As the COVID-19 pandemic continued into 2021, lawmakers and regulators around the world faced the dual-pronged challenge of reversing the slowdown in enforcement seen in 2020 while working to combat new forms of bribery and corruption that emerged as a result of the pandemic. This webcast will explore the approach taken by emerging markets in addressing these challenges and examine the trends seen in FCPA and local anti-corruption enforcement. In China, companies face increased scrutiny over their compliance programmes as the country introduces its first pilot programme for corporate criminal compliance and non-prosecution. Chinese regulators have continued their assault on key industries, such as big tech and healthcare, and sweeping reforms to data protection laws have had seismic effects on the conduct of cross-border investigations. In Russia, the topic of corruption remains a source of great tension while the complexity of sanctions regimes increases and cybercrime activities become the latest driving force behind white-collar enforcement. In Latin America, anti-corruption efforts have struggled to gain a strong foothold amid the practical challenges caused by COVID-19 and political instability in key markets.

In India, enforcement has fallen as a result of the COVID-19 pandemic and new legislation which has made it more difficult to commence investigations. State governments have also withdrawn the general consent previously provided to authorities to investigate corruption allegations, which has caused delays in resolving cases. Nevertheless, while anti-corruption enforcement remains inconsistent, recent cases highlight the heightened risks for multinationals doing business in the country. Across Africa, companies and individuals face significant fines, bidding suspensions, and other sanctions as investigations by authorities from the United States, the United Kingdom, the World Bank, and African authorities concluded in several countries in the region. Meanwhile, high-profile trials of former heads of state, including Benjamin Netanyahu and Jacob Zuma, resumed after delays due to the pandemic and claims of bias and political interference.

Join our team of experienced international anti-corruption attorneys to learn more about how to do business in China, Russia, Latin America, India and across Africa without running afoul of anti-corruption laws, including the Foreign Corrupt Practices Act (“FCPA”).

Topics to be Discussed:

  • An overview of FCPA enforcement statistics and trends for 2021;
  • The corruption landscape in key emerging markets, including recent headlines and scandals;
  • Lessons learned from local anti-corruption enforcement in China, Russia, Latin America, India, and across Africa;
  • Key anti-corruption legislative changes in China, Russia, Latin America, India, and across Africa;
  • The effect of COVID-19 on corruption and anti-corruption efforts; and
  • Mitigation strategies for businesses operating in high-risk areas


MODERATOR:

F. Joseph Warin is Co-Chair of Gibson Dunn’s global White Collar Defense and Investigations Practice Group, and he is chair of the over 200-person Litigation Department of the Washington, D.C. office.  Mr. Warin is ranked in the top-tier year after year by Chambers USA, Chambers Global, and Chambers Latin America for his FCPA, fraud and corporate investigations experience.  He has handled cases and investigations in more than 40 states and dozens of countries involving federal regulatory inquiries, criminal investigations and cross-border inquiries by international enforcers, including UK’s SFO and FCA, and government regulators in Germany, Switzerland, Hong Kong, and the Middle East.  Mr. Warin has served as a compliance monitor or counsel to the compliance monitor in three separate FCPA monitorships, pursuant to settlements with the SEC and DOJ.

PANELISTS:

Kelly Austin is Partner-in-Charge of Gibson Dunn’s Hong Kong office and a member of the firm’s Executive Committee.  Ms. Austin is ranked annually in the top-tier by Chambers Asia Pacific and Chambers Global in Corporate Investigations/Anti-Corruption: China.  Her practice focuses on government investigations, regulatory compliance and international disputes.  Ms. Austin has extensive expertise in government and corporate internal investigations, including those involving the FCPA and other anti-corruption laws, and anti-money laundering, securities, and trade control laws.

Joel Cohen is Co-Chair of the firm’s global White Collar Defense and Investigations Practice Group and a partner in the New York office.  Mr. Cohen’s successful defense of clients has been noted in numerous feature articles in the American Lawyer and the National Law Journal, including for pretrial dismissal of criminal charges and trial victories.  He is highly-rated in Chambers and named by Global Investigations Review as a “Super Lawyer” in Criminal Litigation.  He has been lead or co-lead counsel in 24 civil and criminal trials in federal and state courts, and he is equally comfortable in leading confidential investigations, managing crises or advocating in court proceedings.  Mr. Cohen’s experience includes all aspects of FCPA/anticorruption issues, in addition to financial institution litigation and other international disputes and discovery.

Benno Schwarz is Co-Chair of the firm’s Anti-Corruption & FCPA Practice Group and a partner in the Munich office, where his practice focuses on white collar defense and compliance investigations. Mr. Schwarz is ranked annually as a leading lawyer for Germany in White Collar Investigations/Compliance by Chambers Europe and was named by The Legal 500 Deutschland 2021 and The Legal 500 EMEA 2021 as one of four Leading Individuals in Internal Investigations, and also ranked for Compliance. He is noted for his “special expertise on compliance matters related to the USA and Russia.” Mr. Schwarz advises companies on sensitive cases and investigations involving compliance issues with international aspects, such as the implementation of German or international laws in anti-corruption, money laundering and economic sanctions, and he has exemplary experience advising companies in connection with FCPA and NYDFS monitorships or similar monitor functions under U.S. legal regimes.

Patrick Stokes is Co-Chair of the firm’s Anti-Corruption and FCPA Practice Group and a partner in the Washington, D.C. office, where he focuses his practice on internal corporate investigations, government investigations, enforcement actions regarding corruption, securities fraud, and financial institutions fraud, and compliance reviews. Mr. Stokes is ranked nationally and globally by Chambers USA and Chambers Global as a leading attorney in FCPA. Prior to joining the firm, Mr. Stokes headed the DOJ’s FCPA Unit, managing the FCPA enforcement program and all criminal FCPA matters throughout the United States covering every significant business sector. Previously, he served as Co-Chief of the DOJ’s Securities and Financial Fraud Unit.

Karthik Ashwin Thiagarajan is of counsel in the Singapore office. He represents clients in transactional, compliance and anti-corruption matters across the South Asia and ASEAN regions. Mr. Thiagarajan advises multi-national corporations on acquisitions, joint ventures and divestments across key emerging markets in Asia, including India and Indonesia. He frequently assists clients with internal investigations, anti-corruption reviews and regulatory actions in these markets.


MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 2.0 credit hours, of which 2.0 credit hours may be applied toward the areas of professional practice requirement.

This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an affirmation form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 2.0 hours.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

On September 17, 2021, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) imposed sanctions in response to the ongoing humanitarian and human rights crisis in Ethiopia, particularly in the Tigray region of the country.[1] The new sanctions program provides authority to the Secretary of the Treasury, in consultation with the Secretary of State, to impose a wide range of sanctions for a variety of activities outlined in a new Executive Order (“E.O.”). No individuals or entities have yet been designated under the E.O. However, U.S. Secretary of State Antony Blinken has warned that “[a]bsent clear and concrete progress toward a negotiated ceasefire and an end to abuses – as well as unhindered humanitarian access to those Ethiopians who are suffering – the United States will designate imminently specific leaders, organizations, and entities under this new sanctions regime.”

This action comes on the heels of repeated calls by the United States for all parties to the conflict to commit to an immediate ceasefire as evidenced in the Department of State’s press statement on May 15, 2021, and Secretary of State Blinken’s phone call to Ethiopian Prime Minister Abiy Ahmed on July 6, 2021. Similarly, on August 3-4, 2021, U.S. Agency for International Development (“USAID”) Administrator Samantha Power traveled to Ethiopia to “draw attention to the urgent need for full and unhindered humanitarian access in Ethiopia’s Tigray region and to emphasize the United States’ commitment to support the Ethiopian people amidst a spreading internal conflict” according to a USAID press release at the time. And prior to the actions on September 17, on August 23, 2021, OFAC sanctioned General Filipos Woldeyohannes, Chief of Staff of the Eritrean Defense Forces, for engaging in serious human rights abuses under the Global Magnitsky sanctions program and condemned the violence and ongoing human rights abuses in the Tigray region of Ethiopia.

The nature and scope of this new sanctions regime suggests that the Biden administration is taking a measured, flexible, and cautious approach to the situation in Ethiopia. OFAC is able to impose sanctions measures of varying degrees of severity, without those sanctions necessarily flowing down to entities owned by sanctioned parties – which should limit ripple effects on the Ethiopian economy. Alongside the Chinese Military Companies sanctions program, this new sanctions program is one of the very few instances where OFAC’s “50 Percent Rule” does not apply, perhaps signaling a more patchwork approach to sanctions designations going forward. The decision to hold off on any initial designations is also telling, and makes clear the focus on deterrence – as opposed to punishment for past deeds. Moreover, at the outset, OFAC has issued general licenses and related guidance allowing for humanitarian activity in Ethiopia to continue. The approach here, although slightly different, is broadly consistent with the Biden administration’s handling of the situation in Myanmar, in which it has gradually rolled out sanctions designations over a period of many months and prioritized humanitarian aid in its general licenses and guidance.[2]

Menu-Based Sanctions Permit Targeted Application of Restrictions

With respect to persons or entities engaged in certain targeted activities, the E.O. permits the Department of the Treasury to choose from a menu of blocking and non-blocking sanctions measures. In keeping with recent executive orders of its kind, the criteria for designation under the E.O. are exceedingly broad. The E.O. provides that the Secretary of the Treasury, in consultation with the Secretary of State, may designate any foreign person determined:

  • to be responsible for or complicit in, or to have directly or indirectly engaged or attempted to engage in, any of the following:
    • actions or policies that threaten the peace, security, or stability of Ethiopia, or that have the purpose or effect of expanding or extending the crisis in northern Ethiopia or obstructing a ceasefire or a peace process;
    • corruption or serious human rights abuse in or with respect to northern Ethiopia;
    • the obstruction of the delivery or distribution of, or access to, humanitarian assistance in or with respect to northern Ethiopia, including attacks on humanitarian aid personnel or humanitarian projects;
    • the targeting of civilians through the commission of acts of violence in or with respect to northern Ethiopia, including involving abduction, forced displacement, or attacks on schools, hospitals, religious sites, or locations where civilians are seeking refuge, or any conduct that would constitute a violation of international humanitarian law;
    • planning, directing, or committing attacks in or with respect to northern Ethiopia against United Nations or associated personnel or African Union or associated personnel;
    • actions or policies that undermine democratic processes or institutions in Ethiopia; or
    • actions or policies that undermine the territorial integrity of Ethiopia;
  • to be a military or security force that operates or has operated in northern Ethiopia on or after November 1, 2020;
  • to be an entity, including any government entity or a political party, that has engaged in, or whose members have engaged in, activities that have contributed to the crisis in northern Ethiopia or have obstructed a ceasefire or peace process to resolve such crisis;
  • to be a political subdivision, agency, or instrumentality of the Government of Ethiopia, the Government of Eritrea or its ruling People’s Front for Democracy and Justice, the Tigray People’s Liberation Front, the Amhara regional government, or the Amhara regional or irregular forces;
  • to be a spouse or adult child of any sanctioned person;
  • to be or have been a leader, official, senior executive officer, or member of the board of directors of any of the following, where the leader, official, senior executive officer, or director is responsible for or complicit in, or who has directly or indirectly engaged or attempted to engage in, any activity contributing to the crisis in northern Ethiopia:
    • an entity, including a government entity or a military or security force, operating in northern Ethiopia during the tenure of the leader, official, senior executive officer, or director;
    • an entity that has, or whose members have, engaged in any activity contributing to the crisis in northern Ethiopia or obstructing a ceasefire or a peace process to resolve such crisis during the tenure of the leader, official, senior executive officer, or director; or
    • the Government of Ethiopia, the Government of Eritrea or its ruling People’s Front for Democracy and Justice, the Tigray People’s Liberation Front, the Amhara regional government, or the Amhara regional or irregular forces, on or after November 1, 2020;
  • to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any sanctioned person; or
  • to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any sanctioned person.

Upon designation of any such foreign person, the Secretary of the Treasury may select from a menu of sanctions options to implement as follows:

  (1) the blocking of all property and interests in property of the sanctioned person that are in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person, and provide that such property and interests in property may not be transferred, paid, exported, withdrawn, or otherwise dealt in;
  (2) the prohibiting of any United States person from investing in or purchasing significant amounts of equity or debt instruments of the sanctioned person;
  (3) the prohibiting of any United States financial institution from making loans or providing credit to the sanctioned person;
  (4) the prohibiting of any transactions in foreign exchange that are subject to the jurisdiction of the United States and in which the sanctioned person has any interest; or
  (5) the imposing on the leader, official, senior executive officer, or director of the sanctioned person, or on persons performing similar functions and with similar authorities as such leader, official, senior executive officer, or director, any of the sanctions described in (1)-(4) above.

The restrictions above not only prohibit the contribution or provision of any “funds, goods, or services to, or for the benefit of” any sanctioned person, but also the receipt of any such contribution or provision of funds, goods, or services from any sanctioned person. Those persons subject to blocking sanctions would be added to OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”), while those subject to non-blocking sanctions would be added to the Non-SDN Menu-Based Sanctions List (“NS-MBS List”).[3]

In addition to the restrictions described above, the E.O. directs other heads of relevant executive departments and agencies, as necessary and appropriate, to (1) “deny any specific license, grant, or any other specific permission or authority under any statute or regulation that requires the prior review and approval of the United States Government as a condition for the export or reexport of goods or technology to the sanctioned person” and (2) deny any visa to a leader, official, senior executive officer, director, or controlling shareholder of a sanctioned person.

OFAC’s “50 Percent Rule” Does Not Automatically Apply

Importantly, and unlike nearly all other sanctions programs administered by OFAC, this E.O. stipulates that OFAC’s “50 Percent Rule” does not automatically apply to any entity “owned in whole or in part, directly or indirectly, by one or more sanctioned persons, unless the entity is itself a sanctioned person” and the sanctions outlined within the E.O. are specifically applied. OFAC makes clear in Frequently Asked Questions (“FAQs”) 923 and 924 that such restrictions do not automatically “flow down” to entities owned in whole or in part by sanctioned persons regardless of whether such persons are listed on OFAC’s SDN List or NS-MBS List.

Parallel Issuance of New General Licenses and FAQs to Support Wide Range of Humanitarian Efforts

Recognizing the importance of humanitarian efforts to addressing the ongoing crisis in northern Ethiopia, OFAC concurrently issued three General Licenses and six related FAQs:

  • General License 1, “Official Activities of Certain International Organizations and Other International Entities,” authorizes all transactions and activities for the conduct of the official business of certain enumerated international and non-governmental organizations by their employees, grantees, or contractors. FAQ 925 provides additional information on which United Nations organizations are included within this authorization.
  • General License 2, “Certain Transactions in Support of Nongovernmental Organizations’ Activities,” authorizes transactions and activities that are ordinarily incident and necessary to certain enumerated activities by non-governmental organizations, including humanitarian projects, democracy-building initiatives, education programs, non-commercial development projects, and environmental or natural resource protection programs. FAQ 926 provides additional examples of the types of transactions and activities involving non-governmental organizations included within this authorization.
  • General License 3, “Transactions Related to the Exportation or Reexportation of Agricultural Commodities, Medicine, Medical Devices, Replacement Parts and Components, or Software Updates,” authorizes transactions and activities ordinarily incident and necessary to the exportation or reexportation of agricultural commodities, medicine, medical devices, replacement parts and components for medical devices, and software updates for medical devices to Ethiopia or Eritrea, or to persons in third countries purchasing specifically for resale to Ethiopia or Eritrea. The authorization is limited to those items within the definition of “covered items” as stipulated in the general license, and the general license includes a note that the compliance requirements of other federal agencies, including the licensing requirements of the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”), still apply. As of this writing, licenses from BIS for exports to Ethiopia are still required for any items controlled for reasons of chemical and biological weapons (CB1 and CB2), nuclear nonproliferation (NP1), national security (NS1, NS2), missile technology (MT1), regional security (RS1 and RS2), and crime control (CC1 and CC2) unless a license exception under the Export Administration Regulations (15 C.F.R. § 730 et seq.) applies.

Concluding Thoughts and Predictions

The implementation of this new sanctions program targeting “widespread violence, atrocities, and serious human rights abuse” in Ethiopia highlights the Biden administration’s efforts to apply pressure to Ethiopian and Eritrean forces to implement a ceasefire and permit the free flow of humanitarian aid into the Tigray region. We will continue to monitor further developments to see how the Biden administration chooses to deploy the flexible tools of economic pressure that it has created. As noted, we anticipate that, based on the administration’s recent past practice, its approach to designations under the new Ethiopia-related sanctions program will be gradual and measured as opposed to sweeping. Notably, the administration’s decision to create a new sanctions program as opposed to simply designating additional individuals and entities under an existing OFAC program (such as the Global Magnitsky sanctions program) may indicate the administration’s desire to put the Ethiopian and Eritrean governments on alert before additional actions are taken. The new Ethiopian sanctions program’s broad general licenses as well as the non-application of OFAC’s “50 Percent Rule” give further support to this assessment.

Moreover, the new sanctions program appears calibrated to minimize any collateral effects on international and non-governmental organizations operating within the humanitarian aid space, and may signal that the Biden administration will include broad humanitarian allowances in new sanctions actions moving forward.

Although the Department of the Treasury has not yet designated any foreign persons pursuant to this new sanctions regime, companies considering engaging with parties in the Horn of Africa should remain abreast of any new developments and designations, as unauthorized interactions with designated persons can result in significant monetary penalties and reputational harm to individuals and entities in breach of OFAC’s regulations.

__________________________

   [1]   According to the accompanying press release from the Department of the Treasury, the imposition of new sanctions represents an escalation of the Biden administration’s efforts to hold accountable those persons “responsible for or complicit in actions or policies that expand or extend the ongoing crisis or obstruct a ceasefire or peace process in northern Ethiopia or commit serious human rights abuse.” In the same statement, the Treasury Department made clear the purpose of the E.O. was to target “actors contributing to the crisis in northern Ethiopia” and was not “directed at the people of Ethiopia, Eritrea, or the greater Horn of Africa region.”

   [2]   For more on Myanmar sanctions developments, please see our prior client alerts on February 16, 2021, and April 2, 2021.

   [3]   For more background on the NS-MBS List, please see our December 2020 client alert which discussed the designation of Republic of Turkey’s Presidency of Defense Industries (“SSB”) to the then newly created NS-MBS List. To date, SSB remains the only designee on the NS-MBS List.


The following Gibson Dunn lawyers assisted in preparing this client update: Chris Mullen, Audi Syarief, Judith Alison Lee, Adam Smith, Stephanie Connor, Christopher Timura, Allison Lewis, and Scott Toussaint.

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

For the third consecutive year, following the publication of Gibson Dunn’s ninth annual U.S. Cybersecurity and Data Privacy Outlook and Review on Data Privacy Day, we offer this separate International Outlook and Review.

Like many recent years, 2020 saw significant developments in the evolution of the data protection and cybersecurity landscape in the European Union (“EU”):

  • On 16 July 2020, the Court of Justice of the EU (“CJEU” or “Court”) struck down as legally invalid the EU-U.S. Privacy Shield, on which some companies relied to transfer personal data from the EU to the U.S.  While companies are turning to other frameworks to transfer personal data, such as Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”), EU law also compels these companies to ensure that personal data will be safeguarded.
  • As a consequence of the COVID-19 pandemic, a number of public, corporate and workplace practices have emerged to limit the spread of the virus, all of which have privacy implications.  To respond to this, many EU Member States have issued rules and guidelines with respect to the processing of personal data in the context of the pandemic.
  • Negotiations among EU Member States have been ongoing regarding the adoption of a new e-Privacy Regulation, due to replace the soon 20-year-old e-Privacy Directive.  Meanwhile, EU supervisory authorities have continued to publish guidance on cookie practices and other e-privacy matters, as well as to impose heavy fines on companies in breach of cookies-related requirements.
  • Before Brexit was completed on 31 December 2020, the EU and the UK adopted the Trade and Cooperation Agreement, which includes an overall six-month “bridging mechanism” to cover transfers of personal data into the UK.  The European Commission and the UK are in negotiations to adopt an adequacy decision that can enable the free flow of personal data beyond this six-month period, as in the pre-Brexit scenario.

In addition to the EU, different legal developments occurred in other jurisdictions around the globe, including in other European jurisdictions, the Asia-Pacific region, the Middle East, Africa and Latin America.

We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

__________________________________________

Table of Contents

I. European Union

A.        International Data Transfers

1.         The Schrems II Ruling
2.         Guidance Adopted by the EDPB and Member State Authorities
3.         Conclusions on Data Transfers

B.        COVID-19 Pandemic

1.         Guidance Adopted by Supervisory Authorities
2.         Guidance at EU Member State Level
3.         Next Challenges for the Fight against the COVID-19 Pandemic

C.        E-Privacy and Cookies

1.         Guidance Adopted by the EDPB and Member State Authorities
2.         Reform of the e-Privacy Directive
3.         Enforcement in Relation to Cookies

D.        Cybersecurity and Data Breaches

1.         Guidance and Initiatives Adopted by ENISA
2.         Enforcement in Relation to Cybersecurity

E.         The UK and Brexit

1.         Transfers from and into the EU/EEA and the UK
2.         Transfers from and into the UK and other Jurisdictions

F.         Other Significant Developments in the EU

II. Developments in Other European Jurisdictions: Switzerland, Turkey and Russia

A.        Russia

1.         Access Restriction Trend in Privacy Laws Enforcement
2.         The Russian Data Protection Authority Has Continued to Target Large, Multinational Digital Companies
3.         Legislative Updates

B.        Switzerland

1.         The Revised FADP
2.         The Swiss-U.S. Privacy Shield

C.        Turkey

1.         Turkish Data Protection Authority and Board Issues a Number of Regulations, Decisions and Guidance Documents
2.         Turkish Data Protection Act Continues to be Enforced

III. Developments in Asia-Pacific, Middle East and Africa

A.        Australia

B.        China

1.         New Developments in Chinese Legislation
2.         Enforcement of Chinese Data Protection and Cybersecurity Legislation

C.        Hong Kong SAR

D.        India

1.         Legislative initiatives
2.         Regulatory opinions and guidance
3.         Enforcement of data protection laws

E.         Indonesia

F.         Israel

G.        Japan

H.        Malaysia

I.        Singapore

J.        South Korea

K.        Thailand

L.        United Arab Emirates

M.       Other Developments in Africa

N.        Other Developments in the Middle East

O.        Other Developments in Southeast Asia

IV. Developments in Latin America and in the Caribbean Area

A.        Brazil

B.        Other Developments in South America

1.         Argentina
2.         Chile
3.         Colombia
4.         Mexico
5.         Uruguay

__________________________________________

I. European Union

A.  International Data Transfers

1. The Schrems II Ruling

On 16 July 2020, the CJEU struck down as legally invalid the EU-U.S. Privacy Shield, which some companies had relied upon to transfer personal data from the EU to the U.S.  The Court also ruled that the Standard Contractual Clauses (“SCCs”) approved by the European Commission, another mechanism used by many companies to transfer personal data outside of the EU, remained valid with some caveats.  The Court’s landmark decision has forced companies on both sides of the Atlantic to reassess their data transfer mechanisms, as well as the locations where they store and process personal data.[1]

2.  Guidance Adopted by the EDPB and Member State Authorities

Following the Schrems II ruling, several supervisory authorities shared their views and opinions on its interpretation.[2]  For its part, the UK Information Commissioner’s Office (“ICO”) invited companies to continue transferring data on the basis of the invalidated Privacy Shield, whereas several German authorities advised against it.

