This update provides a summary of the key features of the regime as currently set out in the Draft Regulations.

The Dubai International Financial Centre Authority (DIFCA) has published a draft of the Variable Capital Company Regulations (the Draft Regulations) for public consultation, proposing a novel corporate structure aimed at enhancing the DIFC’s attractiveness as a jurisdiction for structuring investment platforms, including for family offices, asset holding, and private investment purposes.

The new regime introduces the Variable Capital Company (VCC), which offers a flexible framework for segregating assets and liabilities through the creation of “Cells” within a single legal entity.

The consultation process remains ongoing, and the final form of the regulations may change depending on feedback received. This update provides a summary of the key features of the regime as currently set out in the Draft Regulations.

Background and Context

The DIFC currently offers a limited cell regime under its existing Protected Cell Company framework, which is available only to certain types of investment companies. However, this framework does not include features such as segregated cells (described below). The proposed VCC regime introduces a more versatile and commercially attractive vehicle, offering structuring options that go beyond what is currently available under the DIFC’s existing framework.

Similar vehicles are available in only a few other jurisdictions, such as Singapore and Mauritius, which have implemented their own VCC regimes in recent years. By introducing a comparable structure, the DIFC aims to enhance its competitiveness and appeal to global investors, family offices, and asset managers seeking flexible and cost-effective structuring options.

Overview of the VCC Structure

A VCC is a private company that may be established in the DIFC either with one or more Segregated Cells or Incorporated Cells (each, a Cell) but not both, which may hold assets and liabilities separately from those of the VCC and other Cells. A VCC may have any number of Segregated Cells or Incorporated Cells, or none, in each case as provided for in its Articles of Association. This allows for ring-fencing of liabilities and targeted investment structuring.

Notably:

  • A Segregated Cell does not have separate legal personality but is treated as segregated for asset and liability purposes.
  • An Incorporated Cell is itself a private company with separate legal personality but cannot own shares in other Cells or the VCC.

The VCC structure is modelled to appeal to family offices, private funds, and other investment vehicles seeking to consolidate multiple investments within a single corporate structure, while maintaining legal separation between them.

Qualifying Criteria

Applicants must satisfy one of the following conditions:

  • The VCC will be controlled by GCC Persons, Registered Persons or Authorised Firms; or
  • It is established, or continued in the DIFC for purposes of holding legal title to, or controlling, one or more GCC Registrable Assets;
  • It is established for a Qualifying Purpose, defined to include Aviation Structures (persons having the sole purpose of facilitating the owning, financing, securing, leasing or operating an interest in aircrafts), Crowdfunding Structures (persons established for the purpose of holding the asset(s) invested through a crowdfunding platform), Intellectual Property Structures (persons established for the sole purpose of holding intellectual property for commercial purposes), Maritime Structures (persons having the sole purpose of facilitating the owning, financing, securing, chartering, managing or operating of an interest in maritime vessels or maritime units), Structured Financing (persons having the sole purpose of holding assets to leverage and/or manage risk in financial transactions), or  Secondaries Structures (vehicles facilitating the transfer of investment assets to secondary investors); or
  • It is established or continued in the DIFC has a Director that is an Employee of a Corporate Service Provider and that Corporate Service Provider has an arrangement with the DIFC Registrar pursuant to the relevant provisions in the Draft Regulations.

Key Features

1. Regulatory Oversight

  • VCCs are subject to the DIFC Companies Law and other Relevant Laws, unless otherwise provided.
  • The DFSA must authorise any VCC providing financial services.
  • The license of the VCC established for a Qualifying Purpose shall be restricted to the activities specific to the Qualifying Purpose stated in its application to incorporate or continue in the VCC in the DIFC, or any other permitted purpose shall be restricted to the activity of Holding Company. A VCC shall not be permitted to employ any employees.

2. Share Capital and Distributions

  • VCCs may issue and redeem shares based on the net asset of the company or individual Cells.
  • Cellular distributions must relate solely to the assets and liabilities of the relevant Cell, and must not impact other Cells or the VCC’s general assets.

3. Asset Segregation and Liability Protection

  • Officers may incur personal liability if they breach their duties regarding segregation and disclosure of cell identity in transactions.
  • The regulations include detailed provisions governing the consequences of unlawful inter-Cell transfers and creditor protections.
  • Each transaction with third parties must clearly specify the relevant Cell and limit recourse accordingly.

4. Conversions, Mergers, and Transfers

The framework allows for:

  • Conversion of existing DIFC companies into VCCs and vice-versa;
  • Transfer of incorporated cells between VCCs, subject to Registrar approval and creditor protection mechanisms;
  • Merger or consolidation of Segregated Cells, with prior written notice and creditor opt-out rights.

5. Licensing and Naming

  • VCCs must end their names with “VCC Limited” or “VCC Ltd.”
  • Segregated Cells and Incorporated Cells must have unique identifiers (e.g., “VCC SC” or “VCC IC”).
  • Licences are limited to the specific activities of the Qualifying Purpose, though VCCs controlled by Qualifying Applicants may be licensed for broader purposes.

6. Shareholder Transparency and AML Compliance

  • VCCs must maintain separate registers of shareholders for each Cell.
  • Ultimate beneficial ownership disclosure obligations apply in line with DIFC UBO Regulations.

7. Fees and Incorporation Process

The proposed incorporation and licensing fees are aligned with the DIFC’s broader cost-efficient regime:

  • USD 100 for incorporation;
  • USD 1,000 for an annual licence;
  • USD 300 for lodging a Confirmation Statement.

Key Topics

Some of the key topics included in the consultation paper include questions around:

  • the scope and breadth of the proposed qualifying-requirements test, including whether proprietary investment access is too wide or too narrow;
  • appropriateness of allowing both Segregated Cells and Incorporated Cells within a single regime, and the implications of prohibiting a VCC from having both types concurrently; and
  • adequacy of creditor-protection measures, notice, publication and court-application rights on conversion of a VCC into a standard DIFC company and vice versa.

Practical Implications

The proposed introduction of the VCC regime provides a robust framework for private clients and investment entities to achieve structural and operational flexibility within a regulated DIFC environment. Key advantages include:

  • Legal segregation of assets/liabilities for risk mitigation.
  • Simplified investment platform management.
  • Suitability for private wealth structuring, crowdfunding, and secondary market transactions.

The following Gibson Dunn lawyers prepared this update: Andrew Steele and Omar Morsy.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Mergers & Acquisitions or Private Equity practice groups, or the authors:

Andrew Steele – Abu Dhabi (+971 2 234 2621, asteele@gibsondunn.com)

Omar Morsy – Dubai (+971 4 318 4608, omorsy@gibsondunn.com)

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

The Civil Transactions Law codifies the rules governing liquidated damages clauses under Saudi law. This client alert outlines key considerations for contracting parties when adopting such clauses, and how courts may approach them in practice.

How Liquidated Damages Clauses are Recognized in Saudi Arabia

The Saudi legal framework recognizes liquidated damages as pre-agreed estimates of losses incurred by one party due to the other party’s breach of contract, including non-performance or delay in fulfilling contractual obligations.

Historical Context

Even prior to the Civil Transactions Law, Saudi courts recognized liquidated damages clauses based on Sharia principles. Such clauses have been upheld as valid and enforceable, except in cases where:

  • the breaching party had a legitimate excuse for non-performance or delay; or
  • the agreed amount was deemed excessively high, amounting to financial coercion, in which cases courts have assessed excessiveness based on prevailing customs and practices.[1]

How Liquidated Damages Operate Today

  • Validity:Parties can agree on liquidated damages, either in the original contract or a later agreement.[2]
  • Simplified Burden of Proof:Liquidated damages clauses render the occurrence of damages presumed. To enforce such a clause, the aggrieved party is not required to prove damage or causation – merely that a breach has occurred.[3]
  • Avoiding Liquidated Damages:A party may avoid liability under a liquidated damages clause by proving either:
    • that the other party did not suffer any damage;[4] or
    • that the damage was not caused by the party’s breach, but rather by the other party’s acts, omissions, or a force majeure event.
  • Reducing Liquidated Damages:The breaching party may be successful in reducing the sum of liquidated damages by proving either:
    • that the pre-agreed amount is grossly exaggerated, thereby allowing the court to rule in accordance with the general principles of liability under Saudi law;[5] or
    • that the breaching party has partially performed their obligations, thereby allowing the court to assess the extent of unperformed obligations and apply the liquidated damages clause accordingly.[6]
  • Court Discretion:Courts cannot freely adjust liquidated damages clauses. Their discretion is limited to:
    • reducing the amount in cases of gross exaggeration or partial performance. A mere discrepancy between the damages incurred and the agreed sum is insufficient to warrant reduction[7]; or
    • increasing the sum if the non-breaching party proves that deceit or gross negligence by the debtor caused the damage to exceed the agreed sum.[8]
  • Prohibition on Payment Obligations:In line with Saudi Arabia’s strict prohibition of interest payments[9], it is impermissible as a matter of public policy for liquidated damages to apply to payment obligations.[10]
  • How Saudi Arabia Compares to Neighboring Jurisdictions:Saudi Arabia’s approach towards liquidated damages clauses shares similarities with the approaches of UAE and Egypt, but there are some differences. For example:
Element Saudi Arabi UAE Egypt
Default position on prior notice of imposition No prior notice required.[11] Prior notice required.[12] Prior notice required.[13]
Court discretion to adjust liquidated damages Relatively limited.[14] Relatively broad.[15] Relatively limited.[16]

Points to Consider When Drafting a Liquidated Damages Clause

  1. Be specific. Clearly define what triggers the liquidated damages (delays, quality issues, etc.).
  2. Consider industry benchmarks. Base estimates on market standards or historical data to avoid claims of exaggeration.
  3. Expressly address partial performance. Specify how damages will be calculated if some of the triggering obligations are met.
  4. Follow notice requirements. While Saudi law does not by default require notice to enforce liquidated damages, your specific contract might.
  5. Understand burden of proof requirements. Know who bears the burden of proof in different scenarios to claim or defend tactically.
  6. Consider all available remedies and seek them tactically. Parties may be precluded from enforcing liquidated damages clauses in conjunction with other contractual remedies.

[1]  Resolution No. 25 dated 31/08/1394H by the Council of Senior Scholars: “The Council unanimously decides that the penalty clause stipulated in contracts is valid and legally binding, and must be upheld unless there is a legitimate excuse for the breach of the obligation that justifies it under Sharia. In such a case, the excuse nullifies the obligation until it ceases. If the penalty clause is, by customary standards, excessive to the extent that it serves as a financial threat and deviates significantly from the principles of Sharia, then fairness and equity must prevail, based on the actual loss of benefit or incurred harm.” Cases in which Saudi courts upheld the Council of Senior Scholar’s Resolution No. 25 include the General Court’s Decision No. 1 of 1439H: “The liquidated damages clause included in contracts is a valid and enforceable condition which must be upheld, unless there is a legitimate excuse for breaching the obligation that is recognized under Shari’a, in which case the excuse suspends the obligation until it ceases. If the amount of liquidated damages is excessive by customary standards, to the point that it constitutes financial coercion and departs from the principles of Shari’a, then recourse must be had to justice and fairness, based on the actual harm incurred or the benefit lost. The determination of such matters in case of dispute is to be made by the competent court with the assistance of experts and professionals.”

[2]  Civil Transactions Law, Article 178: “The contracting parties may specify in advance the amount of compensation whether in the contract or in a subsequent agreement, unless the subject of the obligation is a cash amount. The right to compensation shall not require notification.”

[3]  For example: Board of Grievance’s decision in Case No. 20 of 1430H (predating the enactment of the Civil Transactions Law): “…and the administrative authority is not required to prove that it has suffered harm, given that [the liquidated damages] constitute an agreed-upon compensation for presumed harm, including harm resulting merely from delay.” Commercial Court in Riyadh’s decision in Case No. 4530906759 of 1445H: “The Law expressly provides that liquidated damages are not due to the creditor if the debtor proves that the creditor has suffered no harm. This is specifically stated in paragraph (1) of Article (179) of the same Law mentioned above,” presuming that liquidated damages are initially owed to the creditor upon breach, and it is the debtor’s burden to rebut this presumption by proving the absence of harm. This position is consistent with the literature of leading scholars in the region. For example, A. Sanhouri, ‘Al Waseet on the Explanation of the Civil Code’, Part Two, p. 817, concerning a similarly formulated legal provision in Egypt’s Civil Code: “[…] the presence of a Liquidated Damages Clause renders the occurrence of damage presumed, and the creditor would not be required to prove it.  Therefore, if the debtor alleges that the creditor has not incurred damage, it is he who would bear the burden of proof, and not the creditor.”

[4]  Civil Transactions Law, Article 179: “Compensation that is contractually agreed upon by the parties shall not be payable if the debtor proves that the creditor has sustained no harm.”

[5]  Civil Transactions Law, Article 179(2): “The court may, upon a petition by the debtor, reduce the compensation if the debtor establishes that the agreed-upon compensation was excessive or that the original obligation was partially performed.” A. Almarjah, ‘Explanation of the Saudi Civil Transactions law,’ 1445H, Part One, p. 297: “Judicial intervention is limited to removing exaggeration in the liquidated damages clause, not to assessing its proportionality to the actual harm. Accordingly, if the agreed liquidated damages exceed the actual harm, but the excess is not deemed gross, the judge may not reduce the amount.”

[6]  Civil Transactions Law, Article 179(2): “The court may, upon a petition by the debtor, reduce the compensation if the debtor establishes that the agreed-upon compensation was excessive or that the original obligation was partially performed.”

[7]  A. Sultan, ‘A Brief on the General Theory of Obligation’, 1983, Section 2, p. 78, concerning a similarly formulated legal provision in Egypt’s Civil Code: “…if there is excess in the quantification, but it is not exaggerated, it is impermissible to reduce it, as the fundamental principle is that the Judge orders in accordance with what has been agreed-upon by the parties, and absent one of the conditions of the exception, it is obligatory to resort to the fundamental principle.” A similar opinion has been given by a Saudi scholar; A. Almarjah, ‘Explanation of the Saudi Civil Transactions law,’ 1445H, Part One, p. 297: “Judicial intervention is limited to removing exaggeration in the liquidated damages clause, not to assessing its proportionality to the actual harm. Accordingly, if the agreed liquidated damages exceed the actual harm, but the excess is not deemed gross, the judge may not reduce the amount.”

[8]  Civil Transactions Law, Article 179(3): “The court may, upon a petition by the creditor, increase the amount of compensation to the extent necessary to cover the harm if the creditor establishes that an act of fraud or gross negligence by the debtor is what caused the harm to exceed the agreed-upon compensation.”

[9]  Commercial Court in Jeddah, Case No. 4531041638 of 1445H: “…it is impermissible to agree on compensation where the subject of the obligation is a monetary amount. Given that this Article pertains to public order (public policy), the parties may not contract out of or override its provisions…”

[10]  See, Resolution No. (109) (12/3) of the International Islamic Fiqh Academy: “It is permissible to stipulate a penalty clause in all financial contracts, except in contracts where the primary obligation is a debt, as this would constitute explicit riba (usury),” upheld by the Commercial Court in Jeddah in Case No. 433665897 of 1443H.

[11]  Civil Transactions Law, Article 178: “The contracting parties may specify in advance the amount of compensation […] The right to compensation shall not require notification.”

[12]  UAE’s Civil Transactions Law, Article 387: “Compensation is not due without the debtor being notified, unless otherwise provided by law or agreed upon in the contract.”

[13]  Egypt’s Civil Code, Article 218: “Unless otherwise specified, compensation is not due without the debtor being notified.”

[14]  Civil Transactions Law, Article 179(2): “The court may, upon a petition by the debtor, reduce the compensation if the debtor establishes that the agreed-upon compensation was excessive or that the original obligation was partially performed.” Id, Article 179(3): “The court may, upon a petition by the creditor, increase the amount of compensation to the extent necessary to cover the harm if the creditor establishes that an act of fraud or gross negligence by the debtor is what caused the harm to exceed the agreed-upon compensation.”

[15]  There are some inconsistent court decisions noted across and within each of the jurisdictions. UAE’s Civil Transactions Law, Article 390(2): “The judge may, in all cases, at the request of one of the parties, amend such an agreement, in order to make the amount assessed equal to the damage. Any agreement to the contrary is void.”

[16]  Egypt’s Civil Code, Article 224: “(1) Damages fixed by agreement are not due, if the debtor establishes that the creditor has not suffered any loss. (2) The judge may reduce the amount of these damages, if the debtor establishes that the amount fixed was grossly exaggerated or that the principal obligation has been partially performed. (3) Any agreement contrary to the provisions of the two preceding paragraphs is void.


The following Gibson Dunn lawyers prepared this update: Mahmoud Abdel Baky, Rashed Khalifah, and Hamzeh Zu’bi*.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s International Arbitration, Judgment and Arbitral Award Enforcement, or practice groups, or the following authors in Riyadh:

Mahmoud Abdel-Baky (+966 55 056 6323, mabdel-baky@gibsondunn.com)

Rashed Z. Khalifah (+966 55 236 0511, rkhalifah@gibsondunn.com)

*Hamzeh Zu’bi is a trainee associate in Riyadh and not admitted to practice law.

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

In a transformative step to enhance and better protect its business environment, Saudi Arabia has enacted a new Trade Name Law, which was published in the Official Gazette (Um AlQura) on October 4, 2024, and has come into effect on April 3, 2025.

Introduction

The law came into effect on April 3, 2025, replacing the previous legislation that had been in force since November 23, 1999. The implementing regulations were published on March 30, 2025, and took effect concurrently with the new law.

This law reform marks yet another significant step in the modernization of Saudi’s legal framework, streamlining processes and fostering a transparent, efficient business landscape. Below, we outline the key features of the new law and its practical implications in Saudi Arabia.

Key Features of the New Trade Name Law

1. Simplified Trade Name Selection

The updated Trade Name Law offers businesses greater flexibility in reserving and registering trade names. Trade names can be reserved for an initial period of 60 days, with the possibility of extending for an additional 60 days. Further extensions may be granted but are subject to specific registration circumstances. Given the exclusivity associated with registered/reserved trade names, there is a greater practical need to register desired trade names ahead of time. If the reservation period expires and the procedures for the issuance of a commercial register certificate are not complete, the reservation will lapse, and the trade name will become available for reservation by any person. All reservations and extensions will be subject to payment of fees.

2. Linguistic Flexibility

The old trade names regime was renowned for its strict restrictions on the use of foreign trade names with only a few exceptions being permitted for certain foreign companies or as determined on a case-by-case basis by the Minister of Commerce. The new Trade Name Law ushers in a new era as trade names can now be registered in Arabic, transliterated Arabic (i.e., Arabic words or text that have been written using the Latin (Roman) alphabet instead of the Arabic script), English, or combinations of letters and numbers (with a maximum of 9 digits).

It is recommended that all businesses ensure linguistic consistency in branding to maximize recognition. Foreign investors will need to ensure that the foreign trade name is writable in English and is capable of being translated into Arabic.

3. Independent Trade Name Ownership

Trade names are capable of being owned, sold, or assigned to other persons, which enhances their commercial value. Given that trade names are exclusive and cannot be replicated, registering and owning a trade name provides businesses with a potentially valuable asset.

What Else Has Changed? A Deeper Look at the New Trade Name Law

Trade Name Registration Process

Article 5 of the new law provides a clearer process regarding the trade name application process, including clearer decision-making timelines of up to 10 days from the date of submission of the application, compared to the old timeline which took up to 30 days (see Article 7 of the old regulation). The decision timeline is extendable in certain cases to 30 days when external approval of a trade name is required.

The Ministry of Commerce has integrated the trade name reservation service into the Saudi Business Center portal, which now manages all trade name applications. After a trade name application is accepted, publication is now mandatory, with applicants bearing associated costs.

Priority is given to the first applicant i.e. first in time to submit an application, if multiple applications for the same name exist. If the registrar rejects an application, applicants will have 60 days to appeal to the Ministry.

Trade Name Protection Against Unauthorized Use

The new law, under its Article 6, strengthens protection against unauthorized use such that no person is entitled to use a trade name registered that belongs to someone else. A fine of SAR 10,000 is now imposed as per Article 15 of the implementing regulations to strengthen adherence to the law and limit unauthorized use of registered or reserved trade names. Businesses with registered names in the Commercial Register have the right to seek compensation for damages caused by unauthorized use. This means that the commercial register serves as proof of ownership, and any person who makes any unauthorized use of a registered trade name will have committed a violation and may be liable to pay compensation to the registered owner of the trade name.

Prohibited Trade Names

Article 7 of the new law outlines the following prohibitions:

  • Trade names must not violate public order or morality.
  • Names that are misleading, deceptive, or resemble an already registered trade name (regardless of activity type) are not allowed.
  • Names similar to famous trademarks are restricted unless owned by the applicant.
  • Names containing political, military, or religious references are prohibited.
  • Trade names must not resemble symbols of local, regional, or international organizations.

The Ministry of Commerce will also maintain and update a public list of prohibited names regularly, for transparency. Some of the prohibitions introduced by the Trade Names Law are quite broad in nature (particularly the prohibitions relating to “public order or morality” and “famous trademarks”).

It remains unclear how broadly these prohibitions will be interpreted and applied by the Registrar, and the practical challenges such prohibitions may create for applicants wishing to register their trade names. It also remains to be seen whether other restrictions will be unilaterally imposed by the Ministry by way of practice or by way of circumstance and how far the Ministry may go in enforcing these restrictions. To date, the Ministry has already started to reject applications containing the word “company” or that otherwise include a description of an ordinary business activity such as “regional headquarter”.

Monetary Fees for Name Reservations

Article 14 of the implementing regulation introduces the following new fee structure for trade name reservations:

  • SAR 200 for an Arabic trade name.
  • SAR 500 for an English trade name.
  • SAR 100 to extend reservation duration.
  • SAR 100 to dispose of the trade name.

New Guidelines for Trade Names Similarity Criteria

Article 5 of the implementing regulation stipulates a formal set of criteria and guidelines that will be used to determine whether a trade name is deemed too similar to an existing one, reducing ambiguity. Under these guidelines, a trade name will be considered like another if its written form closely resembles that of a registered, famous, or reserved trade name. This includes:

  • Identical spelling with different word arrangements.
  • Identical spelling with a one-letter difference.
  • Identical spelling with minor changes, such as adding, removing, or altering pronouns, definite articles, pluralization, or diminutives.
  • Identical pronunciation despite differences in spelling or numbers replacing letters, and vice versa.

Criteria mentioned above shall apply to English trade names and their corresponding wording with the use of Arabic letters.

Use of ‘Saudi’ or names of Saudi Cities and Regions in Trade Names

As per Article 4 of the implementing regulation, businesses can now reserve names containing ‘Saudi’ or the name of a Saudi city or region, subject to the following conditions:

  1. The name must not be identical or similar to any governmental entity.
  2. The main component or essential element of the name must not be ‘Saudi’ or a Saudi city or region.
  3. The name must not be used in a manner that would cause harm to the reputation of the Kingdom of Saudi Arabia.
  4. For both Makkah and Madinah regions, approval from the Royal Commission for Makkah and the Holy Sites or the Madinah Development Authority is required.

Practical Considerations for Businesses

Saudi Arabia’s new Trade Name Law enhances transparency, secures commercial identities, and increases business interests in Saudi. In line with this, businesses should consider the following:

  • Ensure Distinctiveness: With stricter rules on name similarity and given the relative ease of reserving/registering a trade name, applicants should conduct comprehensive trade name searches and check the Ministry’s prohibited names list before applying to avoid getting rejected.
  • Understand New Protections: Trade names are now valuable commercial assets—businesses should actively monitor for unauthorized use and take prompt legal action if necessary.
  • Consider Linguistic Strategy: With increased linguistic flexibility, businesses can choose names that enhance global branding while remaining compliant with local regulations.

For Tailored Legal Guidance

For expert legal advice on trade name registration and compliance, contact our team below.


The following Gibson Dunn lawyers prepared this update: Mohamed A. Hasan and Hadeel Tayeb.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more, please contact the Gibson Dunn lawyer with whom you usually work, or the authors in Riyadh:

Mohamed A. Hasan (+966 55 867 5974, malhasan@gibsondunn.com)

Hadeel Tayeb (+966 53 944 3329, htayeb@gibsondunn.com)

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

The new Rules come into effect from 3 April 2025.

Background:

On 21 February 2025, the Minister of Commerce officially decreed and published into law the Ultimate Beneficial Ownership Rules (UBO Rules). In line with steps taken by other financial centers and leading jurisdictions around the world, the UBO Rules require all companies in KSA, other than companies publicly listed in KSA, to disclose and maintain accurate information about their ultimate beneficial owners. The UBO Rules come into effect from 3 April 2025.

How does the UBO Rules define an Ultimate Beneficial Owner?

  1. The UBO Rules define an “ultimate beneficial owner” as any natural person who meets the following criteria:
    1. owns at least 25% of the company’s share capital whether directly or indirectly;
    2. controls at least 25% o the voting shares in the company, whether directly or indirectly;
    3. is entitled to appoint or remove a majority of the company’s board of directors, its manager or president, whether directly or indirectly;
    4. ability to influence decision-making or the business of the company whether directly or indirectly; or
    5. is a representative of any legal person to which any of above criteria applies.
  2. The UBO Rules clarify that if an ultimate beneficial owner cannot be identified by applying the foregoing criteria, then the company’s manager or members of its board of directors or its president will be regarded as its ultimate beneficial owner.

Key obligations under the UBO Rules:

Some of the key obligations under the UBO Rules include the following:

  • Incorporation: The Ministry of Commerce will now require applicants to disclose information on their ultimate beneficial owners as part of the application process for incorporation of companies in KSA.
  • Annual Filings: In relation to those companies already established at the time the UBO Rules come into effect, such companies will be required to make annual filings disclosing their ultimate beneficial owners. Such filings are due on the anniversary of the date on which companies were registered with the Ministry’s commercial register.
  • Maintenance & Updates: All existing companies will be required to maintain an ultimate beneficial owner register and notify the Ministry of any changes in the identity of an ultimate beneficial owner.
  • Required Information: It remains unclear what information will be requested by the Ministry to validate the identity of an ultimate beneficial owner in a relevant KSA company. Unsurprisingly, the UBO Rules grant the Ministry with broad authority to require disclosure. The UBO Rules state that the Ministry will publish guidelines with respect to its procedures and requirements for the identification of ultimate beneficial owners.

Exemption from UBO Rules:

The following entities are exempted from the application of the UBO Rules:

  1. Companies wholly owned by the state or any state-owned authorities whether directly or indirectly; and
  2. Companies undergoing insolvency proceedings in accordance with the Bankruptcy Law.

Additionally, the Minister of Commerce may issue exemptions on a case-by-case basis. All companies exempted from the UBO Rules are nevertheless required to prove to the Ministry that they enjoy such an exempted status.

Penalties for Non-Compliance:

A person that is required to comply with the UBO Rules but fails to do so, including its obligations to disclose/update information to the Ministry with respect to ultimate beneficial ownership, may face a fine of SAR 500,000.

Investors with complex shareholding structures in KSA should be wary of these UBO Rules as indirect changes in their shareholding structures could trigger disclosure obligations with the Ministry in KSA. All investors in KSA must start thinking about introducing appropriate internal protocols to ensure full compliance with the UBO Rules.


The following Gibson Dunn lawyers prepared this update: Mohamed A. Hasan and Lojain AlMouallimi.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more, please contact the Gibson Dunn lawyer with whom you usually work, or the authors in Riyadh:

Mohamed A. Hasan (+966 55 867 5974, malhasan@gibsondunn.com)

Lojain AlMouallimi (+966 11 827 4046, lalmouallimi@gibsondunn.com)

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

This update explores how the concept of loss of profit in contractual liability has evolved in light of the enactment the Saudi Civil Transactions Law.

Recent developments, including the enactment of the Civil Transactions Law,[1] have clarified certain aspects of recoverable damages in contractual liability, particularly regarding the permissibility of loss of profit claims under Saudi law. This article explores how the concept of loss of profit in contractual liability has evolved in light of the enactment of the Civil Transactions Law.

A. Historical Stance on Loss of Profit Claims

Previously, Saudi courts generally excluded the recovery of loss of profits in breach of contract claims. This was based on the prevailing Islamic Shari’a principle that compensation must be certain, rather than speculative. Courts viewed claims for lost profits as speculative, and thus were routinely rejected.[2] However, there have been some court decisions that granted loss of profit claims, although these were exceptional and not part of a consistent judicial trend.[3]

While these outlier court decisions did not clearly articulate a consistent standard for when loss of profits can be compensated, they referred to Islamic Shari’a principles that suggest loss of profits may be compensated where the loss is ‘certain.’ Article 5 of Resolution No. 109/3/12 of the International Islamic Fiqh Academy asserts that “…the damages that may be compensated include actual financial damages, true losses, and certain loss of profit.” The key element here is the element of “certainty.” Although the courts have not articulated a clear threshold for certainty in these decisions, they implied that the loss of profit must be capable of being verified to avoid speculation.

B. Interpretation of Loss of Profit Claims Under the Civil Transactions Law

In June 2023, the Civil Transactions Law was promulgated by Royal Decree No. 191/D, dated 29/11/1444H. The enactment of the Civil Transactions Law has clarified the legal treatment of loss of profit claims, expressly permitting them.

However, the Civil Transactions Law does not provide specific criteria or standards for assessing such claims. This gave rise to uncertainty regarding how Saudi courts will approach claims for lost profits in breach of contract claims under the Civil Transactions Law. Therefore, claims for lost profits will most likely be assessed according to the general rules of contractual liability under the Civil Transactions Law. These include:

  • Contractual liability must be established: All elements of contractual liability, namely breach, damages, and causation, must be proven by the claimant.[4] Saudi courts have upheld this rule in multiple judgments, ensuring that a breach of contract claim is only successful when all three elements are satisfactorily established.[5]
  • Quantum must be proven: Establishing the occurrence of loss in not enough. The claimant must also prove quantum. In straightforward cases, such as those involving documentary evidence like invoices, proving the quantum of damages can be a relatively simple process. However, in more complex cases, expert evidence is typically required to establish the quantum of damages. This has been the standard practice in Saudi courts.
  • Recoverable losses must be typically foreseeable: If compensation is not specified in the contract, the court will determine it. If the obligation arises from the contract and there is no fraud or gross negligence, damages are limited to those damages that are foreseeable at the time of the contract.[6]
  • The loss must be a natural consequence of the breach: As a general rule, recoverable damages include moral and material damages naturally arising from the breach, including loss of profit. The Civil Transactions Law uses an objective standard to determine this. Damages are considered a natural consequence if the aggrieved party could not have avoided them by exercising reasonable care.[7]
  • The award must not enrich the creditor: The goal of awarding damages in breach of contract cases is to restore the non-defaulting party to the position they would have occupied if the contract had been properly performed. In other words, compensation is intended to “fully cover the loss” and restore the aggrieved party to their original position – or to the position they would have been in – had the loss not occurred.[8]

It is noteworthy that Article 1 of the Civil Transactions Law mandates that, in the absence of specific legal provisions, the courts must apply Islamic Shari’a principles that are consistent with the general provisions of the Civil Transactions Law. This means that, despite the Civil Transactions Law’s explicit allowance for loss of profit claims, the courts may still turn to Shari’a principles requiring certainty in such claims.

C. Conclusion

The treatment of loss of profit claims in Saudi Arabia has evolved with the introduction of the Civil Transactions Law, representing a significant shift in the legal landscape. While Saudi law now permits the recovery of lost profits, the courts have yet to establish clear guidelines on how such claims will be assessed. In the absence of detailed court decisions, the general rules of contractual liability will be controlling, and the courts may rely on Islamic Shari’a principles and the requirement for certainty in determining whether loss of profit claims are compensable. As the legal framework continues to develop, a clearer standard for these claims is likely to emerge.

[1]  The Civil Transactions Law, promulgated by Royal Decree No. 191/D, dated 29/11/1444H.

[2]  This position was upheld in multiple cases. See, for example, the Commercial Court of Appeal in Riyadh’s Decision No. 4655 of 1442H and the Court of Appeal in Mecca’s Decision No. 430329136 of 1443H.

[3]  Court of Appeal of Board of Grievances’ Decision No. 2454 of 1437 and Jeddah Commercial Court of First Instance’s Decision No. 2393 of 1437H are examples of cases in which courts allowed claims for lost profits, citing Islamic Shari’a authorities that permit such claims if the loss is “certain.”

[4]  Article 2(1) of the Evidence Law, promulgated by Royal Decree No. D/43, dated 25/5/1443: ((A claimant shall have the burden of proof and a defendant shall have the burden of defense.))

[5]  For instance, the Commercial Court of Appeal in Riyadh’s Decision No. 4530050546 of 1445H: ((…if the three elements are satisfied, the claimant would be entitled to fair compensation for all damages; if one of those elements is not satisfied, the entitlement to compensation would terminate completely.))

[6]  Article 180 of the Civil Transactions Law: ((If the amount of compensation is not specified in a contract or a legal provision, it shall be determined by the court in accordance with the provisions of Articles 136, 137, 138, and 139 of this Law. However, if the obligation arises from the contract, the debtor who has not committed any act of fraud or gross negligence shall be liable only for compensating harm that could have been anticipated at the time of contracting.))

[7]  Article 137 of the Civil Transactions Law: ((The harm for which a person is liable for compensation shall be determined according to the aggrieved party’s loss, whether the loss is incurred or in the form of lost profits, if such loss is a natural result of the harmful act. Such loss shall be deemed a natural result of the harmful act if the aggrieved party is unable to avoid such harm by exercising the level of care a reasonable person would exercise under similar circumstances.))

[8]  Article 136 of the Civil Transactions Law: ((Compensation shall fully cover the harm; it shall restore the aggrieved party to his original position or the position he would have been in had the harm not occurred.))

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

The Court’s decision also distinguishes the ADGM and DIFC’s approaches to English law.

A unique feature of the ADGM—certainly within the region—is that the English common law, as it stands from time to time, not only applies and has legal force in the jurisdiction, but also forms part of the ADGM’s laws. This is enshrined in Article 1(1) of the Application of English Law Regulations 2015 (“Regulations”).

On 17 November 2023, the ADGM Court of Appeal published an important decision in AC Network Holding Ltd. v. Polymath Ekar SPV1, confirming, among other things, that whilst ADGM judges “are not sitting as English law judges”, “they are bound to apply the rule laid down by the [Regulations]”. Lord Hope contrasted this with the position in the Dubai International Financial Center (“DIFC”): “The position in the Dubai International Financial Centre is different. Common law rules in various areas have been codified, and it is only if those rules or the laws of other relevant legal systems do not provide an answer that the laws of England and Wales are applied.”

This decision provides clarity to parties contracted to resolve disputes before the ADGM courts, and emphasises the unique position of English law in the ADGM, which the Court of Appeal observed “lies at the heart of the system of law that was created for the ADGM”.

Context and Factual Background

With the adoption of the Regulations in 2015, the ADGM opted to fully transplant English law as its applicable private law.[1] The result is that the entire, constantly updated, corpus of English common law applies in the ADGM. However, as the AC case demonstrates, there remained some doubts as to the full effect of this legal transplant.

AC concerned the sale of shares in a car-sharing company operating in Dubai, Abu Dhabi and Saudi Arabia. In 2020, the company’s minority shareholders were compelled, pursuant to a “Drag Along Notice” (“Notice”) issued by the majority shareholders, to sell their shareholding to a third party.

The minority shareholders challenged the validity of the Notice on the ground that the third party purchaser was not a ‘bona fide purchaser’ as required by the Shareholders’ Agreement (“Agreement”). Rather, they claimed that the purchaser was actually the majority shareholder himself, merely acting through a corporate veil. The minority shareholders sued the majority for the economic torts of intentionally procuring a breach of the Agreement as well as of conspiracy to use unlawful means to breach the Agreement. The Agreement was governed by English Law and any disputes arising under the Agreement were subject to the exclusive jurisdiction of the ADGM courts.

Court of First Instance

The ADGM Court of First Instance agreed with the minority shareholders that the Notice was invalid, insofar as the majority shareholder, by standing on “both sides of the fence,” had effectively expropriated the company’s shares in bad faith. However, the Court did not find that this breach was intentional, with the majority shareholder having received assurance from its legal counsel that the transfer was lawful.[2] In considering the unlawful means conspiracy claim, the Court was faced with a question of English law: did this claim also require knowledge of the unlawfulness of the conduct?

In answering this question, the minority shareholders pointed to a 2021 decision of the English Court of Appeal in Racing Partnership, where a majority of judges held that such knowledge was not required.[3] However, the ADGM Court of First Instance declined to follow this decision, holding that while Article 1(1) of the Regulations made English court decisions and precedent “highly relevant,” it did not bind ADGM courts.[4] Instead, it was the ADGM Court of First Instance’s duty to ascertain the “correct position” in English law, which may not be reflected in the latest case law.[5]

In this analysis, the ADGM Court of First Instance found that Racing Partnership confused rather than settled English law, with the correct position being that knowledge was, in fact, a requirement to establish the tort of conspiracy by unlawful means. Having already found that the majority shareholder lacked knowledge that his conduct was unlawful, the minority shareholders’ claims were dismissed.[6]

Court of Appeal

On appeal, the minority shareholders claimed that the Court of First Instance had erred in its application of English law, and consequently, the Regulations. They argued that Article 1(1) of the Regulations required that the ADGM courts apply English law including respecting the doctrine of precedent, the principle that within a single legal system, lower courts are bound by the prior decisions of higher courts.

The ADGM Court of Appeal agreed. In its reading, Article 1(1) of the Regulations required ADGM courts to apply English law principles, which would necessarily include the bedrock doctrine of precedent.[7] With some exceptions, a lower court would thus be required to apply decisions of higher courts even if they felt that the decision was faultily reasoned or had an unjust result.[8] In this context, the ADGM Court of Appeal found that the English Court of Appeal’s decision Racing Partnership was binding authority in the ADGM.[9] With knowledge of the illegality of its conduct no longer required, the ADGM Court of Appeal found the majority shareholder was liable for conspiracy to use unlawful means to breach the Agreement.[10]

Implications

The ADGM Court of Appeal’s decision in AC has profound implications in the ADGM. As the decision recognises, respect for the doctrine of precedent injects predictability into the ADGM’s application of English law, which was the primary reason for the Regulations in the first place. No longer will ADGM judges be encouraged (or permitted) to depart from latest English case law to undertake novel (and potentially complex) analyses of the ‘correct’ position under English law. Instead, the practice before the ADGM courts will be greatly synthesised with that before English courts, providing relief to clients and lawyers already familiar with these courts and their rulings.

