On September 5, 2024, Institutional Shareholder Services (ISS) released its 2024 Proxy Season Review: United States – Executive Compensation. The below chart summarizes our observations of the 2024 data and key takeaways as we look to the 2025 proxy season. While these trends are positive for issuers overall, they underscore that issuers, their boards, compensation committees, and management should continue to take an active role in compensation programs, disclosure, and shareholder engagement practices.
Observations | Key Takeaways |
Increased shareholder support for say-on-pay and equity plan proposals. Median say-on-pay support levels rebounded after steadily declining since 2017, though median say-on-pay support did not quite reach 95% (hovering at 94.9%, well below the highs of 2015-2017). Instances of low (less than 70%) say-on-pay support and failed say-on-pay votes each also decreased to 5.1% and 1%, respectively in 2024. Likewise, after declining in 2022 and 2023, equity plan support improved in 2024 and equity plan failure rates normalized at just under 1% (down from 1.6% in 2023). |
ISS notes that this is the lowest proxy season say-on-pay failure rate ever observed. We attribute this positive trend to continued transparency in compensation program disclosures and increased attention on shareholder engagement efforts. Issuers should continue to address in their disclosures (1) how their compensation practices affect shareholder dilution and reflect and respond to broader market conditions, including inflationary pressures and economic volatility, and (2) how these factors impact their approach to designing and administering their compensation programs. |
Continued positive correlation between pay-for-performance quantitative screen and ISS say-on-pay vote recommendation. Unsurprisingly, higher quantitative screen concern levels correlated to a higher likelihood of an “against” recommendation, with over half of issuers flagged with a “high” concern level receiving “against” recommendations. |
Interestingly, the 3% of issuers with a “low” concern level that received “against” recommendations generally were cited for problematic contractual provisions, non-CEO executive pay, insufficient board responsiveness, or severance payouts. |
Rising CEO pay. After dipping slightly in 2023, median CEO pay in the S&P 500 reached its highest level since say-on-pay votes began over a decade ago – $15.6 million. The Russell 3000 (excluding the S&P 500) median CEO pay also trended up slightly to $5.3 million, but was still below the high-water mark set in 2021. |
ISS notes that the record low say-on-pay failure rates combined with the record high S&P CEO median pay level suggest that investors are considering factors beyond pay magnitude in their voting decisions. Consistent with ISS’s proxy voting guidelines, many large investors’ say-on-pay votes can be swayed by problematic pay practices (such as one-time awards or application of discretion in pay decisions) without clear disclosure of a compelling rationale. |
Compensation plan design continues to favor formulaic and performance-based compensation. Annual and long-term incentive awards trended towards non-discretionary and performance-based design, respectively. |
ISS’s focus on formulaic performance-based compensation, including the impact of ISS’s pay-for-performance quantitative screen noted above, continues to correlate with the say-on-pay vote recommendation. |
Specific sectors and the Russell 3000 continue to use discretionary compensation. While discretionary compensation across all sectors and indices has generally declined or remained steady year-over-year, financial sector CEOs and a higher percentage of Russell 3000 (excluding S&P 500) CEOs continued to receive discretionary bonuses. |
Discretionary compensation may still have specific appropriate use cases, though issuers should consider clearly disclosing the business or sector-specific rationale when deploying discretionary compensation. Based on these trends, benchmarking against sector-specific peers may also be helpful. |
Higher perquisite numbers driven by aircraft perks and security costs. Median values of CEO “all other compensation” reported in 2024 climbed markedly in the S&P 500, particularly in the upper percentiles of perquisite values. |
The ISS report noted that increases in CEO “all other compensation” levels appeared to be primarily driven by larger corporate aircraft perks and security costs. And at the same time, issuers have seen an enhanced focus by the SEC and IRS on reporting and disclosure of these benefits. |
Equity plan design trends include continuing rise of evergreen provisions, use of discretion to accelerate vesting, and no minimum vesting requirement. While “problematic” provisions like repricings or cash buyouts of equity awards without shareholder approval, and liberal change in control vesting provisions continued to decline overall, evergreen provisions in equity plans continued a steady rise and were observed in over 15% of 2024 plans up for approval. Issuers seeking plan approval in 2024 continued to eschew limitations on flexibility to accelerate vesting and set vesting schedules. |
The prevalence of evergreen provisions is likely attributable in part to the repeal of Section 162(m) of the Internal Revenue Code in 2017 and an increase in SPAC/de-SPAC transactions since 2021. Favoring the ability to set and adjust vesting schedules is unsurprising as issuers balance the need for flexibility in equity plan administration. |
No surprises in pay-versus-performance disclosure. Consistent with 2023, most industries used earnings as their most important performance metric, while technology, media and telecom looked to revenue. Compensation actually paid (CAP) trended upwards in most industries. |
The overall increase in CAP is not surprising given its correlation to increases in stock prices and the year-over-year performance of the relevant industries from fiscal year 2022 to fiscal year 2023. |
Modest increases in CEO pay ratio. Median CEO pay ratio in the S&P 500 saw a small increase year-over-year while the other indices (S&P 400, S&P 600, and remaining Russell 3000) remained steady. |
Consistent with the trends in CEO pay levels, the median CEO pay-to-median employee ratios in the S&P 500, S&P 400, S&P 600 and remaining Russell 3000 were 189, 111, 73, and 45, respectively. |
Say-on-golden parachute failure rate increased. In 2024, proposals seeking advisory approval of compensation payable in connection with a change of control dipped below 80% average support for the first time since 2017, and the failure rate for these proposals hit an all-time-high of 17%. |
Say-on-golden parachute support/failure rates have generally correlated to changes in median golden parachute value, which increased 35% year-over-year from 2023 to 2024. |
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. To learn more about these developments, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Executive Compensation and Employee Benefits or Securities Regulation and Corporate Governance practice groups:
Executive Compensation and Employee Benefits:
Sean C. Feller – Los Angeles (+1 310.551.8746, sfeller@gibsondunn.com)
Krista Hanvey – Dallas (+1 214.698.3425, khanvey@gibsondunn.com)
Kate Napalkova – New York (+1 212.351.4048, enapalkova@gibsondunn.com)
Securities Regulation and Corporate Governance:
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, eising@gibsondunn.com)
James J. Moloney – Orange County (+1 949.451.4343, jmoloney@gibsondunn.com)
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, rmueller@gibsondunn.com)
Lori Zyskowski – New York (+1 212.351.2309, lzyskowski@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
I. Introduction
For fiscal years beginning on or after April 1, 2023, domestic public companies are required to disclose whether they have adopted insider trading policies and procedures governing the purchase, sale, and/or other dispositions of their securities by their directors, officers and employees, or the companies themselves, and if so to file those policies and procedures as an exhibit to their annual reports on Form 10-K.[1] While calendar year companies must comply with these requirements in their Form 10-K for, or proxy statement following, the fiscal year ending December 31, 2024, 49 S&P 500 companies had addressed these requirements in filings as of June 30, 2024.[2]
As discussed in the summary of our preliminary observations below, while specific provisions vary from company to company, certain common approaches are emerging with respect to key policy terms. That said, company policies and procedures can vary based on a company’s particular circumstances, some companies may have interpretive materials that were not filed but elaborate on the operation of their policies and procedures, and some companies are updating their policies and procedures in light of the new filing requirements. As a result, we caution companies against treating these early observations as “best practices.” Your Gibson Dunn contacts are available to discuss the specifics of your policy and answer any questions you may have.
II. Persons Subject to the Insider Trading Policies
Nearly all policies we reviewed (96%) cover all company personnel (i.e., directors, officers and all employees of companies and their subsidiaries and, in some cases, certain affiliates) and their family members. Additionally, a significant majority of the policies (82%) expressly state that they apply to legal entities such as trusts whose securities transactions are controlled or influenced by company personnel and, in some cases, their family members. A majority of the policies (63%) also apply insider trading restrictions to contractors and/or consultants.[3]
III. Transactions in Company Securities Subject to the Insider Trading Policies
All of the policies specify types of transactions that are subject to, or are exempt from, the policy terms. Aside from open market sales or purchases, which are addressed in all of the policies, the most commonly addressed transactions include the following:
- Gifts. A significant majority of the policies (86%) provide some level of restriction on gifts, addressing to one degree or another the SEC’s position that gifts can constitute a form of insider trading.[4] A majority (61%) specifically address gifts as being subject to the policy for all covered persons (i.e., prohibiting gifts when an individual subject to the policy is in possession of material nonpublic information (“MNPI”) and/or applying window periods and/or pre-clearance restrictions to gifts),[5] although a handful of companies (8%) restrict gifts only if the donor has reason to believe the donee will sell while the donor has MNPI. Of the policies that do not apply gift restrictions to all employees, a majority restrict gifts only for certain covered persons that are subject to additional restrictions, such as blackout periods and/or pre-clearance procedures.
- Option Exercises. A majority of the policies (69%) exempt exercises of options when there is no associated sale on the market; however, exercises of options where there is a sale of some or a portion of shares delivered upon exercise (e.g., cashless broker exercise) are typically treated like any other sale. Of this group, approximately a quarter of the policies specifically provide that withholding of shares for tax withholding purposes is exempt, and a smaller minority of policies provide that withholding of shares for tax withholding purposes and/or the payment of exercise price is exempt.
- Vesting and Settlement of Other Equity Awards. A majority of the policies (59%) exempt vesting and settlement of equity awards, such as RSUs and restricted stock, and 51% of the policies specifically provide that withholding of shares for tax purposes (i.e., net share settlement) is exempt.
IV. Transactions in Other Company Securities
Nearly all policies (96%) specifically include some form of restriction on trading in the securities of another company when the person is aware of MNPI about that company or its securities. A significant majority of the policies (82%) prohibit trading in the securities of another company when the person is aware of MNPI about such company that was learned in the course of or as a result of the covered person’s employment or relationship with the company. The rest apply the prohibition more broadly to trading in the securities of another company while aware of MNPI about that company, without specifically addressing how the information was learned. Of the 82%, a minority tailor the prohibition to apply only to trading in the securities of another company that has some sort of a business relationship with the company (e.g., customers, vendors, or suppliers) or that is engaged in a potential business transaction with the company, and a smaller subset of these policies also include a specific reference to “competitors” in this prohibition.
V. Blackout Periods and Preclearance Procedures
- Persons subject to quarterly blackout periods. A significant majority of the policies (88%) subject directors, executive officers and a designated subset of employees to regular quarterly blackout periods, with a few policies applying two different blackout periods to different groups of employees. Although the groups of persons (other than directors and executive officers) who are subject to quarterly blackout periods tend to be company-specific, most of the policies identify the “restricted persons” to include employees by title (e.g., all Vice Presidents or higher) and/or by department or role (e.g., all officers in accounting, financial planning and analysis, investor relations, legal and finance departments, etc.) as well as other employees who have been identified as having access to systems that have MNPI. Some policies take a less specific approach and identify restricted persons as those who are designated as such by the officer administering the insider trading policy. A minority of the policies (6%) subject all covered persons under the policy to quarterly blackout periods.
- Start and end of quarterly blackout periods. The start date of the quarterly blackout periods ranges from quarter end to four weeks or more prior to quarter end. Under almost half of the policies (45%), the quarterly blackout periods start approximately two weeks prior to quarter end, 14% start the blackout periods three to four weeks prior to quarter end, and 18% start four weeks or more prior to quarter end. A significant majority of the policies (76%) end the quarterly blackout periods one to two full trading days after the release of earnings, with more policies ending after one trading day (51%) than two trading days (24%).[6] Additionally, nearly all policies specifically state that from time to time the company may implement additional special blackout periods.
- Preclearance procedures. Nearly all policies require that certain covered persons must preclear their transactions with the appropriate officer administering the insider trading policy prior to execution. There is, however, variation in the persons subject to preclearance procedures—for 65% of the policies, the preclearance persons are a subset of the persons subject to blackout periods, while for a minority of the policies (29%), they are the same as the persons subject to the blackout periods. Of the 65% of the policies, a minority (38%) require preclearance only from the company’s directors and executive officers.[7] Regardless of scope, nearly all of the policies provide that directors and executive officers are subject to preclearance procedures.
VI. Special Prohibitions Under the Insider Trading Policies
All of the policies prohibit or otherwise restrict certain types of transactions regardless of whether they involve actual insider trading, in some cases stating that such transactions present a heightened risk of securities law violations or the potential appearance of improper or inappropriate conduct. The most common prohibitions addressed: hedging transactions (96%);[8] speculative transactions (96%); pledging securities as collateral for a loan (90%); and trading on margin or holding securities in margin accounts (82%). Although a significant majority of the policies apply the prohibition on hedging and speculative transactions to all persons subject to the policy, prohibitions on pledging and/or margin trading/accounts are sometimes limited to sub-categories of persons subject to the insider trading policies (39% and 27%, respectively): for instance, some policies apply the prohibition only to directors and executive officers or persons subject to quarterly blackout periods and/or preclearance procedures.[9]
A significant majority of the policies do not specifically address standing or limit orders or short-term trading, but of the ones that do, a significant majority take the approach of discouraging such transactions rather than strictly prohibiting them. Even where standing or limit orders are not strictly prohibited, some policies require that such orders be cancelled if the person becomes aware of MNPI (or prior to the start of a blackout period, if applicable). A few policies prohibit standing or limit orders if they go beyond a specified duration.
VII. Rule 10b5-1 Plans
All of the policies address the availability of Rule 10b5-1 plans. A significant majority of the policies (86%) do not set forth restrictions on who can enter into a Rule 10b5-1 plan so long as approval and other requirements are met, but a minority of the policies (12%) limit the use of 10b5-1 plans to directors and designated officers. A small minority of the policies (6%) require directors and designated officers to trade only pursuant to Rule 10b5-1 plans.
All of the policies require that Rule 10b5-1 plans be approved prior to adoption, but the policies tend to vary in approach when describing the guidelines for entering into Rule 10b5-1 plans (or modifying or terminating them). A significant majority (71%) of the policies describe the specified conditions under the SEC rules for a plan to qualify as a Rule 10b5-1 plan, although some do so in a more streamlined manner than others. Of these policies, a majority include Rule 10b5-1 plan requirements within the body of the policy, although a minority do so in an appendix and one company filed the plan guidelines as a separate exhibit. A minority of the policies (29%) do not describe the specified conditions under Rule 10b5-1, but provide a general statement regarding the affirmative defense from insider trading liability under the securities laws for transactions under a compliant Rule 10b5-1 plan and refer covered persons to the officer administering the policy for more information and guidelines on how to establish such a plan.
VIII. Policies Addressing Company Transactions
As noted above, Item 408(b) of Regulation S-K requires a public company to disclose whether it has adopted insider trading policies and procedures governing transactions in company securities by the company itself, and, if so, to file the policies and procedures, or if not, to explain why. Of the 23 S&P 500 companies subject to Item 408(b) that filed a Form 10-K and proxy statement prior to June 30, 2024, a significant majority (78%) did not address insider trading policies or procedures governing companies’ transactions in their own securities.[10] Of the ones that did, most included a brief sentence or two about the company’s policy of complying with applicable laws in trading in its own securities. Only one company in our surveyed group filed a company repurchase policy as a separate exhibit.
IX. Filing Practices Regarding Related Policies or Documents
A significant majority (88%) of the companies filed only a single insider trading policy and no other related policies or documents (even where they referenced other related policies in their insider trading policy).[11] In the few cases where multiple policies were filed, they appear to be supplemental guidelines/policies covering topics not generally applicable to all employees (e.g., trading windows, preclearance, 10b5-1 plans).
* * * *
We will continue to monitor public company filings of insider trading policies and procedures and expect to update our survey in early 2025 once calendar year-end companies’ Forms 10-K are on file, as we expect disclosure and filing practices to evolve as companies go through the first full year of complying with the new Item 408(b) disclosure and filing requirements.
[1] See Items 408(b) and 601(b)(19) of Regulation S-K, adopted by the SEC in connection with the Rule 10b5-1 amendments in December 2022. If a company has not adopted such policies and procedures, it is required to explain why it has not done so. Disclosure about the adoption (or not) of policies or procedures must appear in a company’s proxy statement (and must also be included in, or incorporated by reference to, Part III of a company’s Form 10-K), whereas the policies and procedures are to be filed as exhibits to the company’s Form 10-K.
[2] This group of 49 S&P 500 companies includes 23 companies that made Item 408(b) disclosures and 26 companies that were not subject to the disclosure requirements but voluntarily filed their insider trading policies and procedures with a Form 10-K filed prior to June 30, 2024.
[3] A minority of policies also include other service providers specific to their businesses.
[4] See Final Rule: Insider Trading Arrangements and Related Disclosures, Release No. 33-11138 (Dec. 14, 2022). In its adopting release, the SEC stated its view that the terms “trade” and “sale” in Rule 10b5-1 include bona fide gifts of securities and that gifts can be subject to Section 10(b) liability, since the Securities Exchange Act of 1934 does not require that a “sale” be for value and instead provides that the terms “sale” or “sell” each include “any contract to sell or otherwise dispose of.”
[5] A small minority of these policies also provide certain exceptions for gifts, including gifts to family members and/or controlled entities that are already subject to the policy, or exceptions on a case by case basis.
[6] Some policies use business days instead of trading days, but many policies do not define either term. We treated them as the same for purposes of our data analysis.
[7] The remaining 6% includes two policies that do not address preclearance procedures and one policy which is unclear.
[8] Item 407(i) of Regulation S-K requires companies to disclose practices or policies they have adopted regarding the ability of employees (including officers) or directors to engage in certain hedging transactions.
[9] A few policies allow for exceptions, subject to preclearance.
[10] For the purposes of this survey, we limited our review to Exhibit 19 filings and did not review the companies’ disclosures in the body of the proxy statement or Form 10-K addressing Item 408(b)(1) of Regulation S-K.
[11] Under Regulation S-K Item 408(b)(2), if all of a company’s insider trading policies and procedures are included in its code of ethics that is filed as an exhibit to the company’s Form 10-K, that satisfies the exhibit requirement. However, many companies do not file their code of ethics and instead rely on one of the alternative means of making the code available allowed under S-K Item 406(c)(2) and (3).
The following Gibson Dunn lawyers assisted in preparing this update: Aaron K. Briggs, Thomas Kim, Brian Lane, Julia Lapitskaya, James Moloney, Ronald Mueller, Michael Titera, Lori Zyskowski, and Stella Kwak.
In recent weeks, the Hong Kong Monetary Authority (“HKMA”) has been active in releasing guidance to authorized institutions (“AIs”) regarding their use of artificial intelligence both in customer-facing applications and in relation to the detection of money laundering and terrorist financing (“ML/TF”). This guidance reflects the increasing willingness of Hong Kong financial regulators to regulate the use of artificial intelligence. We consider that this is reflective of the significant interest of financial institutions in Hong Kong in exploring the use of generative artificial intelligence (“GenAI”) in particular, with 39% of AIs surveyed by the HKMA earlier this year reporting that they either have already adopted GenAI in the provision of general banking products and services as well as daily operations, or that they plan to do so. Given this, we expect other Hong Kong regulators to issue guidance in this space in the coming months.
This client briefing covers:
- The guiding principles issued by the HKMA on August 19, 2024 on the use of GenAI in customer-facing applications (“GenAI Guidelines”).[1] The GenAI Guidelines build on a previous HKMA circular “Consumer Protection in respect of Use of Big Data Analytics and Artificial Intelligence by Authorized Institutions” dated November 5, 2019 (“2019 BDAI Guiding Principles”) and provide specific guidelines to AIs on the use of GenAI;[2] and
- The circular issued by the HKMA on September 9, 2024 requiring AIs with significant operations in Hong Kong to (a) undertake a study to consider the feasibility of using artificial intelligence in tackling ML/TF, and to (b) submit the feasibility study and an implementation plan to the HKMA by the end of March 2025 (“ML/TF Circular”).[3]
I. Background to GenAI Regulation by the HKMA
GenAI is a form of big data analytics and artificial intelligence (“BDAI”) that enables generation of new content such as text, image, audio, video, code or other media, based on vast amounts of data. GenAI’s ability to generate new and original content sets it apart from other forms of traditional artificial intelligence, which is focused on analyzing information and automating processes. While its content-generating ability gives GenAI tremendous potential to streamline business processes and improve efficiency, this ability also creates risks such as hallucination risk (i.e. where a GenAI model generates incorrect or misleading results due to insufficient training data, incorrect assumptions or biases made by the model).
This content-generating ability, combined with the growing interest in GenAI adoption within the banking sector, has prompted the HKMA to issue the GenAI Guidelines. According to a recent survey on the use of BDAI (including GenAI) by AIs conducted by the HKMA, 39% of surveyed AIs reported adopting or planning to adopt GenAI in the provision of general banking products and services, as well as daily operations. While the majority of the current reported use cases in GenAI are in relation to internal business functions, such as summarisation and translation, coding and internal chatbots, the HKMA has stated that it considers that:
- the content-generating capability of GenAI lends itself to increased uptake and deployment in relation to customer-facing activities; and
- the prospective increase in the use of GenAI in customer-facing activities raises consumer protection concerns due to risks such as lack of explainability and hallucination risks, which in the HKMA’s words ‘could cause even more significant impact on customers’ than the use of less complex BDAI.
Given this, while the HKMA expects all AIs to continue to apply the 2019 BDAI Guiding Principles, the HKMA also expects all AIs to adhere to the additional principles in the GenAI Guidelines in order to ensure appropriate safeguards are in place when GenAI is adopted for customer-facing applications.
II. Summary of the HKMA’s GenAI Guidelines
Using the 2019 BDAI Guiding Principles as a foundation, the GenAI Guidelines adopt the same core principles of governance and accountability, fairness, transparency and disclosure, and data privacy and protection, but introduce additional requirements to address the specific challenges presented by GenAI.
Core Principles | Requirements under GenAI Guidelines |
Governance and Accountability | The board and senior management of AIs should remain accountable for all GenAI-driven decisions and processes, and should thoroughly consider the potential impact of GenAI applications on customers through an appropriate committee which sits within the AI’s governance framework. The board and senior management should ensure the following:
|
Fairness | AIs are responsible for ensuring that GenAI models produce objective, consistent, ethical, and fair outcomes for customers. This includes:
|
Transparency and Disclosure | AIs should:
|
Data Privacy and Protection | AIs should:
|
Notably, the HKMA has also expressed support for proactive use of BDAI and GenAI in enhancing consumer protection in the banking sector. Examples of suggested use cases include identification of customers who are vulnerable and require more protection and education; identification of customers who may need more information or clarifications to better understand product features, risks, and terms and conditions in the disclosure; or issuance of fraud alerts to customers engaging in transactions with potentially higher risks.
III. Summary of the HKMA Circular
Consistent with the HKMA’s recognition of the potential use of GenAI in consumer protection in the GenAI Guidelines, the HKMA Circular also indicates that the HKMA recognizes the considerable benefits that may come from the deployment of artificial intelligence in monitoring ML/TF. In particular, the HKMA Circular notes that the use of artificial intelligence powered systems ‘take into account a broad range of contextual information focusing not only on individual transactions, but also the active risk profile and past transaction patterns of customers…These systems have proved to be more effective and efficient than conventional rules-based transaction monitoring systems commonly used by AIs.’[6]
Given this, the HKMA has indicated that AIs with significant operations in Hong Kong should:
- give due consideration to adopting artificial intelligence in their ML/TF monitoring systems to enable them to stay effective and efficient;
- undertake a feasibility study in relation to the adoption of artificial intelligence in their ML/TF monitoring systems and, based on the outcome of that review, formulate an implementation plan.
The feasibility study and implementation plan should be signed off at the board level and submitted to the HKMA by the end of March 2025.[7]
The HKMA has also indicated that it intends to support the use of artificial intelligence by AIs in this space through the establishment of a dedicated team to provide feedback and guidance to assist AIs, as well as through the organisation of an experience sharing forum in November 2024 to allow firms to share their experience of using artificial intelligence in relation to ML/TF monitoring.
IV. Conclusion
The issue of the GenAI Guidelines and HKMA Circular by the HKMA reflects the HKMA’s awareness of both the considerable potential of GenAI and the prospective risks associated with its deployment. Given the HKMA’s interest in this space, we recommend that AIs review and update their policies and procedures in relation to the use of GenAI to ensure compliance with the GenAI Guidelines. As part of this, AIs should ensure that the use of GenAI in customer-facing activities is thoroughly considered at a board and senior management and governance committee level.
Further, it is important more generally that AIs develop the necessary expertise in understanding the artificial intelligence model that is being adopted. This will not only assist senior management in its decision making process with respect to their deployment of artificial intelligence, but will also aid in the development of appropriate internal systems and controls with respect to the use of artificial intelligence. For instance, AIs can consider implementing staff training on the features and risks of artificial intelligence, to ensure that issues caused by artificial intelligence models are adequately escalated and addressed.
[1] “Consumer Protection in respect of Use of Generative Artificial Intelligence”, published by the HKMA on August 19, 2024, available at: https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2024/20240819e1.pdf
[2] “Consumer Protection in respect of Use of Big Data Analytics and Artificial Intelligence by Authorized Institutions”, published by the HKMA on November 5, 2019, available at: https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2019/20191105e1.pdf
[3] “Use of Artificial Intelligence for Monitoring of Suspicious Activities”, published by the HKMA on September 9, 2024, available at https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2024/20240909e1.pdf
[4] “Guidance on the Ethical Development and Use of Artificial Intelligence”, published by the Office of the Privacy Commissioner for Personal Data on August 18, 2021, available at: https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_ethical_e.pdf
[5] “Artificial Intelligence: Model Personal Data Protection Framework”, published by the Office of the Privacy Commissioner for Personal Data on June 11, 2024, available at https://www.pcpd.org.hk/english/resources_centre/publications/files/ai_protection_framework.pdf
[6] “Use of Artificial Intelligence for Monitoring of Suspicious Activities”, published by the Hong Kong Monetary Authority on September 9, 2024, available at https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2024/20240909e1.pdf
[7] Ibid. The HKMA will communicate with AIs on an individual basis regarding the exact timing for the feasibility study and implementation plan and the format in which they should be provided, and will consider further engagement and follow up in due course. Reference should also be made to:
(a) “Report on AML/CFT Regtech: Case Studies and Insights Volume 1” published on 21 January 2021, available at https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2021/20210121e1a1.pdf;
(b) “Report on AML/CFT Regtech: Case Studies and Insights Volume 2” published on 25 September 2023, available at https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/aml-cft/AMLCFT_Regtech-Case_Studies_and_Insights_Volume_2.pdf ; and
(c) “Thematic Review of Transaction Monitoring Systems and Use of Artificial Intelligence” published on 17 April 2024, which sets out insights for design, implementation and optimisation of transaction monitoring systems, available at https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2024/20240417e1a1.pdf.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Financial Regulatory team, including the following members in Hong Kong:
William R. Hallatt (+852 2214 3836, whallatt@gibsondunn.com)
Emily Rumble (+852 2214 3839, erumble@gibsondunn.com)
Arnold Pun (+852 2214 3838, apun@gibsondunn.com)
Becky Chung (+852 2214 3837, bchung@gibsondunn.com)
Jane Lu (+852 2214 3735, jlu@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Michael Holecek, DJ Manthripragada, and Madeleine McKenna discuss the latest developments in arbitration agreements and mass arbitration. They discuss recent trends in mass arbitration filings and defenses, recent mass arbitration court cases, changes in arbitration provider rules and fee schedules, and approaches to drafting mass arbitration provisions.
PANELISTS:
Michael Holecek is a litigation partner in the Los Angeles office of Gibson, Dunn & Crutcher, where his practice focuses on complex commercial litigation, class actions, and labor and employment law—both in the trial court and on appeal. Michael has first-chair trial experience and has successfully tried to verdict both jury and bench trials, he has served as lead arbitration counsel, and he has presented oral argument in numerous appeals. Michael represents clients in worker classification disputes – including independent contractor misclassification litigation, misclassification lawsuits involving the FLSA and state law, lawsuits under California’s Private Attorneys General Act (“PAGA”), class action employment lawsuits, and lawsuits against staffing agencies and gig economy platforms. He also has considerable experience with drafting arbitration agreements and arbitration clauses, mass arbitration, disputes over arbitration fees, and enforcing arbitration agreements. He has successfully litigated dozens of motions to compel arbitration and class action waivers in California, New York, Florida, Illinois, and other states. In 2023, Michael presented to the ABA National Class Actions Conference on arbitration agreements, class action waivers, and mass arbitration. Michael was recognized in The Best Lawyers in America® 2022 Ones to Watch in Mass Tort Litigation / Class Action.
Dhananjay (DJ) Manthripragada is a partner in the Los Angeles and Washington, D.C. offices of Gibson, Dunn & Crutcher. He is Chair of the firm’s Government Contracts practice group, and also a member of the Litigation, Class Actions, Labor & Employment, and Aerospace and Related Technologies practice groups. DJ has a broad complex litigation practice, and has served as lead counsel in precedent setting litigation before several United States Courts of Appeals, District Courts and state courts in jurisdictions across the country, the Court of Federal Claims, and the Federal Government Boards of Contract Appeals. He has first-chair trial experience and has successfully tried to verdict both jury and bench trials, and has served as lead counsel in arbitration and other alternative dispute resolution forums. His practice spans a wide range of industries, and he has represented some of the world’s leading aerospace and defense, finance, logistics/transportation, high-technology, and pharmaceutical companies in their most significant matters. DJ is also highly regarded as a trusted advisor to clients regarding significant compliance/enforcement, contract, dispute resolution, and employment issues. He was recognized in The Best Lawyers in America® Ones to Watch in Commercial Litigation in 2021 and 2022.
Madeleine McKenna is a litigation associate in Gibson, Dunn & Crutcher’s Los Angeles office. She practices in the firm’s Insurance, Class Actions, Labor and Employment, and Appellate and Constitutional Law Practice Groups, with a focus on complex civil litigation in the trial courts and on appeal. Madeleine has represented clients in a variety of high-stakes, complex litigation matters in state and federal courts, with a particular focus on class and representative actions involving employment and consumer protection claims. She has also litigated a wide variety of appellate matters. Prior to joining Gibson Dunn, she clerked for the Honorable Richard C. Tallman of the U.S. Court of Appeals for the Ninth Circuit.
MCLE CREDIT INFORMATION:
This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.
Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.
Gibson, Dunn & Crutcher LLP is authorized by the Solicitors Regulation Authority to provide in-house CPD training. This program is approved for CPD credit in the amount of 1.0 hour. Regulated by the Solicitors Regulation Authority (Number 324652).
Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approve or accredit CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to 1 hour toward your annual CLE requirement in Connecticut, including 0 hour(s) of ethics/professionalism.
Application for approval is pending with the Colorado, Illinois, Texas, Virginia, and Washington State Bars.
Data center developers, investors, AI companies, and energy companies all stand to benefit from the Administration’s support for AI data center development.
With four months left in his administration, President Biden is making a play for the future with a concerted focus on developing infrastructure to support artificial intelligence (AI). A limiting factor in the advancement of AI is the need to build data centers and their associated energy infrastructure to process the extraordinary quantities of information involved in AI computations and development of large language models. Over the past weeks, the Administration has taken several significant steps to promote the development of AI data centers. Data center developers, investors, AI companies, and energy companies all stand to benefit from the Administration’s support for AI data center development.