These initial reactions were superseded by the Frequently Asked Questions (“FAQ”) report issued by the European Data Protection Board (“EDPB”) on 23 July 2020.  In its FAQs on Schrems II, the EDPB stated, in particular, the following:

 

i. No “grace” period is granted for entities that relied on the EU-U.S. Privacy Shield.  Entities relying on the now invalidated Privacy Shield should immediately put in place other data transfer mechanisms or frameworks.

ii. Data controllers relying on SCCs and BCRs to transfer data should contact their processors to ensure that the level of protection required by EU law is respected in the third country concerned.  If personal data is not adequately protected in the importing Member State, the controller or the processor responsible should determine what supplementary measures would ensure an equivalent level of protection.

iii. If data transferred cannot be afforded a level of protection essentially equivalent to that guaranteed by EU law, data transfers should be immediately suspended.  Companies willing to continue transferring data under these circumstances should notify the competent supervisory authority(ies).[3]

In October 2020, the U.S. Department of Commerce and the European Commission announced that they had initiated discussions to evaluate the potential for a new version of the Privacy Shield that would be compliant with the requirements of the Schrems II ruling.[4]

Pending the discussions between the EU and the U.S. on a new data transfer framework, on 10 November 2020, the EDPB issued important new guidance on transferring personal data out of the EEA, namely:

 

i. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data,[5] which aim to provide a methodology for data exporters to determine whether and which additional measures would need to be put in place for their transfers; and

ii. Recommendations 02/2020 on the European Essential Guarantees (“EEG”) for surveillance measures,[6] which aim to update the EEG, in order to provide elements to examine whether surveillance measures allowing access to personal data by public authorities in a receiving country, whether national security agencies or law enforcement authorities, can be regarded as a justifiable interference.

The EDPB’s guidance lessened some of the uncertainty caused by the Schrems II ruling.  However, since this guidance was issued in the form of a public consultation closing on 21 December 2020, it may be subject to further changes or amendments.

In the Recommendations on supplementary transfer tools, the EDPB recommends that data exporters: (i) map all transfers of personal data to third countries and verify that the data transferred is adequate, relevant and limited to what is necessary; (ii) verify the transfer tool on which the transfers are based; (iii) assess whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards, and document this assessment; (iv) identify and adopt additional measures (examples are provided in Annex 2 of the Recommendations); (v) take any formal procedural steps that the adoption of the supplementary measure may require; and (vi) re-evaluate at appropriate intervals the level of protection afforded to the data transferred.  Although the guidance takes the form of non-binding recommendations, companies that transfer personal data outside of the EEA would be well served to review their approach to such transfers in light of the EDPB guidance.

On 12 November 2020, the European Commission published a draft implementing decision on SCCs for the transfer of personal data to third countries along with a draft set of new SCCs.  The new SCCs include several modules to be used by companies, depending on the transfer scenario and designation of the parties under the GDPR, namely: (i) controller-to-controller transfers; (ii) controller-to-processor transfers; (iii) processor-to-processor transfers; and (iv) processor-to-controller transfers.

These new SCCs also incorporate some of the contractual supplementary measures recommended by the EDPB, as described above.  They were opened for a public consultation that closed on 10 December 2020, and the final new set of SCCs is expected to be adopted in early 2021.  At this stage, the draft provides for a grace period of one year during which it will be possible to continue to use the old SCCs for the execution of contracts concluded before the entry into force of the new SCCs.[7]

In addition, on 12 November 2020 the European Commission published draft SCCs for contracts between controllers and processors.  These SCCs are intended to be optional (the parties may choose to continue using their own data processing agreements) and were also opened for a public consultation that closed on 10 December 2020.  The final version of these SCCs is also expected to be adopted in early 2021.[8]

On 15 January 2021, the EDPB and European Data Protection Supervisor adopted joint opinions on both sets of SCCs (one opinion on the SCCs for contracts between controllers and processors, and another one on SCCs for the transfer of personal data to third countries).[9]

3.  Conclusions on Data Transfers

As explained above, 2020 was a year of changes when it comes to data transfer mechanisms.

The EU-U.S. Privacy Shield, once believed to have put an end to the issues raised by the EU-U.S. Safe Harbour, has again been deemed to be insufficient to safeguard the data protection rights of individuals in the EU.  It is expected that, with a change in the U.S. federal administration, and the need for authorities to give legal certainty and facilitate cross-border commercial activity in the current economic context, the EU and the U.S. will work swiftly towards a mechanism that can resolve transatlantic transfers once and for all.

The adoption of new SCCs, expected to occur in 2021, will also bring more certainty to companies that relied on this framework to transfer personal data.  The new sets of SCCs will cover wider scenarios than those under the current framework, reducing implementation costs and limiting uncertainty.  However, given the limited grace period expected to apply to pre-GDPR SCCs, and the introduction of changes to the new SCCs, companies should take the opportunity to review the new contractual framework and adapt it to their data transfer needs.

B.  COVID-19 Pandemic

The COVID-19 pandemic and the ensuing health crisis have led to the emergence of new practices to limit the spread of the virus, such as the issuance of tracing apps and the implementation of temperature checks at public administration buildings or at the workplace.  These practices involve the processing of various health data, and may therefore have privacy implications.  On the other hand, remote working has increased the exposure of companies and their employees to cybersecurity risks, such as the use of private (unprotected and non-certified) assets to review, print or process company information.[10]

1.  Guidance Adopted by Supervisory Authorities

On 19 March 2020, the EDPB adopted a statement on the processing of personal data in the context of COVID-19.  In the statement, the EDPB emphasised that while data protection rules should not hinder the fight against the virus, data controllers and processors must ensure the protection of personal data even in these exceptional times.[11]

Further, on 17 April 2020, the European Commission set out the criteria and requirements that applications supporting the fight against COVID-19 must meet in order to ensure compliance with data protection regulations.[12] Building on this guidance, the EDPB adopted Guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak as well as Guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak.[13]

Since the beginning of the pandemic, European authorities have also focused on pooling resources at the EU level.  The European Commission and the EDPB published materials relating to the interoperability between the Member States’ contact tracing applications, in order for users to be able to rely on a single app wherever they are located in the EU.[14]

The EDPS also issued a Preliminary Opinion on the European Health Data Space, which aims to promote better exchange and access to different types of health data within the EU.[15]

2.  Guidance at EU Member State Level

Member State supervisory authorities have also issued their own guidance with respect to the processing of personal data in the context of the COVID-19 pandemic.  Although authorities have emphasised the general principles set forth under the GDPR, they have failed to adopt a unified approach.

As regards national tracing applications, the UK ICO issued a notice on the joint initiative by two tech companies to enable the use of Bluetooth technology in contact research applications,[16] as well as on the development of contact tracing applications in accordance with the principles of privacy by design and privacy by default.[17]  In France, the French supervisory authority (the “CNIL”) opened and closed a formal enquiry into the national tracing app sponsored and developed by the French government,[18] after requesting the Ministry of Solidarity and Health to remedy certain breaches identified in the app.[19]  In Germany, as in France, the authority emphasised that the use of the national COVID-19 app should be voluntary.[20]

On a different note, supervisory authorities have also intervened in different degrees in the testing and tracing efforts of public authorities.  In the UK, for example, the ICO issued a notice on the recording and retention of personal data in support of the test and trace scheme, where it advised in particular to only collect data requested by the government, not to reuse the data for other purposes, and to delete the data as soon as it is no longer necessary.[21]  In Germany, a regional supervisory authority even issued warnings for excessive health requests.[22]

Supervisory authorities have also issued substantial guidance in respect of measures to fight the COVID-19 pandemic in an employment context, for example, in the UK,[23] France,[24] Italy,[25] Belgium[26] and the Netherlands.[27]  The topics covered by supervisory authorities include the implementation of tests and the monitoring of employees, the reporting of sensitive information to the employer, and in turn the communication of such information to the health authorities, as well as remote work.

The use of smart and thermal cameras has also been strictly regulated both in France and in Germany.[28]

3.  Next Challenges for the Fight against the COVID-19 Pandemic

While data protection laws were not meant to hinder the deployment of necessary measures to trace and contain the evolution of the virus, EU supervisory authorities have been adamant that this should not come at a cost in terms of privacy.

Privacy standards are likely to remain high as Member States commence their vaccination plans and prepare for the post-COVID-19 economic recovery.  For example, in the Member States the monitoring of doses and medical supervision of patients are generally conducted by qualified medical staff, and health and pharmaceutical institutions.  However, there is still some debate whether private and public institutions can issue or request vaccination “passports” or certificates to facilitate the safe movement of people.[29]  With regard to tracing and detection data, public administrations and companies have to assess the proper retention periods that apply to the storage and archive of such information.

C.  E-Privacy and Cookies

Against the backdrop of the ongoing EU discussions on the future e-Privacy Regulation, guidance has been released by Member State supervisory authorities.  Meanwhile, significant fines continue to be imposed on companies that do not comply with applicable e-privacy rules.

1.  Guidance Adopted by the EDPB and Member State Authorities

On 5 April 2020, the EDPB updated its Guidelines (05/2020) on consent, which now specifically address the practice of so-called “cookie walls” (a practice which consists in making access to online services and functionalities conditional on the consent of a user to cookies).  Among other things, in these Guidelines the EDPB explicitly states that continuing browsing on a website does not meet the requirements of valid consent.[30]

As a result of the additional clarifications provided by the EDPB, the Spanish supervisory authority (“AEPD”) updated its guidance on the use of cookies, denying the validity of consent obtained through cookie walls or continued browsing.[31]

In France, the CNIL adopted a different approach set by the French Administrative Court, which in a 2020 ruling invalidated the general and absolute ban on cookie walls.  Consequently, the CNIL adopted amending guidelines and a recommendation on the use of cookies and other tracing devices, offering practical examples of the collection of users’ consent.[32]

2.  Reform of the e-Privacy Directive

The e-Privacy Regulation was proposed by the European Commission in 2017 in order to update the legislative rules applicable to digital and online data processing and to align e-privacy laws to the GDPR.  Although the project was ambitious and promising at first, eight presidencies of the Council of the EU have been unable to push it over the finish line.

In January 2021, the Portuguese Presidency of the Council of the EU (January to June 2021) proposed a new version (the 14th) of the e-Privacy Regulation, with the aim to simplify the text and further align it with the GDPR.[33]

While the new Regulation is not expected to be applicable before 2022, its adoption process should be closely monitored in order to anticipate compliance efforts that will be required, in particular in view of the shorter transition period (from 24 to 12 months) set out in the proposal of the Portuguese Presidency.

3.  Enforcement in Relation to Cookies

In parallel, Member State supervisory authorities continued to enforce their national e-privacy legislation transposing the e-Privacy Directive.

In Spain, a social network service was fined €30,000 for breaching the rules relating to cookies, specifically because its cookie banner did not enable users to reject the use of trackers or to issue consent per type of cookie.[34]  Similarly, the AEPD imposed a fine of the same amount on an airline for implementing a “cookie wall” on its website.[35]

In France, hefty fines have been imposed for violations of the legal provisions on cookies.  First, two companies of a food and goods retail distribution group were fined €2,250,000 and €800,000 for various violations, including the automatic setting of cookies on users’ terminals.[36]  More recently, two U.S. tech companies were fined €100 million and €35 million, respectively, for violating the legal framework applicable to cookies.  In particular, the CNIL observed that these companies placed advertising cookies on users’ computers without obtaining prior consent and without providing adequate information.[37]

D.  Cybersecurity and Data Breaches

As in previous years, EU and Member State supervisory authorities and cybersecurity agencies have continued to be active in the adoption of measures and decisions that enhance and enforce cybersecurity standards.

1. Guidance and Initiatives Adopted by ENISA

The EU Agency for Cybersecurity (“ENISA”) has the mandate of increasing the protection of public and private networks and information systems, to develop and improve cyber resilience and response capacities, and to develop skills and competencies in the field of cybersecurity, including management of personal data.

In 2020, ENISA continued to issue guidelines and to spearhead initiatives to achieve these objectives:

  • On 27 January 2020, ENISA released an online platform to assist companies in the security of personal data processing.  Among other things, the platform focuses on the analysis of technical solutions for the implementation of the GDPR, including the principle of privacy by design.  The platform may assist data controllers and processors in the determination of their approach when developing personal data protection policies.[38]
  • On 4 February 2020, ENISA published a report outlining frameworks, schemes and standards of possible future EU cybersecurity certification schemes.  The report focuses in particular on the current standards applied to fields such as the Internet of Things, cloud infrastructure and services, the financial sector and electronic health records.  The Report also addresses gaps in the current cybersecurity certification schemes, paving the way for the adoption of future EU cybersecurity certification schemes.[39]
  • On 19 March 2020, ENISA issued a report on security requirements for digital service providers and operators of essential services, based on Directive (EU) 2016/1148 of 6 July 2016 Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union (“NISD”) and the GDPR.  Among other things, the report proposes and sets the outline for a risk-based approach to security.  It identifies the guidelines relevant to NISD and GDPR security measures, recommends the establishment of certification mechanisms, and sets the need for competent EU bodies and research bodies to continue providing specialised guidance on state-of-the-art data protection and security techniques.[40]
  • On 9 June 2020, ENISA made available a visual tool to ensure transparency with regard to cybersecurity incidents.  The tool provides information on eight years of telecommunications security incidents, as well as four years of trust services incident reports.  In total, the tool provides information on 1,100 cybersecurity incidents notified as mandated by EU legislation for over nine years.  In its release, ENISA noted that, over the last four years, system failure was the most common cause behind both telecom security incidents and trust services incidents.[41]

Finally, it is worth noting the Strategy for a Trusted and Cyber Secure Europe released by ENISA on 17 July 2020.  The Strategy aims to achieve a high common level of cybersecurity across the EU, containing ENISA’s strategic objectives to boost cybersecurity, preparedness, and trust across the EU.  The Strategy sets out a list of seven objectives that it aims to reach, including the effective cooperation amongst operational actors within the EU in case of massive cyber incidents, the creation of a high level of trust in secure digital solutions, and efficient and effective cybersecurity information and knowledge management for Europe.[42]

2.  Enforcement in Relation to Cybersecurity

Member State supervisory authorities have been particularly active in sanctioning data breaches and the lack of appropriate security measures, with significant monetary penalties.

For example, in the UK, three sanctions have been especially significant.  First, an airline company was fined £20 million following a cyberattack in 2018 that compromised the personal and financial data of more than 400,000 of its customers for over two months.[43]  ICO investigators found that the airline company should have identified weaknesses in its security and resolved them with security measures that were available at the time, which would have prevented the cyberattack.

Second, a hotel chain was fined £18.4 million after an estimated 339 million guest records worldwide were affected following a cyberattack that occurred in 2014, but remained undetected until September 2018.[44]  According to the ICO, the investigation revealed failures on the side of the hotel chain to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR.  In those two cases, the ICO significantly reduced the amount of the fine originally considered in its notice of intention to fine the companies, taking into account the company’s representations and the economic impact of the COVID-19 pandemic in setting the final amount of the fine.

Third, a ticket sales and distribution company was fined £1.25 million for failing to comply with its security obligations, in the context of a cyberattack on a chatbot installed on its online payment page, potentially affecting the data of 9.4 million people.[45]  The ICO concluded that the company failed to assess the risks of using a chatbot on its payment page, identify and implement appropriate security measures to negate the risks, and identify the source of suggested fraudulent activity in a timely manner.

In Germany, a German telecommunications service provider was fined by the German Federal Data Protection Authority for insufficient data security procedures established in a call centre that led to an inappropriate disclosure of the cell phone number of an individual, who then complained to a data protection authority.  While the fine initially amounted to €9.5 million, it was challenged by the telecommunications service provider and later reduced by the competent district court in Bonn to €900,000.

More recently, in Ireland, a social network service was fined €450,000 concerning its 2019 data breach.  This decision bears great importance, as it represented the outcome of the first application of the GDPR dispute resolution mechanism, where the Irish Data Protection Commission adopted a decision further to the adoption of a prior decision by the EDPB.[46]

On 30 July 2020, the Council of the EU imposed its first ever sanctions on cyberattacks.  In particular, the Council adopted restrictive measures against six individuals and three entities responsible for or involved in various cyberattacks, including a travel ban and an asset freeze.  In addition, EU individuals and entities are forbidden from making funds available to these individuals and entities.[47]

E.   The UK and Brexit

The UK regained full autonomy over its data protection rules at the end of the Brexit transition period, on 31 December 2020.  However, before Brexit was concluded, the EU and the UK entered into the EU-UK Trade and Cooperation Agreement on 30 December 2020.[48]  This Agreement regulates data flows from the EU/EEA to the UK under a so-called “bridging mechanism”, and sets a timeline for the adoption of an EU-UK adequacy decision thereafter.

The Trade and Cooperation Agreement includes mechanisms to enable the UK to make changes to its data protection regime or exercise international transfer powers, subject to mutual agreement, without affecting the bridging mechanism.  The EU does not have the power to block changes to the UK’s framework or use of its powers.  However, if the EU objects to changes considered by the UK, and the UK implements them despite these objections, the EU/EEA-UK bridge will be terminated.

1.  Transfers from and into the EU/EEA and the UK

As indicated above, the bridging mechanism contained in the EU-UK Trade and Cooperation Agreement covers personal data transfers from the EU/EEA to the UK.  According to the provisions in the Agreement, it will apply for up to a maximum period of six months, unless an adequacy decision comes into effect earlier.  The adoption of an EU adequacy decision for the UK, which is expected to be adopted in 2021, would enable the ongoing free flow of personal data from the EEA to the UK thereafter, without needing to implement additional safeguards.

Notwithstanding the stability offered by the Trade and Cooperation Agreement, the UK Government has advised companies to put in place alternative transfer mechanisms that may safeguard personal data received from the EEA against any interruption to the free flow of personal data.[49]  SCCs have been identified as the most relevant mechanism that organisations may resort to in order to safeguard such transfers.

On the other side, regarding personal data transfers from the UK to the EU/EEA and Gibraltar, the conditions under which such transfers may be made will remain unchanged and unrestricted, according to the UK Government.[50]

2.  Transfers from and into the UK and other Jurisdictions

The transfer of personal data from third countries and territories to the UK generally raises questions of legal compliance in the exporting jurisdiction.  The impact of Brexit has been particularly significant regarding the regulation of data transfers into the UK from jurisdictions that were already covered by an adequacy decision of the European Commission.

Pre-Brexit, the European Commission had made findings of adequacy of personal data transfers to a number of jurisdictions.[51]  These adequacy decisions generally address the inbound transfer of personal data from these jurisdictions into the EU/EEA.  However, in order to obtain and maintain these adequacy decisions, these jurisdictions put in place legal restrictions on (onward) transfers of personal data to countries outside the EEA, which now include the UK.

To resolve potential issues on transfers of personal data from these jurisdictions to the UK, the governments of most of these jurisdictions have issued statements, resolutions and even modified their legal regimes in order to permit the continued transfer of personal data into the UK.  The UK ICO has indicated that it is continuing to work with these jurisdictions in order to make specific arrangements for transfers of personal data to the UK.[52]

On the UK side, the 2019 Brexit regulations applicable to data protection matters recognised the European Commission’s adequacy decisions, and rendered permissible cross-border transfers of personal data to these jurisdictions.[53]  The Government and the ICO are working on the adoption of new UK adequacy regulations, to confirm that particular countries, territories or international organisations ensure an adequate level of protection, so as to allow transfers of personal data from the UK to these jurisdictions, without the need for adoption of additional safeguards.  SCCs and other mechanisms for lawful international data transfers may be put in place to cover transfers of personal data from the UK to jurisdictions not covered by adequacy decisions.

F.  Other Significant Developments in the EU

More generally, this year has been marked by the adoption of important EDPB Guidelines.  In addition to those mentioned above, the EDPB released new Guidelines on the concepts of controller and processor, on the targeting of social media users, and on data protection by design and by default.[54]

Furthermore, hefty fines were imposed as mentioned in Sections I.A to D above, in particular in France with the €100 million fine imposed on a tech company, which is the highest penalty ever imposed by a supervisory authority as of the end of December 2020.

Fines were also imposed on topics other than those addressed above.  In particular, in Germany, the Hamburg supervisory authority fined a retail company €35.3 million for illegally collecting and storing sensitive personal data from employees, such as information about health condition, religious beliefs and family matters.  According to the authority’s investigation, data about the personal life of the company’s employees had been collected comprehensively and extensively by supervisors since at least 2014, and stored on the company’s network drive.  This information was accessible to up to 50 managers of the company and was used, among other things, to create profiles of individual employees in order to evaluate their work performance and to adopt employment decisions.  In sum, the practice of the company amounted to a number of data protection violations, including a lack of legal basis for the data processing, illegal processing of the data, and the absence of controls to limit storage and access to the data.[55]

Significant monetary penalties have also been imposed due to the lack of valid consent under the GDPR:

  • In Italy, two telecommunications operators were fined approximately €17 and €12 million for processing hundreds of unsolicited marketing communications without having obtained users’ prior consent, without having offered to users their right to object to the processing, and for aggressive telemarketing practices, respectively.[56]
  • In Spain, the AEPD fined a bank €5 million for violations of the right to information and for lack of valid consent.  In particular, the bank used imprecise terminology to define the privacy policy, and provided insufficient information about the category of personal data processed, especially in relation to customer data obtained through financial products, services, and channels.  Moreover, the bank failed to obtain consent before issuing promotional SMS messages, and did not have in place a specific mechanism for consent to be obtained by customers and account managers.[57]

As regards the requirements for valid consent under the GDPR, the CJEU, in its ruling on Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal, decided that valid consent cannot be inferred from a preselected box in a contract for the provision of telecommunications services, whereby the customer allegedly consents to the collection and storage of his/her identity document.  The Court specified that this is also the case where the customer is misled as to the possibility of concluding the contract if he/she refuses to consent to the processing of his/her data, or where the freedom to choose to object to that collection and storage is affected by the requirement to complete an additional form setting out that refusal.[58]

In addition to increased scrutiny by data protection authorities, there is also a slightly increasing trend in private enforcement actions from consumers and (former) employees.  These actions primarily relate to both the enforcement of transparency and access rights to personal data as well as claims for compensation for alleged GDPR violations.

II. Developments in Other European Jurisdictions: Switzerland, Turkey and Russia

As explained in the 2020 International Outlook and Review, the increasing impact of digital services in Europe and the overhaul brought about by the GDPR in the EU have continued to influence the regulatory and enforcement actions of jurisdictions in the vicinity of the EU.

A.  Russia

1.   Access Restriction Trend in Privacy Laws Enforcement

Russian local data privacy laws have continued to be heavily enforced by the Russian Federal Service for the Supervision of Communications, Information Technology and Mass Communications (“Roskomnadzor”).  This activity reflects the growing priority and concern that personal data protection represents for the Russian population.  According to Roskomnadzor’s statistics, in the previous year the number of complaints concerning personal data protection had increased to 50,300.  The largest number of complaints related to the actions of the owners of internet sites, including social networks, credit institutions, housing and communal services organisations, and collection agencies.[59]

The most notable activity of Roskomnadzor in 2020 was its use of its regulatory powers to manage the activities of numerous Internet-based services.  Below we describe three noteworthy cases where access to an Internet resource was restricted by Roskomnadzor until the respective company satisfied certain expectations and/or requests of the regulator.