AC also has the notable effect of further entrenching the ADGM’s wholesale adoption of English common law, which stands in contrast to other special economic zones and financial zones in the region (including in the UAE). For example, the DIFC explicitly codified various common law rules as DIFC law with adjustments, with English common law only applied to fill gaps in these existing DIFC codes.[11] The merit of the ADGM model—evidenced by the ADGM’s growing attractiveness to foreign investors worldwide—is its immediate familiarity to clients and lawyers well-versed with English law. The AC decision is another welcome step in the right direction.

__________

[1] Application of English Law Regulations 2015, art. 1(1) (“The common law of England (including the principles and rules of equity), as it stands from time to time, shall apply and have legal force in, and form part of the law of the Abu Dhabi Global Market”.)

[2] AC Network Holding Ltd. v. Polymath Ekar SPV1 [2023] ADGMCA 0002, ¶ 16.

[3] Racing Partnership v. Done Bros Ltd. [2021] Ch 233

[4] AC Network Holding Ltd. v. Polymath Ekar SPV1 [2023] ADGMCA 0002, ¶ 18.

[5] AC Network Holding Ltd. v. Polymath Ekar SPV1 [2023] ADGMCA 0002, ¶ 19.

[6] AC Network Holding Ltd. v. Polymath Ekar SPV1 [2023] ADGMCA 0002, ¶ 19.

[7] AC Network Holding Ltd. v. Polymath Ekar SPV1 [2023] ADGMCA 0002, ¶ 25.

[8] AC Network Holding Ltd. v. Polymath Ekar SPV1 [2023] ADGMCA 0002, ¶¶ 32-33.

[9] AC Network Holding Ltd. v. Polymath Ekar SPV1 [2023] ADGMCA 0002, ¶ 45.

[10] AC Network Holding Ltd. v. Polymath Ekar SPV1 [2023] ADGMCA 0002, ¶ 46.

[11] AC Network Holding Ltd. v. Polymath Ekar SPV1 [2023] ADGMCA 0002, ¶ 2.


The following Gibson Dunn attorneys assisted in preparing this update: Nooree Moola and Praharsh Johorey.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s global Litigation, International Arbitration, or Mergers and Acquisitions practice groups:

Renad Younes – Abu Dhabi (+971 2 234 2602, ryounes@gibsondunn.com)
Marwan Elaraby – Dubai/Abu Dhabi (+971 4 318 4611, melaraby@gibsondunn.com)
Nooree Moola – Dubai (+971 4 318 4643, nmoola@gibsondunn.com)
Praharsh Johorey – Dubai (+1 212.351.3911, pjohorey@gibsondunn.com)
Cyrus Benson – London (+44 20 7071 4239, cbenson@gibsondunn.com)
Penny Madden KC – London (+44 20 7071 4226, pmadden@gibsondunn.com)

© 2023 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Click for PDF

On January 31, 2022 the Ministry of Finance of the United Arab Emirates (UAE) announced the introduction of a federal Corporate Tax (“CT”) on business profits, effective from the financial year beginning June 1, 2023.  Pursuant to the aforementioned announcement, the Ministry of Finance published a consultation document to collect and appraise the responses of stakeholders (“Consultation Document”) with regards to the most prominent features of the legislation and its implementation, ahead of the release of the draft CT legislation.  The formal responses to the Consultation Document should be submitted using this form by May 19, 2022.  The Consultation Document can be viewed here.

In this client alert, we provide a summary of the key policy drivers, the key features of the proposed regime, and high level commentary contextualising the potential effects of the legislative reforms on our clients.

Background

The UAE currently does not have a federal CT regime.  CT is determined at an Emirate level through tax decrees.  Currently, at an Emirate level, the UAE only levies corporate tax on oil and gas companies and branches of foreign banks.  Furthermore, the UAE benefits from the presence of more than 40 free zones, which have their own rules and regulations.  Such zones generally afford companies incorporated therein significant tax benefits, making the UAE an attractive jurisdiction from a tax perspective.  Additionally, the UAE does not levy income tax on employment-based income.

Key Policy Drivers

The UAE, as a member of the OECD inclusive framework, is introducing the federal CT regime as a stepping stone to the execution of its commitment to the global minimum effective tax rate concept proposed by Pillar II of the OECD Base Erosion and Profit Shifting project (“OECD BEPS”).[1]  The responsible body of oversight has been designated as the Federal Tax Authority (“FTA”).  In introducing CT, the UAE aims to further its objectives of accelerating its development and transformation by introducing “a competitive CT regime that adheres to international standards, together with the UAE’s extensive network of double tax treaties, [which] will cement the UAE’s position as a leading jurisdiction for business and investment”.[2]  The introduction of CT is also perceived as an important step in diversifying the UAE Government’s budget revenue away from revenues that today are mainly generated from the hydrocarbon industry.  The Consultation Document offers assurances that the CT regime will build on international best practices as opposed to introducing new concepts, in order to ensure the seamless integration and cooperation of the regime with existing international frameworks.

The Consultation Document indicates that the UAE Government has been guided by a set of key principles in its legislative undertaking.  Such principles include: (1) flexibility and alignment with modern business practices, ensuring adaptability to changing socio-economic circumstances; (2) certainty and simplicity of the tax rules to support businesses’ accurate decision-making and cost-effective operation; (3) neutrality and equity, ensuring fair taxation treatment to different types of businesses; and (4) transparency.

The Consultation Document heavily emphasises the UAE’s ongoing commitment to execute BEPS 2.0, noting that “further announcements on how the Pillar Two rules will be embedded into the UAE CT regime will be made in due course.”[3]  No further practical guidance is otherwise offered in the Consultation Document.  In this regard, international entities which may be subject to Pillar II are advised to keep a close eye on developments in the law that are likely to apply to them, to the extent they are taxable entities subject to the UAE CT regime.

Key Features of the Corporate Tax Regime

Taxable Persons

Subject to certain exemptions discussed below, CT will be levied on UAE-incorporated companies such as LLCs, PSCs, PJSCs, and any other legal entities with a distinct legal personality, including, for example, LLPs and partnerships limited by shares.

In line with tax measures in other jurisdictions, CT will be levied on foreign legal entities:  (1) with a permanent establishment (“PE”) in the UAE, and that earn UAE sourced income, or (2) that are tax resident by way of management and control in the UAE.

Unincorporated partnerships and other unincorporated ventures will be deemed ‘transparent’ for UAE CT purposes.  Income of such entities may be taxed in the hands of their partners or members.  Helpfully, in order to tackle the discrepancies in the classification of partnerships (transparent vs opaque) in different jurisdictions, the UAE CT treatment of foreign unincorporated partnerships will defer to the tax treatment of the partnership in the relevant foreign jurisdiction.

Companies and branches registered in free zones will also fall within the scope of the CT regime, and will be subject to tax return filing requirements.  In order to honour existing tax arrangements within free zones, such entities will be subject to a 0% CT rate provided that they maintain adequate substance and comply with all regulatory requirements.  A free zone person with a branch in mainland UAE will be taxed at a regular CT rate on mainland source income while continuing to benefit from the 0% CT rate on its “other income”.  Where a free zone person transacts with mainland UAE but does not have a mainland branch, the free zone person can continue to benefit from the 0% CT rate if its income from mainland UAE is limited to ‘passive’ income (meaning interest and royalties, and dividends and capital gains from owning shares in mainland UAE companies).  The 0% CT rate will also apply to any transactions between free zone entities and their group companies in mainland UAE.  However, payments made to free zone entities by a mainland group company will not be tax deductible.  Furthermore, the Consultation Document notes that, to prevent free zone businesses from gaining an unfair competitive advantage compared to businesses established in mainland UAE, any other mainland sourced income will disqualify a free zone person from the 0% CT regime in respect of all their income.  Once the draft law is released, we expect that free zone registered entities will need to evaluate their existing position and whether they will continue to benefit from the tax exemptions, or whether their position will change in light of the CT law.

Income tax will not be payable by natural persons, provided that they do not engage in business or commercial activity in the UAE.  Taxable natural persons operating through sole establishments or proprietorships or as individual partners in an unincorporated partnership, conducting business in the UAE, will be subject to the CT regime.  The Consultation Document indicates that it remains to be the case that employment based income obtained in the UAE will not be subject to income tax.

Applicable Rates

CT will be charged on the annual taxable income of a business as follows:

  • 0%, for taxable income not exceeding AED 375,000;
  • 9%, for taxable income exceeding AED 375,000; and
  • a different tax rate (not yet specified) for large multinationals that meet specific criteria set with reference to Pillar II of the OECD BEPS.[4] In light of the Consultation Document’s emphasis on the UAE’s commitment to implementing the BEPS 2.0 measures, we expect that the rate will be fixed with reference to the rate finally determined by the OECD.

Exempt Entities

The following list of entities will be exempt from CT, either automatically or by way of application (the method is still undetermined):

  1. the federal UAE Government and Emirate Governments and their departments, authorities and other public institutions;
  2. wholly Government-owned UAE companies that carry out a sovereign or mandated activity, and that are listed in a cabinet decision;
  3. businesses engaged in the extraction and exploitation of UAE natural resources that are subject to Emirate-level taxation (e.g. upstream oil and gas companies);
  4. charities and other public benefit organisations that are listed in a Cabinet Decision issued at the request of the Ministry of Finance, upon application of the relevant entity;
  5. public and regulated private social security and retirement pension funds; and
  6. investment funds, as they are typically organised as ‘flow-through’ limited partnerships. Furthermore, regulated investment funds and Real Estate Investment Trusts can apply to the FTA to be exempt from CT subject to meeting certain requirements.[5]

Residency

As previously indicated, tax residency is a pivotal factor in determining whether business profits will be subject to CT in the UAE.  In furtherance of its objective of achieving certainty, the UAE relies on international principles in determining tax residency.

The Consultation Document notes that a legal person that is incorporated in the UAE will automatically be considered a ‘resident’ person for UAE CT purposes.  Equally, any natural person who is engaged in a business or commercial activity in the UAE, either in their own name or through an unincorporated partnership, will also be considered a resident person for purposes of the UAE CT regime.  A foreign company may be treated as a resident person if it is effectively “managed and controlled” in the UAE.  This will be a question of fact, but the Consultation Document indicates this would “typically look at where the directors or other decision makers of the company make the key management and commercial decisions”.[6]

UAE resident legal persons will be taxed in the UAE on their worldwide income.  Natural persons will only be taxed on income earned from their business activities carried out in the UAE.  However, certain income earned from overseas will be exempt from CT, including income from foreign branches and qualifying foreign shareholdings.  Where income earned from abroad is not exempt, income taxes paid in the foreign jurisdiction can be credited against the CT payable in the UAE on the relevant income to prevent double taxation.

Non-Residents

Non-residents will be subject to UAE CT on taxable income (1) from a PE in the UAE, and (2) which is sourced in the UAE.  The Consultation Document indicates that the law is to refer to the definition of PE outlined in Article 5 of the OECD Model Tax Convention, and the intention is for foreign companies and advisors to be entitled to rely on OECD Commentary when assessing whether they have a PE in the UAE.  Thus, the existence of a PE in the UAE will be determined by reference to whether either there is a “fixed place of business” of, or a “dependent agent” habitually exercising the authority to conclude contracts on behalf of, the non-resident person in the UAE.

Significantly, the Consultation Document notes that the UAE CT regime will allow regulated UAE investment managers to provide discretionary investment management services to foreign customers without triggering a UAE PE for the foreign investor or the foreign investment fund – this investment management exemption will “be subject to conditions that are comparable to similar regimes in leading financial centres”.[7]

Calculating Taxable Income

The UAE CT regime proposes to use the accounting net profit (or loss) position in the financial statements of a business as the starting point for determining taxable income.  IFRS standards are typically used by businesses in the UAE and will form the basis for such assessment, but the CT law will allow for alternative financial reporting standards.

Exemptions & Deductions

The CT law will include a participation exemption from CT on dividends received, and capital gains earned from the sale of shares of a subsidiary company.  The UAE CT regime will exempt all domestic dividends earned from UAE companies, including dividends paid by a free zone registered entity benefitting from the 0% CT regime.  The main condition to benefit from the participation exemption is that the UAE shareholder company must own at least 5% of the shares of the subsidiary company.  This participation requirement remains competitive in comparison with other jurisdictions.  For example, the participation exemption in the UK (the “substantial shareholding exemption”) requires (amongst other things) the shareholder to own at least 10% of the ordinary shares in the subsidiary for a consecutive period of at least 12 months.

In order to remain an attractive tax jurisdiction for international businesses, the UAE will allow for foreign branches of UAE companies (subject to certain conditions) to either (i) claim a foreign tax credit for taxes paid in the foreign branch country, or (ii) elect to claim an irrevocable exemption for their foreign branch profits.

Interest and other financing costs will be deductible for CT purposes.  However, the deductibility of interest will be capped at 30% of a business’ earnings before interest, tax, depreciation, and amortisation (EBITDA), in line with Action 4 of the OECD BEPS project, in order to disincentivise businesses from using excessive levels of debt financing (as opposed to equity financing) in pursuance of a tax benefit.  Interest capping rules will not apply to banks, insurance business and other financial services entities.

Losses

In line with international best practices, a business will be able to offset a loss incurred in one period against the taxable income of future periods, up to a maximum of 75% of the taxable income in each of those future periods.

Tax losses will be able to be carried forward indefinitely provided the same shareholders hold at least 50% of the share capital from the start of the period when a loss is incurred to the end of the period in which a loss is offset against the taxable income.

Groups

A UAE resident group of companies will be able to elect to form a tax group, capable of being treated as a single taxable person (or a fiscal unity) if the parent company holds at least 95% of the share capital and voting rights of its subsidiaries.  To form a tax group, neither the parent company nor any of the subsidiaries can be an exempt person or a free zone entity benefitting from the 0% CT rate, and all group members must use the same financial year.  For other groups of companies which do not meet the 95% threshold, the CT regime will allow the transfer of losses between group companies, provided that they are at least 75% commonly owned.

Whilst no clear indications are given as to the features of the proposed law in respect of business reorganisations, the Consultation Document asserts that such reorganisations are to be undertaken on a tax neutral basis.[8]  Intra-group transfer relief will be available for transfers of assets and liabilities between UAE resident companies that are at least 75% commonly owned, provided the assets and/or liabilities being transferred remain within the same group for a minimum of three years.

To further facilitate corporate restructuring transactions, the UAE CT regime will exempt or allow for a deferral of taxation where a whole business, or independent parts of a business, are transferred in exchange for shares or other ownership interests.

Such features are positive and welcome additions to the CT rules, particularly if other aspects of the CT regime prompt corporate restructurings (please see below with regards to transfer pricing).  Furthermore, group relief is often sought to assist the financing of further mergers and acquisitions, potentially leading to increased activity in the UAE.

Transfer Pricing

Transfer pricing rules are expected to apply to transactions between related and connected persons, in accordance with the principles of the OECD Transfer Pricing Rules.  Therefore, transactions between related or connected parties must be conducted on an arm’s-length basis.

Large business groups, particularly family-owned conglomerates with cross-border operations may need to rethink their group structures and assess their intra-group transactions from a transfer pricing perspective, to ensure that their transactions are indeed conducted on an arm’s-length basis.

Tax Credits

As noted above, UAE resident companies will be subject to UAE CT on their worldwide income, which includes foreign sourced income that may have been subject to tax of a similar nature to CT in another country.  To avoid double taxation, the UAE CT regime will allow a credit for a foreign tax paid in a foreign jurisdiction against the UAE CT liability on the foreign-sourced income that has not been otherwise exempted.

Administrative Aspects

A business subject to CT will need to register with the FTA and obtain a tax registration number within a period of time to be prescribed in the law.  The FTA can also automatically register a business for CT purposes if the person does not voluntarily do so.  Businesses can also deregister if they cease to be subject to CT.  To reduce administrative efforts and costs, businesses will only need to prepare and file one tax return (and other related supporting schedules) with the FTA for each tax period.  A CT return must be filed, and any CT payment made, within nine months of the end of the relevant tax period.

Conclusion

The introduction of CT in the UAE logically follows from the UAE’s role as a member of the OECD inclusive framework, particularly in light of discussions on the global minimum tax proposed by Pillar II.  The proposed tax rate of 9% still remains highly competitive in comparison to other jurisdictions.  In addition, it can be seen from the Consultation Document that the proposed CT regime is based on well-recognised and practiced international principles, making the cost and process of implementing the law relatively efficient for businesses subject to similar regimes in other jurisdictions.  The law will seemingly also maintain some of the most distinct tax benefits of the UAE, for example, the tax benefits afforded to free zone registered entities.  Inevitably, once the regime takes effect, different businesses might want to reconsider their corporate structures in order to avail themselves of the available tax benefits.

We would be happy to help clients consider and review their current corporate structures to assess the impact of the proposed UAE CT rules, and also discuss any opportunities resulting therefrom.

___________________________

[1]   For further information regarding Pillar I and Pillar II of the OECD Base Erosion and Profit Shifting project, please refer to our UK Tax Quarterly Update – February 2022 (pp. 12-16) here.

[2]   Consultation Document, ¶ 2.2.

[3]   Consultation Document, Section 9.3.

[4]   https://u.ae/en/information-and-services/finance-and-investment/taxation/corporate-tax.

[5]   Consultation Document, Sections 3.3 and 3.7.

[6]   Consultation Document, ¶ 4.4.

[7]   Consultation Document, ¶ 4.21.

[8]   Consultation Document, Section 6.3


The following Gibson Dunn lawyers prepared this client alert: Jeffrey Trinklein, Sandy Bhogal, Benjamin Fryer, Hanna Chalhoub, Siham Freihat*, and William Inchbald.

Gibson Dunn’s lawyers are available to assist in addressing any questions that you may have regarding the issues discussed in this update.  For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Tax or Corporate practice groups, or the following authors:

Jeffrey M. Trinklein – London/New York (+44 (0) 20 7071 4224 /+1 212-351-2344), jtrinklein@gibsondunn.com)

Sandy Bhogal – London (+44 (0) 20 7071 4266, sbhogal@gibsondunn.com)

Benjamin Fryer – London (+44 (0) 20 7071 4232, bfryer@gibsondunn.com)

Hanna Chalhoub – Dubai (+971 (0) 4 318 4634, hchalhoub@gibsondunn.com)

William Inchbald – London (+44 (0) 20 7071 4264, winchbald@gibsondunn.com)

* Siham Freihat is a trainee solicitor in Gibson Dunn’s London office.

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On October 25, 2021, the Dubai Financial Services Authority (“DFSA”) updated its Rulebook for “crypto” based investments by launching a regulatory framework for “Investment Tokens”. This framework follows, on the whole, the approach proposed in the DFSA’s “Consultation Paper No. 138 – Regulation of Security Tokens”, published in March 2021 (the “Consultation Paper”).

Peter Smith, Managing Director, Head of Strategy, Policy and Risk at the DFSA has noted that: “Creating an ecosystem for innovative firms to thrive in the UAE is a key priority for both the UAE and Dubai Governments, and the DFSA. Our consultation on Investment Tokens enabled us to understand what firms were looking for in a regulatory framework and introduce a regime that is relevant to the market. We look forward to receiving applications from interested firms and contributing to the ongoing growth of future-focused financial services in the DIFC.”[1]

What is an “Investment Token”?

An “Investment Token” is defined as either a “Security Token” or a “Derivative Token”[2]. Broadly speaking, these are:

  • a security (which includes, for example, a share, debenture or warrant) or derivative (an option or future) in the form of a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using Distributed Ledger Technology (“DLT”) or other similar technology; or
  • a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using DLT or other similar technology and: (i) confers rights and obligations that are substantially similar in nature to those conferred by a security or derivative; or (ii) has a substantially similar purpose or effect to a security or derivative.

However, importantly, the definition of “Investment Token” will not capture virtual assets which do not either confer rights and obligations substantially similar in nature to those conferred by a security or derivative, or have a substantially similar purpose or effect to a security or derivative. This means that  key cryptocurrencies such as Bitcoin and Ethereum, as well as stablecoins such as Tether, will remain unregulated under the Investment Tokens regime.

Scope of framework

This regulatory framework applies to persons interested in marketing, issuing, trading or holding Investment Tokens in or from the Dubai International Financial Centre (“DIFC”). It also applies with respect to DFSA authorised firms wishing to undertake “financial services” relating to Investment Tokens. Such financial services would include (amongst other things) dealing in, advising on, or arranging transactions relating to, Investment Tokens, or managing discretionary portfolios or collective investment funds investing in Investment Tokens.

Approach taken by the DFSA

The approach taken by the DFSA has been to, rather than establish an entirely separate regime for Investment Tokens, bring these instruments within scope of the existing regime for “Investments”, subject to certain changes. The Consultation Paper noted that “in line with the approach adopted in the benchmarked jurisdictions, [the] aim is to ensure that the DFSA regime for regulating financial products and services will apply in an appropriate and robust manner to those tokens that [the DFSA considers] to be the same as, or sufficiently similar to, existing Investments to warrant regulation”.

The Consultation Paper proposed to do this through four means: (i) by making use of the existing regime for “Investments” as far as possible, whilst addressing specific risks associated with the tokens, especially technology risks; (ii) by not being too restrictive, so that the DFSA can accommodate the evolving nature of the underlying technologies that might drive tokenization of traditional financial products and services; (iii) by addressing risks to investor/customer communication and market integrity, and systemic risks,  should they arise, where new technologies are used in the provision of financial products or services in or from the DIFC; and (iv) remaining true to the underlying key characteristics and attributes of regulated financial products and services, as far as practicable.

As noted at (i) above, the changes brought about on October 25, 2021 necessarily involved the addition of new requirements to address specific issues related to Investment Tokens. For instance, added requirements are imposed on firms providing financial services relating to Investment Tokens in Chapter 14 of the Conduct of Business Module of the DFSA Rulebook.

This sets out (amongst other things):

  • technology and governance requirements for firms operating facilities (trading venues) for Investment Tokens – for instance, they must: (i) ensure that any DLT application used by the facility operates on the basis of permissioned access, so that the operator is able to maintain adequate control of persons granted access; and (ii) have regard to industry best practices in developing their technology design and technology governance relating to DLT that is used by the facility;
  • rules relating to operators of facilities for Investment Tokens which permit direct access – for example, the operator must ensure that its operating rules clearly articulate: (i) the duties owed by the operator to the direct access member; (ii) the duties owed by the direct access member to the operator; and (iii) appropriate investor redress mechanisms available. The operator must also make certain risk disclosures and have in place adequate systems and controls to address market integrity, anti-money laundering and other investor protection risks;
  • requirements for firms providing custody of Investment Tokens (termed “digital wallet service providers”) – for example: (i) any DLT application used in providing custody of the Investment Tokens must be resilient, reliable and compatible with any relevant facility on which the Investment Tokens are traded or cleared; and (ii) the technology used and its associated procedures must have adequate security measures (including cyber security) to enable the safe storage and transmission of data relating to the Investment Tokens; and
  • a requirement that firms carrying on one or more financial services with respect to Investment Tokens (such as dealing in investments as principal/agent, arranging deals in investments, advising on financial products and managing assets), provide the client with a “key features document” in good time before the service is provided. This must contain, amongst other things: (i) the risks associated with, and the essential characteristics of, the Investment Token; (ii) whether the Investment Token is, or will be, admitted to trading (and, if so, the details of its admission); (iii) how the client may exercise any rights conferred by the Investment Tokens (such as voting); and (iv) any other information relevant to the particular Investment Token that would reasonably assist the client to understand the product and technology better and to make informed decisions in respect of it.

Comment

In taking the approach to Investment Tokens outlined in this alert, the DFSA has aligned with the approach taken by certain key jurisdictions. It is similar to that taken by the U.K. Financial Conduct Authority, for example, which has issued guidance to the effect that tokens with specific characteristics that mean they provide rights and obligations akin to specified investments, like a share or a debt instrument (the U.K. version of Investment Tokens) be treated as specified investments and, therefore, be considered within the existing regulatory framework[3].

The DFSA’s regime has baked-in flexibility, particularly as a consequence of the fairly high level, principles-based approach. This will likely prove helpful, given the evolving nature of the virtual assets world. However, the exclusion of key cryptocurrencies from the scope of this regime may limit the attractiveness of the regime, particularly to cryptocurrency exchanges seeking to offer spot trading. However, this may be offset to some extent by the DFSA regime’s willingness to allow operators of facilities for Investment Tokens to provide direct access to retail clients, subject to those clients meeting certain requirements (such as having sufficient competence and experience). This is in contrast to the approach proposed by the Hong Kong Financial Services and the Treasury Bureau, which has proposed restricting access to cryptocurrency trading to professional investors only.[4]

Next steps

As noted above, the Investment Tokens regime does not cover many key virtual assets. However, we understand that the DFSA is drafting proposals for tokens not covered by the Investment Tokens regulatory framework. These proposals are expected to cover exchange tokens, utility tokens and certain asset-backed tokens (stablecoins). The DFSA intends to issue a second consultation paper later in Q4 of this year.[5]

____________________________

    [1]   https://www.dfsa.ae/news/dfsa-introduces-regulatory-framework-investment-tokens

    [2]   DFSA Rulebook: General Module, A.2.1.1

    [3]   FCA Policy Statement (PS 19/22), Guidance on Cryptoassets (July 2019)

    [4]   See our previous alert on the proposed Hong Kong regime: https://www.gibsondunn.com/licensing-regime-for-virtual-asset-services-providers-in-hong-kong/

    [5]   https://www.dfsa.ae/news/dfsa-introduces-regulatory-framework-investment-tokens


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Crypto Taskforce (cryptotaskforce@gibsondunn.com) on the Global Financial Regulatory team, or the following authors:

Hardeep Plahe – Dubai (+971 (0) 4 318 4611, hplahe@gibsondunn.com)
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, mkirschner@gibsondunn.com)
William R. Hallatt – Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
Chris Hickey – London (+44 (0) 20 7071 4265, chickey@gibsondunn.com)
Martin Coombes – London (+44 (0) 20 7071 4258, mcoombes@gibsondunn.com)
Emily Rumble – Hong Kong (+852 2214 3839, erumble@gibsondunn.com)
Arnold Pun – Hong Kong (+852 2214 3838, apun@gibsondunn.com)
Becky Chung – Hong Kong (+852 2214 3837, bchung@gibsondunn.com)

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

The UAE Commercial Companies Law (the “CCL”) has been amended to permit 100% foreign ownership of companies incorporated in the UAE under the CCL, commonly known as “onshore” companies (“Onshore Companies”). The UAE Ministry of Economy announced that the foreign ownership amendment would be effective on 1 June 2021. We previously discussed the amendment in our earlier Client Alert.

The requirement that a minimum of 51% of the shares in an Onshore Company be held by one or more UAE nationals, being natural or legal persons, has been removed from Article 10 of the CCL. Foreign ownership restrictions are a key concern for foreign investors, including private equity and venture capital funds, and cause additional complexity and barriers  to investments in Onshore Companies. Foreign investors may now own and control Onshore Companies without the need to employ nominee or similar structures, thus avoiding cumbersome arrangements, additional costs and legal uncertainty. Furthermore, single-shareholder entities, which previously had to be wholly-owned by UAE national(s), are now eligible to be 100% owned by foreign investors.

The Department of Economic Development (“DED”) of each Emirate will specify business activities open to 100% foreign ownership. The Abu Dhabi DED has issued a list of license activities which may be conducted by a foreign-owned Onshore Company encompassing more than 1,100 activities and covering a range of sectors. While “trading” does not appear on the current list, the Abu Dhabi DED may expand the list of license activities in the future to include this activity. The Dubai DED has announced that its list will include more than 1,000 commercial and industrial license activities. The discretion of each Emirate’s DED in determining which activities may be conducted by a foreign owned-Onshore Company may result in different foreign ownership regimes applying to companies operating in the same sector, depending on which one of the Emirates an entity is incorporated in.

Foreign ownership limitations remain in respect of companies carrying out activities of strategic importance, as determined by the UAE Council of Ministers. Companies carrying out such activities will be subject to local ownership and board participation requirements to be determined by the UAE Council of Ministers.

We expect the amended CCL to strengthen the UAE’s standing as an international investment destination. It remains to be seen whether the UAE’s free-zones will decline in popularity with foreign investors as a result.

We would be happy to help clients consider and review their current ownership and governance arrangements to assess the impact of the amended CCL on their business and also discuss investment opportunities with clients.


Gibson Dunn’s Middle East practice focuses on regional and global multijurisdictional transactions and disputes whilst also acting on matters relating to financial and investment regulation. Our lawyers, a number of whom have spent many years in the region, have the experience and expertise to handle the most complex and innovative deals and disputes across different sectors, disciplines and jurisdictions throughout the Middle East and Africa.

Our corporate team is a market leader in MENA mergers and acquisitions as well as private equity transactions, having been instructed on many of the region’s highest-profile buy-side and sell-side transactions for corporates, sovereigns and the most active regional private equity funds. In addition, we have a vibrant finance practice, representing both lenders and borrowers, covering the full range of financial products including acquisition finance, structured finance, asset-based finance and Islamic finance. We have the region’s leading fund formation practice, successfully raising capital for our clients in a difficult fundraising environment.

For further information, please contact the Gibson Dunn lawyer with whom you usually work, or the following authors in the firm’s Dubai office, with any questions, thoughts or comments arising from this update.

Hardeep Plahe (+971 (0) 4 318 4611, hplahe@gibsondunn.com)
Fraser Dawson (+971 (0) 4 318 4619, fdawson@gibsondunn.com)
Aly Kassam (+971 (0) 4 318 4641, akassam@gibsondunn.com)
Hanna Chalhoub (+971 (0) 4 318 4634, hchalhoub@gibsondunn.com)
Thomas Barker (+971 (0) 4 3184623, tbarker@gibsondunn.com)
Galadia Constantinou (+971 (0) 4 318 4663, gconstantinou@gibsondunn.com)
Sarah Keryakas (+971 (0) 4 318 4626, skeryakas@gibsondunn.com)

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

2020 was a uniquely uncertain and perilous year. Within the world of international trade, the steady increase in the use of sanctions and export controls—principally by the United States but also by jurisdictions around the world—proved to be a rare constant. In each of the last four years, our annual year-end Updates have chronicled a sharp rise in the use of sanctions promulgated by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), as well as growing economic tensions between the United States and other major world powers. In the final tally, OFAC during President Donald Trump’s single term sanctioned more entities than it had under two-term President George W. Bush and almost as many as two-term President Barack Obama.

The raw numbers understate the story, as the Trump administration focused sanctions authorities on larger and more systemically important players in the global economy than ever before, and also brought to bear other coercive economic measures—including export controls, import restrictions, foreign investment reviews, tariffs, and novel measures like proposed bans on Chinese mobile apps and restrictions on U.S. persons’ ability to invest in securities of certain companies with alleged ties to the Chinese military. The pace and frequency of these actions intensified in the Trump administration’s final days—an ostensible attempt to force the hand of the incoming Biden-Harris administration on a number of key national security policy decisions.

2020 Year-End Sanctions and Export Controls Update - Chart 1

2020 Year-End Sanctions and Export Controls Update - Chart 2

China takes top billing in this year’s Update, as long-simmering tensions between Beijing and Washington seemingly reached a boil.  Despite a promising start to the year with the January 2020 announcement of a “phase one” trade agreement between the world’s two largest economies, relations between the two powers rapidly deteriorated amidst recriminations concerning the pandemic, a crackdown in Hong Kong, a heated U.S. presidential election, and a deepening struggle for economic, technological, and military primacy.  The Chinese government on January 9, 2021 responded to the Trump administration’s barrage of trade restrictions by issuing the first sanctions blocking regime in China to counteract the impact of foreign sanctions on Chinese firms.  Although the law—which borrows from a similar measure adopted by the European Union—is effective immediately, it currently only establishes a legal framework.  The Chinese blocking statute will become enforceable once the Chinese government identifies the specific extra-territorial measures—likely sanctions and export controls the United States has levied against Chinese companies—to which it will then apply.  While experts have long predicted the rise of a technological Cold War with Chinese 5G and Western 5G competing for dominance—the advent of China’s blocking statute (amid threats of additional counter-measures) suggests the emergence of a regulatory Cold War as well.  Major multinational companies may be forced to choose between the two powers.

The pandemic and Sino-American tensions almost over-shadowed what would have been the principal trade story of the year: nearly four-and-a-half years after the United Kingdom voted to leave the European Union, London and Brussels finally completed Brexit.  On December 30, 2020—one day prior to the end of the Brexit Transition period—the EU and China concluded negotiations, over the objections of the incoming U.S. administration, for a comprehensive agreement on investment focused on enabling an increase in outbound investment in China from the EU.

At year’s end, China, France, Germany, Russia, the United Kingdom, and the High Representative of the European Union for Foreign Affairs and Security Policy stressed the importance of the 2015 Joint Comprehensive Plan of Action (“JCPOA”), while the Trump administration sought to impose additional sanctions on Tehran that will make it more difficult for the Biden-Harris administration to reenter the agreement.

In the coming months, the Biden-Harris administration has promised a fulsome review of U.S. trade measures with a view to finding ways of providing possible relief to help with the global response to the coronavirus pandemic.  And although we expect a more measured approach to diplomatic relations under the new administration, U.S. sanctions and export controls will continue to play a dominant role in U.S. foreign policy—and an increasingly dominant role in foreign policy strategies of America’s friends and competitors.  The increasing complexity of these measures in the United States—with “sanctions” authorities increasingly split between the U.S. Treasury Department, the Department of Commerce, the Department of State, the Department of Homeland Security, and even the Department of Defense—makes for increasing challenges for parties seeking to successfully comply while managing their businesses.

Contents

1.    U.S.-China Relationship

A.    Protecting Communications Networks and Sensitive Personal Data
B.    TikTok and WeChat Prohibitions and Emerging Jurisprudence Limiting Certain Executive Authorities
C.    Slowing the Advance of China’s Military Capabilities
D.    Promoting Human Rights in Hong Kong
E.    Promoting Human Rights in Xinjiang
F.    Trade Imbalances and Tariffs
G.    China’s Counter-Sanctions – The Chinese Blocking Statute
H.    New Chinese Export Control Regime

II.    U.S. Sanctions Program Developments

A.    Iran
B.    Venezuela
C.    Cuba
D.    Russia
E.    North Korea
F.    Syria
G.    Other Sanctions Developments

III.   U.S. Export Controls

A.    Commerce Department
B.    State Department

IV.    European Union

A.    EU-China Relationship
B.    EU Sanctions Developments
C.    EU Member State Export Controls
D.    EU Counter-Sanctions

V.    United Kingdom Sanctions and Export Controls

A.    Sanctions Developments
B.    Export Controls Developments

_______________________________

I.          U.S.-China Relationship

The dozens of new China-related trade restrictions announced in 2020 were generally calculated to advance a handful of longstanding U.S. policy interests for which there is broad, bipartisan support within the United States, namely protecting U.S. communications networks, intellectual property, and sensitive personal data; slowing the advance of China’s military capabilities; promoting human rights in Hong Kong and Xinjiang; and narrowing the trade deficit between Washington and Beijing.  As such, while the new Biden-Harris administration promises a shift in tone—including greater coordination with traditional U.S. allies and a more orderly and strategic policymaking process—the core objectives of U.S. trade policy toward China are unlikely to change, at least in the near term.  Given the emerging consensus in Washington in favor of a tough stance against China, we anticipate that President Biden will continue to pressure China over its human rights record and will be disinclined to relax Trump-era measures targeting Chinese-made goods and technology without first extracting concessions from Beijing.

Meanwhile, China shows few signs of backing down in the face of U.S. pressure.  As we wrote here, in January 2021 China’s Ministry of Commerce unveiled long-anticipated counter-sanctions prohibiting Chinese citizens and companies from complying with “unjustified” foreign trade restrictions, which could soon force multinational firms into an unpalatable choice between complying with U.S. or Chinese regulations.  How vigorously and selectively the Chinese authorities enforce these new counter-sanctions remains to be seen and will help set the tone for the future of U.S.-China trade relations and the challenges multinational corporations will have in navigating between the two powers.

A.            Protecting Communications Networks and Sensitive Personal Data

Spurred by concerns about Chinese espionage and trade secret theft, the United States during 2020 imposed a variety of trade restrictions designed to protect U.S. communications networks and sensitive personal data by targeting globally significant Chinese technology firms like Huawei and popular mobile apps like TikTok and WeChat.

During 2020, the Trump administration continued its diplomatic, intelligence-sharing, and economic pressure campaign to dissuade countries from partnering with Huawei and other Chinese telecommunications providers in the development and deployment of fifth-generation (“5G”) wireless networks.  The rollout of 5G networks—long viewed as a key battleground in the U.S.-China tech war—is about more than faster smartphones, as 5G networks are expected to support advanced technology like autonomous vehicles and to catalyze innovation across the economy from manufacturing to the military.  As Huawei has emerged as a leader in 5G infrastructure, the U.S. government has increasingly raised alarms that the company’s technology may be vulnerable to Chinese government espionage.  Some U.S. allies have taken steps to block Huawei’s involvement in their own domestic 5G networks.  Australia blacklisted Huawei from its 5G network in August 2018, and the British government announced in July 2020 that it would ban the purchase of new Huawei equipment and would remove Huawei gear already installed from its networks by 2027, marking a reversal from a prior decision in January 2020.  Other European allies, however, have resisted an outright ban, with Germany signaling in December 2020 that it could allow Huawei’s continued involvement subject to certain assurances.

The Trump administration also continued to tighten the screws on Huawei along several other fronts, with the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) adding another 38 non-U.S. affiliates of Huawei to the Entity List in August 2020.  Since first adding Huawei in May 2019 citing national security concerns, the Trump administration has added over 150 Huawei affiliates to the Entity List, significantly limiting Huawei’s ability to source products from the United States and U.S. companies.  These actions highlight the administration’s sustained focus on Huawei, but also reflect a broader trend in the increasingly expansive use of the Entity List against Chinese firms.  In its expanding size, scope, and profile, the Entity List has begun to rival the more traditional OFAC Specially Designated Nationals (“SDN”) and Blocked Persons List as a tool of first resort when U.S. policymakers seek to wield coercive authority especially against major economies and significant economic actors.