Several months ago, Gibson Dunn formed an interdisciplinary task force of partners specializing in energy, infrastructure, real estate, digital and AI, environment, litigation, national security, and public policy to provide integrated advice to clients who are actively pursuing opportunities in the data center sector. We are closely tracking the Administration’s efforts regarding AI data centers and are available to help clients to share their insights with the Administration, as well as to take advantage of the opportunities these high-level initiatives may offer in the coming months.
I. White House Roundtable, Interagency Efforts to Promote AI Data Centers
On September 12, 2024, the Biden Administration convened AI industry leaders, utility companies, and high-level Administration officials to discuss how to ensure the United States continues to lead in AI. After the roundtable, the White House announced several new initiatives to promote AI in ways that will advance national security and protect the environment.
Most significantly, the Administration launched its Task Force on AI Datacenter Infrastructure to coordinate federal government policy across agencies. Led by the National Economic Council, National Security Council, and the White House Deputy Chief of Staff’s office, the Task Force involves the highest levels of the Biden Administration, indicating the importance the Administration is placing on this initiative. The Task Force will work with private sector leaders to identify growth opportunities, as well as with agencies to prioritize AI data center projects.
The Administration also announced that it is tasking the Federal Permitting Improvement Steering Council to work with AI data center developers and federal agencies to set comprehensive timelines for project development, provide technical assistance to the permitting agencies, and distribute funding to agencies to expedite the permitting process for data centers. The U.S. Army Corps of Engineers also will be identifying nationwide permits to expedite the construction of AI data centers. AI data centers require substantial amounts of land, water, and energy—all resources protected or regulated by federal, state, and local permitting regimes. This focus on easing the permitting process for data center developers may give investors some comfort about the shorter-term return on their investments and potentially serve as a model for broader infrastructure permitting reform.
II. Department of Energy Developments
Given AI data centers’ need for significant amounts of energy, combined with the Administration’s clean-energy goals, it is no surprise that the Department of Energy (DOE) is taking the lead on several significant projects to support AI data centers. Of interest to clients, the DOE is planning a series of convenings with industry stakeholders to discuss the challenges associated with data centers’ energy needs.
Moreover, multiple offices within the DOE are working to provide solutions to stakeholders. In August, the DOE Office of Policy developed a list of resources to help data center developers, owners and operators, and interconnection stakeholders take advantage of tax credits, financing programs, and technical assistance.
In July, the DOE Secretary of Energy Advisory Board convened a Working Group on Powering AI and Data Center Infrastructure and presented its recommendations to Jennifer Granholm, the Secretary of Energy.
The Working Group’s report encouraged the DOE to adopt several key immediate and longer-term impact recommendations for supporting AI-driven data center power demand while limiting harm to existing customers and greenhouse gas emissions. The Working Group’s three immediate impact recommendations to the DOE encouraged the DOE to:
- explore flexible siting and geographic distribution of AI large language model data centers in an effort to reduce highly concentrated loads;
- foster dialogue between energy utilities, data center developers and operators, and other key stakeholders to manage current electricity supply bottlenecks and encourage real-time data sharing; and
- rapidly assess reliability, cost, performance, and supply chain issues facing generation, storage, and grid technologies to support data center expansion.
As longer term recommendations, the Working Group encouraged the DOE to:
- establish an AI testbed within the DOE to allow researchers to develop and assess algorithms for energy-efficient AI training, and advance the United States’ AI capabilities;
- work with other government agencies and the private sector to develop a standardized and adaptable framework for orchestrating grid services; and
- accelerate and de-risk private investment in emerging technologies, particularly nuclear, geothermal, long-duration storage, and carbon capture and sequestration.
The DOE’s focus on providing data center solutions will continue as it works in conjunction with other government agencies and the private sector to drive development, provide incentives, and discover efficiencies with respect to AI-driven data center power demands.
III. Department of Commerce Developments
Along with the DOE, the Department of Commerce will play a significant role in the Administration’s efforts to promote data center development. The National Telecommunications and Information Administration (NTIA), a component of the Department of Commerce, has invited comments on data center security and supporting data center growth in the United States. The NTIA is tasked with advising the President on issues related to the internet economy, including internet infrastructure, cybersecurity, and online privacy. Much of its work focuses on expanding broadband access and adoption, particularly in rural parts of the country, and the NTIA administers grant funding programs to support expansion of broadband infrastructure.
The NTIA will use the comments to inform its work on a comprehensive report for the executive branch offering policy recommendations about how the federal government can promote data center development. The NTIA is coordinating its efforts with the DOE. The Administration seeks comments on a variety of data center development topics including AI data center usage, barriers to data center competition, supply chain vulnerabilities, risk management practices, staffing shortages, and power supply challenges.
Offering comments to the NTIA will allow interested parties to shape the recommendations made within the executive branch on the best path toward maximizing data center infrastructure. The NTIA’s advisory role and its coordination with the DOE on this report will allow commenters to reach multiple interested executive agencies through this comment process. Comments are due November 4.
Given the economic, strategic, and national security implications of the AI race, these efforts are likely just the start of a federal government campaign to support AI data centers, regardless of the outcome of the November elections. In light of the Administration’s keen interest in collaborating with the private sector on AI data center development, industry participants who want to shape the future of AI and data center policy should take this opportunity to make their voices heard.
Gibson Dunn’s Data Center Task Force attorneys are available to assist clients by offering strategic advice; drafting comment letters to agencies; arranging and preparing for high-level executive branch and congressional meetings; and helping clients take advantage of potential opportunities emerging from the rapidly changing regulatory environment.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Artificial Intelligence, Energy Regulation & Litigation, National Security, Public Policy, Real Estate, or White Collar Defense & Investigations practice groups, or the following authors:
Vivek Mohan – Co-Chair, Artificial Intelligence Practice Group, Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
William R. Hollaway, Ph.D. – Chair, Energy Regulation & Litigation Practice Group, Washington, D.C. (+1 202.955.8592, whollaway@gibsondunn.com)
Tory Lauterbach – Partner, Energy Regulation & Litigation Practice Group, Washington, D.C. (+1 202.955.8519, tlauterbach@gibsondunn.com)
Stephenie Gosnell Handler – Partner, National Security Practice Group, Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Michael D. Bopp – Co-Chair, Public Policy Practice Group, Washington, D.C. (+1 202.955.8256, mbopp@gibsondunn.com)
Eric M. Feuerstein – Co-Chair, Real Estate Practice Group, New York (+1 212.351.2323, efeuerstein@gibsondunn.com)
F. Joseph Warin – Co-Chair, White Collar Defense & Investigations Practice Group, Washington, D.C. (+1 202.887.3609, fwarin@gibsondunn.com)
Amanda H. Neely – Of Counsel, Public Policy Practice Group, Washington, D.C. (+1 202.777.9566, aneely@gibsondunn.com)
With this final rule, BIS seeks to tip the scales in favor of more frequent disclosures and introduces new factors to consider when assessing engagement with U.S. regulators.
In a final rule effective September 16, 2024, the Department of Commerce’s Bureau of Industry and Security (“BIS”) updated its process for handling voluntary self-disclosures from industry and expanded its discretion to impose higher monetary penalties for violations of export control laws. Whether to submit a voluntary self-disclosure remains a fact-dependent decision and requires careful weighing of factual, legal, practical and policy considerations.
Background
Corporate violations of U.S. sanctions, export control laws, and foreign direct investment determinations are a key enforcement priority for BIS, the Department of Justice, the Department of the Treasury, and the Committee on Foreign Investment in the United States (“CFIUS”), with each taking an increasingly aggressive enforcement posture through new guidance, compliance expectations, and record-setting penalties in recent years.
On September 12, 2024, BIS announced the publication of a final rule updating its policies regarding voluntary self-disclosures (“VSD”) and the BIS Penalty Guidelines, found at Supplement No. 1 to Part 766 of the Export Administration Regulations (“EAR”). The rule finalizes a series of policy changes by the Office of Export Enforcement (“OEE”) that were first articulated in memoranda publicly issued by BIS beginning in 2022 and that seek to strengthen BIS’s administrative enforcement program and encourage voluntary disclosures of apparent export control violations.[1]
As we summarized in our 2023 Year-End Sanctions and Export Control Update, these changes aim to:
- streamline self-disclosure of minor or technical violations, facilitate corrective action that might otherwise be prohibited, and prioritize enforcement actions against “significant” violations by establishing a dual-track process for VSD submission and processing;
- incentivize VSDs by treating failure to disclose significant apparent violations as an aggravating factor;
- enhance OEE’s discretion in assessing penalties when warranted;
- incentivize compliance-minded firms to report violations committed by other firms or competitors; and
- coordinate enforcement efforts through the appointment of a new Chief of Corporate Enforcement position.
The final rule, outlined in greater detail below, highlights BIS’s continued commitment to streamlining the VSD program to facilitate faster resolutions of non-egregious apparent violations and at the same time highlights BIS’s desire to focus its resources on significant infractions, including by expanding its discretion to impose higher civil monetary penalties.
1. Dual-Track VSD Processing, Streamlined Submission of Minor or Technical Violations, and Corrective Action Provisions
a. Dual-Track VSD Processing
Minor or Technical Violations Track
Section 764.5 of the EAR previously set forth a single track for handling VSDs, regardless of the severity of the violation at issue. The final rule adds a new paragraph regarding disclosure of minor or technical violations, defined as any violation that does not include aggravating factors.
These revisions permit firms to disclose minor or technical violations through a “fast-track” process that will be resolved in 60 days, either through a no-action letter or a warning letter. For such apparent violations, firms may submit by email an abbreviated narrative report in lieu of the more burdensome narrative and documentation requirements previously set forth in Section 764.5. For minor or technical violations, the rule also removes the recommendation that firms conduct a five-year lookback, unless OEE suspects that aggravating factors are present. Firms may also “bundle” multiple minor or technical apparent violations into a single submission, if such apparent violations occurred within the prior quarter.
OEE offered several examples of “minor or technical” violations, including immaterial Electronic Export Information filing errors and the incorrect use of one license exception where another license exception was available.
“Significant” Violations Track
For VSDs that concern a “significant violation,” firms should follow the prior procedures, including submission of a full narrative report.
The rule notes that parties unsure whether a disclosure involves a minor or technical violation or a significant violation are advised to follow the procedures for disclosing a significant violation.
Following disclosure of a “significant” apparent violation, OEE will conduct an investigation and may, depending on the facts and circumstances of the case, issue a warning letter or initiate an administrative enforcement proceeding. OEE may also refer the matter to DOJ for criminal prosecution.
b. Treatment of Unlawfully Exported Items
The final rule revises the EAR with regard to the treatment of unlawfully exported items. Consistent with a 2024 policy memorandum, the final rule clarifies that OEE authorizes any person, not just a party submitting a VSD, to request permission to engage in corrective activities otherwise prohibited by Section 764.2(e) (often referred to as a “General Prohibition 10 Waiver”). The rule also authorizes firms to seek the return of any unlawfully exported item to the United States following notification to OEE and removes the need for firms to receive authorization from OEE for such return-related activities. Further, items that have been returned to the United States do not require additional authorization from OEE, provided that those future activities comply with any applicable EAR requirements. This change is likely due in part to the increase in General Prohibition 10 Waiver requests related to items exported, reexported, or transferred (in-country) to Russia and Belarus (including aircraft) following the imposition of strict export controls on these destinations.
Any re-export from abroad or transfer outside of the United States of an item that has been the subject of a self-disclosure would require a license from BIS.
2. Nondisclosure as Aggravating Factor
Assistant Secretary Axelrod previously explained in a January 2024 speech at NYU Law School, “when someone affirmatively chooses not to file a VSD, [BIS] want[s] them to know that they risk incurring concrete costs.”
Consistent with that statement and previous policy memoranda, the final rule confirms that BIS will consider a deliberate decision by a firm not to disclose a significant apparent violation to be an aggravating factor when determining what administrative penalty, if any, should be applied.
A “deliberate decision” occurs when a firm uncovers a significant apparent violation but then chooses not to file a VSD.
The rule adds a new Aggravating Factor D to the BIS Penalty Guidelines for “[f]ailure to disclose a significant violation.”
3. Penalty Guidelines and Increased Discretion
The final rule enhances OEE’s discretion in calculating potential penalties for apparent violations in several significant ways.
First, the rule removes the base penalty caps for non-egregious cases and instead links penalties to transaction value and other circumstances.
As a result, for non-egregious VSD cases, the base penalty amount is no longer capped at a maximum of $125,000, but is instead capped at one-half of the transaction value. For a non-egregious case that is not initiated by a VSD, the base penalty amount is no longer capped at $250,000, but is instead capped at the full transaction value. The rule describes this change as permitting OEE to “impose penalties with sufficient deterrent effect in situations where transaction values are high.”
For egregious VSD cases, the base penalty amount is capped at one-half of the statutory maximum—which is $364,992 or twice the full transaction value, whichever is greater. For an egregious case that is not initiated by a VSD, the base penalty amount is capped at the statutory maximum.
Second, the rule permits BIS to issue non-monetary resolutions for non-egregious conduct that has not resulted in serious national security harm yet nonetheless merits a stronger response than a no-action or warning letter. The final rule indicates that such resolutions are likely to “require remediation through the imposition of a suspended denial order with certain conditions, such as training and compliance requirements.”
Third, the final rule removes from the Penalty Guidelines all specific percentage ranges for potential penalty reduction based on mitigating factors. As the rule explains, “[t]he inclusion of specific percentage ranges for some mitigating factors and not for other factors led parties to incorrect assumptions about the range of reduction to which they were entitled.” With the revisions, “OEE is making clear that the civil monetary penalty will be adjusted (up or down) to reflect the applicable factors for administrative action set forth in the BIS Penalty Guidelines.”
Fourth, the final rule amends Aggravating Factor C, “Harm to Regulatory Program Objectives,” to include transactions that enable human rights abuses as a specific consideration when assessing the potential impact of an apparent violation on U.S. foreign policy objectives.
Fifth, the final rule amends General Factor E (previously D), for “Individual Characteristics,” by expanding the scope of past corporate criminal resolutions that OEE may consider when calibrating an enforcement response. Previously, this factor only mentioned prior conviction of an export-related criminal violation. As revised, it includes not only where a respondent has been convicted or entered a guilty plea, but also where a party has entered into any other type of resolution with the Department of Justice or other authorities, including a Deferred Prosecution Agreement or a Non-Prosecution Agreement.
4. Exceptional Cooperation for Third-Party Tips
As explained by Assistant Secretary Axelrod in his January 2024 speech, BIS seeks to ensure a “level playing field” for compliance-minded firms, recognizing that rule-following firms can suffer as firms that flout regulations book business.
The revised Penalty Guidelines now clarify that disclosure of conduct by others that leads to an enforcement action counts as “exceptional cooperation.” BIS will provide cooperation credit for such tips in “a future enforcement action, even for unrelated conduct,” if such an action is ever brought.
The decision to provide cooperation credit for tips as to suspected third-party violations is unusual and marks a significant departure from other VSD programs with uncertain implications for industry.
5. Chief of Corporate Enforcement
Mirroring action taken by the Department of Justice’s National Security Division (“NSD”) in 2023, BIS announced the appointment of Raj Parekh as the agency’s first Chief of Corporate Enforcement. An accompanying press release to the final rule indicates that Mr. Parekh will “serve as the primary interface between BIS’s special agents, the Department of Commerce’s Office of Chief Counsel for Industry and Security, and the Department of Justice,” with the aim of “advance[ing] significant corporate investigations.”
Mr. Parekh joins BIS from the U.S. Attorney’s Office for the Eastern District of Virginia, where he served as Acting U.S. Attorney. He previously worked at DOJ NSD, and the press release notes that this appointment “further reflect[s] BIS’s commitment to this effort.”
Conclusion
In his January speech, Assistant Secretary Axelrod touted the early successes of recent changes to BIS’s VSD program. Specifically, BIS received nearly 80 percent more VSDs containing potentially serious violations in FY2023 than in FY2022, even as the overall number of VSDs remained relatively constant. BIS also experienced a 33 percent uptick in third-party disclosures from industry.
The revised rule reflects BIS’s continued focus on corporate compliance with export controls and the increased centrality of economic statecraft to U.S. national security policy. It also demonstrates that BIS seeks to focus its investigative resources on infractions most likely to damage U.S. national security interests, and its willingness to impose steeper penalties to incentivize compliance. In April 2023, for instance, BIS announced the largest standalone penalty in the agency’s history—a $300 million civil penalty against affiliates of a technology company that allegedly sold hard disk drives to Huawei Technologies Co. Ltd. BIS is not alone in this prioritization, with CFIUS announcing in August 2024 that it imposed the largest penalty in its history—$60 million—for the breach of a mitigation agreement that resulted in harm to U.S. national security equities, and the Treasury’s Office of Foreign Assets Control levying two of the largest civil penalties in its history last year, including a $968 million settlement, for violations of U.S. sanctions law.
In addition, over the last two years, officials at DOJ have sounded a drumbeat of announcements indicating that criminal enforcement of U.S. export control and sanctions law is one of their highest priorities, with the Department hiring 25 new NSD prosecutors to “investigate national security-related economic crimes” and the publication of an updated NSD Enforcement Policy that “strongly encourages companies to voluntarily self-disclose directly to NSD all potentially criminal … violations of the U.S. government’s export control and sanctions regimes.”
While a decision to submit a voluntary self-disclosure will be the result of considering many factors, BIS is seeking to raise the consequences of a decision not to submit a self-disclosure where aggravating factors are present. The factors highlighted in this new rule, as well as the heightened importance of international trade controls in the United States’ response to global challenges, should remain at the forefront when considering a voluntary self-disclosure of any apparent export control violations to BIS or other regulators.
[1] See Memorandum from Bureau of Indus. & Sec., Further Strengthening Our Administrative Enforcement Program (June 30, 2022), https://www.bis.gov/sites/default/files/files/Administrative%20Enforcement%20Memo.pdf; Memorandum from Bureau of Indus. & Sec., Clarifying Our Policy Regarding Voluntary Self-Disclosures and Disclosures Concerning Others (Apr. 18, 2023), https://www.bis.gov/sites/default/files/files/VSD%20Policy%20Memo%20%2804.18.2023%29.pdf; Memorandum from Bureau of Indus. & Sec., Further Enhancements to Our Voluntary Self-Disclosure Process (Jan. 16, 2024), https://www.bis.gov/sites/default/files/files/VSD%20MEMO.pdf.
Gibson Dunn lawyers are monitoring the proposed changes to U.S. export control laws closely and are available to counsel clients regarding potential or ongoing transactions and other compliance or public policy concerns.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s International Trade practice group:
United States:
Ronald Kirk – Co-Chair, Dallas (+1 214.698.3295, rkirk@gibsondunn.com)
Adam M. Smith – Co-Chair, Washington, D.C. (+1 202.887.3547, asmith@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Christopher T. Timura – Washington, D.C. (+1 202.887.3690, ctimura@gibsondunn.com)
David P. Burns – Washington, D.C. (+1 202.887.3786, dburns@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213.229.7269, nhanna@gibsondunn.com)
Courtney M. Brown – Washington, D.C. (+1 202.955.8685, cmbrown@gibsondunn.com)
Samantha Sewall – Washington, D.C. (+1 202.887.3509, ssewall@gibsondunn.com)
Michelle A. Weinbaum – Washington, D.C. (+1 202.955.8274, mweinbaum@gibsondunn.com)
Mason Gauch – Houston (+1 346.718.6723, mgauch@gibsondunn.com)
Chris R. Mullen – Washington, D.C. (+1 202.955.8250, cmullen@gibsondunn.com)
Sarah L. Pongrace – New York (+1 212.351.3972, spongrace@gibsondunn.com)
Anna Searcey – Washington, D.C. (+1 202.887.3655, asearcey@gibsondunn.com)
Audi K. Syarief – Washington, D.C. (+1 202.955.8266, asyarief@gibsondunn.com)
Scott R. Toussaint – Washington, D.C. (+1 202.887.3588, stoussaint@gibsondunn.com)
Claire Yi – New York (+1 212.351.2603, cyi@gibsondunn.com)
Shuo (Josh) Zhang – Washington, D.C. (+1 202.955.8270, szhang@gibsondunn.com)
Asia:
Kelly Austin – Hong Kong/Denver (+1 303.298.5980, kaustin@gibsondunn.com)
David A. Wolber – Hong Kong (+852 2214 3764, dwolber@gibsondunn.com)
Fang Xue – Beijing (+86 10 6502 8687, fxue@gibsondunn.com)
Qi Yue – Beijing (+86 10 6502 8534, qyue@gibsondunn.com)
Dharak Bhavsar – Hong Kong (+852 2214 3755, dbhavsar@gibsondunn.com)
Felicia Chen – Hong Kong (+852 2214 3728, fchen@gibsondunn.com)
Arnold Pun – Hong Kong (+852 2214 3838, apun@gibsondunn.com)
Europe:
Attila Borsos – Brussels (+32 2 554 72 10, aborsos@gibsondunn.com)
Patrick Doris – London (+44 207 071 4276, pdoris@gibsondunn.com)
Michelle M. Kirschner – London (+44 20 7071 4212, mkirschner@gibsondunn.com)
Penny Madden KC – London (+44 20 7071 4226, pmadden@gibsondunn.com)
Irene Polieri – London (+44 20 7071 4199, ipolieri@gibsondunn.com)
Benno Schwarz – Munich (+49 89 189 33 110, bschwarz@gibsondunn.com)
Nikita Malevanny – Munich (+49 89 189 33 224, nmalevanny@gibsondunn.com)
Melina Kronester – Munich (+49 89 189 33 225, mkronester@gibsondunn.com)
Vanessa Ludwig – Frankfurt (+49 69 247 411 531, vludwig@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
The new regulations control quantum computing, advanced semiconductor items, and additive manufacturing technologies.
On September 6, 2024, the Department of Commerce’s Bureau of Industry and Security (BIS) published new regulations to control certain advanced and emerging technologies, including quantum computing, semiconductor manufacturing equipment, Gate All-Around Field-Effect Transistor (GAAFET) technology, and additive manufacturing.[1] The regulations—which were effective when issued but published as an interim final rule (IFR)—are noteworthy because they introduce tools to both build and recognize new ad hoc agreements with like-minded nations on export controls to regulate advanced and emerging technologies, an objective that has been more and more out of reach due to the inability to achieve consensus through the broader multilateral Wassenaar Arrangement (WA) process. This IFR is a key example of BIS’s efforts to enhance international collaboration among U.S. allies and key suppliers of critical inputs for advanced and emerging technologies to implement consistent export controls. Specifically, in the regulations, BIS creates a new License Exception Implemented Export Controls (IEC) to recognize and reward countries who impose similar export controls with easier access to the technology, software, and commodities that enable the development of emerging technologies. BIS also continues a several-year experiment with modified deemed export controls. The new deemed export control framework created by the regulations will help ensure that the United States retains and continues to attract the international talent now working with U.S. universities, research institutes, and companies in advanced and emerging technologies and that BIS’s new export controls will not disrupt the work of non-U.S. collaborators with individual license requirements for foreign nationals on their teams. 
The regulations became effective on September 6, 2024; however, parties transferring certain quantum technologies to Wassenaar participating states are not required to comply with corresponding license requirements until November 5, 2024.
I. Major features of the Interim Final Rule
BIS’s first step toward reaching a new agreement among like-minded countries on the regulation of advanced and emerging technologies represents a departure from BIS’s typical process of achieving consensus through iterative working group and plenary meetings of the WA. The WA is a voluntary agreement among participating states (today 42 states participate) to control the export of conventional arms and certain dual-use goods to contribute to regional and international security. Although certain states such as Israel, the People’s Republic of China, and Singapore do not participate in WA, the influence of the WA control lists extends beyond the current membership of the WA because many non-participating countries opt to adopt most or all of the same control parameters and exclusions into their own national controls. The specific items that are described on the WA control lists change from year to year through the adoption of amendments to the control lists at annual plenary meetings. However, the ability of the United States and many like-minded countries to reach consensus on the adoption of new controls on several advanced and emerging technologies has been stymied in recent years by the refusal of the Russian Federation, among others, to support the imposition of new controls.
In its new regulations, BIS seeks to encourage the development of new plurilateral controls outside the WA and without the Russian Federation’s support. Since the export control reform efforts of the 2010s, the United States and many observers have described the goal of U.S. export controls as building higher fences around smaller yards. The new framework is designed to enable the United States to coordinate faster fence building in other countries’ yards where critical advances in emerging technologies are also occurring. In the IFR, BIS achieves this aim by imposing new permutations of world-wide licensing requirements on the export, reexport, and in-country transfer (collectively, “export”) of specified items and by creating a new license exception—License Exception IEC—which authorizes exports to and among countries who implement similar export control licensing requirements on these technologies.
- Adds new, and revises existing Export Control Classification Numbers (ECCNs) to identify controls on emerging advanced quantum computing, semiconductor manufacturing, GAAFET technology, and additive manufacturing technologies
BIS imposes its new, worldwide licensing requirements on the targeted technologies through amendments to the Export Administration Regulations’ (EAR’s) Commerce Control List (CCL),[2] which now includes additional ECCN entries for certain commodities, software, and technology that enable the design, manufacture, and functionality of (1) quantum computers, (2) semiconductor devices and circuitry, (3) high-performance computing chips, and (4) additive manufacturing items that produce metal or metal alloy components. Examples of listed items in the interim rule include quantum computers and related electronic assemblies and components; cryogenic cooling systems and components; complementary metal-oxide semiconductor (CMOS) integrated circuits; technology for the development or production of integrated circuits or devices, using GAAFET structures; additive manufacturing equipment, designed to produce metal or metal alloy components; and, technology related to coating systems; among others. The newly-controlled commodities, software, and technology can be found at the following ECCNs: 2B910, 2D910, 2E903, 2E910, 3A901, 3A904, 3B903, 3B904, 3C907, 3C908, 3C909, 3D901, 3D907, 3E901, 3E905, 4A906, 4D906, and 4E906. The IFR also revises the following nine ECCNs: 2E003, 3A001, 3B001, 3C001, 3D001, 3D002, 3E001, 4D001, and 4E001, which are ECCNs that have historically reflected WA controls, to include certain newly-controlled items.
BIS also amends the EAR to enable the agency to more easily identify these and other emerging technologies that it plans to make subject to non-WA-based worldwide export control licensing requirements. Specifically, these items will be assigned ECCNs with a third digit of “9” and the fourth digit as a number from 0 to 7 (e.g., 3A901).
- BIS creates a new license exception and adopts new licensing policies that favor exports to like-minded and allied countries
While the new controls on emerging technologies are similar to BIS’s existing controls on other ECCNs controlled for national security and regional stability reasons, BIS will make available a more limited set of license exceptions and will apply different licensing review policies. BIS amends the EAR to create a new License Exception IEC, which authorizes the export of specific technologies to countries that have agreed to adopt the same technical parameters and restrictions in their own export control regimes. And for those countries who have not adopted similar controls, BIS will apply new license review policies that are keyed to the EAR’s country groups, reflective in part of a given state’s participation in different multilateral agreements and U.S. national security determinations and arms embargoes.[3] Thus, when a proposed export involves items controlled by one of the new or modified ECCNs to a country that has not yet implemented similar controls, BIS will apply a presumption of approval for destinations specified in Country Groups A:1 (which includes all WA countries), A:5, and A:6, a presumption of denial for destinations specified in Country Groups D:1 (countries designated for U.S. national security reasons) and D:5 (countries subject to U.S. or UN arms embargoes), and a case-by-case review policy for destinations for the remaining balance of countries.
Alongside the creation of the new License Exception IEC, BIS makes a procedural change to more immediately reward countries that adopt parallel controls. Specifically, BIS bypasses the need to publish every change related to IEC exception availability through Federal Register notices. BIS does this by developing a mechanism to more quickly identify countries that have implemented the same controls through a cross-referenced list that will be available outside of the Federal Register publication. This new License Exception IEC Eligible Items and Destinations list will be maintained by BIS, hosted by the National Archives and Records Administration, and made available by a BIS website hyperlink. By maintaining the list outside of the Federal Register, BIS will be able to more quickly expand the applicability of License Exception IEC by ECCN and by country when a given country adopts sufficient controls. Were BIS obligated to reflect each of these changes in Federal Register notices, collaborators in the United States and like-minded countries would possibly need to wait months, rather than weeks or days, after their governments reached agreement on new controls to take advantage of the new IEC authorization.
- BIS uses General Orders to grandfather and authorize exports of specific advanced technologies in recognition of a limited, global talent pool
Over the past two years, BIS has grappled with the challenge of ensuring its new controls on emerging technologies do not disrupt ongoing work involving foreign nationals in the United States or dissuade talented foreign nationals from seeking employment in the United States or in other countries whose companies collaborate with U.S. companies. This disruption can occur when licensing controls are placed on the release of software and technology to non-U.S. persons. These transfers to non-U.S. persons located in the United States are referred to as “deemed exports,” because the release of controlled technology and software to foreign persons is deemed to be an export to the person’s most recent country of citizenship or legal permanent residence. Similarly, a deemed reexport occurs when software or technology is released to a foreign person of a country other than the foreign country of the entity authorized to receive the controlled technology (e.g., a Syrian national employed by a company in France). Given the scarcity of individuals with expertise in many areas of emerging technology and that many specially trained foreign nationals come from jurisdictions that often trigger export control licensing requirements such as China, BIS’s new approach to foreign national licensing is critical to ensuring that the United States does not undermine ongoing work involving emerging technologies and that U.S. companies can continue to recruit the talent they need to advance such activities.
BIS’s experiment with foreign national licensing in the context of advanced technology exports started in October 2022, when BIS included an exclusion from the requirement to seek deemed export licenses for certain advanced semiconductor controls and other specified items, such as items related to advanced computing chips and computer technologies, controlled for new “regional stability” purposes. In October 2023, BIS issued additional semiconductor controls and clarifications, which included updated ECCN item tables so as to “not undermine the deemed export and reexport exclusion.”[4] BIS underscored in the same interim rule its interest in receiving comments from businesses on the impact of deemed export provisions which BIS could use to better inform potential additional changes to deemed export licensing requirements. Finally, in April 2024, BIS released its most recent round of clarifications concerning semiconductor controls and reiterated that such controls did not require licensing for the deemed export or reexport of items controlled for “national security” reasons.
