As the 2020 legislative session in New York state gets under way, one of the topics on the agenda is sure to be whether New York will for the first time allow New Yorkers to engage in mobile sports betting. In that context, whether the Legislature even has the power to legalize mobile sports wagering, in light of the restrictions on gambling set forth in the state’s Constitution, is an issue that will be front and center. Ultimately, looking to the traditional methods of constitutional interpretation, the state Constitution should not be construed to bar mobile sports wagering in New York State; the Legislature should be free to offer it.

Currently, New York law does not allow mobile sports wagering, unlike the laws of an increasing number of states. But as the Legislature takes up this important issue, the questions surrounding whether New York should authorize mobile sports gambling should ultimately be ones of policy, not constitutionality. Mobile sports wagering can be authorized in New York state consistent with the state Constitution.

Mylan Denerstein, Akiva Shapiro and Lee Crain discuss these developments in their article, which was published in the New York Law Journal:

The Constitutionality of Mobile Sports Wagering in New York State (click on link)

Gibson, Dunn & Crutcher’s lawyers are available to assist with any questions you may have regarding these issues. Please feel free to contact the Gibson Dunn lawyer with whom you usually work, or the authors in New York:

Mylan L. Denerstein – Co-Chair, Public Policy Practice (+1 212-351-3850, [email protected])
Akiva Shapiro (+1 212-351-3830, [email protected])
Lee R. Crain (+1 212-351-2454, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On December 11, 2020 the FDA granted Emergency Use Authorization for the Pfizer/BioNTech COVID‑19 vaccine candidate.[2] That vaccine, which appears to be more than 90% effective in preventing the virus’s spread,[3] was soon joined by a similarly effective vaccine developed by Moderna.[4]

With their blazing-fast production time and extraordinary efficacy, the COVID-19 vaccines are among our most impressive recent medical achievements. They may also be the most controversial. Despite near-universal healthcare consensus as to the vaccines’ overall safety and efficacy, early polling suggests deep skepticism, with many in the population indicating that, if offered the vaccine, they will refuse.[5] And in a time of endemic disinformation and controversy, this resistance may only deepen.

Given the choice, employers might prefer to stay on the sidelines in an effort to avoid the coming “vaccine wars.” Like it or not, however, America’s workplaces will be on the front lines and likely will find themselves caught between public health imperatives, liability fears, and a restive workforce. And while current guidance indicates that employers generally can mandate employee vaccination (subject to religious and medical exceptions), unless the Occupational Safety & Health Administration (OSHA) or other authority requires them to do so, employers will face strong and countervailing pressures in deciding whether or how to implement such policies.

This article offers a “Playbook” for employers to navigate these choppy waters. Below we set out key considerations, both for employers who want or ultimately may be required to pursue a mandatory vaccination program and for employers who wish to encourage voluntary compliance.

Each employment context, of course, will differ. A mandatory vaccination policy that works well for a close-quarters or contact-heavy workplace, such as a healthcare facility or even a meatpacking plant, might be too heavy handed for a low-contact team of remote computer coders. Likewise, different states, cities, and industries may adopt very different workplace vaccination rules, creating a thicket of regulation (this article limits its scope to nationally applicable federal regulation, but state and local rules may differ). Despite this variation, though, there are nevertheless strategies and insights that can offer guidance.

I. Deciding Who Decides: Should Employers Mandate Vaccination?

As a threshold question, employers will need to decide whether to require employees to be vaccinated or instead to make vaccination voluntary. Below are some key considerations in making this choice.

A. Why Require the Vaccine?

Protecting Workplace and Community Health: In the absence of a regulatory requirement, the single most important reason for a workplace vaccine mandate is that it will protect workers’ health and lives. Both the Pfizer/BioNTech and the Moderna COVID-19 vaccines have been found by the FDA to be “safe and effective” and have been supported by the VRBPAC, an FDA advisory panel of outside scientific and public health experts that has independently reviewed the data.[6] The upshot is that, based on the best evidence available, the vaccines now being rolled out will protect the health and lives of employees, customers, and communities.

To be sure, vaccinations will not ensure everyone’s safety: we do not yet have long-term data on the duration of immunity, even the most effective vaccine candidates will protect no more than 90 to 95% of patients, and bona fide medical or religious reasons mean that some individuals cannot be vaccinated. Accordingly, even in the best-case scenario, a significant minority of the population will still be exposed and dependent upon the development of herd immunity to protect them. But these caveats should not distract from this reality: by an order of magnitude, COVID-19 vaccines will be our most effective medical strategy to prevent transmission of the virus and save lives.

Ensuring Vaccines Become Vaccinations: These powerful health benefits, however, will only be realized if workers actually get the vaccine. In other words, as public health experts have noted, we must “turn vaccines into vaccinations.”[7] Here, a mandatory approach may be important because voluntary vaccine programs have often had relatively low compliance, even in industries like healthcare,[8] and even for vaccines that have been the subject of massive “persuasion” campaigns (such as for the flu).[9] Given the amount of disinformation surrounding the coronavirus in general and vaccines in particular, such opt-in rates may, without a mandate, be even lower here. Put another way, a mandatory vaccine policy likely will be vastly more successful than a voluntary one at ensuring workers actually get protected.

Reducing Costs of Absences, Lost Productivity, and Long-Run Medical Care: Because a mandatory vaccination program creates a more vaccinated workforce, it also can significantly reduce workplace costs. Vaccinated workers will be less likely to fall ill to COVID-19, impose fewer costs from absences or lost productivity, require fewer instances of acute medical care, and impose lower long-term health costs. This last point is an important one: COVID-19 might be best known for short-term (and often horrific) acute consequences, but its long-term health impacts are poorly understood, yet believed to be significant for some.[10] Therefore, the virus may lead to worker illness and impairment that can span for months or even years. A higher vaccination rate is likely to curb each of these costs.

Getting and Staying Open: A mandatory vaccination approach also makes it more likely that a business can open and stay open. Even if there are no medical consequences, a single positive COVID-19 test can lead an employer to fully stop operations, particularly in industries like dining and hospitality.[11] A highly vaccinated workplace reduces the likelihood of such stoppages. At the same time, high vaccination rates can accelerate a “return to normal” by making it safer for the workforce to return to the office or otherwise resume normal operations, and by creating a safer environment for customers.

Defend Against Civil Liability for COVID-19 Cases: Further, and especially as vaccination rates increase, an un- or under-vaccinated workforce may pose a liability risk, as individuals infected on premises look to pin the blame on employers.

Under tort law principles employers that fail to take reasonable care to protect employees (or, for that matter, vendors, visitors, customers, or others on premises) risk liability. Applying this concept, individuals who become sick based on alleged on-premises exposure can argue (and in some cases have argued) that a business’s negligent safety practices (whether related to personal protective equipment (PPE), vaccines, cleaning, or anything else) caused their illness.

For employees themselves, such COVID-19 suits are likely to be limited by workers’ compensation statutes. Indeed, companies are already seeing lawsuits seeking relief from employee injuries ranging from wrongful workplace exposure to COVID-19 to wrongful death from COVID-19.[12] In many cases, damages related to on-the-job COVID-19 exposure (or subsequent illness) will be considered occupational injuries and so are very likely covered under the relevant state’s workers’ compensation statutes. But employees’ lawyers will no doubt argue that this bar may not provide full protection, as evidenced by extensive (and, as of this writing, unsuccessful) efforts by federal lawmakers to provide businesses with greater immunity from employee COVID-19 claims,[13] as well as by a surge of interest in drafting (potentially unenforceable) employee COVID-19 liability waivers.[14]

More importantly, workers’ compensation statutes do not account for other stakeholders who may claim COVID-19 damages from exposure to an unvaccinated workforce. This includes suits by contractors, vendors, visitors, or customers—particularly in contact-intensive industries like education, lodging, hospitality, healthcare, or fitness where PPE may not provide sufficient protection.

A mandatory vaccination policy reduces these risks. First, and most obviously, mandatory vaccination makes it less likely individuals get sick in the first place, and therefore less likely anyone suffers legally actionable damages. Separately, the adoption and implementation of a mandatory vaccine plan can itself be important evidence of the high standard of care a company provided for those on premises, which also may be important in beating back potential liability.

Unless a broad liability shield is enacted by Congress, civil suits for COVID-19 infection damages, whether by employees, contractors, visitors, or customers, will remain a threat for the foreseeable future, and mandatory vaccination could be a key tool to address it.

Potential Protection Against Enforcement Action: Apart from civil liability from private plaintiffs, businesses without vaccine mandates could confront regulatory risk as well. Under OSHA’s “general duty” clause, for instance, employers are required to furnish each employee with a workplace free from recognized hazards that could cause serious harm.[15] While current OSHA guidance suggests this “general duty” can be satisfied by measures like PPE or distancing,[16] in the longer-run the agency might take the position that a robust vaccination program is required and that workplaces without such policies are not safe. This may be particularly true for healthcare and other industries where social distancing or similar measures may not be viable.

Further, even if OSHA does not enforce the “general duty” clause in this way, private litigants, unions, or others may seize on this language to argue that employers without mandatory vaccination policies are not providing a safe workplace.

B. Why Make the Vaccine Optional?

Employee Morale and Retention: Any “mandate,” as opposed to an optional program, would need to be carefully messaged and framed to the workforce. If the purposes behind the requirement are not explained (and even if they are), it may become a source of employee discontent or dissatisfaction. Day-to-day, such a requirement may lead employees opposed to the vaccine to view the company more negatively, and to respond accordingly.

Even with excellent messaging and buy-in, it is likely that some portion of the workforce, out of “anti-vaccine” belief, political views, or other reasons, will refuse to get the vaccine, and at the extreme may choose separation of employment rather than being vaccinated. And laws like the National Labor Relations Act (NLRA) could arguably protect various forms of employee protest as to the requirement, such as through social media campaigns.

Administrative Ease: Even for “mandatory” vaccines, by law those with medical conditions or sincerely held religious beliefs that preclude vaccination are entitled to make exemption requests and to seek appropriate reasonable accommodation (both possibilities discussed in detail below). Given the controversy around the vaccine, many workers may try to claim such exemptions. Without thoughtful processes, this could put Human Resources (HR) at risk of being overwhelmed by needing to decide, on a case-by-case basis, who qualifies for an exemption. In a voluntary program, by contrast, no (or much less) formal process is needed.

Less Liability Risk for Discrimination Claims: On this point, individuals who seek an exemption but are denied may pursue legal claims, such as on the grounds that they were unlawfully discriminated against under the Americans with Disabilities Act (ADA) based on a medical condition their employer did not treat with sufficient seriousness,[17] or under Title VII of the Civil Rights Act[18] for their religious beliefs. Careful applications of the exemption process will minimize this risk, but cannot eliminate it.

Potentially Less Necessary to Certain Industries: Finally, while in some industries, like healthcare or personal services, close contact is unavoidable, in others, it is less of a concern. For workplaces that do not require close contact, and so can more effectively avoid or mitigate the potential spread of the virus on-site, a vaccine mandate might be unnecessary.

II. Playbook For Employer Vaccine Policies

As the above shows, employers may have sound safety, business, and legal reasons to pick either a mandatory or a voluntary approach to a COVID-19 vaccine. But without attention to risk points, either approach can run into trouble. Here are ways to minimize the danger, no matter which approach employers take.

A. Assess the Right to Require Vaccinations

An employer’s first step is to confirm its right to require vaccinations. For obvious reasons, this is important to workplaces that want to mandate vaccines. But even workplaces that want to pursue voluntary vaccination policies may want to confirm this information, both because conditions may change over time, and also because, even if employers do not make vaccination a condition of employment, they may want to make it a condition for certain employment activities.

For most private-sector U.S. employers, current guidance strongly suggests that vaccinations can be required as a condition of employment for at-will employees. In its December 16, 2020 guidance on vaccination policies, the EEOC discusses at length the possibility that employers could “require” the vaccine, including how to best to “communicat[e] with employees about compliance with [an] employer’s vaccination requirement.”[19] This is in line with earlier approaches to (far less severe) pandemics. In the context of the H1N1 flu, for example, OSHA guidance indicates that, so long as a private employer makes appropriate religious and medical exceptions, an employer may require vaccination as a condition of employment.[20] Accordingly, employers are on strong ground to assume that, as a general matter, vaccination requirements are permissible.

That said, a given workplace may be subject to special conditions, so it is important to assess, at the outset, whether a vaccination requirement would be permissible. One example is if a collective bargaining agreement (CBA) governs the terms of employment, in which case it may speak to vaccine requirements.[21] Further, if employees are not at-will, but rather work under a contract, that contract may dictate whether a vaccine can be required.

Likewise, while to date no state or local law or regulation appears to impose any general bar to private employers requiring vaccination, the situation at the federal, state, and local level is evolving rapidly,[22] so employers should obtain legal advice and ensure no new rule (or relevant agency guidance or court decision) has changed the landscape before getting started.

B. Make a Plan to Process Exemption Requests

Even if employers choose to “mandate” a vaccine, they must still be prepared to provide legally required exceptions for employees who (1) cannot take the vaccine due to a medical disability or (2) seek an exemption from the vaccine based on sincerely held religious beliefs. Virtually all employers must comply with these important legal protections. But employers should also recognize that they can structure such requests, and the resulting accommodations, in a way that satisfies the law while ensuring that those who are not truly motivated by such concerns, but instead merely would prefer to be unvaccinated, do not take advantage of them.

1. Medical Exemptions

For medical reasons, some individuals may be unable to safely take the vaccine. We know, for example, that the vaccine should not be administered to individuals with a known history of a severe allergic reaction to any component of the vaccine. Under the ADA, if an employee claims to require an exemption based on a “disability,” [23] a workplace must engage in an “interactive process” with that individual to arrive, if possible, at a “reasonable accommodation” (which, potentially, would relieve the employee from having to get the vaccine).

Employee requests for medical exemptions should be treated like any other ADA request for accommodation.[24] However, if employers are concerned that vaccine qualms will lead to insincere accommodation requests, there are steps they can take. First, the ADA permits requests for reasonable documentation of the disability, which an employer can enforce.[25]

Second, workers with disabilities do not have the right to the accommodation of their choice, but rather to a “reasonable accommodation,” viz, one that “reasonably” accommodates their disability, and that does not impose an “undue hardship” on an employer.[26] For example, employees who cannot be vaccinated do not necessarily need to be offered the “accommodation” of simply not receiving the vaccine but then otherwise resuming work as normal, nor must they be offered the accommodation of continuing to work from home after their colleagues have returned to work. Rather, under appropriate circumstances, an employer might instead require unvaccinated employees to attend work, but continue to distance and wear masks and PPE, even after vaccinated employees may in the future be permitted to halt such measures.[27]

Other possible accommodations may include shifting unvaccinated workers to other workplace roles or positions, relocating work sites within a building, or requiring that employees work remotely even if they want to return.[28] This process will typically require a case-by-case assessment of the relevant facts.

In sum, employers should recognize that the ADA does not create an automatic right for anyone to “opt-out” of the vaccine, but only a right to a fair interactive process that leads to a reasonable accommodation.[29]

2. Religious Exemptions

The second major category for possible exemptions are accommodation requests based on sincerely held religious beliefs or religion-like philosophical systems.[30] Under Title VII, such beliefs must be taken into account, and if it would not pose “undue hardship,” a reasonable accommodation must be granted.

Compared to medical exemption requests, Title VII religious accommodation requests are (1) easier to establish, with employees permitted to substantiate the “sincerity” of their beliefs with little documentation; but (2) less demanding on employers, in that the accommodations granted need only be provided if they would impose “de minimis” burdens on the employer. Both of these distinctions are relevant to any COVID-19 vaccination mandate.

On the “sincerity” of the religious belief at issue, the EEOC has noted that an employer is entitled to “make a limited inquiry into the facts and circumstances of the employee’s claim that the belief or practice at issue is religious and sincerely held, and gives rise to the need for the accommodation.”[31] That said, an employee can provide sufficient proof of sincerity by a wide variety of means, including “written materials or the employee’s own first-hand explanation,” or verification of “others who are aware of the employee’s religious practice or belief.”[32] Beyond that, probing the “sincerity” of a religious belief is risky business. So to the extent employees provide such substantiation, and even if their interpretation of a religious tenet differs from that religion’s mainstream, employers would be wise, at that point, to accept it.

However, the EEOC has further made clear that employers are only obligated to accommodate “religious” beliefs or comprehensive religious-type philosophical systems, as opposed to other strongly held types of beliefs. For instance, there is no legal requirement to accommodate political, scientific, or medical views, or isolated ideas (such as “vaccines are dangerous”).[33]

Given these principles, workplaces with vaccine mandates may want to create standardized Title VII exemption-request forms that (1) expressly state and remind employees that political, social, scientific, or other non-religious views are not sufficient justification and that it is not appropriate to request a Title VII exemption on those grounds, but that (2) otherwise permit employees to explain, in their own words, their religious or religious-type beliefs and why those beliefs prevent vaccination. As noted, however, to the extent an employee then completes the form and provides such an explanation, the explanation generally should be credited.

However, for the accommodation itself, as in the ADA context, even a sincere religious exception does not guarantee the right to be accommodated, but only the right to a process that may, if legally required, lead to an accommodation. And unlike the medical context, where the “undue hardship” an employer must show to deny accommodation is a “significant difficulty or expense,”[34] in the Title VII context “undue burden” is defined to require only a showing of more than a “de minimis” cost on the business.[35]

Accordingly, in addition to requiring unvaccinated employees to keep using PPE and other measures even after the rest of the workforce returns to normal, an employer likely has much more latitude to indicate that, where the risk of non-vaccination imposes burdens on the company, non-vaccination will not be allowed.[36]

C. Build Buy-In and Plan for Conflict Diffusion

Even with the legal authority to impose a mandate, employers that go this route still must be sure to build employee buy-in for compliance. This is particularly important in light of concerns regarding how a vaccine requirement might impact employee morale or office culture.

The more a workforce understands why the employer chose a mandate, and the more they have the chance to feel “heard” on the subject, the less friction there will be (and the fewer workers will attempt to claim potentially unneeded exemptions). Best practices for building buy-in include:

Informing employees of the policy change in advance, so that they can meaningfully share their views.
Clear communication as to the purpose of the requirement: employee safety and allowing a return to normal.
Tying the vaccine mandate to concrete and visible changes (e.g., once the vaccine is in place, re-open formerly closed off recreation areas or office space).
Providing accurate and reader-friendly information on the vaccine. Given the amount of mis- or disinformation available, employers and HR in particular will play a key educational role.

On this point, given the incendiary rhetoric around vaccines and strong beliefs held by individuals on many topics related to vaccination, it is possible that the accommodation process, if not carefully handled, could lead to workplace tension. Workplaces should be aware of this risk and ensure that at no time does it rise to the level of impermissible discrimination or a hostile workplace.[37]

D. Minimize (and if Possible, Eliminate) Vaccination Costs to Employees

As a further way to ensure buy-in, whether for a mandatory or a voluntary program, employers should consider as many steps as possible to reduce the cost to employees of getting the vaccine. The vaccine itself will be provided, free of charge, by the federal government.[38] But unless already covered by employee insurance, employees may still be charged an “administrative fee.”[39] Employers should consider covering those or other incidental costs, even if otherwise “out of plan” for workers.

Another “cost” to employees is that of time—such as the time to travel off-site to get a vaccine. Accordingly, contracting with a third-party provider to conduct on-site vaccination can help reduce this cost, as it brings vaccines on-site. That said, the EEOC has recently clarified that, to the extent an employer either directly administers a vaccine or contracts with a third-party to do so on its behalf, it incurs special medical-privacy obligations that may pose additional record-keeping and compliance burdens.[40] Employers considering requiring or encouraging vaccines should carefully consider these tradeoffs in deciding whether or not to bring vaccination “in-house.”

Finally, for the small minority of workers who experience symptoms or bad reactions to the vaccine, employers should consider adopting a permissive approach to allowing (or extending further) paid sick leave to the extent necessary, even if a worker might otherwise not be entitled to it.

As shown above, such measures, while they may not be legally required in certain circumstances (depending on wage-hour and sick leave laws, among other things), are likely to be critical to increase and encourage buy-in.

E. Take a Thoughtful Approach to Continued PPE and Distancing Requirements

One common question will be whether a vaccination policy can or should supplant mask requirements, distancing, and other measures. Because the vaccines are not one-hundred percent effective, there is no guarantee that even a vaccinated employee will be fully protected. And because no one yet knows whether vaccinated individuals can still spread the virus, employers should be mindful of the safety of individuals who, for medical or religious reasons, are unable to be vaccinated. Finally, even the most optimistic projections indicate that, for at least some period of time, there will not be enough vaccines to cover everyone in the workforce.[41] Each of these considerations suggests that, at least in the short term, policies like masks and social distancing will still be necessary.

In the long run, however, providing the prospect of a return to relative normal for those who are vaccinated could be a powerful force toward boosting morale and commitment to a vaccination program, and toward getting greater employee buy-in.

F. Be Aware of Labor Law Issues

One further area to be aware of in rolling out a vaccine policy is the possibility of concerted labor action. Section 7 of the NLRA protects certain “concerted activity” regarding working conditions,[42] which might extend to protests or other labor action regarding a vaccine policy. Crucially, however, the NLRA does not protect non-compliance with workplace safety rules (such as employees attempting to style refusal to be vaccinated as a legally protected labor protest).[43] Further, to the extent there is a risk of labor activity against a vaccine mandate, employers should be aware that there is a countervailing risk of labor activity for a mandate, such as strikes by employees who refuse to come to work until their colleagues have been vaccinated.

G. Don’t Lean Too Hard (or Perhaps at All) on Waivers

Finally, for those employees who, whether by choice or a valid exemption, are not vaccinated, some employers are considering requiring a waiver indicating that the employee understands the medical risks of this decision and accepts any associated risk. Given the limitations on the enforceability and permissibility of such waivers, however, a robust disclosure may be a better format. OSHA, for instance, has long required an attestation for employees in the context of bloodborne pathogen vaccines acknowledging their understanding of the risks should they not be vaccinated.[44] Seeing the risks of declining the vaccine clearly laid out in writing may, at the margin, increase buy-in.

That said, as a liability protection device, there is reason to be skeptical about such disclosures or waivers. In many jurisdictions, courts will find that employee liability waivers for workplace illnesses and injuries are not enforceable or even permissible, given the perceived imbalance of bargaining power or the operation of state workers’ compensation laws (which in some cases are read to preclude such waivers).[45] Accordingly, while it may make sense to provide certain disclosures to unvaccinated employees, an actual waiver of liability may be prohibited or unenforceable.

* * *

As noted at the outset, no one size fits all, especially given the different levels of risk of infection spread in different industries and workplaces, as well as the fast-evolving legislative and regulatory environment around COVID-19. Consulting with experienced employment law counsel is essential to ensuring that your workplace can best address these complex and fast‑moving questions.

____________________

[1] An earlier version of this article originally appeared as a Gibson Dunn & Crutcher Client Alert titled, “An Employer Playbook for the COVID ‘Vaccine Wars’”, available at https://www.gibsondunn.com/wp-content/uploads/2020/12/an-employer-playbook-for-the-covid-vaccine-wars.pdf. For additional legal resources and guidance regarding the impact of COVID-19 in the workplace, see https://www.gibsondunn.com/coronavirus-covid-19-resource-center/.

[2] Jessica Glenza, “FDA approves Pfizer/BioNTech coronavirus vaccine for emergency use in US,” The Guardian (Dec. 11, 2020), available at https://www.theguardian.com/world/2020/dec/11/fda-approves-pfizer-biontech-covid-19-coronavirus-vaccine-for-use-in-us.

[3] Lauran Neergaard and Linda A. Johnson, “Pfizer says COVID-19 vaccine is looking 90% effective,” Associated Press (Nov. 10, 2020), available at https://apnews.com/article/pfizer-vaccine-effective-early-data-4f4ae2e3bad122d17742be22a2240ae8.

[4] Denise Grady et al., F.D.A. Authorizes Moderna Vaccine, Adding Millions of Doses to U.S. Supply, N.Y. Times (Dec. 18, 2020), available at https://www.nytimes.com/2020/12/18/health/covid-vaccine-fda-moderna.html; see also Denise Grady, “Early Data Show Moderna’s Coronavirus Vaccine Is 94.5% Effective,” N.Y. Times (Nov. 16, 2020), available at https://www.nytimes.com/2020/11/16/health/Covid-moderna-vaccine.html.

[5] See, e.g., RJ Reinhart, “More Americans Now Willing to Get COVID-19 Vaccine,” Gallup (Nov. 17, 2020), available at https://news.gallup.com/poll/325208/americans-willing-covid-vaccine.aspx (survey indicating that, as of late November, 42% of Americans would not agree to be vaccinated against COVID-19, up from 34% in July); Bill Hutchinson, “Over half of NYC firefighters would refuse COVID-19 vaccine, survey finds,” ABC News (Dec. 7, 2020), available at https://abcnews.go.com/Health/half-nyc-firefighters-refuse-covid-19-vaccine-survey/story?id=74582249.

[6] For an accessible introduction to this process, see FDA, “Vaccine Development – 101,” available at https://www.fda.gov/vaccines-blood-biologics/development-approval-process-cber/vaccine-development-101.

[7] See, e.g., Testimony to the Subcomm. on Oversight and Investigation of the H. Comm. on Energy and Commerce 1 (Sept. 30, 2020) (statement of Ashish K. Jha, Dean of Brown University School of Public Health), available at https://docs.house.gov/meetings/IF/IF02/20200930/111063/HHRG-116-IF02-Wstate-JhaA-20200930.pdf.

[8] See, e.g., Carla Black et al., CDC, Health Care Personnel and Flu Vaccination, Internet Panel Survey, United States, November 2017 (2017), available at https://www.cdc.gov/flu/fluvaxview/hcp-ips-nov2017.htm (noting a 60-70% flu vaccination rate among healthcare personnel).

[9] See, e.g., CDC, Flu Vaccination Coverage, United States, 2019–20 Influenza Season (Oct. 1, 2020), available at https://www.cdc.gov/flu/fluvaxview/coverage-1920estimates.htm.

[10] See, e.g., Rita Rubin, As Their Numbers Grow, COVID-19 ‘Long Haulers’ Stump Experts, J. of Am. Med. (Sept. 23, 2020), available at https://jamanetwork.com/journals/jama/fullarticle/2771111 (noting scientific studies estimating that approximately 10% of people who have had COVID-19 experience long-term symptoms, from fatigue to joint pain, and that these effects manifested even in individuals who were not initially seriously ill).

[11] See, e.g., “Some Savannah restaurants close due to positive COVID-19 cases,” WTOC (June 19, 2020), available at https://www.wtoc.com/2020/06/24/some-savannah-restaurants-close-due-positive-covid-cases/.

[12] See, e.g., Jean Casarez, “Wrongful death lawsuit filed against long-term care facility over staffer’s Covid‑19 death,” CNN (July 10, 2020), available at https://www.cnn.com/2020/07/10/us/wrongful-death-lawsuit-care-facility/index.html.

[13] See, e.g., “CEOs Seek Liability Shield in Next Relief Bill: Congress Update,” Bloomberg News (Dec. 22, 2020), available at https://www.bloomberg.com/news/articles/2020-12-22/trump-has-a-week-to-sign-massive-year-end-bill-congress-update.

[14] See discussion infra.

[15] 29 U.S.C. § 654.

[16] See generally U.S. DOL, OSHA Report 4045-06 2020, Guidance on Returning to Work (2020), available at https://www.osha.gov/Publications/OSHA4045.pdf.

[17] 42 U.S.C. § 12112 (barring discrimination on the basis of a “disability”). Because “disability,” as defined in the ADA and further defined in subsequent ADAAA, includes any “physical or mental impairment that substantially limits one or more major life activities of [an] individual,” id. § 12102, employees who do not wish to be vaccinated may argue that they have a disability that prevents them from being vaccinated.

[18] Id. § 2000e-2 (prohibiting discrimination on the basis of an “individual’s race, color, religion, sex, or national origin”).

[19] See, e.g., EEOC, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws, (Dec. 16, 2020), at ¶¶ K2, K3, K5, available at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws.

[20] See, e.g., OSHA, Standards Interpretation of Nov. 9, 2019, available at https://www.osha.gov/laws-regs/standardinterpretations/2009-11-09 (“[A]lthough OSHA does not specifically require employees to take the vaccines, an employer may do so”).

[21] Note, however, that to the extent OSHA or state regulators ultimately require, as a generally applicable workplace safety rule, that certain workplace vaccination policies be put into place, such health and safety rules would likely trump contrary (that is, more permissive) CBA terms. See discussion infra; see also United Steelworkers of America v. Marshall, 647 F.2d 1189, 1236 (D.C. Cir. 1980) (noting duty to bargain with unions over safety and health matters does not excuse employers from complying with OSHA safety standards); Paige v. Henry J. Kaiser Co., 826 F.2d 857, 863 (9th Cir. 1987) (same, as applied to California’s state-level OSHA equivalent).

[22] See, e.g., Joe Sonka, “Kentucky legislator pre-files bill prohibiting colleges from mandating vaccines,” Louisville Courier J. (Dec. 4, 2020), available at https://www.courier-journal.com/story/news/politics/ky-general-assembly/2020/12/04/kentucky-bill-would-prohibit-colleges-mandating-covid-19-vaccine/3827327001/.

[23] See 42 U.S.C. §12102 (defining “disability” to include any “physical or mental impairment that substantially limits one or more major life activities of [an] individual.”).

[24] See generally EEOC, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws, (Dec. 16, 2020), at ¶ K5, available at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws (setting out “interactive process” for employees seeking exemption from workplace COVID-19 vaccination requirements).

[25] See EEOC, Enforcement Guidance on Reasonable Accommodation and Undue Hardship under the ADA, EEOC-CVG-2003-1, Oct. 17, 2002 (“May an employer ask an individual for documentation when the individual requests reasonable accommodation? . . . Yes. When the disability and/or the need for accommodation is not obvious, the employer may ask the individual for reasonable documentation about his/her disability and functional limitations.”); see also EEOC, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws, (Dec. 16, 2020), at ¶ K5, available at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws (describing possibility, in context of COVID-19 vaccination requirement, of “obtain[ing] supporting documentation about the employee’s disability”).

[26] See EEOC, Enforcement Guidance on Reasonable Accommodation and Undue Hardship under the ADA, EEOC-CVG-2003-1 (Oct. 17, 2002), available at https://www.eeoc.gov/laws/guidance/enforcement-guidance-reasonable-accommodation-and-undue-hardship-under-ada; accord EEOC, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws, (Dec. 16, 2020), at ¶ K5, available at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws.

[27] For analysis of an analogous question, see, for example, EEOC v. Baystate Med. Ctr., Inc., No. 3:16-cv-30086, Dkt. No. 125 (D. Mass. June 15, 2020) (Order upholding policy that required unvaccinated healthcare workers to, as a condition of employment, wear masks even though vaccinated colleagues were not required to) [Order text accessible via PACER and CM/ECF and partially reprinted at Vin Gurrieri, “EEOC Religious Bias Suit Over Hospital Worker Firing Tossed,” Law360 (June 16, 2020), available at https://www.law360.com/articles/1283456/eeoc-religious-bias-suit-over-hospital-worker-firing-tossed]; see also Holmes v. Gen. Dynamics Mission Sys., Inc., No. 19-1771, 2020 WL 7238415, at *3 (4th Cir. Dec. 9, 2020) (suggesting that as “long as [a workplace safety] requirement is valid, any employee who is categorically unable to comply . . . will not be considered a ‘qualified’ individual for ADA purposes,” and so may independently be denied a particular requested accommodation on such basis) (internal punctuation and citation omitted).

[28] See generally EEOC, Enforcement Guidance on Reasonable Accommodation and Undue Hardship under the ADA, EEOC-CVG-2003-1 (Oct. 17, 2002), available at https://www.eeoc.gov/laws/guidance/enforcement-guidance-reasonable-accommodation-and-undue-hardship-under-ada; accord EEOC, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws, (Dec. 16, 2020), at ¶ K5, available at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws.

[29] See EEOC, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws, (Dec. 16, 2020), at ¶ K7, available at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws (“If an employee cannot get vaccinated for COVID-19 because of a disability or sincerely held religious belief, practice, or observance, and there is no reasonable accommodation possible, then it would be lawful for the employer to exclude the employee from the workplace.”).

[30] Specifically, EEOC guidance indicates such protections extend to “[r]eligious beliefs include theistic beliefs (i.e. those that include a belief in God) as well as non-theistic ‘moral or ethical beliefs as to what is right and wrong which are sincerely held with the strength of traditional religious views.’” EEOC, Questions and Answers: Religious Discrimination in the Workplace, EEOC-NVTA-2008-2 (July 22, 2008), available at https://www.eeoc.gov/laws/guidance/questions-and-answers-religious-discrimination-workplace/.

[31] Id.; accord EEOC, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws, (Dec. 16, 2020), at ¶ K6, available at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws (“If, however, an employee requests a religious accommodation, and an employer has an objective basis for questioning either the religious nature or the sincerity of a particular belief, practice, or observance, the employer would be justified in requesting additional supporting information.”).

[32] See EEOC, Section 12 Religious Discrimination, EEOC-CVG-2008-1 (July 22, 2008), available at https://www.eeoc.gov/laws/guidance/section-12-religious-discrimination.

[33] Id.

[34] See EEOC, Enforcement Guidance on Reasonable Accommodation and Undue Hardship under the ADA, EEOC-CVG-2003-1 (Oct. 17, 2002), available at https://www.eeoc.gov/laws/guidance/enforcement-guidance-reasonable-accommodation-and-undue-hardship-under-ada.

[35] EEOC, Questions and Answers: Religious Discrimination in the Workplace, EEOC-NVTA-2008-2 (July 22, 2008), available at https://www.eeoc.gov/laws/guidance/questions-and-answers-religious-discrimination-workplace/; accord EEOC, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws, (Dec. 16, 2020), at ¶ K6, available at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws.

[36] See, e.g., Robinson v. Children’s Hosp. Bos., No. CV 14-10263-DJC, 2016 WL 1337255, at *10 (D. Mass. Apr. 5, 2016) (finding that for Title VII purposes, healthcare worker’s requested accommodation of non‑vaccination based on religious beliefs would have imposed “undue hardship” on employer and so did not need to be granted).

[37] Likewise, employers must remain mindful that, to the extent employees exercise legally protected rights with respect to vaccination, they cannot be punished for doing so. See, e.g., EEOC, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws, (Dec. 16, 2020), at ¶ K5, available at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws (warning that, in the context of employees requesting disability accommodations related to COVID-19 vaccine mandates, “[m]anagers and supervisors are reminded that it is unlawful to disclose that an employee is receiving a reasonable accommodation or retaliate against an employee for requesting an accommodation”).

[38] Andrea Kane, “Federal government says it will pay for any future coronavirus vaccine for all Americans,” CNN (Oct. 28, 2020), available at https://www.cnn.com/2020/10/28/health/cms-medicare-covid-vaccine-treatment/index.html.

[39] Katie Connor, “Coronavirus vaccines may be free, but you could still get a bill. What we know,” CNET (Dec. 7, 2020), available at https://www.cnet.com/personal-finance/coronavirus-vaccines-may-be-free-but-you-could-still-get-a-bill-what-we-know/.

[40] See, e.g., EEOC, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws, (Dec. 16, 2020), at ¶ K1, available at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws (noting that while vaccination itself is not a “workplace medical examination,” such that it would trigger special ADA requirements, an employer’s administration of a vaccine, which would necessarily include “pre-screening questions,” likely would be such an “examination,” thus requiring the employer to show the pre-screening questions are “job-related and consistent with business necessity”); id. at K ¶¶ K2, K3 (noting that while requiring employees merely to show proof of vaccination is not a “disability-related inquiry” for ADA purposes, an employer that mandates vaccination and that administers the vaccine itself or contracts with a third party to do so must show that the administration of vaccines (and the pre-screening questions administration required), were prompted by a “direct threat to the health or safety” of the workplace); id. at K ¶¶ 8-9 (noting that to the extent employers administer vaccines directly or through contracted third parties, they may take on obligations under the Genetic Information Non-Discrimination Act (GINA)).

[41] Noah Higgins-Dunn, “Trump COVID Vaccine Chief Says Everyone in U.S. could be vaccinated by June,” CNBC (Dec. 1, 2020), available at https://www.cnbc.com/2020/12/01/trump-covid-vaccine-chief-says-everyone-in-us-could-be-immunized-by-june.html; see also Kathleen Dooling et al., “The Advisory Committee on Immunization Practices’ Updated Interim Recommendation for Allocation of COVID-19 Vaccine — United States, December 2020,” CDC Morbidity and Mortality Weekly Report (Dec. 22, 2020), available at https://www.cdc.gov/mmwr/volumes/69/wr/mm695152e2.htm (setting out CDC guidance for allocating scare vaccine resources, and indicating which sectors might have priority in allocation).

[42] 29 U.S.C. § 157.

[43] See, e.g., Board Opinion, NLRB Case No. 12-CA-196002, Argos USA LLC d/b/a Argos Ready Mix, LLC and Construction and Craft Workers Local Union No. 1652, Laborers’ International Union of North America, AFL‒CIO, Cases 12–CA–196002 and 12–CA–203177 (Feb. 5, 2020), at 4, available at https://apps.nlrb.gov/link/document.aspx/09031d4582f8f960 (finding, in the context of cellphone-while-driving rules, that workplace rules that “ensure the safety of [workers] and the general public” do not interfere with the exercise of Section 7 rights).

[44] See, e.g., OSHA Standard 1910.1030 App A – Hepatitis B Vaccine Declination (requiring workers who opt out of the bloodborne pathogen vaccine to attest that they understand the medical risks of declining a vaccine should they decide to do so).

[45] See, e.g., Richardson v. Island Harvest, Ltd., 166 A.D.3d 827, 828-29 (N.Y. App. Div. 2018) (reasoning that employers and employees are in unequal bargaining positions, and that therefore prospective liability waivers for negligent employer conduct would be held unenforceable).

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the lawyer with whom you usually work in the firm’s Labor and Employment practice group, or the authors:

Jessica Brown – Denver (+1 303-298-5944, [email protected])
Lauren Elliot – New York (+1 212-351-3848, [email protected])
Daniel E. Rauch – Denver (+1 303-298-5734 , [email protected])

Please also feel free to contact the following practice group leaders:

Labor and Employment Group:
Catherine A. Conway – Co-Chair, Los Angeles (+1 213-229-7822, [email protected])
Jason C. Schwartz – Co-Chair, Washington, D.C. (+1 202-955-8242, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

The books are now closed on another decade of False Claims Act (FCA) enforcement, and what a decade it was. During the last ten years, the government recovered nearly $38 billion dollars under the FCA from companies that do business with the federal government. This ten-year total is more than double the amount recovered in the prior decade (2000 to 2009), and there are no signs of relief in sight.

This past year, as in preceding years, the government continued to rely on the FCA to combat alleged fraud and corruption by companies doing business with the government, and the Department of Justice (DOJ) obtained more than $3 billion in recoveries. This figure marks a slight uptick from 2018 and remains relatively consistent with recent recovery trends. The pipeline of new cases—which will drive recoveries in future years—also remains full. More than 780 new FCA matters were initiated in 2019, marking the tenth year in a row in which over 700 new FCA cases were filed.

In other news, while this year has seen no major legislative developments at the federal level, states continue to enact or amend false claims statutes that will enable states to receive a higher percentage share of any recoveries under such laws. Meanwhile, the courts continued to develop a body of law beneath the statutory text. During the last year, there were a number of noteworthy circuit court decisions that concern the scope of the statute’s reach in relation to government programs, materiality, causation, and even DOJ’s authority to seek dismissal of qui tam suits pursued by whistleblowers, among other important topics.

We address these and other developments in greater depth below. We first focus on enforcement activity during the fiscal year ending on September 30, 2019 and recent, noteworthy FCA settlements. Next, we turn to legislative and policy updates at the federal and state levels. Finally, we analyze significant case law developments.

As always, Gibson Dunn’s recent publications on the FCA may be found on our website, including industry-specific articles, webcasts, presentations, and practical guidance to help companies avoid or limit liability under the FCA. And, of course, we would be happy to discuss these developments—and their implications for your business—with you.

I. FCA ENFORCEMENT ACTIVITY

A. Total Recovery Amounts: 2019 Recoveries Exceed $3 Billion

The federal government recovered more than $3 billion during fiscal year 2019.[1] This amount is a slight increase from last year ($2.9 billion), and marks the eleventh straight year that total FCA recoveries have been $2.45 billion or more.[2] With the exception of 2012, 2014, and 2016, when DOJ hit high-water marks of $5 to $6 billion (driven in part by mortgage-related settlements resulting from the 2008 financial crisis), the modern era of FCA enforcement appears to have settled into a remarkable rhythm: every year, the federal government recovers somewhere in the neighborhood of $3 billion dollars using the FCA.

There are no signs of these staggering recovery amounts abating, and this trend has held regardless of the administration. Although the Trump Administration had overseen a slight downtick in the annual recoveries during each of the prior two years, this year’s recoveries reversed the trend with an increase from last year.

These recoveries, while very high in their own right, do not even include all of the recoveries attributable to false claims activity, because the DOJ figures represent only federal recoveries, not state recoveries. Yet, in FCA cases there is very often a state component to any settlement or judgment, especially in health care cases where there is a nexus with state Medicaid programs. Indeed, DOJ touted in its press release announcing these figures that “in many of these cases the department was instrumental in recovering additional millions of dollars for state Medicaid programs.”[3]

B. Qui Tam Activity

The total number of FCA cases filed each year remains remarkably high, too. This year, there were 782 new FCA cases. Of those, 146 (or 19%) were initiated by the government, while the other 636 (or 81%) were initiated by qui tam whistleblowers.[4] This is consistent with past years, as demonstrated in the chart below.

Number of FCA New Matters, Including Qui Tam Actions

Source: DOJ “Fraud Statistics – Overview” (Jan. 9, 2020)

Qui tam suits (particularly those in which the government decides to intervene) also continue to drive the bulk of the recovery amounts. This year, more than $2.2 billion of the total $3 billion in settlements and judgments resulted from lawsuits originally filed under the FCA’s qui tam provisions.[5]

Notably, the federal government recovered $1.9 billion (63% of the total amount of recoveries) in qui tam cases where the government intervened, and $844 million (28% of total recoveries) in non-qui tam cases (i.e., cases initiated by the government, not a whistleblower). This also means the government recovered $293 million (10% of the total) in cases where DOJ declined to intervene in a qui tam, the third highest total in declined cases during the last 20 years. This is also a significant increase from last year, when recoveries in declined cases were $135 million, and signifies the ongoing threat of FCA cases even if a company can convince the government to stand down in the first instance.[6]

Settlements or Judgments in Cases Where the Government Declined Intervention as a Percentage of Total FCA Recoveries

Source: DOJ “Fraud Statistics – Overview” (Jan. 9, 2020)

C. Industry Breakdown

Once again, the vast majority of the federal government’s FCA recoveries came from the health care industry. This year, $2.6 billion (more than 85%) of the $3 billion in recoveries came from the health care sector, including providers, pharmaceutical companies, and medical device manufacturers. Recoveries from the defense industry accounted for another approximately $250 million.[7]

FCA Recoveries by Industry

Source: DOJ “Fraud Statistics – Overview” (Jan. 9, 2020)

Enforcement efforts in the health care industry are notable for both their breadth and depth, targeting a wide variety of companies under a wide variety of theories. As in past years, however, a large number of the FCA settlements with health care companies were premised on alleged kickbacks, including violations of the Anti-Kickback Statute (AKS) and Stark Law. This year, in particular, DOJ also continued its strong focus on companies involved with the opioid crisis, including both opioid manufacturers and companies that provided services to opioid manufacturers.[8]

Stemming from these theories and enforcement priorities, settlements with health care companies included both relatively small settlements with small businesses (e.g., a health clinic) as well as blockbuster settlements with large companies. But this latter category—big settlements with big companies—once again drove the high dollar volumes. As summarized below (and in our 2019 Mid-Year False Claims Act Update), some of the biggest settlements of 2019 included settlements of $500 million and $195 million from opioid manufacturers; and settlements of $124 million and $122 million by pharmaceutical companies in connection with charitable foundations. There were also 505 new health care FCA cases initiated in the last year,[9] making it all but certain that health care will remain the leading source of FCA recoveries in years to come.

Outside of the health care space, the theories of liability and types of companies that DOJ targeted were more disparate. Among the most notable and novel theories this year included $162 million in settlements premised on a hybrid antitrust-FCA theory (a theory we discussed in our recent webcast on antitrust enforcement in the government procurement space). In that case, in particular, South Korean companies allegedly drove up fuel prices charged to the United State military through concerted anticompetitive conduct, as we covered in our 2019 Mid-Year False Claims Act Update.[10] In another novel case, DOJ and a coalition of state attorneys general secured the first-ever FCA settlement premised on cybersecurity vulnerabilities, after a technology company failed to report or remedy flaws in the security surveillance system it sold to multiple states and the federal government. There was also an array of more traditional procurement and government contracting settlements, as discussed below.

II. NOTEWORTHY DOJ ENFORCEMENT ACTIVITY DURING THE SECOND HALF OF 2019

We summarize below some of the notable FCA settlements announced since July 2019 (we covered notable settlements and judgments from the first half of 2019 in our 2019 Mid-Year False Claims Act Update). These summaries reveal details of some of the most notable settlements and provide insight into the theories of liability and industries that have been a focus of government (and relator) enforcement efforts during the last year.

A. Health Care and Life Science Industries

On July 11, an international consumer goods conglomerate agreed to pay the federal government $1.4 billion to resolve potential criminal and civil liability related to the marketing of an opioid addiction treatment drug. The resolution is the largest recovery by the United States related to opioid drugs, and includes forfeiture of proceeds totaling $647 million, civil settlements with the federal government and the states totaling $700 million, and an administrative resolution with the FTC for $50 million. DOJ alleged that the consumer goods conglomerate directly, or through its subsidiary pharmaceutical company, knowingly (1) promoted the sale and use of the drug to physicians who were writing prescriptions for unsafe and medically unnecessary uses; (2) promoted the sale or use of the drug to physicians and state Medicaid agencies with false claims that the drug was less susceptible to diversion, abuse, and accidental pediatric exposure than alternative drugs; and (3) took measures to delay the entry of generic competitor drugs in an attempt to control pricing of the drug.[11]
On July 24, a Pennsylvania-based addiction treatment hospital agreed to pay almost $2.9 million to settle allegations that it violated the FCA by submitting bills to Medicare, Medicaid, and the Federal Employees Health Benefits Program for detoxification treatment services on behalf of patients who did not meet the qualifying medical criteria or lacked documentation to support their claims. The hospital also entered into a Corporate Integrity Agreement. The whistleblower will receive over $500,000 for his share of the recovery.[12]
On August 8, a California-based medical group and one of its physicians agreed to pay more than $5 million to resolve allegations that they reported invalid diagnoses to Medicare Advantage plans and in doing so caused the plans to receive inflated payments from Medicare and increased their own share of payments received from the Medicare Advantage Organizations. The whistleblower, a former employee of the medical group, will receive approximately $850,000 as his share of the federal recovery.[13]
On August 29, a provider of overseas health care services for the federal government agreed to pay $940,000 to resolve allegations that it overcharged TRICARE, the federal health care program for military members and their families, for aeromedical evacuation services. DOJ alleged that the company concealed discounts it received from air ambulance providers that it was required to pass along to TRICARE, resulting in inflated invoices. The whistleblower will receive $165,000 as his share of the recovery.[14]
On September 4, a pharmaceutical company agreed to pay $15.4 million to settle allegations that it paid illegal kickbacks under the FCA and AKS by providing meals and entertainment to health care providers allegedly to induce them to prescribe the company’s drug. The whistleblowers will receive approximately $2.9 million as their share of the settlement. The government is continuing to pursue other FCA claims against the pharmaceutical company related to allegations that the company paid illegal kickbacks in the form of co-pay subsidies.[15]
On September 18, a compounding pharmacy, two of its executives, and a private equity firm agreed to a $21.4 million settlement in total to resolve allegations that they violated the FCA through their involvement in an alleged kickback scheme to induce referrals of prescriptions that were reimbursed by TRICARE. DOJ alleged that the compounding pharmacy (1) paid kickbacks to outside “marketers” that paid telemedicine doctors to prescribe military members and their families compounded creams and vitamins that were formulated to ensure the highest reimbursement from TRICARE; (2) regularly paid patient copayments without verifying patients’ financial needs and disguised the source of the payments as a sham charitable organization; and (3) continued to seek reimbursement for prescriptions despite receiving complaints from patients that prescriptions were being written without patient consent or a valid relationship between the patient and prescriber. DOJ alleged that the private equity firm that managed the pharmacy agreed to and financed the plan to pay kickbacks to outside marketers to help generate prescriptions.[16]
On September 25, a national provider of mobile health diagnostic services agreed to pay $8.5 million to settle allegations that it engaged in a kickback scheme with skilled nursing facilities. DOJ alleged that the diagnostic services company provided x-rays to nursing facilities at prices below fair market value in an effort to induce the facilities to refer federal health care business to the company. The settlement was announced months after the company filed for bankruptcy earlier this year. The two whistleblowers will receive a total of more than $2 million as their share of the federal recovery.[17]
On September 26, a California-based pharmaceutical company was charged for allegedly paying kickbacks to a health care provider to prescribe the company’s drug to beneficiaries of federal health care programs. The company agreed to pay more than $108 million in criminal penalties, forfeiture, and civil damages. Of the total settlement, the pharmaceutical company agreed to pay over $95 million to resolve FCA allegations. DOJ alleged that the pharmaceutical company paid kickbacks in the form of money, honoraria, travel, and meals to health care providers of elderly patients at long-term care facilities to induce them to prescribe the company’s drug for behaviors associated with dementia patients, which is not an approved use of the drug. Three whistleblowers will share more than $17.7 million from the civil settlement. Additionally, the pharmaceutical company will pay approximately $7 million to resolve state Medicaid claims and has agreed to cooperate with indictments against four individuals alleged to be involved in the alleged kickback scheme. The company also entered into a Corporate Integrity Agreement.[18]
On October 4, a California-based medical group, its former CEO, and several physicians paid the United States and California nearly $6.7 million to settle allegations that they billed for medically unnecessary eye exams, improperly waived Medicare co-payments, and violated other regulations. The settlement resolves claims that personnel improperly billed Medicare and Medicaid/Medi-Cal by misclassifying simpler exams as being more complex, and also waived Medicare co-payments and deductibles without proper documentation of patients’ financial hardship in an effort to receive referrals.[19]
On October 9, a genetic testing company and its three principals agreed to pay $42.6 million in total to settle claims that they violated the FCA by paying kickbacks to physicians in exchange for laboratory referrals and for providing and billing medically unnecessary tests. The company and its principals allegedly paid the kickbacks to induce orders of pharmacogenetic tests, in return for the physicians’ participation in a clinical trial. The federal government also alleged that the company and its principals furnished tests that were not medically necessary and billed Medicare. The company also agreed to a 25-year exclusion period from participation in federal health care programs.[20]
On October 9, an operator of kidney dialysis clinics agreed to pay $5.2 million to settle claims that the company tested dialysis patients for Hepatitis B more than medically necessary and then billed Medicare for those tests. The government alleged that the company conducted, and billed Medicare for, tests of patients it knew to be immune to Hepatitis B infection. The whistleblower will receive 27.5% of the federal government’s recovery.[21]
On October 18, seven clinics and their owners agreed to pay the federal government more than $7.1 million to settle allegations that they violated the FCA by submitting false claims to Medicare for medically unnecessary viscosupplementation injections and knee braces. The settling clinics and related parties also entered into a Corporate Integrity Agreement with the Department of Health and Human Services Office of Inspector General that requires implementation of compliance controls and annual claims review. The whistleblower will receive $857,550 of the settlement amount.[22]
On November 7, the U.S. Attorney for the Southern District of New York announced a civil settlement in which a medical device company and two executives agreed to pay nearly $6 million in total to settle the federal government’s FCA claims that they violated the AKS by paying surgeons to use and promote their products, resulting in false claims for payment from Medicare and Medicaid. The settlement resolves allegations that the company and the executives recruited doctors and paid them millions in consulting fees, royalties, and intellectual property purchase fees to induce them to use the company’s products. The government had intervened in a private qui tam lawsuit.[23]
On October 28, several South Dakota-based hospital entities agreed to pay $20.25 million to settle FCA allegations that they submitted false claims to federal health care programs resulting from violations of the AKS and medically unnecessary spinal surgeries. The settlement resolves allegations that the hospital entities received repeated warnings that one of its top neurosurgeons was improperly receiving kickbacks from his use of implantable devices distributed by his physician-owned distributorship and was performing medically unnecessary procedures. The United States alleged that, despite these warnings, the companies continued to employ the physician, allowed him to profit from use of his device, and continued to submit claims for medically unnecessary procedures. The whistleblowers will receive $3.4 million from the federal government.[24]
On November 7, a pharmaceutical company agreed to pay $20.5 million to settle allegations concerning the establishment of false and inflated Average Wholesale Prices (AWPs) for active pharmaceutical ingredients used in compound prescriptions. The settlement resolves claims that the company knowingly inflated the AWPs for its ingredients to increase the reimbursement that its pharmacy customers received from federal health care programs for using the company’s ingredients to prepare and fill specially-made compound prescriptions. The company allegedly promoted its high AWPs and profit potential as an inducement to pharmacies to purchase its ingredients. The settlement also resolved other allegations against other related entities. The whistleblowers will receive $3.7 million from the federal government.[25]
On November 8, a hospital company and its affiliate agreed to pay $12.3 million to settle claims that it violated the FCA by submitting false claims to Medicare for procedures only partially performed or supervised by attending surgeons. The settlement resolves allegations that the hospital billed for endoscopic and robotic procedures that were insufficiently supervised by medical residents instead of the attending physician, and that it administered unnecessary and improperly documented treatments. The alleged scheme centered on the practice of the former chairman of the urology department conducting a high-revenue robotic operation in one operating room while unsupervised residents were performing surgeries on patients in the other room.[26]
On November 15, several hospitals agreed to pay the federal government $46 million to resolve allegations arising from claims they submitted to Medicare. The settlement resolves allegations that one hospital violated the Stark Law by billing Medicare for services referred by an affiliated physician group, to whom it allegedly paid amounts under a series of compensation agreements that exceeded the fair market value for the services provided. The United States also alleged that the physician group submitted duplicative bills to Medicare for services performed by physicians’ assistants it was leasing to the hospital. The hospital also agreed to settle claims related to other self-disclosed conduct. The whistleblower will receive $5.9 million as her share of the federal government’s recovery.[27]
On November 20, a hospital pharmacy agreed to pay $10 million to the federal government to settle claims that it violated the FCA by submitting false claims to Medicare for prescription drugs that did not meet Medicare coverage requirements. The settlement also resolves allegations that the company submitted claims to Medicare that resulted from improper remuneration provided to Medicare beneficiaries in the form of free blood glucose testing supplies and waiver of co-payments and deductibles for insulin, in violation of the AKS. The whistleblower will receive $1.9 million from the United States.[28]
On November 26, a Massachusetts-based laboratory company agreed to pay $26.7 million to settle allegations that it violated the AKS and the Stark Law, as well as allegations that it improperly billed claims to the federal government for laboratory testing. The settlement resolves claims that the laboratory agreed to provide laboratory testing for small Texas hospitals in exchange for per-test payments. To generate more referrals for the hospitals and more money for itself, the company allegedly conspired with the hospitals’ independent marketers to make payments to referring physicians that were disguised as investment returns, but were actually based on, and offered in exchange for, the physicians’ referrals. These physicians allegedly referred patients to the Texas hospitals for laboratory testing performed by the company, which were then billed to Medicare, Medicaid, and TRICARE. The whistleblowers will receive approximately $4.4 million of the settlement.[29]

B. Government Contracting

On July 16, a producer of electrical connectors agreed to pay $11 million to settle allegations that it violated the FCA by supplying connectors to the U.S. military that did not comply with testing protocols. DOJ alleged that the company did not conduct required periodic testing on six models of electrical connectors from 2008 to 2017. The whistleblower will receive $2.1 million from the federal government.[30]
On July 31, a manufacturer of security camera software agreed to pay $8.6 million to settle multistate litigation alleging that the company violated the FCA and state whistleblower acts because it allegedly knowingly failed to report or remedy flaws in the security surveillance system it sold to multiple states and the federal government that made the system vulnerable to hackers. The settlement provided refunds to the federal government and sixteen states that had purchased the allegedly defective software.[31]
On August 5, a New York-based construction company admitted to underpaying its workers on two federally funded construction projects and submitting payroll records to the federal government that falsely described the nature of the employees’ work. The construction company agreed to pay $435,000 to resolve lawsuits alleging civil fraud and FCA violations.[32]
On August 8, a company that provides medical supplies to the Departments of Defense and Veterans Affairs agreed to pay $3.3 million to settle FCA allegations that it manufactured products in China and Malaysia, knowing that these countries did not comply with the Trade Agreements Act’s requirement that all products sold to government agencies come from countries with which the United States has a trade agreement.[33]
On August 19, a Georgia-based producer of prefabricated modular structures agreed to pay $2.4 million to settle allegations that it violated the FCA by allegedly selling products to the Army, Department of Veterans Affairs, and General Services Administration that did not comply with electrical and structural standards. As part of the settlement agreement, the company also agreed to repair all allegedly deficient products previously supplied to the federal government.[34]
On August 20, the majority owner and former CEO of a Virginia-based defense contractor agreed to pay $20 million to resolve allegations that it violated the FCA by fraudulently procuring federal contracts reserved for small businesses. DOJ alleged that, based on misrepresentations made by the former CEO, the company was awarded multiple small business set-aside contracts for which it was ineligible. DOJ previously resolved claims against the defense contractor and its former general counsel related to the alleged scheme, resulting in combined settlements totaling more than $36 million, making it the largest FCA recovery related to allegations of small business contracting fraud.[35]
On August 20, an international airline headquartered in Texas agreed to pay approximately $22.1 million to resolve allegations under the FCA that the airline falsely reported the times at which it delivered United States mail to foreign postal administrations or other intended mail recipients allegedly to conceal its noncompliance with contractual obligations to the United States Postal Service.[36]
On November 13, a development corporation agreed to pay $2.8 million and give up $16 million in potential administrative claims to settle allegations that the company fraudulently induced the Army to award the company a contract for renovation of a shipyard by falsely representing that it would perform the contract when, in fact, its Israeli parent company intended to do so, and for presenting false claims to the United States certifying that it was performing the work as the prime contractor when in fact the work was being performed by its parent company.[37]

III. LEGISLATIVE AND POLICY DEVELOPMENTS

A. Federal Developments

The second half of the year remained quiet on the legislative front, and 2019 passed without any major federal legislative developments pertaining to the FCA. But we did identify some noteworthy developments on topics that we detailed in our 2019 Mid-Year False Claims Act Update.

1. Attention on Application of the Granston Memo

Section 3730(c)(2)(A) of the FCA provides the government with authority to seek to dismiss declined qui tam cases, stating that “the Government may dismiss the action notwithstanding the objections of the person initiating the action if [1] the person has been notified by the Government of the filing of the motion and [2] the court has provided the person with an opportunity for a hearing on the motion.”

DOJ continued its more active exercise of discretion to seek dismissals pursuant to Section 3730(c)(2)(A) in 2019, guided by the Granston Memo DOJ released in January 2018, which is codified in DOJ’s Justice Manual,[38] and which we discussed most recently in this year’s Mid-Year Update. As we have explained, the Granston Memo set forth a non-exhaustive list of factors for DOJ to consider when determining whether to move to dismiss a qui tam relator’s case under Section 3730(c)(2)(A), including whether dismissal would serve the government’s interests.[39]

In the wake of the Granston Memo, lower courts have faced an increasing number of government requests to dismiss qui tam cases pursuant to the government’s authority under Section 3730(c)(2)(A). Courts have been split on the proper legal standard to apply to such requests, a question that the FCA’s text does not directly address.

Some lower courts have followed the Ninth Circuit’s Sequoia test, also adopted by the Tenth Circuit, under which the government may only dismiss if: (1) it identifies a valid government purpose; (2) a rational relation exits between the dismissal and accomplishment of that purpose; and (3) dismissal is not fraudulent, arbitrary and capricious, or illegal. United States ex rel. Sequoia Orange Co. v. Baird-Neece Packing Corp., 151 F.3d 1139, 1145 (9th Cir. 1998). Other courts have followed the D.C. Circuit’s more government-friendly test under which the government has “an unfettered” right to dismiss such that dismissals are “unreviewable” (with a possible exception for “fraud on the court”). Swift v. United States, 318 F.3d 250, 252-53 (D.C. Cir. 2003).

In a decision exploring this issue, the Third Circuit held last year that “the dismissal provisions in the FCA . . . do not guarantee an automatic in-person hearing in every instance,” notwithstanding the requirement that a court provide the “opportunity for a hearing.” United States ex rel. Chang v. Children’s Advocacy Ctr. of Del., 938 F.3d 384, 387-88 (3d Cir. 2019). There, the district court granted the government’s request to dismiss after the government asserted that it had declined the case because the relator’s allegations were “factually incorrect and legally insufficient.” Id. at 386. Although the relator opposed the request, he did not specifically request a hearing and was not provided one.

On appeal, the Third Circuit concluded that “an in-person hearing is unnecessary unless the relator expressly requests a hearing or makes a colorable threshold showing of arbitrary government action.” Id. at 388. The court also affirmed the dismissal, but—despite requests from the parties—declined to “take a side in this circuit split” regarding the proper standard to apply to the government’s dismissal requests under Section 3730(c)(2)(A). Instead, the Third Circuit concluded that the government’s request passed muster under “even the more restrictive standard” requiring a “rational relation” between dismissal and accomplishment of a valid purpose. Id. at 387.

The Third Circuit’s decision reaffirms that the government’s dismissal power under Section 3730(c)(2)(A) remains a forceful tool in its arsenal, and it highlights the challenges that relators face in opposing such requests for dismissal.

Other courts also continued to grapple with the implications of the Granston Memo during the second half of 2019.

On November 5, 2019, the U.S. District Court for the Northern District of California granted the government’s motion to dismiss the qui tam relators’ FCA claims in United States ex rel. Campie v. Gilead Sciences, Inc., No. 11-cv-00941-EMC, 2019 WL 5722618 (N.D. Cal. Nov. 5, 2019). FCA defendants and practitioners have watched this case closely in hopes of discerning more about the impact of the Granston Memo. (We have covered Campie in past updates, including here and here.) The government previewed late last year in an amicus brief before the U.S. Supreme Court that if Campie were remanded to the district court, the government would move to dismiss the case under Section 3730(c)(2)(A).[40]

The government stayed true to its word. In its motion after remand, the government asserted that dismissal of the relators’ FCA claim would serve the government’s interests by (1) preventing the relators “from undermining the considered decisions of [the U.S. Food and Drug Administration (FDA)] and [Centers for Medicare and Medicaid Services (CMS)] about how to address the conduct at issue here,” and (2) avoiding “the additional expenditure of government resources on a case that it fully investigated and decided not to pursue,” especially given that FDA already had taken regulatory actions it deemed appropriate. United States ex rel. Campie, 2019 WL 5722618 at *5. The district court granted the government’s motion, applying the test for dismissal set forth in Sequoia, under which the court examines whether the government has set forth a valid reason for dismissal, as discussed above. The court observed that the government investigated the relators’ claims for more than two years after the suit was filed, and that FDA was involved with oversight of Gilead even before the relators filed the suit, so the decision to move for dismissal was not “cursory.” Id. at *5-7. The court also rejected relators’ assertion that the government lacked sufficient basis to argue for dismissal based on the cost of continued litigation; according to the district court, the ultimate question is whether the government engaged in a meaningful consideration of cost and benefit such that its decision to seek dismissal is supported by a rational basis. Id. at *7.

It is clear that the Granston Memo and the scope of DOJ’s dismissal authority will remain important topics in the coming year. Indeed, just before the district court handed down its decision in Campie, Senator Charles E. Grassley of Iowa, Chairman of the Senate Committee on Finance, wrote to Attorney General William Barr expressing concerns with DOJ’s implementation of the Granston Memo and “efforts to dismiss greater numbers of qui tam cases for reasons that appear primarily unrelated to the merits of individual cases”—this, according to Senator Grassley, “could undermine the purpose of the False Claims Act.”[41] Senator Grassley highlighted three cases in which DOJ moved to dismiss relators’ claims and cited the cost of litigation, including Campie, United States ex rel. Polansky v. Executive Health Res., Inc., No. 12-CV-4239-MMB, 2019 WL 5790061 (E.D. Pa. Aug. 20, 2019), and United States ex rel. Cimznhca, LLC v. UCB, Inc., No. 17-CV-765-SMY-MAB, 2019 WL 1598109 (S.D. Ill. April 15, 2019), the latter of which we discussed in our 2019 Mid-Year Update. The Senator also asked DOJ to answer a number of questions about DOJ’s utilization of dismissal authority, including what role the Granston Memo played in DOJ’s decision to dismiss in Campie, whether DOJ would have moved to dismiss the case absent the Memo, and what resources have been devoted to dismissing qui tam claims since the Memo.[42] DOJ responded to Senator Grassley’s letter on December 19, stating that it shares the Senator’s view on the importance of the FCA and its qui tam provisions and that, since January 1, 2018, DOJ has moved to dismiss only 45 cases under Section 3730(c)(2)(A) out of 1,170 qui tam cases filed, or less than 4%.[43] DOJ provided some additional detail regarding the cases it sought to dismiss, including the fact that ten were filed by the same for-profit private investment group advancing the same allegations, which DOJ determined lacked merit.[44] Further, DOJ stated that it has recovered more than $60 billion under the FCA since 1986, “more than 70% of which was recovered in connection with lawsuits filed pursuant to the statute’s qui tam provisions.”[45] We will be watching carefully to see how this saga unfolds.

2. Action on Opioids

As discussed above, the government has indicated that it will make fighting the opioid crisis a priority. In the press release announcing the government’s $1.4 billion settlement with an international consumer goods conglomerate, for example, the government stated that the settlement demonstrated that it “will work tirelessly to address all facets of the opioid epidemic.”[46] In December 2019, DOJ announced that it would award more than $333 million to help communities affected by the opioid crisis, adding that DOJ has made fighting opioid addiction “a national priority.”[47] This announcement came on the heels of DOJ’s statement in July that ten districts with some of the highest drug overdose death rates in the country would focus on prosecuting every “readily available” case involving synthetic opioids,[48] and HHS’s statement in September that it had released more than $1.8 billion in funding to states to combat the opioid crisis.[49] We will continue to closely watch DOJ’s approach to opioids in the coming year.

3. Additional Developments

A few other recent government announcements bear mentioning as examples of how the current administration is thinking about the scope of FCA enforcement activity.

As we described in an alert earlier this year, DOJ announced on October 28, 2019, that it signed a memorandum of understanding with Housing and Urban Development (“HUD”) that establishes guidance for the use of the FCA in actions against Federal Housing Administration (“FHA”) lenders.[50] The memorandum makes clear that FHA requirements will be enforced primarily through HUD’s administrative proceedings, absent extenuating circumstances, and it follows a series of settlements with significant recoveries related to the FHA loan program.[51]

On October 31, 2019, HHS’s Office of the General Counsel, including Deputy General Counsel and CMS Chief Legal Officer Kelly Cleary, issued a memorandum (the “Cleary Memo”) assessing the impact of the Supreme Court’s recent opinion in Azar v. Allina Health Services, 139 S. Ct. 1804 (2019) on Medicare payment rules that form the basis of compliance actions.[52] As the Cleary Memo sets forth, the Court held that “any Medicare issuance that establishes or changes a ‘substantive legal standard’ . . . must go through notice-and-comment rulemaking.”[53] HHS cautioned in the Memo that guidance that should have been promulgated through notice-and-comment rulemaking under Allina (but was not) cannot validly be used to bring an enforcement action.[54] That is, an enforcement action cannot be predicated on a guidance document unless it was issued through notice-and-comment rulemaking.[55] HHS also acknowledged, however, that under long-standing legal principles recently articulated in the Brand Memo, which we discussed in our 2018 Mid-Year and Year-End False Claims Act Updates, even guidance documents consistent with Allina may not be used as the sole basis for an enforcement action, although they may be relevant for questions of scienter and materiality.[56]

Turning briefly to address Universal Health Services, Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989 (2016), HHS stated that “the touchstone of materiality is whether the government would have paid the claims at issue had it known of a defendant’s alleged noncompliance with a law or regulation,” and that cases where a violation “may be material even if the government continued to pay with full knowledge of that violation” are “exceedingly rare” after Escobar.[57] Addressing specifically “healthcare qui tam suits” in which HHS would be the government payor in question, HHS explained that “the critical question is whether the alleged violation would have influenced our decision to pay.”[58] The Cleary Memo offers interesting insight from HHS on important FCA issues relating to materiality and the substantive standards underlying potential FCA theories.

