ABA Releases Updated White Paper Regarding Cryptocurrencies and Digital Assets

On January 19, 2021, the American Bar Association (ABA) Derivatives and Futures Law Committee’s Innovative Digital Products and Processes Subcommittee (IDPPS) Jurisdiction Working Group released an update to its comprehensive white paper addressing jurisdictional issues associated with digital products, including cryptocurrencies and other digital assets, and digital processes, such as blockchain.[1]

The updated white paper gives an in-depth analysis of several current issues in the cryptocurrency and digital asset space that have developed since the March 2019 publication of the first white paper, including:

  • the rapid development of Stablecoins;
  • the growth of the decentralized finance movement and the increasing number of state central banks exploring the creation of virtual currencies;
  • 2020 guidance from the CFTC concerning “actual delivery” of digital assets and related litigation;
  • the SEC’s Digital Asset Framework, its first issuance of digital asset-related no-action letters, and further developments in its key enforcement actions targeting significant digital asset projects;
  • SEC staff guidance on the custody of digital asset securities under the rules applicable to broker-dealers;
  • recent case law developments in certain CFTC enforcement actions involving digital assets;
  • new developments regarding the Travel Rule’s application to virtual asset service providers;
  • FinCEN’s first assessment of civil money penalties against a peer-to-peer virtual currency exchanger; and
  • international developments, including the EU’s recent approval of the Sixth Anti-Money-Laundering Directive.

The need for this update reflects the rapid evolution of the digital asset and cryptocurrency space.  As regulators worldwide endeavor to keep pace with this ever-developing industry, it is imperative that market participants continue to keep themselves informed of the applicable legal and regulatory landscape, as detailed in this update.  Several key developments merit further discussion below, as we expect that regulators will focus on these areas in the coming years.

A. Stablecoins

Stablecoins were developed in response to the price volatility of bitcoin and other cryptocurrencies.[2]  As their name suggests, Stablecoins aim to “increase price stability,” given that their value is tied to fiat currencies, which typically are “stable and liquid.”[3]  The stability of Stablecoins should increase their market acceptance, particularly for payment purposes.[4]   

In 2019, the Swiss Financial Market Supervisory Authority (FINMA) released Stablecoin guidelines.[5]  This guidance noted that while Swiss law lacks specific provisions to regulate Stablecoins, they would be treated the same as any other blockchain-based tokens.  The specific characteristics of Stablecoins can influence which financial laws apply.  For example, if a token is linked to a particular fiat currency, it likely would be categorized as a deposit under the banking laws.  The updated white paper explores FINMA’s and other regulators’ evolving approaches to Stablecoins in more depth.

B. Actual Delivery

The Commodity Exchange Act (CEA) provides that agreements, contracts, or transactions in commodities—other than foreign currencies or securities—entered into by or offered to retail customers on a leveraged, margined, or financed basis must be regulated as or “as if” they were futures, unless covered by an exemption.[6]  This effectively means that a non-exempt transaction may be executed only on or subject to the rules of a CFTC-regulated exchange, and persons providing services in connection with nonexempt transactions may be covered by one of the CEA’s registration categories for professionals.

One oft-discussed exception to this requirement is for contracts for commodity sales that result in actual delivery of the commodity within 28 days.  The CFTC has been grappling for years with its interpretation of the term “actual delivery.”[7]  The need to clarify the meaning of actual delivery in virtual currency transactions became more pronounced in 2016, when the CFTC brought its first enforcement action against a trading platform that offered retail commodity transactions in virtual currency without registering with the CFTC.[8]  In its settlement order against that platform, Bitfinex, the CFTC took the position that delivery of bitcoin purchased with borrowed funds to a private, omnibus settlement wallet where the coins were held for the benefit of the buyer but also as collateral for the loan did not constitute actual delivery, because the buyer did not have any rights to access or use the purchased bitcoin until released by Bitfinex following satisfaction of the loan.  In March 2020, the CFTC addressed the uncertainty surrounding the concept of “actual delivery” in the context of digital asset transactions by issuing an interpretation that aligns with the approach it employed in Bitfinex.  This guidance provides, in part, that the actual delivery exception applies only when a customer secures possession and control of, and has the ability to use freely in commerce, the entire quantity of the digital asset no later than 28 days from the date of the transaction, rendering any lien on the digital asset as a means to secure repayment incompatible with actual delivery.[9]  The updated white paper examines the CFTC’s actions in this area in greater depth.

C. SEC Digital Asset Framework and Other Enforcement Issues

In April 2019, the SEC’s Strategic Hub for Innovation and Financial Technology (FinHub) published the Digital Asset Framework,[10] which provides guidance regarding FinHub’s view as to whether a given digital asset would be considered a security—and thus subject to SEC regulation—under the test set forth in SEC v. W.J. Howey Co.[11]  The SEC staff also recently issued its first digital-asset-related no-action letters, confirming that two digital assets that essentially function as stored-value cards would not be deemed securities.  The Framework and other developments concerning the SEC’s regulation of digital assets are discussed in detail in the updated white paper. 

The white paper also addresses the regulatory uncertainty attending digital assets, which could potentially frustrate law enforcement and innovation.  The CFTC and the SEC appear to be coordinating in combatting perceived fraudulent activity involving cash market transactions in digital assets, but their coordination does not necessarily mean that where only one agency initiates an action, only that agency has jurisdiction.  One legislative attempt to address this regulatory uncertainty is the Digital Commodity Exchange Act of 2020 (DCEA), which was introduced to fill regulatory gaps that exist between the CFTC and the SEC and to provide a clear means by which market participants could ensure that their transactions in digital assets comply with the law.  The updated white paper includes more detailed discussion of the DCEA.

D. Travel Rule

FinCEN’s Travel Rule has been a recent focus of international attention, with the Financial Action Task Force (FATF) adopting an interpretive note in June 2019 confirming that countries should apply provisions similar to the Travel Rule to virtual asset service providers.[12]  In the United States, FinCEN has confirmed that the Travel Rule is the most commonly cited violation by the IRS against money services businesses engaged in virtual currency money transmission.[13]  The updated white paper expands on this topic in detail.


[1] By Michael Spafford and Katherine Berris of Paul Hastings, Jonathan Marcus of Skadden, and Daren Stanaway of Interactive Brokers.

[2] Tim Swanson, Why Bitcoin Needs Fiat (And This Won’t Change in 2018), Coindesk (Jan. 4, 2018), https://www.coindesk.com/bitcoin-still-needs-fiat-currency-wont-change-2018/.

[3] Id.

[4] FINMA, Supplement to the Guidelines for Enquiries Regarding the Regulatory Framework for Initial Coin Offerings (ICOs) (2019), https://www.finma.ch/en/news/2019/09/20190911-mm-stable-coins/.

[5] Id.

[6] 7 U.S.C. § 2(c)(2)(D)(iii).

[7] American Bar Association Derivatives and Futures Law Committee Innovative Digital Products and Processes Subcommittee Jurisdiction Working Group, Digital and Digitized Assets: Federal and State Jurisdiction Issues 61 (2020), https://www.americanbar.org/content/dam/aba/administrative/business_law/buslaw/committees/CL620000pub/digital_assets.pdf.

[8] See In re BFXNA Inc., CFTC No. 16-19 [2016-2017 Transfer Binder] Comm. Fut. L. Rep. (CCH) ¶ 33,766 (June 2, 2016).

[9] Retail Commodity Transactions involving Certain Digital Assets, 85 Fed. Reg. 37,734, 37,742–43 (June 24, 2020).

[10] SEC, Strategic Hub for Innovation and Financial Technology, Framework for “Investment Contract” Analysis of Digital Assets (Apr. 3, 2019), https://www.sec.gov/corpfin/framework-investment-contract-analysis-digital-assets.

[11] SEC v. W.J. Howey Co., 328 U.S. 293 (1946).

[12] See FATF, Outcomes FATF Plenary, 16-21 June 2019 (June 21, 2019), https://www.fatf-gafi.org/publications/fatfgeneral/documents/outcomes-plenary-june-2019.html. FinCEN subsequently “applauded” FATF’s interpretation. See FinCEN, Prepared Remarks of FinCEN Director Kenneth A. Blanco at Chainalysis Blockchain Symposium (May 13, 2020), https://www.fincen.gov/news/speeches/prepared-remarks-fincen-directorkenneth-blanco-delivered-consensus-blockchainsymposium.

[13] See FinCEN, Prepared Remarks of FinCEN Director Kenneth A. Blanco at Chainalysis Blockchain Symposium (Nov. 15, 2019), https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blancochainalysis-blockchain-symposium.

Massive Defense Bill Includes Broad SEC Disgorgement Authority and Anti-Money Laundering Provisions: A Recommendation for Treasury Secretary Janet Yellen

Buried in the $740.5 billion National Defense Authorization Act for 2021[1] (“NDAA”) are numerous provisions that affect financial services law.  Although the news media directed most of their coverage to Congress’s override of President Trump’s veto of the massive bill[2], this article discusses a few of the provisions that should be of interest to the financial services bar. 

Disgorgement Authority

Of major significance is a provision that enhances the Securities and Exchange Commission’s (“SEC”) authority to seek disgorgement remedies in conjunction with an enforcement action.[3]  The provision addresses a limitation on the SEC’s authority to seek equitable remedies against bad actors.  In Kokesh v. SEC, the U.S. Supreme Court held that the five-year statute of limitations in 28 USC § 2462 applies when the SEC seeks disgorgement from those who have wrongfully enriched themselves. The court held that “disgorgement, as it is applied in SEC enforcement proceedings, operates as a penalty under § 2462.  Accordingly, any claim for disgorgement in an SEC enforcement action must be commenced within five years of the date the claim accrued.”[4]  In testimony before the U.S. Senate Committee on Banking, Housing, and Urban Affairs, SEC Chairman Jay Clayton asserted that the Kokesh decision has had the

anomalous effect of allowing the most “successful” perpetrators of fraud—those whose frauds are well-concealed and stretch beyond the five-year limitations period—to keep their ill-gotten gains.  Since Kokesh was decided, an estimated $1.1 billion in ill-gotten gains has been unavailable for possible distribution to harmed investors, much of which is tied to losses by investors.[5]

Chairman Clayton further noted:

I greatly appreciate the bipartisan, bicameral work underway to address this issue, and I welcome the opportunity to continue to work with Congress to ensure the Commission is able to seek recoveries in cases of well-concealed, long-running frauds so that defrauded retail investors can get their investment dollars back while remaining true to the principles embedded in statutes of limitations.[6]

Apparently, those efforts bore fruit in the NDAA.  The legislation amends Section 21(d) of the Securities Exchange Act of 1934 (“Exchange Act”), granting the SEC the authority to seek disgorgement against the person who received “unjust enrichment.”  Congress included a statute of limitations of ten years for equitable remedies in most instances.  Under the amendment, any time that the bad actor spends outside of the United States does not count toward the running of the limitations “clock.”

I have prepared a mark-up showing how Congress amended Section 21 of the Exchange Act (in “Hill-speak,” a “Ramseyer”).  Deletions are shown as [struck: …] and the legislative changes as [new: …].  It appears below:

H.R. 6395

The “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021”

******

Amendments of Title LXV – Miscellaneous

******

SEC. 6501. INVESTIGATIONS AND PROSECUTION OF OFFENSES FOR VIOLATIONS OF THE SECURITIES LAWS

[Page 1238]

(a) IN GENERAL.—Section 21(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78u(d)) is amended—

(3) CIVIL MONEY PENALTIES IN CIVIL ACTIONS [new: AND AUTHORITY TO SEEK DISGORGEMENT].—

(A) AUTHORITY OF COMMISSION.—Whenever it shall appear to the Commission that any person has violated any provision of this title, the rules or regulations thereunder, or a cease-and-desist order entered by the Commission pursuant to section 21C of this title, other than by committing a violation subject to a penalty pursuant to section 21A, the Commission may bring an action in a United States district court to seek, and the court shall have [struck: jurisdiction to impose, upon a proper showing, a civil penalty to be paid by the person who committed such violation.] [new: “jurisdiction to—]

[new: “(i) impose, upon a proper showing, a civil penalty to be paid by the person who committed such violation; and]

[new: “(ii) require disgorgement under paragraph (7) of any unjust enrichment by the person who received such unjust enrichment as a result of such violation.”]

(B) AMOUNT OF PENALTY.—

(i) FIRST TIER.—The amount of [struck: the penalty] [new: a civil penalty imposed under subparagraph (A)(i)] shall be determined by the court in light of the facts and circumstances. For each violation, the amount of the penalty shall not exceed the greater of (I) $5,000 for a natural person or $50,000 for any other person, or (II) the gross amount of pecuniary gain to such defendant as a result of the violation.

(ii) SECOND TIER.—Notwithstanding clause (i), the [struck: amount of penalty] [new: amount of a civil penalty imposed under subparagraph (A)(i)] for each such violation shall not exceed the greater of (I) $50,000 for a natural person or $250,000 for any other person, or (II) the gross amount of pecuniary gain to such defendant as a result of the violation, if the violation described in subparagraph (A) involved fraud, deceit, manipulation, or deliberate or reckless disregard of a regulatory requirement.

(iii) THIRD TIER.—Notwithstanding clauses (i) and (ii), the [struck: amount of penalty for each such violation] [new: amount of a civil penalty imposed under subparagraph (A)(i) for each violation described in that subparagraph] shall not exceed the greater of (I) $100,000 for a natural person or $500,000 for any other person, or (II) the gross amount of pecuniary gain to such defendant as a result of the violation, if— (aa) the violation described in subparagraph (A) involved fraud, deceit, manipulation, or deliberate or reckless disregard of a regulatory requirement; and (bb) such violation directly or indirectly resulted in substantial losses or created a significant risk of substantial losses to other persons.

(C) PROCEDURES FOR COLLECTION.—[No change.]

* * * * *

(D) SPECIAL PROVISIONS RELATING TO A VIOLATION OF A CEASE-AND-DESIST ORDER.—[No change.]

* * * * *

(4) PROHIBITION OF ATTORNEYS’ FEES PAID FROM COMMISSION DISGORGEMENT FUNDS.—Except as otherwise ordered by the court upon motion by the Commission, or, in the case of an administrative action, as otherwise ordered by the Commission, funds disgorged [new: under paragraph (7)] as the result of an action brought by the Commission in Federal court, or as a result of any Commission administrative action, shall not be distributed as payment for attorneys’ fees or expenses incurred by private parties seeking distribution of the disgorged funds.

(5) EQUITABLE RELIEF.—[No change.]

* * * * *

(6) AUTHORITY OF A COURT TO PROHIBIT PERSONS FROM PARTICIPATING IN AN OFFERING OF PENNY STOCK.—[No change.]

* * * * *

[The following paragraphs (7) through (9) are new:]

(7) DISGORGEMENT.—In any action or proceeding brought by the Commission under any provision of the securities laws, the Commission may seek, and any Federal court may order, disgorgement.

(8) LIMITATIONS PERIODS.—

(A) DISGORGEMENT.—The Commission may bring a claim for disgorgement under paragraph (7)—

(i) not later than 5 years after the latest date of the violation that gives rise to the action or proceeding in which the Commission seeks the claim occurs; or

(ii) not later than 10 years after the latest date of the violation that gives rise to the action or proceeding in which the Commission seeks the claim if the violation involves conduct that violates—

(I) section 10(b);

(II) section 17(a)(1) of the Securities Act of 1933 (15 U.S.C. 77q(a)(1));

(III) section 206(1) of the Investment Advisers Act of 1940 (15 U.S.C. 80b–6(1)); or

(IV) any other provision of the securities laws for which scienter must be established.

(B) EQUITABLE REMEDIES.—The Commission may seek a claim for any equitable remedy, including for an injunction or for a bar, suspension, or cease and desist order, not later than 10 years after the latest date on which a violation that gives rise to the claim occurs.

(C) CALCULATION.—For the purposes of calculating any limitations period under this paragraph with respect to an action or claim, any time in which the person against which the action or claim, as applicable, is brought is outside of the United States shall not count towards the accrual of that period.

(9) RULE OF CONSTRUCTION.—Nothing in paragraph (7) may be construed as altering any right that any private party may have to maintain a suit for a violation of this Act.”

*****

(b) APPLICABILITY.—The amendments made by subsection (a) [i.e., of this amendment] shall apply with respect to any action or proceeding that is pending on, or commenced on or after, the date of enactment of this Act.[7]

Anti-Money Laundering Provisions

Protection of Algorithms

The NDAA includes a remarkable provision to protect the privacy of algorithms that financial institutions use for their anti-money laundering (“AML”) compliance programs.  Division F of the NDAA includes many amendments to the Bank Secrecy Act (“BSA”), including provisions that expand the scope of the BSA to “value that substitutes for currency,”[8] presumably referring to cryptocurrency.  Other provisions strengthen the Financial Crimes Enforcement Network (“FinCEN”) by establishing a FinCEN exchange to facilitate voluntary public-private sharing of information[9] and by increasing technical assistance for international cooperation.[10]  This article does not attempt to discuss all of those provisions comprehensively.  Instead, I will focus on one provision that may have implications beyond AML compliance, and will make a recommendation with respect to AML rules.

The NDAA amends the Bank Secrecy Act to protect the confidentiality of algorithms that financial institutions use for their AML efforts.  Section 6209 amends 31 USC § 5318(o)(3) to provide that if a financial institution discloses to its regulator information about an algorithm that the institution uses in conjunction with its AML program, the regulator must not disclose that information to the public. 

Hedge fund managers have had legitimate concerns about revealing the details of their trading algorithms to regulators for fear of public disclosure.  Managers appreciate the need for regulatory oversight, but prefer that regulators look at actual trading patterns, rather than the algorithms, during examinations.  Managers wish to release information about the algorithms themselves only after regulators have examined other, less proprietary data and still have regulatory concerns.

This amendment to the Bank Secrecy Act protects the confidentiality of the algorithms that financial institutions use for AML purposes, i.e., a public purpose, rather than trading algorithms.  Nonetheless, the provision demonstrates the sensitivity of algorithms and the need for confidentiality, at least in some settings.

Perhaps this amendment to the Bank Secrecy Act will validate hedge fund managers’ concerns about keeping their trading algorithms confidential unless regulators cannot reasonably discharge their oversight responsibility in any other way.

Recommendation to FinCEN

The author suggests that the Treasury Department and FinCEN should re-propose and adopt final AML rules for investment advisers.  Remarkably, FinCEN has never adopted final rules subjecting investment advisers to AML requirements.  Prior administrations have proposed rules, but never adopted them.  

The FinCEN 2015 Proposal[11] reviewed the history of the proposal, which I have summarized below:

  • On September 26, 2002, FinCEN proposed rules requiring that unregistered investment companies establish AML programs (“Proposed Unregistered Investment Companies Rule”).[12] 
  • On May 5, 2003, FinCEN proposed requiring that certain investment advisers establish AML programs (“First Proposed Investment Adviser Rule”).[13]
  • In June 2007, FinCEN announced that it was reconsidering both the Proposed Unregistered Investment Companies Rule and the First Proposed Investment Adviser Rule, and subsequently withdrew them.[14]
  • After Congress passed the Dodd Frank Act,[15] FinCEN decided to propose new AML rules for investment advisers. The proposal notes that the Dodd Frank Act required most investment advisers to be registered with the SEC.  “Accordingly, FinCEN believes the two-pronged approach of the prior proposals is no longer necessary to address the money laundering and terrorist financing risks presented by SEC registered investment adviser clients and the unregistered investment companies that are managed by such advisers.”

    Briefly, the proposal would have amended 31 CFR § 1010 to add a new subsection 100(nnn), defining an investment adviser as “[a]ny person who is registered or required to register with the SEC under section 203 of the Investment Advisers Act of 1940….”  As a result, the proposal would have made such investment advisers subject to the AML requirements.  Of course, the proposal included numerous other requirements.[16]  For whatever reason, the Obama Administration never adopted a final rule requiring that investment advisers have AML rules. 

On September 14, 2020, FinCEN published an advance notice of proposed rulemaking (“ANPRM”), seeking comments on ways to improve the current AML requirements.  The proposal notes that “any such amendments would be expected to further clarify that such a program assesses and manages risk as informed by a financial institution’s risk assessment, including consideration of anti-money laundering priorities to be issued by FinCEN.”[17]  The ANPRM does not include any reference to the 2015 Proposal.  The Trump Administration did not otherwise pursue the issue of applying AML requirements to investment advisers.

In my view, the Biden Administration should re-propose rules subjecting investment advisers to AML rules.  I cannot point to a specific regulatory failure to justify my suggestion.  Nonetheless, I believe that it is time for FinCEN to adopt such requirements for the following reasons:

  • Investment advisers, particularly hedge funds, have AML programs. It would be foolish indeed for any investment manager not to have a program and wittingly or unwittingly to take “dirty” money.  Any manager that accepted tainted money would face extreme reputational risk and probably would violate other statutes, depending on the circumstances. 
  • In some circumstances, it may be wise to adopt rules in the absence of a crisis. As President Kennedy said, “the time to repair the roof is when the sun is shining.”[18]  I suggest that FinCEN should propose and adopt new rules in an environment that would permit thoughtful consideration of a proposal and comments rather than hastily adopting ill-conceived rules in a crisis environment.  The ANPRM noted above might inform such a proposal.
  • FinCEN’s rules should reflect the existing course of business that investment managers have with other, regulated financial institutions. AML rules for investment managers should integrate with the existing regulatory framework.
  • If FinCEN adopted AML rules that differ from existing practice, managers would have an opportunity to comply.

Thoughtful rules would help investment advisers do a better job of supporting the existing AML infrastructure.  Establishing clear rules for investment advisers that complement existing rules and practices would benefit everyone.


© Stuart J. Kaswell 2021, who has granted permission to the ABA to publish this article in accordance with the ABA’s release, a copy of which is incorporated by reference. Stuart Kaswell is an experienced financial services lawyer. He has worked at the Securities and Exchange Commission, as securities counsel to the Committee on Energy and Commerce of the U.S. House of Representatives (when it had securities jurisdiction), and has been a partner at two law firms and general counsel of two financial trade associations.


[1]  The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, H.R. 6395, 116th Cong., 2d. Sess. (2021).  The bill is 1,480 pages long.

[2] The House voted to override the veto on Dec. 28, 2020; the Senate voted to override on Jan. 1, 2021. See also WSJ, Jan. 1, 2021.

[3] Section 6501 of the NDAA.  See also A. Frankel, Congress hid a big gift to the SEC in defense spending bill awaiting Trump’s signature, Reuters, Dec. 23, 2020.

[4] 581 US ___ slip op. at 11 (2017).

[5] Testimony of the Honorable Jay Clayton, Dec. 10, 2019, at text accompanying footnote 76.  The Supreme Court subsequently upheld the SEC’s authority to seek disgorgement, “an antecedent question” that Kokesh left unanswered. Liu v. SEC, 591 US ____ (2020), at slip op. 1.

[6] Id. at text accompanying note 81.

[7] Compared to the Exchange Act version dated October 2, 2019, available on the SEC’s website at https://www.govinfo.gov/content/pkg/COMPS-1885/pdf/COMPS-1885.pdf, as amended through P.L. 115-141, enacted March 23, 2018.

[8] Section 6102(c) of the NDAA.

[9] Section 6103 of the NDAA.

[10] Section 6111 of the NDAA.

[11] Department of the Treasury, FinCEN, RIN 1506-AB10, August 24, 2015, 80 FR 52680 (Sept. 1, 2015).

[12] Anti-Money Laundering Programs for Unregistered Investment Companies, 67 FR 60617 (Sept. 26, 2002).

[13] Anti-Money Laundering Programs for Investment Advisers, 68 FR 23646 (May 5, 2003).

[14] Withdrawal of the Notice of Proposed Rulemaking; Anti-Money Laundering Programs for Unregistered Investment Companies, 73 FR 65569 (Nov. 4, 2008); and Withdrawal of the Notice of Proposed Rulemaking; Anti-Money Laundering Programs for Investment Advisers, 73 FR 65568 (Nov. 4, 2008).

[15] The Wall Street Reform and Consumer Protection Act (“Dodd Frank Act”), Public Law 111–203, 124 Stat. 1376 (2010).

[16] FinCEN, Department of the Treasury, RIN 1506-AB10 (Aug. 15, 2015); 80 FR 52680 (Sept. 1, 2015).

[17] Docket No. FinCEN-2020-0011, 85 FR 58023 (Sept. 17, 2020).

[18] President John F. Kennedy, State of the Union Address, Jan. 11, 1962.

The Role of the Company When Its Owners Face Off Against Each Other

Owners of closely held corporations or LLCs often find themselves litigating for control of their “Company.” When that happens, on which side of the caption does the Company line up? What role should it play? And should either warring faction enjoy access to the Company’s assets to fund that side’s litigation costs?

When derivative claims are asserted, the Company must be a party,[1] but when nothing is sought on behalf of or from the Company and all the owners are before the court, should the Company be a plaintiff or a defendant, or should it be left off the caption altogether? If it is not named as a party, the court may require the Company to become one so that it will be subject to the court’s orders.

When the Company is named a nominal defendant in the Complaint, the plaintiff runs the risk that the defendant owners will retain one lawyer to represent both them and the Company and pay that lawyer’s retainer (and eventually a lot more) from the Company’s treasury, even though as a practical matter that lawyer will be advancing one side’s position in the litigation against the other. In addition to whether that is fair, joint representation raises ethical issues.[2] The result is that the choice of counsel, the authority to choose counsel, and the use of Company funds to pay counsel become issues in a soon-to-follow pretrial application for relief by the plaintiff.[3]

These issues were addressed, but not conclusively resolved, in a case that came before the Texas Supreme Court on pretrial applications to disqualify defendants’ counsel.[4] The underlying dispute, which had not yet been decided by the lower court, was between twelve LLC owners and six “Governing Persons” collectively divided into two factions. The disagreement arose from the majority’s firing of the previously unanimously elected president and managing member who, with his supporters, claimed that a unanimous vote was required for dismissal. The minority’s Complaint, asserting derivative as well as direct claims, included the LLC as a named plaintiff. The defendant majority engaged a law firm that had previously represented the LLC, funded its litigation costs from the Company treasury, and asserted counterclaims.

Late in the litigation, the minority moved to disqualify defendants’ counsel charging (1) that the law firm, having previously been counsel to the plaintiff LLC, could not appear against its former client, and (2) that the defendant faction had no authority to hire a law firm to act for the LLC.

The court noted that the core issue underlying the litigation was who had the right to control the LLC’s management, and as to this issue, each faction’s position was that the other side’s position was incorrect and harmful to the LLC. The court observed that when stripped of the baggage of the derivative label, the Company’s alignment in the caption was immaterial to this issue, noting that “[C]ompanies in derivative litigation are simultaneously ‘plaintiffs’ and ‘defendants’ depending on how you look at it.”[5]

The court reviewed decisions from other jurisdictions questioning joint representation and found no categorical rule.[6] Based on Texas law and the Texas Rule serving as the basis for one of the applications made below, and in light of the timing of the motions to disqualify, the Texas Supreme Court upheld the lower court’s discretion not to grant disqualification. The core merits question of control was capable of being fairly litigated by the factions and lawyers for both sides presently before the court.

Whether defendants had the authority to hire counsel at Company expense was not determined at this stage of the proceeding. The authority to hire counsel for an LLC often turns on whether it is a “major” or “material” or “extraordinary” or “not in the usual course of business” decision that requires unanimity or a high vote under either statute or operating agreement.

As to the inequity of one side’s use of Company money to pay its litigation costs, the court said that “adequate remedies exist” for subsequent recovery of any legal fees that may turn out to have been improperly paid from the other group’s interests in the LLC.

“Adequate remedies” after the fact may be viable if the personal resources of both sides fighting for control are such that each is able to fund its litigation costs without hardship. This may have been true in the Texas case. If one or both litigants have limited resources, one side’s right to post-litigation remedies is of little avail while the other side enjoys the real-time advantage of financing its position in the litigation with the Company’s funds. Courts do afford relief in those situations when timely application is made.[7]


[1]  Meyer v. Fleming, 327 U.S. 161 (1946); Liddy v. Urbanek, 707 F.2d 1222 (11th Cir. 1983). In Cotter on behalf of Reading International, Inc. v. Kane, 473 P.3d 451 (Nev. 2020), the plaintiff, asserting that his termination as corporate president was void, filed a derivative action against the directors naming the corporation as a nominal defendant.  Although the corporation had to remain neutral on the merits of the claim, the court allowed it to challenge the plaintiff’s standing because the corporation might later be called upon to indemnify the defendant directors.

[2]  See, for example, In re Conduct of Kinsey, 680 P.2d 660 (Or. 1983).

[3]  When the court orders the Company to be represented by separate counsel, additional indirect costs are incurred by both parties. The Company’s lawyer, however, when acting as a neutral, may assist the court as would a guardian and perhaps facilitate amicable resolution.

[4]  In re Murrin Brothers 1885, Ltd., 603 S.W.3d 53 (Tex. 2019).

[5]  Id. at 58. Because the nominal defendant corporation stands to be the beneficiary of any derivative action recovery, its interests are not necessarily adverse to the plaintiff. Cotter on behalf of Reading International, Inc. v. Kane, note 1 supra.

[6]  In addition to the cases cited, Rosenfeld v. Metals Selling Corp., 643 A.2d 1253, 1264 (Conn. 1994), and Messing v. FDI, Inc., 439 F. Supp. 776 (D.N.J. 1977), are also instructive.

[7]  In Ehlinger v. Hauser, 785 N.W.2d 328 (Wis. 2010), the court, recognizing that the dispute was really between the two shareholders, and citing Matter of Clemente Bros., Inc., 239 N.Y.S.2d 703 (App. Div. 1963), aff’d o.b. 13 N.Y.2d 963 (1963), observing that “the corporation may not assume a ‘militant alignment on the side of one of the two equal, discordant stockholders,’ ” prohibited the corporation from paying the expenses incurred by one of the shareholders. Similarly, Matter of Penetent Corp., 605 N.Y.S.2d 691 (App. Div. 1993), affirmed the trial court’s grant of petitioner’s motion to restrain respondent from using corporate funds to pay for professional services incurred in the proceeding.

Sports Betting and Data Security: Cybersecurity, Data Protection, and Privacy Rights in Gaming Law Practice

At the ABA Business Law Section’s annual meeting in Spring 2020, which went virtual for the first time due to the pandemic, the Section’s Gaming Law Committee took up the issue of sports betting and data security as a key emerging area that intersects with numerous other areas of law practice, including contracts, commercial transactions, securities regulation, business entity issues, tribal-state compacting, and intellectual property. Along with the authors of this article, Dennis Ehling (Partner with Blank Rome in Los Angeles), Raymond Luk, Jr. (Corporate Counsel for BorgWarner Inc., in Auburn Hills, Michigan), and Peter McLaughlin (Partner with Culhane Meadows in Boston) comprised the panel, which was co-sponsored by the Business Law Section’s Intellectual Property and Sports Law Committees. ABA Business Law Section members can watch the program for CLE credit on demand.

Introduction

A rapidly evolving subfield in gaming law concerns cybersecurity, data protection, and privacy rights. The swift expansion of legalized sports betting, as well as igaming, mobile gaming, daily fantasy sports (DFS), and competitive videogaming (esports), has created both opportunities and challenges for the business lawyer. Online and mobile platforms for sports betting and DFS, as well as team trademarks and the design of esports games, raise issues related to intellectual property; data collection and reporting; data ownership, protection, and privacy; and data security. A business lawyer advising clients in these areas, or working directly in these industries, needs to know how data protection compliance and intellectual property interests operate in these rapidly developing contexts. Such matters also increasingly intersect with the dynamic area of digital currencies and cryptocurrencies, blockchain technologies and transactions, and compliance within and across jurisdictions, whether domestic or international.

Data security has always been a key issue for the gaming industry. Traditionally a “cash business,” the current $260 billion U.S. gaming industry runs primarily on transactions, often large ones. Like finance and banking institutions, casinos must be diligent in guarding against cybersecurity threats, especially as mobile and online transactions become the norm. The gaming industry also relies on computer systems for operating gaming devices, gaming floor security, and gathering and storing player data, among other functions, all of which can be targets for hackers and cheats. With the recent spread of legalized sports betting, data security is more important than ever.

Casinos and Cybersecurity

Like other industries that retain extensive customer data, the gaming industry is particularly vulnerable to cyber threats. The 2014 hacking of the Las Vegas Sands Corporation (LVS), which owns the Venetian and Palazzo casino resorts in Las Vegas as well as several casino resorts in Asia, provides a cautionary tale. As confirmed by the U.S. Director of National Intelligence, the cyber-attack was carried out by Iranian “hacktivists” in retaliation for LVS CEO Sheldon Adelson’s support of a U.S. military strike against Iran. Malware shut down company email and phone lines, and wiped out employee hard drives. Hackers stole customer credit card data, Social Security numbers, and driver’s license information. The company’s casino websites were taken over and defaced, prompting a one-week shutdown before the sites were restored. The cyber-attack impacted the majority of the company’s Las Vegas servers; the cost of recovering data and building new systems reportedly was in excess of $40 million.

The gaming industry has its own particular vulnerabilities as well. Several years ago, a Russian hacker devised a system to predict the output of the pseudorandom number generators used in certain slot machines. He then organized teams to visit casinos and identify vulnerable slot machines, before using a smartphone app to time the trigger of a jackpot on the machine. Reportedly, the teams took in $250,000 a week from casinos around the world. In 2014, four team members pled guilty to federal fraud charges stemming from using the slot machine cheat in casinos in California, Illinois, and Missouri. The hacker also leveraged the success of the teams to attempt to extort the slot machine manufacturer. Though the extortion attempt was unsuccessful, the hacker bragged to a magazine that he continues to earn millions through the scheme.
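The slot-machine scheme above turns on one property: a generator whose future output can be computed from its past output. The following Python example, added here to illustrate that property and not drawn from the article or from any manufacturer’s firmware, uses a constructed linear congruential generator (LCG) as a stand-in for a weak game RNG. An observer who records three consecutive outputs and knows the modulus (assumed here to have been read from a firmware image) recovers the multiplier and increment and forecasts every later draw. The contrast function at the end uses the operating system’s CSPRNG, which exposes no recoverable state.

```python
"""Predicting a weak PRNG from observed outputs (added illustration).

Assumptions (all constructed for this example):
  * the device uses a full-output LCG  x_{n+1} = (a*x_n + c) mod M
  * the modulus M is known to the attacker (e.g. from a firmware dump)
  * three consecutive outputs can be observed
"""
import secrets

M = 2**31 - 1  # Mersenne prime; assumed known modulus


class ToyLCG:
    """Constructed stand-in for a weak game RNG; NOT any real machine's code."""

    def __init__(self, a: int, c: int, seed: int):
        self.a, self.c, self.state = a, c, seed

    def next(self) -> int:
        self.state = (self.a * self.state + self.c) % M
        return self.state


def observe(a: int, c: int, seed: int, k: int) -> list[int]:
    """Record k consecutive outputs of a ToyLCG, as an observer would."""
    g = ToyLCG(a, c, seed)
    return [g.next() for _ in range(k)]


def recover_lcg(outputs: list[int], m: int = M) -> tuple[int, int]:
    """Recover (a, c) from three consecutive outputs x0, x1, x2.

    x1 = a*x0 + c and x2 = a*x1 + c (mod m), so subtracting gives
    x2 - x1 = a*(x1 - x0)  =>  a = (x2 - x1) * (x1 - x0)^-1 mod m.
    With prime m the inverse exists whenever x1 != x0.
    """
    x0, x1, x2 = outputs[:3]
    d = (x1 - x0) % m
    if d == 0:
        raise ValueError("degenerate sequence: need x1 != x0")
    a = ((x2 - x1) * pow(d, -1, m)) % m
    c = (x1 - a * x0) % m
    return a, c


def predict(outputs: list[int], n: int, m: int = M) -> list[int]:
    """Forecast the n outputs that follow the observed sequence."""
    a, c = recover_lcg(outputs, m)
    x = outputs[-1]
    forecast = []
    for _ in range(n):
        x = (a * x + c) % m
        forecast.append(x)
    return forecast


def demo() -> bool:
    """Observe three draws, forecast five more, and compare with the device."""
    machine = ToyLCG(a=48271, c=12345, seed=2021)
    observed = [machine.next() for _ in range(3)]
    forecast = predict(observed, 5)
    actual = [machine.next() for _ in range(5)]
    return forecast == actual


def secure_draw(m: int = M) -> int:
    """Contrast: a draw from the OS CSPRNG; past outputs reveal no state."""
    return secrets.randbelow(m)
```

The attack needs no knowledge of the seed: the LCG leaks its entire state in each output, so three observations fix the parameters and every subsequent value. The defensive lesson is the one regulators and test labs apply to gaming devices, namely that payout-driving randomness must come from a generator whose internal state is neither observable nor derivable from outputs, and must be reseeded from a hardware entropy source.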

Sports Betting

Since the U.S. Supreme Court’s 2018 decision striking down the federal Professional and Amateur Sports Protection Act in Murphy v. NCAA, 584 U.S. ___, some 24 states plus the District of Columbia have legalized sports betting, with as many as a dozen more expected to take up sports wagering legislation in 2021. Commentators predict that as many as 45 states may have legal sports betting within five years. A growing number of states, including Indiana, Iowa, Nevada, New Jersey, Pennsylvania, Rhode Island, and West Virginia, have also legalized online and mobile sports betting.

Legal wagers on Super Bowl LIV in 2020 exceeded $270 million (though legal wagers continue to be eclipsed by the illegal market; the estimated total wagers for the Super Bowl were over $6 billion, placed by some 26 million bettors). Industry experts estimated that five million people placed their bets—both legal and illegal—via online or mobile platforms.

Next on the calendar, of course, was March Madness—the NCAA men’s basketball tournament. The American Gaming Association had predicted over $10 billion in wagers ($295 million made legally) by over 50 million Americans and some 100 million people around the world. The tournament was cancelled due to the pandemic—as were all collegiate and major-league professional sports throughout the U.S., as well as globally, throughout the summer and into the fall. This only raised the stakes. Industry commentators predict that latent and pent-up demand for sports and sports gambling opportunities will generate wagers of similar or even larger amounts for Super Bowl LV in Tampa Bay, as well as for the recently announced “bubble edition” of March Madness taking place in Indiana in spring 2021.

As more states enter the legalized sports betting market, many of them have minimal regulatory experience as compared to Nevada, where sports betting has been legal and highly regulated for decades. Even fewer states have experience with regard to online and mobile betting, as federal law has permitted states to legalize online gaming only for the last decade or so.

Sports Betting and Data Security

Cybersecurity experts warn about the risks posed by the lure of the anticipated handle, both legal and illegal, around sports betting. While money laundering and theft are concerns, so are data breaches of customer information, which in the long run may be even more valuable—and more damaging—to patron and operator alike. The customer data collected by casinos often is extensive. Bettors may be required to provide date of birth, Social Security number, physical and email addresses, and other personal identifying information. They may also be required to create accounts with financial and banking information, along with passwords and security questions. Customer habits and preferences may be tracked through players club cards and apps. For online and mobile betting, age (sometimes via date of birth) and location data are also collected.

But sports betting also has other valuable data: sports data.

Sports books offer wagers not just on the outcome of the game (win or moneyline), but on the score (over/under, point spread) and special events (proposition bets, such as whether the game will go into overtime or whether a particular player will score a touchdown). In-play or live betting allows bettors to place wagers after an event has started and up to the time of its conclusion. The odds on all of these bets are driven by sports data on all features of the players, teams, contests, and leagues. The security of sports data is critical to the integrity of legalized sports betting. As sports betting has one of the slimmest margins of any casino game, the security of sports data also is critical to the financial risk inherent in a casino’s sports book.

Sports data also is an intellectual property asset. Leagues and teams have claimed ownership of sports data, with the business plan of selling their official data to data analytics companies and oddsmakers, or charging integrity or data rights fees to the gaming industry. For example, in 2018, MGM Resorts entered into a 3-year deal with the NBA to receive league-verified data for some $25 million, followed by similar deals between MGM and the NHL and MLB. But there are unsettled questions regarding ownership, copyright, and fair use. Broadcasts of sporting events may be copyrightable, but the live game likely is not. Prior cases, including NBA v. Motorola, Inc., 105 F.3d 841 (2d Cir. 1997) (broadcasts, not games, are copyrightable; facts derived from broadcasts are not copyrighted; transmitting game scores and statistics is not “hot news” misappropriation), Morris Communications Co. v. PGA Tour, 364 F.3d 1288 (11th Cir. 2004) (a sports league may charge a fee for access to proprietary data without violating antitrust laws), C.B.C. Distribution & Marketing, Inc. v. MLB Advanced Media, 505 F.3d 818 (8th Cir. 2007) (a fantasy sports operator’s use of baseball statistics in the public domain is protected by the First Amendment), and Daniels v. FanDuel, Inc., 909 F.3d 876 (7th Cir. 2018) (college athletes’ names, likenesses, and statistical data are “newsworthy” and may be used without an athlete’s permission), provide only partial answers to issues that are increasingly significant, or even novel, in the post-Murphy legal environment as the legal sports betting industry—and its demands for data—expand.

Similar considerations and questions with regard to data security and intellectual property apply to DFS and esports.

Applicable Data Security Laws

While data protection, data privacy, and data-breach notification are recognized as critical dimensions of cybersecurity law, regulation, and policy, these issues have yet to be addressed in any comprehensive legislation in the U.S. Not so elsewhere. The European Union’s comprehensive General Data Protection Regulation (GDPR) took effect in 2018. The GDPR regulates the processing of personal data within its territoriality requirements. Processing of personal data includes collection, use, storage, organization, disclosure, or any other operation performed on personal data. Personal data is defined as any information relating to an identified or identifiable person, including names, identification numbers, location data, IP addresses, etc. The GDPR’s territoriality requirements bring within its scope any organization with an “establishment” in the EU that processes personal data as part of that establishment’s activities. They also reach an organization with no EU establishment when it offers goods or services to, or monitors the behavior of, individuals in the EU, a point a U.S. operator accepting online wagers or account registrations from EU residents should not overlook.

As for the U.S., there is not yet a single, comprehensive federal data protection law. There are several federal laws that address data security in specific areas, including:

  • Children’s Online Privacy Protection Act (COPPA)
  • Computer Fraud and Abuse Act (CFAA)
  • Consumer Financial Protection Act (CFPA)
  • Electronic Communications Privacy Act (ECPA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Trade Commission Act (FTC Act)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Fair Credit Reporting Act (FCRA)

These laws, however, speak to highly diverse forms of data and expectations of privacy, with divergent requirements for relevant industry actors.

States, however, have moved more rapidly to address privacy, cybersecurity, and data breaches, passing or at least considering hundreds of bills across all 50 states, territories, and the District of Columbia, many of which focus heavily on consumer protection. At least 25 states have laws addressing data security practices in the private sector, more than half of them passed in the last five years. Most states also now have data disposal laws, governing how companies destroy or render indecipherable the personal information obtained from customers and employees. The California Consumer Privacy Act (CCPA) is notable for its comprehensive approach, as it applies to most for-profit companies that do business in the state, and regulates all “personal information,” encompassing nearly any and all information that a business might collect from a customer.

Conclusion

The rapid expansion of legalized sports betting, as well as the emergent areas of DFS and esports, has created both opportunities and challenges for the business lawyer. In particular, online and mobile platforms for sports betting and DFS, as well as team trademarks and the design of esports games, raise rapidly mounting issues and dynamic questions related to intellectual property and data protection, privacy, and security.

A business lawyer advising clients in these areas, or working directly in the gaming industry or with public officials who either have or claim a stake in the success of gaming regulation, needs to know how data protection compliance and intellectual property interests operate in these rapidly developing contexts as they merge with gaming law in retail casino operations and online or mobile wagering alike.

Fortunately, the ABA’s Business Law Section, including its Gaming Law, Intellectual Property, and Sports Law Committees, will continue to spotlight these issues as they arise and evolve.

Ten Key FCRA Decisions of 2020

The year 2020 was an unprecedented year, but one thing remained constant: the number of Fair Credit Reporting Act (FCRA) case filings continued to increase dramatically.[1] In addition to new filings, the year saw several key decisions handed down by federal courts, shedding light on diverse issues such as the matching procedures of credit reporting agencies (CRAs), Article III standing, the meaning of “maximum possible accuracy,” and preemption of state credit reporting laws. As FCRA cases continue to be filed with increasing frequency, CRAs, employers seeking to screen new hires, and other FCRA-regulated entities should examine these decisions and their consequences carefully. To that end, we’ve compiled the following list of ten key FCRA decisions of 2020.

Williams v. First Advantage LNS Screening Solutions

In January 2020, the Eleventh Circuit affirmed a $250,000 compensatory damages award and reduced a $3.3 million punitive damages award to $1 million in an individual mixed-file claim brought pursuant to section 1681e(b) of the FCRA.[2] In Williams, the plaintiff sued defendant First Advantage for alleged violations of the FCRA in connection with twice attributing the criminal background information of another individual to the plaintiff.

The court recognized that although First Advantage had a policy requiring use of a third identifier before attributing criminal information to a subject with a common name, evidence indicated that this policy was not followed in practice. Based on this evidence, the Eleventh Circuit affirmed the district court’s denial of First Advantage’s motion for judgment as a matter of law with respect to willfulness under the FCRA.

The court also affirmed the jury’s compensatory damages award but found that the $3.3 million punitive damages—at a ratio of 13:1 to the compensatory damages—was unconstitutionally excessive. The court noted that the Supreme Court had previously found that a 4:1 ratio was “close to the line” of unconstitutionality and that an award that exceeded a single-digit ratio was likely a violation of the Due Process Clause. Ruling that a 4:1 ratio was appropriate here based on the state court’s assessment of First Advantage’s conduct, the court reduced the award to $1 million.

As evidenced by Williams, challenges to matching procedures utilized by the background screening industry continue to be an area of focus in FCRA litigation. This decision is also significant regarding the availability (and constitutional limits) of punitive damages.

Ramirez v. TransUnion LLC

In February, the Ninth Circuit issued its decision in a class action case watched closely by consumer reporting agencies.[3] Ramirez involved a product offered by TransUnion to identify consumers with names designated by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) as posing a national security threat. A jury ultimately awarded $8 million in statutory damages and $52 million in punitive damages to the class members, finding that TransUnion failed to comply with certain disclosure requirements under the FCRA. TransUnion appealed on various grounds, including that many of the class members lacked Article III standing.

On appeal, the Ninth Circuit held for the first time that “every member of a class certified under Federal Rule of Civil Procedure 23 must satisfy the basic requirements of Article III standing.” However, the court went on to rule that a “material risk of harm” was sufficient to confer standing to each class member. The Ninth Circuit held that “a real risk of harm arose when TransUnion prepared the inaccurate reports and made them readily available to third parties,” even though most class members’ reports were never actually disclosed to a third party.

The Supreme Court granted certiorari in December 2020, to consider “whether either Article III or Rule 23 permits a damages class action where the vast majority of the class suffered no actual injury, let alone an injury anything like what the class representative suffered.”

Walker v. Fred Meyer, Inc.

In March, the Ninth Circuit issued important guidance for employers obtaining background checks on potential or current employees.[4] The plaintiff in Walker claimed that his employer violated the FCRA by not disclosing its background check process in a “clear and conspicuous” disclosure contained “in a document that consists solely of the disclosure.” Although the district court held the disclosure form signed by the plaintiff was a standalone document, the Ninth Circuit reversed, finding that certain provisions in the disclosure form referenced other rights under federal and state law and, in so doing, violated the FCRA’s requirement that the document consist “solely of the disclosure.”

The Ninth Circuit held that in addition to a “plain statement” that a report may be obtained for employment purposes, a standalone disclosure may include a “concise explanation” of that statement. The court cautioned, however, that the explanation must not be so long or confusing that it detracts from the disclosure or in any way makes the disclosure unclear or inconspicuous.

Separately, the Ninth Circuit also affirmed that employers, in a pre-adverse action letter sent before taking action against an applicant or employee, are not required to provide employees or applicants with an opportunity to directly discuss a consumer report with the employer. Rather, it is sufficient for the employer to provide notice in a pre-adverse action letter that describes the consumer’s ability to dispute the completeness or accuracy of the information with the CRA.

Luna v. Hansen & Adkins Auto Transport, Inc.

In April, shortly after the Walker decision, the Ninth Circuit issued another decision interpreting the FCRA’s disclosure requirements for employers conducting background checks on potential hires.[5] Whereas Walker looked at the language of the disclosure, Luna focused on the format of the disclosure and its accompanying authorization.

The disclosure form in Luna was a separate page included within a larger group of application materials. The plaintiff argued that including the disclosure page alongside other materials violated the FCRA’s “standalone” requirement. The court rejected this argument, stating that while the disclosure itself cannot contain other unrelated information, “no authority suggests that a disclosure must be distinct in time, as well.”

The court in Luna also weighed in on the “clear and conspicuous” prong of the FCRA’s disclosure requirement—one of the issues left open in Walker. The court reiterated that a disclosure must be “readily noticeable” and in a “reasonably understandable form.” The court found the employer’s disclosure (featuring a bold, all-caps heading and simple explanatory statement) to meet the clear and conspicuous requirement, saying “applicants, such as big-rig truckers, can be expected to notice a standalone document featuring a bolded, underlined, capital-lettered heading.”

Finally, the Ninth Circuit also dispensed with the employee’s claim that the authorization for an employer to obtain a consumer report on an applicant also needed to be in a clear and conspicuous standalone document. The court found no statutory support for this position.

Davis v. C&D Security Management, Inc. et al.

In July, the Eastern District of Pennsylvania confirmed that a plaintiff lacks Article III standing to state a claim for violation of the FCRA premised solely on a failure to receive a copy of the background report and a summary of rights.[6] In Davis, the plaintiff applied for employment as a security guard with C&D Security and was ultimately denied the position twice. She brought suit on behalf of a putative class claiming that C&D Security failed to provide her with notice of the background check, a copy of her report, and a summary of her rights, as required under the FCRA.

Following Third Circuit precedent, the court held that Davis lacked an injury-in-fact since she ultimately became aware of her rights and timely brought suit against the employer. It cited the U.S. Supreme Court’s maxim in its landmark Spokeo decision that a bare procedural violation, divorced from any concrete harm, cannot satisfy the injury-in-fact requirement of Article III. Further, the court found that because Davis failed to establish her own standing, she could not seek relief on behalf of the putative class.

This decision highlights the critical role of Article III standing in FCRA cases, in both individual and class contexts. Companies defending FCRA class actions should consider standing issues at the forefront of the matter, rather than reserving them for the certification stage.

Moran v. The Screening Pros, LLC, et al.

Also in July, a California district court granted summary judgment in favor of a background screening agency, holding there was no willful or negligent violation of the FCRA despite the agency’s incorrect interpretation of the FCRA provision at issue.[7]

Plaintiff Moran filed suit after he was allegedly denied housing based on a screening report issued by The Screening Pros, LLC. The report included misdemeanor charges that had been filed ten years before the report was issued and dismissed six years before it. Moran argued that this violated the FCRA’s prohibition on reporting nonconviction adverse information older than seven years, pursuant to 15 U.S.C. § 1681c(a)(5). The district court dismissed the claim, holding that because the charges had been dismissed only six years before the report, the dismissal fell within the seven-year period prior to its issuance. The Ninth Circuit reversed, holding that the seven-year reporting window for a criminal charge begins on the date of entry rather than on the date of disposition.

Despite this reversal, the district court granted summary judgment to The Screening Pros on remand because the violation of § 1681c(a)(5) was neither willful nor negligent. The district court’s holding was supported by the fact that this was an issue of first impression in the Ninth Circuit. FTC guidance available at the time the report was issued (but rescinded afterward) indicated that the seven-year reporting period ran from the date of the disposition.

While the decision in Moran was certainly favorable to the background screener defendant, courts are not likely to be as lenient moving forward, given that the holding in Moran was largely predicated on the fact that the FTC’s guidance was rescinded only after the report was issued.

Domante v. Dish Networks, LLC

In September, the Eleventh Circuit weighed in on the meaning of a “legitimate business need,” one of the permitted purposes for obtaining a screening report under § 1681b of the FCRA.[8] In Domante, the court held that requesting and obtaining a consumer report for verification and eligibility purposes is a legitimate business need under the FCRA.

Plaintiff Domante had previously filed and settled an FCRA suit against Defendant Dish Networks, LLC (Dish), after Domante’s personal information was stolen and used to open two accounts with Dish. To implement the terms of that settlement, Dish entered Domante’s personal information, including her Social Security number, into an internal system designed to prevent unauthorized accounts from being opened in the future.

When an attempt was made to open a new account using the last four digits of Domante’s Social Security number but a different name, Dish submitted the applicant’s information to a CRA to verify the applicant’s identity. The CRA matched the information with Domante and returned her credit report to Dish, which included Domante’s full Social Security number. Dish then blocked the application and requested that the CRA delete the inquiry from Domante’s credit record. Domante sued, arguing that Dish did not have a legitimate business need to pull her credit report because Dish knew or should have known that Domante was not the account applicant based on their prior settlement agreement.

The Eleventh Circuit noted that the false applicant provided only the last four digits of Domante’s Social Security number. Dish depended on the CRA’s credit report to obtain the full Social Security number for cross-checking with its internal records. Using the report for this verification and eligibility purpose was a legitimate business need.

A key takeaway for requesters of consumer credit reports is the importance of developing and maintaining internal verification and eligibility procedures that are consistent with the information contained in the requested report.

Consumer Data Industry Association v. Frey

In October, the U.S. District Court for the District of Maine held that the federal FCRA preempted burdensome credit reporting restrictions imposed by the Maine Fair Credit Reporting Act.[9] The Maine legislature passed two amendments to the Maine Fair Credit Reporting Act in 2019 prohibiting CRAs from including certain kinds of information in a consumer’s credit report. The amendments restricted reporting certain medical debts and debts that were the result of “economic abuse.” Both laws required CRAs to engage in extensive investigations of the underlying circumstances, conditions, and status of a consumer’s debts to determine whether those debts were reportable. The Consumer Data Industry Association (CDIA) filed suit, seeking declaratory judgment that both laws were preempted by the FCRA.

The court ruled in favor of the CDIA and held that the amendments were preempted by the FCRA. Engaging in a detailed analysis of the language and history of the FCRA’s preemption provisions, the court held that the FCRA preempted any state regulation of information contained in consumer reports. In doing so, the court rejected the narrower construction advocated by the state of Maine that would limit preemption to the specific types of information already regulated by the FCRA.

The court’s analysis in Frey will have important ramifications for other states seeking to impose their own restrictions on consumer credit reports and for any other present or future preemption claims against states by CRAs, furnishers and users. The state of Maine has filed an appeal of the district court’s decision, which will give the First Circuit an opportunity to rule definitively on this issue.

Settles v. Trans Union, LLC

The year 2020 saw an influx of complaints alleging that the “current pay status” reported by a furnisher is inaccurate when an account that was delinquent when closed is reported with a historical delinquency status. Settles was one such case where the theory was soundly rejected.[10]

In Settles, the plaintiff was overdue on his account by 120 days when his account was closed. His credit report showed that his account was closed, and the account balance was $0. However, the pay status reflected 120 days past due. The plaintiff brought suit claiming that this was materially misleading because the account could not be past due while also having a $0 balance. The court held that the reporting was not inaccurate or misleading. The court noted that it must look at the accuracy of the report as a whole, taking into account relevant context. It listed several cases holding that reporting historical data is not inaccurate.

This decision and others like it underscore that the inclusion of accurate historical account information on credit reports is allowable and not misleading, even when the current account information is different from the historical information and may even appear contradictory on its face.

Erickson v. First Advantage Background Services Corp.

Addressing a recurring issue bedeviling the background screening industry, the Eleventh Circuit confirmed in December that it is not inaccurate for a CRA to report a criminal or sex-offender record without matching the record to a subject consumer, as long as the CRA notifies the user of the report that the record needs further investigation before being attributed to the consumer.[11]

Plaintiff Erickson applied to be a Little League coach and was subjected to a background check. Unfortunately, his report identified a sex offender record of his estranged father, with whom he shared his name. In releasing the report, First Advantage explained to Little League that it was a name-only match and that further review was necessary to determine if the record belonged to Erickson. Erickson nevertheless filed suit, arguing that First Advantage violated the FCRA’s requirement that a CRA “follow reasonable procedures to assure maximum possible accuracy” of reported information. The district court ruled against him.

On appeal, the Eleventh Circuit weighed in on a debate that has reached several circuit courts: whether the FCRA’s “maximum possible accuracy” requirement demands more than technical accuracy. The court held that it does, following a plurality of circuit courts by holding that the FCRA requires reported information to be both factually true and “unlikely to lead to a misunderstanding.”

Despite rejecting a lenient test in favor of a more stringent one, the court affirmed that First Advantage’s report was neither inaccurate nor objectively misleading because no reasonable user in the shoes of the report’s intended user would be misled. The court focused on First Advantage’s cautionary disclaimer that further review was required. CRAs seeking compliance tips should note carefully the notifications First Advantage gave to the users of its reports, which the court found to be clear.

Conclusion

FCRA litigation continues to increase. With increased caseloads comes increased precedent, and going forward, we continue to expect to see more and more published FCRA decisions.


[1] WebRecon LLC, WebRecon Stats for Oct 2020 & Year-End Projections, https://webrecon.com/webrecon-stats-for-oct-2020-year-end-projections.

[2] Williams v. First Advantage LNS Screening Solutions, Inc., 947 F.3d 735 (11th Cir. 2020).

[3] Ramirez v. TransUnion LLC, 951 F.3d 1008 (9th Cir. 2020).

[4] Walker v. Fred Meyer, Inc., 953 F.3d 1082 (9th Cir. 2020).

[5] Luna v. Hansen and Adkins Auto Transport, Inc., 956 F.3d 1151 (9th Cir. 2020).

[6] Davis v. C&D Security Management, Inc., 2020 U.S. Dist. LEXIS 132291 (E.D. Penn. July 27, 2020).

[7] Moran v. Screening Pros, 2020 U.S. Dist. LEXIS 148171 (C.D. Cal. July 30, 2020).

[8] Domante v. Dish Networks, LLC, 974 F.3d 1342 (11th Cir. 2020).

[9] Consumer Data Industry Association v. Frey, 2020 U.S. Dist. LEXIS 187061 (D. Me. Oct. 8, 2020).

[10] Settles v. Trans Union, LLC, 2020 U.S. Dist. LEXIS 220341 (Nov. 24, 2020).

[11] Erickson v. First Advantage Background Servs. Corp., 981 F.3d 1246 (11th Cir. 2020).

Filing Patent Lawsuits as an Anonymous Plaintiff in the N.D. Ill.—Is it Possible?

On September 4, 2020, in ABC Corporation I, et al. v. The Partnerships and Unincorporated Associations Identified on Schedule “A,” the U.S. District Court for the Northern District of Illinois held that plaintiffs could not conceal their identities in patent infringement suits by filing suit under pseudonyms. The plaintiffs had filed using pseudonyms to avoid tipping off the defendants and giving them the opportunity to reorganize under new seller aliases and to evade prosecution.

The plaintiffs create, manufacture, and sell products with patented designs. They anonymously filed a complaint, including exhibits under seal, alleging that the defendants had infringed plaintiffs’ patented designs. The plaintiffs alleged that the defendants were selling infringing products to consumers in Illinois and the United States through online stores that misleadingly portrayed the defendants as authorized online retailers. The plaintiffs asserted that the defendants regularly registered or acquired new seller aliases to conceal their identities and avoid the cessation of their business operations.

After the complaint was filed, the Northern District of Illinois issued an order to show cause why the documents should not be unsealed and why the complaint should not be stricken because the plaintiffs filed under pseudonyms. In response to the order, the plaintiffs cited Doe v. Village of Deerfield, which provided that with leave of the court, a party may file anonymously if there are “exceptional circumstances.” Such exceptional circumstances must outweigh both the public policy in favor of identified parties and the prejudice to the opposing party that would result from anonymity. Examples include, but are not limited to, the need to protect state secrets, trade secrets, or victims of abuse, as well as “a party’s allegation of fear of retaliation.”

Here, the plaintiffs’ theory for filing anonymously was to prevent the defendants from receiving advance notice of the lawsuit and creating new, fictitious seller names, thus evading the case. However, according to the court, this reasoning did not meet the necessary burden to proceed anonymously in the patent infringement case because the defendants could use new fictitious seller names even after the court issued a temporary restraining order. The court went on to hold that “[a] patent infringement case, without more, is not enough of a reason to circumvent the public disclosure requirements of the Federal Rules.” As a result, the complaint was stricken, and the court granted the plaintiffs leave to file an amended complaint reflecting the actual names of the entities.

The court’s decision further fleshes out “exceptional circumstances” in the context of intellectual property cases, excluding the desire to avoid tipping off an elusive defendant as a sufficient basis for filing a lawsuit anonymously. Consequently, in the absence of compelling grounds in favor of anonymity, plaintiffs may be required to provide their actual names in court filings related to patent infringement, despite any risks or fears associated with doing so.

Although filing a patent case as an anonymous plaintiff may not be an option unless exceptional circumstances can be shown, an alternative that might thwart a defendant’s evasion is to file a motion for a temporary restraining order contemporaneously with the complaint to maintain the status quo of the case. Contrary to the plaintiffs in ABC Corporation I who filed a complaint with the intention of later seeking a temporary restraining order, patent owners who file a complaint in conjunction with a motion for a temporary restraining order may successfully prevent defendants from removing any evidence of infringement and resurfacing under new seller aliases.

In addition to contemporaneously filing a complaint and a motion for a temporary restraining order, patent owners may notify third-party e-commerce websites and request the permanent removal of the seller and/or the infringing material. E-commerce companies, such as Amazon and Alibaba, provide platforms where owners may anonymously allege infringement of their patented works and report concerns with inappropriate listings, other sellers, and policy violations. Once a report is submitted, it is then evaluated through a multistep process that may result in the resolution of the alleged conflict. Such an option allows patent owners to potentially avoid the significant expense of federal litigation and seamlessly seek protection of their works without disclosing their names or any other identifiable information to the infringers. It would likely be more difficult for an infringer to evade the likes of Amazon with whom it already has a relationship as an Amazon seller.

Evolving Relationship of Business and Human Rights

Recognized international human rights have traditionally been framed in terms of the duties and obligations of states under treaties and other instruments and elements of international human rights law.[1] The main concern of human rights activists has generally been vertical protection, which refers to ensuring that individuals and groups get protection and required services and resources from the state. In the past, relatively little or no attention was paid to businesses’ responsibility for human rights. Many business ethicists were skeptical about whether businesses had any ethical responsibilities, and they noted that it was difficult and unfair to identify responsibilities in this area when the concept of human rights was so difficult to describe. Others clung to the traditional argument that states had exclusive responsibility with regard to human rights and that the role of businesses should be confined to complying with the laws and regulations promulgated by states with respect to workplace conduct, use of natural resources, and the like.[2]

In recent years, however, the criticism of businesses that accompanied the globalization that dominated the last decades of the twentieth century has shifted more and more attention to horizontal protection, which refers to individuals obtaining protection or services from nonstate actors such as businesses, nonstate armed groups, the media, and other people, groups, or institutions. For example, protecting women and children from violence in their homes; improving conditions for workers in factories, offices, and other workplaces; and reducing pollution from operations damaging the health of people living in surrounding communities must be addressed by strengthening horizontal protections and imposing higher human rights duties and responsibilities on businesses. These duties go beyond simply complying with the domestic laws and regulations of the countries in which businesses have made an affirmative choice to operate. The pressure to hold businesses, as well as states, accountable for human rights duties and obligations was exacerbated by highly publicized events such as the chemical gas leak at Union Carbide’s Bhopal pesticide plant in 1984 that killed thousands in India, the catastrophic Exxon Valdez oil spill in 1989, disclosures of child labor abuses among the supply chains of well-known global apparel and footwear companies, and the complicity of Western mining, oil, and gas companies in the violence perpetrated by governmental security forces in developing countries.[3]

The day-to-day operational activities and strategic decisions of businesses inevitably have an impact, both positive and negative, on one or more universally recognized human rights. On the positive side, businesses create jobs that provide workers and their families with a higher standard of living and give them the financial resources to pursue education and leisure. These businesses, having direct control over their operations, can take steps to make progress on fundamental human rights topics such as discrimination, sexual harassment, health and safety, and privacy. The philanthropic activities of businesses can also support the efforts of states and other nonstate actors such as nongovernmental organizations (NGOs) to alleviate poverty and improve education and housing conditions. Many businesses have been acknowledged and praised for the unique role they play in society as the creators of wealth, sources of employment, deliverers of new technologies, and providers of basic needs.[4] 

At the same time, businesses, fixated on profits as their main and often seemingly exclusive goal and purpose, have repeatedly treated their workers poorly, engaged in dangerous or corrupt business activities, polluted the environment, developed and marketed products and services that harm consumers, and overseen development projects that have displaced or marginalized communities. Concern over these negative impacts of business activities has increased as corporations themselves have grown in size to the point where many of them are larger than some nation states. Moreover, as states struggle to balance their own budgets and provide their citizens with services that are part of basic human rights, they are turning to business for assistance. This trend has raised further concerns about whether companies can assume and carry out these responsibilities in an ethical fashion with due respect for human rights. 

In this scenario, three key questions have emerged and are being hotly debated by a wide range of stakeholders around the world in a variety of forums: (1) What should be the appropriate scope of human rights duties and obligations for businesses and other nonstate actors; (2) how should those duties and obligations be formalized; and (3) what role should the state take in enforcing the human rights duties and obligations imposed on businesses and nonstate actors, and how should that role be integrated into the existing international human rights framework (e.g., a treaty)?[5] It is certainly true that some businesses have no interest in being held accountable for the human rights impacts of their activities and will never voluntarily participate in formulating laws, regulations, and standards that might hold them responsible for their violations of human rights. It is also likely, however, that progress toward viable formulations of the duties and responsibilities of businesses with respect to human rights is being hampered by a lack of consensus among states, businesses, multigovernmental organizations, NGOs, community groups, human rights activists, and other interested parties on how to frame and address key fundamental questions. Chief among such questions are what are human rights; who should be responsible for human rights; which human rights, if any, should businesses be responsible for; and what should be the scope of that responsibility?[6]

Articles 29 and 30 of the UN Declaration of Human Rights specify that no state, group, or person (presumably including business enterprises such as corporations) can infringe upon human rights. Building on that basic concept, it seems easy to arrive at the position that businesses should not knowingly expose their workers to dangerous working conditions or rely on forced labor, but even in these areas progress has been slow.  However, looking at business activities through a human rights lens has raised novel and challenging questions when those activities bring into play rights that have traditionally been assigned to and carried out by the state:[7]

  • Social media businesses have been allowed to make their own decisions regarding the communications activities of visitors to their sites and can remove those communications if they violate policies created and enforced solely by the business. When a social media business removes a communication, does it violate the user’s freedom of expression, and should the business have a legal duty not to infringe on users’ freedom of expression?
  • Does a restaurant that fails to provide food to a homeless person who comes into the restaurant and asks for food infringe on the homeless person’s human right to be free from hunger, and should restaurants have an affirmative legal duty to provide food in such situations?
  • Does a utility company that provides electricity or water to households have a duty and obligation, based on human rights principles, to continue providing services to households that are unable or unwilling to pay? Similarly, do hospitals have a duty to provide emergency medical services to patients without insurance or other means to pay for such services?

In each of these situations, the question is whether human rights duties imposed on states should also be applied to nonstate actors such as businesses. In some cases, the first steps have been left to the businesses themselves. Such has been the case with social media businesses that make their own decisions regarding political advertising on their sites and how they can use data collected from visitors to the site within the business and shared with outside parties. Some states, pushed by a range of stakeholders, including consumers and human rights activists, are now beginning to realize that leaving these issues to businesses is untenable. It may be too early, however, to reliably predict the ultimate resolution. An obvious problem in several cases is whether and how imposing human rights obligations on businesses will impact their ability to remain in business and create positive human rights impacts for their stakeholders. (For example, a restaurant required to fulfill the unmet needs of homeless people in its community for food may eventually be unable to achieve the minimum level of profitability necessary to remain in business. This will cause workers to lose their jobs, reduce the revenues of their suppliers, and deprive governments of tax revenues that could be used to provide other support and assistance to the homeless community.)

The International Organization for Standardization (ISO), a worldwide federation of national standards bodies, developed ISO 26000 Guidance on Social Responsibility to serve as a guide for organizations based on principles of social responsibility. ISO 26000 highlights the social responsibility and engagement of stakeholders; the seven core subjects and issues pertaining to social responsibility, the second of which is human rights; and ways to integrate socially responsible behavior into the organization.[8] ISO 26000 maintains that states have a duty and responsibility to respect, protect, and fulfill human rights and that organizations have the responsibility to respect human rights by identifying and responding to members of vulnerable groups within their sphere of influence. This guideline points out that the responsibilities of organizations with respect to human rights are independent of the duties and obligations of the state, which means that organizations must act regardless of whether the state is unable or unwilling to fulfill its duty to protect. At a minimum, organizations should avoid passively accepting or actively participating in the infringement of the rights of others, a duty that can only be discharged by undertaking due diligence. Moreover, while the baseline responsibility for businesses and other nonstate organizations is to respect human rights, they need to take into account stakeholder expectations that go beyond respect. They may also want to make affirmative contributions to the fulfillment of human rights for their own sake. 

The overall landscape relating to business and human rights has been transformed over the last few decades. Businesses now have access to specialized groups formed to provide assistance to companies in operationalizing human rights (e.g., the Business and Human Rights Resource Centre, the Global Business Initiative on Human Rights, Business for Social Responsibility, the Danish Institute for Human Rights, the Institute for Human Rights and Business, and Shift). States have responded to calls to strengthen their actions relating to human rights protection by developing and adopting national action plans on business and human rights. In addition, national human rights institutions (NHRIs), such as national human rights commissions, have shifted more of their attention toward business and human rights and are providing platforms for discussions among the key players, including businesses, government officials, and representatives of civil society.[9] NGOs, community groups, and human rights activists around the world continue to monitor the conduct of businesses relating to human rights, publicizing abuses, organizing consumer boycotts, initiating lawsuits, and participating in complaint mechanisms established in various human rights standards to facilitate the resolution of disputes.[10]


This article is an excerpt from the author’s new book, Business and Human Rights: Advising Clients on Respecting and Fulfilling Human Rights, published by the ABA Section of Business Law.


[1] Alan S. Gutterman is a business counselor and prolific author of practical guidance and tools for legal and financial professionals, managers, entrepreneurs, and investors on topics including sustainable entrepreneurship, leadership and management, business law and transactions, international law, and business and technology management. He is the co-editor and contributing author of several books published by the ABA Business Law Section, including The Lawyer’s Corporate Social Responsibility Deskbook, Emerging Companies Guide (3rd Edition), and Business and Human Rights: A Practitioner’s Guide for Legal Professionals. Alan is also currently a partner of GCA Law Partners LLP in Mountain View, California (www.gcalaw.com). More information about Alan and his work is available at his personal website at www.alangutterman.com.

[2] G. Brenkert, Business Ethics and Human Rights: An Overview, Business and Human Rights Journal 1, 277 (2016).

[3] The movement to focus attention on the impact of businesses on the environment and people actually has its roots earlier, in the 1960s and 1970s, with the formation of new activist organizations such as the World Wildlife Foundation (1961), Friends of the Earth (1971), and Greenpeace (1971). K. Earley, From Reaction to Purpose: The Evolution of Business Action on Sustainability, The Guardian (October 31, 2017).

[4] C. Mayer, Prosperity: Better Business Makes the Greater Good (2019).

[5] 1 An Introduction to Human Rights in Southeast Asia 17–18 (A. Sharom, J. Purnama, M. Mullen, M. Asuncion, and M. Hayes eds., 2018).

[6] Brenkert, supra note 2, at 277.

[7] 1 An Introduction to Human Rights in Southeast Asia, supra note 5, at 161.

[8] ISO 26000 Guidance on Social Responsibility v–vi (2010).

[9] https://www.business-humanrights.org/en/business-human-rights-a-brief-introduction

[10] Id. (noting availability on information on a number of leading business and human rights lawsuits on the Corporate Legal Accountability Portal of the Business and Human Rights Resource Centre).

When COVID Met MAE in the Ordinary Course of Business: Canadian and US Courts Take Different Approaches

Since the outbreak of the COVID-19 pandemic, there has been a wave of cases in Canada and the United States where buyers have sought to walk away from an acquisition.[1] In justifying their decision not to close, buyers have invoked material adverse effect (“MAE”) clauses and covenants to carry on business in the ordinary course. The recent decision of the Ontario Superior Court of Justice in Fairstone Financial Holdings Inc. v. Duo Bank of Canada has established an important Canadian precedent for the interpretation of these commonly found provisions in M&A transaction agreements. Interestingly, around the same time, the Delaware Court of Chancery released its AB Stable VIII LLC v. MAPS Hotels and Resorts One LLC decision, which also centered on a purchaser’s right to abandon an M&A transaction in the face of COVID-19. Since these types of disputes are typically settled before trial, these decisions offer some important takeaways. This article primarily focuses on the Fairstone decision and then compares it to the Court’s analysis in AB Stable.

The Fairstone Decision: Facts

In early 2020, Duo Bank of Canada (“Duo”) won a highly competitive auction to purchase Fairstone Financial Holdings Inc. (“Fairstone”), Canada’s largest consumer finance company for near prime borrowers. The share purchase agreement (the “SPA”) was signed on February 18, 2020, with the closing date set for June 1, 2020 and an outside date of August 14, 2020.

At the time of signing, the World Health Organization had already declared that COVID-19 was a “public health emergency” and the mounting pandemic only exacerbated Fairstone’s financial situation over the coming months. Duo ultimately communicated to Fairstone on May 27, 2020 that it would not be closing the transaction on the planned date of June 1, taking the position that it could abandon closing because the MAE clause and the ordinary course covenant had been breached. In response, Fairstone brought an application for specific performance.

Did the COVID-19 Pandemic Constitute an MAE?

The SPA included a closing condition that no MAE could occur between signing and closing. The definition of MAE in the SPA was fairly typical. It included any fact, circumstance, condition or occurrence that has (or would reasonably be expected to have) a material adverse effect on Fairstone’s business, operations, or condition (financial or otherwise). The definition then went on to identify a number of carve-outs; that is, circumstances or events that would be deemed not to be an MAE under the SPA. The carve-outs included:

  • worldwide, national, provincial, or local conditions or circumstances, including emergencies and crises;
  • changes in the markets or industry in which Fairstone operates; and
  • the failure of Fairstone to meet any financial projections.

The first two carve-outs were further subject to a disproportionate effects exception whereby the carve-out would not apply (and thus an MAE would occur) if the carve-out event had a materially disproportionate adverse impact on Fairstone compared to other players in its industry or market.

The Court ultimately found that although Duo had met its burden of proof to establish that there was an MAE, all three of the carve-outs applied and none of them had a materially disproportionate adverse impact on Fairstone relative to others in the industry or market. Accordingly, an MAE did not occur and the no MAE condition was satisfied.

The decision sheds light on several important considerations for the interpretation of MAE provisions:

  • Issues of timing were clarified. The Court agreed with Fairstone that August 14, 2020, the outside date by which the transaction was to close, was the appropriate date to assess whether an MAE had occurred. Duo had argued that May 27, 2020 – the date that it gave notice that it would not close – was the appropriate date. The “outside date” was chosen by the Court because Duo made the strategic decision not to terminate the SPA before then to avoid a potentially significant damages claim by Fairstone and to reserve its ability to close. Had Duo formally terminated the SPA, the termination date would have been the proper assessment date.

A second timing-related issue addressed by the Court was the question of how far into the future a court should look to determine if a condition is reasonably expected to constitute an MAE. While the answer to this question will depend on the circumstances of the case, the Court underscored that the forward-looking period cannot be indefinite and the nature of the business to be acquired will play a role in this determination.

  • Delaware case law can be influential in Canada, eh. Justice Koehnen affirmed the principle that MAE clauses are to be interpreted from the perspective of the party for whose benefit they were granted. He cited with approval case law from Delaware that sets out three requirements for an MAE:
    • an event that is unknown when the agreement is signed;
    • which is a threat to overall earnings potential; and
    • which has “durational significance”.

Of particular interest, the Court concluded that while the existence of the pandemic was known at the time the SPA was signed, the effect of the pandemic was not. The effect was, therefore, the unknown condition.

  • MAE clauses are not meant to protect purchasers against systemic risks. In finding that each of the three carve-outs applied, Justice Koehnen adopted a broad interpretation that supported the principle that MAE clauses are intended to allocate systemic risks to the purchaser, whereas company-specific risks are borne by the seller. Against this backdrop, the findings further highlighted that the MAE clause could have been drafted in a way that better protected the purchaser from exogenous risks like a pandemic; however, the Court made a point not to afford either party protections they could have had but did not bargain for.

Were Fairstone’s responses to COVID-19 ordinary course?

The second issue the Court considered was whether Fairstone breached the ordinary course covenant, which required Fairstone to operate the business in the ordinary course between the signing of the SPA and the closing date. “Ordinary Course” was defined in the SPA as an action consistent with past practices and taken in the ordinary course of the normal day-to-day operations. The only way that Fairstone could forego this obligation was to obtain the consent of Duo, which could not be unreasonably withheld.

Duo argued that Fairstone took various steps in response to the pandemic that violated the ordinary course covenant, namely that Fairstone made changes:

  • to its branch operations;
  • its collection process;
  • its employment policies;
  • its expenditures; and
  • its accounting methods.

The Court disagreed and made the following key holdings in reaching this conclusion:

  • The interpretation of the ordinary course covenant warrants a contextual analysis. The Court rejected Duo’s submission that Fairstone’s conduct during the pandemic ought to be compared to its conduct before the pandemic. Instead, a contextual approach was applied whereby the Court found that in the face of an economic contraction, it was more appropriate to look at what Fairstone had done in similar economic circumstances or what other businesses were doing. Although it was deemed in the ordinary course of any business to respond to economic downturns, the magnitude and the duration of the response factored into the Court’s analysis. The Court concluded that, in response to an economic contraction, if a business takes prudent steps that have no long-lasting effects and do not impose any obligations on the purchaser, such steps fall within the realm of ordinary course operations.
  • The purpose of the ordinary course covenant is to protect a buyer against company-specific risks and moral hazard. The Court’s interpretation of the ordinary course covenant in light of this purpose sought to evaluate whether Fairstone’s conduct was pursued in good faith for the purpose of continuing the business, as opposed to changing it. The Court found that none of the actions taken by Fairstone in response to the pandemic fundamentally changed its business. Fairstone responded to the pandemic with the aim of preserving normal operations, as much as possible. Conversely, if a seller is responding to economic challenges that are unique to the target business or is behaving opportunistically, then a Court will be hard-pressed to find that such conduct falls within the ordinary course.
  • Obtaining the purchaser’s consent to operate outside of the ordinary course may not be required if withholding such consent would be unreasonable. The SPA allowed Fairstone to operate outside of the ordinary course if it obtained prior written consent from Duo, which Duo could not withhold unreasonably. The Court found that Fairstone did not need to seek Duo’s consent because it was operating within the ordinary course. However, the Court went further and determined that even if Fairstone’s conduct fell outside of the ordinary course, Duo would have had to provide its consent because it would have been unreasonable to withhold consent in the circumstances. The inclusion of a reasonableness standard left it to the Court to ultimately decide whether or not obtaining the purchaser’s consent was just a legal formality. It remains to be seen how similar clauses will be interpreted in subsequent decisions.

A different approach in AB Stable

The AB Stable litigation stemmed from a September 2019 agreement of Mirae Asset Financial Group (“Mirae”) to acquire Strategic Hotels & Resorts (“Strategic”), a luxury hotel portfolio. The transaction was set to close in April 2020; however, Mirae provided notice to the seller, a subsidiary of Anbang Insurance Group (“Anbang”), that it was not required to close. Mirae asserted that Strategic’s business had suffered an MAE due to COVID-19 and that Anbang had breached its covenant to ensure Strategic continued to carry on its business in the ordinary course between signing and closing by reason of the changes that Strategic made to its business to respond to the COVID-19 pandemic. Anbang sued Mirae to compel it to close.

Vice Chancellor Laster found that the COVID-19 pandemic did not result in an MAE on the target business because the consequences of the pandemic fell within the plain meaning of the carve-out to the MAE definition for “natural disasters and calamities.” However, the Vice Chancellor found that Anbang made significant changes to Strategic’s business to respond to the pandemic and that these changes were not undertaken in the ordinary course of business, in breach of Anbang’s covenant in the merger agreement to operate Strategic’s business in the ordinary course between signing and closing. As a result of that breach, Mirae could avoid closing.

Below is a summary of critical findings from the decision and how they compare to the Ontario Court’s approach in Fairstone:

  • Baseline assumptions of risk allocation warrant a broad interpretation of the MAE clause. Because the structure of a typical MAE definition (as described above in the Fairstone SPA) shifts systemic risks to a purchaser, it made sense to read the “calamity” exception as shifting the systemic risk of a global pandemic to Mirae. This reasoning supported the Court’s rather expansive interpretation of the plain meaning of “calamities,” and it mirrors the broad reading of MAE carve-outs taken by the Court in Fairstone. Both decisions also suggest that deviations from the underlying assumptions of risk allocation should, therefore, be explicit.
  • The Delaware Court’s analysis of the ordinary course covenant largely relied on the specific contractual language in the merger agreement. In response to COVID-19, Anbang took various actions that included closing hotels, severely limiting operations of other hotels, and reducing its staff. While acknowledging that these changes were “reasonable responses to the pandemic,” the Court viewed inclusion of the word “only” in the ordinary course covenant – i.e. Strategic was to conduct its business “only in the ordinary course consistent with past practices” (emphasis added) – as creating a standard that looked exclusively at how the target business was operated before and after entering into the merger agreement. The Court in AB Stable rejected the kind of contextual analysis undertaken by the Ontario Court in Fairstone and concluded that the steps taken by Anbang “departed radically” from Strategic’s routine operations. The AB Stable decision highlights that the flexibility to respond to extraordinary events must be drafted into the ordinary course covenant, whereas the Ontario Court’s analysis in Fairstone imported a degree of flexibility into its analysis.
  • “Compliance with the notice requirement is not an empty formality.” Vice Chancellor Laster stated these words in support of his finding that Anbang was obligated to seek Mirae’s consent before operating outside of the ordinary course. The Court explained that notice allows a purchaser to protect its interests, such as by proposing reasonable conditions to providing consent. Accordingly, if a purchaser’s consent is not granted, then a seller’s recourse is to sue the purchaser for unreasonably withholding its consent. This approach is in stark contrast to the conclusion reached by the Ontario Court in Fairstone, where it held that in the circumstances (actions taken by the target in response to the pandemic), the purchaser could not have reasonably withheld its consent even if the seller had deviated from the ordinary course.

Conclusion

These decisions provide important guidance for Canadian and American M&A practitioners negotiating MAE clauses and ordinary course covenants. They are significant because in each respective jurisdiction, a court had not previously opined on this subject matter in the context of COVID-19. The Fairstone decision is also the first Canadian decision that approvingly cites a string of modern Delaware cases that generally have been viewed as being pro-seller.

The Court in Fairstone ultimately ordered the purchaser to specifically perform the SPA, and the purchaser completed the acquisition on January 5, 2021. Remedies were therefore not a major point of contention and we will have to wait for further Canadian judicial guidance on this point. Conversely, the Court in AB Stable ruled that the purchaser was entitled to a return of the deposit it paid plus interest, in accordance with the terms of the transaction agreement.


[1] John F. Clifford is a partner (and head of the Business Law/M&A Group) and Mikolaj Niski is an associate in the Toronto office of McMillan LLP.

Recent Guidance on Relationships with Other Lawyers and Personal Interest Conflicts

A recent[1] ABA ethics opinion addresses conflicts arising out of a lawyer’s personal relationship with opposing counsel under Rule 1.7(a)(2) of the Model Rules of Professional Conduct.  That Rule prohibits a lawyer from representing a client without informed consent if there is a significant risk that the representation of the client will be materially limited either by a lawyer’s responsibilities to others (another client, a former client, a third person) or by a personal interest of the lawyer.  

Formal Opinion 494 (“Op. 494”) considers the latter in the context of personal relationships with counsel representing different clients in the same or related matters.  The point of departure for this examination is Comment [11] to the rule, which observes that when opposing counsel are related by blood or marriage, “there may be a significant risk that client confidences will be revealed and that the lawyer’s family relationship will interfere with both loyalty and independent professional judgment.” 

The opinion expressly relies upon—and derives its categories of relationship (discussed below) from—an opinion issued a year earlier, Formal Opinion 488, dealing with judicial disqualification or recusal[2] based on a judge’s social or close personal relationships with lawyers or parties.  This weakens Op. 494, as the analogy to judicial ethics is not entirely apposite: Judicial disqualification under Rule 2.11 of the Model Code of Judicial Conduct arises when a judge’s impartiality “might reasonably be questioned.”[3]  The judiciary’s authority and persuasiveness are dependent upon public trust and confidence in the fairness, integrity, and impartiality of judicial officers, in fact as well as in appearance.[4]  Indeed, the importance of such public perceptions is emphasized on the very first page of Formal Opinion 488. 

In contrast, practicing lawyers are not supposed to be impartial, either in fact or in appearance; on the contrary, lawyers have an ethical obligation to be zealous advocates of their clients’ interests.  In fact, the “appearance of impropriety” as an ethical paradigm, which was included in Canon 9 of the ABA Model Code of Professional Responsibility,[5] has since been firmly repudiated, primarily because it was too vague a standard to be enforceable.  The Restatement observed that this standard did not “give fair warning of the nature of the charges to a lawyer respondent” and “subjective and idiosyncratic considerations could influence a hearing panel or reviewing court in resolving a charge based only on it.”[6]  The Ethics Committee conceded the point in 1975,[7] as did the ABA when adopting the Model Rules.[8]   

Despite the unsuitability of the analogy to judicial disqualification, it does seem sensible to try to identify bases for distinguishing different types of relationships with other lawyers that might give rise to a conflict of interest and identifying those that are waivable by client consent.

Op. 494 divides such relationships into three categories: intimate relationships, friendships, and acquaintances.[9]  Ascertaining which of these three characterizes a relationship with opposing counsel will help to determine whether a conflict exists.  If it does, the lawyer may still be able to continue the representation under Rule 1.7(b)(1) and (b)(4), provided “the lawyer reasonably believes that the lawyer will be able to provide competent and diligent representation to each affected client” and “each affected client gives informed consent, confirmed in writing.”

Intimate relationships include marriage, engagement to be married, or an exclusive romantic attachment.  Intimate but non-exclusive relationships are more difficult to characterize and require a more nuanced judgment by the lawyers involved.  Lawyers cohabiting in an intimate relationship are treated pari passu with married couples.   

Friendships “may be the most difficult category to navigate.”  The opinion strikes the balance this way: Close friendships (routine socializing, vacationing together, exchanges of gifts) should be disclosed, and informed consent should be obtained; professional friendships (law school classmates, former professional colleagues) need not ordinarily be disclosed, but even if, out of an abundance of caution, disclosure is advisable, informed consent need not be obtained. 

Acquaintances are described as “relationships that do not carry the familiarity, affinity or attachment of friendships.” Examples include individuals whom the lawyer sees at social or professional gatherings, such as a professional organization or a church, but with whom there is no “close personal bond.”  These need not ordinarily be disclosed and do not require client consent.  The opinion notes, however, that disclosure “may be advisable to maintain good client relations” and may help explain to the client that the relationship may actually benefit the representation “because the lawyers can work collegially.”   

While certainly useful for promoting awareness of what constitutes a personal interest conflict in the context of relationships with other lawyers, Op. 494 fails to elaborate a clear mental process for lawyers to detect and resolve these personal interest conflicts. 

In this author’s opinion, a sensible approach would be to start by asking whether the risk is significant that the lawyer’s relationship with other counsel would materially impair professional judgment in representing each affected client.  If not, then there simply is no conflict of interest.  If so, then the self-assessment morphs to whether the lawyer “reasonably believes” that he or she can nonetheless “provide competent and diligent representation to each affected client.”  (Recall that “reasonably” and “reasonably believes” are defined terms in Model Rule 1.0).  If the answer to that question is affirmative, then the lawyer should disclose the relationship and obtain informed consent in writing, but, if negative, then it seems the conflict is not curable by consent, and the lawyer cannot ethically represent the client in the matter. 

Finally, if a lawyer is disqualified by a personal relationship conflict, what about that lawyer’s partners and associates?  Unlike conflicts involving current and/or former clients, personal interest conflicts are not automatically imputed to others in the conflicted lawyer’s firm.  In that situation, Model Rule 1.10(a)(1) would not impute the conflict if the personal interest “does not present a significant risk of materially limiting the representation of the client by the remaining lawyers in the firm.”


[1] Formal Opinion 494, though dated July 29, 2020, was not actually released until October 7, 2020. 

[2] Strictly speaking, “recusal” traditionally refers to a judge’s withdrawal from a case sua sponte, while “disqualification” refers to the motion of a litigant asking the judge to step down.  See, e.g., Forrest v. State, 904 So.2d 629, 629 n.1 (Fla. App. 2005) (noting that “[r]ecusal is the process by which a trial court voluntarily removes itself, while disqualification is the process by which a party seeks to remove a judge from the case”).  In many jurisdictions, however, this distinction has not been observed or the two terms have been conflated.  See, e.g., Hendrix v. Sec’y, Fla. Dept of Corrections, 527 F.3d 1149, 1152 (11th Cir. 2008) (using the terms interchangeably); Advocacy Org. v. Motor Club Ins. Ass’n, 472 Mich. 91, 97 (2005) (Weaver J., concurring) (observing that recusal is the “process by which a judge is disqualified on objection of either party (or disqualifies himself or herself) from hearing a case.”).  Cf. John P. Frank, Disqualification of Judges: In Support of the Bayh Bill, 35 Law & Contemp. Probs. 43, 45 n.7 (1970) (observing that amendments to the federal disqualification statute, 28 U.S.C. § 455, have rendered the term “recusal” obsolete).  The ABA’s 1972 Code of Judicial Conduct and subsequent versions have used the term “disqualification” to mean both withdrawal sua sponte and upon motion of a party. 

[3] This is the current default standard in the Model Code of Judicial Conduct and has been adopted in nearly all the states.  Forty-five states have actually adopted it virtually in haec verba.  (It is also the federal standard.  See 28 U.S.C. § 455(a)).   

[4] Canon 1 of the Model Code of Judicial Conduct expressly requires judges to avoid “impropriety and the appearance of impropriety.” “Appearances matter because the public’s perception of how the courts are performing affects the extent of its confidence in the judicial system.  And public confidence in the judicial system matters a great deal . . . public confidence in our judicial system is an end in itself.”  American Bar Ass’n, Justice in Jeopardy: Report of the Commission on the 21st Century Judiciary 10 (2003).

[5] Canon 9 provided, “A lawyer should avoid even the appearance of professional impropriety.”

[6] Restatement (Third) of the Law Governing Lawyers § 5(c) (2000). 

[7] See Formal Opinion 342, n.17, reprinted in 62 A.B.A. J. 517 (interpreting the appearance standard and characterizing it as “too vague to be useful”). 

[8] “In the context of private practice, the test has no apparent limits except what a particular tribunal might regard as impropriety. . . . [S]uch a standard is too vague and could cause judgments about the propriety of conduct to be made on instinctive, ad hoc, or ad hominem criteria.”  ABA Comm. on Evaluation of Model Rules of Prof’l Conduct 53 (Prop. Final Draft 1981).

[9] Formal Opinion 488 used a slightly different spectrum: “(1) acquaintanceships, (2) friendships, and (3) close personal relationships.”  The latter included not just romantic relationships but also situations where a romance was not existing but desired, former romantic interests (e.g., a judge divorced from a lawyer where the two remain in communication because, for example, they share custody of children), and godparents.  Despite Op. 494’s reliance on Formal Opinion 488, the former inexplicably does not consider the latter’s example of divorced couples sharing custody of their children.

The GDPR Two Years On

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR)[1] came into effect, replacing the EU’s 1995 Data Protection Directive.[2] With the aim of modernizing and harmonizing the patchwork of laws across the European Union, the GDPR strengthened the protection afforded to data that identify individuals under the Data Protection Directive and clarified a number of key principles. Most notably, the GDPR extended the territorial reach of European data privacy law to organizations outside of the EU. For the first time, numerous U.S. companies would be directly subject to European data privacy law and therefore obliged to comply. In addition, the GDPR introduced tough new penalties, threatening organizations with fines of up to €20 million or 4 percent of global revenues for the most serious breaches. This led companies across Europe and the world to focus on bringing themselves into compliance and to build new processes and functions to respond to greater regulatory responsibilities, coupled with an increased awareness among data subjects of their rights under the GDPR.

In its first progress report, published two years after the GDPR took effect,[3] the European Commission in June 2020 highlighted a number of improvements brought about by the GDPR, including a level playing field for businesses across Europe, a greater awareness of citizens’ rights, and the GDPR’s flexibility to adapt to new technology. The Report concluded that “the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU.”[4]

This article addresses some of the most significant compliance issues under the GDPR and how these have evolved since the GDPR came into effect, some of the most notable cases applying the GDPR, and practical points that U.S. companies should consider.

The Importance of Consent

The GDPR states that personal data may not be “processed,” such as collecting, storing, and transmitting personal data, unless at least one of six legal bases is met.[5] One of those legal bases is whether the “data subject,” or individual, “has given consent.”[6] Consent has drawn a lot of attention over the last couple of years as it was previously a commonly used mechanism to enable the processing of personal data. Obtaining consent under the GDPR is now more challenging in practice due to stricter conditions than those set out in the Data Protection Directive.[7] The “controller,” which is the entity or organization that decides the purpose and means of processing personal data,[8] is responsible for compliance with the requirement to ensure personal data are legally processed, along with the other principles relating to the processing of personal data described in Article 5 of the GDPR (and other requirements of the GDPR).

“[C]onsent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment,” according to the European Data Protection Board (EDPB), an independent body, consisting of representatives from each EU country, whose purpose is to ensure the GDPR’s consistent application across Europe.[9] This is important not least because of the increasing prominence of consent for particular processing activities in the digital age, such as in the areas of new technologies and cookies.

Since the GDPR came into effect, the objective of increased transparency has been strongly emphasized in various guidelines published by European data protection authorities and the EDPB. A prerequisite to obtaining valid consent is that the data subject must be informed about the processing for which consent is being obtained.[10] According to Article 4(11) of the GDPR, the controller must be able to demonstrate that consent of the data subject was freely given, specific, and informed and an unambiguous indication of the wishes of the data subject, in which the data subject, either by a statement or by a clear affirmative action, signifies agreement to his or her personal data being processed. If there is insufficient transparency, the data subject’s consent will not be deemed valid.

The link between transparency and consent has been a pivotal issue in the much noted and discussed ruling by the French data protection authority—Commission Nationale de l’Informatique et des Libertés (CNIL)—against Google LLC.[11] In June 2020, France’s highest administrative court, the Conseil d’État, confirmed the ruling.[12] The ruling sanctioned Google with a €50 million fine for failure to comply with the GDPR requirements on transparency, adequate information, and valid consent for ad personalization. As of this article’s publication, this is the largest European fine confirmed as final and not subject to appeal.

In this important ruling, the CNIL referred to Articles 12 and 13 of the GDPR.[13] These articles require the controller to take appropriate measures to provide specific information to data subjects about the controller’s processing activities “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”[14] The specific information required to be provided is listed in Article 13 of the GDPR and includes the identity of the controller, the purposes of the processing, the legal basis for the processing, the recipients of the personal data, and other information necessary to ensure fair and transparent processing. The CNIL made it clear that the information provided by the controller to data subjects must put individuals in a position to determine in advance the scope and consequences of the processing so that their data are not used in ways that they are not expecting.[15] The CNIL determined that, when providing information to data subjects using a layered approach—such as giving a short initial notice containing key information and then including links to additional layers of information covering more detail—the most relevant information (including the scope and extent of purposes of the data processing) must be provided in the very first layer.[16]

A related and important issue arising in the context of online advertising was noted by the Conseil d’État. It found that in order to obtain a valid consent for personalized ads, Articles 4(11), 6, and 7 of the GDPR—articles covering the definition of consent, the lawful bases of processing, and the conditions for consent, respectively—prohibit collection of the data subject’s consent by way of a pre-checked checkbox.[17] It also noted that for the consent to be deemed valid the data subject must be provided with all adequate and sufficient information, and that the main information must be made available to the data subject up front, in the first layer of information.[18] Furthermore, the Conseil d’État found it improper to seek consent as part of the overall acceptance of general terms and conditions for using a service because the request for consent is not clearly distinguished from the overall acceptance of the general terms and conditions, as required by Article 7(2) of the GDPR.[19]

When the GDPR came into effect, one of the initial challenges to assessing whether consent was valid arose because certain processing activities fell under both the GDPR and Directive 2002/58/EC on privacy and electronic communications (ePrivacy Directive)—a 2002 EU directive on data protection and privacy in the digital age. However, in October 2019, the Court of Justice of the European Union (CJEU)—the European Union’s highest court—handed down an important decision concerning how consent to process personal data and use cookies may be obtained on the internet.[20] The CJEU ruled that consent is invalid under the ePrivacy Directive if it is given by means of opt-out boxes that users must uncheck in order to refuse consent.[21] The CJEU also pointed out that user consent, as required by the ePrivacy Directive, should be interpreted and read in conjunction with the definition of consent in the GDPR,[22] which also means that active consent from the user is required.[23] In addition, the CJEU ruled that the aforementioned interpretation of consent should be applied regardless of whether or not the data being stored or accessed from a user’s equipment are personal data.[24]

This ruling had a significant impact on the use of cookies by companies, and their marketing strategies had to be revised. The CNIL in France has worked with several marketing and advertising firms to find solutions to standardize the vocabulary in cookie banners. Also, the UK data protection authority, the Information Commissioner’s Office, has made clear that it will take a risk-based approach to the requirement of GDPR-level consent for cookies under its enforcement policy.[25] Businesses should therefore take particular care in obtaining consent for privacy-intrusive cookies such as those used for behavioral advertising or sensitive personal data collection.

From a practical perspective, the implications of both the aforementioned judgments as well as guidance published by European data protection authorities for controllers are as follows:

  • It is critical that controllers assess their level of transparency from the standpoint of complying with data subjects’ needs, rather than from the perspective of how well it serves the controller’s business;
  • Data privacy statements should be reviewed regularly to ensure that they provide the level of transparency now expected by data protection authorities and data subjects;
  • Controllers should carefully assess all of the legal bases described in Article 6 of the GDPR that could be available to ensure that consent is the most appropriate basis for processing and check that the basis on which a controller has been processing personal data in previous years is still accurate, as sometimes this may have changed. Moving from one basis to another presents challenges that are beyond the scope of this article;
  • If consent is considered the most appropriate basis for processing, then the entire mechanism for obtaining consent, including the information provided to data subjects through layered notices and policies, must be properly reviewed; and
  • For accountability purposes, controllers should ensure that they adequately record what consents have been provided and to what processing activities and purposes they relate.

The Evolving Concept of Accountability

While largely building on existing principles, the GDPR introduced a new concept of “accountability”—the principle that the controller “shall be responsible for, and able to show compliance with,” the GDPR’s subject matter and objectives.[26] This principle requires that, if requested, organizations can demonstrate the steps they took to comply with the GDPR and the effectiveness of those steps. The GDPR therefore requires organizations to not only take responsibility for everything they do with personal data but also actually document how they comply with all obligations enshrined in the GDPR.

In its Report, the EC commended the GDPR, saying that “The GDPR … ensures that all those that handle personal data under its scope of application are more accountable and responsible.”[27] Unfortunately, the GDPR does not further specify which measures are necessary to fulfill the accountability requirement. In the course of assessing and then implementing the relevant measures to ensure that GDPR requirements are met, organizations have often interpreted accountability to mean technical and organizational measures, which are already required under the GDPR, including specific measures such as keeping a register of processing activities, making data protection impact assessments, and providing data protection notices. However, as a result of published guidance by European data protection authorities, it has become clear that more documentation is needed than originally thought when companies were initially preparing for the GDPR.

For larger organizations, a new best practice has emerged: adoption of an overall data protection management framework, embedding processes that ensure systematic and demonstrable compliance across the entire organization. Typical measures include:

  • Robust program controls relating to the material obligations under the GDPR;
  • Mapping of the organization’s processing operations—and maintenance of an inventory of them—that is regularly reviewed;
  • Bespoke allocation of data protection responsibilities and implementation of reporting structures;
  • Appointment of a Data Protection Officer[28] when processing is carried out by a public authority or body, the core activities of a controller or processor involve regular and systematic monitoring of data subjects on a large scale, or there is processing on a large scale of special categories of personal data[29] or personal data relating to criminal convictions;
  • Written documentation of internal checks and assessments, including appropriate data protection policies; and
  • Audit and evaluation processes.

The latter two points are important in practice. European data protection authorities expect that companies can prove that they completed relevant assessments and that these assessments are performed regularly. For example, companies should carry out and thoroughly document an assessment of the circumstances in which they consider that they can lawfully process personal data on the basis that it is in their legitimate interests to do so,[30] especially since many European data protection authorities have requested these assessments in administrative proceedings. There have been cases where data protection authorities have sanctioned companies for breaching the accountability obligation, which demonstrates the importance of these process requirements. For example, in its decision dated July 30, 2019, the Greek data protection authority based its €150,000 fine against PwC on a breach of the accountability principle, because the controller allegedly was not able to demonstrate that they had collected valid consents for a certain processing activity.[31]

Against this background, organizations should reassess whether they have appropriate documentation in place and whether they have implemented a system of regular checks and audits of their data handling practices in order to keep up with stricter accountability interpretation and enforcement by data protection authorities.

Joint Controller Responsibilities

The most significant development in terms of which parties are subject to the GDPR is that of “joint controllers.”[32] Guidance from European data protection authorities demonstrates that there are many more circumstances in which the relationship between two parties is likely to be deemed that of joint controllers—rather than a controller and a “processor” or two independent controllers—than many practitioners and commentators anticipated. The importance of this distinction lies in the way that the GDPR places primary responsibility for compliance on the controller—the entity that determines the purposes and means of processing of personal data. The GDPR also allows for a scenario in which two or more controllers jointly determine the purpose and means of processing. Where this is the case, they are classified as joint controllers.

A number of legal obligations flow from the concept of joint controllers, including the requirement for the joint controllers to determine their respective responsibilities for compliance and the obligation to ensure that this arrangement is transparent and that key aspects are made available to the data subjects whose data are being processed.

In addition to guidance, there are also several CJEU cases signalling that more relationships will fall under the joint controller category than once anticipated.

The first was the Fan Page case,[33] in which the court found in June 2018 that the operator of a fan page and a social network, Facebook, were both joint controllers with respect to the processing of the personal data of visitors to a fan page hosted on Facebook. The court noted that visitors to the fan page were not warned that Facebook was collecting their personal data with cookies. One takeaway from this case was that a joint controller relationship was possible even if one of the parties—the administrator of the fan page—did not have access to the data that the other party—Facebook—was collecting. The court found the fact that both parties were determining the parameters for data analysis was sufficient for them to be deemed joint controllers.

In the Jehovah’s Witnesses case,[34] the court found in July 2018 that a religious community, such as the Jehovah’s Witnesses, is a controller jointly with its members who engage in preaching for the processing of personal data carried out by its members in their door-to-door preaching. The court noted that an entity that exerts influence over the processing of personal data for its own purposes and that participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller. As with the Fan Page case, joint responsibility did not require access to the data on the part of both controllers.

Finally, in the Fashion ID case,35 the court found in July 2019 that website operators that incorporate a third-party plug-in—a piece of software that acts as an add-on—on their sites can become joint controllers in the collection and sharing of personal data with that third party. One takeaway from this case was that joint control does not need to span the entire processing cycle for the parties to be joint controllers; it could be limited to certain processing steps.

These cases demonstrate that the CJEU applies a very low threshold for the required level of influence on data processing to categorize companies as joint controllers. Unfortunately, there is still a lack of clear and unambiguous criteria for assessing when a joint controller relationship may exist. In practice, companies should check that key intra-group and vendor relationships are properly assessed to ensure that any joint controller relationships have been identified and responsibilities documented that accurately reflect the processing activities being carried out. They should also review privacy notices to ensure they provide adequate disclosures of any joint controller arrangements.

Ongoing Focus on Security

Security of data processing may not be a new concern in itself, but it has become a major focus area for data protection authorities and therefore a key area of risk for controllers and processors. The introduction of more specific data breach notification duties and other onerous obligations on controllers and processors to implement organizational and technical security measures under the GDPR means that data protection authorities may investigate thoroughly and question organizations’ operations and internal processes. Experience shows that European data protection authorities have started making effective use of their new powers under the GDPR. In fact, there has been a significant number of investigations opened, and fines issued, as a result of an organization notifying a data breach to the data protection authority. In the months following the GDPR’s implementation, data protection authorities reported a sharp increase in data breach notifications received. For example, the Dutch data protection authority, Autoriteit Persoonsgegevens, declared more than 20,000 notifications in 2018 alone. As society increasingly digitizes, security issues are a trend that seems here to stay.

Certain high-profile cases have also hit the press, with the Information Commissioner’s Office in October 2020 fining Marriott International more than €20 million,36 and in October 2020 fining British Airways more than €22 million,37 in both cases as a result of major data breaches and failure to fulfil data security requirements. There are many other ongoing cases all showing the willingness of data protection authorities to take a more critical view of organizations’ approach to security and to require the application of a genuine information management and classification policy.

The GDPR adopts a technology-neutral approach to data security but stresses the importance of addressing the actual risks in an appropriate manner, by implementing a set of measures ranging from organizational and contractual preparedness, to technical protection and safeguards, logging and documenting incidents, training staff, and raising awareness. For instance, in a recent German case, a health insurance organization that collected data from raffle participants implemented internal guidelines and training to ensure that only those who consented would be contacted for marketing.38 In spite of these measures, data of individuals who had not consented was used for marketing purposes, and the organization’s security measures were found to be insufficient. The German data protection authority wanted to highlight the need to implement better security measures in order to achieve the sought-after result and to turn good intentions into reality. This example shows how far-reaching the implications of the security obligations under the GDPR can be, well beyond the straightforward situations of passwords or individuals’ credentials that leak online. Generally speaking, on the enforcement front, the EC’s Report describes the approach as “balanced.” Data protection authorities are making use of a range of their powers and taking into account mitigating factors—such as an organization’s willingness to acknowledge its failures and to work with authorities to fix and remedy breaches—when weighing appropriate enforcement action.

In addressing the ongoing and increased threat to all businesses from sophisticated physical and cyber security attacks, companies should ensure that they implement best-practice security measures and continually review them, together with keeping internal records of policies and procedures. Having well-rehearsed and documented incident management protocols is also essential to identifying and mitigating the impact of any security events. Companies should also carefully scrutinize existing and potential vendors and ensure that they have robust contractual protections in place dealing with ongoing security measures, incident response, and liability.

Enhanced Data Subject Rights

One of the main objectives of the GDPR is to give data subjects control over their own personal data. Since the GDPR came into effect, data subjects have become well aware of their rights through data protection authority awareness campaigns, high-profile data breaches, and numerous email updates to marketing consents and privacy policies. This has ultimately led to an increased number of data subject requests to controllers and complaints to national data protection authorities. According to a recent survey by the EU Fundamental Rights Agency, 69 percent of the population over the age of 16 in the European Union have heard about the GDPR and 71 percent have heard about their national data protection authority.39 Public recognition of data privacy means that companies have suddenly faced an urgent need to implement a more efficient process to address and respond to the exercise of rights by data subjects within the GDPR’s mandated timeframes, which require controllers to respond to requests without undue delay and within one month of receipt of the request.40 Having a streamlined response process not only supports compliance but can also improve customer service, which could give a competitive advantage.

In Spain, the Spanish Data Protection Act41 goes one step further than the GDPR by enshrining additional digital rights under national law to supplement the GDPR. The act includes the express recognition of the right to be forgotten in search engines, social networks, and other similar services (based on the CJEU’s ruling in the Google Spain case42). Following this theme, the EDPB also published recent guidance on the exercise of the right to be forgotten in search engines.43

Companies can take steps to preemptively minimize requests from data subjects, and thus mitigate any costs of resolving those requests, by being fully transparent and providing comprehensive details about their personal data processing activities. It should be noted that companies are usually more exposed to requests and complaints from data subjects (especially in relation to the exercise of the data subject access right) if they include scarce, or the bare minimum of, information about the relevant data processing.

Because the exercise of data subject rights is essentially free of charge under the GDPR (a change for some jurisdictions), there are numerous examples of cases where individuals took advantage of those rights in bad faith to put pressure on a controller in connection with a separate and unrelated dispute. This is a developing trend. In any event, if a particular request is manifestly unfounded or excessive, the controller may (1) charge a reasonable fee (based on the administrative costs of providing the information, communicating, and responding to the request) or (2) refuse to act on the request, although guidance from data protection authorities suggests this concept is likely to be narrowly construed. The GDPR clarifies that fees may be charged, in particular, where requests are repetitive. One example is that the GDPR expressly confers on controllers the ability to charge a reasonable fee for any further copies requested by data subjects in the exercise of their data subject access rights.

With respect to the manner in which data subjects may exercise their data protection rights, the GDPR recommends that controllers implement an electronic means of facilitating the exercise of those rights (especially in cases where personal data are also processed by electronic means). In this sense, making standard forms available for data subjects could make the handling and resolution of these requests easier for controllers. However, since data subjects cannot be forced to use any specific form in order to exercise their rights, companies may still need to invest in dedicated teams to handle data subject requests (whatever their form may be) and to ensure GDPR compliance. The creation of dedicated teams has also proven to be favored when dealing with data breaches.

The Current Status of International Data Transfers

As for international data transfers—namely, transfers to a jurisdiction outside the European Union—the GDPR provides for some continuity with the previous regime in terms of legal tools and legal bases for a transfer. The GDPR provides that in the absence of an adequacy decision of the European Commission (and such decisions so far have been given to few jurisdictions, the most relevant of which are Argentina, Canada, Israel, Japan, and Switzerland), companies should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject, unless a specific (but limited) derogation applies. Such safeguards may consist of making use of binding corporate rules, standard contractual clauses adopted by the EC, standard data protection clauses adopted by a data protection authority, or contractual clauses authorized by a data protection authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the European Union. These include the availability of enforceable data subject rights and effective legal remedies, including the right to obtain effective administrative or judicial redress and to claim compensation in the European Union or a third country.

Standard contractual clauses (or model clauses) approved by the European Commission are the most commonly adopted legal instrument to carry out international data transfers. Basically, there are two different contractual types that address the transfer from a European controller (known as the data exporter) to a non-European controller or processor (in both cases, known as data importers).44

European businesses exporting personal data to the United States once relied on the EU-U.S. Privacy Shield Framework.45 This was a legal framework designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

Then, the CJEU invalidated the Privacy Shield in the July 2020 case of Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems (Schrems II case).46 The CJEU examined the adequacy of the protection provided by the Privacy Shield, holding that (1) the requirements of U.S. law, and in particular certain programs enabling U.S. authorities to access personal data transferred from the European Union to the United States for national security purposes, result in limitations on personal data protections that are not circumscribed in a way that satisfies EU law requirements; and (2) such U.S. law does not grant data subjects actionable rights before the courts against the U.S. authorities.

Additionally, the CJEU examined the validity of the EC’s Decision 2010/87/EC, which had approved the use of a set of standard contractual clauses for the transfer of personal data to processors in third countries.47 Although the CJEU found that these clauses remain valid, it noted that validity depends on whether such clauses are able, in practice, to ensure compliance with the level of protection essentially equivalent to that guaranteed within the European Union by the GDPR or, if not, transfers of personal data pursuant to such clauses are suspended or prohibited. The CJEU pointed out that the above-mentioned decision imposes an obligation on European companies acting as data exporters and on the data importers in third countries to verify, prior to any transfer—and taking into account the circumstances of the transfer—whether that level of protection is respected in the country concerned. Furthermore, the decision requires the data importer to inform the data exporter of any inability to comply with the standard contractual clauses, and where necessary, with additional safeguards that the parties included to supplement those measures already included in those clauses. As a consequence of such notification, the European data exporter is then obliged to suspend the transfer of data or terminate the clause with the data importer.

The Schrems II case is having a major impact on international data transfers because, in one fell swoop, the Privacy Shield that many businesses relied on for their data transfers was declared invalid while standard contractual clauses now need additional assessments and possible supplementary measures (not specifically identified by the court or any other body, so far).

Any possible approval of additional sets of standard contractual clauses by the European Commission or by the individual national data protection authorities is unlikely in the short term and will require time. Furthermore, it is unlikely that individual data protection authorities will decide to act alone and outside a common framework agreed at the European level.

Companies might look into seeking the approval of European data protection authorities for use of binding corporate rules, which are data protection policies written and adhered to by companies established in the European Union for transfers of personal data outside the European Union within a group of undertakings or enterprises. But this is a procedure that takes time and is costly, and therefore it is not an immediate solution for companies that may be seeking to implement a solution in the next few months in response to the Schrems II case. Furthermore, even the use of binding corporate rules must be assessed on a case-by-case basis by companies using them. Companies must make an assessment taking into account the circumstances of the transfers and supplementary measures (as referred to above in connection with standard contractual clauses) put in place to ensure that U.S. law does not impact the adequate level of protection that the binding corporate rules guarantee.

The invalidation of the Privacy Shield and broader impact of the Schrems II case on other data transfer mechanisms as described above is serious, not least because the alternative limited derogations for international transfers under the GDPR only apply in specific situations and because no grace period has been given for organizations to implement alternative data transfer mechanisms. Furthermore, the data protection authorities have begun to receive complaints about international data transfers allegedly in breach of the Schrems II case. Companies are therefore strongly advised to promptly review their international data flows and start taking appropriate action, especially if the data importer is located in the United States.

Finally, many aspects of the Schrems II Case and the issues examined by the CJEU are particularly relevant for the future of data transfers from the European Union to the United Kingdom after the end of the Brexit transition period on December 31, 2020. After this date, the current status quo for data transfers will no longer apply and the United Kingdom will be a third country according to the GDPR. Companies are therefore tracking closely the outcome of the UK’s pending application to the European Commission for adequacy status.

Conclusion

Going forward, we expect to see more enforcement action, the further overlaying of national legislation supplementing the GDPR on specific data privacy topics, and additional guidance from European data protection authorities. While the stated aim of the European Commission in its Report is to support the harmonized and consistent implementation and enforcement of the GDPR across the European Union, there are likely to be challenges to this objective.

Key issues on the horizon include:

  • Much-anticipated guidance around international data transfers in light of the recent invalidation of the EU-U.S. Privacy Shield and additional measures required in connection with the use of standard contractual clauses;
  • The scope of the final draft ePrivacy Regulation, which will replace the existing ePrivacy Directive, governing the use of personal data and other information in marketing as well as the use of cookies and how this practice intersects with the GDPR, particularly as to when GDPR-level consent will be required;
  • The outcome of the adequacy assessment currently being carried out by the European Commission with respect to the United Kingdom in accordance with the Political Declaration on the Future Relationship; and
  • The application of the GDPR to new technologies, such as artificial intelligence and machine learning.

Companies will need to consider these external issues and also closely monitor their internal data collection and use in order to ensure that their data privacy compliance approach remains in step with the GDPR as it evolves in the coming years.


Antitrust, Vol. 35, No. 1, Fall 2020. © 2020 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.


1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 [hereinafter GDPR].

2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31 [hereinafter Data Protection Directive].

3 Eur. Comm’n, Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition—Two Years of Application of the General Data Protection Regulation, COM (2020) 264 final (Jun. 24, 2020) [hereinafter Report].

4 Id. at 4.

5 GDPR, art. 6(1). Additional conditions apply when special categories of personal data are being processed. See id. art. 9.

6 Id. art. 6(1)(a). The GDPR defines “data subject” as “an identified or identifiable natural person.” Id. art. 4(1). It defines “consent” as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Id. art. 4(11).

7 See id. art. 7.

8 Id. art. 4(7) defines “controller” as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” In the context of the internet, the term often refers to companies that operate websites.

9 Eur. Data Prot. Bd., Guidelines 05/2020 on Consent Under Regulation 2016/679 ver. 1.1 ¶ 3, at 5 (May 4, 2020), https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en.

10 GDPR, art. 4(11).

11 CNIL, Deliberation of the Restricted Committee SAN-2019-001 of 21 January 2019 Pronouncing a Financial Sanction Against Google LLC (2019), https://www.cnil.fr/sites/default/files/atoms/files/san-2019-001.pdf.

12 Conseil d’État, Sanction infligée à Google par la CNIL, Décision 19 Juin 2020, https://www.conseil-etat.fr/ressources/decisions-contentieuses/dernieres-decisions-importantes/conseil-d-etat-19-juin-2020-sanction-infligee-a-google-par-la-cnil.

13 See, e.g., CNIL, supra note 12, ¶¶ 86–89, at 11–12. Article 12, in particular, is cited throughout the opinion.

14 Id. ¶ 86 (quoting GDPR, art. 12(1)).

15 Id. ¶ 96, at 13.

16 Id. ¶ 116, at 17.

17 Conseil d’État, supra note 12, ¶ 21.

18 Id. ¶ 23.

19 Id.

20 Case C-673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbände––Verbraucherzentrale Bundesverband eV v. Planet49 GmbH, ECLI:EU:C:2019:801 (Oct. 1, 2019).

21 Id. ¶¶ 52–55.

22 Id. ¶ 50.

23 Id. ¶ 62.

24 Id. ¶ 71.

25 Info. Comm’r’s Office, Guidance: Privacy and Electronic Communications: Guidance on the Use of Cookies and Similar Technologies 47 (July 3, 2019), https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf.

26 GDPR, art. 5(2).

27 See Report, supra note 3, at 1.

28 See GDPR, art. 37.

29 Id. art. 9(1) (defining special categories of data as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”).

30 The controller’s legitimate interest is one of the six legal bases for processing personal data. Id. art. 6(1)(f).

31 Decision 26/2019 of the Hellenic Data Protection Authority, https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/DECISIONS/SUMMARY%20OF%20DECISION%2026_2019%20(EN).PDF.

32 See id. art. 26.

33 Case C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, ECLI:EU:C:2018:388 (June 5, 2018).

34 Case C-25/17, Tietosuojavaltuutettu v. Jehovan todistajat––uskonnollinen yhdyskunta, ECLI:EU:C:2018:551 (July 10, 2018).

35 Case C-40/17, Fashion ID GmbH & Co. KG v. Verbraucherzentrale NRW eV, ECLI:EU:C:2019:629 (July 29, 2019).

36 Press Release, Info. Comm’r’s Office, ICO Fines Marriott International Inc £18.4 Million for Failing to Keep Customers’ Personal Data Secure (Oct. 30, 2020), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184million-for-failing-to-keep-customers-personal-data-secure/.

37 Press Release, Info. Comm’r’s Office, ICO Fines British Airways £20m for Data Breach Affecting More than 400,000 Customers (Oct. 16, 2020), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach-affecting-more-than-400-000-customers/.

38 Commissioner for Data Protection and Freedom of Information Baden-Württemberg, decision of 26 June 2020 re. AOK Baden-Württemberg.

39 Eur. Union Agency for Fundamental Rights, Your Rights Matter: Data Protection and Privacy (2020).

40 GDPR, art. 12(3). The period of one month may be extended by two further months where necessary, taking into account the complexity and number of requests. Id.

41 Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales, 2018 B.O.E. 119788.

42 Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos (AEPD), ECLI:EU:C:2014:317 (May 13, 2014).

43 Eur. Data Prot. Bd., Guidelines 5/2019 on the Criteria of the Right To Be Forgotten in the Search Engines Cases Under the GDPR (Part 1) (Dec. 2, 2019), https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_201905_rtbfsearchengines_forpublicconsultation.pdf.

44 There are currently two different types of standard contractual clauses for use, depending on whether the EU-based data exporter is transferring personal data to a controller, in which case one of the two sets of the European Commission approved controller-to-controller clauses should be used, or the data exporter is transferring personal data to a processor, when the European Commission approved controller-to-processor clauses are used.

45 Comm’n Implementing Decision 2016/1250, 2016 O.J. (L 207) 1 (EU).

46 Case C-311/18, Data Protection Comm’r v. Facebook Ir. Ltd., ECLI:EU:C:2020:559 (July 16, 2020).

47 Comm’n Decision 2010/87, 2010 O.J. (L 39) 5 (EU).