Congress, Democrats expanded the investigative tools at their disposal in a number of ways. These expanded authorities have been carried over to the 117th Congress, and certain others have been added. Committees will organize over the coming weeks, and additional investigative tools could be added to their arsenals.
Expanding investigative powers: In the rules package for the 117th Congress, Democrats have continued the trend of expanding and strengthening their investigative powers. This includes permitting certain committees to issue subpoenas before the committees are formally organized. Specifically, the House has authorized the Chair of the Committee on Oversight and Reform to issue subpoenas related to the investigation into the accuracy and timing of the 2020 census, and the Chair of the re-authorized Select Subcommittee on the Coronavirus Crisis has the power to issue subpoenas related to its investigation into political interference at the Department of Health and Human Services and Centers for Disease Control and Prevention.
In addition to the strengthened subpoena power, Democrats will maintain broad deposition authority. In the prior Congress, Democrats expanded the House’s deposition authority by permitting staff counsel to conduct depositions and removing the requirement that a member be present during the taking of a deposition. As we previously noted, such broad authority makes it more difficult for minority members to affect, influence, or otherwise hinder investigations to which they are opposed. It is also important to remember that, unlike in the Senate, nearly every House committee chair is empowered to issue a deposition subpoena unilaterally, that is, without the ranking member’s consent or a committee vote, after mere “consultation” with the ranking member.
Likely investigative priorities: As for investigative priorities, a wide array of topics is likely to be covered by House committees; however, Democrats have signaled that immediate priorities include investigating issues related to climate change and the ongoing coronavirus pandemic response. To that end, in addition to re-authorizing the House Select Subcommittee on the Coronavirus Crisis, the House also re-authorized the Select Committee on the Climate Crisis. The Subcommittee on the Coronavirus Crisis has been actively investigating various aspects of the pandemic since it was established by the CARES Act; it has a full suite of authorities, including subpoena power, pursuant to its organizing resolution. While much of the Subcommittee’s focus during the last Congress was on the government’s pandemic response, we expect more of the Subcommittee’s attention will turn to private actors that are involved in the response or recipients of relief funds.
The Select Committee on the Climate Crisis was formed to deliver climate policy recommendations to Congress and was given the jurisdiction to “study, make findings, and develop recommendations on policies, strategies, and innovations” to tackle the climate crisis.[1] The Committee has the power to “hold public hearings in connection with any aspect of its investigative functions.”[2] The Committee does not have subpoena power of its own, but it can request that other committees issue subpoenas. The Committee has thus far focused on holding climate policy hearings on topics such as clean energy, industrial emissions, and the health impacts of the climate crisis rather than on conducting investigations. However, the Committee may turn its attention towards the private sector’s impact on climate change as the Biden Administration makes climate change a focus of its first term.
House Democrats have authorized another new committee, the Select Committee on Economic Disparity and Fairness in Growth. This Committee has been given broad jurisdiction covering “economic fairness, access to education, and workforce development.”[3] It is possible this Committee will be interested in a range of private sector industries, including consumer-facing financial institutions, student loan lenders, and credit agencies. Like the Climate Crisis Committee, this committee does not have its own subpoena power and must rely on standing committees to issue subpoenas in support of its investigations. This arrangement makes it unlikely that either of these select committees’ investigations will involve the issuance of subpoenas unless House Democratic leadership tasks this or the Climate Crisis Committee with a contentious investigation and instructs standing committees to back up the investigation with subpoena authority.
While the Democrats’ focus is likely to shift to the private sector as the Biden Administration begins its term, there will no doubt be a continued desire to investigate former President Trump and the outgoing administration, particularly in light of the violent events at the Capitol on January 6. To that end, the House Democrats’ new rules package includes explicit language allowing the House to issue subpoenas to “the President, and the Vice President, whether current or former, in a personal or official capacity” as well as White House and executive office employees.[4] Additionally, private parties with business connections to President Trump or his organization may continue to face scrutiny.
Senate
Democrats will steer the Senate’s investigative agenda during the 117th Congress after ten years of being in the minority. While Senate committees have yet to organize and publish their rules, it is likely that Democrats will spare little time in getting a number of investigations off the ground, particularly those that complement the Biden Administration’s first-100-days policy priorities.
Key committees to watch: Two committees to pay particular attention to will be the Senate Finance Committee and the Senate Committee on Banking, Housing and Urban Affairs. Senator Ron Wyden (D-OR) is expected to become Chairman of the Senate Finance Committee. Senator Wyden has a reputation as an aggressive investigator, and his past work has included investigations into international trade issues, the NRA, tax benefit abuse, and other topics. Recently, Senator Wyden, together with Senator Grassley (R-IA), issued a report illuminating the extensive connections among opioid manufacturers, opioid-related products, and tax-exempt entities. Wyden and Grassley also teamed up last Congress on a two-year investigation into insulin pricing. Companies can expect Senator Wyden to continue to pursue investigations into a wide range of consumer protection issues and other topics.
The Senate Committee on Banking, Housing and Urban Affairs is similarly likely to be active. Senator Sherrod Brown (D-OH) is expected to become Chairman of the Committee and likely will conduct aggressive oversight of the banking industry. Senator Elizabeth Warren (D-MA) may become Chairwoman of the Subcommittee on Financial Institutions and Consumer Protection, or even of a newly-created oversight committee. This would give Senator Warren oversight and investigation authority, including the ability to hold hearings and to issue subpoenas. Senator Warren has long been a proponent of broader regulation of financial institutions, including calling for stricter separation between commercial banks and investment banks and for efforts to expand access to lenders for average Americans.
Another committee to watch is the Commerce, Science, and Transportation Committee, which Senator Maria Cantwell (D-WA) is expected to chair. The panel has a wide set of responsibilities, including overseeing the regulation of technology companies and handling transportation infrastructure—both issues that are likely to demand attention in the new Congress. It also sets policy for research agencies including NSF, the National Oceanic and Atmospheric Administration, and the National Institute of Standards and Technology. Senator Cantwell, a former technology industry executive, has a strong interest in research and climate issues, which could influence the panel’s work, particularly in light of the Biden Administration’s stated commitment to advancing climate change legislation. While Senator Cantwell has historically not been an active investigator, we can expect the Committee to be active in its legislative activities, and it may launch investigations that are ancillary to these legislative activities.
One final investigative body of note is the Senate Permanent Subcommittee on Investigations (“PSI”), which is a subcommittee of the Senate Homeland Security and Government Affairs Committee. PSI has the responsibility of studying and investigating the efficiency and economy of operations relating to all branches of the government and is also tasked with studying and investigating the compliance or noncompliance with rules, regulations, and laws, investigating all aspects of crime and lawlessness within the United States which have an impact upon or affect the national health, welfare, and safety, including syndicated crime, investment fraud schemes, commodity and security fraud, computer fraud, and the use of offshore banking and corporate facilities to carry out criminal objectives. While it is unclear who will chair PSI at this time, we can expect it to be active in its investigations.. When Democrats last controlled the Senate, former Michigan Senator Carl Levin chaired PSI and launched a series of high profile and wide-ranging investigations of the financial sector. It’s likely the next Democratic Chair will follow Levin’s lead and adopt an aggressive posture. Also worth watching is who will fill former Senator Kamala Harris’s seat on PSI.
Potential Changes to Subpoena and Deposition Authority: We will also be closely watching whether Senate Democrats strengthen their investigative arsenal, particularly when it comes to subpoena and deposition authority. With respect to subpoenas, currently only the Chair of PSI is authorized to issue a subpoena unilaterally, a significant difference with the House where nearly all committee chairs may do so. Because Senate investigations have historically been more bipartisan than those in the House, there has been a longstanding hesitation on both sides to expand unilateral subpoena power. It remains to be seen if that philosophy will continue to hold sway in the 117th Congress.
It is also important to keep a close watch on Senate deposition authority. In the last Congress, seven Senate bodies had authorization to take depositions: (1) Judiciary, (2) Homeland Security and Governmental Affairs (“HSGAC”), (3) PSI, (4) Aging, (5) Indian Affairs, (6) Ethics, and (7) Intelligence. Of these, HSGAC, PSI, Judiciary, and Aging can subpoena an individual to appear at a deposition. HSGAC, Judiciary, and Aging rules require concurrence of the ranking member or a Committee vote to authorize the issuance of a subpoena, while the Chair of PSI is empowered to issue a subpoena unilaterally. Moreover, staff is expressly authorized to take depositions in each of these committees except in the Indian Affairs and Intelligence Committees. However, heretofore the Senate’s view is that Senate Rules do not authorize staff depositions pursuant to subpoena. Hence, Senate committees cannot delegate that authority to themselves through committee rules, absent a Senate resolution or a change in Senate rules. It remains to be seen whether and to what extent Democrats may expand these authorities.
II. Unique Features of Congressional Investigations
As a practical matter, numerous motivations (not always legitimate) often drive a congressional inquiry, including: advancing a chair’s political agenda or public profile, exposing alleged criminal wrongdoing or unethical practices, pressuring a company to take certain actions, and responding to public outcry. Recognizing the presence of these underlying objectives and evaluating the political context surrounding an inquiry can therefore be a key component of developing an effective response strategy.
Congress’s power to investigate is broad—as broad as its legislative authority. The “power of inquiry” is inherent in Congress’s authority to “enact and appropriate under the Constitution.”[5] And while Congress’s investigatory power is not a limitless power to probe any private affair or to conduct law enforcement investigations, but rather must further a valid legislative purpose,[6] the term “legislative purpose” is understood broadly to include gathering information not only for the purpose of legislating, but also for overseeing governmental matters and informing the public about the workings of government.[7]
Congressional investigations present a number of unique challenges not found in the familiar arenas of civil litigation and Executive Branch investigations. Unlike the relatively controlled environment of a courtroom, congressional investigations often unfold in a hearing room in front of television cameras and on the front pages of major newspapers and social media feeds.
III. Investigatory Tools of Congressional Committees
Congress has many investigatory tools at its disposal, including: (1) requests for information; (2) interviews; (3) depositions; (4) hearings; (5) referrals to the Executive Branch for prosecution; and (6) subpoenas for documents and/or testimony. If these methods fail, Congress can use its contempt power in an effort to punish individuals or entities who refuse to comply with subpoenas. It is imperative that targets be familiar with the powers (and limits) of each of the following tools to best chart an effective response:
- Requests for Information: Any member of Congress may issue a request for information to an individual or entity, which request may seek documents or other information.[8] Absent the issuance of a subpoena, responding to such requests is entirely voluntary as a legal matter (although of course there may be public and/or political pressure to respond). As such, recipients of such requests should carefully consider the pros and cons of different degrees of responsiveness.
- Interviews: Interviews also are voluntary, led by committee staff, and occur in private (in person or over the phone). They tend to be less formal than depositions and are sometimes transcribed. Committee staff may take copious notes and rely on interview testimony in subsequent hearings or public reports. Although interviews are typically not conducted under oath, false statements to congressional staff can be criminally punishable as a felony under 18 U.S.C. § 1001.
- Depositions: Depositions can be compulsory, are transcribed, and are taken under oath. As such, depositions are more formal than interviews and are similar to those in traditional litigation. The number of committees with authority to conduct staff depositions has increased significantly over the last few years. In the last Congress, the House required (with limited exceptions) that one or more Members of Congress be present during a deposition. Importantly, the House rules for the 117th Congress have eliminated this requirement (see infra, Section IV), which will likely result in an increase in the use—or at least threatened use—of depositions as an investigative tool.[9] It is expected that the House Rules Committee soon will issue guidance on how staff depositions are to be conducted. In the 116th Congress, staff of five Senate committees/subcommittees were authorized to conduct staff depositions: Judiciary, HSGAC, PSI, Aging and Ethics.[10] However, Judiciary required that a member be present during deposition, unless waived by agreement of the chair and ranking member.The House Rules Committee’s regulations for staff depositions in the 117th Congress will likely mirror in many respects the regulations issued by that Committee in the 116th Congress. Significantly, those regulations changed past practice by authorizing the immediate overruling of objections raised by a witness’s counsel and immediate instructions to answer, on pain of contempt. Those regulations also appeared to eliminate the witness’s right to appeal rulings on objections to the full committee (although committee members may still appeal). Assuming these changes are preserved in the 117th Congress, as seems likely, they will continue to enhance the efficiency of the deposition process, as prior to the 116th Congress the staff deposition regulations required a recess before the chair could rule on an objection. Additionally, the regulations for the 116th Congress expressly allowed for depositions to continue from day to day and permit, with notice from the chair, questioning by members and staff of more than one committee. Finally, the regulations removed a prior requirement that allowed objections only by the witness or the witness’s lawyer. This change appears to allow objections from staff or members who object to a particular line of questioning.[11]
- Hearings: While both depositions and interviews allow committees to acquire information quickly and (at least in many circumstances) confidentially,[12] testimony at hearings, unless on a sensitive topic, is conducted in a public session led by the members themselves (or, on occasion, committee counsel).[13] Hearings can either occur at the end of a lengthy staff investigation or take place more rapidly, often in response to an event that has garnered public and congressional concern. Most akin to a trial in litigation (though without many of the procedural protections or the evidentiary rules applicable in judicial proceedings), hearings are often high profile and require significant preparation to navigate successfully.
- Executive Branch Referral: Congress also has the power to refer its investigatory findings to the Executive Branch for criminal prosecution. After a referral from Congress, the Department of Justice may charge an individual or entity with making false statements to Congress, obstruction of justice, or destruction of evidence. Importantly, while Congress may make a referral, the Executive Branch retains the discretion to prosecute, or not.
Subpoena Power
As noted above, Congress will usually seek voluntary compliance with its requests for information or testimony as an initial matter. If initial requests for voluntary compliance meet with resistance, however, or if time is of the essence, it may compel disclosure of information or testimony through the issuance of a congressional subpoena.[14] Like Congress’s power of inquiry, there is no explicit constitutional provision granting Congress the right to issue subpoenas.[15] But the Supreme Court has recognized that the issuance of subpoenas is “a legitimate use by Congress of its power to investigate” and its use is protected from judicial interference in some respects by the Speech or Debate Clause.[16] Congressional subpoenas are subject to few legal challenges,[17] and “there is virtually no pre-enforcement review of a congressional subpoena” in most circumstances.[18]
The authority to issue subpoenas is initially governed by the rules of the House and Senate, which delegate further rulemaking to each committee.[19] While nearly every standing committee in the House and Senate has the authority to issue subpoenas, the specific requirements for issuing a subpoena vary by committee. These rules are still being developed by the committees of the 117th Congress, and can take many forms.[20] For example, several House committees authorize the committee chair to issue a subpoena unilaterally and require only that notice be provided to the ranking member. Others, however, require approval of the chair and ranking member, or, upon the ranking member’s objection, require approval by a majority of the committee.
Contempt of Congress
Failure to comply with a subpoena can result in contempt of Congress. Although Congress does not frequently resort to its contempt power to enforce its subpoenas, it has three potential avenues for seeking to implement its contempt authority.