On 29 January 2020, Roskomnadzor announced that it would restrict access to the mail service of a tech company.  In deciding so, Roskomnadzor noted that the company was used by cybercriminals to send false messages under the guise of reliable information, and that it had categorically refused Roskomnadzor’s repeated requests for information to be included in the register of information dissemination organisers on the Internet.[60]  However, the company has taken action to address the situation, and its service is currently accessible to Russian users.

On 20 February 2020, Roskomnadzor took a similar measure and temporarily restricted access to another email service provider.[61]  The authority stated that, in 2019 and in February 2020, the email service had been used by cyber-attackers to send false messages under the guise of reliable information about the massive mining of social transport infrastructure and ships in the Russian Federation.

On 18 June 2020, Roskomnadzor also announced that it had removed the requirements to restrict access to the messaging application of a tech company.[62]  This decision was paired with Roskomnadzor’s declaration of its readiness to cooperate with internet companies operating in Russia to quickly suppress the spread of terrorist and extremist information, child pornography, and the promotion of suicide and drugs.  In addition, Roskomnadzor noted that, through joint efforts with leading Russian and foreign companies, it had removed, on average each week, 2,500 materials relating to suicidal behaviours, 1,300 materials of an extremist and terrorist nature, 800 materials propagandising drug use, and 300 materials containing pornographic images of minors.

2.  The Russian Data Protection Authority Has Continued to Target Large, Multinational Digital Companies

In 2020, Roskomnadzor continued its trend of targeting large, multinational digital companies.  On 31 January 2020, the authority announced that it had initiated administrative proceedings against two social network services.[63]  In particular, Roskomnadzor stated that these companies did not meet the requirements for data localisation of Russian users on servers located in the Russian Federation.

Following the authority’s proceedings, on 13 February 2020, the Tagansky District Court of Moscow fined both social network services RUB 4 million (approx. €45,000) for these violations.[64]  The Court affirmed the authority’s finding that one of the companies had violated Russia’s legal requirement to record, organise and store the personal data of Russian citizens in databases located in the Russian Federation.[65]

3.  Legislative Updates

Several notable laws have been adopted at the end of 2020.

New amendments to the Code of Administrative Offenses of the Russian Federation entail considerable fines for failure to delete prohibited information upon the request of Roskomnadzor.[66]  The fines, which can be imposed on hosting providers or any person enabling other persons to publish information on the Internet for failure to restrict access to prohibited information, and on owners of websites or Internet resources for non-deletion of prohibited information, may be up to RUB 4,000,000 (approx. €45,000) for the first offence and up to 10% of the company’s annual turnover from the preceding calendar year (but not less than RUB 4,000,000) for the subsequent offence.  If the prohibited information contains propaganda of extremism, child pornography, or drugs, liability is increased to up to RUB 8,000,000 (approx. €90,000) for the first offence or up to 20% of the company’s annual revenue from the preceding calendar year (but not less than RUB 8,000,000) for the subsequent offence.  This law is aimed at establishing liability for hosting providers and owners of websites and information resources who fail to restrict access to or delete information whose dissemination is prohibited in Russia, and came into force on 10 January 2021.

Another amendment to Russian law[67] significantly increases the risk of internet resources being blocked in Russia.  The law introduces the status of the owner of an Internet resource involved in violations of the fundamental human rights of Russian citizens.  The Prosecutor General, in consultation with the Russian Foreign Ministry, may assign this status to the owner of an Internet resource that discriminates against materials from the Russian media.  Such a decision can be made if the internet resource limits access to socially important information based on nationality or language, or in connection with the imposition of sanctions against Russia or its citizens.  If the owner of the internet resource censors or otherwise restricts access to the accounts of Russian media, Roskomnadzor is entitled to restrict access to such internet resource, fully or partially.  This law came into force on 10 January 2021.

The law amending the Personal Data Law significantly changes the legal landscape with regard to the processing of publicly available personal data.[68]  Under the new law, data controllers making personal data publicly available for further processing by third parties must obtain individuals’ explicit consent, which must not be bundled with any other consent; data subjects also have a wide range of rights in this regard.

Third parties who intend to process publicly available personal data have three options: (i) to rely on the consent obtained by the controller when making the data publicly available, subject to compliance with the rules of data processing; (ii) to rely on the consent provided by an individual to Roskomnadzor via a dedicated web-based platform to be set up under the law, but also subject to compliance with the rules of data processing; or (iii) to ensure on their own that they have appropriate legal grounds as per the general requirements of Russian Personal Data Law.  The above rules will enter into force as of 1 March 2021.

In addition, the new law introduces the data controller’s obligation to publish information on the processing terms and on the existing prohibitions and conditions for the processing, by an unlimited number of persons, of personal data permitted by a data subject for dissemination.  These new requirements will come into force as of 1 July 2021.  According to the amendments to the Law on Information, Information Technologies, and Information Protection, if a resource is considered a social network, it will be included in the register maintained by Roskomnadzor.[69]  These amendments impose moderation obligations on social networks regarding the content published by users, and require them to make available certain information on their websites.

In practice, social networks will now be required to identify and restrict access to illegal content.[70]  Furthermore, the following information must be posted on the social network by its owner: (i) name, email address and an electronic form for sending requests about the illegal content; (ii) annual reports on the results of the consideration of requests and monitoring activities; (iii) terms of use of the social network.  This amendment will enter into force on 1 February 2021.

The recently adopted laws evidence the trend of the increased regulation of IT-industry activities in Russia.  With these new regulations, the Russian authorities increase the regulatory mechanisms that may affect the activities of websites, news media, social media, social networks and video hosting services in Russia.

B.  Switzerland

1.  The Revised FADP

On 25 September 2020, the Swiss Parliament adopted the revised version of the Federal Act on Data Protection 1992 (“Revised FADP”).[71]  The Revised FADP is not in force yet, as it was subject to approval by referendum until 14 January 2021 (which was not held).  The Federal Council will decide on the entry into force, which is expected during 2021 or at the beginning of 2022.  The specific date is particularly important because the Revised FADP does not provide for any transitional periods.

One of the main reasons behind the adoption of the Revised FADP was to ensure that the EU recognises Switzerland as providing an adequate level of protection to personal data according to GDPR standards.

The most significant differences between the Revised FADP and the previous version are the following:

  • The Revised FADP now codifies expressly the international principle of the effects doctrine, subject to the principles governing civil and criminal enforcement that remain in place.[72]  Hence, the Revised FADP will also apply to persons that are domiciled outside of Switzerland if they process personal data and this data processing has an effect in Switzerland.
  • Personal data pertaining to legal entities is no longer covered by the Revised FADP, which is in line with the GDPR and most foreign data protection laws.[73]
  • The Revised FADP will extend the term of sensitive data by adding two new categories: (i) genetic data; and (ii) biometric data that uniquely identifies an individual.[74]
  • The Revised FADP now contains a legal definition of profiling that corresponds to the definition in the GDPR.[75]
  • The Revised FADP distinguishes between controllers and processors.[76]
  • Like the GDPR, the Revised FADP contains provisions concerning data protection by design and by default.[77]
  • The Revised FADP provides that a processor can hire a sub-processor only with the prior consent of the controller.[78]
  • Under the Revised FADP and subject to specific exemptions, controllers and processors must maintain records of data processing activities under their respective responsibility.  The former duty to notify data files to and register with the Federal Data Protection and Information Commissioner (“FDPIC”) has been abolished.[79]
  • Under the Revised FADP and under specific conditions, controllers that are domiciled or resident abroad and process personal data of Swiss individuals must designate a representative in Switzerland.[80]
  • The Revised FADP provides that individuals must (at the time of collection) be informed about certain minimum information[81] and have a new right to intervene in case of automated decision-making.[82]
  • Under the Revised FADP, the FDPIC will have the power to issue binding decisions.  However, it will not have the unilateral power to impose fines, unlike most data protection authorities in Europe – resort to Swiss courts will be required.
  • Controllers are required to conduct a Data Protection Impact Assessment (“DPIA”) where there is a high risk for the privacy and the fundamental rights of data subjects.[83]
  • Controllers will have a data breach notification obligation to the FDPIC where an incident results in high risk for data subjects.[84]
  • The Revised FADP introduces the right to data portability, which was not covered by the previous data protection law.[85]
  • The maximum amount of sanctions for individuals will be CHF 250,000 (approx. €232,000),[86] and the Revised FADP also extends criminal liability to the violation of additional data protection obligations.

As can be seen, there are significant similarities between the Revised FADP and the GDPR.  The entry into force of the Revised FADP is therefore expected to lead to continuity in the cross-border data transfers between the EU and Switzerland.

2. The Swiss-U.S. Privacy Shield

On 8 September 2020, the FDPIC published an assessment on the Swiss-U.S. Privacy Shield where it found that the cross-border transfer mechanism did not guarantee an adequate level of protection regarding data transfers from Switzerland to the U.S.[87]  Prior to FDPIC’s assessment, the CJEU had delivered its judgment in Schrems II,[88] in July 2020, which rendered the European Commission’s decision on the EU-U.S. Privacy Shield invalid.

The FDPIC identified two key problems concerning the Swiss-U.S. Privacy Shield, namely: (i) the lack of an enforceable legal remedy for persons concerned in Switzerland in particular due to the inability to assess the effectiveness of the Ombudsman mechanism because of a lack of transparency; and (ii) the inability to assess the decision-making abilities of the Ombudsman and its independence with respect to U.S. intelligence services.  Since FDPIC’s assessment is a soft-law instrument without legally binding nature, the Swiss-U.S. Privacy Shield will remain valid and binding for the companies registered unless and until it is repealed or annulled on a case-by-case basis by the competent Swiss courts or in its entirety by the U.S.

C.  Turkey

1.  Turkish Data Protection Authority and Board Issues a Number of Regulations, Decisions and Guidance Documents

In 2020, the Turkish Data Protection Authority (“KVKK”) and the Turkish Data Protection Board (the “Board”) continued to issue a number of statements, decisions and guidance documents regarding the application and enforcement of Turkish data protection provisions.  We outline and briefly explain below the most relevant ones:

  • On 16 December 2020, the KVKK issued a statement on the data protection rules related to publicly available personal data.  In the statement, the KVKK acknowledged that the Law on Protection of Personal Data No. 6698 (“Turkish Data Protection Act”) allows personal data to be processed where the data concerned is made available to the public by the data subject themselves.[89]  However, the KVKK clarified that the concept of “making data public” has a narrow meaning under the Turkish Data Protection Act, and only covers scenarios where the data subjects wish the data to be public for data processing – the mere act of making personal data available to the public is not sufficient.
  • On 26 October 2020, the KVKK issued a statement on cross-border data transfers outside of Turkey.[90]  The statement noted that the Turkish Data Protection Act allowed a grace period for compliance with relevant data transfer provisions, and that several deadlines had been extended due to the COVID-19 pandemic.  The KVKK also committed to eliminate and correct any misunderstandings arising from the interpretation and implementation of the Act, which had led to criticism from practitioners and scholars.  As a start, the KVKK clarified that the Board will carry out assessments on the adequacy of foreign jurisdictions for data transfers based on a number of factors, including the reciprocity concerning data transfers between the importing country and Turkey.  The KVKK also indicated that “Binding Corporate Rules” (“BCRs”) may be applicable and used in data transfers between multinational group companies.  Indeed, on 10 April 2020, the KVKK introduced BCRs to the Turkish data protection law, to be used in cross-border personal data transfers of multinational group companies.[91]  In its announcement, the KVKK described the undertaking letter procedure for data transfers outside of Turkey, and stated that although the undertaking letters make bilateral data transfers easier, they may be inadequate for data transfers between multinational group companies.  Therefore, the KVKK designated BCRs as another means that could be used in international data transfers between group companies.
  • On 17 July 2020, the KVKK issued a statement on the de-indexing of personal data from search engine results[92] based on the Board’s decision number 2020/481.[93]  The KVKK stated in its announcement that it had evaluated the applications submitted to it requesting the de-indexing of web search results within the scope of the “right to be forgotten”.  The Board decided that search engines should be considered “data controllers” under the Turkish Data Protection Act, that individuals may primarily convey their de-indexing requests to the search engines and file complaints before the KVKK, and that search engines should carry out a balancing test between fundamental rights and freedoms and the public interest.  Additionally, the KVKK published a criteria document[94] indicating that de-indexing requests should be considered in light of the issues set out therein; the document is mainly based on the Article 29 Working Party’s Opinion on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on the Costeja Case.
  • On 26 June 2020, the KVKK issued a statement on the obligation to inform data subjects.[95]  The statement concerns the general rules on data controllers’ obligation to inform that are already set out in the Turkish Data Protection Act and secondary legislation.  The KVKK indicated in its announcement that privacy policies or data processing policies should not be used to fulfill the obligation to inform and that privacy notices should therefore be kept separate from these texts.  The KVKK then listed several examples of deficiencies and illegalities relating to the obligation to inform.
  • On 9 April 2020, the KVKK issued a statement on the processing of location data in light of the COVID-19 pandemic.[96]  The statement highlights that many other countries have used and allowed the use of personal data, such as the health, location and contact information of individuals, to identify those who carry or are at risk of carrying this disease.  The KVKK recalls that the processing of this data needs to be carried out within the framework of the basic principles enshrined in the Turkish Data Protection Act.

2.  Turkish Data Protection Act Continues to be Enforced

2020 was also a year in which the KVKK enforced the Turkish Data Protection Act in a number of data protection proceedings.

On 6 February 2020, the KVKK fined an undisclosed bank TRY 210,000 (approx. €27,800) for illegally processing personal data to gain potential customers.[97]  The case concerned the creation of bank accounts without the knowledge or consent of individuals, using information gained by the bank via a third party.  The KVKK found that the bank had acted in breach of its security obligations to prevent unlawful processing of personal data.

On 22 July 2020, the KVKK fined an automotive company TRY 900,000 (approx. €101,840) for violations related to the transfer of personal data based on the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“Convention 108”).[98]  The software provider sought to rely on the fact that the receiving country was party to Convention 108 and, therefore, offered sufficient protection to personal data imported from Turkey.  However, the KVKK outlined that the fact that a receiving country is a party to Convention 108 is in itself an insufficient measure in determining adequate protection of data.  The data transfer had thus been carried out in breach of the Turkish Data Protection Act, without data subjects’ consent and not benefitting from any of the exceptions set out in the Turkish Data Protection Act.  It is worth noting, in this regard, that the KVKK is yet to publish the list of countries deemed to provide sufficient protection under Turkish law.  Finally, the decision notes that the data controller failed to comply with its data security obligations, as it had failed to prevent the unlawful processing and transfer of personal data.  The KVKK ordered the data controller to delete/destroy the personal data unlawfully transferred outside of Turkey.

On 16 April 2020, the KVKK fined a gaming company TRY 1,100,000 (approx. €120,000) for failing to notify the KVKK of a data breach within seventy-two (72) hours after becoming aware of it and to take the required data security measures.[99]

On 27 February 2020, the KVKK fined an e-commerce company TRY 1,200,000 (approx. €120,000): TRY 1,100,000 for failing to fulfil the obligations relating to data security and TRY 100,000 for failing to comply with the obligation to inform data subjects.[100]  The Board also ordered the data controller to revise its data processing processes and its privacy policy, Conditions of Sale and Use and Cookie Notice to address the irregularities identified and to bring them in line with the Turkish Data Protection Act.  The Board stated in its decision that (i) the privacy policy contains a large amount of information, including general information about personal data processing, and this does not mean that the data subjects are duly informed; (ii) although the data processing activities start with the cookies as soon as a user enters the website, the information obligation is not complied with at any stage, such as the placing of cookies or member login to the website; (iii) explicit consent is not obtained for commercial electronic communications and cross-border transfer of personal data; and (iv) considering that the undertaking letters submitted for cross-border transfer of personal data are not approved and the safe countries have not been announced, the data controller may only transfer personal data abroad based on data subjects’ explicit consent.

III.  Developments in Asia-Pacific, Middle East and Africa

A.    Australia

The Australian government released the Terms of Reference and Issues Paper for the review of the Privacy Act 1988, and solicited public submissions by 29 November 2020.  This wholesale review may update main provisions of the Privacy Act 1988, such as increasing maximum civil penalties, creating a binding privacy code for social media platforms, strengthening notification and consent requirements, modifying international data transfers, and expanding the definition of personal information.  The government plans to issue a discussion paper seeking specific feedback on preliminary outcomes and possible areas of reform in early 2021.

B. China

1. New Developments in Chinese Legislation

The most significant legislative framework in China for the protection of personal data is the Cybersecurity Law (“Cybersecurity Law”) which came into effect on 1 June 2017.  Two additional laws were introduced into the pipeline in 2020: the Draft Personal Information Protection Law[101] (“Draft PIPL”); and the Draft Data Security Law (“Draft DSL”).  Once adopted, these three legal instruments (the Cybersecurity Law, the Draft Data Security Law and the Draft PIPL) are together expected to become the fundamental laws in the field of cybersecurity and data protection in China.

The Draft PIPL is intended to be a general data protection law, which could harmonise the current fragmented legislative framework.  However, even after the adoption of the Draft PIPL, personal information protection in China would remain sector based.

The Draft PIPL was partially inspired by the GDPR, but it has important differences that prevent a common cross-border approach (e.g., regarding the legal grounds for data processing, there is no legal basis of legitimate interest of the controller).  Using a single privacy framework for EU and Chinese companies would consequently not result in adequate compliance.

The Draft PIPL introduces substantial new fines.  For example, data processors are subject to fines of RMB 50 million (approx. €8 million, or $7.4 million), or 5% of the company’s revenue from the previous year.[102] In addition, the Cyberspace Administration of China would also have the competence to blacklist organisations and individuals for misusing data subjects’ data.[103]

On 18 November 2020, the Centre for Information Policy Leadership (“CIPL”) submitted recommendations on possible modifications of the Draft PIPL in order to ensure the protection of China’s citizens, businesses and government data,[104] including the following:

  • The Draft PIPL includes definitions for sensitive personal information,[105] including biometric, financial, ethnic and religious information.  The CIPL suggested a risk-based approach to assess personal data processing, rather than providing categories of predefined “sensitive information”.
  • According to the CIPL, exemptions should be provided to the general requirement to appoint data protection officers and representatives, in line with other foreign privacy laws like the GDPR.
  • The Draft PIPL should explain further what conditions or factors are required to satisfy the Cyberspace Administration’s security assessment for cross-border transfers of personal data.
  • The Draft PIPL should clarify what constitutes a “serious” unlawful act.
  • Finally, the CIPL recommended that organisations be afforded a two-year grace period from the date that the Draft PIPL is passed, to be fully compliant.

The other major legislative proposal, the Draft DSL, is intended to provide the fundamental rules of data security for both personal and non-personal data.  The intended scope of application of the Draft DSL is broad, applying to “activities” (actions including collection, storage, processing, use, supply, trade and publishing) regarding “data” (any record of information in electronic or non-electronic form).

Finally, on 1 January 2021 the Civil Code of the People’s Republic of China entered into force, adopted by the third session of the 13th NPC.  The Civil Code applies to all businesses in general (without distinguishing among controllers and processors), and introduces rules for the protection of personal information, including its collection, use, disclosure, and processing.

2. Enforcement of Chinese Data Protection and Cybersecurity Legislation

In August 2020, the China Banking and Insurance Regulatory Commission (“CBIRC”) issued two separate fines of RMB 1 million ($150,000) on two banks.[106]  In both cases the banks were fined for failures to provide protection to personal data of credit card customers.

C.  Hong Kong SAR

On June 30, 2020, the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region (the “NSL”) passed by the Standing Committee of the National People’s Congress of the People’s Republic of China (the “PRC”) became effective in Hong Kong.  The NSL empowers law enforcement authorities to search electronic devices and premises that may contain evidence of related offenses and carry out covert surveillance upon approval of the Chief Executive; criminalizes acts of terrorism, subversion, secession, or collusion with foreign or external forces to endanger national security; and holds incorporated or unincorporated entities accountable for violations of the NSL.

Furthermore, the Committee for Safeguarding National Security (the “Committee”), which consists of specified Hong Kong officials and an advisor appointed by the Central People’s Government of the PRC (the “CPG”), is established pursuant to the NSL and assumes various duties including formulating work plans and policies, advancing the enforcement mechanisms and coordinating significant operations for safeguarding national security in Hong Kong.  Decisions made by the Committee are not subject to judicial review.

The Office for Safeguarding National Security of the CPG (the “Office”) may in specified circumstances assume jurisdiction over serious or complex cases which would be difficult or ineffective for Hong Kong to handle in light of, for example, involvement of a foreign country or external elements. Such cases shall be investigated by the Office and, upon prosecution by a body designated by the Supreme People’s Procuratorate, adjudicated by a court designated by the Supreme People’s Court of the PRC.

The NSL applies not only to offenses committed or having consequences in Hong Kong by any person or entity, but also offenses committed from outside Hong Kong against Hong Kong by any person or entity.

D.  India

1. Legislative initiatives

As indicated in the 2020 International Outlook and Review, the Personal Data Protection Bill 2019 (“PDP Bill”) was introduced in Parliament on 11 December 2019, adapted from the draft data protection legislation presented to the Ministry of Electronics and Information Technology on 27 July 2018[107] by the committee of experts led by Justice Srikrishna.  Thereafter, the PDP Bill was referred to a Joint Parliamentary Committee for its review.  As of January 2021, the PDP Bill is in its final stages of deliberation and is expected to be promulgated soon.  Several industry bodies and stakeholders were asked to depose before the Joint Parliamentary Committee for their views on the amendments made in the PDP Bill and the desired requisites of a national data protection law.  Until the PDP Bill is enacted, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 continue to govern data protection in India.

In September 2019, the Ministry of Electronics and Information Technology constituted a committee of experts (“Committee”) to devise a framework for the regulation of non-personal data.  Ultimately, on 12 July 2020, the Committee released a Report on Non-Personal Data Governance Framework (“NPD Framework”)[108], where it emphasised that the regulation of non-personal data is necessary to incentivise innovation, create value from data sharing, address privacy concerns, and prevent harm.  The NPD Framework was met with criticism for the imposition of compulsory data sharing obligations and onerous compliance requirements on entities collecting and managing non-personal data.  After reviewing feedback from the public and stakeholders, the Committee released a revised version of the NPD Framework on 1 January 2021, wherein the Committee provided several clarifications to the earlier draft and streamlined the jurisdictions of the PDP Bill and the NPD Framework.  The NPD Framework is still under public consultation and is yet to be presented before the Parliament as a bill for the promulgation of a single national-level regulation to establish rights over non-personal data collected and created in India.

In August 2020, the Government of India also proposed a data-sharing framework in the fintech sector.  The National Institution for Transforming India (“NITI Aayog”) released a draft framework on the Data Empowerment and Protection Architecture[109] which will be implemented by the four government regulators: the Reserve Bank of India, the Securities and Exchange Board of India, the Insurance Regulatory and Development Authority, and the Pension Fund Regulatory and Development Authority, and the Ministry of Finance.  The draft aims to institute a mechanism for secure consent-based data sharing in the fintech sector, which may be an important step towards empowering individuals in relation to their personal data.  The draft aims to enable individuals to share their financial data across banks, insurers, lenders, mutual fund houses, investors, tax collectors, and pension funds in a secure manner.