On May 15, 2020, BIS announced a new rule to further restrict Huawei’s access to U.S. technology.  The complicated rule amends the “Direct Product Rule” (discussed below) and the Entity List to restrict Huawei’s ability to share its semiconductor designs or rely on foreign foundries to manufacture semiconductors using U.S. software and technology.  Although multiple rounds of Entity List designations targeting Huawei entities had already effectively cut off the company’s access to exports of most U.S.-origin products and technology, BIS claimed that Huawei had responded to the designations by moving more of its supply chain outside the United States.  However, for the time being, Huawei and many of the foreign chip manufacturers that Huawei uses, still depend on U.S. equipment, software, and technology to design and produce Huawei chipsets.

BIS’s May 2020 Direct Product Rule amendment expanded one of the bases on which the U.S. can claim jurisdiction over items produced outside of the United States.  Generally, under the EAR, the United States claims jurisdiction over items that are (1) U.S. origin, (2) foreign-made items that are being exported from the United States, (3) foreign-made items that incorporate more than a minimal amount of controlled U.S.-origin content, and (4) foreign-made “direct products” of certain controlled U.S.-origin software and technology.  Under the fourth basis of jurisdiction, also known as the Direct Product Rule, foreign-made items are subject to U.S. Export Administration Regulation (“EAR”) controls if they are the direct product of certain U.S.-origin technology or software or are the direct product of a plant or major component of a plant located outside the United States, where the plant or major component of a plant itself is a direct product of certain U.S.-origin software and technology.

BIS’s new rule allows for the application of a tailored version of the Direct Product Rule to parties identified on its Entity List, with a bespoke list of controlled software and technology commonly used by foreign manufacturers to design and manufacture telecommunications and other kinds of integrated circuits for Huawei.  Specifically, the rule makes the following non-U.S.-origin items subject to the restrictions of U.S. export controls:

  • Items, such as chip designs, that Huawei and its affiliates on the Entity List produce by using certain U.S.-origin software or technology that is subject to the EAR; and
  • Items, such as chipsets, made by manufacturers from Huawei-provided design specifications, if those manufacturers are using semiconductor manufacturing equipment that itself is a direct product of certain U.S.-origin software or technology subject to the EAR.

By subjecting these items to a new licensing requirement, BIS can block the sale of many semiconductors manufactured by a number of non-U.S.-based manufacturers that Huawei uses across its telecom equipment and smartphone business lines.

While Huawei has been a focal point of U.S. trade policy over the past several years, U.S. government concerns about maintaining the integrity of its communications networks and U.S. residents’ sensitive personal data extend more broadly across China’s tech sector.  On May 15, 2019,  acting under the authorities provided by the International Emergency Economic Powers Act (“IEEPA”)—the statutory basis for most U.S. sanctions programs—President Trump issued Executive Order 13873, which declared a national emergency with respect to the exploitation of vulnerabilities in information and communications technology and services (“ICTS”) by foreign adversaries, and authorized the Secretary of Commerce to prohibit transactions involving ICTS designed, developed, manufactured, or supplied by persons owned, controlled, or subject to the jurisdiction of a foreign adversary that pose an undue or unacceptable risk to U.S. critical infrastructure, the U.S. digital economy, national security, or the safety of U.S. persons.

On January 19, 2021, the Commerce Department published an Interim Final Rule clarifying the processes and procedures that the Secretary of Commerce will use to evaluate ICTS transactions covered by Executive Order 13873.  The Interim Final Rule identified six foreign adversaries: China (including Hong Kong), Cuba, Iran, North Korea, Russia, and Venezuela’s President Nicolás Maduro; though this list can be revised as necessary.  The Interim Final Rule also identified broad categories of ICTS transactions that fall within its scope, and announced that the Commerce Department will establish a licensing process for entities to seek pre-approval of ICTS transactions.  Unless the Biden-Harris administration acts to delay the measure, the Interim Final Rule is scheduled to take effect on March 22, 2021.

B.            TikTok and WeChat Prohibitions and Emerging Jurisprudence Limiting Certain Executive Authorities

To address the national emergency declared in the ICTS order, President Trump on August 6, 2020 issued two further Executive Orders restricting U.S. persons from dealing with the Chinese social media platforms TikTok and WeChat.  The orders sought to prohibit or restrict certain categories of transactions—subsequently to be defined by the U.S. Secretary of Commerce—involving TikTok’s corporate parent ByteDance and WeChat’s corporate parent Tencent Holdings Ltd. by September 20, 2020.

Pursuant to these Executive Orders, the Commerce Department on September 18, 2020 issued a broad set of prohibitions that would have essentially banned the use or download of the TikTok and WeChat apps in the United States.  The following day, a California federal district court granted a nationwide preliminary injunction halting the WeChat ban on First Amendment grounds.  The plaintiffs, a group of WeChat users, successfully argued that WeChat functions as a “public square” for the Chinese-American community in the United States and that the restrictions imposed by the Commerce Department infringed upon their First Amendment rights.

One week later, a Washington D.C. federal district court granted a similar injunction with respect to the TikTok ban, finding that content exchanged by users on TikTok constitutes “information and informational materials” protected by the Berman Amendment, a statutory provision within IEEPA that aims to safeguard the free flow of information.  The court further found that, by virtue of being primarily a conduit of such informational materials, the platform itself was protected by the Berman Amendment.  On October 30, 2020, a Pennsylvania federal district court granted a second, nationwide preliminary injunction halting the TikTok ban on Berman Amendment grounds.  On December 7, 2020, the D.C. district court found that the Trump administration had overstepped its authority under IEEPA by failing to adequately consider “an obvious and reasonable alternative” to an outright ban.  Together these opinions have clarified and expanded case law regarding the limits of the President’s authority under IEEPA.

The litigation over the Commerce Department’s TikTok and WeChat bans upended a parallel effort by the U.S. Committee on Foreign Investment in the United States (“CFIUS”)—the interagency committee tasked with reviewing the national security risks associated with foreign investments in U.S. companies—to force a divestiture of TikTok’s U.S. operations.  In 2019, CFIUS initiated a review of ByteDance’s 2017 acquisition of the U.S. video-sharing platform Musical.ly in response to growing concerns regarding the use of data and censorship directed by the Chinese government.  The CFIUS review culminated in an August 14, 2020 order directing ByteDance to divest its interest in TikTok’s U.S. platform by November 12, 2020.

The Commerce restrictions and ensuing litigation threatened to derail CFIUS negotiations over the TikTok divestment—a matter made more challenging on August 28, 2020, when China retaliated with its own set of export controls requiring Chinese government approval for such a transaction.  Although the U.S. Department of the Treasury announced an agreement in principle for the sale of TikTok on September 19, 2020, a final agreement proved elusive.  Negotiations ground to a halt around the time of the U.S. presidential election, and CFIUS extended the deadline for a resolution three times by the end of the year before defaulting to a de facto continuation as the parties continue to negotiate.

None of these developments, however, appeared to dampen the Trump administration’s drive to target leading Chinese technology companies.  On January 5, 2021, President Trump issued another Executive Order requiring the Commerce Department to issue a more narrowly tailored set of prohibitions with respect to the Chinese mobile payment apps WeChat Pay, Alipay, QQ Wallet, as well as CamScanner, SHAREit, Tencent QQ, VMate, and WPS Office within 45 days (by February 19, 2021).  Given the timing of the order, the Biden-Harris administration will ultimately be responsible for either implementing or revoking the ban, setting up an early test case for the Biden-Harris administration with respect to Trump-era restrictions on Chinese tech companies.

C.            Slowing the Advance of China’s Military Capabilities

Another key goal of the Trump administration’s trade policy in 2020 was its attempt to blunt the development of China’s military capabilities, including by restricting exports to Chinese military end uses and end users, adding military-linked firms to the Entity List, prohibiting U.S. persons from investing in the securities of dozens of “communist Chinese military companies,” and proposing new rules that seek to eject Chinese firms from U.S. stock exchanges for failure to comply with U.S. auditing standards.

Over the past year, the Trump administration has heavily relied on export controls to deny Beijing access to even seemingly low-end U.S. technologies that might be used to modernize China’s military.  Pursuant to the Military End Use / User Rule, exporters of certain listed items subject to the EAR require a license from BIS to provide such items to China, Russia, or Venezuela, if the exporter knows or has reason to know that the exported items are intended for a “military end use” or “military end user.”  In April 2020, BIS announced significant changes to these military end use and end user controls that became effective on June 29, 2020.  Notably, the new rules (1) expanded the scope of military end uses subject to control, (2) added a new license requirement for exports to Chinese military end users, (3) expanded the list of covered items, and (4) broadened the reporting requirement for exports to China, Russia, and Venezuela.  These changes appear to have been animated by concerns among U.S. policymakers that the targeted countries are each pursuing a policy of “military-civil fusion” that blurs the line between civilian and military technological development and applications of sensitive technologies.

In particular, where the prior formulation of the Military End Use / User Rule only captured items exported for the purpose of using, developing, or producing military items, the rule now covers items that merely “support or contribute to” those functions.  The scope of “military end uses” subject to control was also expanded to include the operation, installation, maintenance, repair, overhaul, or refurbishing of military items.  For a more comprehensive discussion of the new Military End Use / User Rule, please see our client alert on the subject, as well as our 2020 Mid-Year Sanctions and Export Controls Update.

The expanded Military End Use / User Rule has presented a host of compliance challenges for industry, prompting BIS in June 2020 to release a detailed set of frequently asked questions (“FAQs”) addressing potential ambiguities in the rule and in December 2020 to publish a new, non-exhaustive Military End User List to help exporters determine which organizations are considered military end users.  The more than 100 Chinese and Russian companies identified to date appear to be principally involved in the aerospace, aviation, and materials processing industries, which is consistent with the newly added categories of items covered under the rule.  BIS has also continued to add new companies to the Military End User List.

Meanwhile, reflecting the recent significant expansion of the bases for additions to the Entity List, the U.S. Department of Commerce during 2020 announced three batches of Entity List designations tied to activities in support of China’s military.  Among those designated in June, August and December 2020 were more than 50 governmental and commercial organizations accused of procuring items for Chinese military end users, building artificial islands in the South China Sea, and supporting China’s policy of “military-civil fusion”—including substantial enterprises like the Chinese chipmaker Semiconductor Manufacturing International Corporation (“SMIC”).  Such military-related designations have continued into January 2021 with the addition to the Entity List of China National Offshore Oil Corporation (“CNOOC”) for its activities in the South China Sea, suggesting that the Entity List remains an attractive option for U.S. officials looking to impose meaningful costs on large non-U.S. firms that act contrary to U.S. interests while avoiding the economic disruption of designating such enterprises to OFAC’s SDN List.

In addition to using export controls to deny the Chinese military access to sensitive technology, during 2020 the Trump administration and Congress deployed several other types of measures to deny the Chinese military, and the firms that support it, access to U.S. capital.  On November 12, 2020, the Trump administration issued Executive Order 13959, which sought to prohibit U.S. persons from purchasing securities of certain Communist Chinese military companies (“CCMCs”)—ostensibly civil companies that the U.S. Department of Defense alleges have ties to the Chinese military, intelligence, and security services, including enterprises with substantial economic footprints in the United States such as Hikvision and Huawei.  A fuller description of the Order and its implications can be found in our November 2020 client alert.

As amended and interpreted to date by OFAC (which has been tasked with implementing and enforcing the Order), Executive Order 13959 seeks to prohibit U.S. persons from engaging in any transaction in publicly traded securities or any securities that are derivative of, or are designed to provide investment exposure to such securities, of any CCMC.  The Order covers a wide range financial instruments linked to such companies, including derivatives (e.g., futures, options, swaps), warrants, American depositary receipts, global depositary receipts, exchange-traded funds, index funds, and mutual funds.

OFAC has published a list of the targeted CCMCs, providing additional identifying information about the CCMCs.  U.S. persons holding covered securities of CCMCs identified in the initial Annex of Executive Order 13959 must sell or otherwise dispose of those securities by the expiration of a wind-down period on November 11, 2021.  As such, the new Biden-Harris administration has a period of time to review the prohibitions and propose further modifications.

In the months since it was issued, Executive Order 13959 has generated widespread confusion within the regulated community concerning what activities are (and are not) prohibited, prompting index providers to sever ties with named Chinese companies and a major U.S. stock exchange to reverse course multiple times on whether such companies should be de-listed.  Indeed, despite a flurry of guidance from OFAC, there remains considerable uncertainty concerning which companies are covered by the Order, including how the restriction applies to companies whose names “closely match” firms identified by the U.S. government, as well as such companies’ subsidiaries.  In seeming recognition of the compliance concerns expressed by industry, OFAC has issued a general license delaying the Order’s effective date with respect to entities with “closely matching” names of parties explicitly listed until May 2021.

Whatever comes of the Trump administration’s restrictions on investments in CCMCs, there remains broad bipartisan support in Congress for denying Chinese firms access to U.S. capital markets.  In December 2020, Congress unanimously passed and President Trump signed into law the Holding Foreign Companies Accountable Act, which requires foreign companies listed on any U.S. stock exchange to comply with U.S. auditing standards or risk being de-listed within three years.  Although formally applicable to companies from any foreign country, the Act appears to be principally aimed at Chinese firms, many of which have historically declined to comply with U.S. auditing standards, citing national security and state-secrets concerns.  Whether the threat of de-listing Chinese firms materializes will depend in part on how the Act is implemented by the U.S. Securities and Exchange Commission.  However, the measure’s approval by Congress without a single dissenting vote suggests that there is likely to be continuing support among U.S. policymakers for limiting Beijing’s access to U.S. investors and capital.

D.            Promoting Human Rights in Hong Kong

In connection with China’s crackdown on protests in Hong Kong and the June 2020 enactment of China’s new Hong Kong national security law—which criminalizes dissent through vague offenses such as secession, subversion, terrorism, and collusion with a foreign power—the United States moved to impose consequences on Beijing for undermining freedoms enshrined in the 1984 Sino-British Joint Declaration and Hong Kong’s Basic Law.  However, such U.S. measures have so far been limited in scope and have principally involved revoking Hong Kong’s special trading status and imposing sanctions on several senior Hong Kong and mainland Chinese government officials.  No governmental entity within the Special Administrative Region (“SAR”) of Hong Kong has yet been sanctioned.

Under U.S. law, the Secretary of State must periodically certify that Hong Kong retains a “high degree of autonomy” from mainland China in order for the territory to continue receiving preferential treatment—including lower tariffs, looser export controls, and relaxed visa requirements—compared to the rest of China.  On May 28, 2020, Secretary of State Mike Pompeo reported to the U.S. Congress that Hong Kong is no longer sufficiently autonomous to warrant such preferential treatment.  Shortly thereafter, President Trump on July 14, 2020 issued Executive Order 13936 formally revoking Hong Kong’s special trading status and signed into law the Hong Kong Autonomy Act (“HKAA”), which authorizes the President to impose sanctions such as asset freezes and visa bans on individuals and entities that enforce the new Hong Kong national security law.  The HKAA also authorizes “secondary” sanctions on non-U.S. financial institutions that knowingly conduct significant transactions with persons that enforce the Hong Kong national security law—potentially subjecting non-U.S. banks that engage in such dealings to a range of consequences, including loss of access to the U.S. financial system.

With that policy framework in place, various arms of the U.S. government soon implemented more targeted measures designed to hold Hong Kong’s leadership accountable and to conform Hong Kong’s legal status with the rest of China.

Notably, on August 7, 2020, OFAC designated to the SDN List 11 senior Hong Kong and mainland Chinese government officials—including Hong Kong’s chief executive, Carrie Lam—for their involvement in implementing the national security law.  As a result of this action, U.S. persons (as well as non-U.S. persons when engaging in a transaction with a U.S. touchpoint) are, except as authorized by OFAC, generally prohibited from engaging in transactions involving these 11 individuals and their property and interests in property.  Although OFAC has clarified in published guidance that the prohibition does not extend to routine dealings with the non-sanctioned government agencies that these individuals lead, U.S. persons should take care not to enter into contracts signed by, or negotiate with, government officials who are SDNs, activities which could trigger U.S. sanctions.

Meanwhile, the U.S. Department of Commerce in June 2020 suspended the availability of certain export license exceptions that treated Hong Kong more favorably than mainland China.  As a result of this suspension—which appears to have been driven by concerns among U.S. policymakers that sensitive goods, software, and technology exported to Hong Kong could be diverted to the mainland—exports, reexports, or transfers to or within Hong Kong of items subject to the EAR may now require a specific license from the U.S. government.  Further cementing this shift in U.S. policy, the U.S. Department of Commerce in December 2020 removed Hong Kong as a separate destination on the Commerce Country Chart, effectively ending Hong Kong’s preferential treatment for purposes of U.S. export controls.

While the implementation of tougher sanctions and export controls represents an escalation of U.S. pressure on the Chinese government, the Trump administration during its final year in office shied away from imposing more draconian measures with respect to Hong Kong.  For example, the United States has to date refrained from targeting non-U.S. banks, the Hong Kong SAR government, or acted to undermine the longstanding peg that has linked the Hong Kong Dollar and the U.S. Dollar—likely out of concern for the heavy collateral consequences that such measures could inflict on Hong Kong’s pro-Western population, as well as on the many U.S. and multinational firms with operations in the city.

In our assessment, such severe measures—which could undermine Hong Kong’s historic role as a global financial hub—are unlikely to be imposed by the Biden-Harris administration absent significant further deterioration in relations between Washington and Beijing.  Instead, particularly in light of reports of a wave of arrests in January 2021 pursuant to the Hong Kong national security law, the Biden-Harris administration could designate additional Chinese and Hong Kong government officials for their role in eroding Hong Kong’s autonomy.  A further option available to President Biden could involve easing the path for Hong Kong residents to immigrate to the United States (in line with similar proposals mooted by the U.K. government)—which would both shield such individuals from repression and impose costs on Beijing by draining away some of Hong Kong’s considerable human capital.

E.            Promoting Human Rights in Xinjiang

During 2020, the United States ramped up legislative and regulatory efforts to address and punish reported human rights abuses in China’s Xinjiang Uyghur Autonomous Region (“Xinjiang”).  Although concerns about high-tech surveillance and harsh security measures against Muslim minority groups date back over a decade, the latest reports estimate that up to 1.5 million Uyghurs, Kazakhs, and other Turkic minorities have been detained in “reeducation camps” and that many others, including former detainees, have been forced into involuntary labor in textile, apparel, and other labor-intensive industries.

In response to these developments, President Trump on June 17, 2020 signed into law the Uyghur Human Rights Policy Act of 2020.  The Act required the President to submit within 180 days a report to Congress—which as of this writing has yet to be issued—that identifies foreign persons, including Chinese government officials, who are responsible for flagrant human rights violations in Xinjiang.  The Act authorizes the President to impose sanctions (including asset freezes and visa bans) on persons identified therein, and directs the Department of State, the Director of National Intelligence, and the Federal Bureau of Investigation to submit reports to Congress on human rights abuses, and the national security and economic implications of the PRC’s actions, in Xinjiang.

The Trump administration also took a number of executive actions against Chinese individuals and entities implicated in the alleged Xinjiang repression campaign.  On July 9, 2020, OFAC designated to the SDN List the Xinjiang Public Security Bureau and four current or former Chinese government officials for their ties to mass detention programs and other abuses.  On July 31, 2020, OFAC followed up on this action by sanctioning the Xinjiang Production and Construction Corps (“XPCC”)—a state-owned paramilitary organization and one of the region’s most economically consequential actors—plus two further government officials.

In tandem with sanctions designations, the United States during 2020 leveraged export controls to advance the U.S. policy interest in curtailing human rights abuses in Xinjiang—most notably through expanded use of the Entity List.  As discussed in our 2020 Mid-Year Sanctions and Export Controls Update, BIS has over the past year continued to use its powerful Entity List designation tool to effectively ban U.S. exports to entities implicated by the interagency End-User Review Committee (“ERC”) in certain human rights violations.

While the ERC has long had the power to designate companies and other organizations for acting contrary to U.S. national security and foreign policy interests, these interests historically have been focused on regional stability, counterproliferation, and anti-terrorism concerns, plus violations of U.S. sanctions and export controls.  Beginning in October 2019, however, the ERC added human rights to this list of concerns, focusing especially on human rights violations occurring in Xinjiang and directed against Uyghurs, Kazakhs, and other members of Muslim minority groups in China.  Accelerating this trend, the ERC on three separate occasions this past year—including in June, July, and December 2020—added a total of 24 Chinese organizations to the Entity List for their conduct in Xinjiang.  Among the entities targeted were Chinese firms that enable high-tech repression by producing video surveillance equipment and facial recognition software, as well as Chinese companies that benefit from forced labor in Xinjiang such as manufacturers of textiles and electronic components.  In addition to denying these entities access to controlled U.S.-origin items, these designations also spotlight sectors of the Chinese economy that are likely to remain subject to regulatory scrutiny under the Biden-Harris administration and which may call for enhanced due diligence by U.S. companies that continue to engage with Xinjiang.

Consistent with the Trump administration’s whole-of-government approach to trade with China, the United States also used import restrictions—including a record number of withhold release orders issued by U.S. Customs and Border Protection (“CBP”)—to deny certain goods produced in Xinjiang access to the U.S. market.

CBP is authorized to enforce Section 307 of the Tariff Act of 1930, which prohibits the importation of foreign goods produced with forced or child labor.  Upon determining that there is information that reasonably, but not conclusively, indicates that goods that are being, or are likely to be, imported into the United States may be produced with forced or child labor, CBP may issue a withhold release order, which requires the detention of such goods at any U.S. port.  Historically, this policy tool was seldom used until the latter half of the Obama administration.

During 2020, CBP ramped up its use of this policy instrument, issuing 15 withhold release orders—the most in any single year for at least half a century.  Of those orders, nine were focused on Xinjiang, including import restrictions on hair products and garments produced by certain manufacturers, as well as cotton and cotton products produced by XPCC, the Chinese paramilitary organization sanctioned by OFAC.  On January 13, 2021, the Trump administration went further and imposed a withhold release order targeting all cotton products and tomato products originating from Xinjiang.  Taken together, these developments suggest that the U.S. government is likely to continue its aggressive use of import restrictions against goods sourced from Xinjiang, further heightening the need for importers to scrutinize suppliers with ties to the region in order to minimize the risk of supply chain disruptions and reputational harm.

As a complement to the regulatory changes described above, the Trump administration during 2020 published multiple rounds of guidance to assist the business community in conducting human rights diligence related to Xinjiang.  On July 1, 2020, the U.S. Departments of State, Treasury, Commerce, and Homeland Security issued the Xinjiang Supply Chain Business Advisory, a detailed guidance document for industry spotlighting risks related to doing business with or connected to forced labor practices in Xinjiang and elsewhere in China.  The Advisory underscores that businesses and individuals engaged in certain industries may face reputational or legal risks if their activities involve support for or acquisition of goods from commercial or governmental actors involved in illicit labor practices and identifies potential indicators of forced labor, including factories located within or near known internment camps.

Separately, and as discussed further below, the U.S. Department of State on September 30, 2020 issued guidance specifically focused on exports to foreign government end-users of products or services with surveillance capabilities with an eye toward preventing such items from being used to commit human rights abuses of the sort reported in Xinjiang.

Underscoring the extent of U.S. concern about the situation in Xinjiang, then-Secretary of State Pompeo on the Trump administration’s last full day in office issued a determination that the Chinese government’s activities in the region constitute genocide and crimes against humanity—a declaration that was quickly echoed by current Secretary of State Antony Blinken in his Senate confirmation hearing.  While the declaration triggers few immediate consequences under U.S. law, it could portend further U.S. sanctions designations related to China’s treatment of ethnic and religious minorities.

F.            Trade Imbalances and Tariffs

Also in 2020, the Trump administration continued to make broad use of its authority to impose tariffs on Chinese-made goods.  This policy approach met with significant opposition from private plaintiffs, setting the stage for substantial and largely unresolved litigation at the U.S. Court of International Trade.  The year began with significant tariffs already in place through two mechanisms:  Section 232 of the Trade Expansion Act of 1962 (“Section 232”), which allows the President to adjust the imports of an article upon the determination of the U.S. Secretary of Commerce that the article is being imported into the United States in such quantities or under such circumstances as to impair the national security, and Section 301 of the Trade Act of 1974 (“Section 301”), which allows the President to direct the U.S. Trade Representative to take all “appropriate and feasible action within the power of the President” to eliminate unfair trade practices or policies by a foreign country.

1.      Section 232

On January 24, 2020, President Trump issued a proclamation under Section 232 expanding the scope of existing steel and aluminum tariffs (25 percent and 10 percent, respectively) to cover certain derivatives of aluminum and steel such as nails, wire, and staples, which went into effect on February 8, 2020.  President Biden has stated that he plans to review the Section 232 tariffs, although no immediate timetable for that review has been set forth to date.

Two cases of note regarding the scope of the President’s power to impose Section 232 tariffs were decided this year.  In Transpacific Steel LLC v. United States, 466 F.Supp. 3d 1246 (CIT 2020), the court held that Proclamation 9772, which imposed a 50 percent tariff on steel products from Turkey, was unlawful because it violated Section 232’s statutory procedures and the Fifth Amendment’s Equal Protection guarantees.  The court noted that Section 232 “grants the President great, but not unfettered, discretion,” and agreed with the importers that the President acted outside the 90-day statutorily mandated window and without a proper report on the national security threat posed by steel imports from Turkey.  The court also agreed that Proclamation 9772 denied the importers the equal protection of law because it arbitrarily and irrationally doubled the tariff rate on Turkish steel products and there was “no apparent reason to treat importers of Turkish steel products differently from importers of steel products from any other country listed in the” relevant report.  While Transpacific limited the President’s power to impose Section 232 tariffs, on February 28, 2020, the Federal Circuit rejected a constitutional challenge to Section 232 itself and held that Section 232 did not unlawfully cede authority to control trade to the President in violation of the Constitution’s nondelegation doctrine, and the 232 tariffs remain in place.

On December 14, 2020, the Commerce Department published a notice announcing changes to the Section 232 steel and aluminum tariffs exclusions process.  Changes include (1) the adoption of General Approved Exclusions for specific products; (2) a new volume certification requirement meant to limit requests for more volume than needed compared to past usage; and (3) a streamlined review process for “No Objection” exclusion requests.

2.      Section 301

Although the Trump administration initiated Section 301 tariff investigations involving multiple jurisdictions, the Section 301 tariffs that have dominated the headlines are the tariffs imposed on China in retaliation for practices with respect to technology transfer, intellectual property, and innovation that the Office of the U.S. Trade Representative (“USTR”) has determined to be unfair (“China 301 Tariffs”).  The China 301 Tariffs were imposed in a series of waves in 2018 and 2019, and as originally implemented they together cover over $500 billion in products from China.

On January 15, 2020, the United States and China signed a Phase One Trade Agreement, leading to a slight reprieve in the U.S.-China trade dispute.  As part of that agreement, the United States agreed to suspend indefinitely its List 4B tariffs and to reduce its List 4A tariffs to 7.5 percent.  Pursuant to the agreement, China committed (1) to purchase an additional $200 billion in U.S. manufactured, agriculture, and energy goods and services as compared to a 2017 baseline; (2) to address U.S. complaints about intellectual property practices by providing stronger Chinese legal protections and eliminating pressure for foreign companies to transfer technology to Chinese firms as a condition of market access; (3) to implement certain regulatory measures to clear the way for more U.S. food and agricultural exports to China; and (4) to improve access to China’s financial services market for U.S. companies.  A “Phase Two” trade deal never materialized following strained relations between the two countries catalyzed in part over the coronavirus pandemic.

As the statute of limitations to challenge two of the larger China 301 Tariff tranches (List 3 and List 4A) approached with no further progress beyond the Phase One Trade Agreement, in an unprecedented act thousands of parties affected by the tariffs filed suit at the Court of International Trade, alleging that the tariffs were not properly authorized by the Trade Act of 1974, and that USTR violated the Administrative Procedure Act when it imposed them.  More than 3,500 actions, some filed jointly by multiple plaintiffs, were filed, and case management issues are still under development: the U.S. Court of International Trade has not yet designated a “test” case or cases—the case(s) which will be resolved first, while the rest of the cases are stayed pending resolution—or determined if the case(s) will be heard by a three-judge panel.  These arguments are playing out on the docket of HMTX Industries LLC v. United States, Ct. No. 20-00177, which we presume will be a lead case.

Although the China 301 Tariffs were a hallmark of the Trump administration’s trade policy, we expect them to remain in place under the Biden-Harris administration, at least during an initial period of review.  President Biden has nominated Katherine Tai, the former lead trade attorney for the U.S. House of Representatives Ways and Means Committee, to serve as USTR.  Her background includes significant China-related expertise—including successful litigation at the World Trade Organization, involvement in drafting proposed legislation on China-related issues, such as Uyghur forced labor, and experience as USTR’s chief counsel for China enforcement—suggesting that China will remain a focus of U.S. trade policy going forward.

G.            China’s Counter-Sanctions – The Chinese Blocking Statute

The Chinese Blocking Statute, which we discuss at greater depth in our recent client alert, creates a reporting obligation for Chinese persons and entities impacted by extra-territorial foreign regulations.  Critically, this reporting obligation is applicable to Chinese subsidiaries of multinational companies.  The Chinese Blocking Statute also creates a private right of action for Chinese persons or entities to seek civil remedies in Chinese courts from anyone who complies with prohibited extra-territorial measures.

While the Chinese regulations remain nascent and the initial list of extra-territorial measures that the Chinese Blocking Statute will cover has yet to be published, the law marks a material escalation in the longstanding Chinese threats to impose counter-measures against the United States (principally) by establishing a meaningful Chinese legal regime that could challenge foreign companies with operations in China.  If the European model for the Chinese Blocking Statute continues to serve as Beijing’s inspiration, we will likely see both administrative actions to enforce the measure as well as private sector suits to compel companies to comply with contractual obligations, even if doing so is in violation of their own domestic laws.

The question for the United States with respect to this new Chinese law will be how to balance the aggressive suite of U.S. sanctions and export control measures levied against China—which the U.S. government is unlikely to pare back—against the growing regulatory risk for global firms in China that could be caught between inconsistent compliance obligations.  As has long been the case, international companies will continue to be on the front lines of Washington-Beijing tensions and they will need to remain flexible in order to respond to a fluid regulatory environment and maintain access to the world’s two largest economies.

H.            New Chinese Export Control Regime

On December 1, 2020, the Export Control Law of the People’s Republic of China (“China’s Export Control Law”) officially took effect.  This marks a milestone on China’s long-running efforts towards a comprehensive and unified export control regime and to large parts has been discussed in detail in our recent client alert.

By passing China’s Export Control Law, China has formally introduced concepts common to other jurisdictions, yet new to China’s export control regime such as, inter alia, embargos, into its export control regime, and particularly expands the scope of China’s Export Control Law to have an extraterritorial effect.  Compared to China’s prior export control rules scattered in various other laws and regulations, China’s Export Control Law has also imposed significantly enhanced penalties in case of violations.  Pursuant to China’s Export Control Law, the maximum monetary penalties in certain violations could reach 20 times the illegal income.  Any foreign perpetrators may also be held liable, although unclear how.

Before this new law came into effect, China already took actions to curb the export control of sensitive technologies.  On August 28, 2020, in the midst of the forced TikTok sale demanded by the U.S. government, China amended its Catalogue of Technologies Whose Exports Are Prohibited or Restricted to capture additional technologies, including “personalized information push service technology based on data analysis” that is relied upon by TikTok.  Such inclusion would make it extremely challenging, if not impossible, to export the captured technologies because “substantial negotiation” of any technology export agreement with respect to such technology may not be conducted without the approval of the relevant Chinese authorities.

In addition to China’s Export Control Law, detailed provisions with respect to China’s unreliable entity list were unveiled on September 19, 2020, namely, the Provisions on the Unreliable Entities List.  This unreliable entity list, which may include foreign companies and individuals (although none has been identified so far), has been deemed by some as China’s attempt to directly counter BIS’s frequent use of its entity list.  For those listed in China’s unreliable entity list, China-related import and export, investment and other business activities may be restricted or prohibited.

Although there has been no official update so far with respect to exactly whom or which entity would be placed on China’s control list or unreliable entity list, China has imposed sanctions on a number of U.S. individuals and entities in the second half of 2020, which has been perceived as a counter measure against U.S.’s sanctions of Chinese (including Hong Kong) entities and officials.

For instance, on December 10, 2020, shortly after the Hong Kong-related designations by the U.S. Department of the Treasury on December 7, 2020, a spokesperson from China’s Ministry of Foreign Affairs announced sanctions against certain U.S. officials for “bad behavior” over Hong Kong issues and revoked visa-free entry policy previously granted to U.S. diplomatic passport holders when visiting Hong Kong and Macau.

II.       U.S. Sanctions Program Developments

A.            Iran

During the second half of 2020, the outgoing Trump administration and then-candidate Biden articulated sharply contrasting positions on Iran sanctions—both bearing the hallmarks of their broader approaches to foreign policy.  In its final push for “maximum economic pressure,” the Trump administration sought to impose additional sanctions that would make it more difficult for the Biden-Harris administration to reenter the JCPOA, the nuclear deal negotiated by the Obama administration.  At the same time, then-candidate Biden laid out his plan to reengage with Iran, reinstate compliance with the JCPOA, and roll back the U.S. sanctions that had been re-imposed.

With the international community rebuffing efforts to abandon the JCPOA and Iran’s current government signaling interest in a quick return to the deal, the stage could be set for the Biden-Harris administration to achieve its goals for Iran, although the timing is uncertain.  Domestic political concerns in both countries, a global pandemic, and pressure from U.S. allies in the Middle East could frustrate these efforts and ensure the sanctions status quo remains in the near term.

The Trump administration’s effort in August and September to snap United Nations sanctions back into effect marked the culmination of a years-long campaign intended to drive Iran to negotiate a more comprehensive deal for relief.  Where the JCPOA only addressed Iran’s nuclear program, the Trump administration sought an agreement regulating more facets of Iran’s “malign activities” in return for sanctions relief.  The “maximum economic pressure” campaign began in earnest in November 2018 with the full re-imposition of sanctions that had been lifted under the terms of the JCPOA.  As we discussed in our 2019 Year-End Sanctions Update, the campaign continued throughout 2019, as the United States targeted new industries and entities and ramped up pressure on previously sanctioned persons.

The Trump administration continued increasing this pressure over the course of 2020, while clarifying the scope of humanitarian exemptions in response to the global coronavirus pandemic.  Our 2020 Mid-Year Sanctions and Export Controls Update details re-imposition of restrictions on certain nuclear activities, a steady stream of new designations, and the expansion of U.S. secondary sanctions to target new sectors of the Iranian economy.  This increasing pressure was accompanied by several measures designed to facilitate Iran’s response to the coronavirus pandemic, including additional interpretive guidance, approved payment mechanisms, and a new general license.

Trump administration efforts in the latter half of 2020 were more focused on maximizing economic pressure on Iran.  OFAC made use of new secondary sanctions authorities to impose additional sanctions on Iran’s financial sector, and announced further authorities targeting conventional arms sales to Iran, responding directly to the impending rollback of UN sanctions.  The steady stream of designations also continued, with OFAC focusing particularly on entities operating in or supporting Iran’s petroleum and petrochemicals trade (see e.g., designation announcements in September, October, and December), including additional restrictions on the Iranian Ministry of Petroleum, the National Iranian Oil Company (“NIOC”), and the National Iranian Tanker Company (“NITC”).  OFAC also designated several rounds of new targets, including senior officials in the Iranian government, for alleged involvement in human rights violations.

Despite this mounting economic pressure, Iran has still found ways to slip through the grasp of the tightening embargo.  In the fall of 2020, market watchers observed a sharp uptick in Iranian oil exports.  Increasing demand among U.S. adversaries—including China and Venezuela—along with steep discounts from Iran have likely contributed to the spike in exports.  Increasingly-sophisticated evasion tactics have helped too—despite State Department guidance published in May 2020 to address these deceptive shipping practices.

The U.S. also continued to pursue criminal penalties for entities that tried to evade U.S. sanctions.  In August, the United States charged an Emirati entity and its managing director for implementing a scheme to circumvent U.S. sanctions and supply aircraft parts to Mahan Air, an Iranian airline and longtime target of U.S. export controls and sanctions designated for supporting Iran’s Islamic Revolutionary Guard Corps’ Quds Force.  OFAC simultaneously imposed sanctions on those Emirati targets, as well as several other associated entities.  These enforcement efforts hit one notable setback in July, when a judge in the Southern District of New York dismissed a case against Ali Sadr Hashemi Nejad, who had been convicted of using the U.S. financial system to process payments to Iran.  The judge vacated Mr. Nejad’s conviction after the U.S. Attorney’s office revealed alleged misconduct by the prosecutors that originally tried the case—including efforts to “bury” evidence turned over to the defense.

Efforts to increase pressure on Iran reached their zenith with the Trump administration’s unilateral push to trigger the snapback of broad international sanctions on Iran.  In an effort to ensure that the JCPOA remained responsive to concerns about Iran’s compliance, the original parties included a mechanism that would allow the UN-based international sanctions regime to snap back into place if a party to the agreement brought a compliant that Iran was not in compliance.  The United States attempted to trigger this snapback mechanism by submitting allegations of Iranian noncompliance to the UN Security Council on August 20, 2020.  The other members of the Security Council flatly rejected the U.S. efforts.  They argued that the United States, which had withdrawn from the agreement in 2018, no longer had standing to trigger the snapback, and, although they acknowledged Iran’s noncompliance, they expressed a preference for resolving the issue within the confines of the JCPOA.  Nevertheless, in keeping with the timelines provided in the JCPOA, Secretary Pompeo announced “the return of virtually all previously terminated UN sanctions” on September 19.  The remaining members of the JCPOA ignored the announcement and did not re-impose restrictions.

This fatigue with the current U.S. position and the calls for further leniency in response to the pandemic have created an international environment that may facilitate the Biden-Harris administration’s plans to return to the JCPOA.  President Biden and his National Security Adviser, Jake Sullivan, have clearly stated that, if Iran returns to “strict compliance,” the administration would rejoin the JCPOA.  For its part, Iranian President Hassan Rouhani has announced that Iran would hasten to comply with the JCPOA if the U.S. were to rejoin.  Iran’s supreme leader, Ayatollah Ali Khamenei, may also favor a return to the JCPOA, as more reliable oil revenues are important to help ensure future domestic stability.