The present IFR introduces a few new permutations of deemed export authorizations. The first authorization grandfathers U.S. and non-U.S. entities who had hired foreign national contractors or employees to advance their work as of the effective date of BIS’s new controls (i.e., September 6, 2024), except for those working with certain GAAFET technology.[5] BIS also opted to wholly exclude from deemed export and reexport requirements the release of certain advanced semiconductor technology and software and to partially exclude other semiconductor manufacturing and quantum technology and software for all foreign nationals except those from Group D:1 countries, which are subject to U.S. national security export licensing requirements, and D:5 countries, which are subject to U.S. or United Nations arms embargoes.[6]
To authorize Group D:1 and Group D:5 foreign nationals’ access to controlled software and technology, BIS issues more specific authorizations through general orders, which provide the required authorization subject to certain reporting requirements. One general order authorizes Group D:1 and Group D:5 foreign nationals working as contractors or employees of entities and having access to the newly controlled GAAFET technology, provided that the individuals were supporting GAAFET technology projects as of September 6, 2024.[7] BIS also created a parallel authorization for foreign nationals from the same jurisdictions supporting work with newly controlled quantum technologies, though without a restriction on when these foreign nationals were hired or assigned to supporting these projects.[8] To take advantage of the general licenses, exporters are obligated to file annual reports with BIS (due for 2024 on November 4, 2024 and on February 1 for every year thereafter) that detail the GAAFET and quantum software and technology that the foreign nationals are using or to which they are otherwise receiving access in their work, as well as reports concerning the voluntary or involuntary termination of such employees.
Although the Federal Register notice does not offer a specific rationale for the new annual reporting requirements, BIS will be able to use the information gathered to help trace where the contractors and employees authorized to work with these advanced technologies go when their work terminates. In accordance with newly added 15 C.F.R. §§ 743.7 and 743.8, entities must report the identity of the foreign personnel, the specific technology in question, when the person is terminated, and whether, upon termination, the person intends to go to a destination specified in Country Group D:1 or D:5. The introduction of a regulatory requirement that will allow BIS to track the movement of foreign national employees who are advancing the leading edges of emerging technologies is unprecedented, but may serve as the model for similar authorizations that BIS will extend to foreign nationals working with other emerging technologies.
Use of the export, reexport, and deemed export and reexport licenses set forth in clauses (f)(1) and (f)(2) of General Order No. 6 (which license certain GAAFET exports, reexports, and deemed exports and reexports ongoing prior to September 6, 2024) is also conditioned on the specific application of the technology and software. In particular, although these general licenses extend to companies located in Country Groups A:5 and A:6, they expressly exclude any companies that are working at the direction of companies headquartered or whose ultimate parent is located in a sensitive jurisdiction (Country Groups D:1 or D:5) to develop or produce certain controlled items. Thus, for example, the authorization could not be used to support GAAFET or quantum development or production projects being directed by companies in China or other listed jurisdictions.
II. More fences around more yards, more quickly
The set of amendments that BIS implements through the IFR is among the more complex we have seen. The rule reflects the increasingly innovative tools BIS is employing to address the complicated issues that have arisen over the last two years in imposing controls on emerging technologies, advanced semiconductor, semiconductor manufacturing, and supercomputing technologies. Moreover, BIS’s new License Exception IEC and novel use of grandfathering and general orders to mitigate the impact of new controls on the multinational teams collaborating to advance emerging technologies, among other rule features, constitute a playbook, and a new set of regulatory tools, for BIS to recruit like-minded countries to implement important controls outside of the consensus restraints associated with the WA.
Other countries are already adopting equivalent export controls concerning quantum computing and other technologies that will make them eligible for License Exception IEC. For example, on September 7, 2024, a day after the IFR took effect, the Netherlands amended its Regulation on Advanced Production Equipment for Semiconductors to require chip manufacturing giant ASML to apply for a Netherlands export license—rather than a U.S. export license—in order to export its TWINSCAN NXT:1970i and 1980i DUV immersion lithography systems outside the European Union. This amendment, which follows the Netherlands’ original restrictions targeting deep ultraviolet light machines (promulgated in September 2023), has the practical effect of building new walls around the flow of semiconductor manufacturing equipment to sensitive jurisdictions like China. ASML noted in an official statement that it “believes this requirement will harmonize the approach for issuing export licenses.”
We expect other nations to similarly mirror IEC items licensing requirements and potential exclusions for quantum computing and other emerging technologies in the coming months. In response to the U.S. controls, as well as any potential future controls imposed by like-minded states, companies in the quantum computing, semiconductor manufacturing, GAAFET technology, and additive manufacturing industry should re-evaluate their previous item classifications, update deemed export and reexport policies as needed, and ensure that any required reports are filed in a timely manner. Companies operating in these industries should also evaluate the potential applicability of License Exception IEC—as well as related licensing policies—to their products. Finally, companies in these industries may wish to consider revising or re-evaluating human resources policies in order to more effectively comply with the above-described controls and authorizations relating to foreign nationals’ access to controlled software and technology.
[1] See Commerce Control List Additions and Revisions; Implementation of Controls on Advanced Technologies Consistent With Controls Implemented by International Partners, 89 Fed. Reg. 72,926 (Sept. 6, 2024).
[2] See 15 C.F.R. Part 774, Supplement No. 1.
[3] See 15 C.F.R. Part 740, Supplement No. 1.
[4] Implementation of Additional Export Controls: Certain Advanced Computing Items; Supercomputer and Semiconductor End Use; Updates and Corrections, 88 Fed. Reg. 73,458, 73,485 (Oct. 25, 2023) (codified at 15 C.F.R. § 774, Supplement No. 1).
[5] Commerce Control List Additions and Revisions; Implementation of Controls on Advanced Technologies Consistent with Controls Implemented by International Partners, 89 Fed. Reg. 72,926, 72,929 (Sept. 6, 2024) (to be codified at 15 C.F.R. §§ 742.4(a)(5)(i) & 742.6(a)(10)(i)).
[6] Id. at 72,929.
[7] Id. at 72,936 (to be codified at 15 C.F.R. Part 736, Supplement No. 1, General Order No. 6, subsections (f)(1) and (f)(2)).
[8] Id. at 72,936 (to be codified at 15 C.F.R. Part 736, Supplement No. 1, General Order No. 6, subsection (f)(3)).
*Nicole Martinez, an associate in the firm’s New York office, is not admitted in New York.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
We are pleased to provide you with Gibson Dunn’s ESG update covering the following key developments during July and August 2024.
- The Network for Greening the Financial System (NGFS) publishes two complementary reports on nature-related risks
On July 2, 2024, NGFS published two reports. The first report is the final version of the Conceptual Framework for nature-related financial risks, which will provide policy guidance for central banks and financial supervisors. The NGFS published its initial version of this report in September 2023, but the final Conceptual Framework includes two cases to exemplify the application of the risk assessment framework to freshwater and forest ecosystems.
The second report outlines the key emerging trends related to nature-related litigation, including cases concerning biodiversity loss, ocean degradation and carbon sinks, and explores the potential relevance for central banks and the financial system. The two reports are complementary: the Conceptual Framework outlines the broad framework for nature-related risks, while the second report aims to raise awareness more specifically about nature-related litigation risks.
- The Taskforce on Nature-related Financial Disclosures (TNFD) and Glasgow Financial Alliance for Net Zero (GFANZ) to launch separate consultations on nature and transition plans
On July 4, 2024, the TNFD, a global organization established to provide companies with a framework to quantify and disclose nature-related financial risks and opportunities, announced a new consultation which will focus on what a nature transition plan should include and how it should be disclosed. It will ask organizations to “describe the effect nature-related dependencies, impacts, risks and opportunities” have had on the organization’s business strategy and financial planning. The TNFD plans to publish its final guidance in Q2 of 2025.
GFANZ’s consultation will focus on how nature could be further considered in its net-zero transition plan (NZTP) framework, which will cover how nature-related levers can support net-zero implementation. The GFANZ has 36 members from across the net-zero alliances working on this initiative and aims to publish voluntary supplemental guidance on nature in NZTP in Q1 of 2025.
- NGFS publishes information note “Improving Greenhouse Gas Emissions Data”
On July 16, 2024, the NGFS published an information note on improving greenhouse gas (GHG) emissions data. The NGFS focuses on GHG emissions data because it is one of the most significant data gaps and is a key factor in monitoring progress towards the transition to a low-carbon economy.
In its note, the NGFS expert network presents practical examples of how NGFS members use GHG emissions data, for example to classify bond issuers based on emission intensity. Such classification of bonds presents numerous practical challenges, such as discrepancies in the calculation of emissions metrics. NGFS’ guidance provides a set of collaborative measures and best practices that can tackle these challenges.
Among other items, the note states that financial institutions need to accelerate their collection of data on financed emissions. It also suggests that central banks, supervisors and regulators could provide information through their websites to increase supervised entities’ awareness of the importance of sustainability indicators.
- NGFS publishes their 2023 Annual Report
On July 25, 2024, the NGFS published its Annual Report for the year 2023. In this Annual Report, the NGFS announced a growth in membership numbers with 13 new members and two new observers. Among the main issues that the NGFS focused on in 2023 were the potential use of transition plans from a micro prudential perspective and the enrichment of its long-term climate scenarios to prepare a theoretical note which would help develop a first set of short-term climate scenarios to help the financial system assess the economic impact of climate-related risks. The NGFS also held a number of knowledge and best practices sharing workshops, including on climate-related disclosures for central banks. 2023 was also a prolific year for publications, as the NGFS launched work on nature-related risks and a report on blended climate finance on ways to deploy private capital for climate mitigation and adaptation.
- Science Based Targets initiative (SBTi) publishes papers as part of its consultation on the SBTi Corporate Net-Zero Standard
On July 30, 2024, the SBTi published four technical papers as an early step in the process of reviewing the SBTi Corporate Net-Zero Standard. The publications focus on reviewing the approach to scope 3 emissions, which on average account for 75% of a company’s emissions.
The scope 3 discussion paper outlines the SBTi’s initial considerations for refining scope 3 emissions targets, which include encouraging companies to focus on reducing critical emission sources instead of relying on carbon credits. The paper outlines scenarios where carbon credits from outside the value chain may support evidence of corporate decarbonization or offset residual emissions, but stresses that credits should not replace direct value chain decarbonization.
- The International Accounting Standards Board (IASB) provides illustrative examples on reporting climate-related effects and other uncertainties in financial statements
On July 31, 2024, the IASB published a consultation document with eight different examples on how companies can apply the IFRS Accounting Standards when reporting on the effects of climate-related and other uncertainties in their financial statements, aiming to provide guidance on how the requirements in the Standards should be applied to provide investors with better information about these sorts of risks. The illustrative examples come in response to requests from stakeholders concerned that the information they were reporting was insufficient or inconsistent with information provided outside the financial statements, particularly information reported in other general purpose financial reports. The examples focus on areas such as materiality judgments, disclosures about assumptions, credit risk, decommissioning and restoration provisions and disaggregated information. The IASB has opened a consultation process to invite stakeholders to provide feedback on the proposed examples. The deadline for submitting comment letters is November 28, 2024.
In case you missed it…
- Banks get International Capital Market Association (ICMA) and Loan Market Association (LMA) guidance on using bonds to fund sustainability-linked loan portfolios
On June 25, 2024, the ICMA and LMA jointly published new Guidelines for Sustainability-linked Loans Financing Bonds (SLLBs). The guidelines recommend transparency and disclosure for issues of SLLBs. For SLLBs to align with the guidelines, issuers must adhere to the four core components, which cover:
- the use of proceeds;
- the process for sustainability-linked loans evaluation and selection;
- the management of proceeds; and
- the reporting of information on portfolios.
Per the guidelines, issuers should also explain the alignment of their SLLBs in a framework document and ensure that external reviews are carried out and made publicly available.
- The King’s Speech sets out 40 bill proposals from the new Labour government under which the party aim to boost industry growth and bring major changes to workers’ rights
On July 17, 2024, King Charles delivered the new UK Prime Minister’s legislative agenda in the King’s Speech at the state opening of parliament. Prime Minister Sir Keir Starmer has proposed 40 bills which he claims will commence “a decade of national renewal”. Amongst the bills outlined were several planning and transport proposals including the renationalization of Britain’s rail operators, greater power for local councils to develop their own bus services and the removal of potential obstacles to new housing developments in selected areas.
A notable proposal in the energy sector is the plan for a new state-run company, GB Energy, which will be set up to manage and operate Britain’s clean energy projects. The new Labour government also intends to improve worker rights by banning zero-hours contracts which they consider exploitative, ending “fire and rehire” practices as a means of employers unilaterally amending workers’ terms and conditions, making flexible working a day one right for all workers and improving access to parental leave and sick pay for new employees. The proposals would also remove previous Conservative legislation which placed restrictions on the ability of trade unions to take strike action, a change which has been welcomed by unions.
- The new Labour government sets a record budget for this year’s renewable energy auction
On July 31, 2024, the UK’s Energy Secretary announced a £1.5 million budget for this year’s renewable energy auction, an increase of £500 million from last year’s budget. Each year the UK government holds an auction to encourage companies to bid for green energy projects to supply the UK national grid with electricity, for which they will receive a guaranteed price for the electricity generated from the government. Last year, there were no bids for offshore wind power projects as they were considered unviable due to their low price. In response, the former Conservative government significantly increased the guaranteed price for such projects last year. The new Labour government aims to quadruple Britain’s offshore wind power by 2030, and therefore the majority of this year’s budget will be directed towards such projects.
- Financial Conduct Authority (FCA) publishes downloadable labels for distributors subject to Sustainability Disclosure Requirements and investment labeling regime
On July 31, 2024, firms subject to the FCA’s labeling scheme were allowed to begin using the fund labels, which aim to tackle greenwashing. Firms are required to notify the FCA when using an investment label and have until December 2, 2024 to ensure the labeling of their funds is compliant.
The labeling scheme includes four labels for sustainable funds:
- Sustainability Improvers: funds that invest in assets that may not currently be sustainable but aim to improve their sustainability profile over time;
- Sustainability Impact: funds that invest in assets with clearly “pre-defined, positive, measurable impact in relation to an environmental and/or social impact”;
- Sustainability Focus: funds that invest in other sustainable assets; and
- Sustainability Mixed Goals: funds that invest in a combination of assets from the above three categories.
To comply with the FCA labeling rules, asset managers need to demonstrate that at least 70% of the fund’s assets support the label of choice.
- New bill proposed to regulate ESG rating agencies
On August 8, 2024, the UK’s Chancellor of the Exchequer announced a bill proposed by the new Labour government to regulate ESG rating agencies. ESG rating agencies are unregulated, electing to follow a voluntary code of conduct instead. This bill aims to enhance transparency and accountability in the ESG space and alleviate current concerns about the lack of consistency amongst ESG ratings provided by different agencies. ESG ratings play a key role in the direction of sustainability investments and the current inconsistency has led to investor confusion. It is envisaged that this new legislation will make it easier for investors to make informed decisions, as well as mirroring similar regulatory measures being taken in the EU.
- Royal Institute of Chartered Surveyors (RICS) issues new guides on Whole Life Carbon Assessment (WLCA) for the built environment
The RICS 2nd edition was published in September 2023 and is effective from July 1, 2024. RICS members now need to follow the 2nd edition standard’s requirements when completing a WLCA.
The transition from the 1st to the 2nd edition of the RICS WLCA marks a move towards a more comprehensive and integrated approach to carbon measurement in the built environment. The RICS’ guides support the new ‘Whole life carbon assessment, RICS – 2nd Edition’ tool, which was created to meet the requirements of the RICS 2nd edition. The tool will enable measurement of whole-life carbon emissions, manage carbon budgets, reduce life cycle emissions and deliver a net-zero future for the built environment.
The tool can be applied to any type of construction or built asset in the UK involving (i) new constructions or new-build assets; (ii) demolition of existing and construction of new assets; (iii) retrofit or refurbishment of existing assets; and (iv) fit-out of built assets. However, it cannot be used for infrastructure assets or civil engineering works.
- Oceana UK files legal challenge, calling recent oil & gas license “unlawful”
Oceana UK has filed a case at the High Court challenging fossil fuel exploration licenses in UK waters. In the claim, Oceana alleges that the previous UK government’s decision to issue 31 new oil and gas licenses in May 2024 was unlawful because it failed to consider the extreme impact of oil spills on marine life, as well as on several other grounds. Oceana and other members of the Ocean Alliance Against Offshore Drilling have now written to Ed Miliband, the Secretary of State for Energy Security and Net Zero in the new Labour government, urging the new government to concede the case and signal a commitment to, and clear departure from, reliance on fossil fuels.
- European Parliament publishes study on the current implementation of the Sustainability-related Financial Disclosures Regulation (SFDR)
On July 3, 2024, the European Parliament published a study on the SFDR. The study was provided by the Policy Department for Economic, Scientific and Quality of Life Policies at the request of the Committee on Economic and Monetary Affairs.
The SFDR is the centerpiece of the sustainable finance strategy for funds and other financial products. However, its provisions are too complex and don’t interact effectively with provisions shaping corporate reporting, indexes, or client preferences. The study states that a revised SFDR should aim to include more recognizable product labels or categories which will: enable transition investments; smoothly interact with corporate reporting; and expand the scope of disclosure obligations.
- The European Securities and Markets Authority (ESMA) issues Public Statement on the European Sustainability Reporting Standards (ESRS)
On July 5, 2024, ESMA published a statement on the ESRS in addition to its final report on the guidelines on enforcement of sustainability information. The public statement on the first application of the ESRS acknowledges the significant changes for the sustainability reporting practices due to the new EU requirements.
Both the statement and the report underline the areas of focus for in-scope companies preparing to issue their first sustainability statements due to be published in 2025 in accordance with the Corporate Sustainability Reporting Directive (CSRD). Significant points include the establishment of governance arrangements and internal controls, designing and conducting materiality assessments, and creating connectivity between financial and sustainability information.
- Corporate Sustainability Due Diligence Directive (CSDDD) published in Official Journal
On July 5, 2024, the Official Journal of the European Union published the CSDDD, following its adoption by the European Parliament and the Council of the EU earlier this year. The CSDDD introduces a due diligence duty on large EU companies and non-EU companies with significant EU activity to address adverse human rights and environmental impacts in their own operations, their subsidiaries and their supply chains.
EU member states must transpose the CSDDD rules into national measures by July 26, 2026.
From July 26, 2027, the CSDDD measures will become applicable in stages, based on whether the company is based in the EU, its number of employees and turnover.
Companies can start to prepare by:
- conducting risk assessments to identify actual and potential adverse impacts within their own operations, subsidiaries and value chains;
- adopting measures to prevent or where this is not possible, minimize the identified adverse impacts; and
- preparing suitable and fair contractual assurances to be included in direct and indirect business partner agreements.
- New monitoring rules agreed for the EU Emissions Trading System (ETS)
On August 29, 2024, EU Member States represented in the Climate Change Committee endorsed an amendment to the Monitoring and Reporting Regulation proposed by the Commission.
The revisions agreed introduce zero-rating of emissions from the combustion of renewable fuels of non-biological origin, recycled carbon fuels and synthetic low carbon fuels in the EU ETS, subject to compliance with the criteria set out in the Renewable Energy Directive, ensuring that such emissions are properly accounted for.
The changes to the rules also include zero-rating of biomass fuels concerning the use of a recently established EU-wide database; detailed monitoring and reporting requirements for alternative aviation fuels; harmonization of small emitter thresholds; and monitoring and reporting requirements for non-CO2 aviation effects per flight.
- The Association for Financial Markets in Europe (AFME) calls for UK’s green alignment with EU on its partnerships with the financial sector to deliver green growth
In its new paper, published last month, the AFME welcomed the UK’s new Labour government’s plans to make the UK a leading center for green finance while simultaneously encouraging the government to recognize that, in order to create opportunities for finance and investment to support green growth, conditions need to be in place to enable the real economy to transition. The AFME recommended that the government prioritize: (i) progression of UK Sustainability Reporting Standards which are aligned with the standards developed by the International Sustainability Standards Board; (ii) consulting on the adoption of transition plan disclosures for listed and unlisted companies; and (iii) following up on the recommendations of the Transition Finance Market Review to facilitate transition finance.
Further AFME recommendations include: (i) scaling up the role of blended finance; (ii) linkage of the UK ETS with the EU ETS; and (iii) before moving forward with delivering a UK Green Taxonomy, wide engagement with companies and financial institutions to ensure that there is a clear use case for one.
- The European Securities and Markets Authority (ESMA) publishes Guidelines on funds’ names using ESG or sustainability-related terms
On August 21, 2024, ESMA, the EU’s financial markets regulator and supervisor, published the translations in all official EU languages of its Guidelines on funds’ names using ESG or sustainability-related terms. The Guidelines are aimed at ensuring that investors are protected against unsubstantiated or exaggerated sustainability claims in fund names, and at providing asset managers with clear and measurable criteria to assess their ability to use ESG or sustainability-related terms in fund names. The Guidelines will start to apply on November 21, 2024. Funds created on or after such date will be immediately subject to the Guidelines, while existing funds will be entitled to a six-month transitional period. By October 21, 2024, national competent authorities must notify ESMA whether they: (i) comply; (ii) do not comply, but intend to comply; or (iii) do not comply and do not intend to comply with the Guidelines.
- U.S. Attorneys General seek answers from asset managers regarding support for environmental shareholder proposals
On August 29, a group of 24 attorneys general sent letters targeting the “twenty-five large asset managers . . . who”—between 2020 and 2023—had “voted 75% or more of the time” in support of proposals that Institutional Shareholder Services (ISS) had recommended votes “for” and which Ceres had flagged in its climate-related proposals database. The letter raises concerns that these asset managers had failed in their fiduciary duties by outsourcing their voting responsibilities to ISS or others.
- Large asset managers report declining support for environmental and social shareholder proposals during 2024 proxy season
On August 29, Vanguard released its 2024 U.S. Regional Brief disclosing its investment stewardship activities for the past proxy season. Vanguard-advised funds supported none of the 400 environmental and social shareholder proposals considered at U.S. portfolio companies’ meetings. The lack of support was attributed to Vanguard determining that “the proposals did not address financially material risks to shareholders,” “were overly prescriptive in their requests,” or repeated “previously filed proposals that companies [had] taken action to address.” Vanguard also noted that in some cases, it did not find a governance practice or disclosure gap that the proposal would address.
On August 14, BlackRock released its 2024 Investment Stewardship Voting Spotlight regarding its proxy voting and engagement activities in the most recent proxy season. BlackRock supported only 20 of the 493 global environmental and social proposals it voted on during the 2024 proxy season, as a “majority of [such] proposals . . . were overreaching, lacked economic merit, or sought outcomes that were unlikely to promote long-term shareholder value.” BlackRock also noted that some proposals concerned risks that companies had already addressed. The month before, BlackRock released new Climate and Decarbonization Stewardship Guidelines describing its approach to voting “on behalf of funds with explicit decarbonization or climate-related investment objectives.”
For more information on trends from the 2024 proxy season, including shareholder proposals, see our recent client alert.
- Indiana sends BlackRock cease and desist order
On August 23, the office of the Secretary of State, Securities Division of Indiana issued a cease and desist order naming several BlackRock entities as engaged in alleged securities fraud in violation of Indiana law. In particular, the order alleges BlackRock made “various untrue statements of material fact” regarding its use and implementation of ESG standards. BlackRock had previously been placed on a watch list by the state’s Treasurer following the enactment of a law prohibiting the state’s public retirement system from investing assets with firms that use ESG principles in investment decisions.
- Interfaith Center on Corporate Responsibility (ICCR) asks Business Roundtable for information on its opposition to the SEC’s climate rules
On August 22, 2024, ICCR announced it had sent a letter to the Business Roundtable (BRT) regarding the amicus brief it filed in June 2024 opposing the SEC’s climate rules. In particular, ICCR noted that the BRT’s position in the brief did “not appear to be aligned with the positions and values of many BRT members” and sought more information about the “governance process” that led to the brief’s submission.
- Missouri Court strikes down anti-ESG investment rules
On August 14, 2024, a federal district court in Missouri granted summary judgment and a permanent injunction in favor of the Securities Industry and Financial Markets Association (SIFMA) in its challenge to certain state anti-ESG investment rules. The rules had required securities professionals and firms to collect signed consent forms from investors in the state before including social or nonfinancial objectives in investment advice or securities recommendations. The court held the rules were preempted by federal law and violated the First and Fourteenth Amendments.
- Additional briefing submitted in U.S. Securities and Exchange Commission (SEC) climate rules litigation
On August 6, the SEC filed its consolidated response brief in the multi-district litigation challenging the climate-related disclosure rules adopted last Spring (and summarized here). The SEC asserted it had sufficient Congressional authority to adopt the rules; that it complied with the requirements of the Administrative Procedure Act when proposing and adopting the rules; and that the rules are consistent with the First Amendment of the U.S. Constitution. Filings by amici both in support and in opposition to the climate rules were subsequently filed on August 19, 2024. Oral argument has not yet been scheduled.
- California State Teachers’ Retirement System (CalSTRS) reports climate-related expectations for portfolio companies and 2024 climate-related voting
On August 1, CalSTRS reported that during the 2024 proxy season, it had focused on climate risk disclosure and voted against the boards of directors at more than 2,250 companies. The press release also summarized the pension fund’s expectation that portfolio companies:
- publish sustainability-related disclosure aligned with the International Financial Reporting Standards;
- disclose Scope 1 and Scope 2 greenhouse gas emissions; and
- for high-emitting companies, including those on the Climate Action 100+ list, set “appropriate targets to reduce GHG emissions.”
- ISS and Glass Lewis release 2024 policy surveys
On August 1, ISS Governance opened its annual benchmark policy survey, soliciting investor views on environmental and social topics such as Scope 3 GHG emission reduction target disclosure and the relevant factors to consider for climate- and workforce-diversity-related shareholder proposals. Responses were due by September 5, 2024.
Glass Lewis opened its 2024 policy survey in July. ESG-related questions focused on whether companies should consider transitioning to a B Corporation; if it is appropriate for an entity’s financial auditor to also be responsible for sustainability reporting assurance; what factors are relevant when voting on Say on Climate proposals or shareholder proposals more generally; whether the identity of a shareholder proposal proponent is relevant in voting decisions; whether information related to climate transition strategies and oversight would be helpful in proxy reports; and what factors would drive a vote against non-financial reporting by certain EU countries. Responses were due by August 30, 2024.
The results of these surveys are expected to inform future updates of ISS and Glass Lewis policies, research, and vote recommendations.
- ISS ESG announces new emission intensity solution
On July 31, ISS ESG announced its new industry average emission intensity data as an addition to its current climate solutions offering. The data focuses on supporting insurance companies and banks in their compliance with mandatory disclosures on climate matters.
- Republican lawmakers send letter to Climate Action 100+ signatories
On July 30, the chairmen of the House Judiciary Committee and the Subcommittee on the Administrative State, Regulatory Reform and Antitrust issued a press release regarding letters they sent to over 130 government pension programs, companies, and retirement systems seeking information as to “their involvement with the woke ESG cartel Climate Action 100+.”
- SEC issues Spring 2024 regulatory agenda
On July 8, the SEC released its Spring 2024 regulatory agenda. Compared to the Fall 2023 agenda, the SEC delayed proposed rules on human capital management from April 2024 to October 2025 and proposed rules on corporate board diversity from October 2024 to April 2025. The agenda also pushed back the timing for adoption of final rules seeking disclosure requirements from investment companies and advisers on ESG factors from April 2024 to October 2024. These timeframes are not hard deadlines for future SEC rulemaking, and the SEC retains flexibility to change this timing further in future agendas.
In case you missed it…
The Gibson Dunn Workplace DEI Task Force has published its updates for July and August summarizing the latest key developments, media coverage, case updates, and legislation related to diversity, equity, and inclusion.
- Climate Bonds Initiative (CBI) and the Institute for Global Environmental Strategies (IGES) develop a Transition Strategies Toolkit
On July 29, 2024, CBI and IGES collaboratively released the Transition Strategies Toolkit, a guidance tool based on scientific evidence to promote transition finance in Japanese industries. The toolkit provides guidance for Japanese companies to develop and implement credible, science-based transition plans and for investors to promote investments that support the transition to decarbonization. The Transition Strategy Toolkit builds on the Guidance for Assessing Transition Plans published by CBI in 2023 which outlined key features and frameworks for reliable transition planning. Based on this guidance, the Transition Strategy Toolkit is primarily intended to promote understanding of the basic characteristics and elements that Japanese companies should incorporate when developing transition plans in response to climate change.
- Australia’s opposition party calls for an end to the country’s nuclear energy ban
Australia’s opposition party has called for a change in the law to reverse the country’s 1998 ban on nuclear power and has instead pledged commitment to the construction of new nuclear plants. The current government is focused on the rapid phase-out of coal and scale-up of renewable energy sources, passing legislation which targets: a 43% cut in carbon emissions from 2005 levels by 2030; net zero emissions by 2050; and delivery of 82% of electricity from renewable sources by 2030. The government has described the opposition’s nuclear aspirations as too expensive, too slow to build and too risky. Energy policy is likely to remain a prominent issue in Australia in the lead up to next year’s election.
- China voices its opposition to the European Union Deforestation Regulation (EUDR)
The EUDR, which is set to take effect in December 2024 and is designed to limit deforestation, requires geolocational data for all forest products imported into the EU. China, a key supplier of forest products such as timber, paper and pulp, has recently voiced its opposition, citing security concerns with the sharing of such data. A potential withdrawal of China from compliance with the EUDR could materially disrupt global supply chains. This development follows resistance from the US, which is pushing for delayed implementation of the EUDR on the basis that it will impose “impossible standards” and act as a non-tariff trade barrier.
Please let us know if there are other topics that you would be interested in seeing covered in future editions of the monthly update.
Warmest regards,
Susy Bullock
Elizabeth Ising
Perlette M. Jura
Ronald Kirk
Michelle M. Kirschner
Michael K. Murphy
Selina S. Sagayam
Chairs, Environmental, Social and Governance Practice Group, Gibson Dunn & Crutcher LLP
For further information about any of the topics discussed herein, please contact the ESG Practice Group Chairs or contributors, or the Gibson Dunn attorney with whom you regularly work.
The following Gibson Dunn lawyers prepared this update: Lauren Assaf-Holmes, Natalie Lamb, Georgia Derbyshire, Magdalena Augé, Alex Eldredge*, Elizabeth Ising, Cynthia Mabry, Michelle Kirschner and Selina S. Sagayam.
Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Environmental, Social and Governance practice group:
Environmental, Social and Governance (ESG):
Susy Bullock – London (+44 20 7071 4283, sbullock@gibsondunn.com)
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, eising@gibsondunn.com)
Perlette M. Jura – Los Angeles (+1 213.229.7121, pjura@gibsondunn.com)
Ronald Kirk – Dallas (+1 214.698.3295, rkirk@gibsondunn.com)
Michelle Kirschner – London (+44 20 7071 4212, mkirschner@gibsondunn.com)
Michael K. Murphy – Washington, D.C. (+1 202.955.8238, mmurphy@gibsondunn.com)
Selina S. Sagayam – London (+44 20 7071 4263, ssagayam@gibsondunn.com)
*Alex Eldredge, a trainee solicitor in the London office, is not admitted to practice law.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
This edition of Gibson Dunn’s Federal Circuit Update for August 2024 summarizes the current status of petitions pending before the Supreme Court and recent Federal Circuit decisions concerning obviousness-type double patenting, Article III standing, and attorneys’ fees under Section 285.
Federal Circuit News
Noteworthy Petitions for a Writ of Certiorari:
There were no new potentially impactful petitions filed before the Supreme Court in August 2024. We provide an update below of the petitions pending before the Supreme Court that were summarized in our July 2024 update:
- In United Therapeutics Corp. v. Liquidia Technologies, Inc. (US No. 23-1298), after the respondent waived its right to respond, a response was requested by the Court. The response brief was filed on August 27, 2024, and the reply brief was filed on September 10, 2024.