In August 2020, the Government of India also launched the National Digital Health Mission (“NDHM”), a visionary project which intends to digitise the entire health care ecosystem of India.  The National Health Data Management Policy, 2020[110] came into force on 15 December, 2020, and is the first step in realising the NDHM’s guiding principle of “security and privacy by design” for the protection of data principals’ personal digital health data privacy.  It is intended to be a guidance document across the National Digital Health Ecosystem and sets out the minimum standard for data privacy protection for data relating to the physiological and psychological health of individuals in India.

2.  Regulatory opinions and guidance

Indian institutions have also adopted certain measures in response to the challenges resulting from the COVID-19 pandemic.  For instance, the Data Security Council of India (“DSCI”) issued the best practices on working from home in light of COVID-19[111] on 18 March, 2020.  The guidance notes, among other things, that virtual private networks should only be used on company-owned devices, employees should access company data and applications through a browser-based webpage or virtual desktop, and a risk assessment should be conducted when selecting a remote access method.  In addition, the guidance outlines a basic mandate for organisations and employees, which includes taking care of the confidentiality of valuable transactions and sensitive financial documents when working from home.

In a similar vein, the DSCI published, on 24 April 2020, its guidelines on data privacy during the COVID-19 pandemic, which highlight the privacy implications of COVID-19 for different sets of stakeholders and provide privacy and data protection practices.[112]  The guidelines address healthcare privacy considerations and note the importance of notifying patients of all information that is collected, having specific protocols in place to ensure that consent is obtained, having internal and external audit mechanisms to assess privacy measures, and using health data solely for the specific purposes of their collection.  Finally, the guidelines provide working from home considerations both for employers and employees, noting the importance of revisiting data protection strategies, data management practices, remaining compliant with regulatory obligations, conducting Data Protection Impact Assessments to ascertain privacy risks, and spreading privacy awareness and training across organisations.[113]

The DSCI also published its Report for Enabling Accountable Data Transfers from India to the United States Under India’s Proposed Personal Data Protection Bill on 8 September 2020[114] (“Report on Data Transfers”).  The purpose of the Report on Data Transfers is to make additional recommendations to the existing draft of the PDP Bill to enable free flow of data between countries, especially with the U.S. owing to the value it adds to India’s digital economy, and to provide solutions for facilitating India-US data transfers.  The Report on Data Transfers also suggests, among other things, that the PDP Bill’s provision on the creation of codes of practice should include certification requirements in order to increase interoperability between different privacy regimes as well as facilitate cross-border transfer mechanisms.

On 2 September 2020, the Artificial Intelligence Standardisation Committee for the Department of Telecommunication released its Indian AI Stack discussion paper.[115]  The Discussion Paper notes that the AI Stack will, among other things, secure storage environments that simplify archiving and extraction from data based on the data classification, ensure the protection of data through data federation, data minimisation, an open algorithm framework, defined data structures, interfaces and protocols, and monitoring, auditing, and logging, as well as ensuring the legitimacy of backend services.

3. Enforcement of data protection laws

In 2020, the Government of India adopted three decisions to block applications following information that they were engaging in activities which were prejudicial to the integrity and the national security of India.[116]

In particular, the Government had received complaints regarding the misuse of mobile application data, stealing and secretly transmitting users’ data in an unauthorised manner to servers located outside of India.  As a result, on 29 June 2020, the Government decided to disallow the use of 59 applications to safeguard the interests of Indian mobile and internet users.[117]  Similarly, on 2 September 2020[118], and 29 November, 2020,[119] the Indian Government decided to further block 118 and 43 mobile applications respectively for misusing users’ data and engaging in activities which are prejudicial to the sovereignty, integrity and defence of India, as well as the security of the state and public order.  According to the Government, the applications’ practices raised concerns relating to the fact that they were collecting and sharing data in a manner which compromised the personal data of users, posing a severe threat to the security of the State.

On 23 November 2020, the Orissa High Court delivered an important judgment emphasising the need to recognise the right to be forgotten, noting the presence of objectionable images and videos of rape victims on social media platforms.[120]  The court emphasised that the principle of purpose limitation is already embodied in law by virtue of the precedent of the Supreme Court’s judgment in K.S. Puttaswamy v. Union of India, and that capturing images and videos with the consent of the victim cannot justify the subsequent misuse of such content.  The court referred to existing case law and the PDP Bill, which provide for the right to be forgotten.  Accordingly, the court recognised the right to be forgotten as a right in rem and stressed that, in the absence of legislation, victims may nevertheless seek appropriate orders to have offensive posts erased from public platforms to ensure protection of their right to privacy.

E.  Indonesia

On 24 January 2020, a draft of the Personal Data Protection Act (“PDP Bill”) was submitted to the Indonesian House of Representatives.[121]  The PDP Bill consolidates the rules related to personal data protection in Indonesia, and is anticipated to establish data sovereignty and security as the keystone of Indonesia’s data protection regime.[122]

On 1 September 2020, the Ministry of Communication and Information Technology of Indonesia (“Kominfo”) issued a statement claiming that the PDP Bill would be completed by mid-November 2020.[123]  However, it appears that the COVID-19 pandemic has led to delays in the adoption of the Bill.

Finally, on 10 March 2020, Kominfo submitted a new draft regulation on the Management of Privately Managed Electronic System Organiser (“Draft Regulation”) for approval.  The Draft Regulation is intended to serve as an implementing regulation of Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions, which, as noted in the 2020 International Outlook and Review, became effective in October 2019.

F.  Israel

On 29 November 2020, the Israeli Ministry of Justice (“MoJ”) launched a public consultation on the introduction of amendments to the Protection of Privacy Law 5741-1981.[124]  The MoJ also launched, on 23 July 2020, a public consultation on proposed amendments to privacy law database registration requirements which would reduce the scope of the obligation to register a database and amend certain definitions contained in the law.[125]

Moreover, the Privacy Protection Authority (“PPA”) published a number of reports and recommendations on a series of topics, including:

  • privacy protection in the context of epidemiological investigations,
  • security recommendations following security incidents,
  • the protection of privacy in the context of money transfers and app payments,
  • data processing and storage service providers,
  • smart transportation services,
  • digital monitoring tools for COVID-19 contact tracing,
  • GSS assistance in contact tracing,
  • recommendations in the context of the COVID-19 pandemic (e.g., remote learning, privacy for individuals entering workplaces, medical institutions privacy compliance).

Following the CJEU’s decision to annul the EU-U.S. Privacy Shield in Schrems II, the PPA issued, on 29 September 2020, a statement regarding transfers of personal information from Israel to the U.S.  In this statement, the PPA indicated that data transfers from Israel to the U.S. could no longer rely on the EU-U.S. Privacy Shield or the Transfer of Information Regulations, and that alternative exceptions provided for in Section 2 of the Regulations could only be used where applicable.  The PPA had nonetheless clarified that personal data could be transferred from Israel to EU Member States, as well as to countries which will cease to be EU Member States but will continue to apply and enforce the provisions of EU Law on the protection of personal data.[126]

On the enforcement side, in 2020 the PPA identified and investigated a number of violations, including the leak of personal data of 6.5 million Israeli voters.[127]  The PPA also offered security recommendations following the security incident at an insurance company.

G.  Japan

On 5 June 2020, the Parliament of Japan adopted a bill to amend the currently applicable general data protection law, the Act on the Protection of Personal Information (“APPI”).[128]

Under the bill, the rights of the data subjects have been expanded.  For example, if the proposed amendments to the APPI are introduced, data subjects will be entitled to request an organisation to delete their personal information, but only if certain requirements are met.  Consequently, the scope has remained narrower than the right to erasure and the right to object under the GDPR.

Regarding data retention periods, the currently applicable law provides that any data which was to be erased after six months is not considered as “retained personal data”, and therefore is not subject to data subject requests.  The Amendments will abolish this six-month rule, and data subjects will be able to exercise their data-related rights regardless of the retention period.

Under the current applicable law, organisations should “duly make an effort” to report data breaches to the Personal Information Commission (“PIC”).  In contrast, the bill will introduce a mandatory obligation to notify data breaches, obliging organisations to report data breaches to the PIC and to notify the affected data subjects if their rights and interests are infringed.  Although this requirement is similar to the corresponding provisions in the GDPR, the latter sets a strict deadline of 72 hours for notification, while the bill requires “prompt” reporting.

The amended APPI will include the concept of “pseudonymously processed information”, which similarly to the GDPR will mean personal information that cannot be used to identify an individual unless combined with other information.  Pseudonymously processed information will not be subject to some requirements, such as requests for disclosure, utilisation, or correction.  In the event of a data breach concerning pseudonymously processed information, reporting to the PIC will not be mandatory.

One of the main goals of the bill is to address the increasing risks associated with cross-border data transfers.  Under the new provisions, data subjects should be informed about the details of any data transfer to a third party located in a foreign country.  The bill has also increased the criminal penalties, such as the penalty for violating an order of the PIC (100 million yen; approx. €800,000).  However, administrative fines will not be introduced.

The bill is expected to enter into force no later than June 2022.  The new rules will bring the APPI into closer alignment with the EU’s data protection standards and strengthen Japan’s data protection regime.

H. Malaysia

On the legislative side, on 14 February 2020, a public consultation paper was released proposing amendments to the Malaysian Personal Data Protection Act 2010, which currently regulates data protection in Malaysia.[129] If adopted, the amendments would introduce significant changes to Malaysia’s data protection regime, including: the obligatory appointment of a data protection officer, mandatory breach reporting, the introduction of civil litigation against data users, the implementation of technical and organisational measures such as data portability and privacy by design, and the broadening of the Malaysian Personal Data Protection Act’s scope to data processors.  Many of the proposed amendments have been inspired by the GDPR and aim to bring the Malaysian regime closer to EU data protection standards.

On 29 May 2020, the Department of Personal Data Protection (“PDP”) released advisory guidelines on the handling of personal data by businesses under the Conditional Movement Control Order.[130]  The advisory guidelines highlight that only names, contact numbers, and the dates and times of attendance can be collected from customers, and require a clearly visible notice detailing the purpose of collection.  The PDP also advises that personal data should only be collected for informational purposes and must be permanently deleted six months after the Control Order is terminated.

I.  Singapore

As explained in the 2020 International Outlook and Review, data protection in Singapore is currently governed by the Personal Data Protection Act 2012 (“Singapore PDPA”).

The Personal Data Protection Commission (“PDPC”) conducted a review of the Singapore PDPA and, on 14 May 2020, the PDPC released a joint statement with the Ministry of Communications and Information announcing the launch of an online public consultation on a bill to amend the Singapore PDPA and the Spam Control Act 2007 (“SCA”).[131]

On the basis of this, the proposed amendments to the Singapore PDPA to address Singapore’s evolving digital economy needs, and related amendments to the SCA, were passed in Parliament on 2 November 2020.[132]  The bill introduced several notable amendments, including mandatory data breach notification requirements, enabling meaningful consent where necessary and providing consumers with greater autonomy over their personal data through the incorporation of a data portability obligation.[133] Moreover, the bill strengthened the enforcement powers of the PDPC.[134]

Subsequently, on 20 November 2020, the PDPC issued the draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill (“Draft Advisory Guidelines”).[135] The Draft Advisory Guidelines provide clarifications on key provisions in the bill, covering, inter alia, the framework for the collection, use, and disclosure of personal data, mandatory breach notification requirements, financial penalties, and offences for mishandling personal data.  The Draft Advisory Guidelines will be finalised and published when the amendments to the Singapore PDPA come into effect, i.e., upon their signing and publication in the Gazette, which is expected in early 2021.

J. South Korea

In January 2020, the National Assembly of the Republic of Korea adopted amendments (“Data 3 Act”) to the Personal Information Protection Act 2011 (“PIPA”)[136] and to other main data protection laws.  The adoption of the Data 3 Act meant the implementation of a more streamlined approach to personal data protection in South Korea.  In addition, it is expected that these legislative changes will facilitate the adequacy assessment under the GDPR and the adoption of an adequacy decision from the European Commission.

The Data 3 Act aims to extend the powers of the Personal Information Protection Commission (“PIPC”), which will be the supervisory authority for any data breaches.  Data protection issues are currently handled by several different agencies, but with the entry into force of the reforms these will now be handled exclusively by the PIPC.  In addition, the PIPC will have the competence to impose fines similar to those provided under the GDPR.

The Data 3 Act introduced to the PIPA the concept of “pseudonymised information” (i.e., personal information processed in a manner that cannot be used to identify an individual unless combined with other information).  Pseudonymised information may be processed without the consent of the data subject for purposes of statistical compilation, scientific research, and record preservation for the public interest.

Finally, it should be noted that the cross-border transfer of the personal data of Korean data subjects has remained restricted as their consent is required prior to transferring their personal data abroad.

K. Thailand

As noted in the 2020 International Outlook and Review, the Personal Data Protection Act 2019 (“Thailand PDPA”), which is the first consolidated data protection law in Thailand, was originally expected to come into full effect on 27 May 2020.  However, in May 2020, the government of Thailand approved a Royal Decree to postpone the application of the Thailand PDPA until 31 May 2021, citing the negative effects of the COVID-19 pandemic as one of the main reasons for doing so.[137]

Subsequently, on 8 June 2020, the Ministry of Digital Economy and Society (“MDES”) issued a statement on the Thailand PDPA’s postponement, noting that government agencies, and private and public institutions, were not ready for the enforcement of the legislation.[138]  This was followed by a notice published by the MDES on 17 July 2020 for data controller requirements and security measures to be implemented during the postponement period of the Thailand PDPA.[139]

Reference must be made to the fact that the Thailand PDPA is largely modelled upon the GDPR, containing many similar provisions, although they differ in areas such as anonymisation.  Moreover, the Thailand PDPA provides for the creation of the Personal Data Protection Committee (“PDPC”), which is yet to be fully established.  As such, the MDES is currently acting as the supervisory authority for any data protection–related issues within Thailand.  Once created, the PDPC is expected to adopt notices and regulations to clarify and guide data controllers and other stakeholders on how to prepare for and remain compliant with the requirements under the Thailand PDPA by 27 May 2021.

L. United Arab Emirates

On 19 November 2020, the Abu Dhabi Global Market (“ADGM”)[140] announced the issuance of a public consultation on proposed new Data Protection Regulations 2020 amending the existing Data Protection Regulations 2015.[141]  The proposed draft aims at aligning the ADGM with certain international standards, especially the GDPR,[142] and introduces, amongst other things, the following elements: definitions, the principles of accountability and transparency, the processing of special categories of data, individual rights, security obligations, and the notification of data breaches.  The proposed data protection framework is aimed to have a broad scope of application, including the processing of personal data in the context of the activities of an establishment in ADGM, regardless of whether the processing takes place in ADGM.  In a similar vein, it will apply to natural persons, whatever their nationality or place of residence, excluding cases where a data controller is only connected to ADGM because it uses a data processor located inside the ADGM.  In the latter case, the Proposed Data Protection Framework would not apply to the data controller.[143]

On 1 July 2020, the Dubai International Financial Centre (the “DIFC”) published the Data Protection Regulations, which entered into effect on the same date as the Data Protection Law No. 5 of 2020.[144]  In particular, the Regulations comprise provisions regarding the content and format to be followed by personal data processing records, activities requiring data processing notifications to the Data Protection Commissioner, conditions to transfer data outside of the DIFC, and fines.  Moreover, in September 2020, the DIFC became a fully accredited member of the Global Privacy Assembly (“GPA”).[145]

M. Other Developments in Africa

Data protection authorities in Africa have generally been monitoring compliance with data protection requirements, especially in the context of the COVID-19 pandemic.  Moreover, Nigeria and other African nations have developed a framework that aims to harmonise laws on data protection and the digital economy.[146]

Egypt: On 17 July 2020, Resolution No. 151 of 2020 (“Egypt Data Protection Law”) was approved and published in the official gazette, and within three months it came into force.[147]  The Egypt Data Protection Law governs the processing of personal data carried out electronically, in part or in full, and gives data subjects rights in relation to the processing of personal data.  The key elements that the law provides for are the following:

  • consent is the main legal basis for the processing of personal data;
  • conditions and principles for data processing must be respected;
  • the Centre for the Protection of Personal Data is the regulatory body aiming to maintain compliance with the Egypt Data Protection Law; and
  • activities covered include the processing of sensitive personal data, cross-border transfers, electronic direct marketing practices, monetary penalties and criminal sanctions for violations of the Egypt Data Protection Law itself.

Kenya:[148] The Information Technology Industry Council (“ITI”) announced, on 28 April 2020, that it had submitted comments to the Office of the U.S. Trade Representative on the U.S. and Republic of Kenya Trade Agreement negotiations.  These comments include measures that should ensure protection of personal data by taking into account best international practices for privacy and interoperability, strengthen regulatory practices in emerging technologies such as artificial intelligence and machine learning, and promote risk-based cybersecurity and vulnerability disclosure in alignment with international standards.[149]  The formal negotiations were launched in July 2020.[150]

Namibia: Namibia has not yet enacted a comprehensive data protection legislation.  On 24 February 2020, the Council of Europe organised, in coordination with Namibia’s Ministry of Information and Communication Technology, a two-day stakeholders’ consultation workshop on a draft data protection bill for Namibia.[151]  A draft of the bill is expected to be published in 2021.

Nigeria: In Nigeria, data privacy is currently protected by a comprehensive data protection regime comprising a variety of laws, regulations, and guidelines.  As underlined in a statement, issued on 27 January 2020 by the National Information Technology Development Agency (“NITDA”), the Nigeria Data Protection Regulation concerns the use, collection, storage or transfer of personal data and intends to provide a clear framework for data protection in Nigeria.  However, pursuant to the Nigerian Communications Commission, appropriate legal instruments must be put in place in order to strengthen cybersecurity.[152]

The NITDA issued, on 17 May 2020, its Guidelines for Management of Personal Data by Public Institutions in Nigeria.[153] On 20 August 2020, the NITDA had published the Draft Data Protection Bill 2020 for public comments.  The Draft Bill aims primarily to promote a code of practice that ensures the protection of personal data and its lawful, fair and transparent process in accordance with the principles set out in the Draft Bill while taking into account the legitimate interests of commercial organisations as well as government security agencies.  In addition, the Draft Bill provides for a Data Protection Commissioner, an impartial, independent and effective regulatory authority.

South Africa:[154] In 2013, the Protection of Personal Information Act (“POPIA”) was signed into law by the President of South Africa and the Information Regulator was established as the supervisory authority.  In June 2020, the President announced that certain essential remaining sections of POPIA would commence to apply on 1 July 2020 and that, following a 12-month transition period, public and private bodies would need to comply from 30 June 2021.

In addition, on 3 April 2020, the South African Regulator published a guidance note on processing personal information during the Coronavirus pandemic encouraging proactive compliance by responsible parties when processing personal information belonging to COVID-19 cases and their contacts.[155]

Togo: On 9 December 2020, the National Assembly announced that it had adopted a draft decree on the organisation and functioning of the body for the protection of personal data, the IPDCP, which will have a power of investigation and enforcement in order to support the government’s policy on personal data protection.[156]

Rwanda: A final draft of the data protection bill was approved and published on 27 October 2020 by the Office of the Prime Minister of the Republic of Rwanda.[157] The Bill includes provisions on data subject rights, general rules for data collection and processing, and procedures for data activities, such as transfers, sharing and retention.[158] Moreover, the Ministry of ICT and Innovation (MINICT) published, on 5 May 2020, COVID-19 guidelines addressing cybersecurity measures.[159]

N.  Other Developments in the Middle East

Whereas data protection was mainly provided for in sectoral regulations, privacy laws are progressively emerging across the region.

Oman: On 12 July 2020, the State Council of the Sultanate of Oman announced that it had held discussions on the draft law on the protection of personal data, which comprises in particular provisions regarding the role of the Ministry of Technology and Communications, the responsibility to protect the rights of personal data owners, and the obligations of controllers and processors, as well as the applicable sanctions.[160]  The State Council also announced on 10 September 2020 that it had discussed a draft law of a new legislation dealing with cybersecurity.  The Technology and Innovation Committee of the State Council had approved in part the content of the draft law.

Pakistan: Data protection is still governed through sectoral legislation.  However, the Ministry of Information Technology and Telecommunication (“MOITT”) finalised the draft Personal Data Protection Bill 2020 which was presented to the Cabinet of Pakistan for approval.[161]  The bill, which was introduced in April 2020, provides for the general requirements for personal data collection and processing and contains several similar provisions to those found within GDPR, but is silent regarding the right to data portability and does not require data controllers to notify data subjects of data breaches.  In addition, the MOITT adopted, on 18 November 2020, social media rules setting measures and obligations applicable to social media and internet providers in order to prevent unlawful online content and to protect national security.[162]

O.  Other Developments in Southeast Asia

Throughout 2020, developments related to the data protection and cybersecurity landscape occurred in certain other jurisdictions in the south-eastern subregion of Asia, including the following:

Cambodia: While the country does not have a general personal data protection law or a data protection authority, there have been recent legislative developments addressing relevant areas.  In particular, a draft cybercrime law is currently being prepared that would regulate Cambodia’s cyberspace and security, aiming to prevent and combat cyber-related crimes.

Philippines: On 9 March 2020, the APEC Cross-Border Privacy Rules (“CBPR”) system Joint Oversight Panel approved the Philippines’ application to join the APEC CBPR system.  As such, the Philippines becomes the ninth APEC economy to join the CBPR system.

The institutions in the Philippines have been particularly active in formulating data protection measures and statements to address issues relating to the collection and processing of data in the wake of the COVID-19 pandemic.  On 1 June 2020, the Philippines created a task force in order to drive practical responses to privacy issues emerging from the pandemic.

Vietnam: The data protection framework in Vietnam was fragmented, and relevant provisions can be found in numerous laws.  In 2020, the government of Vietnam issued Decree No. 15/2020/ND-CP, providing for regulations on penalties for administrative offences in the sectors of post, telecommunication, radio frequency, information technology, and electronic transactions, which is in effect as of 15 April 2020.  In February 2020, however, a draft personal data protection decree was released, which has already undergone public consultation.  The draft decree sets out principles of data protection, including purpose limitation, data security, data subject rights, and the regulation of cross-border data transfers.  Moreover, the draft decree contains provisions on obtaining consent of data subjects, the technical measures needed to protect personal data, and the creation of a data protection authority.

IV. Developments in Latin America and in the Caribbean Area

A.  Brazil

The biggest data protection development in Brazil in 2020 was the entry into force of Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law[163] (as amended by Law No. 13.853[164] of 8 July 2019) (“LGPD”) on 18 September 2020.  The specific enforcement provisions of the LGPD are expected to enter into force on 1 August 2021, further to an additional law passed in June 2020.

Compared to the EU’s GDPR, the LGPD shows both differences and similarities.  The definitions of “personal data” are very similar in both instruments, both having the goal of assuring a high level of protection for any “information related to an identified or identifiable natural person”.  Thus, anonymised data falls expressly out of scope in the two jurisdictions, with a caveat on the Brazilian side existing in the sense that if anonymised data is used to create or enhance the behavioural profiling of a natural person, it may also be deemed as personal data, provided that the impacted person can be identified in the process.

Both legislations apply to the processing of personal data carried out by both public and private entities, online and offline.  As for the territorial scope, the rules apply to organisations that are physically present in the EU and Brazil as well as to organisations that, although not located in those states/regions, may offer goods or services there.  When it comes to the handling of sensitive data, the LGPD sets forth a narrower list of legal grounds that can be elected to legitimise the processing of such data, such as the necessity to comply with a legal obligation, to protect the life and physical safety of the subject or a third party, for the exercise of rights in contractual or judicial proceedings and for the prevention of fraud.