However, the window for a return to the JCPOA may be narrow and may not accommodate the Biden-Harris administration’s desire for follow-on agreements addressing other aspects of Iran’s malign activities.  Iranian elections are coming up in June, and hard-liners have signaled their opposition to a revived JCPOA.  Iran has also increased its uranium enrichment and begun construction projects at its most significant nuclear facilities.  This activity could embolden domestic opposition in the United States, where there is already limited appetite for a return to the basic JCPOA structure.  Even close Biden ally Senator Chris Coons (D-DE) has suggested that a revised deal should address not only the nuclear issues covered by the JCPOA but also Iran’s missile program.  If domestic political concerns prevent a return to the agreement, sanctions could continue to tighten and could even return to pre-JCPOA levels if Iran intensifies its noncompliance.

B.            Venezuela

Despite the far reaching effects of OFAC’s current Venezuela sanctions program, which has crippled Venezuela’s state-owned oil company, Petróleos de Venezuela, S.A. (“PdVSA”), the regime of President Nicolás Maduro remains firmly entrenched, and emerged victorious from a December 2020 legislative election that U.S. Secretary of State Mike Pompeo described as a “political farce.”  The results have made it increasingly difficult for Venezuela’s opposition movement seeking to oust Maduro, further undermining opposition leader and Interim President Juan Guaidó.  The economic devastation, political instability, and compounding impacts of the pandemic have continued the refugee crisis pressuring some of Venezuela’s neighbors and creating an even more delicate security environment for the Biden-Harris administration.

At the end of 2020, Biden-Harris transition representatives suggested that the new administration would push for free and fair elections in Venezuela in exchange for sanctions relief, but not necessarily to require Maduro’s surrender as a condition of negotiations.  The approach is expected to be coordinated with international allies, and Maduro’s foreign backers in Russia, China, Iran and Cuba will likely be involved.  The Biden-Harris team has promised to review existing OFAC sanctions with respect to Venezuela, assessing which potential measures may be lifted as part of any future discussions.

As we described in our 2020 Mid-Year Sanctions and Export Controls Update, last year the Trump administration deployed an array of tools to deny the Maduro regime the resources and support necessary to sustain its hold on power—from indicting several of Venezuela’s top leaders to aggressively targeting virtually all dealings with Venezuela’s crucial oil sector with sanctions, including designating prominent Chinese and Russian companies involved with the sector.  In February and March 2020, OFAC designated two subsidiaries of the Russian state-controlled oil giant Rosneft for brokering the sale and transport of Venezuelan crude—prompting Rosneft to sell off the relevant assets and operations to a unnamed company.  On November 30, 2020, OFAC announced another major designation under the Venezuela sanctions program,  China National Electronic Import-Export Company (“CEIEC”).  OFAC explained that CEIEC supported the Maduro regime’s “malicious cyber efforts,” including online censorship, strategically timed intentional electricity and cellphone blackouts, and a fake website purportedly for volunteers to participate in the delivery of international humanitarian aid that was actually designed to phish for personal information.  CEIEC has over 200 subsidiaries and offices worldwide, and through the application of OFAC’s 50 Percent rule any subsidiaries that are at least half-owned by CEIEC will be subject to the same restrictions as CEIEC.

On December 18, 2020, OFAC designated a Venezuelan entity and two individuals for providing material support to the Maduro regime, including by providing goods and services used to carry out the “fraudulent” parliamentary elections.  On December 30, 2020, OFAC designated a Venezuelan judge and prosecutor for involvement in the unfair trial of the “Citgo 6,” six executives of PdVSA’s U.S. subsidiary Citgo who were lured to Venezuela under false pretenses and arrested in 2017.

OFAC also narrowed the scope of activities authorized by several general licenses.  In April 2020, OFAC further restricted dealings with Venezuela’s oil sector by narrowing one of the few remaining authorizations for U.S. companies to engage in dealings with PdVSA.  On November 17, 2020, OFAC extended this narrowed version of General License 8 through June 3, 2021.  On January 4, 2021, OFAC revised General License 31A, which authorized certain transactions involving the Venezuelan National Assembly and Guaidó, to specify that it applies only to the members of the National Assembly seated on January 5, 2016, i.e. prior to the December 2020 election.

C.            Cuba

The Trump administration continued its pressure on Cuba in 2020, in an ostensible attempt to appeal to Cuban-American and other voters in Florida prior to the election and then to bind the incoming Biden-Harris administration from shifting course in U.S.-Cuba relations.  The new U.S. administration had previously nodded to changes in U.S.-Cuba relations, with then-candidate Biden criticizing the Trump administration for inflicting harm on the Cuban people and promising to roll back certain Trump’s policies.  That said, Biden-Harris representatives acknowledged that significant change was unlikely to happen anytime soon.

1.      Designations and Remittance Restrictions

As we analyzed in our 2020 Mid-Year Sanctions and Export Controls Update, the Trump administration added numerous entities to the State Department’s Cuba Restricted List this year, thus prohibiting U.S. persons and entities from engaging in direct financial transactions with them and imposing certain U.S. export control licensing requirements.  Between June and September 2020, the State Department added numerous Cuban military-owned sub-entities—most operating in Cuba’s tourism industry—to the Cuba Restricted List, including the financial services company Financiera Cimex (“FINCIMEX”) and its subsidiary American International Services (“AIS”).  In October 2020, OFAC amended the Cuban Assets Control Regulations (“CACR”) to prohibit indirect remittance transactions with entities on the Cuba Restricted List, including transactions relating to the collection, forwarding, or receipt of remittances.  The U.S. administration turned the screws again on FINCIMEX in December 2020, designating it, Kave Coffee, and their Cuban military-controlled umbrella enterprise Grupo de Administración Empresarial (“GAESA”) to the SDN List.  On January 15, 2021, five days before President Biden’s inauguration, OFAC designated the Cuban Ministry of Interior (“MININT”) and its leader, Lazaro Alberto Álvarez Casas, for human rights abuses relating to the monitoring of political activity.  According to OFAC, Cuban dissident Jose Daniel Ferrer was beaten, tortured, and held in isolation in a MININT-controlled prison in September 2019.

2.      State Sponsor of Terrorism Determination

Furthermore, on January 11, 2021, the State Department re-designated Cuba as a State Sponsor of Terrorism (“SST”), on the grounds that Cuba “repeatedly provid[es] support for acts of international terrorism in granting safe harbor to terrorists,” and in a direct reversal of a May 2015 decision by the Obama administration to remove that designation.  An SST designation imposes several restrictions, including a ban on Cuba-related defense exports, credits, guarantees, other financial assistance, and export licensing overseen by the State Department (Section 40 of the Arms Export Control Act); a license requirement (with a presumption of denial) for exports of dual-use items to Cuba (Section 1754(c) of the National Defense Authorization Act for Fiscal Year 2019); and a ban on U.S. foreign assistance to Cuba (Section 620A of the Foreign Assistance Act).  The SST designation opens the door for other U.S. federal agencies to impose further restrictions, and it remains to be seen how the new Biden-Harris administration will navigate the course.  When President Obama lifted the designation, that procedure required months of review by the State Department, a 45-day pre-notification period for Congress, and a cooperative Congress that did not exercise the blocking authority made available to it under the Arms Export Control Act.

3.      Travel Restrictions

In September 2020, OFAC amended the CACR for the first time since September 2019.  In this amendment, OFAC targeted Cuba’s travel, alcohol, and tobacco industries by prohibiting any U.S. person from engaging in lodging transactions, either directly or indirectly, with any property that the Secretary of State has identified as owned or controlled by the Cuban government or its prohibited officials and their relatives.  Concurrent with this change, the State Department published the new Cuba Prohibited Accommodations List to identify the lodging properties that would trigger this prohibition.  Additionally, the CACR amendment eliminated certain general licenses to restrict attendance at professional meetings or conferences in Cuba and attendance at or transactions incident to public performances, clinics, workshops, other athletic or non-athletic competitions, and exhibitions in Cuba.

4.      Helms-Burton Act

As we wrote in May 2019, on April 17, 2019, the Trump administration lifted long-standing limitations on American citizens seeking to sue over property confiscated by the Cuban regime after the revolution led by Fidel Castro six decades ago.  Title III of the Cuban Liberty and Democratic Solidarity (“LIBERTAD”) Act of 1996, commonly known as the Helms-Burton Act, authorizes current U.S. citizens and companies whose property was confiscated by the Cuban government on or after January 1, 1959 to bring suit for monetary damages against individuals or entities that “traffic” in that property.  The policy rationale for this private right of action was to provide recourse for individuals whose property was seized by the Castro regime.  As part of the statutory scheme, Congress provided that the President may suspend this private right of action for up to six months at a time, renewable indefinitely.  Until May 2019, U.S. Presidents of both parties had consistently suspended that statutory provision in full every six months.  While President Biden could suspend the private right of action, already-existing Title III lawsuits are authorized under the Helms-Burton Act to run to completion, inclusive of any appeals.

D.            Russia

Although the COVID-19 pandemic and resulting economic crisis dominated President Biden’s first few days in office, his administration was forced to act fast to achieve an extension of the New Strategic Arms Reduction Treaty (“New START”) arms control treaty ahead of a February 5, 2021 deadline.  The extension to February 4, 2026, does not necessarily portend any greater degree of cooperation between the two countries, however, as the new U.S. administration has suggested that it may impose new measures on Russia pending an intelligence assessment of its recent activities.

1.      CAATSA Section 224 Russian Cyber Sanctions

As noted above, U.S. federal agencies are still assessing the scope and impact of the recent Russian cyberattack that breached network security measures of at least half a dozen cabinet-level agencies and many more private sector entities, which could lead to sanctions under a 2015 Executive Order targeting persons engaged in malicious cyber activities or Section 224 of the Countering America’s Adversaries Through Sanctions Act (“CAATSA”).  There is recent precedent for such actions—on October 23, 2020, OFAC designated Russia’s State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (“TsNIIKhM”) pursuant to Section 224 of CAATSA for TsNIIKhM’s involvement in the development and spread of Triton malware, also known as TRISIS or HatMan, which targets and manipulates industrial safety systems and has been described as “the most dangerous” publicly known cybersecurity threat.  Triton first made news in 2017 after it crippled a petrochemical plant in Saudi Arabia, and OFAC warned that Russian hackers had turned their attention to U.S. infrastructure, where at least 20 electric utilities have been probed by hackers for vulnerabilities since 2019.

2.      CAATSA Section 231 Russian Military Sanctions

On December 14, 2020, the United States imposed sanctions on the Republic of Turkey’s Presidency of Defense Industries (“SSB”), the country’s defense procurement agency, and four senior officials at the agency, for its dealings with Rosoboronexport (“ROE”), Russia’s main arms export entity, in procuring the S-400 surface-to-air missile system.  As we described in December 2020, Section 231 of CAATSA required the imposition of sanctions on any person determined to have knowingly engaged in a significant transaction with the defense or intelligence sectors of the Russian government.  Notwithstanding Section 231’s mandatory sanctions requirement, the Trump administration repeatedly tried to pressure Turkey to abandon the ROE deal before sanctions were imposed.  In line with a growing list of non-SDN measures managed by OFAC (including the Sectoral Sanctions and the Communist Chinese Military Companies investment restrictions), these sanctions are not full blocking measures and the SSB listing led OFAC to construct a new Non-SDN Menu-Based Sanctions List.

3.      CAATSA Section 232 Nord Stream 2 and TurkStream Sanctions

U.S. efforts to block Russia’s ongoing construction of major gas export pipelines to bypass Ukraine have been a longstanding source of tension not just between Washington and Moscow but also with the United States’ core European allies.  In Section 232 of CAATSA, Congress authorized—but did not require—the President to impose certain sanctions targeting Russian energy export pipelines “in coordination with allies of the United States,” a statement of apparent deference to NATO allies like Germany and Turkey that would benefit most from the construction of the Nord Stream 2 and the TurkStream pipelines.  That deference waned in the intervening years, and as we wrote in our 2019 Year-End Sanctions Update, the National Defense Authorization Act for Fiscal Year 2020 (“2020 NDAA”) included provisions requiring the imposition of sanctions against vessels and persons involved in the construction of the Nord Stream 2 and the TurkStream pipelines.  Although the inclusion of these sanctions signaled U.S. support for Ukraine, their impact was thought to be minimal as the pipelines’ construction was nearly complete (only one 50-mile gap remained of the Nord Stream 2 pipeline).

But the impact was more severe than anticipated.  On July 15, 2020, the Department of State updated its guidance concerning the applicability of sanctions under Section 232 of CAATSA, expanding its scope to almost all entities involved in the construction of the Nord Stream 2 or TurkStream gas pipelines, not just to those who initiated their work after CAATSA’s enactment.  And on January 1, 2021, as part of the NDAA for Fiscal Year 2021, Congress amended CAATSA to authorize sanctions for foreign persons whom the Secretary of State, in consultation with the Secretary of the Treasury, deems to have knowingly helped provide pipe-laying vessels for Russian energy export pipelines.

Despite these sanctions—as well as growing domestic opposition to Russia in the aftermath of the poisoning of Russian opposition leader Aleksei Navalny—Germany remains committed to completing Nord Stream 2, which is now over 90 percent finished.  Indeed, in early January, Germany’s Mecklenburg-Vorpommern State Parliament voted to create a state-owned foundation to facilitate the pipeline’s construction, taking advantage of an exemption added on January 1 for EU governmental entities not operating as a business enterprise.

4.      Other Recent Russian Designations

In July 2020, OFAC targeted Russian financier Yevgeniy Prigozhin’s wide-ranging network of companies in Sudan, Hong Kong and Thailand.  Prigozhin has been the target of U.S. sanctions since 2016, and purportedly financed the Internet Research Agency, a Russian troll farm designated by OFAC in 2018, as well as Private Military Company (“PMC”) Wagner, a Russian military proxy force active in Ukraine, Syria, Sudan and Libya that was designated by OFAC in 2017.  OFAC highlighted Prigozhin’s role in Sudan and the “interplay between Russia’s paramilitary operations, support for preserving authoritarian regimes, and exploitation of natural resources.”  OFAC also targeted Prigozhin’s network of financial facilitators in Hong Kong and Thailand.  In September 2020, OFAC imposed sanctions on entities and individuals working on behalf of Prigozhin to advance Russia’s interest in the Central African Republic (“CAR”).

Also in September, OFAC imposed blocking sanctions on Andrii Derkach, a member of the Ukrainian parliament and an alleged agent of Russia’s intelligence services.  According to the U.S. Department of the Treasury, Derkach waged a “covert influence campaign” against then-candidate Biden by distributing false and unsubstantiated narratives through media outlets and social media platforms with the aim of undermining the 2020 U.S. presidential election.  An additional round of sanctions was announced on January 11, targeting individuals and news outlets in Ukraine that cooperated with Derkach in his efforts to interfere in the 2020 U.S. election.  OFAC also extended two Ukraine-related General Licenses, 13P and 15J, that permit U.S. persons to undertake certain transactions related to GAZ Group, which was among the Russian entities designated on April 6, 2018 for being owned by one or more Russian oligarchs or senior Russian government officials.  Among other actions, the regulatory authorizations, extended for over one year to January 26, 2022, allow U.S. persons to transfer or divest their holdings in GAZ Group to non-U.S. persons, allow U.S. persons to facilitate the transfer of holdings in GAZ Group by a non-U.S. person to another non-U.S. person, and allow U.S. persons to engage in certain transactions related to the manufacture and sale of automobiles, trucks, and other vehicles produced by GAZ Group or its subsidiaries.

E.            North Korea

As we described in our 2020 Mid-Year Sanctions and Export Controls Update, the United States continued to expand its campaign to isolate North Korea economically and to cut off illicit avenues of international support for its nuclear, chemical, and biological weapons programs.  In addition to amending the North Korea Sanctions Regulations (“NKSR”), U.S. authorities issued sanctions advisories and pursued multiple enforcement actions against persons who violated these sanctions.

1.      NKSR Amendments

On April 10, 2020, OFAC issued amendments to the NKSR, 31 C.F.R. part 510, to implement certain provisions of the North Korea Sanctions and Policy Enhancement Act of 2016 (“NKSPEA”), as amended by CAATSA, and the 2020 NDAA.  Changes included implementing secondary sanctions for certain transactions; adding potential restrictions to the use of correspondent accounts for non-U.S. financial institutions that provide significant services to identified SDNs; prohibiting non-U.S. subsidiaries of U.S. financial institutions from transacting with the government of North Korea or any SDN designated under the NKSR; and revising the definitions of “significant transactions” and “luxury goods.”

These amendments mark a significant jurisdictional expansion; in addition to potential secondary sanctions for foreign financial institutions that conduct significant business with North Korea, foreign banks that are subsidiaries of U.S. financial institutions are now directly subject to the NKSR.  Thus, although the ailing condition of North Korea’s economy may limit the impact of these measures on the international community, they put global financial institutions on notice to be vigilant with sanctions compliance and mindful of any dealings with North Korea.

2.      Ballistic Missile Procurement Advisory

On September 1, 2020, the U.S. Departments of State, Treasury, and Commerce issued an advisory on North Korea’s ballistic missile procurement activities.  The advisory identified key North Korean procurement entities, including the Korea Mining Development Trading Corporation (“KOMID”), the Korea Tangun Trading Corporation (“Tangun”), and the Korea Ryonbong General Corporation (“Ryonbong”), and provided an annex identifying the main materials and equipment that North Korea is looking to source internationally for its ballistic missile program.  The guidance also highlighted various procurement tactics that North Korea employs, including using North Korean officials accredited as diplomats to orchestrate the acquisition of sensitive technology; collaborating with foreign-incorporated companies (often Chinese and Russian entities) to acquire foreign-sourced basic commercial components; and mislabeling sensitive goods to escape export control requirements or to conceal the true end user.

The advisory emphasized that suppliers must not only watch for items listed in the Annex—or on U.S. or UN control lists—but also for widely available items that may end up contributing to the production or development of weapons of mass destruction (“WMD”).  The electronics, chemical, metals, and materials industries, as well as the financial, transportation, and logistics sectors, are at particular risk of such end-use exposure and must pay heed to “catch-all” controls, such as United Nations Security Council Resolution (“UNSCR”) 2270, that require authorization, like a license or permit, if there is any risk that their products may contribute to WMD-related programs.  Consistent with OFAC’s compliance framework, the advisory encouraged companies to take a risk-based approach to sanctions compliance.

3.      SDN Designations in the Shipping Industry

In May 2020, OFAC, the Department of State, and the U.S. Coast Guard issued a global advisory warning the maritime industry, as well as the energy and metals sectors, about deceptive shipping practices used to evade sanctions.  Numerous designations throughout the course of 2020 demonstrate OFAC’s continued focus on the shipping industry and North Korean trade.  On December 8, 2020, OFAC designated six entities and four vessels for violating UNSCR 2371’s restrictions on transporting or exporting North Korean coal.  Designees include several Chinese entities (two of which were also registered in the United Kingdom), as well as companies in Hong Kong and Vietnam.

4.      Criminal Enforcement

The violation of North Korean sanctions also continues to be an enforcement priority for both OFAC and U.S. Department of Justice.  As we described in our 2020 Mid-Year Sanctions and Export Controls Update, on May 28, 2020, DOJ unsealed an indictment charging 33 individuals, acting on behalf of North Korea’s Foreign Trade Bank, for facilitating over $2.5 billion in illegal payments to support North Korea’s nuclear program.

DOJ and OFAC have also focused on non-North Korean companies who have supported the efforts of their North Korean customers to access the U.S. financial system.  In July 2020, OFAC and DOJ announced parallel resolutions with UAE-based Essentra FZE Company Limited (“Essentra”) for violating the NKSR by exporting cigarette filters to North Korea using deceptive practices, including the use of front companies.  On August 31, 2020, DOJ announced that Yang Ban Corporation (“Yang Ban”), a company established in the British Virgin Islands that operated in South East Asia, pled guilty to conspiring to launder money in connection with evading sanctions on North Korea and deceiving correspondent banks into processing U.S. dollar transactions.

Lastly, on January 14, 2021, OFAC announced a settlement with Indonesian paper products manufacturer PT Bukit Muria Jaya (“BMJ”) to resolve alleged violations of the NKSR connected to the exportation of cigarette paper to North Korea.  DOJ announced a parallel resolution with BMJ through a Deferred Prosecution Agreement (“DPA”) to resolve allegations of conspiracy to commit bank fraud shortly thereafter.  The Yang Ban and BMJ matters highlight DOJ’s increasing use of the money laundering and bank fraud statutes to pursue criminal cases related to sanctions violations, as neither case included an alleged violation of IEEPA.

F.            Syria

OFAC continues to maintain a comprehensive and wide-ranging sanctions regime against the Bashal al-Assad regime in Syria.  On August 20, 2020, OFAC designated Assad’s press officer and the leader of the Syrian Ba’ath Party under Executive Order 13573 as senior Government of Syria officials, while the State Department simultaneously imposed sanctions on several individuals under Executive Order 13894 for their role in “the obstruction, disruption, or prevention of a political solution to the Syrian conflict and/or a ceasefire in Syria.”

On September 30, 2020, OFAC and the State Department designated additional “key enablers of the Assad regime,” including the head of the Syrian General Intelligence Directorate, the Governor of the Central Bank of Syria, and a prominent businessman (and his businesses) who served as a local intermediary for the Syrian Arab Army, while on November 9 OFAC and State designated additional individuals and entities, focusing on stymying Syria’s attempt to revive its petroleum industry.  Rounding out the year, on December 22, 2020, OFAC and the State Department sanctioned additional senior government officials and entities, including Assad’s wife, Asma al-Assad—who had already been designated in June 2020—as well as several members of her family.

Additionally, on December 22, OFAC officially designated the Central Bank of Syria (“CBS”) as an SDN.  However, as the accompanying press release noted, the CBS has been blocked under Executive Order 13582 since 2011.  As a simultaneously issued FAQ states, the designation “underscore[es] its blocked status” but “does not trigger new prohibitions.”  The FAQ includes the reminder that  “non-U.S. persons who knowingly provide significant financial, material, or technological support to, or knowingly engage in a significant transaction with the Government of Syria, including the [CBS], or certain other persons sanctioned with respect to Syria, risk exposure to sanctions.”  Another FAQ, issued on the same date, reiterated that U.S. and non-U.S. persons can continue engage with CBS in authorized transactions that provide humanitarian assistance to Syria, and clarified that OFAC will not consider transactions to be “significant” if they are otherwise authorized to U.S. persons, and therefore non-U.S. persons are not prohibited from participating in transactions that provide humanitarian assistance to the people of Syria.

G.            Other Sanctions Developments

1.      Belarus

During the second half of 2020, OFAC designated several individuals and entities for their role in participating in the fraudulent August 9, 2020 Belarus presidential election or the violent suppression of the peaceful protests that followed.  Beginning in August 2020, the Belarusian government instituted a violent crackdown on wide scale protests that had erupted following the reelection of longtime leader Aleksandr Lukashenko, which had been widely denounced as fraudulent.  The crackdown was broadly condemned internationally, with both the U.S. and EU imposing sanctions on those determined to have been involved in orchestrating the election fraud or the subsequent violence.

On October 2, 2020, OFAC, in coordination with the United Kingdom, Canada, and EU, designated eight individuals under Executive Order 13405, which was initially promulgated in response to Lukashenko’s questionable reelection in 2006.  The eight individuals include Belarus’s Interior Minister and his deputy, the leaders of organizations involved in violently suppressing protesters, the Commander and Deputy Commander of the Ministry of the Interior’s Internal Troops, and the Central Election Commission’s Deputy Chairperson and Secretary.  Several months later, on December 23, OFAC designated the Chief of the Criminal Police as well as four entities involved in the administration of the election and subsequent crackdown.  The EU similarly imposed three rounds of sanctions on a total of 88 individuals and 7 entities following the August 9, 2020 election, while Canada and the United Kingdom also imposed sanctions on Belarus.

2.      Ransomware Advisory

On October 1, 2020, OFAC issued an “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” which details the sanctions risk posed by paying ransom to malicious cyber actors on behalf of victims of cyberattacks.  The Advisory provides several examples of SDNs who have been designated due to their malicious cyber activities, and underscores the prevalence of such actors on OFAC’s sanctions lists.  While the Advisory did not break new ground, it emphasizes that facilitating a ransomware payment, even on behalf of a victim of an attack, could constitute a sanctions violation, including in cases where a non-U.S. person causes a U.S. person to violate sanctions (in this case, to make the ransom payment to an SDN on behalf of the U.S. victim).

3.      Art Advisory

One month later, on October 30, 2020, OFAC issued an “Advisory and Guidance on Potential Sanctions Risks Arising from Dealings in High-Value Artwork.” The Advisory underscores the sanctions risk posed by dealing in high value artwork—in particular artwork valued in excess of $100,000—due to the prevalence of SDNs’ participation in the market.  The Advisory details how SDNs take advantage of the anonymity and confidentiality characteristic of the market to evade sanctions and even provides several examples of SDNs—including a top Hizballah donor, two Russian oligarchs, and a sanctioned North Korean art studio—who have taken advantage of the high-end art market to evade sanctions.

The Advisory further encourages U.S. persons and companies, including galleries, museums, private collectors, and art brokers, to implement risk-based compliance programs to mitigate against these risks.  Further, and significantly, the Advisory clarifies that although the import and export of artwork is exempted from regulation under the Berman Amendment to IEEPA (which exempts from sanctions the export of information), OFAC does not interpret this exemption to encompass the intentional evasion of sanctions via the laundering of financial assets through the purchase and sale of high value artwork.

4.      Hizballah Designations

OFAC has continued to put pressure on Hizballah through the imposition of sanctions in the second half 2020, particularly in the wake of the explosion at the Port of Beirut in August 2020, which highlighted the corruption and mismanagement that had become endemic to the Lebanese government.  By the end of 2020, over 95 Hizballah-affiliated individuals and entities had been designated by OFAC since 2017.  On September 8, 2020, OFAC designated two Lebanese government ministers for having “provided material support to Hizballah and engaged in corruption.”  Both ministers reportedly took bribes from Hizballah in return for granting the organization political and business favors.  Fewer than two weeks later, on September 17, 2020, OFAC designated two Lebanese companies for being owned or controlled by Hizballah, as well as a senior Hizballah official, who is “closely associated” with the companies.  The companies, which are controlled by Hizballah’s Executive Council, reportedly had been used by Hizballah to evade sanctions and conceal the organization’s funds.  One month later, on October 22, 2020, OFAC designated two members of Hizballah’s Central Council, which is the body that elects the organization’s ruling Shura Council.

On September 2, 2020, the United States designated the chief prosecutor of the International Criminal Court (“ICC”), as well as an ICC senior official, to the SDN List, the first promulgation of sanctions pursuant to a June 11, 2020 Executive Order—which we discussed in more detail in our 2020 Mid-Year Sanctions and Export Controls Update—declaring the ICC to be a threat to the national security of the United States due to its ongoing investigation of U.S. military actions in Afghanistan.

On January 21, 2020, a court in the Southern District of New York issued a preliminary injunction against the government, enjoining it from enforcing aspects of the Executive Order and its implementing regulations (that had been published on September 30, 2020).  In so doing, the court determined that, by preventing U.S. persons and organizations from providing advice or other speech-based support to the designated individuals, the restrictions infringe on the plaintiffs’ constitutional right to free speech.  Although the court has yet to issue a final ruling, the case may become mooted if the Biden-Harris administration revokes or allows the Executive Order to lapse, as commentators speculate.

III.   U.S. Export Controls

Although China was often an explicit or implicit focus of many developments in U.S. export controls, 2020 was also year of significant innovation more broadly in export controls, especially those administered by the Department of Commerce.  Each innovation has brought with it added complexities for compliance.

A.            Commerce Department

1.      Emerging Technology Controls

The Department of Commerce’s Advanced Notice of Proposed Rule Making on Emerging Technologies in late 2018 sparked strong concern within many economic sectors that the Department was planning to swiftly act on its mandate under the Export Control Reform Act (“ECRA”) of 2019 to identify and impose new and broadly framed controls concerning emerging technologies.  However, as 2020 began—and even before the coronavirus took hold—it became clear that Commerce, for a few reasons, planned to take it slow.  Commerce took well into late 2019 to analyze the public comments and to host many non-public meetings with a range of private sector actors, interagency, and non-government stakeholders on emerging technology controls.  Among the key takeaways Commerce has shared publicly is its determination that emerging technology controls need to be tailored narrowly, and that Commerce needed to persuade other countries to adopt similar export controls to minimize the impact on the U.S. private sector companies and other organizations that are developing them.

The United States has several different ways to promote multilateral controls, including through its participation in the 42 member Wassenaar Arrangement (“WA”).  Through its inter-plenary work in 2019, the participating states of the WA achieved consensus to impose new controls on six specific technologies at the December 2019 Wassenaar Arrangement Plenary, and in October 2020, Commerce added new controls on: hybrid additive manufacturing (AM)/computer numerically controlled (“CNC”) tools; computational lithography software designed for the fabrication of extreme ultraviolet (“EUV”) masks; technology for finishing wafers for 5 nm production; digital forensics tools that circumvent authentication or authorization controls on a computer (or communications device) and extract raw data; software for monitoring and analysis of communications and metadata acquired from a telecommunications service provider via a handover interface; and sub-orbital craft.  Due to COVID, the Wassenaar Arrangement did not convene its annual plenary in December 2020 and consequently no new controls were adopted.  However, the United States will Chair the General Working Group of Wassenaar in 2021, and given the significant work completed by Commerce and other U.S. Government agencies over the past several years to identify emerging technologies for control, the United States will be well-positioned to push for new controls over the course of 2021 for adoption at the Plenary meeting in December 2021.

Commerce made one exception in 2020 to its policy of waiting to build international consensus before imposing U.S. controls on emerging technologies.  On January 3, 2020 it imposed new export controls on artificial intelligence software that is specially designed to automate the analysis of geospatial imagery in response to emergent national security concerns related to the newly covered software.  As a result, a license from Commerce is now required to export the geospatial imagery software to all countries, except Canada, or to release the software to foreign nationals employees working with the software in the United States.  To impose the new control, Commerce deployed a rarely used tool for temporarily controlling the export of emerging technologies—the 0Y521 Export Controls Classification Number (“ECCN”).  This special ECCN category allows BIS to impose export restrictions on previously uncontrolled items that have “significant military or intelligence advantage” or when there are “foreign policy reasons” supporting restrictions on its export.  In early 2021, Commerce opted to extend this unilateral control for another year while it continues to work towards consensus with other countries to impose parallel controls.

2.      Foundational Technology Controls

ECRA also mandates Commerce to identify and impose new export controls on foundational technologies, and Commerce released an Advance Notice of Proposed Rule-making (“ANPRM”) on this topic in August 2020.  However, in contrast to its more open-ended ANPRM on emerging technologies, in this request for comments, Commerce suggested that new, item-based controls on foundational technologies may not be warranted provided that their export is being controlled to certain destinations through other means.  Specifically, Commerce noted that the expanded list of ECCNs it added to the EAR’s Military End User controls, which includes technologies that might be used by the governments of China, Russia, and Venezuela to build their respective defense industrial capabilities, could be deemed foundational technologies.  Commerce also noted that it might draw on recent DOJ enforcement actions to help identify technologies that other countries have deemed critical enough to target for economic espionage.  Overall, the approach taken in this ANPRM suggests that Commerce will be looking for other ways to impose controls on foundational technologies that would be less sweeping than the near globally-applicable, item-based licensing requirements it has imposed on the emerging technologies it has identified to date.

3.      Removal of CIV License Exception

On June 29, 2020, as part of its efforts to curtail the export of sensitive technologies to countries that have policies of military-civil fusion, Commerce removed the license exception Civil End Users (“CIV”) from Part 740 of the EAR, which previously allowed eligible items controlled only for National Security (NS) reasons to be exported or reexported without a license for civil end users and civil end uses in certain countries.

NS controls are BIS’s second most-frequently applied type of control, applying to a wide range of items listed in all categories of the Commerce Control List (“CCL”).  The countries included in this new restriction are from Country Group D:1, which identifies countries of national security concern for which the Commerce Department will review proposed exports for potential contribution to the destination country’s military capability.  D:1 countries include China, Russia, Ukraine, and Venezuela, among others.  By removing License Exception CIV, the Commerce Department now requires a license for the export of items subject to the EAR and controlled for NS reasons to D:1 countries.  As with the expansion of the Military End Use and End User license requirements described above, the Commerce Department has stated that the reason for the removal of License Exception CIV is the increasing integration of civilian and military technological development pursued by countries identified in Country Group D:1, making it difficult for exporters or the U.S. Government to be sufficiently assured that U.S.-origin items exported for apparent civil end uses will not actually also be used to enhance a country’s military capacity contrary to U.S. national security interests.

4.      Direct Product Rule Change

Although Commerce’s initial expansion of its Entity List-based controls targeted Huawei, it may point the way toward other Entity List-based and new end-user and end use-based licensing controls in 2021.  As noted above, to further constrain Huawei and its affiliates, Commerce created a new Entity List-specific rule that significantly expands the Direct Product Rule to include a wide range of software, technology, and their direct products, many of which used to develop and produce semiconductor and other items that Huawei uses in its products.  We expect further experimentation with Entity List-based controls in 2021, including potentially, lowered the “De Minimis Rule” thresholds, which could greatly expand the range of foreign products incorporating controlled U.S. content that would require Commerce licensing when specific parties are involved.

5.      Expanded Crime Control and Human Rights Licensing Policy

Commerce also focused efforts in 2020 on a review and update of controls imposed on U.S. origin items under its Crime Control policy.  Most of the items controlled by the EAR for Crime Control reasons today are items that have been used by repressive regimes for decades, such as riot gear, truncheons, and implements of torture.  In July 2020, Commerce issued a Notice of Inquiry signaling its intention to update the list of items to include advanced technology such as facial recognition software and other biometric surveillance systems, non-lethal visual disruption lasers, and long range acoustic devices.  While, as of this writing, Commerce continues to work through the comments submitted in response to the Notice, on October 6, 2020 it imposed new controls on exports of water cannon systems for riot and crowd control to implement a specific mandate from Congress to restrict the export of commercial munitions to the Hong Kong Police Force.

On the same day, Commerce amended the EAR to reflect a new licensing policy to deny the export of items listed on the Commerce Control List for crime control reasons to countries where there is either civil disorder or it assesses that there is a risk that items will be used in the violation or abuse of human rights.  This amendment changed the Commerce Department’s licensing policy in two ways.  First Commerce licensing officers no longer require evidence that the government of an importing country has violated internationally recognized human rights.  Instead, BIS will consider whether an export could enable non-state actors engage in or enable the violation or abuse of human rights.

Second, Commerce noted that it would extend its Crime Control review policy to proposed exports of other items that are not specifically listed on the CCL for Crime Control reasons.  This second expansion is particularly noteworthy because it expressly allows Commerce licensing officers to consider human rights concerns when reviewing proposed exports of many other items used by repressive governments today to surveil and stifle dissent or engage in other kinds of human rights violations, such as more generally benign telecommunications, information security, and sensor equipment.

B.            State Department

1.      Directorate of Defense Trade Controls (DDTC)

There were far fewer legal or regulatory developments at DDTC than occurred at Commerce in 2020, and DDTC appeared to focus much more effort on several practice-related changes.  Indeed, DDTC spent significant time to launch a single digital platform for the processing of registrations, license applications, and correspondence requests, among other submissions.

The most significant rule change came in January when DDTC issued its final rule to revise Categories I, II, and III of the United States Munitions List to remove from Department of State jurisdiction the controls on certain firearms, close assault weapons, and combat shotguns, other guns and armament, and ammunition.  The Department of Commerce now regulates the export and reexport of the items transferred to the Commerce Control List going forward.

DDTC also implemented a long awaited change to the ITAR’s export licensing treatment of encrypted communications on March 25, 2020.  The rule change affords similar (but not thesame) treatment to encrypted communications as does the EAR and should make it easier for companies and other organizations to use Internet and international cloud networks to transmit and store encrypted ITAR technical data without triggering licensing requirements.

DDTC made greater use in 2020 of Frequently Asked Questions to provide guidance on a range of topics.  Most significantly, the DDTC shared, in real time, its evolving policy on whether U.S. person nationals working outside of the United States and providing defense services need to maintain separate registrations and obtain ITAR authorizations in a series of FAQs published on January 8, February 21, and April 4.  DDTC also issued FAQs providing guidance on its recently revamped “By or For” license exemption, 22 CFR § 126.4, which will make it significantly easier for U.S. Government contractors to export defense articles and defense services without ITAR authorization when these exports are being done at the direction of U.S. Government agencies and meet certain criteria.  On October 20, DDTC used an FAQ to provide an explanation of a frequently invoked but not always clearly understood licensing rule referred to as the ITAR “see-through rule.”  Curiously, DDTC found it necessary to inform the exporting public in a May FAQ that Puerto Rico is in fact a U.S. territory, along with American Samoa, Guam, and the U.S. Virgin Islands, and did not require ITAR licensing.

2.      Bureau of Democracy, Human Rights, and Labor

On September 30, the State Department Bureau of Democracy, Human Rights, and Labor issued due diligence guidance on transactions that might result in the sale of products and services with surveillance capabilities foreign government end-users (hereinafter “Guidance”).  The non-binding Guidance tracks and applies human rights diligence international standards set out in the United Nations Guiding Principles and Organization for Economic Co-operation and Development (OECD) Guidelines for Multinational Enterprises to surveillance product and service transactions.  State’s surveillance guidance identifies “red flags” members of the regulated community should watch for prior to entering into a transaction with a government end-user, along with suggested safeguards—such as contractual provisions and confidential reporting mechanisms—to detect and halt rights abuses should they occur.  Although the Guidance does not break new ground for many large manufacturers of these products that already incorporate human rights-related diligence in their evaluation of proposed sales of these products and services, sensitive jurisdictions, mid- and smaller-size firms might find it helpful.  Especially for resource-constrained entities that may not know what resources might be available to inform their due diligence, the Guidance identifies specific U.S. and non-U.S. Government publications and tools.  For those companies not yet conducting human rights diligence on transactions involving these products, the Guidance helps set the bar on the expectations that investors, non-government organizations, and other stakeholders have for their business conduct going forward.