- Inherent Contempt Power: The first, and least relied upon, is Congress’s inherent contempt power. Much like the subpoena power itself, the inherent contempt power is not specifically authorized in the Constitution, but the Supreme Court has recognized its existence and legitimacy.[21] To exercise this power, the House or Senate must pass a resolution and then conduct a full trial or evidentiary proceeding, followed by debate and (if contempt is found to have been committed) imposition of punishment.[22] As is apparent in this description, the inherent contempt authority is cumbersome and inefficient, and it is potentially fraught with political peril for legislators. It is therefore unsurprising that Congress has not used it since 1934.[23]
- Statutory Criminal Contempt Power: Congress also possesses statutory authority to refer recalcitrant witnesses for criminal contempt prosecutions in federal court. In 1857, Congress enacted this criminal contempt statute as a supplement to its inherent authority.[24] Under the statute, a person who refuses to comply with a subpoena is guilty of a misdemeanor and subject to a fine and imprisonment.[25] “Importantly, while Congress initiates an action under the criminal contempt statute, the Executive Branch prosecutes it.”[26] This relieves Congress of the burdens associated with its inherent contempt authority. The statute simply requires the House or Senate to approve a contempt citation. Thereafter, the statute provides that it is the “duty” of the “appropriate United States attorney” to prosecute the matter, although the Department of Justice maintains that it always retains discretion not to prosecute, and often declines to do so.[27] Although utilized as recently as the 1980s, the criminal contempt power has largely fallen into disuse.[28]
- Civil Enforcement Authority: Finally, Congress may seek civil enforcement of its subpoenas, which is often referred to as civil contempt. The Senate’s civil enforcement power is expressly codified.[29] This statute expressly authorizes the Senate to seek enforcement of legislative subpoenas in a U.S. District Court. In contrast, the House does not have a civil contempt statute, but it may pursue a civil contempt action “by passing a resolution creating a special investigatory panel with the power to seek judicial orders or by granting the power to seek such orders to a standing committee.”[30] In the past, the full House has typically “adopt[ed] a resolution finding the individual in contempt and authorizing a committee or the House General Counsel to file suit against a noncompliant witness in federal court.”[31] In the 116th Congress, however, the Chairman of the House Rules Committee took the position that the House rules empower the Bipartisan Legal Advisory Group (“BLAG”; consisting of the Speaker, the Majority and Minority Leaders, and the Majority and Minority Whips) to authorize a civil enforcement action without the need for a House vote.[32] The House subsequently endorsed that position, and the BLAG authorized at least one civil enforcement action during the 116th Congress.[33] It seems likely that this authority will be continued in the 117th Congress.
IV. Defenses to Congressional Inquiries
While potential defenses to congressional investigations are limited, they are important to understand—likely more so now with Democrats taking control of both chambers. The principal defenses are as follows:
Jurisdiction and Legislative Purpose
As discussed above, a congressional investigation is required generally to relate to a legislative purpose, and must also fall within the scope of legislative matters assigned to the particular committee at issue. In a challenge based on these defenses, the party subject to the investigation must argue that the inquiry does not have a proper legislative purpose, that the investigation has not been properly authorized, or that a specific line of inquiry is not pertinent to an otherwise proper purpose within the committee’s jurisdiction. Because courts generally interpret “legislative purpose” broadly, these challenges can be an uphill battle. Nevertheless, this defense should be considered when a committee is pushing the boundaries of its jurisdiction or pursuing an investigation that arguably lacks any legitimate legislative purpose.
Constitutional Defenses
Constitutional defenses under the First and Fifth Amendments may be available in certain circumstances. While few of these challenges are ever litigated, these defenses should be carefully evaluated by the subject of a congressional investigation.
When a First Amendment challenge is invoked, a court must engage in a “balancing” of “competing private and public interests at stake in the particular circumstances shown.”[34] The “critical element” in the balancing test is the “existence of, and the weight to be ascribed to, the interest of the Congress in demanding disclosures from an unwilling witness.”[35] Though the Supreme Court has never relied on the First Amendment to reverse a criminal conviction for contempt of Congress, it has recognized that the First Amendment may restrict Congress in conducting investigations.[36] Courts have also recognized that the First Amendment constrains judicially compelled production of information in certain circumstances.[37] Accordingly, it would be reasonable to contend that the First Amendment limits congressional subpoenas at least to the same extent.
The Fifth Amendment’s privilege against self-incrimination is available to witnesses—but not entities—who appear before Congress.[38] The right generally applies only to testimony, and not to the production of documents,[39] unless those documents satisfy a limited exception for “testimonial communications.”[40] Congress can circumvent this defense by granting transactional immunity to an individual invoking the Fifth Amendment privilege.[41] This allows a witness to testify without the threat of a subsequent criminal prosecution based on the testimony provided. Supreme Court dicta also suggests the Fourth Amendment can be a valid defense in certain circumstances related to the issuance of congressional subpoenas.[42]
Attorney-Client Privilege & Work Product Defenses
Although committees in the House and Senate have taken the position that they are not required to recognize the attorney-client privilege, in practice the committees generally acknowledge the privilege as a valid protection. Moreover, no court has ruled that the attorney-client privilege does not apply to congressional investigations. Committees often require that claims of privilege be logged as they would in a civil litigation setting. In assessing a claim of privilege, committees balance the harm to the witness of disclosure against legislative need, public policy, and congressional duty. Notably, in 2020, the Supreme Court for the first time acknowledged in dicta that the attorney-client privilege is presumed to apply in congressional investigations. In Trump v. Mazars, the Supreme Court stated that “recipients [of congressional subpoenas] have long been understood to retain common law and constitutional privileges with respect to certain materials, such as attorney-client communications and governmental communications protected by executive privilege.”[43] It remains to be seen if members and committee staffers will take the same view going forward.
The work product doctrine protects documents prepared in anticipation of litigation. Accordingly, it is not clear whether or in what circumstances the doctrine applies to congressional investigations, as committees may argue that their investigations are not necessarily the type of “adversarial proceeding” required to satisfy the “anticipation of litigation” requirement.[44]
V. Top Mistakes and How to Prepare
Successfully navigating a congressional investigation requires a multifaceted mastery of the facts at issue, careful consideration of collateral political events, and crisis communications.
Here are some of the more common mistakes we have observed:
- Facts: Failure to identify and verify the key facts at issue;
- Message: Failure to communicate a clear and compelling narrative;
- Context: Failure to understand and adapt to underlying dynamics driving the investigation;
- Concern: Failure to timely recognize the attention and resources required to respond;
- Legal: Failure to preserve privilege and assess collateral consequences;
- Rules: Failure to understand the rules of each committee, which can vary significantly; and
- Big Picture: Failure to consider how an adverse outcome can negatively impact numerous other legal and business objectives.
The consequences of inadequate preparation can be disastrous on numerous fronts. A keen understanding of how congressional investigations differ from traditional litigation and even Executive Branch or state agency investigations is therefore vital to effective preparation. The most successful subjects of investigations are those that both seek advice from experienced counsel and employ multidisciplinary teams with expertise in government affairs, media relations, e-discovery, and the key legal and procedural issues.
* * *
Democratic control of both congressional chambers and the White House is certain to usher in a more perilous landscape over the next two years for a wide array of public-facing industry actors, particularly those intertwined with current policy debates and hot button issues. Gibson Dunn lawyers have extensive experience in both running congressional investigations and defending targets of and witnesses in such investigations. If you or your company become the subject of a congressional inquiry, or if you are concerned that such an inquiry may be imminent, please feel free to contact us for assistance.
____________________
[1] H.R. Res. 6, 116th Cong. § 104(f)(2)(B) (2019).
[3] H.R. Res. 8, 117th Cong. § 4(g)(2)(B) (2021).
[4] H.R. Res. 8, 117th Cong. § 2(m) (2021).
[5] Barenblatt v. United States, 360 U.S. 178, 187 (1957).
[6] See Wilkinson v. United States, 365 U.S. 399, 408-09 (1961); Watkins v. United States, 354 U.S. 178, 199-201 (1957).
[7] Michael D. Bopp, Gustav W. Eyler, & Scott M. Richardson, Trouble Ahead, Trouble Behind: Executive Branch Enforcement of Congressional Investigations, 25 Corn. J. of Law & Pub. Policy 453, 456 (2015).
[9] See H.R. Res. 6, 116th Cong. § 103(a)(1) (2019).
[10] See The Power to Investigate: Table of Authorities of House and Senate Committees for the 116th Congress, https://www.gibsondunn.com/wp-content/uploads/2019/07/Power-to-Investigate-Table-of-Authorities-House-and-Senate-Committees-116th-Congress-07.2019.pdf. Consistent with past practice, Gibson Dunn will release a client alert outlining the specific subpoena rules for each committee in the 117th Congress as soon as they become available.
[11] See 165 Cong. Rec. H1216 (Jan. 25, 2019) (statement of Rep. McGovern).
[12] Bopp, supra note 7, at 457.
[16] Eastland v. U.S. Servicemen’s Fund, 421 U.S. 491, 504-05 (1975).
[17] Bopp, supra note 7, at 458.
[18] Id. at 459. The principal exception to this general rule arises when a congressional subpoena is directed to a custodian of records owned by a third party. In those circumstances, the Speech or Debate Clause does not bar judicial challenges brought by the third party seeking to enjoin the custodian from complying with the subpoena, and courts have reviewed the validity of the subpoena. See, e.g., Trump v. Mazars, 140 S. Ct. 2019 (2020); Bean LLC v. John Doe Bank, 291 F. Supp. 3d 34 (D.D.C. 2018).
[20] Gibson Dunn will detail these rules when they are finalized in an upcoming publication.
[21] Bopp, supra note 7, at 460 (citing Anderson v. Dunn, 19 U.S. 204, 228 (1821)).
[25] See 2 U.S.C. §§ 192 and 194.
[26] Bopp, supra note 7, at 462.
[28] Bopp, supra note 7, at 467.
[29] See 2 U.S.C. §§ 288b(b), 288d.
[30] Bopp, supra note 7, at 465. However, the law on this point is currently unsettled after a panel of the U.S. Court of Appeals for the D.C. Circuit ruled in August of 2020 that the House may not seek civil enforcement of a subpoena absent statutory authority. Committee on the Judiciary of the United States House of Representatives v. McGahn, No. 19-5331 (D.C. Cir. 2020). The ruling is currently being considered en banc.
[32] See 165 Cong. Rec. H30 (Jan. 3, 2019) (“If a Committee determines that one or more of its duly issued subpoenas has not been complied with and that civil enforcement is necessary, the BLAG, pursuant to House Rule II(8)(b), may authorize the House Office of General Counsel to initiate civil litigation on behalf of this Committee to enforce the Committee’s subpoena(s) in federal district court.”) (statement of Rep. McGovern); House Rule II.8(b) (“the Bipartisan Legal Advisory Group speaks for, and articulates the institutional position of, the House in all litigation matters”).
[33] See H. Res. 430 (116th Cong.) (“a vote of [BLAG] to authorize litigation . . . is the equivalent of a vote of the full House of Representatives”); Br. for House Committee at 33, Committee on Ways and Means, United States House of Representatives v. U.S. Dep’t of the Treasury, No. 1:19-cv-01974 (D.D.C. 2019) (stating BLAG authorized suit by House Ways & Means Committee to obtain President Trump’s tax returns pursuant to 26 U.S.C. § 6103(f)).
[34] Barenblatt, 360 U.S. 109, 126 (1959).
[37] See, e.g., Perry v. Schwarzenegger, 91 F.3d 1147, 1173 (9th Cir. 2009).
[38] See Quinn v. United States, 349 U.S. 155, 163 (1955).
[39] See Fisher v. United States, 425 U.S. 391, 409 (1976).
[40] See United States v. Doe, 465 U.S. 605, 611 (1984).
[41] See 18 U.S.C. § 6002; Kastigar v. United States, 406 U.S. 441 (1972).
[42] Watkins, 354 U.S. at 188.
[43] See Trump v. Mazars USA, LLP (591 U.S. ___ (2020)).
[44] See In re Grand Jury Subpoena Duces Tecum, 112 F.3d 910, 924 (8th Cir. 1997).
The following Gibson Dunn attorneys assisted in preparing this client update: Michael D. Bopp, Thomas G. Hungar, Roscoe Jones Jr., Alexander W. Mooney, Rebecca Rubin and Jillian N. Katterhagen.
Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work or the following lawyers in the firm’s Congressional Investigations group in Washington, D.C.:
Michael D. Bopp – Chair, Congressional Investigations Group (+1 202-955-8256, [email protected])
Thomas G. Hungar (+1 202-887-3784, [email protected])
Roscoe Jones, Jr. (+1 202-887-3530, [email protected])
© 2020 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
In 2020, companies and regulators faced unprecedented challenges as they navigated the COVID-19 crisis and a rapidly evolving set of issues and policy proposals on the regulation of Artificial Intelligence and Automated Systems (“AI”). After a slow start, the second half of 2020 saw a noticeable surge in AI-related regulatory and policy proposals as well as growing international coordination. We may be seeing an inflection point in AI governance,[1] and 2021 is poised to bring consequential legislative and policy changes.
In the U.S., the fourth quarter 2020 saw federal rulemaking gather real pace. At the very end of 2020, Congress passed landmark legislation, the National Defense Authorization Act (“NDAA”), boosting the nascent U.S. national AI strategy, increasing spending for AI research funding, and raising the profile of the U.S. National Institute of Standards and Technology (“NIST”) as the need for more coordination with respect to technical standards emerges as a policy priority. The expansion of AI research funding and coordination by the new National AI Initiative Office places the federal government in a more prominent role in AI research. Amid waning public trust in the use of tools for automated decision-making, 2020 also saw a number of federal bills promoting the ethical and equitable use of AI technologies and consumer protection measures.
The European Union (“EU”) has emerged as a pacesetter in AI regulation, taking significant steps towards a long-awaited comprehensive and coordinated regulation of AI at EU level—evidence of the European Commission’s (the “Commission”) ambition to exploit the potential of the EU’s internal market and position itself as a major player in sustainable technological innovation. This legislation is expected imminently, and all signs point to a sweeping regulatory regime with a system for AI oversight of high-risk applications that could significantly impact technology companies active in the EU.
Our 2020 Artificial Intelligence and Automated Systems Annual Legal Review examines a number of the most significant developments affecting companies as they navigate the evolving AI landscape, focusing on developments within the United States. We also touch, albeit non-exhaustively, on developments within the EU and the UK that may be of interest to domestic and international companies alike.
__________________________
Table of Contents
I. INTERNATIONAL POLICY DEVELOPMENTS
II. U.S. NATIONAL POLICY & KEY LEGISLATIVE EFFORTS
III. EU POLICY & REGULATORY DEVELOPMENTS
IV. UK POLICY & REGULATORY DEVELOPMENTS
V. REGULATION OF AI APPLICATIONS AND ALGORITHMS
A. Algorithmic Accountability & Consumer Safety
B. Facial Recognition Software
__________________________
I. INTERNATIONAL POLICY DEVELOPMENTS
2020 saw a number of international initiatives looking to provide guidance and build a global consensus on the development and regulation of AI, including the OECD member states’ recent adoption of OECD Principles on AI—the first international AI standards—and the establishment of the Global Partnership on Artificial Intelligence (“GPAI”) in June 2020. We anticipate further international activity in 2021, including the Commission’s forthcoming legislative proposals (see III. below).
A. Global Partnership on AI
In May 2019, Canada and France announced plans for a new international body for the G7 countries to study and steer the effects of AI on the world’s people and economies by creating best practices, modeled on the UN’s Intergovernmental Panel on Climate Change.[2] After previously expressing reluctance due to fears that the initiative’s recommendations would harm innovation, on May 28, 2020, the U.S. Department of State announced that the United States had joined the GPAI—becoming the last of the G7 countries to sign on. On June 15, 2020, the UK Government issued a joint statement announcing the creation of the GPAI along with 14 other founding members, including the EU and the United States.[3] In the joint statement, GPAI is described as an “international and multistakeholder initiative to guide the responsible development and use of AI, grounded in human rights, inclusion, diversity, innovation, and economic growth.” The initiative plans to support research and the “responsible and human-centric development and use of AI” by reference to the OECD Recommendation on AI.[4] GPAI’s short term priority, however, is to investigate how AI can be used to help with the response to, and recovery from, COVID-19.
B. UK-U.S. Partnership on AI
On September 25, 2020, the UK and U.S. signed a “Declaration on Cooperation in Artificial Intelligence Research and Development,” intended to promote a “shared vision” for AI in the areas of “economic growth, health and wellbeing, the protection of democratic values, and national security.” The new partnership envisages that the UK and U.S. governments will collaborate by (i) using bilateral science and technology cooperation and multilateral cooperation frameworks; (ii) recommending priorities for future cooperation, particularly in research and development (R&D) areas; (iii) coordinating the planning and programming of relevant activities in areas that have been identified; and (iv) promoting R&D in AI, focusing on challenging technical issues.
II. U.S. NATIONAL POLICY & KEY LEGISLATIVE EFFORTS
In February 2019, President Trump issued an Executive Order “Maintaining American Leadership in Artificial Intelligence,” which marked the launch of the “American AI Initiative” and sought to accelerate AI development and regulation to secure the United States’ place as a global leader in AI technologies.