The LGPD offers ten legal grounds for processing of personal data, which are comparable to the ones provided in the GDPR.  In addition, the LGPD offers four additional grounds that may authorise the processing of personal data, namely for the conduction of studies of research bodies, for the exercise of rights in judicial, administrative, and arbitral proceedings, for the protection of health in procedures conducted by health professionals and health entities, and for the protection of credit.

Both the LGPD and the GDPR expressly provide for a set of rights granted to data subjects with respect to their personal data.  Both norms recognise individuals’ right of access to their personal data, right to be informed of processing activities based on their personal data, and rights of rectification and erasure.  Although the rights prescribed in both pieces of legislation are fairly similar, it could be argued that the major element that sets the two norms apart is the timeframe for responding to data subject requests.  While on the European side organisations must generally respond to requests within one month of the receipt of a request, the LGPD is limited to a 15-day period for complying with access requests, while requests for the exercise of other rights should be responded to immediately.

The role of data protection officers (“DPOs”) is fairly similar under both legislations.  DPOs are legally tasked with acting as a point of contact between the organisation they represent, the supervisory authorities, and data subjects, as well as advising and orienting the organisation they represent with regard to its data protection obligations.  There are, however, two major differences between the Brazilian and the EU rules concerning the position of DPOs.  The first one is that the GDPR expressly specifies instances where an organisation is required to appoint a DPO, while the LGPD makes no such limitation, thus obliging virtually every organisation subject to its scope to appoint one.  The second difference is that, while the GDPR establishes the need for DPOs to be independent within the organisational structure of their organisations and also to be provided with monetary and human resources to fulfil their tasks, the LGPD does not provide such express guidance.

A significant difference between the two instruments is their enforcement.  The legal structure of the Brazilian supervisory authority lacks some traits of independence and autonomy when compared to the structure provided for under the GDPR.  However, the LGPD has introduced a number of sanctions that can be imposed by the ANPD, such as public disclosure of a violation, erasure of personal data relating to a violation, and even a temporary suspension of data processing activities.  The entry into force of the provisions of the LGPD governing administrative sanctions has been deferred to 1 August 2021.

On 23 September 2020, Bill 4695/2020,[165] seeking to protect the personal information of students when using distance learning platforms, was introduced.  The bill would require distance learning platforms to follow data processing requirements provided by the LGPD and to, whenever possible, use the technology without collecting and sharing personal and sensitive data, revealing racial origin, religious or political beliefs, or genetics of the users.  Furthermore, the bill requires that processing of personal data can only take place when prior and express consent has been obtained.

Finally, on 18 December 2020, the National Telecommunications Agency (“Anatel”) approved the Cybersecurity Regulation[166] applied to the telecommunications sector.  The regulation is intended to promote cybersecurity in telecommunications networks and services and support ongoing supervision of the market, infrastructures, and the adoption of proportional corrective measures.  Moreover, the regulation imposes an obligation on telecommunication providers to develop, maintain and implement a detailed cybersecurity policy, which must include, inter alia, national and international norms, best practices, risk mapping, incident response time and sharing and sending information to Anatel.  The regulation came into force on 4 January 2021.

B. Other Developments in South America

1.  Argentina

On 28 January 2020, the Argentinian data protection authority (“AAIP”) issued a resolution[167] against a telecommunication company for violations of Law No. 26.951 (“DNC Law”).[168]  In particular, the AAIP issued a fine of ARS 3,000,000 (approx. €45,000) for 248 charges relating to violations of Article 7 of the DNC Law, which provides that those who advertise, offer, sell or give away goods or services by means of telephone communications may not address any individual who is registered in the “Do Not Call” registry.

On 6 June 2020, the AAIP imposed a fine[169] of ARS 280,000 (approx. €3,770) against a tech company for violations of the Personal Data Protection Act No. 25.326 of 2000.  In particular, the AAIP found that the company did not allow a user to access their personal data in their email account and related applications after changes to their passwords were made by an unauthorised third party.

2.  Chile

On 1 June 2020, the Chilean Transparency Council (“CPLT”) announced that an audit of 12,000 purchase orders made by 86 organisations in the health sector had revealed some disclosures of sensitive personal data of patients without their express consent.[170]  Moreover, the CPLT highlighted that in some cases the data had even been made public through online platforms.  To remedy that, the CPLT has offered technical support to the Chilean Ministry of Health.[171]

3.  Colombia

On 26 November 2020, the Colombian data protection authority (“SIC”) announced that it had issued an order[172] requiring a videoconference service provider (with no physical presence in Colombia) to implement new measures guaranteeing the security of personal data of its users in Colombia.  SIC emphasised that the measures should be effective and meet the standards of data security required under the Colombian Data Protection Law, and required the company to provide a certificate issued by an independent data security expert.  SIC’s order raises a significant jurisdictional question, since the Colombian Data Protection Law does not apply to processing that occurs outside of Colombia (and there was no allegation that any processing in violation of the Law occurred in Colombia).[172a]

Through 2020, SIC also imposed a number of fines on various companies for non-compliance with data protection rules.  Some of the biggest and most notorious fines were imposed on a health company[173] and on financial institutions.[174]

4.  Mexico

Since the beginning of the COVID-19 pandemic, the Mexican data protection authority, the National Institute of Transparency, Access to Information and Data Protection (“INAI”), has undertaken a series of actions to inform the general public on how to protect their personal data and to provide guidelines for data controllers on how to process personal and sensitive personal data.

Among these actions, it became imperative to remind health-related data controllers (public and private hospitals) of their legal obligations under the Mexican data protection laws when processing personal data of patients diagnosed with COVID-19.  This was especially the case because Mexican data protection laws consider health-related data to be sensitive and thus require stronger security measures.

One of the first actions by the Mexican data protection authority was the launch, on 29 March 2020, of a COVID-19 microsite[175] dedicated specifically to providing useful information and guidelines to protect personal data and provide transparency during the pandemic.  This microsite has been a useful tool for both data subjects and data controllers to handle personal data processed as a result of the COVID-19 pandemic.

On 2 April 2020, the INAI released a statement calling for the adoption of extreme precautions with regard to personal data of COVID-19 patients.[176]  Medical personnel handling such data must use strict administrative, physical and technical safeguards to avoid any loss, destruction or improper use.  The INAI also recommended that only the minimum necessary personal data be collected, and only for purposes of preventing and containing the spread of the virus.  This communication also speaks of the responsibility that all data processors bear when handling personal data.

As the pandemic grew, on 13 July 2020, the INAI expressed its concerns about the deficiencies of the health sector in the processing of personal data of COVID-19 patients.  Francisco Javier Acuña Llamas, the then President Commissioner of INAI, noted that databases containing data of COVID-19 patients must be kept for a specific period of time and not indefinitely.  He stated that all transfers of sensitive personal data should comply with the specific requirements of the Mexican data protection laws.  He also recognised that the Global Privacy Assembly, to be held in Mexico in 2021, should have at its core a discussion of the impact of the pandemic.[177]

The pandemic brought a series of events that had not regularly been taken into consideration; in particular, many companies allowed their employees to work from home.  Because of this development, on 8 April 2020, the INAI issued recommendations for the protection of personal data in a home office environment.  These guidelines highlighted the need to implement security measures that included only using computer equipment provided by the employer, not using public connections, using only official communication sites to share information, and using passwords on all equipment used at home for work-related activities.[178]

In Mexico this brought legislative changes to the Federal Labor Law,[179] which now establishes how work from home is to be regulated.  These modifications to the law establish both employers’ and employees’ obligations when working from home.  This goes to show how, due to the COVID-19 pandemic, a new normality is underway and will be here to stay.

This pandemic is far from over and it poses a challenge not only to the processing of sensitive personal data, but also to the implementation of health check points in every public space or while working from home.  It has changed the way organisations protect their information from any loss or improper access, putting cybersecurity at the forefront for any organisation.  It has changed the way organisations interact with clients and how products or services are purchased, turning ever more to online commerce.  This will bring challenges not only regarding companies’ operations, but also regarding how companies collect and process data subjects’ information.

5.  Uruguay

On 21 February 2020, the Council of Ministers adopted Decree No. 64/020 on the Regulation of Articles 37-40 of Law No. 19.670 of 15 October 2018 and Article 12 of Law No. 18.331 of 8 November 2008.[180]

The Decree regulates new personal data protection obligations with major changes, including requiring all database owners and data controllers to report security incidents involving personal data to the Uruguayan data protection authority within a maximum of 72 hours.  Reports must contain relevant information relating to the security incident, including the actual or estimated date of the breach, the nature of the personal data affected and possible impacts of the breach.

The Decree establishes the obligation to assess the impact of a breach when data processing involves specially protected data, large volumes of personal data (i.e., data of over 35,000 persons) and international data transfers to countries not offering an adequate level of protection.  The Decree obliges public entities, and private entities that focus on the processing of sensitive personal data or of large volumes of data, to appoint a data protection officer.


[10]  See, e.g., https://www.enisa.europa.eu/news/executive-news/top-tips-for-cybersecurity-when-working-remotely.  On 15 March 2020, the Director of the ENISA shared some views on teleworking conditions during COVID-19.  The Director recommended that individuals work with a secure Wi-Fi connection and have up-to-date security software, regularly update their anti-virus systems and make periodic backups.  Employers should also provide regular feedback to their employees on the procedures to follow in case of problems.

[51]  The adequacy decisions adopted by the European Commission currently cover Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland and Uruguay.

[53]  See Schedule 21 of the Data Protection Act 2018, as enacted by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

[59] The statistics (in Russian) are available at https://rkn.gov.ru/news/rsoc/news71528.htm.

[60] Press release (in Russian) available at https://rkn.gov.ru/news/rsoc/news71612.htm.  For more information in English see https://www.reuters.com/article/us-russia-protonmail-idUSKBN1ZS1K8.

[61] Press release (in Russian) available at https://rkn.gov.ru/news/rsoc/news72026.htm.

[62] Press release (in Russian) available at https://rkn.gov.ru/news/rsoc/news73050.htm.  For more information (in English) see https://www.ft.com/content/b1e76905-29f2-4ac0-99e0-7af07cef280d.  For more information see the 2020 Privacy and Cybersecurity International Review and Outlook.

[70] The Russian laws define the notion of illegal content broadly.  Inter alia, illegal content is materials containing public calls for terrorist activities or publicly justifying terrorism, other extremist materials, as well as materials promoting pornography, the cult of violence and cruelty, and materials containing obscene language.

[72] See Revised FADP, Article 3.

[73] See Revised FADP, Article 5(a).

[74] See Revised FADP, Article 5(c).

[75] See Revised FADP, Article 5(f).

[76] See Revised FADP, Article 5(j) and (k).

[77] See Revised FADP, Article 7.

[78] See Revised FADP, Article 9(3).

[79] See Revised FADP, Article 12.

[80] See Revised FADP, Article 14.

[81] See Revised FADP, Article 19.

[82] See Revised FADP, Article 21.

[83] See Revised FADP, Article 22.

[84] See Revised FADP, Article 24.

[85] See Revised FADP, Article 28.

[86] See Revised FADP, Articles 60-63.

[88] Judgment of the Court of 16 July 2020 in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=rst&part=1&cid=9791227.

[93] Full decision (in Turkish) available at https://kvkk.gov.tr/Icerik/6776/2020-481.

[97] Full text of the Decision (in Turkish) available at https://kvkk.gov.tr/Icerik/6733/2020-103.

[98] Full text of the Decision (in Turkish) available at https://kvkk.gov.tr/Icerik/6790/2020-559.

[99] Full text of the Decision (in Turkish) available at https://www.kvkk.gov.tr/Icerik/6763/2020-286.

[100] Full text of the Decision (in Turkish) available at https://www.kvkk.gov.tr/Icerik/6739/2020-173.

[102] See Article 62 of the Draft PIPL.

[103] See Article 42 of the Draft PIPL.

[105] See Article 29 of the Draft PIPL.

[107] For the draft data protection legislation presented to the Ministry of Electronics and Information Technology on 27 July 2018 by the committee of experts led by Justice Srikrishna, see https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.

[108] Report on Non-Personal Data Governance Framework available at https://static.mygov.in/rest/s3fs-public/mygov_159453381955063671.pdf

[109] See “Data Empowerment and Protection Architecture: A Secure Consent-Based Data Sharing Framework to Accelerate Financial Inclusion – Draft for Discussion” (August 2020), available at https://niti.gov.in/sites/default/files/2020-09/DEPA-Book_0.pdf.

[110] See the National Health Data Management Policy, available at https://ndhm.gov.in/assets/uploads/NDHM%20Health%20Data%20anagement%20Policy.pdf.

[111] See DSCI, “Work from Home – Best Practices” (18 March 2020), available at https://www.dsci.in/sites/default/files/DSCI-WorkfromHomeAdvisory-1.pdf.

[112] See DSCI, “COVID-19: Data Privacy Outlook” (24 April 2020), available at https://www.dsci.in/sites/default/files/DSCI_COVID19_Data_Privacy_Outlook.pdf.

[113] See also DSCI, “Business Resiliency and Security During COVID-19” (24 May 2020), available at https://www.dsci.in/sites/default/files/Business-Resiliency-and-Security.pdf.

[114] See DSCI, “Report on Data Transfers” (8 September 2020), available at https://www.dsci.in/sites/default/files/documents/resource_centre/DSCI-CIPL-Accountable-Data-Transfer-Report.pdf.

[116] See “India bans 43 more mobile apps as it takes on China” Reuters (25 November 2020), available at https://uk.reuters.com/article/uk-india-china-apps/india-bans-43-more-mobile-apps-as-it-takes-on-china-idUKKBN2841QI.

[117] The press release and a list of the apps that were blocked are available at https://pib.gov.in/PressReleasePage.aspx?PRID=1635206#.XvoIE9L3Qpw.whatsapp.

[118] The press release and a list of the apps that were blocked are available at https://pib.gov.in/PressReleasePage.aspx?PRID=1650669.

[119] The press release and a list of the apps that were blocked are available at https://www.pib.gov.in/PressReleasePage.aspx?PRID=1675335.

[120] Case BLAPL/4592/2020 Subhranshu Rout @ Gugul v State of Odisha available at https://www.medianama.com/wp-content/uploads/display_pdf.pdf.

[126] See “Opinion regarding cross-border transfers of personal data, from Israeli based organisations to organisations based in countries complying with the data protection legislation of the EU” (1 July 2020), available at https://www.gov.il/en/Departments/publications/reports/personaldata_the_european_union.

[127] See “Personal data of all 6.5 million Israeli voters is exposed” (10 February 2020), available at https://www.nytimes.com/2020/02/10/world/middleeast/israeli-voters-leak.html.  Press release, “Data Breach at Shirbit” (1 December 2020), available at https://www.gov.il/en/departments/news/news_shirbit.

[129] Department of Personal Data Protection, “Public Consultation Paper No. 10/2020 – Review of Personal Data Protection Act 2010 (Act 709)” (14 February 2020), available at https://www.pdp.gov.my/jpdpv2/assets/2020/02/Public-Consultation-Paper-on-Review-of-Act-709_V4.pdf.  See also a press release of 26 August 2020, where the Malaysian government announces the continued discussions on amending the Personal Data Protection Act 2010 (in Malay), available at https://www.kkmm.gov.my/awam/berita-terkini/17616-bernama-26-ogos-2020-kerajaan-masih-bincang-keperluan-pinda-akta-perlindungan-data-peribadi.

[130] Advisory guidelines (in Malay) available at https://www.kkmm.gov.my/images/AdHoc/200529-ADVISORY.pdf.

[131] See “MCI and PDPC launch online public consultation on Personal Data Protection (Amendment) Bill 2020”, Press Release (14 May 2020), available at https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/5/MCI-and-PDPC-launch-online-public-consultation-on–Personal-Data%20Protection-Amendment-Bill-2020; “Public Consultation on the Draft Personal Data Protection (Amendment) Bill” (28 May 2020), available at https://www.mci.gov.sg/public-consultations/public-consultation-items/public-consultation-on-the-draft-personal-data-protection-amendment-bill.

[132] See Bill No. 37/2020 Personal Data Protection (Amendment) Bill, available at https://www.parliament.gov.sg/docs/default-source/default-document-library/personal-data-protection-(amendment)-bill-37-2020.pdf; Ministry of Communications and Information, “Amendments to the Personal Data Protection Act and Spam Control Act Passed”, Press Release (2 November 2020), available at https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/amendments-to-the-personal-data-protection-act-and-spam-control-act-passed.

[133] See “Opening Speech by Mr S Iswaran, Minister for Communications and Information, at the Second Reading of the Personal Data Protection (Amendment) Bill 2020 on 2 November 2020” (2 November 2020), available at https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/opening-speech-by-minister-iswaran-at-the-second-reading-of-pdp-(amendment)-bill-2020.

[134] See “Amendments to the Personal Data Protection Act and Spam Control Act Passed”, Press Release (2 November 2020), available at https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/amendments-to-the-personal-data-protection-act-and-spam-control-act-passed.

[135] See PDPC, “Draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill” (20 November 2020), available at https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Draft-AG-on-Key-Provisions/Draft-Advisory-Guidelines-on-Key-Provisions-of-the-PDP-(Amendment)-Bill-(20-Nov-2020).pdf?la=en.

[140] The ADGM is a financial free zone within the UAE.

[141] See “Abu Dhabi Global Market Launches Public Consultation on New Data Protection Regulatory Framework” by Natasha G. Kohne, Jenny Arlington, Sahar Abas & Mazen Baddar, GDPR, International Privacy (7 December 2020), available at https://www.akingump.com/en/experience/practices/cybersecurity-privacy-and-data-protection/ag-data-dive/abu-dhabi-global-market-launches-public-consultation-on-new-data-protection-regulatory-framework.html.

[142] See “ADGM commences Public Consultation on proposed new Data Protection Regulations” (19 November 2020), available at https://www.adgm.com/media/announcements/adgm-commences-public-consultation-on-proposed-new-data-protection-regulations.

[143] This explanation is taken from Data Guidance – AGDM.

[144] See Data Protection Regulations, available at https://www.difc.ae/files/9315/9358/7756/Data_Protection_Regulations_2020.pdf and Data Protection Law No. 5 of 2020, available at https://www.difc.ae/files/6215/9056/5113/Data_Protection_Law_DIFC_Law_No._5_of_2020.pdf.

[145] For the full list of accredited GPA members, see https://globalprivacyassembly.org/participation-in-the-assembly/list-of-accredited-members/.

[146] See “Africa to harmonise laws for data protection, digital economy” by Gloria Nwafor, Guardian (8 October 2020), https://guardian.ng/appointments/africa-to-harmonise-laws-for-data-protection-digital-economy/?_sm_au_=iVV7MH8JqKDPF0RFFcVTvKQkcK8MG.

[147] See “Sisi endorses law on personal data protection”, Egypt Today (18 July 2020), available at https://www.egypttoday.com/Article/1/89794/Sisi-endorses-law-on-personal-data-protection.

[148] Kenya’s high court ruled that the country’s new digital ID scheme could continue with some conditions and stronger regulations.  The court banned the collection of DNA and geolocation data.  See “Court orders safeguards for Kenyan digital IDs, bans DNA collecting”, by Humphrey Malalo, Omar Mohammed (31 January 2020), available at https://www.reuters.com/article/us-kenya-rights/court-orders-safeguards-for-kenyan-digital-ids-bans-dna-collecting-idUSKBN1ZU23D.

[149] See “ITI Comments on the U.S.-Kenya Trade Agreement Negotiation” (27 April 2020), https://www.itic.org/policy/ITIUS-KenyaFTAComments_27APR2020_FINAL.pdf and “ITI: U.S.-Kenya Trade Agreement Can Set New Global Benchmark for Digital Trade” (28 April 2020), available at https://www.itic.org/news-events/news-releases/iti-u-s-kenya-trade-agreement-can-set-new-global-benchmark-for-digital-trade.

[150] See “Joint Statement Between the United States and Kenya on the Launch of Negotiations Towards a Free Trade Agreement” (7 August 2020), available at https://ustr.gov/node/10204.

[152] See “Pantami Reiterates FG’s Commitment to Strengthening Cybersecurity” (14 April 2020), available at https://www.ncc.gov.ng/media-centre/news-headlines/783-pantami-reiterates-fg-s-commitment-to-strengthening-cybersecurity.

[154] See “Annual Report for the 2019/2020 Financial Year”, available at https://www.justice.gov.za/inforeg/docs/anr/ANR-2019-2020-InformantionRegulatorSA.pdf and “South Africa must implement privacy laws to protect citizens, says UN expert” (12 March 2020), available at https://mg.co.za/article/2020-03-12-south-africa-must-implement-privacy-laws-to-protect-citizens-says-un-expert/.  Moreover, two significant incidents were reported: Experian South Africa announced a data incident affecting 24 million South Africans and 793,749 businesses, see “Experian South Africa curtails data incident” (19 August 2020), available at https://www.experian.co.za/content/dam/marketing/emea/soafrica/za/assets/experian-south-africa-statement-19082020.pdf.  Nedbank announced a data incident concerning 1.7 million clients, see “Nedbank warns clients of potential impact of data incident at Computer Facilities (Pty) Ltd”, https://www.nedbank.co.za/content/nedbank/desktop/gt/en/info/campaigns/nedbank-warns-clients.html.

[155] See “Guidance Note on the Processing of Personal Information in the Management and Containment of COVID-19 Pandemic in terms of the Protection of Personal Information Act 4 of 2013 (POPIA),” available at https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-PPI-Covid19-20200403.pdf and Press Release (3 April 2020), available at https://www.justice.gov.za/inforeg/docs/ms-20200403-GuidanceNote-PPI-Covid19.pdf.

[156] See “Conseil des ministres: un projet de décret sur la protection des données à caractère personnel adopté” (9 December 2020), available at https://presidence.gouv.tg/2020/12/09/conseil-des-ministres-un-projet-de-decret-sur-la-protection-des-donnees-a-caractere-personnel-adopte/.

[159] See Cybersecurity Regulation n˚ 010/r/cr-csi/rura/020 of 29/05/2020, available at https://rura.rw/fileadmin/Documents/ICT/Laws/Cybersecurity_Regulation_in_Rwanda.pdf.

[160] See “Oman: Latest developments in data protection and cybersecurity,” Alice Gravenor, PWC-Middle East (19 November 2020), available at https://www.pwc.com/m1/en/media-centre/articles/oman-latest-developments-data-protection-cybersecurity.html.

[161] See Draft Personal Data Protection Bill (9 April 2020), available at https://moitt.gov.pk/SiteImage/Misc/files/Personal%20Data%20Protection%20Bill%202020%20Updated(1).pdf.

[162] See social media rules adopted (6 October 2020), available at https://moitt.gov.pk/SiteImage/Misc/files/Corrected%20Version%20of%20Rules.pdf.

[173] The imposed fine was of COP 894,365,280 (approx. €214,524), after confirming the violation of the personal data of a data subject whose data was being processed by EPS.  Full Resolution available at https://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/1%20Apelacio%CC%81n%2018-179365%20%20EPS%20SANITAS%20VP%20F%20(1)%20(1).pdf.

[174] For the first bank, the imposed fine was of COP 702,000,000 (approx. €171,400) for including information that was not of a financial or credit nature in the credit history of 288,753 Colombians.  Full Resolution available at https://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/SANCIO%CC%81N%20CIFIN.pdf; for the second bank, the imposed fine was of COP 269,046,492 (approx. €60,030) for violating a data subject’s right to deletion.  Full Resolution of SIC available at https://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/19-141889%20VP.pdf; for the third bank, the imposed fine was of COP 356,070,000 (approx. €80,910) for violations of Law 1581 of 2012 and Decree 4886 of 2011.  Full decision of SIC available at https://www.sic.gov.co/sites/default/files/files/Noticias/2019/RE10720-2020(1).pdf.