IV.    European Union

A.            EU-China Relationship

In 2020, the EU charted a somewhat different course than Washington in its economic relations with China.  It finalized a comprehensive agreement on investment focused on enabling an increase in outbound investment in China from the EU, and at the same time, EU and its member states enhanced their framework for reviewing foreign direct investment (“FDI”) to address concerns regarding, inter alia, Chinese investments in certain sectors in the EU.

On December 30, 2020, the EU and China concluded negotiations for a Comprehensive Agreement on Investment (“CAI”).  China has committed to a greater level of market access for EU investors, including opening certain markets for foreign investments from the EU for the first time.  China has also made commitments to ensure fair treatment of investors from the EU, with the EU hoping for a level playing field in China (specifically vis-à-vis state owned enterprises), transparency of subsidies granted and rules against the forced transfer of technologies.  China has also agreed to ambitious provisions on sustainable development, including certain commitments on forced labor and the ratification of certain conventions of the International Labor Organization.  The EU has committed to a high level of market entry for Chinese investors and that all rules apply in a reciprocal manner.  As next steps, China and the EU will be working towards finalizing the text of CAI, before then being submitted for approval by the EU Council and the European Parliament.

On October 11, 2020, Regulation (EU) 2019/452 of 19 March 2019 establishing a framework for screening of foreign direct investments into the EU (the “EU Screening Regulation”) entered into force, marking the beginning of EU-wide coordination regarding FDIs among EU member states and the European Commission.  While FDI screening and control remains a member state competency, the EU Screening Regulation increases transparency and awareness of FDI flows into the EU.  (For details on the EU Screening Regulation and the newly applicable EU-wide cooperation process, see our respective client alert of March 2019.)

A notable case of enforcing FDI control in particular with respect to China is the prohibition by the German government in December 2020 of the indirect acquisition of a German company with expertise in satellite/radar communications and 5G millimeter wave technology by a Chinese state-owned defense group.  Germany has seen an increased number and complexity of foreign investments and takeover (attempts) over the past couple of years, especially by Chinese investors, which has resulted in a continuous tightening of FDI rules in Germany.  For additional details on the developments in 2020 with regard to the German FDI rules, including an overview of the investment screening process in Germany, please refer to our client alerts in May 2020 and November 2020.

B.      EU Sanctions Developments

Currently, the EU has over forty different sanctions regimes or “restrictive measures” in place, adopted under the EU’s common foreign and security policy (“CFSP”).  Some are mandated by the United Nations Security Council, whereas others are adopted autonomously by the EU.  They can broadly be categorized in EU Economic and EU Financial Sanctions.  Further, EU member states may implement additional sanctions.  EU economic sanctions, broadly comparable to U.S. sectoral sanctions, are restrictive measures designed to restrict trade, usually within a particular economic sector, industry or market—e.g., the oil and gas sector or the defense industry (“EU Economic Sanctions”).

EU financial sanctions are restrictive measures taken against specific individuals or entities that may originate from a sanctioned country, or may have committed a condemned activity (“EU Financial Sanctions”).  These natural persons and organizations are identified and listed by the EU in the EU Consolidated List of Persons, Groups and Entities Subject to EU Financial Sanctions (“EU Consolidated List”), broadly comparable to U.S. Specially Designated Nationals (“SDN”) listings.

It is noteworthy that, on a regular basis, third-party countries align with EU Sanctions, such as recently North Macedonia, Montenegro, Albania, Iceland and Norway with regards to the Belarus Sanctions.

For a full introduction into EU Sanctions, including the EU Blocking Statute, as well as, exemplary, the German export control regime, please take a look at a recent GDC co-authored publication, the International Comparative Legal Guide to Sanctions 2020.

While EU sanctions are enforced by EU member states, the EU Commission has announced that it plans to take steps to strengthen sanctions enforcement.  On January 19, 2021, the EU Commission published a Communication to the European Parliament, the Council, the European Central Bank, the European Economic and Social Committee and the Committee of the Regions titled “The European economic and financial system: fostering openness, strength and resilience” (the “Communication”).  The Communication describes EU sanctions as “key instrument” playing a “critical role in upholding the EU’s values and in projecting its influence internationally”.  To improve the design and effectiveness of EU sanctions, the EU Commission will from 2021 will conduct a review of practices that circumvent and undermine sanctions.  It will further develop a database, the Sanctions Information Exchange Repository, to enable “prompt reporting and exchange of information between the Member States and the Commission on the implementation and enforcement of sanctions.”  In addition, the Commission is setting up an expert group of Member States’ representative on sanctions and extra-territoriality and intends to improve coordination on certain cross-border sanctions-related matters between Member States.  The Commission will also work with Member States to establish a single contact point for enforcement and implementation issues when there are cross-border implications.

To supervise the harmonized enforcement of EU sanctions, the EU Commission—among other measures—plans to create a dedicated system to report sanctions’ evasion anonymously, including a confidential whistleblowing system.

1.      EU Human Rights Sanctions

On December 7, 2020, the Foreign Affairs Council of the Council of the European Union, adopted Decision (CFSP) 2020/1999 and Regulation (EU) 2020/1998, together establishing the EU’s first global and comprehensive human rights sanctions regime (“EU Human Rights Sanctions”) (as discussed in detail in our recent client alert).  The EU Human Rights Sanctions will allow the EU to target individuals and entities responsible for, involved in or associated with serious human rights violations and abuses and provides for the possibility to impose travel bans, asset freeze measures and the prohibition of making funds or economic resources available to those designated.

EU Human Rights Sanctions mirror in parts the U.S. Magnitsky Act of 2012, and its 2016 expansion, the U.S. Global Magnitsky Human Rights Accountability Act as well as similar Canadian and United Kingdom sanction regimes.  Notably, in contrast to the U.S. and Canadian human rights sanctions regimes, and similar to the United Kingdom human rights sanctions regime, the list of human rights violations does not include corruption.

While human rights violations have been subject to EU sanctions in the past, imposed on the basis of a sanctions framework linked to specific countries, conflicts or crises, the newly adopted EU Human Rights Sanctions are a significantly more flexible tool for the EU to respond to significant human rights violations.  Although no specific individual or entity have yet been designated under the EU human rights sanctions, companies active in the EU should be mindful of this new sanctions regime and take it into consideration in their compliance efforts.

On December 17, 2020, the European Commission published the Commission Guidance Note of the Implementation of Certain Provisions of Council Regulation (EU) 2020/1998 (“Human Rights Guidance Note”) regarding the implementation of certain provisions of the EU Human Rights Sanctions, advising on the scope and implementation in the form of 13 “most likely” questions that may arise and the respective answers.

2.      EU Cyber Sanctions

On May 17, 2019, the EU established a sanctions framework for targeted restrictive measures to deter and respond to cyber-attacks that constitute an external threat to the EU or its Member States.  The framework was expounded in two documents, Council Decision (CFSP) 2019/797 and Council Regulation 2019/796 (as discussed in detail in our previous client alert).  In July 2020, the EU imposed its first ever sanctions listing related to cyber-attacks against Russian intelligence, North Korean and Chinese firms over alleged cyber-attacks.  The EU targeted the department for special technologies of the Russian military intelligence service for two cyber-attacks in June 2017.  Four individuals working for the Russian military intelligence service were sanctioned for their alleged participation in an attempted cyber-attack against the Organization for the Prohibition of Chemical Weapons in the Netherlands in April 2018.  Further, North Korean company Chosun Expo was sanctioned due to suspicions of it having supported the Lazarus Group, which is deemed responsible for a series of major cyber-attacks and cybercrime activities worldwide.  In addition, Chinese firm Haitai Technology Development and two Chinese individuals were sanctioned.  The EU alleged cyber-attacks aimed at stealing sensitive business data from multinational companies.  On October 22, 2020, the EU used the framework to impose further sanctions on two Russian officials and part of Russia’s military intelligence agency (GRU) over a cyberattack against the German parliament in 2015.

The Council of the EU recently extended the EU Cyber Sanctions until May 18, 2021.

3.      EU Chemical Weapons Sanctions

On October 12, 2020, the European Council decided to extend the sanctions concerning restrictive measures against the proliferation and use of chemical weapons by one year, until October 16, 2021.  Such EU Chemical Weapons Sanctions were initially introduced in 2018 with the aim to counter the proliferation and use of chemical weapons which pose an international security threat.  The restrictive measures consist of travel bans and asset freezes.  Further, persons and entities in the EU are forbidden from making funds available to those listed.  Currently, restrictive measures are imposed on nine persons and one entity.  Five of the persons are linked to the Syrian regime and the sanctioned entity is understood to be the Syrian regime’s main company for the development of chemical weapons.  The remaining four of the nine persons are linked to the 2018 attack in Salisbury using the toxic nerve agent Novichok.

4.      EU Iran Sanctions & Judicial Review

In January 2020, France, Germany and the UK (the “E3”) issued a joint statement reaffirming their support to the JCPOA, repeating their commitment throughout the year, and roundly rejecting the United States’ attempts to trigger a UN sanctions snapback.  In September 2020, the E3 also warned the United States that its claim to have the authority to unilaterally trigger the so-called JCPOA snap-back mechanism that would have led to reimposing UN mandated nuclear-related sanctions on Iran would have no effect in law.  On December 21, 2020, a Meeting of the E3/EU+2 (China, France, Germany, the Russian Federation, the United Kingdom, and the High Representative of the European Union for Foreign Affairs and Security Policy) and the Islamic Republic of Iran stressed that JCPOA remains a key element of the global nuclear non-proliferation architecture and a substantial achievement of multilateral diplomacy that contributes to regional and international security.  The Ministers reiterated their deep regret towards the U.S. withdrawal and agreed to continue to dialogue to ensure the full implementation of the JCPOA.  Finally, the Meeting also acknowledged the prospect of a return of the U.S. to the JCPOA, and expressed they were ready to positively address this move in a joint effort.

Regarding litigation, on October 6, 2020, the Court of Justice of the European Union (“CJEU”) gave its long-awaited judgment in Bank Refah Kargaran v. Council (C-134/19 P), an appeal against the judgment of the General Court in T-552/15, raising the question of the EU Courts’ jurisdiction in sanctions damages cases.  By this judgment, the General Court dismissed the action by Bank Refah Kargaran seeking compensation for the damage it allegedly suffered as a result of the inclusion in various lists of restrictive measures in respect of the Islamic Republic of Iran.

In its judgment, the CJEU ruled that the General Court erred in law by declaring that it lacked jurisdiction to hear and determine the action for damages for the harm allegedly suffered by the appellant as a result of the Common Foreign and Security Policy (“CFSP) decisions adopted under Article 29 TEU.  According to the CJEU, and in sync with Advocate General Hogan’s Opinion delivered in that case in May 2020, the General Court’s jurisdiction extends to actions for damages in matters relating to the CFSP.  In fact, it is to be understood that jurisdiction is given for the award of damages arising out of both targeted sanctions decisions and regulations.  However, the CJEU dismissed the appeal on account of the lack of an unlawful conduct capable of giving rise to non-contractual liability on the part of the EU and upheld the General Court’s interpretation that the inadequacy of the statement of reasons for the legal acts imposing restrictive measures is not in itself sufficiently serious as to activate the EU’s liability

5.      EU Venezuela Sanctions

The EU’s Venezuela Sanctions include an arms embargo as well as travel bans and asset freezes on listed individuals, targeting those involved in human rights violations, and those undermining democracy or the rule of law.

On January 9, 2020, the EU’s High Representative, Josep Borrell, declared that the EU is “ready to start work towards applying additional targeted measures against individuals” involved in the recent use of force against Juan Guaidó, the president of Venezuela’s National Assembly, and other lawmakers to impede their access to the National Assembly on January 5, 2020.

On November 12, 2020, the European Council extended sanctions on Venezuela until November 14, 2021, and replaced the list of designated individuals, which now includes 36 listed individuals in official positions who are deemed responsible for human rights violations and for undermining democracy and the rule of law in Venezuela.

Recently, the EU has issued a Declaration stating that it is prepared to impose additional targeted sanctions in response to the decision of the Venezuelan National Assembly to assume its mandate on January 5, 2021, on the basis of non-democratic elections.

6.      EU Russia Sanctions & Judicial Review

Since March 2014, the EU has progressively imposed increasingly harsher economic and financial sanctions against Russia in response to the destabilization of Ukraine and annexation of Crimea.  EU Russia Economic Sanctions continue to include an arms embargo, an export ban on dual-use goods for military use or military end-users in Russia, limited access to EU primary and secondary capital markets for major Russian state-owned financial institutions and major Russian energy companies, and limited Russian access to certain sensitive technologies and services that can be used for oil production and exploration.  On December 17, 2020, the EU renewed such sanctions for six months.  The EU Russia Economic Sanctions imposed in response to the annexation of Crimea and Sevastopol have been extended until June 23, 2021.

Russia has imposed counter-measures in response to EU Russia Economic and Financial Sanctions.  In particular, Russia decided to ban agricultural imports from jurisdictions that participated in sanctions against Moscow.  The measures included a ban on fruit, vegetables, meat, fish, milk and dairy products.  On December 22, 2020, in response to new EU Russia Financial Sanctions imposed on Russians officials in connection with the poisoning of opposition leader Alexei Navalny, Russia imposed additional travel bans on representatives of EU countries and institutions.

As to related judicial review, on June 25, 2020, the CJEU dismissed appeals brought by VTB Bank (C-729/18 P) and Vnesheconombank (C-731/18 P) against the General Court’s judgments confirming their inclusion in 2014 in the EU’s sanctions list, which restricted the access of certain Russian financial institutions to the EU capital markets.  The Court inter alia remarked that the measures were justified and proportionate because they were capable of imposing a financial burden on the Russian government, because the government might need to have to rescue the banks in the future.

On September 17, 2020, the CJEU rejected an appeal (C-732/18 P) brought by Rosneft (a Russian oil company) against the General Court’s decision to uphold its 2014 EU listing (T‑715/14).  The CJEU confirmed the General Court’s assessment that the measures were appropriate to the aims they sought to attain.  More specifically, given the importance of the oil sector to the Russian economy, there was a rational connection between the restrictions on exports and access to capital markets and the objective of the sanctions, which was to put pressure on the government, and to increase the costs of Russia’s actions in Ukraine.

Following the same line of reasoning as in a series of previous judgments by the EU Courts in 2018[1] and 2019,[2] the General Court decided in a number of new cases that certain individual listings on the EU’s Ukraine sanctions list (which, inter alia, targets those said to be responsible for the “misappropriation of State funds”) are unlawful because the EU has not properly verified whether the decisions of the Ukrainian authorities contained sufficient information or that the procedures respected rights of defence.  More specifically:

On December 16, 2020, the General Court annulled the 2019 designation of Mykola Azarov, the former Prime Minister of Ukraine (T-286/19).  Mr. Azarov is no longer subject to EU sanctions after his delisting in March 2020.  The Court ruled that the Council of the European Union had made an error of assessment by failing to establish that the Ukrainian judicial authorities had respected Mr Azarov’s rights of the defence and right to judicial protection.

Earlier in 2020, on June 25, 2020, the General Court issued its judgment in Case T-295/19 Klymenko v Council, in which the Court held that it was not properly determined whether Mr Klymenko’s rights of defence were respected in the ongoing criminal proceedings against him in Ukraine.  In particular, the Council had not responded to or considered Mr Klymenko’s arguments such as that the pre-conditions for trying him in his absence had not been fulfilled, he had been given a publicly appointed lawyer who did not provide him with a proper defence, the Ukrainian procedure did not permit him to appeal against the decision of the investigating judge, and he was not being tried within a reasonable time.  Mr Klymenko was relisted in March 2020 and so remains on the EU sanctions list.

Furthermore, on September 23, 2020, with its Judgments in cases T-289/19, T-291/19 and T-292/19, the General Court annulled the 2019 designation of Sergej Arbuzov, the former Prime Minister of Ukraine, Victor Pshonka, former Prosecutor General and his son Artem Pshonka, respectively.  All remain on the EU’s sanctions list, because their designations were renewed in March 2020.

7.      EU Belarus Sanctions

On August 9, 2020, Belarus conducted presidential elections and, based on what were considered credible reports from domestic observers, the election process was deemed inconsistent with international standards by the EU.  In light of these events and acting with partners in the United States and Canada, the EU foreign ministers agreed on the need to sanction those responsible for violence, repression and the falsification of election results.  In addition, EU foreign ministers called on Belarusian authorities to stop the disproportionate violence against peaceful protesters and to release those detained.

Shortly afterwards, on August 19, 2020 the EU heads of state and government met to discuss the situation and, in declarations to the press, President Charles Michel affirmed that the EU does not recognize the election results presented by the Belarus authorities and that EU leaders condemned the violence against peaceful protesters.  On this occasion, EU leaders agreed on imposing sanctions on the individuals responsible for violence, repression, and election fraud.  However, Cyprus opposed the adoption of measures by insisting that the EU should first agree on the adoption of restrictive measures against Turkey.  This episode highlighted that a single EU member state or small group of EU member states can complicate EU foreign policy goals and push for trade-offs on unrelated matters.

Yet, restrictive measures were effectively imposed on October 2, 2020 against 40 individuals identified as responsible for repression and intimidation against peaceful demonstrators, opposition members and journalists in the wake of the 2020 presidential election, as well as for misconduct of the electoral process.  The restrictive measures included a travel ban and asset freezing.

On November 6, 2020, the set of restrictive measures was expanded, and the Council of the EU added 15 members of the Belarusian authorities, including Alexandr Lukashenko, as well as his son and National Security Adviser Viktor Lukashenko, to the list of individuals sanctioned.

Lastly, on December 17, 2020, the set of restrictive measures was further expanded in order to adopt 36 additional designations, which targeted high-level officials responsible for the ongoing violent repression and intimidation of peaceful demonstrators, opposition members and journalists, among others.  The listings also target economic actors, prominent businessmen and companies benefiting from and/or supporting the regime of Aleksandr Lukashenko.  Therefore, after three rounds of sanctions on Belarus, there are currently a total of 88 individuals and 7 entities designated under the sanctions’ regime in place for Belarus.

8.  EU North Korea Sanctions

On July 30, 2020, the EU North Korea Economic Sanctions targeting North Korea’s nuclear-related, ballistic-missile-related or other weapons of mass destruction-related programs or for sanctions evasion were confirmed, and will continue to apply for one year, until the next annual review.

9.  EU Turkey Sanctions

On December 10, 2020, EU leaders agreed to prepare limited sanctions on Turkish individuals over an energy exploration dispute with Greece and Cyprus, postponing any harsher steps until March 2021 as countries sparred over how to handle Ankara.

Josep Borrell, the High Representative of the European Union for Foreign Affairs and Security Policy, is now expected to come forward with a broad overview report on the state of play concerning the EU-Turkey political, economic and trade relations and on instruments and options on how to proceed, including on the extension of the scope of the above-mentioned decision for consideration at the latest at the March 2021 European Council.

10.  EU Syria Sanctions – Judicial Review

On December 16, 2020, the General Court dismissed the applications of two Syrian businessmen, George Haswani (T-521/19) and Maen Haikal (T-189/19), to annul their inclusion on the EU’s Syria sanctions list.  In both cases, the General Court held that the Council of the European Union had provided a sufficiently concrete, precise and consistent body of evidence capable of demonstrating that both Applicants are influential businessmen operating in Syria.

Similarly, on July 8, 2020, the General Court rejected an application by Khaled Zubedi to annul his inclusion on the EU’s Syria sanctions (T-186/19) and on July 9, 2020 the CJEU rejected an appeal by George Haswani (C-241/19 P).  In both cases the Courts concluded that the Council of the European Union could appropriately demonstrate that both men were leading businessmen operating in Syria and that neither had rebutted the presumption of association with the regime of President Assad.  Also, on December 2, 2020, the General Court dismissed Nader Kalai’s similar application of annulment (T-178/19).

In addition, maintaining its established position on the subject, the CJEU dismissed a series of appeals brought before it by 6 Syrian entities, Razan Othman (Rami Makhlouf’s wife), and Eham Makhlouf (vice-president of one of the listed entities) challenging the General Court’s decision to uphold their 2016-2018 listings (see cases C-350/19 P; C‑349/19 P, C-348/19 P, C‑261/19 P, C‑260/19 P, C‑159/19 P, C‑158/19 P and C‑157/19 P, published on October 1, 2020).  The CJEU held that the General Court was right to uphold the appellants’ listings because the EU’s Syria sanctions include membership of the Makhlouf family as a criterion on which a designation can be based.  Considering that the Appellants were all found to be wholly or by majority owned by Rami Makhlouf, their assets were liable to be frozen without the need to demonstrate that they actively supported or had derived some benefit from the regime.

11.  EU Egypt Sanctions – Judicial Review

On December 3, 2020, the CJEU delivered its ruling on Joined Cases C‑72/19 P and C‑145/19 P, concluding that the sanctions on deceased former Egyptian leader Hosni Mubarak and several members of his family should be lifted because of due process errors.  The CJEU found that the Council of the EU took as its basis for listing Mr. Mubarak and his family members the mere existence of judicial proceedings against them in Egypt for misappropriation of State funds, i.e., the decision of an authority of a third State.  As the Council of the EU took assurances from Egyptian authorities that these rights were being observed when it should have independently confirmed that the legal protections were in place before designating the individuals, the CJEU found that the Council of the EU failed to verify whether that decision had been adopted in accordance with the rights of the defense and the right to effective judicial protection of the individuals listed.

Nevertheless, the asset freeze on the Mubarak family members will remain in place as the judgment only overturns the Council of the EU’s decisions to impose sanctions on the family in 2016, 2017 and 2018. The 2019 and 2020 renewals of the original legal framework are still undergoing litigation.

C.            EU Member State Export Controls

1.      Belgium

On June 26, 2020 the Belgian Federal Parliament adopted of a resolution urging the government to prepare a list of countermeasures against Israel in case it annexes the occupied Palestinian territories.

2.      France

On June 3, 2020, the Court of Appeal of Paris (international commercial chamber) issued its Judgment in SA T v Société N.  The Court of Appeal dismissed an appeal by a French contractor seeking the annulment of an arbitral tribunal’s award on the grounds that it had breached French international public policy by failing to take into account UN, EU and US sanctions.  The tribunal had ordered the contractor to pay €1 million to an Iranian company following a dispute over the conversion of a gas field into an underground storage facility.  The Court of Appeal concluded that UN and EU sanctions regulations constitute “mandatory overriding provisions.”

On July 24, 2020, the French Cour de Cassation lodged a request for a preliminary ruling to the CJEU, regarding the interpretation of UN and EU Iran sanctions, and more specifically on questions concerning creditors’ ability to take enforcement action against assets frozen by EU sanctions regulations (registered under Case C-340/20).

The French Court referred the questions to the CJEU in order to decide appeals brought in case Bank Sepah v Overseas Financial Ltd and Oaktree Finance Ltd.

On December 9, 2020, the French government published an Ordinance n° 2020-1544 in the Official Journal, which expands controls on digital assets as part of efforts to combat money laundering and terrorist financing.

3.      Germany

The German Federal Court of Justice (Bundesgerichtshof) (“BGH”) decided on August 31, 2020, that the procurement of materials for a foreign intelligence service, while circumventing EU Sanctions, fulfills the elements of a crime under section 18 para. 7 No. 1 of the Foreign Trade and Payments Act (Aussenwirtschaftsgesetz) (“AWG”).  Espionage or affiliation with an intelligence service are not necessary to act “for the intelligence service of a foreign power.”

In the case, a man sold machine tools to Russian companies for around €8 million in seven cases between 2016 and 2018.  The man’s actual contractual partner—a member of a Russian intelligence service—subsequently supplied the machines to a Russian state-owned arms company for military use.  The arms company operates in the field of carrier technology and develops cruise missiles.  The machine tools are considered dual-use technology, and the sale and export of such items to Russia is prohibited since 2014 under the EU Russia Sanctions, specifically Regulation (EU) 883/2014 as amended.

The BGH decided that it is sufficient if the delivery of the machines is a result of the perpetrator’s involvement in the procurement structure of foreign intelligence services.  An organizational integration of the perpetrator into the foreign intelligence service is not required to justify the higher penalty of section 18 para. 7 No. 1 AWG (imprisonment of not less than one year) compared to the regular sentencing range of section 18 para. 1 AWG (imprisonment from three months up to five years) imposed for embargo violations under the AWG.

4.      Latvia / Lithuania / Estonia

On August 31, 2020, Latvia, as well as Lithuania and Estonia, imposed travel bans on 30 officials including the President of Belarus Alexander Lukashenko, on the basis of their contribution to violations of international electoral standards and human rights, as well as repression against civil society and opposition to democratic processes.  Following this designation, on September 25, 2020, the aforementioned EU Member States added 98 Belarusian officials to this list.

In November 2020, the aforementioned EU Member States proceeded to further designations.  More specifically, Estonia and Lithuania imposed travel bans on an additional 28 Belarusian officials, and Latvia imposed a travel ban on 26 officials, all of whom are said to have played a central role in falsifying election results and using violence against peaceful protesters in Belarus.  Overall, Latvia has now listed a total of 159 officials, who are banned from entering its territory indefinitely.  Estonia and Lithuania have both listed 156 officials in total.

In February 2020, the Administrative Regional Court in Riga, Latvia rejected a request to suspend a ban issued by Latvia’s National Electronic Mass Media Council on the broadcasting of 9 Russian television channels due to the designation of their co-owner, Yuriy Kovalchuck, who is listed pursuant to Council Regulation (EU) 269/2014 (undermining or threatening the territorial integrity, sovereignty and independence of Ukraine).

5.      Luxembourg

On December 27, 2020, a law allowing Luxembourg to implement certain sanctions in financial matters adopted by the UN and the EU entered into force.  The restrictive measures in financial matters envisaged by the law include asset freeze measures, prohibitions/restrictions of financial activities and financial services to designated people, entities or groups.

The measures can be imposed on Luxembourg nationals (residing or operating in or outside Luxembourg), legal persons having their registered office, a permanent establishment or their center of main interests in Luxembourg and which operate in, from or outside the territory, as well as all other natural and legal persons operating in Luxembourg.

Under this legislation, domestic supervisory and regulatory bodies are responsible for supervising the implementation of the law.  This includes (i) the power to access any documentation; (ii) request information from any person; (iii) request disclosure of communications from regulated persons; (iv) carry out on-site inspections; and (v) refer information to the State prosecutor for criminal investigation.

Failure to comply with the newly adopted restrictive measures shall be punishable by criminal penalties, such as imprisonment and/or a fine up to €5 million.  Where the offence has resulted in substantial financial gain, the fine may be increased to four times the amount of the offence.

6.      The Netherlands

On April 21, 2020, the Dutch Senate adopted an Act implemented amendments to the Fourth Anti-Money Laundering Directive (Directive EU 2015/849).  This Act—which entered into force on May 18, 2020—provides that professional and commercial cryptocurrency exchange and wallet providers seeking to provide services in the Netherlands must register themselves at the Dutch Central Bank.  For successful registration, adequate internal measures and controls to ensure compliance with EU and national (Dutch) sanctions must be demonstrated.  Failure to show adequate sanctions compliance systems could lead to registration being denied, in which case such crypto companies would need to refrain from providing services.  Further, the adoption in December 2019 by the Dutch Ministry of Foreign Affairs of guidelines for companies compiling an internal compliance programme (ICP) for “strategic goods, torture goods, technology and sanctions” is noteworthy.  These guidelines resemble that of the EU’s guidance aside from the inclusion of shipment control (rather than physical and information security) in its seven core elements.

7.      Slovenia

On November 30, 2020, the Slovenian government issued a statement proscribing Hezbollah as a terrorist organisation, becoming the sixth EU member, after the Netherlands, Germany, Lithuania, Estonia, and Latvia to recognize the Iranian-sponsored Hezbollah as a terrorist organization.

8.      Spain

On June 12, 2020, the Spanish Ministry of Economic Affairs and Digital Transformation published a Draft Law, amending Law 10/2010 of April 28 on the prevention of money laundering and terrorist financing, to transpose into Spanish domestic law the EU’s Fifth Money Laundering Directive.  The legislation also sets out the legal framework for enforcing compliance with EU and UN sanctions.  More specifically, when it comes to the enforcement of sanctions, the Draft Law increases the limitation periods for sanctions:  in the case of very serious offenses from three to four years, and in the case of serious offenses, from two to three years.  In addition, fines will always be accompanied by other sanctions such as public or private reprimands/warnings, temporary suspensions or removals from office, while with the current Law 10/2010 this only occurs in case of sanctions for grave infractions.

C.            EU Counter-Sanctions

The EU and its member states are also deeply concerned about the extraterritorial effects of both U.S. and Chinese sanctions and the recent approval of U.S. sanctions in relation to the Nord Stream 2 pipeline have further focused attention on this issue.  With respect to Nord Stream 2, Josep Borrell affirmed that the EU does not recognize the extraterritorial application of U.S. sanctions and that it considers such conduct to be contrary to international law.

As discussed above, Germany has taken concrete steps to fend off the threat of U.S. sanctions targeting the Nord Stream 2 pipeline.  The German state of Mecklenburg-Vorpommern approved the establishment of the Mecklenburg-Vorpommern Climate and Environmental Protection Foundation (the “Foundation”) to, inter alia, ensure the completion of the Pipeline, which is already more than 94% completed.  While the declared aim of the Foundation is to counter climate change and to protect the environment (e.g., to avoid a pipeline run on the bottom of the ocean), the Foundation is also outspokenly designed to provide protection against U.S. sanctions by acquiring, holding and releasing necessary hardware to complete the Pipeline.

If successful, the move to shield companies or projects with state-owned/state-supported foundations might be copied by other governments in the EU, replacing or at least complimenting reliance on the EU Blocking Statute, which, at least in its current form, has been perceived as being insufficient to achieve its stated goal.

The EU has also been taking steps to provide itself with a toolkit that would allow to adopted block or counter non-EU sanctions with which it disagrees.  A recent study requested by the European Parliament foreshadows possible upcoming counter sanctions and blocking measures aimed at defending the sovereignty of the European Union.  The study suggests, for example, that EU businesses should be encouraged and assisted in bringing claims in international investor-state arbitration and in U.S. courts against sanctions imposed by the U.S. or other States and the blocking of financial transactions by the SWIFT system, which is constituted under Belgian law, subjected to European legislation and has been used in connection with the EU implementation of UN sanctions in the past. It remains to be seen if the EU will take onboard any of the suggestions put forward by the study.

Finally, on January 19, 2021, the EU Commission published a Communication to the European Parliament, the Council, the European Central Bank, the European Economic and Social Committee and the Committee of the Regions titled “The European economic and financial system: fostering openness, strength and resilience” (the “Communication”).  The Communication notes that the EU plans to enforce the policy goals of the EU Blocking Statute through the general investment screening processes, which is enforced by the EU member states.  Accordingly, U.S. investments in EU companies could be subject to more intense investment scrutiny if such investments could result in the EU target having to comply with U.S. extra-territorial sanctions.

According to the Communication, the EU Commission also plans to strengthen cooperation on sanctions, in particular with the G-7 partners.  Also, the EU Commission will put in place measures to strengthen the Blocking Statute as the EU’s most powerful tool to respond to sanction regimes of third countries, including (i) clearer procedures and rules; (ii) strengthened measures to block the recognition and enforcement of foreign decisions and judgments; (iii) streamlines processing for authorization requests; and (iv) possible involvement in foreign proceedings to support EU companies and individuals.

V.       United Kingdom Sanctions and Export Controls

A.            Sanctions Developments

1.      New U.K. Sanctions Regime

Following the end of the Brexit Transition period on December 31, 2020, EU sanctions regulations are no longer being enforced by the U.K.  However, the EU sanctions regime has been substantially retained in law in the U.K. through the introduction of multiple new U.K. sanctions regulations under the Sanctions and Anti-Money Laundering Act 2018 (“SAMLA”).  The full list of these sanctions regulations can be found here.  Certain of the new regulations relate to specific geographic regions (essentially those also subject to EU sanctions regimes).  There are also a number of sanctions and related regulations imposing thematic sanctions (again, largely reflecting existing EU regimes), such as those relating to chemical weapons, terrorism, cybersecurity, human rights and kleptocracy.

The U.K. is also now maintaining the U.K. sanctions list, which provides details of all persons designated or ships specified under regulations made under SAMLA, the relevant sanctions measures which apply, and for U.K. designations, reasons for the designation.  The U.K. sanctions list is updated in light of decisions making, varying or revoking a designation or specification.  The U.K.’s Office of Financial Sanctions Implementation (“OFSI”) maintains a consolidated list of persons and organizations under financial sanctions, including those under SAMLA and other U.K. laws.  It should be noted that not all persons designated under EU sanctions regimes have been designated under the new U.K. regulations.

The new U.K. regime differs in certain modest, albeit significant ways, from the EU regime as implemented in the U.K. that went before.  Perhaps the most significant of these is the fact that the U.K. sanctions regulations provide a greater degree of clarity than has been present to date in EU instruments as to the circumstances in which a designated person may “own or control” a corporate entity.  The relevant provisions typically provide that a person will own or control a company where (s)he holds, directly or indirectly, more than 50 percent of its shares or voting rights or a right to remove or appoint the majority of the board, or where it is reasonable in all the circumstances to expect that (s)he would be able to “achieve the result that affairs of” the company are conducted in accordance with his/her wishes, by whatever means.

The geographic scope of liability under U.K. sanctions regimes is clarified by section 21(1) of SAMLA, and generally extends only to conduct in the U.K. or by U.K. persons elsewhere.  Certain U.K. sanctions regulations contain provisions allowing the effect of the sanctions regulation in question to be overridden in the interests of national security or prevention or detection of crime; a provision which has no analogue in the EU sanctions instruments.  “No claims” clauses of the kind typically present in EU sanctions regulations (i.e., provisions prohibiting satisfaction of a claim occasioned by the imposition of a sanctions regime) are not a feature of U.K. sanctions regulations.

The provisions in the U.K. sanctions regulations relating to asset-freezes also differ in certain limited, but material respects.  For example, the provisions creating offences for breaches of asset-freezes require a prosecuting authority must prove that the accused had knowledge or reasonable cause for suspicion that (s)he was dealing in frozen funds or economic resources.

The framework for U.K. sanctions designations, administrative ministerial and periodic review of designations, and judicial challenges to designation decisions under Chapters 2 and 4 of SAMLA is now in effect.

2.      New U.K. Human Rights Sanctions Regime

On July 9, 2020, the U.K. Government introduced into law in the U.K. the Global Human Rights Sanctions Regulations 2020 and began designating individuals under those regulations in connection with their alleged involvement in gross human rights violations.  A link to our client alert on these Magnitsky-style sanctions can be found here.

3.      The “U.K. Blocking Statute”

Following the end of the Brexit transition period, the EU Blocking Statute (Council Regulation No 2271/96) and related Commission Implementing Regulation 2018/1101) will no longer be directly applicable in the U.K., but will form part of the retained EU law applying in the U.K. through the Protecting against the Effects of the Extraterritorial Application of Third Country Legislation (Amendment) (EU Exit) Regulations 2020, which amends the Extraterritorial US Legislation (Sanctions against Cuba, Iran and Libya) (Protection of Trading Interests) Order 1996, the law which implemented the EU Blocking Statute.  The explanatory memorandum to the 2020 Regulations can be found here, and related (albeit likely non-binding) summary guidance here.

It therefore remains an offence in the U.K. to comply with a prohibition or requirement imposed by the proscribed U.S. laws relating to Iran and Cuba, or by a decision or judgment based on or resulting from the legislation imposing the proscribed sanctions, and such decisions and judgments may not be executed in the U.K.  The offence can be committed by anyone resident in the U.K., a legal person incorporated in the U.K., any legal person providing maritime transport services which is a U.K. national or (where for U.K.-registered vessels) controlled by a U.K. national, or by any other natural person physically present within the U.K. acting in a professional capacity.

4.      U.K. Sanctions Enforcement in 2020

On February 18, 2020, OFSI published the fact that two fines totaling £20.47 million had been issued to Standard Chartered for violations of the Ukraine (European Union Financial Sanctions) (No. 3) Regulations 2014, which implemented EU Council Regulation 833/2014 imposing sanctions in view of Russia’s actions in Ukraine.  Article 5(3) of the EU Regulation prohibits any EU person from making loans or credit or being part of an arrangement to make loans or credit, available to sanctioned entities, where those loans or credit have a maturity of over 30 days.  This enforcement action, which was in connection with loans made by Standard Chartered to Turkey’s Denizbank, which was at the time owned almost to 100% Russia’s Sberbank (then subject to restrictive measures), was OFSI’s highest fine to date.  The Report of Penalty can be found here.

The decision followed a review by the Economic Secretary to the Treasury under section 147 of the Policing and Crime Act 2017, which permits a party on whom a monetary penalty is imposed by the Treasury (of which OFSI forms part) under section 146 of that Act to request a review by the relevant minister.  The Economic Secretary upheld OFSI’s decision to impose two monetary penalties, but substituted smaller fine amounts.  The fines originally imposed by OFSI were of £11.9 million and £19.6 million.  The Economic Secretary reduced these to £7.6 million and £12.7 million.  These numbers included a 30 percent reduction in accordance with OFSI’s Guidance on Monetary Penalties to reflect the fact that Standard Chartered made a voluntary disclosure in this case.  OFSI determined that this case should be considered in the ‘most serious’ category for fining purposes, allowing a maximum reduction of 30 percent.

The fine reductions granted by the Economic Secretary were on the basis of further findings that the bank did not willfully breach the sanctions regime, had acted in good faith, had intended to comply with the relevant restrictions, had fully co-operated with OFSI and had taken remedial steps following the breach.  While these factors had been considered in OFSI’s assessment, the Economic Secretary felt they should have been given more weight in the penalty recommendation.

B.               Export Controls Developments

Following the end of the Brexit transition period, the domestic regime for exporting controlled goods (primarily military and dual-use items, and goods subject to trade sanctions) remains substantially unchanged in the U.K., save that the U.K.’s relationship with the EU and the equivalent EU regime will change.  The Export Control Joint Unit (“ECJU”) remains the body responsible for control and licensing exports of such items.  Under the Northern Ireland Protocol to the EU-U.K. Trade and Cooperation Agreement of December 30, 2020, EU regulations governing on export of controlled goods continue to apply in Northern Ireland.