Almost two years later, we have seen a significant increase in AI-related legislative and policy measures in the U.S. In particular, the federal government has been active in coordinating cross-agency leadership and encouraging the continued research and development of AI technologies for government use. To that end, a number of key legislative and executive actions focused on the growth and development of such technologies for federal agency, national security and military uses.
A. Policy Developments
1. Bipartisan U.S. Lawmakers Introduce Legislation to Create a National AI Strategy
On September 16, 2020, Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas), after coordination with experts and the Bipartisan Policy Center, introduced a concurrent resolution calling for the creation of a national AI strategy.[5] This Resolution proposes four pillars to guide the strategy:[6]
- Workforce: Fill the AI talent gap and prepare American workers for the jobs of the future, while also prioritizing inclusivity and equal opportunity;[7]
- National Security: Prioritize the development and adoption of AI technologies across the defense and intelligence apparatus;
- Research and Development: Encourage the federal government to collaborate with the private sector and academia to ensure America’s innovation ecosystem leads the world in AI; and
- Ethics: Develop and use AI technology in a way that is ethical, reduces bias, promotes fairness, and protects privacy.
2. OMB Guidance for Federal Regulatory Agencies
In January 2020, the Office of Management and Budget (“OMB”) published a draft memorandum featuring 10 “AI Principles”[8] and outlining its proposed approach to regulatory guidance for the private sector which echoes the “light-touch” regulatory approach espoused by the 2019 Executive Order, noting that promoting innovation and growth of AI is a “high priority” and that “fostering innovation and growth through forbearing from new regulations may be appropriate.”[9] As expected, the principles favored flexible regulatory frameworks consistent with the Executive Order[10] that allow for rapid change and updates across sectors, rather than one-size-fits-all regulations, and urge European lawmakers to avoid heavy regulation frameworks.
On November 17, 2020, the OMB issued its final guidance to federal agencies on when and how to regulate the private sector use of AI, presenting a broad perspective on AI oversight generally in keeping with its flexible, anti-regulatory approach eschewing “precautionary regulation” or “[r]igid, design-based regulations.”[11] The OMB guidance urges agencies to first assess the effects in order to avoid “regulatory and non-regulatory actions that needlessly hamper AI innovation and growth,” and provides technical guidance on rule-making, including a “regulatory impact assessment.”[12] The OMB then prompts immediate action by requiring federal agencies to provide compliance plans, which will then be made public via each agency’s website, by May 17, 2021. These plans should document the agency’s regulatory authorities over “high-priority AI applications,” collections of “AI-related information” from regulated entities (and any restrictions on the collection or sharing of such information), the outcomes of stakeholder engagements that identify existing regulatory barriers to AI applications within that agency’s purview, and any planned regulatory actions.[13] The OMB guidance also repeats its previous comments on the need “to address inconsistent, burdensome, and duplicative State laws” that might prevent the emergence of a national market, but to avoid regulatory action in instances where a uniform national standard is not essential.[14]
3. Executive Order on Federal Agency Use of AI
On December 3, 2020, President Trump signed a second Executive Order (“EO”) on AI, providing guidance for federal agency adoption of AI for government decision-making in a manner that protects privacy and civil rights. Numerous government agencies already use AI systems as predictive enforcement tools and to process and review vast amounts of data to detect trends and shape policymaking.[15]
The EO set out nine principles for the design, development, acquisition and use of AI in government in an effort “to foster public trust and confidence in the use of AI, and ensure that the use of AI protects privacy, civil rights, and civil liberties.” The order emphasizes AI use must be “lawful; purposeful and performance-driven; accurate, reliable, and effective; safe, secure, and resilient; understandable; responsible and traceable; regularly monitored; transparent; and accountable.”
The EO directs agencies to prepare inventories of AI-use cases throughout their departments (excluding classified or sensitive use cases) by July 2021, which could provide new insights into how federal agencies currently deploy AI technology. Emphasizing that ongoing adoption, deployment and acceptance of AI will depend significantly on public trust, the EO tasks the OMB with charting a roadmap for policy guidance by May 2021 for how agencies should use AI technologies in all areas excluding national security and defense.
B. NIST Report on the Four Principles of Explainable Artificial Intelligence
In February 2019, the Trump administration’s Executive Order on Maintaining American Leadership in Artificial Intelligence directed NIST to develop a plan that would, among other objectives, “ensure that technical standards minimize vulnerability to attacks from malicious actors and reflect Federal priorities for innovation, public trust, and public confidence in systems that use AI technologies; and develop international standards to promote and protect those priorities.” In response, NIST issued a plan in August 2019 for prioritizing federal agency engagement in the development of AI standards, identifying seven properties that characterize trustworthy AI—accuracy, explainability, resiliency, safety, reliability, objectivity, and security.[16]
In August 2020, NIST published a white paper on the Four Principles of Explainable Artificial Intelligence that “comprise the fundamental properties for explainable AI systems.”[17] The four principles for explainable AI are:
- Explanation: AI systems should deliver accompanying evidence or reasons for all their outputs.
- Meaningful: Systems should provide explanations that are meaningful or understandable to individual users.
- Explanation Accuracy: The explanation correctly reflects the system’s process for generating the output.
- Knowledge Limits: The system only operates under conditions for which it was designed or when the system reaches a sufficient confidence in its output.
According to NIST, evaluating explainability in context of human decision-making also may lead to better understanding of human–machine collaboration and interfaces. Since humans demonstrate only a limited ability to meet the four principles described above, NIST discusses that human decision-making may provide a benchmark to evaluate explainable AI systems and informs the development of reasonable metrics. The public comment period closed on October 15, 2020.
C. Legislative Developments
In the first half of 2020, the effect of the unprecedented COVID-19 pandemic stalled much of the promised legislative progress, and many of the ambitious bills intended to build a regulatory framework for AI languished in committee and have not been passed. But, despite political gridlock, AI-related federal legislation continued to draw bipartisan Congressional enthusiasm in 2020, and at the end of the year, Congress passed—in dramatic fashion—the most significant and wide-ranging AI-related legislation to date. Bills pending before the last Congress that did not pass a floor vote will need to be reintroduced in the new Congress that was sworn in on January 3.
1. National Defense Authorization Act, H.R. 6395
On January 1, 2021, the 116th Congress overrode a presidential veto and passed the Fiscal Year 2021 National Defense Authorization Act (“NDAA”)—a $731.6 billion defense bill—into law.[18] The NDAA represents a significant step forward for AI policy in the U.S. far beyond national defense, and establishes a regulatory framework for coordinating AI research and policy across the federal government, as well as a national network of AI research institutes focusing on mission-driven research to be led by the National Science Foundation (“NSF), the Department of Energy (“DoE”), the Department of Commerce, NASA and the Department of Defense (“DoD”). The NDAA is likely to influence AI policy across the regulatory spectrum—from private sector development, testing, and deployment of AI systems, to mandatory federal guidelines, technical standards and voluntary risk management frameworks.
The legislation includes both DoD and non-DoD AI provisions and draws on legislation introduced earlier this year, the National Artificial Intelligence Initiative Act of 2020 (H.R. 6216), as well as the 2019 Artificial Intelligence Initiative Act (S. 1558), to establish a coordinated federal initiative to accelerate research and development and encourage investments in trustworthy AI systems.[19] The NDAA also includes select provisions from a number of other draft bills introduced in 2020, including four bills introduced by the nascent bipartisan Senate AI Caucus.[20]
Of particular note are measures to create a new “National Artificial Intelligence Initiative Office” to be led by the White House, to order the Pentagon to take steps to ensure the AI technologies it acquires are developed in an ethically and responsibly sourced manner, and to charge NIST with developing an “AI Risk Management Framework.” The NDAA also includes a provision to make computational resources and robust data sets publicly available for researchers across the country through a “National Research Cloud.”[21] The bill authorizes nearly $5 billion in funding for AI research at NSF over the next five years ($4.796 billion), $1.15 billion at the DoE, and $390 million at NIST. The NDAA affords industry stakeholders a number of opportunities to shape federal agencies’ use of AI systems as well as to participate in discussions surrounding best practices and technical standards.
a) Department of Defense AI Provisions
The NDAA directs the Secretary of Defense to assess, within 180 days of passage, whether the DoD has the ability, requisite resourcing, and sufficient expertise to ensure that any AI technology acquired by DoD is ethically and responsibly developed, and must provide a briefing of the assessment’s results to Congress within 30 days of its completion.[22]
The NDAA also assigns responsibility for DoD’s Joint Artificial Intelligence Center (“JAIC”) to the Deputy Secretary of Defense to “ensure data access and visibility for the JAIC.” Moreover, the NDAA grants the JAIC Director acquisition authority in support of defense missions of up to $75 million for new contracts for each year through FY2025.
b) Non-Department of Defense AI Provisions
The NDAA includes a measure for the creation of a new National AI Initiative Office to be established by the Director of the White House Office of Science and Technology Policy (“OSTP”) to lead U.S. global leadership in the development and use of trustworthy AI systems and prepare the nation’s workforce for the integration of AI across all sectors of the economy.[23] The office’s mission is to serve as the point of contact for federal AI activities for federal departments and agencies, as well as other public and private entities.
The initiative will functionally consist of two organizations. First, the Interagency Committee will be tasked with providing coordination of federal AI research and development activities as well as education and workforce training activities across the government.[24] Within two years of the passage of the NDAA, the Committee is to develop a strategic plan that establishes goals, priorities, and metrics for guiding and evaluating how federal agencies will “prioritize areas of AI research and development, examines long-term funding for interdisciplinary AI research, and supports research on ethical, legal, environmental, safety, security, bias, and other issues related to AI and society.”[25] The companion body to the Interagency Committee is a new external National AI Advisory Committee to be established by the Secretary of Commerce in consultation with Director of OSTP, the Attorney General, the Director of National Intelligence, and the Secretaries of Defense, Energy, and State.[26] The Advisory Committee will then create a subcommittee on AI and law enforcement to advise the White House on bias (including the use of facial recognition by government authorities), data security, adoptability, and legal standards (including those designed to ensure the use of AI systems are consistent with the privacy rights, civil rights and civil liberties, and disability rights issues raised by the use of these technologies.)[27]
The Director of the NSF, in coordination with OSTP, is tasked with establishing a National AI Research Task Force to investigate the feasibility of establishing and sustaining a National AI Research Resource and to propose a roadmap and implementation plan detailing how such a resource should be established and sustained.[28] The Director of the NSF is also permitted to establish a network of National AI Research Institutes that are focused on cross-cutting challenges for AI systems, like trustworthiness or foundational science, or those that are focused on a particular economic or social sector such as health care, education, manufacturing.[29] These institutes are to include a component addressing the ethical and safety implications of the relevant application of AI to that sector and are to be funded for a renewable period of five years.
While NIST has already been active on AI issues, particularly with respect to standard-setting and trust-worthy AI, the NDAA further increases NIST’s AI responsibilities through a legislative mandate on AI, expanding its mission to include advancing collaborative frameworks, standards, guidelines for AI, supporting the development of a risk-mitigation framework for AI systems, and supporting the development of technical standards and guidelines to promote trustworthy AI systems.[30] In addition to developing best practices and voluntary standards for privacy and security in training datasets, computer chips/hardware, and data management techniques, NIST will be responsible for developing, within two years, a Risk Management Framework that “identifies and provides standards for assessing the trustworthiness of AI systems, establishes common definitions for common terms such as explainability, transparency, safety, and privacy, provides case studies of successful framework implementation, and aligns with international standards no later than two years after the passage of the NDAA.”[31]
2. Securing American Leadership in Science and Technology Act of 2020
On January 28, 2020, Representative Frank Lucas (R-OK) and 12 Republican cosponsors, introduced the Securing American Leadership in Science and Technology Act of 2020 (“SALTA”), (H.R. 5685), a bill broadly focused on “invest[ing] in basic scientific research and support technology innovation for the economic and national security of the United States.”[32]
The bill would have the NIST promote U.S. “innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve Americans’ quality of life.”
3. Generating Artificial Intelligence Networking Security (“GAINS”) Act
May 2020 saw the introduction of the Generating Artificial Intelligence Networking Security (“GAINS”) Act (H.R. 6950), which directs the Department of Commerce and the Federal Trade Commission to identify the benefits and barriers to AI adoption in the U.S., survey other nations’ AI strategies and rank how the U.S. compares; and assess the supply chain risks and how to address them.[33] The bill, which was referred to the Committee on Energy and Commerce but did not advance, requires the agencies to report the results to Congress, along with recommendations to develop a national AI strategy.
4. The AI in Government Act of 2020
The AI in Government Act of 2020 (H.R. 2575) was passed by the House on September 14, 2020 by voice vote.[34] The bill aims to promote the efforts of the federal government in developing innovative uses of AI by establishing the “AI Center of Excellence” within the General Services Administration (“GSA”), and requiring that the OMB issue a memorandum to federal agencies regarding AI governance approaches. It also requires the OSTP to issue guidance to federal agencies on AI acquisition and best practices. An identical bill, S. 1363, which was approved by the U.S. Senate Homeland Security and Governmental Affairs Committee in November 2019, has not passed.[35]
III. EU POLICY & REGULATORY DEVELOPMENTS
In past years, EU discussions about regulating AI technologies had been characterized by a restrictive “regulate first” approach.[36] However, the regulatory road map presented by the Commission in February 2020 under the auspices of its new digital strategy eschewed, for example, blanket technology bans and proposed a more nuanced “risk-based” approach to regulation, emphasizing the importance of “trustworthy” AI but also acknowledging the need for Europe to both remain innovative and competitive in a rapidly growing space and avoid fragmentation of the single market resulting from differences in national legislation.
The Commission’s “White Paper on Artificial Intelligence – A European approach to excellence and trust” (the “White Paper”) sets out a road map designed to balance innovation, ethical standards and transparency.[37] As noted in our legal update “EU Proposal on Artificial Intelligence Regulation Released,” the White Paper favors a risk-based approach with sector- and application-specific risk assessments and requirements, rather than blanket sectoral requirements or bans—earmarking a series of “high-risk” technologies for future oversight, including those in “critical sectors” and those deemed to be of “critical use.”[38] The Commission also released a series of accompanying documents: the “European Strategy for Data” (“Data Strategy”)[39] and a “Report on the Safety and Liability Implications of Artificial Intelligence, the Internet of Things and Robotics” (“Report on Safety and Liability”).[40]
Although the Commission is seeking to impose a comprehensive and harmonious framework for AI regulation across all member states, there is no clear consensus as to the scope of regulatory intervention. In October 2020, 14 EU members (Denmark, Belgium, the Czech Republic, Finland, France, Estonia, Ireland, Latvia, Luxembourg, the Netherlands, Poland, Portugal, Spain and Sweden) published a joint position paper urging the Commission to espouse a “soft law approach” that takes into account the fast-evolving nature of AI technologies and favors self-regulation and voluntary practices to avoid harming innovation.[41] Germany, on the other hand, has expressed concern over certain Commission proposals to apply restrictions on AI applications deemed to be of high-risk only, and favors a broader regulatory reach for technologies that would be subject to the new framework, as well as mandatory, detailed rules for data retention, biometric remote identification and human supervision of AI systems.[42]
In short, while the Commission’s comprehensive legislative proposal is expected imminently, the EU policy landscape has remained dynamic in the lead up. Companies active in AI should closely follow recent developments in the EU, given the proposed geographic reach of the future AI legislation, which is likely to affect all companies doing business in the EU.
A. European Commission’s AI White Paper Consultation and “Inception Impact Assessment”
As we reported in our Artificial Intelligence and Automated Systems Legal Update (1Q20), in January 2020, the EC launched a public consultation period and requested comments on the proposals set out in the White Paper and the Data Strategy, providing an opportunity for companies and other stakeholders to provide feedback and shape the future EU regulatory landscape. In July, the Commission published a summary report on the consultation’s preliminary findings.[43] Respondents raised concerns about the potential for AI to breach fundamental rights or lead to discriminatory outcomes, but they were divided on whether new compulsory requirements should be limited to high-risk applications.