[179] Mexico’s Official Gazette publication of January 11, 2021 that modifies section XII Bis of the Federal Labor Law, available at http://dof.gob.mx/nota_detalle.php?codigo=5609683&fecha=11/01/2021.

[180] Decree (in Spanish) available at https://www.impo.com.uy/bases/decretos/64-2020.


The following Gibson Dunn lawyers assisted in the preparation of this article: Ahmed Baladi, Alexander Southwell, Alejandro Guerrero, Vera Lukic and Clémence Pugnet.

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Social unrest, political upheaval, and economic instability and retrenchment defined the first year of the new decade, all against the backdrop of the COVID-19 pandemic. In emerging markets, these issues impacted efforts to rein in endemic corruption, as illustrated by headline-grabbing scandals, legislative changes, and enforcement actions. In China, for example, Chinese regulators began training their sights on corruption in key sectors, such as the pharmaceutical industry. In India, COVID-19 and the impact of recent legislative changes may be causing a reduction in local enforcement actions, even as massive corruption scandals continue and Indian citizens increasingly report that bribery and corruption are part of daily life. In Russia, the latest statistics show that law enforcement continues to focus on corruption as the country grapples with far-reaching amendments to the Constitution, severe economic losses and the spread of COVID-19. In Africa, high-profile cases involving corruption in both the public and private sector will keep regulatory focus on the continent for the foreseeable future. And in Latin America, after years of substantial anti-corruption activism resulting in sweeping legal reforms in many key markets, anti-corruption initiatives have largely stalled in the last year.

Join our team of experienced international anti-corruption attorneys to learn more about how to do business in Russia, Latin America, China, India and Africa without running afoul of anti-corruption laws, including the Foreign Corrupt Practices Act (“FCPA”).

Topics to be Discussed:

  • An overview of FCPA enforcement statistics and trends for 2020;
  • The corruption landscape in key emerging markets, including recent headlines and scandals;
  • Lessons learned from local anti-corruption enforcement in Latin America, China, India, Africa and Russia;
  • Key anti-corruption legislative changes in Latin America, China, India, Africa, and Russia;
  • The effect of COVID-19 on corruption and anti-corruption efforts; and
  • Mitigation strategies for businesses operating in high-risk markets.

PANELISTS:

F. Joseph Warin is Co-Chair of Gibson Dunn’s global White Collar Defense and Investigations Practice Group, and he is chair of the Washington, D.C. office’s 200-person Litigation Department. Mr. Warin is ranked annually in the top-tier by Chambers USA, Chambers Global, and Chambers Latin America for his FCPA, fraud and corporate investigations experience. Mr. Warin has handled cases and investigations in more than 40 states and dozens of countries involving federal regulatory inquiries, criminal investigations and cross-border inquiries by international enforcers, including UK’s SFO and FCA, and government regulators in Germany, Switzerland, Hong Kong, and the Middle East. He has served as a compliance monitor or counsel to the compliance monitor in three separate FCPA monitorships, pursuant to settlements with the SEC and DOJ.

Kelly Austin is Partner-in-Charge of Gibson Dunn’s Hong Kong office and a member of the firm’s Executive Committee. Ms. Austin is ranked top-tier in the category “Corporate Investigations/Anti-Corruption: China” year after year by Chambers Asia Pacific and Chambers Global. Ms. Austin’s practice focuses on government investigations, regulatory compliance and international disputes. She has extensive expertise in government and corporate internal investigations, including those involving the FCPA and other anti-corruption laws, and anti-money laundering, securities, and trade control laws.

Joel Cohen is Co-Chair of Gibson Dunn’s global White Collar Defense and Investigations Practice Group. Mr. Cohen is highly-rated in Chambers and ranked a “Super Lawyer” in Criminal Litigation by Global Investigations Review. He has been lead or co-lead counsel in 24 civil and criminal trials in federal and state courts, and he is equally comfortable in leading confidential investigations, managing crises or advocating in court proceedings. Mr. Cohen’s experience includes all aspects of FCPA/anticorruption issues, in addition to financial institution litigation and other international disputes and discovery.

Benno Schwarz is a partner in the Munich office, where his practice focuses on white collar defense and compliance investigations. Mr. Schwarz is ranked as a leading lawyer for Germany in White Collar Investigations/Compliance by Chambers Europe 2020 and commenters have noted his “special expertise on compliance matters related to the USA and Russia”. For more than 25 years, Mr. Schwarz has advised companies on sensitive cases and investigations in the context of all compliance issues with international aspects, such as the implementation of German or international laws to prevent and avoid corruption, money laundering or avoiding economic sanctions in the corporate context. Especially noteworthy is Mr. Schwarz’ experience advising companies in connection with FCPA and NYDFS monitorships or similar monitor functions under U.S. legal regimes.

Patrick Stokes is a litigation partner in the Washington, D.C. office, where his practice focuses on internal corporate investigations and enforcement actions regarding corruption, securities fraud, and financial institutions fraud. Mr. Stokes is ranked nationally and globally by Chambers USA and Chambers Global as a leading attorney in FCPA. Prior to joining the firm, Mr. Stokes headed the DOJ’s FCPA Unit, managing the FCPA enforcement program and all criminal FCPA matters throughout the United States covering every significant business sector. Previously, he served as Co-Chief of the DOJ’s Securities and Financial Fraud Unit.

Oliver Welch is a partner in the Hong Kong office, where he represents clients throughout the Asia Pacific region in connection with government enforcement actions and corporate internal investigations, including those involving anti-corruption, anti-money laundering, and trade control laws. Mr. Welch also regularly guides companies on creating, implementing and maintaining effective compliance programs.


MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 2.0 credit hours, of which 2.0 credit hours may be applied toward the areas of professional practice requirement.

This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 2.0 hours.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

The COVID-19 pandemic has had a seismic impact on virtually all aspects of commerce, law, and life, and enforcement of the U.S. Foreign Corrupt Practices Act (“FCPA”) is no exception. Indeed, the inherently cross-border nature of the FCPA renders it perhaps particularly susceptible to impacts—from interviews of witnesses located in foreign countries, to collecting documents from employees working from home, to remote presentations to government agencies, everything is more challenging in this environment.

But if one thing is clear from our practice, it is that the commitment of the U.S. Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) to enforcing the FCPA has not waned. The relative numbers of FCPA enforcement actions are down—10 in the first half of 2020 versus more than twice that at this point a year ago—but we know from our own inventory of investigations and the broader enforcement landscape that DOJ, the SEC, and other global enforcers remain active and are continuing to adapt to the circumstances. From the largest coordinated foreign bribery settlement of all time, to the Second Edition of the joint DOJ/SEC FCPA Resource Guide, to updated compliance program guidance from DOJ, to a Supreme Court decision on the SEC’s authority to seek disgorgement, the first half of 2020 in FCPA enforcement provides much still to discuss.

This client update provides an overview of the FCPA as well as domestic and international anti-corruption enforcement, litigation, and policy developments from the first half of 2020.

FCPA OVERVIEW

The FCPA’s anti-bribery provisions make it illegal to corruptly offer or provide money or anything else of value to officials of foreign governments, foreign political parties, or public international organizations with the intent to obtain or retain business.  These provisions apply to “issuers,” “domestic concerns,” and those acting on behalf of issuers and domestic concerns, as well as to “any person” who acts while in the territory of the United States.  The term “issuer” covers any business entity that is registered under 15 U.S.C. § 78l or that is required to file reports under 15 U.S.C. § 78o(d).  In this context, foreign issuers whose American Depository Receipts (“ADRs”) or American Depository Shares (“ADSs”) are listed on a U.S. exchange are “issuers” for purposes of the FCPA.  The term “domestic concern” is even broader and includes any U.S. citizen, national, or resident, as well as any business entity that is organized under the laws of a U.S. state or that has its principal place of business in the United States.

In addition to the anti-bribery provisions, the FCPA also has “accounting provisions” that apply to issuers and those acting on their behalf.  First, there is the books-and-records provision, which requires issuers to make and keep accurate books, records, and accounts that, in reasonable detail, accurately and fairly reflect the issuer’s transactions and disposition of assets.  Second, the FCPA’s internal controls provision requires that issuers devise and maintain reasonable internal accounting controls aimed at preventing and detecting FCPA violations.  Prosecutors and regulators frequently invoke these latter two sections when they cannot establish the elements for an anti-bribery prosecution or as a mechanism for compromise in settlement negotiations.  Because there is no requirement that a false record or deficient control be linked to an improper payment, even a payment that does not constitute a violation of the anti-bribery provisions can lead to prosecution under the accounting provisions if inaccurately recorded or attributable to an internal controls deficiency.

Foreign corruption also may implicate other U.S. criminal laws. Increasingly, prosecutors from the FCPA Unit of DOJ have been charging non-FCPA crimes such as money laundering, mail and wire fraud, Travel Act violations, tax violations, and even false statements, in addition to or instead of FCPA charges. Perhaps most prevalent amongst these “FCPA-related” charges is money laundering—a generic term used as shorthand for several statutory provisions that together criminalize the concealment or transfer of proceeds from certain “specified unlawful activities,” including corruption under the laws of foreign nations, through the U.S. banking system. Although this has not always been the case, DOJ now frequently deploys the money laundering statutes to charge “foreign officials” who are not themselves subject to the FCPA. It is increasingly commonplace for DOJ to charge the alleged provider of a corrupt payment under the FCPA and the alleged recipient with money laundering violations.

The below table and graph detail the number of FCPA enforcement actions initiated by DOJ and the SEC, the statute’s dual enforcers, during the past 10 years.

Number of FCPA Enforcement Actions Per Year*

| Year | DOJ | SEC |
|---|---|---|
| 2011 | 23 | 25 |
| 2012 | 11 | 12 |
| 2013 | 19 | 8 |
| 2014 | 17 | 9 |
| 2015 | 10 | 10 |
| 2016 | 21 | 32 |
| 2017 | 29 | 10 |
| 2018 | 22 | 17 |
| 2019 | 35 | 19 |
| 2020 (thru Jun 30) | 6 | 4 |

* As of June 30, 2020

While the COVID-19 pandemic may contribute to 2020 being a statistically anomalous year—at least within the context of the modern era of FCPA enforcement—as we have noted for several years now, increasingly “FCPA-only” enforcement statistics do not tell the whole story in international anti-corruption enforcement by U.S. prosecutors and regulators. As can be seen from the below table and graph, which include non-FCPA charges brought by DOJ’s FCPA Unit in international corruption investigations, over the last two-and-a-half years the FCPA Unit has brought nearly as many cases under related statutes, such as money laundering, as it has under the FCPA. The 10 FCPA-related enforcement actions thus far in 2020 exceed DOJ’s FCPA total for the year and continue what is now a years-long trend of substantial extra-FCPA enforcement by DOJ that shows no signs of letting up.

| Year | DOJ | SEC |
|---|---|---|
| 2011 | 24 | 25 |
| 2012 | 12 | 12 |
| 2013 | 21 | 8 |
| 2014 | 19 | 9 |
| 2015 | 12 | 10 |
| 2016 | 27 | 32 |
| 2017 | 36 | 10 |
| 2018 | 48 | 17 |
| 2019 | 54 | 19 |
| 2020 (thru Jun 30) | 16 | 4 |

* As of June 30, 2020

Corporate Enforcement Actions

There were four corporate FCPA enforcement events in the first half of 2020, not including an early July action involving Alexion Pharmaceuticals, Inc. that will be covered in our 2020 Year-End FCPA Update.

Airbus SE

Beginning the year in corporate anti-corruption enforcement in a big way, on January 31, 2020 French-headquartered airplane manufacturer Airbus reached a multi-billion-dollar coordinated resolution with authorities in France, the United Kingdom, and the United States. The combined allegations pertain to alleged improper payments to government officials in more than a dozen countries between at least 2008 and 2015, as well as export controls-related charges in the United States. With combined penalties of more than $3.9 billion, more than $3.67 billion of which relates to the anti-corruption matters, this resolution now stands as the largest foreign bribery settlement of all time.

On the U.S. front, Airbus entered into a deferred prosecution agreement with DOJ alleging conspiracy to violate the FCPA’s anti-bribery provisions as well as conspiracy to violate the Arms Export Control Act and the International Traffic in Arms Regulations (“ITAR”). With respect to the FCPA conduct, Airbus allegedly made payments to a Chinese business partner knowing that all or part of those funds would be used to bribe Chinese officials, while on the ITAR side the company allegedly made false reports to the U.S. government to facilitate the sale or export of defense articles and services. Airbus is not a U.S. issuer, so jurisdiction for the FCPA charge was premised on employees and agents allegedly having sent emails while in the United States and participating in and providing luxury travel to the United States for foreign government officials. The FCPA-related penalty was $2.09 billion, although the vast majority of that was credited against payments to foreign regulators and ultimately Airbus agreed to pay $294.5 million for the FCPA-related conduct and $232.7 million for the ITAR-related conduct, for a total of $527.2 million to U.S. authorities.

As imposed, the larger financial penalties came from the French Parquet National Financier (“PNF”) and the UK Serious Fraud Office (“SFO”), which each entered into their own deferred prosecution agreements with Airbus. Specifically, the PNF imposed a USD-equivalent penalty of $2.29 billion for alleged improper payments in China, Colombia, Nepal, Russia, Saudi Arabia, South Korea, Taiwan, and the United Arab Emirates, while the SFO imposed a USD-equivalent penalty of $1.09 billion (made up of disgorgement, a fine, and the SFO’s costs) for alleged improper payments in Ghana, Indonesia, Malaysia, Sri Lanka, and Taiwan.

The majority of the alleged conduct appears to have involved Airbus’s former Strategy and Marketing Department, a 150-person division devoted to engagement with business partners to obtain and manage business. As a significant remediation effort, in October 2014, Airbus disbanded this group and froze all payments to business partners worldwide until confirmatory due diligence could be performed on the purpose for the payments. Each of the regulators noted Airbus’s substantial cooperation with the investigation and remediation, and it is notable that no compliance monitor will be imposed for the anti-corruption related conduct, although that may well be due to the fact that the French Agence Française Anticorruption (“AFA”) will be conducting anti-corruption audits over the next three years.

Cardinal Health, Inc.

On February 28, 2020, the SEC announced an FCPA accounting provision resolution with Cardinal Health related to the allegedly improper use of marketing funds in China. According to the SEC, Cardinal Health’s former Chinese subsidiary served as the exclusive distributor for and administered marketing accounts on behalf of a European dermocosmetic (skin care) company, formally employing the European company’s workforce through administrative HR agreements but without directly supervising or applying all of Cardinal Health’s internal controls to those employees. The European company representatives, on the payroll of Cardinal Health, allegedly directed some of the marketing funds to promote the company’s products to Chinese healthcare professionals and employees of Chinese state-owned retail entities.

Without admitting or denying the allegations, Cardinal Health consented to the entry of a cease-and-desist order to resolve FCPA books-and-records and internal controls charges and agreed to disgorge $5.4 million of profits, plus $916,887 in prejudgment interest, and pay a $2.5 million civil penalty. The SEC’s order did not impose ongoing reporting requirements on Cardinal Health and acknowledged the company’s voluntary self-disclosure, cooperation with the SEC’s investigation, and the remedial actions taken by the company, including terminating the marketing accounts and its employment contracts with the marketing employees. Cardinal Health has announced that DOJ declined to take action.

Eni S.p.A.

On April 17, 2020, the SEC announced an FCPA resolution with Italian oil company and ADR-issuer Eni relating to alleged misconduct in obtaining government oil contracts in Algeria. According to the SEC, Eni violated the FCPA’s accounting provisions because a 43%-owned subsidiary entered into four purportedly sham contracts to pay approximately €198 million to an intermediary, which directed a portion of that money to Algerian officials to assist in obtaining contracts from Algeria’s state-owned oil company.

With respect to the books-and-records charge, the SEC contended that the Eni subsidiary classified these payments as “brokerage fees” in its books and records, which then were consolidated into the books of Eni, allegedly causing Eni’s books and records to be inaccurate. With respect to the internal controls charge, the SEC acknowledged that pursuant to 15 U.S.C. § 78m(b)(6), because Eni was a minority shareholder in the subsidiary, it was required only to “proceed in good faith to use its influence, to the extent reasonable under [the] circumstances,” to cause the subsidiary to maintain a system of internal controls consistent with the FCPA. The SEC alleged that Eni failed to satisfy this standard, in part because the subsidiary’s CFO, who along with others allegedly bypassed internal controls to enter into the contracts with the intermediary, later became CFO of Eni and in that role continued to participate in and conceal the nature of the relationship with the intermediary. According to the SEC: “As the principal finance officer of Eni, [the CFO] could not have been proceeding in good faith to cause [the subsidiary] to devise and maintain sufficient internal accounting controls while simultaneously being aware of, and participating in, conduct at [the subsidiary] that undermined those controls.”

Without admitting or denying the allegations, Eni consented to the entry of a cease-and-desist order to resolve the FCPA accounting charges and agreed to disgorge $19.75 million plus $4.75 million in prejudgment interest. The disgorgement amount was calculated based on the alleged tax benefit that Eni received from its subsidiary deducting the costs of the payments to the intermediary. DOJ closed its investigation in September 2019 without taking action, approximately one year after an Italian criminal court’s acquittal of Eni and corporate officers following a trial on Italian corruption charges. Italian trial convictions of the subsidiary and certain of its former employees were overturned by the Milan Court of Appeals in January 2020.

Novartis AG & Alcon Pte Ltd

Rounding out the first half of 2020 in corporate enforcement, on June 25 DOJ and the SEC announced the year’s first joint FCPA resolution, involving Swiss pharmaceutical company and issuer Novartis, its Greek subsidiary, and a former subsidiary. The charging documents allege that between 2012 and 2016, subsidiary employees provided things of value to healthcare providers in Greece, South Korea, and Vietnam.

To resolve the SEC’s investigation, Novartis consented to the entry of an administrative cease-and-desist order charging FCPA accounting violations and agreed to pay $112.8 million in disgorgement and prejudgment interest. To resolve criminal charges of FCPA anti-bribery and books-and-records conspiracy, Novartis’s Greek subsidiary entered into a deferred prosecution agreement and agreed to pay a criminal penalty of $225 million. In addition, former Novartis subsidiary Alcon Pte Ltd entered into a deferred prosecution agreement to resolve a charge of FCPA books-and-records conspiracy and agreed to pay a criminal penalty of $8,925,000. Novartis and Alcon were given full credit for their cooperation in the investigation and their significant remedial measures. They will self-report on the status of their compliance programs over the three-year term of the agreements with DOJ and the SEC. Gibson Dunn represented Novartis and Alcon in connection with the Alcon Pte Ltd-related conduct.

Individual Enforcement Actions

There were FCPA and FCPA-related charges filed or unsealed against 15 individual defendants during the first half of 2020.

Martinelli Brothers

On June 27, 2020, a criminal complaint was filed in the U.S. District Court for the Eastern District of New York charging Luis Enrique Martinelli Linares and Ricardo Alberto Martinelli Linares, brothers and the sons of former Panamanian President Ricardo Alberto Martinelli Berrocal, with money laundering. The charging documents were unsealed on July 6, when the brothers were arrested in Guatemala pursuant to a U.S. arrest warrant. According to the allegations, the brothers served as intermediaries to set up secret bank accounts to receive and disguise $28 million in bribe payments made by Brazilian construction conglomerate Odebrecht S.A. for the benefit of President Martinelli. We covered the December 2016 FCPA resolution with Odebrecht in our 2016 Year-End FCPA Update.

Asante K. Berko

On April 13, 2020, the SEC filed a civil complaint in the U.S. District Court for the Eastern District of New York against Asante Berko, a dual U.S. and Ghanaian citizen who formerly worked for the UK subsidiary of a U.S. financial services company and issuer. The complaint charges Berko with FCPA bribery associated with his alleged participation in a scheme to pay at least $2.5 million to an intermediary with the intention that all or substantially all of that amount would be paid to Ghanaian government officials making decisions on an electrical power plant project Berko’s Turkish-based client was building. The complaint further alleges that Berko personally received $2 million in secret commissions from the Turkish client, without the knowledge or approval of Berko’s employer. There is no current indication that the U.S. financial services company will be charged, and indeed the complaint against Berko speaks at length of Berko’s circumvention of his employer’s controls, including using personal rather than company email, falsifying or failing to correct inaccurate corporate documents, and lying to company compliance and legal personnel when they asked increasingly probing questions about the transaction.

The Berko case is significant for at least two reasons. First, many of the acts described above as to Berko’s circumvention of the company’s existing controls are in other cases argued by the SEC to be evidence of the company’s deficient internal controls. Second, even as the SEC seems to take an accommodating stance with respect to controls, it takes a very aggressive stance with respect to its agency theory of liability for the bribery charges. Berko was not an employee of the U.S. issuer, but rather a UK subsidiary, so the SEC (which has jurisdiction only over issuers and their representatives) alleged that Berko was an agent of the parent issuer because the parent allegedly exercised general control over the subsidiary and its employees, Berko was subject to the parent’s compliance policies, and certain key documents relating to the transaction were reviewed by a committee of the parent issuer. This agency theory is oft-contested, but less frequently litigated. Berko has yet to make an appearance and, according to the SEC’s complaint, is residing in Ghana.

DOJ’s ongoing investigation of alleged corruption in the bidding panels of Venezuelan state-owned oil company Petróleos de Venezuela, S.A. (“PDVSA”) continued apace through the first six months of 2020. As we have been covering since our 2015 Year-End FCPA Update, DOJ now has brought numerous FCPA and FCPA-related (primarily money laundering) prosecutions associated with an alleged “pay-to-play” corruption scheme whereby businesses paid millions of dollars in bribes to PDVSA officials to influence the award of competitively-bid contracts and to secure preferential treatment in the payment of PDVSA debts.

Charges from the first half of 2020 include:

  • On February 7, 2020, Texas resident and Venezuelan citizen Tulio Anibal Farias-Perez was charged and then pleaded guilty to FCPA conspiracy associated with his alleged provision of more than $500,000 in payments to PDVSA representatives through cash, wire transfers, and tickets to high-profile sporting events such as the World Series and Super Bowl in exchange for contract awards to his companies;
  • On March 11 and 12, 2020, respectively, DOJ unsealed November 2019 criminal informations charging Lennys Rangel, the procurement head of a PDVSA majority-owned joint venture, and Edoardo Orsoni, the former general counsel of PDVSA, each with conspiracy to commit money laundering in connection with the alleged receipt of more than a million dollars each in cash and property in exchange for favorable treatment in PDVSA bidding processes;
  • On March 20, 2020, DOJ filed a criminal information charging Venezuelan businessperson Carlos Enrique Urbano Fermin with conspiracy to commit money laundering based on Urbano’s alleged $100,000 bribe to a Venezuelan government official, via U.S. bank accounts, to forestall a local bribery prosecution of Urbano’s companies in Venezuela; and
  • Also on March 20, 2020, DOJ charged another Venezuelan businessperson, Leonardo Santilli, in a criminal money laundering complaint associated with Santilli’s alleged payment of more than $9 million in bribes to receive nearly $150 million in contracts from PDVSA.