Finally, on January 27, 2020, Deputy Associate Attorney General Stephen Cox gave a speech at the 2020 Advanced Forum on False Claims and Qui Tam Enforcement where he reviewed DOJ’s recent enforcement priorities and took a look ahead at the next year.[59] Many of the topics he addressed are covered above or in our 2019 Mid-Year Update—including opioid enforcement, the Granston Memo, reliance on subregulatory guidance, and cooperation credit. In addition to these topics, Cox also addressed the emerging issue of third-party litigation financing in qui tam actions. In class actions and other private cases, third-party financing for litigation is a common, albeit often secretive, feature of modern litigation. In his comments, Cox noted various reform efforts that are underway to address this issue, and acknowledged that third-party financing for litigation is very likely behind some qui tam suits as well. Notably, however, Cox indicated that the government often has “little insight into the extent to which they are backing the qui tam cases we are investigating, litigating, or monitoring.”[60] Given that qui tam cases are ostensibly undertaken in the government interest, this is remarkable: even the government does not know who is financing (and perhaps influencing) the direction of FCA lawsuits. Cox pledged that DOJ is “considering what, if any, interests the United States has with respect to third-party litigation financing in qui tam litigation and whether it is worth seeking some disclosure, at least to the department, of such arrangements.”[61]

B. State Developments

We detailed the HHS’s Office of Inspector General’s (HHS OIG) review and approval of state false claims statutes and other developments in state laws in our 2019 Mid-Year Update. Since then, HHS OIG also has reviewed and approved Hawaii’s false claims statute, bringing the total number of states with approved statutes to twenty-one.[62] As we explained mid-year, to receive approval, state statutes must contain provisions that are at least as effective in “rewarding and facilitating qui tam actions” as those in the federal FCA and contain civil penalties of at least an equivalent amount, among other requirements. As an incentive for implementing such requirements, states with qualifying laws can receive a 10% greater share of any damages recovered under those laws.[63] HHS OIG has yet to approve false claims statutes it has reviewed in eight states—Florida, Louisiana, Michigan, Minnesota, New Hampshire, New Jersey, New Mexico, and Wisconsin.[64]

We also reported in our 2019 Mid-Year Update on a bill passed by the California Assembly, Assembly Bill No. 1270, which would broaden the state’s false claim act considerably, including by amending the act to include consideration of “the potential effect” of an alleged false record or statement “when it is made,” and extending the act to tax-related cases where the damages pleaded exceed $200,000 and a defendant’s state-taxable income or sales exceed $500,000. The California Senate has amended the bill slightly to clarify that it would not apply retroactively to tax-related cases where the alleged false statement or record occurred before January 1, 2020, and the bill currently remains pending in the state senate.[65] The South Carolina bill that we also discussed in our mid-year update, which would enact the state’s first false claims act, likewise remains stalled in the state senate’s judiciary committee, where it has been sitting since January of 2019.[66] We will continue to watch state legislation in these states and others for signs of further movement or revisions.

IV. NOTABLE CASE LAW DEVELOPMENTS

The second half of 2019 was active on the case law front, featuring a number of notable circuit court decisions touching on various aspects of the FCA, including the statute’s materiality and causation requirements, and the statute’s reach in relation to government programs.

A. Second Circuit Holds that the FCA Applies to Federal Reserve Banks

Although broad in many respects, the FCA is cabined by its purpose of protecting the government fisc, and thus the statute expressly does not apply to efforts to defraud private entities who are not administering or using government funds. Under 31 U.S.C. § 3729(b)(2)(A), fraudulent “claims” are thus actionable when they are presented either (1) to an “officer, employee, or agent” of the United States, or (2) to a private “contractor, grantee, or other recipient” so long as a portion of the money is (a) “provided” or “reimburse[d]” by the United States and (b) used to advance its “interest[s].”

In United States v. Wells Fargo & Co., the Second Circuit grappled with this dividing line between public and private, holding that the FCA reaches allegedly fraudulent claims relating to emergency loans made by the twelve Federal Reserve Banks (FRBs). 943 F.3d 588 (2d Cir. 2019). There, relators pursued FCA claims based on allegations that certain banks had misrepresented their financial condition to the FRBs to qualify for emergency loans at favorable interest rates for which they were not, in fact, qualified. The district court concluded that the allegedly fraudulent loan requests were not “claims” within the meaning of the FCA because FRBs were not government “agents” and because the United States did not provide the money involved in the FRB emergency loan program. Id. at 594.

The Second Circuit reversed, holding that the FCA reaches claims to FRBs because they are “governmental instrumentalities operating under direct supervision of a government agency where the disbursement itself is part of a government program and where the money is created ex nihilo pursuant to congressional authority.” Id. at 605. The court held that FRBs act as “agents” of the United States in the context of emergency loans at issue because they “extend emergency loans pursuant to a statutory delegation from Congress” and are supervised by a government agency, the Federal Reserve Board, which “exercises substantial control over FRB emergency lending activities.” Id. at 599-600. The court reached its conclusion even though FRBs are not part of any executive department or agency, but instead are corporations with private banks as nominal shareholders, and even though that FRB loans are delivered in the form of credit to the borrowing bank, not lent out of treasury funds. As the Second Circuit explained, the “United States is the source of the purchasing power conferred on the banks when they borrow from the Fed’s emergency lending facilities.” Id. at 603.

Although the Second Circuit emphasized that its holding that the FCA applied was limited to “the narrow context” of claims involving FRBs with respect to “the Fed’s emergency lending facilities,” the decision may nevertheless encourage future arguments in other contexts that a broader swath of entities are “governmental instrumentalities” that fall within the statute’s scope. Id. at 605-06.

B. Eleventh Circuit Rejects FCA Liability Based on Reasonable Differences in Opinion

In United States v. AseraCare, Inc., the Eleventh Circuit held that claims cannot be “deemed false” under the FCA based solely on “a reasonable difference of opinion among physicians” as to a medical provider’s clinical judgment. 938 F.3d 1278, 1281 (11th Cir. 2019). There, the government relied on a false certification theory that claims for treatment for hospice patients were based on the provider’s representation of the patients as “terminally ill” when, according to expert physician witness testimony as to a sample subset of patients, they were, in fact, not. Id. at 1284-85. The district court vacated a jury finding in the government’s favor and entered summary judgment against it, concluding that the mere difference of opinion between physicians (the government’s expert and the provider) could not establish “falsity” as a matter of law. Id. at 1285-86.

On appeal, the Eleventh Circuit agreed, holding that when a certification to the government—including that a patient is terminally ill—is based on a physician’s clinical judgment, it cannot be “false,” and therefore is not actionable, unless the underlying clinical judgment reflects an “objective falsehood.” Id. at 1296-97. Concluding that a “mere difference of reasonable opinion” among medical providers alone does not constitute an “objective falsehood,” the court explained that plaintiffs instead “must identify facts and circumstances surrounding the patient’s certification that are inconsistent with the proper exercise of a physician’s clinical judgment. Where no such facts or circumstances are shown, the FCA claim fails as a matter of law.” Id. at 1297.

Although the Eleventh Circuit’s ruling reversed a grant of summary judgment for defendants, the opinion nonetheless articulated a standard for proving the specific alleged false claims at trial: “crucially, on remand the Government must be able to link this evidence of improper certification practices to the specific . . . claims at issue in its case. Such linkage is necessary to demonstrate both falsehood and knowledge.” Id. at 1305.

In reaching its conclusion regarding falsity, the AseraCare court considered but declined to follow decisions by both the Tenth and Sixth Circuits. Id. at 1300 n.15 (citing United States ex rel. Polukoff v. St. Mark’s Hospital, 895 F.3d 730 (10th Cir. 2018); and United States v. Paulus, 894 F.3d 267 (6th Cir. 2018)). The government had argued, unsuccessfully, that these cases established that a mere difference of medical opinion can be sufficient to show that a statement is false for FCA liability. Id. Whether AseraCare creates a circuit split of sorts on this issue will become clearer as other circuits consider it, as the AseraCare court sought expressly to distinguish Paulus and Palukoff on the grounds that the clinical standards at issue in the former case were capable of objective factual evaluation and the opinions at issue in the latter may not have been reasonable or even genuinely-held.

Although nominally a win for the government, the Eleventh Circuit’s AseraCare decision undoubtedly will reverberate in health care fraud cases of many types, given that the treating physician’s clinical judgment is the linchpin for reimbursement in many different federal health program settings. Under AseraCare, the government will have to show more than mere differences in medical opinions to prove falsity; and, the case likely will require more rigor in the use of statistical sampling to support evidence of false claims, insofar as the government will be required to establish a specific link between the government’s evidence and the particular false claims at issue.

C. Courts Continue to Interpret the FCA’s Materiality Requirement Post-Escobar

In 2019, as in past years, lower courts continued to develop the growing body of jurisprudence regarding materiality and government knowledge under the FCA in the wake of the Supreme Court’s decision in Escobar, 136 S. Ct. 1989, the landmark decision on the implied certification theory of liability. Consistent with the Supreme Court’s directive in Escobar, circuit courts continued to examine whether FCA plaintiffs have adequately alleged facts to satisfy the rigorous and demanding materiality standard at the pleadings stage, with mixed outcomes.

In Godecke v. Kinetic Concepts, Inc., the Ninth Circuit addressed materiality allegations in an FCA claim predicated on the theory that the defendants allegedly submitted claims for Medicare payment without disclosing that no written order had been received before delivery, in violation of regulatory requirements. 937 F.3d 1201 (9th Cir. 2019). As to materiality, the complaint alleged that Medicare would not have paid for the claims had it been aware of the lack of prior written orders, because that requirement was part of relevant government reimbursement rules (i.e., an express “condition of payment”). Further, according to the complaint, the requirement was not just some “paperwork issue” but instead was the result of “extensive negotiations” between the defendant and Medicare “in order to prevent fraud and abuse.” Id. at 1213. The Ninth Circuit held that these allegations indicated that noncompliance with the requirement was not “minor or insubstantial” and thus were sufficient to establish materiality (even though the allegations did not address how Medicare “has treated similar violations”). Id. at 1213-14.

In contrast, in United States ex rel. Patel v. Catholic Health Initiatives, the Fifth Circuit, in a per curiam opinion, affirmed dismissal of an FCA complaint because the alleged false claim—failure to report a change in ownership of a hospital—was not “material.” No. 18-20395, 2019 WL 6208665, at *4 (5th Cir. Nov. 20, 2019). The case involved an ownership dispute over a hospital that had originally been structured with individual doctors as partners. The hospital system then purchased or terminated their shares and then allegedly received reimbursements through an entity designated as the owner even after a court determined that, due to the partnership dispute, that entity was not really the owner. Invoking Escobar, the court held that the relator failed to adequately allege materiality. Despite the allegations as to misrepresentation of the ownership of the hospital, there was no evidence that the government “consistently refuses to pay claims” with incorrect statements regarding ownership, and the fact that the government had paid the claims at issue suggested that the government did not care who the rightful owner of the hospital was. Id. (citation omitted).

Although FCA defendants have had some success in recent years disputing materiality, cases like Patel reaffirm that challenges to allegations of materiality remain a strong potential basis for dismissal at the pleading stage.

D. Courts Continue to Analyze Rule 9(b)’s Particularity Requirement in FCA Claims

Rule 9(b) heightens the standard for pleading fraud claims, requiring that a party alleging fraud “must state with particularity the circumstances constituting fraud or mistake.” As we have noted in past updates, circuit courts have struggled with how to apply Rule 9(b)’s particularity requirement in FCA cases. This year was no exception, as is clear from two recent cases arising in the context of the Stark Act and AKS.

In United States ex rel. Bookwalter v. UPMC, the Third Circuit reversed a lower court’s decision dismissing an FCA case that involved claims predicated on productivity-based physician compensation structures. No. 18-1693, 946 F.3d 162, 166-67, 178 (3d Cir. 2019). The relator alleged that the compensation structures between physician practices and neurosurgeons resulted in improper bill-padding. The Third Circuit concluded that the relators had plausibly alleged the conduct at issue violated the Stark Law and, therefore, the claims were “false” for purposes of the FCA. Id. at 169-70. The court also explored the limits of Rule 9(b)’s heightened pleading standard, holding that the relators did not have to allege “the date, time, place, or content of every single allegedly false Medicare claim” involved in the allegedly unlawful compensation scheme. Id. at 176. Rather, the court determined that since the alleged “falsity” came not from a particular misrepresentation, but from a set of circumstances of alleged bill-padding that made a whole set of claims allegedly false, it was enough to allege the circumstances of that scheme with particularity. Id. The court focused on “[t]he sum total of the[] allegations,” which it concluded told a “detailed story about how the defendants designed a system to reward surgeons for creating and submitting false claims.” Id. at 177. This, the court reasoned, was “particular enough” to achieve Rule 9(b)’s goals of precision, substantiation of the fraud allegation, and notice to the defendant of the misconduct with which it is charged. Id. at 176-77.

In Bingham v. HCA, Inc., the Eleventh Circuit similarly explored the intersection between Rule 9(b) and FCA cases predicated on violations of the AKS and the Stark Law, but reached the opposite conclusion. 783 F. App’x 868, 870 (11th Cir. 2019). There, the relator’s FCA theory relied on his allegations the defendants allegedly provided “sweetheart deals to certain physicians who leased space in [its] medical office buildings . . . in exchange for patient referrals,” which constituted unlawful remuneration in violation of the AKS and Stark Law. Id. at 870-71. The court held, however, that the complaint was properly dismissed by the district court because it did not satisfy the heightened pleading requirements of Rule 9(b). Id. at 877. Specifically, the critical elements of the alleged kickback scheme relied entirely on “conclusory” allegations that were “based on information and belief,” and were “devoid of facts regarding the substance of [the] alleged misconduct,” including “when it occurred, and who engaged in it.” Id.

E. Fifth Circuit Clarifies Causation Standard for Mortgage Fraud Claims Under the FCA

Until recently, federal circuit courts were divided as to the standard for demonstrating proximate causation in FCA cases predicated on claims involving mortgage fraud. While the Fifth Circuit had articulated a rigorous causation standard widely viewed as difficult to meet, other circuits, including the Ninth and D.C. Circuits, employed a much more relaxed standard under which a false statement was deemed a proximate cause of the loss if the statement concerned factors that affected the likelihood of repayment, such as a borrower’s creditworthiness.

In United States v. Hodge, however, the Fifth Circuit clarified its standard, electing to step back from the “restrictive” causation standard that its prior precedent had been read to articulate, and expressly brought its standard into alignment with the more relaxed requirements imposed by other circuits. 933 F.3d 468, 474-75 (5th Cir. 2019), as revised (Aug. 9, 2019).

In Hodge, the Fifth Circuit affirmed a nearly $300 million treble damages judgment against two mortgage companies and their owner for allegedly fraudulently obtaining FHA insurance for loans that later defaulted. Id. at 472. After a five-week trial, a jury found that the defendants had misrepresented compliance with FHA underwriting guidelines and had concealed the use of unregistered branches to originate loans. Id.

On appeal, the Fifth Circuit rejected a challenge to the sufficiency of the evidence, holding that the government had shown scienter, materiality, and causation. Id. at 473-75. Specifically, evidence the defendants had continued to originate loans from unregistered branches after being notified by HUD that it was unlawful demonstrated scienter. Id. at 473. As to materiality, the court relied on the fact that HUD demanded indemnification from defendants after discovering a handful of loans were originated from unregistered branches, and later barred them from the FHA program entirely. Id. at 474. As to causation, the court held that the government’s evidence—which relied on sampling of loan files and extrapolation showing that loans from unregistered branches had higher default rates—was sufficient to show causation between the alleged misconduct and ultimate defaults (leading to alleged damages) even though it did not connect the alleged misconduct to specific loans. Id. at 475. The court concluded that “[e]ven if the defendants did not know which specific loans would eventually default, it was foreseeable that a higher percentage of them would,” which sufficiently demonstrated causation under the FCA. Id.

The decision, which allows the government to show causation at a higher level of generality using sampling, may encourage DOJ and relators to pursue similar theories in FCA claims with large numbers of alleged misstatements.

F. Several Circuits Address Causation and Other Issues in FCA Retaliation Claims

In the second half of 2019, several courts of appeals also addressed issues under the FCA’s anti-retaliation provision, which protects would-be whistleblowers from retaliation based on certain protected activity undertaken in furtherance of a potential FCA claim. We briefly summarize these decisions below.

In a matter of first impression for FCA retaliation claims before the Tenth Circuit, the court joined several other circuits in holding that when there is no direct evidence of retaliation, the McDonnell Douglas framework applies to FCA retaliation claims. Miller v. Inst. for Def. Analyses, No. 19-1110, 2019 WL 6997900, at *4 (10th Cir. Dec. 20, 2019) (citing McDonnell Douglas Corp. v. Green, 411 U.S. 792 (1973)). Under this three-step framework, “a plaintiff first must set forth a prima facie case of retaliation,” second, “the burden then shifts to the defendant to articulate a legitimate, nonretaliatory reason for the adverse employment action,” and then third, “if the employer produces evidence of a legitimate nonretaliatory reason, the plaintiff must assume the further burden of showing that the proffered reason is a pretext calculated to mask retaliation.” Id. at *4-5 (citations omitted). The Tenth Circuit affirmed a grant of summary judgment in the defendant’s favor, holding that although, at the first step, a short “temporal proximity between [a plaintiff’s] protected conduct and the adverse action” alone can be “relied on to prove causation,” the nearly five-month gap the plaintiff identified was insufficient. Id. at *5-6.

The Fifth Circuit, in a pair of decisions, likewise addressed the proper standard for analyzing causation in FCA retaliation claims under the McDonnell Douglas framework. In Garcia v. Professional Contract Services, the Fifth Circuit similarly ruled that in the first step of McDonnell Douglas, “a plaintiff can meet his burden of causation simply by showing close enough timing between his protected activity and his adverse employment action,” but that at the third step (the pretext stage), a “heightened but-for causation requirement applies.” 938 F.3d 236, 243 (5th Cir. 2019). Applying this framework to a retaliation claim brought by an employee with some responsibilities for ensuring “the company was complying with its contracts with the government,” the court reversed a grant of summary judgment in the defendants’ favor at the third step, holding that the plaintiff had pointed to enough evidence of pretext—including the temporal proximity between the alleged protected activity and termination of less than three months, as well as other factors, such as disparate treatment of a similarly situated employee—to survive summary judgment. Id. at 238, 244.

In Musser v. Paul Quinn College, however, the Fifth Circuit affirmed a grant of summary judgment for the defendant at the third step in a claim brought by an independent contractor “tasked with providing financial and accounting services” as an interim controller to defendant, where the plaintiff’s alleged evidence of retaliation did not include “other significant evidence of pretext” apart from temporal proximity, and thus fell “short of the . . . evidence described in Garcia.” 944 F.3d 557, 559-64 (5th Cir. 2019).

Finally, a split of the D.C. Circuit held that the plaintiff-veterinarian’s termination, allegedly in retaliation for complaints about the defendant’s violations of conditions of federal funding in animal research, could support an FCA retaliation claim even where the plaintiff’s warnings “did not accuse the [defendant] of fraud in terms.” Singletary v. Howard Univ., 939 F.3d 287, 297-98 (D.C. Cir. 2019). The majority held that despite the lack of direct accusations of fraud, the plaintiff had alleged a reasonable belief of an FCA violation because she alleged that the university was required to make annual certifications of compliance, and that her complaints “coincided” with the annual reporting period. Id. According to the dissent, however, because the defendant was never warned “about possible fraud,” the university had no reason to think the plaintiff was reporting in an effort to stop fraud. Id. at 307. The dissent further held that the claim was not viable because mere violations of contract or regulation do not equate to fraud unless they are material to a false claim for money, under Escobar—a topic the majority declined to address. Id.

V. CONCLUSION

As always, Gibson Dunn will continue to monitor these developments and others in the FCA space and stands ready to answer any questions you may have. We will report back to you on the latest news mid-year, in early July.

______________________

[1] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Justice Department Recovers over $3 Billion from False Claims Act Cases in Fiscal Year 2019 (Jan. 9, 2020), https://www.justice.gov/opa/pr/justice-department-recovers-over-3-billion-false-claims-act-cases-fiscal-year-2019 [hereinafter DOJ FY 2019 Recoveries Press Release].

[2] See U.S. Dep’t of Justice, Fraud Statistics Overview (Jan. 9, 2020), https://www.justice.gov/opa/press-release/file/1233201/download [hereinafter DOJ FY 2019 Stats].

[3] DOJ FY 2019 Recoveries Press Release.

[4] See DOJ FY 2019 Stats.

[5] Id.

[6] Id.

[7] Id.

[8] DOJ FY 2019 Recoveries Press Release.

[9] See DOJ FY 2019 Stats.

[10] DOJ FY 2019 Recoveries Press Release.

[11] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Justice Department Obtains $1.4 Billion from Reckitt Benckiser Group in Largest Recovery in a Case Concerning an Opioid Drug in United States History (Jul. 11, 2019), https://www.justice.gov/opa/pr/justice-department-obtains-14-billion-reckitt-benckiser-group-largest-recovery-case.

[12] See Press Release, U.S. Atty’s Office for the E. Dist. of Pa., Eagleville Hospital Pays $2.85 Million to Resolve Allegations of Improper Billing for Detox Treatment (Jul. 24, 2019), https://www.justice.gov/usao-edpa/pr/eagleville-hospital-pays-285-million-resolve-allegations-improper-billing-detox.

[13] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Medicare Advantage Provider and Physician to Pay $5 Million to Settle False Claims Act Allegations (Aug. 8, 2019), https://www.justice.gov/opa/pr/medicare-advantage-provider-and-physician-pay-5-million-settle-false-claims-act-allegations.

[14] See Press Release, U.S. Atty’s Office for the E. Dist. of Pa., Defense Contractor to Pay $940,000 to Resolve Allegations of Withholding Discounts from TRICARE (Aug. 29, 2019), https://www.justice.gov/usao-edpa/pr/defense-contractor-pay-940000-resolve-allegations-withholding-discounts-tricare.

[15] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Drug Maker Mallinckrodt Agrees to Pay Over $15 Million to Resolve Alleged False Claims Act Liability for “Wining and Dining” Doctors (Sept. 4, 2019), https://www.justice.gov/opa/pr/drug-maker-mallinckrodt-agrees-pay-over-15-million-resolve-alleged-false-claims-act-liability.

[16] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Compounding Pharmacy, Two of Its Executives, and Private Equity Firm Agree to Pay $21.36 Million to Resolve False Claims Act Allegations (Sept. 18, 2019), https://www.justice.gov/opa/pr/compounding-pharmacy-two-its-executives-and-private-equity-firm-agree-pay-2136-million.

[17] See Press Release, U.S. Atty’s Office for the E. Dist. of Pa., Trident USA Health Services LLC to Pay $8.5 Million to Resolve False Claims Act Liability for Alleged Kickback Scheme (Sept. 25, 2019), https://www.justice.gov/usao-edpa/pr/trident-usa-health-services-llc-pay-85-million-resolve-false-claims-act-liability.

[18] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Pharmaceutical Company Targeting Elderly Victims Admits to Paying Kickbacks, Resolves Related False Claims Act Violations (Sept. 26, 2019), https://www.justice.gov/opa/pr/pharmaceutical-company-targeting-elderly-victims-admits-paying-kickbacks-resolves-related.

[19] See Press Release, U.S. Atty’s Office for the C. Dist. of Cal., Eye Doctor Group, Physicians Pay $6.65 Million to Settle Allegations They Submitted Fraudulent Bills to Medicare and Medicaid (Oct. 4, 2019), https://www.justice.gov/usao-cdca/pr/eye-doctor-group-physicians-pay-665-million-settle-allegations-they-submitted.

[20] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Genetic Testing Company and Three Principals Agree to Pay $42.6 Million to Resolve Kickback and Medical Necessity Claims (Oct. 9, 2019), https://www.justice.gov/opa/pr/genetic-testing-company-and-three-principals-agree-pay-426-million-resolve-kickback-and.

[21] See Press Release, U.S. Atty’s Office for the Dist. of Mass., Fresenius Agrees to Pay $5.2 Million to Resolve Allegations that it Overbilled Medicare for Hepatitis B Tests (Oct. 9, 2019), https://www.justice.gov/usao-ma/pr/fresenius-agrees-pay-52-million-resolve-allegations-it-overbilled-medicare-hepatitis-b.

[22] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Former Osteo Relief Institutes and Their Owners to Pay Over $7.1 Million to Resolve Allegations of Unnecessary Knee Injections and Braces (Oct. 18, 2019), https://www.justice.gov/opa/pr/former-osteo-relief-institutes-and-their-owners-pay-over-71-million-resolve-allegations.

[23] See Press Release, U.S. Atty’s Office for the S. Dist. of N.Y., Manhattan U.S. Attorney Announces Settlement Of Lawsuit Against Spinal Implant Company, Its CEO, And Another Executive For Paying Millions Of Dollars In Kickbacks To Surgeons (Nov. 7, 2019), https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-settlement-lawsuit-against-spinal-implant-company-its.

[24] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Sanford Health Entities to Pay $20.25 Million to Settle False Claims Act Allegations Regarding Kickbacks and Unnecessary Spinal Surgeries (Oct. 28, 2019), https://www.justice.gov/opa/pr/sanford-health-entities-pay-2025-million-settle-false-claims-act-allegations-regarding.

[25] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Compound Ingredient Supplier Fagron Holding USA LLC to Pay $22.05 Million to Resolve Allegations of False and Inflated Average Wholesale Prices for Ingredients Used in Compound Prescriptions (Nov. 7, 2019), https://www.justice.gov/opa/pr/compound-ingredient-supplier-fagron-holding-usa-llc-pay-2205-million-resolve-allegations.

[26] See Stipulation and Order of Settlement, U.S. ex rel. Markelson v. Lenox Hill Hospital et al., No. 1:17-cv-07986 (S.D.N.Y. Nov. 8, 2019)

[27] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, California Health System and Surgical Group Agree to Settle Claims Arising from Improper Compensation Agreements (Nov. 15, 2019), https://www.justice.gov/opa/pr/california-health-system-and-surgical-group-agree-settle-claims-arising-improper-compensation.

[28] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Kentucky Hospital to Pay over $10 Million to Resolve False Claims Act Allegations (Nov. 20, 2019), https://www.justice.gov/opa/pr/kentucky-hospital-pay-over-10-million-resolve-false-claims-act-allegations.

[29] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Laboratory to Pay $26.67 Million to Settle False Claim Act Allegations of Illegal Inducements to Referring Physicians (Nov. 26, 2019), https://www.justice.gov/opa/pr/laboratory-pay-2667-million-settle-false-claims-act-allegations-illegal-inducements-referring.

[30] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, ITT Cannon to Pay $11 Million to Settle False Claims Allegations for Untested Electrical Connectors (Jul. 16, 2019), https://www.justice.gov/opa/pr/itt-cannon-pay-11-million-settle-false-claims-allegations-untested-electrical-connectors.

[31] See Press Release, NY State Office of the Attorney General, Attorney General James Secures $6 Million From Cisco Systems In Multistate Settlement (Aug. 1, 2019), https://ag.ny.gov/press-release/2019/attorney-general-james-secures-6-million-cisco-systems-multistate-settlement; Mark Chandler, Executive Platform: A Changed Environment Requires a Changed Approach, Cisco Blogs (Jul. 31, 2019), https://blogs.cisco.com/news/a-changed-environment-requires-a-changed-approach.

[32] See Press Release, U.S. Atty’s Office for the S. Dist. of NY, Manhattan U.S. Attorney Announces Settlement With Construction Company For Underpaying Workers And Submitting False Payroll Reports On Two Federally Funded Projects (Aug. 5, 2019), https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-settlement-construction-company-underpaying-workers-and.

[33] See Press Release, U.S. Atty’s Office for the E. Dist. of PA, Defense Contractor to Pay $3.3M to Resolve False Claims Act Allegations (Aug. 8, 2019), https://www.justice.gov/usao-edpa/pr/defense-contractor-pay-33m-resolve-false-claims-act-allegations.

[34] See Press Release, U.S. Atty’s Office for the S. Dist. of GA, Government Settles Alleged False Claims Act Violations with Sesolinc Group (Aug. 19, 2019), https://www.justice.gov/usao-sdga/pr/government-settles-alleged-false-claims-act-violations-sesolinc-group.

[35] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Former CEO of Virginia-Based Defense Contractor Agrees to Pay $20 Million to Settle False Claims Act Allegations Related to Fraudulent Procurement of Small Business Contracts (Aug. 20, 2019), https://www.justice.gov/opa/pr/former-ceo-virginia-based-defense-contractor-agrees-pay-20-million-settle-false-claims-act.

[36] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, American Airlines Inc. Agrees To Pay $22 Million to Settle False Claims Act Allegations for Falsely Reporting Delivery Times of U.S. Mail Transported Internationally (Aug. 20, 2019), https://www.justice.gov/opa/pr/american-airlines-inc-agrees-pay-22-million-settle-false-claims-act-allegations-falsely.

[37] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, ABS Development Corporation Agrees to Pay $2.8 Million to Settle False Claims Act Allegations and to Waive Administrative Claims (Nov. 13, 2019), https://www.justice.gov/opa/pr/abs-development-corporation-agrees-pay-28-million-settle-false-claims-act-allegations-and.

[38] U.S. Dep’t of Justice, Justice Manual, Section 4-4.111.

[39] See Memorandum, U.S. Dep’t of Justice, Factors for Evaluating Dismissal Pursuant to 31 U.S.C. 3730(c)(2)(A) (Jan. 10, 2018), https://assets.documentcloud.org/documents/4358602/Memo-for- Evaluating-Dismissal-Pursuant-to-31-U-S.pdf.

[40] Brief for the United States as Amicus Curiae at 15, Gilead Sciences, Inc. v. United States ex rel. Campie, 139 S. Ct. 783 (2019).

[41] Letter from Sen. Charles E. Grassley to Att’y Gen. William Barr at 1 (Sept. 4, 2019), https://www.grassley.senate.gov/sites/default/files/documents/2019-09-04%20CEG%20to%20DOJ%20%28FCA%20dismissals%29.pdf.

[42] Id. at 5-6.

[43] Letter from Assistant Att’y Gen. Stephen E. Boyd, Office of Legis. Affairs, U.S. Dep’t of Justice, to Sen. Charles E. Grassley at 1 (Dec. 19, 2019), https://www.grassley.senate.gov/sites/default/files/2019-12-19%20DOJ%20to%20CEG%20%28FCA%20dismissals%29.pdf.

[44] Id. at 2.

[45] Id. at 1.

[46] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Justice Department Obtains $1.4 Billion from Reckitt Benckiser Group in Largest Recovery in a Case Concerning an Opioid Drug in United States History (Jul. 11, 2019), https://www.justice.gov/opa/pr/justice-department-obtains-14-billion-reckitt-benckiser-group-largest-recovery-case.

[47] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Justice Department Awards More than $333 Million to Fight Opioid Crisis (Dec. 13, 2019), https://www.justice.gov/opa/pr/justice-department-awards-more-333-million-fight-opioid-crisis.

[48] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Justice Department Announces Results in Fight Against the Opioid Crisis At One Year Mark of Operation S.O.S. (July 16, 2019), https://www.justice.gov/opa/pr/justice-department-announces-results-fight-against-opioid-crisis-one-year-mark-operation-sos.

[49] See Press Release, U.S. Dep’t of Health & Human Servs., Trump Administration Announces $1.8 Billion in Funding to States to Continue Combating Opioid Crisis (Sept. 4, 2019), https://www.hhs.gov/about/news/2019/09/04/trump-administration-announces-1-8-billion-funding-states-combating-opioid.html.

[50] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Departments of Justice and Housing and Urban Development Sign Interagency Memorandum on the Application of the False Claims Act (Oct. 28, 2019), https://www.justice.gov/opa/pr/departments-justice-and-housing-and-urban-development-sign-interagency-memorandum-application.

[51] See, e.g., U.S. Dep’t of Justice, Recent Accomplishments of the Housing and Civil Enforcement Section (January 7, 2020), https://www.justice.gov/crt/recent-accomplishments-housing-and-civil-enforcement-section.

[52] See Memorandum, Dep’t of Health & Human Servs., Dep. Gen. Counsel & CMS Chief Legal Officer Kelly M. Cleary & Dep. Gen. Counsel Brenna E. Jenny, Impact of Allina on Medicare Payment Rules (Oct. 31, 2019).

[53] Id.

[54] Id.

[55] Id.

[56] Id.

[57] Id.

[58] Id.

[59] See Press Release, Office of Pub. Affairs, Deputy Associate Attorney General Stephen Cox Provides Keynote Remarks at the 2020 Advanced Forum on False Claims and Qui Tam Enforcement (Jan. 27, 2020), https://www.justice.gov/opa/speech/deputy-associate-attorney-general-stephen-cox-provides-keynote-remarks-2020-advanced.

[60] Id.

[61] Id.

[62] Dep’t of Health & Human Servs., Office of Inspector Gen., State False Claims Act Reviews, https://oig.hhs.gov/fraud/state-false-claims-act-reviews/index.asp.

[63] Id.

[64] Id.

[65] AB-1270 False Claims Act, California Legislative Information (Aug. 13, 2019), https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB1270, https://leginfo.legislature.ca.gov/faces/billStatusClient.xhtml?bill_id=201920200AB1270.

[66] See S. 40, A Bill to Amend Title 15 of the 1976 Code, by Adding Chapter 85, to Enact the “South Carolina False Claims Act” (123d Session), https://www.scstatehouse.gov/sess123_2019-2020/bills/40.htm.

The following Gibson Dunn lawyers assisted in preparing this client update: Stuart Delery, Jim Zelenay, John Partridge, Jon Phillips, Joseph Warin, Joseph West, Robert Blume, Ryan Bergsieker, Karen Manos, Charles Stevens, Winston Chan, Andrew Tulumello, Benjamin Wagner, Alexander Southwell, Reed Brodsky, Robert Walters, Monica Loseman, Geoffrey Sigler, Sean Twomey, Reid Rector, Alli Chapin, Jeremy Ochsenbein, Meghan Dunn, Jennifer Bracht, and Julie Hamilton.

Gibson Dunn’s lawyers have handled hundreds of FCA investigations and have a long track record of litigation success. From U.S. Supreme Court victories, to appellate court wins, to complete success in district courts around the United States, Gibson Dunn believes it is the premier firm in FCA defense. Among other notable recent victories, Gibson Dunn successfully overturned one of the largest FCA judgments in history in United States ex rel. Harman v. Trinity Indus. Inc., 872 F.3d 645 (5th Cir. 2017), and the Daily Journal recognized Gibson Dunn’s work in U.S. ex rel. Winter v. Gardens Regional Hospital and Medical Center Inc. as a Top Defense Verdict in its annual feature on the top verdicts for 2017. Our win rate and immersion in FCA issues gives us the ability to frame strategies to quickly dispose of FCA cases. The firm has dozens of attorneys with substantive FCA experience, including nearly 30 Assistant U.S. Attorneys and DOJ attorneys. For more information, please feel free to contact the Gibson Dunn attorney with whom you work or the following attorneys.

Washington, D.C.
F. Joseph Warin (+1 202-887-3609, [email protected])
Stuart F. Delery (+1 202-887-3650, [email protected])
Joseph D. West (+1 202-955-8658, [email protected])
Andrew S. Tulumello (+1 202-955-8657, [email protected])
Karen L. Manos (+1 202-955-8536, [email protected])
Jonathan M. Phillips (+1 202-887-3546, [email protected])
Geoffrey M. Sigler (+1 202-887-3752, [email protected])

New York
Zainab N. Ahmad (+1 212-351-2609, [email protected])
Matthew L. Biben (+1 212-351-6300, [email protected])
Reed Brodsky (+1 212-351-5334, [email protected])
Alexander H. Southwell (+1 212-351-3981, [email protected])

Denver
Robert C. Blume (+1 303-298-5758, [email protected])
Monica K. Loseman (+1 303-298-5784, [email protected])
John D.W. Partridge (+1 303-298-5931, [email protected])
Ryan T. Bergsieker (+1 303-298-5774, [email protected])

Dallas
Robert C. Walters (+1 214-698-3114, [email protected])

Los Angeles
Timothy J. Hatch (+1 213-229-7368, [email protected])
James L. Zelenay Jr. (+1 213-229-7449, [email protected])
Deborah L. Stein (+1 213-229-7164, [email protected])

Palo Alto
Benjamin Wagner (+1 650-849-5395, [email protected])

San Francisco
Charles J. Stevens (+1 415-393-8391, [email protected])
Winston Y. Chan (+1 415-393-8362, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

At 11 pm GMT, the United Kingdom left the European Union.

What has changed?

The UK will immediately enter into a transition period which is scheduled to last until December 31, 2020 to provide time for a new relationship between the UK and the EU to be agreed.

During the transition it may seem as if nothing has changed. The UK will remain in the EU Customs Union and Single Market and will continue to apply and be bound by all EU laws. This will include EU laws on free movement of goods, services and capital, competition laws, sanctions laws, worker’s rights, environmental protections, etc.

British and EU citizens will continue to benefit from free movement during the transition period. Companies established in the UK will continue to be able freely to sell their goods and services throughout the EU.

The principal changes to the Withdrawal Agreement negotiated by Prime Minister Johnson related to the positon of Northern Ireland, with Northern Ireland becoming in effect a special economic zone from the end of the transition period with largely unrestricted access to both the EU and UK markets. In practice, this will require some form of customs controls between Northern Ireland and the rest of the UK but the extent of the checks to be required is unclear. It has been agreed that there will be no checks on the land border between the Republic of Ireland and Northern Ireland.

The main immediate impacts of tonight’s withdrawal are that the UK’s ministers will no longer participate in the Council of the EU, it gives up its European Commissioners and there will no longer be any UK members of the European Parliament or UK representatives in any other EU institution. The UK will no longer influence EU law, regulation or policy.

And, critically, negotiations now begin on the future relationship. As the Irish Taoiseach Leo Varadkar said recently, “Brexit is not yet done, it is only half time”.[1]

The key issues for negotiation

Alongside the Withdrawal Agreement, the UK and EU agreed a revised Political Declaration setting out the basis of their future relationship. It explicitly states that it established “…the parameters of an ambitious, broad, deep and flexible partnership …with a comprehensive and balanced free trade agreement at its core…”. The UK and the EU will each publish their negotiating mandates for the new relationship prior to the commencement of negotiations which are expected to begin after February 25, 2020 and it remains to be seen how closely those mandates reflect that ambition.

The fundamental issue for negotiation will be the EU’s desire for a regulatory level playing field, particularly in relation to labour, environmental and state aid rules. The UK has made clear its requirement to diverge from EU standards while the EU is saying it wants the UK to maintain “dynamic alignment” with the EU whereby the UK must achieve similar outcomes to EU rules as they evolve in the future.

At one level the fact that the UK and EU are currently aligned on trading rules is helpful. But the negotiation over how far the UK can diverge from EU rules and the price it may pay for doing so by way of diminished access to EU markets, combined with the EU’s fear that the UK will become a lightly regulated competitor, will be highly controversial. The UK Government has said that it will not seek divergence for the sake of it but that some businesses will be winners and some losers in the new post Brexit world.

Access for coastal EU States to UK fishing waters will also be a highly charged political issue for both sides notwithstanding its relatively small economic importance. Financial services will inevitably be a significant issue given its economic importance to the UK and the extent to which EU businesses will need to have continued access to London’s financial capability.

Residency rights for EU citizens in the UK and vice-versa, and the extent of any role for the Court of Justice of the EU in adjudicating on the arrangements will also be contentious.

Time line to the next cliff edge

The terms of the Withdrawal Agreement allow the UK-EU Joint Committee to extend the transition period by up to two years but requires any extension to be agreed before July 1, 2020. Ursula von der Leyen, President of the European Commission, has suggested the negotiations will need to take place in stages, with the transition period being used to prioritise key EU issues such as trade in goods and fisheries. But – for now – Prime Minister Johnson has ruled out this approach and has formally legislated against any extension to the transition period which he can only reverse through new legislation. The new cliff edge is therefore December 31, 2020.

It is clear, not least from the three extensions of the original Article 50 deadline, that both sides want to avoid a “no deal scenario”. If however there is no deal by the end of the transition period, the Withdrawal Agreement will still be in place. This means the UK would still be committed to the financial settlement and Northern Ireland trade would be covered by the protocol. However, from that point, UK-EU trade will be on World Trade Organization terms, there would be no deal on financial services and the UK would have to rely on previous international conventions to which the EU States are party for issues such as co-operation in matters relating to security.

The domestic mood

Prime Minister Johnson’s victory in the December General Election gave him a substantial majority in the UK Parliament which has enabled him to press forward with Brexit. While it is likely there will be a number of demonstrations from both sides of the debate, the UK Government is only planning a modest acknowledgement of Brexit today.

Indeed, the UK Government appears to be focusing on domestic issues. There is much emphasis on regional infrastructure projects including the possibility of a new high speed rail line to be built initially from London to Birmingham and then on to link key northern English cities. There has long been talk of the “Northern Powerhouse”, an initiative to boost investment in the north of England, and the Government recently provided support to a failing regional airline as a further indication of its willingness to intervene to protect domestic commercial interests.

____________________

[1] See also the European Commission paper “Questions and Answers on the United Kingdom’s withdrawal from the European Union on 31 January 2020” (January 24, 2020).

This client alert was prepared by Charlie Geffen, Patrick Doris and Anne MacPherson in London.

We have a working group in London (led by Patrick Doris, Charlie Geffen, Ali Nikpay and Selina Sagayam) addressing Brexit related issues. Please feel free to contact any member of the working group or any of the other lawyers mentioned below.

Ali Nikpay – Antitrust [email protected] Tel: 020 7071 4273	Charlie Geffen – Corporate [email protected] Tel: 020 7071 4225	Sandy Bhogal – Tax [email protected] Tel: 020 7071 4266
Philip Rocher – Litigation [email protected] Tel: 020 7071 4202	Jeffrey M. Trinklein – Tax [email protected] Tel: 020 7071 4224	Patrick Doris – Litigation; Data Protection [email protected] Tel: 020 7071 4276
Alan Samson – Real Estate [email protected] Tel: 020 7071 4222	Penny Madden QC – Arbitration [email protected] Tel: 020 7071 4226	Selina Sagayam – Corporate [email protected] Tel: 020 7071 4263
Thomas M. Budd – Finance [email protected] Tel: 020 7071 4234	James A. Cox – Employment; Data Protection [email protected] Tel: 020 7071 4250	Gregory A. Campbell – Restructuring [email protected] Tel: 020 7071 4236

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

This update provides an overview and summary of key class action developments during the fourth quarter of 2019 (October through December).

Part I discusses the Second Circuit’s decision in Jock v. Sterling Jewelers Inc., 942 F.3d 617 (2d Cir. 2019), affirming the power of an arbitrator to bind absent class members.

Part II addresses several important appellate decisions reversing class certification orders or affirming the denial of certification that could help defendants opposing class certification in other cases.

Part III reviews further developments on the issue of Article III standing in class actions after Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).

_____________________

Part I: The Second Circuit Rejects Challenge to Class Arbitration, and Holds That an Arbitrator Has the Power to Bind Absent Class Members

The Supreme Court made clear in Lamps Plus, Inc. v. Varela, 139 S. Ct. 1407 (2019), and Stolt-Nielsen S.A. v. AnimalFeeds International Corp., 559 U.S. 662 (2010), that class arbitration so fundamentally changes the nature of dispute resolution that the parties must expressly agree to it. (Gibson Dunn’s analyses of those cases can be found here and here.) Against that backdrop, the Second Circuit recently issued an important ruling about the terms that indicate an express agreement to class arbitration.

In Jock v. Sterling Jewelers Inc., 942 F.3d 617 (2d Cir. 2019), current and former female employees of a jewelry maker filed a demand for class arbitration, asserting various claims on the theory that they were paid less than their male counterparts. The arbitrator certified a mandatory, non-opt-out class of approximately 44,000 women, despite the fact only 254 plaintiffs had chosen affirmatively to participate in the arbitration proceedings. Id. at 621.

At the defendant’s urging, the district court vacated the arbitrator’s class certification order because the arbitration agreement did not expressly authorize the arbitrator to certify a class that included members who had not opted in to arbitration. Id. at 622. The agreement provided that “questions of arbitrability” and “procedural questions” “shall be decided by the arbitrator,” and that claims arising under the agreement would be arbitrated “in accordance with the National Rules for the Resolution of Employment Disputes of the American Arbitration Association [(‘AAA’)].” Id. at 620, 624.

The Second Circuit reversed for two reasons. Id. at 623–24. First, the agreement incorporated the AAA Rules, which provide that “the arbitrator shall determine as a threshold matter . . . whether the applicable arbitration clause permits the arbitration to proceed on behalf of . . . a class.” Id. at 623 (alterations in original). Second, in a holding with potentially broader application, the court ruled that the arbitrator had authority to decide “the availability of class procedures” in light of her express authority under the agreement to decide “questions of arbitrability” and “procedural questions.” Id. at 624. The court left open on remand the question of whether the arbitrator had exceeded her authority by certifying a mandatory class, as opposed to an opt-out class. Id. at 626.

Jock is particularly significant in light of the Supreme Court’s repeated emphasis that class arbitration is unusual. Few other appellate cases have addressed, much less endorsed, the use of class arbitration. The Second Circuit’s word may not be final, though, as Sterling Jewelers plans to seek review from the Supreme Court.

Part II: Appellate Courts Issue Several Important Decisions Rejecting Class Certification

During the last quarter of 2019, the Eleventh, Eighth, and Third Circuits issued several rulings reversing or vacating class certification. In one case, individualized questions regarding whether absent class members had standing led to a remand for a district court to reassess whether those issues predominated over any common issues. In another, a state consumer protection law was rejected as the basis for a nationwide class alleging injury arising from out-of-state transactions. And in the third, individual issues were found to predominate in an employment dispute where class members would have to prove if and when they had performed unpaid work. Defendants may be able to leverage these important decisions in opposing class certification in similar cases.

In Cordoba v. DIRECTV, LLC, 942 F.3d 1259 (11th Cir. 2019), the Eleventh Circuit vacated the certification of a class where “a large portion” of it “d[id] not have standing” and “individualized questions” about which members had standing “may predominate over common issues susceptible to class-wide proof.” Id. at 1275, 1277.

The named plaintiff had alleged that DIRECTV and a telemarketing contractor, Telecel, violated Federal Communications Commission regulations promulgated under the Telephone Consumer Protection Act by failing to maintain an internal do-not-call list. Id. at 1266. The named plaintiff alleged that he had received eighteen calls even though his phone number appeared on the National Do Not Call Registry and he had specifically requested that Telecel stop calling him. Id. The district court certified a Rule 23(b)(3) class defined as “all individuals who received more than one telemarketing call from Telecel” during the period that Telecel failed to maintain an internal do-not-call-list. Id.

On appeal, the defendants argued that absent class members who never requested that Telecel stop calling them necessarily lacked Article III standing because they had not suffered an injury-in-fact that was fairly traceable to the defendants’ conduct. Id. at 1268. The Eleventh Circuit concluded that “the receipt of more than one unwanted phone call is enough to establish injury in fact” because “a phone call intrudes upon the seclusion of the home, fully occupies the recipient’s device for a period of time, and demands the recipient’s immediate attention.” Id. at 1269–70. As to traceability, however, the court agreed that absent class members who did not request that Telecel stop calling them could not trace their injury to Telecel’s alleged misconduct, because they would have received unsolicited calls even if Telecel had maintained an internal do-not-call list. Id. at 1271–72.

The Eleventh Circuit then vacated the certification order and remanded so that the district court could determine in the first instance whether individualized standing questions would predominate, precluding certification under Rule 23(b)(3). Id. at 1277. Although the Eleventh Circuit agreed that the class’s claims were justiciable—because the named plaintiff had standing—the court held that district courts must consider whether and how to certify a class “[i]f many or most of the putative class members could not show that they suffered an injury fairly traceable to the defendant’s misconduct.” Id. at 1273 (emphasis omitted).

In Hale v. Emerson Electric Co., 942 F.3d 401 (8th Cir. 2019), the Eighth Circuit reversed a district court’s order certifying a nationwide class of vacuum purchasers and applying Missouri’s consumer-protection laws to all of their claims. The Eighth Circuit explained that because “every part of the challenged transaction”—including the purchase and alleged failure of the product to perform as advertised—“took place in a class member’s home state,” the consumer-protection laws of their home states would apply. Id. at 403–04. The Eighth Circuit also remanded so that the district court could apply Missouri’s choice-of-law rules to the class members’ non-consumer-protection claims in the first instance. Id. at 404.

The Third Circuit also reversed a class certification order in Ferreras v. American Airlines, Inc., 946 F.3d 178 (3d Cir. 2019). There, the district court had certified multiple subclasses of employees who sued their employer under New Jersey’s employment laws. In reversing, the Third Circuit noted, among other things, that the purported “common questions” that the district court had identified—“whether hourly-paid American employees at Newark airport are not being compensated for all hours worked, and . . . whether American has a policy that discourages employees from seeking exceptions for work done outside of their shifts”—could not “generate common answers” amenable to class-wide treatment, since each plaintiff would still have to prove when they were working. Id. at 185–86.

Significantly, the Third Circuit distinguished the Supreme Court’s decision in Tyson Foods, Inc. v. Bouaphakeo, 136 S. Ct. 1036 (2016), which held that “representative evidence” could in some circumstances be a “permissible means of establishing the employees’ hours worked in a class action.” Id. at 1046–47. The Third Circuit held that such evidence could not be used because, unlike the employees in Tyson Foods, American’s employees did not all perform the same unpaid activity, and thus representative evidence would not be used solely to determine the amount of time they spent performing the activity. Ferreras, 946 F.3d at 186–87.

Part III: Appellate Courts Issue a Range of Rulings Dealing with Non-Traditional “Injuries”

The federal courts of appeals continue to grapple with Article III standing after the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), as we have discussed in prior updates. This past quarter, courts attempted to apply Spokeo in situations involving non-traditional purported injuries. The decisions suggest that whether courts will find standing in a given case is likely to be highly dependent on the particular claims and factual allegations at issue.

In Nayab v. Capital One Bank (USA), N.A., 942 F.3d 480 (9th Cir. 2019), the Ninth Circuit held that a plaintiff has Article III standing when a third party obtains his or her credit report for a purpose not authorized by the Fair Credit Reporting Act (FCRA). Id. at 487. Citing existing precedent as well as historical practice, the court concluded that because the FCRA “protect[s] the consumer’s privacy interest” in his or her credit report, obtaining a credit report for an unauthorized purpose “violates a substantive provision of the FCRA.” Id. at 490. The court therefore held that a plaintiff “has standing to vindicate her right to privacy under the FCRA when a third-party obtains her credit report without a purpose authorized by statute, regardless of whether the credit report is published or otherwise used by that third-party.” Id. at 493.

The Eleventh Circuit likewise found standing under the Food, Drug, and Cosmetic Act (FDCA) and the Dietary Supplement Health and Education Act (DSHEA) in Debernardis v. IQ Formulations, LLC, 942 F.3d 1076 (11th Cir. 2019). The plaintiffs alleged they suffered economic loss when they purchased dietary supplements that the FDCA and DSHEA banned from sale. Id. at 1080. The district court dismissed their claims, stating that “even if the supplements could not legally be sold, the plaintiffs received the benefit of their bargain because there was no allegation that the supplements failed to perform as advertised, that the supplements caused any adverse health effects, or that the plaintiffs paid a premium for the supplements.” Id. at 1083. The Eleventh Circuit reversed. Id. at 1089. It concluded that because the supplements had been deemed unsafe under the FDCA and DSHEA, the plaintiffs plausibly alleged that they received a product that had no value. Id. at 1085. The plaintiffs thus had standing under “the well-established benefit-of-the-bargain theory of contract damages, which recognizes that some defects so fundamentally affect the intended use of a product as to render it valueless.” Id. The court cautioned, however, that its decision was “limited to the specific facts alleged in this case.” Id. at 1088. And in a concurring opinion, Judge Sutton (sitting by designation) suggested that the plaintiffs’ injuries were on “the razor’s edge of Article III jurisdiction.” Id. at 1089.

By contrast, the Seventh Circuit declined to find Article III standing in a different “benefit-of-the-bargain” case brought under the FDCA. The plaintiffs in Benson v. Fannie May Confections Brands, Inc., 944 F.3d 639 (7th Cir. 2019) alleged that they were deceived by boxes of chocolate that contained roughly 33%-40% “slack-fill” or empty space, which supposedly caused consumers to believe that the boxes contained more chocolate than they actually did. Id. at 644. The Seventh Circuit affirmed dismissal of the complaint, holding that plaintiffs “failed to raise a plausible theory of actual damage” because they “never said that the chocolates they received were worth less than the $9.99 they paid for them, or that they could have obtained a better price elsewhere.” Id. at 648. In addition to that “fatal” defect, the court noted that “their request for damages based on the percentage of nonfunctional slack-fill is quite vague” insofar as they failed to “explain how a percentage refund of the purchase price based on the percentage of nonfunctional slack-fill corresponds to their alleged harm.” Id.

The following Gibson Dunn lawyers prepared this client update: Christopher Chorba, Theane Evangelis, Kahn Scolnick, Bradley Hamburger, Lauren Blas, Vince Eisinger, and Madeleine McKenna.

Gibson Dunn attorneys are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Class Actions or Appellate and Constitutional Law practice groups, or any of the following lawyers:

Theodore J. Boutrous, Jr. – Co-Chair, Litigation Practice Group – Los Angeles (+1 213-229-7000, [email protected])
Christopher Chorba – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213-229-7396, [email protected])
Theane Evangelis – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213-229-7726, [email protected])
Kahn A. Scolnick – Los Angeles (+1 213-229-7656, [email protected])
Bradley J. Hamburger – Los Angeles (+1 213-229-7658, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

In its judgment of 30 January, 2020, the European Court of Justice (“ECJ”) adopted a very strict standard for the assessment of settlement agreements entered into between originator and generic pharmaceutical suppliers. The ruling, which has been welcomed by the European Commission (“EC”) and the UK Competition and Markets Authority (“CMA”), threatens to limit the ability of the settling parties to defend such settlements by relying on the strength of the underlying patents and illustrates a very sceptical attitude towards reverse-payment settlements.

Key Facts

The judgment is a preliminary ruling sought by the UK’s Competition Appeal Tribunal (“CAT”) in relation to proceedings concerning settlement agreements covering an anti-depressant pharmaceutical. The underlying disputes between the originator and the generic suppliers took place after the expiry of the patents covering the active ingredient itself but at a period where the originator still held a process patent that it contended covered the pharmaceutical product at issue.

Following what the ECJ recognised was a “genuine” patent dispute (and not simply a cover for a market sharing arrangement), the parties entered into a series of settlement agreements. The key characteristics of these agreements were that the generic company would become a limited distributor of the originator’s medicine, would receive some compensation, and would refrain from challenging the patent and entering the market with a generic drug for a certain period.

The CMA found those settlements to be an infringement of European competition rules and also found the originator’s overall conduct of the parallel settlement agreements to constitute an abuse of a dominant position.

When are Generic Suppliers Potential Competitors?

The ECJ first explains that the gating item for the application of Article 101 TFEU is if the originator and generics suppliers are potential competitors. The ECJ frames the question as being if “there are real and concrete possibilities of the [generics supplier] joining the market”. In order to determine this, the authorities/courts must look at the “structure of the market and the economic and legal context”. Market entry need not be demonstrated “with certainty” but must be more than “purely hypothetical”.

The ECJ expresses the test as being if the generics supplier “has in fact a firm intention and an inherent ability to enter the market, and that market entry does not meet barriers to entry that are insurmountable”. In relation to the former, it will be relevant to analyze the generics supplier’s actions to seek the required administrative authorisations and its ability to produce or source the generic medicine. In relation to the latter, the potential for insurmountable barriers to entry, the ECJ appears to largely dismiss the relevance of patent rights. It holds that even where the originator has obtained an injunction, which was the case here, this “in no way prejudge[s] the merits of an infringement” and therefore is not enough to demonstrate that the IP represented an insurmountable barrier to entry. Further, the ECJ refers to such patent disputes being common in pharmaceutical markets and finds that the existence of the IP dispute in fact “constitutes evidence of the existence of a potential competitive relationship” between the generics supplier and the originator.

It should be noted that the patents in the relevant case were process patents and that the active ingredient was already in the public domain. However, the judgment does not appear to make any distinction between the different types of patents.

As a result of the test set out by the ECJ, even strong patent rights may not constitute an adequate defence to a patent settlement with a reverse payment, and the test for a finding that the generics supplier is a potential competitor appears to have a very low threshold.

Does the Settlement Amount to a Restriction of Competition by Object or Effect?

The ECJ recognises that, as a result of the patent dispute, a generics supplier may decide to abandon the market entry and in that context may enter into a settlement. Furthermore, the fact that the settlement involves transfers of value from the originator to the generics supplier “is not sufficient to classify it as a ‘restriction by object’”. This may be the case where the value transfer corresponds to “compensation for the costs of or disruption caused by the litigation”, “to remuneration for the actual supply […] of goods or services” to the originator, or when the generics supplier “discharges undertakings, particularly financial, given by the patent holder to him, such as cross-undertaking in damages”.

According to the judgment, the critical test is whether the transfer of value is “sufficiently beneficial to encourage the manufacturer of generic medicines to refrain from entering the market concerned and not to compete on the merits”. The ECJ clarified that the uncertainty as to the outcome of the patent dispute is not sufficient to justify the transfer of value as it “is precisely the uncertainty as to the outcome of the court proceedings in relation to whether the patent held by the manufacturer of the originator medicine is valid and whether the generic version of that medicine infringes that patent which contributes, for as long as it lasts, to the existence of at least potential competition”. The focus is therefore on the value transferred to the generics supplier and the settlement will be regarded a ‘restriction by object’ where the transfer of value “can have no other explanation that the commercial interest of the parties to the agreement not to engage in competition on the merits” unless there are “proven pro-competitive effects capable of giving rise to a reasonable doubt that it causes a sufficient degree of harm to competition”.

Consequently, where a patent settlement includes a transfer of value to the generics supplier, it will be critical for the settling parties to demonstrate that this transfer of value is compensation for something other than the absence from the market and challenge of the patent.

In a similarly restrictive finding, the ECJ also held that a settlement agreement can be classified as a “restriction by effect”, without having to demonstrate that the generics supplier “would probably have been successful in the proceedings” or “would probably have concluded a less restrictive agreement”. In line with earlier case-law, “potential” effects are sufficient provided that they are “sufficiently appreciable”.

Abuse of Dominance

While likely of less practical importance, the ECJ also confirmed that an originator’s strategy, in a market where it is dominant, to enter into a series of settlements to temporarily keep generic medicines out of the market may also amount to an abuse of that dominant position.

Implications

As evidenced by the EC’s and the CMA’s eagerness to welcome and comment on the judgment, the ECJ’s judgment sets out a very stringent test for settlements in which there is some transfer of value to the generics supplier. Focus will need to be on the justifications for making any such transfer of value. The risks and litigation costs involved in patent litigation are, however, given no clear relevance in this test. The judgment may therefore make it harder to reach settlements in this type of patent disputes and have the unfortunate consequence of leading to more drawn out patent litigation in the pharmaceutical sector. On the other hand, the limited prospects of achieving a quick and lucrative settlement may reduce the number of attempts by generic suppliers to enter markets early on.

There is hope that the application of this judgment is limited to cases involving process patents, but the reasoning does not suggest that this was the intention.

Finally, the ECJ’s reluctance to consider the merits of the underlying patent litigation raises a question as to whether the court’s reasoning would extend to private litigation. Presumably, for a private claimant to demonstrate damages, some showing that the generics supplier was likely to succeed in the underlying IP case would be necessary in order to show harm to the claimant. The ECJ had no occasion to reach that question at this time.

The following Gibson Dunn lawyers assisted in the preparation of this client update: Christian Riis-Madsen and Eric Stock.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn attorney with whom you work or any member of the Antitrust & Competition practice group:

Brussels
Peter Alexiadis (+32 2 554 7200, [email protected])
Attila Borsos (+32 2 554 72 11, [email protected])
Jens-Olrik Murach (+32 2 554 7240, [email protected])
Christian Riis-Madsen (+32 2 554 72 05, [email protected])
Lena Sandberg (+32 2 554 72 60, [email protected])
David Wood (+32 2 554 7210, [email protected])

Munich
Michael Walther (+49 89 189 33 180, [email protected])
Kai Gesing (+49 89 189 33 180, [email protected])

London
Patrick Doris (+44 20 7071 4276, [email protected])
Charles Falconer (+44 20 7071 4270, [email protected])
Ali Nikpay (+44 20 7071 4273, [email protected])
Philip Rocher (+44 20 7071 4202, [email protected])
Deirdre Taylor (+44 20 7071 4274, [email protected])

Hong Kong
Kelly Austin (+852 2214 3788, [email protected])
Sébastien Evrard (+852 2214 3798, [email protected])

Washington, D.C.
D. Jarrett Arp (+1 202-955-8678, [email protected])
Adam Di Vincenzo (+1 202-887-3704, [email protected])
Scott D. Hammond (+1 202-887-3684, [email protected])
Kristen C. Limarzi (+1 202-887-3518, [email protected])
Joshua Lipton (+1 202-955-8226, [email protected])
Richard G. Parker (+1 202-955-8503, [email protected])
Cynthia Richman (+1 202-955-8234, [email protected])
Jeremy Robison (+1 202-955-8518, [email protected])
Chris Wilson (+1 202-955-8520, [email protected])

New York
Eric J. Stock (+1 212-351-2301, [email protected])

Los Angeles
Daniel G. Swanson (+1 213-229-7430, [email protected])
Samuel G. Liversidge (+1 213-229-7420, [email protected])
Jay P. Srinivasan (+1 213-229-7296, [email protected])
Rod J. Stone (+1 213-229-7256, [email protected])

San Francisco
Rachel S. Brass (+1 415-393-8293, [email protected])

Dallas
Veronica S. Lewis (+1 214-698-3320, [email protected])
Mike Raiff (+1 214-698-3350, [email protected])
Brian Robison (+1 214-698-3370, [email protected])
Robert C. Walters (+1 214-698-3114, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

For the second consecutive year, following the publication of Gibson Dunn’s eighth annual U.S. Cybersecurity and Data Privacy Outlook and Review on Data Privacy Day, we offer this separate International Outlook and Review.

Like many recent years, 2019 saw significant developments in the evolution of the data protection and cybersecurity landscape in the European Union (“EU”):

Several EU Member States continued to adapt their national legal frameworks, and data protection authorities started to apply and enforce these laws and the GDPR.
The Court of Justice of the EU (“CJEU”) has started to hear cases and delivered rulings that concern the application of the General Data Protection Regulation (“GDPR”)[1] and EU data privacy legislation. The European Data Protection Board (“EDPB”), the EU’s regulatory body that took office in 2018 and is composed by representatives of all EU data protection authorities, continued to adopt relevant opinions and guidance documents regarding the interpretation of the GDPR.
The Council of the EU, which represents the governments and administrations of the EU Member States, pursued its internal discussions regarding the adoption of an EU regulation with respect to private life and the protection of personal data in electronic communications, intended to repeal the currently applicable legal framework (“ePrivacy Regulation”).
EU Member States continued to work on the transposition and application of the EU Directive on the security of network and information systems (“NIS Directive”). We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

In addition to the EU, different legal developments occurred in other jurisdictions around the globe, including in other local European jurisdictions, Asia-Pacific region, Africa and Latin America.

We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

__________________________

I. European Union

A. EU GDPR: Implementation Application and Enforcement

1. National Data Protection Initiatives Implementing and Applying the GDPR
2. GDPR Cases, Investigations and Enforcement|
3. CJEU Case Law

a) Territorial Scope of the “Right To Be Forgotten” under the GDPR
b) Cookie Consent under the ePrivacy Directive
c) Obligations of Website Providers and Social Network Services Offering Social Plug-ins
d) Validity of Data Transfer Mechanisms: Standard Contract Clauses and the EU-U.S. Privacy Shield

4. Guidance Adopted by the EDPB
5. International Transfers: Adequacy Declarations and Challenges

B. EU Cybersecurity Directive (“NIS Directive”)

C. Reform of the ePrivacy Directive – the Draft EU ePrivacy Regulation Bill

II. Developments in Other European Jurisdictions: Switzerland, Turkey and Russia

A. Russia

B. Switzerland

C. Turkey

III. Developments in Asia-Pacific and Africa

A. China

B. Singapore

C. India

D. Other Developments in Africa & Asia

IV. Developments in Latin America and in the Caribbean Area

A. Brazil

B. Other Developments in the Caribbean Area

__________________________

I. European Union

As is widely known, in 2018 the GDPR became the main legislative act for the protection of personal data and privacy in the EU. Its numerous and lengthy provisions have made the object of interpretation on their application and enforcement by the CJEU and by the EU data protection authorities gathered in the EDPB.[2]

Since the adoption of the GDPR, some Member States have adapted their legal frameworks in order to transpose and implement some of the GDPR provisions into their respective national legislation.

In the 2019 International Outlook and Review, we provided an overview of the national laws and regulations adopted by the Member States in 2018 in order to adapt their legislation to the GDPR.

Below is an overview of the national data protection reforms implemented throughout the EU during 2019:

Member State	National Data Protection Law Adopted
Bulgaria	Personal Data Protection Act of 4 January 2002 implementing the GDPR, published in the State Gazette on 26 February 2019.
Czech Republic	Act No. 110/2019 Coll. on the Processing of Personal Data (Data Protection Act), applicable as of its publication in the Official Gazette on 24 April 2019.
Finland	Data Protection Act (1050/2018), approved on 13 November 2018 and applicable as of 1 January 2019.
France	Decree No. 2019-536 of 29 May 2019.
Germany	Second Law on the Adaptation of Data Protection Legislation to the GDPR, published in the Federal Gazette on 25 November 2019.
Greece	Law 4624/2019 on the protection of personal data of 29 August 2019.
Poland	Act of 21 February 2019 amending other legal acts in relation to the implementation of the GDPR.
Portugal	Law No. 58/2019 of 8 August 2019, which repealed the previous data protection law, Law No. 67/98, of 26 October 1998.
Romania	Law no. 129 of 15 June 2018 amending the Law No. 102 of 2005.
Slovenia	The new Slovenian Data Protection Act (the “ZVOP-2”) is currently in the legislative pipeline, and it will repeal the current Data Protection Act (the “ZVOP-1”). On 6 March 2019, the Ministry of Justice released a draft Personal Data Protection Act.

2019 saw the end of the transition period that supervisory authorities granted to companies to implement the GDPR, and investigations and infringement proceedings have sky-rocketed in the Member States. The most significant cases in important EU jurisdictions are set out below.

In France, the French National Data Protection Commission (“CNIL”) received group complaints from the associations None Of Your Business and La Quadrature du Net in May 2018, shortly after the application of the GDPR. In these complaints, the associations complained against Google LLC for not having a valid legal basis to process the personal data of the users of its services, particularly for the purposes of customizing and delivering targeted ads. The CNIL concluded that Google had breached its transparency and information obligations and its obligation to rely on a valid legal basis to customize and deliver personalized ads. Based on these grounds, the CNIL imposed a financial penalty of EUR 50 million to Google LLC on 21 January 2019.[3]

The CNIL has also imposed a 500,000 EUR fine on a company specialized in private homes insulation, Futura Internationale, for violations of the GDPR. Further to a complaint, the CNIL investigated and found Futura Internationale to have committed the following GDPR violations: (i) the absence of a procedure to ensure the right of data subjects to object to personal data processing; (ii) the presence of irrelevant data in the company’s client database (e.g., offensive comments and comments related to health); (iii) insufficient information provided to individuals regarding the processing of their personal data and their rights; (iv) lack of cooperation with the CNIL; and (v) lack of mechanisms of supervision and compliance of data transfers outside the EU.

In Ireland, a social network service is currently being investigated by Irish privacy authorities over its refusal to give a user information about how it tracks users when they click on links in public messages. The company refused to disclose the data it recorded when a user clicked on links in other people’s messages, claiming that it benefitted from a GDPR exemption to disclose the requested data, as providing it would involve a “disproportionate effort” for the company.

In December 2018, the Irish Data Protection Commission opened a statutory inquiry into the company’s compliance with the relevant provisions of the GDPR following receipt of a number of breach notifications from the company since the introduction of the GDPR.[4] In 2019, the Irish Data Protection Commission concluded its investigation into the social network service over potential violations of the GDPR, and moved into the decision-making phase. During this phase, the Irish Data Protection Commission will issue a draft decision, which is expected in early 2020.

On another note, in Germany, the Berlin Commissioner for Data Protection and Freedom of Information imposed a fine of approximately 14.5 million EUR on a German real estate company for violations of the privacy by design and storage-limitation principles. In particular, the Berlin authority found that the archive system of the company did not enable personal data that were no longer required to be removed, and personal data were retained for longer than necessary.[5] This is the highest fine imposed so far by a German company over data protection.

The German Federal Data Protection Supervisory Authority also imposed a 9.55 million EUR fine on a telecommunications service provider for violations of the GDPR. The authority concluded that individuals calling the provider’s customer service hotline could obtain, merely by providing a customer’s name and date of birth, extensive information about other customers. The authority considered that this constituted a breach of Article 32 of the GDPR, which requires data controllers to implement technical and organizational measures to ensure a level of security appropriate to risks.[6] The company announced that it would challenge the order, arguing that the amount of the fine is disproportionate.

In the UK, on 9 July 2019, the Information Commissioner Office (“ICO”) issued a notice of its intention to fine a hospitality company approximately 99 million GBP for infringements of the GDPR. The proposed fine relates to an incident that affected personal data contained in approximately 30 million guest records of residents in the European Economic Area.[7] The cyber-incident and possible data breach affected the company while it was subject to one ownership, but the breach was exposed and investigated after the company was transferred to another ownership.