On the heels of the White Paper Consultation, the Commission launched an “Inception Impact Assessment” initiative for AI legislation in July 2020, aiming to define the Commission’s scope and goals for AI legislation with a focus on ensuring that “AI is safe, lawful and in line with EU fundamental rights.”[44] The Commission’s road map builds on the proposals in the White Paper and provides more detail on relevant policy options and policy instruments, from a “baseline” policy (involving no policy change at the EU level) through various alternative options following a “gradual intervention logic,” ranging from a non-legislative, industry-led, “soft law” approach (Option 1) through a voluntary labelling scheme (Option 2), to comprehensive and mandatory EU-level legislation for all or certain types of AI applications (Option 3), or a combination of any of the options above taking into account the different levels of risk that could be generated by a particular AI application (Option 4).[45] Another core question relates to the scope of the initiative, notably how AI should be defined (narrowly or broadly) (e.g., machine learning, deep neural networks, symbolic reasoning, expert systems, automated decision-making).
Substantively, the road map reiterates that the Commission is particularly concerned with a number of specific, significant AI risks that are not adequately covered by existing EU legislation, such as cybersecurity, the protection of employees, unlawful discrimination or bias, the protection of EU fundamental rights, including risks to privacy, and protecting consumers from harm caused by AI (both through existing and new product safety legislation). Continued focus remains on the need for legal certainty, both for business marketing products involving AI in the EU, and for market surveillance and supervisory authorities. The feedback period for the road map closed in September, and the completion of the Inception Impact Assessment was scheduled for December 2020. As noted, these policy proposals are intended to culminate in proposed regulation, which is expected to be unveiled by the Commission in the first quarter of 2021.
B. European Parliament Votes on Proposals regarding the Regulation of Artificial Intelligence
Earlier this year, the European Parliament set up a special committee to analyze the impact of artificial intelligence on the EU economy[46] to ensure that the EU “develops AI that is trustworthy, eliminates biases and discrimination, and serves the common good, while ensuring business and industry thrive and generate economic prosperity.”[47]
In April 2020, the Parliament’s Legal Affairs Committee (“JURI”) published three draft reports to the Commission providing recommendations on a framework for AI liability, copyright protection for AI-assisted human creations, safeguards within the EU’s patent system to protect the innovation of AI developers, and AI ethics and “human-centric AI.”[48] The three legal initiatives, summarized in final reports and recommendations outlined in more detail below, were adopted by the plenary on October 20, 2020.[49]
1. Report with Recommendations to the Commission on a Framework of Ethical Aspects of Artificial Intelligence, Robotics and Related Technologies
The legislative initiative urges the Commission to present a legal framework outlining the ethical principles and legal obligations to be followed when developing, deploying and using artificial intelligence, robotics and related technologies in the EU including software, algorithms and data, protection for fundamental rights. The initiative also calls for the establishment of a “European Agency for Artificial Intelligence” and a “European certification of ethical compliance.”[50]
The proposed legal framework is premised on several guiding principles, including “human-centric and human-made AI; safety, transparency and accountability; safeguards against bias and discrimination; right to redress; social and environmental responsibility; and respect for privacy and data protection.”[51] High-risk AI technologies, which include machine learning and other systems with the capacity for self-learning, should be designed to “allow for human oversight and intervention at any time, particularly where a functionality could result in a serious breach of ethical principles and could be dangerous.”[52] Some of the high-risk sectors identified are healthcare, public sector and finance, banking and insurance.
2. Report with Recommendations to the Commission on a Civil Liability Regime for Artificial Intelligence
The Report calls for a future-oriented civil liability framework that makes front- and back-end operators of high-risk AI strictly liable for any resulting damage and provides a “clear legal framework [that] would stimulate innovation by providing businesses with legal certainty, whilst protecting citizens and promoting their trust in AI technologies by deterring activities that might be dangerous.”[53] While it does not take the position that a new EU liability regime is necessary, the Report identifies a gap in the existing EU product liability regime with respect to the liability of operators of AI-systems in the absence of a contractual relationship with potential victims, proposing a dual approach: (1) strict liability for operators of “high-risk AI-systems” akin to the owner of a car or pet; or (2) a presumption of fault towards the operator for harm suffered by a victim by a non-“high-risk” AI system, with national law regulating the amount and extent of compensation as well as the limitation period in case of harm caused by the AI-system.[54] Multiple operators would be held jointly and severally liable, subject to a maximum liability of €2 million. The Report defines criteria on which AI-systems can qualify as high-risk in the Annex, proposing that a newly formed standing committee, involving national experts and stakeholders, should support the Commission in its review of potentially high-risk AI-systems.
3. Report on Intellectual Property Rights for the Development of Artificial Intelligence Technologies
The Report emphasizes that EU global leadership in AI requires an effective intellectual property rights system and safeguards for the EU’s patent system in order to protect and incentivize innovative developers, balanced with the EU’s ethical principles for AI and consumer safety.[55] Notably, the Report distinguishes between AI-assisted human creations and AI-generated creations, taking the position that AI should not have a legal personality and that ownership of IP rights should only be granted to humans. Where AI is used only as a tool to assist an author in the process of creation, the current intellectual property legal framework should remain applicable. Nonetheless, the Report recommends that AI-generated creations should fall under the scope of the EU intellectual property regime in order to encourage investment and innovation, subject to protection under a specific form of copyright.
C. European Commission’s Assessment List for Trustworthy AI
As we noted in our 2019 Artificial Intelligence and Automated Systems Annual Legal Review, in April 2019, the EC released a report from its “High-Level Expert Group on Artificial Intelligence” (“AI HLEG”): the EU “Ethics Guidelines for Trustworthy AI” (“Ethics Guidelines”).[56]
On July 17, 2020, the AI HLEG presented its final “Assessment List for Trustworthy AI,” a tool intended to help companies “self-assess” and identify the risks of AI systems they develop, deploy or procure, and implement the Ethics Guidelines in order to mitigate those risks.[57] A previous version of the Assessment List was included in the April 2019 Ethics Guidelines, and this final Assessment List represents an amended version following a piloting process in which over 350 stakeholders participated. The Assessment List is designed as a flexible framework that companies can adapt to their particular needs and the sector they operate in order to minimize specific risks an AI system might generate. The Assessment List proposes a tailored series of self-assessment questions for each of the seven principles for trustworthy AI set out in the AI HLEG’s Ethics Guidelines (Human Agency and Oversight; Technical Robustness and Safety; Privacy and Data Governance; Transparency; Diversity, Non-Discrimination and Fairness; Societal and Environmental Well-being; and Accountability). The AI HLEG recommends that the tool be used by a “multidisciplinary team.”
D. Council of Europe Publishes Feasibility Study on Developing a Legal Instrument for Ethical AI
On December 17, 2020, the Council of Europe’s Ad hoc Committee on Artificial Intelligence (“CAHAI”) published a report examining both the feasibility and possible constituent elements of a legal framework for the development and application of AI systems, based on “the Council of Europe’s standards in the field of human rights, democracy and the rule of law.”[58] The report identifies nine principles that are essential to respect human rights in the context of AI: Human Dignity; Prevention of Harm to Human Rights, Democracy, and the Rule of Law; Human Freedom and Human Autonomy; Non-Discrimination, Gender Equality, Fairness and Diversity; Principle of Transparency and Explainability of AI Systems; Data Protection and the Right to Privacy; Accountability and Responsibility; Democracy; and the Rule of Law.
The report concludes that current international and national regulations do not sufficiently address the challenges posed by AI, and proposes the development of a new legal framework for AI consisting of both binding (such as model national legislation) and nonbinding Council of Europe instruments. Much like the AI HLEG’s Ethics Guidelines for Trustworthy AI and the European Commission’s White Paper on AI, the Council of Europe’s study proposes a risk-based approach to regulating AI—acknowledging that not all AI systems pose an equally high level of risk—and seeks to balance legal certainty for AI stakeholders while providing broad regulatory guidance to companies implementing governance regimes. The study will be presented to the Committee of Ministers of the Council of Europe, who may instruct CAHAI to begin developing the specific elements of a legal framework for AI.
E. German Inquiry Committee Report on Artificial Intelligence
In November 2020, the German AI inquiry committee (Enquete-Kommission Künstliche Intelligenz des Deutschen Bundestages, “Committee”) presented its final report, which provides broad recommendations on how society can benefit from the opportunities inherent in AI technologies while acknowledging the risks they pose.[59]
The Committee’s work placed a focus on legal and ethical aspects of AI and its impact on the economy, public administration, cybersecurity, health, work, mobility, and the media. The Committee advocates for a “human-centric” approach to AI, a harmonious Europe-wide strategy, a focus on interdisciplinary dialog in policy-making, setting technical standards, legal clarity on testing of products and research, and the adequacy of digital infrastructure.
At a high level, the Committee’s specific recommendations relate to (1) data-sharing and data standards; (2) support and funding for research and development; (3) a focus on “sustainable” and efficient use of AI; (4) incentives for the technology sector and industry to improve scalability of projects and innovation; (5) education and diversity; (6) the impact of AI on society, including the media, mobility, politics, discrimination and bias; and (7) regulation, liability and trustworthy AI.
IV. UK POLICY & REGULATORY DEVELOPMENTS
In the past several years, the UK has focused on developing a national position on a number of specific AI-related issues, such as data protection, explainability, and autonomous vehicles, but otherwise has not enacted any laws or regulations that govern the use of AI technologies. As its national strategy on AI continues to take shape, the UK may soon find itself at a regulatory crossroads. While UK companies selling AI-related products or services into the EU would likely have to comply with the new European regime, the House of Lords Select Committee on AI—which was appointed in June 2017 to “consider the economic, ethical and social implications of advances” in AI—has generally indicated a reluctance to establish a cross-cutting regulatory framework for AI in favor of sector-specific regulation.
In February 2020, the UK Government’s Committee on Standards in Public Life published a report on “Artificial Intelligence and Public Standards,” addressing the deployment of AI in the public sector.[60] Although it also did not favor the creation of a specific AI regulator, it described the new Centre for Data Ethics and Innovation (“CDEI”) as a “regulatory assurance” body with a cross-cutting role, and went on to identify an urgent need for guidance and regulation on the issues of transparency and data bias, in particular. In June 2020, CDEI published its “AI Barometer,” a risk-based analysis which reviews five key sectors (criminal justice, health and social care, financial services, energy and utilities and digital and social media) and identifies opportunities, risks, barriers and potential regulatory gaps.[61] The UK also participated in the drafting of the Council of Europe’s Feasibility Study on Developing a Legal Instrument for Ethical AI (see III.D. above).
A. AI Council National AI Strategy
In January 2021, the AI Council, an independent expert and industry committee that advises the UK Government on artificial intelligence, published an “AI Roadmap,” recommending the deployment of a national UK AI strategy.[62] The AI Council’s 16 recommendations identify and address challenges to the advancement across a number of sectors: research, development and innovation; skills & diversity; data, infrastructure & public trust; and national, cross-sector adoption. The roadmap advises that the UK should lead in developing appropriate standards to frame the future governance of data and enact “clear and flexible regulation” building on existing guidance from regulators such as the Information Commissioner’s Office (“ICO”).
The AI Council also focuses on public trust and algorithmic accountability, noting that “the public should be reassured that the use of AI is safe, secure, fair, ethical and overseen by independent entities.” In addition to continuous development of industry standards and suitable regulations and frameworks for algorithmic accountability, it does not rule out the need for further legislation, such as a public interest data bill to ensure transparency about automated decision-making, the right for the public to give meaningful input (for example, through algorithmic impact assessments), and the ability for regulators to enforce sanctions.[63]
B. House of Lords’ Liaison Committee Report: “AI in the UK: No Room for Complacency”
In December 2020, the House of Lords’ Liaison Committee (“Committee”) published a report “AI in the UK: No Room for Complacency” (the “2020 Report”), a follow up on the 2018 Report by the House of Lords’ Select Committee (the “2018 Report”).[64]
The 2018 Report emphasized that blanket AI-specific regulation is not appropriate and existing sector-specific regulators are best placed to consider the impact on their sectors of any subsequent regulation which may be needed. It also noted that GDPR addressed many of the concerns with respect to AI and data, and tasked the CDEI with identifying any gaps in existing regulation.
The 2020 Report continued to espouse a regulator-led approach, noting that individual industry sectors are best placed to identify the regulation needed in their area, and proposing that industry stakeholders should take the lead in establishing voluntary mechanisms for informing the public when artificial intelligence is being used for significant or sensitive decisions in relation to consumers, tasking the AI Council with the development and implementation of these mechanisms. However, as previewed, the 2020 Report also raised concerns about deficiencies in the existing legal framework for certain AI use cases, such as facial recognition technology, and flags that a solely self-regulatory approach to ethical standards risks a lack of uniformity and enforceability as well as a lack of public trust in the use of AI.
Moreover, the 2020 Report recommended that, by July 2021, and with input from CDEI, Office for AI and Alan Turing Institute, the ICO should develop and roll out a training course for use by regulators to ensure they have a grounding in the ethical and appropriate use of public data and AI systems, and its opportunities and risks. CDEI is also tasked with establishing and publishing international standards for the ethical development of AI, including issues of bias, and for the ethical use of AI by policymakers and businesses.
C. UK ICO Guidance on AI and Data Protection
On July 30, 2020, the ICO published its final guidance on Artificial Intelligence (the “Guidance”).[65] Intended to help organizations “mitigate the risks of AI arising from a data protection perspective without losing sight of the benefits such projects can deliver,” the Guidance sets out a framework and methodology for auditing AI systems and best practices for compliance with the UK Data Protection Act 2018 and data protection obligations under the EU’s General Data Protection Regulation (“GDPR”). The Guidance proposes a “proportionate and risk-based approach” and recommends an auditing methodology consisting of three key parts: auditing tools and procedures for use in audits and investigations; detailed guidance on AI and data protection; and a tool kit designed to provide further practical support to organizations auditing the compliance of their own AI systems. The guidance addresses four overarching principles:
Accountability and governance in AI—including data protection impact assessments (“DPIAs”), understanding the relationship and distinction between controllers and processors in the AI context, as well as managing, and documenting decisions taken with respect to competing interests between different AI-related risks (e.g., trade-offs);
Fair, lawful and transparent processing—including how to identify lawful bases (and using separate legal bases for processing personal data at each stage of the AI development and deployment process), assessing and improving AI system performance, mitigating potential discrimination, and documenting the source of input data as well as any inaccurate input data or statistical flaw that might impact the output of the AI system.
Data minimization and security—including guidance to technical specialists on data security issues common to AI, types of privacy attacks to which AI systems are susceptible, compliance with the principle of data minimization (the principle of identifying the minimum amount of personal data needed, and to process no more than that amount of information), and privacy-enhancing techniques that balance the privacy of individuals and the utility of a machine learning system during the training and inference stages.[66]
Compliance with individual data subject rights—including data subject rights in the context of data input and output of AI systems, rights related to automated decision, and requirements to design AI systems to facilitate effective human review and critical assessment and understanding of the outputs and limitations of AI systems.
The Guidance also emphasizes that data protection risks should be considered at an early stage in the design process (e.g., “safety by design”) and that the roles of the different parties in the AI supply chain should be clearly mapped at the outset. Of note is also the recommendation that training data be stored at least until a model is established and unlikely to be retrained or modified. The Guidance refers to, but does not provide guidance on, the anonymization or pseudonymization of data as a privacy-preserving technique, but notes that the ICO is currently developing new guidance in this field.[67]
The ICO encouraged organizations to provide feedback on the Guidance to make sure that it remains “relevant and consistent with emerging developments.”
V. REGULATION OF SPECIFIC AI TECHNOLOGIES AND USE CASES
A. Algorithmic Accountability and Consumer Safety
In 2020, a number of potential bills and policy measures addressing algorithmic accountability and transparency hinted at a shift amid growing public awareness of AI’s potential to pose a risk to consumers, including by creating bias or harming certain groups.[68]
1. Consumer Safety Technology Act (H.R. 8128)
On September 29, 2020, the House passed the Consumer Safety Technology Act (H.R. 8128), previously named the “AI for Consumer Product Safety Act.” If enacted, the bill would direct the U.S. Consumer Product Safety Commission (“CPSC”) to establish a pilot program to explore the use of artificial intelligence for at least one of the following purposes: (1) tracking injury trends; (2) identifying consumer product hazards; (3) monitoring the retail marketplace for the sale of recalled consumer products; or (4) identifying unsafe imported consumer products. The bill has been referred to the Senate Committee on Commerce, Science, and Transportation.