Additional Alstom S.A. Defendants Charged

In our 2019 Year-End FCPA Update, we covered DOJ’s ongoing prosecutions arising from Alstom’s alleged corrupt winning of the Tarahan power plant contract in Indonesia as an example of DOJ leveraging a relatively contained, one-country fact pattern into many cases over numerous years. This phenomenon extended into 2020, when on February 18 DOJ unsealed a superseding indictment, initially filed in 2015, charging two former executives of Alstom’s Indonesian subsidiary and a former executive of Alstom agent Marubeni with conspiracy to violate the FCPA and commit money laundering. Reza Moenaf and Eko Sulianto, the former president and director of sales of Alstom’s Indonesian subsidiary respectively, were each charged with two counts of FCPA bribery, and Junji Kusunoki, the former deputy general manager of Marubeni’s Overseas Power Project Department, was charged with six counts of FCPA bribery. All three defendants also face money laundering charges, and none have yet made an appearance in court.

Seguros Sucre Defendants

On February 13, 2020, DOJ filed a criminal complaint in the Southern District of Florida charging Juan Ribas Domenech, Jose Vicente Gomez Aviles, and Felipe Moncaleano Botero with money laundering conspiracy for their alleged roles in a scheme to secure contracts with Ecuador’s state-owned insurance company, Seguros Sucre. Separately, on March 3, 2020, DOJ filed a criminal complaint charging Roberto Heinert with a related money laundering offense.

Ribas is a former Seguros Sucre chairman and Ecuadorian citizen; Gomez is an Ecuadorian businessperson who helped companies secure contracts with Seguros Sucre; Heinert is a dual U.S. and Ecuadorian citizen who worked with Gomez; and Botero is a Colombian citizen and former executive of an unnamed UK reinsurance broker’s Colombian subsidiary that worked with Seguros Sucre. According to the criminal complaints, Ribas allegedly received bribes from Gomez, Heinert, and Botero, laundered through U.S. bank accounts, in exchange for awarding a reinsurance contract for Ecuador’s Ministry of Defense, provided through Seguros Sucre. On June 11, 2020, Gomez pleaded guilty. Ribas, Heinert, and Botero are before the Court and awaiting trial dates.

Following the filing of FCPA or FCPA-related charges, criminal and civil enforcement proceedings can take years to wind through the courts. A selection of prior-year matters that saw enforcement litigation developments during the first half of 2020 follows.

Hoskins’s FCPA Convictions Reversed; Money Laundering Convictions Stand

In what is arguably one of the most significant, if not longest-running, enforcement cases in FCPA history, the Honorable Janet Bond Arterton of the District of Connecticut issued her decision on the Rule 29 Motion for a Judgment of Acquittal filed by Lawrence Hoskins, whose November 2019 convictions we covered in our 2019 Year-End FCPA Update. Following a key pretrial appeal in which the Second Circuit Court of Appeals held that the government could not charge foreign national Hoskins with conspiracy or aiding and abetting an FCPA offense because he did not otherwise belong to the class of individuals that can be charged with committing a substantive FCPA violation (covered in our 2018 Year-End FCPA Update), the key FCPA question at trial was whether DOJ could prove that Hoskins was acting as an “agent” of a U.S. person (i.e., Alstom’s U.S. subsidiary). The jury seemingly answered that question in the affirmative through its verdict, convicting Hoskins on all seven FCPA counts.

But on February 26, 2020, Judge Arterton set aside the FCPA guilty verdicts and entered a judgment of acquittal, finding that the evidence presented at trial did not support a conclusion that an agency relationship existed between Hoskins and Alstom’s U.S. subsidiary. Specifically, the Court held that the evidence DOJ presented was insufficient as a matter of law to show that the U.S. subsidiary retained the ability to control Hoskins’s actions. Nonetheless, demonstrating the relative power of money laundering charges to pursue international corruption cases outside the jurisdictional reach of the FCPA, Judge Arterton left Hoskins’s four money laundering convictions intact. There, the Court rejected Hoskins’s arguments that he could not be convicted absent knowledge that U.S. bank accounts would be used, and also held that Connecticut was an appropriate venue because the transfers from Connecticut (where Alstom’s subsidiary was based) to Maryland (where the agent was based) to Indonesia (where the foreign official was based) were all part of a single, continuing transaction for purposes of the money laundering statute.

On March 6, 2020, Hoskins was sentenced to 15 months in prison and to pay a $30,000 fine in connection with the money laundering convictions, although his surrender date has been postponed to October 2020 due to the COVID-19 pandemic situation. DOJ and Hoskins have each appealed the unfavorable portions of Judge Arterton’s decision to the Second Circuit, making it likely that we have not heard the last from this groundbreaking case.

Inniss Convicted by Jury

Donville Inniss, the former Barbados Minister of Industry, was indicted in March 2018 for allegedly receiving $36,000 in bribes from the Insurance Corporation of Barbados Limited in exchange for agreeing to award government contracts to the insurer. According to DOJ, Inniss allegedly laundered the funds through a New York bank account in the name of a dental company owned by his friend.

Following a four-day jury trial and two hours of deliberation, on January 16, 2020, Inniss was convicted by a jury sitting in the Eastern District of New York of one count of conspiracy to commit money laundering and two counts of money laundering. Inniss has filed a Rule 29 motion for judgment of acquittal of all counts, which remains pending.

Baptiste and Boncy Granted New Trial

We reported in our 2019 Year-End FCPA Update on the June 2019 jury convictions of retired U.S. Army colonel Joseph Baptiste and former lawyer and Haitian Ambassador-at-Large Roger Richard Boncy for allegedly soliciting bribes from two undercover FBI agents who were posing as prospective investors in a proposed $84 million port development project in Haiti. Following a nine-day jury trial, they were each found guilty of one count of FCPA conspiracy and one count of Travel Act conspiracy, with Baptiste additionally convicted of violating the Travel Act and money laundering conspiracy.

But in a post-conviction setback for DOJ, on March 11, 2020, the Honorable Allison Burroughs of the District of Massachusetts granted a new trial for both Baptiste and Boncy based on the ineffective performance of Baptiste’s trial attorney. Among other things, Judge Burroughs cited that Baptiste’s lawyer did not subpoena witnesses to testify on Baptiste’s behalf and pursued an entrapment defense after being told the defense was unavailable for Baptiste. In addition to prejudicing Baptiste, Judge Burroughs found that the attorney’s performance resulted in Boncy’s own attorney “having to play an outsized role at trial rather than pursue his preferred defense strategy,” thereby also prejudicing Boncy. DOJ has appealed Judge Burroughs’s order to the U.S. Court of Appeals for the First Circuit.

Seng’s Supreme Court Challenge re McDonnell Application to FCPA Denied

We covered in our 2018 Mid-Year FCPA Update the conviction and sentencing of billionaire Ng Lap Seng on FCPA, federal programs bribery, and money laundering charges associated with his role in a scheme to pay more than $1 million in bribes to two UN officials in connection with, among other things, a plan to build a UN-sponsored conference center in Macau. In August 2019, Seng’s conviction was upheld by the U.S. Court of Appeals for the Second Circuit, which rejected his argument that DOJ failed to prove that an “official act” occurred in exchange for the bribes as required by the Supreme Court’s decision in McDonnell v. United States, instead holding that McDonnell’s official acts standard does not apply to the FCPA. Seng filed a petition for writ of certiorari in the Supreme Court, which was denied on June 29, 2020.

Lambert’s Motion for Judgment of Acquittal on Wire Fraud Charges Denied

As reported in our 2019 Year-End FCPA Update, Mark T. Lambert, the former Co-President of Transport Logistics International, was convicted in November 2019 of FCPA, wire fraud, and conspiracy charges in connection with his alleged participation in a conspiracy to make corrupt payments to an official at a Russian state-owned supplier of uranium and uranium enrichment services in return for sole-source contracts. In December, Lambert filed a motion for judgment of acquittal on the two wire fraud convictions, arguing that the government failed to prove that he made any material misrepresentations or omissions that caused injury to the Russian state-owned entity, the alleged victim of the fraud.

On February 11, 2020, the Honorable Theodore D. Chuang of the District of Maryland denied Lambert’s motion. The Court found that the evidence that Lambert actively concealed bribes from the Russian state-owned entity was sufficient, and further that the government need not prove that the Russian state-owned entity actually lost money as a result of the scheme, provided Lambert intended to deprive the entity of money. Lambert’s sentencing has been delayed due to COVID-19 complications.

Fifth Circuit Dismisses Khoury’s Appeal

Lebanese businessperson Samir Khoury has continued his attack on a more than decade-old indictment charging him with mail and wire fraud offenses arising out of the Bonny Island, Nigeria corruption scheme. As reported in our 2019 Year-End FCPA Update, after successfully persuading the Southern District of Texas to unseal the indictment in absentia, Khoury filed a renewed motion to dismiss, arguing the government had failed to prosecute the case diligently and the indictment is time-barred. The Honorable Keith P. Ellison rejected Khoury’s motion on December 6, 2019, and denied Khoury’s additional motion for a “Ruling on Constitutional Issues Not Addressed” on February 24, 2020.

In March 2020, Khoury sought appellate and mandamus relief from the U.S. Court of Appeals for the Fifth Circuit, challenging, among other things, the district court’s conclusion that any delay in prosecution was caused by Khoury’s decision to remain in Lebanon. The government moved to dismiss Khoury’s appeal, arguing that it must await trial, judgment, and sentencing. On May 12, 2020, the Fifth Circuit granted the government’s motion to dismiss in a per curiam order. The Fifth Circuit rejected Khoury’s petition for en banc review on July 13, 2020.

Former Banker Permanently Barred for Role in 1MDB Bond Offerings

We have been tracking for years activity related to the alleged diversion of more than $2.7 billion from Malaysian sovereign wealth fund 1Malaysia Development Berhad (“1MDB”), including actions previously taken against Malaysian businessperson Low Taek Jho and two former bankers, Tim Leissner and Roger Ng Chong Hwa, for their alleged involvement in the scheme.

On February 4, 2020, the Federal Reserve Board of Governors announced that it was permanently barring from the banking industry former banker Andrea Vella, who had responsibility for three bond offerings by 1MDB. According to the Board’s debarment order, Vella failed to fully escalate Low Taek Jho’s involvement in the offerings, which the Board claimed indicated heightened potential underwriting risks. As part of the debarment order, Vella has agreed to cooperate with the Board’s investigations into 1MDB.

Coburn and Schwartz Indictment Challenge Turned Away

As covered in our 2019 Year-End FCPA Update, former Cognizant Technology Solutions executives Gordon J. Coburn and Steven E. Schwartz face a 12-count indictment charging them with FCPA bribery, conspiracy, falsification of books and records, and circumvention of internal controls in connection with their alleged participation in a bribery scheme in India. They each promptly moved to dismiss various counts in the indictment on a number of grounds, including most notably for practitioner purposes that three counts of FCPA bribery were multiplicitous because they charged three emails associated with the same alleged bribe as three separate violations of the FCPA’s anti-bribery provisions.

On February 14, 2020, the Honorable Kevin McNulty of the District of New Jersey issued a scholarly opinion analyzing this question, which has never been squarely presented in an FCPA case. In upholding the indictment, Judge McNulty agreed with DOJ that the relevant “unit of prosecution” for FCPA bribery is making use of interstate commerce in connection with a bribery scheme; thus, the emails cited in the three counts “are permissible, if not inevitable, units of prosecution.”

Odebrecht Plea Agreement Extended

We covered Odebrecht’s coordinated anti-corruption resolution with Brazilian, Swiss, and U.S. authorities in our 2016 Year-End FCPA Update. One of the conditions of the U.S. resolution was the engagement of an independent compliance monitor for a three-year period.

The monitorship period was scheduled to conclude in February 2020. However, in a January 29 letter filed with the Eastern District of New York, DOJ announced that Odebrecht had failed to complete its obligations to “implement and maintain a compliance and ethics program,” including by allegedly “failing to adopt and implement the agreed upon recommendations of the monitor and failing to allow the monitor to complete the monitorship.” DOJ reported that Odebrecht had agreed with these contentions and to extend the monitorship until November 2020 to allow the additional time to fulfill its obligations under the extended timeline.

In addition to the enforcement activity covered above, the first six months of 2020 saw important developments in FCPA policy, practice, and related matters. Among the developments covered below are DOJ and the SEC issuing their first comprehensive update to the 2012 FCPA Resource Guide, DOJ providing updated guidance on how it will evaluate corporate compliance programs, the announcement of a new privilege unit within DOJ’s Fraud Section, and a Supreme Court decision on the SEC’s ability to seek disgorgement in enforcement actions.

DOJ and SEC Issue First Comprehensive Update to FCPA Resource Guide

On July 3, 2020, DOJ and the SEC published the first substantive update to their consolidated FCPA guidance, “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” which was first issued in November 2012. The Second Edition to this publication—which has served as an important resource for companies and practitioners seeking to understand both enforcers’ interpretations of the FCPA and approaches for enforcing it—does not necessarily break new ground, but incorporates a number of significant developments in government guidance, relevant case law, and enforcement activity in the seven-plus years since its original publication.

Among the more significant updates in the Second Edition are the inclusion of the FCPA Corporate Enforcement Policy (see below) and other recent governmental guidance; updated guidance regarding the application of the FCPA in M&A transactions; legal updates regarding the scope of the term “agent” for assessing corporate liability, the scope of the SEC’s disgorgement authority, and the requirements for criminal violations of the FCPA’s accounting provisions. This new edition likewise includes numerous new or updated case studies and hypotheticals to further illustrate relevant FCPA concepts. For additional details regarding the Second Edition, please see our recent client alert, “U.S. DOJ and SEC Issue First Comprehensive Update to FCPA Resource Guide Since 2012.”

DOJ Issues Updated Guidance for Evaluating Corporate Compliance Programs

On June 1, 2020, DOJ issued further updates to its guidance to DOJ prosecutors about how to assess the effectiveness of corporate compliance programs when conducting investigations, making charging decisions, and negotiating resolutions. This guidance, entitled “Evaluation of Corporate Compliance Programs,” updates the prior version of the guidance published in 2019.

Among other changes, the updated guidance places increased emphasis on evaluating corporate compliance programs on a case-by-case basis relative to the individual company’s “size, industry, geographic footprint, [and] regulatory landscape” and reflects an increased focus on whether control functions are provided with sufficient resources to effectively discharge their responsibilities and have access to the data needed to properly carry out their monitoring and auditing activities. For more on the updated guidance, please see our separate client alert, “DOJ Updates Guidance Regarding Its ‘Evaluation of Corporate Compliance Programs.’”

DOJ Fraud Section to Create New Privilege Unit

So-called “taint” or “filter” teams have long been DOJ’s preferred solution to address the oft-arising issue of how to handle attorney-client and other privileged materials seized during the execution of search warrants. To prevent prosecutors from being exposed to protected information, the filter team (typically from the same DOJ Unit but not assigned to the investigation) generally is responsible for segregating protected material before providing the remaining materials to the prosecutors leading the investigation. This practice has been subject to criticism from the defense bar and courts alike, not the least of which being a decision in October 2019 by the U.S. Court of Appeals for the Fourth Circuit.

Potentially in response to this scrutiny, the Fraud Section has restructured its privilege review process by creating a new unit—the Special Matters Unit. The Special Matters Unit, which will be led by Fraud Section and Miami U.S. Attorney’s Office alum Jerrob Duffy, will oversee the privilege review team and work with the other Fraud Section litigation units, including the FCPA Unit, to establish uniform protocols regarding evidence collection and review that may implicate attorney-client and other privileges.

U.S. Supreme Court Decision Limits Disgorgement Authority in Civil Actions

As our readership knows, disgorgement of purportedly illicit profits frequently is the key driver in determining the cost of an FCPA resolution with the SEC. On June 22, 2020, the Supreme Court issued an important decision in Liu v. SEC, a closely watched case involving a challenge to the SEC’s ability to seek disgorgement in civil enforcement actions filed in federal court. This case follows the Court’s 2017 opinion in Kokesh v. SEC (discussed in our client alert United States Supreme Court Limits SEC Power to Seek Disgorgement Based on Stale Conduct), in which the Court unanimously held that disgorgement ordered in an SEC enforcement action constituted a “penalty” and was therefore subject to the five-year statute of limitations defined by 28 U.S.C. § 2462, but expressly reserved the question of whether SEC had the authority to seek disgorgement as a form of “equitable relief” in civil actions filed in federal court.

In the instant Liu case, husband and wife Charles Liu and Xin Wang were ordered to disgorge nearly $27 million in profits and pay $8.2 million in penalties arising from a scheme in which they allegedly misappropriated funds invested with them for the purpose of building a cancer treatment center. The district court refused to permit the deduction of even legitimate business expenses from the disgorgement amount, which decision the Ninth Circuit affirmed, holding that “the proper amount of disgorgement in a scheme such as this one is the entire amount raised less the money paid back to the investors.” In an 8-1 opinion authored by Justice Sotomayor, the Supreme Court upheld the SEC’s ability to seek disgorgement as a form of equitable relief, but only provided that the disgorgement is limited to the amount of the defendants’ net profits from the wrongdoing after legitimate expenses are deducted and further that disgorgement is assessed at least partially for the benefit of victims. For more on the Supreme Court’s decision, please see our client alert, “Supreme Court Limits Disgorgement Remedy In SEC Civil Enforcement Actions.”

2020 MID-YEAR KLEPTOCRACY FORFEITURE ACTIONS

The first half of 2020 saw continued activity in the Kleptocracy Asset Recovery Initiative spearheaded by DOJ’s Money Laundering and Asset Recovery Section (“MLARS”) Unit, which uses civil forfeiture actions to freeze, recover, and, in some cases, repatriate the proceeds of foreign corruption. In particular, we have been tracking the 1MDB corruption case since it was first announced as a civil forfeiture proceeding, as covered in our 2016 Year-End FCPA Update.

On May 6, 2020, DOJ announced a settlement of its civil forfeiture cases against more than $49 million of assets acquired by Emirati businessperson Khadem al-Qubaisi, using funds allegedly misappropriated from 1MDB. The assets include sales proceeds of Beverly Hills real estate and a luxury penthouse in New York City. This was followed on July 1 by the announcement of six DOJ civil forfeiture complaints in the U.S. District Court for the Central District of California seeking the forfeiture and recovery of an additional $96 million in assets, including luxury real estate in Paris, artwork by Monet, Warhol, and Basquiat, and bank accounts in Luxembourg and Switzerland. Since July 2016, the United States has sought forfeiture of more than $1.8 billion in assets associated with 1MDB, with more than $600 million of that now returned to Malaysia.

2020 MID-YEAR PRIVATE CIVIL LITIGATION SECTION

Although the FCPA does not provide for a private right of action, civil litigants continue to pursue a variety of causes of action in connection with FCPA-related conduct. A selection of matters with developments in the first half of 2020 follows.

Shareholder Lawsuits

  • Cemex S.A.B. de C.V. – On February 10, 2020, the Honorable Valerie E. Caproni of the Southern District of New York dismissed with prejudice the second amended complaint filed against Mexican building materials company and U.S. issuer Cemex for allegedly concealing a bribery scheme and then making misleading statements relating to the same. As reported in our 2019 Year-End FCPA Update, the lawsuit was filed in 2018 after an internal probe identified payments worth approximately $20 million to a Colombian company in return for land, mining rights, and tax benefits for a new cement plant. In dismissing the second amended complaint, Judge Caproni found that plaintiffs had failed to allege specific facts on which to base a securities fraud action and had failed to establish the existence of an underlying bribery scheme.
  • BRF S.A. – On May 15, 2020, the U.S. District Court for the Southern District of New York preliminarily approved a $40 million settlement in a putative class action against Brazilian food processor BRF. The suit was brought in March 2018 following Brazilian investigations related to payments to allow the sale of rancid meat by circumventing safety inspections. Investors alleged that they were misled by the company after the investigation drove down the company’s stock price. BRF also had announced that it had initiated an internal investigation and was cooperating with DOJ and SEC prior to the filing of the shareholder suit. A settlement hearing is scheduled for October 2020.

Breach of Contract/Civil Fraud/RICO Actions

  • Keppel Offshore & Marine Ltd. – On May 9, 2020, the Honorable Paul G. Gardephe of the Southern District of New York issued an order dismissing RICO conspiracy charges against Keppel Offshore & Marine, finding that the FCPA deferred prosecution agreement it entered with DOJ in 2017 does not constitute a criminal conviction for the purposes of the Private Securities Litigation Reform Act (“PSLRA”). Plaintiffs had argued that Keppel’s deferred prosecution agreement was a criminal conviction that qualified for a PSLRA exception for RICO claims against “any person that is criminally convicted in connection with the fraud,” but Judge Gardephe concluded that “[a] party that enters into a deferred prosecution agreement has not been convicted of a crime. Indeed, the obvious purpose of entering into a deferred prosecution agreement is to avoid a criminal conviction.” With the RICO claims dismissed, only the aiding and abetting fraud claims remain and the case is set for a pretrial conference later in July 2020.
  • Citgo Petroleum Corp. – On May 26, 2020, CITGO, the Texas-based subsidiary of PDVSA, filed a complaint in the U.S. District Court for the Southern District of Texas against Jose Manuel Gonzalez Testino and his company alleging breach of contract, fraud, and RICO violations arising from Gonzalez’s violations of the FCPA. In May 2019, Gonzalez pleaded guilty to violations of the FCPA and failure to file a foreign bank account report, in connection with payments to PDVSA and CITGO officials. CITGO’s civil complaint alleges that Gonzalez bribed CITGO employees to induce CITGO to enter into a Service Contract Agreement with his company, and to win contracts under the same agreement. The complaint further alleges that Gonzalez’s conduct caused CITGO to lose millions of dollars, and seeks compensatory damages plus interest, treble damages, and punitive damages. As of the date of publication, the defendants have not filed a responsive pleading.
  • Harvest Natural Resources, Inc. – As reported most recently in our 2019 Year-End FCPA Update, now-defunct Houston energy company Harvest Natural Resources filed suit in the U.S. District Court for the Southern District of Texas in 2018 alleging RICO and antitrust violations against various individuals and entities affiliated with the Venezuelan government and PDVSA. Harvest’s complaint alleged that approval for the sale of the company’s Venezuelan assets was wrongfully withheld after it refused to pay $40 million in bribes to Venezuelan officials, and that as a result, Harvest had to sell the assets to different buyers at a $470 million loss, leading to the company’s dissolution. Chief Judge Lee H. Rosenthal granted a default $1.4 billion judgment in the action against Rafael Darío Ramírez Carreño, Venezuela’s former Minister of Energy and former President of PDVSA, when Ramírez failed to appear. But on June 9, 2020, after Ramírez appeared and filed a motion to vacate the default judgment, Judge Rosenthal reopened the case, denied the motion to dismiss, and set a status conference to discuss scheduling for further proceedings.

2020 MID-YEAR INTERNATIONAL ANTI-CORRUPTION DEVELOPMENTS

The COVID-19 pandemic has had, and continues to have, profound societal, economic, and health impacts. The frenetic pace of procurement activity around the world to acquire personal protective equipment, pharmaceuticals, and other medical products needed to combat the virus also can create heightened corruption-related risks. The following selection of recent developments illustrates steps that anti-corruption organizations around the world are taking to combat these novel corruption risks.