On 8 July 2019, the ICO also issued a notice of its intention to fine British Airways 183.39 million GBP for infringements of the GDPR. The proposed fine relates to a cyber-incident reported to the ICO by British Airways in September 2018, according to which personal data of approximately 500,000 customers were compromised.[8]

On 17 December 2019, the ICO imposed a fine of 275,000 GBP, the first issued in the UK in application of the GDPR, on a pharmacy for failing to comply with security requirements for special categories of data. The pharmacy allegedly left approximately 500,000 documents (containing clients’ personal data including names, addresses, dates of birth, National Health Service numbers, as well as other medical information) in unlocked containers at the back of its premises. The ICO was alerted to this incident by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate investigation into the pharmacy. After completing its investigation, the ICO concluded that the pharmacy failed to process data in a manner that ensured appropriate security against unauthorized or unlawful processing and accidental loss, destruction or damage, in violation of the GDPR.[9]

In Austria, the Austrian data protection authority imposed a fine of 18 million EUR on the Austrian Postal Service, due to the processing of personal data on political opinions of data subjects and for direct marketing purposes. The authority specified that the high amount of the fine imposed on the Austrian Postal Service aimed to prevent other violations.[10]

Finally, in Italy, the Italian data protection authority recently imposed a fine of 11.5 million EUR on energy company Eni Gas and Luce for its unlawful processing of personal data in the context of promotional activities (telemarketing) and the activation of unsolicited contracts. The fines were determined in line with the GDPR requirements, taking into account the wide range of stakeholders involved, the pervasiveness of the conduct, the duration of the infringement, and the economic conditions of the company.[11]

3. CJEU Case Law

Building on the body of case law developed throughout the last years, as we indicated in the 2019 International Outlook and Review, 2019 has continued to witness numerous cases before the CJEU on the application of the EU Data Protection Directive, the GDPR and the ePrivacy Directive. Set forth below are the most relevant cases and updates concerning the interpretation and application of EU privacy legislation.

On 24 September 2019, the CJEU delivered a judgment in a case facing Google LLC to the French supervisory authority (“CNIL”). In the underlying proceedings under French law, Google LLC had a fine imposed for its failure to implement on all domain extensions, worldwide, those requests from data subjects to remove search results that referenced their personal data. The CNIL considered it insufficient that “right to be forgotten” requests from French data subjects would only be executed in results on the “.fr” domain of Google Search (i.e., www.google.fr), as well as only with regard to users located within the French territory.[12]

In its judgment, the CJEU concluded that a search engine operator is not required to carry out that de-referencing on all versions of its search engine, but only on the versions of that search engine corresponding to all the EU Member States.

On 1 October 2019, the CJEU issued a ruling on the topic of cookie information and consent obligations under the ePrivacy Directive and under the GDPR. The judgment was delivered in the context of proceedings followed in Germany against Planet49 GmbH, a company that organized a promotional lottery online and which required users to input certain personal data in order to participate, followed by pre-selected checkboxes authorizing Planet49 GmbH to share the personal data with analytics providers, sponsors and cooperation partners for commercial purposes.[13]

In the judgment, the CJEU considered that the “consent” referred to in the ePrivacy Directive, which is based on the definition provided in the GDPR, is not valid if it is collected by way of pre-selected checkboxes, which the user must deselect in order to refuse his or her consent. Accordingly, in the context of the use of checkboxes, valid “consent” may only be expressed through the use of blank boxes that users must actively select.

The ruling applies in principle to the processing of data contained in cookies, stored and accessed in users’ devices, regardless of whether these data may be considered to be personal data. However, given that the CJEU expressly referred to and based its decision on the definition of “consent” under the GDPR, it is possible that this ruling will set a new trend in the definition of “consent” applicable to the processing of personal data in general.

Furthermore, the CJEU ruled that online service providers must make available to website users information on the operation of cookies, including the duration of the operation of cookies and whether or not third parties may have access to any cookie data received.

On 29 July 2019, the CJEU delivered a judgment regarding the identification of controllers and defining the scope of information obligations imposed on online service providers. The ruling was issued in the proceedings followed against Fashion ID, an online clothing retailer, which had embedded in its website a “Like” social plug-in from a third-party social network service. Because of the manner in which the Internet works, when a visitor consulted the website of Fashion ID, that visitor’s personal data (e.g., IP addresses, cookie data and other browser technical data) were transmitted to the social network service through the social plug-in. Such transmission occurred without the knowledge or awareness of the visitor, and independently from the visitor’s membership with the social network.[14]

In the judgment, the CJEU concluded that the operator of a website, such as Fashion ID, which embeds in its website a social plug-in that transmits personal data to a third-party provider, can be considered to be a “controller.” However, the CJEU limited the role of Fashion ID as a “controller” only for the purposes of those data processing operations in respect of which it actually determined the purposes and means.

Furthermore, the CJEU found that both the provider of the website (Fashion ID) and of the social plug-in (the social network service provider) should each pursue a legitimate interest in order to benefit from the legal basis provided for in Article 7(f) of Directive 95/46/EC (Article 6(1)(f) of the GDPR).

Finally, the CJEU concluded that the website provider (Fashion ID) needed to obtain any valid consent required, and needed to provide users with the necessary information to comply with Directive 95/46/EC (replaced by the GDPR), but only with regard to the data processing operations in respect of which the provider determined the purposes and means as a “controller.”

d) Validity of Data Transfer Mechanisms: Standard Contract Clauses and the EU-U.S. Privacy Shield

As it was indicated in the 2018 and 2019 International Outlook and Review, on 3 October 2017, the Irish High Court decided to refer the issue of the validity of the standard contractual clauses decisions to the CJEU for a preliminary ruling.[15] Several questions were referred to the Court in May 2018 which relate, in particular, to the validity of Decision 2010/87 on standard contractual clauses (“SCCs”) for the transfer of personal data to processors established in third countries. On 19 December 2019, the EU Advocate General issued a favorable opinion on the validity of the EU’s SCCs.[16]

According to the Advocate General, Decision 2010/87 is compatible with the Charter of Fundamental Rights of the EU since there are sufficiently sound mechanisms to ensure that transfers based on the SCCs be suspended or prohibited where those clauses are breached or impossible to honor. Decision 2010/87 places obligations on data controllers and, where the latter fail to act, on EU data protection authorities, to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.[17] The final judgment of the CJEU should be adopted and released in the coming months.

As it was also indicated in the 2018 and 2019 International Outlook and Review, on 12 July 2016, the European Commission formally approved the EU-U.S. Privacy Shield. The Privacy Shield replaced the EU-U.S. Safe Harbor framework for the transatlantic transfer of personal data, which was invalidated by the CJEU on 6 October 2015 in the case Maximilian Schrems v. Data Protection Commissioner.[18] Since the adoption of the Privacy Shield program in 2016, more than 5,000 companies have adhered to the Privacy Shield framework.

On 22 November 2017, the CJEU declared an action brought by Digital Rights Ireland Ltd. against the Privacy Shield inadmissible. However, the EU’s General Court admitted a similar challenge of the Privacy Shield brought by French NGO La Quadrature du Net.[19] These proceedings are currently ongoing, and an opinion of the EU’s Advocate General and a Judgment are expected in the course of 2020.

In October 2019 the European Commission published its third annual review of the EU-U.S. Privacy Shield, which concluded that the Privacy Shield continues to ensure an adequate level of protection of personal data transferred to participating companies in the U.S.[20] The European Commission noted the adoption of several improvements to the Privacy Shield, such as a more systematic oversight performed by the U.S. Department of Commerce, an improvement of the enforcement action by the Federal Trade Commission, the use of Privacy Shield rights by an increasing number of European individuals, or the appointment of the permanent Ombudsperson. Nevertheless, the European Commission recommended the adoption of additional measures to ensure the effective functioning of the Privacy Shield, including the strengthening of the certification/recertification process, the development of additional guidance related to human resources data, and the expansion of compliance checks.

On 12 November 2019, the EDPB published its own report relating to this third annual review, which contains its main findings regarding the commercial aspects of the Privacy Shield and the access by public authorities to data transferred from the EU to the U.S. under the Privacy Shield.[21]

4. Guidance Adopted by the EDPB

The EDPB, which took office on 25 May 2018, has continued to hold public consultations and adopt Guidelines on the interpretation and application of certain key provisions and aspects of the GDPR. The Guidelines adopted in the course of 2019 include the following:[22]

GDPR applicability: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

These Guidelines analyze the different elements that determine whether an entity is subject to the GDPR, depending on whether or not it has an establishment in the EU. Remarkably, the EDPB clarified in the Guidelines that controllers or processors not established in the EU could be subject to the GDPR if they intentionally target EU data subjects to offer goods or services, or if they monitor their behavior. Furthermore, these foreign entities would not benefit from the “one-stop shop” rule if they do not have one or more establishments in the EU.

Processing on the basis of the performance of the contract: Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.

These Guidelines assess the application of the legal basis contained in Article 6(1)(b) of the GDPR, which may be relied upon when personal data are processed for the performance of a contract with a data subject or in order to take steps at the request of the data subject prior to entering into a contract. In particular, the EDPB found that Article 6(1)(b) of the GDPR may not cover certain processing activities not necessary for the provision of individual services requested by a data subject, but rather for the controller’s wider business model.

Right to be forgotten: Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1).

In these Guidelines, the EDPB has dissected each of the grounds that data subjects may rely on to exercise their right to be forgotten, and the exceptions on which data controllers may rely on to dismiss this kind of requests, including the necessity to safeguard the right of freedom of expression and information.

Privacy-friendly techniques and practices: Guidelines 4/2019 on Article 25 Data Protection by Design and by Default.

The EDPB issued these Guidelines in order to shed some light into one of the most unclear obligations imposed by the GDPR. The EDPB clarified that privacy “by design and by default” required companies to implement necessary and effective safeguards in the form of technical and organizational measures. These should include state-of-the-art technology considered appropriate regarding the costs of implementation, the nature, scope, context and purpose of the processing, and the risks identified at the time of the processing.

Processing of personal data through video devices: Guidelines 3/2019 on processing of personal data through video devices.

In these long-awaited Guidelines, the EDPB expressed a common EU approach to the use of video devices (e.g., CCTV cameras) and the processing of personal data. The EDPB analyzed the possible application of a number of legal bases (e.g., consent, legitimate interests, or performance of a task in the public interest) and assessed the application of the data protection principles to video footage recording (e.g., technical and organizational measures, storage periods). It also addressed the conditions for the disclosure of video footage to third parties, and the exercise of rights by data subjects.

Certification bodies and criteria:Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679).Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679.

The GDPR foresees the appointment of accredited bodies that can certify the compliance of companies and organizations with data protection rules. In these Guidelines, the EDPB outlined the procedure for the accreditation of these certification bodies, and set out the substantive requirements for certification of entities’ compliance with the substantive requirements of the GDPR.

Codes of conduct: Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679.

Under the GDPR, trade associations and other institutional bodies representing controllers or processors may prepare codes of conduct for the purposes of specifying the application of the GDPR in specific fields. These Guidelines provided the criteria for the admissibility and approval of codes, including at the national and EU level, and set up a procedure for their monitoring by accredited bodies, approval and revocation.

5. International Transfers: Adequacy Declarations and Challenges

Both under the former EU Data Protection Directive and the current GDPR, transfers of personal data outside of the EU are generally prohibited unless, inter alia, the European Commission formally concludes that the legislation of the country where personal data is being transferred protects personal data adequately.

Thus far, the adequacy decisions adopted by the European Commission under the previous legal framework (the Data Protection Directive 95/46/EC) are still in force, and cover data transfers to the following jurisdictions: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the U.S. (limited to the EU-U.S. Privacy Shield framework).[23]

As indicated in the 2019 International Outlook and Review, the European Commission had engaged with a number of jurisdictions with a view to recognizing the validity of data transfers to more countries worldwide.

During 2019, adequacy talks have continued with regard to South Korea, with a view to adopting an adequacy decision in 2020. Although the negotiations have remained confidential so far, it has been reported that the main concerns of the EU authorities related to the independence and powers of the South Korean data protection authority.[24] Some amendments to the Personal Information Protection Act have been submitted to the South Korean National Assembly, in order to grant enforcement power and functions to the Personal Information Protection Commission.

India, which is preparing a personal data protection bill, would also plan to obtain an adequacy decision following the finalization and adoption of this bill.[25] In addition, the evolution of the situation in Indonesia and Taiwan could also lead to future adequacy decisions. Finally, preparatory work has started in order to initiate discussions regarding the adequacy of several Latin American countries (such as Chile or Brazil).[26]

B. EU Cybersecurity Directive (“NIS Directive”)

In the EU, cybersecurity legislation addressing incidents affecting essential service and digital service providers is primarily covered by the NIS Directive,[27] adopted on 6 July 2016. As it was explained in the 2019 International Outlook and Review, the NIS Directive is the first set of cybersecurity rules to be adopted at the EU level, which aims to set a minimum level of cybersecurity standards and to streamline cooperation between EU Member States at a time of growing cybersecurity breaches.

In the course of 2019, the European Union Agency for Cybersecurity (“ENISA”) has been particularly active in issuing guidance and evaluating the responsiveness of the EU authorities, stakeholders and systems in responding to cyberattacks. In particular:

ENISA has published a number of guidance documents aimed to assist private parties in their evaluation of security measures adopted in application of EU instruments, such as the GDPR[28] and the NIS Directive.[29]
Following the trends for increased use of consumer products and services relying on cloud services and Internet of Things, ENISA has continued to issue guidance documents providing companies with an overview of the potential risks and redress measures in this context. For example, in January 2019, ENISA issued its gap analysis into the security standards observed in the field of “Internet of Things.”[30]
ENISA has also strived to adopt guidance documents assisting companies in their day-to-day business practices, such as the adoption of good practices on the implementation of regulatory technical standards,[31] or the adoption of measures to reinforce trust and security in electronic communications and services.[32]

C. Reform of the ePrivacy Directive – the Draft EU ePrivacy Regulation Bill

As it was explained in the 2019 International Outlook and Review, 2016 saw the initiation of the procedures for the reform of the EU’s main set of rules on ePrivacy, the ePrivacy Directive. In this context, further to a public consultation held by the European Commission, the first proposal of the future EU ePrivacy Regulation (the “draft ePrivacy Regulation”) was released on 10 January 2017.[33] In 2017, the draft ePrivacy Regulation was subject to an opinion of the WP29 (4 April 2017)[34] and an amended version was issued by the European Parliament (20 October 2017).[35]

Since then, internal discussions have been ongoing at the level of the Council of the EU during 2018 and 2019. Despite the progress made on this front, in November 2019, it was made public that the EU Council could still not find a common position on a variety of topics concerning the ePrivacy Regulation. Press reports have identified the following outstanding aspects as being at the origin of the disagreement among Member States:[36]

The processing of electronic communications data for the purposes of prevention of child abuse imagery: Member States have diverging views on whether and how to achieve this objective.
The protection of terminal equipment information: Member States have been reported to discuss extensively regarding conditional access to website content (so-called “cookie walls”), which underlies numerous existing business models. The positions of the Council and of the European Parliament differ vastly in this area.
Processing of electronic communications data by third parties: While the latest draft proposal included a recital clarifying the concept of third parties, there are other ongoing discussions regarding whether the scope of these obligations should be extended to electronic communications providers in general, or to services covered by current sectoral legislation.
Cooperation among data protection and telecommunications regulatory authorities: A number of Member States have raised concerns regarding the cooperation among various enforcement authorities.

In light of the disagreement among Member States within the Council, it has been reported that the European Commission has recently retrieved the ePrivacy Regulation bill, in order to update it in light of the various positions expressed by the Member States to date. The European Commission allegedly aims to resubmit a new ePrivacy Regulation bill for discussion during the Croatian Presidency of the Council (January to June 2020).[37]

II. Developments in Other European Jurisdictions: Switzerland, Turkey and Russia

As we indicated in the 2019 International Outlook and Review, the increasing impact of digital services in Europe and the overhaul brought about by the GDPR in the EU have led certain jurisdictions in the vicinity of the EU to improve and enforce more vigorously their data protection regulations.

A. Russia

Local data privacy laws have continued to be heavily enforced, reflecting the activity of the Russian Federal Service for the Supervision of Communications, Information Technology and Mass Communications (“Roskomnadzor”) in monitoring and enforcing data protection compliance.

For example, in January 2019, it became public that the Roskomnadzor had sent letters to two social network services regarding their compliance with Russian data localization laws. In February and March 2019, the Roskomnadzor announced reports on administrative proceedings against these companies for alleged violations of Russian data protection laws.

In July 2019, Roskomnadzor imposed a 700,000 RUB fine (approx. 10,000 EUR) on Google for its alleged failure to remove prohibited search engine results. According to Roskomnadzor, more than a third of the links from a single Google search registry contained prohibited information under Russian law.

On 2 December 2019, the fines for violations of data localization and data processing requirements were increased. In particular, the failure by operators to collect, systemize and store personal data in Russian databases will be fined with 1 million to 6 million RUB (approx. 14,000 EUR to 84,500 EUR) for legal entities. In addition, the Law highlights that repeat offences will lead to fines up to 18 million RUB (approx. 250,000 EUR) for legal entities.

B. Switzerland

As indicated in the 2019 International Outlook and Review, to prepare for the entry into force of the GDPR, the Swiss government had issued a draft of a new Data Protection Act (the “Draft FDPA”)[38] that aims to:

Modernize Swiss data protection law and, to a certain extent, align it to the requirements of the GDPR; and,
Maintain its adequacy status granted by the European Commission, to ensure the free flow of personal data between the EU and Switzerland.

The Draft FDPA was published by the Swiss Federal Council on 15 September 2017, in order to replace the Federal Act on Data Protection of 19 June 1992 (the “FADP”).

In November 2019, the Swiss Federal Assembly announced that the State Political Commission of the Council of States (“PCI-S”) had completed its detailed consultation on the Draft FDPA, which had been unanimously accepted after consultation of the representatives of the cantonal data protection officers. In order to approach the Draft FDPA to the GDPR, the PCI-S departed from the decisions of the National Council, for example, including trade union membership as a category of sensitive personal data. It is therefore expected that the Draft FDPA will be adopted in the course of 2020.

C. Turkey

Throughout 2019, the Turkish data protection authority (the “KVKK”) has issued a number of regulations and guidance documents regarding a number of issues related to the application and enforcement of the Turkish Data Protection Act No. 6698 of 2016. These regulations and guidance documents include the following:

Data protection obligations: On 18 March 2019, the KVKK issued guidelines on data protection in Turkey, addressing data processing requirements such as consent, transfers of data within and outside of Turkey, and data controller obligations, among other topics.
Subject access requests: On 13 February 2019, the KVKK issued a decision on the time-frames to lodge a complaint with the KVKK further to a subject access request. The decision focuses on cases where a request made under the Turkish Data Protection Act was rejected, replied to insufficiently or not replied to in due time.
Data processing registry: On 28 April 2019, the KVKK published a guide on the preparation of processing registry. The guide specifies the content of the registry and the preparation process, such as determining the purpose of the data processing and the data retention period.
Data processing guide: On 6 August 2019, the KVKK published a guide, which aims at making it easier for companies to understand data protection requirements under the Turkish Data Protection Act, such as obligations of data disclosure, deletion, and anonymization, obligations to register with the data controller and exceptions to the obligation to handle a registry of operations, among other things.
Transparency requirements: On 8 November 2019, the KVKK issued a statement on the transparency requirements, in order to bring the practices of companies in further compliance with the Turkish Data Protection Act. In January 2020, the KVKK announced the launch of its online portal on data violations, which is expected to increase the supervisory activity and enforcement actions of the KVKK.

Furthermore, the KVKK continued with its enforcement of the Turkish Data Protection Act. For example, in May 2019, the KVKK imposed fines up to 4.65 million TRY (approx. 250,000 EUR) on a social network service for its alleged failures to notify data breaches. In July 2019, the KVKK imposed a fine of 1.45 million TRY (approx. 220,000 EUR) on a hospitality company for an alleged data breach that affected Turkish citizens. Overall, the KVKK found and imposed fines over 1 million EUR on several companies for data breaches that occurred in several sectors.

III. Developments in Asia-Pacific and Africa

As we indicated in the 2019 International Outlook and Review, in an increasingly connected world, 2019 also saw many other countries try to get ahead of the challenges within the cybersecurity and data protection landscape. Several international developments bear brief mention here:

A. China

As indicated in the 2019 International Outlook and Review, China’s Cybersecurity Law was adopted on 1 June 2017, becoming the first comprehensive Chinese law to regulate the management and protection of digital information by companies. The law also imposes significant restrictions on the transfer of certain data outside of the mainland (data localization) enabling government access to such data before they are exported.[39] On 10 September 2018, the National People’s Congress of China announced, as part of its legislative agenda, that its Standing Committee would consider draft laws with relatively mature conditions, including a draft personal information protection law and a draft data security law.[40]

On 25 January 2019, the Ministry of Industry and Information Technology of the People’s Republic of China (“MIIT”), the Cyberspace Administration of China (“CAC”), the Ministry of Public Security, and the State Administration for Market Regulation released a statement on privacy practices for applications. In particular, the announcement outlined the consent requirements from the perspective of the Chinese Cybersecurity Law, which requires controllers to provide privacy notices in clear, concise wording, to obtain freely given consent, to discourage “bundled” forms of consent, and to encourage app operators to provide an opt-out mechanism for personalized advertisements.

In March, the MIIT identified a number of organizations that had been involved in nuisance calls and the use of illegal apps to collect personal information. The MIIT noted that it had made arrangements for companies involved to immediately shut down phone lines used to facilitate the illegal calls. It also highlighted that it would cooperate with the Central Network Information Office, the Ministry of Public Security and the General Administration of Market Supervision in order to strengthen the protection of personal information collected by mobile apps.

The CAC has also been involved in the adoption of bills and rules regarding the protection of personal data in China, including the following:

On 24 May 2019, the CAC published draft measures to enhance the security and management of critical information infrastructure, and launched a public consultation on the same topic.
On 28 May 2019, the CAC published draft measures on data security management including, among others, provisions for privacy, data processing, notifications, and consent.
On 31 May 2019, the CAC issued draft measures on the collection, storage, use, transfer and disclosure of children’s personal information. The draft measures apply to children under 14 years of age and, among other things, specify that network operators should set up dedicated children’s personal information protection user agreements as well as designate personnel to be responsible for protecting children’s personal information.
On 13 June 2019, the CAC issued draft measures on cross-border data transfers. In particular, the draft measures require network operators to provide a declaration form, signed contract between network operators and receivers, and a security risk assessment, among other things, prior to personal information being transferred out of China.
In July 2019, the CAC announced the release of an Internet information service complaint platform in order to facilitate and encourage data subjects to defend their rights.

B. Singapore

As indicated in the 2019 International Outlook and Review, the Personal Data Protection Commission of Singapore issued on 7 November 2017 the proposed advisory guidelines for the collection and use of national registration identification numbers. The Commission gave businesses and organizations 12 months from the date of publication to review their processes and implement necessary changes to ensure compliance.[41]

Following the expiration of this grace period, the Singapore Personal Data Protection Commission (“PDPC”) has initiated enforcement action and issued fines against numerous companies across all sectors for violations of Singapore data protection laws. For example, in January 2019, the PDPC imposed a fine of 750,000 SGD (approx. 500,000 EUR) on Integrated Health for data security failures.

C. India

As we indicated in the 2019 International Outlook and Review, the Indian Ministry of Electronics and Information Technology published, on 27 July 2018, the Personal Data Protection Bill (the “Bill”) and the Data Protection Committee Report (the “Report”).[42]

In December 2019, after further deliberations, the Bill was approved by the Cabinet Ministry of India, and was tabled in the Indian Parliament by the Minister of Electronics and Information Technology. At the end of December 2019, the Bill started being analyzed by a Joint Parliamentary Committee in consultation with various groups.

D. Other Developments in Africa & Asia

Throughout 2019, a number of jurisdictions in Asia and Africa have adopted data protection legislation, including the following:

Kenya: On 8 November 2019, the Kenya Data Protection Bill 2019 was signed into law.
Nigeria: The National Information Technology Development Agency issued the Nigeria Data Protection Regulation 2019.
Togo: In October 2019, Law No. 2019-014 Relating to the Protection of Personal Data was published in the Official Gazette.
Uganda: In 2019, the Data Protection and Privacy Act entered into force.
Indonesia: In October 2019, Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions became effective.
New Zealand: In 2019, the Parliament discussed the Privacy Amendment Bill, which should become law in the course of 2020.
Thailand: In May 2019, the Personal Data Protection Act and the Cybersecurity Act entered into force.

IV. Developments in Latin America and in the Caribbean Area

The overhaul of data protection rules in important jurisdictions around the globe has also impacted Latin America and the Caribbean countries, where some local administrations have bolstered their respective legislation and undertaken initiatives to bring their framework closer to that of the EU.

A. Brazil

As we indicated in the 2019 International Outlook and Review, a new General Data Protection Law was adopted in Brazil on 14 August 2018, after several years of discussions among decision-makers.[43]

In July 2019, the President of Brazil promulgated Law No 13.853 amending the General Data Protection Law. In its final form, the General Data Protection Law introduced some important revisions, such as the creation of an enforcement authority (the National Data Protection Authority), the extension of its application to public bodies as well as to private entities, the extensive appointment of Data Protection Officers, and the postponement of its application until 2022.

In the midst of the adoption of the General Data Protection Law, enforcement action of the Brazilian authorities has thrived to protect the privacy of its citizens. For example, on 30 December 2019, it was announced that the Ministry of Justice and Public Security had fined a social network service 6.6 million BRL (approx. 1.4 million EUR) for the alleged transfer to and misuse of personal data of Brazilian users by a political marketing consultancy firm.

B. Other Developments in the Caribbean Area

Throughout 2019, a number of jurisdictions in the Caribbean area have adopted data protection legislation, including the following:

Barbados: In August 2019, the bill for the Data Protection Act 2019 was passed by the House of Assembly after its approval by the Senate.
Cayman Islands: On 30 September 2019, the Data Protection Law, 2017 (Law 33 of 2017) entered into force.
Jamaica: In July 2019, the Minister of Science, Energy and Technology had submitted to the Parliament a bill to reform the Data Protection Act 2017.

______________________

[1] See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119 4.5.2016, p. 1.

[2] The EDPB is an EU body that is formed by the representatives of the data protection authorities of the EU Member States, the EEA States (Iceland, Lichtenstein and Norway), and the European Data Protection Supervisor (the data protection agency that supervises the compliance of the EU institutions with EU data protection legislation). Under the GDPR, the EDPB has certain advisory, enforcement and decision-making powers.

[3] See: https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc.

[4] See: https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-opens-statutory-inquiry-twitter.

[5] See: https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PM-Bussgeld_DW.pdf.

[6] See: here.

[7] See: here.

[8] See: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/.

[9] See: https://ico.org.uk/media/action-weve-taken/mpns/2616742/doorstop-mpn-20191217.pdf.

[10] See: https://edpb.europa.eu/news/national-news/2019/administrative-criminal-proceedings-austrian-data-protection-authority_en.

[11] See: https://edpb.europa.eu/news/national-news/2020/italian-supervisory-authority-fines-eni-gas-e-luce-eur-115-million-account_en.

[12] See CJEU, Case C-507/17 Google LLC v. CNIL (24 September 2019).

[13] See CJEU, Case C-673/17 Verbraucherzentrale Bundesverband e.V. v. Planet49 GmbH (1 October 2019).

[14] See CJEU, Case C-40/17 Fashion ID GmbH & Co.KG v. Verbraucherzentrale NRW eV (29 July 2019).

[15] See Irish High Court Commercial, The Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems, 2016 No. 4809 P.

[16] See Opinion of Advocate General Saugmandsgaard Øe on Case C-311/18 Data Protection Commissioner v. Facebook Ireland Limited, available here.

[17] See Opinion of the Advocate General in the case C-311/18 Facebook Ireland and Schrems, available here.

[18] See CJEU, Case C-362/14, Maximillian Schrems v. Data Protection Commissioner (6 October 2016).

[19] See General Court, Case T-738/16, La Quadrature du Net and Others v. Commission.

[20] See Report from the commission to the European parliament and the council on the third annual review of the functioning of the EU-U.S. Privacy Shield, available here.

[21] See “EU – U.S. Privacy Shield – Third Annual Joint Review,” available here.

[22] See: https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en.

[23] See: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.

[24] See IAPP, “South Korea’s EU adequacy decision rests on new legislative proposals” (27 November 2018), available at https://iapp.org/news/a/south-koreas-eu-adequacy-decision-rests-on-new-legislative-proposals/.

[25] See IAPP, “India to seek adequacy status with EU” (31 July 2019), available at https://iapp.org/news/a/india-to-seek-adequacy-status-with-eu/.

[26] See “Communication from the Commission to the European Parliament and the Council – Data protection rules as a trust-enabler in the EU and beyond – taking stock,” available here.

[27] See Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, pp. 1-30, available here.

[28] See: https://www.enisa.europa.eu/publications/recommendations-on-shaping-technology-according-to-gdpr-provisions, https://www.enisa.europa.eu/publications/recommendations-on-shaping-technology-according-to-gdpr-provisions-part-2, and https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and-best-practices.

[29] See: https://www.enisa.europa.eu/publications/eu-ms-incident-response-development-status-report.

[30] See: https://www.enisa.europa.eu/publications/iot-security-standards-gap-analysis.

[31] See: https://www.enisa.europa.eu/publications/good-practices-on-the-implementation-of-regulatory-technical-standards.

[32] See: https://www.enisa.europa.eu/publications/reinforcing-trust-and-security-in-the-area-of-electronic-communications-and-online-services.

[33] See: https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation.

[34] See: http://ec.europa.eu/newsroom/document.cfm?doc_id=44103.

[35] See: here.

[36] See: https://iapp.org/news/a/how-the-eprivacy-regulation-failed-again/.

[37] See: https://www.euractiv.com/section/data-protection/news/commission-to-present-revamped-eprivacy-proposal/.

[38] The Draft FDPA is available in the official languages of Switzerland:

An unofficial English version of the Draft FDPA is also available here.

[39] See FT Cyber Security, “China’s cyber security law rattles multinationals,” Financial Times (30 May 2017), available at https://www.ft.com/content/b302269c-44ff-11e7-8519-9f94ee97d996.

[40] See: http://www.npc.gov.cn/npc/xinwen/2018-09/10/content_2061041.htm (Press Release in Chinese).

[41] See Singapore Personal Data Protection Commission, Proposed Advisory Guidelines on the Personal Data Protection Act For NRIC Numbers, published 7 November 2017, available here.

[42] See http://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill%2C2018_0.pdf.

[43] See IAPP, “GDPR matchup: Brazil’s General Data Protection Law” (4 October 2018), available at https://iapp.org/news/a/gdpr-matchup-brazils-general-data-protection-law/.

The following Gibson Dunn lawyers prepared this client update: The following Gibson Dunn lawyers assisted in the preparation of this client alert: Ahmed Baladi, Alexander Southwell, Alejandro Guerrero, Guillaume Buhagiar and Clémence Pugnet.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

Europe
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0)20 7071 4250, [email protected])
Patrick Doris – London (+44 (0)20 7071 4276, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero Perez – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0)20 7071 4203, [email protected])
Guillaume Buhagiar – Paris (+33 (0)1 56 43 13 00, [email protected])
Clémence Pugnet – Paris (+33 (0)1 56 43 13 00, [email protected])

Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

United States
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Deborah L. Stein (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

2019 marked another exciting year for trade secret litigation. Approximately 1,400 new cases were filed in federal courts, holding fairly steady with the number filed in 2018. Successful federal plaintiffs were awarded more than $45 million total for their trade secret claims, with an average award of about $1.1 million. 2020 is expected to be equally eventful for trade secret litigation.

Similarly, 2019 was eventful for legislation and enforcement related to trade secrets. Seven states amended or enacted statutes restricting noncompete agreements—an important tool in protecting an employer’s trade secrets—and California federal courts restricted nonsolicitation agreements. The Trump administration heightened efforts to combat intellectual property theft and espionage from China. The Department of Justice also argued that indictments for conspiracy or attempt to steal trade secrets need not identify those secrets. Looking ahead, legislative and agency focus on limiting noncompete—and potentially nonsolicit—agreements is likely to continue in 2020.

Jason Schwartz, Greta Williams, Christine Demana, Megan Hulce and Joseph Barakat highlight these and other notable trade secrets developments from 2019 and trends for 2020 in their two-part article, recently published by Bloomberg Law.

Part 1: Trade Secrets 2019 Litigation Roundup and 2020 Trends

Part 2: Trade Secrets 2019 Legislative, Executive Roundup and 2020 Trends

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding the developments discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work or the following authors:

Jason C. Schwartz – Washington, D.C. (+1 202-955-8242, [email protected])
Greta B. Williams – Washington, D.C. (+1 202-887-3745, [email protected])
Christine Demana – Dallas (+1 214-698-3246, [email protected])

Please also feel free to contact any of the following practice group leaders and members:

Labor and Employment Group:
Catherine A. Conway – Los Angeles (+1 213-229-7822, [email protected])
Jason C. Schwartz – Washington, D.C. (+1 202-955-8242, [email protected])

Intellectual Property Group:
Wayne Barsky – Los Angeles (+1 310-557-8183, [email protected])
Josh Krevitt – New York (+1 212-351-2490, [email protected])
Mark Reiter – Dallas (+1 214-698-3360, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])

Privacy, Cybersecurity and Consumer Protection Group:
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Antitrust and competition law considerations are often important factors in planning an M&A transaction. In recent years, as overall M&A activity has continued a decade-long climb, antitrust and competition enforcers around the world have continued to scrutinize thousands of transactions for their impact on competition. In a number of cases, this scrutiny resulted in prolonged investigations, closing delays, significant divestiture remedies, litigation, and abandoned deals. Enforcers and legislators in the United States, Europe and elsewhere are considering significant overhauls to their traditional frameworks for evaluating transactions, including those involving nascent competitors and transactions in the tech and pharmaceutical sectors.

The potential legislative and policy changes on the horizon, along with the ongoing evolution of enforcement priorities and practices, are relevant across all industries and jurisdictions. Gibson Dunn’s 2020 Antitrust Merger Enforcement Update and Outlook addresses a number of important trends and enforcement priorities for firms and companies planning M&A transactions that may raise antitrust or competition law questions.

Gibson Dunn’s Antitrust and Competition Law Practice

Repeatedly recognized by Chambers and other publications as one of the top antitrust practices in the world, Gibson, Dunn & Crutcher’s worldwide Antitrust and Competition Law Practice Group numbers over 150 lawyers located throughout the United States, Europe and Asia. Our antitrust team includes former high-ranking officials from the U.S. Department of Justice (“DOJ”), the U.S. Federal Trade Commission (“FTC”), the U.S. Solicitor General’s Office and the European Commission, as well as Fellows of the American College of Trial Lawyers.

Gibson Dunn’s Antitrust and Competition Law Practice Group has extensive experience successfully representing clients in a broad range of industries in antitrust investigations of mergers conducted by enforcement agencies in the United States, Europe and other jurisdictions. Gibson Dunn’s merger clearance practice draws on its skilled competition lawyers in the United States, Europe and Asia, using its deep experience with enforcement authorities throughout the world.

Gibson Dunn takes a highly proactive approach to merger clearance and related investigations through early analysis of potential antitrust issues and engagement with regulators to efficiently obtain approval of the largest and most complex transactions. In the past several years, we have successfully assisted clients in securing clearance for transactions in a wide range of industries, including obtaining unconditional clearance for several transactions after second request investigations by the DOJ and the FTC.

In addition, no law firm has a more distinguished record of success than Gibson Dunn in handling high-stakes antitrust litigation. Our results demonstrate why the largest companies in the world call on us when the stakes are highest and when the path to success is most challenging.

_______________________

The United States (DOJ and FTC)

By the Numbers: HSR Filings Increase with M&A Activity as DOJ Second Request Investigations Fall

Congress Weighs in on Merger Enforcement
Tech Acquisitions under the Microscope
Is the FTC Adopting a New Approach to Pharma and Medical Device M&A?
Vertical Mergers: New Draft Guidelines Are Published Following Controversial Cases
The DOJ Turns to Arbitration to Resolve Merger Challenge
The DOJ Updates Model Timing Agreement

China

Legislative Developments
Noteworthy Transactions
Failure to File

The European Union

The 2019 Prohibition Decisions

Siemens/Alstom – February 2019
Wieland/Aurubis – February 2019
Tata Steel/ThyssenKrupp – June 2019

The Ensuing Political Debate

Other Trends

Continued Focus on Procedural Infringements
The Commission’s Fine to Canon for Gun-Jumping

Increased Relevance of Internal Documents during Merger Review

_______________________

The United States (DOJ and FTC)

The DOJ and the FTC continue to be aggressive in enforcing the nation’s antitrust laws. The agencies have allocated substantial resources to reviewing mergers in specific sectors—namely tech and pharma—and have developed new guidelines for vertical mergers.

State antitrust enforcers also came to the fore in 2019, perhaps most visibly in the pending trial of the states’ challenge to T-Mobile’s proposed acquisition of Sprint. The states’ efforts to litigate this pending merger, despite its approval by the DOJ (subject to divestitures), along with multiple state AG-led antitrust investigations in the tech industry, show that state enforcers’ have an increasingly active merger enforcement docket.

Looking ahead, 2020 is an election year. Although it is far too early to speculate on how the election or its results may impact antitrust enforcement with respect to mergers, the topic of antitrust enforcement and corporate consolidation has been widely discussed on the campaign trail. Major candidates on the Democratic side have advocated strengthening antitrust enforcement. Some have co-sponsored legislation that, if passed into law, may make it far more difficult for certain mergers (particularly large mergers) to win antitrust approval. There have also been bipartisan efforts to investigate antitrust concerns in burgeoning markets, which include more investigations into so-called “killer acquisitions” where an alleged dominant firm acquires an upstart competitor.

Thus, it is safe to predict that the results of the election will influence the direction of antitrust merger enforcement, but how and to what degree remain unclear. Meanwhile, the FTC and the DOJ have been quite active on multiple fronts.

By the Numbers: HSR Filings Increase with M&A Activity as DOJ Second Request Investigations Fall

In the wake of the Great Recession of 2008, M&A activity dropped to historically low levels. In fiscal year (“FY”) 2009, the number of transactions reported to the DOJ and the FTC under the Hart-Scott-Rodino (“HSR”) Act dropped to less than one-third of the number reported in the fiscal year before the financial crisis began.[1]

In the decade that followed, U.S. economic activity and M&A volume steadily increased year-over-year. HSR filings reached decade-high levels over the past two years, indicating that M&A has fully recovered from the financial crisis.[2]

But what about the level of antitrust scrutiny? Changes in the percentage of second requests issued can serve as one proxy for the intensity of federal merger enforcement. Because they require substantial investigative resources, second requests are typically reserved for transactions that, in the agencies’ view, raise serious competition concerns.

On that score, the rate of second request investigations of HSR-reportable transactions has fallen since FY 2016. The percentage of HSR-reportable transactions subject to a second request declined to 2.2% in FY 2018, marking the second year in a row the second request rate fell under 3%. By comparison, the agencies’ second request rate averaged approximately 3.5% during the prior eight years (FY 2009 through FY 2016), and a full percentage point below the annual rate since 2002 (3.2%).

The decline is significant. Had the second request rate matched the 3.5% average in prior years, the DOJ and the FTC would have issued 74 second requests in FY 2018—that would have meant 29 (or 39%) more second requests than they actually issued (45).

There has been a particularly large decline in the rate of DOJ second requests. DOJ-issued second requests represented only 0.9% of all HSR-reportable transactions in FY 2017 and FY 2018, half the DOJ’s average rate over the prior eight fiscal years (1.8%).

Similarly, although M&A activity has increased significantly in recent years, merger challenges have remained relatively flat. Challenges involve instances in which the agencies file a complaint in court claiming a transaction violates Section 7 of the Clayton Act, resulting in a trial, settlement, or abandonment of the deal. The number of challenges in each of the past two reported fiscal years (41 and 39, respectively) is in line with the average number of challenges per year (approximately 41) the prior eight years.[3] HSR filings, however, have increased by 15%. Thus, the agencies’ challenges have not increased at the same clip as reportable M&A activity.

To be sure, these figures are not the final word on whether antitrust scrutiny of mergers has increased or decreased, or whether a merger is more likely to receive scrutiny today than it was several years ago, or a year from now. The analysis of whether any particular merger is likely to harm competition is a fact-intensive exercise and outcomes will vary from case to case. In the aggregate, however, these figures show (i) the percentage of HSR-reportable deals that result in a second request has declined in recent years, (ii) the decline in the second request rate is particularly pronounced for the DOJ, and (iii) the number of mergers challenged by the agencies has not increased in recent years despite a marked increase in HSR-reportable M&A activity.

Congress Weighs in on Merger Enforcement

Congressional interest in antitrust enforcement and reform has been high this past year, likely in anticipation of the 2020 primaries and presidential election.

Senator and presidential candidate Elizabeth Warren (D–MA) proposed legislation that would transform merger enforcement. The bill’s most notable provisions would effectively ban “mega-mergers”—that is, mergers where either company has annual revenue of at least $40 billion; each company has annual revenue of at least $15 billion; the merged company would have more than 45% of relevant market share as a seller or more than 25% as a buyer; or where the deal would result in there being fewer than four remaining competitors with at least a 10% market share. Other presidential candidates have also put forward proposed reforms to agency merger review. Senator Amy Klobuchar has twice introduced legislation that would make it more difficult to obtain antitrust approval for contested mergers.[4]

Both bills would shift the burden of proof to defendants in large mergers to prove that their transaction is not anticompetitive and would prohibit the FTC from accepting remedies to address antitrust violations.

Although these bills have little chance of becoming law this year, depending on the results of upcoming elections, they signal attempts to fundamentally change antitrust enforcement when it comes to M&A transactions. These efforts could gain traction under a new administration. And given the bipartisan interest in antitrust enforcement and corporate consolidation generally, congressional interest in antitrust is unlikely to abate anytime soon.

Tech Acquisitions under the Microscope

Over the past year, the DOJ and the FTC launched significant antitrust investigations of U.S. tech companies. According to the DOJ’s press release, their review would examine “whether and how market-leading online platforms have achieved market power” and if such entities “are engaging in practices that have reduced competition, stifled innovation, or otherwise harmed consumers.”[5] The DOJ explained that their review would “consider the widespread concerns that consumers, businesses, and entrepreneurs have expressed about search, social media, and some retail services online.”[6] Likewise, the FTC announced its Technology Task Force as a body “dedicated to monitoring competition in U.S. technology markets, investigating any potential anticompetitive conduct in those markets, and taking enforcement actions when warranted.”[7] As part of these broader investigative efforts into the tech industry, state and federal regulators appear to be reviewing consummated acquisitions of smaller start-up tech companies.

As the FTC has noted, these recent tech investigations resemble past efforts to retrospectively review hospital mergers. In 2004, for example, the FTC filed a complaint in its administrative court challenging Evanston Northwestern’s acquisition of a competing hospital in Cook County, Illinois (Highland Park Hospital), which had been consummated four years earlier.[9] After four more years of litigation, in 2008, the FTC and the parties agreed to the imposition of remedies (short of unwinding the merger) to address the FTC’s concerns.[10]

The effort was widely credited for reinvigorating the FTC’s hospital merger enforcement program, but required years of litigation and appeals to bear fruit. The FTC and the DOJ appear to be on a more accelerated track in investigating tech mergers. FTC Chairman Joseph Simons recently remarked that this is “an important area” and that his goal is for the FTC to make decisions on how to move forward this year.[11] Attorney General William Barr has said that he would like to have the DOJ’s tech antitrust investigations completed in 2020.[12] Any effort to remedy tech mergers through litigation, however, is likely to take much more time.

The agencies’ review will include an assessment of the substantive antitrust standards applicable to nascent competitor acquisitions. Challenges to consummated mergers have relied heavily on evidence that higher prices resulted from the merger, which provided direct evidence that the merger had anticompetitive effects. The impact of tech mergers, which often involve “free” products and services, may call for novel approaches to measuring any such effects.

FTC officials have stated that new guidelines applicable to large tech companies are in the works,[13] which may shed additional light on the agencies’ approach to such issues. Recent speeches by agency officials and enforcement actions provide a few clues. For example, officials have signaled they plan to look beyond traditional price metrics in demonstrating competitive effects. In particular, Assistant Attorney General Makan Delrahim cited “decreased innovation, and reductions in quality and consumer choice” as being possible competitive harms that could support cases against such mergers.[14] A senior DOJ economist also stated that “[w]e are keeping in mind other tools in areas such as privacy, consumer protection and public safety as part of a broader review of online platforms.”[15]

Relatedly, in a potential test case for claims that a dominant incumbent harms competition by acquiring small but innovative competitors, the DOJ filed a complaint to prevent a merger between Sabre Corporation and Farelogix in August 2019.[16] The DOJ submitted that Sabre’s acquisition of Farelogix would remove a “significant and growing threat” to Sabre’s alleged market dominance in providing booking services to airlines[17] because it “has introduced new technology to the travel industry and is poised to grow significantly” absent the transaction.[18]

Unlike more traditional merger cases, in this case the target, Farelogix, is a relatively small player. Nevertheless, the DOJ alleged that “Farelogix’s market share substantially understates its competitive significance” because its “disruptive” technology will allow it to grow significantly in the future, allowing airline customers to bargain for lower prices. The DOJ asserts that Farelogix is punching above its weight, competitively speaking. Given this case’s parallels, the agencies might be considering using similar theories to police M&A across the tech sector.

Is the FTC Adopting a New Approach to Pharma and Medical Device M&A?

Although less widely publicized than its tech investigations, the FTC has also prioritized enforcement of pharmaceutical and medical device transactions. The FTC has long devoted substantial resources to scrutinizing transactions in these industries, but Commissioners’ comments in connection with several recent cases suggest the FTC is focusing on different theories of harm than it has in the past.

In November 2019, the FTC closed its investigation of Bristol-Myers Squibb Company’s acquisition of Celgene Corporation, in which the parties agreed to divest Celgene’s Otezla for $13.4 billion—the largest divestiture remedy ever obtained by either the FTC or the DOJ.[20] Despite the historic value of the divestiture, it was cleared by a slim 3-2 majority of Commissioners. The three Republican Commissioners in the majority signaled their adherence to the traditional framework, which examines potential competition between existing and pipeline treatments, and tailors remedies to address those competitive overlaps.

Commissioners Rohit Chopra and Rebecca Slaughter, the two Democrats, dissented and called for a fundamentally different approach. Commissioner Chopra said he is “deeply skeptical” that the FTC’s traditional framework “can unearth the complete set of harms to patients and innovation” from a “massive” pharmaceutical merger.[21] Commissioner Slaughter also favored taking a “more expansive approach to analyzing the full range of competitive consequences of pharmaceutical mergers.”[22]

Although the two Democrats were in the minority, the FTC appears to be casting a wider net in investigating pharmaceutical and medical device mergers. A pair of enforcement actions announced in December shed some light on the theories of competitive harms the Commissioners will be targeting under this broader approach.

First, in its investigation of Roche’s acquisition of Spark Therapeutics,[23] the FTC examined whether the transaction would “leave the incumbent with the incentive to degrade or eliminate the acquired firm’s products or services, or to delay development of a next-generation product.”[24] After a thorough Second Request investigation, the FTC unconditionally approved the deal in large part because intense competition from others to develop similar treatments was sufficient to ensure the incumbent (Roche) would retain a strong incentive to continue developing the target’s (Spark’s) pipeline treatment.

Second, the day after announcing its clearance of Roche/Spark, the FTC reached the opposite conclusion in deciding to challenge Illumina’s proposed acquisition of Pacific Bio (“PacBio”).[25] The complaint alleges the merger, if consummated, “would eliminate a nascent competitive threat that an independently owned PacBio poses to Illumina’s monopoly power.”[26] The FTC asserted each party’s internal documents “consistently and routinely refer to each other as competitors[.]” In addition to asserting that the merger was unlawful under Section 7 of the Clayton Act, the complaint alleges the merger amounted to unlawful monopolization under Section 2 of the Sherman Act. While not unprecedented, the use of Section 2 in the merger context is unusual and could foreshadow the agencies’ approach to future enforcement cases.

These and other recent FTC cases suggest the FTC is open to examining a broader range of theories. More specifically, these cases suggest the FTC is focused on the effect of mergers on the development of potentially competing early-stage pipeline treatments, even if the treatments are years away from reaching patients. The FTC will also consider whether a merger is likely to substantially lessen competition under Section 7 of the Clayton Act, and, in some cases, whether it is a means of acquiring or protecting a monopoly in violation of Section 2 of the Sherman Act.[26a]

Vertical Mergers: New Draft Guidelines Are Published Following Controversial Cases

In February 2019, the D.C. Circuit Court of Appeals affirmed the lower court’s denial of the DOJ’s request for a permanent injunction of the proposed merger between AT&T and Time Warner.[27] This ruling ended years of investigations and litigation that culminated in the first vertical merger case fully litigated by the DOJ since 1977. A group of antitrust scholars filed an amici brief asking the court to address the “proper legal standard for evaluating vertical mergers,” but the court declined to do so. Instead, it affirmed the district court’s conclusion that the DOJ had failed to demonstrate the merger would harm competition.[28]

The federal district court judge for the AT&T/Time Warner trial, Judge Richard Leon of the District Court for the District of Columbia, had another opportunity to address issues pertaining to vertical mergers during his review of the DOJ’s proposed settlement with CVS and Aetna regarding their $69 billion merger.[29] In September 2019, Judge Leon approved the DOJ’s proposed remedy, but only after overseeing prolonged trial-like proceedings on the merits of the deal that included third-party witnesses.[30] Judge Leon allowed several third parties to intervene as amici curiae and file briefs that addressed issues that were outside the scope of the Complaint or the Final Judgment,[31] such as the contention that a vertically integrated pharmacy benefit manager would harm consumers.[32]

In the end, Judge Leon ruled that the proposed settlement was “well within the reaches of the public interest.”[33] And yet, this case was a notable departure from the vast majority of Tunney Act proceedings. It is also a sign that there remains considerable uncertainty and debate regarding the treatment of mergers between vertically related entities.

On the FTC side, the Commission ruled on three mergers over the course of 2019 in which the Commissioners debated vertical issues. First, Staples Inc., the world’s largest office supply retailer, acquired Essendant Inc.,[34] the largest office products wholesale distributor in the United States. In approving this vertical transaction, the FTC agreed to a consent decree requiring Staples to restrict access to commercially sensitive information regarding Essendant’s customers, who were also Staples’s competitors.[35] The majority statement from the three Republican commissioners, including Chairman Simons, emphasized that when evaluating vertical mergers, the Commission must provide concrete evidence and theories “supported by factors” rather than “hypothetical” anticompetitive results.[36] Commissioners Chopra and Slaughter dissented, criticizing the remedy and the majority’s argument that vertical mergers are generally efficiency-enhancing and procompetitive.[37]

Second, the FTC cleared health insurer UnitedHealth’s acquisition of DaVita’s kidney dialysis centers, but Commissioners Slaughter and Chopra voiced concern that the merger would incentivize UnitedHealth to steer its insured patients to its own dialysis centers, harming competing centers.[38] While urging the FTC to challenge the transaction in court, the two Democratic Commissioners acknowledged the “significant litigation risks” of any such challenge.[39]

Third, another kidney dialysis-related merger, in which Fresenius Medical Care acquired NxStage Medical, was also approved by a split (3-2) Commission vote based on disagreements regarding the vertical aspects of the merger.[40] The three Republican Commissioners explained that foreclosure or higher costs to rivals were unlikely, based on the staff’s investigation, given the merged company’s incentive to maximize the profits of the acquired business. They also pointed to evidence of recent entry as assuaging any concern that the merger would raise entry barriers. The two Democratic Commissioners dissented, voicing the view that Fresenius would have strong profit incentives to raise rivals’ costs and foreclose access to NxStage’s machines.

In the wake of this string of vertical merger cases, the DOJ and the FTC published draft Vertical Merger Guidelines (“Draft Guidelines”) on January 10, 2020.[41] The Draft Guidelines address the analytical framework the agencies use to assess competitive harms that may result from mergers that “combine two or more companies that operate at different levels of the supply chain.”[42] The Draft Guidelines are open for public comment until February 11, 2020, and are expected to be finalized shortly thereafter.

The Draft Guidelines are a significant and much-needed update to the existing “1984 Non-Horizontal Merger Guidelines,” which no longer reflected modern agency enforcement practices or the economic tools the agencies use to evaluate vertical mergers. As such, it is the hope that, as FTC Chairman Simons has stated, the Draft Guidelines will bring “[g]reater transparency about the complex issues surrounding vertical mergers.”[43]

The Draft Guidelines do not represent a significant departure from existing agency policies or enforcement priorities. At a high level, the Draft Guidelines:

Describe how relevant markets and newly defined related products are assessed in vertical mergers.
Provide insight as to how the agencies evaluate market shares and concentration in conjunction with other evidence when determining whether a merger will substantially lessen competition. Specifically, the agencies:
- May look at output shares in a relevant market that uses the related products as an indicator of the competitive significance of the related products.
- Consider a safe harbor in vertical mergers where the parties’ share of the relevant market and the related product is 20% or less.
Describe the ways in which a vertical merger could have unilateral anticompetitive effects, including by (1) allowing the merged firm to foreclose a rival from or raise a rival’s costs to a related product, and (2) enabling the merged firm to access competitively sensitive information of its upstream or downstream rivals, causing the merged firm to restrain its competitive response.
Describe the ways in which a vertical merger could lead to anticompetitive coordinated effects by, for example, eliminating (or weakening) a disruptive “maverick” competitor or by facilitating anticompetitive coordination.
Discuss how the elimination of double marginalization through a vertical merger can benefit both the merged firm and downstream buyers. The Draft Guidelines note that “[t]he Agencies will not challenge a merger if the net effect of elimination of double marginalization means that the merger is unlikely to be anticompetitive in any relevant market.”
State that the agencies will consider other efficiency claims using the same approach set forth in Section 10 of the Horizontal Merger Guidelines.

Despite these provisions in the Draft Guidelines, however, there remains a degree of uncertainty on several fronts going forward.

The most significant open issue is that the Draft Guidelines do not discuss the agencies’ prevailing policies on the appropriate remedies in cases in which they conclude the vertical merger is likely to harm competition. The DOJ’s 2011 Policy Guide to Merger Remedies (“2011 Remedies Guide”) included both structural and conduct remedies for vertical mergers.[44] But in 2018, Assistant Attorney General Makan Delrahim withdrew the 2011 Remedies Guide and expressed his strong preference for structural remedies, such as divestitures, over behavioral remedies as they are easier to enforce.[45] The DOJ has voiced this position multiple times in the past two years, including during the AT&T/Time Warner trial[46] and separately.[47] One DOJ official recently signaled that revised remedy guidelines are in the works, although there is no timetable for their publication.

The FTC has also noted that it “typically disfavors behavioral remedies,” even in the vertical merger context.[48] Nevertheless, the Commission recently approved deals with behavioral remedies, including Northrop Grumman’s acquisition of Orbital ATK in mid-2018[49] and the Staples/Essendant [50] transaction in early 2019.

Finally, aside from the 20% safe harbor, the agencies do not provide specifics regarding what levels of market share or foreclosure trigger antitrust concerns, or whether concerns arise even in cases in which the merged firm’s upstream or downstream share is low. That determination will depend on the specific facts and businesses at issue.

The FTC’s two Democratic Commissioners abstained from supporting the Draft Guidelines. Although the Draft Guidelines will reflect the policy of the FTC, it remains to be seen whether the Guidelines are retained if and when there is a change in administrations.

For more on the Draft Guidelines, please review our publication on the subject.[51]

The DOJ Turns to Arbitration to Resolve Merger Challenge

On September 4, 2019, the DOJ filed a complaint challenging Novelis Inc.’s proposed acquisition of Aleris Corporation.[52] According to the complaint, Novelis and Aleris are two of four North American producers of aluminum auto body sheet metal. The DOJ alleged the merger between them would harm competition if left unremedied.

Rather than approve a remedy, however, the DOJ agreed to refer the issue of market definition to binding arbitration pursuant to the Administrative Dispute Resolution Act of 1996.[53] Under the terms, if the DOJ prevailed on its proffered (and more narrow) definition of the market, the parties would execute an agreed-upon remedy. If the parties prevailed, then the merger would proceed without any remedy.

This new arbitration approach would avoid the time and expense of proceeding through trial. It may also serve as a test case for merger matters involving disputes over core issues relating to the marketplace. As explained in a separate client alert, however, the availability of arbitration may well be limited to cases in which the issues in dispute are well-defined and discrete.[54]

The DOJ Updates Model Timing Agreement

The DOJ revised its Model Timing Agreement in December 2019. Timing agreements, which are a fixture of merger investigations involving the DOJ and the FTC, ensure that the agencies have sufficient time to evaluate a transaction prior to closing.

The revised 2019 agreement seems to further Assistant Attorney General Delrahim’s goal of shortening the time needed to complete merger reviews. The 2019 agreement removes references from the model agreement that allowed the Deputy Assistant Attorney General to authorize an extension of time for the Division if a decision is not reached within 60 days after compliance with the second request, a document search of more than 20 individuals, and depositions of more than 12 individuals for each merging party. The import of these changes remains to be seen, but it appears to alleviate the burden of complying with a second request.

_______________________

China

2019 was another very active year for China’s State Administration for Market Regulation (“SAMR”). Out of the 448 transactions reviewed, five were subject to remedies but none was prohibited. The conditional approval decisions show that the SAMR continues to rely on creative remedies such as hold-separate remedies, commitments to supply products and services on fair, reasonable and non-discriminatory terms, and the implementation of antitrust compliance mechanisms.

In addition, the SAMR has continued going after merger parties for failing to notify. On the procedural side, the SAMR’s decision in Novelis’s proposed acquisition of Aleris shows the risks in opting for a simplified decision.

Finally, 2020 is likely to be a very important year for merger enforcement. Indeed, the SAMR has published proposed amendments to the Anti-Monopoly Law for comments. The proposed changes include higher fines for merger-related conduct, in response to long-standing concerns that the current fines are too low.

Legislative Developments

Since its establishment in March 2018, the SAMR has introduced a number of legislative enactments and guidelines, which not only codify the practices of its predecessors, but also introduce notable changes to merger enforcement.

Most recently, on January 2, 2020, the SAMR released a draft amendment to the Anti-Monopoly Law (the “Draft Amendment”) for public consultation.[55] The Draft Amendment seeks to increase penalties for breaches of merger-related conduct, including gun-jumping, failure to notify reportable transactions and breach of commitments in conditionally approved cases. The increased fines for gun-jumping are notable. The current version of the Anti-Monopoly Law (“AML”) imposes a maximum fine of RMB 500,000 (approximately $72,200) for merger-related conduct. The Draft Amendment proposes to change the maximum fine to 10% of the infringing party’s turnover in the previous financial year.

The Draft Amendment now explicitly defines “control” as the ability to “exert or potentially exert a decisive influence on another undertaking’s production and operation activities or other major decisions.” Both the new fine and the definition of control are in line with the practice in the European Union.

In addition, the Draft Amendment now allows the SAMR to “stop the clock” during a merger investigation (for instance, if the transaction parties supplement their notification with additional materials) and codifies the SAMR’s ability to carry out sub-threshold investigations and to amend the turnover notification thresholds from time to time. Lastly, the Draft Amendment now explicitly states that parties are “responsible for the authenticity of their submissions.”

From a practical standpoint, the SAMR has improved the transparency of its merger review process by increasing the frequency of its publication of unconditional approvals. Since the second quarter of 2019, the SAMR has been issuing its unconditional clearance decisions on its website on a weekly, instead of monthly basis.

Noteworthy Transactions

In 2019, the SAMR reviewed a total of 448 concentrations, which represents a slight increase from 2018. Out of 448 concentrations, 443 were approved unconditionally and five were approved subject to remedies. There were no prohibited concentrations in 2019.[56] The SAMR took between seven to 17 months to complete its review of conditionally approved cases. Notably, the SAMR asked the parties in all five conditionally approved cases to withdraw and refile their notifications, allowing the SAMR to further extend its review period. Each of the conditional approvals is discussed in turn, below.

KLA-Tencor’s proposed acquisition of Orbotech.[57] On February 13, 2019, California-based semiconductor company KLA-Tencor secured the SAMR’s conditional approval of its proposed acquisition of Orbotech, an Israeli manufacturer of semiconductor equipment. The SAMR found that the parties had multiple vertical and adjacent relationships in the broader market for semiconductor equipment. In order to address the SAMR’s concerns regarding foreclosure, tying and information exchange, the parties agreed to the following remedies: (1) continue to supply semiconductor process-control equipment and services to downstream Chinese manufacturers on fair, reasonable and non-discriminatory (“FRAND”) terms; (2) not bundle or tie semiconductor process-control, deposition and etching equipment or impose unreasonable conditions in sales of such products; and (3) ensure that they do not obtain competitively sensitive information about Chinese manufacturers of deposition and etching equipment.

Cargotec’s proposed acquisition of TTS.[58] On July 5, 2019, the SAMR issued its conditional approval of Cargotec’s proposed acquisition of TTS. The parties, two Scandinavian cargo-handling equipment suppliers, had horizontal overlaps in eight product markets: hatch covers; roll-on equipment; cargo lifters; anchor winches; and the aftersales services for each of these products. The SAMR identified competition concerns in the markets for hatch covers, roll-on equipment and cargo lifters, as the parties had combined market shares between 50% and 60% in each of these markets. The SAMR imposed a range of behavioural remedies, including a hold-separate remedy. Cargotec and TTS agreed to hold their businesses separate in China for two years and to set up firewalls to ensure that the businesses are independent and do not exchange competitively sensitive information. This hold-separate remedy would automatically expire after two years. Cargotec also agreed to continuously supply the relevant products to Chinese customers and to refrain from increasing prices in China for five years.

II-VI’s proposed acquisition of Finisar.[59] On September 18, 2019, the SAMR granted its conditional approval of II-VI Incorporated’s proposed acquisition of Finisar. The parties, two photonics companies based in the United States, had horizontal overlaps in four markets, vertical relationships in three markets, and were also active in adjacent markets. To address the SAMR’s competition concerns in the market for wavelength selector switches (in which the top three players, including the parties, had a combined market share of 95%), the parties agreed to a hold-separate remedy for three years, as well as firewalls to prevent the exchange of competitively sensitive information. Moreover, the parties agreed to continue supplying wavelength selector switches to customers on FRAND terms. Unlike in Cargotec/TTS, the SAMR did not grant an automatic sunset clause; the parties in this transaction are required to apply to the SAMR to lift the commitments.

Proposed joint venture between Royal DSM and Garden Bio-Chem.[60] On October 18, 2019, the SAMR published its conditional approval decision in respect of Netherlands-based Royal DSM and China’s Zhejiang Garden Biochemical High-Tech’s (“Garden Bio-Chem”) proposed joint venture. The scope of the joint venture was limited to the production of DHC, a chemical precursor for cholesterol-based vitamin D3. The SAMR expressed concerns that the JV parties may coordinate the prices and amounts of core raw material for vitamin D3 production. The SAMR referenced the parties’ strength in the market: they are the top two suppliers of veterinary vitamin D and two out of the top three suppliers of human vitamin D in China and worldwide. The SAMR also noted that the parties had a large amount of technical knowledge and patents which further strengthened their market powers and barriers to entry. Garden Bio-Chem’s high market shares in the global and Chinese markets for lanolin cholesterol, a key ingredient in the production of vitamin D3 also gave rise to foreclosure concerns. In light of these concerns, the SAMR required a comprehensive set of behavioural remedies that would expire automatically after five years. The parties agreed to a hold-separate remedy, pursuant to which they must keep their vitamin D3 businesses completely independent, including the procurement of cholesterol needed for the JV’s production of DHC. Garden Bio-Chem also committed to supply cholesterol to vitamin D3 suppliers on FRAND terms. The parties also committed to maintain independent operations in the JV, including measures to prevent the exchange of competitively sensitive information, separation of the JV’s offices, IT systems and production facilities from those of the parent companies, independent employees, and a prohibition on the executive management of the JV from manufacturing or selling vitamin D3 and cholesterol for three years after the termination of their employment by the JV. The scope of the JV would be limited to DHC production and both the JV and the parties committed not to publicly disclose the prices of cholesterol and vitamin D3 absent a customer request or where disclosure is required by the law. Lastly, the SAMR required the JV to implement mechanisms to ensure its compliance with the various commitments.

Novelis’s proposed acquisition of Aleris.[61] In August 2018, U.S. aluminium producer, Novelis, filed a notification to SAMR under the simplified procedure regarding its proposed acquisition of rival Aleris. The SAMR initially accepted the notification, but upon the receipt of a third party’s objections, revoked its acceptance in October 2018 and asked the parties to refile under the regular procedure. More than a year after the initial filing, on December 20, 2019, the SAMR published its conditional clearance decision. The SAMR identified competition concerns in two separate markets for interior and exterior aluminium auto-body sheets in which the parties had a combined market share of 70 to 80%. The SAMR expressed concerns that the transaction may eliminate competitive constraints and narrow downstream car manufacturers’ procurement options. In addition, the SAMR expressed concerns about coordination, in light of a Novelis joint venture with one of its major competitors, which led SAMR to conclude that Novelis has been “maintaining a good cooperative relationship” with competing firms. To address these concerns, Aleris agreed to divest its interior and exterior aluminium auto-body sheet business in the European Economic Area. The combined entity would also refrain from supplying cold-rolled plates in China to any competitors that operate in the market for auto-body sheets for a period of 10 years unless the parties applied to the SAMR for an early release. This decision is a useful reminder that there is a risk of significant delays if the parties elect to file under the simplified procedure using market definitions that are too narrow.

Failure to File

The SAMR continued to proactively enforce against failures to notify reportable transactions. In 2019, the SAMR published 17 failure-to-file decisions, imposing financial penalties ranging between RMB 300,000 (approximately $43,300) to RMB 400,000 (approximately $57,800) on each infringing party.[62] In one noteworthy action, the SAMR imposed a penalty of RMB 300,000 (approximately $43,300) on each of Praxair and Nanjing Oil Refinery for failing to notify a joint venture that they established six years prior, in 2013. This decision signals to transaction parties that the SAMR’s probe is not limited to only recent joint ventures and mergers.

_______________________

The European Union

After reaching a historic high point in 2018 with 414 mergers notified to the European Commission (the “Commission”), the number of notified mergers decreased to 382 in 2019, which is more in line with the number of notified mergers in previous years.[63]

2019 also brought about a decrease in the number of Phase II investigations: eight investigations launched compared to 12 in the previous year.

Most notably, however, in 2019, the Commission issued three prohibition decisions in Phase II merger investigations, the highest number since 2001.

Another notable development in 2019 was that no Phase II mergers were cleared unconditionally under Article 8(1) (compared to four in 2018), while six Phase II mergers were cleared subject to commitments (similar to 2018).

The 2019 Prohibition Decisions

Siemens/Alstom – February 2019[64]

The Commission’s prohibition of the Siemens/Alstom merger was the most debated case in 2019 and continues to spark conversation about whether wider public interest considerations, such as creating European champions fit for competition on global markets, should factor into EU merger control.

The Commission prohibited the transaction on grounds of horizontal overlaps creating anticompetitive effects in the European markets for high-speed and very high-speed trains as well as mainline signalling systems. As part of its investigation, the Commission assessed the global competitive landscape, in particular potential competition from Chinese suppliers. However, with regard to both signalling systems and trains, the Commission concluded that the entry of Chinese competitors into Europe was highly unlikely to be a competitive constraint on the merging parties in a foreseeable future.

Furthermore, the Commission rejected the parties’ proposed divestitures, which included the grant of a license for the high-speed train businesses of the respective parties, as well as the divestiture of one of Siemens’s urban signalling businesses, Siemens’s entire on-board Automatic Train Protection (“ATP”) business, and Alstom’s ATP European Train Control System, as insufficient to alleviate the competitive concerns.

Wieland/Aurubis – February 2019[65]

Wieland’s proposed acquisition of Aurubis Rolled Products and Aurubis’s stake in Schwermetall, would have resulted in a combined market share of more than 60% of European pre-rolled strip sales. The Commission found that the proposed transaction would have enabled Wieland to raise input costs for smaller competitors—which at the time were sourcing a significant part of their pre-rolled requirements from Schwermetall—as there were no suitable alternative suppliers. Although Wieland suggested divesting two Aurubis plants, the majority of the market participants considered this remedy inadequate to address the Commission’s competition concerns, as the two plants would have lost access to the cost-competitive and high quality supplies of pre-rolled strip from Schwermetall.

Tata Steel/ThyssenKrupp – June 2019[66]

The proposed creation of a joint venture between Tata Steel and ThyssenKrupp would have combined the flat carbon steel and electrical steel activities of the second- and third-largest producers of flat carbon steel in the EEA, respectively. The creation of the joint venture was prohibited, as the Commission found it would have led to anticompetitive effects in the market for metallic coated and laminated steel products for packaging and the market for automotive hot dip galvanized steel products. According to the Commission, the merger would have established a market leader in a highly concentrated industry, resulting in reduced choice of suppliers and higher prices for metallic-coated and laminated steel products for European customers. During its investigation, the Commission considered the role of imports from third countries, but found that customers of the relevant products could not turn to imports to offset potential price increases caused by the proposed merger. Furthermore, the proposed divestures were considered insufficient, as they did not include adequate assets capable of serving the customers in the relevant geographic market.

The Ensuing Political Debate

The Commission’s prohibition of the Siemens/Alstom merger, and to some extent of the Tata Steel/ThyssenKrupp joint venture, reignited the debate of whether wider public interest considerations should be included in EU merger control.[67]

Critics of the Commission argued that the competitive position of Europe was under threat, in part due to the potential entry of giant Chinese companies sponsored by government subsidies,[68] and considered an amendment of merger rules to enable the creation of “European Champions” in response to this threat.[69] On the other hand, the Commission, as well as a number of national competition authorities and economists, argued that the EU merger review system should not be politicized, so as not to jeopardize the level playing field within the EU[70] and to avoid a risk of authorizing anti-competitive transactions.[71]

In the wake of the Commission’s prohibition of the Siemens/Alstom merger, France and Germany proposed several measures designed to help European companies succeed in competing on the global stage. This included an update of the current merger guidelines to take greater account of competition at the global level, potential future competition, and the time frame for forecasting the development of competition to give the Commission more flexibility when assessing relevant markets.