- In Chestek PLLC v. Vidal (US No. 23-1217), the response brief was filed on August 14, 2024, and the reply brief was filed on August 29, 2024. Five amicus curiae briefs had been filed.
- In Cellect LLC v. Vidal (US No. 23-1231), the response brief was filed on August 21, 2024, and the reply brief was filed on September 4, 2024. An additional amicus curiae brief was also filed on August 21, 2024. A total of eight amicus curiae briefs have now been filed.
All three petitions will be considered during the Court’s September 30, 2024 conference.
Other Federal Circuit News:
Release of Materials in Judicial Investigation. The Federal Circuit released additional materials in connection with the proceeding under the Judicial Conduct and Disability Act and the implementing Rules involving Judge Pauline Newman. The materials may be accessed here. In particular, the Judicial Council of the Federal Circuit has ordered that Judge Newman “not be permitted to hear or participate in any cases . . . for a period of one year beginning with the issuance of this Order.”
Notice of Proposed Amendments to Federal Circuit Rules of Practice. The Federal Circuit has published proposed amendments to the Federal Circuit Rules of Practice available here. Here is a summary of some of the proposed amendments:
- Amending Rule 15 to extend the time to appeal from the Secretary of Veterans Affairs from 60 days to 6 years.
- Amending Rule 30 to require parties to add information in the submitted appendices designating how a document was designated at the reviewed tribunal (such as docket numbers).
- Combining Rule 35 regarding en banc rehearing with Rule 40 regarding panel rehearing.
Public comments must be received on or before October 4, 2024.
Upcoming Oral Argument Calendar
The list of upcoming arguments at the Federal Circuit is available on the court’s website.
Key Case Summaries (August 2024)
Allergan USA, Inc. et al. v. MSN Laboratories Private Ltd. et al., No. 2024-1061 (Fed. Cir. Aug. 13, 2024): Allergan markets and sells eluxadoline tablets under the brand name Viberzi®. Allergan owns patents that cover the drug compound and composition. The first-filed application issued as the ‘356 patent and had a total patent term adjustment (PTA) of 467 days. Continuing applications were filed claiming the same priority date as the ‘356 patent, which issued as the ‘011 and ‘709 patents. The ‘011 and ‘709 patents did not receive any PTA, and each was therefore set to expire before the ‘356 patent. Defendant argued based on In re Cellect, LLC, 81 F.4th 1216 (Fed. Cir. 2023), that the ‘011 and ‘709 patents were obviousness-type double patenting (ODP) references that rendered the ‘356 patent invalid. The district court agreed.
The Federal Circuit (Lourie, J., joined by Dyk and Reyna, JJ.) reversed. The Court held that a “first-filed, first-issued, later-expiring claim” cannot “be invalidated by a later-filed, later-issued, earlier-expiring reference claim having a common priority date.” The Court explained that a contrary result would be “antithetical to the principles of ODP,” which is “to prevent patentees from obtaining a second patent on a patentably indistinct invention to effectively extend the life of a first patent to that subject matter.”
(Judge Dyk concurred on the ODP issue but dissented with respect to other issues addressed by the Court.)
A more detailed summary of this case may be found here.
Platinum Optics Technology Inc. v. Viavi Solutions Inc., No. 23-1227 (Fed. Cir. Aug. 16, 2024): Viavi sued Platinum Optics (PTOT) alleging infringement in two civil actions on a patent directed to optical filters including layers of hydrogenated silicon and sensor systems comprising such optical filters. PTOT then petitioned for inter partes review (IPR), and the Patent Trial and Appeal Board (Board) concluded that PTOT failed to prove that the challenged claims were unpatentable. PTOT challenges the Board’s decision in this appeal. However, before the Board issued its final written decision, Viavi’s patent infringement claims regarding the challenged patent were dismissed with prejudice in both district court cases.
The Federal Circuit (Cecchi, J. (district judge sitting by designation), joined by Moore, C.J., and Taranto, J.) dismissed the appeal for lack of standing. Although a party does not need Article III standing to appear before an agency, PTOT failed to show it had standing to seek judicial review of the agency’s final action in federal court. In particular, the Court concluded that PTOT could not show that it had suffered an injury in fact, because it had not established there were concrete plans for future activity that created a substantial risk of infringement. The Court determined that a Viavi letter that stated Viavi did “not believe” PTOT could fulfill its supply agreements without infringing was mere speculation and insufficient to show a substantial risk of future infringement. Moreover, this letter was sent prior to the start of the district court cases, and the relevant claims had been dismissed with prejudice. The Court also determined that PTOT’s declaration regarding the continued development of new bandpass filters failed to identify any concrete plans that would implicate the challenged patent.
Realtime Adaptive Streaming LLC v. Sling TV, LLC, No. 23-1035 (Fed. Cir. August 23, 2024): Realtime sued DISH and related Sling entities for infringing patents directed to digital data compression. Over the next six years, a series of events related to determinations of ineligibility or invalidity of the asserted patent and its related patents occurred in various forums, leading the district court to ultimately find the asserted claims of the asserted patent ineligible. While that determination of ineligibility was on appeal, the district court granted DISH’s motion for attorneys’ fees, highlighting six events that it considered “red flags,” finding that “Realtime’s dogged pursuit of the case notwithstanding those danger signals render[ed] this an exceptional case.”
The Federal Circuit (Albright, J. (district judge sitting by designation), joined by Moore, C.J. and Lourie, J.) vacated and remanded. The Court determined that, although the district court did not err in giving weight to the decisions from two different district courts in determining that certain claims of a related patent were ineligible (one of the “red flags”), the district court erred in giving weight to the other five red flags. The Court determined that the district court erred in finding that the Adaptive Streaming decision from the Federal Circuit should have put Realtime on notice that its patent claims were meritless. The Court explained that Adaptive Streaming was about technology that was different from that claimed in the asserted patent. The Court also determined that the district court failed to explain why the final written decisions from the Board invalidating certain claims of a related patent and non-final office actions rejecting claims of the asserted patents were relevant to its decision to award attorneys’ fees. The Court next explained that a notice letter DISH had sent to Realtime contained “no analysis sufficient to put the patentee on notice that its arguments regarding ineligibility are so meritless as to amount to an exceptional case.” “Simply being on notice of adverse case law and the possibility that opposing counsel would pursue 285 fees does not amount to clear notice” that the claims in question were invalid and therefore did not support a finding of exceptionality. Finally, the Court held that the district court erred in finding that the opinions of DISH’s expert regarding noninfringing alternatives should have put Realtime on notice that its arguments “were so without merit as to amount to an exceptional case.”
The following Gibson Dunn lawyers assisted in preparing this update: Blaine Evanson, Kate Dominguez, Jaysen Chung, Audrey Yang, Vivian Lu, Julia Tabat, and Michelle Zhu.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups, or the following authors:
Blaine H. Evanson – Orange County (+1 949.451.3805, bevanson@gibsondunn.com)
Audrey Yang – Dallas (+1 214.698.3215, ayang@gibsondunn.com)
Appellate and Constitutional Law:
Thomas H. Dupree Jr. – Washington, D.C. (+1 202.955.8547, tdupree@gibsondunn.com)
Allyson N. Ho – Dallas (+1 214.698.3233, aho@gibsondunn.com)
Julian W. Poon – Los Angeles (+ 213.229.7758, jpoon@gibsondunn.com)
Intellectual Property:
Kate Dominguez – New York (+1 212.351.2338, kdominguez@gibsondunn.com)
Y. Ernest Hsin – San Francisco (+1 415.393.8224, ehsin@gibsondunn.com)
Josh Krevitt – New York (+1 212.351.4000, jkrevitt@gibsondunn.com)
Jane M. Love, Ph.D. – New York (+1 212.351.3922, jlove@gibsondunn.com)
From the Derivatives Practice Group: This week, there were developments in the election event contracts case in the DC District Court and the DC Circuit Court and the CFTC amended exemptions from certain compliance requirements for commodity pool operators, commodity trading advisors, and commodity pools, which had not been amended since 1992.
New Developments
- DC Circuit Court Orders Temporary Stay Suspending Trading on Election Contracts. On September 12, the United States Court of Appeals for the District of Columbia Circuit (the “DC Circuit Court”) ordered a temporary stay suspending trading on election contracts offered by KalshiEx LLC (“KalshiEx”) “to give the court sufficient opportunity to consider the emergency motion for stay pending appeal.” Prior to the temporary stay from the DC Circuit Court, the United States District Court for the District of Columbia (the “DC District Court”) overturned an order blocking KalshiEx from allowing election contract trading on its platform and denied the CFTC’s request for a stay pending appeal. KalshiEx filed a response to the CFTC’s emergency motion on September 12 and the CFTC’s reply is due to the DC Circuit Court by 6:00 pm on September 14. [NEW]
- CFTC Approves Final Rule Regarding Exemptions from Certain Compliance Requirements for Commodity Pool Operators, Commodity Trading Advisors, and Commodity Pools. On September 12, the CFTC published a final rule that amends CFTC Regulation 4.7, a provision that provides exemptions from certain compliance requirements for commodity pool operators (“CPOs”) regarding commodity pool offerings to qualified eligible persons (“QEPs”) and for commodity trading advisors (“CTAs”) regarding trading programs advising QEPs. The final rule amends various provisions of the regulation that have not been updated since the rule’s original adoption in 1992. Specifically, the final rule: (1) increases the monetary thresholds outlined in the “Portfolio Requirement” definition that certain persons may use to qualify as Qualified Eligible Persons; (2) codifies exemptive letters allowing CPOs of Funds of Funds operated under Regulation 4.7 to choose to distribute monthly account statements within 45 days of the month-end; (3) includes technical amendments designed to improve its efficiency and usefulness for intermediaries and their prospective and actual QEP pool participants and advisory clients, as well as the general public; and, (4) updates citations within 17 CFR Part 4, and throughout the CFTC’s rulebook, to reflect the new structure of Regulation 4.7. [NEW]
- CFTC Staff Issues No-Action Letter Related to Reporting and Recordkeeping Requirements for Fully Collateralized Binary Options. On September 4, 2024, the CFTC announced the Division of Market Oversight (“DMO”) and the Division of Clearing and Risk have taken a no-action position regarding swap data reporting and recordkeeping regulations in response to a request from LedgerX LLC d/b/a MIAX Derivatives Exchange LLC (“MIAXdx”), a designated contract market and derivatives clearing organization. The Divisions will not recommend the CFTC initiate an enforcement action against MIAXdx or its participants for certain swap-related recordkeeping requirements and for failure to report data associated with fully collateralized binary option transactions executed on or subject to the rules of MIAXdx to swap data repositories. The no-action letter is comparable to no-action letters issued for other similarly situated designated contract markets and derivatives clearing organizations.
- CFTC Grants Kalshi Klear LLC DCO Registration. On August 29, the CFTC announced it has issued Kalshi Klear LLC (“Kalshi”) an Order of Registration as a derivatives clearing organization (“DCO”) under the Commodity Exchange Act. Kalshi’s affiliate, KalshiEx LLC, is registered with the CFTC as a designated contract market.
- CFTC Staff Extends Brexit-Related No-Action Positions. On August 29, the CFTC’s DMO and Market Participants Division (“MPD”) announced they are extending temporary no-action positions in connection with the withdrawal of the United Kingdom (“UK”) from the European Union (“EU”), known as Brexit. In addition, DMO is amending its no-action position to include two additional multilateral trading facilities (“MTFs”) authorized in the UK. The no-action position was also amended to remove an MTF and an organized trading facility because the facilities are no longer authorized in the UK.
- CFTC Staff Issues No-Action Letter for EU-Based and UK-Based DCOs Regarding Certain Requirements Applicable to DCOs. On August 23, the CFTC’s Division of Clearing and Risk (“DCR”) issued a no-action letter to address the applicability of certain CFTC regulations to registered DCOs based in either the EU or the UK. This letter replaces CFTC Letter 16-26, which applied only to EU-based DCOs and was issued in 2016 as part of the CFTC’s response to the EU equivalence determination with regard to the CFTC’s regulatory framework for DCOs. DCR has updated CFTC Letter 16-26 to explicitly apply it to UK-based DCOs post-Brexit.
New Developments Outside the U.S.
- ESAs Warn of Risks From Economic and Geopolitical Events. On September 10, the three European Supervisory Authorities (“ESAs”) issued their Autumn 2024 Joint Committee Report on risks and vulnerabilities in the EU financial system. In the report, the ESAs underlined ongoing high economic and geopolitical uncertainties, warned of the financial stability risks that they believe stem from these uncertainties and called for continued vigilance from all financial market participants. For the first time, the report also includes a cross-sectoral deep dive into credit risks in the financial sector. [NEW]
- EC Publishes Draghi Report on the Future of European Competitiveness. On September 9, the European Commission (“EC”) published a report, Future of European Competitiveness, authored by former Italian prime minister and head of the European Central Bank Mario Draghi. The report, which was commissioned by EC president Ursula von der Leyen, outlines the EU’s new industrial strategy. Part A of the report outlines the overarching strategy, while Part B discusses sectoral and horizontal policies and related recommendations in more detail. The report covers topics that include energy derivatives, sustainable finance, EU supervision, Basel framework, and collateral. The EC president indicated that she will aim to form a cabinet, with related mission letters that she expects to cover certain aspects of the report as part of future EU policies. [NEW]
- MAS Updates FAQs on OTC Derivatives Reporting Regulations. On September 4, the Monetary Authority of Singapore (“MAS”) further updated the Frequently Asked Questions (FAQs) on the Securities and Futures (Reporting of Derivatives Contracts) Regulations 2013. MAS indicated that the FAQs are to aid implementation of the reporting obligations and elaborate on its intentions for some of the requirements. The new Singapore reporting rules will take effect on October 21, 2024. [NEW]
- Markets Increasingly Sensitive After Strong Performance in Early 2024. On August 29, ESMA published its second risk monitoring report of 2024, setting out the key risk drivers currently facing EU financial markets. The report stated that external events continue to have a strong impact on the evolution of financial markets, and ESMA also sees high or very high overall risks in the markets within its remit.
New Industry-Led Developments
- ISDA Responds to Australia’s CFR on Bonds and Repo Clearing. On September 4, ISDA submitted a response to a consultation from Australia’s Council of Financial Regulators (“CFR”) on the central clearing of bonds and repos in Australia. In response to changes in the size and structure of the Australian bond and repo markets, the CFR sought feedback on the costs and benefits of introducing a central counterparty (“CCP”) in the Australian bond and repo markets. It also sought views on the circumstances under which a bond and repo CCP could be operated safely and efficiently by an overseas operator and what additional protections may be required in Australia. ISDA said that it welcomes the fact that the CFR is not considering the introduction of a clearing mandate. In its response, ISDA set out its opinion on the costs and benefits of voluntary central clearing for the Australian bond and repo markets. ISDA also commented on participation and other factors to consider for a bond and repo clearing offering to be viable. On location, the response states it is not uncommon for an overseas operator to provide clearing services related to non-domestic markets and ISDA indicated that it does not see any increased risk for an overseas operator to provide clearing services for the Australian bond and repo markets, as long as the overseas CCP is appropriately supervised and risk-managed. [NEW]
- ISDA Suggested Operational Practice “P43 Reporting of Post-Trade Events: Trades with no prior P43 Reporting.” On September 5, ISDA republished a Suggested Operational Practice (“SOP”) from July 2024 on approaches (e.g., for partial or full unwinds, partial or full novation, or partial or full exercises) under the CFTC amendments for allocated trades. The SOP recommends reporting the first Part 43 reportable post-trade event on an allocated trade with Action type “NEWT” and Event type “TRAD.”
- ISDA and IIF Respond to BCBS Consultation on CCR Management. On August 28, ISDA and the Institute of International Finance (“IIF”) submitted a joint response to the Basel Committee on Banking Supervision’s (“BCBS”) consultation on guidelines for counterparty credit risk (“CCR”) management. The new guidelines represent an update to the Sound Practices for Banks’ Interactions with Highly Leveraged Institutions, published in January 1999, to incorporate recent lessons and best practices. In the response, the associations stress the guidelines should be risk-based and proportional, considering a diverse universe of counterparties and financial markets across the world. The associations stated that they believe a common understanding and coordination between central banks, supervisors and banks can enhance the effectiveness of CCR practices.
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)
Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)
Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)
Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)
Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)
Adam Lapidus, New York (212.351.3869, alapidus@gibsondunn.com)
Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)
William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)
Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com)
Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)
Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)
Gibson Dunn’s Workplace DEI Task Force aims to help our clients develop creative, practical, and lawful approaches to accomplish their DEI objectives following the Supreme Court’s decision in SFFA v. Harvard. Prior issues of our DEI Task Force Update can be found in our DEI Resource Center. Should you have questions about developments in this space or about your own DEI programs, please do not hesitate to reach out to any member of our DEI Task Force or the authors of this Update (listed below).
Key Developments:
On August 29, 2024, America First Legal Foundation (AFL), the conservative organization founded and run by former Trump policy advisor Stephen Miller, sent a letter to Jeremy Gosch, CEO of Hy-Vee, Inc., demanding that the supermarket chain terminate its “Hy-Vee OpportUNITY Inclusive Business Summit’s Pitch Competition,” through which Hy-Vee pledged to give $50,000 to local minority and women-owned businesses in Iowa and the surrounding states. The competition is open to businesses with “at least 51% ownership, operation and control by the [] diversity classifications defined by the Small Business Administration[, including] minority, women, and/or other disadvantaged populations.” AFL alleges that the program unlawfully limits eligibility by race and gender and precludes “white and/or male” individuals from participating, in violation of 42 U.S.C. § 1981.
On September 3, 2024, AFL announced that it had filed a federal civil rights complaint with the EEOC against Williams-Sonoma, Inc., alleging that the company sets diversity goals for hiring and promotion based on race and sex, in violation of Title VII. AFL also sent a letter to Williams-Sonoma’s board of directors demanding that the company end its allegedly discriminatory practices. The complaint references the company’s 2024 Annual Report, which states that its Equity Action Plan has led to approximately 68.1% of the workforce identifying as female and about 41.1% identifying as a member of an ethnic minority group. AFL contends that the Equity Action Plan illegally tracks and sets goals for diversity among employees and board members. The complaint also criticizes statements on the company’s website, including a goal to “consciously increase Black representation among our vendors, partners, and collaborators.” Williams-Sonoma has yet to respond to AFL’s complaint.
Several elite colleges and universities in the United States have reported a decline in enrollment of minority students following the Supreme Court’s SFFA decision striking down affirmative action in college admissions. Harvard University, Amherst College, Tufts University, and the Massachusetts Institute of Technology (MIT) all reported a decrease in the percentage of Black students enrolled. At MIT, for example, the percentage of incoming Black students dropped from 15% to 5%. In addition, the percentage of Latino students decreased from 16% to 11%, while the percentages of white and Asian American students increased.
Media Coverage and Commentary:
Below is a selection of recent media coverage and commentary on these issues:
- Washington Post, “Fearless Fund settles with DEI foes, ends grant program for Black women” (September 11): The Washington Post’s Julian Mark and Taylor Telford report on the settlement between Fearless Fund, a venture capital firm started by Black women to invest in businesses owned by women of color (represented by Gibson Dunn, among others), and the American Alliance for Equal Rights (AAER), a conservative nonprofit organization. Mark and Telford say that, as part of the agreement, Fearless Foundation has decided to permanently close its Fearless Strivers grant contest, which previously awarded $20,000 grants to Black female-owned businesses. AAER, led by conservative activist Edward Blum, sued Fearless Fund on August 2, 2023, alleging discrimination against non-Black businesspeople. Alphonso David, one of Fearless Fund’s attorneys, described the settlement as “narrow,” and said that Fearless Fund’s intent was to limit the case’s impact to the Eleventh Circuit. Civil rights activist Reverend Al Sharpton, who has supported Fearless Fund since the outset, described the settlement as a “sacrifice,” commenting that “if we had fought, and Blum and them wanted to go all the way to the Supreme Court, we’d have lost the fight for generations.”
- Wall Street Journal, “Fearless Fund Shuts Down Grant Program for Black Founders After Legal Settlement; The outcome of a legal battle with Edward Blum’s organization is a setback for diversity efforts in venture capital” (September 11): Yuliya Chernova of The Wall Street Journal reports on the closure of Fearless Foundation’s grant program for Black female entrepreneurs, which comes as part of a legal settlement with the American Alliance for Equal Rights. Chernova notes that the settlement has prompted concerns about the potential impact on other initiatives aimed at diversifying the venture capital industry. According to Chernova, venture-backed startups remain predominantly led by white men, and U.S. companies with at least one female founder have secured just 22.6% of all venture funding. Edward Blum, president of AAER, commented that “race-exclusive programs like the one the Fearless Fund promoted are divisive and illegal. Opening grant programs to all applicants, regardless of their race, is enshrined in our nation’s civil rights laws and supported by significant majorities of all Americans.” In response, Arian Simone, CEO of Fearless Fund, affirmed that her organizations will continue their efforts to help under-resourced entrepreneurs despite the program’s closure.
- Financial Times, “Meet Robby Starbuck, the anti-woke activist who is shaking up boardrooms” (September 6): Taylor Nicole Rogers of The Financial Times reports on conservative activist Robby Starbuck’s recent campaigns against corporate DEI initiatives. Known for his social media campaigns against a number of companies, Starbuck has now turned his focus to Molson Coors, the maker of Coors Light and Miller beers. As a result of his efforts, Rogers says that Molson Coors announced that it would no longer participate in the Human Rights Campaign’s scoring system, which rates companies based on LGBTQ+ inclusion in the workspace, and that the company will eliminate its supplier-diversity goals. Rogers reports that Starbuck, who engages his 600,000 followers on X and employs two staff members to research companies’ diversity efforts, has shifted his focus from companies with conservative customer bases to those with more neutral or diverse audiences. According to Starbuck, “The situation these companies are facing is a very different new world where I have a direct line to a sizeable portion of their customers. These customers are engaged and they now understand something very important: their wallets are a weapon.”
- Bloomberg, “Investors Craft Counterattacks After Influencer’s Anti-DEI Blitz” (September 6): Bloomberg’s David Hood reports on the efforts by shareholder groups to reinstate DEI commitments at companies that have been targeted by conservative activist Robby Starbuck. Hood says that these groups are exploring a range of strategies—from proxy proposals to litigation—to restore DEI policies at companies attacked by Starbuck. Andy Behar, CEO of shareholder advocacy group As You Sow, indicated that his organization is considering helping investors launch campaigns to replace board members at companies that reversed course on DEI. Additionally, Brad Lander, New York City’s Comptroller, who oversees funds totaling nearly $500 million across seven companies targeted by Starbuck, stated that companies yielding to Starbuck’s demands should be “on notice” and warned that “we’re not going to stand by as folks with no track record in investing try to roll back proven strategies for advancing diversity of companies across the economy in effective ways.”
- Wall Street Journal, “Molson Coors Rolls Back DEI Initiatives” (September 3): The Wall Street Journal’s Joseph Pisani reports that Molson Coors, the maker of Coors Light and Miller beers, has decided to pull back on its diversity policies and initiatives. The company announced that it would no longer participate in the Human Rights Campaign’s scoring system, which rates companies based on LGBTQ+ inclusion in the workspace. Additionally, Pisani reports that Molson Coors will eliminate its supplier-diversity goals. Conservative activist Robby Starbuck claimed responsibility for the changes at Molson Coors, stating that he messaged company executives the week before the announcement. Molson Coors representatives indicated that this shift is intended to broaden its DEI efforts to ensure that all employees feel welcomed.
- CalMatters, “California may ban legacy admissions at colleges. The end of affirmative action is a reason why” (August 29): Mikhail Zinshteyn of CalMatters, a nonprofit news organization that covers California state politics and policies, reports that California’s legislature passed a bill on August 28, 2024, barring the state’s private nonprofit colleges from making admissions decisions based on whether family members of students donated money to the school or had attended the school themselves. If signed by Governor Newsom, California would join Illinois, Maryland, Virginia, and Colorado in banning legacy preferences in admissions at either public or private institutions. Currently, only six private colleges in California use legacy as a factor in admissions, while no public colleges in the state do. If the bill becomes law, schools will be prohibited from considering an applicant’s legacy or donor connections in admissions decisions starting September 1, 2025. Zinshteyn reports that the bill is intended to serve as “a necessary corrective” to the Supreme Court’s ruling that banned colleges from using race as a factor in admissions. According to Democratic Assemblymember Phillip Ting, the bill is intended to “make sure that everyone’s getting in because of their own merit, because of their grades, their test scores, what they provide to that institution, not because of their pocketbooks, of their parents or their family members.”
- Forbes, “Chicago Bears Settle Lawsuit Over ‘Legal Diversity Fellow’ Role” (August 28): Forbes’ Chris Deubert reports that the Chicago Bears have confidentially settled a lawsuit filed by Jonathan Bresser, a law student at DePaul University College of Law. Bresser challenged the constitutionality of the team’s “Legal Diversity Fellow” program, which provided opportunities for local law students to work with the Bears’ legal team and DEI department on various goals and initiatives. Deubert reports that the fellowship was open only to law students who are women or persons of color. Bresser, who is a white male, applied for the fellowship in November 2023 but was not selected. He subsequently filed a lawsuit in the U.S. District Court for the Northern District of Illinois, alleging that the Bears and several of its employees violated Title VII and its Illinois equivalent by not hiring him based on his race and gender. According to the court records, the matter was settled on August 27, 2024.
Case Updates:
Below is a list of updates in new and pending cases:
1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:
- American Alliance for Equal Rights v. Southwest Airlines Co., No. 24-cv-01209 (N.D. Tex. 2024): On May 20, 2024, American Alliance for Equal Rights (AAER) filed a complaint against Southwest Airlines, alleging that the company’s ¡Latanzé! Travel Award Program, which awards free flights to students who “identify direct or parental ties to a specific country” of Hispanic origin, improperly discriminates based on race. AAER is seeking a declaratory judgment that the program violates Section 1981 and Title VI, a temporary restraining order barring Southwest from closing the next application period (set to open in March 2025), and a permanent injunction barring enforcement of the program’s ethnic eligibility criteria.
- Latest update: On August 22, 2024, Southwest filed a motion to dismiss, arguing that the case was moot because the company had signed a covenant with AAER that eliminated the challenged provisions from any and all future program application cycles. The program is now open to students who are “enrolled at a college/university located at least 200 miles from a student’s home” and is “not limited by race, ethnicity, or national origin.” On August 29, 2024, the court stayed proceedings in the case, pending resolution of Southwest’s motion to dismiss. Oral argument on the motion is scheduled for November 12, 2024.
2. Employment discrimination and related claims:
- Newman v. Elk Grove Education Association, No. 2:24-cv-01487 (E.D. Cal. 2024): On May 24, 2024, a white teacher at the Elk Grove Unified School District in Sacramento, California, sued the teachers’ union under Title VII and California law, after the District created an executive board position called the “BIPOC At-Large Director” open only to those who “self-identify” as “African American (Black), Native American, Alaska Native, Native Hawai’ian, Pacific Islander, Latino (including Puerto Rican), Asian, Arab, and Middle Eastern.” The plaintiff alleges that he is a union member who “wants to run for union office to address the District’s recent adoption of what he believes to be aggressive and unnecessary Diversity, Equity & Inclusion (‘DEI’) policies,” but is ineligible for this board seat because of his race.
- Latest update: On August 26, 2024, the defendant filed a motion to dismiss, arguing that the plaintiff’s claims are moot because the union “no longer has any position with any eligibility criteria that is based on race” and has replaced the BIPOC At-Large Director position with a new Racial Equity Director At-Large position that is open to all members regardless of race. The defendant also moved to dismiss the plaintiff’s claims for punitive damages, arguing that he had not pled any facts sufficient to show malice, reckless indifference, or oppression. Oral argument on the motion is scheduled for October 15, 2024.
- Harker v. Meta Platforms, Inc., No. 23-cv-7865 (S.D.N.Y. 2023): A lighting technician who worked on a set where a Meta commercial was produced sued Meta and a film producers association, alleging that their diversity initiative Double the Line (DTL) violated Title VII, Sections 1981 and 1985, and New York law. The plaintiff also claimed that he was retaliated against after raising questions about the qualifications of a coworker hired pursuant to the DTL initiative. On December 19, 2023, the defendants moved to dismiss the plaintiff’s first amended complaint. On January 25, 2024, the plaintiff filed his opposition to Meta’s motion.
- Latest update: On August 29, 2024, the court granted the defendants’ motions to dismiss for lack of standing. The court reasoned that because the plaintiff did not apply, attempt to apply, or even express interest in applying for a lighting technician position under the DTL program, he had not alleged any injury-in-fact sufficient to establish standing. The court further denied leave to amend the complaint and entered judgment closing the case.
3. Challenges to agency rules, laws and regulatory decisions:
- Do No Harm v. Lee, No. 3:23-cv-01175-WLC (M.D. Tenn. 2023): On November 8, 2023, Do No Harm sued Tennessee Governor Bill Lee under the Equal Protection Clause, seeking to enjoin a 1988 Tennessee law requiring the governor to “strive to ensure” that at least one board member of the six-member Tennessee Board of Podiatric Medical Examiners is a racial minority. On February 2, 2024, Governor Lee moved to dismiss the complaint for lack of standing. On August 8, 2024, the court granted Governor Lee’s motion to dismiss and entered judgment in the case, holding that Do No Harm had not demonstrated injury in fact.
- Latest update: On August 30, 2024, Do No Harm appealed the district court’s decision to the Sixth Circuit.
- Young Americans for Freedom v. United States Department of Education, No. 3:24-cv-00163 (D.N.D. 2024): On August 27, 2024, the University of North Dakota Chapter of Young Americans for Freedom (YAF) sued the U.S. Department of Education (DOE) over its McNair Post-Baccalaureate Achievement Program, a research and graduate studies grant program that supports incoming graduate students who are either low-income first-generation college students or “member[s] of a group that is underrepresented in graduate education.” Relevant federal regulations define these underrepresented groups as “Black (non-Hispanic), Hispanic, American Indian, Alaskan Native, Native Hawaiians, and Native American Pacific Islanders.” YAF alleges that the McNair program violates the Equal Protection Clause by restricting admission based on race, and violates the Administrative Procedure Act as an agency action that is “contrary to a constitutional right.” See 5 U.S.C. § 706(2)(B). YAF requests, among other things, a preliminary injunction enjoining the DOE from enforcing all race-based qualifications for the McNair program.
- Latest update: On September 4, 2024, YAF filed a motion for preliminary injunction, requesting that the court prevent the DOE from enforcing the racial and ethnic qualifications of the McNair program, and requiring the DOE to notify all participating institutions of higher education that they cannot impose or rely upon such classifications. YAF argues that the racial eligibility criteria fail the strict scrutiny test for affirmative action policies because the government did not have evidence of discrimination when it started the McNair program. The docket does not reflect that the DOE has been served.