2. Senators’ Letter to EEOC Signals Scrutiny of AI Bias
On December 8, 2020, 10 U.S. senators sent a letter to the Chair of the U.S. Equal Employment Opportunity Commission (“EEOC”), urging the EEOC to use its powers under Title VII of the Civil Rights Act of 1964 to “investigate and/or enforce against discrimination related to the use of” AI hiring technologies.[69] The letter signals increased enforcement and regulatory activity on the horizon for employment-related uses of technology in the hiring and employment process.
Lawmakers expressed particular concerns over “tools used in the employee selection process to manage and screen candidates after they apply for a job”; “new modes of assessment, such as gamified assessments or video interviews that use machine-learning models to evaluate candidates”; “general intelligence or personality tests”; and “modern applicant tracking systems.”
The lawmakers recognize that “hiring technologies can sometimes reduce the role of individual hiring managers’ biases,” but that “they can also reproduce and deepen systemic patterns of discrimination reflected in today’s workforce data.” The letter includes three specific questions: (1) can the EEOC request access to “hiring assessment tools, algorithms, and applicant data from employers or hiring assessment vendors and conduct tests to determine whether the assessment tools may produce disparate impacts?”; (2) if the EEOC were to conduct such a study, could it publish its findings in a public report?; and (3) what additional authority and resources would the EEOC need to proactively study and investigate these AI hiring assessment technologies?
3. A.B. 2269
A.B. 2269, “the Automated Decision Systems Accountability Act of 2020,” failed to progress through the California state legislature.[70] The bill would have required any business that uses an “automated decision system” (“ADS”) to “continually test for biases during the development and usage of the ADS, conduct an ADS impact assessment on its program or device to determine whether the ADS has a disproportionate adverse impact on a protected class….” ADS is defined broadly as “a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making, that impacts persons.” The bill had potentially significant consequences for a wide range of companies given that the definition of ADS, as it was defined, potentially implicated any computational process with an output that “impacts persons.”
B. Facial Recognition Software
1. Federal Regulation
Over the past several years, biometric surveillance, or “facial recognition technology,” emerged as a lightning rod for public debate regarding the risk of improper algorithmic bias and data privacy concerns, resulting in a string of efforts by various cities in the U.S.[71] to ban the use of facial recognition technology by law enforcement and some limited state legislation (California’s A.B. 1215).[72] During 2020, both federal, state governments indicated a willingness to enact regulations on the use of facial recognition technology by government agencies or law enforcement.
a) Ethical Use of Facial Recognition Act, S. 3284
On February 12, 2020, Senator Jeff Merkley (D-OR) introduced the Ethical Use of Facial Recognition Act, co-sponsored by Senator Cory Booker (D-NJ).[73] The bill would prohibit any federal officer, employee, or contractor from engaging in particular activities with respect to facial recognition technology without a warrant until a congressional commission recommends rules to govern the use and limitations of facial recognition technology for government and commercial uses. The prohibited activities include: setting up a camera to be used with facial recognition, accessing or using information obtain from facial recognition, or importing facial recognition to identify an individual in the U.S. Victims of violations of the bill would be permitted to bring a civil action for injunctive or declaratory relief in federal court. The bill would also prohibit state or local governments from investing in, purchasing, or obtaining images from facial recognition technology.
b) Facial Recognition and Biometric Technology Moratorium Act of 2020
In June 2020, Democratic Senators and Representatives introduced the Facial Recognition and Biometric Technology Moratorium Act of 2020, which would impose limits on the use of biometric surveillance systems, such as facial recognition systems, by federal and state government entities. The bill also provided that any information obtained in violation of this bill would not be admissible by the federal government in any proceeding or investigation, except in a proceeding alleging a violation of this bill.
2. State and City Regulations
In 2020, several states passed, and others introduced, bills directly targeting facial biometrics.[74] In September 2020, the city of Portland, Oregon joined the list of cities that have enacted bans on certain uses of facial recognition technology.[75] Portland’s law is the first in the U.S., however, to limit the use of facial recognition technology by the private sector. Subject to narrow exceptions,[76] the Ordinance prohibits its use by “private entities” in public places within the city, including stores, restaurants and hotels, taking effect on January 1, 2021.
a) Maryland, H.B. 1202
On May 8, 2020, Maryland enacted H.B. 1202, banning the use of “a facial recognition service for the purpose of creating a facial template during an applicant’s interview for employment,” unless the interviewee signs a waiver. The bill’s definitions of the technology is directly aimed at AI: “‘facial template’ means the machine–interpretable pattern of facial features that is extracted from one or more images….”[77] The legislation appears to address a concern for potential hiring discrimination that may be borne out of these automated systems, akin to Illinois’ Artificial Intelligence Video Interview Act (effective January 1, 2020), or “AI Video Act,” which similarly required applicants to be notified and consent to the use of AI video analysis during interviews.[78]
b) Washington, S.B. 6280
In March 2020, Washington Governor Jay Inslee approved S.B. 6280, which would curb governmental use of facial recognition, prohibiting the use of such technology for ongoing surveillance and limits its use to acquiring evidence of serious criminal offences following authorization of a search warrant. The new law requires bias testing, training to safeguard against potential abuses, and disclosure when the state of Washington or its localities would employ facial recognition. Governor Inslee also partially vetoed the law, eliminating a provision which would establish a legislative task force that would provide recommendations regarding the potential abuses, safeguards, and efficacy of facial recognition services.[79] The law becomes effective on July 1, 2021.
C. Autonomous Vehicles
1. U.S. Federal Developments
a) DOT Acts on Updated Guidance for AV Industry
In January 2020, the Department of Transportation (“DoT”) published updated guidance for the regulation of the autonomous vehicle (“AV”) industry, “Ensuring American Leadership in Automated Vehicle Technologies” or “AV 4.0.”[80] The guidance builds on the AV 3.0 guidance released in October 2018, which introduced guiding principles for AV innovation for all surface transportation modes, and described the DoT’s strategy to address existing barriers to potential safety benefits and progress.[81] AV 4.0 includes 10 principles to protect consumers, promote markets and ensure a standardized federal approach to AVs. In line with previous guidance, the report promises to address legitimate public concerns about safety, security, and privacy without hampering innovation, relying strongly on the industry self-regulating. However, the report also reiterates traditional disclosure and compliance standards that companies leveraging emerging technology should continue to follow.
b) DOT Issues First-Ever Proposal to Modernize Occupant Protection Safety Standards for AVs
Shortly after announcing the AV 4.0, NHTSA in March 2020 issued its first-ever Notice of Proposed Rulemaking (“Notice”) “to improve safety and update rules that no longer make sense such as requiring manual driving controls on autonomous vehicles.”[82] The Notice aims to “help streamline manufacturers’ certification processes, reduce certification costs and minimize the need for future NHTSA interpretation or exemption requests.” For example, the proposed regulation would apply front passenger seat protection standards to the traditional driver’s seat of an AV, rather than safety requirements that are specific to the driver’s seat. Nothing in the Notice would make changes to existing occupant protection requirements for traditional vehicles with manual controls.[83]
c) SELF-DRIVE Act Reintroduced in U.S. Congress
Federal regulation of AVs had so far faltered in Congress, leaving the U.S. without a federal regulatory framework while the development of autonomous vehicle technology continues apace. However, on September 23, 2020, Rep. Bob Latta (R-OH) reintroduced the Safely Ensuring Lives Future Deployment and Research In Vehicle Evolution (“SELF DRIVE”) Act.[84] As we have addressed in previous legal updates,[85] the House previously passed the SELF DRIVE Act (H.R. 3388) by voice vote in September 2017, but its companion bill (the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (“AV START”) Act (S. 1885)) stalled in the Senate.
The bill empowers the National Highway Traffic Safety Administration (“NHTSA”) with the oversight of manufacturers of Highly Automated Vehicles (“HAVs”) through enactment of future rules and regulations that will set the standards for safety and govern areas of privacy and cybersecurity relating to such vehicles. The bill also requires vehicle manufacturers to inform consumers of the capabilities and limitations of a vehicle’s driving automation system and directs the Secretary of Transportation to issue updated or new motor vehicle safety standards relating to HAVs.
One key aspect of the bill is broad preemption of the states from enacting legislation that would conflict with the Act’s provisions or the rules and regulations promulgated under the authority of the bill by the NHTSA. While state authorities would likely retain their ability to oversee areas involving human driver and autonomous vehicle operation, the bill contemplates that the NHTSA would oversee manufacturers of autonomous vehicles, just as it has with non-autonomous vehicles, to ensure overall safety. In addition, the NHTSA is required to create a Highly Automated Vehicle Advisory Council to study and report on the performance and progress of HAVs. This new council is to include members from a wide range of constituencies, including members of the industry, consumer advocates, researchers, and state and local authorities. The intention is to have a single body (the NHTSA) develop a consistent set of rules and regulations for manufacturers, rather than continuing to allow the states to adopt a web of potentially widely differing rules and regulations that may ultimately inhibit development and deployment of HAVs.
In a joint statement on the bill, Energy and Commerce Committee Republican Leader Rep. Greg Walden (R-OR) and Communications and Technology Subcommittee Republican Leader Rep. Latta noted that “[t]here is a clear global race to AVs, and for the U.S. to win that race, Congress must act to create a national framework that provides developers certainty and a clear path to deployment.”[86] The bill was referred to the House Energy and Commerce Committee and awaits further action. While it is expected that the new administration will push legislative action on AVs, it is not yet clear what the scope of such legislation may be.
d) NHTSA Launched New Automated Vehicle Initiative to Improve Safety, Testing, And Public Engagement
On June 15, 2020, NHTSA announced a new initiative to improve the safety and testing transparency of AVs, the Automated Vehicle Transparency and Engagement for Safe Testing (“AV TEST”) Initiative.[87] The purpose of the AV TEST Initiative is to share information concerning the safe development and testing of AVs. In addition to “creating a formal platform for Federal, State, and local government to coordinate and share information in a standard way,” the Department is also creating a public-facing platform where companies and governments can choose to share on-road testing locations and testing activity data, such as vehicle types and uses, dates, frequency, vehicle counts, and routes.[88]
Although the AV TEST Initiative may provide welcome centralization, some safety advocates are critical of the Department’s voluntary approach and failure to develop minimum performance standards.[89]
e) NHTSA Released Report on Federal Motor Vehicle Safety Standards Considerations (“FMVSS”) for AVS
In April 2020, NHTSA released research findings on twelve Federal Motor Vehicle Safety Standards Considerations (“FMVSS”) related to vehicles with automated driving systems—six crash avoidance standards and six crashworthiness standards.[90] Specifically, the project evaluated options regarding technical translations of FMVSS, including the performance requirements and the test procedures, and related Office of Vehicle Safety Compliance (“OVSC”) test procedures, that may impact regulatory compliance of vehicles equipped with automated driving systems. The report evaluated the regulatory text and test procedures with the goal of identifying possible options to remove regulatory barriers for the compliance verification of ADS-dedicated vehicles (“ADS-DVs”) that lack manually operated driving controls. The regulatory barriers considered are those that pose unintended and unnecessary regulatory barriers, because the technical translation process does not change the performance standards of the FMVSS being considered.[91]
f) U.S. Department of Transportation Seeks Public Comment on Automated Driving System Safety Principles
On November 19, 2020, the DoT’s National Highway Traffic Safety Administration (“NHTSA”) announced that it is seeking public comment on the potential development of a framework of principles to govern the safe behavior of automated driving systems (“ADS”) for use in connected and autonomous vehicles (“CAVs”).[92] On the same day, NHTSA issued an advance notice of proposed rulemaking (“NPRM”) on a possible ADS framework (the “ADS NPRM”). [93] The ADS NPRM sends a strong signal that vehicles with ADS may in future be subject to a new generation of performance and safety (as well as design) standards. For more details, please see our Legal Update: U.S. Department of Transportation Seeks Public Comment on Automated Driving System Safety Principles.
g) U.S. State Law
State regulatory activity has continued to accelerate, adding to the already complex mix of regulations that apply to companies manufacturing and testing AVs. As outlined in our 2019 Artificial Intelligence and Automated Systems Annual Legal Review, state regulations vary significantly.
Given the fast pace of developments and tangle of applicable rules, it is essential that companies operating in this space stay abreast of legal developments in states as well as cities in which they are developing or testing AVs, while understanding that any new federal regulations may ultimately preempt states’ authorities to determine, for example, safety policies or how they handle their passengers’ data.
Washington’s HB 2676, which establishes minimum requirements for the testing of autonomous vehicles, went into effect on June 11, 2020. The bill requires companies testing AVs in Washington to report certain data regarding those tests to the state’s Department of Licensing and to carry $5 million minimum in umbrella liability insurance.[94]
Also, in November 2020, Massachusetts voters approved a ballot initiative amending the Commonwealth’s 2012 “Right to Repair Law.” The amendment provides that motor vehicles sold in Massachusetts “with model year 2022” will be required to equip vehicles that use telematics systems—systems that collect and wirelessly transmit mechanical data to a remote server—with a standardized open access data platform. With authorization of the owner, telematics data will be available to independent repair facilities and dealerships not otherwise affiliated with the OEM of the vehicle, who will “send commands to, the vehicle for repair, maintenance, and diagnostic testing.” Telematics data was purposefully excluded from the original law.[95]
2. European Commission Report on the Ethics of Connected and Automated Vehicles
In September 2020, the Commission published a report by an independent group of experts on the ethics of connected and automated vehicles (“CAVs”).[96] The report—which promotes the “systematic inclusion of ethical considerations in the development and use of CAVs”[97]—sets out twenty ethical recommendations on road safety, privacy, fairness, AI explainability, responding to dilemma situations, clear testing guidelines and standards, the creation of a culture of responsibility for the development and deployment of CAVs, auditing CAV algorithmic decision-making reducing opacity, as well as the promotion of data, algorithm and AI literacy through public participation. The report applies a “Responsible Research and Innovation” approach that “recognises the potential of CAV technology to deliver the […] benefits [reducing the number of road fatalities and harmful emissions from transport, improving the accessibility of mobility services]” but also incorporates a broader set of ethical, legal and societal considerations into the development, deployment and use of CAVs and to achieve an “inherently safe design” based on a user-centric perspective.[98] The report builds on the Commission’s strategy on Connected and Automated Mobility.[99]
3. Proposed German Legislation on Autonomous Driving
The German government intends to pass a law on autonomous vehicles (“Gesetz zum autonomen Fahren”) by mid-2021.[100] The new law is intended to regulate the deployment of CAVs in specific operational areas by the year 2022 (including Level 5 “fully automated vehicles”), and will define the obligations of CAV operators, technical standards and testing, data handling, and liability for operators. The proposed law is described as a temporary legal instrument pending agreement on harmonized international regulations and standards.
Moreover, the German government also intends to create, by the end of 2021, a “mobility data room” (“Datenraum Mobilität”), described as a cloud storage space for pooling mobility data coming from the car industry, rail and local transport companies, and private mobility providers such as car sharers or bike rental companies.[101] The idea is for these industries to share their data for the common purpose of creating more efficient passenger and freight traffic routes, and support the development of autonomous driving initiatives in Germany.
D. Intellectual Property
As AI systems evolve—producing “cultural artefacts, ranging from audio to text to images”[102]—intellectual property issues related to AI have been at the forefront of the new technology, as record numbers of U.S. patent applications involve a form of machine learning component. In January 2019, the United States Patent and Trademark Office (“USPTO”) released revised guidance relating to subject matter eligibly for patents and on the application of 35 U.S.C. § 112 on computer implemented inventions. On the heels of that guidance, on August 27, 2019, the USPTO published a request for public comment on several patent-related issues regarding AI inventions.[103]
In 2020, the USPTO, United Kingdom Intellectual Property Office (“UKIPO”), and European Patent Office (“EPO”) gave rulings on the questions of whether an AI system (“DABUS”) could be named as the inventor on a patent application. All came to the same conclusion: existing law provides that an inventor must be a human.[104] Subsequently, the USPTO sought insight into public opinion on how intellectual property laws and policy should develop as AI technology advances, and issued a Request for Comment (“RFC”) on August 27, 2019 (as reviewed in our client alert USPTO Requests Public Comments On Patenting Artificial Intelligence Inventions).