The proposal also included a potential right to refer a prohibited merger to the Council of Europe, which could override Commission decisions on grounds of public interests.[72] A similar option exists under the German merger control regime, in which the Minister of Economics can authorize a merger that was prohibited by the German antitrust authority for anticompetitive effects if the restraint of competition is outweighed by advantages to the economy as a whole resulting from the concentration, or if the concentration is justified by an overriding public interest.[73]

Commenters asserted that if it was possible for the Council to overrule competition decisions or allow for non-competition considerations to play a decisive role in vetting mergers, “Europe could find itself in a downward spiral of economic inefficiency and political arbitrariness, ushering in mistrust and internal divisions as larger Member States would ultimately be able to impose their will on those with smaller economies – hardly contributing towards strengthening its position in the global economy.”[74]

Nonetheless, the Commission acknowledges the need to address the concerns that others are not playing by the same rules and could misuse Europe’s openness against Europe’s own strategic interests. On this basis, the Commission has set out a strategy to create a more level playing field, which includes making the World Trade Organization fit for purpose and growing the EU’s arsenal of defensive tools, such as foreign investment scrutiny.[75]

Other Trends

Continued Focus on Procedural Infringements

In 2019, we saw a continuation of the Commission’s increased focus on procedural infringements of merger control rules.[76]

The Commission’s Fine to Canon for Gun-Jumping[77]

Following Canon’s acquisition of Toshiba Medical Systems Corporation (“Toshiba”) by way of a so-called “warehousing” transaction, which included as a first step the acquisition of 5% of the share capital of Toshiba with non-controlling voting rights and an option to acquire all shares in Toshiba, and the exercise of the voting rights in the second step, the Commission imposed two fines totaling €28 million on Canon for so-called gun-jumping in June 2019. Canon notified the transaction between the two steps, and the Commission cleared the transaction on September 19, 2016. Subsequently, however, the Commission initiated proceedings regarding Canon’s completion of the first step of the transaction prior to notification and clearance. In the Commission’s view, Canon was obligated to notify the transaction prior to implementing the first step, as the two steps qualified as a single, notifiable transaction. By completing the first step prior to notification and clearance, Canon had “jumped the gun” by failing to observe stand-still requirements under EU merger control rules.

The Commission fines parties for allegedly providing incorrect information in merger filings. The Commission is also pursuing monetary fines against parties who allegedly provided incorrect information in their merger filing. One fine levied in 2019 reached €52 million. The fine highlights the Commission’s continued effort to battle what it claims are procedural infringements. As Commissioner Vestager made clear, “[the Commission’s] merger assessment and decision-making depends on the Commission being sure that companies are not jumping the gun and implementing mergers without our approval[].”[79] On a practical level, the Commission’s increased focus on procedural infringements underlines the necessity for companies to ensure that sufficient procedures are in place to secure compliance with competition law in relation to a transaction and to seek competition law advice at the earliest possible stage of the process.

Increased Relevance of Internal Documents during Merger Review

In 2019, the Commission continued a trend of increasing reliance on internal documents provided by parties as part of its investigations. Already in September 2014, the then-acting deputy director-general for mergers, Carles Esteva Mosso, stated that in addition to economic submissions, “internal documents play a more important role [for difficult merger investigations] than ten years ago.”[82] By way of example, the parties were required to submit 2.7 million documents in the merger proceedings concerning Bayer/Monsanto, 800,000 documents in the Siemens/Alstom case and 400,000 documents in the merger proceedings concerning Dow/Dupont.[83]

This increases the burden on the merging parties and risks slowing down merger reviews. Furthermore, it could result in an “information overload bias,” or rather, a situation in which the quality of the Commission’s assessment declines due to the huge amount of internal documents to process under time pressure.

In January 2018, Commissioner Vestager announced that best practices on the use of internal documents would be published, but this is still pending. So far, the requests for data are only governed by the request for information provisions in the EU Merger Regulation (“EUMR”). In the same vein, the EUMR provides little guidance on the extent of legal professional privilege when dealing with document requests during merger control proceedings.

[1] A “fiscal year” or “FY” covers the period of October 1 of the prior year through September 30 of the current year. For example, FY 2018 covers October 1, 2017 through September 30, 2018. Unless otherwise noted, the figures depicted in this section were derived from the FTC and DOJ Hart-Scott-Rodino Annual Report. Fed. Trade Comm’n, Bureau of Competition, and Dep’t of Justice, Antitrust Div., Hart-Scott-Rodino Annual Report: Fiscal Year 2018 (2019), https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-bureau-competition-department-justice-antitrust-division-hart-scott-rodino/fy18hsrreport.pdf.

[2] Estimate of FY 2019 HSR filings based on public FTC early termination data.

[3] These figures include challenged transactions that were not HSR-reportable.

[4] Press Release, U.S. Senator Amy Klobuchar, Klobuchar Introduces Legislation to Modernize Antitrust Enforcement and Promote Competition (Feb. 1, 2019), https://www.klobuchar.senate.gov/public/index.cfm/2019/2/klobuchar-introduces-legislation-to-modernize-antitrust-enforcement-and-promote-competition.

[5] Press Release, Dep’t of Justice, Office of Pub. Affairs, Justice Department Reviewing the Practices of Market-Leading Online Platforms (Jul. 23, 2019), https://www.justice.gov/opa/pr/justice-department-reviewing-practices-market-leading-online-platforms.

[6] Id.

[7] Press Release, Fed. Trade Comm’n, FTC’s Bureau of Competition Launches Task Force to Monitor Technology Markets (Feb. 26, 2019), https://www.ftc.gov/news-events/press-releases/2019/02/ftcs-bureau-competition-launches-task-force-monitor-technology.

[9] Complaint, In the Matter of Evanston Northwestern Healthcare Corp. and ENH Medical Grp., Inc., Comm’n File No. 0110234 (F.T.C. Feb. 10, 2004), https://www.ftc.gov/sites/default/files/documents/cases/2004/02/040210emhcomplaint.pdf.

[10] Opinion of the Commission on Remedy, In the Matter of Evanston Northwestern Healthcare Corp. and ENH Medical Grp., Inc., Comm’n File No. 0110234 (F.T.C. Apr. 28, 2008), https://www.ftc.gov/sites/default/files/documents/cases/2008/04/080428commopiniononremedy.pdf.

[11] Monica Nickelsburg, FTC chair aims to resolve Big Tech antitrust probe this year, ending investigations or taking action, GeekWire (Jan. 7, 2020, 1:23 p.m.), https://www.geekwire.com/2020/ftc-chair-aims-resolve-big-tech-antitrust-probes-year-ending-investigations-taking-action/.

[12] Rupert Steiner and Daren Fonda, Attorney General Barr Says He Wants Antitrust Investigation Into Tech Giants Finished Next Year, Barron’s (Dec. 10, 2019, 4:18 p.m.), https://www.barrons.com/articles/william-barr-tech-antitrust-investigation-online-social-media-telecom-51576012529.

[13] Julie Masson, FTC will publish antitrust guidelines for big tech, Global Competition Review (Sept. 11, 2019), https://globalcompetitionreview.com/article/usa/1197428/ftc-will-publish-antitrust-guidelines-for-big-tech.

[14] Press Release, Dep’t of Justice, Office of Pub. Affairs, Assistant Attorney General Makan Delrahim Delivers Remarks at the Federalist Society National Lawyers Convention (Nov. 14, 2019), https://www.justice.gov/opa/speech/assistant-attorney-general-makan-delrahim-delivers-remarks-federalist-society-national.

[15] Press Release, Dep’t of Justice, Office of Pub. Affairs, Deputy Attorney General Jeffrey A. Rosen Delivers Remarks on the Review of Market-Leading Online Platforms at the American Bar Association’s 2019 Antitrust Fall Forum (Nov. 18, 2019), https://www.justice.gov/opa/speech/deputy-attorney-general-jeffrey-rosen-delivers-remarks-review-market-leading-online.

[16] Press Release, Dep’t of Justice, Office of Pub. Affairs, Justice Department Sues to Block Sabre’s Acquisition of Farelogix (Aug. 20, 2019), https://www.justice.gov/opa/pr/justice-department-sues-block-sabres-acquisition-farelogix; Complaint, United States v. Sabre Corp., et al., No. 1:19-cv-01548-UNA (D. Del. Aug. 20, 2019), https://www.justice.gov/atr/case-document/file/1196836/download.

[17] Complaint, United States v. Sabre Corp., et al., No. 1:19-cv-01548-UNA (D. Del. Aug. 20, 2019), https://www.justice.gov/atr/case-document/file/1196836/download.

[18] Press Release, Dep’t of Justice, Office of Pub. Affairs, Justice Department Sues to Block Sabre’s Acquisition of Farelogix (Aug. 20, 2019), https://www.justice.gov/opa/pr/justice-department-sues-block-sabres-acquisition-farelogix.

[20] Press Release, Fed. Trade Comm’n, FTC Requires Bristol-Myers Squibb Company and Celgene Corporation to Divest Psoriasis Drug Otezla as a Condition of Acquisition (Nov. 15, 2019), https://www.ftc.gov/news-events/press-releases/2019/11/ftc-requires-bristol-myers-squibb-company-celgene-corporation.

[21] Dissenting Statement of Commissioner Rohit Chopra, In the Matter of Bristol-Myers Squibb/Celgene, Comm’n File No. 1910061 (F.T.C. Nov. 15, 2019), https://www.ftc.gov/system/files/documents/public_statements/1554293/dissenting_statement_of_commissioner_chopra_in_the_matter_of_bristol-myers-celgene_1910061.pdf.

[22] Dissenting Statement of Commissioner Rebecca Kelly Slaughter, In the Matter of Bristol-Myers Squibb/Celgene, Comm’n File No. 1910061 (F.T.C. Nov. 15, 2019), https://www.ftc.gov/system/files/documents/public_statements/1554283/17_-_final_rks_bms-celgene_statement.pdf.

[23] Press Release, Fed. Trade Comm’n, Fed. Trade Comm’n Closes Investigation of Roche Holding AG’s Proposed Acquisition of Spark Therapeutics, Inc. (Dec. 16, 2019), https://www.ftc.gov/news-events/press-releases/2019/12/federal-trade-commission-closes-investigation-roche-holding-ags.

[24] Statement of the Fed. Trade Comm’n, In the Matter of Roche Holding/Spark Therapeutics, Comm’n File No. 1910086 (F.T.C. Dec. 16, 2019), https://www.ftc.gov/system/files/documents/public_statements/1558049/1910086_roche-spark_commission_statement_12-16-19.pdf.

[25] Press Release, Fed. Trade Comm’n, FTC Challenges Illumina’s Proposed Acquisition of PacBio (Dec. 17, 2019), https://www.ftc.gov/news-events/press-releases/2019/12/ftc-challenges-illuminas-proposed-acquisition-pacbio.

[26] Complaint, In the Matter of Illumina, Inc. and Pacific Biosciences of Cal., Inc., Comm’n File No. 1910035, at ¶ 81 (F.T.C. Dec. 17, 2019), https://www.ftc.gov/system/files/documents/cases/d9387_illumina_pacbio_administrative_part_3_complaint_public.pdf.

[26a] As of the time of this writing, the FTC mounted an unsuccessful challenge to Evonik’s proposed acquisition of fellow hydrogen peroxide manufacturer PeroxyChem, as the Honorable Timothy Kelly of the U.S. District Court for the District of Columbia rejected the FTC’s request for a preliminary injunction on January 24, 2020. Although the FTC’s response to this order remains unclear, the order provides a reminder of the value and necessity of strong advocacy even after the FTC has chosen to challenge a deal.

[27] United States v. AT&T, Inc., 916 F.3d 1029 (D.C. Cir. 2019).

[28] Id. at 1047.

[29] Press Release, Dept. of Justice, Office of Pub. Affairs, Judge Decides CVS-Aetna Final Judgment is in the Public Interest and Grants United States’ Motion (Sept. 4, 2019), https://www.justice.gov/opa/pr/judge-decides-cvs-aetna-final-judgment-public-interest-and-grants-united-states-motion.

[30] See United States v. CVS Health Corp., 407 F. Supp. 3d 45 (D.D.C. 2019).

[31] Id. at 52 (noting that “[t]hroughout this case, the Government has repeatedly asked this Court to dismiss out of hand many of amici’s objections to its proposed final judgment” because “consideration of harms that were not alleged in the complaint would aggravate constitutional difficulties that inhere in the Tunney Act” (internal quotation marks and citation omitted)).

[32] Id. at 50 (noting one amicus’s argument that the Government’s proposed divestiture remedy would be unsuccessful because the buyer—WellCare—relies on CVS for pharmacy benefit management, and CVS has the ability to deny or restrict WellCare’s access to the pharmacy benefit management and other services).

[33] Id. at 59 (internal citation and quotation marks omitted).

[34] Press Release, Fed. Trade Comm’n, FTC Imposes Conditions on Staples’ Acquisition of Essendant (Jan. 28, 2019), https://www.ftc.gov/news-events/press-releases/2019/01/ftc-imposes-conditions-staples-acquisition-office-supply.

[35] Id.

[36] Statement of Chairman Joseph J. Simons, Commissioner Noah Joshua Phillips, and Commissioner Christine S. Wilson, In the Matter of Sycamore Partners II, L.P., Staples, Inc. and Essendant Inc., Comm’n File No. 1810180 (F.T.C. Jan. 28, 2019), https://www.ftc.gov/system/files/documents/public_statements/1448328/181_0180_staples_essendant_majority_statement_1-28-19.pdf.

[37] Statement of Commissioner Rohit Chopra, In the Matter of Sycamore Partners II, L.P., Staples, Inc. and Essendant Inc., Comm’n File No. 1810180 (F.T.C. Jan. 28, 2019), https://www.ftc.gov/system/files/documents/public_statements/1448335/181_0180_staples_essendant_chopra_statement_1-28-19_0.pdf; Statement of Commissioner Rebecca Kelly Slaughter, In the Matter of Sycamore Partners II, L.P., Staples, Inc. and Essendant Inc., Comm’n File No. 1810180 (F.T.C. Jan. 28, 2019), https://www.ftc.gov/system/files/documents/public_statements/1448321/181_0180_staples_essendant_slaughter_statement.pdf.

[38] Press Release, Fed. Trade Comm’n, FTC Approves Final Order Imposing Conditions on UnitedHealth Group’s Proposed Acquisition of DaVita Medical Group (Aug. 22, 2019), https://www.ftc.gov/news-events/press-releases/2019/08/ftc-approves-final-order-imposing-conditions-unitedhealth-groups.

[39] Statement of Commissioners Rebecca Kelly Slaughter and Rohit Chopra, In the Matter of UnitedHealth Group and DaVita, Comm’n File No. 1810057 (F.T.C. June 19, 2019), https://www.ftc.gov/system/files/documents/public_statements/1529359/181_0057_united_davita_statement_of_cmmrs_s_and_c.pdf.

[40] Press Release, Fed. Trade Comm’n, FTC Approves Final Order Imposing Conditions on Merger of Fresenius Medical Care AG & KGaA and NxStage Medical, Inc. (Apr. 9, 2019), https://www.ftc.gov/news-events/press-releases/2019/04/ftc-approves-final-order-imposing-conditions-merger-fresenius.

[41] See Press Release, Fed. Trade Comm’n, FTC and DOJ Announce Draft Vertical Merger Guidelines for Public Comment (Jan. 10, 2020), https://www.ftc.gov/news-events/press-releases/2020/01/ftc-doj-announce-draft-vertical-merger-guidelines-public-comment; U.S. Dep’t of Justice and the Fed. Trade Comm’n, Draft Vertical Merger Guidelines (Jan. 10, 2020), https://www.ftc.gov/system/files/documents/public_statements/1561715/p810034verticalmergerguidelinesdraft.pdf.

[42] Press Release, Fed. Trade Comm’n, FTC and DOJ Announce Draft Vertical Merger Guidelines for Public Comment (Jan. 10, 2020), https://www.ftc.gov/news-events/press-releases/2020/01/ftc-doj-announce-draft-vertical-merger-guidelines-public-comment.

[43] Id.

[44] See Dep’t of Justice, Antitrust Div., Antitrust Div. Policy Guide to Merger Remedies at 5 (June 2011), https://www.justice.gov/sites/default/files/atr/legacy/2011/06/17/272350.pdf (noting that “a remedy that counteracts [changed incentives of the merging parties] or eliminates the merged firm’s ability to act on them may be appropriate” and that “the Division will consider tailored conduct remedies designed to prevent conduct that might harm consumers while still allowing the efficiencies that may come from the merger to be realized” and “will consider structural remedies,” particularly when the vertical integration is a small part of a larger deal); see also id. at 12 (conduct remedies); id. at 16 (transparency provisions); id. at 17 (prohibitions on restrictive contracting).

[45] Press Release, Dep’t of Justice, Office of Pub. Affairs, Assistant Attorney General Makan Delrahim Delivers Remarks at the 2018 Global Antitrust Enforcement Symposium (Sept. 25, 2018), https://www.justice.gov/opa/speech/assistant-attorney-general-makan-delrahim-delivers-remarks-2018-global-antitrust.

[46] See United States v. AT&T Inc., 310 F. Supp. 3d 161, 217 n.30 (D.D.C. 2018) (noting that the parties spent a good deal of the trial debating the “finer points” of Turner’s self-imposed arbitration commitments to roughly 1,000 video distributors, and finding that despite the DOJ’s assertions to the contrary, the arbitration commitments were fundamentally similar “to those blessed by the FCC, DOJ, and this Court in the Comcast-NBCU merger”); id. at 241 n.51 (“[T]he Court has reason to believe that, post-merger, AT&T will honor Turner’s commitment to arbitrate . . . . In short, the commitment, made by Turner shortly after the filing of this suit, will have real-world effects. . . . Contrary to the Government’s insinuations about the reasons for the arbitration offer, moreover, the Court does not view the offer as akin to an admission by defendants that the proposed merger would lead to the anticompetitive harms that the Government posits.”)

[47] See Press Release, Dep’t of Justice, Office of Pub. Affairs, Assistant Attorney General Makan Delrahim Delivers Remarks at the Fed. Telecomms. Institute’s Conference in Mexico City (Nov. 7, 2018), https://www.justice.gov/opa/speech/assistant-attorney-general-makan-delrahim-delivers-remarks-federal-institute (noting that “[i]f a structural remedy isn’t available, then, except in the rarest of circumstances, [the DOJ] will seek to block a merger” and that the DOJ “has a strong preference for structural remedies over behavioral ones”); see also David Hatch, DOJ’s Delrahim: We’re Committed to Structural Remedies Despite Losing AT&T Case, The Street (June 12, 2018, 6:35 p.m.), https://www.thestreet.com/investing/doj-committed-to-structural-remedies-despite-att-loss-says-delrahim-14620074 (noting that Delrahim told reporters following the DOJ’s loss in the District Court that the Antitrust Division would continue to favor structural remedies over behavioral remedies).

[48] Press Release, Fed. Trade Comm’n, FTC Imposes Conditions on Northrop Grumman’s Acquisition of Solid Rocket Motor Supplier Orbital ATK, Inc. (June 5, 2018), https://www.ftc.gov/news-events/press-releases/2018/06/ftc-imposes-conditions-northrop-grummans-acquisition-solid-rocket.

[49] Id. (noting that despite “typically disfavor[ing] behavioral remedies, given the special characteristics of the defense industry, [the FTC] accepted a remedy here”); see also Decision and Order, In the Matter of Northrop Grumman Corp. and Orbital ATK, Inc., Comm’n File No. 1810005 (F.T.C. June 5, 2015), https://www.ftc.gov/system/files/documents/cases/1810005_c-4652_northrop_grumman_orbital_decision_and_order_public_version_6-5-18.pdf (imposing information firewalls to protect competitively sensitive information from being shared within the merged firm and prohibiting the merged firm from discriminating against Northrop’s missile-system competitors in the supply of Orbital’s solid rocket motors).

[50] Press Release, Fed. Trade Comm’n, FTC Imposes Conditions on Staples’ Acquisition of Essendant (Jan. 28, 2019), https://www.ftc.gov/news-events/press-releases/2019/01/ftc-imposes-conditions-staples-acquisition-office-supply.

[51] Client Alert: U.S. Dep’t of Justice and Fed. Trade Comm’n Issue Draft Vertical Merger Guidelines, Gibson Dunn (Jan. 14, 2020), https://www.gibsondunn.com/us-department-of-justice-and-federal-trade-commission-issue-draft-vertical-merger-guidelines/.

[52] Press Release, Dep’t of Justice, Office of Pub. Affairs, Justice Department Sues to Block Novelis’s Acquisition of Aleris (Sept. 4, 2019), https://www.justice.gov/opa/pr/justice-department-sues-block-noveliss-acquisition-aleris-1.

[53] 5 U.S.C. § 571, et seq.

[54] Client Alert: DOJ’s Antitrust Division Elects Binding Arbitration to Resolve Merger Challenge, Gibson Dunn (Sept. 16, 2019), https://www.gibsondunn.com/doj-antitrust-division-elects-binding-arbitration-to-resolve-merger-challenge/.

[55] Announcement of the SAMR seeking public comment on the revised draft of the Antimonopoly Law (Draft for Public Comment) (市场监管总局就《<反垄断法>修订草案（公开征求意见稿）》公开征求意见的公告), State Admin. for Market Regulation (Jan. 2, 2020, 10:21 a.m.), http://www.samr.gov.cn/hd/zjdc/202001/t20200102_310120.html.

[56] Announcements of Unconditionally Approved Cases on Undertaking Concentrations (无条件批准经营者集中案件公示), State Admin. for Market Regulation, http://www.samr.gov.cn/fldj/ajgs/wtjjzajgs/.

[57] Announcement of SAMR’s Antimonopoly Review Decision to Conditionally Approve KLA-Tencor Corporation’s Share Acquisition of Orbotech Ltd. (市场监管总局关于附加限制性条件批准科天公司收购奥宝科技有限公司股权案反垄断审查决定的公告), State Admin. for Market Regulation (Feb. 20, 2019), http://gkml.samr.gov.cn/nsjg/xwxcs/201902/t20190220_290940.html.

[58] Announcement of SAMR’s Antimonopoly Review Decision to Conditionally Approve Cargotec Group’s Partial Business Acquisition of TTS Group (市场监管总局关于附加限制性条件批准卡哥特科集团收购德瑞斯集团部分业务案反垄断审查决定的公告), State Admin. for Market Regulation (July 12, 2019, 10:48 p.m.), http://www.samr.gov.cn/fldj/tzgg/ftjpz/201907/t20190712_303428.html.

[59] Announcement of SAMR’s Antimonopoly Review Decision to Conditionally Approve II-VI Incorporated’s Share Acquisition of Finisar Corporation (市场监管总局关于附加限制性条件批准高意股份有限公司收购菲尼萨股份有限公司股权案反垄断审查决定的公告), State Admin. for Market Regulation (Sept. 23, 2019, 9:38 p.m.), http://www.samr.gov.cn/fldj/tzgg/ftjpz/201909/t20190920_306948.html.

[60] Announcement of SAMR’s Antimonopoly Review Decision to Conditionally Approve New Joint Venture Between Zhejiang Garden Bio-chemical High-tech Co., Ltd. and Royal DSM N.V. (市场监管总局关于附加限制性条件批准浙江花园生物高科股份有限公司与皇家帝斯曼有限公司新设合营企业案反垄断审查决定的公告), State Admin. for Market Regulation (Oct. 18, 2019, 11:57 a.m.), http://www.samr.gov.cn/fldj/tzgg/ftjpz/201910/t20191018_307455.html.

[61] Announcement of SAMR’s Antimonopoly Review Decision to Conditionally Approve Novelis Inc.’s Share Acquisition of Aleris Corporation (市场监管总局关于附加限制性条件批准诺贝丽斯公司收购爱励公司股权案反垄断审查决定的公告), State Admin. for Market Regulation (Dec. 20, 2019, 4:07 p.m.), http://www.samr.gov.cn/fldj/tzgg/ftjpz/201912/t20191220_309365.html.

[62] Administrative Penalty Cases (行政处罚案件), State Admin. for Market Regulation, http://www.samr.gov.cn/fldj/tzgg/xzcf/.

[63] See 21 September 1990 to 31 December 2019, European Comm’n, https://ec.europa.eu/competition/mergers/statistics.pdf.

[64] See Case M.8677 – Siemens/Alstom, European Comm’n (June 2, 2019) https://ec.europa.eu/competition/mergers/cases/decisions/m8677_9376_3.pdf.

[65] See Press Release, European Comm’n, Mergers: Commission prohibits Wieland’s proposed acquisition of Aurubis Rolled Products and Schwermetall (Feb. 6, 2019), https://ec.europa.eu/commission/presscorner/detail/en/IP_19_883.

[66] See Press Release, European Comm’n, Mergers: Commission prohibits proposed merger between Tata Steel and ThyssenKrupp (June 11, 2019), https://ec.europa.eu/commission/presscorner/detail/en/IP_19_2948.

[67] See Bertold Bär-Bouyssière, Daniel Wojtczak and Moustapha Assahraoui, Antitrust Matters – November 2019: EU Industrial policy and merger control: Advancement or pitfall?, Lexology (Nov. 18, 2019), https://www.lexology.com/library/detail.aspx?g=957a86a2-b87d-4108-b3ac-b0a30c829d4d.

[68] Id.

[69] See, e.g., Jorge Valero, 19 EU countries call for new antitrust rules to create ‘European champions’, Euractiv (Jan. 9, 2019), https://www.euractiv.com/section/economy-jobs/news/19-eu-countries-call-for-new-antitrust-rules-to-create-european-champions/; A Franco-German Manifesto for a European industrial policy fit for the 21^st Century, Bundesministerium für Wirtschaft und Energie and Ministère de L’économie et des finances, République Française, https://www.bmwi.de/Redaktion/DE/Downloads/F/franco-german-manifesto-for-a-european-industrial-policy.pdf%3F__blob%3DpublicationFile%26v%3D2.

[70] See, e.g., Press Release, European Comm’n, Keynote Speech by President Juncker at the EU Industry Days 2019 (Feb. 5, 2019), https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_19_870.

[71] See, e.g., EU Industrial Policy After Siemens-Alstom: Finding a new balance between openness and protection, European Political Strategy Centre, European Comm’n (Mar. 18, 2019), https://ec.europa.eu/epsc/sites/epsc/files/epsc_industrial-policy.pdf.

[72] See A Franco-German Manifesto for a European industrial policy fit for the 21^st Century, Bundesministerium für Wirtschaft und Energie and Ministère de L’économie et des finances, République Française, https://www.bmwi.de/Redaktion/DE/Downloads/F/franco-german-manifesto-for-a-european-industrial-policy.pdf%3F__blob%3DpublicationFile%26v%3D2. See also Modernising EU Competition Policy, Bundesministerium für Wirtschaft und Energie, Ministère de L’économie et des finances, République Française, and Ministerstwo Przedsiębiorczości I Technologii, https://www.bmwi.de/Redaktion/DE/Downloads/M-O/modernising-eu-competition-policy.pdf?__blob=publicationFile&v=4 (inviting the Commission to consider a number of proposals on modernizing merger control).

[73] See Bertold Bär-Bouyssière, Daniel Wojtczak and Moustapha Assahraoui, Antitrust Matters – November 2019: EU Industrial policy and merger control: Advancement or pitfall?, Lexology (Nov. 18, 2019), https://www.lexology.com/library/detail.aspx?g=957a86a2-b87d-4108-b3ac-b0a30c829d4d. Other jurisdictions that allow for public interest grounds to be taken into account are Portugal and South Africa.

[74] See EU Industrial Policy After Siemens-Alstom: Finding a new balance between openness and protection, European Political Strategy Centre, European Comm’n (Mar. 18, 2019), https://ec.europa.eu/epsc/sites/epsc/files/epsc_industrial-policy.pdf.

[75] Id.

[76] The decisions follow in the wake of several other procedures concerning procedural infringements, including a €124,5 million fine to Altice in April 2018 for gun-jumping.

[77] See Case M.8179 – Canon/Toshiba Medical Sys. Corp., European Comm’n (June 27, 2019), https://ec.europa.eu/competition/mergers/cases/decisions/m8179_759_3.pdf.

[79] See Press Release, European Comm’n, Mergers: Commission fines Canon €28 million for partially implementing its acquisition of Toshiba Medical Systems Corporation before notification and merger control approval (June 27, 2019), https://ec.europa.eu/commission/presscorner/detail/en/IP_19_3429.

[82] See Carles Esteva Mosso, Acting Deputy Director-General for Mergers, Mergers and the Regulatory Environment, European Comm’n (Sept. 11, 2014), https://ec.europa.eu/competition/speeches/text/sp2014_03_en.pdf.

[83] See Report on Competition Policy 2018, European Comm’n, (July 15, 2019), https://ec.europa.eu/competition/publications/annual_report/2018/part1_en.pdf.

The following Gibson Dunn lawyers assisted in preparing this client update: Adam Di Vincenzo, Jens-Olrik Murach, Christian Riis-Madsen, Sébastien Evrard, Andrew Cline, Stevie Pearl, Tine Rasmussen, Brian Ryoo, Emily Seo, Joshua Wade, Chris Wilson and Katie Zumwalt.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, or any member of the firm’s Antitrust and Competition practice group:

New York
Eric J. Stock (+1 212-351-2301, [email protected])
Lawrence J. Zweifach (+1 212-351-2625, [email protected])

San Francisco
Rachel S. Brass (+1 415-393-8293, [email protected])

Denver
Ryan T. Bergsieker (+1 303-298-5774, [email protected])

Munich
Michael Walther (+49 89 189 33 180, [email protected])
Kai Gesing (+49 89 189 33 180, [email protected])

Hong Kong
Kelly Austin (+852 2214 3788, [email protected])
Sébastien Evrard (+852 2214 3798, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

In this alert, we look back at the key developments in UK employment law over the final six months of 2019 and look forward to anticipated developments in the six months to come.

A brief overview of developments and key cases which we believe will be of interest to our clients is provided below, with more detailed information on each topic available by clicking on the links.

1. Political Developments in the UK and the Impact of Brexit (click on link)

It continues to be a turbulent time in British politics. The 12 December 2019 general election resulted in the return of Boris Johnson as Prime Minister, with a significant majority Government. In this alert, we consider the potential impact of Brexit on international data transfers to and from the EU to the UK.

2. Whistleblowing (click on link)

We consider two recent decisions of the UK Supreme Court in respect of (1) whistleblowing claims concerning the right of judges as office-holders, to bring detriment claims as whistleblowers, and (2) the circumstances in which an employee may enjoy whistleblower protection on dismissal even though the person who made the decision to dismiss him was unaware that he was a whistleblower.

3. Patent for Employee Invention (click on link)

We report on a UK Supreme Court case which found that an employee of a Unilever subsidiary was entitled to compensation because the patents for his invention were of outstanding benefit to his employer.

4. Updated Guidance for Holiday Entitlement for Part-Year Workers (click on link)

There has been no shortage of holiday pay cases over recent years, and we report on revised government guidance published at the end of the Summer concerning the calculation of holiday pay for those who only work for part of each holiday year.

5. Forthcoming Changes (click on link)

We summarise a number of changes coming into force on 6 April 2020 that will affect employment law including those relating to taxation, such as new rules for off-payroll working in the private sector and a new NIC charge on termination payments. We also consider forthcoming changes proposed in the Employment Bill.

APPENDIX

1. Current Political Environment and Impact of Brexit

After winning the December 12 general election with a strong majority, Boris Johnson returned as Prime Minister, with the political capital to extract the UK from the European Union on 31 January 2020 and move on to negotiations about our future relationship. The precise implications of Brexit on UK law are still largely uncertain given the wider climate of uncertainty around Brexit. The European Union (Withdrawal Agreement) Act 2020 has been enacted. This means that the UK will most likely leave the EU on 31 January 2020, with a transition period until 31 December 2020.

During the transition period the country will no longer be a member of the EU, but will still have to adhere to EU rules. During this period, the future relationship between the UK and the EU will be negotiated.

In relation to personal data transfers, during the transition period there will be no change. During this period, it is hoped that the EC would make an “adequacy decision” in favour of the UK which would allow the free flow of personal data from the EU to the UK once the transition period ends, without the EU data exporter having to implement additional safeguards. On a similar note, at the end of the transition period companies relying on Privacy Shield certification (the EU-US privacy shield framework of the US Department of Commerce and the European Commission) to receive personal data from the UK will need to update their public commitment to comply with the Privacy Shield to specifically include the UK.

2. Whistleblowing

Status challenges

In the case of Gilham v Ministry of Justice [2019] UKSC 44, the Supreme Court has held that judges are entitled to protection under UK whistleblowing legislation. The Supreme Court agreed that the Employment Rights Act 1996 (“ERA 1996”) excludes the judiciary from its protection, but found this to be incompatible with rights under the European Convention on Human Rights (“ECHR”). It found that the making of complaints about working conditions, in the vein of a protected disclosure, and allegations of reprisals for the same, engaged article 10 ECHR (freedom of expression). The failure to extend whistleblowing protection to the judiciary was found to be a violation of article 14 ECHR, which makes it unlawful to interfere with Convention rights (here, article 10 ECHR) by discriminating on prescribed grounds, including status. Occupational status is capable of falling within this category. Hence, the Supreme Court held that it is possible to interpret the definition of a worker under the ERA to include judicial office-holders and thereby extend whistleblowing protection to them. The case was remitted to the employment tribunal to decide the substantive merits of the claim on this basis.

Knowledge of the decision maker and the decision to dismiss

In Royal Mail Group v Jhuti [2019] UKSC 55, the Supreme Court considered whether an employee who made a protected disclosure to her manager could claim protection as a whistleblower when she was dismissed on grounds of poor performance by a decision-maker who had no knowledge of her protected disclosure.

During her trial period of employment at Royal Mail, Ms Jhuti made “protected disclosures” under section 43A of ERA 1996 (commonly described in the UK as whistleblowing) to her manager. He forced her to retract them and retaliated by bullying her and creating a false picture of inadequate performance. Ms Jhuti then went off sick with stress, and the Royal Mail began a process to decide whether she should be dismissed for poor performance. As she was off sick, she was unable to present her case to the decision-maker in meetings or otherwise. The decision-maker had no reason to doubt the evidence of poor performance and dismissed Ms Jhuti for poor performance.

Ms Jhuti made two claims: firstly, that she had made protected disclosures and she had been subjected to detriments by the company on grounds of her whistleblowing and, secondly, automatic unfair dismissal.

The Employment Tribunal found that Ms Jhuti had been subjected to detriments, including harassment and bullying, but that she had not been unfairly dismissed as the reason for her dismissal was her performance. Following a series of appeals, the case reached the Supreme Court which held that Ms Jhuti had been automatically unfairly dismissed on grounds of whistleblowing, notwithstanding that the decision-maker was unaware that she had blown the whistle to her manager. This was because the allegations of poor performance for which Ms Jhuti was dismissed were concocted by her manager as retaliation for whistleblowing.

The Supreme Court confirmed that in looking for the reason for dismissal, generally courts need only look at the reason given by the decision-maker. However, if the real reason is hidden from the decision-maker and an invented reason is presented, the court must look through the invention. In the particular circumstances of this case, the real reason for Ms Jhuti’s dismissal was the hidden reason and the UK Parliament clearly intended that if the real reason for dismissal was whistleblowing the automatic consequence should be a finding of unfair dismissal.

3. Patent for Employee Invention

In the recent Supreme Court case of Shanks v Unilever plc and others [2019] UKSC 45, an employee of a Unilever subsidiary was awarded compensation of £2 million because the patents for his invention created during employment, nearly 40 years ago, were found to be of “outstanding benefit” to his employer.

Professor Shanks, the appellant, was employed by Unilever UK Central Resources Ltd (“CRL”) in the 1980s. CRL was a wholly owned subsidiary of Unilever plc and employed the UK-based research staff of the Unilever group. During his employment, Professor Shanks conceived an invention. The rights, owned by CRL, were assigned to Unilever plc and other entities in its group. The Unilever group was later granted various patents relating to the invention (the “Shanks patents”). The Shanks patents provided a net benefit of approximately £24.3 million to the Unilever group over time. In 2006, Professor Shanks applied for compensation under section 40 of the Patents Act 1977 (the “Patents Act”) on the basis that the Shanks patents had been of outstanding benefit to CRL and that he was entitled to a fair share of that benefit. It was found that the benefit provided by the patents fell short of being outstanding. Professor Shanks’ High Court appeal was unsuccessful. His appeal to the Court of Appeal was partially successful but he was found not to be entitled to compensation. The Supreme Court allowed his appeal in 2019 for the reasons discussed below.

An employee whose invention belongs to his employer is entitled to compensation if a patent has been granted which is, having regard among other things to the size and nature of the employer’s undertaking, of outstanding benefit to the employer, and by reason of these matters, it is just that he be awarded compensation. Here, “employer” refers to the inventor’s actual employer, i.e. CRL. An “undertaking” is a unit or entity which carries on a business activity. CRL’s undertaking was the business of generating inventions and providing those inventions and the patents which protected them to the Unilever group for use in connection with its business. To assess the benefit derived by CRL from an assignment of the patents to the Unilever group, the Supreme Court considered the position of CRL and the benefit which the Unilever group gained or is expected to gain.

CRL operates a research facility for the benefit of the whole Unilever group and the resulting patents are assigned by CRL to other Unilever group members for their benefit. Therefore, the question of whether the Shanks patents are of outstanding benefit to CRL must be the extent of the benefit they provide to the Unilever group, and how that compares with the benefits derived by the Unilever group from other patents resulting from the work carried out at CRL. The hearing officer had been wrong to assess the benefit of the Shanks patents by comparing it to the patent owner’s overall turnover or profits. The Supreme Court found that the benefit CRL enjoyed from the Shanks patents was outstanding within the meaning of section 40 of the Patents Act.

The decision in Shanks may make it easier for inventors employed by large business entities to claim compensation under the Patents Act 1977. However, demonstrating that an “outstanding benefit” has been enjoyed by an employer is still a high threshold to meet and compensation will only be granted in exceptional cases.

4. Updated Guidance and Calculator for Holiday Entitlement

New government guidance has been published, following the decision in Harpur Trust v Brazel [2019] EWCA Civ 1402.

The Court of Appeal has affirmed the Employment Appeal Tribunal’s decision in Harpur Trust v Brazel [2019] EWCA Civ 1402 that holiday pay for part-year only permanent employees should not be pro-rated to reflect the number of weeks worked.

In this case, a school music teacher, Mrs Brazel, was employed under a permanent contract whereby she was only paid for the hours she worked, which varied, and she had long periods without work during the school holidays. Her contract provided for 5.6 weeks’ annual leave, which she was required to take during the school holidays. The school decided that Mrs Brazel’s holiday pay entitlement should be pro-rated because she worked fewer weeks than the standard working year. The school paid Mrs Brazel holiday pay of 12.07% of her annual earnings, in reliance on ACAS guidance which stated that the statutory 5.6 weeks’ holiday equates to 12.07% of the working year. Mrs Brazel brought a claim for unfair deduction from wages, and argued that her pay should be based on the 12-week period immediately before the holiday was taken, which would equate to 17.5% of her annual earnings.

The Court of Appeal ruled that pro-rating holiday pay was not appropriate. The EU Working Time Directive (2003/88/EC) (WTD) requires that workers accrue entitlement to paid annual leave in proportion to the time that they work but this is distinct from the remuneration payable in respect of such leave. The Working Time Regulations 1998 are clear that a worker on a permanent contract, engaged for the whole year, is entitled to 5.6 weeks paid holiday as calculated under the formula in the ERA 1996. The calculation exercise required by regulation 16 of the WTR 1998, which involves identifying a week’s pay and multiplying it by 5.6 weeks, should be followed even if it results in part-year workers receiving a higher proportion of their annual earnings as holiday pay (in Mrs Brazel’s case, 17.5%).

A key takeaway is that the requirement to use average earnings to calculate holiday pay applies only when there are no normal working hours. If there are fixed hours of work, then holiday pay should be paid at the same rate the individual earns for their normal week’s work. Regardless, this decision may lead to casual workers not employed on a permanent contract to make the same argument.

As mentioned below, from 6 April 2020, the 12-week reference period used to calculate statutory holiday pay will be extended to 52 weeks.

5. Forthcoming Changes

A number of changes to employment law will be introduced on 6 April 2020. Some key changes are considered in this section, including changes to off-payroll working and the extension of the right to written particulars to include workers as well as employees.

Off-payroll working in the private sector

The issue of “worker” status has often come up for debate before the courts and we have reported on this previously.

From April 2020, large and medium-sized private sector companies will become subject to off-payroll working rules. At present, under UK legislation known as IR35, an intermediary (usually a personal service company (“PSC”)) through which an individual supplies services to a private sector company is responsible for determining whether or not, but for the intermediary, that individual would be a deemed employee of the “client” company. If so, it must operate payroll and handle income tax and employee and employer national insurance contributions in respect of all sums received from the client engagement. Importantly, the burden to deduct payroll taxes falls on the intermediary (e.g. the PSC) and not the client.

However, all this is set to change from April 2020 in that the “client” company (rather than the intermediary/PSC) will become responsible for determining the individual’s employment status for tax purposes, taking into account all the working arrangements, and must operate payroll deductions and pay employer’s national insurance contributions on all fees paid to the intermediary in respect of the individual’s services (i.e. the burden will be shifted to the client).

Affected “client” companies are potentially subject to a materially increased administrative burden and increased tax exposure. The changes may affect the manner in which companies choose to engage workers in future and may require an audit of current working arrangements to ensure compliance or put in place new arrangements.

The government has launched a review into the operation of the reforms, aiming to address industry concerns and ensure a smooth and successful transition. The review is set to conclude in February 2020.

Employer national insurance contributions (NICs) on termination payments above £30,000

From 6 April 2020 employer NICs of 13.8% will be payable on termination payments over £30,000.

Changes to rules relating to agency workers

Currently, if an agency worker is on a permanent contract of employment and is paid between assignments, the “Swedish derogation” from the Agency Worker Regulations allows the employer to avoid pay parity obligations. From 6 April 2020, the Swedish derogation provisions will be abolished and temporary work agencies will be required to inform agency workers whose existing contracts contain a Swedish derogation provision of the change and their right to pay parity, in writing. Agency workers who assert their right to pay parity will be protected from detriment and unfair dismissal.

Employment businesses will also be required to provide those seeking agency work with a key information document before agreeing the terms on which the work seeker will undertake work. This must set out the type of contract under which the individual will work, the minimum rate of pay that the agency reasonably expects will be paid, any deductions to be made to pay, intervals at which the individual will be paid and by whom, and annual leave entitlement.

Changes to the reference period for determining an average week’s pay for holiday pay purposes

From 6 April 2020, the reference period for determining an average week’s pay for workers with variable remuneration in order to calculate statutory holiday pay will increase from 12 weeks to 52 weeks, or the number of complete weeks for which the individual has been employed if this is not yet 52 weeks. The aim is that workers who have an irregular working pattern over the year are not disadvantaged where their holiday pay may have previously been calculated by reference to a less busy part of the year.

Proposed changes in the forthcoming Employment Bill

The new Conservative government is unlikely to significantly strengthen employment rights in the UK but we can expect them to continue to progress various employment law reforms already underway. The forthcoming Employment Bill (a bill is a proposal for a new law that is presented for debate before Parliament) provides for a single labour market enforcement agency and the right to request a more predictable contract, all of which were anticipated by the Good Work Plan, on which we reported previously. The Employment Bill also looks to extend the period of special protection on redundancy afforded to new mothers so that they are protected from the point at which they notify their employer that they are pregnant until six months after the end of maternity leave.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these and other developments. Please feel free to contact the Gibson Dunn lawyer with whom you usually work or the following members of the Labor and Employment team in the firm’s London office:

James A. Cox (+44 (0)20 7071 4250, [email protected])

Georgia Derbyshire (+44 (0)20 7071 4013, [email protected])

Charlotte Fuscone (+44 (0)20 7071 4036, [email protected])

Heather Gibbons (+44 (0)20 7071 4127, [email protected])

Sarika Rabheru (+44 (0)20 7071 4267, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

The subject of monopoly remains in the news almost every day but the law of monopolization is not just for companies in the headlines. Join us for another installment in our ongoing look at Sherman Act Section 2 monopolization law. Our topic for this panel is unilateral (single-firm) pricing practices, including low (or zero) prices, “high” prices, package prices and the definition of “price” and “pricing practices.” Our speakers will draw on extensive experience in dealing with antitrust enforcers and in litigating Section 2 issues in the trial and appellate courts.

View Slides (PDF)

PANELISTS:

Daniel G. Swanson serves as Co-Chair of Gibson Dunn’s Antitrust and Competition Practice Group and of the Antitrust Section of the International Bar Association. He is a trial and appellate litigator who holds a Ph.D. in economics from Harvard University. Mr. Swanson has litigated dozens of Sherman Act Section 2 monopolization and dominance cases based on a wide range of alleged conduct (e.g., exclusive dealing, refusals to deal, tying and bundling), including the successful defense of predatory pricing charges brought by the Department of Justice in United States v. AMR Corp. His practice has a strong focus on the technology sector, network industries, digital platforms, and media and entertainment businesses and he regularly handles antitrust matters involving intellectual property rights. Chambers USA gives Mr. Swanson a “Band 1” ranking and has reported that he “has a vast amount of antitrust expertise,” is “a highly regarded trial lawyer with a wealth of experience” and is “a ‘tough opponent’ in civil and criminal litigation.”

Cynthia (“Cindy”) Richman is Co-Partner-in-Charge of the Washington, D.C. office of Gibson, Dunn & Crutcher. She practices in the firm’s Litigation Department and is a member of the firm’s Antitrust and Competition Practice Group. Ms. Richman has been repeatedly recognized by her peers for inclusion in The Best Lawyers in America© in the field of Litigation: Antitrust and U.S. Legal 500 has identified her as a “Next Generation Lawyer” in the areas of merger control, cartels and civil litigation/class action defense. In 2019, she was recognized by Benchmark Litigation as a “Future Litigation Star” in Washington, D.C. She was also recognized in 2016 by Law360 as a Rising Star in the Competition category. Ms. Richman has experience handling a wide variety of antitrust matters in a broad range of industries. Her practice includes defending companies before state and federal courts, including appellate courts, in matters alleging a range of antitrust-based claims, such as price-fixing, tying, bundling, exclusive dealing, predatory pricing and other single-firm conduct theories.

Caeli A. Higney is a senior associate in the San Francisco office of Gibson, Dunn & Crutcher. She currently practices in the firm’s Litigation Department and is a member of the firm’s Antitrust and Competition Practice Group. Ms. Higney has represented companies before appellate and trial courts in matters alleging a range of antitrust-based claims, including allegations of monopolization and attempted monopolization, tying, bundling, exclusive dealing, refusal to deal, as well as price-fixing claims. For example, Ms. Higney was part of a team that defended a major consumer electronics company in a multi-week antitrust trial against conspiracy claims brought by the U.S. Department of Justice. Ms. Higney successfully obtained dismissal of conspiracy to monopolize and attempted monopolization claims against a major retailer.

Daniel P. O’Brien is a Senior Consultant at Compass Lexecon and former Senior Economic Policy Adviser and Deputy Director of the Federal Trade Commission’s Bureau of Economics, and former Chief of the Economic Regulatory Section at the Department of Justice’s Antitrust Division. While at the FTC, he oversaw the economic analysis in all of the agency’s antitrust investigations. He has led investigations across a wide range of industries, including mobile telephone and internet services, car rental services, retail products manufacturing and distribution, software, futures exchanges, banking, wholesale distribution, aerospace, pharmaceuticals, broadcast television, cable and satellite television programming and distribution, academic journals, aluminum manufacturing, and telecommunications, among others. Currently, Dr. O’Brien is working on research regarding conditional pricing practices (share-based discounts, exclusive dealing, and tying and bundling), common ownership by institutional investors, and the economics of privacy and disclosure, all topics motivated by his work at the antitrust agencies and consulting. Dr. O’Brien presents his antitrust research at various conferences and universities around the world.

On January 28, 2020, the Federal Trade Commission announced its annual update of thresholds for pre-merger notifications of M&A transactions under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (“HSR Act”). Pursuant to the statute, the HSR Act’s jurisdictional thresholds are updated annually to account for changes in the gross national product.

The size-of-transaction threshold for reporting proposed mergers and acquisitions under Section 7A of the Clayton Act will increase by $4.0 million, from $90.0 million in 2019 to $94.0 million for 2020. The new thresholds will take effect on February 27, 2020.

Original Threshold	Current Threshold	Revised Threshold
$10 million	$18 million	$18.8 million
$50 million	$90 million	$94.0 million
$100 million	$180 million	$188.0 million
$110 million	$198 million	$206.8 million
$200 million	$359.9 million	$376.0 million
$500 million	$899.8 million	$940.1 million
$1 billion	$1,799.5 million	$1,880.2 million

The maximum fine for violations of the HSR Act has increased from $42,530 per day to $43,280.

The amounts of the filing fees have not changed, but the thresholds that trigger each fee will increase:

Fee	Size of Transaction
$45,000	Valued at more than $94.0 million but less than $188.0 million
$125,000	Valued at $188.0 million or more but less than $940.1 million
$280,000	Valued at $940.1 million or more

The 2020 thresholds triggering prohibitions on certain interlocking directorates on corporate boards of directors are $38,204,000 for Section 8(a)(l) and $3,820,400 for Section 8(a)(2)(A). The new Section 8 thresholds took effect on January 21, 2020.

If you have any questions about the new HSR size of transaction thresholds, or HSR and antitrust/competition regulations and rulemaking more generally, please contact any of the partners or counsel listed below.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the HSR Act or antitrust issues raised by business transactions. To learn more about these issues, please contact the Gibson Dunn attorney with whom you work in the firm’s Antitrust and Competition practice group:

New York
Eric J. Stock (+1 212-351-2301, [email protected])
Lawrence J. Zweifach (+1 212-351-2625, [email protected])

San Francisco
Rachel S. Brass (+1 415-393-8293, [email protected])

On January 9, 2020, the U.S. Federal Trade Commission held a workshop to examine whether there is a sufficient legal and empirical basis to promulgate a Commission Rule restricting the use of non-compete clauses in employment contracts. This follows a workshop hosted by the U.S. Department of Justice’s Antitrust Division in September 2019 on the role of antitrust in labor markets. Together these workshops signal the agencies’ continued focus on labor competition and potential competitive harm from employment contracts.

For more analysis on these issues, Gibson Dunn will be hosting a webcast on Thursday, February 27th at 12:00pm EST to discuss these developments, as well as antitrust enforcement by State Attorneys General against no-poach and non-compete agreements and recent guidelines issued by regulators in Hong Kong and Japan (to register, please CLICK HERE).

FTC Workshop

In March 2019, a group of labor and public interest organizations, advocates, and scholars, led by the Open Markets Institute, petitioned the FTC to initiate rulemaking to prohibit employers from including non-compete clauses in agreements with employees and independent contractors and from enforcing or threatening to enforce existing non-compete clauses. The petition argues that non-compete clauses reduce labor mobility and depress wages even in states where they are not enforceable under state law. This petition comes at a time of increased scrutiny of non-competes by the states, with seven states—Maine, Maryland, New Hampshire, Oregon, Rhode Island, Utah, and Washington—enacting or amending statutes limiting their use and enforcement.

The FTC convened the recent workshop to examine whether there was sufficient legal basis and empirical support to initiate rulemaking. Economists reviewed literature showing that non-compete clauses are wide-spread, including in employment contracts with low-wage workers and in states where they are unenforceable under state law. While acknowledging that further study is necessary to understand the practical effects of non-compete clauses, several economists concluded that, on average, non-compete agreements are associated with lower wages and decreased job mobility. In one study of non-compete clauses in CEO agreements, however, the data showed that CEOs are usually compensated for agreeing to the non-compete clause. That study also found that CEOs are more likely to be fired for poor performance when a non-compete is in place.

Antitrust practitioners, including Gibson Dunn partner Kristen Limarzi, and administrative law scholars discussed legal challenges to regulating non-competes either as unfair methods of competition or unfair and deceptive practices under the FTC Act. Courts have held that the FTC has authority to adopt rules defining unfair methods of competition, although the last time the FTC used that authority was 1968. FTC rules defining unfair or deceptive practices are subject to a much more extensive administrative process. Several presenters expressed skepticism regarding a rule banning all non-compete clauses, explaining that it would be vulnerable to legal challenge.

Commissioner Rebecca Slaughter applauded the workshop as a valuable mechanism to gather information, but urged the Commission to go beyond information gathering and initiate a rulemaking process. She credited FTC Commissioner Rohit Chopra for previously calling for such rulemaking. FTC Commissioner Noah Phillips also expressed concern that non-compete clauses are so prevalent, including in low-wage workers’ employment contracts where at least one of the traditional justifications for non-competes—preservation of trade secrets—is not obvious. But Commissioner Phillips questioned the legal basis for rulemaking and expressed concern that the FTC’s claimed authority to regulate “unfair methods of competition” may be so unbounded, that it would violate the non-delegation doctrine that requires Congress to provide an intelligible principle to guide an agency in rulemaking.

There is no deadline for the FTC to act on the petition for rulemaking. The FTC is accepting public comments on this issue through March 11, 2020. Partners in Gibson Dunn’s Administrative Law and Regulatory Practice regularly work with companies and trade associations throughout the agency rulemaking process. Working closely with subject-matter experts in the firm’s Antitrust and Labor & Employment Practice Groups, our Administrative Law attorneys are available to assist in submitting comments.

DOJ Workshop

In September 2019, the Antitrust Division of the Department of Justice held its own workshop on the role of antitrust in labor markets. Assistant Attorney General Makan Delrahim opened the workshop by stating that the Antitrust Division’s goal for the workshop was to obtain a more nuanced understanding of the marketplace for workers within the United States and the role for antitrust enforcement within that marketplace.

Economists discussed the results of their respective research regarding the impacts of elasticity and concentration of labor markets on wages. All agreed that higher market concentration can affect wages, although data indicate that the effects vary based on industry-specific factors, geographical differences, and the skills required for specific job positions, among other considerations.

Gibson Dunn partner Rachel S. Brass and other antitrust practitioners, economists, and government enforcers discussed labor market definitions, civil litigation and government enforcement concerning labor restraints such as no-poaching agreements in complex business arrangements, as well as issues regarding labor organizations’ exemptions from antitrust laws.

In October 2016 the Antitrust Division and Federal Trade Commission issued their Guidance for Human Resource Professionals announcing DOJ’s intent to proceed criminally against naked no-poaching and wage-fixing agreements. Although no criminal enforcement proceedings have been announced publicly, state investigations and civil litigation have proliferated, and Assistant Attorney General Delrahim stated that criminal prosecution of naked wage-fixing and no-poaching agreements remains a “high priority” for the Antitrust Division.

Takeaways

The FTC and DOJ continue to look for ways in which the antitrust laws can be used to improve mobility and competition in the labor markets. Now more than ever companies should ensure that their hiring, employment, and compensation policies and practices conform with antitrust laws.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn attorney with whom you work in the Antitrust & Competition or Labor & Employment practice groups or the authors:

Kristen C. Limarzi – Washington, D.C. (+1 202-887-3518, [email protected])
Rachel S. Brass – San Francisco (+1 415-393-8293, [email protected])

Please also feel free to contact any of the following practice group leaders and members:

Antitrust and Competition Group:

New York
Eric J. Stock (+1 212-351-2301, [email protected])

San Francisco
Rachel S. Brass (+1 415-393-8293, [email protected])

Munich
Michael Walther (+49 89 189 33 180, [email protected])
Kai Gesing (+49 89 189 33 180, [email protected])

Hong Kong
Kelly Austin (+852 2214 3788, [email protected])
Sébastien Evrard (+852 2214 3798, [email protected])

Labor and Employment Group:

Catherine A. Conway – Co-Chair, Los Angeles (+1 213-229-7822, [email protected])
Jason C. Schwartz – Co-Chair, Washington, D.C. (+1 202-955-8242, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

In honor of Data Privacy Day—a worldwide effort to raise awareness and promote best practices in privacy and data protection—we offer this eighth edition of Gibson Dunn’s United States Cybersecurity and Data Privacy Outlook and Review.

In 2019, companies, courts, and regulators faced unprecedented challenges as they navigated a rapidly evolving set of cybersecurity and privacy issues. Congress and state legislatures proposed (and, in the case of some states, enacted) measures ranging from limits on the use of consumer data to protecting children’s internet privacy. Increasingly active federal and state regulators enforced data privacy, cybersecurity, and consumer protection standards in the face of novel cybersecurity threats. Private parties stepped up the pace of civil litigation in a year that saw numerous high-profile data breaches and continued questions over who can sue for damages. And questions regarding the government’s ability to access data, from biometric information to files stored overseas, came into sharper legislative and judicial focus.

This Review places these, and other, 2019 developments in broader context, addressing: (1) the regulation of privacy and data security, including key legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy issues in areas including privacy class actions, digital communications, and biometric information privacy laws; and (3) the collection of electronically stored information by government actors, including the extraterritoriality of subpoenas and warrants and the collection of data from electronic devices. While we do not attempt to address every development that occurred in 2019, this Review examines a number of the most significant developments affecting companies as they navigate the evolving cybersecurity and privacy landscape.

This Review focuses on cybersecurity and privacy developments within the United States. For information on developments outside the United States, please see Gibson Dunn’s International Cybersecurity and Data Privacy Outlook and Review, which addresses developments in 2019 outside the United States that are of relevance to domestic and international companies alike. We have adopted the practice of referring to companies by generic descriptors in the body of the alert; for further details, please see the endnotes.

________________________

I. REGULATION OF PRIVACY AND DATA SECURITY

A.  Legislative Developments

1.  State
2.  Federal

B.  Enforcement and Guidance

1. Federal Trade Commission
2.  Department of Health and Human Services and HIPAA
3.  Securities and Exchange Commission
4.  Other Federal Agencies
5.  State Attorneys General and Other State Agencies

II. CIVIL LITIGATION

A.  Data Breach Litigation

B.  Telephone Consumer Protection Act Litigation

C.  Biometric Information Privacy Act Litigation

D.  Other Notable Cases

III. GOVERNMENT DATA COLLECTION

A. Collection of Data from Computers, Cellphones, and Other Devices

B. Other Notable Developments

IV. CONCLUSION

________________________

I. Regulation of Privacy and Data Security

A. Legislative Developments

1. State

a) California Consumer Privacy Act of 2018

As the first comprehensive consumer privacy law in the United States, the California Consumer Privacy Act of 2018 (“CCPA”) has changed the legal landscape. According to one observer, initial compliance with the CCPA will cost businesses around $55 billion.[1] As reported in detail in Gibson Dunn’s prior CCPA updates,[2] the law requires businesses to disclose what personal information they collect from California consumers (defined broadly as California residents), for what purpose, and to what third parties the information is shared or sold. The law also allows consumers the right to request deletion of their personal information and opt out of the sale of such information, among other provisions.

Despite passing in 2018, and coming into effect in January 2020, the law continued to evolve in 2019, and is still evolving. California’s Attorney General is set to release final regulations in the first part of 2020 (at the time of publishing this Review only a draft version of the regulations had been released, in October 2019).[3] Further, the California legislature passed multiple amendments just two months before the law became effective,[4] and continued attempts at amending the law are expected, along with another ballot initiative in November 2020 that would expand the CCPA’s reach.[5] And despite clarifying amendments and draft regulations aimed at implementing the CCPA, there are still a number of open issues for businesses to analyze.

As an example, the scope of “sale” continues to be the subject of extensive debate. The CCPA regulates the “sale” of personal information, which it defines as the exchange of personal information “for monetary or other valuable consideration.”[6] This definition creates some uncertainty for businesses that do not expressly sell user data in a traditional sense, but may receive some tangible benefit from sharing the data with a third party. In addition, where data is automatically collected and analyzed by a third party using web-browser cookies, it can be technologically difficult or impossible to identify what information is associated with the particular consumer and to wholly comply with the consumer’s request. Separately, the law’s private right of action for subjects of certain data breaches caused by a lack of “reasonable” security protections has caused concern regarding what constitutes “reasonable,” particularly in light of the statute’s potentially steep statutory damages.[7]

While California’s Attorney General will not bring enforcement actions under the CCPA until July 1, 2020, the law went into effect January 1, 2020, and the Attorney General indicated in late 2019 that he may consider prosecuting businesses not in compliance with the law as of the effective date.[8] That said, the Attorney General also has reported that enforcement initially will focus on companies that deal in large amounts of sensitive personal data—such as health data and Social Security numbers[9]—and on companies that collect the personal data of children.[10] Meanwhile, the CCPA’s narrow private right of action for data breaches is already in full effect.[11] While as of the time of this writing no such actions have been widely reported as filed, Gibson Dunn will continue to monitor CCPA-related developments.

b) Other State Laws

Aside from the CCPA, several other states also considered, passed, or began enforcement on their own data privacy and consumer protection laws in 2019.

i. Nevada

On October 1, 2019 Nevada’s “Act relating to Internet privacy” went into effect.[12] Compared to the CCPA, Nevada’s privacy law has a narrower definition of “sale” of personal information: “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”[13] This definition does not include the CCPA’s broader definition of an exchange of covered information for “other valuable consideration.” The Nevada law also has a narrower definition of “consumer”—a “consumer” is a “person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.” The law excludes from the definition of “operator”: (1) financial institutions and affiliates subject to the GLBA; (2) HIPAA-covered entities; and (3) certain manufacturers of motor vehicles and persons who repair or service motor vehicles.[14]

The law requires that website operators provide an online notice disclosing what covered information the operators maintain, and requires that they permit consumers to opt out of any sale of such information by the website to third parties.[15] Nevada’s privacy law contains no private right of action, and caps penalties at $5,000 per violation.[16]

ii. Maine

Like Nevada, Maine’s new data privacy law, “An Act to Protect the Privacy of Online Customer Information,” which will go into effect July 1, 2020, is narrower than the CCPA in many ways.[17] For example, it applies only to broadband providers in Maine and affects only those who are physically located and billed for broadband services in Maine.[18] The Act generally prohibits broadband providers from using, disclosing, selling, or permitting nonconsensual access to their customers’ personal information. The law imposes a transparency requirement on broadband providers to publish privacy notices informing customers of their rights and of the provider’s obligations at the point of sale. Similar to the CCPA, the law prohibits broadband providers from refusing service to customers who do not provide their consent or charging customers a penalty or offering customers a discount based on the customer’s decision to provide consent or not.[19]

iii. New York

The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act modifies New York’s data breach law by changing the definition of a data breach to include any unauthorized person gaining access to or acquisition of the protected information.[20] The Act also expands upon the definition of “private information” to include, in conjunction with a New York resident’s name, number, personal mark or other identifier, the following data: (1) bank account, credit, or debit card number, provided that the numbers could be used to access an individual’s account without more; and (2) biometric information.[21] The Act also adds to the definition of “private information” usernames or email addresses accompanied with passwords or security questions and answers that would grant access to an online account.[22] The Act requires covered entities to establish data security programs to safeguard personal user data, safeguards that are tailored to the size of the business.[23] The Act relieves covered entities, however, of their notification obligations if a breach was the result of an inadvertent disclosure by persons authorized to access private information and the entity determines that the exposure is unlikely to result in harm to the affected individuals. However, if the breach affects over 500 New York residents, the covered entity must provide a written determination as to the risk of harm to these individuals to the New York Attorney General.[24] Notably, 2019 also saw legislative attempts, ultimately unsuccessful, for New York to pass the New York Privacy Act,[25] a proposed law offering protections as broad, or broader, than those provided by the CCPA, as discussed more fully below.[26]

c) State Laws Under Consideration

Numerous states considered privacy legislation in 2019, and many of those states are expected to revive their failed 2019 bills in 2020.[27] For example, Washington is expected to adopt a version of the “Washington Privacy Act”—previously stalled in 2019—which, in addition to adopting many of the CCPA’s provisions, would set limits on the commercial use of facial recognition technology and would grant consumers the right to confirm whether a controller is processing personal data about the consumer and to access that data, to correct inaccurate data, to delete personal data, and to clearly opt out of the use of personal information for targeted advertising.[28] The draft legislation provides for no private right of action and caps penalties at $7,500 per violation.[29]

In addition, New York, Florida, Texas, Massachusetts, New Jersey, Virginia, and New Hampshire are a few of the many states considering adopting comprehensive privacy laws similar to CCPA (in the absence of preemptive federal legislation). In particular, New York’s proposed law contains more stringent requirements than the CCPA.[30] It would require consumer opt-in before a company could use, process, sell, share, or transfer that consumer’s data, and would impose upon controllers and data brokers who collect, sell, or license personal data a fiduciary duty of care, loyalty, and confidentiality.[31] The New York proposed law would also allow for a private right of action.[32] With so many diverging state privacy bills passed or gaining traction, many businesses are rightfully concerned that 2020 signals the beginning of a patchwork of comprehensive state privacy laws, resulting in an even more complex compliance environment.[33]

2. Federal

a) Comprehensive Privacy Legislation

Three comprehensive privacy bills are currently being considered in Congress, each discussed below. Democrats have published a “Senate Democratic Privacy Principles” list of minimum provisions required in any Democratic-backed privacy legislation,[34] and favor a federal privacy law that includes a private right of action.[35] Republicans favor a law that explicitly preempts state privacy laws like those in California, Nevada, and Maine.[36] Many commentators have suggested that enacting federal privacy legislation will be difficult in 2020 given the federal elections, and expect states to be more successful in enacting privacy legislation.[37] Indeed, comprehensive federal privacy legislation has been a topic of discussion for many years, but such legislation has not yet been enacted.

i. House Energy and Commerce Committee Staff Bipartisan Draft Privacy Bill

One bill that is likely to see action in 2020 is a bipartisan staff draft out of the House Energy and Commerce Committee. The House Energy and Commerce Committee draft bill is more comprehensive than the CCPA because it establishes within the FTC a specialized enforcement arm, the Bureau of Privacy, and an Office of Business Mentorship to assist with compliance.[38] Many parts of the bill, however, are still in flux.[39] Notably, it does not, in its current form, contain a private right of action or address state law preemption, despite advocates both proposing and opposing such measures.[40] In terms of consumers, the proposal would include, among other protections the right to request to know information collected and the purpose of collection; the right to correct personal information; the right to request to delete information; and the ability to port that information to another service provider.[41]

The draft bill also places requirements on businesses, similar to those of the European Union’s GDPR: maintaining privacy policies; implementing a privacy program and establishing reasonable policies, practices and procedures for the processing of covered data; designating a privacy protection officer; and seeking affirmative consent for the processing of covered data unless the processing is “consistent with the reasonable consumer expectations within the context of the interaction between the covered entity and the individual.”[42] Additionally, large companies would be required to provide annual filings to the FTC, including the results of an internal risk assessment and measures taken to address those risks. The bill also mandates express affirmative consent for all processing of sensitive information, which consent must be given separately for each type of personal information processed.[43]

While the draft bill is a step toward a bipartisan, comprehensive privacy law, at the time of publishing this Review, the two major political parties have not reached an agreement regarding several sections of the bill, including exceptions to the consent requirement, categorization of sensitive data and de-identified data, revenues and amounts of data processing sufficient to require heightened compliance from companies; opt-out requirements for first-party marketing; discriminatory use of data; and the size of the Bureau of Privacy; along with the issues of preemption and a private right of action.[44]

ii. Consumer Online Privacy Rights Act and United States Consumer Data Privacy Act of 2019

The proposed Consumer Online Privacy Rights Act (“COPRA”),[45] introduced by Senator Maria Cantwell (D-WA), and the draft United States Consumer Data Privacy Act of 2019 (“CDPA”),[46] circulated by Senator Roger Wicker (R-MS), Chairman of the Senate Commerce Committee, share many of the features included in the House Energy and Commerce Committee staff bipartisan draft privacy bill, requiring companies to adopt privacy policies and risk-based data security practices and assessments, and provide consumers the right to access, correct, delete, and port their data.[47] The Democrat-backed COPRA contains a private right of action while CDPA does not, and CDPA contains broad state-law preemption, while COPRA generally does not.[48]

b) Other Federal Legislation

There were several other privacy-related bills introduced in 2019 and 2020 prior to the publication of this Review, including: Online Privacy Act of 2019,[49] Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data Act,[50] Do Not Track Act,[51] Social Media Privacy Protection and Consumer Rights Act of 2019,[52] Algorithmic Accountability Act of 2019,[53] Balancing the Rights of Web Surfers Equally and Responsibly Act of 2019,[54] Privacy Bill of Rights Act,[55] Information Transparency & Personal Data Control Act,[56] the DATA Privacy Act,[57] and the Preventing Real Online Threats Endangering Children Today (“PROTECT”) Kids Act.[58] None, as of this writing, has gained significant traction.