Controls on the export of military items from the U.K. are largely unchanged; such exports remain subject to licensing, although open individual export licenses (“OIELs”) exist for the export of military items from Great Britain (i.e., the U.K. excluding Northern Ireland) to the EU.

The former EU regime for export control of dual use items established under EU Regulation No 428/2009 is largely retained in English law through The Trade etc. in Dual-Use Items and Firearms etc. (Amendment) (EU Exit) Regulations 2019, the Export Control (Amendment) (EU Exit) Regulations 2020 and the Export Control Act 2002, which remains in force.

U.K. persons will now need an export license issued by the U.K. for exports of dual-use items from Great Britain to the EU, however, such exports are covered by a new open general export licence (“OGEL”) published by the ECJU, which reduces the burdens for Great Britain exporters in having to apply for individual licenses.  For exports of such items from the EU to the U.K., a license issued by an EU member state will now be needed, although it has been proposed by the European Council that the U.K. be added as a permitted destination under GEA EU001 to avoid licensing burdens for such exports.

An OGEL or individual export license to export dual-use items to a non-EU country issued by the U.K. remains valid for export from Great Britain.  Registrations made with the U.K. for the EU General Export Authorisations (“GEAs”) will continue to be valid for exports from Great Britain, as they will automatically become registrations for the retained GEAs.  However, an export license issued by an EU member state will no longer be valid for export from Great Britain.  Moreover, licenses issued by the U.K. will no longer be valid for export from an EU member state.

* * *

Finally, our entire team wishes you and yours health and safety during what continue to be very challenging circumstances.  We recognize that the coronavirus pandemic has affected our clients and friends in different ways over the course of the last year—some have thrived, some are starting to rebuild, and others can never regain what has been lost.  Our hearts go out to those who have struggled the most.  We aim to be of service in the best and worst of times, and we certainly all hope for better days ahead in 2021.

_________________________

   [1]   Judgment of the Court of Justice of the European Union of December 19, 2018 in case C‑530/17 P, Mykola Yanovych Azarov v The Council of the European Union, para. 26, EU:C:2018:1031.

   [2]   Judgment of the General Court of the European Union of July 11, 2019 in cases T‑244/16 and T‑285/17, Viktor Fedorovych Yanukovych v The Council of the European Union, EU:T:2019:502; Judgment of the General Court of the European Union of July 11, 2019 in case T‑274/18, Oleksandr Viktorovych Klymenko v The Council of the European Union, EU:T:2019:509; Judgment of the General Court of the European Union of July 11, 2019 in case T‑285/18, Viktor Pavlovych Pshonka v The Council of the European Union, EU:T:2019:512.


The following Gibson Dunn lawyers assisted in preparing this client update: Judith Alison Lee, Attila Borsos, Patrick Doris, Markus Nauheim, Adam M. Smith, Michael Walther, Wilhelm Reinhardt, Qi Yue, Stephanie Connor, Chris Timura, Matt Butler, Laura Cole, Francisca Couto, Vasiliki Dolka, Amanda George, Anna Helmer, Sebastian Lenze, Allison Lewis, Shannon C. McDermott, Jesse Melman, R.L. Pratt, Patrick Reischl, Tory Roberts, Richard Roeder, Sonja Ruttmann, Anna Searcey, Samantha Sewall, Audi Syarief, Scott Toussaint, Xuechun Wen, Brian Williamson, Claire Yi, Stefanie Zirkel, and Shuo Josh Zhang.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s International Trade practice group:

United States:
Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, jalee@gibsondunn.com)
Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, rkirk@gibsondunn.com)
Jose W. Fernandez – New York (+1 212-351-2376, jfernandez@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213-229-7269, nhanna@gibsondunn.com)
Marcellus A. McRae – Los Angeles (+1 213-229-7675, mmcrae@gibsondunn.com)
Adam M. Smith – Washington, D.C. (+1 202-887-3547, asmith@gibsondunn.com)
Stephanie L. Connor – Washington, D.C. (+1 202-955-8586, sconnor@gibsondunn.com)
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, ctimura@gibsondunn.com)
Courtney M. Brown – Washington, D.C. (+1 202-955-8685, cmbrown@gibsondunn.com)
Laura R. Cole – Washington, D.C. (+1 202-887-3787, lcole@gibsondunn.com)
Jesse Melman – New York (+1 212-351-2683, jmelman@gibsondunn.com)
R.L. Pratt – Washington, D.C. (+1 202-887-3785, rpratt@gibsondunn.com)
Samantha Sewall – Washington, D.C. (+1 202-887-3509, ssewall@gibsondunn.com)
Audi K. Syarief – Washington, D.C. (+1 202-955-8266, asyarief@gibsondunn.com)
Scott R. Toussaint – Washington, D.C. (+1 202-887-3588, stoussaint@gibsondunn.com)
Shuo (Josh) Zhang – Washington, D.C. (+1 202-955-8270, szhang@gibsondunn.com)

Asia:
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Fang Xue – Beijing (+86 10 6502 8687, fxue@gibsondunn.com)
Qi Yue – Beijing – (+86 10 6502 8534, qyue@gibsondunn.com)

Europe:
Peter Alexiadis – Brussels (+32 2 554 72 00, palexiadis@gibsondunn.com)
Attila Borsos – Brussels (+32 2 554 72 10, aborsos@gibsondunn.com)
Nicolas Autet – Paris (+33 1 56 43 13 00, nautet@gibsondunn.com)
Susy Bullock – London (+44 (0)20 7071 4283, sbullock@gibsondunn.com)
Patrick Doris – London (+44 (0)207 071 4276, pdoris@gibsondunn.com)
Sacha Harber-Kelly – London (+44 20 7071 4205, sharber-kelly@gibsondunn.com)
Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com)
Steve Melrose – London (+44 (0)20 7071 4219, smelrose@gibsondunn.com)
Matt Aleksic – London (+44 (0)20 7071 4042, maleksic@gibsondunn.com)
Benno Schwarz – Munich (+49 89 189 33 110, bschwarz@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Richard W. Roeder – Munich (+49 89 189 33-160, rroeder@gibsondunn.com)

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

For the third consecutive year, following the publication of Gibson Dunn’s ninth annual U.S. Cybersecurity and Data Privacy Outlook and Review on Data Privacy Day, we offer this separate International Outlook and Review.

Like many recent years, 2020 saw significant developments in the evolution of the data protection and cybersecurity landscape in the European Union (“EU”):

  • On 16 July 2020, the Court of Justice of the EU (“CJEU” or “Court”) struck down as legally invalid the EU-U.S. Privacy Shield, on which some companies relied to transfer personal data from the EU to the U.S.  While companies are turning to other frameworks to transfer personal data, such as Standard Contract Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”), EU law also compels these companies to ensure that personal data will be safeguarded.
  • As a consequence of the COVID-19 pandemic, a number of public, corporate and workplace practices have emerged to limit the spread of the virus, all which have privacy implications.  To respond to this, many EU Member States have issued rules and guidelines with respect to the processing of personal data in the context of the pandemic.
  • Negotiations among EU Member States have been ongoing regarding the adoption of a new e-Privacy Regulation, due to replace the soon 20-year-old e-Privacy Directive.  Meanwhile, EU supervisory authorities have continued to publish guidance on cookie practices and other e-privacy matters, as well as to impose heavy fines on companies in breach of cookies-related requirements.
  • Before Brexit was completed on 31 December 2020, the EU and the UK adopted the Trade and Cooperation Agreement, which includes an overall six-month “bridging mechanism” to cover transfers of personal data into the UK.  The European Commission and the UK are in negotiations to adopt an adequacy decision that can enable the free flow of personal data beyond this six-month period, as in the pre-Brexit scenario.

In addition to the EU, different legal developments occurred in other jurisdictions around the globe, including in other European jurisdictions, the Asia-Pacific region, the Middle East, Africa and Latin America.

We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

__________________________________________

Table of Contents

I. European Union

A.        International Data Transfers

1.         The Schrems II Ruling
2.         Guidance Adopted by the EDPB and Member State Authorities
3.         Conclusions on Data Transfers

B.        COVID-19 Pandemic

1.         Guidance Adopted by Supervisory Authorities
2.         Guidance at EU Member State Level
3.         Next Challenges for the Fight against the COVID-19 Pandemic

C.        E-Privacy and Cookies

1.         Guidance Adopted by the EDPB and Member State Authorities
2.         Reform of the e-Privacy Directive
3.         Enforcement in Relation to Cookies

D.        Cybersecurity and Data Breaches

1.         Guidance and Initiatives Adopted by ENISA
2.         Enforcement in Relation to Cybersecurity

E.         The UK and Brexit 17

1.         Transfers from and into the EU/EEA and the UK
2.         Transfers from and into the UK and other Jurisdictions

F.         Other Significant Developments in the EU

II. Developments in Other European Jurisdictions: Switzerland, Turkey and Russia

A.        Russia

1.         Access Restriction Trend in Privacy Laws Enforcement
2.         The Russian Data Protection Authority Has Continued to Target Large, Multinational Digital Companies
3.         Legislative Updates

B.        Switzerland

1.         The Revised FADP
2.         The Swiss-U.S. Privacy Shield

C.        Turkey

1.         Turkish Data Protection Authority and Board Issues a Number of Regulations, Decisions and Guidance Documents
2.         Turkish Data Protection Act Continues to be Enforced

III. Developments in Asia-Pacific, Middle East and Africa

A.        Australia

B.        China

1.         New Developments in Chinese Legislation
2.         Enforcement of Chinese Data Protection and Cybersecurity Legislation

C.        Hong Kong SAR

D.        India

1.         Legislative initiatives
2.         Regulatory opinions and guidance
3.         Enforcement of data protection laws

E.         Indonesia

F.         Israel

G.        Japan

H.        Malaysia

I.        Singapore

J.        South Korea

K.        Thailand

L.        United Arab Emirates

M.       Other Developments in Africa

N.        Other Developments in the Middle East

O.        Other Developments in Southeast Asia

IV. Developments in Latin America and in the Caribbean Area

A.        Brazil

B.        Other Developments in South America

1.         Argentina
2.         Chile
3.         Colombia
4.         Mexico
5.         Uruguay

__________________________________________

I. European Union

A.  International Data Transfers

1. The Schrems II Ruling

On 16 July 2020, the CJEU struck down as legally invalid the EU-U.S. Privacy Shield, which some companies had relied upon to transfer personal data from the EU to the U.S.  The Court also ruled that the Standard Contractual Clauses (“SCCs”) approved by the European Commission, another mechanism used by many companies to transfer personal data outside of the EU, remained valid with some caveats.  The Court’s landmark decision has forced companies on both sides of the Atlantic to reassess their data transfer mechanisms, as well as the locations where they store and process personal data.[1]

2.  Guidance Adopted by the EDPB and Member State Authorities

Following the Schrems II ruling, several supervisory authorities shared their views and opinions on its interpretation.[2]  On its side, the UK Information Commissioner’s Office (“ICO”) invited companies to continue transferring data on the basis of the invalidated Privacy Shield and, on the contrary, several German Authorities have advised against it.

These initial reactions were overcome by the Frequently Asked Questions (“FAQ”) report issued by the European Data Protection Board (“EDPB”) on 23 July 2020.  In its FAQs on Schrems II, the EDPB stated, in particular, the following:

 

i.

 

No “grace” period is granted for entities that relied on the EU-U.S. Privacy Shield.  Entities relying on the now invalidated Privacy Shield should immediately put in place other data transfer mechanisms or frameworks.

    
 

ii.

 

Data controllers relying on SCCs and BCRs to transfer data should contact their processors to ensure that the level of protection required by EU law is respected in the third country concerned.  If personal data is not adequately protected in the importing Member State, the controller or the processor responsible should determine what supplementary measures would ensure an equivalent level of protection.

    
 

iii.

 

If data transferred cannot be afforded a level of protection essentially equivalent to that guaranteed by EU law, data transfers should be immediately suspended.  Companies willing to continue transferring data under these circumstances should notify the competent supervisory authority(ies).[3]

In October 2020, the U.S. Department of Commerce and the European Commission announced that they had initiated discussions to evaluate the potential for a new version of the Privacy Shield that would be compliant with the requirements of the Schrems II ruling.[4]

Pending the discussions between the EU and the U.S. on a new data transfer framework, on 10 November 2020, the EDPB issued important new guidance on transferring personal data out of the EEA, namely:

 

i.

 

Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data,[5] which aim to provide a methodology for data exporters to determine whether and which additional measures would need to be put in place for their transfers; and

    
 

ii.

 

Recommendations 02/2020 on the European Essential Guarantees (“EEG”) for surveillance measures,[6] which aim to update the EEG, in order to provide elements to examine whether surveillance measures allowing access to personal data by public authorities in a receiving country, whether national security agencies or law enforcement authorities, can be regarded as a justifiable interference.

The EDPB’s guidance lessened some of the uncertainty caused by the Schrems II ruling.  However, since this guidance was issued in the form of a public consultation closing on 21 December 2020, it may be subject to further changes or amendments.

In the Recommendations on supplementary transfer tools, the EDPB recommends that data exporters: (i) map all transfers of personal data to third countries and verify that the data transferred is adequate, relevant and limited to what is necessary; (ii) verify the transfer tool on which the transfers are based; (iii) assess whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards, and document this assessment; (iv) identify and adopt additional measures (examples are provided in Annex 2 of the Recommendations); (v) take any formal procedural steps that the adoption of the supplementary measure may require; and (vi) re-evaluate at appropriate intervals the level of protection afforded to the data transferred.  Although the guidance takes the form of non-binding recommendations, companies that transfer personal data outside of the EEA would be well served to review their approach to such transfers in light of the EDPB guidance.

On 12 November 2020, the European Commission published a draft implementing decision on SCCs for the transfer of personal data to third countries along with a draft set of new SCCs.  The new SCCs include several modules to be used by companies, depending on the transfer scenario and designation of the parties under the GDPR, namely: (i) controller-to-controller transfers; (ii) controller-to-processor transfers; (iii) processor-to-processor transfers; and (iv) processor-to-controller transfers.

These new SCCs also incorporate some of the contractual supplementary measures recommended by the EDPB, as described above.  They have been opened for public consultation that closed on 10 December 2020 and the final new set of SCCs is expected to be adopted in early 2021.  At this stage, the draft provides for a grace period of one year during which it will be possible to continue to use the old SCCs for the execution of contracts concluded before the entry into force of the new SCCs.[7]

Besides, the European Commission also published on 12 November 2020 draft of SCCs for contracts between controllers and processors.  These SCCs are intended to be optional (the parties may choose to continue using their own data processing agreements) and have also been opened for public consultation that closed on 10 December 2020.  The final draft of SCCs are also expected to be adopted in early 2021.[8]

On 15 January 2021, the EDPB and European Data Protection Supervisor adopted joint opinions on both sets of SCCs (one opinion on the SCCs for contracts between controllers and processors, and another one on SCCs for the transfer of personal data to third countries).[9]

3.  Conclusions on Data Transfers

As explained above, 2020 was a year of changes when it comes to data transfer mechanisms.

The EU-U.S. Privacy Shield, once believed to have put an end to the issues raised by the EU-U.S. Safe Harbour, has again been deemed to be insufficient to safeguard the data protection rights of individuals in the EU.  It is expected that, with a change in the U.S. federal administration, and the need for authorities to give legal certainty and facilitate cross-border commercial activity in the current economic context, the EU and the U.S. will work swiftly towards a mechanism that can resolve transatlantic transfers once and for all.

The adoption of new SCCs, expected to occur in 2021, will also bring more certainty to companies that relied on this framework to transfer personal data.  The new sets of SCCs will cover wider scenarios than those under the current framework, reducing implementation costs and limiting uncertainty.  However, given the limited grace period expected to apply to pre-GDPR SCCs, and the introduction of changes to the new SCCs, companies should take the opportunity to review the new contractual framework and adapt it to their data transfer needs.

B.  COVID-19 Pandemic

The COVID-19 pandemic and the ensuing health crisis has led to the emergence of new practices to limit the spread of the virus, such as the issuance of tracing apps and the implementation of temperature checks at public administration buildings or at the workplace.  These practices involve the processing of various health data, and may therefore have privacy implications.  On the other hand, remote working has increased the exposure of companies and their employees to cybersecurity risks, such as the use of private (unprotected and non-certified) assets to review, print or process company information.[10]

1.  Guidance Adopted by Supervisory Authorities

On 19 March 2020, the EDPB adopted a statement on the processing of personal data in the context of COVID-19.  In the statement, the EDPB emphasised that while data protection rules should not hinder the fight against the virus, data controllers and processors must ensure the protection of personal data even in these exceptional times.[11]

Further, on 17 April 2020, the European Commission set out the criteria and requirements that applications supporting the fight against COVID-19 must meet in order to ensure compliance with data protection regulations.[12] Building on this guidance, the EDPB adopted Guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak as well as Guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak.[13]

Since the beginning of the pandemic, European authorities have also focused on pooling resources at the EU level.  The European Commission and the EDPB published materials relating to the interoperability between the Members States’ contact tracing applications, in order for users to be able to rely on a single app wherever they are located in the EU.[14]

The EDPS also issued a Preliminary Opinion on the European Health Data Space, which aims to promote better exchange and access to different types of health data within the EU.[15]

2.  Guidance at EU Member State Level

Member State supervisory authorities have also issued their own guidance with respect to the processing of personal data in the context of the COVID-19 pandemic.  Although authorities have emphasised the general principles set forth under the GDPR, they have failed to adopt a unified approach.

As regards national tracing applications, the UK ICO issued a notice on the joint initiative by two tech companies to enable the use of Bluetooth technology in contact research applications,[16] as well as on the development of contact tracing applications in accordance with the principles of privacy by design and privacy by default.[17]  In France, the French supervisory authority (the “CNIL”) opened and closed a formal enquiry into the national tracing app sponsored and developed by the French government,[18] after requesting the Ministry of Solidarity and Health to remedy certain breaches identified in the app.[19]  In Germany, as in France, the authority emphasised that the use of the national COVID-19 app should be voluntary.[20]

On a different note, supervisory authorities have also intervened in different degrees in the testing and tracing efforts of public authorities.  In the UK, for example, the ICO issued a notice on the recording and retention of personal data in support of the test and trace scheme, where it advised in particular to only collect data requested by the government, not to reuse the data for other purposes, and to delete the data as soon as it is no longer necessary.[21]  In Germany, a regional supervisory authority even issued warnings for excessive health requests.[22]

Supervisory authorities have also issued substantial guidance in respect of measures to fight the COVID-19 pandemic in an employment context, for example, in the UK,[23] France,[24] Italy,[25] Belgium[26] and the Netherlands.[27]  The topics covered by supervisory authorities include the implementation of tests and the monitoring of employees, the reporting of sensitive information to the employer, and in turn the communication of such information to the health authorities, as well as remote work.

The use of smart and thermal cameras has also been strictly regulated both in France and in Germany.[28]

3.  Next Challenges for the Fight against the COVID-19 Pandemic

While data protection laws were not meant to hinder the deployment of necessary measures to trace and contain the evolution of the virus, EU supervisory authorities have been adamant that this should not come at a cost in terms of privacy.

Privacy standards are likely to remain high as Member States commence their vaccination plans and prepare for the post-COVID-19 economic recovery.  For example, in the Member States the monitoring of doses and medical supervision of patients are generally conducted by qualified medical staff, and health and pharmaceutical institutions.  However, there is still some debate whether private and public institutions can issue or request vaccination “passports” or certificates to facilitate the safe movement of people.[29]  With regard to tracing and detection data, public administrations and companies have to assess the proper retention periods that apply to the storage and archive of such information.

C.  E-Privacy and Cookies

Against the backdrop of the ongoing EU discussions on the future e-Privacy Regulation, guidance has been released by Member State supervisory authorities.  Meanwhile, significant fines continue to be imposed on companies that do not comply with applicable e-privacy rules.

1.  Guidance Adopted by the EDPB and Member State Authorities

On 5 April 2020, the EDPB updated its Guidelines (05/2020) on consent, which now specifically address the practice of so-called “cookie walls” (a practice which consists in making access to online services and functionalities conditional on the consent of a user to cookies).  Among others, in these Guidelines the EDPB explicitly states that continuing browsing on a website does not meet the requirements of valid consent.[30]

As a result of the additional clarifications provided by the EDPB, the Spanish supervisory authority (“AEPD”) updated its guidance on the use of cookies, denying the validity of consent obtained through cookie walls or continued browsing.[31]

In France, the CNIL adopted a different approach set by the French Administrative Court, which in a 2020 ruling invalidated the general and absolute ban on cookie walls.  Consequently, the CNIL adopted amending guidelines and a recommendation on the use of cookies and other tracing devices, offering practical examples of the collection of user’s consent.[32]

2.  Reform of the e-Privacy Directive

The e-Privacy Regulation was proposed by the European Commission in 2017 in order to update the legislative rules applicable to digital and online data processing and to align e-privacy laws to the GDPR.  Ambitious and promising at first, eight presidencies of the Council of the EU have been unable to push the project over the finish line.

In January 2021, the Portuguese Presidency of the Council of the EU (January to June 2021) proposed a new version (the 14th) of the e-Privacy Regulation, with the aim to simplify the text and further align it with the GDPR.[33]

While the new Regulation is not expected to be applicable before 2022, its adoption process should be closely monitored in order to anticipate compliance efforts that will be required, in particular in view of the shorter transition period (from 24 to 12 months) set out in the proposal of the Portuguese Presidency.

3.  Enforcement in Relation to Cookies

In parallel, Member State supervisory authorities continued to enforce their national e-privacy legislation transposing the e-Privacy Directive.

In Spain, a social network service was fined €30,000 for breaching the rules relating to cookies, specifically because its cookie banner did not enable users to reject the use of trackers or to issue consent per type of cookie.[34]  Similarly, the AEPD imposed a fine of the same amount to an airline for implementing a “cookie wall” on its website.[35]

In France, hefty fines have been imposed for violations of the legal provisions on cookies.  First, two companies of a food and goods retail distribution group were fined €2,250,000 and €800,000 euros for various violations, including the automatic setting of cookies on users’ terminals.[36]  More recently, two U.S. tech companies have been imposed fines of €100 million and €35 million, respectively, due to violation of the legal framework applicable to cookies.  In particular, the CNIL observed that these companies placed advertising cookies on user’s computers without obtaining prior consent and without providing adequate information.[37]

D.  Cybersecurity and Data Breaches

As in previous years, EU and Member State supervisory authorities and cybersecurity agencies have continued to be active in the adoption of measures and decisions that enhance and enforce cybersecurity standards.

1. Guidance and Initiatives Adopted by ENISA

The EU Agency for Cybersecurity (“ENISA”) has the mandate of increasing the protection of public and private networks and information systems, to develop and improve cyber resilience and response capacities, and to develop skills and competencies in the field of cybersecurity, including management of personal data.

In 2020, ENISA continued to issue guidelines and to spearhead initiatives to achieve these objectives:

  • On 27 January 2020, ENISA released an online platform to assist companies in the security of personal data processing.  Among others, the platform focuses on the analysis of technical solutions for the implementation of the GDPR, including the principle of privacy by design.  The platform may assist data controllers and processors in the determination of their approach when developing personal data protection policies.[38]
  • On 4 February 2020, ENISA published a report outlining frameworks, schemes and standards of possible future EU cybersecurity certification schemes.  The report focuses in particular on the current standards applied to fields such as the Internet of Things, cloud infrastructure and services, the financial sector and electronic health records.  The Report also addresses gaps in the current cybersecurity certification schemes, paving the way for the adoption of future EU cybersecurity certification schemes.[39]
  • On 19 March 2020, ENISA issued a report on security requirements for digital service providers and operators of essential services, based on Directive (EU) 2016/1148 of 6 July 2016 Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union (“NISD”) and the GDPR.  Among other things, the report proposes and sets the outline for a risk-based approach to security.  It identifies the guidelines relevant to NISD and GDPR security measures, recommends the establishment of certification mechanisms, and sets the need for competent EU bodies and research bodies to continue providing specialised guidance on state-of-the-art data protection and security techniques.[40]
  • On 9 June 2020, ENISA made available a visual tool to ensure transparency with regard to cybersecurity incidents.  The tool provides information on eight years of telecommunications security incidents, as well as four years of trust services incident reports.  In total, the tool provides information on a total of 1,100 cybersecurity incidents notified as mandated by EU legislation for over nine years.  In its release, ENISA noted that, over the last four years, system failure was the most common cause behind both telecom security incidents and trust services incidents.[41]

Finally, it is worth noting the Strategy for a Trusted and Cyber Secure Europe released by ENISA on 17 July 2020.  The Strategy aims to achieve a high common level of cybersecurity across the EU, containing ENISA’s strategic objectives to boost cybersecurity, preparedness, and trust across the EU.  The Strategy sets out a list of seven objectives that it aims to reach, including the effective cooperation amongst operational actors within the EU in case of massive cyber incidents, the creation of a high level of trust in secure digital solutions, and efficient and effective cybersecurity information and knowledge management for Europe.[42]

2.  Enforcement in Relation to Cybersecurity

Member State supervisory authorities have been particularly active in sanctioning data breaches and the lack of appropriate security measures, with significant monetary penalties.

For example, in the UK, three sanctions have been especially significant.  First,an airline company was fined £20 million following a cyberattack in 2018, compromising the personal and financial data of more than 400,000 of its customers for over two months.[43]  ICO investigators found that the airline company should have identified weaknesses in its security and resolved them with security measures that were available at the time, which would have prevented the cyber-attack.

Second, a hotel chain was fined £18.4 million after an estimated 339 million guest records worldwide were affected following a cyberattack that occurred in 2014, but remained undetected until September 2018.[44]  According to the ICO, the investigation revealed failures on the side of the hotel chain to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR.  In those two cases, the ICO significantly reduced the amount of the fine originally considered in its notice of intention to fine the companies, taking into account the company’s representations and the economic impact of the COVID-19 pandemic in setting the final amount of the fine.

Third, a ticket sales and distribution company was imposed a £1.25 million fine for failing to comply with its security obligations, in the context of a cyberattack on a chatbot installed on its online payment page, potentially affecting the data of 9.4 million people.[45]  The ICO concluded that the company failed to assess the risks of using a chat-bot on its payment page, identify and implement appropriate security measures to negate the risks, and identify the source of suggested fraudulent activity in a timely manner.

In Germany, a German telecommunications service provider was fined by the German Federal Data Protection Authority for insufficient data security procedures established in a call centre that lead to an inappropriate disclosure of a cell phone number of an individual who then complained to a data protection authority.  While the fine initially amounted to €9.5 million, it was challenged by the telecommunications service provider and later reduced by the competent district court in Bonn to €900,000.

More recently, in Ireland, a social network service was fined €450,000 concerning its 2019 data breach.  This decision bears great importance, as it represented the outcome of the first application of the GDPR dispute resolution mechanism, where the Irish Data Protection Commission adopted a decision further to the adoption of a prior decision by the EDPB.[46]

On 30 July 2020, the Council of the EU imposed its first ever sanctions on cyberattacks.  In particular, the Council adopted restrictive measures against six individuals and three entities responsible for or involved in various cyberattacks, including a travel ban and an asset freeze.  In addition, EU individuals and entities are forbidden from making funds available to these individuals and entities.[47]

E.   The UK and Brexit

The UK regained full autonomy over its data protection rules at the end of the Brexit transition period, on 31 December 2020.  However, before Brexit was concluded, the EU and the UK entered into the EU-UK Trade and Cooperation Agreement on 30 December 2020.[48]  This Agreement regulates data flows from the EU/EEA to the UK under a so-called “bridging mechanism”, and sets a timeline for the adoption of an EU-UK adequacy decision thereafter.

The Trade and Cooperation Agreement includes mechanisms to enable the UK to make changes to its data protection regime or exercise international transfer powers, subject to mutual agreement, without affecting the bridging mechanism.  The EU does not have the power to block changes to the UK’s framework or use of its powers.  However, if the EU objects to changes considered by the UK, and the UK implements them despite these objections, the EU/EEA-UK bridge will be terminated.

1.  Transfers from and into the EU/EEA and the UK

As indicated above, the bridging mechanism contained in the EU-UK Trade and Cooperation Agreement covers personal data transfers from the EU/EEA to the UK.  According to the provisions in the Agreement, it will apply for up to a maximum period of six months, unless an adequacy decision comes into effect earlier.  The adoption of an EU adequacy decision for the UK, which is expected to be adopted in 2021, would enable the ongoing free flow of personal data from the EEA to the UK thereafter, without needing to implement additional safeguards.

Notwithstanding the stability offered by the Trade and Cooperation Agreement, the UK Government has advised companies to put in place alternative transfer mechanisms that may safeguard personal data received from the EEA against any interruption to the free flow of personal data.[49]  SCCs have been identified as the most relevant mechanism that organisations may resort to in order to safeguard such transfers.

On the other side, regarding personal data transfers from the UK to the EU/EEA and Gibraltar, the conditions under which such transfers may be made will remain unchanged and unrestricted, according to the UK Government.[50]

2.  Transfers from and into the UK and other Jurisdictions

The transfer of personal data from third countries and territories to the UK generally raises questions of legal compliance in the exporting jurisdiction.  The impact of Brexit has been particularly significant regarding the regulation of data transfers into the UK from jurisdictions that were already covered by an adequacy decision of the European Commission.

Pre-Brexit, the European Commission had made findings of adequacy of personal data transfers to a number of jurisdictions.[51]  These adequacy decisions generally address the inbound transfer of personal data from these jurisdictions into the EU/EEA.  However, in order to obtain and maintain these adequacy decisions, these jurisdictions put in place legal restrictions on (onward) transfers of personal data to countries outside the EEA, which now include the UK.

To resolve potential issues on transfers of personal data from these jurisdictions to the UK, the governments of most of these jurisdictions have issued statements, resolutions and even modified their legal regimes in order to permit the continued transfer of personal data into the UK.  The UK ICO has indicated that it is continuing to work with these jurisdictions in order to make specific arrangements for transfers of personal data to the UK.[52]

On the UK side, the 2019 Brexit regulations applicable to data protection matters recognised the European Commission’s adequacy decisions, and rendered permissible cross-border transfers of personal data to these jurisdictions.[53]  The Government and the ICO are working on the adoption of new UK adequacy regulations, to confirm that particular countries, territories or international organisations ensure an adequate level of protection, so as to allow transfers of personal data from the UK to these jurisdictions, without the need for adoption of additional safeguards.  SCCs and other mechanisms for lawful international data transfers may be put in place to cover transfers of personal data from the UK to jurisdictions not covered by adequacy decisions.

F.  Other Significant Developments in the EU

More generally, this year has been marked by the adoption of important EDPB Guidelines.  In addition to those mentioned above, the EDPB released new Guidelines on the concepts of controller and processor, on the targeting of social media users, and on data protection by design and by default.[54]

Furthermore, hefty fines were imposed as mentioned in Sections I.A to D above, in particular in France with the €100 million fine imposed on a tech company which is the highest penalty ever imposed by a supervisory authority as of end of December 2020.

Fines were also imposed on topics other than those addressed above.  In particular, in Germany, the Hamburg supervisory authority fined a retail company €35.3 million for illegally collecting and storing sensitive personal data from employees, such as information about health condition, religious beliefs and family matters.  According to the authority’s investigation, data about the personal life of the company’s employees had been collected comprehensively and extensively by supervisors since at least 2014, and stored on the company’s network drive.  This information was accessible to up to 50 managers of the company and was used, among other things, to create profiles of individual employees in order to evaluate their work performance and to adopt employment decisions.  In sum, the practice of the company amounted to a number of data protection violations, including a lack of legal basis for the data processing, illegal processing of the data, and the absence of controls to limit storage and access to the data.[55]

Significant monetary penalties have also been imposed due to the lack of valid consent under the GDPR:

  • In Italy, two telecommunications operators were fined approximately €17 and €12 million for processing hundreds of unsolicited marketing communications without having obtained users’ prior consent, without having offered to users their right to object to the processing, and for aggressive telemarketing practices, respectively.[56]
  • In Spain, the AEPD fined a bank €5 million for violations of the right to information and for lack of valid consent.  In particular, the bank used imprecise terminology to define the privacy policy, and provided insufficient information about the category of personal data processed, especially in relation to customer data obtained through financial products, services, and channels.  Moreover, the bank failed to obtain consent before issuing promotional SMS messages, and did not have in place a specific mechanism for consent to be obtained by customers and account managers.[57]

As regards the requirements for valid consent under the GDPR, the CJEU, in its ruling on Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal, decided that valid consent cannot be inferred from a preselected box in a contract for the provision of telecommunications services, whereby the customer allegedly consents to the collection and storage of his/her identity document.  The Court specified that this is also the case where the customer is misled as to the possibility of concluding the contract if he/she refuses to consent to the processing of his/her data, or where the freedom to choose to object to that collection and storage is affected by the requirement to complete an additional form setting out that refusal.[58]

In addition to increased scrutiny by data protection authorities, there is also a slightly increasing trend in private enforcements actions from consumers and (former) employees.  These actions primarily relate to both the enforcement of transparency and access rights to personal data as well as claims for compensation for alleged GDPR violations.

II. Developments in Other European Jurisdictions: Switzerland, Turkey and Russia

As explained in the 2020 International Outlook and Review, the increasing impact of digital services in Europe and the overhaul brought about by the GDPR in the EU have continued to influence the regulatory and enforcement actions of jurisdictions in the vicinity of the EU.

A.  Russia

1.   Access Restriction Trend in Privacy Laws Enforcement

Russian local data privacy laws have continued to be heavily enforced by the Russian Federal Service for the Supervision of Communications, Information Technology and Mass Communications (“Roskomnadzor”).  This activity reflects the growing priority and concern that personal data protection represents for the Russian population.  According to Roskomnadzor’s statistics, in the previous year the number of complaints concerning personal data protection had increased to 50,300.  The largest number of complaints related to the actions of the owners of internet sites, including social networks, credit institutions, housing and communal services organisations, and collection agencies.[59]

The most notable activity of Roskomnadzor in 2020 was its use of its regulatory powers to manage activities of numerous Internet-based services.  Below we describe three noteworthy cases where the access to Internet resource was restricted by Roskomnadzor until the respective company satisfied certain expectations and /or requests of the regulator.

On 29 January 2020, Roskomnadzor announced that it would restrict access to the mail service of a tech company.  In deciding so, Roskomnadzor noted that the company was used by cybercriminals to send false messages under the guise of reliable information, and that it had categorically refused Roskomnadzor’s repeated requests for information to be included in the register of information dissemination organisers on the Internet.[60]  However, the company has taken actions to address the situation, and currently it is accessible for the Russian users.

On 20 February 2020, Roskomnadzor took a similar measure and temporarily restricted access to another email service provider.[61]  The authority stated that, in 2019 and in February 2020, the email service had been used by cyber-attackers to send false messages under the guise of reliable information about the massive mining of social transport infrastructure and ships in the Russian Federation.

On 18 June 2020, Roskomnadzor also announced that it had removed the requirements to restrict access to the messaging application of a tech company.[62]  This decision was paired with Roskomnadzor’s declaration of its readiness to cooperate with internet companies operating in Russia to quickly suppress the spread of terrorist and extremist information, child pornography, and the promotion of suicide and drugs.  In addition, Roskomnadzor noted that, through joint efforts with leading Russian and foreign companies, it had removed, on average and weekly, 2,500 materials relating to suicidal behaviours, 1,300 materials of an extremist and terrorist nature, 800 materials propagandising drug use, and 300 materials containing pornographic images of minors.

2.  The Russian Data Protection Authority Has Continued to Target Large, Multinational Digital Companies

In 2020, Roskomnadzor followed its set trend in targeting large, multinational digital companies.  On 31 January 2020 the authority announced that it had initiated administrative proceedings against two social network services.[63]  In particular, Roskomnadzor stated that these companies did not meet the requirements for data localisation of Russian users on servers located in the Russian Federation.

Following the authority’s proceedings, on 13 February 2020, the Tagansky District Court of Moscow fined both social network services RUB 4 million (approx. €45,000) for these violations.[64]  The Court affirmed the authority’s finding that one of the companies had violated Russia’s legal requirement to record, organise and store the personal data of Russian citizens in databases located in the Russian Federation.[65]

3.  Legislative Updates

Several notable laws have been adopted at the end of 2020.

New amendments to the Code of Administrative Offenses of the Russian Federation entail considerable fines for failure to delete prohibited information upon the request of Roskomnadzor.[66]  The fines can be imposed on hosting providers or any person enabling other persons to publish information on the Internet for failure to restrict access to prohibited information and owners of the websites or Internet resources for non-deletion of prohibited information may be up to RUB 4,000,000 (approx. €45,000) for the first offence and up to 10% of the company’s annual turnover from the preceding calendar year (but not less than RUB 4,000,000) for the subsequent offence.  If prohibited information contains propaganda of extremism, child pornography, or drugs, liability is increased for up to RUB 8,000,000 (approx. €90,000) for the first offence or up to 20% of the company’s annual revenue from the preceding calendar year (but not less than RUB 8,000,000) for the subsequent offence.  This law is aimed at establishing liability for hosting providers, owners of websites and information resources who fail to restrict access to or delete the information, dissemination of which is prohibited in Russia, and has come into force on 10 January 2021.

Another amendment to Russian law[67] increases significantly the risks of blocking of internet resources in Russia.  The law introduces the status of the owner of an Internet resource involved in violations of the fundamental human rights of Russian citizens.  The Prosecutor General, in consultation with the Russian Foreign Ministry, may assign this status to the owner of an Internet resource that discriminates against materials from the Russian media.  Such a decision can be made if the internet resource limits access to socially important information based on the nationality, language, or in connection with the imposition of sanctions against Russia or its citizens.  If the owner of the internet resource censors or anyhow restricts the access to accounts of Russian media, Roskomnadzor is entitled to restrict access to such internet resource, fully or partially.  This law has come into force on 10 January 2021.

The law amending the Personal Data Law significantly changes the legal landscape with regard to the processing of publicly available personal data.[68]  As per the new law, data controllers making personal data publicly available for further processing by third parties must obtain individuals’ explicit consents, which shall not be bundled to any other consents and data subjects have a wide range of rights in this regard.