4. Actions against Educational Institutions:
- Students for Fair Admissions v. United States Naval Academy, No. 1:23-cv-02699 (D. Md. 2023): On October 5, 2023, Students for Fair Admissions (SFFA) sued the U.S. Naval Academy, arguing that consideration of race in its admissions process violates the Fifth Amendment. On December 20, 2023, the district court denied SFFA’s preliminary injunction motion, holding that SFFA did not show that it would succeed on the merits of its Equal Protection claim because it failed to show that the defendants’ justifications for their policies did not satisfy strict scrutiny.
- Latest update: On August 15, 2024, SFFA filed a motion for partial summary judgment on the issue of standing, arguing that the four anonymous SFFA members, each of whom applied for admission at the Naval Academy but were denied, would have standing to sue in their own right. SFFA argued that each member sustained an injury of being denied the opportunity to compete for admission to the Naval Academy on an equal basis and is “ready to apply” if the court redresses the issue. On August 23, 2024, the Naval Academy opposed the motion, urging the court to consider the issue of standing after trial because there are disputed issues of material fact as to whether SFFA members are “able and ready” to apply. On August 28, 2024, SFFA replied, arguing that the disputes over their members’ “ability and readiness to apply” are not material or genuine, and therefore should not be a bar to granting partial summary judgment ahead of trial. A pretrial conference and hearing on motions in limine was held on September 5, 2024, and a bench trial is scheduled for September 16–27, 2024.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following practice leaders and authors:
Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, jschwartz@gibsondunn.com)
Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, ksmith@gibsondunn.com)
Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, mdenerstein@gibsondunn.com)
Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, zswilliams@gibsondunn.com)
Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, msenger@gibsondunn.com)
Blaine H. Evanson – Partner, Appellate & Constitutional Law Group
Orange County (+1 949-451-3805, bevanson@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Julia Lapitskaya, Ronald Mueller and Stella Kwak are the authors of “How Companies Are Approaching Insider Trading Policies” [PDF] published by Law360 on September 11, 2024.
Europe
08/06/2024
Council of Europe | Report | Neural data
The Council of Europe reported on the data protection challenges linked to neurotechnology and neural data from the perspective of the Convention 108+.
The report highlights the challenges posed by neural data and neurotechnology, including the impact it may have on human rights and fundamental freedoms, in particular the right to privacy and to the protection of personal data. It provides a legal and technical description of neurotechnology and neural data and suggests solutions to address privacy concerns related to neural data processing.
For further information: Council of Europe Website
08/01/2024
European Commission | EU AI Act
The European Artificial Intelligence Act (“AI Act”) came into force.
The European Commission announced that the AI Act came into force on August 1, 2024. The majority of rules of the AI Act will start applying on August 2, 2026.
For more information: European Commission Website
Belgium
08/23/2024
Belgian Supervisory Authority | Sanction | Access Request
The Belgian Supervisory Authority (“APD”) imposed a fine of €100,000 on a telecom operator for a late reply to a right of access request.
The APD determined that the telecom operator failed to appropriately process and reply to the individual’s access request by providing a response 14 months after the access request was submitted.
For more information: EDPB Website
Denmark
08/26/2024
Danish Supervisory Authority | Decision | AI
On August 26, 2024, the Danish Supervisory Authority (“Datatilsynet”) published its decision allowing an insurance company to record and use artificial intelligence for analyzing incoming telephone calls.
Following its investigation in March 2023 into the insurance company and its use of artificial intelligence to analyze customer service calls, the Datatilsynet found that the insurance company complies with GDPR rules. Finally, the Datatilsynet’s decision recalls that the processing must comply with data protection rules, particularly with regard to obtaining consent and the information given to data subjects.
For more information: Datatilsynet Website [DA]
France
08/27/2024
French Supervisory Authority | Monitoring Tool | Binding Corporate Rules
The French Supervisory Authority (“CNIL”) published a monitoring tool for Binding Corporate Rules (“BCR”).
The CNIL makes available to BCR holders a self-assessment tool to verify their level of compliance with BCR requirements and specifies the steps for its deployment.
For more information: CNIL Website
Germany
08/30/2024
Saxony Supervisory Authority | Recommendation | Technical and Organizational Measures
On August 30, 2024, the Saxon Supervisory Authority (“SDTB”) published its recommendation on the redaction of documents.
The SDTB pointed out that it is often necessary to delete or anonymize personal data (for example when publishing documents containing sensitive data) and that, in such cases, technical and organizational measures, including document redaction, must be implemented for data protection. In particular, the recommendation describes the possible sources of error and solutions relating to redaction.
For more information: SDTB Website [DE]
08/28/2024
Rhineland-Palatinate Supervisory Authority | Press Release | Customer Account
The Rhineland-Palatinate Supervisory Authority (“LfDI Rheinland-Pfalz”) announced in a press release that it has sent an information letter to 13 e-shops on the necessity of providing guest access when placing an order.
While recognizing the advantages of creating a customer account (e.g., ordering without having to enter the same data again or reviewing orders), the LfDI Rheinland-Pfalz points out that individuals should always have an equal alternative when shopping online. It further considers that online shops have an obligation to implement a guest ordering process which results from the provisions of Articles 5 and 6 of the GDPR.
For more information: LfDI Rheinland-Pfalz Website [DE]
08/15/2024
BfDI | Press Release | Messenger Services Standard Test Catalogue
The Federal Commissioner for Data Protection and Freedom of Information (“BfDI”) has launched a public consultation process on the creation of a uniform test for messenger services regarding their compliance with the GDPR.
The BfDI has initiated the development of a uniform standard test regarding the GDPR compliance of messenger services. This is especially important due to their widespread use both in private life and for work-related purposes. To create a useful uniform standard test, the BfDI now invites specialist users or deployers and civil society to comment on and participate in the development of criteria for the published draft test.
For more information: BfDI Website [DE]
08/01/2024
Saxony Supervisory Authority | Guidelines | Data Subject Access Requests
On August 1, 2024, the Saxon Supervisory Authority (“SDTB”) published guidelines for local authorities and administrative bodies on how to handle data subject access requests under Article 15 of the GDPR.
The SDTB’s guidelines are intended to provide guidance on how to comply with requests regarding the right of access of data subjects. They incorporate the latest case law of the higher courts, especially that of the Court of Justice of the European Union.
For more information: SDTB Website [DE]
Italy
08/09/2024
Italian Supervisory Authority | Sanction | Unlawful access to a database
The Italian Supervisory Authority (“Garante”) published its decision of June 6, 2024, imposing a fine of €1 million on a financial institution for unlawful processing.
The Garante received a complaint in which an individual claimed to have been blacklisted and denied financing for a long-term car rental, following verifications in a database. In the context of a request to exercise his rights under the GDPR, the complainant asked the car rental company and its parent company, a financial institution, for information on the reasons behind the blacklisting but received no response. Upon investigation, the Garante found that the financial institution, which carried out the verifications on behalf of the car rental company, did not have the authorization from the Ministry of Economy and Finance to access the centralized fraud prevention system (“SCIPAFI”) and concluded that the complainant’s personal data had been unlawfully processed.
For more information: Garante Website [IT]
08/09/2024
Italian Supervisory Authority | FAQ | Right to be forgotten
The Italian Supervisory Authority (“Garante”) announced that it has released frequently asked questions (“FAQs”) on the “right to be forgotten in oncology”.
The FAQs aim to clarify the provisions of Law No. 193 of 7 December 2023 on the “right to be forgotten in oncology”, which allows individuals who have recovered from an oncological disease not to provide information or be investigated regarding their previous condition when accessing banking, financial, investment and insurance services, insolvency procedures, as well as employment and professional training. The Garante will be in charge of the enforcement of these provisions.
For more information: Garante Website [IT]
Switzerland
08/14/2024
Swiss Federal Council | Adequacy Decision | Swiss-US Data Privacy Framework
The Swiss Federal Council adopted its decision of adequacy regarding the USA under the Swiss-US Data Privacy Framework (“DPF”).
Over a year after the European Commission, the Swiss Federal Council has now also adopted its adequacy decision for US companies certified under the DPF and thus facilitates the transfer of personal data to the USA in compliance with data protection regulations. This will enter into force on 15 September 2024.
For more information: Federal Council Website
United Kingdom
08/21/2024
Department for Science, Innovation and Technology | Blog | Privacy-Preserving Federated Learning
The Department for Science, Innovation and Technology (“DSIT”) published a blog post on implementation challenges in Privacy-Preserving Federated Learning (“PPFL”).
The blog highlights challenges to developing deployable PPFL, which are due to several factors such as real-world conditions for deployment (e.g., insufficient computational power) or flaws in the system design which can lead to privacy breaches.
For more information: UK Government Website
08/13/2024
UK Supervisory Authority | Report | Privacy Enhancing Technologies
The UK Supervisory Authority (“ICO”) published a report entitled “Tackling Barriers to Privacy-Enhancing Technologies Adoption”.
Privacy-Enhancing Technologies (“PETs”) are defined by the ICO as technologies supporting data privacy by minimizing the use of personal data and increasing their security. The report explains, in particular, the barriers to adopting such technologies and provides recommendations on how to support and promote their use across organizations.
For more information: ICO Website
08/07/2024
UK Supervisory Authority | Sanction | Ransomware Attack
The UK Supervisory Authority (“ICO”) issued a provisional decision to impose a fine of £6.09 million (approximately €7.14 million) on a software provider following a ransomware attack which occurred in 2022.
The ICO explained that hackers accessed the company’s health and care systems through a customer account which was not protected via multi-factor authentication. The attack led to the exfiltration of personal data from 82,946 individuals, including phone numbers, medical records, and information on how to gain entry to the homes of 890 people receiving home care. Critical services had also been disrupted. The ICO’s findings are provisional, and a final decision has not yet been made. If issued, this will notably be the first time that the ICO issues a fine to a processor for a breach of its obligations under data protection laws.
For more information: ICO Website
08/02/2024
UK Supervisory Authority | Statement | Children protection
The UK Supervisory Authority (“ICO”) issued a statement calling on social media platforms (“SMPs”) and video-sharing platforms (“VSPs”) to improve their children’s data privacy practices.
The ICO stated that it has reviewed 34 SMPs and VSPs, focusing on the process children go through to sign up for accounts. The ICO found different levels of compliance with the Children’s Code, and sent some of the platforms questions on issues relating to default privacy settings, geolocation, age assurance and targeted advertising.
For more information: ICO Website
Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris (abaladi@gibsondunn.com)
Joel Harrison – Partner, Co-Chair, PCDI Practice, London (jharrison@gibsondunn.com)
Vera Lukic – Partner, Paris (vlukic@gibsondunn.com)
Lore Leitner – Partner, London (lleitner@gibsondunn.com)
Kai Gesing – Partner, Munich (kgesing@gibsondunn.com)
Clémence Pugnet – Associate, Paris (cpugnet@gibsondunn.com)
Thomas Baculard – Associate, Paris (tbaculard@gibsondunn.com)
Hermine Hubert – Associate, Paris (hhubert@gibsondunn.com)
Billur Cinar – Associate, Paris (bcinar@gibsondunn.com)
Christoph Jacob – Associate, Munich (cjacob@gibsondunn.com)
Yannick Oberacker – Associate, Munich (yoberacker@gibsondunn.com)
Sarah Villani – Associate, London (svillani@gibsondunn.com)
Miles Lynn – Associate, London (mlynn@gibsondunn.com)
From the Derivatives Practice Group: This week, the CFTC staff issued a no-action letter regarding swap data reporting and recordkeeping regulations. The no-action letter is comparable to previous letters issued for similarly situated designated contract markets and derivatives clearing organizations.
New Developments
- CFTC Staff Issues No-Action Letter Related to Reporting and Recordkeeping Requirements for Fully Collateralized Binary Options. On September 4, 2024, the CFTC announced the Division of Market Oversight (“DMO”) and the Division of Clearing and Risk have taken a no-action position regarding swap data reporting and recordkeeping regulations in response to a request from LedgerX LLC d/b/a MIAX Derivatives Exchange LLC (“MIAXdx”), a designated contract market and derivatives clearing organization. The Divisions will not recommend the CFTC initiate an enforcement action against MIAXdx or its participants for certain swap-related recordkeeping requirements and for failure to report data associated with fully collateralized binary option transactions executed on or subject to the rules of MIAXdx to swap data repositories. The no-action letter is comparable to no-action letters issued for other similarly situated designated contract markets and derivatives clearing organizations.
- CFTC Grants Kalshi Klear LLC DCO Registration. On August 29, the CFTC announced it has issued Kalshi Klear LLC (“Kalshi”) an Order of Registration as a derivatives clearing organization (“DCO”) under the Commodity Exchange Act. Kalshi’s affiliate, KalshiEx LLC, is registered with the CFTC as a designated contract market.
- CFTC Staff Extends Brexit-Related No-Action Positions. On August 29, the CFTC’s DMO and Market Participants Division (“MPD”) announced they are extending temporary no-action positions in connection with the withdrawal of the United Kingdom (“UK”) from the European Union (“EU”), known as Brexit. In addition, DMO is amending its no-action position to include two additional multilateral trading facilities (“MTFs”) authorized in the UK. The no-action position was also amended to remove an MTF and an organized trading facility because the facilities are no longer authorized in the UK.
- CFTC Staff Issues No-Action Letter for EU-Based and UK-Based DCOs Regarding Certain Requirements Applicable to DCOs. On August 23, the CFTC’s Division of Clearing and Risk (“DCR”) issued a no-action letter to address the applicability of certain CFTC regulations to registered DCOs based in either the EU or the UK. This letter replaces CFTC Letter 16-26, which applied only to EU-based DCOs and was issued in 2016 as part of the CFTC’s response to the EU equivalence determination with regard to the CFTC’s regulatory framework for DCOs. DCR has updated CFTC Letter 16-26 to explicitly apply it to UK-based DCOs post-Brexit.
New Developments Outside the U.S.
- Markets Increasingly Sensitive After Strong Performance in Early 2024. On August 29, ESMA published its second risk monitoring report of 2024, setting out the key risk drivers currently facing EU financial markets. The report stated that external events continue to have a strong impact on the evolution of financial markets, and ESMA also sees high or very high overall risks in the markets within its remit.
- ESMA Publishes Translations of its Guidelines on Funds’ Names. On August 21, ESMA published the translations in all official EU languages of its Guidelines on funds’ names using ESG or sustainability-related terms. National competent authorities must notify ESMA by October 21, 2024 whether they (i) comply, (ii) do not comply, but intend to comply, or (iii) do not comply and do not intend to comply with the guidelines.
- ESAs’ Joint Board of Appeal Allows the Appeal Lodged by NOVIS and Remits the Case to EIOPA. On August 13, the Joint Board of Appeal of the European Supervisory Authorities (“ESAs”) unanimously decided that the appeal brought by NOVIS against the European Insurance and Occupational Pensions Authority (“EIOPA”) is admissible. The appeal was brought in relation to the EIOPA decision not to grant access to documents, which were requested by NOVIS. In its decision, the board of appeal acknowledged that requests for access to documents laid out in Regulation No 1049/2001 can be dismissed by way of exceptions to protect certain public and private interests.
- ESMA Recognizes CDS Clearing and Depository Services as Tier 1 CCP Following MoU with the British Columbia Securities Commission. On August 13, ESMA signed a Memorandum of Understanding (“MoU”) with the British Columbia Securities Commission and updated its list of recognized third-country central counterparties (“CCPs”) under the European Markets Infrastructure Regulation (“EMIR”). The MoU establishes cooperation arrangements, including the exchange of information, regarding CCPs that are established in Canada and authorized or recognized by the British Columbia Securities Commission, and which have applied for EU recognition under EMIR.
New Industry-Led Developments
- ISDA Suggested Operational Practice “P43 Reporting of Post-Trade Events: Trades with no prior P43 Reporting.” On September 5, ISDA republished a Suggested Operational Practice (“SOP”) from July 2024 on approaches (e.g. for partial or full unwinds, partial or full novation, or partial or full exercises) under the CFTC amendments for allocated trades. The SOP recommends reporting the first Part 43 reportable post-trade event on an allocated trade with Action type “NEWT” and Event type “TRAD.” [NEW]
- ISDA and IIF Respond to BCBS Consultation on CCR Management. On August 28, ISDA and the Institute of International Finance (“IIF”) submitted a joint response to the Basel Committee on Banking Supervision’s (“BCBS”) consultation on guidelines for counterparty credit risk (“CCR”) management. The new guidelines represent an update to the Sound Practices for Banks’ Interactions with Highly Leveraged Institutions, published in January 1999, to incorporate recent lessons and best practices. In the response, the associations stress the guidelines should be risk-based and proportional, considering a diverse universe of counterparties and financial markets across the world. The associations stated that they believe a common understanding and coordination between central banks, supervisors and banks can enhance the effectiveness of CCR practices.
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)
Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)
Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)
Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)
Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)
Adam Lapidus, New York (212.351.3869, alapidus@gibsondunn.com)
Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)
William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)
Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com)
Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)
Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Personal Data | Cybersecurity | Data Innovation
Europe
03/14/2023 – European Union Agency for Cybersecurity | Report | Cybersecurity of AI and Standardisation
On 14 March 2023, the European Union Agency for Cybersecurity published a report on Cybersecurity of AI and Standardisation.
The objective of the report is to provide an overview of standards (existing, being drafted, under consideration and planned) related to cybersecurity of artificial intelligence, assess their scope and identify gaps in standardisation.
For further information: ENISA Website
03/14/2023 – European Parliament | Regulation | Data Act
On 14 March 2023, the European Parliament adopted the draft Data Act.
The Data Act aims to boost innovation by removing barriers obstructing access by consumers and businesses to data.
For further information: European Parliament Website
02/28/2023 – European Data Protection Board | Opinion | EU-US Data Privacy Framework
On 28 February 2023, the European Data Protection Board adopted its opinion on the draft adequacy decision regarding the EU-US Data Privacy Framework.
The European Data Protection Board welcomes substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for US intelligence gathering of data and the new redress mechanism for EU data subjects. At the same time, it expresses concerns and requests clarifications on several points.
For further information: EDPB Website
02/24/2023 – European Data Protection Board | Guidelines | Transfers, Certification and Dark Patterns
On 24 February 2023, the European Data Protection Board published the final versions of three guidelines.
Following public consultation, the European Data Protection Board has adopted three sets of guidelines in their final version: the Guidelines on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR; the Guidelines on certification as a tool for transfers; and the Guidelines on deceptive design patterns in social media platform interfaces.
For further information: EDPB Website
02/15/2023 – European Commission | Decision | Whistleblowing
On 15 February 2023, the European Commission announced its decision to refer eight Member States to the Court of Justice of the European Union for failing to transpose the Directive (EU) 2019/1937 on the Protection of Persons who Report Breaches of Union Law before 17 December 2021.
The relevant Member States include the Czech Republic, Germany, Estonia, Spain, Italy, Luxembourg, Hungary, and Poland.
For further information: European Commission Website
01/18/2023 – European Data Protection Board | Report | Cookie Banner Taskforce
On 18 January 2023, the European Data Protection Board adopted its final report of the cookie banner task force.
The French Supervisory Authority and its European counterparts adopted the report summarizing the conclusions of the task force in charge of coordinating the answers to the questions on cookie banners raised by the complaints of the None Of Your Business Association. The main points of attention that were discussed concern the modalities of acceptance and refusal of the storage of cookies and the design of banners.
For further information: EDPB Website
01/16/2023 – European Union | Regulation | Digital Operational Resilience Act
The Digital Operational Resilience Act (“DORA”) entered into force on 16 January 2023.
The DORA aims to ensure that financial-sector information and communication technology (“ICT”) systems can withstand security threats and that third-party ICT providers are monitored.
For further information: Official Journal Website
01/12/2023 – Court of Justice of the European Union | Decision | Right of access
On 12 January 2023, the Court of Justice of the European Union ruled that everyone has the right to know to whom their personal data has been disclosed.
The data subject’s right of access to personal data under the GDPR entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of the GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question.
For further information: Press Release
Austria
02/01/2023 – Austrian Parliament | National Council | Whistleblowing
On 1 February 2023, Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (“the Whistleblowing Directive”) was implemented by the Austrian National Council.
For further information: Austrian Parliament Website
Belgium
02/15/2023 – House of Representatives | Legislation | Whistleblowing
On 15 February 2023, the Whistleblowing law for the private sector which partially transposes the Whistleblowing Directive entered into force.
For further information: Whistleblowing Law
Bulgaria
01/27/2023 – Bulgarian National Assembly | Legislation | Whistleblowing
On 27 January 2023, the Bulgarian National Assembly (“CPDP”) adopted the Whistleblower Protection and Public Disclosure Act (“PWIPDA”) transposing the Whistleblowing Directive.
For further information: CPDP Website [BG]
Czech Republic
03/07/2023 – Czech Supervisory Authority | FAQ | Cookies
On 7 March 2023, the Czech Supervisory Authority (“UOOU”) published a FAQ on cookie banners and consent.
For further information: UOOU Website [CZ]
Denmark
02/20/2023 – Danish Supervisory Authority | Decision | Cookie Walls
The Danish Supervisory Authority issued two decisions regarding the use of cookie walls on websites and published general guidelines for the use of such consent solutions.
The Danish Supervisory Authority generally found that a method whereby the website visitor can access the content of a website in exchange for either giving consent to the processing of his personal data or paying an access fee, meets the requirements of the data protection rules for a valid consent.
For further information: Danish DPA Website [DK]
01/20/2023 – Danish Supervisory Authority | Guidelines | Storage and Consent
On 20 January 2023, the Danish Supervisory Authority prepared guidance dealing with the storage of personal data with the aim of being able to demonstrate compliance with data protection rules on consent.
For further information: Danish DPA Website [DK]
Finland
02/17/2023 – Finnish Supervisory Authority | Sanction | GDPR Violation
On 17 February 2023, the Finnish Supervisory Authority issued an administrative fine of €440,000 against a company for failing to comply with the authority’s order to rectify its practices.
In particular, the authority stated that the company failed to erase inaccurate payment default entries saved into the credit information register due to inadequate practices. The authority stresses that the processing of payment default information has a significant impact on the rights and freedoms of individuals.
For further information: Finnish DPA Website
France
03/28/2023 – French Supervisory Authority | Sanction | Geolocation Data
On 28 March 2023, the French Supervisory Authority (“CNIL”) announced that it imposed a fine of €125,000 on a scooter rental company because it geolocated its customers almost permanently.
The CNIL noted a failure to comply with several obligations, namely to ensure data minimization, to comply with the obligation to provide a contractual framework for the processing operations carried out by a processor, and to inform the user and obtain his or her consent before writing and reading information on his or her personal device.
For further information: CNIL Website
03/15/2023 – French Supervisory Authority | Investigation | Smart Cameras
On 15 March 2023, the French Supervisory Authority (“CNIL”) announced that “smart” cameras, mobile apps, bank and medical records are priority topics for investigations in 2023.
The CNIL carries out investigations on the basis of complaints received, current events, but also annual priority topics. In 2023, it will focus on the use of “smart” cameras by public actors, the use of the file on personal credit repayment incidents, the management of health files and mobile apps.
For further information: CNIL Website
02/09/2023 – French Supervisory Authority | Guidance | Data Governance Act
On 9 February 2023, the French Supervisory Authority (“CNIL”) published guidance on the economic challenges of implementing the Data Governance Act.
For further information: CNIL Website
01/26/2023 – French Supervisory Authority | Statement | Artificial Intelligence
On 26 January 2023, the French Supervisory Authority (“CNIL”) announced the creation of an Artificial Intelligence (“AI”) Department and the start of its work on learning databases.
The CNIL is creating an AI Department to strengthen its expertise on these systems and its understanding of the risks to privacy while preparing for the implementation of the European regulation on AI. In addition, the CNIL has announced that it will propose initial recommendations on machine learning databases.
For further information: CNIL Website
01/24/2023 – Ministry of Home Affairs | Legislation | Cyberattack Risk Insurance
On 24 January 2023, the French Parliament adopted the LOPMI Act that authorizes the insurability of “cyber-ransoms” paid by victims, subject to the prompt filing of a complaint.
For further information: LOPMI
01/04/2023 – French Supervisory Authority | Sanction | Consent
On 4 January 2023, the French Supervisory Authority (“CNIL”) imposed an administrative €8 million fine on a technology company because it did not collect the consent of French users before depositing and/or writing identifiers used for advertising purposes on their terminals.
The CNIL found that the advertising targeting settings were pre-checked by default. Moreover, the user had to perform a large number of actions in order to deactivate this setting.
The CNIL explained the amount of the fine by the scope of the processing, the number of people concerned in France, the profits the company made from advertising revenues indirectly generated from data collected by these identifiers and the fact that since then, the company has reached compliance.
For further information: CNIL Website
01/17/2023 – French Supervisory Authority | Sanction | Consent
On 17 January 2023, the French Supervisory Authority (“CNIL”) imposed a €3 million fine on a company which publishes video games for smartphones.
The company was using an essentially technical identifier for advertising purposes without the user’s consent.
For further information: CNIL Website
Germany
03/22/2023 – Supervisory Authorities | Opinion | “Pure Subscription Models”
The Conference of the Independent Data Protection Authorities of Germany (DSK) adopted an opinion on so-called “pure subscription models” on websites.
The opinion assesses pure (no-tracking) subscription models and alternative free consent-based tracking models and provides criteria to assess these alternative access instruments on websites.
For further information: DSK Website [DE]
03/15/2023 – Supervisory Authorities | BfDI | Activity Report
The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, has presented the BfDI’s Activity Report for 2022.
For further information: BfDI [DE]
03/15/2023 – Supervisory Authorities | Activity Reports
The Commissioners for Data Protection and Freedom of Information of Baden-Württemberg, Hamburg and Schleswig-Holstein have presented their activity reports for the year 2022.
The activity reports cover various data protection and freedom of information topics. For example, in Schleswig-Holstein, data breaches remained frequent while the number of complaints dropped, with video surveillance being the main cause of complaints. The reports emphasize the need to proactively address risks such as artificial intelligence and data sharing.
For further information: ULD Website [DE] and LfDI-BW Website [DE] and HmbBfDI Website [DE]
03/01/2023 – Supervisory Authorities | Opinion | EU-US Privacy Framework
The Hamburg Supervisory Authority (on 1 March 2023) and the German Supervisory Authority (on 28 February 2023) each issued an opinion on the draft adequacy decision on the EU-US Data Privacy Framework.
For further information: Bundestag Website [DE] and BfDI [DE]
02/13/2023 – German Competition Authority | Decision | US Data Transfers
On 13 February 2023 the German Competition Authority (“BKartA”) issued a ruling on data transfers under the GDPR.
In particular, the authority ruled that a company relying on a German subsidiary of a US parent company as a data processor cannot be excluded from a contract bid due to possible violations of the GDPR.
For further information: BKartA Website [DE]
02/09/2023 – ArbG Oldenburg | Decision | Claim for Damages
On 9 February 2023, the Oldenburg Labor Court ordered a company to pay a former employee damages in the amount of 10,000 euros under Article 82 of the GDPR for failing to comply with an information request under Article 15 (1) of the GDPR, without establishing any additional (immaterial) harm.
In the opinion of the court, the violation of the GDPR itself already resulted in immaterial harm to be compensated; according to the court, no additional proof of harm was required.
Italy
03/30/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot
The Italian Supervisory Authority (“Garante”) imposed an immediate temporary limitation on the processing of Italian users’ data by a US-based company developing and managing an AI chatbot.
The Garante opened a probe over a suspected breach of GDPR. The authority alleged “the absence of any legal basis that justifies the massive collection and storage of personal data in order to ‘train’ the algorithms underlying the operation of the platform”. The authority also accused the company of failing to check the age of its users.
For further information: Garante Website [IT]
03/09/2023 – Council of Ministers | Legislation | Whistleblowing
On 9 March 2023, the Italian Council of Ministers approved the whistleblowing legislative decree.
The Council of Ministers announced, on 9 March 2023, the approval, after final review, of the legislative decree to transpose into Italian law the Whistleblowing Directive.
For further information: Governo Italiano Website [IT]
02/21/2023 – Italian Supervisory Authority | Sanction | Marketing Practices
The Italian Supervisory Authority (“Garante”) announced, on 21 February 2023, that it issued, on 15 December 2022, a €4.9 million fine against an energy company for various non-compliances with the GDPR, including unlawful marketing practices.
For further information: Garante Website [IT]
02/03/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot
The Italian Supervisory Authority (“Garante”) issued an order on an AI chatbot noting that tests performed identified risks for minors and vulnerable individuals.
The US-based developer was ordered to terminate processing of data relating to Italian users and to inform the Garante within 20 days on any measures taken to implement its orders.
For further information: Garante Website
Ireland
02/27/2023 – Irish Supervisory Authority | Sanction | Security
On 27 February 2023, the Irish Supervisory Authority (“DPC”) imposed a fine of €750,000 on a banking company for inadequate data security measures.
The inquiry was initiated after the notification to the DPC of a series of 10 data breaches. In this context, the DPC found that the technical and organizational measures in place at the time were not sufficient to ensure the security of the personal data processed.
For further information: DPC Website
02/23/2023 – Irish Supervisory Authority | Sanction | Security
On 23 February 2023, the Irish Supervisory Authority (“DPC”) imposed a €460,000 fine against a health care provider.
The DPC initiated an enquiry after receiving a personal data breach notification related to a ransomware attack affecting patient data (70,000 people). The DPC considered that the health care provider failed to ensure that the personal data were processed in a manner that ensured appropriate security.
For further information: DPC Website
01/16/2023 – Irish Supervisory Authority | Sanction | CCTV
On 16 January 2023, the Irish Supervisory Authority (“DPC”) imposed a €50,000 fine and a temporary ban on the processing of personal data with CCTV cameras on a company for violations of the GDPR.
For further information: DPC Website
Netherlands
02/22/2023 – Dutch Supervisory Authority | Statement | Camera Settings
The Dutch Supervisory Authority (“AP”) published a statement on changes made by a car manufacturer in the settings of the built-in security cameras of its cars, following an investigation of these cameras by the AP.
For instance, the car may still take camera images, but only when the user activates that function.
For further information: AP Website [NL]
02/18/2023 – House for Whistleblowers | Legislation | Whistleblowing
On 18 February 2023, the House for Whistleblowers announced the entry into force of the Whistleblower Protection Act.
For further information: AP Website [NL]
Norway
03/01/2023 – Norwegian Supervisory Authority | Preliminary conclusion | Analytics Tool
On 1 March 2023, the Norwegian Supervisory Authority (“Datatilsynet”) published its preliminary conclusion on a case related to the use of the analytics tool of a US-based company, considering that the use of this tool is not in line with the GDPR.
For further information: Datatilsynet Website [NO]
02/06/2023 – Norwegian Supervisory Authority | Sanction | GDPR Violation
On 6 February 2023, the Norwegian Supervisory Authority (“Datatilsynet”) fined a company operating fitness centers NOK 10 million (approximately €912,940) for various GDPR violations (e.g., lawfulness of processing, transparency and data subjects’ rights).
For further information: Datatilsynet Website [NO]
Portugal
01/27/2023 – Portuguese Supervisory Authority | Guidelines | Security Measures
The Portuguese Supervisory Authority (“CNPD”) published guidelines on security measures in order to minimize consequences in case of attacks on information systems.