Most of these bills substantially overlap with the comprehensive federal privacy bills discussed above—except for the following legislation:

The Do Not Track Act, introduced by Senator Josh Hawley (R-MO), would require the FTC to develop an online Do Not Track (“DNT”) system.[59] Opting in would prevent sites and apps from tracking a user without consent, but a user could still consent to tracking by certain apps or sites.[60] If a user opted in to DNT, then that user would transmit a signal indicating that a company would be disallowed from targeted advertising or information sharing without prior permission.[61] And in the event a user does not transmit such a signal, the site or app would still have to notify the user that the DNT system is available for them to opt into.[62]
The Algorithmic Accountability Act of 2019, introduced by Senators Cory Booker (D-NJ) and Ron Wyden (D-OR), would require companies to conduct impact assessments to explain how their algorithms work and evaluate their algorithms’ use of personal information against the following metrics: “accuracy, fairness, bias, discrimination, privacy and security.”[63] Then, the Act would allow the FTC to promulgate compliance regulations based on the algorithm(s) used.[64]
Two similar bipartisan bills, the Preventing Real Online Threats Endangering Children Today (PROTECT Kids Act),[65] introduced in the House by Representatives Tim Walberg (R-MI) and Bobby Rush (D-Ill.), and a set of amendments to the 1998 Children’s Online Privacy Protection Act (“COPPA 2.0”),[66] introduced by Senators Ed Markey (D-MA) and Josh Hawley (R-MO), would update the original COPPA with additional protections. Both bills would raise the minimum age under which parental consent must be obtained before a company can collect personal data and location from 13 to 16 years old.[67] The PROTECT Kids Act would clarify that COPPA applies to mobile applications as well as other types of online activity, and expands the types of personal information protected under COPPA to include geolocation and biometric information.[68] COPPA 2.0, meanwhile, would provide parents with the ability to “erase” their children’s data from particular services.[69]

B. Enforcement and Guidance

1. Federal Trade Commission

a) Priorities

In 2019, the Federal Trade Commission (“FTC”) remained one of the most active and aggressive regulators of privacy and data security. The Commission continued to conduct policy reviews on a wide range of issues as part of its “Hearings Initiative” announced in 2018, which involved public hearings that took place through the spring of 2019.[70] The FTC also announced plans to study the privacy practices of internet service providers and has issued orders to seven companies to obtain information about their policies and practices with regard to collecting, using, and sharing personal information of consumers.[71] Relatedly, the FTC has also emphasized changes it has made to strengthen and improve “data security orders” issued to companies, making such orders more specific, increasing accountability for third-party assessors of compliance, and requiring that companies elevate data security concerns to their boards or similar governing bodies.[72]

The Commissioners emphasized their commitment to pursuing enforcement actions against companies that engage in unfair or unreasonable privacy and data security practices with all of the tools available to the FTC.[73] Recognizing potential limits to the FTC’s authority, however, the majority of the Commissioners have called on Congress to enact legislation that would: (1) authorize the FTC to obtain civil penalties for initial privacy and data security violations; (2) provide the FTC with narrow Administrative Procedure Act (“APA”) rulemaking authority to allow it to keep up with technological developments; and (3) give the FTC jurisdiction over nonprofits and common carriers.[74] The Commissioners also urged Congress to enact a national privacy law that would be enforceable by the FTC.[75] With growing public demand for additional consumer privacy protections, pressure on Congress to enhance the FTC’s authority to protect consumer privacy will likely continue.

b) Data Security and Privacy Enforcement

Demonstrating the Commissioners’ commitment to their cited priorities, the FTC continued to pursue enforcement actions related to privacy and data security in 2019, a number of which included significant monetary remedies and new prescriptive standards for information security and privacy programs in the technology industry.

Political Consulting Firm, Former CEO, and App Developer. In December 2019, the FTC entered into a settlement to resolve allegations that the former CEO of Cambridge Analytica and a developer of apps for the firm used deceptive tactics to collect personal information from social media users that it then used to target and profile voters.[76] Under the settlement agreement, the former CEO and app developer are prohibited from making false or deceptive statements about the extent to which they collect, use, share, or sell personal information and the purposes for which such data is acquired and distributed.[77] The former CEO and app developer are also required to destroy any personal information collected from consumers via the app that was used in violation of the FTC Act and any work product that originated from that data.[78] Notably, in its home country the firm has also been subject to discipline by the United Kingdom’s Information Commissioner’s Office for its data collection and utilization practices.[79]

The FTC also issued an opinion that found that the firm, which filed for bankruptcy last year, engaged in similar deceptive tactics in violation of the FTC Act and misrepresented its participation in the EU-U.S. Privacy Shield framework.[80] The final order prohibits the firm from misrepresenting the extent to which it protects personal information and its participation in the EU-U.S. Privacy Shield framework or other regulatory organizations.[81] The order also requires the firm to continue to apply Privacy Shield protections to personal information it collected while participating in the Privacy Shield program or to return and delete the information.[82]

Email Management Company. The FTC announced a final settlement with an email management company in December 2019, resolving allegations that the company deceived consumers about how it accessed and used their email.[83] Specifically, the FTC alleged that despite telling consumers that it would not “touch” their personal emails while helping users consolidate emails or unsubscribe from unwanted communications, the company shared users’ email receipts with its parent company, who in turn used the personal contact and purchasing information in the market research analytics products it sells.[84] Under the settlement agreement, the company is prohibited from misrepresenting the extent to which it collects, uses, stores, and shares consumer data.[85] Additionally, the company and its parent company must delete email receipts previously collected unless they obtain express consent to maintain the receipts.[86]

Operation Services Company. In November 2019, the FTC entered into a settlement with a Utah-based technology company that provides back-end operation services to multilevel marketers over allegations that the company failed to enact reasonable security safeguards, and, as a result, allowed a hacker to access personal information of approximately one million consumers over a two-year period.[87] Specifically, the FTC alleged that the company failed to delete personal information it no longer needed, neglected to implement cybersecurity safeguards to detect unusual activity on its network, and failed to adequately segment and test its network and conduct code review of its software.[88] Additionally, the FTC alleged that the company stored personal consumer information, including Social Security numbers, payment card information, and passwords, in clear, readable text on its network.[89] The proposed settlement prohibits the company from collecting, selling, sharing, or storing personal information unless it implements an adequate information security program which includes cybersecurity risk assessment, safeguards to protect personal information, and testing and monitoring of safeguards.[90] The settlement also requires a third-party assessment of the company’s information security program every two years for the next 20 years.[91]

App Developer. In October 2019, the FTC pursued its first case against a the developer of a “stalking” app (an app that can allow purchasers to monitor a mobile device’s activity without the knowledge or consent of the device’s users). The FTC alleged such apps compromised the privacy and security of the mobile devices on which these apps were installed.[92] The developer allegedly failed to adequately secure the information collected from the mobile devices, which resulted in a hacker accessing usernames, passwords, text messages, GPS locations, photos, and other data.[93] The FTC alleged that the company and its owner violated the FTC Act and COPPA, which requires operators to secure information collected from children under the age of 13.[94] The settlement agreement requires the app developer and its owner to delete data collected from the apps and prohibits them from promoting, selling, or distributing any monitoring app that requires users to bypass a mobile device’s security protections absent assurances that the app is being used for legitimate purposes.[95] It also requires the app developer and owner to implement and maintain a comprehensive security program and obtain third-party assessments of the program every two years for the next 20 years.[96] Under the settlement, the app developer and owner are also prohibited from violating COPPA and from misrepresenting the extent to which they protect the personal information they collect.[97]

Auto Dealer Software Company. Establishing a prescriptive standard for what constitutes reasonable security under the FTC Act, in September 2019 the FTC approved a final order settling charges against an Iowa-based auto dealer software provider that allegedly failed to take basic, low-cost measures to secure consumer data.[98] The FTC alleged that the security failures resulted in a data breach that exposed personal information of over 12 million consumers stored by 130 of the company’s auto dealer clients.[99] Under the final order, the software company is prohibited from sharing, collecting, or maintaining personal information unless it implements and maintains a comprehensive information security program designed to protect consumers’ personal information.[100] The order also requires the company to obtain third-party assessments of its information security program every two years for 20 years, and requires a senior corporate manager responsible for overseeing the information security program to certify the company’s compliance with the order on an annual basis.[101] Such a standard can be instructive for interpreting other privacy laws that do not define “reasonable security,” including the CCPA (discussed further above).

Internet Search Engine and Video Sharing Platform. A web search engine and its subsidiary video sharing platform agreed to a settlement with the FTC and the New York Attorney General in September 2019 to resolve allegations that the video sharing platform collected personal information from children without parental consent, in violation of COPPA.[102] The video sharing service allegedly knew that a number of its channels were directed at children but did not comply with COPPA’s requirements to obtain parental consent prior to collecting personal information about children.[103] As part of the settlement, the companies agreed to pay $34 million to New York and $136 million to the FTC, the largest monetary penalty the FTC has ever obtained in a COPPA case.[104] The proposed settlement also requires the companies to develop, implement, and maintain a system on the video sharing platform that allows channel owners to designate child-directed content so the companies can ensure compliance with COPPA.[105] Additionally, the settlement requires the companies to notify channel owners that child-directed content may be subject to COPPA and provide COPPA training to employees who interact with channel owners.[106] Finally, the settlement requires the companies to provide notice about their data collection practices and obtain parental consent prior to collecting personal information from children under the age of 13 and prohibits future violations of COPPA.[107]

Social Media Company. In July 2019, the FTC and DOJ filed a proposed consent order to resolve allegations that a social media company violated an earlier consent order with the FTC entered in 2012 by misrepresenting to consumers the extent of data sharing with third-party applications and the control consumers had over such sharing, and by failing to maintain a reasonable privacy program.[108] The FTC also alleged that the social media company engaged in deceptive practices related to the collection and use of consumer phone numbers to enable security features.[109] As part of the settlement, the company agreed to pay a $5 billion civil penalty, without admitting or denying the FTC’s allegations except as specifically stated in the proposed order.[110] In addition to the monetary penalty, the settlement order expands on the privacy program requirements embodied in the 2012 order and enhances oversight and accountability of the company’s data privacy practices.[111] In addition to requiring the company to implement early detection measures, the order also requires reporting of covered incidents to the FTC and regular status updates to the FTC regarding such incidents until their resolution.[112] The order further imposes the requirement that the company’s chief executive periodically certify that the company is in compliance with its obligations under the order.[113]

Consumer Credit Reporting Agency. In July 2019, a consumer credit reporting agency agreed to pay at least $575 million, and up to $700 million total as part of a global settlement with consumers, the FTC, the Consumer Financial Protection Bureau, and attorneys general representing 50 U.S. states and territories based on allegations that the credit reporting agency’s failure to implement basic measures to secure personal information on its network resulted in a data breach in 2017 that impacted 147 million people.[114] To address identity theft risks caused by the data breach, a portion of the settlement announced in July was to be dedicated to a fund that will provide affected consumers with credit monitoring services, a remedy discussed further below.[115] In addition to providing such monetary relief to consumers, the settlement also requires the credit reporting agency to implement a comprehensive data security program.[116] Under the settlement, the credit reporting agency must obtain third-party assessments of its information security program every two years for the next 20 years and must provide an annual update to the FTC regarding the status of the consumer claims process.[117]

Smart Home Products Manufacturer. The FTC entered into a settlement with a manufacturer of smart home products in July 2019 over allegations that the company misrepresented the measures it took to secure its wireless routers and internet-connected cameras, leaving sensitive consumer information, including live video and audio feeds, exposed to third parties.[118] The manufacturer allegedly told consumers that its products offered “advanced network security,” but failed to perform basic testing and remediation to address well-known security flaws and stored mobile app login credentials in clear, readable text on a user’s mobile device.[119] Under the proposed settlement, the manufacturer is required to implement a comprehensive security program that includes specific planning, testing, and monitoring standards.[120] The settlement also requires the manufacturer to obtain biennial, third-party assessments of its software security program for ten years.[121]

Video Social Networking App. In February 2019, the operators of a video social networking app agreed to pay $5.7 million to settle FTC allegations that the company violated COPPA by collecting personal information from children without obtaining parental consent.[122] Profile information of users, including children, was public on the app and could be seen by other users,[123] and the FTC alleged that the company was aware that a significant portion of its users were under the age of 13 and had received thousands of complaints from parents of young children.[124] In addition to the monetary payment, the settlement requires the app’s operators to take offline all videos made by children under the age of 13.[125]

Privacy Shield Enforcement. As discussed above, the FTC also brought actions against a number of companies regarding false claims of certification under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, which allow companies to transfer personal data lawfully from the European Union and Switzerland, respectively, to the United States.[126] Each company held itself out as being certified and compliant with the Privacy Shield(s), despite failing to complete the certification process or allowing their certifications to lapse.[127] The FTC also sent warning letters to a number of other companies that falsely represented participation in these Privacy Shield frameworks, calling for them to remove statements regarding their participation in these frameworks from their websites and other company documents within 30 days.[128] The FTC has emphasized that enforcement of the Privacy Shield frameworks is a “high priority,”[129] and Gibson Dunn will continue to monitor developments in this area.

c) Circuit Split Over FTC Monetary Relief Authority

The FTC has long viewed its authority to recover monetary relief under Section 13(b) of the FTC Act as well settled, despite the lack of express reference to monetary remedy or relief in the provision, which refers only to “injunctions.”[130] The United States Supreme Court had not yet addressed whether Section 13(b) authorizes monetary relief, but prior to this year, the nine federal courts of appeals that had addressed the issue had construed Section 13(b) to allow the FTC to obtain monetary relief, including restitution, rescission, and disgorgement.[131] However, in August 2019, the Court of Appeals for the Seventh Circuit issued a decision in FTC v. Credit Bureau Center, LLC, expressly overturning its own precedent and breaking with eight other circuit courts by holding that Section 13(b) does not authorize the FTC to seek monetary awards.[132]

The implications of Credit Bureau are potentially far-reaching. Other circuit courts may decide to reconsider their own opinions on this issue, many of which rely on a now-overturned Seventh Circuit decision. Additionally, in December, the FTC filed a petition for a writ of certiorari asking the Supreme Court to review the decision,[133] and the likelihood of the Supreme Court granting certiorari is heightened because the prior Seventh Circuit decision Credit Bureau overruled was relied upon by many other circuits in decisions upholding the FTC’s authority to obtain monetary relief under Section 13(b). If the Supreme Court affirms the decision, the FTC’s ability to obtain monetary relief under Section 13(b) will be eliminated or significantly restricted. In that case, the Commission, absent new statutory authority, would be limited to pursuing monetary remedies through other existing means, including the process set forth in Section 19 of the FTC Act that requires, as a condition to such relief, that the agency invoke a previously promulgated rule or prevail in a prior administrative proceeding. Unsurprisingly, while the Supreme Court decides whether to grant certiorari, the Commissioners continue to urge Congress to pass legislation that will grant the FTC authority to obtain monetary relief for initial privacy and data security violations.[134] Congress’s decision to pursue the legislation requested by the Commissioners may be influenced by the ultimate resolution of Credit Bureau.

2. Department of Health and Human Services and HIPAA

The Department of Health and Human Services (“HHS”) continued in its efforts to enforce patient privacy protections in 2019, both through investigations and civil penalties for violations of Health Insurance Portability and Accountability Act (“HIPAA”) regulations. HHS also continued to consider major overhauls to the HIPAA regulations. HHS was not the only entity to enforce healthcare privacy violations in the last year, as 2019 saw the resolution of the first multistate data breach lawsuit brought by Attorneys General of several states alleging violations of HIPAA. These developments are addressed below.

a) HHS OCR Enforcement

In February 2019, the HHS’s Office for Civil Rights (“OCR”), the office that enforces HIPAA privacy, security, and breach notification rules, reported it had amassed a record $28.6 million in civil penalties from HIPAA violators in 2018.[135] In April 2019, OCR announced that it would reduce the penalties it seeks for lower-level HIPAA violations in the future,[136] and some observers have suggested that the total for 2019 was only around $12 million.[137] Nonetheless, there were several notable HIPAA-related settlements, judgments, and proceedings during 2019:

Medical Imaging Services Company. In May 2019, OCR announced a $3 million settlement with a medical imaging services company based on violations of HIPAA data privacy rules.[138] OCR found the imaging company had posted the PHI of more than 300,000 patients on an unsecured server, permitting search engines to index this PHI and make it publicly available.[139]

Hospital System. In October 2019, OCR reached a settlement imposing a civil penalty of more than $2.1 million on a hospital system after two hospital employees stole the PHI of more than 24,000 patients. An OCR investigation found the hospital system’s compliance regime had failed to regularly review system access records, did not restrict employee authorization to appropriate levels, and did not timely report this breach to HHS.

State Government Health Agency. OCR announced in November 2019 that it would impose a $1.6 million civil penalty against a state agency which provides assisted living centers, drug and substance use services, and supplemental nutrition benefit programs. OCR found that a data breach led to the posting of roughly 6,500 patients’ PHI on a publicly viewable internet site.[140] OCR also found that, because the agency did not deploy adequate activity audit controls, it was unable to determine how many unauthorized persons may have accessed the data at issue.

University Medical Center. Also in November 2019, OCR announced a settlement in which a university medical center agreed to pay penalties of $3 million and to take corrective action after PHI was impermissibly disclosed through the loss of two unencrypted mobile devices: a flash drive and a laptop.[141] OCR specifically noted that it had investigated the medical center for a very similar violation in 2010, and that the medical center continued to permit the use of unencrypted mobile devices even after this investigation.[142]

HIPAA Right of Access Initiative and Settlements. In spring 2019, OCR announced a new “HIPAA Right of Access Initiative” to enforce compliance with HIPAA requirements that guarantee patients’ right to prompt and economical access to their health records.[143] Late in the year, OCR announced the first- and second-ever enforcement actions and settlements under this initiative. The first, announced in September 2019, implicated a hospital operator that failed to timely provide a patient with access to her fetal heart monitor data.[144] The second, announced in December 2019, implicated a primary care provider that failed to timely provide a patient’s electronic medical records to a third party.[145] In each case, the provider agreed to pay OCR $85,000 and to adopt a corrective action plan.[146]

Cancer Center Challenges OCR Authority. Finally, 2019 also saw litigation which might ultimately reduce OCR’s regulatory capability going forward. In a 2018 ruling, OCR won a $4.3 million civil penalty against a hospital-based cancer center for violations of HIPAA. There, an administrative law judge for HHS found on summary judgment that the cancer center had violated HIPAA following the theft or loss of a laptop and two USB thumb drives containing unencrypted ePHI in 2012 and 2013, and assessed the penalty at issue.[147] In April 2019, however, the cancer center appealed this decision to a federal district court in Texas, requesting that the penalty be reduced or overturned. The cancer center’s petition argues that the $4.3 million penalty was unconstitutionally excessive, and that OCR lacked statutory authority to impose it.[148] Gibson Dunn will continue to monitor developments on this matter.

b) Request for Public Comments on Reforming HIPAA

In addition to bringing enforcement actions, HHS also concluded a far-ranging review of HIPAA regulations, which sought to “remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.”[149] The request for public comments closed in February 2019 after receiving over 1,300 submissions,[150] with commenters ranging from state health agencies[151] and disability health advocates[152] to professional associations representing healthcare providers.[153] HHS has not yet announced further action on the proposed rulemaking, and Gibson Dunn will continue to monitor developments.

c) State Attorneys General Settle Multistate Action Premised on HIPAA

In a multistate data breach lawsuit alleging violations of HIPAA, a bipartisan group of 16 state Attorneys General, led by Indiana Attorney General Curtis T. Hill Jr., settled a lawsuit in Indiana federal court against a healthcare information technology company and its subsidiary related to a breach discovered in 2015 that compromised personal data of 3.9 million people.[154] The initial lawsuit, filed in December 2018, had alleged that the company failed to protect ePHI in the hands of its business associate after a breach related to a third-party web application.[155] Under the terms of the judgment and consent decree, the company agreed to pay a $900,000 settlement and to deploy more rigorous data security protections in the future.[156]

3. Securities and Exchange Commission

The Securities and Exchange Commission (“SEC”) continued to devote increased attention to cybersecurity and data-protection issues in 2019, evidenced by its updated guidance on privacy and cybersecurity to private firms. One area of focus for the Commission has been cryptocurrency and initial coin offerings. While the SEC has continued to bring enforcement actions related to cryptocurrency, it has also suggested that it may refrain from taking action against virtual currency companies provided that certain parameters exist.

a) Data Privacy Guidance and Examination Priorities

In April 2019, the SEC issued guidance addressing privacy notices and safeguard policies that SEC-registered investment bankers and broker-dealers must comply with.[157] This guidance noted that the SEC’s Office of Compliance Inspection and Examination (“OCIE”) had identified common deficiencies, such as failure to provide customers with sufficient data privacy notices or to inform them of their right to opt out of certain disclosures.[158] The guidance also noted that common areas of deficiency include use of personal devices to store customer information, use of unsecured networks, and failures to ensure that outside vendors adhere to confidentiality standards.[159]

Separately, OCIE released its 2020 Examination Priorities for registered firms in early January 2020.[160] The Priorities make clear that registrants’ use of non-traditional sources of data from inputs like mobile device geolocations, consumer credit card records, and other internet-based information, sometimes known as “alternative data,” will be a focus of examination review.[161] The Priorities also make clear that OCIE will prioritize cyber and other information security risks throughout its examinations.[162]

b) Cybersecurity and Data Breaches

Attempted Hacking of EDGAR database. In early 2019, the SEC brought charges against a Ukrainian-led group of nine defendants for attempting to hack the SEC’s EDGAR[163] data system, the primary system through which companies submit filings required by law to the SEC. The defendants had hacked into the database to extract nonpublic information to use for illegal trading,[164] reaping an alleged $4.1 million in profits from the scheme.[165]

Data Misuse Risk Disclosure. The SEC also brought charges against a social network company alleging it had made misleading disclosures regarding the risk that the company might misuse consumer data. Specifically, the SEC alleged that the company failed to disclose that customer data had been misused for several years after the company became aware of the misuse. The SEC and the company agreed to settle the matter for a civil penalty of $100 million without the company admitting or denying the allegations.[166]

Enforcing Regulation Systems Compliance and Integrity. In September 2019, the SEC brought an enforcement action against a securities clearing agency for violation of the Regulation System Compliance and Integrity (“Reg SCI”) rules, including failing to establish and enforce procedures around financial risk management and information system security. The clearing agency ultimately settled by agreeing to pay $20 million in penalties and to comply with extensive remedial measures.[167] The SEC noted that this action was particularly important in light of the risks that the clearing agency’s practices posed to “the broader financial system.”[168]

c) Cryptocurrency

Unregistered and/or Fraudulent Initial Coin Offerings. In 2019, the SEC focused substantial enforcement resources on combatting unregistered or fraudulent Initial Coin Offerings (“ICOs”) to the public. In February, the SEC halted the unregistered sale of over $12.5 million in digital assets as part of an unregistered ICO. The SEC required the issuer to return funds to all investors who purchased the tokens and to register the tokens pursuant to the Securities Exchange Act of 1934. It did not, however, impose any monetary penalties, citing the issuer’s cooperation and interest in taking prompt remedial steps.[169] In October, the SEC filed an emergency action and obtained a temporary restraining order against several offshore entities suspected of conducting an unregistered ICO that raised more than $1.7 billion of investor funds.[170] Finally, in December 2019, the SEC filed a complaint alleging a digital-asset entrepreneur had conducted a fraudulent ICO raising more than $42 million.[171]

First “No Action” Letter for Cryptocurrency. While continuing to target cryptocurrency operators who run afoul of federal regulations, the SEC also published its first ever “no action” letter for the use of a virtual token currency.[172] Specifically, the SEC stated that a business-travel startup’s sale of cryptocurrency travel tokens to the public would not trigger enforcement action, provided the token’s price stays fixed at one U.S. dollar each, that they are used only for air charter services, and that the startup will not represent the tokens as having potential profit value.[173]

4. Other Federal Agencies

In addition to the FTC, HHS and SEC, other federal government entities continue to make headlines in the data security and privacy space. This past year, there were notable developments at the Federal Communications Commission (“FCC”), the Consumer Financial Protection Bureau (“CFPB”), the Department of Defense (“DoD”), and other federal agencies.

a) Federal Communications Commission

i. Illegal Robocall Mitigation

Mitigating and preventing illegal robocalls remained a core focus for the FCC in 2019. In June, the FCC issued rules clarifying that voice service providers could offer tools that blocked calls reasonably suspected to be illegal spam robocalls.[174] And in August, the FCC issued an order banning caller ID “spoofing” of phone numbers on text messages and on incoming international calls.[175]

Alongside these measures, the FCC continues to encourage telecommunications companies to roll out the STIR/SHAKEN[176] framework of call authentication for consumer use.[177] STIR/SHAKEN provides legitimate calls with digital authentication tokens, making it easier for carriers to identify and filter out spam robocalls. Several carriers have already adopted STIR/SHAKEN-based tools for users.[178] And under the newly passed federal TRACED Act[179], the FCC has increased authority to mandate other carriers to deploy such authentication.[180]

ii. National Security Purchasing Order and Proposed Rulemaking

In November, in response to purported concerns that Chinese telecommunications firms might be using technological assets to spy on the United States,[181] the FCC took two interrelated steps to bar recipients of FCC Universal Service Funds (“USF”) from purchasing from foreign companies deemed to pose national cybersecurity threats. First, the FCC adopted an Order barring companies from spending any USF funds on such purchases.[182] At least one Chinese company alleged to present such a threat has sued the FCC to challenge this policy, and its petition is currently pending in the U.S. Court of Appeals for the Fifth Circuit.[183]

At the same time, the FCC issued a Further Notice of Proposed Rulemaking (“FNPR”) seeking comment on rules that condition the receipt of any USF funds on certifying that a company does not use or purchase any such services or equipment.[184] The FNPR comment period closes on February 3, 2020, while the window for reply comments closes March 3, 2020.

b) Consumer Financial Protection Bureau

The CFPB has continued to operate under uncertainty regarding its continued existence and, by extension, its role in consumer data protection. Late in 2018, Kathy Kraninger was confirmed by the Senate as the new CFPB director.[185] Initially, she asserted the agency would engage in vigorous enforcement action and make consumer data security an important priority.[186] But in September 2019, Kraninger filed a Supreme Court brief stating that she now believed the CFPB was unconstitutionally created and so must be disbanded.[187] The Court is set to decide that question in 2020.[188]

Despite this uncertainty, in July, the CFPB, in conjunction with the FTC and various state regulators, announced a settlement with a national provider of consumer credit information over a data breach which impacted 150 million consumers.[189] Under this agreement, the provider would pay up to $700 million in monetary relief, including up to $425 million in monetary relief to consumers.[190]

c) Department of Defense

The DoD made new efforts to address and defeat cybersecurity threats in 2019, particularly with respect to the national security supply chain. To this end, the DoD’s Guidebook for Contractor Purchasing[191] highlighted that safeguarding DoD-covered defense information would be critical to supply chain management[192] and proposed various measures to check for vendor compliance with the Department’s cybersecurity standards.[193]

Perhaps the most significant procurement-related developments came in the rollout of the DoD’s Cybersecurity Maturity Model Certification (“CMMC”) program for vendors on the DoD’s supply chain. The CMMC will set out a proposed five-level hierarchy of “cyber hygiene” standards suppliers of DoD equipment must meet to contract with the Department, with each ascending level corresponding to a higher level of required protection depending on the sensitivity of the product involved.[194]

The CMMC’s goal is to review and combine cybersecurity standards and best practices from across the information technology industry, to certify independent third-party organizations to conduct audits and inform the development of the standards, and to build upon existing vendor regulations by adding a verification component.[195] Throughout 2019, the DoD released draft versions of the CMMC for comment and review, with the most recent released in December.[196] As the CMMC program comes into place, vendors may face challenges implementing it and matching the new standards as they upgrade their measures of protection.[197]

DoD itself may also have some work to do: in 2019, various audits revealed areas of potential vulnerability which the DoD must work to address. In July, the DoD’s Inspector General issued reports warning the Department had taken insufficient steps to verify the cybersecurity risk posed by off-the-rack technology systems purchased by DoD personnel,[198] and that DoD contractors failed to take cybersecurity precautions such as requiring multifactor authentication and systematically identifying network vulnerabilities.[199]

As it increases its focus on cybersecurity, the DoD will be guided by this year’s iteration of the National Defense Authorization Act,[200] which establishes a Principal Cyber Advisor for each of the military services, directs the Department to produce an annual report on military cyberspace operations, and endorses the CMMC program.[201]

d) Other Agencies

Apart from these examples, other federal agencies also made news in the data and cybersecurity space throughout 2019. In June, the DOJ announced an antitrust investigation into some of the nation’s largest technology companies,[202] with the company’s practices of amassing substantial amounts of consumer data flagged as a potential antitrust concern.[203] Gibson Dunn will continue to monitor developments as this effort proceeds.

In September, the Commodity Futures Trading Commission imposed a $1.5 million fine on a commissions merchant for allowing an email phishing attack to steal $1 million in customer funds via the company’s computer systems.[204] In December, the Department of Commerce initiated a notice of proposed rulemaking on regulations to block transactions that might endanger the nation’s information and communications technology supply chain.[205] 2019 also saw the Department of Energy continue efforts to improve the cybersecurity of America’s critical infrastructure systems,[206] albeit with warnings from watchdogs like the Government Accountability Office that key vulnerabilities remained.[207] And the Department of Homeland Security (“DHS”) itself came under scrutiny after a data breach at the Federal Emergency Management Agency (“FEMA”) exposed the sensitive data of over 2.3 million disaster survivors.[208]

Notably, the National Institute of Standards and Technology (“NIST”) also released two updated standards for other federal agencies to use in procurement when contracting with vendors. The first, NIST SP 800-171, Revision 2,[209] addresses contractual protections vendors should have when protecting Controlled Unclassified Information (“CUI”). This draft made comparatively minor changes from previous versions, but emphasized that Version 3, its next revision, will likely provide a comprehensive update.[210] NIST also released a draft of NIST SP 800-171B,[211] a heightened set of contracting standards intended for vendors engaged in “Critical Programs and High Value Assets,” and specifically focused on “(1) penetration resistant architecture; (2) damage-limiting operations; and (3) designing for cyber resiliency and survivability.”[212] And in January of 2020, NIST also released Privacy Framework Version 1.0, aimed at providing voluntary strategies and tools for organizations that want to “improve their approach to using and protecting personal data.”[213]

As data and privacy concerns become more salient, the depth and degree of federal agency involvement will surely continue to grow.

5. State Attorneys General and Other State Agencies

State-level regulators also continued to play a key role in data privacy and security matters in 2019, collaborating to bring enforcement actions yielding recoveries in the hundreds of millions of dollars and actively protecting consumers from the danger of data breaches.

a) State Attorneys General

As noted above, in July 2019, Attorneys General from 48 states, Puerto Rico, and the District of Columbia, along with the FTC and CFPB, settled a long-running dispute against a major credit reporting agency. This action stemmed from a 2017 data breach in which unauthorized persons gained access to portions of the reporting agency’s network, affecting more than 147 million consumers. Under the settlement, as discussed, the reporting agency is required to implement various consumer protection safeguards and controls and to offer no-cost credit monitoring to consumers as discussed above. In particular, in addition to other remedies described above, the agency had to pay the Attorneys General $175 million for purposes including consumer education and litigation costs.[214]

On July 31, a manufacturer of security camera software agreed to pay $8.6 million to settle multistate litigation alleging that the company violated the False Claims Act (“FCA”) and state whistleblower acts because it knowingly failed to report or remedy flaws in the security surveillance systems it sold to the federal government and to multiple state governments. These flaws made the system vulnerable to hackers. The settlement provided refunds to the federal government and 16 states that had purchased the allegedly defective software. This was the first cybersecurity-related settlement under the FCA or comparable state statutes.[215]

In October 2019, the Attorneys General of 47 states and territories announced a multistate antitrust investigation into a social networking platform. This investigation is being led by the New York Attorney General and will focus on whether the platform has stifled competition and put consumers’ data at risk. Many of the Attorneys General who have joined this investigation have issued statements emphasizing the need to combat anticompetitive business practices and protect consumer data.[216]

Individual states also took action apart from litigation. In October 2019, New Jersey’s Attorney General announced a new “Cyber Savvy Youth” initiative. This initiative will educate and test the cybersecurity knowledge of students from kindergarten through high school. At the same time, the state’s Division of Consumer Affairs announced the 2018 statistics regarding data breaches affecting New Jersey residents: 906 data breaches were reported to the New Jersey State Police last year, a nearly 6 percent decrease from the 958 breaches reported in 2017. In addition, civil settlements reached by the Attorney General’s Office following data breach incidents had resulted in more than $6.4 million in recoveries for the state on a year-to-date basis.[217]

b) New York Department of Financial Services

Apart from Attorneys General, other state regulators continued to engage in the data privacy space. In May 2019, for example, New York’s Department of Financial Services (“DFS”) announced the creation of a new Cybersecurity Division. The Division will focus on protecting consumers and industries from cyber threats by conducting cyber-related investigations, issuing regulatory guidance, offering counsel, and enforcing DFS’s cybersecurity regulations.[218]

II. Civil Litigation

A. Data Breach Litigation

Just nine months into the year, the number and sheer scale of cyberattacks occurring in 2019 had already surpassed those of prior years, earning 2019 the label of “the worst year on record” for data security breaches.[219] Not surprisingly, several high-profile attacks in 2019, including the following, culminated in consumer class action and shareholder litigation.

Clinical Laboratories. On June 3, 2019, a medical diagnostics provider announced that its medical billing contractor suffered a data breach between August 1, 2018 and March 30, 2019, in which hackers accessed the personal data of nearly 12 million of the laboratory’s customers.[220] Another leading clinical laboratory that contracted with the same billing contractor was also impacted by the breach, which affected up to 7.7 million of its patients.[221] Class action lawsuits were subsequently filed in federal and state courts, including in California and New Jersey.[222] On June 18, 2019, the billing contractor filed for bankruptcy, citing the fallout from the breach.[223]

Convenience Store Chain. On December 19, 2019, a convenience store chain announced that it had discovered malware capable of exposing credit card numbers, expiration dates, and cardholder names at all of the chain’s more than 850 stores.[224] In the weeks following the announcement, nearly a dozen proposed class action lawsuits were filed in the Eastern District of Pennsylvania.[225]

2. Updates in High-Profile Data Breach Cases from Prior Years

a) Key Settlements

Consumer Credit Reporting Agency. As outlined above, in July 2019 a consumer credit reporting agency agreed to pay at least $575 million, and up to $700 million, as part of a global settlement with consumers, the FTC, the Consumer Financial Protection Bureau, and 50 U.S. states and territories based on allegations that the reporting agency’s failure to implement basic measures to secure personal information on its network resulted in a data breach in 2017 that impacted 147 million people. On December 19, 2019, a federal district judge in Georgia granted final approval to that portion of the global settlement defining monetary relief for consumers impacted by the breach. Under approved settlement, the reporting agency will pay up to $425 million in restitution to consumers, $77.5 million in attorney’s fees to class counsel, and up to $3 million in class counsel litigation expenses.[226] The company also agreed to spend $1 billion to improve its own cybersecurity, pay in full all valid consumer claims for out-of-pocket expenses, and cover credit monitoring services for affected consumers.[227] The federal judge approving the consumer settlement concluded that the deal, which encompasses more than $7 billion in aggregate benefits to consumers, represents “the largest and most comprehensive recovery in a data breach case in U.S. history by several orders of magnitude.”[228]

Internet Service Company. On July 20, 2019, a federal district judge in the Northern District of California preliminarily approved a $117.5 million settlement to resolve litigation arising out of a trio of data breaches of an internet service provider’s user account data between 2012 and 2016.[229] The deal covers an estimated 194 million class members.[230] The preliminary approval came after the judge had rejected prior versions of the settlement, citing a lack of sufficient specificity as to the class size, monetary and non-monetary relief, and details of the nature of the data breaches.[231]

Earlier in the year, in January 2019, a California Superior Court judge approved a $29 million deal to resolve three shareholder derivative lawsuits against the company’s former officers and directors in California and Delaware, which arose out of the same series of data breaches.[232]

b) Litigation

Social Media Company. Following reports that Cambridge Analytica obtained information on a social media company’s users, the social media company faced several shareholder derivative lawsuits and consumer class actions, the latter of which were ultimately consolidated in the Northern District of California. On September 9, 2019, the federal district judge presiding over the consumer class actions permitted certain of the plaintiffs’ claims to proceed, while granting the social media company’s motion to dismiss other claims.[233] The court held, with respect to the surviving claims, that plaintiffs maintained a privacy interest in information they disclosed to a limited audience and that they had alleged an injury sufficient to confer standing based on that privacy interest alone, even in the absence of a secondary economic injury such as identity theft.[234] On October 31, 2019, the court issued a single-sentence order denying the social media company’s motion to certify the court’s Article III standing analysis for interlocutory review.[235] A hearing on class certification is scheduled for late 2021.[236]

Sports Apparel Company. Last year we also reported on class action litigation filed against a fitness apparel company following its announcement that hackers obtained access to the data of 150 million users of its fitness-tracking app.[237] On February 11, 2019, a federal district judge in the Central District of California granted the company’s motion to compel arbitration, holding that by clicking “accept” in response to the app’s terms and conditions, which incorporated the American Arbitration Association Rules, the plaintiff had “clearly and unmistakably delegated the arbitrability issue to the arbitration.”[238]

3. The Deepening Circuit Split on Standing Post-Spokeo

In 2019, the divide among circuit courts over the requirements for Article III standing in data breach cases continued to deepen in the wake of the Supreme Court’s 2016 ruling in Spokeo, Inc. v. Robins.[239]

In Spokeo, the Supreme Court held that a statutory violation alone cannot establish injury-in-fact standing; a plaintiff must allege a “concrete” injury stemming from the violation.[240] Following that decision, lower courts have diverged over what facts a plaintiff must allege to establish a “concrete” injury sufficient to confer Article III standing in data breach cases. While some courts of appeals, including the Ninth and D.C. Circuits, have held that the theft of consumers’ private information in and of itself establishes a “substantial risk” of future harm sufficient to confer standing,[241] other courts, including the Fourth and Eighth Circuits, have held that such allegations are too speculative.[242]

In June 2019, a divided panel of the D.C. Circuit reaffirmed the split, holding that government employees “cleared the low bar to establish standing” by alleging that they faced an increased risk of identity theft following a 2015 hack of the Office of Personnel Management (“OPM”).[243] The majority’s decision expanded on the court’s prior holding in Attias v. CareFirst, which had pointed to the circumstances of the breach at issue to conclude that the hackers had “the intent and the ability to use” the stolen data “for ill.”[244] Here, the majority reasoned, the sensitivity of the stolen data and the fact that some class members had already suffered identity theft or fraud rendered the question of the hacker’s intent “markedly less important.”[245] The majority further rejected the dissent’s conclusion that the passage of two years between the cyberattacks and the filing of the complaint “was enough to render the threat of future harm insubstantial.”[246]

Thus far, the Supreme Court has not signaled an interest in resolving the divide. As we reported last year, the Supreme Court denied a petition to review the D.C. Circuit’s Attias decision.[247] In March 2019, the Supreme Court again passed on the opportunity, declining to review the Ninth Circuit’s decision in In re Zappos.com, Inc., which held that plaintiffs had established standing based on the allegation that the information exposed in a data breach could be used to cause future harm.[248]

B. Telephone Consumer Protection Act Litigation

The past year brought several significant actions and noteworthy developments related to the Telephone Consumer Protection Act (“TCPA”).

First, at the start of the year, the FCC’s Consumer and Government Affairs Bureau solicited comments on a motor vehicle servicer’s petition for declaratory review around the FCC’s understanding of “dual purpose” communications (communications that both provide a service and simultaneously act as commercial messages for TCPA purposes).[249] The servicer argued its prerecorded messages to customers, recommending that they take their cars for inspections at certain times, were not “dual purpose,” since the communications allegedly were entirely service-based rather than commercial.[250] Accordingly, the servicer argued, the communications should not be subject to the heightened written consent standards the TCPA imposes on commercial messages.[251] The FCC has yet to issue guidance in response to the petition, but Gibson Dunn will continue to monitor developments in this area, and the Commission’s interest in such questions suggests clarifications of the “dual purpose” concept might be made in 2020.

Turning to another aspect of the TCPA, as discussed above, on June 6, the FCC adopted a Declaratory Ruling and Third Further Proposed Rulemaking to allow phone carriers to block both illegal and unwanted robocalls by default without waiting for customers to opt in to the service.[252] The FCC’s ruling requires carriers to use “reasonable analytics”—such as those used by call-management apps—to determine which calls to block.[253]

On June 20, the Supreme Court issued an opinion in PDR Network, LLC v. Carlton & Harris Chiropractic, Inc., although the Court did not definitively decide the issue presented.[254] Acknowledging that it is “difficult to answer [the] question” of whether the Hobbs Act requires the district court to accept the FCC’s legal interpretation of the term “unsolicited advertisement” in the TCPA, the Court remanded to the Fourth Circuit to answer two preliminary questions: first, whether the FCC’s 2006 order is a “legislative” or “interpretive” rule under the APA, as the former has the “force and effect of law” while the latter does not;[255] and second, whether PDR Network had a “prior” and “adequate” opportunity to seek judicial review of the FCC’s 2006 order, as required by Section 703 of the APA.[256] If not, the Court noted that PDR Network “may” be permitted to challenge the validity of the order under the APA, even if the order is deemed a legislative rather than an interpretive rule.[257] In a four-Justice concurrence, Justice Kavanaugh deemed the question “straightforward,” stating that the relevant statute does not “expressly preclude judicial review of an agency’s statutory interpretation in an enforcement action” and PDR Network therefore “may argue to the District Court that the FCC’s interpretation of the TCPA is wrong,” and he concluded that, on remand, “the District Court should interpret the TCPA under usual principles of statutory interpretation, affording appropriate respect to the [FCC’s] interpretation.”[258] He went on to provide an extensive analysis that will “remain[] available to the court on remand . . . and . . . to other courts in the future.”[259]

In August, the Eleventh Circuit created a circuit split when it concluded that the receipt of a single unsolicited text message—which is “more akin to walking down a busy sidewalk and having a flyer briefly waived in one’s face”—does not generate the harm necessary to give rise to claims under the TCPA.[260] That ruling is at odds with the Ninth Circuit’s January 2017 decision in Van Patten v. Vertical Fitness Group, LLC, which held that the receipt of just two unsolicited text messages constituted concrete harm under Article III.[261] Though no parties have filed petitions for certiorari to date, it is likely that the Supreme Court will be presented with the question of what constitutes standing under the TCPA.

Later in the year, within a 15-day span a social media company and a communications company filed separate petitions for certiorari with the Supreme Court regarding the constitutionality of the TCPA. Specifically, the companies are asking the Court to opine on whether the TCPA’s prohibition on calls made using an automated telephone dialing system (“ATDS”) or an artificial or prerecorded voice is an unconstitutional restriction on speech.[262] The social media company’s petition also asks the Court whether the Ninth Circuit’s statutory interpretation of the TCPA’s definition of an ATDS in Marks v. Crunch San Diego[263] is overly broad.[264] Although the FCC sought public comments on this question following both Marks and the D.C. Circuit Court’s decision in ACA International v. FCC,[265] the agency has yet to issue any guidance. Thus, the Supreme Court’s consideration of this question would be significant. And in a further constitutional challenge to the TCPA, this January the Supreme Court granted certiorari in Barr v. American Association of Political Consultants Inc.,[266] in which it will consider whether the TCPA’s “government-debt exception” violates the First Amendment and, if so, whether the appropriate remedy would be to sever the exception from the statute.

Finally, on December 30, President Trump signed into law the Telephone Robocall Abuse Criminal Enforcement and Deterrence (“TRACED”) Act, which is intended to combat illegal robocalls under the TCPA.[267] Specifically, the legislation: (1) increases civil penalties for TCPA violations to up to $10,000 per call; (2) provides the FCC with additional time to bring actions based on violations related to knowingly providing misleading or inaccurate caller ID information; and (3) requires telecommunications carriers to implement, at no additional charge, the FCC’s STIR/SHAKEN call authentication procedures to prevent scammers from spoofing numbers.[268] The House in July passed a similar law aimed at cracking down on unwanted automated phone calls, the Stopping Bad Robocalls Act, on which the Senate has yet to vote.[269]

C. Biometric Information Privacy Act Litigation

As we foreshadowed in last year’s Review, 2019 was an active year for biometric privacy litigation. In particular, litigation continued around Illinois’ Biometric Information Privacy Act (“BIPA”), which confers a private right of action to individuals “aggrieved” under the statute,[270] unlike similar statutes in states such as California, Texas, and Washington. The Illinois Supreme Court seemed to invite such litigation with its decision in Rosenbach v. Six Flags,[271] in which the court held that individuals aggrieved under the BIPA have standing to sue without alleging an actual injury, because the BIPA provides individuals with a substantive right to control their biometric information and no-injury BIPA violations are not merely “technicalit[ies]” but instead are “real and significant” harms to important rights.[272]

As a result of Rosenbach, to withstand a motion to dismiss plaintiffs need merely to allege that they are aggrieved persons under the BIPA. Illinois courts and federal courts applying Illinois law have applied Rosenbach in precisely this manner. For example, in Rottner v. Palm Beach Tan, Inc., an Illinois appellate court reversed the lower court’s dismissal of a BIPA action for failure to sufficiently plead damages, issued prior to Rosenbach, because “Rottner, like Rosenbach, has standing to sue and has adequately stated a claim for liquidated damages under section 20 of the Act, even if she has alleged only a violation of the Act and not any actual damages beyond violation of law.”[273] Similarly, in Rogers v. CSX Intermodal Terminals, Inc., the U.S. District Court for the Northern District of Illinois granted in part the defendant’s motion to dismiss putative class action claims for intentional and reckless violations of the BIPA, which the court deemed insufficiently pled, but it denied the motion as to claims of statutory violations of the BIPA, which the court noted required only that a plaintiff allege he or she was an aggrieved person under the BIPA.[274] Likewise, in Namuwonge v. Kronos, Inc.,[275] the court determined that the plaintiff failed to plead any facts that would support a finding of intentionality or recklessness, and instead merely alleged that the putative class was composed of aggrieved persons under the BIPA.[276] The court thus struck the intentional and reckless claims from the complaint, but it left untouched the remaining BIPA claims.[277]

In addition to using Rosenbach to defeat motions to dismiss, plaintiffs also have used it to avoid being compelled into arbitration. In Liu v. Four Seasons Hotel, Ltd.,[278] an Illinois appellate court rejected the defendant’s attempt to compel arbitration of its employees’ BIPA claims on the ground that the claims merely sought “wages and hours” relief, clarifying that: “[s]imply because an employer opts to use biometric data, like fingerprints, for timekeeping purposes does not transform a complaint into a wages or hours claim.”[279] Although this holding applies narrowly to circumstances in which employers attempt to construe privacy claims as wage and hour claims, it nevertheless highlights Rosenbach’s impact in facilitating the survival of such claims. Indeed, some companies are choosing to settle BIPA claims for sizeable sums rather than litigate them, as Smith Senior Living and its timekeeping company Kronos (which lost a motion to dismiss in a separate BIPA action last year) did to the tune of $1.55 million for a class of just under 1,700.[280]

Perhaps the biggest impact of Rosenbach, though, has been the flood of class actions filed against large corporations as a result of the BIPA’s relatively simple pleading requirements.[281] As this Review went to press, the Supreme Court declined to grant certiorari on one closely watched case in this area.[282] The case involves the Ninth Circuit’s affirmance of the certification of a class of a social media company’s users for alleged violations of the Illinois BIPA predicated on the company’s use of facial recognition technology.[283]

D. Other Notable Cases

In addition to the cases described above, 2019 brought developments in a number of matters discussed in last year’s Review, as well as a host of new matters concerning shareholders’ derivative rights, companies’ recordation and storage of data through connected devices and otherwise, the Internet of Things, medical records, the scope of the Wiretap Act, and privacy‑related insurance coverage. We describe some of the key updates and cases on these issues in greater detail below.

Social Media Company. As highlighted in last year’s Review, at the end of 2018, the media reported that two bugs had exposed profile data of millions of users of a social media service.[284] Upon release of the news, plaintiffs filed complaints, which were consolidated in a single class action complaint in the Northern District of California.[285] The company filed a motion to dismiss the complaint on April 10, 2019, but later agreed to a settlement in principle after mediation on August 14, 2019.[286] Under the proposed settlement, the company must pay $7.5 million; individual claimants will each receive up to $5.00, with the potential to receive up to $12.00 depending on the number of claimants.[287]

Derivative shareholder litigation against the social media company, also discussed in last year’s Review, was also consolidated in the Northern District of California. In May 2019, the company moved to dismiss the shareholders’ amended complaint, arguing, among other things, that it fixed the bug before it made any statements shareholders claimed were “misleading,” and that shareholders had failed to adequately plead scienter or material harm to the business.[288] The court has yet to rule on the motion to dismiss.

Social Media Company. After the media reported in March 2018 that Cambridge Analytica had obtained information on some of a different social media company’s users, the social media company’s shareholders brought a number of derivative lawsuits that were consolidated in the U.S. District Court for the Northern District of California. On March 22, 2019, the court granted in part the company’s motion to dismiss the shareholders’ state claims on forum non conveniens grounds, finding the forum selection clause in the company’s Restated Certificate of Incorporation valid and applicable.[289] The court granted the social media company’s motion to dismiss the federal claims with leave to amend, holding that the shareholders failed to adequately plead demand futility.[290] The shareholders filed an amended complaint on December 17, 2019.[291]

In May 2019, the Washington, D.C. Superior Court denied the company’s motion to dismiss claims brought by the D.C. Attorney General alleging violations of the D.C. Consumer Protection Procedures Act for failing to take reasonable steps to protect the “trove” of personal consumer data that the company “collects and maintains.”[292] The court concluded that the Attorney General had adequately pleaded the merits of its case at the motion-to-dismiss stage and any existing factual questions should be decided by a jury.[293]

Banking Institutions. In last year’s Review, we reported on litigation against banking institutions claiming that the institutions impermissibly recorded consumer calls. In February 2019, the U.S. District Court for the Western District of Pennsylvania approved a stipulated dismissal of one such action following a settlement between the bank and the plaintiff.[294] It does not appear that the institution involved in the California-based case has appealed from the California Court of Appeals’ decision, which reversed summary judgment for the institution and held that the institution had failed to show it lacked intent to record the relevant conversations, defining “intent” as acting with “the purpose or desire of recording a confidential conversation, or with the knowledge to a substantial certainty” that a confidential conversation will be recorded.[295]

Technology Company – Location History. On December 19, 2019, the Northern District of California granted a technology company’s motion to dismiss class-action claims that it had stored users’ locations even where those users had turned off location history settings in apps.[296] The plaintiffs had asserted claims under the California Invasion of Privacy Act (“CIPA”) and California’s state-constitutional right to privacy.[297] In its motion filed in May 2019, the company argued that the plaintiffs had consented to the collection and storage of location data by agreeing to its Privacy Policy, and that the laws plaintiffs cited were inapplicable because the company did not deploy an “electronic tracking device” “attached to a . . . movable thing” under the CIPA or egregiously breach social norms under the state constitution.[298] The court found the statements within the company’s Privacy Policy and Terms of Service irrelevant, but it concluded, among other things, that the CIPA applies only to “unconsented geolocation tracking,” not the storage and collection of geolocation data, and that the plain terms of the statute did not encompass the circumstances presented.[299] The court therefore dismissed the plaintiffs’ CIPA claims with prejudice.[300] The court also found that the plaintiffs had failed to plead facts to establish a legally protected privacy interest under the state constitution, but granted plaintiffs leave to amend the complaint on this issue.[301]

Technology Company – Medical Records. On June 26, 2019, plaintiffs filed a class action complaint and demand for jury trial against a technology company and a private university, claiming that the university turned over to the company “the confidential, highly sensitive and HIPAA-protected records of every patient who walked through its doors between 2009 and 2016” without notifying patients or obtaining their express consent, thereby violating state consumer fraud, contract, intrusion upon seclusion, and unjust enrichment laws.[302] The plaintiffs labeled the company’s and the university’s assertions that the medical records were de-identified “incredibly misleading,” alleging that the records contained detailed date stamps and free-text notes, and that because the company is a “prolific data mining” company, it could determine individuals’ identities from the records.[303] The plaintiffs further claimed that the company collected the records in order to build and patent its own commercial electronic health record system and develop software that could be sold at premium prices, and that, in exchange for providing the records, the university received a perpetual license to use the software that the company developed.[304] The university and company filed separate motions to dismiss, arguing, among other things, that the plaintiffs had failed to allege an actual injury and thus lacked Article III standing.[305] The motions are currently pending.

Connected Vehicles and Devices, and the Internet of Things. On November 11, 2019, an automobile manufacturer we discussed in last year’s Review moved to decertify state-based classes of drivers in Michigan, Illinois, and Missouri,[306] following the U.S. Supreme Court’s refusal in January to hear the manufacturer’s challenge to the certifications.[307] Also on November 11, the manufacturer moved both for summary judgment on the drivers’ claims that defects in certain vehicles’ infotainment systems made the vehicles vulnerable to hackers and to dismiss the claims for lack of subject matter jurisdiction.[308] The manufacturer asserted that none of the plaintiffs had alleged that his or her vehicle’s system had malfunctioned or was hacked; thus, the plaintiffs had suffered no legally cognizable injury.[309] It also argued that there is a growing consensus among courts that consumers’ claims that they “overpaid” for a product because it theoretically could have been made safer are insufficient to establish subject matter jurisdiction.[310] The court has yet to rule on these dispositive motions.

Additional connected-device cases continue to emerge, and the bases of such cases continued to test the scope of the Wiretap Act in 2019. In May, for example, the Northern District of California held that the vibration intensity settings a user chooses on an adult product constitutes “content” under the Wiretap Act, and the harvesting of such data could constitute intrusion upon seclusion under California state law.[311] In August, the U.S. District Court for the District of New Jersey partially granted two electronic companies’ motion-to dismiss claims that Smart TVs collected data on consumers, including which programs consumers watched, IP and MAC addresses, and ZIP codes, and that the companies sold the data to third parties who used it to conduct targeted advertising.[312] The court dismissed the plaintiffs’ state law claims and claims under the Video Privacy Protection Act (“VPPA”), finding the latter “squarely foreclosed” by controlling precedent that established such “static” identifying information does not constitute personally identifiable information under the VPPA.[313] The court allowed the plaintiffs’ Wiretap Act claim to go forward, finding that the companies were not parties to any allegedly intercepted “communication” between the content provider and the Smart TV, and that information about what consumers are watching constitutes “content” under the Act.[314] The companies have asked the court to reconsider its ruling on the Wiretap Act claim, or, in the alternative, to certify the court’s order for interlocutory appeal.[315]

In June, plaintiffs filed class action complaints in California state court (subsequently removed to federal court) and Washington federal court against a large retailer and technology company, alleging that the company used voice-enabled devices to build a “massive database of billions of voice recordings” containing private personal details of children, among others, without the consent of the children or their parents.[316] The plaintiffs claimed that the company does not have to store these voice recordings but does so for its own commercial gain, and they asserted that the company’s alleged actions violate multiple states’ wiretap laws.[317] Since filing, some plaintiffs have voluntarily dismissed their complaints without prejudice.[318] The company moved to dismiss the remaining plaintiffs’ claims in early January 2020, arguing that the plaintiffs had failed to state a claim because, among other things, the “mere creation of recordings within a communication service” intended to provide instructions over the internet does not constitute illicit interception, eavesdropping, or recording.[319]

Minors’ privacy rights also were in the news in 2019 as a result of class actions filed against app developers and major media companies alleging that the defendants used gaming apps for children to track online behavior and leveraged the collected data to target advertising to the children playing the games.[320] On May 22, 2019, the Northern District of California allowed the majority of the plaintiffs’ privacy claims to move forward, finding, among other things, that the plaintiffs’ allegations that defendants gathered user-specific information, worked with third-party companies to buy and sell the information, targeted ads to users, and tracked users’ responses to those ads met the standard required to survive a motion to dismiss.[321] Trial is currently scheduled for October 2020.[322]

Computer Fraud and Abuse Act Litigation. In July, an online ticket vendor reached a favorable settlement on its allegations that individuals had used bots to purchase large quantities of tickets in violation of the company’s Terms of Use, as we described in last year’s Review. Under the settlement, the defendants are permanently enjoined from using the ticket vendor to search for or purchase tickets, from violating the vendor’s Terms of Use, and from conspiring with others to engage in such activities, among other things.[323]

Cybersecurity Insurance and Acts of War. In December 2019, an insurer, about which we wrote in last year’s Review, settled with its insured after the latter filed an appeal in the Eleventh Circuit challenging a district court decision that the insured’s personal injury policy did not cover data breach litigation costs.[324] Similarly, the bank and insurer we discussed in last year’s Review in the context of financial institution bonds also settled in March 2019.[325]

In a case that could have broad implications for companies seeking to insure themselves against cybersecurity attacks, a suit between a food and beverage company and its insurer after the insurer denied coverage for a ransomware attack was one of the most salient of 2019.[326] The food and beverage company was one of hundreds of companies impacted by the “NotPetya” cyberstrike in 2017, for which the U.S. government ultimately assigned responsibility to Russia.[327] When the company made a claim to its insurance company to cover costs resulting from the attack, pointing to provisions of its insurance policy that provided coverage for damage to electronic data or damages resulting from the failure of electronic data processing equipment or media, the insurance company invoked an exception to coverage for “hostile or warlike action in time of peace or war.”[328] The food and beverage company has asserted breach of contract, promissory estoppel, and unreasonable conduct claims under Illinois law and has requested at least $100 million in damages.[329] A pharmaceutical company filed a similar suit against its insurer in New Jersey related to the NotPetya strike, seeking $1.3 billion in damages.[330] Neither case has yet resolved, but as the risks and prevalence of cybersecurity attacks increase, in particular attacks with suspected connections to foreign governments, the interpretation of “act of war” exclusions in security-related insurance policies likely will become increasingly important.

Cy Pres Settlements. An open question going into 2020 is the legality of cy pres-only settlements, or settlements from which the proceeds go to public interest organizations rather than class members, which we discussed in last year’s Review. Although the Supreme Court seemed poised to address this question in Frank v. Gaos,[331] a case concerning a technology company’s alleged transmission of users’ search terms to third parties through referrer headers, the Court instead remanded the case to the district court to evaluate the plaintiffs’ standing in light of Spokeo, Inc. v. Robins,[332] discussed above.

III. Government Data Collection

A. Collection of Data from Computers, Cellphones, and Other Devices

This year, a number of court decisions addressed the issue of individuals’ privacy rights with respect to data stored on cell phones and other personal electronic devices. Although one of the more prominent decisions bolstered such rights by narrowing the Government’s ability to collect and search data without warrants, courts have reached divergent conclusions regarding the Government’s authority to demand that an individual provide biometric input (such as pressing their fingerprint) to unlock digital devices.

In November 2019, a federal district court in Massachusetts held that the Fourth Amendment prevented warrantless data searches of electronic devices at border crossings unless there is reasonable suspicion the devices contain contraband.[333] In doing so, the court cabined the Fourth Amendment’s traditional “border search exception,” under which a variety of suspicionless searches are permitted.[334] The court found that while that exception might allow for cursory searches—such as taking a brief look to determine whether a device is in fact owned by the person carrying it—it did not extend to a full search of one’s personal photographs, phone contacts, or sensitive personal or professional data.[335] Both parties have appealed the decision to the U.S. Court of Appeals for the First Circuit, where the matter is pending.[336]

As digital devices increasingly require thumbprint or facial recognition credentials upon startup, a split has emerged over whether the Government can compel arrestees to provide their biometric inputs to unlock their devices.

In the Matter of the Search of a Residence in Oakland, prosecutors applied for a warrant to search electronic devices in an extortion investigation.[337] The warrant application sought the authority to compel any person present during the search to provide biometric inputs (such as pressing a finger or displaying their face) to unlock the devices.[338] The court rejected the application, reasoning that providing biometric data is akin to compelling a witness to provide testimony, and thus a violation of the Fifth Amendment. In reaching this conclusion, the Court analogized forced biometric authorization to forcing a witness to produce a passcode to a digital device, which courts have regularly found to invoke the Fifth Amendment privilege.[339]

In United States v. Barrera, however, a federal court in Illinois reached the opposite result.[340] The court in Barrera found the Fifth Amendment is invoked only when “the compelled act forces an individual to disclose the contents of the subject’s own mind,” and is distinct from one’s physical characteristics.[341] In this respect, the Barrera Court compared compelled biometric use to physical acts, such as providing blood samples or handwriting exemplars, which courts have routinely held to be non-testimonial in nature.[342]

B. Other Notable Developments

1. Extraterritoriality and Warrants

In 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”).[343] The Act’s two main prongs were to: (1) empower the government to make agreements with foreign countries that mutually remove any barriers to compliance with each nation’s court orders to produce data; and (2) clarify that any communication provider subject to U.S. jurisdiction must, upon appropriate legal request, produce any data in their possession, regardless of where the data is stored.[344]

This year saw the United States and the United Kingdom sign the first-ever CLOUD Act bilateral pact: the US-UK Bilateral Data Access Agreement.[345] Under the agreement, the U.S. can now access any electronic data stored in the United Kingdom using American legal processes (and vice versa).[346] However, the agreement has brought protest from groups who believe that standards for search and seizure in the United Kingdom are weaker than those required by the Fourth Amendment, putting civil liberties at risk.[347]

Apart from its United Kingdom agreement, the federal government has also begun talks with both the European Union[348] and Australia,[349] suggesting 2020 may well bring new CLOUD Act pacts.

This year the government also sought to clarify the scope of the CLOUD Act via formal Department of Justice guidance. The DOJ’s white paper asserted that the second, location-based prong of the CLOUD Act did not create a substantive change, but rather “simply clarified existing U.S. law on this issue; it did not change the existing high standards under the U.S. law that must be met before law enforcement agencies can require disclosure of electronic data.”[350] Nonetheless, privacy rights groups remain skeptical of the Act,[351] and Gibson Dunn will continue to monitor developments in this area.

2. Foreign Intelligence Surveillance Court Approves FBI’s Proposed Electronic Surveillance Procedures

This fall, the Foreign Intelligence Security Court (“FISC”) considered whether the FBI’s protocols for identifying targets for electronic surveillance and collecting their data complied with the Foreign Intelligence Surveillance Act (“FISA”) and with the Fourth Amendment.[352] On September 4, FISC upheld the certifications, approving a procedure under which: (1) the FBI differentiates between queries of U.S. persons and all other queries; (2) prior to reviewing the contents of any U.S. person query, the FBI provides a written statement as to why such query is reasonably likely to return foreign intelligence information or evidence of a crime; and (3) the FBI provides records of such queries to the Department of Justice and the Office of the Director of National Intelligence for oversight.[353] Additionally, the FISC affirmed that the NSA’s 2018 Targeting Procedures prohibit collection of communications solely containing reference to, but not to or from, a foreign intelligence target (also known as “abouts” collection).[354]

3. Increased Government Use of Biometric Identification Technologies Draws Scrutiny

On October 31, 2019, the American Civil Liberties Union (“ACLU”) filed a complaint against the FBI, DOJ and the Drug Enforcement Administration to compel the release of its policies, contracts and other records relating to the use of facial recognition programs and other biometric identification and tracking technology. The complaint argues that such “highly invasive” technologies permit the U.S. government to track people and their associations in potentially unconstitutional ways.[355] For example, according to an FBI witness, the FBI has the ability to run facial recognition searches against over 640 million photographs.[356] The FBI’s guidelines permit the use of such technology without a warrant, demonstration of probable cause, or other fact-based suspicion.[357]

Similarly, Immigration and Customs Enforcement (“ICE”) has recently been scrutinized for its use of “Rapid DNA” testing on families at the U.S.-Mexico border to identify biological parent-child relationships within 90 minutes.[358] The Electronic Frontier Foundation filed suit this fall seeking records of ICE’s testing procedures and accuracy, arguing that Rapid DNA testing is error-prone and expressing concern over the technology’s use on lawful residents in non-border circumstances.[359]

Also in light of concerns regarding invasiveness and accuracy, three municipalities in California and one in Massachusetts have banned the municipal government from using facial recognition systems altogether.[360] At the state level, California and Massachusetts are considering laws to place a moratorium on government use of facial recognition and other biometric identification technologies until regulations are established to protect the public’s interest.[361] At the federal level, the U.S. Congress has held multiple hearings throughout 2019 on the government’s use of facial recognition, and several bills have been introduced to prohibit and/or limit such use.[362]

IV. Conclusion

2019 has proven to be another significant year in the development and application of data privacy and cybersecurity law and for 2020 the fast pace of change will continue. As technology and data collection become more sophisticated, companies, governments and the public at large will continue to explore the opportunities, and perils, that these changes present. We will be tracking these important issues in the year ahead.

______________________

[1] Eric Goldman, What we’ve learned from California’s Consumer Privacy Act so far, The Hill (Jan. 11, 2020), available at https://thehill.com/opinion/cybersecurity/477821-what-weve-learned-from-the-california-consumer-privacy-act-so-far.

[2] See, e.g., California Consumer Privacy Act: Compliance Heading into the New Year, Gibson Dunn (Dec. 12, 2019), available at https://www.gibsondunn.com/california-consumer-privacy-act-compliance-heading-into-the-new-year/; California Consumer Privacy Act Final Amendments Signed, Gibson Dunn (Oct. 16, 2019), available at https://www.gibsondunn.com/california-consumer-privacy-act-2019-final-amendments-signed/; California Consumer Privacy Act Update: Regulatory Update, Gibson Dunn (Oct. 11, 2019), available at https://www.gibsondunn.com/california-consumer-privacy-act-update-regulatory-update/; California Consumer Privacy Act Update — California State Committees Vote on Amendments, Gibson Dunn (Apr. 30, 2019), available at https://www.gibsondunn.com/california-consumer-privacy-act-update-california-state-committees-vote-on-amendments/.

[3] California SB-1121 requires that the final regulations be published on or before July 1, 2020.

[4] Laura Mahoney, California Governor Signs Bills to Refine Sweeping Privacy Law, Bloomberg Law (Oct. 12, 2019), available at https://news.bloomberglaw.com/privacy-and-data-security/california-governor-signs-bills-to-refine-sweeping-privacy-law.

[5] Allison Grande, Calif. Voters May Get Chance To Tighten Privacy Law, Law360 (Sept. 25, 2019), available at https://www.law360.com/articles/1202779/calif-voters-may-get-chance-to-tighten-privacy-law.

[6] Cal. Civ. Code §§ 1798.100, 1798.140.

[7] Id.

[8] Mark Anderson, California privacy law to take effect immediately in 2020, AG says, Sacramento Business Journal (last updated Dec. 17, 2019), available at https://www.bizjournals.com/sacramento/news/2019/12/16/california-to-start-enforcing-privacy-law.html.

[9] Alexei Koseff, California promises aggressive enforcement of new privacy law, S.F. Chronicle (Dec. 16, 2019), available at https://www.sfchronicle.com/politics/article/California-promises-aggressive-enforcement-of-new-14911017.php.

[10] Id.

[11] Cal. Civ. Code §§ 1798.100, 1798.150.

[12] Act relating to Internet privacy, S.B. 220 (Nev. 2019), available at https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6365/Text.

[13] Id.

[14] Id.

[15] Id.

[16] Id.

[17] Act to Protect the Privacy of Online Customer Information, S. P. 275 (Me. 2019), available at http://www.mainelegislature.org/legis/bills/getPDF.asp?paper=SP0275&item=1&snum=129.

[18] Id.

[19] Id.

[20] Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), S5575B (N.Y. 2019), available at https://www.nysenate.gov/legislation/bills/2019/s5575.

[21] Id.

[22] Id.

[23] Id.

[24] Id.

[25] An to amend the general business law, in relation to the management and oversight of personal data (New York Privacy Act), S.5842 (N.Y. 2019), available at https://legislation.nysenate.gov/pdf/bills/2019/S5642/.

[26] Lucas Ropek, NY’s Data Privacy Bill Failed; Is There Hope Next Session?, Government Technology (July 15, 2019), available at https://www.govtech.com/policy/NYs-Data-Privacy-Bill-Failed-Is-There-Hope-Next-Session.html.

[27] Allison Schiff, State Legislatures Are Back In Session, So Expect New Privacy Bills. Next Up: Washington State, AdExchanger (Jan. 14, 2020), available at https://adexchanger.com/privacy/state-legislatures-are-back-in-session-so-expect-new-privacy-bills-next-up-washington-state/.

[28] Act Relating to the management and oversight of personal data, S.B. 5376 (Wash. 2019), available at https://app.leg.wa.gov/billsummary?BillNumber=5376&Year=2019&Initiative=false.

[29] Id.

[30] Act to amend the general business law, in relation to the management and oversight of personal data, S.5642 (N.Y. 2019), available at https://www.nysenate.gov/legislation/bills/2019/s5642.

[31] Id.

[32] Id.

[33] See, e.g., Allison Schiff, State Legislatures Are Back In Session, So Expect New Privacy Bills. Next Up: Washington State, AdExchanger (Jan. 14, 2020), available at https://adexchanger.com/privacy/state-legislatures-are-back-in-session-so-expect-new-privacy-bills-next-up-washington-state/.

[34] Senate Democrat Privacy Principles, Senate Democrats (Nov. 14, 2019), available at https://www.democrats.senate.gov/imo/media/doc/Final_CMTE%20Privacy%20Principles_11.14.19.pdf.

[35] See, e.g., Lauren Feiner, A federal privacy law is starting to crystallize, but Democrats and Republicans can’t agree on how to do it, CNBC (last updated Dec. 4, 2019), available at https://www.cnbc.com/2019/12/04/a-federal-privacy-law-is-starting-to-crystallize-senators-remain-divided-over-details.html.

[36] See, e.g., Abbie Gruwell, Preemption Takes Center Stage Amid Federal Data Privacy Action, The National Conference of State Legislatures Blog (Apr. 8, 2019), available at https://www.ncsl.org/blog/2019/04/08/preemption-takes-center-stage-amid-federal-data-privacy-action.aspx.

[37] See, e.g., Cameron F. Kerry, Will this new Congress be the one to pass data privacy legislation?, Brookings (Jan. 7, 2019), available at https://www.brookings.edu/blog/techtank/2019/01/07/will-this-new-congress-be-the-one-to-pass-data-privacy-legislation/.

[38] House Energy and Commerce Committee Staff Bipartisan Draft Privacy Bill (2019), available at https://privacyblogfullservice.huntonwilliamsblogs.com/wp-content/uploads/sites/28/2019/12/2019.12.18-Privacy-Bipartsian-Staff-Discussion-Draft.pdf.