Third parties who intend processing publicly available personal data have three options: (i) to rely on the consent obtained by the controller when making the data publicly available, subject to compliance with the rules of data processing; (ii) to rely on the consent provided by an individual to Roskomnadzor via a dedicated web-based platform to be set up under the law, but also subject to compliance with the rules of data processing; or (iii) to ensure on their own that they have appropriate legal grounds as per the general requirements of Russian Personal Data Law.  The above rules will enter into force as of 1 March 2021.

In addition, the new law introduces the data controller’s obligation to publish information on the processing terms and existing prohibitions and conditions for processing of personal data, permitted by a data subject for dissemination, by an unlimited number of persons.  These new requirements will come into force as of 1 July 2021.  According to the amendments to the Law on Information, Information Technologies, and Information Protection, if a resource is considered a social network, it will be included in the register maintained by the Roskomnadzor.[69]  These amendments impose moderation obligations on social networks regarding the content published by users, and require them to make available certain information on their websites.

In practice, social networks will now be required to identify and restrict access to illegal content.[70]  Furthermore, the following information must be posted on the social network by its owner: (i) name, email address and an electronic form for sending requests about the illegal content; (ii) annual reports on the results of the consideration of requests and monitoring activities; (iii) terms of use of the social network.  This amendment will enter into force on 1 February 2021.

The recently adopted laws evidence the trend of the increased regulation of IT-industry activities in Russia.  With these new regulations, the Russian authorities increase the regulatory mechanisms that may affect the activities of websites, news media, social media, social networks and video hosting services in Russia.

B.  Switzerland

1.  The Revised FADP

On 25 September 2020, the Swiss Parliament adopted the revised version of the Federal Act on Data Protection 1992 (“Revised FADP”).[71]  The Revised FADP is not in force yet, as it was subject to approval by referendum until 14 January 2021 (which was not held).  The Federal Council will decide on entry into force which is expected during 2021 or at the beginning of 2022.  The specific date is particularly important because the Revised FADP does not provide for any transitional periods.

One of the main reasons behind the adoption of the Revised FADP was to ensure that the EU recognises Switzerland as providing an adequate level of protection to personal data according to GDPR standards.

The most significant differences between the Revised FADP and the previous version, are the following:

  • The Revised FADP now codifies expressly the international principle of the effects doctrine, subject to the principles governing civil and criminal enforcement that remain in place.[72]  Hence, the Revised FADP will also apply on persons that are domiciled outside of Switzerland if they process personal data and this data processing has an effect in Switzerland.
  • Personal data pertaining to legal entities is no longer covered by the Revised FADP, which in line with the GDPR, and most foreign data protection laws.[73]
  • The Revised FADP will extend the term of sensitive data by adding two new categories: (i) genetic data; and (ii) biometric data that uniquely identifies an individual.[74]
  • The Revised FADP now contains a legal definition of profiling that corresponds to the definition in the GDPR.[75]
  • The Revised FADP distinguishes controllers and processors.[76]
  • Like the GDPR, the Revised FADP contains provisions concerning data protection by design and by default.[77]
  • The Revised FADP provides that a processor can hire a sub-processor only with the prior consent of the controller.[78]
  • Under the Revised FADP and subject to specific exemptions, controllers and processors must maintain records of data processing activities under their respective responsibility.  The former duty to notify data files to and register with the Federal Data Protection and Information Commissioner (“FDPIC”) has been abolished.[79]
  • Under the Revised FADP and under specific conditions, controllers that are domiciled or resident abroad and process personal data of Swiss individuals must designate a representative in Switzerland.[80]
  • The Revised FADP provides that individuals must (at the time of collection) be informed about certain minimum information[81] and have a new right to intervene in case of automated decision-making.[82]
  • Under the Revised FADP, the FDPIC will have the power to issue binding decisions.  However, it will not have the unilateral power to impose fines, unlike most data protection authorities in Europe – resort to Swiss courts will be required.
  • Controllers are required to conduct a Data Protection Impact Assessment (“DPIA”) where there is a high risk for the privacy and the fundamental rights of data subjects.[83]
  • Controllers will have a data breach notification obligation to the FDPIC where an incident results in high risk for data subjects.[84]
  • The Revised FADP introduces the right to data portability, which was not covered by the previous data protection law.[85]
  • The maximum amount of sanctions for individuals will be CHF 250,000 (approx. €232,000),[86] and the Revised FADP also extends criminal liability to the violation of additional data protection obligations.

As can be seen, there are significant similarities between the Revised FADP and the GDPR.  The entry into force of the Revised FADP is therefore expected to lead to continuity in the cross-border data transfers between the EU and Switzerland.

2. The Swiss-U.S. Privacy Shield

On 8 September 2020, the FDPIC published an assessment on the Swiss-U.S. Privacy Shield where it found that the cross-border transfer mechanism did not guarantee an adequate level of protection regarding data transfers from Switzerland to the U.S.[87]  Prior to FDPIC’s assessment, the CJEU had delivered its judgment in Schrems II,[88] in July 2020, which rendered the European Commission’s decision on the EU-U.S. Privacy Shield invalid.

The FDPIC identified two key problems concerning the Swiss-U.S. Privacy Shield, namely: (i) the lack of an enforceable legal remedy for persons concerned in Switzerland in particular due to the inability to assess the effectiveness of the Ombudsman mechanism because of a lack of transparency; and (ii) the inability to assess the decision-making abilities of the Ombudsman and its independence with respect to U.S. intelligence services.  Since FDPIC’s assessment is a soft-law instrument without legally binding nature, the Swiss-U.S. Privacy Shield will remain valid and binding for the companies registered unless and until it is repealed or annulled on a case-by-case basis by the competent Swiss courts or in its entirety by the U.S.

C.  Turkey

1.  Turkish Data Protection Authority and Board Issues a Number of Regulations, Decisions and Guidance Documents

In 2020, the Turkish Data Protection Authority (“KVKK”) and the Turkish Data Protection Board (the “Board”) continued to issue a number of statements, decisions and guidance documents regarding the application and enforcement of Turkish data protection provisions.  We outline and briefly explain below the most relevant ones:

  • On 16 December 2020, the KVKK issued a statement on the data protection rules related to publicly available personal data.  In the statement, the KVKK acknowledged that the Law on Protection of Personal Data No. 6698 (“Turkish Data Protection Act”) allows personal data to be processed where the data concerned is made available to the public by the data subject themselves.[89]  However, the KVKK clarified that the concept of “making data public” has a narrow meaning under the Turkish Data Protection Act, and only covers scenarios where the data subjects wish the data to be public for data processing – the mere act of making personal data available to the public is not sufficient.
  • On 26 October 2020, the KVKK issued a statement on cross-border data transfers outside of Turkey.[90]  The statement noted that the Turkish Data Protection Act allowed a grace period for compliance with relevant data transfer provisions, and that several deadlines had been extended due to the COVID-19 pandemic.  The KVKK also committed to eliminate and correct any misunderstandings arising from the interpretation and implementation of the Act, which had led to criticism from practitioners and scholars.  As a start, the KVKK clarified that the Board will carry out assessments on the adequacy of foreign jurisdictions for data transfers based on a number of factors, including the reciprocity concerning data transfers between the importing country and Turkey.  The KVKK also indicated that “Binding Corporate Rules” (“BCRs”) may be applicable and used in data transfers between multinational group companies.  Indeed, on 10 April 2020, the KVKK introduced BCRs to the Turkish data protection law, to be used in cross-border personal data transfers of multinational group companies.[91]  In its announcement, the KVKK described the undertaking letter procedure for data transfers outside of Turkey, and states that although the undertaking letters make bilateral data transfers easier; they may be inadequate in terms of data transfers between multinational group companies.  Therefore, the KVKK determined BCRs as another mean that could be used in international data transfers between group companies.
  • On 17 July 2020, the KVKK issued a statement on de-indexing of personal data from search engine results[92] based on the Board’s decision with number 2020/481.[93]  The KVKK stated in its announcement that, they have evaluated the applications submitted before the KVKK with regards to the requests as to de-indexing web search results and within the scope of “right to be forgotten”, the Board decided that search engines should be considered as “data controllers” under the Turkish Data Protection Act, that individuals may primarily convey their de-indexing requests to the search engines and file complaints before the KVKK and search engines should make a balance test between fundamental right and freedoms and public interest.  Additionally, KVKK also published a criteria document[94] by indicating that de-indexing requests should be considered per the issues indicated therein, which is mainly based on Article 29 Working Party’s Opinion on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on Costeja Case.
  • On 26 June 2020, the KVKK issued a statement on obligation to inform data subjects.[95]  The statement concerns the general rules that are already regulated under the Turkish Data Protection Act and secondary legislation concerning the obligation to inform set forth for the data controllers.  KVKK indicated in its announcement that privacy policies or data processing policies should not be used to fulfill the obligation to inform and thus, privacy notices should be separated from these texts.  Following that, the KVKK listed several examples with regards to the deficiencies and illegalities as to obligation to inform.
  • In the context of the COVID-19 pandemic, on 9 April 2020, the KVKK issued a statement on the processing of location data in light of the COVID-19 pandemic.[96]  The statement highlights that many other countries have used and allowed the use of personal data, such as the health, location and contact information of individuals, to identify those who carry or are at risk of carrying this disease. The KVKK reminds that the processing of this data needs to be carried out within the framework of the basic principles enshrined in the Turkish Data Protection Act.

2.  Turkish Data Protection Act Continues to be Enforced

2020 was also a year in which the KVKK enforced the Turkish Data Protection Act in a number of data protection proceedings.

On 6 February 2020, the KVKK fined an undisclosed bank TRY 210,000 (approx. €27,800) for illegally processing personal data to gain potential customers.[97]  The case concerned the creation of bank accounts without the knowledge or consent of individuals, using information gained by the bank via a third party.  The KVKK found that the bank had acted in breach of its security obligations to prevent unlawful processing of personal data.

On 22 July 2020, the KVKK fined an automotive company TRY 900,000 (approx. €101,840) for violations related to the transfer of personal data based on the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“Convention 108”).[98]  The software provider sought to rely on the fact that the receiving country was party to Convention 108 and, therefore, offered sufficient protection to personal data imported from Turkey.  However, the KVKK outlined that the fact that a receiving country is a party to Convention 108 is in itself an insufficient measure in determining adequate protection of data.  The data transfer had thus been carried out in breach of the Turkish Data Protection Act, without data subjects’ consent and not benefitting from any of the exceptions set out in the Turkish Data Protection Act.  It is worth noting, in this regard, that the KVKK is yet to publish the list of countries deemed to provide sufficient protection under Turkish law.  Finally, the decision notes that the data controller failed to comply with its data security obligations, as it had failed to prevent the unlawful processing and transfer of personal data.  The KVKK ordered the data controller to delete/destroy the personal data unlawfully transferred outside of Turkey.

On 16 April 2020, the KVKK fined a gaming company TRY 1,100,000 (approx. €120,000) for failing to notify the KVKK of data breach within seventy-two (72) hours after becoming aware of the relevant data breach and to take required data security measures.[99]

On 27 February 2020, the KVKK fined an e-commerce company TRY 1,200,000 (approx. €120,000) mainly, TRY 1,100,000 for failing to fulfil the obligations relating to data security and TRY 100, 000 for failing to comply with the obligation to inform data subjects.[100] Besides, the Board also ordered the data controller to revise the data processing processes and privacy policy, Conditions of Sale and Use and Cookie Notice in accordance with the determined irregularities and in line with the Turkish Data Protection Act.  The Board stated in its decision that (i) the privacy policy contains lots of information and general information about personal data processing and this does not mean that the data subjects are duly informed; (ii) although the data processing activities start with the cookies as soon as a user enters the website, information obligation is not complied with at any stages such as cookies or member login to the website; (iii) explicit consent is not obtained for commercial electronic communications and cross-border transfer of personal data; and (iv) considering that the undertaking letters submitted for cross-border transfer of personal data are not approved and the safe countries have not been announced, data controller may only transfer personal data abroad based on data subjects’ explicit consent.

III.  Developments in Asia-Pacific, Middle East and Africa

A.    Australia

The Australian government released the Terms of Reference and Issues Paper for the review of the Privacy Act 1988, and solicited public submissions by 29 November 2020.  This wholesale review may update main provisions of the Privacy Act 1988, such as increasing maximum civil penalties, creating a binding privacy code for social media platforms, strengthening notification and consent requirements, modifying international data transfers, and expanding the definition of personal information.  The government plans to issue a discussion paper seeking specific feedback on preliminary outcomes and possible areas of reform in early 2021.

B. China

1. New Developments in Chinese Legislation

The most significant legislative framework in China for the protection of personal data is the Cybersecurity Law (“Cybersecurity Law”) which came into effect on 1 June 2017.  Two additional laws were introduced into the pipeline in 2020: the Draft Personal Information Protection Law[101] (“Draft PIPL”); and the Draft Data Security Law (“Draft DSL”).  Once adopted, the combination of these three legal instruments (the Cybersecurity Law, the Draft Data Security Law and the Draft PIPL) are expected to become the fundamental laws in the field of cybersecurity and data protection in China.

The Draft PIPL is intended to be a general data protection law, which could harmonise the current fragmented legislative framework.  However, even after the adoption of the Draft PIPL, personal information protection in China would remain sector based.

The Draft PIPL was partially inspired by the GDPR, but it has important differences that prevent a common cross-border approach (e.g., regarding the legal grounds for data processing, there is no legal basis of legitimate interest of the controller).  Using a single privacy framework for EU and Chinese companies would consequently not result in adequate compliance.

The Draft PIPL introduces substantial new fines.  For example, data processors are subject to fines of RMB 50 million (approx. €8 million, or $7.4 million), or 5% of the company’s revenue from the previous year.[102] In addition, the Cyberspace Administration of China would also have the competence to blacklist organisations and individuals for misusing data subjects’ data.[103]

On 18 November 2020, the Centre for Information Policy Leadership (“CIPL”) submitted recommendations on possible modifications of the Draft PIPL in order to ensure the protection of China’s citizens, businesses and government data,[104] including the following:

  • The Draft PIPL includes definitions for sensitive personal information,[105] including biometric, financial, ethnic and religious information.  The CIPL suggested a risk-based approach to assess personal data processing, rather than providing categories of predefined “sensitive information”.
  • According to the CIPL, exemptions should be provided to the general requirement to appoint data protection officers and representatives, in line with other foreign privacy laws like the GDPR.
  • The Draft PIPL should explain further what conditions or factors are required to satisfy the Cyberspace Administration’s security assessment for cross-border transfers of personal data.
  • The Draft PIPL should clarify what constitutes a “serious” unlawful act.
  • Finally, the CIPL recommended that organisations be afforded a two-year grace period from the date that the Draft PIPL is passed, to be fully compliant.

The other major legislative proposal, the Draft DSL, is intended to provide the fundamental rules of data security for both personal and non-personal data.  The intended scope of application of the Draft DSL is broad, applying to “activities” (actions including collection, storage, processing, use, supply, trade and publishing) regarding “data” (any record of information in electronic or non-electronic form).

Finally, on 1 January 2021 the Civil Code of the People’s Republic of China entered into force, adopted by the third session of the 13th NPC.  The Civil Code applies to all businesses in general (without distinguishing among controllers and processors), and introduces rules for the protection of personal information, including its collection, use, disclosure, and processing.

2. Enforcement of Chinese Data Protection and Cybersecurity Legislation

In August 2020, the China Banking and Insurance Regulatory Commission (“CBIRC”) issued two separate fines of RMB 1 million ($150,000) on two banks.[106]  In both cases the banks were fined for failures to provide protection to personal data of credit card customers.

C.  Hong Kong SAR

On June 30, 2020, the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region (the “NSL”) passed by the Standing Committee of the National People’s Congress of the People’s Republic of China (the “PRC”) became effective in Hong Kong.  The NSL empowers law enforcement authorities to search electronic devices and premises that may contain evidence of related offenses and carry out covert surveillance upon approval of the Chief Executive; criminalizes acts of terrorism, subversion, secession, or collusion with foreign or external forces to endanger national security; and holds incorporated or unincorporated entities accountable for violations of the NSL.

Furthermore, the Committee for Safeguarding National Security (the “Committee”), which consists of specified Hong Kong officials and an advisor appointed by the Central People’s Government of the PRC (the “CPR”), is established pursuant to the NSL and assumes various duties including formulating work plans and policies, advancing the enforcement mechanisms and coordinating significant operations for safeguarding national security in Hong Kong.  Decisions made by the Committee are not subject to judicial review.

The Office for Safeguarding National Security of the CPG (the “Office”) may in specified circumstances assume jurisdiction over serious or complex cases which would be difficult or ineffective for Hong Kong to handle in light of, for example, involvement of a foreign country or external elements. Such cases shall be investigated by the Office and, upon prosecution by a body designated by the Supreme People’s Procuratorate, adjudicated by a court designated by the Supreme People’s Court of the PRC.

The NSL applies not only to offenses committed or having consequences in Hong Kong by any person or entity, but also offenses committed from outside Hong Kong against Hong Kong by any person or entity.

D.  India

1. Legislative initiatives

As indicated in the 2020 International Outlook and Review, the Personal Data Protection Bill 2019 (“PDP Bill”) was introduced in Parliament on 11 December 2019 adapted from the draft data protection legislation presented to the Ministry of Electronics and Information Technology on 27 July 2018[107], by the committee of experts led by Justice Srikrishna.  Thereafter the PDP Bill was referred to a Joint Parliamentary Committee for its review.  As of January 2021, the PDP Bill is in its final stages of deliberation and is expected to be promulgated soon.  Several industry bodies and stakeholders were asked to depose before the Joint Parliamentary Committee for their views on the amendments made in the PDP Bill and the desired requisites of a national data protection law.  Until the PDP Bill is enacted, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, continue to govern data protection in India.

In September 2019, the Ministry of Electronics and Information Technology constituted a committee of experts (“Committee”) to devise a framework for the regulation of non-personal data.  Ultimately, on 12 July 2020, the Committee released a Report on Non-Personal Data Governance Framework (“NPD Framework”)[108], where it emphasised that the regulation of non-personal data is necessary to incentivise innovation, create value from data sharing, address privacy concerns, and prevent harm.  The NPD Framework was met with criticism for the imposition of compulsory data sharing obligations and onerous compliance requirements on entities collecting and managing non-personal data.  After reviewing feedback from public and stakeholders, the Committee released a revised version of the NPD Framework on 1 January 2021, wherein the Committee provided several clarifications to the earlier draft and streamlined the jurisdictions of the PDP Bill and the NPD Framework.  The NPD Framework is still under public consultation and is yet to be presented before the Parliament as a bill for the promulgation of a single national-level regulation to establish rights over non-personal data collected and created in India.

In August 2020, the Government of India also proposed a data-sharing framework in the fintech sector.  The National Institution for Transforming India (“NITI Aayog”) released a draft framework on the Data Empowerment and Protection Architecture[109] which will be implemented by the four government regulators: the Reserve Bank of India, the Securities and Exchange Board of India, the Insurance Regulatory and Development Authority, and the Pension Fund Regulatory and Development Authority, and the Ministry of Finance.  The draft aims to institute a mechanism for secure consent-based data sharing in the fintech sector, which may be an important step towards empowering individuals in relation to their personal data.  The draft aims to enable individuals to share their financial data across banks, insurers, lenders, mutual fund houses, investors, tax collectors, and pension funds in a secure manner.

In August 2020, the Government of India also launched the National Digital Health Mission (“NDHM”), a visionary project which intends to digitise the entire health care ecosystem of India.  The National Health Data Management Policy, 2020[110] came into force on 15 December, 2020, and is the first step in realising the NDHM’s guiding principle of “security and privacy by design” for the protection of data principals’ personal digital health data privacy.  It is intended to be a guidance document across the National Digital Health Ecosystem and sets out the minimum standard for data privacy protection for data relating to the physiological and psychological health of individuals in India.

2.  Regulatory opinions and guidance

Indian institutions have also adopted certain measures in response to the challenges resulting from the COVID-19 pandemic.  For instance, the Data Security Council of India (“DSCI”) issued the best practices on working from home in light of COVID-19[111] on 18 March, 2020.  The guidance notes, among other things, that virtual private networks should only be used on company-owned devices, employees should access company data and applications through a browser-based webpage or virtual desktop, and a risk assessment should be conducted when selecting a remote access method.  In addition, the guidance outlines a basic mandate for organisations and employees, which includes taking care of the confidentiality of valuable transactions and sensitive financial documents when working from home.

In a similar vein, the DSCI published, on 24 April 2020, its guidelines on data privacy during the COVID-19 pandemic, which highlights the privacy implications of COVID-19 for different sets of stakeholders and provides privacy and data protection practices.[112]  The guidelines address healthcare privacy considerations and note the importance of notifying patients of all information that is collected, having specific protocols in place to ensure that consent is obtained, having internal and external audit mechanisms to assess privacy measures, and using health data solely for the specific purposes of their collection.  Finally, the guidelines provide working from home considerations both for employers and employees, noting the importance of revisiting data protection strategies, data management practices, remaining compliant with regulatory obligations, conducting Data Protection Impact Assessments to ascertain privacy risks, and spreading privacy awareness and training across organisations.[113]

The DSCI also published its Report for Enabling Accountable Data Transfers from India to the United States Under India’s Proposed Personal Data Protection Bill on 8 September 2020[114] (“Report on Data Transfers”).  The purpose of the Report on Data Transfers is to make additional recommendations to the existing draft of the PDP Bill to enable free flow of data between countries, especially with the U.S. owing to the value it adds to India’s digital economy, and to provide solutions for facilitating India-US data transfers.  The Report on Data Transfers also suggests, among other things, that the PDP Bill’s provision on the creation of codes of practice should include certification requirements in order to increase interoperability between different privacy regimes as well as facilitate cross-border transfer mechanisms.

On 2 September 2020, the Artificial Intelligence Standardisation Committee for the Department of Telecommunication released its Indian AI Stack discussion paper.[115]  The Discussion Paper notes that the AI Stack will, among other things, secure storage environments that simplify archiving and extraction from data based on the data classification, ensure the protection of data through data federation, data minimisation, an open algorithm framework, defined data structures, interfaces and protocols, and monitoring, auditing, and logging, as well as ensuring the legitimacy of backend services.

3. Enforcement of data protection laws

In 2020, the Government of India adopted three decisions to block applications following information that they were engaging in activities which were prejudicial to the integrity and the national security of India.[116]

In particular, the Government had received complaints regarding the misuse of mobile application data, stealing and secretly transmitting users’ data in an unauthorised manner to servers located outside of India.  As a result, on 29 June 2020, the Government decided to disallow the use of 59 applications to safeguard the interests of Indian mobile and internet users.[117]  Similarly, on 2 September 2020[118], and 29 November, 2020,[119] the Indian Government decided to further block 118 and 43 mobile applications respectively for misusing users’ data and engaging in activities which are prejudicial to the sovereignty, integrity and defence of India, as well as the security of the state and public order.  According to the Government, the applications’ practices raised concerns relating to the fact that they were collecting and sharing data in a manner which compromised the personal data of users, posing a severe threat to the security of the State.

On 23 November 2020, the Orissa High Court delivered an important judgment emphasising the need to recognise the right to be forgotten, noting the presence of objectionable images and videos of rape victims on social media platforms.[120]  The court emphasised that the principle of purpose limitation is already embodied in law by virtue of the precedent of the Supreme Court’s judgment in K.S. Puttaswamy v. Union of India, and that capturing images and videos with the consent of the victim cannot justify the subsequent misuse of such content.  The court referred to existing case law and the PDP Bill, which provide for the right to be forgotten.  Accordingly, the court recognised the right to be forgotten as a right in rem and stressed that, in the absence of legislation, victims may nevertheless seek appropriate orders to have offensive posts erased from public platforms to ensure protection their right to privacy.

E.  Indonesia

On 24 January 2020, a draft of the Personal Data Protection Act (“PDP Bill”) was submitted to the Indonesian House of Representatives.[121]  The PDP Bill consolidates the rules related to personal data protection in Indonesia, and is anticipated to establish data sovereignty and security as the keystone of Indonesia’s data protection regime.[122]

On 1 September 2020, the Ministry of Communication and Information Technology of Indonesia (“Kominfo”) issued a statement claiming that the PDP Bill would be completed by mid-November 2020.[123]  However, it appears that the COVID-19 pandemic has led to delays in the adoption of the Bill.

Finally, on 10 March 2020, Kominfo submitted a new draft regulation on the Management of Privately Managed Electronic System Organiser (“Draft Regulation”) for approval.  The Draft Regulation is intended to serve as an implementing regulation of Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions, which, as noted in the 2020 International Outlook and Review, became effective in October 2019.

F.  Israel

On 29 November 2020, the Israeli Ministry of Justice (“MoJ”) launched a public consultation on the introduction of amendments to the Protection of Privacy Law 5741-1981.[124]  The MoJ also launched, on 23 July 2020, a public consultation on proposed amendments to privacy law database registration requirements which would reduce the scope of the obligation to register a database and amend certain definitions contained in the law.[125]

Moreover, the Privacy Protection Authority (“PPA”) published a number of reports and recommendations on a series of topics, including:

  • privacy protection in the context of epidemiological investigations,
  • security recommendations following security incidents,
  • the protection of privacy in the context of money transfers and app payments,
  • data processing and storage service providers,
  • smart transportation services,
  • digital monitoring tools for COVID-19 contact tracing,
  • GSS assistance in contact tracing,
  • recommendations in the context of the COVID-19 pandemic (e.g., remote learning, privacy for individuals entering workplaces, medical institutions privacy compliance).

Following the CJEU’s decision to annul the EU-U.S. Privacy Shield in Schrems II, the PPA issued, on 29 September 2020, a statement regarding transfers of personal information from Israel to the U.S.  In this statement, the PPA indicated that data transfers from Israel to the U.S. could no longer rely on the EU-U.S. Privacy Shield or the Transfer of Information Regulations, and that alternative exceptions provided for in Section 2 of the Regulations could only be used where applicable.  The PPA had nonetheless clarified that personal data could be transferred from Israel to EU Member States, as well as to countries which will cease to be EU Member States but will continue to apply and enforce the provisions of EU Law on the protection of personal data.[126]

On the enforcement side, in 2020 the PPA identified and investigated a number of violations, including the leak of personal data of 6.5 million Israeli voters.[127]  The PPA also offered security recommendations following the security incident at an insurance company.

G.  Japan

On 5 June 2020, the Parliament of Japan adopted a bill to amend the currently applicable general data protection law, the Act on the Protection of Personal Information (“APPI”).[128]

Under the bill, the rights of the data subjects have been expanded.  For example, if the proposed amendments to the APPI are introduced, data subjects will be entitled to request an organisation to delete their personal information, but only if certain requirements are met.  Consequently, the scope has remained narrower than the right to erasure and the right to object under the GDPR.

Regarding data retention periods, the currently applicable law provides that any data which was to be erased after six months is not considered as “retained personal data”, and therefore is not not subject to data subject requests.  The Amendments will abolish this six-month rule, and data subjects will be able to exercise their data-related rights regardless of the retention period.

Under the current applicable law, organisations should “duly make an effort” to report data breaches to the Personal Information Commission (“PIC”).  In contrast, the bill will introduce a mandatory obligation to notify data breaches, obliging organisations to report data breaches to the PIC and to notify the affected data subjects if their rights and interests are infringed.  Although this requirement is similar to the corresponding provisions in the GDPR, the latter sets a strict deadline of 72 hours for notification, while the bill requires “prompt” reporting.

The amended APPI will include the concept of “pseudonymously processed information”, which similarly to the GDPR will mean personal information that cannot be used to identify an individual unless combined with other information.  Pseudonymously processed information will not be subject to some requirements, such as requests for disclosure, utilisation, or correction.  In the event of a data breach concerning pseudonymously processed information, reporting to the PIC will not be mandatory.

One of the main goals of the bill is to address the increasing risks associated with cross-border data transfers.  Under the new provisions, data subjects should be informed about the details of any data transfer to a third party located in a foreign country.  The bill has also increased the criminal penalties, such as the penalty for violating an order of the PIC (100 million yen; approx. €800,000).  However, administrative fines will not be introduced.

The bill is expected to enter into force no later than June 2022.  The new rules will bring the APPI into closer alignment with the EU’s data protection standards and strengthen Japan’s data protection regime.

H. Malaysia

On the legislative side, on 14 February 2020, a public consultation paper was released proposing amendments to the Malaysian Personal Data Protection Act 2010, which currently regulates data protection in Malaysia.[129] If adopted, the amendments would introduce significant changes to Malaysia’s data protection regime, including: the obligatory appointment of a data protection officer, mandatory breach reporting, the introduction of civil litigation against data users, the implementation of technical and organisational measures such as data portability and privacy by design, and the broadening of the Malaysian Personal Data Protection Act’s scope to data processors.  Many of the proposed amendments have been inspired by the GDPR and aim to bring the Malaysian regime closer to EU data protection standards.

On 29 May 2020, the Department of Personal Data Protection (“PDP”) released advisory guidelines on the handling of personal data by businesses under the Conditional Movement Control Order.[130]  The advisory guidelines highlight that only names, contact numbers, and the dates and times of attendance can be collected from customers, and requires a clearly visible notice detailing the purpose of collection.  The PDP also advises that personal data should only be collected for informational purposes and must be permanently deleted six months after the Control Order is terminated.

I.  Singapore

As explained in the 2020 International Outlook and Review, Data protection in Singapore is currently governed by the Personal Data Protection Act 2012 (“Singapore PDPA”).

The Personal Data Protection Commission (“PDPC”) conducted a review of the Singapore PDPA and, on 14 May 2020, the PDPC released a joint statement with the Ministry of Communications and Information announcing the launch of an online public consultation on a bill to amend the Singapore PDPA and the Spam Control Act 2007 (“SCA”).[131]

On the basis of this, the proposed amendments to the Singapore PDPA to address Singapore’s evolving digital economy needs, and related amendments to the SCA, were passed in Parliament on 2 November 2020.[132]  The bill introduced several notable amendments, including mandatory data breach notification requirements, enabling meaningful consent where necessary and providing consumers with greater autonomy over their personal data through the incorporation of a data portability obligation.[133] Moreover, the bill strengthened the enforcement powers of the PDPC.[134]

Subsequently, on 20 November 2020, the PDPC issued the draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill (“Draft Advisory Guidelines”).[135] The Draft Advisory Guidelines provide clarifications on key provisions in the bill, covering, inter alia, the framework for the collection, use, and disclosure of personal data, mandatory breach notification requirements, financial penalties, and offences for mishandling personal data.  The Draft Advisory Guidelines will be finalised and published when the amendments to the Singapore PDPA come into effect, i.e., upon their signing and publication in the Gazette, which is expected in early 2021.

J. South Korea

In January 2020, the National Assembly of the Republic of Korea adopted amendments (“Data 3 Act”) to the Personal Information Protection Act 2011 (“PIPA”)[136] and to other main data protection laws.  The adoption of the Data 3 Act meant the implementation of a more streamlined approach to personal data protection in South Korea.  In addition, it is expected that these legislative changes will facilitate the adequacy assessment under the GDPR and the adoption of an adequacy decision from the European Commission.

The Data 3 Act aims to extend the powers of the Personal Information Protection Commission (“PIPC”), which will be the supervisory authority for any data breaches.  Data protection issues are currently handled by several different agencies, but with the entry into force of the reforms these will now be handled exclusively by the PIPC.  In addition, the PIPC will have the competence to impose fines similar to those provided under the GDPR.

The Data 3 Act introduced to the PIPA the concept of “pseudonymised information” (i.e., personal information processed in a manner that cannot be used to identify an individual unless combined with other information).  Pseudonymised information may be processed without the consent of the data subject for purposes of statistical compilation, scientific research, and record preservation for the public interest.

Finally, it should be noted that the cross-border transfer of the personal data of Korean data subjects has remained restricted as their consent is required prior to transferring their personal data abroad.

K. Thailand

As noted in the 2020 International Outlook and Review, the Personal Data Protection Act 2019 (“Thailand PDPA”), which is the first consolidated data protection law in Thailand, was originally expected to come into full effect on 27 May 2020.  However, in May 2020, the government of Thailand approved a Royal Decree to postpone the application of the Thailand PDPA until 31 May 2021, citing the negative effects of the COVID-19 pandemic as one of the main reasons for doing so.[137]

Subsequently, on 8 June 2020, the Ministry of Digital Economy and Society (“MDES”) issued a statement on the Thailand PDPA’s postponement, noting that government agencies, and private and public institutions, were not ready for the enforcement of the legislation.[138]  This was followed by a notice published by the MDES on 17 July 2020 for data controller requirements and security measures to be implemented during the postponement period of the Thailand PDPA.[139]

Reference must be made to the fact that the Thailand PDPA is largely modelled upon the GDPR, containing many similar provisions, although they differ in areas such as anonymisation.  Moreover, the Thailand PDPA provides for the creation of the Personal Data Protection Committee (“PDPC”), which is yet to be fully established.  As such, the MDES is currently acting as the supervisory authority for any data protection–related issues within Thailand.  Once created, the PDPC is expected to adopt notices and regulations to clarify and guide data controllers and other stakeholders on how to prepare for and remain compliant with the requirements under the Thailand PDPA by 27 May 2021.

L. United Arab Emirates

On 19 November 2020, the Abu Dhabi Global Market (“ADGM”)[140] announced the issuance of a public consultation on proposed new Data Protection Regulations 2020 amending the existing Data Protection Regulations 2015.[141]  The proposed draft aims at aligning the ADGM with certain international standards, especially the GDPR,[142] and introduces, amongst other things, the following elements: definitions, the principles of accountability and transparency, the processing of special categories of data, individual rights, security obligations, and the notification of data breaches.  The proposed data protection framework is aimed to have a broad scope of application, including the processing of personal data in the context of the activities of an establishment in ADGM, regardless of whether the processing takes place in ADGM.  In a similar vein, it will apply to natural persons, whatever their nationality or place of residence, excluding cases where a data controller is only connected to ADGM because it uses a data processor located inside the ADGM.  In the latter case, the Proposed Data Protection Framework would not apply to the data controller.[143]

On 1 July 2020, the Dubai International Financial Centre (the “DIFC”) published the Data Protection Regulations, which entered into effect on the same date with the Data Protection Law No. 5 of 2020.[144]  In particular, the Regulations comprise provisions regarding, in particular, the content and format to be followed by personal data processing records, activities requiring data processing notifications to the Data Protection Commissioner, conditions to transfer data outside of the DIFC, and fines.  Moreover, in September 2020, the DIFC became a fully accredited member of the Global Privacy Assembly (“GPA”).[145]

M. Other Developments in Africa

Data protection authorities in Africa have generally been monitoring compliance with data protection requirements, especially in the context of the COVID-19 pandemic.  Moreover, Nigeria and other African nations have developed a framework that aims to harmonise laws on data protection and the digital economy.[146]

Egypt: On 17 July 2020, Resolution No. 151 of 2020 (“Egypt Data Protection Law”) was approved and published in the official gazette, and within three months it came into force.[147]  The Egypt Data Protection Law governs the processing of personal data carried out electronically, in part or in full, and gives to data subjects’ rights in relation to the processing of personal data.  The key elements that the law provides for are the following:

  • consent is the main legal basis for the processing of personal data;
  • conditions and principles for data processing must be respected;
  • the Centre for the Protection of Personal Data is the regulatory body aiming to maintain compliance with the Egypt Data Protection Law; and
  • activities covered include the processing of sensitive personal data, cross-border transfers, electronic direct marketing practices, monetary penalties and criminal sanctions for violations of the Egypt Data Protection Law itself.

Kenya:[148] The Information Technology Industry Council (“ITI”) announced, on 28 April 2020, that it had submitted comments to the Office of the U.S.  Trade Representative on the U.S. and Republic of Kenya Trade Agreement negotiations.  These comments include measures that should ensure protection of personal data by taking into account best international practices for privacy and interoperability, strengthen regulatory practices in emerging technologies such as artificial intelligence and machine learning, and promote risk-based cybersecurity and vulnerability disclosure in alignment with international standards.[149]  The formal negotiations were launched in July 2020.[150]

Namibia: Namibia has not yet enacted a comprehensive data protection legislation.  On 24 February 2020, the Council of Europe organised, in coordination with Namibia’s Ministry of Information and Communication Technology, a two-day stakeholders’ consultation workshop on a draft data protection bill for Namibia.[151]  A draft of the bill is expected to be published in 2021.

Nigeria: In Nigeria, data privacy is currently protected by a comprehensive data protection regime comprising a variety of laws, regulations, and guidelines.  As underlined in a statement, issued on 27 January 2020 by the National Information Technology Development Agency (“NITDA”), the Nigeria Data Protection Regulation concerns the use, collection, storage or transfer of personal data and intends to provide a clear framework for data protection in Nigeria.  However, pursuant to the Nigerian Communications Commission, appropriate legal instruments must be put in place in order in order to strengthen cybersecurity.[152]

The NITDA issued, on 17 May 2020, its Guidelines for Management of Personal Data by Public Institutions in Nigeria.[153] On 20 August 2020, the NITDA had published the Draft Data Protection Bill 2020 for public comments.  The Draft Bill aims primarily to promote a code of practice that ensures the protection of personal data and its lawful, fair and transparent process in accordance with the principles set out in the Draft Bill while taking into account the legitimate interests of commercial organisations as well as government security agencies.  In addition, the Draft Bill provides for a Data Protection Commissioner, an impartial, independent and effective regulatory authority.

South Africa:[154] In 2013, the Protection of Personal Information Act (“POPIA”) was signed into law by the President of South Africa and the Information Regulator was established as the supervisory authority.  In June 2020, the President announced that certain essential remaining sections of POPIA would commence to apply on 1 July 2020 and that, following a 12-month transition period, public and private bodies would need to comply from 30 June 2021.

In addition, on 3 April 2020, the South African Regulator published a guidance note on processing personal information during the Coronavirus pandemic encouraging proactive compliance by responsible parties when processing personal information belonging to COVID-19 cases and their contacts.[155]

Togo: On 9 December 2020, the National Assembly announced that it had adopted a draft decree on the organisation and functioning of the body for the protection of personal data, the IPDCP, which will have a power of investigation and enforcement in order to support the government’s policy on personal data protection.[156]

Rwanda: A final draft of the data protection bill was approved and published on 27 October 2020 by the Office of the Prime Minister of the Republic of Rwanda.[157] The Bill includes provisions on data subject rights, general rules for data collection and processing, and procedures for data activities, such as transfers, sharing and retention.[158] Moreover, the Ministry of ICT and Innovation (MINICT) published, on 5 May 2020, COVID-19 guidelines addressing cybersecurity measures.[159]

N.  Other Developments in the Middle East

Whereas data protection was mainly provided for in sectoral regulations, privacy laws are progressively emerging across the region.