  • On April 15, 2020, the Council of Europe’s Group of States against Corruption (“GRECO”) issued guidance to its member states regarding how to combat bribery and corruption in the healthcare sector. The risk areas identified by GRECO’s guidance include government procurement of medical supplies, bribery related to the provision of medical services, corruption of government agencies involved in overseeing the research and development of new pharmaceutical products, financial scams relating to the sale of medical products, and whistleblower protection in the healthcare sector.
  • On April 22, 2020, the Organisation for Economic Co-operation and Development’s (“OECD”) Working Group on Bribery issued a statement warning that the current pandemic environment could create conditions “ripe for corruption” given the scramble to obtain needed supplies. The Working Group called on its member states to uphold their commitments under the OECD Anti-Bribery Convention, and noted that the OECD would “examine the possible impact and consequences of the coronavirus pandemic on foreign bribery, as well as solutions to help countries strengthen their anti-bribery systems.”
  • On May 5, 2020, the International Monetary Fund (“IMF”) issued guidance explaining that, in addition to its existing anti-corruption measures, it was taking additional steps to ensure that emergency funding provided to governments in support of their COVID-19 responses would be used properly. These steps include asking governments to commit in letters of intent to ensure the funds are used for the purpose of responding to the crisis; assessing the extent to which it is feasible to ask member states to take additional steps to prevent bribery, corruption, and money laundering without unduly delaying disbursements; and continuing to include governance and anti-corruption measures in multi-year financing arrangements provided to member states.

Multilateral Development Banks

The first half of 2020 saw important developments concerning the World Bank’s, and increasingly other multilateral development banks’ (“MDB”), mechanisms for investigating fraud, corruption, and other sanctionable conduct connected to MDB-supported projects.

Perhaps most notably, the World Bank announced in May 2020 that Mouhamadou Diagne will become the new head of the Bank’s Integrity Vice Presidency (“INT”), a position that has been held by an acting head since the departure of Pascale Dubois in November 2019. Diagne previously served as the Bank’s Inspector General of the Global Fund to Fight Aids, Tuberculosis, and Malaria, in which role he led that organization’s investigations and audit functions. In his new role, Diagne will report directly to Bank President David Malpass rather than to an intermediary Managing Director as previously had been the case.

We also direct our readers to the Bank’s updated Sanctions Board Law Digest published in December 2019. The Sanctions Board acts as the ultimate adjudicator of sanctions sought by INT, and the Digest helpfully summarizes key takeaways from the Board’s decisions since the last update several years ago. The Digest also details the current sanctions framework, and is a valuable resource for practitioners and companies that become ensnared in the World Bank sanctions process.

Those who have dealt with INT and enforcement personnel at other MDBs may feel that the enforcers follow a fairly rigid approach in meting out sanctions. Reflecting a possible change in at least one key MDB, the Head of the Office of Anti-Corruption and Integrity of the Asian Development Bank (“ADB”) wrote in responses published in the Global Investigations Review in May 2020 that the ADB’s enforcement approach to corporate and individual sanctions is becoming more flexible. He noted that the Bank’s use of debarments has decreased as its use of reprimands, cautions, and conditional-non-debarments has increased. A more nuanced assessment provides opportunity for a more proportionate sanction, which is particularly important given the significant collateral consequences that can attend an MDB debarment.

In other MDB news, the Inter-American Development Bank (“IDB”), which provides financing in Latin America, has been active on the enforcement front. In April 2020, the IDB debarred Andrade Gutierrez Engenharia S.A. (“AGE”), one of Brazil’s largest private conglomerates, and 11 of its subsidiaries for three years, in connection with alleged bribes to secure four IDB-financed contracts. The IDB credited AGE’s substantial cooperation in the case, which no doubt reflects a strategic decision by the company to address the issue holistically—two years earlier, AGE paid more than $381 million in fines to Brazilian authorities to resolve this and other conduct.

Europe

United Kingdom

SFO Publishes Guidance for Evaluating Compliance Programs

On January 17, 2020, the UK Serious Fraud Office (“SFO”) published its guidance to SFO prosecutors and investigators on how to assess corporate compliance programs. The guidance, “Evaluating a Compliance Programme,” forms part of the SFO’s Operational Handbook and states that the SFO should consider the state of an organization’s compliance program at the time of the offense and when making a charging decision (which could impact whether a deferred prosecution agreement is suitable), as well as consider how the program may change going forward. The guidance recommends framing the assessment around the six principles that the Ministry of Justice published in 2011 to guide commercial organizations in developing adequate anti-bribery compliance programs (covered in our 2011 Mid-Year FCPA Update). The January 2020 guidance provides additional insight into how the SFO will consider corporate compliance programs, and therefore is a valuable resource for organizations subject to the jurisdiction of the SFO.

Two Unaoil Defendants Convicted; Hung Jury for Third

As covered in our 2019 Year-End FCPA Update, the Monaco-based oil services company Unaoil has been at the center of a developing cluster of anti-corruption enforcement that has grown to include enforcement activity on both sides of the Atlantic. January 2020 saw the start of the London trial of three individuals—Ziad Akle, Paul Bond, and Stephen Whiteley—who were accused of conspiring to bribe an Iraqi official alongside Iraqi business partner Basil Al Jarah, who himself pleaded guilty in the UK in July 2019. Due to COVID-19, the trio’s trial was suspended for several weeks, but was one of the first criminal trials to resume in May 2020.

On July 13, 2020, guilty verdicts were announced as to Akle and Whiteley. The jury convicted the two of conspiracy to provide corrupt payments associated with the payment of over $500,000 in bribes to secure a $55 million contract from the Iraqi South Oil Company. Akle, Whiteley, and Al Jarah are due to be sentenced on July 22 and 23, 2020. The jury was unable to reach a decision as to Bond, and the SFO has indicated that it will seek a retrial. The jury actually returned the verdicts in June, but the verdicts were held in quarantine until July 13 to give the SFO time to assess its future action.

Nigeria’s Lawsuit against Royal Dutch Shell and Eni Dismissed

In May 2020, the High Court dismissed a $1 billion lawsuit brought by the Nigerian government against oil and gas giants Royal Dutch Shell Plc and Eni S.p.A., alleging that payments made by the companies to acquire an oil exploration license were used to personally enrich Nigerian officials. The High Court found that it did not have jurisdiction over the case because the same allegations and participants feature in ongoing criminal proceedings in Italy. As covered in our 2017 Year-End FCPA Update, in December 2017 the Milan Public Prosecutor’s Office brought criminal proceedings against the companies as well as several individuals, with the Nigerian government later joining as a civil claimant in March 2018. The Italian proceedings are ongoing.

France

Sanctions Committee Renders Second Decision

On February 7, 2020, the French Anticorruption Agency’s (“AFA”) Sanctions Committee (discussed in our separate client alert, “New French Anti-Corruption Regime”) rendered its second decision. Although it did not impose a fine, despite a recommendation to do so from the AFA, the Committee compelled French mineral extraction company Imerys to update its code of conduct and accounting procedures following an investigation that identified certain potential controls weaknesses.

Ministry of Justice Issues Directive to Combat International Bribery

On June 2, 2020, the French Minister of Justice issued a directive to prosecutors regarding “criminal policy in the fight against international corruption.” Among other things, the directive calls on the French National Financial Prosecutor (“PNF”) to redouble its efforts to detect international corruption by paying special attention to “domestic and foreign press articles” that may justify in-depth investigations. Taking a page from U.S. anti-corruption efforts, the directive also encourages companies to self-disclose potential incidents of bribery to the PNF.

Germany

As reported in our 2019 Year-End German Law Update and 2019 Year-End FCPA Update, the German government is pursuing a corporate criminal liability bill that could significantly change the practice of German criminal law. Unlike in the United States and many other countries, German criminal law does not currently provide for corporate criminal liability. Corporations may be fined only for administrative offenses.

A recently updated draft of the legislation includes modest changes from the 2019 draft discussed in our previous updates. The 2020 version of the proposed bill:

  • Applies only to entities conducting an economic business (i.e., does not apply to nonprofits);
  • Abandons the corporate “death penalty” (i.e., liquidation of the company); and
  • Clarifies that when an internal investigation significantly contributes to resolving the matter, courts “should” provide mitigation credit when calculating a fine or determining a sentence, rather than more discretionary language in the prior version, but to qualify for mitigation credit, internal investigations must satisfy certain criteria, including being conducted by counsel distinct from the corporation’s defense counsel.

Overall, the core of the bill remains unchanged, and it still includes several potentially challenging issues, such as the separate representation point noted above and the effect that cooperating with German authorities may have on privilege in foreign jurisdictions. On June 16, 2020, the Federal Government adopted the draft bill and has introduced it to Parliament.

Russia

Over the past year, arrests have been made in connection with a long-running graft scheme involving officials from Russia’s FSB (the successor to the KGB), Deposit Insurance Agency (Russia’s version of the FDIC), and other government agencies. As alleged, the scheme was perpetrated in the context of bank supervision: in exchange for allowing banks to continue operating, representatives of security services allegedly demanded payments from bank owners; and, when government regulators took over privately owned banks, the same representatives of security services and other government officials illicitly extracted cash from the distressed banks. After one former FSB colonel was arrested and charged with fraud and bribery for his involvement in the scheme, Russian criminal authorities reportedly seized more than $100 million in his possession. Another former government official (formerly of the Deposit Insurance Agency), who is alleged to have aided the former FSB colonel, fled Russia before he could be apprehended.

In addition, as we anticipated in our 2019 Year-End FCPA Update, since January 1, 2020, information about administrative anti-corruption convictions of entities, as well as entry in the public register of corporate corruption offenders, has been included in their registration profiles in the public procurement register of suppliers participating in public procurement, meaning this information is available to prospective purchasers. In the first half of 2020, 57 new entities were added to the public register of corporate corruption offenders, bringing the total number of entities in the register to just over 1,000. In a June 17, 2020 speech before the upper chamber of the Russian parliament, Russia’s Prosecutor General emphasized the importance of using the register in conducting due diligence on suppliers to prevent corruption in public procurement.

Ukraine

On May 13, 2020, the Ukrainian parliament passed into law a bill that prohibits the return of nationalized banks to their former private owners. The effect of this legislation is to prevent international aid money from being siphoned from nationalized banks into the pockets of oligarchs. This move was critical in Ukraine securing a $5.5 billion loan from the IMF to help with pandemic relief, but is seen as an affront to Ihor Kolomoisky, the prominent co-founder of PrivatBank viewed by many as a large supporter of President Zelensky’s election campaign. In addition, a new law that offers protections to whistleblowers and includes rewards for tips helpful to investigations of corruption cases involving a certain level of damages to the state entered into effect earlier this year.

Balancing against these positive developments on the anti-corruption front, in March 2020, the parliament fired several government officials who were viewed internationally as reformers. The dismissals included the country’s top prosecutor as well as the well-regarded heads of the customs and tax bureaus. President Zelensky in particular argued that the top prosecutor had not produced any tangible results, whereas the latter claimed that President Zelensky’s party dismissed him for proposing significant anti-corruption reforms. This comes amid perceptions that President Zelensky’s fight against corruption is stalling: a February 2020 survey indicated that many Ukrainians believe that the president is failing in his fight against corruption.

Uzbekistan

In March 2020, Uzbekistan’s Supreme Court announced that Gulnara Karimova, the daughter of Uzbekistan’s former president, was found guilty of extortion, racketeering, money laundering, and embezzlement of up to $1.6 billion of public funds, and sentenced to 13 years in prison. According to the Court, Karimova illegally purchased shares in two state-owned cement companies at artificially low prices before selling those shares abroad for a large profit. Karimova previously was convicted of tax evasion, extortion, and embezzlement in 2015, and of fraud, customs and currency violations, and money laundering in 2017, and sentenced to house arrest. After violating the terms of her house arrest, Karimova was jailed in March 2019. According to local law, the new sentence will apply from August 2015 and run concurrently with the previous sentences, effectively resulting in an additional eight years of prison time. As reported in our 2019 Year-End FCPA Update, in 2019 DOJ charged Karimova with money laundering conspiracy as part of the alleged bribery scheme in the Uzbek telecommunications sector that has ensnared several companies and individuals, and efforts reportedly are underway in several countries, including France, Latvia, Russia, and Switzerland, to recover Karimova’s allegedly ill-gotten assets.

The Americas

Brazil

As Operation Car Wash enters its seventh year and launches its 71st phase, Brazil faces a new corruption scandal. In April 2020, Brazil’s justice minister and former Operation Car Wash judge, Sérgio Moro, resigned after accusing President Jair Bolsonaro of seeking to exercise improper control over the federal police. The public prosecutor has opened a criminal investigation into Moro’s claims that Bolsonaro fired the federal police chief, Mauricio Valeixo, in order to install a chief who would permit him to interfere in corruption investigations, and that the President previously sought to replace the head of police in Rio de Janeiro, where two of his sons are under investigation.

In January 2020, Brazil’s new Anticrime Law took effect. The law, which establishes protections for whistleblowers reporting public corruption and fraud, requires the government to establish an ombudsman office to facilitate whistleblower reports, shields whistleblowers from civil or criminal liability in connection with their reports, and offers financial incentives for whistleblowers who provide information that leads to the recovery of proceeds from crimes against the public administration. Although Brazil previously had employed leniency agreements to encourage whistleblower complaints (including throughout Operation Car Wash), the new law formalizes protections and financial incentives for whistleblowing relating to public corruption, fraud in government procurement and contracts, and other crimes or misconduct that harm the public interest.

Also beginning in January 2020, companies seeking to contract with the Federal District for more than R$5 million must adopt compliance policies and procedures. The new regulations bring the Federal District in line with several other Brazilian states requiring companies to report on their compliance programs when seeking government contracts. And beginning in October 2020, companies must comply with enhanced Brazilian Central Bank regulations relating to suspicious transaction reporting, money laundering, and terrorist financing.

Ecuador

Former president Rafael Correa, living in Belgium since leaving office in 2017, was found guilty of bribery and corruption and sentenced in absentia to eight years’ imprisonment in April. Correa was one of 20 people, including his former vice president, accused of accepting $8 million in bribes in exchange for government contracts between 2012 and 2016. Correa has expressed interest in running for office in 2021, but the court’s sentence bars him from political office for 25 years.

Mexico

In February 2020, former Petróleos Mexicanos (“PEMEX”) CEO Emilio Lozoya Austin was arrested in Spain on a Mexican warrant for tax fraud and bribery charges associated with his alleged acceptance of more than $10 million in bribes from Odebrecht. A Spanish court agreed to extradite Lozoya to Mexico in early July. Additionally, in June 2020, Mexican prosecutors announced an investigation into a former project coordinator at PEMEX’s refinement subsidiary, Mario Alberto García Duarte, regarding alleged unexplained increases in wealth while managing contract awards to Odebrecht.

Asia

China

In January 2020, during the Fourth Plenary Session of the 19th Central Commission for Discipline Inspection, President Xi Jinping reiterated that enforcement authorities will continue to focus on combating corruption in state-owned enterprises, the financial sector, and in the healthcare sector. In the months that followed, anti-graft agencies announced several investigations, arrests, and convictions of high-level government officials at state-owned enterprises and international organizations. In May, Zhao Zhengyong, Shaanxi province’s former governor and Communist Party secretary, pleaded guilty to accepting more than $100 million in bribes, and related to the same case anti-graft authorities expelled He Jiuchang, the former chairman of one of the country’s largest oil refiners, from the Communist Party. And in January, Meng Hongwei, the former president of Interpol, was sentenced to 13 1/2 years in prison for accepting more than $2 million in bribe payments.

We also continue to see enforcement actions against high-profile executives in the financial sector. In February, the former head of state-owned China Development Bank, Hu Huaibang, was arrested for accepting bribes. In May, Chinese authorities indicted Sun Deshun, the former president of a Chinese bank, on charges of accepting bribe payments in exchange for using his position to benefit others. Authorities also have commenced multiple enforcement actions against executives of Shandong-based Hengfeng Bank following the government’s approval of a $14.21 billion bailout of the distressed lender; in December, former chairman Jiang Xiyun was sentenced to death for corruption, accepting bribes, and embezzling $108 million of the bank’s stock. Xiyun’s successor, Cai Guohua, is currently on trial for similar charges after allegedly amassing significant amounts in illicit gains during his tenure at the bank.

More recently, in June, several central government agencies issued a joint notice regarding the government’s 2020 enforcement priorities in the healthcare sector. The notice indicates that, by year-end, enforcement authorities will begin to target corruption related to academic conferences, donations, and research collaborations between doctors and pharmaceutical companies.

India

In March 2020, the newly appointed federal anti-corruption watchdog “Lokpal” opened its doors to receiving complaints with the announcement of formal procedures for complaint submissions. The Lokpal has since received 1,426 complaints, of which it claims it has disposed of 1,200. The precise nature of these cases remains unclear, as does detailed information regarding the Lokpal’s actions in response to allegations of corruption.

In February, India’s Ministry of Corporate Affairs introduced the Companies (Auditor’s Report) Order, 2020, which is intended to strengthen the corporate governance and audit framework for Indian companies. Per the order, statutory auditors must, in the course of drafting the auditor’s annual report, disclose whether they have considered any whistleblower complaints received by the company. Companies must therefore disclose details of whistleblower complaints to their statutory auditors. The order does not provide further detail on the meaning of “whistleblower complaint,” or on the level of detail companies must disclose. The order initially applied to audits of the 2019-2020 financial year; however, due to the COVID-19 pandemic, implementation has been deferred to the 2020-2021 financial year.

In May, the State Vigilance and Anti-Corruption Bureau of Himachal Pradesh arrested the state’s senior health official, Ajay Kumar Gupta, after an audio recording surfaced purportedly showing Gupta asking a supplier of COVID-19 protective equipment for a bribe. The state’s leader of the ruling Bharatiya Janata Party resigned in the days following the arrest, and opposition lawmakers in the state have called for a high-level impartial probe into allegations that party leaders may be involved in the misconduct.

Indonesia

As reported in our 2019 Year-End FCPA Update, Indonesia passed legislation in late 2019 that significantly weakened the powers of the country’s anti-corruption agency, the Corruption Eradication Commission (“KPK”). In the months that have followed, anti-corruption watchdogs have cited a decrease in investigations, arrests, and enforcement actions by the KPK as evidence of the agency’s weakened powers and independence under the new law.

Now in light of the COVID-19 pandemic, lawmakers and activists have called on the KPK to take action against corruption related to the public health emergency. In response, the KPK has created a task force to oversee certain sectors of the government’s response that are perceived to be prone to corruption, and KPK Chairman Firli Bahuri warned in April that those found guilty of corruption relating to the country’s COVID-19 relief funds may face the death penalty.

Malaysia

In February 2020, AirAsia CEO Tony Fernandes and AirAsia Group Chairman Kamarudin Meranun stepped down from their positions following bribery allegations that surfaced in connection with Airbus’s multi-billion dollar global bribery settlement with French, U.S., and UK authorities discussed above. The allegations relate to Airbus’s alleged $50 million sponsorship of a Formula 1 racing team jointly owned by two unnamed AirAsia executives. Malaysia’s Anti-Corruption Commission (“MACC”) has opened an investigation into the allegations and is reportedly working with UK authorities to gather evidence. Both executives have denied wrongdoing, and AirAsia has denied making any purchase decisions on the basis of the Airbus sponsorship.

The collapse of Malaysia’s ruling political coalition in February and the swearing in of new Prime Minister Muhyiddin Yassin have sown doubt over the government’s pursuit of enforcement actions against high-level officials in connection with the 1MDB scandal. The new government is allied with former Prime Minister Najib Razak’s political party, United Malays National Organisation (“UMNO”), and drew sharp criticism over prosecutors’ decision in May to enter into a settlement with Najib’s stepson, Riza Aziz, for his role in the scandal. Under the settlement, Riza agreed to return overseas assets worth more than $107 million; he had been charged with laundering $248 million from the government investment fund. High-profile enforcement actions against Najib and his wife, Rosmah Mansor, continue to progress. As reported in our 2019 Year-End FCPA Update, Najib faces 42 charges of corruption, abuse of power, and money laundering in five criminal cases linked to the 1MDB scandal. Prosecutors concluded the first trial against Najib in early June, and a verdict is expected in July.

South Korea

In December 2019 and January 2020, the National Assembly passed two amendments to The Act on Preventing Bribery of Foreign Public Officials in International Business Transactions. The amendments give enforcement authorities the power to conduct wiretaps in foreign bribery cases, and raise the maximum penalties for individuals and corporations convicted of foreign bribery.

In February 2020, former Korean President Lee Myung-Bak was sentenced by the Seoul High Court to a jail term of 17 years, plus more than $15 million in fines and forfeiture, associated with his March 2018 arrest on multiple charges of corruption, including bribery, embezzlement, tax evasion, and abuse of power as discussed in our 2018 Mid-Year FCPA Update.

Vietnam

In late December 2019, a Vietnamese court sentenced former Minister of Information and Communications Nguyen Bac Son to life in prison after finding him guilty of accepting $3 million in bribes from state telecommunications firm MobiFone Telecommunications Corporation in connection with MobiFone’s acquisition of digital television service Audio Visual Global JSC (“AVG”). At the trial, former MobiFone chairman Le Nam Tra confessed to accepting bribe payments from AVG, and to making payments to Son to gain his support for the acquisition. An appeals court upheld Son’s life sentence in April. The case, which also resulted in the convictions of several MobiFone and AVG executives, is part of a broader anti-corruption campaign spearheaded by Vietnamese President and Communist Party General Secretary Nguyen Phu Trong.

Middle East and Africa

Ghana

Part of the allegations related to Airbus’s multibillion dollar resolution, discussed above, involves a campaign to sell the C-295 military vehicle to the Ghanaian government. This allegedly involved payments made through various consultants to influence “Individual 1” to use his political weight in the country to secure purchase of several C-295 aircraft. A special prosecutor in Ghana has announced a formal investigation into the matter, and public reports suggest that “Individual 1” could be John Dramani Mahama, who served as Vice President of Ghana from 2009 to 2012 and as President when John Atta Mills passed away in July 2012. Mahama denies wrongdoing.

Israel

On May 24, 2020, Israeli Prime Minister Benjamin Netanyahu made his first in-court appearance in the landmark corruption trial stemming from three separate allegations of wrongdoing made by the Israeli Attorney General’s office (covered most recently in our 2019 Year-End FCPA Update). Proceedings currently are adjourned until July, but due to the current pandemic and other extenuating circumstances, the prosecution may not begin its case-in-chief for many months. Netanyahu maintains that he is innocent.


The following Gibson Dunn lawyers assisted in preparing this client update:  F. Joseph Warin, John Chesley, Christopher Sullivan, Richard Grime, Patrick Stokes, Reuben Aguirre, Claire Aristide, Claire Chapla, Austin Duenas, Andreas Dürr, Helen Elmer, Julie Hamilton, Daniel Harris, Patricia Herold, Amanda Kenner, Derek Kraft, Kate Lee, Nicole Lee, Taonga Leslie, Allison Lewis, Lora MacDonald, Andrei Malikov, Megan Meagher, Jesse Melman, Steve Melrose, Caroline Monroy, Erin Morgan, Alexander Moss, Jaclyn Neely, Virginia Newman, Ning Ning, Nick Parker, Liesel Schapira, Emily Seo, Jason Smith, Pedro Soto, Laura Sturges, Karthik Ashwin Thiagarajan, Grace Webster, Oliver Welch, Ralf van Ermingen-Marbach, Jeffrey Vides, Oleh Vretsona, Alina Wattenberg, Dillon Westfall, Brian Yeh, and Caroline Ziser Smith.

© 2020 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.