[39] Emily Birnbaum, Key House committee offers online privacy bill draft, The Hill (Dec. 18, 2019), available at https://thehill.com/policy/technology/475191-key-house-committee-offers-online-privacy-bill-draft.

[40] House Energy and Commerce Committee Staff Bipartisan Draft Privacy Bill (2019), available at https://privacyblogfullservice.huntonwilliamsblogs.com/wp-content/uploads/sites/28/2019/12/2019.12.18-Privacy-Bipartsian-Staff-Discussion-Draft.pdf.

[41] Id.

[42] Id.

[43] Id.

[44] Id.

[45] S. 2968, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/2968?q=%7B%22search%22%3A%5B%22cantwell%22%5D%7D&s=3&r=3.

[46] United States Consumer Data Privacy Act of 2019 Staff Discussion Draft (2019), available at https://privacyblogfullservice.huntonwilliamsblogs.com/wp-content/uploads/sites/28/2019/12/Nc7.pdf.

[47] Id.

[48] Id; S. 2968, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/2968?q=%7B%22search%22%3A%5B%22cantwell%22%5D%7D&s=3&r=3.

[49] H.R. 4978, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/house-bill/4978/text.

[50] S. 1951, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/1951/text.

[51] S. 1578, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/1578/text.

[52] S. 189, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/189/text.

[53] H.R. 2231, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/house-bill/2231/text.

[54] S. 1116. 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/1116/text.

[55] S. 1214, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/1214/text.

[56] H.R. 2013, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/house-bill/2013/text.

[57] S. 583, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/583/text.

[58] H.R. 5573, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/house-bill/5573/text.

[59] S. 1578, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/1578/text.

[60] Id.

[61] Id.

[62] Id.

[63] H.R. 2231, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/house-bill/2231/text.

[64] Id.

[65] H.R. 5573, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/house-bill/5573/text.

[66] S. 748, 116th Cong (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/748/text.

[67] H.R. 5573, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/house-bill/5573/text; S. 748, 116th Cong (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/748/text.

[68] H.R. 5573, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/house-bill/5573/text.

[69] S. 748, 116th Cong (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/748/text.

[70] See Prepared Opening Remarks of Chairman Joseph Simons, Hearings on Competition and Consumer Protection in the 21st Century, The FTC’s Approach to Consumer Privacy (Apr. 9, 2019), available at https://www.ftc.gov/system/files/documents/public_statements/1512673/chmn-simons-opening_remarks_ftc_hearing_12.pdf; Remarks of Chairman Joseph Simons, Hearings on Competition and Consumer Protection in the 21st Century, Session on FTC’s Role in a Changing World (Mar. 25, 2019), available at https://www.ftc.gov/system/files/documents/public_statements/1508536/oia_hearing_march_25_remarks_chmn_simons.pdf.

[71] Press Release, Federal Trade Commission, FTC Seeks to Examine the Privacy Practices of Broadband Providers (Mar. 26, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/03/ftc-seeks-examine-privacy-practices-broadband-providers.

[72] See, e.g., Andrew Smith, New and improved FTC data security orders: Better guidance for companies, better protection for consumers, Federal Trade Commission Blog (Jan. 6, 2020), available at https://www.ftc.gov/news-events/blogs/business-blog/2020/01/new-improved-ftc-data-security-orders-better-guidance.

[73] See, e.g., Remarks of Commissioner Rebecca Kelly Slaughter, The Near Future of U.S. Privacy Law (Sept. 6, 2019), available at https://www.ftc.gov/system/files/documents/public_statements/1543396/slaughter_silicon_flatirons_remarks_9-6-19.pdf.

[74] See Remarks of Commissioner Rebecca Kelly Slaughter, The Near Future of U.S. Privacy Law (Sept. 6, 2019), available at https://www.ftc.gov/system/files/documents/public_statements/1543396/slaughter_silicon_flatirons_remarks_9-6-19.pdf; Prepared Remarks of Chairman Joseph Simons, Introductory Keynote: American Bar Association Consumer Protection Conference (Feb. 5, 2019), available at https://www.ftc.gov/system/files/documents/public_statements/1451379/simons-_nashville-aba-remarks.pdf.

[75] See Prepared Remarks of Chairman Joseph Simons, Introductory Keynote: American Bar Association Consumer Protection Conference (Feb. 5, 2019), available at https://www.ftc.gov/system/files/documents/public_statements/1451379/simons-_nashville-aba-remarks.pdf.

[76] Press Release, Federal Trade Commission, FTC Grants Final Approval to Settlement with Former Cambridge Analytica CEO, App Developer over Allegations they Deceived Consumers over Collection of Facebook Data (Dec. 18, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/12/ftc-grants-final-approval-settlement-former-cambridge-analytica.

[77] Id.

[78] Id.

[79] See, e.g., Press Release, United Kingdom Information Commissioner’s Office, SCL Elections prosecuted for failing to comply with enforcement notice (Jan. 9, 2019), available at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/01/scl-elections-prosecuted-for-failing-to-comply-with-enforcement-notice/.

[80] Press Release, Federal Trade Commission, FTC Issues Opinion and Order Against Cambridge Analytica For Deceiving Consumers About the Collection of Facebook Data, Compliance with EU-U.S. Privacy Shield (Dec. 6, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/12/ftc-issues-opinion-order-against-cambridge-analytica-deceiving.

[81] Id.

[82] Id.

[83] Press Release, Federal Trade Commission, FTC Finalizes Settlement with Company that Misled Consumers about how it Accesses and Uses their Email (Dec. 17, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/12/ftc-finalizes-settlement-company-misled-consumers-about-how-it.

[84] Id.

[85] Id.

[86] Id.

[87] Press Release, Federal Trade Commission, Utah Company Settles FTC Allegations it Failed to Safeguard Consumer Data (Nov. 12, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/11/utah-company-settles-ftc-allegations-it-failed-safeguard-consumer.

[88] Id.

[89] Id.

[90] Id.

[91] Id.

[92] Press Release, Federal Trade Commission, FTC Brings First Case Against Developers of “Stalking” Apps (Oct. 22, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/10/ftc-brings-first-case-against-developers-stalking-apps; see also FTC Brings First Case Against Tracking Apps, Gibson Dunn (Nov. 1, 2019), available at https://www.gibsondunn.com/california-consumer-privacy-act-2019-final-amendments-signed/.

[93] Id.

[94] Id.

[95] Id.

[96] Id.

[97] Id.

[98] Press Release, Federal Trade Commission, FTC Gives Final Approval to Settlement with Auto Dealer Software Company That Allegedly Failed to Protect Consumers’ Data (Sept. 6, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/09/ftc-gives-final-approval-settlement-auto-dealer-software-company.

[99] Id.

[100] Federal Trade Commission (F.T.C.), In re LightYear Dealer Technologies, LLC, Docket No. C-4687 (F.T.C. Sept. 6, 2019), available at https://www.ftc.gov/system/files/documents/cases/172_3051_c-4687_dealerbuilt_decision_order.pdf.

[101] Id.

[102] Press Release, Federal Trade Commission, Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law (Sept. 4, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations.

[103] Id.

[104] Id.

[105] Id.

[106] Id.

[107] Id.

[108] Press Release, Federal Trade Commission, FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook (July 24, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions.

[109] Id.

[110] Stipulated Order for Civil Penalty, Monetary Judgment, and Injunctive Relief, United States v. Facebook, Inc., No. 19-cv-2184 (D.D.C. July 24, 2019), ECF No. 2-1, available at https://www.ftc.gov/system/files/documents/cases/182_3109_facebook_order_filed_7-24-19.pdf.

[111] Id.

[112] Id.

[113] Id.

[114] Press Release, Federal Trade Commission, Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach (July 22, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related.

[115] Id.

[116] Id.

[117] Id.

[118] Press Release, Federal Trade Commission, D-Link Agrees to Make Security Enhancements to Settle FTC Litigation (July 2, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation.

[119] Id.

[120] Id.

[121] Id.

[122] Press Release, Federal Trade Commission, Video Social Networking App Musical.ly Agrees to Settle FTC Allegations That it Violated Children’s Privacy Law (Feb. 27, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/02/video-social-networking-app-musically-agrees-settle-ftc.

[123] Id.

[124] Id.

[125] Id.

[126] Press Release, Federal Trade Commission, FTC Issues Opinion and Order Against Cambridge Analytica For Deceiving Consumers About the Collection of Facebook Data, Compliance with EU-U.S. Privacy Shield (Dec. 6, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/12/ftc-issues-opinion-order-against-cambridge-analytica-deceiving; Press Release, Federal Trade Commission, California Company Settles FTC Allegations that it Falsely Claimed Participation in EU-U.S. Privacy Shield (Nov. 19, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/11/california-company-settles-ftc-allegations-it-falsely-claimed; Press Release, Federal Trade Commission, FTC Charges Nevada Company with Falsely Claiming Participation in the EU-U.S. Privacy Shield (Nov. 7, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/11/ftc-charges-nevada-company-falsely-claiming-participation-eu-us; Press Release, Federal Trade Commission, FTC Approves Final Consent Order Settling Charges That Background Screening Company Falsely Claimed Compliance with EU-U.S. Privacy Shield Framework (Aug. 21, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/08/ftc-approves-final-consent-order-settling-charges-background.

[127] Id.

[128] Press Release, Federal Trade Commission, FTC Takes Action against Companies Falsely Claiming Compliance with the EU-U.S. Privacy Shield, Other International Privacy Agreements (June 14, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/06/ftc-takes-action-against-companies-falsely-claiming-compliance-eu.

[129] Federal Trade Commission, Privacy Shield, available at https://www.ftc.gov/tips-advice/business-center/privacy-and-security/privacy-shield.

[130] See 15 U.S.C. § 53(b).

[131] See FTC v. Commerce Planet, Inc., 815 F.3d 593, 598–99 (9th Cir. 2016); FTC v. Ross, 743 F.3d 886, 890–92 (4th Cir. 2014); FTC v. Bronson Partners, LLC, 654 F.3d 359, 365–66 (2d Cir. 2011); FTC v. Magazine Sols., LLC, 432 F. App’x 155, 158 n.2 (3d Cir. 2011) (unpublished); FTC v. Direct Mktg. Concepts, Inc., 624 F.3d 1, 15 (1st Cir. 2010); FTC v. Freecom Commc’ns, Inc., 401 F.3d 1192, 1202 n.6 (10th Cir. 2005); FTC v. Gem Merch. Corp., 87 F.3d 466, 468–70 (11th Cir. 1996); FTC v. Security Rare Coin & Bullion Corp., 931 F.2d 1312, 1314–15 (8th Cir. 1991); FTC v. Amy Travel Serv., Inc., 875 F.2d 564, 571–72 (7th Cir. 1989).

[132] FTC v. Credit Bureau Ctr., LLC, 937 F.3d 764 (7th Cir. 2019) (vacating a $5.26 million judgment in favor of the FTC).

[133] Petition for a Writ of Certiorari, FTC v. Credit Bureau Ctr., LLC, No. 19-____ (U.S. Dec. 19, 2019), available at https://www.ftc.gov/system/files/documents/cases/petitionforawritofcertiorari_no._19.pdf.

[134] See, e.g., Remarks of Commissioner Rebecca Kelly Slaughter, The Near Future of U.S. Privacy Law (Sept. 6, 2019), available at https://www.ftc.gov/system/files/documents/public_statements/1543396/slaughter_silicon_flatirons_remarks_9-6-19.pdf; Prepared Remarks of Chairman Joseph Simons, Introductory Keynote: American Bar Association Consumer Protection Conference (Feb. 5, 2019), available at https://www.ftc.gov/system/files/documents/public_statements/1451379/simons-_nashville-aba-remarks.pdf.

[135] Press Release, Department of Health and Human Services, OCR Concludes All-Time Record Year for HIPAA Enforcement with $3 Million Cottage Health Settlement (Feb. 7, 2019), available at https://www.hhs.gov/about/news/2019/02/07/ocr-concludes-all-time-record-year-for-hipaa-enforcement-with-3-million-cottage-health-settlement.html.

[136] Ben Kochman, HIPAA Enforcers Lower Fines For Less Serious Violations, Law360 (Apr. 26, 2019), available at https://www.law360.com/articles/1154042/hipaa-enforcers-lower-fines-for-less-serious-violations.

[137] See, e.g., Dena Castricone, HIPAA Compliance Lessons From 2019 Enforcement Trends, Law360 (Jan. 22, 2020), available at https://www.law360.com/articles/1236238/hipaa-compliance-lessons-from-2019-enforcement-trends.

[138] Press Release, Department of Health and Human Services, Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing over 300,000 Patients’ Protected Health Information (May 6, 2019), available at https://www.hhs.gov/about/news/2019/05/06/tennessee-diagnostic-medical-imaging-services-company-pays-3000000-settle-breach.html.

[139] Id.

[140] Press Release, Department of Health and Human Services, OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations (Nov. 7, 2019), available at https://www.hhs.gov/about/news/2019/11/07/ocr-imposes-a-1.6-million-dollar-civil-money-penalty-against-tx-hhsc-for-hipaa-violations.html.

[141] Press Release, Department of Health and Human Services, Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement (Nov. 5, 2019), available at https://www.hhs.gov/about/news/2019/11/05/failure-to-encrypt-mobile-devices-leads-to-3-million-dollar-hipaa-settlement.html.

[142] Id.

[143] Press Release, Department of Health and Human Services, OCR Settles First Case in HIPAA Right of Access Initiative (Sept. 9, 2019), available at https://www.hhs.gov/about/news/2019/09/09/ocr-settles-first-case-hipaa-right-access-initiative.html.

[144] Id.

[145] Press Release, Department of Health and Human Services, OCR Settles Second Case in HIPAA Right of Access Initiative (Dec. 12, 2019), available at https://www.hhs.gov/about/news/2019/12/12/ocr-settles-second-case-in-hipaa-right-of-access-initiative.html.

[146] Press Release, Department of Health and Human Services, OCR Settles First Case in HIPAA Right of Access Initiative (Sept. 9, 2019), available at https://www.hhs.gov/about/news/2019/09/09/ocr-settles-first-case-hipaa-right-access-initiative.html; Press Release, Department of Health and Human Services, OCR Settles Second Case in HIPAA Right of Access Initiative (Dec. 12, 2019), available at https://www.hhs.gov/about/news/2019/12/12/ocr-settles-second-case-in-hipaa-right-of-access-initiative.html.

[147] Press Release, Department of Health and Human Services, Judge Rules in Favor of OCR and Requires a Texas Cancer Center to Pay $4.3 Million in Penalties for HIPAA Violations (June 18, 2018), available at https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html.

[148] See Complaint, Univ. of Tex. MD Anderson Cancer Ctr. v. Azar, Docket No. 4:19-cv-01298 (S.D. Tex. Apr. 9, 2019), ECF No. 1.

[149] Request for Information on Modifying HIPAA Rules To Improve Coordinated Care, 83 Fed. Reg. 64302 (proposed Dec. 14, 2018) (to be codified at 45 C.F.R. pts. 160, 164), available at https://www.federalregister.gov/documents/2018/12/14/2018-27162/request-for-information-on-modifying-hipaa-rules-to-improve-coordinated-care.

[150] See Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, regulations.gov, available at https://www.regulations.gov/docket?D=HHS-OCR-2018-0028.

[151] See, e.g., Comment of Wash. State Dep’t of Soc. and Health Servs., Request for Information on Modifying HIPAA Rules To Improve Coordinated Care, FR Docket No. 2018-27162 (Feb. 12, 2019), available at https://www.regulations.gov/document?D=HHS-OCR-2018-0028-1095.

[152] See, e.g., Comment of Nat’l Disability Rights Network, Request for Information on Modifying HIPAA Rules To Improve Coordinated Care, FR Docket No. 2018-27162 (Feb. 12, 2019), available at https://www.regulations.gov/document?D=HHS-OCR-2018-0028-1294.

[153] See, e.g., Comment of Nat’l Ass’n of Chain Drug Stores, Request for Information on Modifying HIPAA Rules To Improve Coordinated Care, FR Docket No. 2018-27162 (Feb. 11, 2019), available at https://www.regulations.gov/document?D=HHS-OCR-2018-0028-0874.

[154] See Complaint, State of Arizona v. Med. Informatics Eng’g, Inc., No. 3:18-cv-00969 (N.D. Ind. Dec. 04, 2018), ECF No. 1.

[155] Id.

[156] Consent Judgment and Order, State of Arizona v. Med. Informatics Eng’g, Inc., No. 3:18-cv-00969 (N.D. Ind. May 28, 2019), ECF No. 66.

[157] SEC Office of Compliance Inspection and Examinations, Risk Alert – Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies (Apr. 16, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf.

[158] Id. at 2–3.

[159] Id. at 3–4.

[160] Press Release, SEC Office of Compliance Inspections and Examinations Announces 2020 Examination Priorities (Jan. 7, 2020), available at https://www.sec.gov/news/press-release/2020-4.

[161] Id.

[162] Id.

[163] U.S. Securities and Exchange Commission, Electronic Data Gathering, Analysis, and Retrieval, available at https://www.sec.gov/edgar.shtml (last visited Jan. 23, 2020).

[164] Complaint, SEC v. Ieremenko et al., No. 2:19-cv-00505 (D.N.J. Jan. 15, 2019), ECF No. 1.

[165] Press Release, U.S. Securities and Exchange Commission, SEC Brings Charges in EDGAR Hacking Case (Jan. 15, 2019), available at https://www.sec.gov/news/press-release/2019-1.

[166] Press Release, U.S. Securities and Exchange Commission, Facebook to Pay $100 Million for Misleading Investors About the Risks It Faced From Misuse of User Data (July 24, 2019), available at https://www.sec.gov/news/press-release/2019-140.

[167] Press Release, U.S. Securities and Exchange Commission, SEC and CFTC Charge Options Clearing Corp. with Failing to Establish and Maintain Adequate Risk Management Policies (Sept. 4, 2019), available at https://www.sec.gov/news/press-release/2019-171.

[168] SEC Division of Enforcement, 2019 Annual Report at 13, available at https://www.sec.gov/files/enforcement-annual-report-2019.pdf.

[169] Press Release, U.S. Securities and Exchange Commission, Company Settles Unregistered ICO Charges After Self-Reporting to SEC (Feb. 20, 2019), available at https://www.sec.gov/news/press-release/2019-15.

[170] Complaint, SEC v. Telegram Group Inc. et al., No. 1:19-cv-9439 (S.D.N.Y. Oct. 11, 2019), ECF No. 1; see also Press Release, U.S. Securities and Exchange Commission, SEC Halts Alleged $1.7 Billion Unregistered Digital Token Offering (Oct. 11, 2019), available at https://www.sec.gov/news/press-release/2019-212.

[171] Complaint, SEC v. Eyal, No. 1:19-cv-11325 (S.D.N.Y. Dec. 11, 2019), ECF No. 1.

[172] TurnKey Jet, Inc., SEC No-Action Letter (Apr. 3, 2019), available at https://www.sec.gov/divisions/corpfin/cf-noaction/2019/turnkey-jet-040219-2a1.htm.

[173] Id.

[174] See Advanced Methods to Target and Eliminate Unlawful Robocalls, Declaratory Ruling and Third Further Notice of Proposed Rulemaking, FCC 19-51, 34 FCC Rcd. 4876 (June 6, 2019).

[175] In the Matters of Implementing Section 503 of RAY BAUM’S Act, Second Report and Order, FCC Rcd. 19-73 (Aug. 1, 2019), available at https://docs.fcc.gov/public/attachments/FCC-19-73A1.pdf

[176] STIR/SHAKEN stands for “Secure Telephony Identity Revisited/ Secure Handling of Asserted information using toKEN.”

[177] Ajit Pai, Comm’r, FCC, Remarks at the Robocall Symposium of New England States (Nov. 21, 2019), available at https://docs.fcc.gov/public/attachments/DOC-360946A1.pdf

[178] Press Release, FCC, Chairman Pai Statement on Progress by Major Phone Companies in Implementing Caller ID Authentication (Aug. 14, 2019), available at https://docs.fcc.gov/public/attachments/DOC-359087A1.pdf.

[179] Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, Pub. L. No. 116-105, 133 Stat. 3274 (2019).

[180] Id.

[181] See, e.g., Cassell Bryan-Low et al., Special report – Hobbling Huawei: Inside the U.S. war on China’s tech giant, Reuters (May 21, 2019), available at https://www.reuters.com/article/us-huawei-usa-5g-specialreport/special-report-hobbling-huawei-inside-the-u-s-war-on-chinas-tech-giant-idUSKCN1SR1EU; Diane Bartz & Christian Shepherd, U.S. legislation steps up pressure on Huawei and ZTE, China calls it ‘hysteria’, Reuters (Jan. 16, 2019), available at https://www.reuters.com/article/us-usa-china-huawei-tech/u-s-legislation-steps-up-pressure-on-huawei-and-zte-china-calls-it-hysteria-idUSKCN1PA2LU.

[182] In the Matter of Protecting Against Nat’l Security Threats to the Comm’ns Supply Chain Through FCC Programs, Report and Order, Further Notice of Proposed Rulemaking, and Order, FCC 19-121 (Nov. 22, 2019), available at https://docs.fcc.gov/public/attachments/FCC-19-121A1.pdf.

[183] See Petition for Review, Huawei Techs. v. FCC, No. 19-60896 (5th Cir. Dec. 5, 2019), available at https://prodnet.www.neca.org/publicationsdocs/wwpdf/12519huawei.pdf; see also Petition for Review, Huawei Technologies USA, Inc. et al. v. Federal Communications Commission et al., No 19-60896 (5th Cir. Jan. 7, 2020).

[184] In the Matter of Protecting Against Nat’l Security Threats to the Comm’ns Supply Chain Through FCC Programs, Report and Order, Further Notice of Proposed Rulemaking, and Order, FCC 19–121, ¶¶ 122-60 (Nov. 22, 2019), available at https://docs.fcc.gov/public/attachments/FCC-19-121A1.pdf.

[185] Jim Puzzanghera, New CFPB Director Kathy Kraninger says she won’t be puppet of Mick Mulvaney, L.A. Times (Dec. 11, 2018), available at http://www.latimes.com/business/la-fi-kathy-kraninger-cfpb-20181211-story.html.

[186] Id.

[187] Brief for the Respondent, Seila Law LLC v. CFPB, No. 19-7 (U.S. Sept. 17, 2019).

[188] Seila Law LLC v. CFPB, 140 S. Ct. 427 (2019) (granting certiorari). Barr v. Am. Ass’n of Political Consultants Inc.,

[189] Press Release, CFPB, CFPB, FTC and States Announce Settlement with Equifax Over 2017 Data Breach (July 22, 2019), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-ftc-states-announce-settlement-with-equifax-over-2017-data-breach/.

[190] Id.

[191] Dep’t of Defense, Defense Contract Mgmt. Agency, Contractor Purchasing System Review (CPSR) Guidebook (June 14, 2019), available at https://www.dcma.mil/Portals/31/Documents/CPSR/CPSR_Guidebook_062719.pdf

[192] Id. at 97.

[193] See, e.g., id. at 103–05.

[194] U.S. Dep’t of Defense Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification (CMMC) Version 0.7 (Dec. 6, 2019), available at https://www.acq.osd.mil/cmmc/docs/CMMC_Version0.7_UpdatedCompiledDeliverable_20191209.pdf.

[195] U.S. Dep’t of Defense Office of the Under Secretary of Defense for Acquisition & Sustainment, Welcome Page, available at https://www.acq.osd.mil/cmmc/index.html.

[196] U.S. Dep’t of Defense Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification (CMMC) Version 0.7 (Dec. 6, 2019), available at https://www.acq.osd.mil/cmmc/docs/CMMC_Version0.7_UpdatedCompiledDeliverable_20191209.pdf.

[197] Travis J. Tritten, Defense Contractors to Face Added Costs With Cybersecurity Audit, Bloomberg Gov’t (Jan. 15, 2020), available at https://about.bgov.com/news/defense-contractors-to-face-added-costs-with-cybersecurity-audit/.

[198] U.S. Dep’t of Defense Inspector General, Audit of the DoD’s Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items (July 26, 2019), available at https://media.defense.gov/2019/Jul/30/2002164272/-1/-1/1/DODIG-2019-106.PDF.

[199] U.S. Dep’t of Defense Inspector General, Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems (July 23, 2019), available at https://media.defense.gov/2019/Jul/25/2002162331/-1/-1/1/DODIG-2019-105.PDF.

[200] National Defense Authorization Act (NDAA) for Fiscal Year 2020, Pub. L. No. 116-92, 133 Stat 1198 (2019).

[201] Id.

[202] Press Release, DOJ, Justice Department Reviewing the Practices of Market-Leading Online Platforms (July 23, 2019), available at https://www.justice.gov/opa/pr/justice-department-reviewing-practices-market-leading-online-platforms.

[203] Tony Romm, DOJ issues new warning to big tech: Data and privacy could be competition concerns, Wash. Post (Nov. 8, 2019), available at https://www.washingtonpost.com/technology/2019/11/08/doj-issues-latest-warning-big-tech-data-privacy-could-be-competition-concerns/.

[204] Press Release, CFTC, CFTC Orders Registrant to Pay $1.5 Million for Violations Related to Cyber Breach (Sept. 12, 2019), available at https://www.cftc.gov/PressRoom/PressReleases/8008-19.

[205] Press Release, Dep’t of Commerce, U.S. Department of Commerce Proposes Rule for Securing the Nation’s Information and Communications Technology and Services Supply Chain (Nov. 26, 2019), available at https://www.commerce.gov/news/press-releases/2019/11/us-department-commerce-proposes-rule-securing-nations-information-and.

[206] Brandi Vincent, How the Energy Department Is Prioritizing Secure Infrastructure, Nextgov (Mar. 21, 2019), available at https://www.nextgov.com/cybersecurity/2019/03/how-energy-department-prioritizing-secure-infrastructure/155734/.

[207] See, e.g., GAO-19-332, Critical Infrastructure Protection, Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid (Aug. 2019), available at https://www.gao.gov/assets/710/701079.pdf.

[208] DHS Office of Inspector General, Management Alert – FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information (REDACTED) (Mar. 15, 2019), available at https://www.oig.dhs.gov/sites/default/files/assets/2019-03/OIG-19-32-Mar19.pdf.

[209] Nat’l Institute of Standards and Tech., Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (June 2019), available at https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/draft.

[210] Id. at iv.

[211] Nat’l Institute of Standards and Tech., Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations – Enhanced Security Requirements for Critical Programs and High Value Assets (June 2019), available at https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf.

[212] Id. at iv (emphases omitted).

[213] Nat’l Institute of Standards and Tech., NIST Releases Version 1.0 of Privacy Framework (Jan. 16, 2020), available at https://www.nist.gov/news-events/news/2020/01/nist-releases-version-10-privacy-framework.

[214] Final Judgment and Consent Decree, The State of Alabama v. Equifax, Inc. (July 19, 2019), available at https://www.sec.gov/Archives/edgar/data/33185/000119312519198584/d734596dex104.htm.

[215] See Press Release, NY State Office of the Attorney General, Attorney General James Secures $6 Million From Cisco Systems In Multistate Settlement (Aug. 1, 2019), available at https://ag.ny.gov/press-release/2019/attorney-general-james-secures-6-million-cisco-systems-multistate-settlement; Mark Chandler, Executive Platform: A Changed Environment Requires a Changed Approach, Cisco Blogs (July 31, 2019), available at https://blogs.cisco.com/news/a-changed-environment-requires-a-changed-approach.

[216] Press Release, N.Y. Dep’t Fin. Serv., Attorney General James Gives Update on Facebook Antitrust Investigation (Oct. 22, 2019), available at https://ag.ny.gov/press-release/2019/attorney-general-james-gives-update-facebook-antitrust-investigation.

[217] Press Release, Office of the Attorney Gen., NJ Announces New “Cyber Savvy Youth” Initiative to Keep Kids Safe Online and Releases Annual Statistics on Cyber Breaches (Oct. 31, 2019), available at https://www.nj.gov/oag/newsreleases19/pr20191031a.html.

[218] Press Release, N.Y. Dep’t Fin. Serv., Acting Superintendent Linda A. Lacewell Names Justin Herring Executive Deputy Superintendent of Newly Created Cybersecurity Division (May 22, 2019), available at https://www.dfs.ny.gov/reports_and_publications/press_releases/pr1905221.

[219] See RiskBased Security, Data Breach Quickview Report, 2019 Q3 Trends (Nov. 2019), available at https://pages.riskbasedsecurity.com/hubfs/Reports/2019/Data%20Breach%20QuickView%20Report%202019%20Q3%20Trends.pdf.

[220] Christopher Rowland, Quest Diagnostics Discloses Breach of Patient Records, Wash. Post (June 3, 2019), available at https://www.washingtonpost.com/business/economy/quest-diagnostics-discloses-breach-of-patient-records/2019/06/03/aa37b556-860a-11e9-a870-b9c411dc4312_story.html.

[221] Jessica Davis, Quest, Labcorp, AMCA Face Breach Lawsuits, State Investigations, Health Security (June 11, 2019), available at https://healthitsecurity.com/news/quest-labcorp-amca-face-hit-by-breach-lawsuits-state-investigations.

[222] Id.

[223] Ben Kochman, Debt Collection Co. Files Ch. 11 After Health Data Breach (June 11, 2019), available at https://www.law360.com/articles/1170470?scroll=1&related=1.

[224] Taylor Telford, Wawa Hit With Massive Data Breach, Potentially Affecting More Than 850 Locations, CEO Says, Wash. Post (Dec. 20, 2019), available at https://www.washingtonpost.com/business/2019/12/20/wawa-hit-with-massive-data-breach-potentially-affecting-all-locations-ceo-says/.

[225] Matt Fair, Firm Says Lead Counsel Bids in Wawa Suits Should Wait, Law360 (Jan. 3, 2020), available at https://www.law360.com/articles/1231110/firm-says-lead-counsel-bids-in-wawa-suits-should-wait.

[226] Allison Grande, Contested Equifax Data Breach Deal Gets Final Nod, Law360 (Dec. 20, 2019), available at https://www.law360.com/articles/1230211/contested-equifax-data-breach-deal-gets-final-nod.

[227] Id.; see also Allison Grande, Equifax Data Breach Settlement Is A Good Deal, Judge Says, Law360 (Jan. 15, 2020), available at https://www.law360.com/articles/1234404?scroll=1&related=1.

[228] Allison Grande, Equifax Data Breach Settlement Is A Good Deal, Judge Says, Law360 (Jan. 15, 2020), available at https://www.law360.com/articles/1234404?scroll=1&related=1.

[229] Order Granting Preliminary Approval, In Re: Yahoo! Inc. Customer Data Security Breach Litigation, 5:16-MD-02752 (N.D. Cal. July 20, 2019), ECF No. 390.

[230] Id.

[231] Dorothy Atkins, Yahoo’s Revised $117M Data Breach Deal Gets Koh’s Initial OK, Law360 (July 22, 2019), available at https://www.law360.com/articles/1180718/yahoo-s-revised-117m-data-breach-deal-gets-koh-s-initial-ok.

[232] Vince Sullivan, $29M Yahoo Breach Deal in Calif. Ends Chancery Suit in Del., Law360 (Jan. 11, 2019), available at https://www.law360.com/articles/1117984/-29m-yahoo-breach-deal-in-calif-ends-chancery-suit-in-del-.

[233] Order Granting in Part and Denying in Part Facebook Inc.’s Motion to Dismiss, In re Facebook, Inc., Consumer Privacy User Profile Litig., No. 18-MD-02843 (N.D. Cal. Sept. 9, 2019), ECF No. 298.

[234] Id.

[235] Pretrial Order No. 26: Order Denying Motion to Certify for Interlocutory Appeal, In re: Facebook, Inc. Consumer Privacy User Profile Litig., No. 18-MD02843-VC (N.D. Cal. Oct. 31, 2019), ECF No. 330.

[236] Pretrial Order No. 32: Case Management Schedule, In re: Facebook, Inc. Consumer Privacy User Profile Litig., No. 18-MD02843-VC (N.D. Cal. Dec. 13, 2019), ECF No. 356.

[237] Hamza Shaban, Under Armour Announces Data Breach, Affecting 150 million MyFitnessPal App Accounts, Wash. Post (Mar. 29, 2018), available at https://www.washingtonpost.com/news/theswitch/wp/2018/03/29/under-armour-announces-data-breach-affecting-150-million-myfitnesspal-appaccounts.

[238] Order, Murray v. Under Armour, Inc., 18-cv-04032 (C.D. Cal. Feb. 11, 2019), ECF No. 36.

[239] 136 S. Ct. 1540 (2016).

[240] Id. at 1549.

[241] See, e.g., In re Zappos.com, Inc., 888 F.3d 1020, 1028 (9th Cir. 2018); Attias v. Carefirst, Inc., 865 F.3d 620, 628 (D.C. Cir. 2017).

[242] See, e.g., Beck v. McDonald, 848 F.3d 262, 266-67 (4th Cir. 2017); In re SuperValu, Inc., 870 F.3d 763, 771–72 (8th Cir. 2017).

[243] In re U.S. Office of Personnel Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 61 (D.C. Cir. 2019) (quoting Attias v. Carefirst, Inc., 865 F.3d 620, 622 (D.C. Cir. 2017)).

[244] 865 F.3d 620, 628 (D.C. Cir. 2017).

[245] In re U.S. Office of Personnel Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 58 (D.C. Cir. 2019) .

[246] Id. at 59.

[247] CareFirst, Inc. v. Attias, 138 S. Ct. 981 (2018).

[248] In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018). See Zappos.com, Inc. v. Stevens, No. 18-225, Doc. No. 13 (Mar. 25, 2019) (denying certiorari).

[249] Consumer and Governmental Affairs Bureau Seeks Comment on Petition For Expedited Declaratory Ruling Filed By SGS North America, Inc., GC Docket No. 02-278 (Dec. 20, 2018), available at https://ecfsapi.fcc.gov/file/12212239203475/DA-18-1290A1.pdf (noting comment period closes in February of 2020).

[250] Petition For Expedited Declaratory Ruling or, in the Alternative, Request for Retroactive Waiver, GC Docket No. 02-278 (Dec. 17, 2018), available at https://ecfsapi.fcc.gov/file/121726169703/SGS%20–%20FCC%20Petition%20for%20Declaratory%20Ruling.pdf.

[251] Id.

[252] In the Matter of Advanced Methods to Target and Eliminate Unlawful Robocalls, Federal Communications Commission, Declaratory Ruling and Third Further Notice of Proposed Rulemaking, FCC 19-51 (June 6, 2019), available at https://docs.fcc.gov/public/attachments/FCC-19-51A1.pdf

[253] Id. at 12–13.

[254] 139 S. Ct. 2051 (2019).

[255] Id.

[256] Id.

[257] Id. at 2056.

[258] Id. at 2058.

[259] Id.

[260] Salcedo v. Hanna, 936 F.3d 1162, 1172 (11th Cir. 2019).

[261] 847 F.3d 1037, 1043 (9th Cir. 2017).

[262] Facebook, Inc. v. Duguid, Petition for Writ of Certiorari, No. 19-511 (U.S. Oct. 17, 2019) (“Facebook Petition”); Charter Commc’ns, Inc. v. Gallion, Petition for Writ of Certiorari, No. 19-575 (U.S. Nov. 1, 2019).

[263] 904 F.3d 1041 (9th Cir. 2018).

[264] Facebook Petition at 23–29.

[265] 885 F.3d 687 (D.C. Cir. 2018). Gibson Dunn represented the U.S. Chamber of Commerce, one of the petitioners, in this case.

[266] Barr v. Am Ass’n of Political Consultants Inc., No. 19-631 (U.S. Jan. 10, 2020) (granting certiorari).

[267] S. 151 116th Congress (2019-2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/151/text.

[268] Id.

[269] H.R. 3375 116th Congress (2019-2020), available at https://www.congress.gov/bill/116th-congress/house-bill/3375/text.

[270] 740 Ill. Comp. Stat. Ann. 14/20 (West 2008).

[271] 129 N.E.3d 1197 (Ill. 2019).

[272] Id. at 1206.

[273] 2019 WL 1049107 (Ill. App. Ct. Mar. 4, 2019).

[274] 409 F. Supp. 3d 612 (N.D. Ill. 2019).

[275] 2019 WL 6253807 (N.D. Ill. Nov. 22, 2019).

[276] Id. at *5.

[277] Id.

[278] 2019 WL 1560416 (Ill. App. Ct. Apr. 9, 2019).

[279] Id. at *4.

[280] See generally Plaintiff’s Unopposed Motion and Memorandum in Support of Preliminary Approval of Class Action Settlement, Dixon v. The Washington and Jane Smith Community-Beverly, 2019 WL 2445292 (N.D. Ill. May 9, 2019) (No. 1:17-cv-08033).

[281] See, e.g., Complaint, Yozze v. Universal Parks & Resorts Mgmt. Servs. LLC, No. 2019-CH-06366 (Ill. Cir. Ct. May 23, 2019); Complaint, Acaley v. Vimeo Inc., No. 2019-CH-10873 (Ill. Cir. Ct. Sept. 20, 2019); Complaint, Miracle-Pond v. Shutterfly Inc., No. 2019-CH-07050 (Ill. Cir. Ct. June 11, 2019).

[282] Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019).

[283] Id. at 1267.

[284] See David Thacker, Expediting changes to Google+, Google (Dec. 10, 2018), available at https://www.blog.google/technology/safety-security/expediting-changes-google-plus/; see also Douglas MacMillan & Robert McMillan, Google Exposed User Data, Feared Repercussions of Disclosing to Public, Wall Street Journal (Oct. 8, 2018), available at https://www.wsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194; Lily Hay Newman, A New Google+ Blunder Exposed Data from 52.5 Million Users, Wired (Dec. 10, 2018), available at https://www.wired.com/story/google-plus-bug-52-million-users-data-exposed/.

[285] Joint Stipulation and [Proposed] Order re Plaintiffs’ Filing of Amended Consolidated Complaint, In re Google Plus Profile Litig., No. 5:18-cv-06164-EJD (N.D. Cal. Feb. 20, 2019), ECF No. 35.

[286] Joint Stipulation and [Proposed] Order to Continue Hearing Date for Motion for Preliminary Approval, In re Google Plus Profile Litig., No. 5:18-cv-06164-EJD (VKD) (N.D. Cal. Dec. 5, 2019), ECF No. 55.

[287] Plaintiffs’ Notice of Motion for Preliminary Approval of Class Action Settlement, Exhibit 1 (Settlement Agreement), In re Google Plus Profile Litig., No. 5:18-cv-06164-EJD (VKD) (N.D. Cal. Jan. 6, 2020), ECF No. 57-2.

[288] Defendants’ Notice of Motion and Motion to Dismiss Consolidated Amended Complaint for Violation of the Federal Securities Laws and Memorandum of Points and Authorities in Support at 2, In re Alphabet, Inc., Sec. Litig., No. 4:18-CV-06245-JSW (N.D. Cal. May 31, 2019), ECF No. 71.

[289] Order on Motions to Dismiss, Motion to Stay, and Motion to Intervene, In re Facebook, Inc. S’holder Derivative Privacy Litig., No. 18-CV-01792-HSG (N.D. Cal. Mar. 22, 2019), ECF No. 113.

[290] Id. at 22.

[291] Plaintiffs’ First Amended Consolidated Shareholder Derivative Complaint, In re Facebook, Inc. S’holder Derivative Privacy Litig., No. 18-CV-01792-HSG (N.D. Cal. Dec. 17, 2019), ECF No. 142.

[292] Order Denying Defendant Facebook, Inc.’s Opposed Motion to Dismiss, or in the Alternative, to Stay Proceedings at 2, District of Columbia v. Facebook, No. 2018 CA 8715 B (D.C. Super. Ct. May 31, 2019).

[293] Id. at 24–29.

[294] Order Approving Stipulation of Dismissal, Mulder v. Wells Fargo Bank, N.A., No. 2:18-CV-00029 (W.D. Pa. Feb. 5, 2019), ECF No. 58.

[295] See Rojas v. HSBC Card Servs. Inc., 20 Cal. App. 5th 427, 430–35 (Ct. App. 2018).

[296] Order Granting Defendant’s Motion to Dismiss at 10, In re: Google Location History Litig., No. 5:18-cv-05062-EJD (N.D. Cal. Dec. 19, 2019), ECF No. 113.

[297] Id. at 19.

[298] Defendant Google LLC’s Motion to Dismiss Plaintiffs’ Consolidated Complaint, In re: Google Location History Litig., No. 5:18-cv-05062-EJD (N.D. Cal. May 28, 2019), ECF No. 87.

[299] Order Granting Defendant’s Motion to Dismiss, In re: Google Location History Litig., No. 5:18-cv-05062-EJD (N.D. Cal. Dec. 19, 2019), ECF No. 113.

[300] Id. at 2.

[301] Id.

[302] Complaint, Dinerstein v. Google, LLC, No. 19-cv-04311 (N.D. Ill. June 26, 2019), ECF No. 1; see also Amended Class Action Complaint and Demand for Jury Trial, Dinerstein v. Google, LLC, No. 19-cv-04311 (N.D. Ill. Oct. 8, 2019), ECF No. 42.

[303] Complaint at 2, Dinerstein v. Google, LLC, No. 19-cv-04311 (N.D. Ill. June 26, 2019), ECF No. 1.

[304] Id. at 17; Amended Class Action Complaint and Demand for Jury Trial at 2, Dinerstein v. Google, LLC, No. 19-cv-04311 (N.D. Ill. Oct. 8, 2019), ECF No. 42.

[305] Defendant Google LLC’s Motion to Dismiss Plaintiff’s Complaint, Dinerstein v. Google, LLC, No. 19-cv-04311 (N.D. Ill. Aug. 27, 2019), ECF No. 30; The University of Chicago and The University of Chicago Medical Center’s Motion to Dismiss, Dinerstein v. Google, LLC, No. 19-cv-04311 (N.D. Ill. Aug. 27, 2019), ECF No. 26.

[306] See FCA US LLC’s Motion to Decertify Classes, Flynn v. FCA US LLC, No. 3:15-CV-855-SMY-RJD (S.D. Ill. Nov. 11, 2019), ECF No. 550.

[307] United States Supreme Court Order List, United States Supreme Court, 18-398 (Jan. 7, 2019), available at https://www.supremecourt.gov/orders/courtorders/010719zor_m6ho.pdf.

[308] See FCA US LLC’s Motion for Summary Judgment and Brief in Support of its Motion for Summary Judgment, Flynn v. FCA US LLC, No. 3:15-CV-855-SMY-RJD (S.D. Ill. Nov. 11, 2019), ECF Nos. 561, 562; FCA US LLC’s Motion to Dismiss for Lack of Subject Matter Jurisdiction and Brief in Support of its Motion to Dismiss for Lack of Subject Matter Jurisdiction, Flynn v. FCA US LLC, No. 3:15-CV-855-SMY-RJD (S.D. Ill. Nov. 11, 2019), ECF Nos. 574, 575.

[309] See FCA US LLC’s Brief in Support of its Motion for Summary Judgment at 1, Flynn v. FCA US LLC, No. 3:15-CV-855-SMY-RJD (S.D. Ill. Nov. 11, 2019), ECF No. 562; FCA US LLC’s Brief in Support of its Motion to Dismiss for Lack of Subject Matter Jurisdiction, Flynn v. FCA US LLC, No. 3:15-CV-855-SMY-RJD (S.D. Ill. Nov. 11, 2019), ECF No. 575.

[310] See FCA US LLC’s Brief in Support of its Motion to Dismiss for Lack of Subject Matter Jurisdiction at 12, Flynn v. FCA US LLC, No. 3:15-CV-855-SMY-RJD (S.D. Ill. Nov. 11, 2019), ECF No. 575.

[311] Order Granting in Part and Denying in Part Defendant’s Motion to Dismiss, S.D. v. Hytto Ltd., D/B/A/ Lovense, No. 18-cv-00688-JSW (N.D. Cal. May 15, 2019), ECF No. 44.

[312] Letter Order, White v. Samsung Electronics America, Inc., No. 17-01775 (D.N.J. Aug. 21, 2019), ECF No. 104.

[313] Id. at 5.

[314] Id. at 6–7.

[315] See Defendant Samsung Electronics America, Inc.’s Brief in Support of Motion to Reconsider or, in the Alternative, Motion to Certify Order of August 21, 2019 for Interlocutory Appeal, White v. Samsung Elec. Am., Inc., No. 17-01775 (MCA) (SCM) (D.N.J. Sept. 4, 2019), ECF No. 105-1; Notice of Defendant Sony Electronics Inc. Joining Defendant Samsung Electronics America, Inc.’s Motion to Reconsider or, in the Alternative, Motion to Certify Order of August 21, 2019 for Interlocutory Appeal, White v. Samsung Elec. Am., Inc., No. 17-01775 (MCA) (SCM) (D.N.J. Sept. 4, 2019), ECF No. 106.

[316] See First Amended Class Action Complaint and Demand for Jury Trial at 2, B.F. and A.A. v. Amazon.com, Inc., No. 2:19-cv-00910 (W.D. Wash. July 8, 2019), ECF No. 24; Amended Class Action Complaint and Demand for Jury Trial, R.A. v. Amazon.com, Inc., 2:19-cv-06454-CJC-AGR (C.D. Cal. Sept. 18, 2019), ECF No. 42.

[317] First Amended Class Action Complaint and Demand for Jury Trial at 8, 18–33, B.F. and A.A. v. Amazon.com, Inc., No. 2:19-cv-00910 (W.D. Wash. July 8, 2019).

[318] Notice of Voluntary Dismissal, R.A. v. Amazon.com, Inc., 2:19-cv-06454-CJC-AGR (C.D. Cal. Dec. 6, 2019), ECF No. 45; Notice of Voluntary Dismissal by Plaintiffs A.A., B.F., S.M., C.M., and F.B., C.O. v. Amazon.com, Inc., 2:19-cv-910-RAJ-MLP (Dec. 10, 2019), ECF No. 95.

[319] Defendants’ Motion to Dismiss Plaintiffs’ Second Amended Complaint at 1, B.F. and A.A. v. Amazon.com, Inc., No. 2:19-cv-910-RAJ-MLP (W.D. Wash. Jan. 9, 2020), ECF No. 106.

[320] Order re Motions to Dismiss, McDonald v. Kiloo APS, 17-cv-04344-JD (N.D. Cal. May 22, 2019), ECF No. 270.

[321] Id.

[322] Scheduling Order, McDonald v. Kiloo APS, 17-cv-04344-JD (N.D. Cal. Dec. 19, 2019), ECF No. 316.

[323] Final Judgment, Ticketmaster L.L.C. v. Prestige Entm’t, Inc., No. 2:17-cv-07232-ODW (JCx) (C.D. Cal. July 8, 2019), ECF No. 101.

[324] Joint Motion to Dismiss, St. Paul Fire & Marine Ins. Co. v. Rosen Hotels & Resorts, Inc., No. 18-14427 (11th Cir. Dec. 27, 2019).

[325] Joint Motion to Dismiss, The Nat’l Bank of Blacksburg v. Everest Nat’l Ins. Co., No. 7:18-cv-00310-GEC (W.D. Va. Mar. 22, 2019), ECF No. 30.

[326] Complaint, Mondelez Int’l v. Zurich Am. Ins. Co., No. 2018L011008, 2018 WL 4941760 (Ill. Cir. Ct. Oct. 10, 2018).

[327] See Adam Satariano & Nicole Perlroth, Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong, N.Y. Times (Apr. 15, 2019), available at https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html?login=email&auth=login-email.

[328] Complaint, Mondelez Int’l v. Zurich Am. Ins. Co., No. 2018L011008 (Cir. Ct. Ill. Oct. 10, 2018).

[329] Id.

[330] See David Voreacos et al., Merck Cyberattack’s $1.3 Billion Question: Was It an Act of War?, Bloomberg (Dec. 2, 2019, 10:01 PM), available at https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war; see also Adam Satariano & Nicole Perlroth, Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong, N.Y. Times (Apr. 15, 2019), available at https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html?login=email&auth=login-email.

[331] 139 S. Ct. 1041 (2019) (per curiam).

[332] 136 S. Ct. 1540 (2016).

[333] Alasaad v. Nielsen, No. 17-cv-11730-DJC, 2019 WL 5899371, at *21 (D. Mass, Nov. 12, 2019).

[334] Id. at *8.

[335] Id. at *13.

[336] See Notice of Appeal, Alasaad v. Nielsen, No. 1:17-cv-11730 (D. Mass. Jan. 10, 2020), ECF No. 115; Notice of Appeal, Alasaad v. Nielsen, No. 1:17-cv-11730 (D. Mass. Jan. 13, 2020), ECF No. 117.

[337] In the Matter of Residence in Oakland, California, 354 F. Supp. 3d, 1010, 1013 (N.D. Cal. 2019).

[338] Id.

[339] Id. at 1016 (citing Doe v. United States, 487 U.S. 201, 219 (1988) (Stevens, J., dissenting); Fisher v. United States, 425 U.S. 391, 420 (1976)); see also In re Grand Jury Subpoena Duces Tecum, 670 F.3d 1335 (11th Cir. 2012) (holding that decryption and production of hard drives would implicate the Fifth Amendment privilege); United States v. Kirschner, 823 F. Supp. 2d 665, 669 (E.D. Mich. 2010) (holding that subpoena requiring defendant to provide password violated the Fifth Amendment); Securities and Exchange Commission v. Huang, No. 15-269, 2015 WL 5611644 (E.D. Pa. Sept. 23, 2015) (holding that passcodes to defendant’s work-issued phone is not corporate record and forcing him to produce personal passcodes violates the Fifth Amendment).

[340] In the Matter of the Search Warrant Application for the Cellular Telephone in United States v. Anthony Barrera, No. 19 CR 439, 2019 WL 6253812, at *7 (N.D. Ill. Nov. 22, 2019).

[341] Id. at *3 (internal quotations and citations omitted).

[342] Id.

[343] 18 U.S.C. § 2713.

[344] Id.; White Paper, Department of Justice, Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the Cloud Act, 4, 6 (April 2019), available at https://www.justice.gov/dag/page/file/1153436/download.

[345] Press Release, Department of Justice, U.S. and UK Sign Landmark Cross-Border Data Access Agreement to Combat Criminals and Terrorists Online (Oct. 3, 2019), available at https://www.justice.gov/opa/pr/us-and-uk-sign-landmark-cross-border-data-access-agreement-combat-criminals-and-terrorists.

[346] Id.

[347] See Coalition Statement to U.S. House, Senate Committees Re: U.S.-U.K. CLOUD Act Agreement (Oct. 29, 2019), available at https://epic.org/privacy/intl/USUK-CLOUD-Act-Letter-20191028.pdf.

[348] Press Release, European Commission, Criminal Justice: Joint Statement on the Launch of EU-U.S. Negotiations to Facilitate Access to Electronic Evidence (Sept. 25, 2019), available at https://ec.europa.eu/commission/presscorner/detail/en/STATEMENT_19_5890.

[349] Press Release, Department of Justice, Joint Statement Announcing United States and Australian Negotiation of a CLOUD Act Agreement by U.S. Attorney General William Barr and Minister for Home Affairs Peter Dutton (Oct. 7, 2019), available at https://www.justice.gov/opa/pr/joint-statement-announcing-united-states-and-australian-negotiation-cloud-act-agreement-us.

[350] White Paper, Department of Justice, Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the Cloud Act, 3 (Apr. 2019), available at https://www.justice.gov/dag/page/file/1153436/download.

[351] See, e.g., Katitza Rodriguez & Camille Fischer, A Race to the Bottom of Privacy Protection: The US-UK Deal Would Trample Cross Border Privacy Safeguards, Electronic Frontier Foundation (Oct. 4, 2019), available at https://www.eff.org/deeplinks/2019/10/race-bottom-privacy-protection-us-uk-deal-would-trample-cross-border-privacy; Press Release, EPIC, NGOs Object to U.S.-U.K. CLOUD Agreement, Urge Congressional Action, Electronic Privacy Information Center (Oct. 29, 2019), available at https://epic.org/2019/10/ngos-object-to-us-uk-cloud-agr.html.

[352] Office of the Dir. of Nat’l Intelligence, Release of Documents Related to the 2018 FISA Section 702 Certifications (Oct. 8, 2019), available at https://www.intel.gov/index.php/ic-on-the-record-database/results/951-release-of-documents-related-to-the-2018-fisa-section-702-certifications.

[353] Office of the Dir. of Nat’l Intelligence, Release of Documents Related to the 2018 FISA Section 702 Certifications (Oct. 8, 2019), available at https://www.intel.gov/index.php/ic-on-the-record-database/results/951-release-of-documents-related-to-the-2018-fisa-section-702-certifications.

[354] Id.

[355] Complaint at 1–2, Am. Civil Liberties Union et al. v. United States Dept. of Justice et al., No. 1:19-cv-12242 (D. Mass. Oct. 31, 2019).

[356] Am. Civil Liberties Union Director, The FBI is Tracking Our Faces in Secret. We’re Suing (Oct. 31, 2019), available at https://www.aclu.org/news/privacy-technology/the-fbi-is-tracking-our-faces-in-secret-were-suing/.

[357] Complaint at 2, Am. Civil Liberties Union et al. v. United States Dept. of Justice et al., No. 1:19-cv-12242 (D. Mass. Oct. 31, 2019).

[358] Saira Hussain, Elec. Frontier Found., ICE’s Rapid DNA Testing on Migrants at the Border Is Yet Another Iteration of Family Separation (Aug. 2, 2019), available at https://www.eff.org/deeplinks/2019/08/ices-rapid-dna-testing-migrants-border-yet-another-iteration-family-separation.

[359] Complaint at 5 & 7, Elec. Frontier Found. v. United States Dep’t of Homeland Sec., No. 3:19-cv-07431 (N.D. Cal. Nov. 12, 2019).

[360] Complaint at 2, Am. Civil Liberties Union et al. v. United States Dept. of Justice et al., No. 1:19-cv-12242 (D. Mass. Oct. 31, 2019).

[361] Id. at 3.

[362] Id.

The following Gibson Dunn lawyers assisted in the preparation of this client update: Ryan Bergsieker, Alexander Southwell, Timothy Loose, Roscoe Jones Jr., Ashley Rogers, Daniel Rauch, Reuben Aguirre, Jennifer Bracht, Chris Connelly, Meghan Dunn, Sarah Erickson-Muschko, Cassandra Gaedt-Sheckter, Julie Hamilton, Doriel Jacov, Nicole Lee, Reid Rector, Jacob Rierson, Isabella Sayyah, Jeremy Smith, Danny Weiner, and Lisa Victoria Zivkovic.

Gibson Dunn’s lawyers are available to address any privacy or cybersecurity concerns your business may face. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

Privacy, Cybersecurity and Consumer Protection Group:

Europe
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0)20 7071 4250, [email protected])
Patrick Doris – London (+44 (0)20 7071 4276, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0)20 7071 4203, [email protected])

Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

Questions about SEC disclosure issues concerning data privacy and cybersecurity also may be addressed to the following practice leaders:

Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, [email protected])
James J. Moloney – Orange County, CA (+ 949-451-4343, [email protected])
Lori Zyskowski – New York (+1 212-351-2309, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

London partner Benjamin Fryer and associate Barbara Onuonga are the authors of “The year in review,” [PDF] published in Financial Instruments Tax & Accounting Review in December 2019/January 2020. Fryer and Onuonga provide an overview of some of the key UK tax developments in 2019 with potential implications for the financial services sector.

Washington, D.C. partner Kristen Limarzi is the author of “Facebook Is Not An Illegal Monopoly,” [PDF] published by Law360 on January 24, 2020.

Between claims of “financial carpet bombing” and dire warnings regarding the “weaponization” of the U.S. dollar, it was difficult to avoid hyperbole when describing the use of economic sanctions in 2019. Sanctions promulgated by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) have become an increasingly prominent part of U.S. foreign policy under the Trump administration. For the third year in a row, OFAC blacklisted more entities than it had under any previous administration, adding an average of 1,000 names to the Specially Designated Nationals and Blocked Persons (“SDN”) List each year—more than twice the annual average increase seen under either President Barack Obama or President George W. Bush. Targets included major state-owned oil companies such as Petróleos de Venezuela, S.A. (“PdVSA”), ostensible U.S. allies such as Turkey (and—almost—Iraq), major shipping lines, foreign officials implicated in allegations of corruption and abuse, drug traffickers, sanctions evaders, and more. As if one blacklisting was not enough, some entities had the misfortune of being designated multiple times under different regulatory authorities—each new announcement resulting in widespread media coverage if little practical impact. At last count, Iran’s Islamic Revolutionary Guard Corps (“IRGC”) has been sanctioned under seven separate sanctions authorities. Eager to exert its own authorities in what has traditionally been a solely presidential prerogative, in 2019 the U.S. Congress proposed dozens of bills to increase the use of sanctions. Compounding the impact of expansive new sanctions, OFAC’s enforcement penalties hit a record of more than U.S. $1.2 billion.

While President Obama described his sanctions team as his favorite “combatant command” (likening it to the traditional military forces employed by the United States), President Trump has truly unleashed the power of OFAC sanctions—employing them frequently, quickly, and unilaterally. The Trump administration announced new sanctions 82 times in 2019—eclipsing the previous record set in 2018. Much to the chagrin of the regulated community, more than one-quarter of the announcements in 2019 were made on a Friday. Under prior administrations, U.S. officials tried to avoid such late-week announcements to ensure that new designations were implemented consistently within the business week on both sides of the Atlantic. The willingness to impose Friday measures is an underappreciated indication of the breakdown in multilateral support for the use of U.S. sanctions, as well as the United States’ increasing willingness to go it alone.

This lack of multilateral sanctions engagement, however, should not be read as an indication that other jurisdictions are cooling to the idea of sanctions—quite the opposite. The United Kingdom, as a part of its Brexit process, announced that it would adopt existing European Union sanctions into its own domestic law in addition to promulgating independent, domestic measures that, at least initially, will target human rights abusers. The remainder of the European Union continued to threaten new measures against the regime of Venezuela’s Nicolás Maduro, paved the way for new sanctions against Iran by initiating the dispute resolution process allowed for under the Joint Comprehensive Plan of Action (“JCPOA”), and is considering sanctions targeting gross human rights violations. Meanwhile, companies began turning to the EU Blocking Statute—which aims to prohibit EU actors from complying with certain extraterritorial aspects of U.S. sanctions—to strengthen their position in contractual negotiations, disputes, and litigation.

Both China and Russia also proposed counter-sanctions in 2019 against parties who comply with U.S. measures. While China’s “unreliable suppliers” list has yet to be formalized and its sole counter-sanctions have thus far focused on non-economic actors (principally non-government organizations supportive of the Hong Kong democracy movement), and as of this writing Russian counter-sanctions remain un-enacted by the Duma, we expect the use of such counter-sanctions to increase in 2020.

Though it is hard to predict how sanctions will develop going forward, we feel it is safe to assume that sanctions will remain a centerpiece of the current U.S. administration’s approach to the world in 2020. We expect other world powers—both established and emerging—to respond in kind.

As the following charts illustrate, the two-decades-long trend toward increasing use of U.S. sanctions continued apace in 2019 and shows no signs of stopping during the year ahead.

OFAC Designations

Chart - New Additions to OFAC Sanctions Lists by Year

OFAC Sanctions Actions

Annual Sanctions Actions Announced by OFAC

OFAC Monetary Penalties

Chart - Total OFAC Civil Enforcement Penalties by Year

I. Major U.S. Program Developments

A. Iran

When the United States abandoned the JCPOA and fully re-imposed nuclear sanctions on Iran in November 2018, the Trump administration warned that the United States would exert “maximum economic pressure” on all facets of the Iranian economy to both deter Iran’s “malign activities”—including its support for terrorism, missile proliferation, and regional disruption—and drive Iran back to the negotiating table. True to its word, the Trump administration continued to increase sanctions pressure on Iran and its trading partners in 2019 and expanded its enforcement efforts to new industries and institutions. Iran responded by pulling back from its commitments under the JCPOA, seeking alternative paths to avoid U.S. jurisdiction, and ramping up its provocative use of force. Hostilities with Iran escalated sharply by the end of the year—U.S. and Iranian-backed militias exchanged airstrikes and rocket attacks in late December, culminating in a militia-led breach of the U.S. embassy compound in Baghdad on December 31. When a U.S. airstrike killed Iranian General Qassem Soleimani on January 3, 2020, Iran vowed to retaliate, later carrying out a missile strike on two Iraqi military bases hosting U.S. troops. President Trump responded to this latest Iranian missile strike by promising the imposition of “additional punishing economic sanctions on the Iranian regime,” a promise that left many observers questioning whether anything in Iran was left to be sanctioned.

In pursuing “maximum economic pressure,” the United States has not only targeted new industries and entities but also has ramped up pressure on previously sanctioned persons. On April 8, 2019, as we described here, the United States designated the already-sanctioned IRGC as a foreign terrorist organization (“FTO”). Until this designation, the FTO label had been exclusively used on non-state actors, such as Al-Qaeda or the Islamic State of Iraq and Syria (“ISIS”). The FTO designation has limited practical impact, as the IRGC was already designated under several OFAC sanctions programs—including those related to counterterrorism.

As we discussed here, Iranian President Hassan Rouhani announced on May 8, 2019 that Iran would stop complying with the JCPOA’s limitations on Iran’s domestic build-up of enriched uranium and heavy water, and that same day President Trump signed an executive order authorizing new sanctions relating to the iron, steel, aluminum, and copper sectors of the Iranian economy.

Notably, Iran has responded to increasing economic pressure—particularly on Iranian banks—by seeking alternative tools to finance its operations. Specifically, U.S. sanctions effectively cut off Iran’s access to dollars and euros and contributed to a sharp drop in the value of the Iranian rial, making Iran’s foreign reserve currencies an increasingly important tool for the support of Iran’s activities in Iraq, Lebanon, Syria, and Yemen. According to OFAC, Iran used a network of Turkish and Emirati foreign exchange houses and front companies to exchange rials for foreign currencies used by a designated Iranian bank to support the IRGC’s Qods Force (“IRGC-QF”) and Iran’s Ministry of Defense and Armed Forces Logistics (“MODAFL”)—both of which have been designated to the SDN List. The United States responded to this workaround by designating 25 Iranian, Turkish, and Emirati exchange houses, trading companies, and officials on May 26, 2019. Rather than relying on its Iran sanctions authorities, OFAC used its counterterrorism sanctions—as it would later against Iran’s central bank—to ensure maximum impact. Entities designated under that program are not only subject to the broad sanctions restrictions typically imposed on SDNs but also may not participate in humanitarian trade with Iran—a category of activity generally exempt from sanctions restrictions. The designations also underscored OFAC’s willingness to extend its maximum economic pressure campaign to Iran’s international supporters, a possible harbinger of things to come in 2020.

In 2019, the United States continued to roll back sanctions relief that it had previously provided to other countries, including waivers that allowed certain jurisdictions to continue importing Iranian oil. In particular, waivers granted to China, India, South Korea, Japan, Italy, Greece, Taiwan, and Turkey allowed those jurisdictions to continue importing Iranian oil without being sanctioned by the United States, provided that those jurisdictions significantly reduced their Iranian oil imports. Our analyses of these temporary waivers, also known as Significant Reduction Exceptions (“SREs”), can be found here and here. The Trump administration also announced that, as part of its maximum pressure campaign, no further SREs would be issued and warned that those who continued to trade in Iranian crude would be sanctioned. The expiration of the SREs had relatively little effect on Taiwan, Italy, and Greece, which reportedly ceased importing oil from Iran long before the announcement.

By contrast, China increased its purchases of Iranian oil, cementing its status as Iran’s biggest customer. According to the U.S. State Department, China continued to purchase oil from Iran following the expiration of its SRE in May. In response, the Trump administration made good on its earlier warning—quickly sanctioning a Chinese state-owned oil trading company and its CEO in July. In announcing the designation, Secretary of State Mike Pompeo emphasized that the United States takes its secondary sanctions seriously and “will sanction any sanctionable behavior.” That warning, combined with the speed of the designation and the targeting of a state-owned firm, sent a clear signal that the Trump administration would continue aggressively applying maximum economic pressure both within and outside Iran.

In one of the more disruptive sanctions actions of the past year, OFAC on September 25, 2019, designated two subsidiaries of the giant Chinese company COSCO Shipping Corporation Ltd. (“COSCO”) for their involvement in transporting Iranian oil. While this action targeted only approximately 40 vessels belonging to the two designated entities (and their majority-owned subsidiaries), by not identifying those vessels by name the designation caused confusion to ripple through world markets regarding which among the approximately 1,100 vessels in the larger COSCO fleet were actually subject to U.S. sanctions. In an abundance of caution, many counterparties temporarily ceased doing business with all COSCO vessels—leaving numerous ships and their cargo stranded at sea. This confusion dissipated only after OFAC issued guidance indicating that non-U.S. persons that continue to deal with COSCO post-designation will generally not be at risk of U.S. sanctions exposure provided that such dealings do not involve Iran or otherwise have any U.S. nexus, and also issued a general license authorizing U.S. person involvement in transactions and activities ordinarily incident to the maintenance and wind down of pre-existing contracts involving one of the two sanctioned COSCO entities and its vessels.

In another example of the Trump administration’s maximum pressure campaign reaching beyond the typical industries, OFAC released an advisory on July 23, 2019 warning of Iran’s deceptive practices in the civil aviation industry and the heightened risk of enforcement actions against those that engage with Iran. The advisory formally put the global commercial aviation industry on notice of the role Iranian commercial airlines play in providing services to the Iranian government and military, as well as the deceptive practices commonly used to acquire U.S.-origin aircraft and related goods—including using front companies, misrepresenting that sanctions have been lifted, and falsely claiming OFAC authorization. The guidance specifically called out Mahan Air—designated in 2011 for its support of the IRGC-QF—for flying several flights per week with fighters and weapons to Damascus, and flying back the bodies of Iranian soldiers killed in Syria. The industry advisory used more than just the threat of sanctions to urge the civil aviation industry to avoid Mahan, noting that Germany and several other countries deny Mahan landing rights and urging others to do the same, as well as warning that Mahan has failed to pay its debt obligations.

As sanctions began to bite, economic tensions escalated to physical conflict. In September, Iran conducted airstrikes on Saudi Arabian oil facilities. The United States responded by imposing additional sanctions on the Central Bank of Iran (“CBI”) and Iran’s sovereign wealth fund on September 20. The United States accused those entities of supporting the IRGC, its Qods Force, and Hezbollah, and designated them using OFAC’s primary counterterrorism authority. Although President Trump characterized these designations as the “highest sanctions ever imposed on a country,” these sanctions in fact marked the latest in a series of actions targeting the CBI, including its earlier designation to the SDN List in November 2018. OFAC had also previously sanctioned senior CBI officials for their involvement in transactions supporting the IRGC and its Qods Force. These earlier sanctions already prohibited U.S. persons from engaging in transactions involving CBI and its designated officers, and non-U.S. persons were already subjected to secondary sanctions for doing so.

The new counterterrorism designations primarily impact the ability of U.S. and non-U.S. persons to provide food, other agricultural products, medicine, and medical devices to Iran. Such humanitarian goods can typically be provided to Iran pursuant to a general license. However, the license expressly prohibits the involvement of persons designated under OFAC’s counterterrorism sanctions—now including the CBI. Given the CBI’s key role in financing and otherwise facilitating humanitarian trade with Iran, many were concerned that the provision of humanitarian items to Iran had effectively become unlawful or sanctionable.

In response to these concerns, OFAC announced that it would implement a new mechanism to identify compliant financial channels to support humanitarian exports to Iran. According to Brian Hook, the U.S. Special Representative for Iran, the new financing channel would “make it easier for foreign governments, financial institutions, and private companies to engage in legitimate humanitarian trade on behalf of the Iranian people while reducing the risk that money ends up in the wrong hands.”

Under the new program, OFAC will provide written confirmation, or “comfort letters,” that proposed financial channels are not exposed to U.S. sanctions. However, to obtain these comfort letters, exporters of humanitarian items, foreign financial institutions, and foreign governments will be required to provide, on an ongoing basis, a significant amount of detailed information about their Iran-related activities and the proposed payment channel. Specifically, OFAC will require those seeking written confirmation to submit monthly reports that include detailed information about Iranian customers, their beneficial ownership, the seller of the items for export, the items included in the proposed exports, and the path of the export. Those who obtain written confirmation from OFAC will also be required to inform OFAC if they discover that their Iranian customers have misused the financial channel for non-humanitarian purposes. As of this writing, we are aware of no companies that have yet taken OFAC up on its offer.

On December 11, 2019, OFAC followed its warning to the civil aviation industry with the designation of three of Mahan’s general sales agents, which are third parties that provide services to an airline under the airline’s brand. None of the sales agents are based in Iran; the designated entities are registered in the United Arab Emirates and China. They were all designated purely for acting on behalf of Mahan Air, and were not alleged to have specifically been involved in flights to and from Syria.

On January 10, 2020, OFAC announced the designation of several senior Iranian government officials, as well as Iran’s largest steel, aluminum, copper, and iron manufacturers, a number of Iranian metal producers, and several Chinese and Seychellois companies involved in the purchase of Iranian metals. The President also issued a new executive order authorizing OFAC to designate entities operating in Iran’s construction, mining, manufacturing, or textile sectors or any other sector of the Iranian economy determined by the U.S. Secretary of the Treasury and authorizing the imposition of secondary sanctions for any entity that supports Iranian companies designated under the new authority. Following the U.S. drone strike that killed General Soleimani, Iran again announced that it would further reduce its commitments to restrain its nuclear program and would no longer comply with the restrictions on the number of centrifuges it may operate. The most meaningful response to Iran’s actions may come from the European Union which has triggered the dispute mechanism under the JCPOA—which could lead to the automatic re-imposition of sanctions against Iran.