Oman: On 12 July 2020, the State Council of the Sultanate of Oman announced that it had held discussions on the draft law on the protection of personal data, which comprises in particular provisions regarding the role of the Ministry of Technology and Communications, the responsibility to protect the rights of personal data owners, and the obligations of controllers and processors, as well as the applicable sanctions.[160]  The State Council also announced on 10 September 2020 that it had discussed a draft law of a new legislation dealing with cybersecurity.  The Technology and Innovation Committee of the State Council had approved in part the content of the draft law.

Pakistan: Data protection is still governed through sectoral legislation.  However, the Ministry of Information Technology and Telecommunication (“MOITT”) finalised the draft Personal Data Protection Bill 2020 which was presented to the Cabinet of Pakistan for approval.[161]  The bill, which was introduced in April 2020, provides for the general requirements for personal data collection and processing and contains several similar provisions to those found within GDPR, but is silent regarding the right to data portability and does not require data controllers to notify data subjects of data breaches.  In addition, the MOITT adopted, on 18 November 2020, social media rules setting measures and obligations applicable to social media and internet providers in order to prevent unlawful online content and to protect national security.[162]

O.  Other Developments in Southeast Asia

Throughout 2020, developments related to the data protection and cybersecurity landscape occurred in certain other jurisdictions in the south-eastern subregion of Asia, including the following:

Cambodia: While the country does not have a general personal data protection law or a data protection authority, there have been recent legislative developments addressing relevant areas.  In particular, a draft cybercrime law is currently being prepared that would regulate Cambodia’s cyberspace and security, aiming to prevent and combat cyber-related crimes.

Philippines: On 9 March 2020, the APEC Cross-Border Privacy Rules (“CBPR”) system Joint Oversight Panel approved the Philippines’ application to join the APEC CBPR system.  As such, the Philippines becomes the ninth APEC economy to join the CBPR system.

The institutions in the Philippines have been particularly active in formulating data protection measures and statements to address issues relating to the collection and processing of data in the wake of the COVID-19 pandemic.  On 1 June 2020, the Philippines created a task force in order to drive practical responses to privacy issues emerging from the pandemic.

Vietnam: The data protection framework in Vietnam was fragmented, and relevant provisions can be found in numerous laws.  In 2020, the government of Vietnam issued Decree No. 15/2020/ND-CP, providing for regulations on penalties for administrative offences in the sectors of post, telecommunication, radio frequency, information technology, and electronic transactions, which is in effect as of 15 April 2020.  In February 2020, however, a draft personal data protection decree was released, which has already undergone public consultation.  The draft decree sets out principles of data protection, including purpose limitation, data security, data subject rights, and the regulation of cross-border data transfers.  Moreover, the draft decree contains provisions on obtaining consent of data subjects, the technical measures needed to protect personal data, and the creation of a data protection authority.

IV. Developments in Latin America and in the Caribbean Area

A.  Brazil

The biggest data protection development in Brazil in 2020 was the entry into force of Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law[163] (as amended by Law No. 13.853[164] of 8 July 2019) (“LGPD”) on 18 September 2020.  The specific enforcement provisions of the LGPD are expected to enter into force on 1 August 2021, further to an additional law passed in June 2020.

Compared to the EU’s GDPR, the LGPD shows both differences and similarities.  The definitions of “personal data” are very similar in both instruments, both having the goal of assuring a high level of protection for any “information related to an identified or identifiable natural person”.  Thus, anonymised data falls expressly out of scope in the two jurisdictions, with a caveat on the Brazilian side existing in the sense that if anonymised data is used to create or enhance the behavioural profiling of a natural person, it may also be deemed as personal data, provided that the impacted person can be identified in the process.

Both legislations apply to the processing of personal data carried out by both public and private entities, online and offline.  As for the territorial scope, the rules apply to organisations that are physically present in the EU and Brazil as well as to organisations that, although not located in those states/regions, may offer goods or services there.  When it comes to the handling of sensitive data, the LGPD sets forth a narrower list of legal grounds that can be elected to legitimise the processing of such data, such as the necessity to comply with a legal obligation, to protect the life and physical safety of the subject or a third party, for the exercise of rights in contractual or judicial proceedings and for the prevention of fraud.

The LGPD offers ten legal grounds for processing of personal data, which are comparable to the ones provided in the GDPR.  In addition, the LGPD offers four additional grounds that may authorise the processing of personal data, namely for the conduction of studies of research bodies, for the exercise of rights in judicial, administrative, and arbitral proceedings, for the protection of health in procedures conducted by health professionals and health entities, and for the protection of credit.

Both the LGPD and the GDPR expressly provide for a set of rights granted to data subjects with respect to their personal data.  Both norms recognise individuals’ right of access to their personal data, right to be informed of processing activities based on their personal data, and rights of rectification and erasure.  Although the rights prescribed in both pieces of legislation are fairly similar, it could be argued that the major element that sets both norms apart are the timeframes for responding to data subject requests.  While on the European side organisations must generally respond to requests within one month of the receipt of a request, the LGPD is limited to a 15-day period for complying with access requests, while requests for the exercise of other rights should be responded to immediately.

The role of data protection officers (“DPOs”) is fairly similar under both legislations.  DPOs are legally tasked with acting as a point of contact between the organisation they represent, the supervisory authorities, and data subjects, as well as advising and orienting the organisation they represent with regard to its data protection obligations.  There are, however, two major differences between the Brazilian and the EU rules concerning the position of DPOs.  The first one is that the GDPR expressly specifies instances where an organisation is required to appoint a DPO, while the LGPD makes no such limitation, thus obliging virtually every organisation subject to its scope to appoint one.  The second difference is that, while the GDPR establishes the need for DPOs to be independent within the organisational structure of their organisations and also to be provided with monetary and human resources to fulfil their tasks, the LGPD does not provide such express guidance.

A significant difference between the two instruments is their enforcement.  The legal structure of the Brazilian supervisory authority lacks some traits of independence and autonomy when compared to the structure provided for under the GDPR.  However, the LGPD has introduced a number of sanctions that can be imposed by the ANPD, such as public disclosure of a violation, erasure of personal data relating to a violation, and even a temporary suspension of data processing activities.  The entry into force of the provisions of the LGPD governing administrative sanctions has been deferred to 1 August 2021.

On 23 September 2020, Bill 4695/2020,[165] seeking to protect the personal information of students when using distance learning platforms, was introduced.  The bill would require distance learning platforms to follow data processing requirements provided by the LGPD and to, whenever possible, use the technology without collecting and sharing personal and sensitive data, revealing racial origin, religious or political beliefs, or genetics of the users.  Furthermore, the bill requires that processing of personal data can only take place when prior and express consent has been obtained.

Finally, on 18 December 2020, the National Telecommunications Agency (“Anatel”) approved the Cybersecurity Regulation[166] applied to the telecommunications sector.  The regulation is intended to promote cybersecurity in telecommunications networks and services and support ongoing supervision of the market, infrastructures, and the adoption of proportional corrective measures.  Moreover, the regulation imposes an obligation on telecommunication providers to develop, maintain and implement a detailed cybersecurity policy, which must include, inter alia, national and international norms, best practices, risk mapping, incident response time and sharing and sending information to Anatel.  The regulation came into force on 4 January 2021.

B. Other Developments in South America

1.  Argentina

On 28 January 2020, The Argentinian data protection authority (“AAIP”) issued a resolution[167] against a telecommunication company for violations of Law No. 26.951 (“DNC Law”).[168]  In particular, the AAIP issued a fine of ARS 3,000,000 (approx. €45,000) for 248 charges relating to violations of Article 7 of the DNC Law, which provides that those who advertise, offer, sell or give away goods or services by means of telephone communications may not address any individual who is registered in the “Do Not Call” registry.

On 6 June 2020, the AAIP imposed a fine[169] of ARS 280,000 (approx. €3,770) against a tech company for violations of the Personal Data Protection Act No. 25.326 of 2000.  In particular, the AAIP found that the company did not allow a user to access their personal data in their email account and related applications after changes to their passwords were made by an un-authorised third party.

2.  Chile

On 1 June 2020, the Chilean Transparency Council (“CPLT”) announced that an audit of 12,000 purchase orders made by 86 organisations in the health sector had revealed some disclosures of sensitive personal data of patients without their express consent.[170]  Moreover, the CPLT highlighted that in some cases the data had even been made public through online platforms.  To remedy that, the CPLT has offered technical support to the Chilean Ministry of Health.[171]

3.  Colombia

On 26 November 2020, the Colombian data protection authority (“SIC”) announced that it had issued an order[172] requiring a videoconference service provider (with no physical presence in Colombia) to implement new measures guaranteeing the security of personal data of its users in Colombia.  SIC emphasised that the measures should be effective and meet the standards of data security required under the Colombian Data Protection Law, and required the company to provide a certificate issued by an independent data security expert.  SIC’s order raise significant jurisdictional question, since the Colombian Data Protection Law does not apply to processing that occurs outside of Colombia (and there was no allegation that any processing in violation of the Law occurred in Colombia).).[172a]

Through 2020, SIC also imposed a number of fines on various companies for non-compliance with data protection rules.  Some of the biggest and most notorious fines were imposed on a health company[173] and on financial institutions[174]

4.  Mexico

Since the beginning of the COVID-19 pandemic, the Mexican data protection authority, the National Institute of Transparency, Access to Information and Data Protection (“INAI”) began a series of actions to provide information to the general public on how to protect their personal data and the guidelines for data controllers on how to process personal and sensitive personal data.

Among these actions, it became imperative to announce to health-related data controllers, public and private hospitals, to comply with their legal obligations as per the Mexican data protection laws, on how to process personal data of patients diagnosed with COVID-19.  This was especially the case because Mexican data protection laws consider health-related data to be sensitive and thus require stronger security measures.

One of the first actions by the Mexican data protection authority was that, on 29 March, 2020, it launched a COVID-19 microsite[175] dedicated specifically to provide useful information and guidelines to protect personal data and provide transparency during the pandemic.  This microsite has been a useful tool for both data subjects and data controllers to handle personal data processed as a result of the COVID-19 pandemic.

On 2 April 2020, the INAI released a statement calling for the adoption of extreme precautions with regard to personal data of COVID-19 patients.[176]  Medical personnel handling such data must use strict administrative, physical and technical safeguards to avoid any loss, destruction of improper use.  The INAI also recommended that only minimum necessary personal data is collected, and only for purposes of preventing and containing the spread of the virus.  This communication also speaks of the responsibility that all data processors bear when handling personal data.

As the pandemic grew, on 13 July 2020, the INAI expressed its concerns on the deficiencies of the health sector in the processing of personal data of COVID-19 patients.  Francisco Javier Acuña Llamas, the then President Commissioner of INAI, noted that data bases that contain COVID-19 patients must be kept for a specific period of time and not indefinitely.  He established that all data transferences of sensitive personal data should be under the specificities of the Mexican data protection laws.  He also recognised that the Global Privacy Assembly, to be held in Mexico in 2021, should have at its core a discussion of the impact of the pandemic.[177]

The pandemic brought a series of events that had not been taken into consideration on a regular basis, because of the pandemic many companies allowed their employees to work from home.  Because of this development, on 8 April 2020, the INAI issued recommendations for the protection of personal data in a home office environment.  These guidelines highlighted the need to implement security measures that included only using computer equipment provided by the employer, not using public connections, using only official communication sites to share information, and using passwords on all equipment used at home for work-related activities.[178]

In Mexico this brought legislative changes to the Federal Labor Law[179] that now establishes how work from home is to be regulated.  These modifications to the law establish both the employers and employees’ obligations when working from home.  This comes to show how, due to the COVID-19 pandemic, a new normality is underway and will be here to stay.

This pandemic is far from over and it poses a challenge not only to the processing of sensitive personal data, but also to the implementation of health check points in every public space or while working from home.  It has changed the way organisations protect their information from any loss or improper access putting cybersecurity at the forefront for any organisation.  It has changed the way organisations interact with clients and how products or services are purchased, turning evermore to an online commerce activity.  This will bring challenges not only regarding companies’ operations, but also how companies collect and process a data subjects’ information.

5.  Uruguay

On 21 February 2020, the Council of Ministers adopted Decree No.64/020 on the Regulation of Articles 37-40 of Law No. 19.670 of 15 October 2018 and Article 12 of Law No. 18.331 of 8 November 2008.[180]

The Decree regulates new personal data protection obligations with major changes, including requiring all database owners and data controllers to report security incidents involving personal data to the Uruguayan data protection authority within a maximum of 72 hours.  Reports must contain relevant information relating to the security incident, including the actual or estimated date of the breach, the nature of the personal data affected and possible impacts of the breach.

The Decree establishes the obligation to assess the impact of a breach when data processing involves specially protected data, large volumes of personal data (i.e., data of over 35,000 persons) and international data transfers to countries not offering an adequate level of protection.  The Decree obliges public entities, and private entities that focus on the processing of sensitive personal data or of large volumes of data, to appoint a data protection officer.


[10]  See, e.g., https://www.enisa.europa.eu/news/executive-news/top-tips-for-cybersecurity-when-working-remotely.  On 15 March 2020, the Director of the ENISA shared some views on teleworking conditions during COVID-19.  The Director recommended that individuals work with a secure Wi-Fi connection and have up-to-date security software, regularly update their anti-virus systems and make periodic backups.  Employers should also provide regular feedback to their employees on the procedures to follow in case of problems.

[51]  The adequacy decisions adopted by the European Commission currently cover Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland and Uruguay.

[53]  See Schedule 21 of the Data Protection Act 2018, as enacted by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

[59] The Statistics are (in Russian) available athttps://rkn.gov.ru/news/rsoc/news71528.htm.

[60] Press release (in Russian) available athttps://rkn.gov.ru/news/rsoc/news71612.htm.  For more information in English seehttps://www.reuters.com/article/us-russia-protonmail-idUSKBN1ZS1K8.

[61] Press release (in Russian) available athttps://rkn.gov.ru/news/rsoc/news72026.htm.

[62] Press release (in Russian) available athttps://rkn.gov.ru/news/rsoc/news73050.htm.  For more information (in English) seehttps://www.ft.com/content/b1e76905-29f2-4ac0-99e0-7af07cef280d.  For more information see the 2020 Privacy and Cybersecurity International Review and Outlook.

[70] The Russian laws define the notion of illegal content broadly.  Inter alia, illegal content is materials containing public calls for terrorist activities or publicly justifying terrorism, other extremist materials, as well as materials promoting pornography, the cult of violence and cruelty, and materials containing obscene language.

[72] See Revised FADP, Article 3.

[73] See Revised FADP, Article 5(a).

[74] See Revised FADP, Article 5(c).

[75] See Revised FADP, Article 5(f).

[76] See Revised FADP, Article 5(j) and (k).

[77] See Revised FADP, Article 7.

[78] See Revised FADP, Article 9(3).

[79] See Revised FADP, Article 12.

[80] See Revised FADP, Article 14.

[81] See Revised FADP, Article 19.

[82] See Revised FADP, Article 21.

[83] See Revised FADP, Article 22.

[84] See Revised FADP, Article 24.

[85] See Revised FADP, Article 28.

[86] See Revised FADP, Articles 60-63.

[88] Judgment of the Court of 16 July 2020 in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, available athttp://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=rst&part=1&cid=9791227.

[93] Full decision (in Turkish) available athttps://kvkk.gov.tr/Icerik/6776/2020-481.

[97] Full text of the Decision (in Turkish) available athttps://kvkk.gov.tr/Icerik/6733/2020-103.

[98] Full text of the Decision (in Turkish) available athttps://kvkk.gov.tr/Icerik/6790/2020-559.

[99] Full text of the Decision (in Turkish) available athttps://www.kvkk.gov.tr/Icerik/6763/2020-286.

[100] Full text of the Decision (in Turkish) available athttps://www.kvkk.gov.tr/Icerik/6739/2020-173.

[102] See Article 62 of the Draft PIPL.

[103] See Article 42 of the Draft PIPL.

[105] See Article 29 of the Draft PIPL.

[107] For the daft data protection legislation presented to the Ministry of Electronics and Information Technology on 27 July 2018 by the committee of experts led by Justice Srikrishna, seehttps://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.

[108] Report on Non-Personal Data Governance Framework available at https://static.mygov.in/rest/s3fs-public/mygov_159453381955063671.pdf

[109] See “Data Empowerment and Protection Architecture: A Secure Consent-Based Data Sharing Framework to Accelerate Financial Inclusion – Draft for Discussion” (August 2020), available athttps://niti.gov.in/sites/default/files/2020-09/DEPA-Book_0.pdf.

[110]        See the National Health Data Management Policy, available athttps://ndhm.gov.in/assets/uploads/NDHM%20Health%20Data%20anagement%20Policy.pdf.

[111] See DSCI, “Work from Home – Best Practices” (18 March 2020), available athttps://www.dsci.in/sites/default/files/DSCI-WorkfromHomeAdvisory-1.pdf.

[112]      See DSCI, “COVID-19: Data Privacy Outlook” (24 April 2020), available athttps://www.dsci.in/sites/default/files/DSCI_COVID19_Data_Privacy_Outlook.pdf.

[113]      See also DSCI, “Business Resiliency and Security During COVID-19” (24 May 2020), available at https://www.dsci.in/sites/default/files/Business-Resiliency-and-Security.pdf.

[114]      See DSCI, “Report on Data Transfers” (8 September 2020), available athttps://www.dsci.in/sites/default/files/documents/resource_centre/DSCI-CIPL-Accountable-Data-Transfer-Report.pdf.

[116] See “India bans 43 more mobile apps as it takes on China” Reuters (25 November 2020), available athttps://uk.reuters.com/article/uk-india-china-apps/india-bans-43-more-mobile-apps-as-it-takes-on-china-idUKKBN2841QI.

[117] The press release and a list of the apps that were blocked are available athttps://pib.gov.in/PressReleasePage.aspx?PRID=1635206#.XvoIE9L3Qpw.whatsapp.

[118] The press release and a list of the apps that were blocked are available athttps://pib.gov.in/PressReleasePage.aspx?PRID=1650669.

[119]      The press release and a list of the apps that were blocked are available athttps://www.pib.gov.in/PressReleasePage.aspx?PRID=1675335.

[120]      Case BLAPL/4592/2020 Subhranshu Rout @ Gugul v State of Odisha available at https://www.medianama.com/wp-content/uploads/display_pdf.pdf.

[126]      See “Opinion regarding cross-border transfers of personal data, from Israeli based organisations to organisations based in countries complying with the data protection legislation of the EU” (1 July 2020), available athttps://www.gov.il/en/Departments/publications/reports/personaldata_the_european_union.

[127]      See “Personal data of all 6.5 million Israeli voters is exposed” (10 February 2020), available athttps://www.nytimes.com/2020/02/10/world/middleeast/israeli-voters-leak.html.  Press release, “Data Breach at Shirbit” (1 December 2020), available athttps://www.gov.il/en/departments/news/news_shirbit.

[129] Department of Personal Data Protection, “Public Consultation Paper No. 10/2020 – Review of Personal Data Protection Act 2010 (Act 709)” (14 February 2020), available athttps://www.pdp.gov.my/jpdpv2/assets/2020/02/Public-Consultation-Paper-on-Review-of-Act-709_V4.pdfSee also a press release of 26 August 2020, where the Malaysian government announces the continued discussions on amending the Personal Data Protection Act 2010 (in Malay), available athttps://www.kkmm.gov.my/awam/berita-terkini/17616-bernama-26-ogos-2020-kerajaan-masih-bincang-keperluan-pinda-akta-perlindungan-data-peribadi.

[130] Advisory guidelines (in Malay) available athttps://www.kkmm.gov.my/images/AdHoc/200529-ADVISORY.pdf.

[131] See “MCI and PDPC launch online public consultation on Personal Data Protection (Amendment) Bill 2020”, Press Release (14 May 2020), available athttps://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/5/MCI-and-PDPC-launch-online-public-consultation-on–Personal-Data%20Protection-Amendment-Bill-2020; “Public Consultation on the Draft Personal Data Protection (Amendment) Bill” (28 May 2020), available athttps://www.mci.gov.sg/public-consultations/public-consultation-items/public-consultation-on-the-draft-personal-data-protection-amendment-bill.

[132] See Bill No. 37/2020 Personal Data Protection (Amendment) Bill, available athttps://www.parliament.gov.sg/docs/default-source/default-document-library/personal-data-protection-(amendment)-bill-37-2020.pdf; Ministry of Communications and Information, “Amendments to the Personal Data Protection Act and Spam Control Act Passed”, Press Release (2 November 2020), available athttps://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/amendments-to-the-personal-data-protection-act-and-spam-control-act-passed.

[133] See “Opening Speech by Mr S Iswaran, Minister for Communications and Information, at the Second Reading of the Personal Data Protection (Amendment) Bill 2020 on 2 November 2020” (2 November 2020), available athttps://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/opening-speech-by-minister-iswaran-at-the-second-reading-of-pdp-(amendment)-bill-2020.

[134] See “Amendments to the Personal Data Protection Act and Spam Control Act Passed”, Press Release (2 November 2020), available athttps://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/amendments-to-the-personal-data-protection-act-and-spam-control-act-passed.

[135] See PDPC, “Draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill” (20 November 2020), available athttps://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Draft-AG-on-Key-Provisions/Draft-Advisory-Guidelines-on-Key-Provisions-of-the-PDP-(Amendment)-Bill-(20-Nov-2020).pdf?la=en.

[140]      The AGDM is a financial free zone within the UAE.

[141]      See “Abu Dhabi Global Market Launches Public Consultation on New Data Protection Regulatory Framework” by Natasha G. Kohne, Jenny Arlington, Sahar Abas & Mazen Baddar, GDPR, International Privacy (7 December 2020), available at https://www.akingump.com/en/experience/practices/cybersecurity-privacy-and-data-protection/ag-data-dive/abu-dhabi-global-market-launches-public-consultation-on-new-data-protection-regulatory-framework.html.

[142]      See “ADGM commences Public Consultation on proposed new Data Protection Regulations” (19 November 2020), available athttps://www.adgm.com/media/announcements/adgm-commences-public-consultation-on-proposed-new-data-protection-regulations.

[143]      This explanation is taken from Data Guidance – AGDM.

[144]      See Data Protection Regulations, available athttps://www.difc.ae/files/9315/9358/7756/Data_Protection_Regulations_2020.pdf and Data Protection Law No. 5 of 2020, available athttps://www.difc.ae/files/6215/9056/5113/Data_Protection_Law_DIFC_Law_No._5_of_2020.pdf.

[145]      For the full list of accredited GPA members, see https://globalprivacyassembly.org/participation-in-the-assembly/list-of-accredited-members/.

[146]                 See “Africa to harmonise laws for data protection, digital economy” by Gloria Nwafor, Guardian (8 October 2020), https://guardian.ng/appointments/africa-to-harmonise-laws-for-data-protection-digital-economy/?_sm_au_=iVV7MH8JqKDPF0RFFcVTvKQkcK8MG.

[147]      See “Sisi endorses law on personal data protection”, Egypt Today (18 July 2020), available athttps://www.egypttoday.com/Article/1/89794/Sisi-endorses-law-on-personal-data-protection.

[148]      Kenya’s high court ruled that the country’s new digital ID scheme could continue with some conditions and stronger regulations.  The court banned the collection of DNA and geolocation data, See “Court orders safeguards for Kenyan digital IDs, bans DNA collecting“, by Humphrey Malalo, Omar Mohammed, (31 January 2020),  available athttps://www.reuters.com/article/us-kenya-rights/court-orders-safeguards-for-kenyan-digital-ids-bans-dna-collecting-idUSKBN1ZU23D

[149]      See “ITI Comments on the U.S.-Kenya Trade Agreement Negotiation” (27 April 2020), https://www.itic.org/policy/ITIUS-KenyaFTAComments_27APR2020_FINAL.pdf and “ITI: U.S.-Kenya Trade Agreement Can Set New Global Benchmark for Digital Trade” (28 April 2020), available athttps://www.itic.org/news-events/news-releases/iti-u-s-kenya-trade-agreement-can-set-new-global-benchmark-for-digital-trade.

[150]      See “Joint Statement Between the United States and Kenya on the Launch of Negotiations Towards a Free Trade Agreement” (7 August 2020), available athttps://ustr.gov/node/10204.

[152]      See “Pantami Reiterates FG’s Commitment to Strengthening Cybersecurity” (14 April 2020), available athttps://www.ncc.gov.ng/media-centre/news-headlines/783-pantami-reiterates-fg-s-commitment-to-strengthening-cybersecurity.

[154]      See “Annual Report for the 2019/2020 Financial Year”, available athttps://www.justice.gov.za/inforeg/docs/anr/ANR-2019-2020-InformantionRegulatorSA.pdf and “South Africa must implement privacy laws to protect citizens, says UN expert” (12 March 2020), available athttps://mg.co.za/article/2020-03-12-south-africa-must-implement-privacy-laws-to-protect-citizens-says-un-expert/.  Moreover, two significant incidents were reported: Experian South Africa announced a data incident affecting 24 million South Africans and 793,749 businesses, see “Experian South Africa curtails data incident” (19 August 2020), available athttps://www.experian.co.za/content/dam/marketing/emea/soafrica/za/assets/experian-south-africa-statement-19082020.pdf.  Nedbank announced a data incident concerning 1.7 million clients, see “Nedbank warns clients of potential impact of data incident at Computer Facilities (Pty) Ltd”, https://www.nedbank.co.za/content/nedbank/desktop/gt/en/info/campaigns/nedbank-warns-clients.html.

[155]      See “Guidance Note on the Processing of Personal Information in the Management and Containment of COVID-19 Pandemic in terms of the Protection of Personal Information Act 4 of 2013 (POPIA),” available athttps://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-PPI-Covid19-20200403.pdf and Press Release (3 April 2020), available athttps://www.justice.gov.za/inforeg/docs/ms-20200403-GuidanceNote-PPI-Covid19.pdf.

[156]      See “Conseil des ministres: un projet de décret sur la protection des données à caractère personnel adopté” (9 December 2020), available athttps://presidence.gouv.tg/2020/12/09/conseil-des-ministres-un-projet-de-decret-sur-la-protection-des-donnees-a-caractere-personnel-adopte/.

[159]      See Cybersecurity Regulation n˚ 010/r/cr-csi/rura/020 of 29/05/2020, available athttps://rura.rw/fileadmin/Documents/ICT/Laws/Cybersecurity_Regulation_in_Rwanda.pdf.

[160]      See “Oman: Latest developments in data protection and cybersecurity,” Alice Gravenor, PWC-Middle East (19 November 2020), available athttps://www.pwc.com/m1/en/media-centre/articles/oman-latest-developments-data-protection-cybersecurity.html.

[161]      See Draft Personal Data Protection Bill (9 April 2020), available athttps://moitt.gov.pk/SiteImage/Misc/files/Personal%20Data%20Protection%20Bill%202020%20Updated(1).pdf.

[162]      See social media rules adopted (6 October 2020), available athttps://moitt.gov.pk/SiteImage/Misc/files/Corrected%20Version%20of%20Rules.pdf.

[173] The imposed fine was of COP 894,365,280 (approx. €214,524), after confirming the violation of the personal data of a data subject whose data was being processed by EPS.  Full Resolution available at https://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/1%20Apelacio%CC%81n%2018-179365%20%20EPS%20SANITAS%20VP%20F%20(1)%20(1).pdf.

[174] For the first bank, the imposed fine was of COP 702,000,000 (approx. €171,400) for including information that was not of a financial or credit nature in the credit history of 288,753 Colombians.  Full Resolution available athttps://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/SANCIO%CC%81N%20CIFIN.pdf; for the second bank, the imposed fine was of COP 269,046,492 (approx. €60,030) for violating a data subject’s right to deletion.  Full Resolution of SIC available athttps://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/19-141889%20VP.pdf; for the third bank, the imposed fine was of COP 356,070,000 (approx. €80,910) for violations of Law 1581 of 2012 and Decree 4886 of 2011.  Full decision of SIC available athttps://www.sic.gov.co/sites/default/files/files/Noticias/2019/RE10720-2020(1).pdf.

[179] Mexico’s Official Gazzete publication of January 11, 2021 that modifies section XII Bis of the Federal Labor Law available  athttp://dof.gob.mx/nota_detalle.php?codigo=5609683&fecha=11/01/2021.

[180] Decree (in Spanish) available athttps://www.impo.com.uy/bases/decretos/64-2020


The following Gibson Dunn lawyers assisted in the preparation of this article: Ahmed Baladi, Alexander Southwell, Alejandro Guerrero, Vera Lukic and Clémence Pugnet.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

Europe
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0) 20 7071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0) 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0) 20 7071 4226, pmadden@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Alejandro Guerrero – Brussels (+32 2 554 7218, aguerrero@gibsondunn.com)
Vera Lukic – Paris (+33 (0)1 56 43 13 00, vlukic@gibsondunn.com)
Sarah Wazen – London (+44 (0) 20 7071 4203, swazen@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

United States
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Matthew Benjamin – New York (+1 212-351-4079, mbenjamin@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Ashley Rogers – Dallas (+1 214-698-3316, arogers@gibsondunn.com)
Deborah L. Stein – Los Angeles (+1 213-229-7164, dstein@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, cgaedt-sheckter@gibsondunn.com)

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

We are pleased to present a comparative guide to restructuring procedures in the UK, US, DIFC, ADGM and UAE.

The easy-to-use comparative guide is organised by key aspects of the restructuring processes and compares and contrasts the selected restructuring regimes in each jurisdiction so that the reader can easily identify the differences.

The comparative guide will be particularly relevant for clients operating in the UAE who may be considering restructuring options in the current market conditions.

Comparative Guide to Restructuring Procedures in the UK, US, DIFC, ADGM and UAE


For further information, please contact the Gibson Dunn lawyer with whom you usually work, or the following authors, with any questions, thoughts or comments arising from this update.

Aly Kassam – Dubai (+971 (0) 4 318 4641, akassam@gibsondunn.com)
Scott J. Greenberg – New York (+1 212-351-5298, sgreenberg@gibsondunn.com)
David M. Feldman – New York (+1 212-351-2366, dfeldman@gibsondunn.com)
Ben Myers – London (+44 (0) 20 7071 4277, bmyers@gibsondunn.com)
Galadia Constantinou – Dubai (+971 (0) 4 318 4663, gconstantinou@gibsondunn.com)
Ashtyn Hemendinger – New York (+1 212-351-2349, ahemendinger@gibsondunn.com)

*  *  *  *  *

Gibson Dunn’s Middle East practice focuses on regional and global multijurisdictional transactions and disputes whilst also acting on matters relating to financial and investment regulation. Our lawyers, a number of whom have spent many years in the region, have the experience and expertise to handle the most complex and innovative deals and disputes across different sectors, disciplines and jurisdictions throughout the Middle East and Africa.

Our corporate team is a market leader in MENA mergers and acquisitions as well as private equity transactions, having been instructed on many of the region’s highest-profile buy-side and sell-side transactions for corporates, sovereigns and the most active regional private equity funds. In addition, we have a vibrant finance practice, representing both lenders and borrowers, covering the full range of financial products including acquisition finance, structured finance, asset-based finance and Islamic finance. We have the region’s leading fund formation practice, successfully raising capital for our clients in a difficult fundraising environment.

Our international Business Restructuring and Reorganization Practice is a leader in U.S., European, Middle East and cross-border insolvencies and workouts. Our lawyers advise companies in financial distress, their creditors and investors, and parties interested in acquiring assets from companies in distress. We also guide hedge funds, private equity firms and financial institutions investing in distressed debt and/or equity through the restructuring and bankruptcy process. The group has been widely recognized by top industry publications, including Chambers and The Guide to the World’s Leading Insolvency Lawyers. Our lawyers are committed to understanding the businesses of their clients and crafting solutions, including complex out-of-court workouts and in-court restructurings. We also advise on innovative DIP and exit financing agreements to both debtors and DIP providers.

On 15 December 2020, the Ruler of Dubai issued Decree No. (33) of 2020 which updates the law governing unfinished and cancelled real estate projects in Dubai (the “Decree”).

The Decree creates a special tribunal (the “Tribunal”) for liquidation of unfinished or cancelled real estate projects in Dubai and settlement of related rights which will replace the existing committee (the “Committee”) set up in 2013 for a similar purpose. The Tribunal will be authorised to review and settle all disputes, grievances and complaints arising from unfinished, cancelled or liquidated real estate projects in Dubai, including the disputes that remain unresolved by the Committee. The Tribunal will have wide-ranging powers, including, the ability to form subcommittees, appoint auditors and issue orders to the trustees of the real estate project’s escrow accounts in all matters related to the liquidation of unfinished or cancelled real estate projects in Dubai and determine the rights and obligations of investors and purchasers.

The Decree streamlines the process for resolving disputes, grievances and complaints relating to unfinished and/or cancelled real estate projects in Dubai by granting the Tribunal jurisdiction over all unfinished or cancelled disputes relating to real estate projects in Dubai and prohibiting all courts in Dubai, including the DIFC Courts from accepting any disputes, appeals or complaints under the jurisdiction of the Tribunal – thereby creating a more efficient route for resolution. The implementation of the Decree will be of interest to clients who have transactions related to unfinished and cancelled real estate projects in Dubai and may lead to the resolution / completion of projects that have stalled in Dubai.

The Decree also details the responsibilities and obligations of the Real Estate Regulatory Agency (“RERA”) related to supporting the Tribunal in performing its duties and responsibilities set out in the Decree. For example, RERA will be required to prepare detailed reports about unfinished and cancelled real estate projects in Dubai and provide its recommendations to the Tribunal to assist the Tribunal in settling disputes under its jurisdiction.


Gibson Dunn’s Middle East practice focuses on regional and global multijurisdictional transactions and disputes whilst also acting on matters relating to financial and investment regulation. Our lawyers, a number of whom have spent many years in the region, have the experience and expertise to handle the most complex and innovative deals and disputes across different sectors, disciplines and jurisdictions throughout the Middle East and Africa.

Our corporate team is a market leader in MENA mergers and acquisitions as well as private equity transactions, having been instructed on many of the region’s highest-profile buy-side and sell-side transactions for corporates, sovereigns and the most active regional private equity funds. In addition, we have a vibrant finance practice, representing both lenders and borrowers, covering the full range of financial products including acquisition finance, structured finance, asset-based finance and Islamic finance. We have the region’s leading fund formation practice, successfully raising capital for our clients in a difficult fundraising environment.

For further information, please contact the Gibson Dunn lawyer with whom you usually work, or the following authors in the firm’s Dubai office, with any questions, thoughts or comments arising from this update.

Aly Kassam (+971 (0) 4 318 4641, akassam@gibsondunn.com)

Galadia Constantinou (+971 (0) 4 318 4663, gconstantinou@gibsondunn.com)

© 2020 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

 

On 23 November 2020 the UAE government announced that Sheikh Khalifa bin Zayed Al Nahyan, President of the UAE, had issued a decree (the “New Decree”) amending Law No. 2 of 2015 on Commercial Companies (the “2015 Law”). The New Decree is yet to be published, but it will reportedly overhaul the foreign ownership rules in respect of commercial companies in the UAE. Under the 2015 Law (and its predecessors), foreign investors were permitted to hold up to a maximum of 49% of the shares of locally incorporated “onshore” companies, with the remaining 51% required to be held by UAE national(s).

In its latest bid to attract foreign investment and strengthen its position as an international hub, the UAE has overhauled the 2015 Law, removing the requirement for a UAE shareholder to hold at least 51% of the shares of onshore companies (other than in relation to certain strategically important sectors).

Some foreign investors and business owners have, in the past, hesitated to establish or invest in onshore companies because of such ownership restrictions. The new measures, which are expected to take effect from 1 December 2020, should facilitate making investments into and doing business in the UAE and provide flexibility for foreign business owners wishing to operate outside of free zones. In particular, the New Decree should open up UAE-based businesses to investment from international private equity houses and venture capital firms without the need to resort to complex structuring arrangements.

The New Decree builds on Federal Legislative Decree No. 19 of 2018 (the “FDI Law”) which signaled an initial shift away from the strict foreign ownership restrictions by opening up certain activities (a “positive list”) to 100% foreign ownership through an approval process. While the New Decree supersedes (and effectively cancels) the provisions of the FDI Law on foreign ownership requirements, the relaxation will not apply to ownership of state-owned entities and companies that are deemed to operate in strategically important sectors, such as, for example, oil and gas exploration, utilities and transport.

The New Decree represents a clear break from the past and we anticipate that it will strengthen the UAE’s position as a leading international financial center and lead to an increase in foreign direct investment. While the terms of the New Decree are yet to be made available, the announcement is positive and encouraging.


Gibson Dunn’s Middle East practice focuses on regional and global multijurisdictional transactions and disputes whilst also acting on matters relating to financial and investment regulation. Our lawyers, a number of whom have spent many years in the region, have the experience and expertise to handle the most complex and innovative deals and disputes across different sectors, disciplines and jurisdictions throughout the Middle East and Africa.

Our corporate team is a market leader in MENA mergers and acquisitions as well as private equity transactions, having been instructed on many of the region’s highest-profile buy-side and sell-side transactions for corporates, sovereigns and the most active regional private equity funds. In addition, we have a vibrant finance practice, representing both lenders and borrowers, covering the full range of financial products including acquisition finance, structured finance, asset-based finance and Islamic finance. We have the region’s leading fund formation practice, successfully raising capital for our clients in a difficult fundraising environment.

For further information, please contact the Gibson Dunn lawyer with whom you usually work, or the following authors in the firm’s Dubai office, with any questions, thoughts or comments arising from this update.

Hardeep Plahe (+971 (0) 4 318 4611, hplahe@gibsondunn.com)

Fraser Dawson (+971 (0) 4 318 4619, fdawson@gibsondunn.com)

Aly Kassam (+971 (0) 4 318 4641, akassam@gibsondunn.com)

© 2020 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.