These guidelines aim to inform controllers and processors about their legal obligations, with the increase of cyberattacks on information systems, listing organizational and technical measures that must be considered by organizations.
For further information: Press release [PT]
Romania
03/28/2023 – President of Romania | Legislation | Whistleblowing
Law No. 67/2023, which amends article 6 (2) of Law No. 361/2022 on the protection of whistleblowers in the public interest, was published in the Official Gazette on 28 March 2023 and entered into force on 31 March 2023.
For further information: CDEP Website [RO]
Spain
03/16/2023 – Spanish Supervisory Authority | Sanction | Data Minimization
The Spanish Supervisory Authority (“AEPD”) published, on 16 March 2023, its decision in which it imposed a fine of €100,000 on a telecommunications company for violation of the data minimization principle.
For further information: AEPD Website [ES]
03/15/2023 – Spanish Supervisory Authority | Sanction | GDPR Violation
The Spanish Supervisory Authority (“AEPD”) fined a bank €100,000 for violation of the GDPR.
In particular, the bank used the information provided by the claimant and her child to open several accounts in the name of the child without consent and while it was not necessary for the services requested.
For further information: AEPD Website [ES]
03/15/2023 – Spanish Supervisory Authority | Sanction | Data Portability
The Spanish Supervisory Authority (“AEPD”) published, on 15 March 2023, a decision in which it imposed a fine of €136,000 on a telecommunications company for completing a data portability request without ensuring the security of the personal data of the client.
For further information: AEPD Website [ES]
03/13/2023 – Spanish Senate | Legislation | Whistleblowing
The Spanish Law 2/2023 implementing the EU Whistleblower Directive was published in the Official Gazette on 20 February 2023 and entered into force on 13 March 2023.
For further information: BOE Website [ES]
United Kingdom
03/28/2023 – UK Supervisory Authority | Guidance | Direct Marketing
On 28 March 2023, the UK Supervisory Authority (“ICO”) issued guidance to businesses operating in regulated private sectors (e.g., finance, communications or utilities) on direct marketing and regulatory communications.
The guidance aims to help businesses identify when a regulatory communication message might count as direct marketing. If the message is direct marketing, it also covers what businesses need to do to comply with data protection and ePrivacy law.
For further information: ICO Website
03/16/2023 – UK Supervisory Authority | Sanction | GDPR Violations
The UK Supervisory Authority (“ICO”) reached an agreement with a retailer to reduce the monetary penalty notice issued for breaching the GDPR from £1,350,000 to £250,000.
The ICO found that the company was making assumptions about customers’ medical conditions, based on their purchase history, to sell them further health-related products. The processing involved special category data and the ICO concluded that the processing had been conducted without a lawful basis. The retailer appealed the decision, which led to an agreement to reduce the monetary penalty notice, taking into account that the retailer has stopped the unlawful processing.
For further information: ICO Website
03/15/2023 – UK Supervisory Authority | Guidelines | AI and Data Protection
The UK Supervisory Authority (“ICO”) announced on 15 March 2023 that it had updated its guidance on artificial intelligence (“AI”) and data protection.
The ICO indicates that the changes respond to requests from UK industry to clarify requirements for fairness in AI.
For further information: ICO Website
03/13/2023 – UK Supervisory Authority | Guidance | Data Protection by Default
The UK Supervisory Authority (“ICO”) has produced new guidance to help user experience designers, product managers and software engineers embed data protection into their products and services by default.
The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch. It includes both examples of good practice and practical steps that organisations can take to comply with data protection law when designing websites, apps or other technology products and services.
For further information: ICO Website
03/08/2023 – UK Government | Legislation | Cookies
The government re-introduced new laws on 8 March 2023 aiming to cut down paperwork for businesses and reduce unnecessary cookie pop-ups.
The Data Protection and Digital Information Bill was first introduced last summer and paused in September 2022 so ministers could engage in a co-design process with business leaders and data experts. According to the government, this was to ensure that the new regime built on the UK’s high standards for data protection and privacy, and seeks to ensure data adequacy while moving away from the “one-size-fits-all” approach of the European Union’s GDPR.
For further information: UK Government Website
02/16/2023 – UK Supervisory Authority | Guidance | Protection of Children
The UK Supervisory Authority (“ICO”) issued a series of recommendations to game developers to ensure the protection of children and compliance with data protection laws.
For further information: ICO Website
This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:
- Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris (abaladi@gibsondunn.com)
- Vera Lukic – Partner, Paris (vlukic@gibsondunn.com)
- Kai Gesing – Partner, Munich (kgesing@gibsondunn.com)
- Joel Harrison – Partner, London (jharrison@gibsondunn.com)
- Alison Beal – Partner, London (abeal@gibsondunn.com)
- Thomas Baculard – Associate, Paris (tbaculard@gibsondunn.com)
- Roxane Chrétien – Associate, Paris (rchretie@gibsondunn.com)
- Christoph Jacob – Associate, Munich (cjacob@gibsondunn.com)
- Yannick Oberacker – Associate, Munich (yoberacker@gibsondunn.com)
- Clémence Pugnet – Associate, Paris (cpugnet@gibsondunn.com)
© 2023 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.
Personal Data | Cybersecurity | Data Innovation
Europe
08/25/2023 – Digital Services Act | Regulation | Very Large Online Platforms and Very Large Online Search Engines
On 25 August 2023, the Digital Services Act (“DSA”) started to apply to very large online platforms and very large online search engines.
As a reminder, on 25 April 2023, the European Commission designated nineteen providers of very large online platforms and of very large online search engines. The DSA applies to the designated providers from four months after the notification of the designation decisions.
For further information: DSA Regulation; European Commission Website
07/25/2023 – European Consumer Organisation | Position Paper | AI Act
The European Consumer Organisation (“BEUC”) published a position paper urging EU legislators to ensure that consumers can expect a high level of protection when using AI systems as they enter the final legislative stage on the Artificial Intelligence Act (“AI Act”).
For further information: BEUC Website
07/18/2023 – European Data Protection Board | Information note | EU-US Data transfers
The European Data Protection Board (“EDPB”) published an information note on data transfers to the United States after the adoption of the adequacy decision on 10 July 2023.
The EDPB outlines that transfers to entities in the US which are not included in the “Data Privacy Framework List” cannot be based on the adequacy decision and will require appropriate data protection safeguards, enforceable rights and effective legal remedies for data subjects (e.g., through standard data protection clauses, binding corporate rules), in accordance with Article 46 GDPR.
For further information: EDPB Website
07/12/2023 – European Commission | Strategy | Metaverse
The European Commission issued its strategy for “Virtual Worlds”, commonly referred to as metaverses.
For further information: European Commission Website
07/10/2023 – European Commission | Press Release | EU-US Data Transfers
The European Commission has formally adopted the adequacy decision for the EU-US Data Privacy Framework.
This decision finds that the EU-US Data Privacy Framework provides an adequate level of protection, comparable to that of the European Union, for data transfers from the EU to US companies under the new framework. As a result, personal data can flow safely from the EU to US companies participating in the framework, without having to put in place additional data protection safeguards.
For further information: European Commission Website
07/05/2023 – Council of Europe | Guidelines | Data Processing for Financial Services
The Council published guidelines on data protection for the processing of personal data for Anti-Money Laundering/Countering Financing of Terrorism (“AML/CFT”) purposes.
The purpose of these guidelines is to provide orientation on how to integrate the requirements of Convention 108+ in the area of AML/CFT in order to provide for an appropriate level of data protection while facilitating transborder data flows, and to highlight certain areas in the AML/CFT context where data protection safeguards should be strengthened.
For further information: Council of Europe Website
07/04/2023 – Court of Justice of the European Union | Decision | Antitrust, Competition & GDPR enforcement
The Court of Justice of the European Union (“CJEU”) ruled that a competition authority of a Member State may identify a violation of the GDPR in order to establish the existence of an abuse of a dominant position.
For further information: CJEU decision
07/04/2023 – European Commission | Proposal for Regulation | GDPR Enforcement
The European Commission has proposed to adopt a new regulation “to streamline cooperation between data protection authorities” with regards to GDPR enforcement in cross-border cases.
The regulation aims to further harmonize procedural rules in cross-border cases. It contains provisions regulating the rights of complainants, the rights of the parties under investigation as well as provisions to streamline the cooperation and dispute resolution process. According to the European Commission, the proposed regulation will lead to “swifter resolution of cases” and enhance the efficiency of GDPR enforcement.
For further information: European Commission Website
06/28/2023 – European Parliament/Council of the EU | Regulation | Data Act
The European Parliament and the Council of the EU have reached a political agreement on the European Data Act. This new legislation aims at “boosting” the EU’s data economy by ensuring a competitive European data market.
The proposal contains provisions regulating data access rights, unfair contractual terms as well as rules governing the switch between cloud data-processing service providers among other things. The draft EU Data Act complements the Data Governance Act of November 2020 and is expected to enter into force in late 2024. The next step in the legislative process is the formal passing of the law by the European Parliament and the Council, which is expected later this year.
For further information: European Commission Website
06/22/2023 – Court of Justice of the European Union | Judgement | Data Subject Rights
The Court of Justice of the European Union (“CJEU”) ruled that the fact that a data controller is engaged in the business of banking and acts within the framework of a regulated activity and that the data subject whose personal data has been processed in his capacity as a customer of the controller was also an employee of that controller has no effect on the scope of the right granted to the data subject.
For further information: CJEU Website
06/21/2023 – European Data Protection Board | Recommendations | Binding Corporate Rules
The European Data Protection Board (“EDPB”) adopted a final version of the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (“BCR-C”).
For further information: EDPB Website
06/07/2023 – European Data Protection Board | Guidelines | Calculation of Administrative Fines
The European Data Protection Board (“EDPB”) adopted a final version of the guidelines 04/2022 on the calculation of administrative fines following public consultation.
For further information: EDPB Website
05/24/2023 – European Commission | News Announcement | EU-ASEAN Data Transfers
The European Commission announced that the EU and the Association of Southeast Asian Nations (“ASEAN”) issued a joint guide identifying commonalities between the EU Standard Contractual Clauses (“SCCs”) and the ASEAN Model Contractual Clauses for cross-border data transfers.
The objective of the guide is to help companies operating across the ASEAN and EU regions understand the similarities and differences between the respective contractual clauses, thereby facilitating compliance with ASEAN and EU data protection laws as applicable.
For further information: European Commission Website
05/22/2023 – European Data Protection Board | Case Digest | Right to Object and Erasure
The European Data Protection Board (“EDPB”) published a case digest on the right to object and erasure.
In particular, the case digest examines a selection of one-stop-shop decisions taken from the EDPB’s public register relating to Articles 17 and 21 of the GDPR. Most of the complaints under those articles concern minor violations where the data controller shows active cooperation, with spontaneous remediation of the infringement. Hence, the decisions analyzed often result in reprimands. Although in some cases the lead supervisory authorities have imposed specific sanctions on data controllers, this is usually due to a large number of infringements of the GDPR, with a minor role played by violations of Articles 17 and 21.
For further information: EDPB Website
05/04/2023 – Court of Justice of the European Union | Decision | Right to Compensation
The Court of Justice of the European Union ruled that a mere infringement of the GDPR does not give rise to a right to compensation.
Overall, the Court stated that the right to compensation under the GDPR is subject to three cumulative conditions: an infringement of the GDPR, material or non-material damage resulting from that infringement and a causal link between the damage and the infringement. Moreover, the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. Finally, as the GDPR does not contain any rules governing the assessment of damages, it is for each Member State to prescribe them, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence and effectiveness are complied with.
For further information: CJEU Website
05/04/2023 – Court of Justice of the European Union | Decision | Data Subjects Rights
The Court of Justice of the European Union ruled that the data subject’s right to obtain from the controller a “copy” of the personal data undergoing processing as per Article 15(3) GDPR means that the data subject must be given a faithful and intelligible reproduction of all those personal data.
In particular, that entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases, if the provision of such copy is essential to enable the data subject to exercise effectively the right granted to him/her by that regulation, taking into account the rights and freedoms of others.
For further information: CJEU Website
04/26/2023 – European Union General Court | Decision | Pseudonymized Data
The General Court of the European Union ruled that in order to determine whether information constitutes personal data, it is necessary to determine whether the information relates to “identifiable persons”. The European Data Protection Supervisor (“EDPS”) has appealed this decision before the Court of Justice of the European Union (“CJEU”) on 5 July 2023.
The EDPS argues that the General Court has not interpreted the relevant provisions correctly. The EDPS therefore asks the CJEU to set aside the General Court’s judgement in its entirety and to give a final judgment in the dispute.
For further information: Official Journal of the European Union Website; CJEU Website
04/19/2023 – European Data Protection Board | Report | 101 NOYB Data Transfer Complaints
The European Data Protection Board (“EDPB”) published a report of the work undertaken by the supervisory authorities within the 101 Task Force.
The report sets out the common positions agreed by the supervisory authorities taking part in the task force with a view to handling the “101 complaints” received from NOYB in the aftermath of the Schrems II ruling. Notably, several supervisory authorities have ordered website operators to comply with the requirements of Chapter V of the GDPR, and if necessary, to stop the transfer at stake.
For further information: EDPB Website
04/17/2023 – European Data Protection Board | Guidelines | Right of Access
The European Data Protection Board (“EDPB”) published a final version of the guidelines 01/2022 on data subjects’ right of access, following a public consultation.
For further information: EDPB Website
04/17/2023 – European Data Protection Board | Guidelines | Lead Supervisory Authority
The European Data Protection Board (“EDPB”) published a final version of the guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority.
For further information: EDPB Website
04/13/2023 – European Data Protection Board | Guidance | Data Subject Rights
The European Data Protection Board (“EDPB”) published a guide for exercising data subjects’ rights, compiled by the Schengen Information System (“SIS”) II Supervision Coordination Group.
For further information: EDPB Website
04/04/2023 – European Data Protection Board | Guidelines | Personal Data Breach Notification
The European Data Protection Board released a new version of its guidelines 9/2022 on personal data breach notification under the GDPR.
For further information: EDPB Website
04/04/2023 – European Commission | Statement | Japan-EU Mutual Adequacy Arrangement
The European Commission released a joint press statement on the successful conclusion of the first review of the Japan-EU mutual adequacy arrangement.
In 2019, the EU and Japan recognized each other’s data protection systems as “equivalent”, thereby allowing personal data to flow freely between them. This arrangement created the world’s largest area of free and safe data flows.
For further information: European Commission Website
Austria
05/10/2023 – Austrian Supervisory Authority | Sanction | GDPR Violations
The Austrian Supervisory Authority issued a sanction against an American facial recognition company for multiple breaches of the GDPR, but did not issue a fine.
The facial recognition company reportedly owns a database including over 30 billion facial images from all over the world, which are extracted from public web sources. The complainant found out that his image data was processed by the company and lodged a complaint. In particular, the Austrian Supervisory Authority found that the processing carried out by the company serves a completely different purpose from the original publication of the complainant’s personal data (especially photographs).
For further information: EDPB Website
Belgium
05/24/2023 – Belgian Supervisory Authority | Press Release | Personal Data Transfers
The Belgian Supervisory Authority announced the prohibition of transfers of personal data of Belgian “Accidental Americans” by the Belgian Federal Public Service Finance to the US tax authorities under the intergovernmental Foreign Account Tax Compliance Act (“FATCA”) agreement.
The Litigation Chamber of the Belgian Supervisory Authority held that the generalized and undifferentiated transfer of tax data provided under FATCA breaches the principle of purpose limitation (FATCA does not contain exact objectives for the transfer of data), as well as the principles of proportionality and data minimization of the GDPR.
For further information: ADP Website
05/22/2023 – Belgian Supervisory Authority | Announcement | 2022 Annual Activity Report
The Belgian Supervisory Authority announced the publication of its 2022 annual activity report.
In particular, the report highlights that, in 2022, the Authority received 604 complaints and that the main topics of the complaints and requests for mediation were direct marketing as well as photos and cameras. The Dispute Chamber of the Authority issued 189 decisions in 2022, including fines totaling €738,900. As for data breaches, the Authority opened 1426 data leak files.
For further information: ADP Website [FR]
Denmark
07/13/2023 – Danish Supervisory Authority | Guidance | Right to erasure
The Danish Supervisory Authority expanded its guidance on what applies when an individual wants to have a search result related to him/her deleted from a search engine (e.g. Google and Bing).
For further information: Datatilsynet Website [DK]
06/27/2023 – Danish Supervisory Authority | Guidance | Video Surveillance
The Danish Supervisory Authority published new guidance on video surveillance used by companies.
For further information: Datatilsynet Website [DK]
03/29/2023 – Danish Supervisory Authority | Guidance | Employment Relationships
The Danish Supervisory Authority published an updated guidance on data protection in employment relationships.
For further information: Datatilsynet Website [DK]
Finland
08/08/2023 – Finnish Supervisory Authority | Press Release | Data transfers
The Finnish Supervisory Authority announced that it has issued an order to an international platform which provides taxi services to suspend its data transfers from Finland to Russia temporarily and to cease the processing of the personal data.
The Authority considers that this order is necessary because a legislative reform that will enter into force in Russia will significantly weaken the protection of customers’ personal data when using the platform. For instance, the Russian intelligence service will have the right to receive data processed in taxi operations.
For further information: Ombudsman Website
France
06/22/2023 – French Supervisory Authority | Sanction | GDPR Violations
The French Supervisory Authority published a decision which was issued on 15 June 2023 and imposed a €40 million fine on an advertising company for several GDPR violations.
The company specializes in “behavioral retargeting”, which consists of tracking the navigation of Internet users in order to display personalized advertisements. In particular, the Authority considered that the advertising company had failed to demonstrate that the data subjects gave their consent.
For further information: CNIL Website
06/15/2023 – French Supervisory Authority | Sanction | GDPR Violations
The French Supervisory Authority published a decision issued on 8 June 2023, imposing a €150,000 fine on a company which provides clairvoyance consultation through its website (by chat or telephone), for failing to comply with its obligations under the GDPR and the French Data Protection Act.
In particular, the Authority found that the company collected excessive data, as well as sensitive data without prior and explicit consent, and did not sufficiently ensure the security of the data.
For further information: CNIL Website
05/26/2023 – French Supervisory Authority | Decision | Consent
The French Supervisory Authority published a decision issued on 11 May 2023, in which it closed the injunction issued on a technology company.
On 19 December 2022, the company was fined 60 million euros by the Authority, which also required the company, within three months, to allow users of its search engine located in France to give their consent to the use of trackers to combat advertising fraud, as soon as they arrived on the website. The company responded within the timeframe and made technical modifications so that tracking linked to the fight against advertising fraud would be inactive in the absence of specific consent from French users.
For further information: CNIL Website
05/17/2023 – French Supervisory Authority | Sanction | Health Data and Cookies
The French Supervisory Authority published a decision issued on 11 May 2023, imposing a €380,000 fine on a health and well-being website for several breaches of the GDPR and of the French Data Protection Act.
Following a complaint by an association, the Authority carried out investigations into the company. The Authority identified several infringements, namely a failure to store data for no longer than necessary, failure to obtain consent from individuals to collect their health data, failure to provide a formal legal framework for the processing operations carried out jointly with another data controller, failure to ensure the security of personal data and a failure to comply with obligations related to the use of cookies.
For further information: CNIL Website
05/16/2023 – French Supervisory Authority | Action Plan | Artificial Intelligence
The French Supervisory Authority published its action plan for the deployment of AI systems that respect individuals’ privacy.
In 2023, the Authority will extend its action on augmented cameras and wishes to expand its work to generative AIs, large language models and derived applications (especially chatbots). Its action plan is structured around four strands: (i) understand the functioning of AI systems and their impact on people, (ii) enable and guide the development of privacy-friendly AI, (iii) federate and support innovative players in the AI ecosystem in France and Europe, and (iv) audit and control AI systems and protect people. This work will also help prepare for the entry into application of the draft European AI Regulation currently under discussion.
For further information: CNIL Website
05/10/2023 – French Supervisory Authority | Sanction | Compliance
The French Supervisory Authority published a decision issued on 17 April 2023, imposing a €5,2 million fine on a facial recognition company for failing to comply with the injunction issued in its October 2022 sanction decision.
The Authority had fined the company €20 million and enjoined the company to refrain from collecting and processing the data of individuals in France without a legal basis, and to delete the data of these individuals after responding to requests for access. The injunction was accompanied by a penalty of 100,000 euros per day of delay at the end of the two-month period. The Authority considered that the company had not complied with the order and imposed an overdue penalty payment.
For further information: CNIL Website [FR]
05/09/2023 – French Supervisory Authority | Publication | Data Protection Officers
The French Supervisory Authority announced that as part of a coordinated enforcement framework at the European level, it is conducting audits on public and private organizations to verify the role and means entrusted to their Data Protection Officer (“DPO”).
For its assessment, the Authority sent a dozen surveys in April to public institutions, local authorities and private companies, particularly in the luxury and transport sectors. The answers provided by the organizations will be analyzed in coordination with the Authority’s European counterparts. Depending on the results of these initial checks, on-site inspections may be carried out to complete the findings.
For further information: CNIL Website [FR]
04/03/2023 – French Supervisory Authority | Guidelines | Security of Personal Data
The French Supervisory Authority published updated guidelines relating to personal data security.
These guidelines aim to support actors dealing with personal data by reminding them of the basic precautions to be taken. The updated guidelines take into account the latest recommendations of the Authority regarding passwords and login.
For further information: CNIL Website [FR]
03/21/2023 – French Supervisory Authority | Publication | Connected Vehicles
The French Supervisory Authority announced the creation of a “compliance club” dedicated to players in the connected vehicle and mobility sectors, as part of its industry support initiative.
This privileged forum for dialogue will enable regular exchanges on issues affecting the daily lives of French individuals, and encourage innovation that respects their privacy.
For further information: CNIL Website [FR]
Germany
08/17/2023 – German Federal Ministry of the Interior and Community | Regulation | Federal Data Protection Act
The German Federal Ministry of the Interior and Community is working on an amendment to the Federal Data Protection Act. The Ministry’s current legislative draft has become public following a request under Germany’s Freedom of Information Act (“IFG”).
The draft is still at a very early stage and aims at institutionalizing the German Data Protection Conference (“Datenschutzkonferenz” / DSK), a body consisting of representatives from each of the German data protection authorities. Additionally, the proposed provisions include various changes, e.g. simplifications in terms of determining which authority is competent.
For further information: FragDenStaat [DE]
08/02/2023 – Berlin Supervisory Authority | Sanction | Data Protection
The Berlin Supervisory Authority announced the imposition of a €215,000 fine on a company for illegally documenting a list of information about employees on probationary period, including sensitive data.
The authority found that in order to determine whether to continue employment of the data subjects, the company was processing health and non-company related justifications that would conflict with flexible shift scheduling.
For further information: BlnBDI [DE]
06/06/2023 – German Federal Labour Court | Decision | Data Protection Officers
The German Federal Labour Court has ruled that a chairman of the works council usually cannot serve as a data protection officer at the same time. The German Federal Labour Court argues that these positions would typically lead to a conflict of interest.
For further information: German Federal Labour Court Press Release [DE]
06/02/2023 – German Parliament | Regulation | Whistleblowing Directive
The Law to improve the protection of whistleblowers and to implement the directive on the protection of persons who report violations of Union law transposing the Whistleblowing Directive was published in the Federal Gazette.
For further information: Official Gazette [DE]
05/31/2023 – Berlin Supervisory Authority | Sanction | GDPR Violations
The Berlin Supervisory Authority announced a fine of €300,000 on a bank for lack of transparency regarding an automated individual decision.
In particular, the complainant informed the Authority that the bank’s algorithm rejected its application for a credit card without providing any specific justification, preventing the complainant from challenging the automated decision.
For further information: BlnBDI Website [DE]
04/19/2023 – Schleswig-Holstein Supervisory Authority | Questionnaire | Artificial Intelligence Chatbot
The Schleswig-Holstein Supervisory Authority published the questionnaire that was sent by German Supervisory Authorities to an AI chatbot company in relation to its data processing.
For further information: UDL Website [DE]
04/14/2023 – Federal Office for Information Security | Guide | Security and Artificial Intelligence
The Federal Office for Information Security (“BSI”) published a Practical AI-Security guide.
The guide contains a brief and clear presentation of the current state of research in the area of attacks on AI, and also presents developers with possible defenses against such attacks.
For further information: BSI Website [DE]
Ireland
08/21/2023 – Irish Supervisory Authority | Sanction | Data minimization
The Irish Supervisory Authority published a decision imposing a reprimand and corrective measures on an online platform providing intermediation service, for infringing the principle of data minimization.
In particular, the Authority found that the platform’s retention of a copy of the complainant’s identity documentation following the successful completion of the identity verification process infringed the principles of data minimization.
For further information: DPC website
04/28/2023 – Irish Supervisory Authority | Guidance | Data Protection in the Workplace
The Irish Supervisory Authority announced the publication of guidance for employers, regarding data protection in the workplace.
This new guidance is specifically aimed at assisting employers as data controllers regarding their data processing obligations and duties when processing the personal data of their employees, former employees and prospective employees.
For further information: DPC website
04/19/2023 – Irish Supervisory Authority | Guidance | Records of Processing Activities
The Irish Supervisory Authority announced the publication of guidance on records of processing activities.
For further information: DPC website
Italy
07/06/2023 – Italian Supervisory Authority | Annual Report
The Italian Supervisory Authority published its annual report for the year 2022.
The report outlines the need for ensuring the protection of data subjects’ rights and freedoms against the risks resulting from large-scale processing activities based on AI tools, as well as actions of the Authority in this regard.
For further information: Garante Website [IT]
06/22/2023 – Italian Supervisory Authority | Sanction | GDPR violation
The Italian Supervisory Authority announced that a concessionaire for the construction and management of toll motorways was fined €1 million for violating the GDPR.
In this ruling, the Authority considered that the concessionaire violated the principles of correctness and transparency, given the failure to provide adequate information in relation to the processing, as well as the misclassification of the GDPR status.
For further information: Garante Website [IT]
06/09/2023 – Italian Supervisory Authority | Sanction | GDPR Violations
The Italian Supervisory Authority published a decision issued on 14 April 2023, in which it imposed a fine of €676,956 on an energy provider company for data protection failures with regard to promotional calls.
The Authority outlined that, by virtue of the principle of accountability and privacy by design, the data controller should prepare suitable measures to guarantee, at any time and, even more so, at the request of the Authority, the traceability of all operations carried out.
For further information: Garante Website [IT]
04/20/2023 – Italian Supervisory Authority | Press Release | Dark Patterns
The Italian Supervisory Authority published information on deceptive design patterns that can influence online browsing behavior and hinder data protection.
The Authority launched an information page which is part of a large information and awareness project on data protection, digital education and safety, for a conscious use of the Internet and new technologies.
For further information: Garante Website [IT]
04/14/2023 – Italian Supervisory Authority | Sanction | Unlawful Telemarketing Activities
The Italian Supervisory Authority issued a decision on 13 April 2023 imposing a €7,631,175 fine on a telecommunications company for multiple GDPR violations.
In particular, the Authority found that the company had failed to reply to data subject access requests, lacked valid documentation demonstrating consent for the company’s commercial communications, failed to act on a data breach and remained inactive over time.
For further information: Garante Website [IT]
Netherlands
05/17/2023 – Dutch Supervisory Authority | Annual Plan 2023
The Dutch Supervisory Authority published its annual plan for the year 2023.
In 2023, the Authority will pay particular attention to (i) algorithms & AI, (ii) big tech, and (iii) freedom & security.
For further information: AP Website [NL]
04/13/2023 – Dutch Supervisory Authority | Sanction | Inadequate Identity Checks
The Dutch Supervisory Authority announced the imposition of a fine of €150,000 on the organization which implements national insurance schemes in the Netherlands, for failing to adequately confirm the identity of callers to its telephone helpdesk and disclosing personal data to unauthorized individuals.
The organization has now taken measures to address the matter.
For further information: AP Website [NL]
Norway
07/27/2023 – Norwegian Supervisory Authority | Advice | Analytics and Tracking
The Norwegian Supervisory Authority published advice on the use of website analytics and tracking.
As analytics and tracking tools on the market are not all legal, the Authority provides guidance to websites (e.g., regarding cookie banner requirements, the use of consent as a legal basis, data transfers).
For further information: Datatilsynet Website [NO]
Portugal
04/20/2023 – Portuguese Supervisory Authority | Press Release | Security Incidents
The Portuguese Supervisory Authority published an overview of the security incidents in Portugal for the year 2022.
In 2022, 37 security incidents were reported to the Authority by electronic communications network and service companies and impacted approximately 6,4 million subscribers.
For further information: ANACOM Website [PT]
Spain
08/22/2023 – Council of Ministers | Authority Appointment | Artificial Intelligence
The Council of Ministers has approved the statute of the Spanish Agency for the Supervision of Artificial Intelligence (AESIA).
With the creation of the AESIA, Spain becomes the first European country to have such an entity and anticipates the entry into force of the European Artificial Intelligence Act.
For further information: Government Website [ES]
08/21/2023 – Spanish Supervisory Authority | Sanction | Sub-processing
The Spanish Supervisory Authority published a decision imposing a €120,000 fine (reduced to €72,000) against a transport company for unlawful sub-processing.
The Authority found that it was clear that the subcontracting did not comply with the provisions of the GDPR due to the lack of formalization of contracts or legal acts, as well as the lack of authorizations prior to their formalization.
For further information: AEPD Website [ES]
07/28/2023 – Spanish Supervisory Authority | Sanction | Security
The Authority issued a €2,5 million fine against a bank for failing to implement appropriate security measures.
In particular, the Authority considered that the technical and organizational measures implemented by the bank did not guarantee a level of security appropriate to the risk, due to the nature of the personal data processed, which deserve special protection in terms of their confidentiality and integrity.
For further information: AEPD Website [ES]
07/11/2023 – Spanish Supervisory Authority | Guidance | Cookies
The Spanish Supervisory Authority released an updated cookie guide taking into account the EDPB guidelines on deceptive design patterns.
For further information: AEPD Website [ES]
05/09/2023 – Spanish Supervisory Authority | Guidelines | Encryption
The Spanish Supervisory Authority published guidelines for the validation of cryptographic systems in data protection processing.
For further information: AEPD Website [ES]
Sweden
06/27/2023 – Swedish Supervisory Authority | Press Release | Profiling
The Swedish Supervisory Authority published its decision, issued on 26 June 2023, imposing a fine of SEK 13 million (approx. €1,09 million) on a publishing company, for profiling its customers and web visitors without consent.
For further information: IMY Website
06/12/2023 – Swedish Supervisory Authority | Sanction | GDPR Violations
The Swedish Supervisory Authority issued a decision imposing a SEK 58 million (approx. €4,9 million) fine on a company providing an audio streaming service for shortcomings regarding the right of access.
The Authority considered that the company does not provide information about how it uses the personal data it processes upon a request of access of individuals and specifies that this information must be easy to understand. In addition, personal data that is difficult to understand, such as those of a technical nature, may need to be explained not only in English but in the individual’s own, native language. The Authority has further found that the company had failed in its handling of requests for access related to two out of three of the complaints examined.