With much of Iran now subject to comprehensive, sometimes overlapping sanctions regimes, it is not clear whether and how the Trump administration will continue to increase sanctions pressure on Iran. OFAC may target additional Iranian government officials, and 2020 will likely see designations under the newly released executive order targeting Iran’s construction, mining, manufacturing, and textiles sectors. If past is prologue, the Trump administration may also begin imposing secondary sanctions more robustly in an effort to further cut off Iran’s international support. These measures may have limited practical impact, however, as many non-U.S. entities have already decided not to participate in the Iranian economy out of concern for the tightening network of U.S. secondary sanctions.

B. Venezuela

U.S. sanctions targeting the regime of Venezuela’s President Nicolás Maduro significantly expanded in 2019, as the Trump administration designated the giant state-owned oil company PdVSA, the country’s central bank, and ultimately the entire Government of Venezuela. These seismic shifts in U.S. policy were prompted by a power struggle in Caracas between Nicolás Maduro and Juan Guaidó, the head of Venezuela’s National Assembly, that witnessed dueling claims to the presidency, widespread public protests, and an abortive military uprising. Against that tumultuous backdrop, the United States sought to hasten the transition to a democratically elected government by imposing more than 20 rounds of sanctions designed to deny the Maduro regime the financial resources to sustain its hold on power. In addition to designating progressively broader segments of the Venezuelan state, the Trump administration during 2019 also expanded U.S. sanctions to target Venezuela’s oil, financial, and defense and security sectors; a growing list of senior regime officials; as well as President Maduro’s perceived enablers in Russia and Cuba.

The rapid evolution of U.S. sanctions on Venezuela began immediately after the new year. In January 2019, Nicolás Maduro was inaugurated for a second term as president following an election widely described by outside observers as neither free nor fair. Within days, Juan Guaidó, acting as head of the National Assembly—the country’s sole remaining democratic institution—invoked a provision of Venezuela’s constitution to declare himself the country’s interim leader. (Guaidó’s claim to be Venezuela’s lawful head of state has since been recognized by the United States and nearly 60 other countries.) In a protective action designed to deny Maduro and his inner circle access to oil revenues and to prevent the regime from looting state assets, the Trump administration on January 28, 2019, imposed sanctions on the state-owned oil company PdVSA—by far the most economically significant actor in Venezuela’s oil-driven economy and one of the largest companies ever designated by OFAC. PdVSA’s designation and its implications are described at length in an earlier client alert, available here. Underscoring the strong U.S. policy interest in preserving PdVSA for use in rebuilding Venezuela’s economy under a post-Maduro government, OFAC has issued and repeatedly extended general licenses authorizing certain transactions involving PdVSA’s main U.S. subsidiary CITGO, as well as the activities of five named U.S. oil and oil services companies that operate joint ventures with PdVSA.

As the year progressed, the Trump administration continued to make use of the authorities set forth in Executive Order 13850—which empowers the U.S. Secretary of the Treasury to impose sanctions on persons who operate in the gold sector of the Venezuelan economy, and any other sector the Secretary deems appropriate—to target areas of the Venezuelan economy that generate large amounts of hard currency and are especially prone to corruption. In particular, OFAC during 2019 used this authority to impose sanctions on specific individuals and entities operating in the gold, oil, financial, and defense and security sectors of Venezuela’s economy. Among the targeted entities were the state gold mining company, Minerven; PdVSA’s majority-owned subsidiaries; Venezuela’s national development bank, BANDES, and four of its affiliates, including the prominent commercial lender Banco de Venezuela; and the Central Bank of Venezuela. Taken together, these measures sharply constrained the Maduro regime’s access to capital and closed off key channels for transferring funds in and out of Venezuela.

In August 2019, the United States went further and imposed sanctions on the entirety of the Government of Venezuela, including all of its agencies and political subdivisions. Importantly, however, this measure did not impose sanctions on all transactions involving the country of Venezuela and its practical impact was limited by the fact that the most economically significant arms of the Venezuelan state—including the national oil company, PdVSA, and its various subsidiaries, along with the country’s central bank—were already subject to U.S. sanctions. OFAC then further cabined this action by issuing general licenses—common across even the most restrictive U.S. sanctions programs (such as those targeting Cuba, Iran, North Korea, and the Crimea region)—authorizing certain transactions that involve the Venezuelan government and that are associated with telecommunications/mail; technology allowing internet communication; medical services; registration and defense of intellectual property; support for non-governmental organizations; transactions related to port and airport operations; overflight payments; and personal maintenance of U.S. persons inside Venezuela. Further details regarding this action can be found in our August 2019 client alert.

Throughout the past year, the United States also sought to target the Maduro regime’s perceived enablers, both within Venezuela and abroad. Consistent with past practice, the United States continued to designate a steady stream of senior Venezuelan government officials, including the country’s foreign minister and various members of the security services. Such designations appear designed both to punish previous bad behavior by senior officials—including corruption, mismanagement and the breakdown of democratic institutions—and to deter other officials from engaging in similar conduct in the future. Additionally, the Trump administration designated numerous foreign actors—principally from Russia and Cuba—for providing a financial lifeline to the government in Caracas. For example, in March 2019, OFAC designated the Russian-Venezuelan financial institution Evrofinance Mosnarbank for helping the regime to evade U.S. sanctions by, among other things, financing Venezuela’s cyber currency, the Petro. OFAC, across multiple actions, also designated dozens of companies and vessels involved in the Venezuela-Cuba oil trade, and has strongly suggested that Russian and Chinese individuals and entities may be sanctioned if they continue to prop up the Maduro regime.

Finally, amid a year of sweeping changes to the Venezuela sanctions program, OFAC has repeatedly emphasized that “U.S. sanctions need not be permanent and are intended to bring about a positive change of behavior.” Even if such an “off ramp” to sanctions has always existed—and parties do come off the SDN List—OFAC’s announcement that it would be amenable to de-listing parties if they manifest a change in behavior is new. Along those lines, the Trump administration has held out the prospect of sanctions relief for individuals and entities that renounce their previous support for President Maduro—an enticement OFAC has touted by de-listing the former head of Venezuela’s intelligence service, along with numerous shipping companies and vessels that had discontinued their Venezuela-related business activities and implemented sanctions compliance measures. Moreover, OFAC has indicated in published guidance that it is prepared to swiftly lift sanctions on PdVSA, and presumably the Government of Venezuela itself, upon a transfer of control “to Interim President Juan Guaidó or a subsequent, democratically elected government.” Accordingly, just as the United States rapidly tightened sanctions on Venezuela during 2019, there remains the possibility, if President Maduro were to fall, that U.S. sanctions could be eased just as quickly.

C. Cuba

In 2019, the Trump administration continued to reverse the Obama administration’s easing of measures on Cuba. In April 2019, President Trump removed a more than two-decades-long restriction on American citizens’ ability to bring suit over property confiscated by the Cuban regime. Title III of the Cuban Liberty and Democratic Solidarity (LIBERTAD) Act of 1996, commonly known as the Helms-Burton Act, authorizes U.S. citizens and companies whose property was confiscated by the Cuban government to sue those that “traffic” in that confiscated property. Since the Act’s entry into force in 1996, Presidents of both parties had continuously suspended the availability of this cause of action. As we discussed here, by lifting this suspension President Trump has—for the first time—opened up U.S. federal courts to a new type of lawsuit, which has important implications not only for U.S. relations with Cuba but also with countries that continue to operate in Cuba.

Title III actions can be based on claims certified by the Foreign Claims Settlement Commission of the United States (“FCSC”)—a quasi-judicial, independent federal agency created by the International Claims Settlement Act of 1949 (“certified claims”), or claims that have not been adjudicated by the FCSC process (“uncertified claims”). There are currently 6,000 certified claims, and by the State Department’s estimate, up to 200,000 uncertified claims. We have not yet witnessed a flood of litigation; rather, the filing of new Title III cases has averaged a little over two cases per month. By Gibson Dunn’s count, there have been 21 Title III cases filed in federal court to date, with the vast majority in the Southern District of Florida. Many of these cases were brought against defendants in the tourism industry, including airlines, cruise lines, hotels, and travel technology companies, with a number related to other industries such as oil refining, banking, and farming.

Also in April 2019, the Trump administration struck down a December 2018 deal between Major League Baseball (“MLB”) and the Cuban Baseball Federation (“CBF”) in which Cuban athletes would have been allowed to play in the United States without defecting. Under the MLB-CBF deal, an MLB team could sign a CBF player if it, among other things, paid the CBF a fee equivalent to 25% of the player’s signing bonus. (A similar arrangement exists for foreign players from other countries such as Japan.) The deal was originally thought to be authorized under a license established by the Obama administration that allowed the hiring of a Cuban national as long as payments were not made to the Cuban government in connection with such hiring. Per a senior Trump official, although this license remains in effect, the CBF is considered a part of the Cuban government and, as a result, the MLB-CBF deal as structured was illegal.

In June 2019, OFAC announced it would no longer authorize “people-to-people” educational group travel, which had allowed an organization subject to U.S. jurisdiction to sponsor exchanges that promoted contact with Cuban locals. Those travelers who had completed at least one travel-related transaction (e.g., purchasing a flight, booking a hotel) prior to June 5, 2019 were grandfathered in and allowed to proceed with their trip. Notably, OFAC left intact the “support for the Cuban people” travel authorization which also allows travel to Cuba but under strict conditions, such as avoiding all state-run businesses and institutions.

At the same time, the U.S. Commerce Department’s Bureau of Industry and Security (“BIS”), in coordination with OFAC, instituted a policy of denying licenses for passenger and recreational vessels (e.g., cruise ships, yachts), and private and corporate aircraft, to travel to Cuba on temporary sojourn. Moreover, such vessels and aircraft were made ineligible for license exceptions. This policy change left cruise lines scrambling to modify their trips.

In September 2019, OFAC announced a number of changes to the general license allowing for remittances to Cuba. First, the amount that one remitter can send to one Cuban national was capped at $1,000 per quarter. Second, close relatives of Cuban government officials or Cuban Communist Party officials could no longer be the recipients of such remittances. (The officials themselves had already been barred.) Third, “donative” remittances to certain individuals and organizations under 31 C.F.R. § 515.570(b) were eliminated. In that same action, OFAC also created a new authorization that allows for remittances to “self-employed individuals,” which includes small business owners, contractors, and farmers.

At the same time, OFAC announced changes to the “U-Turn” general license. The U-Turn license authorized U.S. financial institutions to “process fund transfers originating and terminating outside the United States, provided that neither the originator nor the beneficiary is a person subject to U.S. jurisdiction.” In effect, this allowed transactions between a Cuban national and a non-U.S. person, occurring outside the United States, to be conducted using U.S. dollars processed through the U.S. financial system via correspondent accounts maintained at U.S. intermediary banks. Now, such institutions are required to reject requests for these transactions. While this change dramatically limits the ability of Cubans to transact in U.S. dollars, notably banks are not required to block the funds at issue.

The Trump administration gave the same rationale for these financial restrictions as they did for the travel restrictions months earlier. As Treasury Secretary Steven Mnuchin expressed it, by imposing these restrictions, the United States is “hold[ing] the Cuban regime accountable for its oppression of the Cuban people and support of other dictatorships throughout the region, such as the illegitimate Maduro regime.”

In October 2019, citing Cuba’s “destructive behavior at home and abroad,” BIS amended the Export Administration Regulations (“EAR”) in a number of ways to further restrict exports and re-exports of items to Cuba. First, licenses to lease aircraft to Cuban state-owned airlines were revoked, and a general policy of denying future applications was instituted. Second, the de minimis level was revised downward for Cuba from 25% to 10%, meaning that items with at least 10% Cuban content would be subject to EAR restrictions. Third, the “Support for the Cuban People” license exception was limited in a number of ways, including barring donations to organizations controlled by or administered by the Cuban government or the Cuban Communist Party.

In addition to changes to the Cuba sanctions regulations, the Trump administration has consistently added Cuban persons and entities to the blacklist for their support of Venezuela’s Maduro regime. As discussed above, numerous shipping entities and vessels that have transported Venezuelan oil to Cuba have been sanctioned along with Cuban state-owned oil companies and individual Cuban government officials. Cuba’s defense minister, for example, has been barred by the U.S. State Department from entry into the United States for his actions “prop[ping] up the former Maduro regime in Venezuela.”

D. North Korea

Amid the stalled nuclear negotiations between President Trump and North Korean leader Kim Jong Un, the United States over the past year continued to target the illicit movement of goods in and out of North Korea. On March 21, 2019, OFAC published an advisory to address North Korea’s illicit shipping practices (the “North Korea Advisory”). That document serves as a comprehensive guide to key participants in the shipping trade, such as ship owners, financial institutions, brokers, oil companies, port operators, and insurance companies, and includes an overview of sanctions specific to the shipping industry. The North Korea Advisory also includes updated information about North Korea’s deceptive shipping practices, as well as additional guidance for members of the shipping industry on how to mitigate the risk of involvement in these practices.

According to OFAC, North Korea has been resorting to certain tactics to mask the identities of vessels and cargo in order to evade U.S. sanctions. These tactics include: (i) disabling a vessel’s location-tracking Automatic Identification System (“AIS”); (ii) physically altering a vessel’s identification or International Maritime Organization number; (iii) engaging in ship-to-ship transfers to conceal the origin or destination of the transferred cargo; (iv) falsifying cargo and vessel documents; and (v) manipulating data transmitted via AIS. To counter these deceptive practices, the North Korea Advisory encourages persons involved in shipping-related transactions to adopt certain risk mitigation measures, including but not limited to, carrying out necessary diligence to verify the identity of vessels, reviewing all applicable shipping documentation, and monitoring for AIS manipulation and disablement. The North Korea Advisory also identifies, in a series of annexes, 18 vessels believed to have engaged in ship-to-ship transfers with North Korean tankers, plus 49 vessels that are believed to have exported North Korean coal since the United Nations Security Council Resolution 2371 was passed on August 5, 2017.

Throughout 2019, OFAC continued to designate individuals and entities involved in the shipping industry for facilitating North Korean trade. On March 21, 2019, OFAC designated two Chinese shipping companies for their dealings with North Korea, citing the routine use of deceptive practices that enabled EU-based North Korean procurement officials to operate and purchase goods for the Kim regime. On August 30, 2019, OFAC announced North Korea-related designations of two individuals and three entities from Taiwan and Hong Kong for participating in illicit “ship-to-ship transfers” to enable North Korea’s import of refined petroleum products. Finally, U.S. prosecutors continued to pursue civil forfeiture actions against companies engaged in the illicit shipment of goods to North Korea, relying in many instances on money laundering or bank fraud charges in addition to violations of OFAC sanctions.

E. Russia

In 2019, OFAC took additional measures to address and combat Russia’s past and current attempts at interfering in the U.S. electoral process. On September 30, 2019, OFAC took its first action under Executive Order 13848, targeting Russia’s Internet Research Agency (“IRA”) and its financier, Yevgeniy Prigozhin, as well as entities, individuals, and assets associated with them, for their efforts to interfere with the 2018 midterm elections. Executive Order 13848, which was announced in September 2018, blocks all property in the United States of those who have “directly or indirectly engaged in, sponsored, concealed, or otherwise been complicit in foreign interference in a United States election,” as well as those found to have provided support for election interference. The action’s practical impact was limited by the fact that both the IRA and Prigozhin were previously designated in March 2018 under Executive Order 13694, which the Obama administration implemented to target “malicious cyber actors,” as were four of the six IRA members who were designated in this action. Adding additional pressure to Prigozhin, OFAC designated three of his private aircraft, a yacht, and three entities that operated those vessels.

On August 3, 2019, the Trump administration announced that OFAC will be issuing a second round of sanctions in response to Russia’s use of the Novichok nerve agent in the United Kingdom in March 2018. The Chemical and Biological Weapons Control and Warfare Elimination Act of 1991 (the “CBW Act”) requires, in the event that the President determines that a foreign government has used chemical or biological weapons, two rounds of sanctions. This second round of CBW Act sanctions prohibits U.S. banks, including foreign branches, from participating in the primary market for non-ruble denominated bonds issued by Russia and from issuing non-ruble denominated loans to Russia. As detailed in our 2018 Year-End Sanctions Update, the first round of sanctions were imposed on August 22, 2018. Though initially expected in November 2018, the second round of sanctions was not implemented until August 26, 2019, over a year after the first round’s implementation.

As described in detail here, on April 6, 2018, OFAC significantly enhanced the impact of sanctions against Russia by blacklisting almost 40 Russian oligarchs, officials, and their affiliated companies pursuant to Obama-era sanctions, as modified by the Countering America’s Adversaries Through Sanctions Act of 2017. On December 19, 2018, OFAC de-listed three entities that had been related to sanctioned oligarch Oleg Deripaska after the companies took significant steps to disentangle from Deripaska’s ownership.

Several months later, on March 15, 2019, Deripaska sued the Secretary of the Treasury, the Department of the Treasury, and OFAC in U.S. federal court in order to reverse the sanctions imposed upon him. Deripaska argued that OFAC acted outside the bounds of its authority by including him on “an arbitrarily contrived list of ‘oligarchs’” and that “[t]he effects of these unlawful sanctions has been the wholesale devastation of [his] wealth, reputation, and economic livelihood.” Although the U.S. government has filed a motion to dismiss (and, in the alternative, motion for summary judgment) and Deripaska has submitted his opposition, the court has stayed the motion until the parties file a joint status report, due on February 19, 2020.

Congress and the Trump administration took additional measures against Russia during the very last weeks of 2019, highlighting the geopolitical tension between the two countries.

On December 18, 2019, the Senate Foreign Relations Committee voted to approve the Defending American Security from Kremlin Aggression Act (“DASKA”), which aims to impose new sanctions on the Russian financial, energy, and cyber sectors. The draft bill limits the President’s ability to withdraw from NATO, establishes in the State Department a new office to address international cybersecurity, creates new offenses related to hacking, and directs the President to impose a host of sanctions against Russia. Among the many contemplated sanctions, the bill includes additional sanctions against Russian banks, the Russian energy, cyber, and shipbuilding sectors, sovereign debt, and, significantly, sanctions on persons who facilitate corrupt activities on behalf of President Vladimir Putin. Although the bipartisan bill has been dubbed the bill “from hell,” currently there is no scheduled date for the full Senate to vote on its adoption.

Two days after DASKA was approved by committee, the President signed the National Defense Authorization Act for Fiscal Year 2020 (the “NDAA”), which includes provisions requiring the imposition of sanctions against vessels and persons involved in the construction of two Russian gas export pipelines, the Nord Stream 2 and the Turkstream pipelines. Although the inclusion of these sanctions signals U.S. support for Ukraine—Russia is constructing these pipelines largely to bypass Ukraine—their impact may be minimal as the pipelines’ construction is nearly complete.

F. Syria

As we described in an earlier client alert, on October 14, 2019, the Trump administration authorized sanctions against core ministries of the Government of Turkey in response to Ankara’s incursion into northern Syria. Shortly thereafter, OFAC issued sanctions against Turkey’s Ministry of Energy and Natural Resources and Ministry of National Defense, as well as three senior officials. Less than two weeks later, following the announcement of a ceasefire in northern Syria, the Department of Treasury delisted the two ministries and three senior officials. To our knowledge, OFAC had never issued and then reversed sanctions so quickly against such significant targets.

On March 25, 2019, OFAC issued an updated advisory to the maritime petroleum shipping community “alert[ing] persons globally to the significant U.S. sanctions risks for parties involved in petroleum shipments to the Government of Syria” (the “Syria Advisory”). That document emphasizes that certain countries, in particular Iran and Russia, ship petroleum to Syria, and that the facilitation of such transactions by persons subject to U.S. jurisdiction puts those persons at risk for being targeted by OFAC. The Syria Advisory also includes a non-comprehensive list of deceptive practices employed by certain shipping companies to “obfuscat[e] the destination and recipient of oil shipments in the Mediterranean Sea ultimately destined for Syria,” as well as certain measures companies should take to mitigate risk presented by these practices.

Though very similar to an earlier advisory on which it is based, the latest version of the Syria Advisory includes “additional guidelines and risks associated with facilitating the shipment of petroleum destined for Syrian Government-owned and -operated ports, to include petroleum of Iranian origin.” Additionally, the updated Syria Advisory includes an expanded annex, listing additional vessels that are alleged to have delivered petroleum to Syria between 2016 and 2018, as well as vessels that are alleged to have engaged in ship-to-ship transfers of oil destined for Syria and those that had exported Syrian oil to other countries.

II. Other OFAC Programs

A. Global Magnitsky Sanctions

As we noted previously, on December 20, 2017, President Trump issued Executive Order 13818, an unusually broad executive order to implement the Global Magnitsky Human Rights Accountability Act (“Global Magnitsky Act”), a 2016 law that authorizes sanctions against those responsible for human rights abuses and significant government corruption around the world.

The Global Magnitsky Act is named for Sergei Magnitsky, a Russian accountant who was imprisoned after exposing a tax fraud scheme allegedly involving Russian government officials and who died under suspicious circumstances while in custody. The 2012 Sergei Magnitsky Rule of Law Accountability Act of 2012 (the “2012 Magnitsky Act”) authorizes sanctions against individuals and entities found to have been involved in Magnitsky’s mistreatment and death as well as subsequent efforts to obstruct the related investigation. The Global Magnitsky Act expands that sanctions authorization to cover serious human rights abuses and corruption worldwide.

In 2019, the Trump administration designated 97 individuals and entities under the Global Magnitsky Act. That figure was nearly double the 49 designations in 2018, a significant number of which were levied against those involved in the killing of the journalist Jamal Khashoggi. Together with the initial round of designations that accompanied issuance of Executive Order 13818, the total number of persons designated pursuant to the Global Magnitsky Act is currently 196 (two designations of senior Turkish government officials were lifted in 2018 following the release of American pastor Andrew Brunson). Also this past year, the administration designated six additional Russian persons pursuant to the 2012 Magnitsky Act.

On December 9 and 10, 2019, in conjunction with International Anticorruption Day and International Human Rights Day, respectively, OFAC announced a set of wide-ranging sanctions targeting notable cases of public corruption and serious abuses.

On December 9, 2019, Treasury announced the following Global Magnitsky Act designations:

Try Pheap and Kun Kim, current and former senior Cambodian officials responsible for significant public corruption and misuse of state resources.
Aivars Lembergs, a Latvian oligarch and mayor of Ventspils, Latvia, who is involved in significant public corruption, money laundering, and abuse of office. OFAC also designated four entities controlled by Lembergs, including the Ventspils Freeport Authority.
Associates of and entities controlled by Slobodan Tesic, a Serbian arms dealer who was previously sanctioned by the UN for violating the arms embargo imposed on Liberia.

On December 10, 2019, Treasury announced the following designations:

Four senior Burmese military officials, including the Commander-in-Chief of the Burmese military forces, for their involvement in serious human rights abuses committed against the minority Rohingya people in Rakhine State. Since 2017, over 500,000 Rohingya have fled Burma and, during that time, the Burmese military has been engaged in acts of mass violence directed against the Rohingya people.
The leader and deputies of the Allied Democratic Forces (“ADF”) of the Democratic Republic of the Congo (“DRC”). The ADF has engaged in serious human rights abuses, committing acts of mass violence, torture, abduction, and the use of child soldiers for over two decades in the Eastern part of the DRC, near the border with Uganda.
Marian Kocner, a Slovakian businessman, charged with ordering the murder of Jan Kuciak, a young reporter who had uncovered alleged corrupt dealings involving Kocner.
A Pakistani senior superintendent of police reportedly responsible for staging encounters in which over 400 individuals were killed by police.

OFAC also used the Global Magnitsky authority to target several Iraqi officials, some of whom are known proxies of the IRGC-QF. In July 2019, Treasury designated two Iraqi militia leaders pursuant to the Global Magnitsky Act for human rights abuses and corruption carried out in the Nineveh region of Iraq, a former Islamic State stronghold, as well as two Iraqi former politicians accused of significant public corruption. In December 2019, Treasury designated three Iraqi militia leaders responsible for directing soldiers to open fire on protesters in Baghdad. The Iraqi militia leaders were described as proxies of the IRGC-QF. The designations were made just weeks before one of the designated militia leaders was photographed among those protesting at the U.S. Embassy in Baghdad on December 31. On January 3, 2020, two of the previously designated militia leaders were further designated as global terrorists.

As discussed further below, the European Union announced on December 9, 2019 that it would begin drafting its own Magnitsky-style sanctions framework for targeting human rights offenders. The United Kingdom and Canada have already adopted Magnitsky-style sanctions programs.

From a compliance perspective, the Global Magnitsky Act designations serve as a reminder to carefully assess contacts with, and screen business partners related to, jurisdictions of heightened concern, even if those jurisdictions are not subject to comprehensive sanctions. Particularly with respect to jurisdictions with increased risk related to public corruption, organized crime, or geopolitical instability, sanctions may be deployed with very little notice and may affect commercial networks both within and beyond the country concerned.

B. Narcotics Trafficking Kingpin Sanctions and New Fentanyl Sanctions Act

This past year brought renewed focus on using financial sanctions to target persons involved in the international trafficking of opioids. On August 21, 2019, the Treasury Department announced coordinated action by OFAC and by Treasury’s Financial Crimes Enforcement Network (“FinCEN”) to target manufacturers and distributors of illicit synthetic opioids. OFAC designated three Chinese individuals and two entities pursuant to the Foreign Narcotics Kingpin Designation Act (“Kingpin Act”) for operating an international drug trafficking network responsible for shipping hundreds of packages of synthetic opioids to the United States. Treasury highlighted the use of digital currency by the designated persons to launder the proceeds of illicit drug sales. The White House also announced actions to crack down on international fentanyl trafficking, including the publication of a series of private-sector advisories to help domestic and foreign businesses protect themselves and their supply chains from inadvertent fentanyl trafficking.

Congress took further action by adopting the Fentanyl Sanctions Act on December 20, 2019, as Title 72 of the NDAA. The Act requires the President to submit to Congress within 180 days a list of persons determined to be foreign opioid traffickers and requires the imposition of five or more sanctions measures against such persons, including, among other restrictions, an asset freeze, visa ban, exclusion from public procurement, and exclusion from the U.S. financial system. The statute also calls upon the government of China to follow through on its commitments to implement new regulations controlling the production and export of fentanyl and fentanyl analogues.

Separately, OFAC designated over 70 additional persons under the Kingpin Act in 2019, including drug trafficking and money laundering networks in Argentina, the Dominican Republic, Guatemala, Lebanon, Mexico, and the United Arab Emirates.

C. Mali

Despite the presence of 15,000 United Nations peacekeepers and police in Mali, renewed violence has continued to roil the country; news reports indicate that at least 200,000 people were displaced in the first half of 2019 alone. As a result, the Trump administration on July 26, 2019, announced a new sanctions program “to combat the worsening situation in Mali,” which was described to include “[m]align activities such as drug trafficking, hostage taking, attacks against civilians, and attacks against United Nations (UN) Multidimensional Integrated Stabilization Mission in Mali (MINUSMA) personnel.” In connection therewith, President Trump issued Executive Order 13882, finding the deterioration of peace and security in Mali to constitute a national security threat to the United States.

The Order blocks all property and interests in property under U.S. jurisdiction of persons determined to be responsible or complicit in: acts or policies that threaten the peace, security, stability, or the democratic processes or institutions in Mali; acts that threaten, violate, or obstruct the 2015 Agreement on Peace and Reconciliation in Mali; planning or sponsoring attacks against government institutions and the Malian defense and security forces, international security forces and peacekeepers, and any other U.N. personnel; obstructing the distribution of humanitarian aid; planning, directing, or committing any act that violates international humanitarian law or constitutes a serious human rights abuse; the use or recruitment of child soldiers in the Malian armed conflict; the illicit production of or trafficking in narcotics; trafficking in persons, arms, and illegally acquired cultural property; and any transaction(s) involving bribery or other corruption. Currently, five individuals have been added to the SDN List pursuant to this Order.

III. Other U.S. Developments

A. New Treasury Under Secretary for Terrorism and Financial Intelligence

On December 10, 2019, the Trump administration announced its intent to nominate Jessie K. Liu, the United States Attorney for the District of Columbia, to the position of Under Secretary for Terrorism and Financial Intelligence at the Treasury Department, a role previously held by Sigal Mandelker. In this role, Liu would lead the Treasury Department teams responsible for administration and enforcement of U.S. sanctions programs. Liu previously served as Deputy General Counsel of the Treasury Department and in a senior position within the Justice Department’s National Security Division, the office responsible for criminal enforcement of U.S. sanctions and export control laws.

B. OFAC Compliance Guidance

As we described in a previous client alert, OFAC in May 2019 published “A Framework for OFAC Compliance Commitments,” on what constitutes an effective sanctions compliance program. The document represents the most detailed statement to date of OFAC’s views on the best practices that companies should follow to ensure compliance with U.S. sanctions laws and regulations. Importantly, this guidance also aims to provide greater transparency with respect to how, should a sanctions violation occur, OFAC will assess the adequacy of a company’s existing compliance program in determining what penalty to impose.

The compliance guidelines contain five components of what OFAC deems to comprise an effective compliance framework: (i) management commitment; (ii) risk assessment; (iii) internal controls; (iv) testing and auditing; and (v) training. OFAC also provides examples of best practices that companies are expected to follow under each of the five components. With the publication of the new OFAC compliance framework, companies subject to U.S. jurisdiction now have the benefit of a more granular understanding of what policies and procedures will lead OFAC to conclude that their sanctions compliance program is adequate or deficient. The compliance guidelines also describe in detail ten root causes of sanctions violations, including but not limited to the lack of a formal sanctions compliance program; facilitating transactions by non-U.S. persons; exporting or re-exporting U.S.-origin goods, technology or services to OFAC sanctioned persons or countries; and utilizing non-standard payment or commercial practices. We recommend that companies use the OFAC framework as a baseline to assess their own compliance programs, and update them accordingly to reduce the risk of incurring U.S. sanctions liability.

C. New OFAC Transaction Reporting Procedures

On June 21, 2019, OFAC announced an Interim Final Rule amending the Reporting, Procedures, and Penalties Regulations (31 C.F.R Part 501). Notably, the amendment expands the reporting requirements for rejected transactions. Although financial and non-financial institutions alike had previously been required to file blocked property reports, only financial institutions had been required to file rejected transfer reports. Under the new amendment, however, all U.S. persons and persons subject to U.S. jurisdiction are required to submit reports on rejected transactions. The new amendment also makes clear that, in addition to rejected funds transfers, the reporting requirement applies to all rejected transactions, which includes rejected “transactions related to wire transfers, trade finance, securities, checks, foreign exchange, and goods or services.” Moreover, the scope of the information to be included in the rejection (and blocking) reports is expanded to include a host of information in order to reduce OFAC’s need to issue follow-up requests for additional information.

This new rule materially increases the number of transactions that may need to be reported to the agency; the regulated community and advisors have been engaging with OFAC ever since the announcement to understand the true scope of the transactions that OFAC would like to see reported.

D. New OFAC Penalty Amounts

Also in June 2019, OFAC increased the maximum base penalties for sanctions violations pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. This is the fourth time that OFAC has adjusted the applicable civil monetary penalties (“CMPs”) since the Act was adopted in 2015.

Under this adjustment, the maximum CMP amount for the five applicable sanctions-related statutes increased as follows:

Additionally, the OFAC enforcement guidelines published as Appendix A to 31 C.F.R. Part 501 have been updated to reflect these new figures. The update includes a new “base penalty matrix” to assist in calculating possible penalty amounts under the various statutes, which takes into account the egregiousness of the offense and whether the offending transaction was voluntarily disclosed to OFAC:

E. CAPTA List

On March 14, 2019, OFAC introduced the List of Foreign Financial Institutions Subject to Correspondent Account or Payable-Through Account Sanctions (“CAPTA List”). This list includes identifying information of foreign financial institutions (“FFIs”) for whom it is prohibited to open or maintain correspondent or payable-through accounts in the United States under existing legal authorities, including: the Ukraine Freedom Support Act of 2014, as amended by the Countering America’s Adversaries Through Sanctions Act; the North Korea Sanctions Regulations; the Iranian Financial Sanctions Regulations; and the Hizballah International Financing Prevention Act of 2015.

Importantly, the CAPTA List is not a new list in its own right; rather, it consolidates information that had previously been included under other lists maintained under various sanctions programs, such as the now-defunct Part 561 List and the (never used) Hizballah Financial Sanctions Regulations List. Notably, entities appearing on the CAPTA List are not included on the SDN List.

Although this list does not contain new information per se, it may prove to be a useful resource for U.S. financial institutions when conducting diligence on FFIs seeking to open correspondent or payable-through accounts in the United States.

IV. Developments in U.S. Export Controls

The Trump administration’s practice of using all international trade tools at its disposal to advance its domestic and foreign policy objectives also extended to its use of certain authorities delegated to the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”). Although interagency coordination on sanctions is not new, the Administration’s apparent willingness in 2019 to use BIS’s export control licensing and enforcement tools to advance its foreign policy and national security interests, including the Administration’s trade agenda, was. This was most manifest in BIS’s designation of Huawei Technologies Co. Ltd. (“Huawei”) to the Export Administration Regulation’s (“EAR”) Entity List on May 16, 2019, though BIS made frequent use of this and another listing power throughout the year. Importantly, BIS’s measures are not technically “sanctions” though they operate in a similar manner and, depending upon the measure, can have similar impacts.

A. Entity List

Entities can be designated to the Entity List upon a determination by the End-User Review Committee (“ERC”) that the entities pose a significant risk of involvement in activities contrary to the national security or foreign policy interests of the United States. The ERC is an interagency body with representatives from the Departments of Commerce, State, Defense, Energy, and the Treasury, and which is chaired by Commerce. Through Entity List designations, BIS prohibits the export, re-export, or transfer (hereinafter “export”) of specified items to designated entities without BIS licensing. BIS will typically announce either a policy of denial or ad hoc evaluation of license requests.

The practical impact of any Entity List designation varies in part on the scope of items BIS defines as subject to the new export licensing requirement, which could include all or only some items that are “subject to the EAR.” In addition to items manufactured or exported from the United States, items “subject to the EAR” include (a) foreign-made items containing U.S. content that exceeds the EAR’s de minimis threshold for controlled content to the country of destination (25% for most countries, 10% for others), (b) certain U.S. content that is exempt from the de minimis rule, meaning that any amount of the controlled content will render the foreign-made item subject to the EAR, and to foreign-made items (c) that are the direct product of U.S.-origin technology or software, or (d) that are the products of whole plants or components of plants designed with certain U.S. technology or software. Those exporting to parties on the Entity List are also precluded from making use of any BIS license exceptions.

Because the Entity List prohibition applies only to exports of items subject to the EAR, U.S. persons are still free to provide many kinds of services and to otherwise continue dealing with those designated in transactions that occur wholly outside of the United States and without items subject to the EAR. While on the one hand, this makes the Entity List prohibition more limited than OFAC’s SDN prohibitions, the Entity List prohibition is more extraterritorial in reach because it also prohibits non-U.S. persons from re-exporting or transferring any items subject to the EAR to the listed parties wherever these items are located. OFAC’s SDN prohibitions are limited to U.S. person dealings with SDNs, though foreign person dealings with SDNs can be a basis for OFAC’s designating the foreign person under certain circumstances.

On May 16, 2019, BIS added Huawei and almost 70 Huawei affiliates to the Entity List. Later, on August 21, 2019, BIS expanded its Huawei designations to include its fabless semiconductor subsidiary, HiSilicon, plus 46 new designations, pushing the total number of Huawei entities designated to over 100. The ERC’s cited basis for its original determination was a Superseding Indictment of Huawei filed in the Eastern District of New York which includes among its 13 counts two charges that Huawei knowingly and willfully conspired and caused the export, re-export, sale and supply, directly and indirectly, or goods, technology, and services from the United States to Iran and the Government of Iran without authorization from OFAC.

BIS’s prohibition on dealings with Huawei was and continues to be comprehensive; BIS included the export of all items subject to the EAR within the scope of its prohibition and announced that it will review license applications to export to Huawei with a policy presumption of denial. No other company as large as Huawei or with operations in as many countries worldwide had ever been designated by the ERC to the Entity List.

B. BIS Made More Typical Entity List Designations Throughout the Year

On June 24, 2019, BIS designated five Chinese entities involved in exascale high performance computing out of concern that they were developing and using technologies to support nuclear explosive simulation and military simulation activities.

On May 14, 2019, BIS designated twelve entities to the Entity List. Two from China were added due to their role in the unauthorized export of syntactic foam to Chinese state-owned enterprises, defense industrial corporations, and military-related academic institutions. Four more Chinese and Hong Kong entities were added due to their attempts to procure U.S.-origin commodities that would provide material support to Iran’s weapons of mass destruction and military programs. A Pakistan entity was added due to its participation in unsafeguarded nuclear activities. Finally, four United Arab Emirates-based entities were designated for their role in procuring U.S.-origin commodities for the SDN Mahan Air and for another entity already identified on the Entity List.

On November 13, 2019, BIS added 22 new entities located in Bahrain, France, Iran, Jordan, Lebanon, Oman, Pakistan, Saudi Arabia, Senegal, Syria, Turkey, the United Arab Emirates, and the United Kingdom. The rationales provided for their designations ran the gamut of U.S. foreign policy concerns. An airline from France was designated for its role in transshipping U.S.-origin items to sanctioned jurisdictions. Entities in Oman, Pakistan, Saudi Arabia, and the United Arab Emirates were designated for their participation in unspecified unsafeguarded nuclear activities, and entities located in Bahrain, the United Arab Emirates, and Turkey were designated for diverting U.S.-origin items to Iran without authorization.

C. One Other Set of Entity List Designations Broke New Ground and Could Create a Path for Export Control Designations in 2020

While many of BIS’s other Entity List designations for the year tracked historical concerns of the United States—for example, nuclear proliferation and sanctions evasion—one set of Entity List designations broke new ground. On October 9, 2019, BIS designated 28 new Chinese entities, including eight major emerging technology companies, for their roles in the implementation of China’s campaign of repression, mass arbitrary detention, and high-technology surveillance against Uighurs, Kazakhs, and other members of Muslim minority groups in the Xinjiang Uighur Autonomous Region. While OFAC designations based on human rights concerns have become common in recent years, BIS has not historically used Entity List designations in this way and we anticipate that we will see additional Entity List designations on these grounds in 2020.

V. Legislative Developments: Focus on China

On November 21, 2019, amid mounting tensions between China and Hong Kong over a now-withdrawn extradition bill, the U.S. Congress passed the Hong Kong Human Rights and Democracy Act of 2019 (the “HK Act”), as described in our earlier client alert. The HK Act seeks to protect civil rights in Hong Kong and to deter human rights violations in the territory (including punishing those who commit them). Within a week after the HK Act was passed by supermajorities in both houses of Congress, President Trump signed the HK Act into law on November 27, 2019, despite hinting earlier that he might veto the legislation. An accompanying bill to prohibit the commercial export of covered munitions items to the Hong Kong police force was also signed into law the same day.

The HK Act augments the existing U.S.-Hong Kong Policy Act of 1992 by requiring the U.S. Secretary of State to annually certify to Congress whether Hong Kong retains sufficient autonomy to merit its special trade and investment status. An adverse assessment could potentially threaten this status. Under the HK Act, the President is also empowered to impose sanctions on individuals deemed responsible for human rights violations in Hong Kong. The potential sanctions are varied, and could include asset blocking, which would effectively blacklist any identified party from participating in transactions with U.S. persons, and limit the designated party’s ability to engage in U.S. dollar trade (which almost always requires clearing through a bank under U.S. jurisdiction). Other types of sanctions that could be imposed include the revocation or denial of U.S. visas currently issued or to be issued to identified individuals.

China has declared that the HK Act represents an interference in its domestic affairs and has retaliated by announcing sanctions against U.S.-based non-profit organizations, including the National Endowment for Democracy and Human Rights Watch. China also stated that it will prohibit U.S. military vessels from conducting port calls in Hong Kong—though, in practice, such port calls were already typically denied. It remains to be seen if Beijing will impose further retaliatory measures.

On December 3, 2019, the U.S. House of Representatives passed the Uighur Intervention and Global Humanitarian Unified Response Act of 2019 (the “UIGHUR Act”) in an attempt to hold Beijing accountable for its alleged human rights abuses against ethnic and religious minorities, particularly the Uighurs (alternatively “Uyghurs”) in the Xinjiang region. This bill, which passed by a vote of 407-1, would amend and strengthen a related Senate version of the bill by explicitly linking U.S. policy toward China with the human rights situation in Xinjiang and mandating many of the Senate version’s non-binding provisions. In particular, the UIGHUR Act stands to impose a host of sanctions on senior Chinese government officials involved in the human rights abuses towards the Uighurs and implement export controls on U.S.-made items destined for Xinjiang and that could be used by the Chinese government for certain surveillance and repressive activities. If enacted, it would mark the first time that sanctions would be imposed on a member of China’s politburo, namely Secretary Chen Quanguo. The Senate now must reconcile and approve the differences between the House and Senate versions, and the President must sign the final bill for enactment. Key lawmakers have expressed optimism that Congress will be able to move the legislation forward soon, even as concerns about the UIGHUR Act’s strengthened export controls provisions and President Trump’s impeachment trial may result in delay.

VI. Select U.S. Enforcement

2019 saw OFAC as busy as it has been in over a decade, finalizing 30 cases, assessing record fines, and pursuing novel and aggressive enforcement theories. While OFAC cases are not formally precedential, the agency does use enforcement to educate the public and to indicate OFAC’s foremost compliance concerns. In that regard, we provide below an overview of some of the more impactful enforcement actions of the past year.

A. Apollo Aviation

In November 2019, Apollo Aviation Group, LLC (“Apollo”) agreed to pay $210,600 to OFAC to settle its potential civil liability for apparent violations of U.S. sanctions on Sudan. OFAC alleged that Apollo violated U.S. sanctions when it leased three aircraft engines to an entity incorporated in the United Arab Emirates, which then subleased the engines to a Ukrainian airline, who in turn installed the engines on aircraft leased to Sudan Airways. The leases occurred between 2013 and 2015, when Sudan Airways was identified on the SDN List as meeting the definition of “Government of Sudan.” The lease agreements that Apollo entered into contained a provision prohibiting the lessee from maintaining, operating, flying, or transferring the engines to any countries subject to U.S. sanctions. However, OFAC alleged that Apollo did not periodically monitor or otherwise verify that the lessee and sublessee were adhering to this lease provision and, as a result, Apollo did not learn that its engines were installed on Sudan Airways aircraft until a review of the engine records after the end of the lease. In determining the appropriate penalty, OFAC considered that Apollo voluntarily self-disclosed the apparent violations, implemented a number of remedial measures in response, and no Apollo personnel had actual knowledge of the conduct leading to the apparent violations.

This case was one of the first to name in an enforcement action a non-operational, private equity investor that did not own the entity at the time of the alleged misconduct. This line of enforcement cases has made it clear that OFAC is increasingly willing to pursue enforcement actions under a theory of successor liability and even against parties not involved in the operational management of an alleged offender.

B. General Electric

In October 2019, the General Electric Company (“GE”), on behalf of three current and former GE subsidiaries, Getsco Technical Services Inc., Bentley Nevada, and GE Betz (collectively, the “GE Companies”), agreed to pay $2,718,581 to settle potential civil liability for 289 alleged violations of U.S. sanctions on Cuba. Specifically, OFAC alleged that between December 2010 and February 2014, the GE Companies accepted 289 payments from The Cobalt Refinery Company (“Cobalt”) for goods and services provided to a Canadian customer of GE. Cobalt, an entity owned by a public joint venture between GE’s Canadian customer and the Cuban government, has been on the SDN List since June 1995.

Although GE entered into contracts with and issued invoices directly to the Canadian customer, Cobalt paid the invoices in more than 65 percent of the total transactions during the relevant period, with payments totaling approximately $8,018,615. In setting the monetary penalty, OFAC considered the fact that GE identified the alleged violations by testing and auditing its compliance program and then voluntarily self-disclosed the payments to OFAC. This case demonstrated OFAC’s continued focus on Cuban violations and the agency’s willingness to “pierce the veil” in enforcement cases to find alleged wrongdoing on an indirect basis.

C. British Arab Commercial Bank

In September 2019, British Arab Commercial Bank (“BACB”) agreed to remit $4,000,000 to settle potential violations of the Sudanese Sanctions Regulations stemming from the bank’s processing of 72 transactions totaling $190,700,000. OFAC determined that BACB did not make a voluntary self-disclosure and that the violations represented an egregious case, but nonetheless found that the bank’s operating capacity was such that it would face disproportionate impact were it required to pay the proposed penalty of over $220 million.

Between September 2010 and August 2014, BACB processed 72 bulk funding payments related to Sudan in relation to its operation of U.S. dollar accounts for at least seven Sudanese financial institutions, including the Central Bank of Sudan. The transactions themselves were not processed to or through the U.S. financial system but the bank did operate a nostro account at a non-U.S. financial institution located in a country that imports Sudanese-origin oil to facilitate payments involving Sudan. The bank funded this nostro account with large, periodic U.S. dollar wire transfers from banks in Europe, which in turn transacted with U.S. financial institutions in a manner that violated OFAC sanctions. Several BACB employees, including managers and a member of the compliance team, had knowledge of this arrangement. In determining a settlement amount far lower than the potential penalty range, OFAC considered BACB’s record free from prior violations, the bank’s cooperation with the investigation, and the institution’s weak financial position. OFAC also credited BACB for undertaking several remedial measures, including exiting the Sudanese market, hiring new compliance staff and new senior management, and implementing additional compliance procedures.

This case was another in a line of enforcement actions that has seen OFAC continue to extend its theory of jurisdiction, using even an indirect and somewhat attenuated reliance on the U.S. dollar to bring an entire body of transactions under OFAC jurisdiction.

D. Atradius

On August 16, 2019, Atradius Trade Credit Insurance, Inc. (“Atradius”), a trade credit insurer licensed to operate in the state of Maryland, agreed to pay $345,315 to settle its potential civil liability for two apparent violations of the Foreign Narcotics Kingpin Sanctions Regulations. On May 5, 2016, OFAC designated Grupo Wisa, S.A. (“Grupo Wisa”) pursuant to the Kingpin Act and added the entity to the SDN List. In October 2016, approximately five months after Grupo Wisa’s designation, a cosmetics company located in the United States assigned to Atradius the right to collect on a debt owed by Grupo Wisa. Atradius subsequently filed a claim in Panama as a creditor in the liquidation of Grupo Wisa, and in June 2017, Atradius received a payment of approximately $4 million from the liquidation of Grupo Wisa’s assets in Panama. OFAC alleged that by accepting the assignment of the Grupo Wisa debt, and by receiving the payment from the Grupo Wisa liquidation, Atradius was alleged to have dealt in property or interests in property of a specially designated narcotics trafficker in violation of U.S. sanctions. OFAC considered it an aggravating factor that Atradius did not undertake any meaningful analysis or otherwise seek confirmation from OFAC that assignment of the SDN’s debt and acceptance of payment was permissible under existing authorizations.

This enforcement action underlines one of the surprising facts about OFAC designations. Atradius sought to extract money from a sanctioned party, which would presumably be in line with U.S. Government wishes to further harm a designated entity. However, that is not how OFAC sees such dealings. Whether a party is providing a benefit to or attempting to seize payments from a blocked party, it is the dealings with that party that are prohibited. Once on the SDN List, OFAC’s desire is to make the party a financial pariah, and almost any engagement requires an OFAC license.

E. DNI and Southern Cross

On August 8, 2019, OFAC issued Findings of Violation to two U.S. companies, DNI Express Shipping Company (“DNI”) and Southern Cross Aviation, LLC (“Southern Cross”), in relation to administrative subpoenas with follow-up responses deemed by OFAC to be materially inaccurate or incomplete. This is one of the few times OFAC has ever enforced solely on the basis of inadequate responses.

DNI, a shipping company based in Virginia, was under investigation in 2015 for allegedly facilitating the shipment and sale of farm equipment to Sudan in apparent violation of U.S. sanctions. OFAC issued an administrative subpoena and a Cautionary Letter to DNI in May 2015. OFAC determined that DNI, through counsel, demonstrated “reckless disregard” for its U.S. sanctions obligations by providing misleading and inaccurate information in response to a May 2015 administrative subpoena. Similarly, OFAC determined that Southern Cross, a Florida-based aviation company which had been issued an administrative subpoena, demonstrated “reckless disregard” for its U.S. sanctions obligations by failing to provide complete and accurate information in response to OFAC’s administrative subpoena, but did consider that the underlying potential sale in question did not appear to have occurred.

F. Paccar Inc.

On August 6, 2019, OFAC announced a $1,709,325 settlement with Paccar Inc. (“Paccar”) to resolve the company’s potential civil liability for 63 apparent violations of U.S. sanctions on Iran by DAF Trucks N.V. (“DAF”), a wholly-owned subsidiary of Paccar headquartered in the Netherlands. Specifically, OFAC alleged that on three occasions between October 2013 and February 2015, DAF sold or supplied 63 trucks to customers in Europe that it knew or had reason to know were ultimately intended for buyers in Iran.

DAF sells its trucks through a network of independent dealers that typically purchase the trucks from DAF and then resell the trucks to identified end-customers. In 2014, a dealer based in Hamburg, Germany requested a price quotation from DAF for 51 trucks with particular specifications for an Iranian company located in Iran. After DAF informed the Hamburg-based dealer that DAF could not sell trucks destined for Iran, the dealer submitted a nearly identical order the same day, this time stating that the trucks were destined for an end-user in Russia. Despite the similarities, DAF did not conduct a further inquiry and processed the order. The dealer then resold the trucks to a buyer in Iran. Separately, in 2013, a directly owned DAF dealer in Frankfurt sold two trucks to a trader based in the Netherlands who in turn resold the trucks to two buyers in Iran, despite receiving draft invoices referencing buyers in Iran. In 2014, DAF sold ten trucks to a dealer in Bulgaria who sold the trucks to an affiliated rental company, which in turn sold the ten trucks to a buyer in Iran. The Bulgarian agent alleged that a DAF employee had introduced its agent to the Iranian buyers. OFAC alleged that in both instances DAF knew or had reason to know that the trucks were intended for Iran.

The Paccar case is a reminder that while most OFAC sanctions programs stop at the water’s edge and foreign subsidiaries of U.S. companies do not, as a general matter, come under OFAC jurisdiction, the same is not true under either Iran or Cuba sanctions. In both cases, a foreign subsidiary or affiliate of a U.S. company can find itself subject to the exact same restrictions as their U.S. parent regardless how removed or insulated their activities may appear to be.

G. State Street

In May 2019, OFAC issued State Street Bank and Trust Co. (“State Street”) a Finding of Violation with no accompanying penalty for processing pension payments totaling over $11,000 to a participant who was a U.S. citizen with a U.S. bank account, but who was residing in Iran, a violation of the Iranian Transactions and Sanctions Regulations. Between January 2012 and September 2015, State Street acted as trustee for a customer’s employee retirement plan, processing at least 45 pension payments totaling $11,365 to a plan participant who was a U.S. citizen with a U.S. bank account but who resided in Iran. State Street appeared to have knowledge that the plan participant was a resident of Iran because the beneficiary’s address was in Tehran and the bank’s sanctions compliance software issued an alert with each payment. The compliance process in place at the time, however, routed such alerts to non-sanctions expert personnel, rather than State Street’s sanctions compliance staff. State Street self-reported the violation and modified its process to ensure that such payments are reviewed by its sanctions compliance unit. In issuing a Notice of Violation without a monetary penalty, OFAC considered State Street’s self-disclosure of the violation, its remedial action in response to the violation, its screening process in place at the time of the violation, and the fact that no managers or supervisors appeared to have been aware of the conduct that led to the violation.

This matter emphasizes both the expanse of Iran sanctions (applying to any person “ordinarily resident in Iran”) while underlining that sanctions expertise within a compliance unit is critical and expected—especially for sophisticated economic actors.

H. Standard Chartered and UniCredit

In a return to the massive bank fines of the past, in April 2019, OFAC announced enforcement settlements against Standard Chartered Bank (“Standard Chartered”) and various UniCredit entities.

Standard Chartered agreed to remit $1.1 billion in a global settlement with federal, state, local, and UK authorities for apparent violations of sanctions programs relating to Burma, Cuba, Iran, Sudan, and Syria. Payment owed to OFAC amounted to $639 million, which was deemed satisfied by payments of penalties assessed by other U.S. federal agencies arising out of the same conduct. OFAC also separately settled a case with Standard Chartered involving violations related to Zimbabwe.

Between June 2009 and May 2014, Standard Chartered processed 9,335 transactions to or through the United States involving persons or countries subject to various comprehensive sanctions regimes administered by OFAC. The total amount processed was $437,553,380. A majority of the conduct related to Iranian-associated accounts maintained in Standard Chartered’s Dubai branches, including accounts maintained by a United Arab Emirates-incorporated petrochemical company owned by an Iranian citizen and engaged in the sale of energy products to, from, and through Iran. The Dubai entity processed U.S. dollar transactions to or through the bank’s New York branch and other U.S. financial institutions on behalf of customers physically located or ordinarily residing in Iran.

Separately, Standard Chartered agreed to remit $18,016,283 to settle potential civil liability for violations related to Zimbabwe. The bank’s New York branch processed 1,795 transactions totaling over $76 million to individuals on the SDN List or parties that were owned 50 percent or more by individuals on the SDN List. OFAC determined that Standard Chartered voluntarily self-disclosed these apparent violations and that they constituted a non-egregious case. OFAC also identified several failures in the bank’s compliance program including insufficient procedures to identify and “ring-fence” SDN customers, but also credited Standard Chartered’s cooperation with the investigation.

OFAC announced three separate settlements totaling $611 million with three UniCredit Group banks, including UniCredit Bank AG (Germany), UniCredit Bank Austria AG (Austria) and UniCredit S.p.A. (Italy), resolving its investigation into apparent violations of a number of U.S. sanctions programs. UniCredit Bank AG in Germany agreed to remit $553,380,759 to settle its potential civil liability; UniCredit S.p.A., the parent company of the UniCredit Group, and UniCredit Bank Austria AG agreed to remit a total of $57,542,662 to settle potential civil liability.

While these penalties were substantial, they do not necessarily portend another surge in sanctions enforcement against financial institutions. Notably, the apparent violations date back a decade or more, suggesting that these are legacy actions rather than an indication of future enforcement priorities. However, these matters demonstrate that OFAC remains ready, willing, and able to impose massive fines on global institutions.

I. Kollmorgen

In February 2019, Kollmorgen Corporation (“Kollmorgen”), on behalf of its Turkish affiliate, Elsim Elektroteknik Sistemler Sanayi ve Ticaret Anonim Sirketi (“Elsim”), agreed to remit $13,381 to settle potential civil liability for six apparent violations of U.S. sanctions on Iran. Specifically, OFAC alleged that between July 2013 and July 2015, Elsim appeared to violate U.S. sanctions on Iran when, on six occasions, Elsim serviced machines containing Elsim products located in Iran and provided products, parts, or services with knowledge they were destined for Iranian end-users.

OFAC determined that despite Kollmorgen’s extensive compliance efforts, a monetary penalty remained appropriate due to Elsim’s egregious conduct and specific risk profile, including that Elsim had previously engaged in business with Iran. Notably, OFAC sanctioned a Turkish national employee, Evren Kayakiran, for directing the apparent violations and his attempted concealment of them. The action against Kayakiran is the first time OFAC has named an individual a Foreign Sanctions Evader in relation to a civil enforcement action. This demonstrates an additional, very serious consequence that can emerge from an enforcement action—it is not just a penalty and compliance obligations, but individuals directly involved can actually end up blacklisted.

J. e.l.f. Cosmetics

In January 2019, e.l.f. Cosmetics, Inc. (“ELF”) agreed to pay $996,080 to settle its potential civil liability for 156 apparent violations of U.S. sanctions on North Korea. Specifically, OFAC alleged that between April 2012 and January 2017, ELF imported false eyelash kits from two suppliers located in the People’s Republic of China that contained materials sourced from North Korea. This case has been interpreted to demonstrate OFAC’s growing concern about supply chain management, and especially some jurisdictions (like North Korea’s) willingness to co-mingle commodity supply chains.

During the operative time period, OFAC alleges that ELF’s OFAC compliance program was either non-existent or inadequate. The company and its supplier audits failed to discover that approximately 80 percent of false eyelash kits supplied by the two China-based suppliers contained materials sourced from North Korea until January 2017. Subsequently, OFAC determined that ELF voluntary self-disclosed the apparent violations to OFAC and that the apparent violations constitute a non-egregious case.

In determining the penalty amount, OFAC considered among other factors the fact that ELF’s personnel did not appear to have had actual knowledge of the conduct at issue and that the apparent violations did not appear to constitute a significant part of ELF’s business activities. Further, OFAC considered the company’s cooperation with OFAC by immediately disclosing the apparent violations, signing a tolling agreement, and submitting a complete and satisfactory response to OFAC’s request for additional information.

____________________

In addition to the OFAC enforcement actions, this overview would not be complete without referencing an enforcement action that, via an unprecedented judicial action, was overturned in Exxon Mobil Corp. v. Mnuchin.

On December 31, 2019, the U.S. District Court for the Northern District of Texas vacated a $2 million final penalty notice issued by OFAC to Exxon Mobil Corporation (“Exxon”), finding that OFAC had failed to provide fair notice that Exxon’s entry into contracts with Rosneft that were signed by Rosneft CEO Igor Sechin, an SDN, would violate sanctions rules.

Igor Sechin was added to the SDN List in April 2014 under Executive Order 13661 relating to Russian activities in the Crimea region of Ukraine. The next month, Exxon entered a series of contracts with its existing business partner Rosneft. The contracts were signed by Sechin acting in his representative capacity as chief executive of Rosneft. OFAC issued an administrative subpoena to Exxon and, following an investigation, issued a penalty notice to Exxon imposing a $2 million fine.

Exxon objected and filed suit. The court considered whether OFAC had carried its burden of providing “fair notice” to the public regarding its interpretation of Executive Order 13661 and related implementing regulations. A “Frequently Asked Question” (“FAQ”) posted on OFAC’s website under the Burma sanctions program announced the agency’s interpretation that U.S. persons could not enter into contracts signed by an SDN, even if the company represented by the SDN was not itself blocked. However, similar FAQs for the Ukraine program were not published until after Exxon had signed the contracts. In addition, various White House Factsheets and other executive branch public statements had emphasized that the sanctions targeted the designated persons “individually” and with respect to their “personal assets.” The court concluded that a regulated party “acting in good faith” would not have known with “ascertainable certainty” that Sechin’s signature on the contract would constitute a prohibited receipt of a service from an SDN.

VII. European Union Legislative Developments, Enforcement and Judgements

In 2019, the European Union became more active in addressing EU common foreign and security policy (“CFSP”) objectives with the help of what it calls “restrictive measures,” i.e., EU financial and economic sanctions. This included targeting new issues that had not been precisely addressed by “traditional” EU sanctions. For example, the EU imposed a new sanctions framework for responding to cyber-attack threats. Further “new” types of EU sanctions are under discussion, such as EU human rights-related, “Magnitsky-like” sanctions. The EU has also become more vocal on how it expects individuals and companies under its jurisdiction to implement EU sanctions. For instance, the bloc issued unprecedented detailed guidance regarding how to comply with the EU Blocking Statute. Furthermore, the EU has published guidance on internal compliance programs for dual-use trade controls.

We have discussed these developments and respective challenges in depth in our recently published treatise U.S., EU, and UN Sanctions: Navigating the Divide for International Business. Below, we provide an update on the most recent developments.

A. EU Legislative Developments

With the recent start of Ursula von der Leyen’s term as the new President of the European Commission, the EU has already been active on the topic of sanctions: “The EU Commission emphatically rejects sanctions against European companies that engage in projects in line with the law,” von der Leyen noted in response to U.S. sanctions against EU companies working at finalizing the Nord Stream 2 pipeline. Further, without yet providing details, von der Leyen has discussed sanctions as a means to resolve trade disputes, saying “[w]e must ensure that we can enforce our rights, including through the use of sanctions, if others block the resolution of a trade conflict.” We expect EU sanctions to play a key role in addressing and enforcing the CFSP and potentially also to be applied in trade disputes in the years to come.

Additionally, several EU member state foreign ministers have requested a reform of the EU sanctions regime, specifically asking for faster implementation of, better guidance on, and stricter compliance with EU sanctions. We expect further development on this front.

1. EU Human Rights Sanctions

On December 9, 2019, the EU agreed to begin the necessary preparatory work to develop a global sanctions regime to address serious human rights violations. Josep Borrell, the EU’s High Representative for Foreign Affairs and Security Policy, noted that the legislation will be the “Magnitsky Act of the EU.” In line with some media reports, we expect the EU human rights sanctions to take several months before taking effect.

2. Cyber-Attack Threats

The EU took a step forward in demonstrating its determination to enhance the EU’s cyber-defense capabilities with the introduction, on May 17, 2019, of a new sanctions framework in response to cyber-attack threats (as discussed in detail in our recent client alert.) The announced framework creates restrictive measures to deter and respond to cyber-attacks that constitute an external threat to the EU or its member states.

The framework is significant for two reasons. First, it enables the EU to implement unilateral cyber sanctions—a move that expands the EU’s sanctions toolkit beyond traditional areas of sanctions, such as sanctions imposed in response terrorism and international relations-based grounds.

Second, it represents a major, concrete measure that arose out of the EU’s continued interest in developing an open and secured cyberspace and amid concerns about the malicious use of information and communications technologies by both state and non-state actors. From the alleged plot by Russia to hack the Organization for the Prohibition of Chemical Weapons in The Hague in April 2018 to a cyber-attack on the German Parliament, European leaders have been very concerned about future cyber-attacks on EU member states.

B. EU Economic Sanctions & EU Dual-Use Regulation Updates

Council Regulation (EC) 428/2009—regularly referred to as the EU Dual-Use Regulation—has established an EU regime for the control of export, transit, and brokering of dual-use items in order to contribute to international peace and security by precluding the proliferation of nuclear, chemical, or biological weapons and their means of delivery. In the interplay with EU economic sanctions and national EU member state export laws, it forms part of what one could refer to as “EU Export Controls.”

To adapt to rapidly changing technological, economic, and political circumstances, the EU Commission presented a proposal in September 2016 to update and expand the existing rules that was supported by the European Parliament in its first report on the matter. On June 5, 2019, the Council issued its own parameters for negotiations with the European Parliament seeking a more limited recast of the dual-use regulation. Thereby the discussion mainly focuses on the classification of cyber surveillance technologies as dual-use goods and the possibility of a resulting discrimination of EU companies. The progress of the respective discussions can be viewed at the respective EU legislative train.

The respective legislative train has not yet reached the station, and it remains to be seen whether it will be a priority of von der Leyen’s.

However, the EU Commission already started to become more vocal on how it expects individuals and companies under its jurisdiction to implement EU sanctions. We summarized key recommendations of this new EU guidance and some additional points we consider helpful in our recent client alert.

Taking into account both the new EU guidance and the Framework for OFAC Compliance Commitments, there is a clear trend from authorities to articulate in detail their expectations on how companies should address sanctions and export control compliance. In turn, it can be expected that non-compliance with such expectations will increasingly be under enhanced regulatory scrutiny.

Further, EU member states have indicated that they might have additional, independent expectations. For instance, the Netherlands has issued its own set of guidelines for companies to assist with establishing an internal compliance program for “strategic goods, torture goods, technology and sanctions.”

1. Iran

Following the implementation of the JCPOA in January 2016, most nuclear-related EU financial and economic sanctions were removed. However, several prohibitions and authorization requirements remain in place, specifically with respect to prohibited support for Iran’s ballistic missile program.

Furthermore, since 2011, the EU has adopted and regularly renewed non-nuclear Iran financial and economic sanctions related to violations of human rights, including asset freezes and visa bans for entities and individuals responsible for grave human rights violations and a ban on exports of equipment that might be used for internal repression or for monitoring telecommunications. These measures were last extended on April 8, 2019 until April 13, 2020.

In response to the U.S. decision to abandon the JCPOA, on August 6, 2018 the European Union enacted Commission Delegated Regulation (EU) 2018/1100 which amended the EU Blocking Statute. The EU Blocking Statute is a 1996 European Commission Regulation (No 2271/96) which was designed as a countermeasure to what the EU considers to be the unlawful effects of third-country (primarily U.S.) extraterritorial sanctions on “EU operators.” The combined effect of the EU Blocking Statute and the Re-imposed Iran Sanctions Blocking Regulation, inter alia, is to prohibit compliance by EU operators with U.S. sanctions that have been re-imposed following the U.S. withdrawal from the JCPOA. Further, decisions rendered in the United States or elsewhere because of the sanctions blocked by the EU Blocking Statute cannot be enforced in the EU. Finally, the EU Blocking Statute allows EU operators to recover damages arising from the application of the extraterritorial measures and requires EU operators to report to the EU.

Two principal trends have emerged after the end of the first full year of an “active” EU Blocking Statute. While enforcement by the competent authorities of the EU member states has been limited, the EU Blocking Statute has not been the paper tiger some have suggested; an interesting feature of the landscape over the last year has been private enforcement of the EU Blocking Statute by parties to commercial litigation before the domestic courts of the EU member states. In a number of instances, non-EU companies, including Iranian companies, have relied on the EU Blocking Statute to secure enforcement through the national courts of EU member states of contracts relating to sanctioned countries against EU companies refusing performance by reference to the extraterritorial effects of U.S. sanctions.

Furthermore, Instex was established in January 2019 by France, Germany, and the United Kingdom to facilitate non-U.S. dollar and non-SWIFT trade with Iran. While additional EU member states became shareholders of the French incorporated vehicle, it substantially fell behind expectations.

The recent escalation in tensions between the United States and Iran led President Trump to renew his call for the remaining parties to the JCPOA to abandon the deal and re-introduce EU Iran nuclear-related sanctions.

While EU leaders have opted to rally behind the JCPOA, ignoring the U.S. administration’s repeated calls to abandon the agreement, this should not be seen as an indication that the EU would not be willing to reintroduce EU Iran nuclear-related sanctions in the event that Iran does not uphold its part of the bargain. UN Security Council Resolution 2231 (2015), which endorsed the JCPOA, includes a “snapback” mechanism that would be triggered and eventually lead to the reintroduction of UN and EU nuclear-related Iran sanctions if the International Atomic Energy Agency, the UN’s nuclear watchdog, were to find Iran was no longer complying with the terms of the JCPOA.

In its latest statements in response to the killing of General Soleimani, Iran has threatened to no longer observe the JCPOA’s limitations of centrifuges—a key commitment under the JCPOA. The French, German, and UK foreign ministers responded by issuing a statement and referring the matter to the JCPOA dispute resolution mechanism. While Iran still has the opportunity to change its course of action, it is possible that this statement has triggered the last chapter of the JCPOA. As of today, 2020 might see a “snapback” of UN and EU nuclear-related sanctions.

2. Cuba

As discussed above, the increased U.S. sanctions pressure on Cuba has received broad resistance within the EU. The EU Blocking Statute already applies to Titles I, III, and IV of the Helms-Burton Act. Accordingly, the restrictions apply to this most recent set of U.S. Cuba sanctions. According to Article 4 of the EU Blocking Statute, any judgment enforcing the laws listed in the annex, including Helms-Burton, cannot be recognized or enforced in any EU member state. This means that the doctrine of res judicata (the Latin term for “a matter [already] judged”) no longer applies in these instances.

Further, the EU Blocking Statute not only prohibits EU operators from complying with Helms-Burton but also entitles them to recover any damages, including legal costs, caused by the application of the law. Indeed, the EU Blocking Statute might also be used as a “clawback” mechanism of any damages that may be awarded in a Title III action. As noted, no cases under Helms-Burton have yet been finalized and consequently this aspect of the EU Blocking Statute remains untested.

Additionally, it is important to take into account national, and specifically EU member state, anti-boycott (anti-declaration) provisions, particularly those relating to Cuba.

As an example, for transactions, individuals and entities subject to German jurisdiction, Section 7 of the German Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung (“AWV”)), states that “[t]he issuing of a declaration in foreign trade and payments transactions whereby a resident participates in a boycott against another country (boycott declaration) shall be prohibited.” This originally had to be read with the implicit addendum “to the extent such a declaration would be contradictory to UN, EU and German law.” Accordingly, any compliance advice included the burdensome task of understanding the specific extent of applicable UN, EU, and German sanctions and export control rules.

If an individual or entity was understood to declare that it was in compliance with specific U.S. sanctions against, inter alia, Cuba and Iran that were not mirrored by the UN, the EU, or Germany, such a declaration was regularly covered and thus prohibited by Section 7 AWV. If the German Public Prosecutor wanted to pursue such a case, a court could find the individual or entity to be in breach of Section 7 AWV, which could then lead to an administrative penalty of up to €500.000 (per declaration) for both the company and the acting employee. Further, it could also lead to forfeiture of income associated with the declaration, (partial) nullity of the provision in respective contractual arrangements, and reputational damages.

On December 19, 2018, Section 7 AWV was amended, adding a provision that a declaration of a boycott against another state is excluded from Section 7 AWV prohibitions if the UN, the EU, or Germany have issued economic sanctions against that state as well. After such a change, the general view is that it is permitted under German law to declare compliance with a boycott against another country if the UN, the EU, or Germany have imposed any sanctions (regardless to what extent) on the particular country.

Accordingly, individuals and entities may now lawfully declare their intent to comply with U.S. sanctions, at least under Section 7 AWV, if the UN, the EU, and/or Germany have also imposed economic sanctions against that particular state. This is the case with Iran, for example, where UN, EU, and German sanctions are in place. While the dilemma of complying with either U.S. sanctions or the EU Blocking Statute remains, the EU Blocking Statute currently only covers certain sanctions of the United States. Therefore, while it is still important to tailor such statements (usually appearing in representations and warranties) carefully, a broader statement of compliance with U.S. sanctions on Iran has become permissible under German law. With respect to Cuba (or Israel or any other country not in the scope of UN, EU, and/or German sanctions), Section 7 AWV continues to apply.