1. USPTO Report on Artificial Intelligence and Intellectual Property Policy
On October 6, 2020, the USPTO published a report “Public Views on Artificial Intelligence and Intellectual Property Policy” (the “Report”).[105] The Report catalogs the roughly 200 comments received in response to the USPTO’s RFC.[106] The USPTO requested feedback on issues such as whether current laws and regulations regarding patent inventorship and authorship of copyrighted work should be revised to take into account contributions other than by natural persons.
A general theme that emerged from the report was concern over the lack of a universally acknowledged definition of AI, and a majority view that current AI (i.e., AI that is not considered to be artificial general intelligence, or “AGI”) can neither invent nor author without human intervention. The vast majority of commenters stated that no changes should be necessary to the current U.S. law—that only a natural person or a company (via assignment) should be considered the owner of a patent or an invention. Many commenters asserted that there are no patent eligibility considerations unique to AI Inventions, and that AI inventions should not be treated any differently than other computer-implemented inventions. This is consistent with how the USPTO currently examines AI inventions today: claims to an AI invention that fall within one of the four statutory categories and are patent-eligible under the Alice/Mayo test[107] will be patent subject matter-eligible under 35 U.S.C. § 101.
The comments also suggested that existing U.S. intellectual property laws are “calibrated correctly to address the evolution of AI” (although commenters were split as to whether any new classes of IP rights would be beneficial to ensure a more robust IP system), and that “human beings remain integral to the operation of AI, and this is an important consideration in evaluating whether IP law needs modification in view of the current state of AI technology.”[108] Some commenters suggested that the USPTO should revisit the question when machines begin achieving AGI (i.e., when science agrees that machines can “think” on their own).
Finally, in response to a question about whether policies and practices of other global patent agencies should inform the USPTO’s approach, there was a divide between commentators advocating for an evolution of global laws in a common direction, and those who cautioned against further attempts to harmonize international patent laws and procedures “because U.S. patent law is the gold standard.”[109]
E. Financial Services
1. FINRA White Paper on AI
On June 12, 2020, the Financial Industry Regulatory Authority (“FINRA”), released a white paper on AI defining the scope of “AI” as it pertains to the securities industry, identifying areas in which broker-dealers are evaluating or using AI, and regulatory considerations for AI-based tools.[110]
The key areas in which the white paper contemplates AI being deployed are customer communications, investment processes, operational functions such as compliance and risk management, and administrative functions. FINRA notes that firms employing AI-based applications may “benefit from reviewing and updating their model risk management frameworks to address the new and unique challenges AI models may pose.”
Notably, FINRA Rule 3110 requires firms to supervise activities relating to AI applications to ensure that the functions and outputs of the application are properly understood and in line with the firm’s legal and compliance requirements. In addition, FINRA Rule 2010 requires firms to observe high standards of commercial honor and just and equitable principles of trade in the context of their AI applications. As such, FINRA recommends that firms review their data for potential biases and adopt data quality benchmarks and metrics as part of a comprehensive data governance strategy.
________________________
[1] Alex Engler, 6 developments that will define AI governance in 2021, Brookings (Jan, 21, 2020), available at https://www.brookings.edu/research/6-developments-that-will-define-ai-governance-in-2021/.
[2] Press release, Canada and France work with international community to support the responsible use of artificial intelligence (May 16, 2019), available at https://www.gouvernement.fr/sites/default/files/locale/piece-jointe/2019/05/23_cedrico_press_release_ia_canada.pdf.
[3] UK Government, Joint statement from founding members of the Global Partnership on Artificial Intelligence (Jun. 15, 2020), available at https://www.gov.uk/government/publications/joint-statement-from-founding-members-of-the-global-partnership-on-artificial-intelligence/joint-statement-from-founding-members-of-the-global-partnership-on-artificial-intelligence#fn:1.
[4] For further details, please see our 2019 Artificial Intelligence and Automated Systems Annual Legal Review.
[5] Robin Kelly, Kelly, Hurd Introduce Bipartisan Resolution to Create National Artificial Intelligence Strategy (Sept. 16, 2020), available at https://robinkelly.house.gov/media-center/press-releases/kelly-hurd-introduce-bipartisan-resolution-to-create-national-artificial?_sm_au_=iVV6kKLFkrjvZrvNFcVTvKQkcK8MG; H.Con.Res. 116, 116th Congress (2019-2020).
[6] Bipartisan Policy Center, A National AI Strategy (Sept. 1, 2020), available at https://bpcaction.org/wp-content/uploads/2020/09/1-Pager-on-National-AI-Strategy-Resolution-.pdf?_sm_au_=iVV6kKLFkrjvZrvNFcVTvKQkcK8MG.
[7] On September 10, 2020, the House Budget Committee held a hearing to discuss the impact of Artificial Intelligence on the U.S. economy, and specifically on what role technology should play in the country’s recovery post-COVID-19. Witness Darrell West, Ph.D., of Brookings Institution warned that the rapid integration of AI technologies developed in the private sector could affect the American workforce by causing job losses and job dislocation.
[8] The 10 AI principles are: Public Trust in AI; Public Participation; Scientific Integrity and Information Quality; Risk Assessment and Management; Benefits and Costs; Flexibility; Fairness and Nondiscrimination; Disclosure and Transparency; Safety and Security; and Interagency Coordination.
[9] Director of the Office of Management and Budget, Guidance for Regulation of Artificial Intelligence Applications (Jan. 7, 2020), at 5, available at https://www.whitehouse.gov/wp-content/uploads/2020/01/Draft-OMB-Memo-on-Regulation-of-AI-1-7-19.pdf.
[10] For an in-depth analysis, see our update, President Trump Issues Executive Order on “Maintaining American Leadership in Artificial Intelligence.”
[11] Director of the Office of Management and Budget, Guidance for Regulation of Artificial Intelligence Applications (Nov. 17, 2020), available at https://www.whitehouse.gov/wp-content/uploads/2020/11/M-21-06.pdf.
[13] Id., at 11; see also Appendix B: Template for Agency Plans, at 15-16.
[15] David Shepherdson, Trump signs order on principles for U.S. government AI use, Reuters (Dec. 3, 2020), available at https://www.reuters.com/article/us-trump-ai/trump-signs-order-on-principles-for-u-s-government-ai-use-idUSKBN28D357; see also Stanford University, New York University, Government by Algorithm: Artificial Intelligence in Federal Administrative Agencies (Feb. 2020), available at https://www-cdn.law.stanford.edu/wp-content/uploads/2020/02/ACUS-AI-Report.pdf (documenting 157 use cases of AI by 64 U.S. federal agencies).
[16] For more detail, see our 2019 Artificial Intelligence and Automated Systems Annual Legal Review.
[17] NIST, Four Principles of Explainable Artificial Intelligence (Aug. 2020), NISTIR 8312, available at https://www.nist.gov/system/files/documents/2020/08/17/NIST%20Explainable%20AI%20Draft%20NISTIR8312%20%281%29.pdf.
[18] H.R. 6395, 116th Congress (2019-2020).
[19] For more details, see our 2019 Artificial Intelligence and Automated Systems Annual Legal Review and Artificial Intelligence and Automated Systems Legal Update (2Q20).
[20] The Artificial Intelligence for the Armed Forces Act (S. 3965); the National AI Research Resource Task Force Act (H.R. 7096 and S. 3890); the Deepfakes Report Act (S. 2065), which was passed as a standalone bill in the Senate on October 24, 2019; and the Artificial Intelligence Education Act (H.R. 8390). For additional detail on these bills, see our previous 2020 Legal Updates (1Q20, 2Q20 and 3Q20).
[21] Stanford University, hai, Summary of AI Provisions from the National Defense Authorization Act 2021, available at https://hai.stanford.edu/policy/policy-resources/summary-ai-provisions-national-defense-authorization-act-2021.
[22] H.R. 6395, Title II, Sec. 235.
[23] Id., Title LI, Sec. 5102
[24] Id., Title LI, Sec. 5103
[25] Stanford University, Summary of AI Provisions from the National Defense Authorization Act 2021, supra n.21.
[26] H.R. 6395, Title LI, Sec. 5104.
[27] Stanford University, Summary of AI Provisions from the National Defense Authorization Act 2021, supra n.21.
[28] H.R. 6395, Title LI, Sec. 5106.
[29] Id., Title LII, Sec. 5201.
[30] Id., Title LIII, Sec. 5301.
[31] Stanford University, Summary of AI Provisions from the National Defense Authorization Act 2021, supra n.21.
[32] Comm. Sci. Space & Tech., Lucas Introduces Comprehensive Legislation to Secure American Leadership in Science and Technology (Jan. 29, 2020), available at https://republicans-science.house.gov/news/press-releases/lucas-introduces-comprehensive-legislation-secure-american-leadership-science.
[33] H.R. 6950, 116th Cong (2019–2020).
[34] H.R. 2575, 116th Congress (2019-2020).
[35] The Ripon Advance, GOP senators praise House passage of AI in Government Act (Sept. 16, 2020), available at https://riponadvance.com/stories/gop-senators-praise-house-passage-of-ai-in-government-act/?_sm_au_=iVV6kKLFkrjvZrvNFcVTvKQkcK8MG; Rob Portman, House Passes Portman, Gardner Bipartisan Legislation to Improve Federal Government’s Use of Artificial Intelligence (Sept. 14, 2020), available at https://www.portman.senate.gov/newsroom/press-releases/house-passes-portman-gardner-bipartisan-legislation-improve-federal?_sm_au_=iVV6kKLFkrjvZrvNFcVTvKQkcK8MG.
[36] H. Mark Lyon, Gearing Up For The EU’s Next Regulatory Push: AI, LA & SF Daily Journal (Oct. 11, 2019), available at https://www.gibsondunn.com/wp-content/uploads/2019/10/Lyon-Gearing-up-for-the-EUs-next-regulatory-push-AI-Daily-Journal-10-11-2019.pdf.
[37] European Commission, White Paper on Artificial Intelligence – A European approach to excellence and trust, COM(2020) 65 (Feb. 19, 2020), available at https://ec.europa.eu/info/sites/info/files/commission-white-paper-artificial-intelligence-feb2020_en.pdf.
[38] Id. Industries in critical sectors include healthcare, transport, police, recruitment, and the legal system, while technologies of critical use include such technologies with a risk of death, damage or injury, or with legal ramifications.
[39] European Commission, A European strategy for data, COM (2020) 66 (Feb. 19, 2020), available at https://ec.europa.eu/info/files/communication-european-strategy-data_en.
[40] European Commission, Report on the safety and liability implications of Artificial Intelligence, the Internet of Things and robotics, COM (2020) 64 (Feb. 19, 2020), available at https://ec.europa.eu/info/files/commission-report-safety-and-liability-implications-ai-internet-things-and-robotics_en.
[41] Innovative And Trustworthy AI: Two Sides Of The Same Coin, Position paper on behalf of Denmark, Belgium, the Czech Republic, Finland, France, Estonia, Ireland, Latvia, Luxembourg, the Netherlands, Poland, Portugal, Spain and Sweden, available at https://em.dk/media/13914/non-paper-innovative-and-trustworthy-ai-two-side-of-the-same-coin.pdf; see also https://www.euractiv.com/section/digital/news/eu-nations-call-for-soft-law-solutions-in-future-artificial-intelligence-regulation/.
[42] Stellungnahme der Bundesregierung der Bundesrepublik Deutschland zum Weißbuch zur Künstlichen Intelligenz – ein europäisches Konzept für Exzellenz und Vertrauen, COM (2020) 65 (June 29, 2020), available at https://www.ki-strategie-deutschland.de/files/downloads/Stellungnahme_BReg_Weissbuch_KI.pdf; see also Philip Grüll, Germany calls for tightened AI regulation at EU level, Euractiv (July 1, 2020), available at https://www.euractiv.com/section/digital/news/germany-calls-for-tightened-ai-regulation-at-eu-level/. Note also that German lawmaker Axel Voss has been appointed rapporteur of the European Parliament’s Special Committee on Artificial Intelligence in a Digital Age (“AIDA”), and will be in charge of drafting reports by the committee setting out EU goals and recommendations for AI.
[43] European Commission, White Paper on Artificial Intelligence: Public consultation towards a European approach for excellence and trust, COM (2020) (July 17, 2020), available at https://ec.europa.eu/digital-single-market/en/news/white-paper-artificial-intelligence-public-consultation-towards-european-approach-excellence.
[44] European Commission, Artificial intelligence – ethical and legal requirements, COM (2020) (June 2020), available at https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12527-Requirements-for-Artificial-Intelligence.
[46] European Parliament, Setting up a special committee on artificial intelligence in a digital age, and defining its responsibilities, numerical strength and term of office (June 18, 2020), available at https://www.europarl.europa.eu/doceo/document/TA-9-2020-0162_EN.html; the European Parliament is also working on a number of other issues related to AI, including: the civil and military use of AI (legal affairs committee); AI in education, culture and the audio-visual sector (culture and education committee); and the use of AI in criminal law (civil liberties committee).
[47] European Parliament, News Report, AI rules: what the European Parliament wants (Oct. 21, 2020), available at https://www.europarl.europa.eu/news/en/headlines/society/20201015STO89417/ai-rules-what-the-european-parliament-wants.
[48] European Parliament, Parliament leads the way on first set of EU rules for Artificial Intelligence (Oct. 20, 2020), available at https://www.europarl.europa.eu/news/en/press-room/20201016IPR89544/.
[49] In addition, the European Parliament announced that it had approved two separate legislative initiative reports calling on the Commission to address and tackle current shortcomings in the online environment in its Digital Services Act (“DSA”) package, due to be presented in December 2020. In particular, the Parliament noted that the EU aims to shape the digital economy at the EU level, as well as set the standards for the rest of the world. In addition, the Parliament outlined in its reports that all digital service providers established in non-EU must adhere to the DSA’s rules when their services are also aimed at consumers or users in the EU.
[50] European Parliament, Report with recommendations to the Commission on a framework of ethical aspects of artificial intelligence, robotics and related technologies (2020/2012 (INL)) (Oct. 8, 2020), available at https://www.europarl.europa.eu/doceo/document/A-9-2020-0186_EN.pdf; European Parliament, Resolution of 20 October 2020 with recommendations to the Commission on a framework of ethical aspects of artificial intelligence, robotics and related technologies (2020/2012 (INL)) (Oct. 20, 2020), available at https://www.europarl.europa.eu/doceo/document/TA-9-2020-0275_EN.pdf.
[51] Press Release, European Parliament, Parliament leads the way on first set of EU rules for Artificial Intelligence (Oct. 20, 2020), available at https://www.europarl.europa.eu/news/en/press-room/20201016IPR89544/.
[53] Press Release, European Parliament, Parliament leads the way on first set of EU rules for Artificial Intelligence (Oct. 20, 2020), available at https://www.europarl.europa.eu/news/en/press-room/20201016IPR89544/.
[54] European Parliament, Report with recommendations to the Commission on a civil liability regime for artificial intelligence (2020/2014 (INL)) (Oct. 5, 2020), available at https://www.europarl.europa.eu/doceo/document/A-9-2020-0178_EN.pdf; European Parliament, Resolution of 20 October 2020 with recommendations to the Commission on a civil liability regime for artificial intelligence (2020/2014 (INL)), available at https://www.europarl.europa.eu/doceo/document/TA-9-2020-0276_EN.pdf;
[55] European Parliament, Report on intellectual property rights for the development of artificial intelligence technologies (2020/2015(INI)) (Oct. 2, 2020), available at https://www.europarl.europa.eu/doceo/document/A-9-2020-0176_EN.pdf; European Parliament, Resolution of 20 October 2020 on intellectual property rights for the development of artificial intelligence technologies (2020/2015(INI)) (Oct. 20, 2020), available at https://www.europarl.europa.eu/doceo/document/TA-9-2020-0277_EN.pdf.