For further information: NOYB Website
Switzerland
05/11/2023 – Swiss Supervisory Authority | Press Release | Revised Federal Act on Data Protection | Website Update
The Swiss Supervisory Authority updated the content of its website in anticipation of the new Data Protection Act coming into force on 1 September 2023. At the same time, it is launching the “DataBreach Portal” for reporting security vulnerabilities.
For further information: FDPIC Website
United Kingdom
08/30/2023 – UK Supervisory Authority | Guidance | Email Communications
The UK Supervisory Authority published new guidance for organisations sending bulk communications by email.
For further information: ICO Website
08/24/2023 – UK Supervisory Authority | Guidance | Data Scraping
The UK Supervisory Authority released a joint statement on data scraping and the protection of privacy with agencies from Australia, Canada, Hong Kong, Switzerland, Norway, New Zealand, Colombia, Jersey, Morocco, Argentina and Mexico.
The statement calls for the protection of people’s personal data from unlawful data scraping taking place on social media sites. It also sets expectations for how social media companies should protect people’s data from unlawful data scraping.
For further information: ICO Website
08/18/2023 – UK Supervisory Authority | Guidance | Biometric Data
The UK Supervisory Authority published draft guidance on biometric data and biometric technologies, which is open for public consultation until 20 October 2023.
For further information: ICO Website
07/17/2023 – UK Supervisory Authority | Blog | Unlawful Marketing
The UK Supervisory Authority released a blog post on its ongoing work to tackle unlawful marketing calls and messages.
The UK Supervisory Authority has issued more than £2,4 million in fines (approx. €2,8 million) since April 2022, through the enforcement of the UK Privacy and Electronic Communications Regulations 2003, against companies responsible for nuisance calls, texts and emails.
For further information: ICO Website
07/06/2023 – National Cyber Security Centre | Report | Risk Management
The National Cyber Security Centre announced the release of its sixth annual report providing a retrospective summary of the work carried out as part of the Active Cyber Defense program.
For further information: NCSC Website
06/19/2023 – UK Supervisory Authority | Guidance | Privacy-Enhancing Technologies
The UK Supervisory Authority issued guidance which discusses privacy-enhancing technologies (“PETs”).
As a reminder, PETs are technologies that embody fundamental data protection principles by (i) minimizing personal data use, (ii) maximizing information security, or (iii) empowering people.
For further information: ICO Website
06/08/2023 – UK Supervisory Authority | Sanction | Unlawful Marketing Calls
The UK Supervisory Authority announced it fined two energy companies a total of £250,000 (approx. €291,577) for bombarding people and businesses on the UK’s “do not call” register with unlawful marketing calls.
The UK Supervisory Authority also issued an enforcement notice to both companies to stop calling people and businesses on the UK’s “do not call” register, or who had previously objected to such calls.
For further information: ICO Website
06/08/2023 – UK Government | Press Release | UK-US Data Transfers
The UK and US have reached a commitment to establish the UK Extension to the Data Privacy Framework, that will create a “data bridge” between the two countries.
US companies that are approved to join the framework would be able to receive UK personal data under the new data bridge.
For further information: UK Government Website
05/30/2023 – UK Supervisory Authority | Guidance | Children Data
The UK Supervisory Authority announced that it updated its guidance on edtech and the Children’s code to clarify when an edtech service may be in the scope of the Children’s code.
For further information: ICO Website
05/24/2023 – UK Supervisory Authority | Guidance | Access Requests and Employers
The UK Supervisory Authority published new guidance for businesses and employers on responding to data subject access requests (“SARs”).
For further information: ICO Website
05/19/2023 – UK High Court of Justice | Decision | Loss Of Control Over Personal Data
The High Court struck out a class action claim for damages in relation to loss of control over personal data against a technology company and its AI company, and ordered summary judgment in their favor.
For further information: Royal Courts of Justice Website
04/14/2023 – UK Supervisory Authority | Sanction | Consent
The UK Supervisory Authority announced that it had imposed a £130,000 (approximately €150,000) fine on a job search website provider for sending 107 million spam emails targeting jobseekers.
The UK Supervisory Authority established in its decision that the company had not obtained valid consent to send direct marketing in accordance with the UK Privacy and Electronic Communications Regulations 2003.
For further information: ICO Website
04/13/2023 – National Cyber Security Centre | Guidance | Security by Design and by Default
On 13 April 2023, the National Cyber Security Centre (“NCSC”) as well as agencies from the US, Australia, Canada, Germany, the Netherlands and New Zealand issued a new joint guide on security by design and by default.
In particular, the guide encourages software manufacturers to embed secure-by-design and by-default principles into their products to help keep customers safe.
For further information: NCSC Website
This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:
- Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris (abaladi@gibsondunn.com)
- Vera Lukic – Partner, Paris (vlukic@gibsondunn.com)
- Kai Gesing – Partner, Munich (kgesing@gibsondunn.com)
- Joel Harrison – Partner, London (jharrison@gibsondunn.com)
- Alison Beal – Partner, London (abeal@gibsondunn.com)
- Clémence Pugnet – Associate, Paris (cpugnet@gibsondunn.com)
- Roxane Chrétien – Associate, Paris (rchretie@gibsondunn.com)
- Thomas Baculard – Associate, Paris (tbaculard@gibsondunn.com)
- Hermine Hubert – Associate, Paris (hhubert@gibsondunn.com)
- Christoph Jacob – Associate, Munich (cjacob@gibsondunn.com)
- Yannick Oberacker – Associate, Munich (yoberacker@gibsondunn.com)
- Sarah Villani – Associate, London (svillani@gibsondunn.com)
© 2023 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
European Data Privacy Newsletter
Europe
12/14/2023
Court of Justice of the European Union | Decision | Misuse of personal data
The Court of Justice of the European Union ruled that the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage.
In this case, the Bulgarian Supreme Administrative Court requested clarification of the conditions for awarding compensation for non-material damage relied on by a data subject whose personal data, held by a public agency, were published on the internet following an attack by cybercriminals. The Court emphasized that the mere occurrence of unauthorized disclosure of or access to personal data does not automatically imply that the protective measures implemented by the controller were not appropriate; those measures must be assessed in a concrete manner.
For more information: CJEU Website
12/07/2023
Court of Justice of the European Union | Decision | Automated Individual Decision
The Court of Justice of the European Union issued a significant ruling in cases involving a private credit information agency declaring that “scoring” qualifies as “automated individual decision-making” and is, in principle, prohibited by Article 22 of the GDPR.
While ‘scoring’ is permitted only under certain conditions, the prolonged retention of information relating to the granting of a discharge from remaining debts is contrary to the GDPR. The court emphasized the primacy of data subjects’ rights and interests, asserting their right to prompt deletion when their personal data have been unlawfully processed, i.e. beyond the retention period.
For more information: CJEU Website
12/05/2023
Court of Justice of the European Union | Decision | Calculation of Fines
The Court of Justice of the European Union disclosed two rulings in which it shared an interpretation of the GDPR concerning the assessment and computation of penalties for breaches.
The CJEU clarifies the conditions under which national supervisory authorities may impose an administrative fine on one or more controllers for an infringement of the GDPR. In particular, it holds that the imposition of such a fine requires wrongful conduct; in other words, that the infringement has been committed intentionally or negligently. Moreover, where the addressee of the fine forms part of a group of companies, the calculation of that fine must be based on the turnover of the entire group.
For more information: CJEU Website
11/27/2023
European Commission | Data Act
The European Regulation 2023/2854, often referred to as the “Data Act”, was adopted on 27 November 2023 and entered into force on 11 January 2024.
For more information: Council of the European Union Website
11/16/2023
European Court of Justice | Decision | Indirect exercise of rights
On November 16, 2023, the European Court of Justice ruled that a supervisory authority’s decisions in the context of the indirect exercise of the data subject’s rights are legally binding.
As a result, an appeal against the decision is possible, and the authority must provide sufficient information to the data subject to allow him/her to decide whether or not to appeal.
For more information: ECJ Decision
11/16/2023
European Data Protection Board | Guidelines | Tracking technologies
The European Data Protection Board published its guidelines on the application of article 5(3) of the e-Privacy Directive on new tracking technologies.
The guidelines aim to clarify how the e-Privacy Directive applies to innovative technologies. The EDPB is open to comments until January 18, 2024.
For more information: EDPB Guidelines
10/28/2023
European Commission and Japan | Agreement | Cross Border Data flows
On October 28, 2023, the European Commission reached an agreement with Japan concerning cross-border data flows.
This agreement aims to facilitate efficient data handling between both parties, eliminating burdensome administrative and storage requirements. Notably, the agreement removes the requirement for companies to physically store their data locally. Once ratified, the provisions of this agreement will be incorporated into the EU-Japan Economic Partnership Agreement.
For more information: European Commission Website
10/26/2023
Confederation of European Data Protection Organizations | Paper | Generative AI
The Confederation of European Data Protection Organizations released a paper addressing the data protection implications of Generative AI.
Key issues covered include data-sharing risks, accuracy of personal data, conducting DPIAs on generative AI tools, implementing data protection by design, selecting a lawful basis for training generative AI systems, optimizing organizational structures, applying privacy-enhancing techniques and handling data subject rights within this technological context.
For more information: CEDPO Website
10/26/2023
Court of Justice of the European Union | Decision | CJEU rules on Art. 15 GDPR (right to access)
The CJEU has clarified the rights of data subjects. The court ruled that the controller may only charge a fee for providing a copy under Art. 15 (3) GDPR where the data subject has already obtained a free copy before.
Furthermore, the data subject must receive a full copy of his/her personal data, where the provision of such a copy is essential in order to enable the data subject to verify how accurate and exhaustive those data are, as well as to ensure they are intelligible.
For more information: CJEU Website
10/17/2023
European Data Protection Board | Announcement | EDPB to launch coordinated enforcement action regarding Art. 15 GDPR
The EDPB selected the topic for its third coordinated enforcement action and announced that it will be launched in 2024. The action will concern the implementation of the right of access by controllers.
For more information: EDPB Website
10/12/2023
Court of Justice of the European Union | Press Release | Data Privacy Framework
The Court of Justice of the European Union (“CJEU”) dismissed a French citizen’s request to suspend the execution of the EU-US Data Privacy Framework’s adequacy decision.
The CJEU considered that the French citizen failed to demonstrate the necessary prerequisites for such request, as he was unable to prove that he would experience significant harm if the execution of the adequacy decision was not suspended.
For more information: CJEU Website
10/05/2023
European Commission | Press Release | Contractual Clauses For AI
The Commission announced the finalization of the EU model contractual AI clauses to use in procurements of AI.
The clauses are developed for pilot use in the procurement of AI with the aim to establish responsibilities for trustworthy, transparent, and accountable development of AI technologies between the supplier and the public organization. The EU model contractual AI clauses contain provisions specific to AI systems and on matters covered by the proposed AI Act, thus excluding other obligations or requirements that may arise under relevant applicable legislation such as the GDPR.
For more information: European Commission Website
09/28/2023
European Data Protection Supervisor | Blog | Data Protection & Cybersecurity
The European Data Protection Supervisor published a blog post on the interplay between data protection and cybersecurity.
The post highlights the need to take data protection into account in cybersecurity strategies, advocating collaboration between data protection officers and IT security departments. Additionally, it discusses the dual role of artificial intelligence in cybersecurity, noting its potential to enhance current cybersecurity solutions and how it also allows, for instance, the production of (fake) pictures, videos, photos, texts, and more, which cybercriminals can exploit to steal someone’s identity as part of social engineering attacks.
For more information: EDPS Website
09/25/2023
European Commission | Data Governance Act
The European Regulation 2022/868, often referred to as the “Data Governance Act”, entered into force on 24 September 2023.
As a reminder, the regulation seeks to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data, notably with public actors.
For more information: European Commission Website
Denmark
12/07/2023
Danish Supervisory Authority | Guide | Access Rights
The Danish Supervisory Authority released guidance on access rights management, emphasizing that it is a collective responsibility within organizations.
The guide highlights that all employees, regardless of their IT security role, share the responsibility of being aware of and respecting their access rights.
For further information: Datatilsynet Website [DA]
11/28/2023
Danish Supervisory Authority | Measures | Data Security
The Danish Supervisory Authority released a catalog outlining technical and organizational measures essential for ensuring security in compliance with Articles 5 and 32 of the GDPR.
The catalog suggests technical measures such as automatic encryption, multi-factor authentication, automatic access control, logging of users’ personal data use, and physical access control. On the organizational front, recommendations include measures such as minimizing privileged access rights, implementing role-based access rights, documenting data access authorizations, and establishing withdrawal procedures.
For further information: Datatilsynet Website [DA]
09/28/2023
Danish Supervisory Authority | Sanction | GDPR Violations
The Danish Supervisory Authority issued a DKK 1 million (approx. €134,000) fine against a hotel group for failure to delete personal data.
For more information: Datatilsynet Website [DK]
Finland
11/08/2023
Finnish Supervisory Authority | Guidance | Security Breach Notification
The Finnish Supervisory Authority published guidance on filing a data breach notification.
The guidance covers risk assessment, which should take into account the consequences of the data breach from the data subject’s point of view; communication to the data subject; and completion of the notification to the supervisory authority and compliance with deadlines.
For further information: Ombudsman Website [FI]
France
12/12/2023
French Competition Authority | Joint Declaration | Cooperation in data protection and competition
The French Competition Authority and the French Supervisory Authority signed a joint declaration to enhance cooperation in the areas of data protection and competition.
For more information: CNIL Website [FR]
11/24/2023
French Supervisory Authority | Recommendation | API Data Sharing
The French Supervisory Authority issued a recommendation regarding the use of application programming interfaces (“APIs”) for data sharing.
The recommendation outlines three specific roles involved in the usage of APIs: the data holder, the API manager, and the data re-user. The recommendation also highlights the importance of evaluating the risks associated with APIs, considering factors like the type of database access, the security levels of authentication methods, and the categories of data involved, including sensitive data.
For more information: CNIL Website [FR]
11/15/2023
French Supervisory Authority | Referential | Health Data conservation duration
The French Supervisory Authority published a referential and guidance note on retention periods for health data.
For more information: CNIL Website [FR]
11/07/2023
French Supervisory Authority | Sanction | Simplified Procedure
The French Supervisory Authority (“CNIL”) issued ten new decisions under its new simplified sanction procedure, introduced in 2022.
Private and public-sector players were fined a total amount of €97,000 for various violations, including failure to respond to CNIL requests, non-compliance with the principle of data minimization (geolocation and continuous video surveillance of employees), lack of information on the processing carried out and its purposes, and failure to respect individuals’ rights (in particular to respond to a request for objection).
For more information: CNIL Website
10/13/2023
French National Assembly | Clarifying Bill | GDPR Scope
The French National Assembly adopted an amendment to complete the French Data Protection Law in order to clarify the scope of the GDPR and ensure that certain practices are covered by French and European obligations in terms of personal data protection.
The French Supervisory Authority identified a legal gap in the data protection legislation which allows the trading of personal data by entities not established in the EU without the knowledge of individuals. The amendment seeks to supplement French law, ensuring that the GDPR applies effectively.
For more information: French National Assembly Website [FR]
10/11/2023
French Supervisory Authority | Publication | Databases Trainings For AI
The French Supervisory Authority opened for public consultation its first set of guidelines on the use of artificial intelligence (AI), regarding the development of learning databases for AI systems.
For more information: CNIL Website [FR]
09/28/2023
French Supervisory Authority | Sanction | GDPR Violations
The French Supervisory Authority (“CNIL”) issued a €200,000 fine against an air freight company.
During the investigation, the CNIL observed infringements regarding, in particular, excessive data collection, non-compliance with the ban on processing sensitive data and data relating to offences, and a lack of cooperation with the CNIL services.
For more information: CNIL Website
Germany
11/29/2023
German Supervisory Authority | Opinion | EU AI ACT
The German Supervisory Authority released its stance on the EU AI Act, emphasizing the need for a comprehensive allocation of responsibilities throughout the entire artificial intelligence value chain.
The Authority asserted that the EU AI Act should clearly outline the requirements for all parties involved, including manufacturers and providers of basic AI models. Critically, it argued against a unilateral transfer of legal responsibility to the later stages of the value chain, deeming such a shift as economically unsound and detrimental to data protection. The Authority contended that a balanced distribution of responsibilities is essential to safeguard the fundamental rights of individuals whose data undergoes processing by AI systems.
For more information: DSK Website [DE]
11/02/2023
Hamburg Commissioner for Data Protection and Freedom of Information | Press Release | Behavioral Advertising
The Hamburg Commissioner for Data Protection and Freedom of Information (“HmbBfDI”) issued a press release addressing a social media platform’s new business model in light of the European Data Protection Board’s (“EDPB”) binding decision on behavioral advertising.
Following the EDPB’s binding decision, the social media platform has provided a new option where users can choose between a free version that still includes behavioral advertising, and a paid version without this type of marketing. Referring to the Resolution of the Data Protection Conference (“DSK”) on subscription models, the Hamburg Commissioner for Data Protection and Freedom of Information noted that the social media platform’s payment model will have to fulfill requirements like granularity in consent, transparency, and the avoidance of misleading design tools. The German Supervisory Authority expressed various concerns and is now expecting a legal assessment by the lead authority in Ireland.
For more information: HmbBfDI Website [DE]
10/05/2023
German Competition Authority | Press Release | Competition
The German Competition Authority (“Bundeskartellamt”) obtained commitments from an American technology services company to grant users better control of their data.
The Bundeskartellamt conducted a proceeding based on the new instrument under competition law which allows it to intervene when competition is threatened by large digital companies. In the future, the company will have to provide its users with the possibility to give free, specific, informed and unambiguous consent to the processing of their data across services. For this purpose, the company has to offer corresponding choice options for the combination of data. To avoid “dark patterns”, the choice options must be designed so as not to guide users manipulatively towards cross-service data processing. Such an obligation will already result from the Digital Markets Act (“DMA”) for certain company services which have recently been designated by the European Commission and thus are not covered by the commitments.
For more information: Bundeskartellamt Website
09/26/2023
German Federal Court of Justice | Decision | submits questions to CJEU regarding injunctive relief under the GDPR as well as regarding Art. 82 GDPR
The German Federal Court of Justice (“Bundesgerichtshof”) asked the CJEU under Art. 267 TFEU to provide a preliminary ruling as to whether Art. 17 (right to erasure) or Art. 18 (right to restriction of processing) of the GDPR also provide for a data subject’s right to request from a controller to refrain from any future illegitimate processing of personal data (injunctive relief).
Furthermore, the court asked the CJEU to clarify whether mere negative feelings such as anger, resentment, dissatisfaction, worry and fear, which, in the German court’s view, may be “part of the general risk of life and everyday experience” could constitute an immaterial damage within the meaning of Art. 82 GDPR.
For more information: Bundesgerichtshof Website [DE]
09/19/2023
Hamburg Commissioner for Data Protection and Freedom of Information | Press Release | Data Breach Notification
The Hamburg Commissioner for Data Protection and Freedom of Information (“HmbBfDI”) published guidance on handling data breach notifications.
The guidance concerns, for instance, the cases that should be notified, the deadline that applies, and the form to use to notify the German Supervisory Authority.
For more information: HmbBfDI Website [DE]
09/04/2023
Supervisory Authorities | Information Note | Data Protection Framework
The German Data Protection Conference (“DSK”) published an information note to explain the background and content of the EU-U.S. Data Protection Framework.
The note is aimed at both data controllers and processors in Germany who transfer personal data to the U.S. and data subjects. In particular, the note highlights the scope and application of the new framework, the use of alternative instruments for transfers to the U.S., and the scope and enforcement of data subjects’ rights vis-à-vis entities in the U.S.
For more information: DSK Announcement [DE]
Ireland
09/28/2023
Irish Council for Civil Liberties | Statement | Irish Data Protection Commission
The Irish Council for Civil Liberties urged the Government to guarantee no appearance of conflict of interest in the selection of new leaders of the Irish Supervisory Authority.
For more information: ICCL Website
09/11/2023
Irish Supervisory Authority | Press Release | Unlawful Marketing
The Irish Supervisory Authority welcomed the outcome of the prosecution proceedings that were taken against several companies in Ireland for sending unsolicited marketing communications without obtaining consent.
For more information: Irish Supervisory Authority Website
Italy
12/12/2023
Italian Supervisory Authority | Guidelines | Password Storage
The Italian national security agency and the Italian Supervisory Authority jointly released guidelines addressing the technical measures to be adopted for password storage.
The primary goal of the guidelines is to offer recommendations for implementing the most secure technical functions for password storage, with a focus on preventing unauthorized access by cybercriminals. The guidelines outline various techniques and minimum parameters, emphasizing the improvement of password hashing techniques and the utilization of diverse algorithms as key measures to enhance password security. The overarching aim is to bolster the protection of sensitive data and mitigate the risk of unauthorized access.
For more information: Garante Website [IT]
11/22/2023
Italian Supervisory Authority | Investigation | Web scraping
The Italian Supervisory Authority announced the commencement of an investigation into public and private websites.
The aim is to assess the implementation of adequate security measures to prevent the web scraping of personal data for the training of artificial intelligence algorithms by third parties. The investigation targets all entities, acting as controllers, based in Italy or providing services in Italy, that publicly expose personal data online.
For more information: Garante Website [IT]
10/23/2023
Italian Supervisory Authority | Sanction | Inaccurate Personal Data
The Italian Supervisory Authority imposed a €10 million fine on an energy company for the activation of unsolicited contracts with inaccurate and outdated data.
The Authority also ordered corrective actions, such as implementing a contract accuracy verification system, alert systems to identify improper data acquisition, and enhancing audit procedures against sales agencies.
For further information: Garante Website [IT]
Norway
09/29/2023
Norwegian Privacy Appeals Board | Decision | Sensitive Data
The Norwegian Privacy Appeals Board confirmed the decision of the Norwegian Supervisory Authority from December 2021 to issue a NOK 65 million (approx. €5,5 million) fine against a dating application.
The Authority found that the dating application disclosed its users’ personal data such as GPS location, IP address, mobile phone’s advertising ID, age and gender – in addition to the fact that they were using the dating application – to several third parties for behavioral marketing purposes, without a proper legal basis.
Spain
11/23/2023
Spanish Supervisory Authority | Guide | Biometric Data
The Spanish Supervisory Authority issued a guide on the use of biometric data for presence and access control, outlining criteria to ensure compliance with the GDPR and other regulations.
For more information: AEPD Website [ES]
11/02/2023
Spanish Supervisory Authority | Blog Post | Synthetic Data
The Spanish Supervisory Authority (“AEPD”) provided guidance on the use and generation of synthetic data.
According to the AEPD, creation of synthetic data from real personal data is itself a processing governed by the GDPR. Therefore, it is necessary to consider the provisions of the GDPR and in particular the principle of accountability, and the assessment of a possible risk of re-identification from the created synthetic data set.
For more information: AEPD Website
10/20/2023
Spanish Supervisory Authority | Sanction | Cyber Security
The Spanish Supervisory Authority issued a €1 million fine (reduced to €800,000) against a Spanish banking company for insufficiently protecting the personal data of customers.
A customer had reported that their credit card had been stolen, and the bank had not properly taken the information into account, leading to identity theft where hackers took out loans and transferred money in the complainant’s name.
For more information: AEPD Website [ES]
10/05/2023
Spanish Supervisory Authority | Tool | Encryption
The Spanish Supervisory Authority (“AEPD”) released a tool called “ValidaCripto”, designed to evaluate encryption systems.
ValidaCripto transfers the methodology of the AEPD’s previously released guidelines on cryptographic systems to an intuitive web tool that helps to visually evaluate encryption systems’ compliance with data protection requirements.
For more information: AEPD Website
09/28/2023
Spanish Supervisory Authority | Blog | Privacy Enhancing Technologies
The Spanish Supervisory Authority published guidance on Privacy Enhancing Technologies.
The blog post emphasizes that Privacy Enhancing Technologies (“PETs”) make it possible to implement privacy principles, but that the same tools are also useful for implementing the governance policies that guarantee trust and data sovereignty in a Data Space. Therefore, PETs should be “dual-use” technologies to be efficient and effective, integrated in the core of the Data Spaces, fulfilling different purposes in the data-access sharing economy.
For more information: AEPD Website
United Kingdom
12/15/2023
UK Supervisory Authority | Guidance | Transfer Risk Assessment
The UK Supervisory Authority released guidance on transfer risk assessment for entities transferring personal information to the US using Article 46 of the UK GDPR.
The guidance aims to support organizations engaged in restricted transfers of personal data to the US, employing mechanisms outlined in Article 46 of the UK GDPR. Following the Schrems II case in 2020, the guidance highlights the necessity of conducting a Transfer Risk Assessment before transferring personal data from the UK, emphasizing the importance of the Department for Science, Innovation and Technology’s analysis to streamline the process. The Department for Science, Innovation and Technology’s analysis evaluates US laws concerning access and usage of personal information for national security and law enforcement purposes.
For more information: ICO Website
12/12/2023
UK Supervisory Authority | Draft guidance | Employment practices and data protection
The UK Supervisory Authority released two draft guidance documents on data protection compliance in the areas of “keeping employment records” and “recruitment and selection”.
The guidance for keeping employment records is directed at employers, outlining their obligations under the UK GDPR and the Data Protection Act 2018 concerning the collection and maintenance of worker records. It emphasizes the need for a balance between the necessity of employment records for organizational operations and the privacy rights of workers. The second draft guidance is tailored for employers and entities involved in recruitment processes, including agencies and consultancies. It addresses the intricacies of managing diverse personal data, including sensitive data, during recruitment, with a focus on protecting candidates’ data protection rights. These guidance documents are open for consultation from relevant stakeholders (including employers, professional associations, those representing the interests of staff, recruitment agencies, employment dispute resolution bodies, workers, volunteers and employees, and suppliers of employment technology solutions) until 5 March 2024.
For more information: ICO Website
11/09/2023
Office of Communications | Statement | Online Safety Act
On September 11, 2023, the Office of Communications (“Ofcom”) announced its new role as the regulator for online safety, following the enactment of the Online Safety Act on October 26, 2023.
Ofcom’s role is to make online services safer for the people who use them, by ensuring regulated services take appropriate steps to protect their users. Ofcom will set out codes of practice and guidance for companies falling under the scope of the Online Safety Act. It will have powers to take enforcement action, including issuing fines to services if they fail to comply with their duties. However, Ofcom will not be responsible for removing online content, and won’t require companies to remove content, or particular accounts. It should be noted that Ofcom’s powers are not limited to service providers based in the UK.
For more information: Ofcom Website
10/25/2023
Department of Science, Innovation and Technology | Publication | Data Transfers
The Department of Science, Innovation and Technology (“DSIT”) released an executive summary and initial conclusions from the first phase of an evaluation into the implementation of the International Data Transfer Agreement (“IDTA”).
This evaluation started at the beginning of the implementation period of the UK’s new standard data protection clauses, the IDTA and Addendum to the European Commission’s Standard Contractual Clauses for international transfers, which replace the previous EU SCCs for international transfers. The evaluation was meant to assess how businesses experienced the transition to the new clauses. A further phase of this research is planned following the end of the transitional period. DSIT will work with the ICO to reflect on the findings of the research.
For more information: UK Government Website
10/12/2023
UK-US Data Bridge | Entry into Force | Adequate Protection
On October 12, 2023, the Data Protection Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge) entered into effect.
This UK extension to the EU-US Data Privacy Framework allows businesses to transfer personal data to US certified entities listed in the EU-US Data Privacy Framework without additional safeguards. However, UK organizations must update privacy policies and document data transfer methods to comply with this new framework.
For more information: The Data Protection (Adequacy) (United States of America) Regulations 2023
09/20/2023
UK Supervisory Authority | Sanction | Unlawful Marketing practices
The UK Supervisory Authority announced that it issued a fine against five companies totaling £590,000 (approx. €670,000) for unwanted marketing calls which targeted the elderly and people with vulnerabilities.
For more information: ICO Website
- Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris (abaladi@gibsondunn.com)
- Vera Lukic – Partner, Paris (vlukic@gibsondunn.com)
- Kai Gesing – Partner, Munich (kgesing@gibsondunn.com)
- Joel Harrison – Partner, London (jharrison@gibsondunn.com)
- Alison Beal – Partner, London (abeal@gibsondunn.com)
- Clémence Pugnet – Associate, Paris (cpugnet@gibsondunn.com)
- Thomas Baculard – Associate, Paris (tbaculard@gibsondunn.com)
- Roxane Chrétien – Associate, Paris (rchretien@gibsondunn.com)
- Hermine Hubert – Associate, Paris (hhubert@gibsondunn.com)
- Christoph Jacob – Associate, Munich (cjacob@gibsondunn.com)
- Yannick Oberacker – Associate, Munich (yoberacker@gibsondunn.com)
- Sarah Villani – Associate, London (svillani@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Q1 and Q2 2024
Europe
07/12/2024
European Union | Artificial Intelligence Regulation | Publication
The AI Act (Regulation 2024/1689) was published in the OJEU today. It will enter into force on 1 August, meaning the 2-year transition period for most of the Act will end on 1 August 2026.
The Act applies to AI providers, deployers, importers, distributors, and manufacturers, with exemptions for military and research uses. It classifies AI systems by risk, prohibits certain practices, and in particular imposes requirements on high-risk systems. Enforcement includes the creation of an AI Office, a scientific panel, an AI Board, and an advisory forum, with possible fines up to €35 million or 7% of global turnover for severe breaches.
For more information: Official Journal of the European Union
06/20/2024
Court of Justice of the European Union | GDPR Violation | Right to Compensation
The Court of Justice of the European Union (“CJEU”) published a judgment on the right to compensation for non-material damage as a result of fear.
In the case C-590/22, the CJEU ruled that an infringement of the GDPR alone does not suffice to establish a right to compensation. The claimant must demonstrate actual damage caused by the infringement, although the damage need not be severe. The CJEU also determined that a claimant’s fear of personal data disclosure to third parties — as a result of a breach of the GDPR — can constitute non-material damage if the fear and its negative consequences are duly demonstrated. Notably, the criteria for administrative fines do not apply to compensation assessments, and compensation is not meant to serve a dissuasive function. Furthermore, violations of national laws that do not specifically relate to the GDPR do not need to be considered when determining compensation amounts.
For more information: CJEU Judgment – C-590/22
06/20/2024
Court of Justice of the European Union | GDPR Violation | Right to Compensation
The Court of Justice of the European Union (“CJEU”) published rulings on the right to compensation for non-material damages based on theft of personal data.
The CJEU made several important rulings regarding compensation under Article 82(1) of the GDPR. First, the court clarified that the right to compensation is intended solely to fully compensate for the damage suffered due to GDPR violations and does not serve a punitive purpose. Second, the severity or intentional nature of the violation does not need to be considered when determining the amount of compensation. Third, the court emphasized that non-material damage from a data breach is not inherently less significant than physical injury. Furthermore, minimal compensation can be awarded for minor damage as long as it fully compensates the harm. Finally, the court stated that for identity theft under the GDPR, actual misuse of stolen data must be shown, but compensation for non-material damage is not limited to cases where identity misuse is proven.