3. North Korea

While 2018 gave rise to significant new and partly autonomous EU economic and financial sanctions against North Korea due to the deteriorating security situation on the Korean peninsula and regular threats by Kim Jong Un to attack South Korea or the United States, in 2019 the EU mostly maintained the scope of its sanctions on North Korea. The EU did, however, revise its lists of North Korea-related designated parties, which now consist of 57 individuals and 9 entities.

4. Venezuela

The EU Venezuela sanctions include an arms embargo as well as travel bans and asset freezes on listed individuals, targeting those involved in human rights violations and those undermining democracy or the rule of law. On September 27, 2019, the European Council added 7 members of the Venezuelan security and intelligence forces to the list of designated individuals, now including 25 listed persons. On January 9, 2020, the EU’s High Representative, Josep Borrell, declared that the EU is “ready to start work towards applying [additional] targeted measures against individuals” involved in the recent use of force against Juan Guaidó, the president of Venezuela’s National Assembly, and other lawmakers to impede their access to the National Assembly on January 5, 2020. The EU Venezuela sanctions have recently been extended until November 14, 2020.

5. Syria

EU Syria economic sanctions include an oil embargo, certain investment restrictions, asset freezes applying to the Syrian central bank, as well as export restrictions on equipment and technology used to monitor or intercept telecommunications or for internal repression. EU Syria financial sanctions include travel bans and asset freezes for persons involved in violently repressing the civilian population in Syria, benefiting from or supporting the regime, or being associated with such persons or entities. Currently 269 individuals and 69 entities are designated under the EU Syria sanctions program. On May 17, 2019, the EU extended its sanctions against the Syrian regime for one year, until June 1, 2020.

6. Russia and Crimea

As discussed in previous client alerts, since March 2014, the EU has progressively imposed economic and financial sanctions against Russia in response to Moscow’s deliberate destabilization of Ukraine and its annexation of Crimea. EU economic sanctions against Russia continue to include an arms embargo; an export ban on dual-use goods for military use or military end-users in Russia; limited access to EU primary and secondary capital markets for major Russian state-owned financial institutions and major Russian energy companies; and limited Russian access to certain sensitive technologies and services that can be used for oil production and exploration. However, there are certain noteworthy differences between U.S. and EU sanctions targeting Russia and the latest U.S. actions against Russia have created further disparities between the two regimes.

Further, the EU still does not recognize the annexation of Crimea and Sevastopol by Russia, and the EU imposed broad sanctions against these territories in 2014. The EU Crimea sanctions include an import ban on goods from Crimea and Sevastopol; broad restrictions on trade and investment related to certain economic sectors and infrastructure projects in Crimea and Sevastopol; an export ban on certain goods and technologies to Crimea and Sevastopol; and a prohibition to supply tourism services in Crimea or Sevastopol.

The EU economic sanctions against Russia have been renewed and are currently in place until July 31, 2020. Also, the EU financial sanctions were further extended in September 2019 until March 15, 2020. As of now, 170 people and 44 entities are subject to a respective asset freeze and travel ban. On June 20, 2019, the European Council also extended the EU Crimea sanctions until June 23, 2020. These restrictions are similar to those in place in the United States.

We expect the EU Russia and Crimea sanctions to stay in place for the time being. High Representative Borrell has previously indicated that he believes that “[u]ntil such time as Russia changes its attitude on Crimea and territorial violations, those [EU Russia] sanctions must remain.”

Finally, given how upset the EU has been regarding recent U.S. sanctions on Nord Stream 2, it would be logical to assess that the EU Blocking Statute could be extended to include the NDAA, which provides for targeted sanctions on Nord Stream 2. The EU Blocking Statute currently does not apply to U.S. Russia sanctions. However, we think this outcome is unlikely. The EU Trade Commissioner, Phil Hogan, pointed out that the EU opposes sanctions generally if they threaten companies involved in legitimate business. European Commission President Ursula von der Leyen stated, “The EU Commission emphatically rejects sanctions against European companies that engage in projects in line with the law.” Overall, the EU authorities appear to be at least momentarily satisfied that the U.S. sanctions are unlikely to actually be implemented in this late stage of the construction process, even if they are perceived as an “unfriendly act.”

7. Turkey

Considering that Turkey remains an official applicant for EU membership, it was a surprising development for the bloc to establish on November 11, 2019 an EU financial sanctions framework targeting Turkey’s drilling for natural resources off the coast of Cyprus. The contemplated EU financial sanctions include travel bans and asset freezes. So far, no entity has been designated under the new EU Turkey sanctions. EU Turkey sanctions are aimed at deterring Ankara from violating Cyprus’s maritime economic zone by drilling off the coast of the divided island. In a separate decision, the EU also imposed an arms embargo prohibiting new arms sales by EU member states to Turkey in light of Turkey’s involvement in the Syria conflict.

8. Saudi Arabia

After the assassination of dissident journalist Jamal Khashoggi at the Saudi consulate in Istanbul in October 2018, the German Federal Government issued a unilateral moratorium on arms exports to Saudi Arabia. While originally aligned with France and the United Kingdom, the moratorium did not take the form of EU economic sanctions. Rather, the competent German authority stopped issuing necessary export licenses, including for exports that had previously been approved by the German government.

The Administrative Court of Frankfurt am Main has now lifted this de facto export ban, at least with respect to a specific request to ship an arms manufacturer’s trucks. According to the court, the specific case was about 110 unarmored vehicles for the Royal Saudi Land Forces. The export of the trucks had been authorized in 2017, and 20 vehicles had then been delivered by the end of October 2018. With an order dated November 2018, the Federal Office of Economics and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle (“BAFA”)) temporarily “suspended the validity of the authorization.” Subsequently, additional orders with extended temporary suspensions were issued. After the BAFA failed to respond to the company’s complaint, the company brought an action for failure to act.

It is noteworthy that the question of whether or to what extent EU member states are free to unilaterally (i.e., without alignment with other EU member states) introduce national sanctions measures, such as an asset freeze, has been the topic of a broader recent debate in the EU. The European Commission has published a non-binding opinion in response to a request by an EU member state national competent authority on the compatibility of national, unilateral asset-freezing measures with EU law. According to the opinion, a unilateral asset freeze measure, such as those regularly imposed by EU financial sanctions, are generally not permissible if based on grounds covered by Article 215 of the Treaty on the Functioning of the European Union.

9. Nicaragua

On October 14, 2019, the EU adopted a legal framework for EU financial sanctions targeting Nicaragua, including travel bans and asset freezes against individuals and entities that have committed human rights violations or abuses, repressed civil society and democratic opposition, or undermined democracy and the rule of law in Nicaragua. Furthermore, EU individuals and entities also will not be allowed to make funds available to listed individuals and entities. So far, no designations have been made.

10. Myanmar/Burma

On April 29, 2019, the EU extended EU economic sanctions on Myanmar/Burma for one year, until April 30, 2020.

The EU economic sanctions against Myanmar/Burma include an embargo on arms and equipment that can be used for internal repression, an export ban on dual-use goods to be used by the military and border police, as well as restrictions on the export of equipment for monitoring communications that might be used for internal repression. Furthermore, the provision of military training to and military cooperation with the Myanmar Armed Forces (Tatmadaw) is prohibited under the sanctions regime.

The extension of the EU financial sanctions includes restrictive measures imposed on 14 officials of the Tatmadaw and the border police for human rights violations or association with such violations.

VIII. EU Member State Enforcement Action and Judgements

Enforcement of EU financial and economic sanctions takes place at the EU member state level. Judgments regarding EU financial and economic sanctions also regularly take place at the EU member state level. However, the EU’s supranational courts may be called upon to address specific questions and hold jurisdiction over particular matters, such as de-listing requests.

A. Belgium

In February 2019, the Antwerp Criminal Court found three Belgian companies and two of their managing directors guilty of violating EU Syria sanctions for exporting chemicals to Syria without the necessary license. The court imposed fines between €75,000 and €500,000 on AAE Chemie Trading (“AAE”), Anex Customs (“Anex”), and Danmar Logistics (“Danmar”) for creating a supply chain to export the chemicals to Syria. AAE’s managing director was given a conditional fine of €346,000 and received a four-month conditional sentence, and Anex and Danmar’s managing director was given a conditional fine of €500,000 and was sentenced to a 12-month custodial sentence.

B. Denmark

In September 2019, Danish state prosecutors started investigating Dan-Bunkering, the Danish bunker fuel supplier, on suspicion of violation of the EU Syria sanctions. According to U.S. court records and public sources, Dan-Bunkering was involved in supplying at least 30,000 metric tons of jet fuel for the civil war in Syria. According to Russia’s Foreign Ministry, the company that ordered the supplies was in charge of supplying fuel for Russian fighter jets conducting air raids in Syria. A confidential report submitted to the court detailed transactions totaling DKK 342 million (approximately $50 million) between Dan-Bunkering and the Russian company Maritime in 2016 and 2017.

C. Estonia

In autumn 2019, Estonia started taking measures against the news agency Sputnik Estonia in order to implement EU sanctions. Sputnik Estonia is controlled by Russia Today, the Russian state media organization. Dimitry Kiselyov, the head of Russia Today, is on the EU’s list of those subject to an asset freeze and travel restrictions for their involvement in “undermining or threatening the territorial integrity, sovereignty and independence of Ukraine.” Because of this, Estonian officials took enforcement measures against Sputnik Estonia.

At the end of October 2019, Estonian branches of foreign banks stopped payments by Sputnik Estonia, thus making the payment of salaries, taxes, and rent impossible. As a consequence, Sputnik Estonia received a termination notice from its landlord. In December 2019, the employees of Sputnik Estonia received a warning from the Estonian Finance Intelligence Unit informing them of possible criminal liability if they continued to work for Sputnik Estonia. Subsequently, all 35 employees of the news agency resigned. In December 2019, Sputnik Estonia announced that it would be closing its operations in Estonia.

D. France

In April 2019, the Sanctions Committee of the French Banking Regulator opened disciplinary proceedings against the bank Raguram International for shortcomings in its screening of customers with regard to sanctions compliance. No penalty was issued due to the ensuing compliance efforts by the bank.

E. Germany

1. Russia Arms Embargo

The Hamburg Higher Regional Court sentenced a Russian citizen to seven years in prison for violating European sanctions by selling sensitive dual-use technology worth over €1.83 million to Russians with military backgrounds between 2014 and 2018. In doing so, this individual both forged the necessary documents and violated the export ban under Council Common Position 2008/944/CFSP. He sold, among other things, two hot isostatic presses. As these can be used for civilian or military purposes, exporting them to Russia is prohibited. He further sold up to 15 kilograms of decaborane chemicals, also to a Russian military recipient. The chemicals can be used as rocket fuel or explosives. The items, which can be used for military purposes, fall under the EU Russia economic sanctions.

2. Mahan Air

In January 2019, Germany revoked the license of Iranian airline Mahan Air, which Germany alleged was transporting military equipment and personnel to Syria and other Middle East war zones. The airline is subject to U.S. terrorism secondary sanctions imposed in 2011 for its support for the IRGC. Partly in response to pressure from the United States, Germany imposed the sanctions on Mahan Air after discovering a spy working as a translator in the Bundeswehr.

IX. United Kingdom

2019 saw the United Kingdom’s Office of Financial Sanctions Implementation (“OFSI”) impose its first monetary penalties pursuant to the Policing and Crime Act 2017 (“PCA”). OFSI has the authority to substitute a criminal prosecution with a civil monetary enforcement for breaches of financial sanctions legislation. The maximum penalty a company can receive pursuant to the PCA is the greater of either £1 million (approximately $1.3 million) or 50% of the approximate value of the funds or the economic resources provided.

Guidance provided by OFSI in May 2018 highlights the factors to be considered when calculating the potential for, and amount of, the monetary penalty that may be levied. A number of these factors mirror those applied in other compliance regimes, including whether the breach was systemic, the level of knowledge within the organization, whether funds were provided directly, or actions were taken to circumvent the sanctions, etc.

A. House of Commons – Foreign Affairs Committee Report, and Government Response

On June 12, 2019, the Foreign Affairs Committee of the House of Commons published a scathing report (the “Report”) in relation to the UK’s sanctions regime post-Brexit and preparations in relation thereto. The Report, entitled “Fragmented and incoherent: the UK’s sanctions policy,” highlighted three key elements of sanctions policy that the Committee considered had been overlooked including: (i) a clear high-level Government strategy; (ii) an effective structure for cross-governmental coordination; and (iii) an acknowledgment of the overlap between sanctions and anti-money laundering enforcement in practice.

The overall strategy deficiencies included concern over the timing of incorporation of EU sanctions legislation into local law, a lack of legal certainty regarding whether, and when, the UK will be able to implement and use “Magnitsky-style” powers (that is to say, sanctions targeting human rights violators), and an absence of clarity regarding post-Brexit cooperation with the EU.

In order to overcome some of the deficiencies in the policy making and enforcement structures, the Report recommended the appointment of a Senior Responsible Officer (“SRO”) who would be personally accountable to the National Security Council in relation to sanctions policy and enforcement. The Report further recommended consideration be given to the creation of a single body with responsibility for both policy and enforcement, along the lines of OFAC in the United States.

Finally, while acknowledging that sanctions and anti-money laundering policy are distinct, the Report recommended a greater appreciation by the Foreign and Commonwealth Office (“FCO”) of the overlap between the two, using the example of the listing of En+ Group on the London Stock Exchange in 2017 as a failure in practical enforcement due to the sanctions laws in force at the time being too narrow to effectively block such a listing, and there being no clear way for the Financial Conduct Authority (“FCA”) to convey its concerns or consult national security experts. The Report also re-iterated its previous recommendation for there to be an assessment of the effectiveness of OFSI. The overall conclusion of the Report was that “the Government has spent the last two years running as fast as it can just to stay in the same place.”

The Government’s response (the “Response”) to the concerns raised by the Report was published on September 3, 2019. The Response began by noting the complexity, and unique and dynamic nature of the 22 statutory instruments that had to be drafted in order to translate EU sanctions into local law. The Government also noted that this in turn utilized unprecedented resources and time.

The Response indicated that post-Brexit the Government intends to implement Magnitsky-style sanctions as well as publish its own designated persons list to facilitate enforcement of the same. The Response confirmed the Government’s hope to continue international cooperation in relation to its sanctions regime while maintaining independent policy-making and using its permanent seat on the UN Security Council to express and coordinate the imposition of international sanctions.

In response to the Report’s more domestic concerns, such as its suggestion to appoint an SRO, the Government confirmed that it already has multiple SROs within the FCO, and will re-assess the need for a single SRO designation in the future. Additionally, the Response considered the Report’s concern regarding permission for En+ to list on the London Stock Exchange, the Government re-iterated that the FCA is an independent body, and is empowered under the Financial Services and Markets Act 2000 to refuse an application for listing where it would be detrimental to the investor. Furthermore, the Government stated that it is deliberating the possibility of introducing a power to block a listing on grounds of national security to overcome such challenges in the future.

In relation to the wider consideration of the overlap between sanctions and anti-money laundering efforts, the Government confirmed that its intention is to keep the two separate, however it recognized the overlap and highlighted the systems existing alongside sanctions in the Government’s artillery to fight economic crime. Lastly, the Government defended the effectiveness of OFSI, noting its success in communicating the latest sanctions, its guidance in relation to sanctions compliance, and the threat of monetary enforcement being a strong deterrent.

B. Enforcement

1. R. Raphael & Sons plc

In January 2019, OFSI issued its first financial penalty, against UK bank Raphael & Sons plc (“Raphaels Bank”), of £5,000, for dealing with funds belonging to a designated person without a license, in contravention of regulation 3 of the Egypt (Asset-Freezing) Regulations 2011 (S.I. 2011/887). The value of the transaction at issue was £200. Raphaels Bank made a disclosure of the transaction to OFSI and cooperated with the regulator which resulted in a reduction in penalty of 50 % from an initial fine of £10,000.

2. Travelex (UK) Ltd

OFSI issued its second enforcement in May 2019 against Travelex (UK) Ltd. for contravention of regulation 3 of the Egypt (Asset Freezing) Regulations 2011 (S.I. 2011/887) by dealing with funds belonging to a designated person without a license. This breach was linked to the penalty imposed against Raphaels Bank. OFSI found that “Travelex had direct, in-person, contact with a designated person (DP), in the UK, and dealt with funds belonging to that person despite having access to their passport, which clearly identified the individual by name, date of birth and nationality.” The transaction in question was valued at £204, however no discount was applied for voluntary disclosure and therefore the company was fined £10,000.

3. Telia Carrier UK Limited

OFSI’s largest monetary penalty yet was levied against Telia Carrier UK Limited (“Telia”), a UK subsidiary of Telia Company on October 28, 2019. Telia was fined for breaching section 4 and 6 of the Syria (European Union Financial Sanctions) Regulation 2012. SyriaTel, the sanctioned entity, is the largest mobile phone company in Syria and is owned and controlled by Rami Makhlouf, a powerful Syrian businessman and cousin of President Bashar al-Assad. The company was designated in 2011 by both the United States and the EU, and was described as “being controlled by one of the regime’s most corrupt insiders.” The decision from OFSI while not detailed, confirmed that the telecom carrier’s facilitation of international telephone calls to SyriaTel involved “repeatedly making economic resources available to the designated entity over an extended period of time.” OFSI took the opportunity to remind businesses of the broad scope of assistance that it would consider providing “economic resources,” including tangible and intangible assets that can be transferred either directly or indirectly. This broad definition is likely to be of interest to global businesses in all sectors. The decision confirmed that OFSI’s investigation found that the company “had knowledge, or had reasonable cause to suspect it was breaching sanctions.” The regulator urged companies to implement more thorough screening processes and self-report when issues are identified.

Interestingly, this is the first OFSI enforcement in which the ministerial review process, as provided for in Section 147 of the PCA, was engaged and the penalty in this matter was reduced substantially after the review. When ministerial review is requested by a company, there are three potential outcomes: (i) upholding the decision to impose a penalty and the amount; (ii) upholding the decision to impose a penalty but changing the amount; and (iii) canceling the decision to impose any penalty. The Guidance provided by OFSI in May 2018 confirms that a party requesting a review has 28 days to do so from the date on which it receives written confirmation of the penalty. Once a review is requested, no new material is generally required and this process is not designed to be an opportunity to introduce new evidence. However, in this case, during the review process, OFSI received further clarification regarding the nature of the transactions which it did not have when deciding the initial penalty. As a result the assessed value of the transactions was more than halved from £480,000 to £234,000. OFSI noted that this information needed to be considered even though it was provided as such a late stage, given the “significant impact” of the information. While it is unclear what would be considered “significant impact” and therefore what information will be of assistance to OFSI, companies found to be in breach will want to self-investigate the value of any breach as early as possible to ensure they are not incorrectly penalized.

4. Bank Mellat

In June 2019, the UK settled a £1.25 billion (approximately $1.6 billion) lawsuit brought by Bank Mellat, an Iranian bank partly owned by the Iranian government, in relation to UK sanctions imposed against it between 2009 and 2013 due to alleged links to Iran’s nuclear program. The bank claimed this led to losses of £3.2 billion (approximately $4 billion) due to its inability to do business in the UK financial sector and the substantial damage caused to its reputation in the UK and internationally. While details of the settlement were kept confidential, there was some press speculation that the settlement monies were transferred by the UK through a third country and entity, with U.S. sanctions concerns in mind. Bank Mellat continues to be sanctioned by the United States after its inclusion as a designated entity in October 2018.

The following Gibson Dunn lawyers assisted in preparing this client update: Judith Alison Lee, Adam Smith, Patrick Doris, Michael Walther, Stephanie Connor, Christopher Timura, Shruti Chandhok, Grace Chow, Cate Harding, Dyllan Lee, Allison Lewis, Jesse Melman, R.L. Pratt, Tory Roberts, Richard Roeder, Samantha Sewall, Audi Syarief, Scott Toussaint, Brian Williamson, and Simon Woerrlein.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s International Trade practice group:

United States:
Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, [email protected])
Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, [email protected])
Jose W. Fernandez – New York (+1 212-351-2376, [email protected])
Marcellus A. McRae – Los Angeles (+1 213-229-7675, [email protected])
Adam M. Smith – Washington, D.C. (+1 202-887-3547, [email protected])
Stephanie L. Connor – Washington, D.C. (+1 202-955-8586, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, [email protected])
Ben K. Belair – Washington, D.C. (+1 202-887-3743, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202-955-8685, [email protected])
Laura R. Cole – Washington, D.C. (+1 202-887-3787, [email protected])
R.L. Pratt – Washington, D.C. (+1 202-887-3785, [email protected])
Samantha Sewall – Washington, D.C. (+1 202-887-3509, [email protected])
Audi K. Syarief – Washington, D.C. (+1 202-955-8266, [email protected])
Scott R. Toussaint – Washington, D.C. (+1 202-887-3588, [email protected])

Europe:
Peter Alexiadis – Brussels (+32 2 554 72 00, [email protected])
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Nicolas Autet – Paris (+33 1 56 43 13 00, [email protected])
Patrick Doris – London (+44 (0)207 071 4276, [email protected])
Sacha Harber-Kelly – London (+44 20 7071 4205, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Shruti S. Chandhok – London (+44 (0)20 7071 4215, [email protected])
Steve Melrose – London (+44 (0)20 7071 4219, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Richard W. Roeder – Munich (+49 89 189 33-160, [email protected])
Grace Chow – Singapore (+65 6507.3632, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Join our distinguished panelists as they discuss significant 2019 developments in areas including antitrust, corporate governance, data privacy and cybersecurity, international trade, money laundering, securities fraud, and white collar defense and investigations. Our panelists also will suggest strategies for identifying key compliance risks and building a strong compliance program as we move into the new decade.

Topics to be discussed include:

Global Enforcement and Regulatory Developments
Key Tips for Identifying and Addressing Top Areas of Compliance Risk
Practical Recommendations for Improving Corporate Compliance
DOJ and SEC Priorities, Policies, and Penalties
Update on Key Governance Issues and Regulatory Requirements

View Slides (PDF)
Listen to Audio (MP3) – Audio file is available for download and replay at your convenience, without MCLE credit.

PANELISTS:

Zainab Ahmad, a partner in New York, joined the firm after serving as Senior Assistant Special Counsel in Special Counsel Robert S. Mueller’s Office. She was previously Deputy Chief of the National Security and Cybercrime section at the U.S. Attorney’s Office in the Eastern District of New York. Ms. Ahmad is a decorated former prosecutor who has received both of DOJ’s highest honors, the Attorney General’s Award and the FBI Director’s Award, and whose work prosecuting terrorists was profiled by The New Yorker magazine. Her practice focuses on white collar defense and investigations, including corruption, anti-money laundering, sanctions and FCPA issues. She also advises clients regarding data privacy and cybersecurity matters. Her practice is international and focuses on cross-border issues; she is fluent in Urdu and Hindi.

Stuart Delery, a partner in Washington, D.C., was the Acting Associate Attorney General, the No. 3 position in the Justice Department, where he oversaw the civil and criminal work of five litigating divisions — Antitrust, Civil, Tax, Civil Rights, and Environment and Natural Resources — as well as other components. His practice focuses on representing corporations and individuals in high-stakes litigation and investigations that involve the federal government across the spectrum of regulatory litigation and enforcement.

Michelle Kirschner, an English law partner in London, focuses her practice on advising a broad range of financial institutions on regulatory matters. She has extensive experience advising clients on systems and controls, market abuse, conduct of business and regulatory change management. She has also conducted internal investigations, in particular reviews of corporate governance and systems and controls in the context of EU and UK regulatory requirements and expectations.

Adam M. Smith, a partner in Washington, D.C., was the Senior Advisor to the Director of the U.S. Treasury Department’s OFAC and the Director for Multilateral Affairs on the National Security Council. His practice focuses on international trade compliance and white collar investigations, including with respect to federal and state economic sanctions enforcement, the FCPA, embargoes, and export controls. He routinely advises multi-national corporations regarding regulatory aspects of international business.

Lori Zyskowski, a partner in New York, is Co-Chair of the firm’s Securities Regulation and Corporate Governance practice. She was previously Executive Counsel, Corporate, Securities & Finance at GE. She advises clients, including public companies and their boards of directors, on a wide variety of corporate governance and securities disclosure issues, and provides a unique perspective gained from over 12 years working in-house at S&P 500 corporations.

Moderator:

F. Joseph Warin, a partner in Washington, D.C., is Co-Chair of the firm’s White Collar Defense and Investigations practice and former Assistant U.S. Attorney in Washington, D.C. Mr. Warin is consistently recognized annually in the top-tier by Chambers USA, Chambers Global, and Chambers Latin America for his FCPA, fraud and corporate investigations acumen. In 2018 Mr. Warin was selected by Chambers USA as a “Star” in FCPA, and “a “Leading Lawyer” in the nation in Securities Regulation: Enforcement. Global Investigations Review reported that Mr. Warin has now advised on more FCPA resolutions than any other lawyer since 2008. Who’s Who Legal and Global Investigations Review named Mr. Warin to their 2016 list of World’s Ten-Most Highly Regarded Investigations Lawyers based on a survey of clients and peers, noting that he was one of the “most highly nominated practitioners,” and a “’favourite’ of audit and special committees of public companies.” Mr. Warin has handled cases and investigations in more than 40 states and dozens of countries. His credibility at DOJ and the SEC is unsurpassed among private practitioners — a reputation based in large part on his experience as the only person ever to serve as a compliance monitor or counsel to the compliance monitor in three separate FCPA monitorships, pursuant to settlements with the SEC and DOJ: Statoil ASA (2007-2009); Siemens AG (2009-2012); and Alliance One International (2011-2013).

The United Kingdom’s withdrawal from the European Union could have a significant effect on international and U.K. domestic taxation. It will likely impact aspects of the United Kingdom’s value added tax and withholding tax regimes, customs and excise taxes, State Aid determinations, and double tax treaties. This alert concerns one discrete issue that has not yet been decided by the U.S. Treasury, but that could have dramatic consequences for entities currently claiming the benefit of U.S. tax treaties: whether the United Kingdom’s withdrawal from the European Union means that U.K. shareholders will no longer be considered “equivalent beneficiaries” for purposes of the derivative benefits test in the limitation on benefits provision in U.S. tax treaties.

As explained in more detail below, strong arguments support U.S. Treasury extending treaty benefits to deal with unintended collateral consequences of the larger Brexit discussions; however, U.S. Treasury will need to tread carefully to avoid creating issues with either its treaty partners or the Senate.

We encourage clients to address these structural issues in advance of the United Kingdom’s formal exit from the European Union.

The Limitation on Benefits Article and Derivative Benefits Test

The limitation on benefits (LOB) article in U.S. tax treaties is intended to prevent “treaty shopping,” whereby residents from third countries not party to the treaty manipulate treaty residence rules or corporate shareholdings in order to obtain treaty benefits. Given the LOB’s mechanical and objective nature (as opposed to more subjective tests like the “principal purpose” test), even entities structured with no treaty shopping purpose whatsoever can run afoul of its requirements.

The LOB includes, depending on the treaty, up to five distinct safe harbors: the publicly traded companies/subsidiary test, the tax exempt organization and pension funds test, the stock ownership and base erosion test, the active trade or business test, and the derivative benefits test.[1] The derivative benefits test is intended to grant treaty benefits to a treaty state resident if its nonresident owners would be granted the same benefits if the income flowed directly to them. Essentially, the test extends treaty benefits to a resident entity that nonetheless fails the other LOB tests on the basis that its ownership structure is not abusive if its shareholders could have received the same treaty benefits without locating the entity in the treaty state. These nonresident owners are considered “equivalent beneficiaries” for purposes of the test.

Currently, sixteen U.S. tax treaties include derivative benefits tests in their LOB provisions.[2] Most of these clauses limit the grant of equivalent beneficiary status to some combination of residents of EU and European Economic Area (EEA) member states and parties to NAFTA. Taxpayers with U.K. shareholders hoping to rely on the derivative benefits test when applying for benefits under any of these treaties that restrict equivalent beneficiary status to EU, EEA, and NAFTA membership need to be aware that they might fail the test post-Brexit, in which case they would be denied treaty benefits entirely.

Arguments Supporting Extending Equivalent Beneficiary Status

One argument for extending equivalent beneficiary status to U.K. residents post-Brexit is that disallowing such status would frustrate the purpose of the derivative benefits test, which is to disapply the LOB in cases where its application is counterintuitive—for example, a situation where a resident of the United Kingdom would not be entitled to treaty benefits if investing or earning income in the United States via an entity resident in Ireland, in a situation where the United States grants the very same benefits under the Irish treaty as the treaty between the United Kingdom and the United States. Revoking U.K. residents’ status as equivalent beneficiaries would result in precisely such an outcome.

Another argument in favor of extending equivalent beneficiary status to U.K. residents is that the 2016 U.S. Model Income Tax Convention adopted a derivative benefits test that avoids this issue by removing the test’s geographic limitations. In the 2016 Model, the derivative benefits rule defines equivalent beneficiaries as residents of any state, provided that they would be entitled to the same benefits under their residence state’s comprehensive double tax treaty with the contracting state from which they seek to obtain benefits.[3] If the model treaty’s version of the derivative benefits test applied to all U.S. tax treaties, then treaty residents would obtain the benefits they sought regardless of the United Kingdom’s status as member of the European Union or European Economic Area, due to the benefits granted in the United States-United Kingdom treaty.

Finally, it is possible that revoking U.K. residents’ equivalent beneficiary status would cause harmful economic distortions. Brexit is predicted to have significant deleterious effects on states that have deep trade ties with the United Kingdom—many of whom are members of the European Union. A significant number of entities that would no longer be able to claim treaty benefits after Brexit may be forced to incur the expense of relocating or restructuring, expenses that would not be necessary but for the failure of U.S. treaties to reflect what the U.S. government itself considers to be model treaty provisions.

Arguments Against Extending Equivalent Beneficiary Status

The primary argument against the extension of equivalent beneficiary status to U.K. residents is that a plain text reading of the definitions of equivalent beneficiaries in the treaties at issue clearly shows that they include current EU and/or EEA member states but do not include former EU and/or EEA member states. In customary international law, a plain text reading of a treaty’s terms is the primary means of treaty interpretation. In most nations, the Vienna Convention on the Law of Treaties (VCLT) serves as the principle authority when it comes to treaty interpretation.

The United States is a signatory to the VCLT but has not ratified it and is not a party to it. Thus, U.S. courts are not bound by its terms. In practicing its own form of treaty interpretation completely separate from the VCLT, the Supreme Court has not been entirely consistent on its guiding principles. In a 2014 case BG Grp. Plc v. Republic of Arg., the Court focused on the intent of the parties, stating that “[a] treaty is a contract between nations, and its interpretation normally is a matter of determining the parties’ intent.”[4] In order to determine that intent when interpreting treaties, the Court will “‘begin with the text of the treaty and the context in which the written words are used.’”[5]

If Treasury decides to extend equivalent beneficiary status to U.K. residents after Brexit, it must contend with the fact that it will be doing so in direct contravention of the plain meaning of the relevant treaties’ terms.

Treasury’s Options[6]

When it comes to addressing the issue, Treasury’s most unilateral option is to issue a notice stating that for purposes of the U.S. double tax treaties that define equivalent beneficiary status by reference to the European Union and/or European Economic Area, U.K. residents will be treated as equivalent beneficiaries after Brexit. This method is easy and simple for both Treasury and the companies applying for treaty benefits. No change needs to be made to Form W‑8BEN‑E, the form that taxpayers use in applying for benefits under a tax treaty. The status quo will be preserved. However, it is not clear that Treasury has this authority, and it is possible that U.S. lawmakers and treaty partners may bristle at such an action.

In a subtler move, Treasury and the IRS might choose not to enforce the failure of U.S. withholding agents to withhold at a rate above the treaty rate when treaty benefits are denied by virtue of U.K. residents’ post-Brexit loss of equivalent beneficiary status. This would be an approach similar to the “don’t ask, don’t tell” approach taken by the Internal Revenue Service with respect to domestic taxation of employee frequent-flier miles.[7] This approach is attractive by virtue of its quietness, as opposed to a Treasury notice’s announcement to the world that the U.S. intends to ignore or purposefully misread tax treaty provisions; however, large enterprises that need to account for tax costs years in advance will find little assurance in an unannounced policy on which they cannot explicitly rely.

Competent authority relief is likely Treasury’s most effective option, since it is clearly within its authority and springs from the treaties themselves. A Competent Authority Arrangement is a bilateral agreement between the U.S. and its treaty partners to clarify or interpret treaty provisions. Treasury could enter into Competent Authority Arrangements with its treaty partners that grant equivalent beneficiary status to U.K. residents in a way that does not veer so far from reasonable treaty interpretation as to constitute treaty renegotiation. If that boundary is crossed, however, there is a possibility that certain U.S. lawmakers might consider such arrangements to usurp the Senate’s power to approve treaties and treaty protocols. There is also the possibility that Treasury faces pushback from treaty partners.

Potential Challenges

If Treasury uses one of the methods listed above in granting U.K. residents equivalent beneficiary status, it is conceivable that the contracting state may be displeased—by the granting of benefits itself, the method by which Treasury grants the benefits, or both. The contracting state may raise the issue with the United States by reference to a mutual agreement procedure contained in the treaty. Or, the contracting state could deny benefits to the resident company by assessing the tax it believes should have been withheld in the United States.[8]

If Treasury enters into agreements with treaty partner states agreeing to grant U.K. residents equivalent beneficiary status post-Brexit, the Senate may argue that such an agreement constitutes treaty renegotiation that infringes upon the Senate’s treaty power granted in the U.S. Constitution. In 2015, Senator Rand Paul challenged a different type of international tax agreement on similar grounds. He and several individual plaintiffs sued Treasury to strike down the Foreign Account Tax Compliance Act (FATCA) and certain intergovernmental agreements (IGAs). The Sixth Circuit ruled that Senator Paul did not have standing to challenge the IGAs.[9] The court distinguished the facts from those of Coleman v. Miller,[10] in which the Supreme Court found that a group of twenty-one Senators had standing to challenge a resolution that twenty of them had voted against, suggesting that a large enough bloc of Senators might have standing to challenge a Competent Authority Arrangement. On the other hand, legislators likely do not have standing to challenge a policy of discretionary non-enforcement, because the Service has enforcement authority with respect to tax assessment and collection, and enforcement authority includes the authority to prioritize certain enforcement goals over others.

Moving Forward

Businesses with U.K. shareholders that currently use the derivative benefits test in a U.S. treaty are encouraged to remain engaged with this issue. Those who have not begun contingency planning should consider it, in consultation with counsel, financial, and tax advisors. Members of the Gibson Dunn Tax team are available to discuss strategy, options, and considerations as these developments unfold.

____________________

[1] See IRS Tax Treaty Table 4, available at https://www.irs.gov/pub/irs-utl/Tax_Treaty_Table_4.pdf.

[2] Belgium, Canada, Denmark, Finland, France, Germany, Iceland, Ireland, Jamaica, Luxembourg, Malta, Mexico, Netherlands, Sweden, Switzerland, United Kingdom.

[3] See 2016 United States Model Income Tax Convention Art. 22(7)(e), available at https://www.treasury.gov/resource-center/tax-policy/treaties/Documents/Treaty-US%20Model-2016.pdf

[4] BG Grp. plc v. Republic of Arg., 572 U.S. 25, 26 (2014) (quoting Air France v. Saks, 470 U.S. 392, 399 (1985)).

[5] Water Splash, Inc. v. Menon, 137 S. Ct. 1504, 1508-09 (2017) (quoting Volkswagenwerk Aktiengesellschaft v. Schlunk, 486 U.S. 694, 699 (1988)).

[6] In assessing its options, U.S. Treasury might look to two potentially analogous historical events where changes in the intergovernmental landscape created similar hazards with respect to tax treaty interpretation and applicability: the collapse of the Soviet Union in 1991 and the United Kingdom’s handover of control over Hong Kong to China in 1997. However, the principal issues in those cases revolved around state succession and treaty succession (i.e., whether the U.S.-U.S.S.R. and U.S.-China treaties would remain in effect with respect to the former Soviet republics and China-controlled Hong Kong, respectively), which are fundamentally different than those raised by the interaction between Brexit and the derivative benefits test. See IRS Notice 97-40, 1997-2 C.B. 287 (announcing that the U.S.-China tax treaty would not apply to Hong Kong); Treasury News NB-1763 (announcing that the U.S.-U.S.S.R. tax treaty would remain in effect for the members of the Commonwealth of Independent States).

[7] See Lawrence Zelenak, Custom and the Rule of Law in the Administration of the Income Tax, 62 Duke L.J. 829, 830-31 (2012).

[8] If a contracting state were to do this, then the competent authority relief provision in most U.S. tax treaties would require the contracting state to consult with the U.S. competent authority before such denial.

[9] Crawford v. United States Dep’t of the Treasury, 868 F.3d 438 (6th Cir. 2017).

[10] 307 U.S. 433.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Tax practice group, or the authors:

David W. Rubin – Los Angeles (+1 213-229-7647, [email protected])
Benjamin J. Fryer – London (+44 (0)20 7071 4232, [email protected])
Jeffrey M. Trinklein – London/New York (+44 (0)20 7071 4224 /+1 212-351-2344), [email protected])

Please also feel free to contact any of the following practice leaders and members:

Tax Group:
Jeffrey M. Trinklein – Co-Chair, London/New York (+44 (0)20 7071 4224 /+1 212-351-2344), [email protected])
David Sinak – Co-Chair, Dallas (+1 214-698-3107, [email protected])
Sandy Bhogal – London (+44 (0)20 7071 4266, [email protected])
Benjamin J. Fryer – London (+44 (0)20 7071 4232, [email protected])
Jérôme Delaurière – Paris (+33 (0)1 56 43 13 00, [email protected])
Hans Martin Schmid – Munich (+49 89 189 33 110, [email protected])
James Chenoweth – Houston (+1 346-718-6718, [email protected])
Brian W. Kniesly – New York (+1 212-351-2379, [email protected])
Eric B. Sloan – New York (+1 212-351-2340, [email protected])
Edward S. Wei – New York (+1 212-351-3925, [email protected])
Benjamin Rippeon – Washington, D.C. (+1 202-955-8265, [email protected])
Daniel A. Zygielbaum – Washington, D.C. (+1 202-887-3768, [email protected])
Dora Arash – Los Angeles (+1 213-229-7134, [email protected])
Paul S. Issler – Los Angeles (+1 213-229-7763, [email protected])
Lorna Wilson – Los Angeles (+1 213-229-7547, [email protected])
Scott Knutson – Orange County (+1 949-451-3961, [email protected])

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

After a slow start to the year, global efforts to regulate artificial intelligence technologies (“AI”) have gained real momentum. The 116th U.S. Congress saw a record number of bills related to AI in 2019—the Filter Bubble Transparency Act being the latest—and in the final quarter of 2019 the Trump administration continued to take tentative steps towards articulating a “light-touch” federal policy that balances safety and innovation, collaboration and protectionism, whilst being sufficiently technically detailed to allow federal agencies to consider their regulatory response. California continues to buck the national trend and has taken legislative action to prohibit, among other things, the use of facial recognition technology by law enforcement.

Meanwhile, the EU is preparing to deliver much-anticipated draft AI legislation in early 2020, but has, as we discuss below, already taken a firm stance in favor of regulation that is broad in scope, focused on ethics, individual rights and corporate accountability, and “horizontally” applicable across industries, rather than specific sectors—in other words, GDPR-style principles of governance that are in many respects diametrically opposed to U.S. federal policy, which eschews the EU’s “regulate-first” approach.

As we will address in more detail in our forthcoming 2019 Annual Legal Review of Artificial Intelligence and Automated Systems, these fast-moving global developments will have a significant impact on companies developing or operating AI products in the EU.

___________________

I. Key U.S. Legislative And Regulatory Developments

A. Filter Bubble Transparency Act, S. 2763
B.  NSCAI Report on U.S. National Security
C.  U.S. Imposes Export Controls on Chinese AI Companies
D.  California’s Sweeping Attempts to Regulate AI
E.  EC Promises “GDPR”-Style Regulation of AI

II. Bias/Ethics and Technology Bans

A. German Data Ethics Commission Report
B. New DoD Ethics Framework

III. Intellectual Property Law

_______________

I. Key U.S. Legislative and Regulatory Developments

A. FILTER BUBBLE TRANSPARENCY ACT, S. 2763

On October 31, 2019 a bipartisan group of senators introduced the Filter Bubble Transparency Act, the first substantive federal bill aimed at regulating algorithmic control of content on internet platforms. If enacted, the bill would require large-scale internet platforms to provide greater transparency to consumers by providing clear notice on the use, and enabling consumers to opt out, of personalized content curated by “opaque” algorithms so that they can “engage with a platform without being manipulated by algorithms driven by user-specific data”[1] and “simply opt out of the filter bubble.”[2] “Filter bubble” refers to a zone of potential manipulation that exists within algorithms that curate or rank content in internet platforms based on user-specific data, potentially creating digital “echo chambers.”[3] Sen. John Thune, R-S.D., one of the bill’s sponsors, explained that the bill is intended to facilitate “a better understanding of how internet platforms use artificial intelligence and opaque algorithms to make inferences from the reams of personal data at their fingertips that can be used to affect behavior and influence outcomes.”[4]

The proposed legislation covers “any public-facing website, internet application, or mobile application,” such as social network sites, video sharing services, search engines and content aggregation services[5], and generally would prohibit the use of opaque algorithms on platforms without those platforms having first provided notice in a “clear, conspicuous manner on the platform whenever the user interacts with an opaque algorithm for the first time.” The term “opaque algorithm” is defined as “an algorithmic ranking system[6] that determines the order or manner that information is furnished to a user on a covered internet platform based, in whole or part, on user-specific data that was not expressly provided by the user to the platform” in order to interact with it.[7] Examples of “user-specific” data include the user’s history of web searches and browsing, geographical locations, physical activity, device interaction, and financial transactions.[8] Conversely, data that was expressly provided to the platform by the user for the purpose of interacting with the platform—such as search terms, saved preferences, an explicitly entered geographical location or the user’s social media profiles[9]—is considered “user-supplied.”

Additionally, the bill requires that users be given the option to choose to view content based on “input-transparent algorithms,” a purportedly generic algorithmic ranking system that “does not use the user-specific data of a user to determine the order or manner that information is furnished to such user on a covered platform,”[10] and be able to easily switch between the opaque and the input-transparent versions.[11] By way of example, Sen. Marsha Blackburn (R-TN), another co-sponsor of the bill, explained that “this legislation would give consumers the choice to decide whether they want to use the algorithm or view content in the order it was posted.”[12] However, there is nothing in the bill that would require platforms to disclose the use of algorithms unless they are using hyper-personal “user-specific” data for customization, and even “input-transparent” algorithms using “user-supplied” data would not necessarily show content in chronological order. Nor would platforms be required to disclose any source code or explain how the algorithms used work. As drafted, the bill’s goals of providing transparency and protecting consumers from algorithmic manipulation by “opting out” of personalized content appear to be overstated, and lawmakers will need to grapple with the proposed definitions to clarify the scope of the bill’s provisions.[13]

Much like the Algorithmic Accountability Act, discussed in more detail in our Artificial Intelligence and Autonomous Systems Legal Update (1Q19), the bill is squarely targeted at “Big Tech” platforms—it would not apply to platforms wholly owned, controlled and operated by a person that did not employ more than 500 employees in the past six months, averaged less than $50 million in annual gross receipts, and annually collects or processes personal data of less than a million individuals.[14] Violations of the Act would be enforced with civil penalties by the Federal Trade Commission (“FTC”) but, unlike the Algorithmic Accountability Act, the bill does not grant state attorneys general the right to bring civil suits for violations, nor expressly state that its provisions do not preempt state laws.

We will continue to monitor the bill, which is co-sponsored by four members of the Senate Committee on Commerce, Science, and Transportation, as it makes its way through Congress.

B. NSCAI REPORT ON U.S. NATIONAL SECURITY

On November 4, 2019, the National Security Commission on Artificial Intelligence (“NSCAI”) — which was tasked by Congress to research ways to advance the development of AI for national security and defense purposes — released a much-anticipated interim report specifying five key areas where it said U.S. policy can improve in order to transition AI from “a promising technological novelty into a mature technology integrated into core national security missions.”[15] Eric Schmidt, the chairman of the commission and the former head of Google’s parent company Alphabet, noted that the commission worked with a number of U.S. government departments and agencies including the intelligence community, academia and the private sector, as well as allied partners such as the United Kingdom, Japan, Canada and Australia. Across all five principles, NSCAI said that ethical and responsible development and deployment of AI is a top priority, and noted that it is still developing best practices for operationalizing AI technologies that are trustworthy, explainable, and free of unwanted bias.

The five lines of effort are: invest in research and development; apply the technology to national security missions; train and recruit AI talent; protect and build upon U.S. technology advantages; and marshal global cooperation on artificial intelligence issues.

The commission’s preliminary conclusion is that the U.S. “is not translating broad national AI strengths and AI strategy statements into specific national security advantages.”[16] Notably, the commission reported that federal R&D funding has not kept pace with the potential of AI technologies, noting that the requested fiscal year 2020 federal funding for core AI research outside of the defense sector grew by less than 2 percent from the estimated 2019 levels.[17] Further, it noted that AI is not realizing its potential to execute core national security missions because agencies are failing to embrace the technology as a result of “bureaucratic impediments and inertia.”[18] NSCAI also criticized the shortage of AI talent in government agencies, specifically in the Department of Defense (“DoD”). It made workforce development recommendations to federal agencies, including undertaking more widespread use of AI technologies, and improving training on basic AI principles.[19] The commission asserted that the U.S. has a global technological advantage in terms of AI implementation, but also warned that China is rapidly closing the gap.[20] NSCAI recommended export controls to protect AI hardware,[21] and preservation of an open research system with U.S. academia. Finally, the commission said the U.S. should lead creation of AI norms worldwide by fostering international collaboration and establishing a network of allies dedicated to AI data sharing, R&D coordination, capacity building, and talent exchanges.[22] The commission also notes that it is exploring possible avenues for “AI-related diplomatic discussions with rivals such as China and Russia” in areas such as AI safety in order to protect common interests, promote responsible research and innovation, and limit dangerous uses.[23]

NSCAI is set to release its final report and recommendations—which will likely contain additional insights into U.S. federal policy regarding AI— in March 2021.

C. U.S. IMPOSES EXPORT CONTROLS ON CHINESE AI COMPANIES

On October 7, 2019, BIS announced that it will add 28 Chinese governmental and commercial organizations to the Entity List for engaging in or enabling activities contrary to the foreign policy interests of the United States.[24] The regulation includes China’s leading AI companies, including Sense Time, Megvii Technology, Yitu, and Dahua Technology. Companies are required to comply with the notice as of the effective date, although it includes a standard “savings clause” exempting items that are already en route as of October 9, 2019. The Secretary of Commerce stated that this action was in response to “the brutal suppression of ethnic minorities within China[.]”[25]

D. CALIFORNIA’S SWEEPING ATTEMPTS TO REGULATE AI

1. Two New California Laws Ban Certain Deepfake Videos

As we previously reported in our Artificial Intelligence and Autonomous Systems Legal Update (3Q19), in the wake of a June 2019 hearing by the House Permanent Select Committee on Intelligence on the national security challenges of artificial intelligence, manipulated media, and deepfake technology, both the House and the Senate introduced legislation to regulate deepfakes. While those bills remains pending, California has taken action to restrict the specific use of deepfakes to influence elections and non-consensual pornographic deepfakes. On October 3, 2019 California’s Gov. Newsom signed a bill (A.B. 730) banning anyone “from distributing with actual malice materially deceptive audio or visual media of the candidate” within 60 days of an election with the intent to injure the candidate’s reputation or deceive a voter into voting for or against the candidate.[26] This measure exempts print and online media and websites if that entity clearly discloses that the deepfake video or audio file is inaccurate or of questionable authenticity. On October 3, Gov. Newsom also signed a bill (A.B. 602) banning pornographic deepfakes made without consent of the person depicted, creating a private right of action.[27] The law excepts “[c]ommentary, criticism, or disclosure that is otherwise protected by the California Constitution or the United States Constitution.”

It will remain to be seen whether these laws will be challenged and whether they will pass Constitutional muster. Regardless, the use and proliferation of deepfakes will likely face greater legal and regulatory scrutiny at both federal and state level going forward, and may impact technology platforms which permit users to upload, share or link content.

2. California Limits Police Body Camera Facial Recognition Technology

On October 8, Gov. Newsom signed bill A.B. 1215,[28] which places a three-year moratorium on any facial recognition technology used in police body cameras beginning January 1, 2020. This development follows San Francisco and Oakland bans on police use of facial recognition technology, as reported in our Artificial Intelligence and Autonomous Systems Legal Update (2Q19). The language of A.B. 1215 states that using biometric surveillance violates constitutional rights because it is the “functional equivalent” of requiring people to carry identification at all times.[29] The new law further regulates the collection of personal information, sounds in California’s concern for overly broad collection of information, and may influence modifications to the California Consumer Privacy Act 2018 (“CCPA”) regarding facial recognition (such as A.B. 1281, which would require businesses to give conspicuous notices where facial recognition technology is employed).

3. California AG Releases New California Consumer Privacy Act (CCPA) Proposed Regulations

As reported in our client alert California Consumer Privacy Act: 2019 Final Amendments Signed, on October 10, California Attorney General Xavier Becerra issued new draft regulations operationalizing the California Consumer Privacy Act (“CCPA”). The CCPA has been described as one of the most stringent state privacy laws and will affect AI technologies that are driven by personal data. We have previously published a summary of the CCPA as well as its initial amendments, and stand ready to advise companies who utilize or develop such technologies on the potential implications of CCPA within the AI space.

As reported in our Artificial Intelligence and Autonomous Systems Legal Update (3Q19), European Commission President Ursula von der Leyen promised to propose legislation to address the human and ethical implications of AI in the first quarter of 2020.[30] In a speech at the European Parliament on November 27, 2019, von der Leyen said that she was in favor of AI-focused legislation similar to the General Data Protection Regulation (“GDPR”).[31] The Commission is likely to draw on the work of its high-level expert group on AI, which outlined a series of principles earlier this year aimed at ensuring companies deploy artificial intelligence in a way that is fair, safe and accountable.[32] The principles, developed by a committee of academics and industry representatives, form part of the EU’s plan to increase public and private investment in AI to €20 billion per year.

We will monitor any further statements by the EC and provide updates on any proposed legislation as it becomes available. As we previously addressed in more detail in “Gearing Up for the EU’s Next Regulatory Push: AI,”[33] given the stringent requirements of the GDPR, future EC regulations are likely to stand in contrast to the current U.S. “light-touch” regulatory approach and could have a significant impact on companies developing or operating AI products within the EU.

II. Bias/Ethics and Technology Bans

A. GERMAN DATA ETHICS COMMISSION REPORT

On October 23, 2019, Germany’s Data Ethics Commission released a landmark 240-page report containing 75 recommendations for regulating data, algorithmic systems and AI.[34] Consistent with EC President Ursula von der Leyen’s recent remarks discussed above, the report suggests that EU regulation of AI may mirror the approach espoused in the GDPR — broad in scope, focused on individual rights and corporate accountability, and “horizontally” applicable across industries, rather than specific sectors.[35] Expanding on the EU’s non-binding “Ethics Guidelines for Trustworthy AI,” the commission concludes that “regulation is necessary, and cannot be replaced by ethical principles.”[36]

The commission creates a blueprint for the implementation of binding legal rules for AI—nominally both at national and EU level—on a sliding scale based on the risk of harm across five levels of algorithmic systems, with a focus on the degree of potential harm rather than differentiating between specific use cases. While systems posing a negligible or low likelihood of harm would not require any new regulatory obligations, those with at least “some” potential for harm would be subject to a mandatory labeling scheme that indicates where and how algorithms are being used within the system, and a risk assessment that evaluates the system’s effect on privacy rights, self-determination, bodily or personal integrity, assets and ownership rights, and discrimination, among other factors. For systems that curate content based on user data, such as personalized pricing algorithms, the commission recommends prior authorization by supervisory institutions, and heightened oversight (such as live monitoring) and transparency obligations systems with “regular or significant potential for harm,” which include determinations about consumer creditworthiness. The commission recommended a full or partial ban on systems with an “untenable potential for harm.”[37]

Of particular relevance to companies deploying AI software, the report recommends that measures be taken against “ethically indefensible uses of data,” such as “total surveillance, profiling that poses a threat to personal integrity, the targeted exploitation of vulnerabilities, addictive designs and dark patterns, methods of influencing political elections that are incompatible with the principle of democracy, vendor lock-in and systematic consumer detriment, and many practices that involve trading in personal data.”[38]

The commission also recommends that human operators of algorithmic systems be held vicariously liable for any harm caused by autonomous technology, and calls for an overhaul of existing product liability and strict liability laws as they pertain to algorithmic products and services.[39]

While the report’s pro-regulation approach is a counterweight to the “light-touch’ regulation favored by the U.S. government, the commission takes the view that, far from impeding private sector innovation, regulation can provide much-needed certainty to companies developing, testing, and deploying innovative AI products.[40] Certainly, the commission’s guiding principles—among them the need to ensure “the human-centred and value-oriented design of technology”[41]—reinforce that European lawmakers are likely to regulate AI development comprehensively and decisively. While it remains to be seen to what extent the forthcoming draft EU legislation will adopt the commission’s recommendations, all signs point to a sweeping regulatory regime that could significantly impact technology companies active in the EU.

B. NEW DOD ETHICS FRAMEWORK

On October 31, 2019, the Defense Innovation Board (“DIB”), an independent federal advisory committee to the Pentagon consisting of a group of science and technology experts led by former Google CEO Eric Schmidt, proposed a new ethics framework consisting of five overarching ethical principles which tie the Department of Defense’s (“DOD”) existing laws of war and rules of engagement[42] into the use of AI.[43]

The report is a high-level blueprint for military deployments of artificial intelligence and addresses some general shortcomings of AI technology.[44] The principles advocate for deliberate AI designs to counter unintended biases that could cause inadvertent harm and for humans to have the power to deactivate or disengage AI systems acting outside the intended parameters. The board also suggested that humans should always be responsible for the “development, deployment, use and outcomes” of AI rather than letting AI set its own standards of use: “Governability is important because operators and users of AI systems should understand the potential consequences of deploying the system or system of systems to its full extent, which may lead to unintended harmful outcomes.” In these cases, DOD should not use that AI system because “it does not achieve mission objectives in an ethical or responsible manner.”[45]

The DIB also recommended a number of technical and organizational measures that would help lay the groundwork to ensure military artificial intelligence systems adhere to ethical standards, such as increasing investment in standards development, workforce programs and AI security applications, and formalizing channels for exploring the ethical implications of deploying AI technology across the department.

The report follows concerns that most AI-related innovation is being developed by commercial technology firms rather than its internal research or traditional industrial base, and that some firms are reluctant to take on defense contracts at least in part due to ethical conflicts.[46] The newly proposed ethics framework could help address private sector concerns about innovative technology being wrongly weaponized or misused by the military or being part of autonomous systems without sufficient human oversight. However, the report’s recommendations are not binding, and Pentagon leaders will need to decide whether to enact the board’s recommendations into concrete policy going forward.

III. Intellectual Property Law

A. USPTO REQUEST FOR COMMENT

Intellectual property issues related to AI have also been at the forefront of the new technology, as record numbers of U.S. patent applications involve a form of machine learning component. As we reported previously in our Artificial Intelligence and Autonomous Systems Legal Update (4Q18), in January 2019, the United States Patent and Trademark Office (“USPTO”) released revised guidance relating to subject matter eligibly for patents and on the application of 35 U.S.C. 112 on computer implemented inventions. On the heels of that guidance, on August 27, 2019, the USPTO published a request for public comment on several patent-related issues regarding AI inventions.[47] The request for comment posed twelve questions covering several topics from “patent examination policy to whether new forms of intellectual property protection are needed.” The questions included topics such whether patent laws, which contemplate only human inventors, should be amended to allow entities other than a human being to be considered an inventor.[48] The commenting period was extended until November 8, 2019, and many of the comments submitted argue that ownership of patent rights should remain reserved for only natural or juridical persons.[49]

On December 13, 2019, the World Intellectual Property Organization (“WIPO”) published a draft issue paper on IP policy and AI, and requested comments on several areas of IP, including patents and data, and, similarly to the USPTO before it, with regard to issues of inventorship and ownership.[50] The commenting period is set to end on February 14, 2020.

_______________

[1] Filter Bubble Transparency Act, S. 2763, 116th Cong. (2019). The bill’s sponsors are Senators Marsha Blackburn (R-Tenn.), John Thune (R-S.D.), Richard Blumenthal (D-Conn.), Jerry Moran (R-Kan.)—all members of the Senate Committee on Commerce, Science, and Transportation, which has jurisdiction over the internet and consumer protection—and Mark Warner (D-Va.).

[2] Blackburn Joins Thune on Bipartisan Bill to Increase Internet Platform Transparency & Provide Consumers with Greater Control Over Digital Content, Marsha Blackburn, U.S. Senator for Tennessee (Oct. 31, 2019), https://www.blackburn.senate.gov/blackburn-joins-thune-bipartisan-bill-increase-internet-platform-transparency-provide-consumers.

[3] Supra, n.2; see also Zoe Schiffer, ‘Filter Bubble’ author Eli Pariser on why we need publicly owned social networks, The Verge (Nov. 12, 2019), available at https://www.theverge.com/2019/11/5/20943634/senate-filter-bubble-transparency-act-algorithm-personalization-targeting-bill.

[4] Colleagues Introduce Bipartisan Bill to Increase Internet Platform Transparency and Provide Consumers With Greater Control Over Digital Content, John Thune U.S. Senator for South Dakota (Nov. 1, 2019), https://www.thune.senate.gov/public/index.cfm/press-releases?ID=E1595915-69A3-456B-8CBA-0237F28AB4A3.

[5] Filter Bubble Transparency Act, supra n.1, at 2(4)(A)–(B). The bill provides that it is also applicable to common carriers that are subject to the Communications Act of 1934 and to “organizations not organized to carry on business for their own profit or that of their members.” Id. at 4(B)(3).

[6] Id. at 2(B). The term “algorithmic ranking system” is broadly defined and encompasses any computational process — including “one derived from algorithmic decision-making, machine learning, statistical analysis, or other data processing or artificial intelligence techniques” — that is used to determine the order in which a set of information is provided to a user on a covered internet platform. Examples include “the ranking of search results, the provision of content recommendations, the display of social media posts, or any other method of automated content selection.”

[7] Filter Bubble Transparency Act, supra n.1, at 2(1).

[8] See id. at 2(5)(B).

[9] Id. at 5(A), (C).

[10] Id. at 5(A).

[11] Id. at 3(A)–(B) (emphasis added).

[12] Supra, n.2.

[13] Adi Robertson, The Senate’s secret algorithms bill doesn’t actually fight secret algorithms, The Verge (Nov. 5, 2019), available at https://www.theverge.com/2019/11/5/20943634/senate-filter-bubble-transparency-act-algorithm-personalization-targeting-bill.

[14] The bill also exempts platforms that are operated for the sole purpose of conducting research that is not made for direct or indirect profit. Id. at 2(4)(A)–(B). Moreover, the bill does not cover contractors and subcontractors that receive rights to access indexes of web pages on the internet for the purpose of operating an internet search engine (i.e., downstream providers) from the respective upstream providers if “the search engine is operated by a downstream provider with fewer than 1,000 employees” and “the search engine uses an index of web pages on the internet to which such provider received access under a search syndication contract.” Id. at 3(B)(2).

[15] National Security Commission on Artificial Intelligence, Interim Report (Nov. 2019), available at https://www.epic.org/foia/epic-v-ai-commission/AI-Commission-Interim-Report-Nov-2019.pdf

[16] Id., at 22.

[17] Id., at 25.

[18] Id., at 31.

[19] Id., at 36.

[20] Id., at 18.

[21] Id., at 41. Note that the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) announced on October 7, 2019 that it will be imposing new export controls on the export of U.S.-origin software specially designed to automate the analysis of geospatial imagery. A license from BIS will be required to export the covered software to all countries, except Canada, or to transfer the software to foreign nationals. The only exception to this license requirement is for software transferred by or to a department or agency of the U.S. Government.

[22] Id., at 44.

[23] Id.

[24] U.S. Department of Commerce, Press Release, U.S. Department of Commerce Adds 28 Chinese Organizations to its Entity List (Oct. 7, 2019), available at https://www.commerce.gov/news/press-releases/2019/10/us-department-commerce-adds-28-chinese-organizations-its-entity-list.

[25] Anna Swanson and Paul Mozur, U.S. Blacklists 28 Chinese Entities Over Abuses in Xinjiang, N.Y. Times (Oct. 7, 2019), available at https://www.nytimes.com/2019/10/07/us/politics/us-to-blacklist-28-chinese-entities-over-abuses-in-xinjiang.html.

[26] A.B. 730 2019–2020 Reg. Sess. (Cal. 2019)

[27] A.B. 602 2019-2020 Reg. Sess. (Cal. 2019)

[28] A.B. 1215 2019-2020 Reg. Sess. (Cal. 2019)

[29] Id., at 1(c).

[30] Ursula von der Leyen, A Union that strives for more: My agenda for Europe, available at https://www.europarl.europa.eu/resources/library/media/20190716RES57231/20190716RES57231.pdf/.

[31] Oscar Williams, New European Commission president pledges GDPR-style AI legislation, New Statesman (Nov. 28, 2019), available at https://tech.newstatesman.com/policy/ursula-von-der-leyen-ai-legislation.

[32] For more information, please see our Artificial Intelligence and Autonomous Systems Legal Update (1Q19).

[33] H. Mark Lyon, Gearing Up For The EU’s Next Regulatory Push: AI, LA & SF Daily Journal (Oct. 11, 2019), available at https://www.gibsondunn.com/wp-content/uploads/2019/10/Lyon-Gearing-up-for-the-EUs-next-regulatory-push-AI-Daily-Journal-10-11-2019.pdf.

[34] German Federal Ministry for Justice and Consumer Protection, Opinion of the Data Ethics Commission, October 2019, available at http://bit.ly/373RGqI.

[35] Jeremy Feigelson, Jim Pastore, Anna Gressel and Friedrich Popp, German Report May Be Road Map For Future AI Regulation, Law360 (Nov. 12, 2019), available at https://www.law360.com/articles/1218560/german-report-may-be-road-map-for-future-ai-regulation.

[36] German Federal Ministry for Justice and Consumer Protection, Opinion of the Data Ethics Commission, supra, n.33 at 7.

[37] Id., at 19-20.

[38] Id., at 10.

[39] Id., at 26.

[40] David Meyer, A.I. Regulation Is Coming Soon. Here’s What the Future May Hold, Fortune (Oct. 24, 2019), available at https://fortune.com/2019/10/24/german-eu-data-ethics-ai-regulation/.

[41] German Federal Ministry for Justice and Consumer Protection, Opinion of the Data Ethics Commission, supra, n.33 at 5.

[42] Such as the U.S. Constitution, international treaties and the Pentagon’s Law of War.

[43] Defense Innovation Board, AI Principles: Recommendations on the Ethical Use of Artificial Intelligence by the Department of Defense (Oct. 31, 2019), available at https://media.defense.gov/2019/Oct/31/2002204458/-1/-1/0/DIB_AI_PRINCIPLES_PRIMARY_DOCUMENT.PDF.

[44] Jack Corrigan, Defense Innovation Board Lays Out 5 Key Principles for Ethical AI, Nextgov (Oct. 31, 2019), available at https://www.nextgov.com/emerging-tech/2019/10/defense-innovation-board-lays-out-5-key-principles-ethical-ai/161008/.

[45] Daniel Wilson, New Ethics Framework May Draw AI Firms To DOD, Law360 (Nov. 8, 2019), available at https://www.law360.com/articles/1217965/new-ethics-framework-may-draw-ai-firms-to-dod.

[46] Id.

[47] Request for Comments on Patenting Artificial Intelligence Inventions, 84 Fed. Reg. 44889, 44889 (Aug. 27, 2019); see also our client alert USPTO Requests Public Comments on Patenting Artificial Intelligence Inventions.

[48] See further Mark Lyon, Alison Watkins and Ryan Iwahashi, When AI Creates IP: Inventorship Issues To Consider, Law360 (Aug. 10, 2017), available at https://www.law360.com/articles/950313?scroll=1&related=1.

[49] Ryan Davis, Law Shouldn’t Let AI Be An Inventor On Patents, USPTO Told, Law360 (Nov. 13, 2019), available at https://www.law360.com/articles/1218939/law-shouldn-t-let-ai-be-an-inventor-on-patents-uspto-told.

[50] WIPO Begins Public Consultation Process on Artificial Intelligence and Intellectual Property Policy, Press Release (Dec. 13, 2019), available at https://www.wipo.int/pressroom/en/articles/2019/article_0017.html.

The following Gibson Dunn lawyers prepared this client update: H. Mark Lyon, Frances Waldmann and Claudia Barrett.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Artificial Intelligence and Automated Systems Group, or the following authors:

H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Frances A. Waldmann – Los Angeles (+1 213-229-7914,[email protected])

Please also feel free to contact any of the following practice group members:

Artificial Intelligence and Automated Systems Group:
H. Mark Lyon – Chair, Palo Alto (+1 650-849-5307, [email protected])
J. Alan Bannister – New York (+1 212-351-2310, [email protected])
Lisa A. Fontenot – Palo Alto (+1 650-849-5327, [email protected])
David H. Kennedy – Palo Alto (+1 650-849-5304, [email protected])
Ari Lanin – Los Angeles (+1 310-552-8581, [email protected])
Robson Lee – Singapore (+65 6507 3684, [email protected])
Carrie M. LeRoy – Palo Alto (+1 650-849-5337, [email protected])
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Michael Walther – Munich (+49 89 189 33 180, [email protected])

I. FCA ENFORCEMENT ACTIVITY

A. Total Recovery Amounts: 2019 Recoveries Exceed $3 Billion

B. Qui Tam Activity

C. Industry Breakdown

II. NOTEWORTHY DOJ ENFORCEMENT ACTIVITY DURING THE SECOND HALF OF 2019

A. Health Care and Life Science Industries

B. Government Contracting

III. LEGISLATIVE AND POLICY DEVELOPMENTS

A. Federal Developments

1. Attention on Application of the Granston Memo

2. Action on Opioids

3. Additional Developments

B. State Developments

IV. NOTABLE CASE LAW DEVELOPMENTS

A. Second Circuit Holds that the FCA Applies to Federal Reserve Banks

B. Eleventh Circuit Rejects FCA Liability Based on Reasonable Differences in Opinion

C. Courts Continue to Interpret the FCA’s Materiality Requirement Post-Escobar

D. Courts Continue to Analyze Rule 9(b)’s Particularity Requirement in FCA Claims

E. Fifth Circuit Clarifies Causation Standard for Mortgage Fraud Claims Under the FCA

F. Several Circuits Address Causation and Other Issues in FCA Retaliation Claims

V. CONCLUSION

Part I: The Second Circuit Rejects Challenge to Class Arbitration, and Holds That an Arbitrator Has the Power to Bind Absent Class Members

Part II: Appellate Courts Issue Several Important Decisions Rejecting Class Certification

Part III: Appellate Courts Issue a Range of Rulings Dealing with Non-Traditional “Injuries”

Table of Contents

I. European Union

A. EU GDPR: Implementation Application and Enforcement

1. National Data Protection Initiatives Implementing and Applying the GDPR

2. GDPR Cases, Investigations and Enforcement

3. CJEU Case Law

a) Territorial Scope of the “Right To Be Forgotten” under the GDPR

b) Cookie Consent under the ePrivacy Directive

c) Obligations of Website Providers and Social Network Services Offering Social Plug-ins

d) Validity of Data Transfer Mechanisms: Standard Contract Clauses and the EU-U.S. Privacy Shield

4. Guidance Adopted by the EDPB

5. International Transfers: Adequacy Declarations and Challenges

B. EU Cybersecurity Directive (“NIS Directive”)

C. Reform of the ePrivacy Directive – the Draft EU ePrivacy Regulation Bill

II. Developments in Other European Jurisdictions: Switzerland, Turkey and Russia

A. Russia

B. Switzerland

C. Turkey

III. Developments in Asia-Pacific and Africa

A. China

B. Singapore

C. India

D. Other Developments in Africa & Asia

IV. Developments in Latin America and in the Caribbean Area

A. Brazil

B. Other Developments in the Caribbean Area

Table of Contents

The United States (DOJ and FTC)

By the Numbers: HSR Filings Increase with M&A Activity as DOJ Second Request Investigations Fall

Congress Weighs in on Merger Enforcement

Tech Acquisitions under the Microscope

Is the FTC Adopting a New Approach to Pharma and Medical Device M&A?

Vertical Mergers: New Draft Guidelines Are Published Following Controversial Cases

The DOJ Turns to Arbitration to Resolve Merger Challenge

The DOJ Updates Model Timing Agreement

China

Legislative Developments

Noteworthy Transactions

Failure to File

The European Union

The 2019 Prohibition Decisions

Siemens/Alstom – February 2019[64]

Wieland/Aurubis – February 2019[65]

Tata Steel/ThyssenKrupp – June 2019[66]

The Ensuing Political Debate

Other Trends

Continued Focus on Procedural Infringements

The Commission’s Fine to Canon for Gun-Jumping[77]

Increased Relevance of Internal Documents during Merger Review

1. Political Developments in the UK and the Impact of Brexit (click on link)

2. Whistleblowing (click on link)

3. Patent for Employee Invention (click on link)

4. Updated Guidance for Holiday Entitlement for Part-Year Workers (click on link)

5. Forthcoming Changes (click on link)

APPENDIX

1. Current Political Environment and Impact of Brexit