[56] AI HLEG, Ethics Guidelines for Trustworthy AI, Guidelines (Apr. 8, 2019), available at https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=60419.
[57] AI HLEG, Assessment List for Trustworthy Artificial Intelligence (ALTAI) for Self-Assessment (Jul. 17 2020), available at https://ec.europa.eu/digital-single-market/en/news/assessment-list-trustworthy-artificial-intelligence-altai-self-assessment.
[58] Council of Europe, Ad Hoc Committee on Artificial Intelligence (CAHAI), Feasibility Study (Dec. 17, 2020), available at https://rm.coe.int/cahai-2020-23-final-eng-feasibility-study-/1680a0c6da.
[59] Deutscher Bundestag, Enquete-Kommission, Künstliche Intelligenz – Gesellschaftliche Verantwortung und wirtschaftliche, soziale und ökologische Potenziale, Kurzzusammenfassung des Gesamtberichts (Oct. 28, 2020), available at https://www.bundestag.de/resource/blob/801584/102b397cc9dec49b5c32069697f3b1e3/Kurzfassung-des-Gesamtberichts-data.pdf.
[60] Committee on Standards in Public Life, Artificial Intelligence and Public Standards: report (Feb. 10, 2020), available at https://www.gov.uk/government/publications/artificial-intelligence-and-public-standards-report.
[61] Centre for Data Ethics and Innovation, AI Barometer Report (June 2020), available at https://www.gov.uk/government/publications/cdei-ai-barometer/cdei-ai-barometer
[62] UK Government, AI Council’s AI Roadmap (Jan. 6, 2021), available at https://www.gov.uk/government/publications/ai-roadmap.
[64] house of lords Liaison Committee, AI in the UK: No Room for Complacency, 7th Rep. of Session 2019-21 (Dec. 18, 2020), available at https://publications.parliament.uk/pa/ld5801/ldselect/ldliaison/196/196.pdf.
[65] UK ICO, Guidance on AI and data protection (July 30, 2020), available at https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/guidance-on-ai-and-data-protection/.
[66] Examples of such privacy-enhancing techniques include perturbation or adding ‘noise’, synthetic data, and federated learning.
[67] On the topic of data minimization, see also the European Data Protection Board’s (“EDPB”) Draft Guidelines on the Principles of Data Protection by Design and Default under Article 25 of the GDPR, adopted on October 20, 2020 after a public consultation and available at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf.
[68] See, e.g., Karen Hao, Congress Wants To Protect You From Biased Algorithms, Deepfakes, And Other Bad AI, MIT Review (15 April 2019), available at https://www.technologyreview.com/s/613310/congress-wantsto- protect-you-from-biased-algorithms-deepfakes-and-other-bad-ai/; Meredith Whittaker, et al, AI Now Report 2018, AI Now Institute, 2.2.1 (December 2018), available at https://ainowinstitute.org/AI_Now_2018_Report.pdf.
[69] Letter to the Hon. Janet Dhillon, Chair of EEOC (Dec. 8, 2020), available at https://www.bennet.senate.gov/public/_cache/files/0/a/0a439d4b-e373-4451-84ed-ba333ce6d1dd/672D2E4304D63A04CC3465C3C8BF1D21.letter-to-chair-dhillon.pdf.
[70] A.B. 2269, 2019-2020 Reg. Sess. (Cal. 2020).
[71] See San Francisco Ordinance No. 103-19, the “Stop Secret Surveillance” ordinance, effective 31 May 2019 (banning the use of facial recognition software by public departments within San Francisco, California); Somerville Ordinance No. 2019-16, the “Face Surveillance Full Ban Ordinance,” effective 27 June 2019 (banning use of facial recognition by the City of Somerville, Massachusetts or any of its officials); Oakland Ordinance No. 18-1891, “Ordinance Amending Oakland Municipal Code Chapter 9.65 to Prohibit the City of Oakland from Acquiring and/or Using Real-Time Face Recognition Technology”, preliminary approval 16 July 2019, final approval 17 September 2019 (bans use by city of Oakland, California and public officials of real-time facial recognition); Proposed Amendment attached to Cambridge Policy Order POR 2019 #255, approved on 30 July 2019 for review by Public Safety Committee (proposing ban on use of facial recognition technology by City of Cambridge, Massachusetts or any City staff); Attachment 5 to Berkeley Action Calendar for 11 June 2019, “Amending Berkeley Municipal Code Chapter 2.99 to Prohibit City Use of Face Recognition Technology,” voted for review by Public Safety Committee on 11 June 2019 and voted for continued review by Public Safety Committee on 17 July 2019 (proposing ban on use of facial recognition technology by staff and City of Berkeley, California). All of these ordinances incorporated an outright ban of use of facial recognition technology, regardless of the actual form or application of such technology. For a view on how such a reactionary ban is an inappropriate way to regulate AI technologies, see Lyon, H Mark, Before We Regulate, Daily Journal (26 June 2019) available at https://www.gibsondunn.com/before-we-regulate.
[72] For more details, see our 2019 Artificial Intelligence and Automated Systems Annual Legal Review.
[73] S. 3284, available at https://www.congress.gov/bill/116th-congress/senate-bill/3284.
[74] E.g., Idaho’s Facial Recognition Technology Act, H.B. 492; Maryland’s Facial Recognition Privacy Protection Act, H.B. 1578; Louisiana’s Act Relative to Facial Recognition Software, H.B. 662; Portland, Oregon’s
[75] Ordinance No. 190114, Title 34 Digital Justice, Chapter 34.10, “Prohibit the use of Face Recognition Technologies by Private Entities in Places of Public Accommodation in the City of Portland”. The City Council also passed a separate ordinance banning the use of facial recognition technology by the city government (including local police)
[76] The prohibition does not apply to use of face recognition technologies to the extent necessary for a private entity to comply with federal, state, or local laws; for user verification purposes by an individual to access the individual’s own personal or employer issued communication and electronic devices; or in automatic face detection services in social media applications. See 34.10.040
[78] For more details, see Gibson Dunn’s Artificial Intelligence and Automated Systems Legal Update (1Q20).
[79] Letter from Jay Inslee, Governor of the State of Washington, to The Senate of the State of Washington (March 31, 2020), available at https://crmpublicwebservice.des.wa.gov/bats/attachment/vetomessage/559a6f89-9b73-ea11-8168-005056ba278b#page=1.
[80] U.S. Dep’t of Transp., Ensuring American Leadership in Automated Vehicle Technologies: Automated Vehicles 4.0 (Jan. 2020), available at https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/360956/ensuringamericanleadershipav4.pdf.
[81] U.S. Dep’t of Transp., Preparing for the Future of Transportation: Automated Vehicles 3.0 (Sept. 2017), available at https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/320711/preparing-future-transportation-automated-vehicle-30.pdf.
[82] U.S. Dep’t of Transp., NHTSA Issues First-Ever Proposal to Modernize Occupant Protection Safety Standards for Vehicles Without Manual Controls, available at https://www.nhtsa.gov/press-releases/adapt-safety-requirements-ads-vehicles-without-manual-controls.
[83] 49 CFR 571 2020, available at https://www.federalregister.gov/documents/2020/03/30/2020-05886/occupant-protection-for-automated-driving-systems.
[84] H.R. __ 116th Congress (2019-2020).
[85] For more information, please see our legal updates Accelerating Progress Toward a Long-Awaited Federal Regulatory Framework for Autonomous Vehicles in the United States and 2019 Artificial Intelligence and Automated Systems Annual Legal Review.
[86] Energy & Commerce Committee Republicans, Press Release, E&C Republicans Continue Leadership on Autonomous Vehicles (Sept. 23, 2020), available at https://republicans-energycommerce.house.gov/news/press-release/ec-republicans-continue-leadership-on-autonomous-vehicles/.
[87] U.S. Dep’t of Transp., U.S. Transportation Secretary Elaine L. Chao Announces First Participants in New Automated Vehicle Initiative to Improve Safety, Testing, and Public Engagement (June 15, 2020), available at https://www.nhtsa.gov/press-releases/participants-automated-vehicle-transparency-and-engagement-for-safe-testing-initiative.
[88] U.S. Dep’t of Transp., av test Initiative, available at https://www.nhtsa.gov/automated-vehicles-safety/av-test.
[89] See, e.g., Keith Laing, Michigan, Fiat Chrysler Join Federal Self-Driving Car Initiative, The Detroit News (June 15, 2020), available at https://www.detroitnews.com/story/business/autos/2020/06/15/michigan-fiat-chrysler-join-federal-self-driving-car-initiative/3194309001/.
[90] Blanco, M., Chaka, M., Stowe, L., Gabler, H. C., Weinstein, K., Gibbons, R. B., Fitchett, V. L. (2020, April). FMVSS considerations for vehicles with automated driving systems: Volume 1 (Report No. DOT HS 812 796), U.S. Dep’t of Transp., available at https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/ads-dv_fmvss_vol1-042320-v8-tag.pdf.
[92] U.S. Dep’t of Transp., Press Release, U.S. Department of Transportation Seeks Public Comment on Automated Driving System Safety Principles (Nov. 19, 2020), available at https://www.nhtsa.gov/press-releases/public-comment-automated-driving-system-safety-principles.
[93] Framework for Automated Driving System Safety, 49 Fed. Reg. 571 (Nov. 19, 2020), available here.
[94] H.B. 2676, Washington State Legislature, available at https://apps.leg.wa.gov/billsummary/?BillNumber=2676&Year=2020&Initiative=false.
[95] See Rob Stumpf, There’s Another Huge Right to Repair Fight Brewing in Massachusetts, The Drive (Oct. 13, 2020), available at https://www.thedrive.com/news/36980/theres-another-huge-right-to-repair-fight-brewing-in-massachusetts.
[96] European Commission, Press Release, New recommendations for a safe and ethical transition towards driverless mobility, COM (2020) (Sept. 18, 2020), available at https://ec.europa.eu/info/news/new-recommendations-for-a-safe-and-ethical-transition-towards-driverless-mobility-2020-sep-18_en.
[98] European Commission, Directorate-General for Research and Innovation, Independent Expert Report, Ethics of Connected and Automated Vehicles: Recommendations on road safety, privacy, fairness, explainability, and responsibility (Sept. 18, 2020), at 4, available here.
[99] EC, Connected and automated mobility in Europe, COM(2020) (June 22, 2020), available at https://ec.europa.eu/digital-single-market/en/connected-and-automated-mobility-europe.
[100] Bundesministerium für Verkehr und digitabe Infrastruktur, Gesetz zum autonomen Fahren (Oct. 2020), available at https://www.bmvi.de/SharedDocs/DE/Artikel/DG/gesetz-zum-autonomen-fahren.html; see also Josef Erl, Autonomes Fahren: Deutschland soll Weltspitze werden, Mixed.de (Oct. 31, 2020), available at https://mixed.de/autonomes-fahren-deutschland-soll-weltspitze-werden/.
[101] Daniel Delhaes, Deutsche Autoindustrie erwägt, ihre Datenschätze zu bündeln, Handelsblatt (July 9, 2020), available at https://www.handelsblatt.com/technik/sicherheit-im-netz/autonomes-fahren-deutsche-autoindustrie-erwaegt-ihre-datenschaetze-zu-buendeln/26164062.html?ticket=ST-2824809-tuIGjXYQywf7MHzRurpa-ap4.
[102] Jack Clark, ImportAI (Jan. 18, 2021), available at https://jack-clark.net/.
[103] Request for Comments on Patenting Artificial Intelligence Inventions, 84 Fed. Reg. 44889, 44889 (Aug. 27, 2019); see also our client alert USPTO Requests Public Comments on Patenting Artificial Intelligence Inventions.
[104] See Decision on Petition re App’n No. 16/524,350 (USPTO, April 27, 2020); Decision on Petition re App’n Nos. GB1816909.4 and GB1818161.0 (UKIPO, December 4, 2019); Stephen L Thaler v The Comptroller-General of Patents, Designs And Trade Marks [2020] EWHC 2412 (Pat); Press Release, European Patent Office, EPO publishes grounds for its decision to refuse two patent applications naming a machine as inventor (January 28, 2020), available at https://www.epo.org/news-events/news/2020/20200128.html.
[105] United States Patent and Trademark Office, USPTO releases report on artificial intelligence and intellectual property policy (Oct. 6, 2020), available at https://www.uspto.gov/about-us/news-updates/uspto-releases-report-artificial-intelligence-and-intellectual-property?_sm_au_=iVV6kKLFkrjvZrvNFcVTvKQkcK8MG. For more detail, see our Artificial Intelligence and Automated Systems Legal Update (3Q20).
[106] United States Patent and Trademark Office, Public Views on Artificial Intelligence and Intellectual Property Policy (Oct. 2020), available at https://www.uspto.gov/sites/default/files/documents/USPTO_AI-Report_2020-10-07.pdf. On October 30, 2019, the USPTO also issued a request for comments on Intellectual Property Protection for Artificial Intelligence Innovation, with respect to IP policy areas other than patent law. The October 2020 USPTO publication summarizes the responses by commentators at Part II from p. 19 of the Report onwards.
[107] Alice Corp. Pty. Ltd. v. CLS Bank Int’l, 573 U.S. 208, 221 (2014); Mayo Collaborative Servs. v. Prometheus Labs., Inc., 566 U.S. 66 (2012).
[110] finra, Artificial Intelligence (AI) in the Securities Industry (June 20, 2020), available at https://www.finra.org/sites/default/files/2020-06/ai-report-061020.pdf.
The following Gibson Dunn lawyers prepared this client update: H. Mark Lyon, Frances Waldmann, Haley Morrisson, Tony Bedel, Emily Lamm and Derik Rao.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Artificial Intelligence and Automated Systems Group, or the following authors:
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Frances A. Waldmann – Los Angeles (+1 213-229-7914,[email protected])
Please also feel free to contact any of the following practice group members:
Artificial Intelligence and Automated Systems Group:
H. Mark Lyon – Chair, Palo Alto (+1 650-849-5307, [email protected])
J. Alan Bannister – New York (+1 212-351-2310, [email protected])
Patrick Doris – London (+44 (0)20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33 180, [email protected])
Ari Lanin – Los Angeles (+1 310-552-8581, [email protected])
Robson Lee – Singapore (+65 6507 3684, [email protected])
Carrie M. LeRoy – Palo Alto (+1 650-849-5337, [email protected])
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Michael Walther – Munich (+49 89 189 33 180, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
On January 26, 2021, the U.S. Court of Appeals for the Ninth Circuit reaffirmed the broad protections afforded to corporations and their officers when speaking about a company’s future plans and projections. See Wochos v. Tesla, Inc., –F.3d–, 2021 WL 246210 (9th Cir. Jan. 26, 2021). The Tesla opinion analyzes the scope of the “safe harbor” for forward-looking statements provided by the Private Securities Litigation Reform Act (“PSLRA”), which immunizes corporations and those speaking on their behalf from securities law liability premised on statements about a company’s plans, objectives, and projections of future performance, as well as the assumptions underlying those statements. See 15 U.S.C. § 78u-5. The Ninth Circuit reached the common sense conclusion that the Safe Harbor protects companies and senior officers when speaking about future plans and projections, even when those statements touch on the current state of affairs.
In Tesla, shareholder plaintiffs brought securities fraud claims against Tesla and certain of its officers regarding statements about Tesla’s progress in producing the Model 3 sedan. Plaintiffs alleged that statements about Tesla’s plans to meet certain production goals, including that Tesla was “on track” to meet these goals, were misleading because Tesla faced manufacturing challenges that made these goals hard to achieve. Plaintiffs claimed that the challenged statements were not forward-looking statements protected by the Safe Harbor because “these predictive statements contain embedded assertions concerning present facts that are actionable.”