For more information: CJEU Judgment – C-182/22 and C-189/22
04/18/2024
European Data Protection Board | Strategy | Priorities for 2024-2027
On April 18, 2024, the European Data Protection Board (“EDPB”) released its strategy for 2024-2027.
The EDPB aims to support supervisory authorities in enforcing the GDPR and the Law Enforcement Directive, while also facilitating their interaction with new legislation such as the EU AI Act, the Digital Services Act, and the Digital Markets Act. Specifically addressing artificial intelligence, the EDPB plans to offer guidance on data protection and GDPR implementation, focusing on high-risk areas and vulnerable groups, such as children. Regarding the EU-US Data Privacy Framework, the EDPB intends to provide public information and template complaint forms to facilitate the implementation of redress mechanisms.
For more information: EDPB Website
03/14/2024
Court of Justice of the European Union | Personal Data | Powers of the Supervisory Authority
The Court of Justice of the European Union (“CJEU”) ruled that the supervisory authority of a Member State may order, of its own motion, the erasure of personal data in case of unlawful processing.
The CJEU clarified that the supervisory authority is entitled to order the erasure of data in order to ensure that the GDPR is fully enforced, even in the absence of a prior request made by the data subject to that effect. The CJEU further specified that, like other corrective measures, the power of the supervisory authority to order the erasure of data applies regardless of whether the data is collected directly from the data subject or indirectly from another source.
For more information: CJEU Judgment – C-46/23
04/11/2024
Court of Justice of the European Union | Compensation | GDPR Violation
In a ruling issued on April 11, 2024, the Court of Justice of the European Union (“CJEU”) clarified the concept of non-material damage, the conditions for exemption from liability and the criteria for determining the amount of damages.
Referring to its previous case law, the CJEU ruled that the mere infringement of GDPR provisions granting rights to individuals is insufficient to establish non-material damage, unless the individual can prove actual harm, regardless of its severity. The Court emphasized that an organization cannot evade liability simply by attributing the infringement to human error within its operation. Additionally, when assessing compensation for non-material damages under GDPR, the criteria for setting administrative fines are not applicable, nor should the quantity of infringements affect compensation calculations. The judgment asserts the need for full and effective compensation directly proportional to the actual damage suffered, adhering strictly to the compensatory rather than punitive intent of the provision.
For more information: CJEU Judgment – C-741/21
03/07/2024
Court of Justice of the European Union | Personal Data | Online Advertising
The Court of Justice of the European Union (“CJEU”) rendered its judgment in the IAB Europe case and clarified the organization’s status with regard to data processing operations for advertising purposes within the Transparency and Consent Framework (“TCF”).
The TCF is a set of rules established by IAB Europe, consisting of guidelines and technical specifications that enable its members (website or application providers, data brokers, and advertising platforms) to lawfully process the personal data of users of a website or an application. The TCF allows, inter alia, the recording of users’ preferences through Consent Management Platforms, by generating a signal called “TC String”. First, the Court confirmed that the TC String is personal data within the meaning of the GDPR since it contains certain information that can be used to identify a user if associated with an identifier, such as an IP address. Second, the Court held that IAB Europe is a joint controller with its members when the consent preferences are recorded in a TC String. However, the Court stated that IAB Europe cannot be regarded as a controller for the subsequent data processing operations by members.
For more information: CJEU Judgment – inter alia
03/07/2024
Court of Justice of the European Union | Personal Data | Concept of Processing
The Court of Justice of the European Union (“CJEU”) ruled that the oral disclosure of information on possible ongoing or completed criminal proceedings to which a natural person has been subject constitutes processing of personal data.
The CJEU reiterates that since the oral disclosure of personal data constitutes non-automated processing, the personal data subject to such processing must be contained or intended to be contained in a filing system in order for that processing to fall within the material scope of the GDPR. The CJEU states that, in the present case, information on criminal proceedings is contained in a register of persons kept by a court, i.e., a filing system. Therefore, any oral disclosure of its contents may take place only if the conditions imposed by the GDPR are satisfied.
For more information: CJEU Judgment – C-740/22
03/07/2024
Court of Justice of the European Union | Personal Data | Concept of Identifiable Person
The Court of Justice of the European Union (“CJEU”) annulled a judgement issued by the General Court for misinterpreting the concept of “identifiable natural person”.
The case concerns a compensation claim brought before the General Court by a scientist with regard to a press release published by the European Anti-Fraud Office. In its judgement, the General Court had held that information contained in the press release did not constitute personal data since the person concerned was not identifiable with that information alone. The CJEU referred to its previous case law and stated that for information to be considered as “personal data”, it is not required that all the information enabling the identification of the data subject is in the hands of one person. In the present case, the data subject could be identified, in particular, by persons working in the same scientific field.
For more information: CJEU Judgment – C-479/22 P
02/13/2024
European Data Protection Board | Opinion | Notion of Main Establishment
The European Data Protection Board (“EDPB”) adopted an Opinion on the notion of main establishment and the criteria for the application of the One-Stop-Shop mechanism following a request by the French Supervisory Authority.
The Opinion clarifies the notion of a controller’s “main establishment” in the EU, in particular in cases where decisions regarding the processing are taken outside the EU.
For more information: EDPB Website
01/18/2024
European Data Protection Board | Case Digest | Data Breach
The European Data Protection Board (“EDPB”) published a thematic one-stop-shop case digest on security of processing and data breaches.
The case digest analyses decisions adopted by supervisory authorities under the one-stop-shop mechanism relating to security of personal data and personal data breaches. It is intended to provide insights on how supervisory authorities have applied the relevant GDPR provisions in different data breach scenarios, such as ransomware or accidental data disclosure.
For more information: EDPB Website
01/11/2024
European Union | Regulation | Data Act
The Regulation on harmonized rules on fair access to and use of data (“Data Act”) entered into force.
The Data Act introduces, in particular, new data sharing and contractual obligations for providers of connected devices and related services, as well as cloud computing providers. The Act will become applicable 20 months from the date of entry into force, i.e., from September 12, 2025. Requirements on access to data generated by connected devices will apply to devices placed on the market after September 12, 2026.
For more information: Official Journal of the European Union
01/07/2024
European Union | Regulation | Cybersecurity
The new Cybersecurity Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices, and agencies of the Union entered into force.
The regulation aims to achieve a high common level of cybersecurity within Union entities by introducing an internal risk management, governance, and control framework, and establishing an Interinstitutional Cybersecurity Board to monitor its implementation.
For more information: Official Journal of the European Union
France
06/10/2024
French Supervisory Authority | Public Consultation | Artificial Intelligence
On June 10, 2024, the French Supervisory Authority (“CNIL”) opened a public consultation on its AI recommendations.
The consultation primarily focuses on the legal basis of processing for AI models’ development phase, data scraping for model training, and distribution of open-source AI models. It also covers other GDPR-related issues such as informing data subjects and the management of their rights.
For more information: CNIL Website
05/22/2024
French Parliament | Regulation | SREN Act
The Securing and Regulating the Digital Space Act (“SREN Act”) has been published in the Official Journal.
The SREN Act introduces a wide range of provisions in areas such as online child protection, cloud services, and Jonum (i.e., games offering monetizable digital objects). Additionally, it aims to align French law with the Digital Services Act (“DSA”) and the Digital Markets Act (“DMA”). With regard to the DSA, the Arcom is designated as the “digital services coordinator”. While the DGCCRF will be in charge of monitoring marketplace providers’ compliance with their obligations, the French Supervisory Authority will be responsible for ensuring that platforms comply with requirements related to online advertising. Regarding the DMA, the French Competition Authority and the Ministry of the Economy will be able to investigate and cooperate with the European Commission on gatekeepers’ practices. Furthermore, the SREN Act addresses the adaptation of French law to the Data Act and the Data Governance Act and grants new powers to regulatory bodies.
For more information: Official Journal [FR]
05/14/2024
French Supervisory Authority | Guidance | Traffic Data
On May 14, 2024, the French Supervisory Authority (“CNIL”) issued guidance on providing public internet access, emphasizing legal obligations for retaining traffic data.
Under French law, organizations providing public internet access must retain IP addresses to identify devices, connection details (date, time, duration), and data identifying communication recipients. In this context, the CNIL reiterated that traffic data, being personal data, should be limited to what is necessary for processing. The retention periods vary according to the data concerned (from 3 months to 5 years).
For more information: CNIL Website [FR]
04/04/2024
French Supervisory Authority | Sanction | Direct Marketing
The French Supervisory Authority (“CNIL”) fined a telecommunications equipment retailer €525,000 for unlawfully processing its prospects’ personal data collected from data brokers for direct marketing.
The CNIL found that the data collection forms used by data brokers were misleading and did not allow the acquisition of free and unambiguous consent to marketing texts by third parties. The French Authority pointed out that contractual obligations imposed on data brokers were not sufficient to ensure that prospects’ consent was validly obtained, and the retailer should have implemented effective controls in this respect. With regard to the legal basis of marketing calls, the CNIL noted that the retailer could not validly rely on legitimate interest since the forms used by data brokers did not systematically mention the retailer in the list of data recipients.
For more information: CNIL Website
Germany
06/17/2024
Bavarian Data Protection Commissioner | Guidance | Joint Controllers
The Bavarian Data Protection Commissioner (“Bavarian DPC”) published guidance on joint controllers.
The Bavarian DPC’s new guidance aims at eliminating uncertainties and inhibitions in connection with joint controllership (Article 26 GDPR), which is always relevant when two or more controllers jointly determine the purposes and means of the processing of personal data. As the Bavarian DPC is the competent authority for public administration, the recommendations for action are primarily directed at stakeholders of the public sector and the examples in the guidelines are selected accordingly.
For more information: Bavarian DPC Website [DE]
05/14/2024
German Parliament | Regulation | Digital Services Act
The German Parliament aligned German law with the EU Digital Services Act (“DSA”).
The German Digital Services Act (Digitale-Dienste-Gesetz, “DDG”) accompanies the DSA and aligns German law with it at the national level. With the DDG’s entry into force on May 14, 2024, the German Telemedia Act (Telemediengesetz) lost its effect and is now replaced by the DSA and the DDG. In addition, the Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz) has been renamed the Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz).
For more information: German Federal Government Website [DE]
05/06/2024
German Supervisory Authorities | Guidance | Artificial Intelligence
The German Data Protection Conference (“DSK”) released guidance on artificial intelligence and data protection.
The new guidance focuses on the use of generative AI models by organizations and recalls their obligations in terms of data privacy, such as carrying out a Data Protection Impact Assessment, identifying a proper legal basis, and providing information to data subjects.
For more information: DSK Website [DE]
Italy
06/26/2024
Italian Supervisory Authority | Enforcement | Prospection
The Italian Supervisory Authority (“Garante”) published its decision of June 6, issuing a fine of €6.4 million to an energy company for illicit marketing calls.
The Garante found that marketing calls had been made without data subjects’ consent or despite the registration of their numbers on the Do Not Call List. In addition to the fine, the Garante ordered the company to cease further processing of the complainants’ personal data and to send them the Garante’s decision.
For more information: Garante Website
05/20/2024
Italian Supervisory Authority | Investigation | Web scraping
On May 20, 2024, the Italian Supervisory Authority (“Garante”) issued guidelines on web scraping by public and private entities acting as data controllers.
The guidelines address the indiscriminate collection of online data by third parties, particularly for training generative AI models. The Garante recommends several measures to prevent or hinder web scraping, namely, creating reserved areas that require registration to access data, including anti-scraping clauses in websites’ terms of use, monitoring web traffic to detect abnormal data flows, and implementing technological solutions to block unwanted scraping. The Garante noted that current investigations into the legality of web scraping based on legitimate interests are still pending, and the guidelines are part of interim measures.
For more information: Garante Website [IT]
03/07/2024
Italian Supervisory Authority | Sanction | Personal Data Breach
The Italian Supervisory Authority (“Garante”) imposed a €2.8 million fine on a bank following a cyber-attack that occurred in 2018, and a €800,000 fine on the bank’s service provider in charge of carrying out security tests.
The Garante stated that the cyber-attack had affected the data of approximately 778,000 former and current customers and resulted notably in the identification of over 6,800 customers’ PINs (personal identification number) to the mobile banking portal. The Garante concluded that the bank had not adopted necessary security measures to effectively counter cyber-attacks and had not required its customers to create stronger PINs. The Garante also found that the bank’s service provider had failed to notify the data breach to the bank within the required deadline and had engaged a sub-processor for the performance of security tests without prior consent of the bank.
For further information: Garante Website [IT]
Norway
07/01/2024
Oslo District Court | Judgement | Dating service
The Oslo District Court has confirmed a fine of NOK 65 million (about €5.7 million) imposed by the Norwegian Data Protection Authority on a dating service.
The fine was originally imposed by the Norwegian data protection authority (“Datatilsynet”) in 2020 because the dating service passed on too much information to advertising companies. In particular, GPS-data was affected. According to Datatilsynet, the use of the app itself involves particularly sensitive data, which is why the company has violated Article 9 GDPR. The case was triggered by a complaint from the Norwegian Consumer Council (“Forbrukerradet”). Datatilsynet’s opinion has now been confirmed by the Oslo district court.
For more information: Oslo Tingrett Website [NOR]
Netherlands
06/04/2024
Dutch Supervisory Authority | Guidance | Cookies
The Dutch Supervisory Authority (“AP”) has published guidelines on cookie consent.
In its guidelines, the AP gives guidance on how to design cookie banners to ensure that they comply with consent requirements and provides concrete examples.
For more information: AP Website [NL]
05/01/2024
Dutch Supervisory Authority | Guidelines | Data Scraping
On May 1, 2024, the Dutch Supervisory Authority (“AP”) released guidelines regarding data scraping practices by private individuals and organizations.
The guidelines emphasize GDPR compliance in data scraping endeavors, mandating adherence to the principles of legality, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. The AP also clarifies situations where the GDPR does not apply, such as scraping for personal use or targeted scraping (e.g., an organization scrapes a news media website to get news related to its business).
For more information: AP Website [NL]
Spain
05/14/2024
Spanish Supervisory Authority | Guide | Cookie
On May 14, 2024, the Spanish Supervisory Authority (“AEPD”) released an updated guide on cookie use to align it with Opinion 08/2024 on valid consent in “consent or pay” models by the European Data Protection Board (“EDPB”).
The AEPD incorporates the EDPB’s guidelines into its own guide, and notes that the EDPB plans to issue a comprehensive guide on consent validity in “consent or pay” models by early 2025.
For more information: AEPD Website [ES]
04/12/2024
Spanish Supervisory Authority | Sanction | GDPR violations
On April 12, 2024, the Spanish Supervisory Authority (“AEPD”) fined a financial services company €2 million (later reduced to €1.2 million) for GDPR violations following a complaint.
As part of a verification process, the financial services company requested personal and economic data from the complainant via a form requiring consent for such data collection, without giving an option to decline. When asked for further explanation, the financial services company stated that the complainant’s bank account would be blocked if consent was not provided. The AEPD found this violated GDPR Article 6(1), as the consent was not valid and there was no legal requirement for the data verification method used by the financial services company.
For more information: AEPD Website [ES]
United Kingdom
06/07/2024
UK High Court | Judgment | Data Subject Rights
On June 7, 2024, the High Court ruled in Harrison v Cameron & Another that under the UK GDPR, data subjects have the right to know the specific identities of their personal data recipients, not just the categories.
The High Court ruled that data subjects are entitled to know the specific identities of recipients who have access to their personal data. It is within the data subject’s discretion to request either detailed identities or merely the categories of these recipients.
For more information: UK High Court Judgment
05/13/2024
British Supervisory Authority | Consultation | Generative AI
On May 13, 2024, the UK Data Protection Authority (“ICO”) launched the fourth chapter of its consultation series on generative artificial intelligence (AI), focusing on data subject rights in relation to the training and fine-tuning of generative AI models.
The consultation highlighted several rights that individuals have under the UK GDPR, including: the right to access, the right to rectification, the right to erasure and the right not to be subjected to automated decision-making. These rights apply to personal data in various contexts, including training data, fine-tuning data, outputs of the generative AI model, and user queries. The consultation emphasized that organizations must have processes in place to enable individuals to exercise these rights throughout the AI lifecycle. The consultation outlines several obligations for organizations developing or deploying generative AI models, namely: inform individuals if their data is being processed, provide clear, accessible information about data usage and individuals’ rights, justify any exemptions used and safeguard individuals’ rights and freedoms, and apply privacy-enhancing technologies and techniques to protect data. The consultation also invites feedback on the effectiveness of measures to prevent unauthorized data retention and usage. Additionally, it seeks evidence on how organizations can fulfill their legal obligations while supporting innovation in generative AI.
For more information: ICO Website
05/10/2024
British Supervisory Authority | Guidance | Cyber Security Incidents
The British Supervisory Authority (“ICO”) published a report on cyber security incidents.
The report focuses on five main causes of cybersecurity incidents, including phishing, brute force attacks, and denial of service. In particular, it provides case studies based on previous data breach reports received by the ICO and gives practical recommendations to reduce the risk of cyber-attacks.
For more information: ICO Website
04/03/2024
British Supervisory Authority | Strategy | Protection of Children’s Privacy Online
On April 3, 2024, the British Supervisory Authority (“ICO”) released its 2024-2025 Children’s code strategy for protecting children’s privacy online.
Key focuses include defaulting profiles to private settings, restricting profiling for ads, monitoring content feeds, and obtaining parental consent for children under 13. The ICO plans audits on educational technology, engagement with stakeholders, and international collaboration to regulate the internet effectively.
For more information: ICO Website
Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris (abaladi@gibsondunn.com)
Joel Harrison – Partner, Co-Chair, PCDI Practice, London (jharrison@gibsondunn.com)
Vera Lukic – Partner, Paris (vlukic@gibsondunn.com)
Lore Leitner – Partner, London (lleitner@gibsondunn.com)
Kai Gesing – Partner, Munich (kgesing@gibsondunn.com)
Clémence Pugnet – Associate, Paris (cpugnet@gibsondunn.com)
Thomas Baculard – Associate, Paris (tbaculard@gibsondunn.com)
Hermine Hubert – Associate, Paris (hhubert@gibsondunn.com)
Billur Cinar – Associate, Paris (bcinar@gibsondunn.com)
Christoph Jacob – Associate, Munich (cjacob@gibsondunn.com)
Yannick Oberacker – Associate, Munich (yoberacker@gibsondunn.com)
Sarah Villani – Associate, London (svillani@gibsondunn.com)
Miles Lynn – Associate, London (mlynn@gibsondunn.com)
Europe
07/25/2024
European Commission | GDPR | Report
On July 25, 2024, the European Commission published the Second Report on the application of the GDPR.
The report highlights a significant uptick in enforcement activity by supervisory authorities in recent years. The report considers that, to ensure strong protection for individuals and the free flow of personal data within and outside the EU, there is a need to focus on, among other things: proactive support by supervisory authorities in compliance efforts; consistent application of the GDPR across the EU; effective cooperation between supervisory authorities; establishing cooperation with sectoral regulators on issues with an impact on data protection; implementing efficient and targeted working arrangements for guidelines, opinions, and decisions; and prioritizing key issues to reduce the burden on supervisory authorities.
For more information: European Commission Website
07/16/2024
European Data Protection Board | Statement | Role of DPA & EU AI Act
On July 16, 2024, the European Data Protection Board (“EDPB”) adopted Statement 3/2024 on data protection authorities’ role in the Artificial Intelligence Act framework.
The EDPB recommends that Data Protection Authorities (“DPAs”) should be designated as Market Surveillance Authorities (“MSAs”) for the high-risk AI systems mentioned in Article 74(8) of the AI Act. Further, the EDPB recommends that Member States consider appointing DPAs as MSAs for the other high-risk AI systems, particularly where those high-risk AI systems are in sectors likely to impact natural persons’ rights and freedoms with regard to the processing of personal data, unless those sectors are covered by a mandatory appointment required by the AI Act (e.g. the financial sector).
For more information: EDPB Website
07/16/2024
European Data Protection Board | FAQ | EU-US Data Privacy Framework
On July 16, 2024, the European Data Protection Board (“EDPB”) adopted two Frequently Asked Questions (“FAQ”) documents regarding the EU-U.S. Data Privacy Framework (“DPF”).
The FAQ for individuals provides information on the functioning of the DPF (e.g., how to benefit from it, how to lodge a complaint) and the FAQ for businesses notably explains which U.S. companies are eligible to join the DPF and what to do before transferring personal data to a company in the U.S. which is, or claims to be, certified under the DPF.
For more information: EDPB FAQ for individuals and for businesses
France
07/18/2024
French Supervisory Authority | FAQ | Generative AI
On July 18, 2024, the French Supervisory Authority (“CNIL”) published a series of frequently asked questions (“FAQ”) on the deployment of generative artificial intelligence.
The FAQ include information on the benefits and limitations of generative AI, the way to implement the use of a generative AI system, and the way to ensure compliance of an AI model with the GDPR and the AI Act.
For more information: CNIL Website
07/12/2024
French Supervisory Authority | FAQ | EU AI Act
On July 12, 2024, the French Supervisory Authority (“CNIL”) published a series of frequently asked questions (“FAQ”) on the EU Regulation on Artificial Intelligence following its publication in the Official Journal of the European Union.
The FAQ include information on the specific provisions of the AI Act, the compliance monitoring authorities, as well as the interplay between the GDPR and the AI Act.
For more information: CNIL Website
07/10/2024
French Supervisory Authority | Audit results | Dark Patterns
On July 10, 2024, the French Supervisory Authority (“CNIL”) published the results of the Global Privacy Enforcement Network audit.
Twenty-six of the world’s data protection authorities, including the CNIL, members of the Global Privacy Enforcement Network (“GPEN”), audited 1,010 websites and mobile applications as part of a joint operation: the GPEN Sweep. This audit reveals that websites make extensive use of “dark pattern” mechanisms, hindering users’ ability to make informed decisions about privacy protection.
For more information: CNIL Website [FR]
07/04/2024
French Supervisory Authority | Study | Advertising Models
The French Supervisory Authority (“CNIL”) published a study on alternative advertising models.
On July 4, 2024, the CNIL announced that it had commissioned an economic study of the possible consequences of the end of third-party cookies for certain browsers and presented the main conclusions. The study, among other things, aims to provide indications on what the new advertising business models will be after the removal of third-party cookies and what risks these evolutions entail for data protection.
For more information: CNIL Website [FR]
Germany
07/31/2024
Hamburg Supervisory Authority | “Pay or OK” System
The Hamburg Data Protection Authority (“Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”) granted the Spiegel Magazine permission to use the so-called “Pay or OK” system.
With the “Pay or OK” system, visitors to the website either have to consent to the use of their personal data or agree to a paid subscription model. This decision is now being challenged by an affected data subject.
For more information: Hamburg BfDI Website [DE]
07/30/2024
Saxon Data Protection and Transparency Officer | Guideline | Video Surveillance in Private and Public Spaces
On July 30, 2024, the Saxon Supervisory Authority (“LfDI Saxony”) published an updated version of its guideline on the use and regulation of video surveillance both in public and private spaces by private individuals and public authorities.
This new version has been created due to numerous complaints by data subjects. The LfDI Saxony includes examples for possible use cases and their limits in connection with video surveillance.
For more information: LfDI Saxony Website [DE]
07/19/2024
German Data Protection Authorities | Guidance | AI & Data Protection
In July, multiple data protection authorities published information on the AI Act and discussed the responsibilities arising from it. In addition, the Baden-Wuerttemberg Supervisory Authority (“LfDI Baden-Wuerttemberg”) published an “Orientation Navigator AI & Data Protection”.
The Federal Commissioner for Data Protection and Information Security (“BfDI”) and the supervisory authority of North Rhine-Westphalia (“LDI North Rhine-Westphalia”) state that new responsibilities and tasks arise for the data protection supervisory authorities under the AI Act. A group of experts from the supervisory authority of Lower Saxony (“LfD Lower Saxony”) has also begun its discussions on data protection compliance of AI training data. In addition, the LfDI Baden-Wuerttemberg published a tool that organizes selected regulatory documents on AI. It is intended as an aid for responsible bodies such as authorities but also for private companies.
For more information: LfDI Baden-Wuerttemberg Website [DE]; BfDI Website [DE]; LDI North Rhine-Westphalia Website [DE]; LfD Lower Saxony [DE]
07/15/2024
Hamburg Supervisory Authority | Discussion Paper | GDPR & Large Language Models
On July 15, 2024, the Hamburg Supervisory Authority (“HmbBfDI”) published a discussion paper on the relationship between the GDPR and Large Language Models (“LLMs”).
The paper aims to support companies and authorities dealing with data protection issues related to LLM technologies and contains an explanation of the technical aspects of LLMs and their evaluation in light of the relevant case law of the Court of Justice of the European Union on personal data under the GDPR. Additionally, the paper discusses the difference between LLMs as an artificial intelligence model and as a component of an AI system in accordance with the AI Act.
For more information: HmbBfDI Website [DE]
Ireland
07/18/2024
Irish Supervisory Authority | Recommendation | AI & Data Protection
On July 18, 2024, the Irish Supervisory Authority (“DPC”) published an article on artificial intelligence, large language models (“LLMs”), and data protection.
The article highlights the increase in popularity of AI, particularly generative AI chatbots. The DPC warns about the inherent risks associated with AI, particularly concerning personal data processing, including: use of large amounts of personal data unnecessarily and without knowledge, agreement, or permission during training phases; issues arising from the accuracy and retention of personal data used or generated by AI systems; risks of personal data being shared without proper security or authorization; potential biases due to inaccurate or incomplete training data, affecting decision-making processes; and exposure to risks when new personal data is incorporated into training datasets for updated models.
For more information: DPC Website
Lithuania
07/02/2024
Lithuanian Supervisory Authority | Sanction | Data Subjects Rights
The Lithuanian Supervisory Authority (“SDPI”) fined an online retail company €2,385,276 million for several breaches relating to the right to be forgotten and the right of access.
The SDPI found that the Company had not dealt fairly and transparently with the deletion requests it had received, by refusing erasure requests on the sole ground that individuals did not cite one of the criteria provided for by the GDPR in their request and, in cases where it refused to erase the data, by not informing the individuals of the reasons for such refusal. The SDPI also found that the Company had unlawfully implemented a “shadow blocking” mechanism, making the activity of a user who does not respect the platform’s rules invisible to other users, without the user being notified. In addition, the Company did not take sufficient technical and organizational measures to demonstrate that it had taken (or reasonably refused to take) action regarding the right of access.
For more information: SDPI website
Netherlands
07/31/2024
Dutch Supervisory Authority | Guidance | AI
The Dutch Supervisory Authority (“AP”) published guidance on the EU Artificial Intelligence Act (“AI Act”) for AI developers and users.
The AP clarified that, with the entry into force of the AI Act, various requirements will gradually apply to AI developers and users from February 2025. The AP highlights priorities for AI developers, in particular regarding prohibited AI systems, which must be withdrawn from the market and no longer be in use by February 2025, and high-risk AI systems, which must comply with specific requirements.
For more information: AP Website [NL]
07/16/2024
Dutch Supervisory Authority | Sanction | Cookies
On July 16, 2024, the Dutch Supervisory Authority (“AP”) announced its decision, as issued on May 2, 2024, to impose a fine of €600,000 on a company regarding its use of cookies.
Following its investigation, the AP determined that cookies were placed on user devices without their knowledge or consent. Due to the specific nature of the products that may be purchased on the website (drugstore products), the AP considered that the company collected and used sensitive data of millions of website visitors in violation of the applicable rules.
For more information: AP Website [NL]
Poland
07/19/2024
Polish Supervisory Authority | Opinion | Data Breach
On July 19, 2024, the Polish Supervisory Authority (“UODO”) issued an opinion advising controllers following the global cloud service outage that occurred on the same date.
The UODO states that not every interruption to personal data access is a personal data breach. Interruption to cloud services’ access and the resulting interruption to data access may, in some situations, result in a violation of the rights and freedoms of individuals. The UODO therefore recommends conducting a risk analysis before reporting the personal data breach to the authority.
For more information: UODO Website [PL]
07/08/2024
Polish Supervisory Authority | Guidance | Children Protection
On July 8, 2024, the Polish Supervisory Authority (“UODO”) published a guide to support institutions and organizations in ensuring better protection for children in the digital age.
The guide, entitled “Children’s Image on the Internet. Publish or not?”, notably includes tips for protecting children’s photos and videos on the Internet and a list of potential risks associated with the publication of children’s images on the Internet.
For more information: UODO Website [PL]
Spain
07/10/2024
Spanish Supervisory Authority | Report | Addictive patterns
On July 10, 2024, the Spanish Supervisory Authority (“AEPD”) issued a report on addictive patterns in the processing of personal data.
The report highlights how, in many cases, service providers implement misleading and addictive design patterns, including to increase the amount of personal data collected about users. The report emphasizes that the adverse impact of addictive strategies is considerably greater when they are used to process the personal data of vulnerable people, such as children.
For more information: AEPD Website [ES]
United Kingdom
07/23/2024
Ofcom | Discussion Paper | Generative AI
On July 23, 2024, the British Office of Communications (“Ofcom”) published a discussion paper on the evaluation of vulnerabilities in Generative Artificial Intelligence models.
The discussion paper discusses “red teaming” as a type of evaluation method that seeks to find vulnerabilities in generative artificial intelligence models to protect users from harmful content.
For more information: Ofcom Website
07/23/2024
Ofcom | Discussion Paper | Deepfake
On July 23, 2024, the British Office of Communications (“Ofcom”) published a discussion paper on deepfakes.
Among other things, the discussion paper highlights the different types of deepfakes that can cause harm and the steps organizations can take to mitigate the risks of deepfakes.
For more information: Ofcom Website
07/17/2024
British Government | King’s Speech | Digital Information and Smart Data
The British Government plans to introduce the Digital Information and Smart Data Bill.
On July 17, 2024, the Government announced, as part of the King’s Speech, that it planned to introduce the Digital Information and Smart Data Bill. The Government explained that the bill would, among other things, enable new innovative uses of data to be safely developed and deployed, reform data sharing and standards, improve data laws, and give the Information Commissioner’s Office (“ICO”) new, stronger powers.
For more information: Government Website
Ahmed Baladi – Partner, Co-Chair, PCDI Practice, Paris (abaladi@gibsondunn.com)
Joel Harrison – Partner, Co-Chair, PCDI Practice, London (jharrison@gibsondunn.com)
Vera Lukic – Partner, Paris (vlukic@gibsondunn.com)
Lore Leitner – Partner, London (lleitner@gibsondunn.com)
Kai Gesing – Partner, Munich (kgesing@gibsondunn.com)
Clémence Pugnet – Associate, Paris (cpugnet@gibsondunn.com)
Thomas Baculard – Associate, Paris (tbaculard@gibsondunn.com)
Hermine Hubert – Associate, Paris (hhubert@gibsondunn.com)
Billur Cinar – Associate, Paris (bcinar@gibsondunn.com)
Christoph Jacob – Associate, Munich (cjacob@gibsondunn.com)
Yannick Oberacker – Associate, Munich (yoberacker@gibsondunn.com)
Sarah Villani – Associate, London (svillani@gibsondunn.com)
Miles Lynn – Associate, London (mlynn@gibsondunn.com)