The Ninth Circuit disagreed. While recognizing that a forward-looking statement may “contain[] non-forward-looking features” that are not protected by the Safe Harbor, the Court held a plaintiff can only make this showing by pleading “sufficient facts to show that the statement goes beyond the articulation of ‘plans,’ ‘objectives,’ and ‘assumptions’ and instead contains an express or implied ‘concrete’ assertion concerning a specific ‘current or past fact[].’” The Court reasoned that Tesla’s “statements that it was ‘on track’ to achieve” its goal of producing cars “and that ‘there are no issues’ that ‘would prevent’ Tesla from achieving the goal” were forward-looking, even though couched as statements about Tesla’s present state of affairs, “[b]ecause any announced ‘objective’ for ‘future operations’ necessarily reflects an implicit assertion that the goal is achievable based on current circumstances.” In other words, these statements about Tesla’s goals were “merely alternative ways of declaring or reaffirming the objective itself.” By contrast, if a statement about a future objective is accompanied by “a concrete factual assertion about a specific present or past circumstance,” the statement may fall outside the Safe Harbor because—“unlike ‘on track’ assertions—they do not rest on the sort of features that are intrinsic to all forward-looking statements.”
Separately, the Court offered helpful guidance on another element of securities fraud—loss causation, or the requirement that the plaintiff show that its losses were caused by fraud instead of something else. The Court found that it would be futile for plaintiffs to amend their complaint because even though Tesla’s stock price declined modestly following one of the challenged disclosures, the stock price rebounded the following day and was trading at prices above the pre-corrective disclosure price later in the week, which “refutes the inference that the alleged concealment of this particular fact caused any material drop in the stock price.”
* * *
The Ninth Circuit’s delineation between statements about concrete facts (which may be actionable), and unadorned statements about a company’s present belief in its ability to achieve future goals (which are not), should provide useful clarity for corporate speakers.
Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the Securities Litigation practice group, or the authors:
Brian M. Lutz – San Francisco/New York (+1 415-393-8379/+1 212-351-3881, [email protected])
Michael J. Kahn – San Francisco (+1 415-393-8316, [email protected])
Securities Litigation Group:
Monica K. Loseman – Co-Chair, Denver (+1 303-298-5784, [email protected])
Brian M. Lutz – Co-Chair, San Francisco/New York (+1 415-393-8379/+1 212-351-3881, [email protected])
Robert F. Serio – Co-Chair, New York (+1 212-351-3917, [email protected])
Jefferson Bell – New York (+1 212-351-2395, [email protected])
Matthew L. Biben – New York (+1 212-351-6300, [email protected])
Jennifer L. Conn – New York (+1 212-351-4086, [email protected])
Thad A. Davis – San Francisco (+1 415-393-8251, [email protected])
Ethan Dettmer – San Francisco (+1 415-393-8292, [email protected])
Mark A. Kirsch – New York (+1 212-351-2662, [email protected])
Jason J. Mendro – Washington, D.C. (+1 202-887-3726, [email protected])
Alex Mircheff – Los Angeles (+1 213-229-7307, [email protected])
Craig Varnen – Los Angeles (+1 213-229-7922, [email protected])
Robert C. Walters – Dallas (+1 214-698-3114, [email protected])
Aric H. Wu – New York (+1 212-351-3820, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
Munich associate Marcus Geiss and of counsel Birgit Friedl are the authors of “German Corporate Law 2021: A New Dawn Beyond Covid-19, Protectionist Tendencies and the Wirecard Fall-Out,” [PDF] published by M&A Review on January 29, 2021.
Munich partner Lutz Englisch, of counsel Silke Beiter and associate Sonja Ruttmann and Frankfurt associate Stefanie Zirkel also contributed to the article.
The start of a new year is often greeted with the phrase “out with the old, in with the new”. For those involved in cross-border litigation, the phrase has rarely seemed as appropriate as it does at the start of 2021.
It will have escaped no-one’s attention that 1 January 2021 marked the end of the Brexit transition period. This has resulted in a number of significant changes to the applicable cross-border procedural rules which litigators and those responsible for drafting commercial contracts will need to have in mind. This note provides a high level overview of the key developments. It is worth noting at the outset that the Trade and Cooperation Agreement between the UK and the EU, which was announced on 24 December 2020, is silent on each of the topics discussed below.
1. Governing law
The old: EC Regulations No 593/2008 on the law applicable to contractual obligations (Rome I) and No 864/2007 on the law applicable to non-contractual obligations (Rome II)
Rome I allows parties to choose the law which will govern a contract, and provides a series of rules to determine which law should apply in the event that the contract does not make this clear. Rome II sets out rules which govern the law applicable to non-contractual obligations arising in a number of different contexts including unfair competition, infringement of intellectual property rights and in tort, and also allows parties to agree the governing law. The regulations require the courts of each Member State (apart from Denmark) to apply those rules to determine the applicable law in a dispute.
The new: still Rome I and II
Post-Brexit, for the remaining EU Member States the Rome regulations continue to apply. Importantly, both Rome I and Rome II make clear that parties can choose as governing law the law of a non-Member State. Subject to the existing exceptions contained within the regulations, therefore, EU courts ought to continue to respect parties’ choice of English law.
While the UK may no longer be a Member State, the UK government has already enacted domestic legislation which provides that the rules set out in Rome I and Rome II continue to apply in the UK too. Nothing in the Trade and Cooperation Agreement changes that.
|
What does this mean for our clients? In the current, shifting legal landscape, it is of some comfort that the rules on governing law remain unchanged. There is no reason to stop using English law as the choice of law in your contracts: the reasons which would have led you to do so in the first place, such the well-developed body of law and the reputation for delivering legal certainty and fairness, are unaffected by Brexit. |
2. Jurisdiction
The old: EC Regulation No 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels Recast)
Brussels Recast sets out rules governing which Member State’s courts can hear a dispute, and what happens when the courts in two different Member States are both seised of a claim involving the same parties and cause of action.
The new: the Hague Convention of 30 June 2005 on choice of court agreements, failing which national law
As a result of Brexit, Brussels Recast no longer applies in the UK. What happens now is not straightforward.
The first thing to establish in any new dispute is whether there is an exclusive jurisdiction clause in favour of courts in the UK or in a Member State. If there is, the Hague Convention on choice of court agreements may apply: the UK was previously a party to the convention in its capacity as an EU Member State, and has acceded in its own right as of 1 January 2021. The convention also applies to Singapore, Mexico and Montenegro.
However, there is already a dispute between the UK and the EU about when the Hague Convention will apply: the UK believes that it will apply where there is an exclusive jurisdiction clause in a contract entered into after 1 October 2015, which is the date on which the UK acceded to the convention in its capacity as an EU Member State; the EU’s position is that the convention will only apply where the contract has been entered into after 1 January 2021, when the UK acceded in its own right. How the courts in the UK and in the EU deal with this in practice remains to be seen.
If the convention does apply, the courts designated in the exclusive jurisdiction clause are required to hear the case, and if a court in another contracting state is seised of the matter, it will have to suspend or dismiss the proceedings.
If the convention does not apply, then it is the local law of the state(s) in question which will apply. This may arise because of the date on which the contract was entered into, because there is no jurisdiction clause at all, or because the jurisdiction clause is non-exclusive (it provides for proceedings to be heard in a particular jurisdiction, but does not prevent the parties from beginning proceedings in any other jurisdiction) or is asymmetric (it provides that one party must bring proceedings in a particular jurisdiction, but allows the other party to begin proceedings in any jurisdiction).
The position may yet change again. In April 2020, the UK applied to accede to the 2007 Lugano Convention on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters. This would result in a very similar set of rules to those in force before Brexit under Brussels Recast. Note that one key difference is that, unlike Brussels Recast, the Lugano Contention has no solution to the infamous “Italian Torpedo”, whereby a party subject to an exclusive jurisdiction clause first brings proceedings before a court in a different country with a reputation for taking a long time to rule that it does not have jurisdiction, in order to delay and frustrate proceedings before the court designated in the exclusive jurisdiction clause. By contrast, Brussels Recast provides that the court designated in the exclusive jurisdiction clause must hear the dispute, and any other court seised of the matter must stay the proceedings, even if those proceedings began before those in the jurisdiction designed in the clause. We may therefore see the return of the Italian Torpedo, regardless of whether the UK accedes to the Lugano Convention.
The UK’s application to accede to the Lugano Convention must first be approved by all existing contracting parties: Switzerland, Iceland and Norway have indicated their support, but as at the time of writing the EU and Denmark (a contracting party in its own right) are yet to consent.
|
What does this mean for our clients? Having previously been able to rely on a single set of rules, we are now left with a different set of rules, potential disputes about whether those rules apply, defaulting to the national laws of each different EU Member State when the rules do not apply. This lack of clarity will inevitably give rise to litigation. When drafting contracts, clients may wish to opt for exclusive jurisdiction clauses if seeking certainty about the body of rules which will apply, and therefore about the courts which will hear any future dispute. However, it goes without saying that care must be taken in deciding whether this is the right option in all the circumstances, and legal advice should be taken as appropriate. |
3. Enforcement of judgments
The old: EC Regulations No 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels Recast) and No 805/2004 creating a European Enforcement Order for uncontested claims (EEO Regulation)
Under Brussels Recast, a judgment handed down by the courts of one Member State is enforceable not only in that Member State but also in any other Member State, as if it were a judgment of a court of that other Member State. The EEO Regulation sets out a simple process by which an uncontested judgment from one Member State can be enforced in another Member State (except Denmark). For proceedings brought from 1 January 2021 onwards, Brussels Recast and the EEO Regulation no longer apply in the UK.
The new: the Hague Convention of 30 June 2005 on choice of court agreements, failing which national law
The post-Brexit position for the enforcement of judgments is similar to that described above in relation to jurisdiction. Where an exclusive jurisdiction clause is involved, and subject to the date of the contract, the Hague Convention on choice of court agreements will apply and will mean that a judgment granted by the court designated in the exclusive jurisdiction clause must be recognised and enforced in the other contracting states.
In all other circumstances, it is the local law of the state(s) in which the judgment is being enforced which will apply. Note that, before joining the EU, the UK entered into a number of bilateral treaties for the reciprocal recognition and enforcement of judgments with certain current EU Member States, including France, Germany, Italy and the Netherlands: it may be that these can be revived and relied upon once again.
As mentioned above, the UK has applied to accede to the 2007 Lugano Convention and if that application is successful, the position would once again be very similar to the way it was under Brussels Recast. It remains to be seen if the EU (and Denmark) allow this to happen.
|
What does this mean for our clients? Where the Hague Convention does not apply, the enforcement of judgments is likely to be slower, more cumbersome and ultimately more expensive than it was under Brussels Recast. When drafting contracts, as things stand exclusive jurisdiction clauses may lead to judgments which are easier to enforce in the future. Of course, there is likely to be a significant gap between the entering into of a contract and the obtaining of a judgment following a related dispute, and the rules may well have changed several times in the intervening period. |
4. Service of documents
The old: EC Regulation 1393/2007 on the service in EU countries of judicial and extrajudicial documents in civil or commercial matters (Service Regulation)
Following Brexit, the Service Regulation will no longer apply between the UK and the EU. The regulation aims to establish a standardised and speedy procedure for the service of documents between parties in different Member States. Each Member State designates transmitting and receiving agencies, with the transmitting agency in one country sending the documents to the receiving agency in another, and the receiving agency is then responsible for service. Member States are also permitted to serve directly on a party in another Member State by registered post.
The new: the Hague Convention of 15 November 1965 on the service abroad of judicial and extrajudicial documents in civil and commercial matters
As of 1 January 2021, the Hague Convention of 15 November 1965 will apply instead in the UK. This instrument already applied to the service of documents between the UK and Denmark and the EFTA countries (apart from Lichtenstein), as well as between the UK and the USA and many other countries: there are some 78 contracting parties in total.
The good news is that all 27 EU Member States are signatories to the convention: you will not need to consider if some instrument other than the convention applies, regardless of which EU Member State you are dealing with. The bad news is that each of the 27 Member States has made reservations and declarations in relation to the convention. You will therefore have to look closely at the rules which apply in the relevant country.
In practice, the means of service may not turn out to be terribly different under the Hague Convention. Contracting states are required to designate a central authority to which requests for service can be addressed, and that authority will then arrange for service in accordance with the national laws of its country. Service by mail is also possible under the Hague Convention, although some contracting countries have objected and do not allow this.
Notably, as the UK reverts to a piece of legislation enacted in 1965, the EU is already looking to the future: a new regulation on the service of documents will come into force on 1 July 2022 and seeks to streamline the service process further, including allowing for electronic service.
|
What does this mean for our clients? The main impact you are likely to notice is on the time it takes to serve documents. Under the EC Regulation, receiving agencies were expected to serve documents within one month of receipt. In due course, electronic service ought to speed things up further. The Hague Convention contains no similar provision. We will have to wait to see how quickly EU Member States will deal with requests for service under the Hague Convention as opposed to the EC Regulation, but from experience, delays of several months would not be uncommon. Bear in mind, too, the need to consider the rules applied by the country in which you are seeking to serve: it may be that you need to seek local advice, which could add further delay and expense. If entering into a new contract with a counterparty in the EU, you would be well advised to include a process agent clause in the contract which makes clear who has authority to accept service on the counterparty’s behalf: this could save time and cost if you are later required to issue proceedings. |
5. Obtaining evidence
The old: EC Regulation 1206/2001 on cooperation between the courts of the EU countries in the taking of evidence in civil or commercial matters
As of 1 January 2021, EC Regulation 1206/2001 no longer applies in the UK. This regulation aims to speed up the process of obtaining evidence located in one Member State for use in proceedings in another, and allowed courts to make requests directly to the court in the other Member State.
The new: Hague Convention of 18 March 1970 on the taking of evidence abroad in civil and commercial matters
The UK is a contracting party to the Hague Convention of 18 March 1970, as are 24 of the remaining EU Member States (i.e. all but Austria, Belgium and Ireland). This convention will now govern requests for evidence between the UK courts and the courts of those 24 Member States. As with the Hague Convention on service discussed above, all of those Member States bar Slovenia have made reservations and declarations to the convention, so again you will have to look closely at the rules which apply in the relevant country.
In practice, as with service and subject to each Member State’s reservation, the process of obtaining evidence from an EU Member State which is a signatory to the convention may not be very different. A letter of request must be sent by the judicial authority of one state to the competent authority of the other state. The evidence sought must be for use in contemplated or commenced judicial proceedings. Note in particular Article 23, which permits a contracting state to declare that it will not execute letters of request issued for the purpose of obtaining pre-trial discovery: while documents can be obtained for the purposes of proceedings not yet commenced, these cannot take the form of fishing expeditions designed to establish what documents an opponent might hold.
In the cases of Austria, Belgium and Ireland, letters of request will need to be sent to the courts of those countries via diplomatic channels, which will almost certainly add further delay. You may need to take local advice if trying to obtain evidence form one of those countries.
This new state of affairs can be contrasted with the former position under the EC Regulation, which aims for requests to be executed within 90 days of receipt. There is no such expectation under the convention.
|
What does this mean for our clients? As with service, the main differences are likely to be the speed with which evidence can be obtained, which could result in delays in beginning or progressing proceedings, and the potential need for local advice in the country in which the evidence is sought, which will also add delay and expense. If seeking evidence from Austria, Belgium or Ireland, the potential for such delay and expense is even greater. It remains to be seen if EU Member States will execute requests made under the convention by a UK court more quickly than they currently respond to requests from other contracting parties such as the US, but our experience in dealing with such requests is that they can often be long, inefficient and cumbersome processes. |
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments. Please contact the Gibson Dunn lawyer with whom you usually work, or the following authors in London:
Philip Rocher (+44 (0) 20 7071 4202, [email protected])
Susy Bullock (+44 (0) 20 7071 4283, [email protected])
Christopher Loudon (+44 (0) 20 7071 4249, [email protected])
Please also feel free to contact any of the following members of the Dispute Resolution Group in London:
Patrick Doris (+44 (0) 207 071 4276, [email protected])
Charlie Falconer (+44 (0) 20 7071 4270, [email protected])
Osma Hudda (+44 (0) 20 7071 4247, [email protected])
Allan Neil (+44 (0) 20 7071 4296, [email protected])
Doug Watson (+44 (0) 20 7071 4217, [email protected])
© 2020 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.